AD CS operations with FXCNG
This section covers AD CS operations with FXCNG.

## Enforce Windows access control on an HSM level

For this step, you must log in with an identity that has a role with the Keys:All Slots permission. You can use the default Administrator role and Admin identities.

The Futurex CNG library enables Windows to associate an access control list (ACL) with an HSM key slot. Windows updates this ACL during key pair generation and permission updates. To lock the ACL so that it can no longer change, perform the following steps:

1. Connect the Excrypt Manager application to the Vectera HSM.
2. Log in under dual control.
3. Go to the Key Management page.
4. Select Edit Key Storage.
5. Locate the board slot containing the CNG private key. The CNG provider logs this information during key pair generation.
6. Check the Immutable Security checkbox.
7. Select [ Apply Changes ].

## View certificate store

Use the following command to view the CA certificate store. The LDAP URI varies depending on your organization's Active Directory domain (for example, fx.futurex.com) and CA name (for example, fx-fxca):

```
certutil -viewstore "ldap:///CN=fx-fxca,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=fx,DC=futurex,DC=com?cACertificate?base?objectClass=certificationAuthority"
```

Between tests, you can choose to clear the certificate store by using a command similar to the following example:

```
certutil -delstore "ldap:///CN=fx-fxca,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=fx,DC=futurex,DC=com?cACertificate?base?objectClass=certificationAuthority" fx-fxca
```

## Sign the certificate by using the HSM

The following steps demonstrate one way to test using the HSM to sign a certificate for the CA server:

1. Open the Certificate Manager on the CA server.
2. Right-click Personal > All Tasks > Request New Certificate.
3. In the Certificate Enrollment window, select [ Next ].
4. On the Certificate Enrollment Policy page, choose a certificate enrollment service associated with the CA server, such as Active Directory Enrollment Policy for an enterprise CA. Select [ Next ].
5. On the Request Certificates page, choose a certificate template and select [ Enroll ].

If the HSM connects, a success message displays. If the HSM is offline, you get an error.

To locate the issued certificate, perform the following steps:

1. Open the Active Directory Certificate Authority tool from the Server Manager.
2. Expand the node associated with your CA common name.
3. Select Issued Certificates. A certificate matching your request should display on this page.
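A success message only shows that enrollment worked; it does not prove the CA's signing key lives in the HSM rather than in the Microsoft software KSP. The following script is an added example (not from the Futurex documentation) that reads the KSP the CA service is configured with and the provider that actually holds the CA certificate's private key; it assumes the CA name from the page and a provider-name substring (`Futurex`) that you must change to the name of your installed FXCNG provider.

```powershell
# Added example (not from the Futurex documentation). Run in an elevated PowerShell
# session on the CA server after the HSM-backed enrollment described above.
param(
    [string]$CaName = 'fx-fxca',            # CA common name from the page's example
    [string]$ExpectedProvider = 'Futurex'   # ASSUMPTION: substring of the FXCNG KSP name; adjust to your install
)

# 1. The KSP the CA service is configured to use (CertSvc registry, read via certutil).
$match = certutil -getreg 'ca\csp\Provider' |
    Select-String -Pattern 'Provider\s+REG_SZ\s*=\s*(.+)$' |
    Select-Object -First 1
$configured = if ($match) { $match.Matches[0].Groups[1].Value.Trim() } else { '<not found>' }

# 2. The provider that actually holds the private key of the CA certificate in LocalMachine\My.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.Subject -eq "CN=$CaName" -or $_.Subject -like "CN=$CaName,*") } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $caCert) { throw "No certificate with a private key for CN=$CaName in LocalMachine\My" }

$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($caCert)
$actual = if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $rsa.Key.Provider.Provider              # CNG key: the KSP name (FXCNG provider or the Microsoft software KSP)
} elseif ($rsa) {
    "legacy CSP ($($rsa.GetType().Name))"   # CAPI key: cannot be HSM-backed through the CNG provider
} else {
    'no RSA key (ECDSA CA or key not accessible)'
}

# HsmBacked is $true only when both the CA configuration and the key itself point at the expected KSP.
[pscustomobject]@{
    CaName             = $CaName
    Thumbprint         = $caCert.Thumbprint
    ConfiguredProvider = $configured
    KeyProvider        = $actual
    HsmBacked          = ($configured -like "*$ExpectedProvider*") -and ($actual -like "*$ExpectedProvider*")
}
```

A result of `HsmBacked = False` with `KeyProvider` showing the Microsoft Software Key Storage Provider means the CA was enrolled with a software key and the Immutable Security lock above protects nothing.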