Appendix: Migrate an existing CA key from software storage to the HSM

This appendix covers the following migration tasks:

- Back up the CA database, CA certificate, and private key on the AD CS server
- Remove the CA role service from the AD CS server
- Import the private key into the HSM by using FXCLI
- Restore the AD CS server

1 | Back up the CA database, CA certificate, and private key on the AD CS server

To back up the CA database, certificate, and private key, you must use an account that is a CA administrator. On an enterprise CA, the default configuration for CA administrators includes the local Administrators group, the Enterprise Admins group, and the Domain Admins group. On a standalone CA, the default configuration for CA administrators includes the local Administrators group.

The following steps use the CA snap-in tool to back up the CA database and private key. If you prefer to complete these steps by using PowerShell or certutil.exe, see the following Microsoft knowledge base article: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn486805(v=ws.11)

1. Choose a backup location and attach media, if necessary.
2. Log on to the source CA.
3. Open the Certification Authority snap-in.
4. Right-click the node with the CA name, select All Tasks, and then select Back up CA.
5. In the Welcome window of the CA Backup Wizard, select [ Next ].
6. In the Items to Back Up window, select the Private key and CA certificate and Certificate database and certificate database log check boxes, specify the backup location, and then select [ Next ].
7. In the Select a Password window, type a password to protect the CA private key, and select [ Next ].
8. In the Completing the Backup Wizard window, select [ Finish ].
9. After the backup completes, verify that the following files are in the location you specified:
   - CAName.p12, which contains the CA certificate and private key
   - The Database folder, containing the files certbkxp.dat, edb#####.log, and CAName.edb
10. Open a command prompt window and type net stop certsvc to stop the AD CS service. You should stop the service to prevent the issuance of additional certificates. If the source CA issues certificates after a database backup completes, repeat the CA database backup procedure to ensure the database backup contains all issued certificates.
11. Copy all backup files to a location that is accessible from the destination server, such as a network share or removable media.

2 | Remove the CA role service from the AD CS server

1. In Server Manager, select the Manage button in the top menu, then select [ Remove Roles and Features ].
2. In the Before You Begin section of the Remove Roles and Features Wizard, select [ Next ].
3. In the Select Destination Server window, leave the default option selected and select [ Next ].
4. In the Remove Server Roles window, select the Active Directory Certificate Services role. When prompted, select [ Remove Features ].
5. Select [ Next ] until you reach the Confirmation page, and then select [ Remove ].
6. After the removal process completes, close the window and restart the server to finish removing the features.

3 | Import the private key into the Vectera Plus HSM

In this section, the HSM CLI application is used to import the private key that was backed up from AD CS.

First, run the following command to connect to the HSM via USB (note: the computer that is running HSM CLI must be directly connected to the front USB port of the HSM):

    fxcli connect usb

Then, log in with the default admin identities:

    fxcli login user

The login user command prompts for the username and password. You must run it twice to log in with both default admin identities.

Now, run the following command to import the private key of the CA into an available key slot on the HSM:

    fxcli pkcs12 import -f "C:\Futurex\Windows Server CA.p12" -p safest -s 10 --label "Windows Server CA" --win-system-dacl

If the import succeeded, when you run the keytable reload command you see the private key in the slot that was designated, as shown in the following example:

    fxcli keytable reload

    Result:
      Status: Success
      StatusCode: 0
      Slots:
        - Slot: 10
          Type: "Key"
          Name: "Windows Server CA"
          KCV: "266B"
          Algorithm: RSA
          Bits: 2048
          Usage: Sign,Verify
          StartValidity: "1971-01-01 00:00:00"
          EndValidity: "2999-01-01 00:00:00"
          Exportable: true
          ClearExportable: false
          PasswordExportable: false
          RequiresAuth: false
          Modifiable: true
          ExternalData: "..."

4 | Restore the AD CS server

This section shows you how to restore the AD CS server by performing the following tasks:

- Import the CA certificate
- Re-add the CA role service
- Restore the CA database and configuration

1 | Import the CA certificate

The first section of this appendix backs up the CA certificate to a PKCS #12 (PFX) file containing both the certificate and the private key. Because the private key should no longer exist in AD CS (it is now stored on the HSM), this example uses OpenSSL to extract only the certificate from the PKCS #12 file before importing the CA certificate back into Windows. You must install OpenSSL for Windows before performing this procedure.

1. Open PowerShell and run the following OpenSSL command to extract only the CA certificate from the PKCS #12 backup file:

       openssl pkcs12 -in "Windows Server CA.p12" -out "Windows Server CA.pem" -nokeys

   The CA certificate is output to the file name specified in the -out flag.
2. Start the Certificates snap-in for the local computer account.
3. In the console tree, double-click Certificates (Local Computer) and select Personal.
4. On the Action menu, select All Tasks and select Import to open the Certificate Import Wizard.
5. Select [ Next ].
6. Locate the <CAName>.pem file that was output from the OpenSSL command in the first step, and select [ Open ].
7. Select Place all certificates in the following store. Verify that Personal displays in the Certificate store field. If you don't see it, select Browse, select Personal, then select [ OK ].
8. In the console tree, double-click Personal Certificates and select the imported CA certificate.
9. On the Action menu, select [ Open ].
10. Go to the Details tab, copy the Serial number to the clipboard, and select [ OK ].
11. Open a command prompt, type certutil -store my "{SerialNumber}", and then press Enter.
12. Copy the value in the Unique container name field from the output of the preceding command to the clipboard.
13. Run the following command to delete the private key's original association with the CA certificate (from when it was stored in software):

        certutil -delkey -csp KSP "Unique Container Name"

14. Run the following command to associate the CA certificate with the private key now stored on the HSM:

        certutil -repairstore -csp "Futurex CNG" my "Serial Number"

    Specify the same certificate serial number here that was specified in step 10.

2 | Re-add the CA role service by using Server Manager

1. In the console tree, select Roles.
2. On the Action menu, select Add Roles.
3. In the Before You Begin window, select [ Next ].
4. In the Select Server Roles window, select the Active Directory Certificate Services checkbox and select [ Next ].
5. In the Introduction to AD CS window, select [ Next ].
6. In the Role Services window, select the Certificate Authority checkbox and select [ Next ].
7. In the Specify Setup Type window, specify either Enterprise or Standalone, to match the source CA. Then, select [ Next ].
8. In the Specify CA Type window, specify either Root CA or Subordinate CA, to match the source CA. Then, select [ Next ].
9. In the Set Up Private Key window, select Use existing private key and Select a certificate and use its associated private key.
10. In the Certificates list, select the imported CA certificate and select [ Next ].
11. In the CA Database window, specify the locations for the CA database and log files. Select [ Next ].
12. In the Confirmation window, review the messages and select [ Configure ].

3 | Restore the CA database and configuration

After you reinstall the CA role service, perform the following steps, which use the CA snap-in tool to restore the CA database and configuration.

1. Start the Certification Authority snap-in.
2. Right-click the node with the CA name, select All Tasks, and then select Restore CA.
3. In the Welcome window, select [ Next ].
4. In the Items to Restore window, select Certificate database and certificate database log. Select [ Browse ].
5. Go to the parent folder that holds the Database folder (the folder that contains the CA database files created during the CA database backup). Do not select the Database folder; select its parent folder.
6. Select [ Next ] and then [ Finish ].
7. Select [ Yes ] to start the CA service (certsvc).
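The following PowerShell script is an added verification helper, not part of the Futurex or Microsoft procedure above. It checks the three points of the migration that matter for the end state: that the backup produced the files listed in section 1, that the PEM written by openssl -nokeys carries no private key, and that after certutil -repairstore the CA certificate in the local machine Personal store is bound to the Futurex CNG provider. It assumes the backup layout described above (<BackupRoot>\<CAName>.p12 and <BackupRoot>\Database) and that the CA certificate's subject CN equals the CA name; run it on the restored AD CS server.

```powershell
# Added verification helper (not part of the Futurex/Microsoft procedure).
# Assumes: <BackupRoot>\<CAName>.p12, <BackupRoot>\Database\, and a CA cert whose CN is $CAName.
param(
    [Parameter(Mandatory)] [string] $BackupRoot,
    [Parameter(Mandatory)] [string] $CAName,
    [string] $PemPath = (Join-Path $BackupRoot "$CAName.pem"),
    [string] $ExpectedProvider = 'Futurex CNG'
)

$problems = @()

# 1. Backup completeness: the files the CA Backup Wizard should have produced (section 1, step 9).
$expected = @(
    (Join-Path $BackupRoot "$CAName.p12"),
    (Join-Path $BackupRoot "Database\certbkxp.dat"),
    (Join-Path $BackupRoot "Database\$CAName.edb")
)
foreach ($f in $expected) {
    if (-not (Test-Path -LiteralPath $f)) { $problems += "Missing backup file: $f" }
}
$logs = Get-ChildItem -Path (Join-Path $BackupRoot 'Database') -Filter 'edb*.log' -ErrorAction SilentlyContinue
if (-not $logs) { $problems += "No edb*.log transaction log found under $BackupRoot\Database" }

# 2. The PEM extracted with 'openssl pkcs12 -nokeys' must contain a certificate and no key material.
if (Test-Path -LiteralPath $PemPath) {
    $pem = Get-Content -LiteralPath $PemPath -Raw
    if ($pem -notmatch '-----BEGIN CERTIFICATE-----') { $problems += "$PemPath has no certificate block" }
    if ($pem -match 'PRIVATE KEY-----') { $problems += "$PemPath still contains a private key; re-run openssl with -nokeys" }
} else {
    $problems += "PEM file not found: $PemPath"
}

# 3. After 'certutil -repairstore': the CA cert must have a private key, and that key must live in the HSM's CNG provider.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*CN=$CAName*" } | Select-Object -First 1
if (-not $cert) {
    $problems += "No certificate with CN=$CAName in Cert:\LocalMachine\My"
} elseif (-not $cert.HasPrivateKey) {
    $problems += "CA certificate has no associated private key; run certutil -repairstore"
} else {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $provider = $rsa.Key.Provider.Provider          # CngKey.Provider is a CngProvider; .Provider is its name
        if ($provider -ne $ExpectedProvider) { $problems += "Key provider is '$provider', expected '$ExpectedProvider'" }
    } else {
        $problems += "CA key is still a legacy CSP (software) key, not a CNG key"
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output "Backup files present, PEM is key-free, and the CA key is bound to '$ExpectedProvider'."
```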