Configure Cryptographic Provider

note

This procedure describes a straightforward integration process. Note that there may be other ways to configure and set up Microsoft AD CS.

This guide assumes that you are familiar with the Primus HSM and the Microsoft Server AD CS and does not cover every step of the hardware and software setup process. For the sake of simplicity only the domain administrator role is used instead of the PKI management roles defined by Microsoft.

Migration of an existing AD CS instance to Primus HSM is described in chapter Migrating Microsoft PKI (AD CS) to Securosys Primus HSM/CloudHSM, and migration to a new AD CS instance in chapter Migrating Microsoft PKI to another Server Instance.

Select Microsoft AD CS Cryptographic Provider

To integrate the Securosys HSM with Microsoft Active Directory Certificate Services the Primus KSP/CNG Provider must be specified. This is usually done during installation of the Certificate Authority and can be done either via Graphical User Interface (GUI) or the Command Line Interface (CLI).

note

Please read through the Prerequisites and the Installing CNG Provider sections as they are required for further steps.

When selecting the Provider on the Cryptography for CA window, select the RSA#Securosys Primus HSM Key Storage Provider along with the key type, key length and a suitable hash algorithm. Note that some older devices and applications only support key lengths up to 2048 bit.
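The CLI path mentioned above, as an added example that is not part of the original page or of the Securosys product documentation: it checks that the Primus KSP is registered on the host, installs an enterprise root CA with its key generated by the HSM provider, and then reads back which provider the CA service is actually configured with. The CA common name, the 4096-bit key length, the SHA-256 hash algorithm and the 10-year validity are assumed values; the provider name is the one shown in the Cryptography for CA window.

```powershell
# Added example (not from the Securosys page): create an AD CS CA from the CLI with the
# Primus KSP selected. Run in an elevated PowerShell session on the CA server after the
# Prerequisites and Installing CNG Provider steps have been completed.

$ProviderName = 'RSA#Securosys Primus HSM Key Storage Provider'

# 1. Confirm the Primus KSP is registered before attempting the CA installation;
#    an unregistered provider makes Install-AdcsCertificationAuthority fail.
$registered = (certutil -csplist) -match 'Securosys Primus HSM Key Storage Provider'
if (-not $registered) {
    throw 'Primus Key Storage Provider is not registered on this host; install the CNG provider first.'
}

# 2. Install the AD CS role service if it is not present yet.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# 3. Create the CA with its private key generated in the HSM. 4096-bit RSA and SHA-256
#    are assumed here; choose 2048 only if older relying devices cannot handle larger keys.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'Example-Root-CA' `
    -CryptoProviderName $ProviderName `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 10 `
    -Force

# 4. Verify that the CA service refers to the HSM provider and not to the default
#    software KSP (the value is read from the CA's CSP registry key).
certutil -getreg CA\CSP\Provider
```

The final `certutil -getreg` call is the check worth keeping: if it prints the Microsoft Software Key Storage Provider instead of the Primus provider, the CA key was generated in software and the installation should be redone before the CA issues any certificates.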

note

When using an existing private key you will be required to specify your existing key before selecting the Key Storage Provider.

Example of selecting the Securosys Primus Key Storage Provider: