Procedure Overview
There are several ways to migrate an existing Microsoft Certification Authority (AD CS) to private keys held on the Primus HSM or CloudHSM service:
- Migrating the existing private key(s) and certificate(s) from the Microsoft CSP or CNG/KSP to the Primus HSM CNG/KSP key storage provider. Requirement: the private key must be exportable in a wrapped format, e.g. PKCS#8.
- Keeping the existing CA and renewing its certificate with a new private key, storing both on the Primus HSM CNG/KSP.
- Setting up a new AD CS instance (side-by-side), e.g. to use newer algorithms.
Migrating existing AD CS key material from CSP or CNG/KSP to the Securosys Primus HSM CNG/KSP requires the following steps (valid for Windows Server 2012 R2/2016/2019):
- Install Securosys Primus HSM and CNG/KSP Provider Software (see Installing CNG Provider)
- Backup AD CS including private key and configuration (see Backup AD CS)
- Delete the key(s) and certificate(s) from the old key store (see Delete the Key and Certificate)
- Import the private key to your Primus HSM or CloudHSM (see Import Private Key to Primus HSM/CloudHSM)
- Reconfigure the AD CS to use the key from the new location (see Reconfigure AD CS Registry)
- Test and cleanup procedures (see Test and Cleanup)
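Before starting the procedure, it is worth confirming which provider currently holds the CA key and whether that key meets the exportability requirement of the key-migration path, and taking the backup from step two. The following PowerShell script is an added example and not part of the Securosys guide or the Microsoft tooling; it assumes the standard AD CS registry layout, an RSA CA key, and uses -BackupDir and -BackupPassword as operator-chosen placeholders.

```powershell
# Added pre-migration check, not part of the Securosys guide. Reports which
# provider currently holds the CA key, whether that key is exportable (the
# requirement of the key-migration path), and optionally takes the backup.
# Run in an elevated PowerShell on the CA host. -BackupDir is a placeholder.
param(
    [string]$BackupDir,          # if given, back up key, database and registry here
    [string]$BackupPassword      # password protecting the exported PFX
)
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $configKey -Name Active).Active
$caKey     = Join-Path $configKey $caName
$csp       = Get-ItemProperty -Path (Join-Path $caKey 'CSP')

"CA name      : $caName"
"Provider     : $($csp.Provider)"
"ProviderType : $($csp.ProviderType)  (0 = CNG/KSP, otherwise legacy CSP)"

# CACertHash lists the SHA-1 thumbprints of all CA certificates (hex, space-separated)
foreach ($h in (Get-ItemProperty -Path $caKey -Name CACertHash).CACertHash) {
    $thumb = ($h -replace '\s', '').ToUpper()
    $cert  = Get-Item "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue
    if (-not $cert) { Write-Warning "CA certificate $thumb not in LocalMachine\My"; continue }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG/KSP key: the export policy is a flag on the key itself
        $exportable = $rsa.Key.ExportPolicy.HasFlag([System.Security.Cryptography.CngExportPolicies]::AllowExport)
        $where = "KSP '$($rsa.Key.Provider.Provider)'"
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # legacy CSP key: exportability is recorded in the key container info
        $exportable = $rsa.CspKeyContainerInfo.Exportable
        $where = "CSP '$($rsa.CspKeyContainerInfo.ProviderName)'"
    } else {
        $exportable = $null; $where = 'unknown (non-RSA key or no private key access)'
    }
    "Cert $thumb : key held by $where, exportable = $exportable"
    if ($exportable -eq $false) {
        Write-Warning 'Key is not exportable: use the renew or side-by-side path instead'
    }
}

if ($BackupDir) {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    certutil -p $BackupPassword -backup $BackupDir   # CA certificate + key (PFX) and database
    reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
        (Join-Path $BackupDir 'CertSvc-Configuration.reg') /y   # registry configuration
}
```

The exported PFX and .reg file are what the later steps (delete, import, reconfigure) fall back on, so verify the backup directory contents before deleting anything from the old key store.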
For further information refer to the guidelines provided by Microsoft, e.g.:
Warning: The following examples refer to the example Standalone Root CA setup in this guide. Migrations of operational CAs should be tested thoroughly in a lab environment and are not covered in this guide.