Environment setup procedures

Install the HSM

Install the HSM using the instructions in the Installation Guide for the nShield HSM.

Entrust recommends that you install the HSM before you configure the Security World software and before you install and configure AD CS.

If you already have an HSM installed and a Security World configured, proceed to install AD CS.

Install the software and create or share the Security World

To install the Security World software and create the Security World:

  1. Install the latest version of the Security World software as described in the User Guide for the HSM. Entrust recommends that you uninstall any existing Security World software before installing the new Security World software.

  2. Initialize a Security World as described in the User Guide for the HSM.

    You will be using this Security World when you are installing and registering either CSP or CNG providers.

  3. Register the CSPs that you intend to use:

    • Windows Server Enterprise:

      For CAPI on 64-bit Windows, both 32-bit and 64-bit CSP install wizards are available. If you intend to use the CAPI CSPs from both 32-bit and 64-bit applications, or if you are unsure, run both wizards. The CNG Configuration Wizard registers the CNG Providers for use by both 32-bit and 64-bit applications where relevant. For detailed information on registering the CAPI CSPs or CNG Providers, refer to the User Guide for the HSM.

    • Windows Server Core:

      > cnginstall --install
> cngregister
> capingwizard

  4. If you are going to use Key Counting using the nShield CNG/KSP with the CA, you need to create a CAPolicy.inf file in the %Windows% directory before installing the CA role, and set a registry value. The Registry container is HKLM\Software\nCipher\CryptoNG\ and the Registry Key is UseCountEnabled which must be set to 1. See Install Certificate Services.

  5. If you are intending to use Module protection, pool mode can be configured using the relevant CNG or CAPI wizards. To enable pool mode using the CNG wizard:

    1. Launch the CNG configuration wizard, and select the Enable HSM Pool Mode screen.

    2. Select the Enable HSM Pool Mode for CNG Providers option.

    To enable pool mode using the CSP wizards:

    1. Select 32bit CSP install wizard or 64bit CSP install wizard (depending on the platform in use).

    2. Launch the 32bit CSP install wizard or the 64bit CSP install wizard, and select the Enable HSM Pool Mode screen. Select the Enable HSM Pool Mode for CAPI Providers option.