Microsoft Active Directory Certificate Services Integration Guide

This document covers the necessary information to install, configure, and integrate Microsoft Active Directory Certificate Services (ADCS) on Windows with an HSM on Demand (HSMoD) service. It demonstrates how to secure your Microsoft Root Certificate Authority (CA) signing keys in an HSMoD service.

Microsoft ADCS on Windows provides customizable services for creating and managing the public key certificates used in software security systems that employ a public key infrastructure.

A server configured as a certification authority (CA) provides the management features needed to regulate certificate distribution and use. ADCS is the Windows Server service that provides the core functionality for Windows Server CAs. ADCS provides customizable services for managing certificates for a particular CA and for the enterprise.

The root of trust in a public key infrastructure is the CA. Fundamental to this trust is the CA’s root cryptographic signing key, which is used to sign the public keys of certificate holders and, more importantly, its own public key. The compromise of a CA’s root key through malicious intent, inadvertent error, or system failure can be catastrophic. Hence, this root signing key must be diligently protected with the best technologies and practices available within the cryptographic community, such as an HSM on Demand service.

Using an HSMoD service to secure the Microsoft ADCS root key provides the following benefits:

>full life cycle management of the keys

>load-balancing and failover by clustering

This document contains the following sections:

>Preparing for the Integration

>Integrating Microsoft Active Directory Certificate Services with an HSM on Demand Service on Windows Server 2012 R2 or Windows Server 2016

This overview contains the following topics:

>Third Party Application Details

>Supported Platforms

Third Party Application Details

This integration guide uses the following third party applications:

>Microsoft Active Directory Certificate Services

Supported Platforms

The following platforms are tested with SafeNet Data Protection On Demand:

>Windows Server 2016

>Windows Server 2012 R2