
Configuring the Cryptographic Provider

info

This procedure describes a straightforward integration path. Other methods for configuring and setting up Microsoft AD CS are also available.

This guide assumes you have a basic understanding of the Primus HSM and Microsoft Server AD CS. It does not detail every step of the hardware and software setup process.

For the sake of simplicity, only the domain administrator role is used instead of the PKI management roles defined by Microsoft.

How to migrate from Microsoft AD CS to Primus HSM?

Select Microsoft AD CS Cryptographic Provider

To integrate the Securosys HSM with Microsoft Active Directory Certificate Services, the Primus KSP/CNG Provider must be specified. This is usually done during installation of the Certificate Authority, either via the graphical user interface (GUI) or the command-line interface (CLI).

note

Please read through the Prerequisites and the Installing CNG Provider sections as they are required for further steps.

When selecting the provider in the Cryptography for CA window, select the RSA#Securosys Primus HSM Key Storage Provider along with the key type, key length and a suitable hash algorithm. Note that some older devices and applications only support key lengths up to 2048 bits.

note

When using an existing private key, you will be required to specify your existing key before selecting the Key Storage Provider.
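The CLI route mentioned above, as an added example that is not part of the original guide: it confirms the Primus KSP is registered before installing the CA, then checks that the CA really uses that provider rather than a software KSP. Assumptions: an Enterprise Root CA with a new key pair, the placeholder CA name `EXAMPLE-ROOT-CA`, SHA256 with a 4096-bit key, an elevated domain administrator session, and that the KSP is registered under the name that follows the `RSA#` prefix.

```powershell
# Added example, not vendor code. Run elevated on the server that already has the
# AD CS role binaries and the Primus CNG provider installed.

$providerName = 'RSA#Securosys Primus HSM Key Storage Provider'  # string from this guide
$kspName      = $providerName.Split('#', 2)[1]   # assumed KSP name without the algorithm prefix
$keyLength    = 4096      # assumption; use 2048 if older devices or applications must be supported
$hashAlg      = 'SHA256'  # assumption
$caName       = 'EXAMPLE-ROOT-CA'   # placeholder

# 1. Stop early if the KSP is not registered with CNG on this host.
$registered = certutil -csplist | Select-String -SimpleMatch $kspName
if (-not $registered) {
    throw "KSP '$kspName' is not registered; install the Primus CNG provider first."
}

# 2. Same choices as the "Cryptography for CA" window, expressed as parameters.
$caParams = @{
    CAType             = 'EnterpriseRootCA'   # assumption; adjust to your CA type
    CACommonName       = $caName
    CryptoProviderName = $providerName
    KeyLength          = $keyLength
    HashAlgorithmName  = $hashAlg
}
Install-AdcsCertificationAuthority @caParams -WhatIf   # dry run, changes nothing
Install-AdcsCertificationAuthority @caParams           # prompts for confirmation

# 3. Confirm the installed CA points at the HSM provider, not a software KSP.
$configured = certutil -getreg 'CA\CSP\Provider'
if (-not ($configured | Select-String -SimpleMatch $kspName)) {
    throw "CA is not using '$kspName'. Reported configuration: $configured"
}
certutil -getreg 'CA\CSP\CNGHashAlgorithm'   # should report the chosen hash algorithm
```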

Example of selecting the Securosys Primus Key Storage Provider: