Introduction

This guide describes how Microsoft NDES can use a Microsoft Certificate Authority whose keys are held in an Entrust nShield Hardware Security Module (HSM). The HSM acts as the Root of Trust for storage encryption, protecting the CA's private keys and meeting FIPS 140 Level 2 or Level 3.

The Entrust nShield is also used to protect the NDES Admin web page with TLS, where the private key for the TLS certificate is managed by the nShield. NDES implements the Simple Certificate Enrollment Protocol (SCEP), which defines the communication between network devices and a Registration Authority (RA) for certificate enrollment.

SCEP supports the secure issuance of certificates to network devices that do not run with domain credentials, allowing them to enroll for X.509 version 3 certificates from a Certification Authority (CA).

Ultimately, the network device holds a private key and an associated certificate issued by a CA whose own key is protected by the Entrust nShield HSM. Applications on the device may use the key and certificate to interact with other entities on the network. The most common use of this certificate on a network device is to authenticate the device in an IPsec session.

Product configurations

Entrust tested the integration with the following versions:

Product                  Version
Base OS                  Windows Server 2022 Server
Entrust Security World   13.6.3

Supported nShield hardware and software versions

Entrust tested the integration with the following nShield HSM hardware and software versions:

Product      Security World   Firmware                         Netimage
Connect XC   13.6.2           12.72.1 (FIPS 140-2 certified)   13.4.5
nShield 5c   13.6.3           13.2.4 (FIPS 140-3 certified)    13.6.1

Supported nShield HSM functionality

Feature            Support
Module-only key    Yes
OCS cards          Yes
Softcards          Yes
nSaaS              Yes
FIPS 140 Level 3   Yes

The following table lists which key protection methods worked over secure and unsecure connections during the integration:

Secure/Unsecure   Module   Softcards   OCS Cards   Notes
Unsecure          Yes      Yes         Yes
Secure            Yes      No          Yes         OCS card with no passphrase

  • unsecure = http connection

  • secure = https connection

Requirements

Familiarize yourself with:

  • Active Directory Certificate Services (AD CS): Network Device Enrollment Service (NDES) documentation (https://docs.microsoft.com).

  • The Installation Guide and User Guide for the HSM.

  • Your organizational Certificate Policy and Certificate Practice Statement, and a Security Policy or Procedure in place covering administration of the PKI and HSM:

    • The number and quorum of Administrator cards in the Administrator Card Set (ACS) and the policy for managing these cards.

    • The number and quorum of operator cards in the Operator Card Set (OCS) and the policy for managing these cards.

    • The key protection method: Module, Softcard, or OCS.

    • The level of compliance for the Security World, FIPS 140 Level 3.

      Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.

    • Key attributes such as key size, time-out, or need for auditing key usage.