Restoring Standalone Root CA using existing key and associated certificate (Thales nCipher HSM)
Hi guys, I have trouble installing a Microsoft Root CA in combination with an existing keypair and certificate generated by the nCipher Enhanced CSP (CAPI) and protected by an Operator Card Set. I have the same issue on Windows 2003, Windows 2008 and 2008 R2 Server Standard. nCipher Security World, HSM contact and status as well as keys are all OK.

Steps:
· Backed up all required data (capolicy.inf, CA database, security world etc.)
· Prepared target server (same computer name)
· Restored key material to %nfast_kmdata%\local

  C:\Windows\system32>cspcheck64
  Output:
  cspcheck: information: 1 container and 1 key found.
  cspcheck: everything seems to be in order.

So the key is there. Now I installed the nCipher CSP and selected to use the existing Security World. Key protection is using OCS.

Now I installed the existing Root certificate (crt) in the Trusted Root CAs store on the new Root CA machine. Then added the CA certificate to my store using certutil:

  certutil -addstore my "Test Root CA v2.crt"
  CertUtil: -addstore command completed successfully.

Now I assigned the corresponding private key (stored in the HSM and protected by operator cards) – that's what I found in the nCipher/Thales Integration Guide:

  certutil -f -repairstore -csp "nCipher Enhanced Cryptographic Provider" my "6d e0 a9 0a f1 23 62 bc 34 e1 7a 83 55 97 47 31"

Output OK: blabla …
  Key Container = Test Root CA v2
  Provider = nCipher Enhanced Cryptographic Provider
  Private key is NOT exportable
  Signature test passed
  CertUtil: -repairstore command completed successfully.

OK, now the imported CA certificate in the computer store tells me that I have a corresponding private key if I view the certificate.

Then I restored capolicy.inf to %windir% and ran the Server Manager to add the new ADCS role "Certification Authority".
Selected Standalone Root CA. Chose "Use existing private key" and "Select a certificate and use its associated private key". The list is empty :-( (I'm sure the certificate should be in the list.)
If I select the other option called "Select an existing private key on this computer" I can change the CSP to nCipher Enhanced CSP and enter the CA's common name, then I can select the key. But then the wizard asks me for the DN suffix and lifetime of the certificate and it seems like it is generating a new certificate or keypair too.
I tested the same on Windows 2003 Server, as the procedure is a bit different, and I can see that the option "use the certificate associated with this key" is grayed out.
What am I doing wrong? Of course I want to use the existing key AND certificate. Thanks for any help :-)
Carsten
April 21st, 2010 2:02pm

Hi, I downloaded the Integration Guide from the Internet. If I understand correctly, we should be able to import the certificate and the corresponding private key by using the nCipher CSP Key Storage Wizard (section 8.5). Can you import the certificate by using the wizard on the server? Meanwhile, you may consider contacting the HSM vendor for assistance. They should be able to provide you with more information about the migration. Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights.
April 22nd, 2010 9:52am

Hi, thanks. But as you can read in my post, I did this already, it works pretty well :-) The HSM vendor told me I must import the certificate as a Base64 encoded .cer. I used DER (.crt); maybe that could be the problem, but I can hardly believe it. I will inform you on my further steps.
April 22nd, 2010 8:39pm

Hi, how's everything going? Any update on the issue? If you need further assistance on our side, please do not hesitate to respond back. Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights.
April 30th, 2010 12:27pm

Hi, I tested it with the Base64 encoded certificate; as I expected, it doesn't work. Now we definitely need the HSM vendor's help. As we are currently in budget discussions with the customer regarding HSM maintenance and technical support, we are on hold with the project. If anyone here knows the ultimate solution, please post :-) Remember we are not able to export the key incl. certificate as PKCS#12, as it was generated in the module's crypto CPU! Greetz
April 30th, 2010 2:46pm

This is a known issue that pops up from time to time.
1) Verify that the certificate is truly functional by running certutil -verifystore my
2) Check in the output that the key is protected by the nCipher Enhanced CSP and passes all tests
3) When you run the wizard, state that you want to use an existing private key (yes, this creates a new certificate)
4) After restore, either restore the previous registry from the other CA, or... modify the following registry key to use the original certificate's thumbprint: hklm\system\currentcontrolset\services\certsvc\Configuration\CAName\CACertHash
Because the same key pair is used, when you restart the CA, it will now use the original CA certificate. Works like a charm (and only one last step for you to do)!
Brian
April 30th, 2010 6:45pm
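The fix Brian describes in step 4, as an added PowerShell example that is not part of the thread: after the ADCS wizard has issued its new certificate on the restored HSM key, the script rewrites CACertHash under the active CA's configuration key with the original certificate's thumbprint and restarts the CA. It assumes the original CA certificate was already imported into LocalMachine\My and bound to the HSM key with certutil -repairstore, as in the first post; the thumbprint is passed in by the operator.

```powershell
# Added example (not from the thread). Point a freshly installed CA back at its original
# certificate by rewriting CACertHash (Brian's step 4) and restarting the service.
# Assumption: the original certificate is in LocalMachine\My with its HSM key attached.
param(
    [Parameter(Mandatory)] [string] $OriginalThumbprint   # SHA-1 thumbprint of the original CA cert
)

$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot -Name Active).Active   # name of the active CA
$caKey   = Join-Path $cfgRoot $caName

# CACertHash stores each thumbprint as lowercase hex pairs separated by spaces.
$hex = ($OriginalThumbprint -replace '[^0-9A-Fa-f]', '').ToLower()
if ($hex.Length -ne 40) { throw "Expected a 20-byte SHA-1 thumbprint, got '$OriginalThumbprint'" }
$hashEntry = $hex -replace '(..)(?!$)', '$1 '

# Refuse to proceed unless the certificate is present and its private key is bound;
# otherwise the CA would start with a certificate it cannot sign with.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $hex.ToUpper() }
if (-not $cert) { throw "No certificate with thumbprint $hex in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no associated private key; run certutil -repairstore first" }

# Record what the wizard wrote, then replace it with the original thumbprint only.
$before = (Get-ItemProperty -Path $caKey -Name CACertHash).CACertHash
Write-Host "CACertHash before: $($before -join '; ')"
Set-ItemProperty -Path $caKey -Name CACertHash -Value @($hashEntry) -Type MultiString

Restart-Service -Name CertSvc
Start-Sleep -Seconds 5

# Confirm the running CA now reports the original certificate.
certutil -getreg ca\CACertHash
certutil -cainfo cert
```

Because the wizard's own certificate stays in the store, the `before` value is worth keeping in the change record so the step can be reversed if the restarted CA does not come up.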

Brian! Thank you very much, you're really the "god of Microsoft CA" :-) It works! Unfortunately I couldn't find this solution anywhere on the web. Hope this will help other users having the same issue! When migrating the issuing CA using keys which are protected by the nCipher Security World Module Key, it works using the existing certificate after first importing the certificate and assigning the private key using certutil -repair. So the problem only occurs when using OCS protected keys. By the way: this seems to be an issue with the nCipher CSP, because in the debug logs I can see that the HSM wants to have a PIN for the operator cards but no popup is shown, so maybe it is an issue with non-persistent card sets, like it was in this case! Thanks again and a nice day! Colt
May 26th, 2010 2:54pm

Ran into a similar problem with a similar task: nCipher HSM Security World protected with the operator card set, migrating the CA from Windows Server 2003 to Windows Server 2008 R2 Enterprise Edition.
It looks like a Microsoft bug in the Certificate Services installation wizard. If the private key requires interaction with the desktop, then the associated certificate won't appear in the certificates list. In my case, if I choose "Use existing private key" and "Select a certificate and use its associated private key", the certificate list is also empty. And if I look into C:\Windows\certocm.log, I find the following:
  114.4622.948:<2010/8/12, 13:16:22>: Begin: CCertSrvSetup::GetExistingCACertificates
  419.411.0:<2010/8/12, 13:16:22>: 0x80090022 (-2146893790)
  114.4776.949:<2010/8/12, 13:16:22>: End: CCertSrvSetup::GetExistingCACertificates 0x80090022
  "Provider could not perform the action since the context was acquired as silent"
So I think in the wizard Microsoft should place a checkbox "Allow interaction with the desktop" and use it for all API calls to acquire context.
Yaroslav
August 13th, 2010 12:29am

Thanks a lot for this hint, Brian! I was just running into exactly the same issue while testing the recovery process! This workaround works like a charm!
May 22nd, 2011 11:13am
