
Document Version 1.0

ARX | 855 Folsom St. Suite 939, San Francisco, CA 94107 | Tel. (415) 839-8161 | www.arx.com | [email protected]

PrivateServer™ HSM

Replace SVMK Procedure

February 2014


Notice

The information provided in this document is the sole property of Algorithmic Research Ltd. No part of this document may be reproduced, stored or transmitted in any form or any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission from Algorithmic Research Ltd.

Copyright © 2014 by Algorithmic Research Ltd. All rights reserved.


Introduction

This guide was prepared and tested using a Windows Server 2012 machine.

It will help you migrate your CA's CSP into an AR KSP.

Requirements

Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2 or above.

PrivateServer client (Windows only).

Configured and working Signing Engine.

An altered version of cspkcs12.dll allowing private keys to be stored as non-sensitive.

How to receive an altered version of cspkcs12.dll

To receive an altered version of cspkcs12.dll you will have to contact our support at [email protected].

Please mention your PrivateServer serial number in order to expedite the issue.

Please note: This file is TEMPORARY and will be used ONLY DURING THIS PROCESS.

You will have to save a copy of your old file and restore it when you are done.

If you do not, your keys and PrivateServer will be open to a security breach.

Test Environment

We highly recommend performing this operation on a test environment before performing it on your production environment.

This is to ensure you have everything you need and your production environment won't suffer from higher downtime.


1. CAUtils - Backup

Will be used as a backup of the current CA and in the migration process.

a. For Windows Server 2012 R2: First, open a Windows PowerShell window with the Run as administrator option, and then run the following command:

Backup-CARoleService -path <Your Backup Directory>

b. For Windows Server 2012 and Windows Server 2008 R2: First, run the following Certutil command:

Certutil -backup <Your Backup Directory>

c. For all server versions: Then, run the following command to back up the CA registry settings:

reg export HKLM\SYSTEM\CurrentControlSet\services\CertSvc c:\<Your Backup Directory>\CAregistry.reg

2. Stop the service

Please note: if the guide was not finished, after a server restart, this command should be used again.

Stop-service certsvc


3. Get the details of your CA certificates

Using the following command, make a note of the values for Cert Hash and Key Container, because you will need these later:

Certutil -store my <Your CA common name>

For example, if you run Certutil -store my "CorpSubCA", you will see output similar to the following for each CA certificate you have (you will have more than one CA certificate if it has been renewed):

================ Certificate 0 ================
Serial Number: 26e3aa770841989248259e2db7b183cb
Issuer: CN=CorpRootCA, DC=Contoso, DC=com
NotBefore: 5/9/2014 1:08 PM
NotAfter: 5/9/2019 1:18 PM
Subject: CN=CorpSubCA, DC=Contoso, DC=com
Certificate Template Name (Certificate Type): SubCA
CA Version: V1.1
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: SubCA, Subordinate Certification Authority
Cert Hash(sha1): f3 3e f1 bc c5 82 7a b2 a6 0b 15 c1 f6 82 22 09 8e c3 d3 d2
Key Container = CorpSubCA
Unique container name: cd00cf78cfae801b6116617b93290d1d_be779d88-d7da-4fd3-8acb-a6daafc87e9f
Provider = Microsoft Strong Cryptographic Provider
Signature test passed


4. Delete the existing CA certificate and private key:

On Windows Server 2012 R2 and Windows Server 2012:

a. Open a Windows PowerShell window with the Run as administrator option, and then run:

Cd cert:\localmachine\my

b. Using the first value you identified earlier for the Cert Hash as the certificate ID when you ran the Certutil command, run the following command to delete the certificate and private key:

Del -deletekey <Certificate ID>

c. Repeat the previous step for all CA certificates that were identified when you ran the Certutil command.

On Windows Server 2008 R2:

a. Use the Certificates snap-in MMC for the Computer Account and navigate to the certificates in the Personal store.

b. Using the first value you identified earlier for the Cert Hash, locate the certificate and delete it.

c. Repeat the previous step for all CA certificates that were identified when you ran the Certutil command.

d. Using the first value you identified earlier for the Key Container as the key container name when you ran the Certutil command, delete the CA private key by running the following command:

Certutil -csp <Your current CSP> -delkey <Key Container Name>

e. Repeat the previous step for all CA certificates that were identified when you ran the Certutil command.


5. Migrate the CA certificate and private key to a KSP

On Windows Server 2012 R2 and Windows Server 2012:

a. Run the following command:

Certutil -csp <KSP name> -importpfx <Your CA cert/key PFX file>

For example: Certutil -csp "Microsoft Software Key Storage Provider" -importpfx c:\Backup\CorpSubCA.p12

On Windows Server 2008 R2:

Because this server version does not support converting the key, you must copy the backed up private key to a computer that does support this procedure, for example a computer running Windows Server 2012 R2 or Windows Server 2012. However, you can also use a computer running Windows 8.1 or Windows 8.

On this new computer, run the following command:

Certutil -csp <KSP name> -importpfx <Your CA cert/key PFX file>

For example: Certutil -csp "Microsoft Software Key Storage Provider" -importpfx c:\Backup\CorpSubCA.p12

On all Windows versions:

Connect to the PrivateServer management application and note the two new keys that were added.

a. Double click the Private key, go to the PKCS#11 tab and note the ID field:


b. Copy the ID field to a notepad for future usage. (The last dot at the end should not be copied.)

Example: MigTest-7167a53e-6919-4695-82a4-881897a151e0

c. Delete the 2 keys (Private/Public) that were created by CertUtil in the PrivateServer utility.

d. Open argenie (located in C:\Program Files\ARX\ARX CryptoKit\utils) in advanced mode (using a shortcut with /br at the end):

e. Import the certificate created in step 1 using Token -> Import Key:


f. Browse to the backup folder and choose your p12/pfx file created in step 1, input the password selected for step 1 and use the Object ID noted earlier in step b:

6. Export the resulting CA certificate and private key to a .PFX file

We are still in argenie.

d. Double click the PrivateServer Provider [Slot #]

e. Locate your private key and right click it

f. Export the key:


g. Choose a file to save the key to

h. Select a password for the file

i. Change the encryption to 3DES

7. Restore the exported .PFX file

Run the following command on the CA:

Certutil -restorekey <PFX file path>

For Windows Server 2008 R2: Before you run this command, copy the exported .PFX file to the original CA.


8. Import registry settings for the CSP:

a. Create a registry file named Csp.reg so it has the following values:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<Your CA Common Name>\CSP]
"ProviderType"=dword:00000000
"Provider"="AR Key Storage Provider"
"CNGPublicKeyAlgorithm"="RSA"
"CNGHashAlgorithm"="SHA1"

b. Edit the contents, replacing <Your CA common name> with your CA common name.

c. Before you save the file, confirm you are using SHA-1 by running the following command:

Certutil -v -getreg ca\csp\HashAlgorithm

The output will look similar to the following:

HashAlgorithm REG_DWORD = 8004 (32772)
CALG_SHA1
Algorithm Class: 0x8000(4) ALG_CLASS_HASH
Algorithm Type: 0x0(0) ALG_TYPE_ANY
Algorithm Sub-id: 0x4(4) ALG_SID_SHA1

If you do not see SHA1 in your output, modify the CNGHashAlgorithm key value in the file to have the appropriate name.

d. Save the file and then run it:

Csp.reg


9. Import registry settings for the CSP encryption settings:

a. Create a registry file named EncryptionCsp.reg so it has the following values:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<Your CA Common Name>\EncryptionCSP]
"ProviderType"=dword:00000000
"Provider"="AR Key Storage Provider"
"CNGPublicKeyAlgorithm"="RSA"
"CNGEncryptionAlgorithm"="3DES"
"MachineKeyset"=dword:00000001
"SymmetricKeySize"=dword:000000a8

b. Edit the contents, replacing <Your CA common name> with your CA common name.

c. Before you save the file, confirm you are using 3DES for the encryption algorithm by running the following command:

certutil -v -getreg ca\encryptioncsp\EncryptionAlgorithm

The output will look similar to the following:

EncryptionAlgorithm REG_DWORD = 6603 (26115)
CALG_3DES
Algorithm Class: 0x6000(3) ALG_CLASS_DATA_ENCRYPT
Algorithm Type: 0x600(3) ALG_TYPE_BLOCK
Algorithm Sub-id: 0x3(3) ALG_SID_3DES

If you do not see 3DES in your output, modify the CNGEncryptionAlgorithm key value in the file to have the appropriate name.

d. Save the file and then run it:

EncryptionCsp.reg
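The following PowerShell script is an added example, not part of the ARX document: it builds the Csp.reg and EncryptionCsp.reg files of steps 8 and 9 from the CA's live HashAlgorithm and EncryptionAlgorithm registry values, mapping the CALG ids shown above (0x8004, 0x6603) to CNG names so the "if you do not see SHA1 / 3DES" check happens in code. It assumes an elevated PowerShell on the CA; $CaName and $OutDir are placeholders, and the SHA-2 CALG ids are taken from wincrypt.h rather than from this document.

```powershell
# Added example, not from the ARX document: generate the Csp.reg and EncryptionCsp.reg
# files of steps 8 and 9 from the CA's live registry values, so CNGHashAlgorithm and
# CNGEncryptionAlgorithm are taken from the CALG ids the CA already uses instead of typed by hand.
# Assumptions: elevated PowerShell on the CA; $CaName and $OutDir are placeholders you set.
param(
    [string]$CaName = "CorpSubCA",   # constructed sample name, as in the document's examples
    [string]$OutDir = "C:\Backup"
)

# CALG ids (wincrypt.h) -> CNG algorithm names. 0x8004 (CALG_SHA1) and 0x6603 (CALG_3DES)
# are the values shown in the document; the SHA-2 ids are from wincrypt.h.
$hashNames = @{ 0x8004 = 'SHA1'; 0x800c = 'SHA256'; 0x800d = 'SHA384'; 0x800e = 'SHA512' }
$encNames  = @{ 0x6603 = '3DES' }

$base   = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
$hashId = [int](Get-ItemProperty -Path "$base\CSP").HashAlgorithm
$encId  = [int](Get-ItemProperty -Path "$base\EncryptionCSP").EncryptionAlgorithm

$hashName = $hashNames[$hashId]
$encName  = $encNames[$encId]
# The document's "if you do not see SHA1 / 3DES" case: stop rather than write a wrong name.
if (-not $hashName) { throw ("Unmapped HashAlgorithm 0x{0:x}; set CNGHashAlgorithm by hand" -f $hashId) }
if (-not $encName)  { throw ("Unmapped EncryptionAlgorithm 0x{0:x}; set CNGEncryptionAlgorithm by hand" -f $encId) }

$keyRoot = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
$cspReg = @"
Windows Registry Editor Version 5.00

[$keyRoot\CSP]
"ProviderType"=dword:00000000
"Provider"="AR Key Storage Provider"
"CNGPublicKeyAlgorithm"="RSA"
"CNGHashAlgorithm"="$hashName"
"@
$encReg = @"
Windows Registry Editor Version 5.00

[$keyRoot\EncryptionCSP]
"ProviderType"=dword:00000000
"Provider"="AR Key Storage Provider"
"CNGPublicKeyAlgorithm"="RSA"
"CNGEncryptionAlgorithm"="$encName"
"MachineKeyset"=dword:00000001
"SymmetricKeySize"=dword:000000a8
"@

# Version 5.00 .reg files are UTF-16LE; -Encoding Unicode writes exactly that. Import with reg import.
Set-Content -Path (Join-Path $OutDir 'Csp.reg')           -Value $cspReg -Encoding Unicode
Set-Content -Path (Join-Path $OutDir 'EncryptionCsp.reg') -Value $encReg -Encoding Unicode
```

Run it with certsvc stopped (step 2), then import the two files with reg import before continuing with step 10.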


10. Optional: Change the CA hash algorithm to SHA-2:

Note: This step is optional but recommended if your CA is using SHA-1 (or another, older hash algorithm) and requesting devices support the more secure SHA-2 algorithm. It might also be required to comply with the SHA-1 deprecation policy that is documented in the SHA1 Deprecation Policy post on the Windows PKI blog.

On the CA, run the following command:

certutil -setreg ca\csp\CNGHashAlgorithm <Hash Algorithm>

For example: certutil -setreg ca\csp\CNGHashAlgorithm SHA256

11. Start the CA service by running the following command:

Start-service certsvc

Repeat these steps on all CAs in your environment that you want to migrate:

For subordinate CAs: You will not see this migration take effect on the CA certificate until you migrate the parent CA, and then renew the certificate for the subordinate CA.

For a root CA: You will not see the migration take effect for the CA certificate until you migrate the root CA, and then renew the certificate for the root CA.


12. Validating the new settings

These steps are optional but recommended so that you can validate the new settings are operational before the CA issues new certificates for production use.

To verify that the CA service is up and ready to receive requests

Run the following command on the CA:

Certutil -ping

A successful response is CertUtil: -CRL command completed successfully

To verify that the CA is configured for the correct key and provider

Run the following command on the CA:

Certutil -store my <Your CA Common Name>

A successful response will include the line Provider = AR Key Storage Provider

To verify that the certificate shows the correct signature algorithm and signature hash algorithm

Request and issue a certificate for a user or computer and inspect the resulting certificate details.

View the certificate by using the Certificates MMC snap-in and click the Details tab. The Signature algorithm and Signature hash algorithm should show the correct values for your CA configuration.

If you are using a standalone CA and the Certreq.exe command-line tool to request and retrieve the certificate, you can also use a Certutil command to view and validate the correct signing and hash algorithms. For example:

Certutil issuedCert.cer | findstr /spi algorithm

To verify that the certificate revocation list publishes and has the correct signature algorithm and signature hash algorithm

1. Publish the certificate revocation list (CRL) by running the following command on the CA:

Certutil -crl

A successful publication displays the message: CertUtil: -CRL command completed successfully.

2. Locate the CRL file (%windir%\system32\CertSrv\CertEnroll) and then run the following command:

Certutil [CAName].crl | findstr /spi algorithm

When you run the second command, confirm that the Algorithm ObjectId value is the correct hash algorithm for your CA by using the following table:

Algorithm ObjectId   CA Signature Algorithm   CA Hash Algorithm
sha1RSA              RSA                      SHA-1
sha256RSA            RSA                      SHA-256

As an example, this output confirms the CA is using SHA-256:

Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
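As an added example that is not part of the ARX document, the following PowerShell script runs the step 12 checks in one pass: the certutil -ping response, the Provider line from certutil -store, the CSP and EncryptionCSP registry values from steps 8 and 9, and the signature algorithm of a freshly published CRL compared against CNGHashAlgorithm using the table above. It assumes an elevated PowerShell on the CA and that $CaName is replaced with your CA common name.

```powershell
# Added example, not from the ARX document: the step 12 checks run as one script, so the
# migrated CA can be verified before it issues production certificates.
# Assumptions: elevated PowerShell on the CA; $CaName is a placeholder you set; the last check
# publishes a CRL (certutil -crl), so run it only where that is acceptable.
param([string]$CaName = "CorpSubCA")   # constructed sample name, as in the document's examples

$expectedProvider = "AR Key Storage Provider"
$checks = [ordered]@{}

# 1. CA service up and answering requests
$ping = (certutil -ping 2>&1) -join "`n"
$checks['certsvc answers certutil -ping'] = $ping -match 'command completed successfully'

# 2. CA certificate bound to the AR KSP: the "Provider =" line of certutil -store
$store = (certutil -store my $CaName 2>&1) -join "`n"
$checks['CA key held by AR Key Storage Provider'] = $store -match [regex]::Escape("Provider = $expectedProvider")

# 3. Registry values from steps 8 and 9 are in place
$base = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
$csp  = Get-ItemProperty -Path "$base\CSP"
$enc  = Get-ItemProperty -Path "$base\EncryptionCSP"
$checks['CSP is the AR KSP with ProviderType 0'] = ($csp.Provider -eq $expectedProvider) -and ($csp.ProviderType -eq 0)
$checks['EncryptionCSP is the AR KSP using 3DES'] = ($enc.Provider -eq $expectedProvider) -and ($enc.CNGEncryptionAlgorithm -eq '3DES')

# 4. A freshly published CRL carries the signature algorithm implied by CNGHashAlgorithm
#    (sha1RSA for SHA1, sha256RSA for SHA256, as in the document's table)
$null = certutil -crl 2>&1
$crlFile = Get-ChildItem "$env:windir\system32\CertSrv\CertEnroll" -Filter *.crl |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
$dump   = (certutil $crlFile.FullName 2>&1) -join "`n"
$sigAlg = [regex]::Match($dump, 'Algorithm ObjectId: [\d.]+ (\w+)').Groups[1].Value
$expectedSig = "$($csp.CNGHashAlgorithm)".ToLower() + 'RSA'
$checks["CRL signed with $expectedSig (found '$sigAlg')"] = $sigAlg -eq $expectedSig

# Report and exit non-zero on any failure so the script can gate the change
foreach ($c in $checks.GetEnumerator()) {
    '{0} {1}' -f $(if ($c.Value) { 'PASS' } else { 'FAIL' }), $c.Key
}
if ($checks.Values -contains $false) { exit 1 }
```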