First, my apologies as I know very little about certificates and cryptography. I was thrown into a project where I need to create a CSR but have an HSM device create and store the private key.

My intention was to use Windows AD CS and change the Crypto Service Provider (CSP) to use the HSM vendor's.

That's about all I know at this point, and I'm still educating myself in the realm of PKI. If someone can share some C# code or ideas on how to change the CSP, I would appreciate it.

Thanks

Bob P
  • This isn't a programming question. Rather it's a question on configuring Windows to use an HSM. It would be easier to answer this if you explained how you were planning to generate this CSR if you were not using an HSM. `certreq.exe`? PowerShell? The ADCS installation GUI or PS Cmdlets? Knowing that, someone could probably help. Or better, someone on serverfault.com might be able to help. – garethTheRed Sep 29 '22 at 20:09
  • Thanks for the feedback. Previously I was using certreq in PowerShell to test the process out. I created an .INF file that contains the subject, SAN and ProviderName and issued the `certreq -new` command. It appears the provider creates an unsigned CSR which I can then `-submit` and `-accept`. I was looking for a way to perform these steps in C# so as not to use certreq. Hope that helps a bit. – Bob P Oct 05 '22 at 17:36

2 Answers

You can use an open-source project like "Pkcs11Interop" to use an HSM in C# (based on the PKCS#11 interface). To create a CSR using C# code, this project can help you.

You can use pkcs11interop, as described in another answer.

If you are locked into using a CSP, the HSM provider will have a CSP/CNG provider that connects the Windows crypto subsystems into the HSM's front-end. Each HSM vendor will have their own provider, specific to their own equipment. Done this way, the front-end you are using will use the same techniques -- you don't need to change what you are doing, only how you are configuring it.

Once you have the provider installed (usually done by the HSM vendor's Windows installation media; nothing you need to do manually), the HSM becomes available to use.

When you create your .inf file, there will be two or three additional entries in the file that tell the crypto subsystem where the key is or should be created -- by telling it which provider to use, name of the key, etc. Keys can be already existing or can be created by the tools you are using.

You use the .inf to locate the key, and then certreq will generate a .csr that includes information about the key and where it is maintained.

You have the .csr signed. You may need to -repairstore with the certificate in order to provide the necessary indexing or map from the signed certificate to the underlying private key in the HSM.

Once they are linked, Windows may want you to use the certificate whenever you want to make use of the key, because the certificate is used by Windows to index where the private key is held. I say this here because a lot of people have the assumption that the private key is in the cert since they use the cert when they want to sign something with the key. They don't realize that the cert is a pointer to, not the holder of, that key.

Anyway: Your HSM vendor will have documentation that describes processes and techniques for installing their CNG providers. Once that is done, you just use the tools the same way, but with enough added information to route to the right key provider. Usually the vendor has additional documentation related to this, but the reality is once the provider is in place and working... it's mostly just Windows at that point.

rip...
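The C# route the question asked for, as an added example that is not from the question or either answer: the key is created inside a CNG Key Storage Provider selected by name (the same role as `ProviderName` in the `.inf`), and the CSR is signed through that provider with the managed .NET APIs (.NET 6 or later on Windows). `VENDOR-KSP-NAME`, the key name and the subject are placeholders; the vendor's installer registers the real provider string, which `certutil -csplist` will show.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class HsmCsr
{
    // Reopens a persisted machine-scope RSA key in the named KSP, or creates it there.
    // With an HSM-backed KSP the private key material never leaves the device.
    static RSA OpenOrCreateKey(string providerName, string keyName)
    {
        var provider = new CngProvider(providerName);   // placeholder name, see lead-in
        if (CngKey.Exists(keyName, provider, CngKeyOpenOptions.MachineKey))
            return new RSACng(CngKey.Open(keyName, provider, CngKeyOpenOptions.MachineKey));

        var creation = new CngKeyCreationParameters
        {
            Provider = provider,
            KeyCreationOptions = CngKeyCreationOptions.MachineKey,
            ExportPolicy = CngExportPolicies.None,      // refuse export of the key
            KeyUsage = CngKeyUsages.AllUsages,
        };
        // NCRYPT "Length" property selects the RSA modulus size at creation time.
        creation.Parameters.Add(new CngProperty("Length", BitConverter.GetBytes(2048), CngPropertyOptions.None));
        return new RSACng(CngKey.Create(CngAlgorithm.Rsa, keyName, creation));
    }

    // Builds a PKCS#10 request with subject, SAN and key usage; the signature is computed by the KSP.
    static string BuildCsr(RSA key, string subject, string[] dnsNames)
    {
        var req = new CertificateRequest(subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        var san = new SubjectAlternativeNameBuilder();
        foreach (var name in dnsNames) san.AddDnsName(name);
        req.CertificateExtensions.Add(san.Build());
        req.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, critical: true));
        byte[] der = req.CreateSigningRequest();
        return new string(PemEncoding.Write("CERTIFICATE REQUEST", der));
    }

    static void Main()
    {
        // Constructed sample values; replace with your provider, key name and subject.
        using RSA key = OpenOrCreateKey("VENDOR-KSP-NAME", "web01-tls-key");
        string pem = BuildCsr(key, "CN=web01.example.test, O=Example", new[] { "web01.example.test" });
        File.WriteAllText("web01.csr", pem);
    }
}
```

Submit the resulting `web01.csr` to the CA as before; once the signed certificate comes back, the `certreq -accept` or `-repairstore` step from the answer above is still what links the certificate in the store to the key held in the HSM.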