Use an HSM for RA certificate private keys

The instructions in this guide recommend that software-based keys are used for the NDES Registration Authority (RA) certificates. Microsoft has since published a blog article on securing NDES, and one of its recommendations is that an HSM should be used for the RA certificate private keys. See https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ndes-security-best-practices/ba-p/2832619 for more information (published 11th October, 2021).

On this basis, this section describes what needs to be done to hold the RA private keys in an HSM.

nCipher CAPI can be used for the NDES RA private keys, though there are limitations:

  1. You cannot use a FIPS 140 Level 3 Security World on the NDES server, as CAPI does not meet the requirements for its use.

  2. The nCipher CAPI provider MUST be set up as the 'default' CAPI provider on the NDES server via the CAPI configuration wizard. If this is not done, the CAPI provider is not offered as an option when installing/configuring NDES.

  3. Only module key protection, or a 1/N OCS with NO passphrase, will work. The nCipher CAPI provider has no way of prompting for PINs or passphrases: the nShield Service Agent does not support it, and Interactive Services Detection has been removed from later versions of Windows.

Procedure changes:

  1. When asked to configure the CNG provider for the NDES server, use the CSP Install wizard instead.

    1. Log on to the NDES server as the domain account INTEROP\Administrator.

    2. Select Start > Entrust nShield Security World > CSP Install wizard.

    3. Proceed with the configuration, but make sure you select Module Protection or OCS Protection. If you choose OCS Protection, make sure the OCS has been created with no passphrase.

  2. During the NDES installation and configuration, on the Cryptography for NDES window (Configure CSPs for the RA), choose the Signature key provider and the Encryption key provider. A key size of 2048 bits or larger is recommended. Select one of the nCipher providers for each, such as:

    1. nCipher Enhanced Cryptographic Provider

    2. nCipher Enhanced RSA and AES Cryptographic Provider

  3. Once NDES is configured and installed successfully, and before configuring the NDES admin page to use an SSL certificate, run the CNG provider configuration utility on the NDES server. It can coexist with the CSP setup done earlier, and is needed so that the certificate request for the SSL certificate can be created.
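As a post-installation check, the following PowerShell script is an added example; it is not part of the original guide or of the nShield documentation. Run it in an elevated prompt on the NDES server: it lists the RA certificates in the machine store and reports which provider holds each private key and how long the key is, so an RA key that silently ended up in a Microsoft software CSP/KSP, or below 2048 bits, stands out. It assumes that both RA certificates (the signing certificate and the CEP Encryption certificate) carry the Certificate Request Agent EKU, 1.3.6.1.4.1.311.20.2.1, and that the HSM-backed provider names begin with "nCipher"; adjust those two values if your templates or provider naming differ.

```powershell
# Added example (not from the original guide): verify that the NDES RA private
# keys are held by an nCipher CSP and are at least 2048 bits.
# Run from an elevated PowerShell prompt on the NDES server.

# Assumptions (not stated in the guide): RA certificates are identified by the
# Certificate Request Agent EKU, and HSM-backed provider names start with "nCipher".
$RaEkuOid         = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent
$ExpectedProvider = 'nCipher*'
$MinimumKeyBits   = 2048
$TemplateExtOid   = '1.3.6.1.4.1.311.21.7'     # Certificate Template Information

function Get-RaKeyInfo {
    # Returns one object per RA certificate in LocalMachine\My with its key provider.
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and (
                $_.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                Where-Object { $_.Value -eq $RaEkuOid }
            )
        } |
        ForEach-Object {
            $cert = $_

            # GetRSAPrivateKey returns RSACryptoServiceProvider for a CAPI (CSP) key
            # and RSACng for a CNG (KSP) key; read the provider name from whichever it is.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            $provider = if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $rsa.CspKeyContainerInfo.ProviderName
            } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
                $rsa.Key.Provider.Provider
            } else {
                'unknown (could not open private key)'
            }

            # Template name helps tell the signing RA cert from the CEP Encryption cert.
            $tmpl = $cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateExtOid } | Select-Object -First 1

            [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                Template   = if ($tmpl) { $tmpl.Format($false) } else { '(none)' }
                Provider   = $provider
                KeyBits    = if ($rsa) { $rsa.KeySize } else { 0 }
                InHsm      = ($provider -like $ExpectedProvider)
                KeyOk      = ($rsa -and $rsa.KeySize -ge $MinimumKeyBits)
            }
        }
}

$results = @(Get-RaKeyInfo)
$results | Format-Table Subject, Template, Provider, KeyBits, InHsm, KeyOk -AutoSize

if ($results.Count -eq 0) {
    Write-Warning 'No certificates with the Certificate Request Agent EKU and a private key were found in LocalMachine\My.'
} elseif ($results | Where-Object { -not ($_.InHsm -and $_.KeyOk) }) {
    Write-Warning 'At least one RA key is software-held or shorter than 2048 bits; re-check the CSP selection made during NDES setup.'
} else {
    Write-Host 'All RA private keys are held by an nCipher provider with an acceptable key size.'
}
```

Because the RA keys are created through the CAPI path described above, GetRSAPrivateKey returns an RSACryptoServiceProvider and the provider name comes from CspKeyContainerInfo. The RSACng branch is there so the same script reports correctly if the filter is widened to other certificates in the store, such as the SSL certificate issued through the CNG provider configured in the last step.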