Setting up a CA with ProtectToolkit-M
This section explains how to configure ProtectToolkit-M to be used with the Microsoft CA.
ProtectToolkit-M, in conjunction with Microsoft CA, provides secure storage of keys related to signing certificates.
Before you begin, ensure that:
- you have read and understood ProtectToolkit 7 software installation and Setup and Configuration.
- Microsoft CA has NOT been installed prior to the ProtectToolkit-M installation.
- the current logged-on user has Windows administrator privileges.
- a keyset exists for the logged-on user.
An example of how to set up the CA with ProtectToolkit-M on Microsoft Windows 2008 R2 follows.
Note
If you are operating the ProtectServer 3 HSM in FIPS Mode for this integration, ensure that the client system is configured to communicate with the HSM over the Secure Messaging System (SMS). For more information, refer to Using ProtectToolkit-M with the Secure Messaging System enabled.
This example assumes a standalone configuration for a root CA. Actual values should be chosen as required, to suit each particular installation.
To set up the CA with ProtectToolkit-M
- From the Windows Control Panel, select Administrative Tools and select Server Manager from the list of tools.
- Select Add Roles.
- Check the box for “Active Directory Certificate Services”, select Next, and then Next again.
- Check the box for “Certification Authority” and select Next.
- Select Standalone and select Next.
- Select Root CA and select Next.
- Select the appropriate option (new or existing private key) and select Next.
- Select the SafeNet CSP from the list, configure your cryptographic options as required, and select Next.
- Configure your CA name as required and select Next.
- Set the validity period for the certificate generated for the CA as required and select Next.
- Specify the locations for the certificate database and certificate database log and select Next.
- Review the CA configuration. If any parameters are incorrect, use the links in the left pane to return to the appropriate page to make changes. When the configuration is correct, select Install to install the CA.
Following the successful completion of the above steps, ProtectToolkit-M is now selected as the CSP for Microsoft CA operations. For further details regarding the Microsoft CA, please refer to your Microsoft documentation.
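One way to confirm the CSP selection after installation, as an added example that is not part of the original ProtectToolkit documentation: the PowerShell script below reads the provider recorded for the active CA in the Certificate Services registry configuration and then runs `certutil -verifykeys`. It assumes the provider name contains "SafeNet" (use the exact name shown in the wizard's CSP list) and that it is run from an elevated prompt on the CA host.

```powershell
# Added example: check that the installed CA is bound to the expected CSP.
# Assumption: the provider name contains "SafeNet"; set $ExpectedPattern to
# the exact provider name shown in the wizard's CSP list for a stricter check.
$ExpectedPattern = 'SafeNet'

$configRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# The "Active" value names the CA that Certificate Services runs on this host.
$caName = (Get-ItemProperty -Path $configRoot -ErrorAction Stop).Active
if (-not $caName) {
    throw "No active CA is recorded under $configRoot"
}

# The CSP subkey records the provider chosen during role setup.
$cspKey = "$configRoot\$caName\CSP"
$csp = Get-ItemProperty -LiteralPath $cspKey -ErrorAction Stop

Write-Output "CA name       : $caName"
Write-Output "Provider      : $($csp.Provider)"
Write-Output "Provider type : $($csp.ProviderType)"

# A software provider here means the signing key is not held by the HSM.
if ($csp.Provider -notmatch $ExpectedPattern) {
    Write-Warning "CA '$caName' uses '$($csp.Provider)', not a provider matching '$ExpectedPattern'."
    exit 1
}

# Have the CA prove it can use its private key through that provider.
& certutil.exe -verifykeys
if ($LASTEXITCODE -ne 0) {
    Write-Warning "certutil -verifykeys failed (exit code $LASTEXITCODE); check HSM connectivity and the keyset."
    exit 2
}

Write-Output "CA signing key is reachable through the expected CSP."
```

A non-zero exit code from the script indicates either a provider mismatch (1) or a key verification failure (2), which makes it usable as a scheduled health check.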