Newbie PKI Question
Can you use a (Microsoft) offline root CA with a networked HSM? If the root CA is offline, how does it communicate with the HSM?
Identity & Metadirectory, Hewlett-Packard UK
January 25th, 2011 11:04am

On Tue, 25 Jan 2011 15:59:46 +0000, MMS_guru wrote:
Can you use a (Microsoft) offline root CA with a networked HSM? If the root CA is offline, how does it communicate with the HSM?

Depends on the HSM and your Certificate Practice Statement. On the nCipher nShield Connects for example they have two network interfaces, one routeable and one not. We have lots of customers that will use the non-routed interface for the offline CAs.
Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca
My girlfriend always laughs during sex - no matter what she's reading. - Steve Jobs (Founder: Apple Computers)
January 25th, 2011 11:48am

Paul, thanks. In this scenario, we hope to use a Luna SA HSM. I'm assuming that we could use the HSM to protect the private key material for our MS root CA? I also notice a guide for Installing and Configuring a LunaSA Hardware Security Module (HSM) with FIM CM 2010. We aim to use FIM CM for issuing and managing smart cards (for logon), but the private key material for the smart card logon certificates is stored on the smart cards, so why do I need to do this? Thanks, and apologies, I'm fairly new to PKI, FIM CM, etc. Cheers, MMS_guru
Identity & Metadirectory, Hewlett-Packard UK
February 18th, 2011 12:20pm

I will keep it really simple. You plan to issue medium to high assurance certificates protected by a smart card. How can you state that these certificates are medium or high assurance when the CA that issued them is a low assurance CA? If you do not protect the CA's private keys with an HSM, then anyone who is an administrator can export the CA certificate and keys and install a "stealth" CA. The CA is also subject to buffer overflow attacks that could expose the CA private key. Brian
February 18th, 2011 4:23pm

On Fri, 18 Feb 2011 17:15:16 +0000, MMS_guru wrote:
In this scenario, we hope to use a Luna SA HSM. I'm assuming that we could use the HSM to protect the private key material for our MS root CA? I also notice a guide for Installing and Configuring a LunaSA Hardware Security Module (HSM) with FIM CM 2010 <http://social.technet.microsoft.com/wiki/contents/articles/installing-and-configuring-a-lunasa-hardware-security-module-hsm-with-fim-cm-2010.aspx>, we aim to use FIM CM for issuing and managing smart cards (for logon), but the private key material for the smart card logon certificates are stored on the smart cards, so why do I need to do this? Thanks, & apologies fairly new to PKI, FIM CM , etc.

No apologies necessary MMS_Guru. When using an HSM with FIM CM the goal is not to protect the private keys of the smart cards or certificates that you're going to manage with FIM CM. Instead, the goal is to protect the private keys of the 3 certificates that get issued to the CM Agent, CM Enrollment Agent, and CM Key Recovery Agent accounts. If you don't use an HSM then the private keys for the certificates issued to these 3 accounts are simply protected with a software based CSP and are stored in the user profile directories on the FIM CM server(s). Hope this makes it a little clearer.
Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca
February 19th, 2011 3:31am
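A check in the spirit of Paul's and Brian's answers, added here as an example and not part of the thread: it reports which key provider holds each private key in the user and machine stores, so a CA or FIM CM agent key sitting in a Microsoft software CSP/KSP stands out from one held by an HSM provider. It assumes PowerShell 5.1 on the CA or FIM CM server, that you run it under each CM agent account to see that account's CurrentUser store, and that the software-provider name list (a constructed list of common Microsoft providers) is the set you want flagged.

```powershell
# Added example, not from the thread. Assumption: common Microsoft software providers;
# an HSM such as a Luna SA or nShield registers its own provider name, which will not match.
$SoftwareProviders = @(
    'Microsoft Software Key Storage Provider',
    'Microsoft Enhanced RSA and AES Cryptographic Provider',
    'Microsoft Strong Cryptographic Provider',
    'Microsoft Enhanced Cryptographic Provider v1.0',
    'Microsoft Base Cryptographic Provider v1.0'
)

function Get-PrivateKeyProvider {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $null }
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    } catch { return 'ERROR: ' + $_.Exception.Message }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return $rsa.Key.Provider.Provider              # CNG key: the KSP name
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return $rsa.CspKeyContainerInfo.ProviderName   # legacy CAPI key: the CSP name
    }
    return $rsa.GetType().Name
}

function Get-KeyProtectionReport {
    param([string[]]$StorePaths = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'))
    foreach ($path in $StorePaths) {
        foreach ($cert in Get-ChildItem -Path $path -ErrorAction SilentlyContinue) {
            $provider = Get-PrivateKeyProvider -Cert $cert
            if ($null -eq $provider) { continue }       # no private key here, nothing to protect
            [pscustomobject]@{
                Store       = $path
                Subject     = $cert.Subject
                Thumbprint  = $cert.Thumbprint
                Provider    = $provider
                # A software-held key lives in the profile or machine key store and can be
                # exported by its owner or an administrator; an HSM provider is what you want.
                SoftwareKey = ($SoftwareProviders -contains $provider)
            }
        }
    }
}

Get-KeyProtectionReport | Format-Table -AutoSize

# On the CA itself, the provider the CA service uses for its own key (offline root included):
certutil -getreg ca\csp\Provider
```

Rows with SoftwareKey = True for the CA certificate or the CM Agent, Enrollment Agent and Key Recovery Agent certificates are the keys Paul and Brian are describing as unprotected.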

Brian, Paul, thanks for the responses. Fully understand the reason for HSM in PKI/FIM CM scenarios. Cheers, MMS_guru
Identity & Metadirectory, Hewlett-Packard UK
February 21st, 2011 6:11am
