AD CS operations with FXCNG

5min

This section covers AD CS operations with FXCNG.
Enforce Windows Access Control on an HSM level
For this step, you must log in with an Identity that has a role with the Keys:All Slots permission. You can use the default Administrator role and Admin identities.
The Futurex CNG library enables Windows to associate an Access Control List (ACL) with an HSM key slot. Windows updates this ACL during key pair generation and permission updates. To lock the ACL from changing, perform the following steps:
1
Connect the Excrypt Manager application to the Vectera Plus HSM.
2
Login under dual control.
3
Go to the Key Management page
4
Select Edit Key Storage.
5
Locate the board slot containing the CNG private key. The CNG provider logs this information during key pair generation.
6
Check the Immutable security checkbox.
7
Select [ Apply Changes ].
View certificate store
Use the following command to view the CA certificate store. The LDAP URI varies depending on your organizational Active Directory domain (for example, fx.futurex.com) and CA name (for example, fx-FXCA).
PowerShell
certutil -viewstore "ldap:///CN=fx-FXCA,CN=Certification Authorities,
CN=Public Key Services,CN=Services,CN=Configuration,DC=fx,
DC=futurex,DC=com?cACertificate?base?objectClass=certificationAuthority"
certutil -viewstore "ldap:///CN=fx-FXCA,CN=Certification Authorities,
CN=Public Key Services,CN=Services,CN=Configuration,DC=fx,
DC=futurex,DC=com?cACertificate?base?objectClass=certificationAuthority"
﻿
Between tests, you can choose to clear the certificate store by using a command similar to the following example:
PowerShell
certutil -delstore "ldap:///CN=fx-FXCA,CN=Certification Authorities,
CN=Public Key Services,CN=Services,CN=Configuration,DC=fx,
DC=futurex,DC=com?cACertificate?base?objectClass=certificationAuthority" fx-FXCA
certutil -delstore "ldap:///CN=fx-FXCA,CN=Certification Authorities,
CN=Public Key Services,CN=Services,CN=Configuration,DC=fx,
DC=futurex,DC=com?cACertificate?base?objectClass=certificationAuthority" fx-FXCA
﻿
Sign the certificate by using the HSM
The following steps demonstrate one way to test using the HSM to sign a certificate for the CA server.
1
Open the Certificate Manager on the CA server
2
Right-click Personal > All Tasks > Request New Certificate.
3
In the Certificate Enrollment window, select [ Next ].
4
On the Certificate Enrollment Policy page, choose a certificate enrollment service associated with the CA server, such as Active Directory Enrollment Policy for an Enterprise CA. Select [ Next ].
5
On the Request Certificates page, choose a certificate template and select [ Enroll ].
If the HSM connects, a success message displays. 
If the HSM is offline, you get an error.
6
To locate the issued certificate, perform the following steps:
Open the Active Directory Certificate Authority tool from the Server Manager.
Expand the node associated with your CA common name.
Select Issued Certificates.
A certificate matching your request should display on this page.
﻿

Updated 03 Aug 2024

Did this page help you?

Install and configure Active Directory Certificate Services

Appendix: Migrate an existing CA key from software storage to the HSM