Microsoft Active Directory Certificate Services
Configure your Microsoft Active Directory Certificate Service (ADCS) Certificate Authority (CA) to generate and secure the Microsoft Root CA signing keys on a Luna Cloud HSM Service. The Luna Cloud HSM Service provides full key life-cycle management with FIPS-certified hardware and reduces the cryptographic load on the host server CPU.
We recommend you use the Luna Cloud HSM for Microsoft ADCS service for this integration.
The Microsoft ADCS on Windows provides customizable services for creating and managing public key certificates used in software security systems employing public key infrastructure.
A server configured as a certification authority (CA) provides the management features needed to regulate certificate distribution and use. ADCS is the Windows Server service that provides the core functionality for Windows Server CAs. ADCS provides customizable services for managing certificates for a particular CA and for the enterprise.
The root of trust in a public key infrastructure is the CA. Fundamental to this trust is the CA's root cryptographic signing key, which is used to sign the public keys of certificate holders and more importantly, its own public key. The compromise of a CA's root key by malicious intent, inadvertent errors, or system failures can be of catastrophic proportions. Hence, this root-signing key must be diligently protected by the best technologies and practices within the cryptographic community such as using an HSM on Demand service.
This integration guide uses the following third-party applications:
- Microsoft Active Directory Certificate services
This integration is supported on the following operating systems:
- Windows Server 2016
Prerequisites
Before proceeding with the integration complete the following:
Provision Luna Cloud HSM Service
Configure the Luna Cloud HSM service for your application integration. See the section Luna Cloud HSM Service for detailed instructions on deploying and initializing a Luna Cloud HSM service partition and Luna Cloud HSM service client for your application integration.
Please take the following limitations into consideration when integrating your application with a Luna Cloud HSM service partition:
Non-FIPS algorithms: Luna Cloud HSM services operate in a FIPS and non-FIPS mode, which affects which algorithms are available on the partition. If your organization requires non-FIPS algorithms for your operations, ensure you enable the Remove FIPS restrictions check box when configuring your Luna Cloud HSM service. The FIPS mode is enabled by default.
Refer to the Supported Mechanisms in the SDK Reference Guide for more information about available FIPS and non-FIPS algorithms.
Verify Luna Cloud HSM <slot> value: LunaCM commands work on the current slot. If there is only one slot, then it is always the current slot. If you are completing an integration using Luna Cloud HSM services, you need to verify which slot on the Luna Cloud HSM service you send commands to.
If there is more than one slot, then use the slot set command to direct a command to a specified slot. You can use slot list to determine which slot numbers are in use by which Luna Cloud HSM service.
Prepare Environment for Windows Integration
Your system requires access to the SafeNet Key Storage Provider (KSP). Copy the SafeNetKSP.dll file from your downloaded Luna Cloud HSM service client to C:\Windows\System32.
Failure to copy the SafeNetKSP.dll file will result in no access to the SafeNet Key Storage Providers during the integration. For example, if configuring Microsoft Active Directory Certificate services, the SafeNet Key Storage Providers will not be available options when setting up the Cryptography for CA.
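The following script is an added example, not part of the Thales guide: it stages SafeNetKSP.dll into System32 and then checks, with the stock certutil -csplist enumeration, that Windows actually lists the SafeNet Key Storage Provider before you reach the Cryptography for CA page. The client directory path and the KSP subfolder name are assumptions; adjust them to where you extracted the Luna Cloud HSM service client.

```powershell
# Added example (not from the Thales guide). Stage SafeNetKSP.dll and confirm
# the SafeNet KSP is visible to CNG before running the AD CS configuration wizard.
# Assumption: $ClientDir is where the Luna Cloud HSM service client was extracted.
param(
    [string]$ClientDir = 'C:\LunaCloudHSM\Client'   # assumed path, adjust to your download
)

$source = Join-Path $ClientDir 'KSP\SafeNetKSP.dll'
$dest   = Join-Path $env:SystemRoot 'System32\SafeNetKSP.dll'

if (-not (Test-Path $source)) {
    throw "SafeNetKSP.dll not found at $source - check the client download location."
}

# Copy only when the file is missing or differs, and record the hash for change tracking.
if (-not (Test-Path $dest) -or
    (Get-FileHash $source).Hash -ne (Get-FileHash $dest).Hash) {
    Copy-Item -Path $source -Destination $dest -Force
}
Write-Host "SafeNetKSP.dll SHA256: $((Get-FileHash $dest).Hash)"

# certutil -csplist enumerates every CSP and KSP the host knows about.
$providers = certutil -csplist 2>&1
if ($providers -match 'SafeNet Key Storage Provider') {
    Write-Host 'SafeNet Key Storage Provider is registered and visible to CNG.'
} else {
    Write-Warning 'SafeNet KSP is not listed. Confirm the DLL copy and complete the KspConfig.exe registration steps, then re-run this check.'
    exit 1
}
```

Run it in an elevated PowerShell session; if the provider is absent here it will also be absent from the wizard's drop-down, so this is the cheapest place to catch the problem.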
Integration
This document provides detailed instructions and procedures to install and integrate Microsoft ADCS on Windows Server 2016 with an HSM on Demand service. Microsoft ADCS uses the SafeNet Luna Key Storage Provider (KSP) for integration.
We recommend that you familiarize yourself with Microsoft ADCS before beginning the integration. Refer to the Windows Server 2016 documentation for more information.
Configuring the SafeNet Key Storage Provider (KSP)
Install the KSP for generating the CA certificate keys on the Luna Cloud HSM Service. See To register the SafeNet Key Storage Provider for more information about configuring the SafeNet KSP. The tool KspConfig.exe is included in the Luna Client installation directory or is available in the Luna Cloud HSM Service Client.
Your system requires access to the SafeNet Key Storage Provider (KSP). Copy the SafeNetKSP.dll file from your downloaded Luna Cloud HSM Service Client to C:\Windows\System32. Failure to copy the SafeNetKSP.dll file will result in no access to the SafeNet Key Storage Providers during the integration. For example, if configuring Microsoft Active Directory Certificate services, the SafeNet Key Storage Providers will not be available options when setting up the Cryptography for CA.
Navigate to the KSP installation directory. Run KspConfig.exe.
The KSP client is available in the Luna Cloud HSM Service Client in the /KSP folder.
Double-click Register or View Security Library.
Click Browse. Select the cryptoki.dll file from the Luna Cloud HSM Service Client. Click Register.
On successful registration, a Success! message displays. Click OK.
Double-click Register HSM Slots.
Register the HSM for the Administrator user.
a. Open the Register For User drop-down menu and select Administrator.
b. Open the Domain drop-down menu and select your domain.
c. Open the Available Slots drop-down menu and select the service label.
d. Enter the Slot Password.
e. Click Register Slot.
f. On successful registration, a Success! message displays. Click OK.
Register the HSM for the System user.
a. Open the Register For User drop-down menu and select SYSTEM.
b. Open the Domain drop-down menu and select NT AUTHORITY.
c. Open the Available Slots drop-down menu and select the service label.
d. Enter the Slot Password.
e. Click Register Slot.
f. On successful registration, a Success! message displays. Click OK.
The Luna Cloud HSM Service has been registered for both users, despite only one entry appearing for the <slot_label> in the Registered Slots section of the KSP interface.
Installing Microsoft ADCS
You need to install Microsoft ADCS to configure the Certificate Authority role for the system. You must configure the Microsoft ADCS to use the Luna Cloud HSM Service when you install and configure the Microsoft Certificate Authority (CA) user role.
Log in as an Enterprise Admin or Domain Admin with administrative privileges.
Click Start, Administrative Tools, and open the Server Manager.
Install the Certification Authority user role.
a. Select Add roles and features.
b. On the Before You Begin page click Next.
c. On the Select installation type page enable the Role-based or feature-based installation radio button. Click Next.
d. On the Select destination server page enable the Select a server from the server pool radio button. Select your server from the Server Pool menu. Click Next.
e. On the Select Server Roles page select the Active Directory Certificate services check box. Click Next.
f. A window will display asking you to Add features that are required for Active Directory Certificate services. Click Add Features. Click Next.
These are additional features that must be installed for the Active Directory Certificate services to function.
g. On the Active Directory Certificate services page click Next.
h. On the Select Role services page select the Certification Authority check box. Click Next.
The Certificate Authority is the only CA service supported by a cluster environment.
i. Click Install.
When the installation completes click Configure Active Directory Certificate services on the destination server. The AD CS configuration wizard will display.
a. On the Credentials page click Next.
b. On the Role services page enable the Certification Authority check box. Click Next.
c. On the Setup Type page enable the Enterprise CA check box. Click Next.
d. On the CA Type page enable the Root CA check box. Click Next.
e. On the Private Key page select the option that is most appropriate for your organization. Follow the corresponding procedure below:
Create a new private key:
i. Enable the Create a new private key check box
ii. On the Cryptography for CA page open the Select a cryptographic service provider (CSP) drop-down menu and select a SafeNet Key Storage Provider algorithm from the list.
iii. Open the Key character length drop-down menu and select an appropriate length. Select the Hash algorithm that the CA will use for signing certificates.
iv. Enable the Allow administrator interaction when the private key is accessed by the CA check box.
v. Click Next.
Use an existing private key:
i. Enable the Use existing private key and the Select an existing private key on this computer check box. The Change Cryptographic Provider dialog displays.
ii. Click Change and select the SafeNet KSP algorithm that you used to generate the private key.
iii. Clear the CA common name field. Click Search.
iv. Select the existing key. Click Next.
v. Select the Hash algorithm that the CA will use for signing certificates.
vi. Enable the Allow administrator interaction when the private key is accessed by the CA check box.
vii. Click Next.
f. On the CA name page enter a Common name for this CA. Click Next.
g. On the Validity Period page set the validity period for the CA certificate. Click Next.
h. On the Configure Certificate Database page set the location where the CA will store its logs. Click Next.
i. On the Confirm Installation Selections page verify that the CA you are about to configure is appropriate.
j. Click Configure.
Click Close to exit the AD CS Configuration after viewing the installation results.
Verify that the CA service is running.
sc query certsvc
Verify the CA key.
certutil -verifykeys
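As an added post-install check that is not part of the Thales guide, the script below wraps the two verification commands above and additionally reads the CA's CSP configuration from the CertSvc registry key, so you can confirm that the root signing key is held by the SafeNet Key Storage Provider and not by a software provider. The registry value names Provider and CNGHashAlgorithm are the standard AD CS ones; the check assumes a single active CA on the host.

```powershell
# Added example (not from the Thales guide). Confirm the CA is running and that
# its signing key is bound to the SafeNet KSP, i.e. actually on the Luna Cloud HSM.
$svc = Get-Service -Name certsvc
if ($svc.Status -ne 'Running') {
    throw "certsvc is $($svc.Status); expected Running"
}

# The active CA name and its CSP settings live under the CertSvc configuration key.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg).Active          # assumes one active CA
$csp    = Get-ItemProperty -Path (Join-Path $cfg "$caName\CSP")

"CA name:        $caName"
"Key provider:   $($csp.Provider)"
"Hash algorithm: $($csp.CNGHashAlgorithm)"

# Security-relevant check: a software CSP here means the root key never reached the HSM.
if ($csp.Provider -ne 'SafeNet Key Storage Provider') {
    Write-Warning "CA key is held by '$($csp.Provider)', not the SafeNet KSP. Re-run the wizard or migrate with ms2luna."
}

# certutil -verifykeys confirms the CA certificate's public key matches the private key the provider holds.
$verify = certutil -verifykeys 2>&1
if ($LASTEXITCODE -ne 0) {
    throw "certutil -verifykeys failed:`n$($verify -join "`n")"
}
'Key verification passed.'
```

The same provider value can be read with certutil -getreg CA\CSP\Provider; the registry read is used here so the result can be compared in a script rather than eyeballed.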
The MS ADCS integration with the HSM on Demand service is complete. If you are configuring RAC you need to continue. If you are not configuring RAC, proceed to Enrolling the CA certificate.
Export the CA certificate
a. Open a command prompt and execute certsrv.msc. Click OK.
b. Select the CA node. Open the Action menu, click All Tasks and select Backup CA.
c. On the Welcome to the Certification Authority Backup Wizard page click Next.
d. Enable the Private key and CA certificate check box. Enter a directory location to store the certificate and key. Click Next.
e. Enter a password in the Password field, and confirm the password in the Confirm Password field. Click Next.
f. Click Finish.
You will receive a warning message stating that the private key cannot be exported. This is expected behavior. The private key never leaves the Luna Cloud HSM Service.
g. Click OK.
h. Use ksputil.exe so that the keys are visible to the second node in the cluster.
ksputil clusterKey /s <slot_number> /n <CA_name> /t <Target_host_name>
Halt the CA service to unlock the shared disk resources.
a. Click Action, select All Tasks, and then click Stop service.
b. Close the CA management utility.
Detach the shared storage from the cluster node.
a. Access the Server Manager MMC utility. Click the File and Storage services.
b. Open Disks and right-click the shared disk resource, select Take Offline.
Release the HSM from the cluster node.
a. Disable the network connection to the HSM.
b. Log off from the cluster node.
Enrolling the CA Certificate
You need to set the certificate that will be used by the Certification Authority on the system.
Verify that the CA service is running.
sc query certsvc
Create a CA template that uses SafeNet KSP.
a. Open a command prompt and execute certtmpl.msc.
b. Right-click the Administrator template and click Duplicate Template.
c. On the Compatibility tab open the Certification Authority drop-down menu and select Windows Server 2008. Open the Certificate Recipient drop-down menu and select Windows Server 2008. Click OK.
d. Select the General tab and enter a name for the template in the Template display name field.
e. Select the Cryptography tab and open the Provider Category drop-down menu. Select Key Storage Provider. Enable the Requests must use one of the following providers check box.
f. In the Providers field, select the SafeNet Key Storage Provider check box.
g. Open the Algorithm name drop-down menu and select an algorithm.
h. Open the Request hash drop-down menu and select a hash signature.
i. Select the Subject Name tab and uncheck the Include e-mail name in subject name check box and the E-mail name check box.
j. Click Apply to save the template and click OK.
Open a command prompt and execute certsrv.msc.
Double-click the CA name. Right-click Certificate Templates, select New, and click Certificate Template to Issue.
Select the template that was recently created. Click OK.
Request a certificate based on the template.
a. Open a command prompt and execute certmgr.msc.
b. Right-click Personal, select All Tasks, and click Request New Certificate....
c. Click Next.
d. Click Next.
e. Enable the checkbox next to the recently created template.
f. Click Enroll.
g. Verify the certificate was enrolled successfully.
Archiving Keys
This section will demonstrate that the various configurations with the Luna Cloud HSM Service do not interfere with the CA key archival functionality.
Add a Key Recovery Agent Template to the CA
Add Key Recovery Agent (KRA) template to the CA.
Open a command prompt and execute certsrv.msc.
Right-click Certificate Templates, select New, and click Certificate Template to Issue.
Select the Key Recovery Agent template. Click OK.
Request a KRA certificate
Open a command prompt and execute certmgr.msc.
Right-click Personal, select All Tasks, and click Request New Certificate....
Click Next.
Click Next.
Enable the Key Recovery Agent check box.
Click Enroll.
Verify that enrollment is pending. Click Finish.
Issue the KRA certificate
Open a command prompt and execute certsrv.msc.
Open Pending Requests. Right-click on the latest request for the KRA template, select All Tasks, and click Issue.
Select Issued Certificates... and verify that a new certificate has been issued.
Retrieve the issued certificate from CA.
Open a command prompt and execute certmgr.msc.
Right-click Certificates -- Current User, select All Tasks, and click Automatically enroll and retrieve certificates. Click Next.
Select the recently issued KRA certificate. Click Finish.
Configure the CA to support Key Archival
Open a command prompt and execute certsrv.msc.
Right-click the CA name and select Properties.
Select the Recovery Agents tab and enable the Archive the key radio button. Click Add.
Select the recently created KRA certificate. Click OK.
A dialog window displays stating you must restart the Active Directory Certificate services for the changes to take effect. Click Yes.
Create a template with key archival enabled
Open a command prompt and execute certtmpl.msc.
Right-click the User template and select Duplicate Template.
On the Compatibility tab open the Certification Authority drop-down menu and select Windows Server 2008. Open the Certificate Recipient drop-down menu and select Windows Server 2008. Click OK.
Select the General tab and enter a name for the template in the Template display name field. Enable the Publish certificate in Active Directory check box.
Select the Request Handling tab and enable the Archive subject's encryption private key check box.
Select the Subject Name tab and uncheck the Include e-mail name in subject name check box and the E-mail name check box.
Click Apply and then click OK.
Add a new template to CA for issuing
Open a command prompt and execute certsrv.msc.
Right-click Certificate Templates, click New, and select Certificate Template to Issue.
Select UserKeyArchival and click OK.
Issue the key archival template
Open a command prompt and execute certmgr.msc.
Right-click Personal, select All Tasks, and click Request New Certificate....
Click Next.
Click Next.
Enable the UserKeyArchival check box.
Click Enroll. Verify that the enrollment was successful.
Click Finish.
Performing a Key Recovery
You can recover archived keys.
Log on to the system as Domain Administrator and ensure that the private key is still recoverable by viewing the Archived Key column in the Certification Authority console.
a. Log on as Domain Administrator.
b. From Administrative Tools, open Certification Authority.
c. In the console tree, double-click CA, and then click Issued Certificates.
d. From the View menu, click Add/Remove Columns.
e. In Add/Remove Columns, in Available Column, select Archived Key, and then click Add. The Archived Key should now appear in Displayed Columns.
f. Click OK and then, in the details pane, scroll to the right and confirm that the last issued certificate to UserKeyArchival has a Yes value in the Archived Key column.
A certificate template must be modified so that the Archive bit and Mark Private Key as Exportable attributes are enabled. The private key is only recoverable if there is data in the Archived Key column.
g. Double-click the Archive User certificate.
h. Click Details. Write down the serial number of the certificate.
The serial number is required for recovery. Do not include spaces between the values.
i. Click OK, and close the Certification Authority.
Import the private key into an output file.
a. Open a command prompt and execute cd \. Ensure that you are in the C:\ directory.
b. Execute certutil -getkey <serial_number> <output_blob>
c. Execute dir <output_blob>
If the file <output_blob> does not exist, verify the serial number that you used.
Recover the original private/public key.
a. Open a command prompt and execute certutil -recoverkey <output_blob> user.pfx.
b. When prompted, enter a new password.
c. Execute exit. Close all windows and log off as the current user.
Find the recovered certificate.
a. Open a command prompt and execute certmgr.msc.
b. Right-click Certificates (Current User), and select Find Certificates.
c. Enter the CA name into the Contains field and click Find Now.
d. Click Select All on the Edit menu.
e. Click Delete on the File menu.
f. Click Yes.
g. Close Find Certificates.
Import the certificate.
a. Right-click Personal, click All Tasks, and select Import.
b. Click Next.
c. On the Files to Import page enter c:\user.pfx in the File Name field. Click Next.
d. Enter the password for the .pfx file. Click Next.
e. On the Certificate Store page enable the Automatically select the certificate store based on the type of certificate check box. Click Next.
f. Click Finish.
Verify the serial number of the imported certificate.
a. Double-click Personal and select Certificates.
b. Double-click the certificate.
c. Click the Details tab. Verify that the serial number matches the original.
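The recovery walk-through above (getkey, recoverkey, import, serial-number check) can be run as one script. The following is an added example, not the Thales guide's own procedure: it assumes the caller holds a Key Recovery Agent certificate in their user store, that $SerialNumber is the serial copied from the issued certificate, and that $WorkDir is a directory only the recovery operator can read. The serial-number comparison at the end replaces the manual Details-tab check.

```powershell
# Added example (not from the Thales guide). Scripted key recovery for one
# archived certificate, ending with the serial-number verification step.
# Assumptions: KRA certificate present for the current user; $WorkDir is access-controlled.
param(
    [Parameter(Mandatory)][string]$SerialNumber,
    [string]$WorkDir = 'C:\KeyRecovery'          # assumed working directory
)

# The guide warns not to include spaces in the serial number; strip and validate.
$SerialNumber = $SerialNumber -replace '\s', ''
if ($SerialNumber -notmatch '^[0-9a-fA-F]+$') {
    throw 'Serial number must be a hexadecimal string without spaces.'
}

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$blob = Join-Path $WorkDir "$SerialNumber.blob"
$pfx  = Join-Path $WorkDir 'user.pfx'

# Step 1: fetch the archived, KRA-encrypted key blob from the CA database.
certutil -getkey $SerialNumber $blob | Out-Null
if (-not (Test-Path $blob)) {
    throw "No blob produced for serial $SerialNumber - verify the serial number."
}

# Step 2: decrypt with the KRA private key into a password-protected PFX.
# certutil prompts interactively for the new PFX password.
certutil -recoverkey $blob $pfx
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $pfx)) {
    throw 'certutil -recoverkey failed.'
}

# Step 3: verify the recovered certificate carries the serial that was requested.
$recovered = Get-PfxCertificate -FilePath $pfx      # prompts for the PFX password
if ($recovered.SerialNumber -ieq $SerialNumber) {
    "Recovered key matches serial $SerialNumber ($($recovered.Subject))"
} else {
    throw "Serial mismatch: PFX holds $($recovered.SerialNumber), expected $SerialNumber"
}

# The blob still contains the private key encrypted to the KRA; remove it once the PFX exists.
Remove-Item -Path $blob -Force
```

Import the resulting user.pfx through certmgr.msc as described above, or with Import-PfxCertificate; either way the PFX and its password should be handled as the sensitive material they are.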
Preparing the Active Directory Certificate Services Cluster Environment
If you are configuring RAC you must prepare the ADCS cluster environment for configuration. Before you proceed with the following procedures, ensure you have completed the following:
- You must configure the SafeNet KSP before preparing the ADCS cluster environment. See Configuring the SafeNet Key Storage Provider (KSP) for more information.
- You must complete Installing Microsoft ADCS on the primary cluster node.
Setting up the CA Server Role on the Secondary Cluster Node
This section provides detailed procedures on setting up the secondary cluster node.
Configure the secondary cluster node
Log in to the cluster node with permissions to install the secondary cluster node. To install an enterprise CA log in to an account with enterprise permissions in the Active Directory domain.
Click Start, select Run, and enter servermanager.msc in the field. Click OK.
Click File and Storage services and select Disks. Ensure that the shared disk used by the CA is online.
Click Start, select Run, and enter MMC in the field. Click OK.
Open the File menu and select Add/Remove Snap-in....
Select Certificates from the Available snap-ins menu and click Add.
Enable the Computer account radio button and click Next.
Enable the Local computer: (the computer this console is running on) radio button. Click Finish.
Click OK.
Import an existing certificate
Right-click Certificates (Local Computer) and select Personal.
In the Action menu click All Tasks and select Import....
The Certificate Import Wizard will open. Click Next.
Enter the filename of the CA certificate for import. Click Next.
If you use the Browse... utility to find the certificate you must change the file type extension to Personal Information Exchange - *.pfx
Enter the password that was previously used to secure the private key. Click Next.
The private key password is required even if there is no private key in the *.pfx file.
Enable the Place all certificates in the following store radio button. Enter Personal in the Certificate Store field. Click Next.
Click Finish to import the certificate. Click OK to confirm the import.
Repair the association between the certificate and private key.
a. In the Certificate Manager expand Personal and select Certificates.
b. Select the imported certificate. Open the Action menu and select Open.
c. On the Details tab select the Serial number field. Copy the serial number value to the clipboard. Click OK.
d. Open a command prompt and execute certutil -repairstore MY "<serial_number>".
Add the AD CS role
Open the Server Manager and select Add Roles and Features.
The Add Roles and Features wizard displays. On the Before You Begin page click Next.
On the Select installation type page enable the Role-based or feature-based installation radio button. Click Next.
On the Select Destination server page enable the Select a server from the server pool radio button. Select your server in the Server Pool menu. Click Next.
On the Select Server Roles page select the Active Directory Certificate services check box. Click Next.
A window displays asking you to Add features that are required for Active Directory Certificate services. Click Add Features. Click Next.
These are additional features that must be installed for the Active Directory Certificate services to function.
On the Features page click Next.
On the Active Directory Certificate services page click Next.
On the Select Role services page select the Certification Authority check box. Click Next.
The Certificate Authority is the only CA service supported by a cluster environment.
Click Install.
When the installation completes click Configure Active Directory Certificate services on the destination server. The AD CS configuration wizard displays.
Configure the AD CS role
On the Credentials page click Next.
On the Role services page enable the Certification Authority check box. Click Next.
On the Setup Type page enable the Enterprise CA check box. Click Next.
On the CA Type page enable the Root CA check box. Click Next.
On the Private Key page enable the Use existing private key and the Select a certificate and use its associated private key radio buttons. Click Next.
On the Existing Certificate page select the CA certificate that was generated on the primary node. Click Next.
On the Configure Certificate Database page set the location where the CA will store its logs. Click Next.
A dialog box will display stating an existing database was found. Click Yes to proceed.
Click Configure.
Click Close to finish the role installation.
Log off from the secondary cluster node.
Installing the Failover Cluster Feature
The following procedure must be repeated for each node in the cluster.
Log in to the cluster node with local Administrator permissions.
Open Server Manager. Click Add roles and features.
On the Before you begin page click Next.
Select the Role-based or feature-based installation radio button. Click Next.
On the Select destination server page enable the Select a server from the server pool radio button. Select your server in the Server Pool menu. Click Next.
Click Next.
On the Select Features page enable the Failover Clustering check box. Click Next.
A window will display asking you to Add features that are required for Failover Clustering. Click Add Features. Click Next.
These are additional features that must be installed for the Active Directory Certificate services to function.
Click Install. When the installation is complete click Close.
Configuring the Failover Cluster Feature
You need to configure and enable the failover cluster feature.
Log on to the cluster node.
Open Server Manager. Open the Tools menu and select Failover Cluster Manager.
Open the Action menu and select Create a cluster.
On the Before You Begin page click Next.
On the Select Servers page enter the cluster node name of the first cluster node in the Enter Server Name field. Click Add.
On the Select Servers page enter the cluster node name of any remaining nodes. Click Add.
Click Next to continue.
On the Access Point for Administering the Cluster page enter a name to identify the cluster configuration. Click Next.
On the Confirmation page verify that you have properly configured the cluster name with the failover cluster. Click Next.
On the Summary page verify the Create Cluster report. Click Finish.
Configuring the Active Directory Certificate services Failover Cluster
You need to configure the failover cluster feature to recognize the primary and activate the standby databases on failure.
Open the Failover Cluster Management snap-in. Right-click Role and select Configure Role.
On the Before You Begin page click Next.
On the Select role page select Generic service. Click Next.
On the Select service page select Active Directory Certificate services. Click Next.
On the Client Access Point page enter a name for the service in the Name field. Click Next.
On the Select Storage page enable the check box next to the disk storage that is mounted to the node. Click Next.
On the Replicate Registry Settings page click Add. Enter SYSTEM\CurrentControlSet\services\CertSvc and click OK. Click Next.
On the Confirmation page verify the service you are configuring. Click Next.
On the Summary page verify the Generic service report. Click Finish.
Use the ksputil.exe to migrate the keys to the cluster.
ksputil c /s <slot_number> /t <CA_cluster_service_name> /n <CA_name>
Creating CRL objects in the Active Directory
You can create a Certificate Revocation List object for your Active Directory.
Log on to the cluster node.
Open a command prompt and execute cd %WINDIR%\System32\Certsrv\CertEnroll
Publish the CRL into the Active Directory.
certutil -f -dspublish "<CRL_file>"
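As an added example that is not part of the Thales guide, the script below publishes every CRL the CA has written into its CertEnroll folder and then prints each CRL's validity window so a stale list is not advertised to relying parties. It assumes it runs on a cluster node under an account with enterprise permissions, as the procedure above requires.

```powershell
# Added example (not from the Thales guide). Publish the CA's CRL files to the
# CDP container in Active Directory and show their validity window.
$enroll = Join-Path $env:WINDIR 'System32\Certsrv\CertEnroll'
$crls   = Get-ChildItem -Path $enroll -Filter '*.crl' -File

if (-not $crls) {
    throw "No CRL files found in $enroll. Run 'certutil -CRL' on the active node first."
}

foreach ($crl in $crls) {
    # -f overwrites an existing CDP object; -dspublish writes the CRL into AD.
    certutil -f -dspublish "$($crl.FullName)" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "dspublish failed for $($crl.Name)"
        continue
    }
    "Published $($crl.Name)"

    # Surface ThisUpdate / NextUpdate so an expired or soon-to-expire CRL is noticed.
    certutil -dump $crl.FullName |
        Select-String -Pattern 'ThisUpdate:|NextUpdate:' |
        ForEach-Object { "    $($_.Line.Trim())" }
}
```

If NextUpdate is already in the past on the copy you just published, clients will treat the CA's certificates as unverifiable, so re-issue the CRL before publishing rather than publishing an old file.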
Modifying the CA Configuration in Active Directory
You can perform the following procedural set from any computer in your Active Directory configuration. The AIA object in the Active Directory stores the CA certificate. To enable both cluster nodes to update the CA certificate, complete the following.
Log on to the system with enterprise permissions.
Click Start, select Run, and enter dssite.msc in the field. Click OK.
Select the top node in the left pane. Open the View menu and select Show services.
Expand services and Public Key services.
Select AIA. Select the CA name. Open the Action menu and select Properties.
a. Select the Security tab and click Add....
b. Click Object Types and enable the Computers check box. Click OK.
c. Enter the name of the secondary cluster node in the Enter the object names to select field. Click OK.
d. Select the Full Control check box for each cluster in the configuration. Click OK.
Select Enrollment services. Select the CA name. Open the Action menu and select Properties.
a. Select the Security tab and click Add....
b. Click Object Types and enable the Computers check box. Click OK.
c. Enter the name of the secondary cluster node in the Enter the object names to select field. Click OK.
d. Select the Full Control check box for each cluster in the configuration. Click OK.
Select KRA. Select the CA name. Open the Action menu and select Properties.
a. Select the Security tab and click Add....
b. Click Object Types and enable the Computers check box. Click OK.
c. Enter the name of the secondary cluster node in the Enter the object names to select field. Click OK.
d. Select the Full Control check box for each cluster in the configuration. Click OK.
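The three Security-tab edits above grant the secondary node's computer account Full Control on the CA's AIA, Enrollment Services and KRA objects. The script below is an added example, not part of the Thales guide, that performs the same grants with dsacls so they are repeatable and reviewable. It assumes $CAName is the Common name chosen for the CA (as it appears in the Public Key Services containers) and $Node2 is the secondary node's computer name; the forest configuration naming context is read from RootDSE.

```powershell
# Added example (not from the Thales guide). Grant the secondary cluster node's
# computer account Full Control on the CA's AIA, Enrollment Services and KRA objects.
# Assumptions: $CAName matches the object CN under Public Key Services; $Node2 is the
# computer name without the trailing '$'; the current user has enterprise permissions.
param(
    [Parameter(Mandatory)][string]$CAName,
    [Parameter(Mandatory)][string]$Node2
)

$domain   = $env:USERDOMAIN
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = $rootDse.Properties['configurationNamingContext'].Value
$pks      = "CN=Public Key Services,CN=Services,$configNC"

foreach ($container in 'AIA', 'Enrollment Services', 'KRA') {
    $dn = "CN=$CAName,CN=$container,$pks"
    # dsacls /G grants rights; GA = generic all, i.e. Full Control as the guide specifies.
    $out = dsacls "$dn" /G "$domain\$Node2`$:GA" 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Grant failed on $dn`n$($out -join "`n")"
    } else {
        "Granted Full Control to $domain\$Node2`$ on $dn"
    }
}

# Review: list the ACEs that now mention the secondary node on the AIA object.
dsacls "CN=$CAName,CN=AIA,$pks" | Select-String -Pattern $Node2
```

Full Control is what the guide specifies so that either node can update the CA certificate; keep the grant scoped to the CA's own objects rather than the parent containers, since those objects govern which CAs the forest trusts for enrollment.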
Close the Sites and services snap-in.
Backing up the Certification Authority
You can enable and configure the location where the CA backup files will be stored using the Active Directory certificate services management console.
Click Start, select Run, and enter certsrv.msc in the field. Click OK.
Select the CA node. Open the Action menu, click All Tasks and select Backup CA.
On the Welcome to the Certification Authority Backup Wizard page click Next.
Enable the Private key and CA certificate check box. Enter a directory location to store the certificate and key. Click Next.
Enter a password in the Password field, and confirm the password in the Confirm Password field. Click Next.
Click Finish.
Restoring the Certification Authority
You can restore CA certificates from the Active Directory certificate services management console.
Click Start, select Run, and enter certsrv.msc in the field. Click OK.
Select the CA node. Open the Action menu, click All Tasks and select Restore CA.
On the Welcome to the Certification Authority Backup Wizard page click Next.
Enable the Private key and CA certificate check box. Enter a directory location to temporarily store the certificate and key. Click Next.
Enter a password in the Password field, and confirm the password in the Confirm Password field. Click Next.
Click Finish.
A dialog will display. It asks "Do you want to start Active Directory Certificate services?" Click Yes.
Verify the Active Directory Certificate services have successfully restarted in certsrv.
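For scheduled backups the wizard steps above can be replaced by the ADCSAdministration cmdlets. The script below is an added example that is not part of the Thales guide: it backs up the CA database and log files, exports the CA certificate, and saves the CertSvc configuration registry key, while leaving the private key where the guide says it stays, on the Luna Cloud HSM. $BackupRoot is an assumed location and should be an access-controlled folder or share.

```powershell
# Added example (not from the Thales guide). Unattended CA backup for a CA whose
# signing key is held on the Luna Cloud HSM (so no private key is exported).
# Assumption: $BackupRoot is an access-controlled local folder or share.
Import-Module ADCSAdministration

$BackupRoot = 'D:\CABackup'                       # assumed path
$stamp      = Get-Date -Format 'yyyyMMdd-HHmm'
$dest       = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Database and logs only: the private key never leaves the HSM, so a key export
# is neither possible nor needed (the wizard's "cannot be exported" warning is the same fact).
Backup-CARoleService -Path $dest -DatabaseOnly -Force

# The CA certificate (public part) is needed on restore to re-associate with the HSM key.
certutil -ca.cert (Join-Path $dest 'ca.cer') | Out-Null

# The CertSvc configuration key records the CA name, CSP/KSP binding and CDP/AIA settings.
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
    (Join-Path $dest 'CertSvc-Configuration.reg') /y | Out-Null

# Manifest of what was written, with hashes, for integrity checking at restore time.
Get-ChildItem -Path $dest -Recurse -File | ForEach-Object {
    '{0,-45} {1}' -f $_.FullName.Substring($dest.Length + 1), (Get-FileHash $_.FullName).Hash
} | Tee-Object -FilePath (Join-Path $dest 'manifest.txt')
```

A restore of this set uses Restore-CARoleService with -DatabaseOnly, after which the CA is pointed back at the HSM-held key through the existing-key path of the AD CS configuration wizard described earlier in this guide.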
Migrating a MS CA onto a Luna Cloud HSM Service using ms2Luna
Storing keys in software is not a secure practice. We recommend migrating the CA signing key onto the Luna Cloud HSM Service. Refer to the SDK Reference Guide for more information about using the ms2luna.exe command.
Copy the CA certificate thumbprint.
Open a command prompt and run ms2Luna.exe from the Luna Cloud HSM Service Client /ksp subdirectory.
You need to register the service using KSP before migrating MS CA to the Luna Cloud HSM Service. See Configuring the SafeNet Key Storage Provider (KSP) for more information about registering the service with the SafeNet KSP.
Enter the Thumbprint of CA certificate and press Enter.
Verify that CA provider changes to SafeNet Key Storage Provider.
Uninstall the existing CA that the key was removed from.