Install and register the CNG provider

  1. Select Start > Entrust > CNG configuration wizard.

  2. Select Next on the Welcome window.

  3. Select Next on the Enable HSM Pool Mode window, leaving Enable HSM Pool Mode for CNG Providers unchecked.

    If you intend to use multiple HSMs in a failover and load-sharing capacity, select Enable HSM Pool Mode for CNG Providers. If you do, you can only use module-protected keys. Module protection does not provide conventional one- or two-factor authentication. Instead, the keys are encrypted and stored as an application key token, also referred to as a Binary Large Object (blob), in the Key Management Data\local directory.
  4. On the Initial setup window, select Use existing security world. Then select Next.

  5. On the Set Module States window, select the HSM (Module) if more than one is available. Then select Next.

  6. On the Key Protection Setup window, select Operator Card Set protection. Then select Next.

  7. On the Token for Key Protection window, choose the card set from the Current Operator Card Sets list. This is the OCS created in deploy-entrust-nshield.adoc#create-ocs. Then select Next and Finish.

  8. Verify the provider with the following commands.

    >certutil -csplist | findstr nCipher
    Provider Name: nCipher Security World Key Storage Provider
    
    >cnglist.exe --list-providers | findstr nCipher
    nCipher Primitive Provider
    nCipher Security World Key Storage Provider
  9. Verify the provider in the Windows Registry.

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cryptography\Providers\nCipherSecurityWorldKeyStorageProvider
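
The two verification steps above can be combined into one pass/fail check for a build or audit script. This is an added example, not Entrust-supplied code; the function name and result labels are hypothetical, and it assumes `cnglist.exe` is on `PATH` (the check is skipped otherwise).

```powershell
# Added example: scripted form of verification steps 8 and 9.
# Provider names and the registry path are taken from the steps above.
$KspName   = 'nCipher Security World Key Storage Provider'
$PrimName  = 'nCipher Primitive Provider'
$KspRegKey = 'HKLM:\SYSTEM\ControlSet001\Control\Cryptography\Providers\nCipherSecurityWorldKeyStorageProvider'

function Test-NCipherCngRegistration {   # hypothetical helper name
    $results = [ordered]@{}

    # Step 8a: certutil prefixes each provider with "Provider Name:".
    $hit = & certutil.exe -csplist 2>$null |
        Select-String -SimpleMatch "Provider Name: $KspName" -Quiet
    $results['certutil: KSP listed'] = [bool]$hit

    # Step 8b: cnglist prints bare provider names, one per line.
    $cnglist = Get-Command cnglist.exe -ErrorAction SilentlyContinue
    if ($cnglist) {
        $out = & $cnglist.Source --list-providers 2>$null
        $results['cnglist: KSP listed'] =
            [bool]($out | Select-String -SimpleMatch $KspName -Quiet)
        $results['cnglist: primitive provider listed'] =
            [bool]($out | Select-String -SimpleMatch $PrimName -Quiet)
    } else {
        Write-Warning 'cnglist.exe is not on PATH; skipping that check.'
    }

    # Step 9: the provider's registration key must exist.
    $results['registry: provider key present'] = Test-Path -LiteralPath $KspRegKey

    [pscustomobject]$results
}

$status = Test-NCipherCngRegistration
$status | Format-List

# A non-zero exit code lets a deployment pipeline stop before any
# keys are generated against a provider that is not registered.
if ($status.PSObject.Properties.Value -contains $false) { exit 1 }
```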