Migrating Server2003 CA To Server2008R2
Help,
I am migrating an existing CA to a new virtual 2008R2 box. I have found quite a few helpful KBs on migration from beginning to end but they are referencing a Hardware Security Module. I have not found how to verify the absence or existence of an HSM. I am only two months into this job and do not have access to the person who built this server. It seems that there should be a limited number of files/programs to look for to verify the HSM status. Any ideas how to do so?
September 25th, 2012 1:33pm
The HSM (Hardware Security Module) is a piece of hardware that is traditionally either a PCI (x or express) expansion card (usually with a smart card slot) or an appliance (also usually with a smart card slot).
With that said, operationally, when you start up your CA do you have to insert a smart card into a slot? This would be a good indicator that you have an HSM.
September 25th, 2012 1:50pm
I thought it would be a specific step or something similar. I am quite certain that there is no HSM present since it is virtual and there are no special requirements on startup. Any other specific indications are appreciated.
September 25th, 2012 2:58pm
An HSM is used in CAs to add protection to the CA certificate's private key(s). With a virtual machine you could still have an appliance HSM like a rackmount unit (such as an nCipher/Thales netHSM or nShield Connect).
Open up the registry editor on your CA and go to the following:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\%Name_Of_Your_CA%\CSP
Note: Replace %Name_Of_Your_CA% with the actual name of your CA
What is the value of Provider?
September 25th, 2012 3:15pm
That is Microsoft Strong Cryptographic Provider. EncryptionCSP says the same.
September 25th, 2012 3:47pm
There you go, you are NOT using an HSM, the key is protected by Windows. So whenever you see anything mentioning an HSM you can pretty much ignore it.
If you are doing the upgrade I would suggest building a play box to learn about installing and upgrading a Microsoft CA. It's not extremely hard, but it's also not hard to screw up.
Make sure you back up all of the data that is required to restore the CA in case something doesn't go right. At the very least you will need to back up the CA database, CA certificate (including private key and a password that you can remember or better yet write it down and store it securely), and the CA part of the registry (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration).
September 25th, 2012 4:08pm
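The registry check described in this thread, as an added PowerShell example that is not part of the original posts: it reads the Provider value under each CA's CSP key and flags anything that is not a built-in Microsoft software provider. The function name Get-CaKeyProvider and the provider list are assumptions of this example; it is written to run on PowerShell 2.0, and a Microsoft-named smart card provider is deliberately not treated as software.

```powershell
# Added example (not from the thread): report the key provider of every CA on this host.
$configRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# Built-in Windows providers that keep the CA key in software.
# Assumed list for this example; extend it if your environment uses others.
$softwareProviders = @(
    'Microsoft Strong Cryptographic Provider',
    'Microsoft Enhanced Cryptographic Provider v1.0',
    'Microsoft Base Cryptographic Provider v1.0',
    'Microsoft Enhanced RSA and AES Cryptographic Provider',
    'Microsoft Software Key Storage Provider'
)

function Get-CaKeyProvider {
    param([string]$Root = $configRoot)

    if (-not (Test-Path -LiteralPath $Root)) {
        throw "CertSvc configuration key not found: $Root (is the CA role installed?)"
    }

    # Each subkey of Configuration is one CA name; its CSP subkey holds Provider.
    foreach ($ca in Get-ChildItem -LiteralPath $Root) {
        $cspPath = "$Root\$($ca.PSChildName)\CSP"
        if (-not (Test-Path -LiteralPath $cspPath)) { continue }

        $provider = (Get-ItemProperty -LiteralPath $cspPath).Provider

        # Match on the exact name, not on a "Microsoft" prefix: smart card
        # providers from Microsoft are hardware-backed and must not pass here.
        if ($softwareProviders -contains $provider) {
            $verdict = 'Software key protected by Windows; HSM steps do not apply'
        } else {
            $verdict = 'Not a built-in software provider; check for an HSM or smart card'
        }

        New-Object PSObject -Property @{
            CAName   = $ca.PSChildName
            Provider = $provider
            Verdict  = $verdict
        }
    }
}

Get-CaKeyProvider | Select-Object CAName, Provider, Verdict | Format-List
```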
Thanks. Now we are getting into the meat of this. I will open a new question for the followup stuff.
September 26th, 2012 8:28am


