Document Version 1.0
ARX | 855 Folsom St. Suite 939, San Francisco, CA 94107 | Tel. (415) 839-8161 | www.arx.com | sales@arx.com
PrivateServer™ HSM
Replace SVMK Procedure
February 2014
Notice
The information provided in this document is the sole property of Algorithmic Research Ltd. No part of
this document may be reproduced, stored or transmitted in any form or any means, electronic,
mechanical, photocopying, recording or otherwise, without prior written permission from Algorithmic
Research Ltd.
Copyright © 2014 by Algorithmic Research Ltd. All rights reserved.
Introduction
This guide was prepared and tested using a Windows Server 2012 machine.
It will help you migrate your CA's CSP into an AR KSP.
Requirements
Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2 or above.
PrivateServer client (Windows only).
Configured and working Signing Engine.
An altered version of cspkcs12.dll allowing private keys to be stored as non-sensitive.
How to receive an altered version of cspkcs12.dll
To receive an altered version of cspkcs12.dll you will have to contact our support at support@arx.com.
Please mention your PrivateServer serial number in order to expedite the issue.
Please note: This file is TEMPORARY and will be used ONLY DURING THIS PROCESS.
You will have to save a copy of your old file and restore it when you are done.
Otherwise your keys and PrivateServer will be exposed to a security breach.
Test Environment
We highly recommend performing this operation in a test environment before performing it in your
production environment.
This is to ensure you have everything you need and your production environment won't suffer from
extended downtime.
1. Back up the CA
The backup is used both as a backup of the current CA and in the migration process.
a. For Windows Server 2012 R2: First, open a Windows PowerShell window with the Run as administrator
option, and then run the following command:
Backup-CARoleService -Path <Your Backup Directory>
b. For Windows Server 2012 and Windows Server 2008 R2: First, run the following Certutil command:
Certutil -backup <Your Backup Directory>
c. For all server versions: Then, run the following command to back up the CA registry settings:
reg export HKLM\SYSTEM\CurrentControlSet\services\CertSvc c:\<Your Backup Directory>\CAregistry.reg
2. Stop the service
Please note: if the guide has not been completed when the server restarts, this command must be run again.
Stop-service certsvc
3. Get the details of your CA certificates
Run the following command and make a note of the values for Cert Hash and Key Container, because
you will need them later:
Certutil -store my <Your CA common name>
For example, if you run Certutil -store my "CorpSubCA", you will see output similar to the following
for each CA certificate you have (you will have more than one CA certificate if it has been renewed):
================ Certificate 0 ================
Serial Number: 26e3aa770841989248259e2db7b183cb
Issuer: CN=CorpRootCA, DC=Contoso, DC=com
NotBefore: 5/9/2014 1:08 PM
NotAfter: 5/9/2019 1:18 PM
Subject: CN=CorpSubCA, DC=Contoso, DC=com
Certificate Template Name (Certificate Type): SubCA
CA Version: V1.1
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: SubCA, Subordinate Certification Authority
Cert Hash(sha1): f3 3e f1 bc c5 82 7a b2 a6 0b 15 c1 f6 82 22 09 8e c3 d3 d2
Key Container = CorpSubCA
Unique container name: cd00cf78cfae801b6116617b93290d1d_be779d88-d7da-4fd3-8acb-a6daafc87e9f
Provider = Microsoft Strong Cryptographic Provider
Signature test passed
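As an added example (not part of the ARX guide), the following PowerShell script parses the Certutil -store output shown above and records the Cert Hash and Key Container of every CA certificate before step 4 removes them; the script name, the CSV path and the regular expressions are assumptions based on the output format above.

```powershell
# Added example (not from the ARX guide): capture Cert Hash / Key Container / Provider of every
# CA certificate from "certutil -store my <CA name>" so the values needed in steps 4 and 5 are
# recorded, not retyped. Assumes the output format shown in step 3.
param([Parameter(Mandatory)][string]$CaCommonName)

$raw = certutil -store my $CaCommonName 2>&1 | Out-String
if ($LASTEXITCODE -ne 0) { throw "certutil -store failed:`n$raw" }

# Each certificate block starts with "================ Certificate N ================".
$blocks = $raw -split '={8,} Certificate \d+ ={8,}' | Where-Object { $_ -match 'Cert Hash' }

$certs = foreach ($b in $blocks) {
    $hash      = if ($b -match 'Cert Hash\(sha1\):\s*([0-9a-f ]+)') { ($Matches[1] -replace '\s', '').ToUpper() }
    $container = if ($b -match 'Key Container\s*=\s*(.+)')           { $Matches[1].Trim() }
    $provider  = if ($b -match 'Provider\s*=\s*(.+)')                { $Matches[1].Trim() }
    $notAfter  = if ($b -match 'NotAfter:\s*(.+)')                   { $Matches[1].Trim() }
    [pscustomobject]@{ Thumbprint = $hash; KeyContainer = $container; Provider = $provider; NotAfter = $notAfter }
}
if (-not $certs) { throw "No certificate with a Cert Hash found for '$CaCommonName'" }

# Keep the record next to the CA backup from step 1 (path is an assumption).
$csv = Join-Path $env:TEMP 'ca-certs-before-migration.csv'
$certs | Export-Csv -Path $csv -NoTypeInformation
$certs | Format-Table -AutoSize

# Sanity check before anything is deleted: certificates already on a KSP need no migration.
$certs | Where-Object { $_.Provider -like '*Key Storage Provider*' } | ForEach-Object {
    Write-Warning "$($_.Thumbprint) is already on '$($_.Provider)'; skip it in step 4."
}
Write-Output "Recorded $(@($certs).Count) CA certificate(s) to $csv"
```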
4. Delete the existing CA certificate and private key:
On Windows Server 2012 R2 and Windows Server 2012:
a. Open a Windows PowerShell window with the Run as administrator option, and then run:
Cd cert:\localmachine\my
b. By using the first value you identified earlier for the Cert Hash as the certificate ID when you ran the
Certutil command, run the following command to delete the certificate and private key:
Del -DeleteKey <Certificate ID>
c. Repeat the previous step for all CA certificates that were identified when you ran the Certutil
command.
On Windows Server 2008 R2:
a. Use the Certificates snap-in MMC for the Computer Account and navigate to the certificates in
the Personal store.
b. Using the first value you identified earlier for the Cert Hash, locate the certificate and delete it.
c. Repeat the previous step for all CA certificates that were identified when you ran the Certutil
command.
d. By using the first value you identified earlier for the Key Container as the key container name when
you ran the Certutil command, delete the CA private key by running the following command:
Certutil -csp <Your current CSP> -delkey <Key Container Name>
e. Repeat the previous step for all CA certificates that were identified when you ran the Certutil
command.
5. Migrate the CA certificate and private key to a KSP
On Windows Server 2012 R2 and Windows Server 2012:
a. Run the following command:
Certutil -csp <KSP name> -importpfx <Your CA cert/key PFX file>
For example: Certutil -csp "Microsoft Software Key Storage Provider" -importpfx c:\Backup\CorpSubCA.p12
On Windows Server 2008 R2:
Because this server version does not support converting the key, you must copy the backed up private key to a
computer that does support this procedure, for example a computer running Windows Server 2012 R2 or
Windows Server 2012. You can also use a computer running Windows 8.1 or Windows 8.
o On this new computer, run the following command:
Certutil -csp <KSP name> -importpfx <Your CA cert/key PFX file>
For example: Certutil -csp "Microsoft Software Key Storage Provider" -importpfx c:\Backup\CorpSubCA.p12
On all Windows Versions:
Connect to the PrivateServer management application and note the 2 new keys added.
a. Double click the Private key and visit the PKCS#11 tab and note the ID field:
b. Copy the ID field to a notepad for future usage. (The last dot at the end should not be copied).
Example: MigTest-7167a53e-6919-4695-82a4-881897a151e0
c. Delete the 2 keys (Private/Public) that were created by Certutil, using the PrivateServer management application.
d. Open up argenie (located in C:\Program Files\ARX\ARX CryptoKit\utils) in advanced mode (using a shortcut with
/br at the end):
e. Import the certificate created in step 1 using Token-> Import Key:
f. Browse to the backup folder and choose your p12/pfx file created in step 1, input the password selected for
step 1 and use the Object ID noted earlier in step b:
6. Export the resulting CA certificate and private key to a .PFX file
These steps are still performed in argenie.
a. Double click the PrivateServer Provider [Slot #]
b. Locate your private key and right click it
c. Export the key:
d. Choose a file to save the key to
e. Select a password for the file
f. Change the encryption to 3DES
7. Restore the exported .PFX file
By running the following command on the CA:
Certutil -restorekey <PFX file path>
For Windows Server 2008 R2: Before you run this command, copy the exported .PFX file to the original CA.
8. Import registry settings for the CSP:
a. Create a registry file named Csp.reg so it has the following values:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<Your CA Common Name>\CSP]
"ProviderType"=dword:00000000
"Provider"="AR Key Storage Provider"
"CNGPublicKeyAlgorithm"="RSA"
"CNGHashAlgorithm"="SHA1"
b. Edit the contents, replacing <Your CA common name> with your CA common name.
c. Before you save the file, confirm you are using SHA-1 by running the following command:
Certutil -v -getreg ca\csp\HashAlgorithm
The output will look similar to the following:
HashAlgorithm REG_DWORD = 8004 (32772)
CALG_SHA1
Algorithm Class: 0x8000(4) ALG_CLASS_HASH
Algorithm Type: 0x0(0) ALG_TYPE_ANY
Algorithm Sub-id: 0x4(4) ALG_SID_SHA1
If you do not see SHA1 in your output, modify the CNGHashAlgorithm key value in the file to have the
appropriate name.
d. Save the file and then run it:
Csp.reg
9. Import registry settings for the CSP encryption settings:
a. Create a registry file named EncryptionCsp.reg so it has the following values:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<Your CA Common Name>\EncryptionCSP]
"ProviderType"=dword:00000000
"Provider"="AR Key Storage Provider"
"CNGPublicKeyAlgorithm"="RSA"
"CNGEncryptionAlgorithm"="3DES"
"MachineKeyset"=dword:00000001
"SymmetricKeySize"=dword:000000a8
b. Edit the contents, replacing <Your CA common name> with your CA common name.
c. Before you save the file, confirm you are using 3DES for the encryption algorithm by running the
following command:
certutil -v -getreg ca\encryptioncsp\EncryptionAlgorithm
The output will look similar to the following:
EncryptionAlgorithm REG_DWORD = 6603 (26115)
CALG_3DES
Algorithm Class: 0x6000(3) ALG_CLASS_DATA_ENCRYPT
Algorithm Type: 0x600(3) ALG_TYPE_BLOCK
Algorithm Sub-id: 0x3(3) ALG_SID_3DES
If you do not see 3DES in your output, modify the CNGEncryptionAlgorithm key value in the file to
have the appropriate name.
d. Save the file and then run it:
EncryptionCsp.reg
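As an added example (not part of the ARX guide), this PowerShell script generates the Csp.reg and EncryptionCsp.reg files of steps 8 and 9 from the CA's current HashAlgorithm and EncryptionAlgorithm registry values, so the CNG names are derived from the same values that Certutil -getreg prints. It goes beyond the guide by also mapping SHA-2 and AES identifiers; the script name, the output directory and the assumption that the CA's configuration key is named after its common name are mine.

```powershell
# Added example (not from the ARX guide): build Csp.reg and EncryptionCsp.reg for steps 8 and 9
# from the CA's current CSP settings so that CNGHashAlgorithm / CNGEncryptionAlgorithm match what
# the CA already uses. Assumes the CA configuration key is named after its common name.
param(
    [Parameter(Mandatory)][string]$CaCommonName,
    [string]$OutDir = $env:TEMP
)

$cfg = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaCommonName"
if (-not (Test-Path $cfg)) { throw "CA configuration key not found: $cfg" }

# CAPI ALG_ID -> CNG name (wincrypt.h). 0x8004 (CALG_SHA1) and 0x6603 (CALG_3DES) are the
# values certutil -getreg prints in the guide; the SHA-2 and AES rows extend that table.
$hashNames = @{ 0x8004 = 'SHA1'; 0x800C = 'SHA256'; 0x800D = 'SHA384'; 0x800E = 'SHA512' }
$encNames  = @{ 0x6603 = '3DES'; 0x660E = 'AES128'; 0x660F = 'AES192'; 0x6610 = 'AES256' }
$keyBits   = @{ '3DES' = 168; 'AES128' = 128; 'AES192' = 192; 'AES256' = 256 }  # 168 = 0xa8 as in the guide

$hashId = [int](Get-ItemProperty "$cfg\CSP").HashAlgorithm
$encId  = [int](Get-ItemProperty "$cfg\EncryptionCSP").EncryptionAlgorithm
if (-not $hashNames.ContainsKey($hashId)) { throw ('Unmapped HashAlgorithm 0x{0:X}' -f $hashId) }
if (-not $encNames.ContainsKey($encId))   { throw ('Unmapped EncryptionAlgorithm 0x{0:X}' -f $encId) }
$hashName = $hashNames[$hashId]
$encName  = $encNames[$encId]

$regKey = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaCommonName"
$cspReg = @"
Windows Registry Editor Version 5.00

[$regKey\CSP]
"ProviderType"=dword:00000000
"Provider"="AR Key Storage Provider"
"CNGPublicKeyAlgorithm"="RSA"
"CNGHashAlgorithm"="$hashName"
"@
$encReg = @"
Windows Registry Editor Version 5.00

[$regKey\EncryptionCSP]
"ProviderType"=dword:00000000
"Provider"="AR Key Storage Provider"
"CNGPublicKeyAlgorithm"="RSA"
"CNGEncryptionAlgorithm"="$encName"
"MachineKeyset"=dword:00000001
"SymmetricKeySize"=dword:$('{0:x8}' -f $keyBits[$encName])
"@

# regedit expects .reg files as UTF-16 (Unicode) text.
Set-Content -Path (Join-Path $OutDir 'Csp.reg')           -Value $cspReg -Encoding Unicode
Set-Content -Path (Join-Path $OutDir 'EncryptionCsp.reg') -Value $encReg -Encoding Unicode
Write-Output "Wrote Csp.reg ($hashName) and EncryptionCsp.reg ($encName, $($keyBits[$encName]) bits) to $OutDir"
```

Review the generated files before importing them; they replace the hand-edited files of steps 8 and 9 but the import itself is still done as the guide describes.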
10. Optional: Change the CA hash algorithm to SHA-2:
Note: This step is optional but recommended if your CA is using SHA-1 (or another, older
hash algorithm) and requesting devices support the more secure SHA-2 algorithm. It
might also be required to comply with the SHA-1 deprecation policy that is documented
in the SHA1 Deprecation Policy post on the Windows PKI blog.
o On the CA, run the following command:
certutil -setreg ca\csp\CNGHashAlgorithm <Hash Algorithm>
For example: certutil -setreg ca\csp\CNGHashAlgorithm SHA256
11. Start the CA service by running the following command:
Start-service certsvc
Repeat these steps on all CAs in your environment that you want to migrate:
For subordinate CAs: You will not see this migration take effect on the CA certificate until you migrate the
parent CA, and then renew the certificate for the subordinate CA.
For a root CA: You will not see the migration take effect for the CA certificate until you migrate the root CA, and
then renew the certificate for the root CA.
12. Validating the new settings
These steps are optional but recommended so that you can validate the new settings are operational before
the CA issues new certificates for production use.
To verify that the CA service is up and ready to receive requests
Run the following command on the CA:
Certutil -ping
A successful response is CertUtil: -CRL command completed successfully
To verify that the CA is configured for the correct key and provider
Run the following command on the CA:
Certutil -store my <Your CA Common Name>
A successful response will include the line Provider = AR Key Storage Provider
To verify that the certificate shows the correct signature algorithm and signature hash algorithm
Request and issue a certificate for a user or computer and inspect the resulting certificate details.
View the certificate by using the Certificates MMC snap-in and click the Details tab. The Signature
algorithm and Signature hash algorithm should show the correct values for your CA configuration.
If you are using a standalone CA and the Certreq.exe command-line tool to request and retrieve the certificate, you can
also use a Certutil command to view and validate the correct signing and hash algorithms. For example:
Certutil issuedCert.cer | findstr /spi algorithm
To verify that the certificate revocation list publishes and has the correct signature algorithm and signature hash algorithm
1. Publish the certificate revocation list (CRL) by running the following command on the CA:
Certutil -crl
2. Locate the CRL file (%windir%\system32\CertSrv\CertEnroll) and then run the following command:
Certutil [CAName].crl | findstr /spi algorithm
A successful publication displays the message: CertUtil: -CRL command completed successfully.
When you run the second command, confirm that the Algorithm ObjectId value is the correct hash algorithm for your
CA by using the following table:
Algorithm ObjectId   CA Signature Algorithm   CA Hash Algorithm
sha1RSA              RSA                      SHA-1
sha256RSA            RSA                      SHA-256
As an example, this output confirms the CA is using SHA-256:
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
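As an added example (not part of the ARX guide), this PowerShell script runs the step 12 checks in one pass: service ping, provider name in the CA store, and the signature algorithm OID of a freshly published CRL. The script name, the $ExpectedHash parameter and the OID rows beyond sha256RSA (1.2.840.113549.1.1.11) are assumptions.

```powershell
# Added example (not from the ARX guide): automate the validation checks of step 12 after the
# CA service has been started. Script name, $ExpectedHash and the OID table are assumptions.
param(
    [Parameter(Mandatory)][string]$CaCommonName,
    [ValidateSet('SHA1', 'SHA256', 'SHA384', 'SHA512')][string]$ExpectedHash = 'SHA256'
)

# RSA signature-algorithm OIDs; the guide's table lists sha1RSA and sha256RSA.
$sigOid = @{
    SHA1   = '1.2.840.113549.1.1.5';  SHA256 = '1.2.840.113549.1.1.11'
    SHA384 = '1.2.840.113549.1.1.12'; SHA512 = '1.2.840.113549.1.1.13'
}
$failures = @()

# 1. Is the CA service up and answering requests?
$ping = certutil -ping 2>&1 | Out-String
if ($LASTEXITCODE -ne 0) { $failures += "certutil -ping failed:`n$ping" }

# 2. Is the CA key now served by the AR KSP?
$store = certutil -store my $CaCommonName 2>&1 | Out-String
if ($store -notmatch 'Provider\s*=\s*AR Key Storage Provider') {
    $failures += "CA certificate '$CaCommonName' is not backed by 'AR Key Storage Provider'"
}

# 3. Does a freshly published CRL carry the expected signature algorithm?
$null = certutil -crl 2>&1
if ($LASTEXITCODE -ne 0) { $failures += 'certutil -crl failed' }
$crl = Get-ChildItem "$env:windir\system32\CertSrv\CertEnroll\*.crl" |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($crl) {
    $dump  = certutil $crl.FullName 2>&1 | Out-String
    $found = [regex]::Match($dump, 'Signature Algorithm:\s*Algorithm ObjectId:\s*(\S+)\s+(\S+)')
    if (-not $found.Success -or $found.Groups[1].Value -ne $sigOid[$ExpectedHash]) {
        $failures += "CRL $($crl.Name): expected $($sigOid[$ExpectedHash]) ($ExpectedHash), found '$($found.Groups[2].Value)'"
    }
} else { $failures += 'No CRL found in CertEnroll' }

if ($failures) { $failures | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output "All step 12 checks passed for '$CaCommonName' ($ExpectedHash)."
```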