Introduction
This guide describes how to integrate the nShield Hardware Security Module (HSM) with Microsoft Active Directory Certificate Services (AD CS) and the Online Certificate Status Protocol (OCSP), and to set up a root Certificate Authority (CA).
Microsoft AD CS provides the functionality for creating and installing a CA. The CA acts as a trusted third party that certifies the identity of clients to anyone who receives a digitally signed message. The CA may issue, revoke, and manage digital certificates.
The Online Responder is a Microsoft Windows service that implements OCSP. It decodes revocation status requests for specific certificates, determines the status from the latest Certificate Revocation List (CRL) issued by the CA, and sends back a signed response containing the requested certificate status. OCSP therefore lets a relying party check the status of a single certificate without downloading and parsing the full CRL.
The CA and OCSP use the Entrust nShield HSM to protect their private keys. The CA and OCSP also use the HSM for important operations such as key generation, certificate signing, and CRL signing. The nShield HSM can be configured to protect the private keys and meet FIPS 140-2 Level 2 or Level 3.
Instructions in this guide are given both for Microsoft Windows Server Enterprise and for Server Core. Server Core is a minimal installation option of Windows Server that does not include a GUI; it is designed to be managed through the command line, PowerShell, or from another computer via a remote GUI tool. In addition, a Server Core installation does not include all the Windows Server roles and services included in the Standard and Datacenter editions; these roles and services must be configured and managed from a remote computer. Wherever a step in this guide differs between Windows Server Enterprise and Windows Server Core, instructions are provided for both.
Product configurations
Entrust has successfully tested the nShield HSM integration with Microsoft Windows Server 2019 and 2022, and Microsoft Windows Server 2016 (Standard, Datacenter and Server Core editions), and Microsoft AD CS in the following configurations:
Microsoft Windows Server | nShield HSM | nShield Security World Software | nShield Security World Firmware
---|---|---|---
2016 | Solo XC | 12.60.3 | 12.50.11 (FIPS 140-2 certified)
2016 | nShield 5c | 13.3.2 |
2022 | Edge | 12.80.4 |
Supported nShield functionality
Feature | Support | Feature | Support
---|---|---|---
Softcards | Yes | Key management | Yes
FIPS 140-2 | Yes | Key recovery | Yes
Module-only key | Yes | K-of-N card set | Yes
Load balancing | Yes | Key import | Yes
Fail over | Yes | Mixed Estate | Yes

Note: CA failover clustering is only supported with network attached HSMs (nShield Connect).
Requirements
Before installing these products, read the associated documentation:
- The Installation Guide and User Guide for the nShield HSM.
- The Microsoft AD CS and OCSP documentation (https://docs.microsoft.com).
Entrust also recommends that you have an agreed organizational Certificate Policy and Certificate Practice Statement, and a Security Policy or Procedure in place covering administration of the PKI and HSM.
In particular, these documents should specify the following aspects of HSM administration:
- The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and the policy for managing these cards.
- Whether the application keys are protected by the module, a Softcard, or an Operator Card Set (OCS).
- The number and quorum of Operator Cards in the OCS, and the policy for managing these cards.
- Whether the Security World should be compliant with FIPS 140-2 Level 3.
- Key attributes such as the key size and time-out.
- Whether there is any need for auditing key usage.
- Whether to use the nShield Cryptographic Service Providers for Microsoft Cryptography API: Next Generation (CNG) or for CryptoAPI (CAPI).
- Whether to initialize the nShield Security World as Recoverable. This is highly recommended and is the default option when initializing a Security World.
Note: Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.

Note: Entrust recommends that you use CNG for full access to available features and better integration with Microsoft Windows Server editions.
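The following PowerShell is an added example, not part of the original guide, showing what the Server Core and CNG recommendations above look like in practice: installing the AD CS and Online Responder roles, confirming that an nShield CNG key storage provider is registered before any CA key is generated, creating a standalone root CA whose signing key is generated in that provider, and verifying the provider the CA was configured with. The provider name, CA name, key length and validity period are assumptions to be replaced with the values from your Certificate Policy; the feature names and cmdlet parameters are the standard Windows Server ones.

```powershell
# Added example (not from the Entrust guide): root CA on an nShield CNG provider, Server Core style.
# Run locally on the Server Core host or through Enter-PSSession from a management computer.

# Assumed values: adapt to your Certificate Policy and Security World.
$Provider  = 'nCipher Security World Key Storage Provider'  # assumed name of the nShield CNG KSP
$CaName    = 'Example Root CA'                               # assumed
$KeyLength = 4096
$Validity  = 10                                              # years

# 1. Install the Certification Authority and Online Responder roles.
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Online-Cert -IncludeManagementTools

# 2. Check the nShield CNG provider is registered before the CA key is created.
#    certutil -csplist prints one "Provider Name: ..." line per registered CSP or KSP.
$providers = certutil -csplist |
    Select-String -Pattern '^Provider Name:\s*(.+)$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }

if ($providers -notcontains $Provider) {
    throw "Provider '$Provider' is not registered; install the nShield Security World software " +
          "and its CNG providers first. Registered providers: $($providers -join ', ')"
}

# 3. Create a standalone root CA with its key generated by the HSM provider.
#    A CNG provider is named as '<algorithm>#<provider name>'; '#' separates the two.
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName $CaName `
    -CryptoProviderName "RSA#$Provider" `
    -KeyLength $KeyLength `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits $Validity `
    -Force

# 4. Verify which provider the CA service was configured to use.
#    This reads the CA's CSP\Provider registry value; it should name the nShield provider,
#    not 'Microsoft Software Key Storage Provider'.
certutil -getreg CA\CSP\Provider
```

If the CA key is protected by an OCS or a Softcard rather than by the module, the nShield provider may prompt for the card or passphrase during step 3, so run the session interactively rather than as an unattended script.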
More information
For more information about OS support, contact your Microsoft sales representative or Entrust nShield Support, https://nshieldsupport.entrust.com.
Note: Access to the Entrust nShield Support Portal is available to customers under maintenance. To request an account, contact nshield.support@entrust.com.