nCipher HSM - Lost Administrator Card Set - How much of my PKI will I need to rebuild?
Hi,

We have a problem with our Administrator Card Set for our nCipher Security World that we use for our PCI nCipher HSMs. We have a Quorum of 2/3 and one card has been lost and another has an invalid passphrase (the one other was ok but not much use on its own).

First question: is there any way we can recover this? (I don't hold out much hope for this!)

Secondly, I guess I will need to create much of the PKI infrastructure again but I don't know how much. To put some detail on it, we have:

1. EASM offline root CA (with nCipher HSM)
2. Another Windows Server 2003 subordinate policy and issuing CA not using an HSM (CA1)
3. A Windows Server 2003 subordinate policy and issuing CA (with nCipher HSM, all using the same Security World) (CA2)
4. Smart Cards that are managed and deployed using Microsoft Certificate Lifecycle Manager 2007. The CLM agent private keys etc. are stored in the HSM using the same security world. All smart cards are enrolled using CA2.

We have the OCS card set so we are still able to carry out signing operations etc., but should we have a failed HSM or server we would have no way of duplicating the security world and this is very worrying.

Is there a way I can keep the subordinate CAs and re-sign with a new root? I presume this wouldn't help CA2 as the private key would still be stuck in the Security World?

Can I maintain the validity of the smart card certificates issued from this CA if I have to create a new CA certificate?

Any advice would be greatly appreciated!
November 18th, 2009 8:44pm

How did you go about handling this? I'm thinking that you'd have to create a new CA using a new security world, which I'm sure must be a tough pill to swallow, and run your first CA with the lost ACS, but hopefully not issue any more certs from this CA and eventually phase it out...
February 12th, 2010 12:37am

First question: have you contacted nCipher/Thales support yet? They may have a way of migrating the keys (no promises).

Brian
February 12th, 2010 7:32am

AFAIK there is no way of migrating keys from one world to another without ACS. That is the purpose of ACS.

Martin
February 12th, 2010 10:25am

Just confirmed with Thales that Martin is correct (I thought that too, but decided to talk to one of the support engineers directly, just in case).

You are basically in a scenario where every key needs to be regenerated that uses or was signed by the HSM.

Before you do it, you have to decide what you are going to do with revocation.

This is not the kind of answer that you can give in a newsgroup, as there are a lot of questions and issues to address that are too long to go into here.

To give a high level though:

- What are you going to do about all of the existing certificates/smart cards?
  - replace
  - maintain old PKI as long as possible to keep revocation possible
- What are you going to do with the CA/CLM server that use the HSM?
  - As soon as you want to move to a new security world, the HSM must come out
- What are you going to do when an HSM fails?
  - You cannot replace it without a quorum of ACS holders
  - You cannot replace the OCS if the OCS loses quorum
- When you build new, what do you do?
  - New CA hierarchy (cross certified)
  - Same hierarchy using new security world

Brian
February 12th, 2010 6:40pm
