Microsoft IIS nShield HSM Integration Guide

- Solutions
  - Strong Identities
    1. Identity Verification
      Enable high assurance identities that empower citizens.
    2. ID Issuance
      Issue safe, secure digital and physical IDs in high volumes or instantly.
    3. User Identity
      Elevate trust by protecting identities with a broad range of authenticators.
    4. Machine Identity
      Issue and manage strong machine identities to enable secure IoT and digital transformation.
    5. Digital Signature
      Use secure, verifiable signatures and seals for digital documents.
  - Secure Payments
    1. Financial Issuance
      Issue digital and physical financial identities and credentials instantly or at scale.
    2. Digital Card Solution
      Issue digital payment credentials directly to cardholders from your bank's mobile app.
  - Trusted Infrastructure
    1. Post-Quantum Cryptography
      Find, assess, and prepare your cryptographic assets for a post-quantum world.
    2. Database Security
      Secure databases with encryption, key management, and strong policy and access control.
    3. Multi-cloud Security
      Keys, data, and workload protection and compliance across hybrid and multi-cloud environments.
- Industry
- Compliance
  - 1. PSD2
    2. HIPAA
    3. GDPR
    4. Swift
  - 1. CMMC
    2. eIDAS
    3. NITES
- Featured Products
  - As a Service Products
    1. Identity Verification as a Service
      Citizen verification for immigration, border management, or eGov service delivery.
    2. Identity as a Service (IDaaS)
      Cloud-based Identity and Access Management solution.
    3. Digital Signing as a Service
      Cloud-based digital signing solutions.
    4. Instant ID as a Service
      Issue physical and mobile IDs with one secure platform.
  - 1. Digital Card Solution
      Instantly provision digital payment credentials directly to cardholder’s mobile wallet.
    2. PKI as a Service
      A highly secure PKI that’s quick to deploy, scales on-demand, and runs where you do business.
    3. nShield as a Service
      Subscription-based access to dedicated nShield HSMs for cloud-based cryptographic services.
    4. Seamless Travel as a Service
      Remote identity verification, digital travel credentials, and touchless border processes.
  - 1. Instant Financial Issuance
      In-branch and self-service kiosk issuance of debit and credit cards.
    2. Central Financial Issuance
      High volume financial card issuance with delivery and insertion options.
    3. Instant ID Issuance
      Secure issuance of employee badges, student IDs, membership cards and more.
    4. Central ID Issuance
      Passports, national IDs and driver licenses.
    5. nShield HSMs
      Securely generate encryption and signing keys, create digital signatures, encrypting data and more.
  - 1. Cloud Security, Encryption and Key Management
      Powerful encryption, policy, and access control for virtual and public, private, and hybrid cloud environments.
    2. Digital Certificates
      TLS/SSL, digital signing, and qualified certificates plus services and tools for certificate lifecycle management.
    3. Identity and Access Management (IAM)
      One Identity portfolio for all your users — workforce, consumers, and citizens.
    4. Machine Identity Management
      Centralized visibility, control, and management of machine identities.
    5. Post-Quantum
      Learn what steps to take to migrate to quantum-resistant cryptography.
- Enterprise ID & Issuance
  - Instant ID as a Service
    Issue physical and mobile IDs with one secure platform.
    Learn More
  - Instant Issuance
    1. Sigma Direct-to-Card System
    2. Artista Retransfer System
    3. System Software
      Personalization, encoding and activation.
    4. Supplies
    5. Services
- Financial ID & Issuance
  - Digital Card Solution
    Instantly provision digital payment credentials directly to cardholder’s mobile wallet.
    Learn More
  - Digital Banking
    1. Digital Account Opening
    2. Digital Card Solution
  - Instant Issuance
    1. Sigma Direct-to-Card System
    2. Artista Retransfer System
    3. System Software
      Personalization, encoding and activation.
    4. Supplies
    5. Services
  - Central Issuance
    1. Card Issuance Systems
    2. Inline Card Delivery Systems
    3. Inline Envelope Insertion Systems
    4. Standalone Card Affixing/Envelope Insertion Systems
    5. Standalone Envelope Insertion Systems
    6. System Software
      Personalization, encoding, delivery and analytics.
    7. Supplies
    8. Services
- Government ID & Issuance
  - Digital Citizen
    1. eGovernment service delivery
    2. Identity Verification as a Service
    3. Seamless Travel as a Service
    4. ePassport as a Service
  - Central Issuance
    1. Passports, national IDs and driver licenses.
    2. Passport Issuance Systems
    3. National ID and Driver License Systems
    4. Inline Delivery & Insertion
    5. Standalone Delivery & Insertion
    6. System Software
      ID Personalization, encoding and delivery.
    7. Supplies
    8. Services
  - Instant Issuance
    1. Other citizen IDs and licenses.
    2. Sigma Direct-to-Card System
    3. Artista Retransfer System
    4. System Software
      Personalization, encoding, delivery and analytics.
    5. Supplies
    6. Services
  - Identity Verification as a Service
    Our IDVaaS solution allows remote verification of an individual’s claimed identity for immigration, border management, or digital services delivery.
    Learn More
- Cloud Security Posture Management
  - 1. CloudControl Enterprise for AWS
      Secure and ensure compliance for AWS configurations across multiple accounts, regions and availability zones.
    2. CloudControl Enterprise for Containers
      Security compliance and environmental hardening solution for contains and Kubernetes using VMware Tanzu and RedHat OpenShift platforms.
    3. CloudControl Enterprise for Swift
      Meet the compliance requirements for Swift’s Customer Security Program while protecting virtual infrastructure and data.
    4. CloudControl Enterprise for vSphere and NSX
      Comprehensive compliance, multi-factor authentication, secondary approval, RBAC for VMware vSphere NSX-T and VCF.
    5. CloudControl Foundation for vSphere
      Comprehensive compliance for VMware vSphere, NSX-T and SDDC and associated workload and management domains
  - CloudControl 30-Day Free Trial
    Entrust CloudControl offers comprehensive security and automated compliance across virtualization, public cloud, and container platforms while increasing visibility and decreasing risks that can lead to unintended downtime or security exposure.
    Start Free Trial
- Key Management and Encryption
  - 1. KeyControl for KMIP and Secrets
      Manage all your secrets and encryption keys, including how often you rotate and share them, securely at scale.
    2. KeyControl BYOK
      Create and manage encryption keys on premises and in the cloud. Manage your key lifecycle while keeping control of your cryptographic keys.
    3. KeyControl for Database Encryption
      Integrates with your database for secure lifecycle management of your TDE encryption keys.
    4. KeyControl for Backup and Recovery
      Integrates with your backup and recovery solution for secure lifecycle management of your encryption keys.
  - 1. DataControl for Azure
      Data encryption, multi-cloud key management, and workload security for Azure.
    2. DataControl for AWS
      Data encryption, multi-cloud key management, and workload security for AWS.
    3. DataControl for IBM Cloud
      Data encryption, multi-cloud key management, and workload security for IBM Cloud.
  - KeyControl 30-Day Free Trial
    VMware vSphere and vSAN encryption require an external key manager, and KeyControl is VMware Ready certified and recommended. KeyControl enables enterprises to easily manage all their encryption keys at scale, including how often keys are rotated, and how they are shared securely.
    Start Free Trial
- Hardware Security Modules (HSM)
  - nShield as a Service
    1. Subscription-based access to dedicated nShield Cloud HSMs.
  - nShield HSMs
    1. nShield Connect
      Networked appliances that deliver cryptographic key services to distributed applications.
    2. nShield Solo
      PCI-Express card-based HSMs.
    3. nShield Edge
      Personal, USB-connected desktop HSMs.
  - Management and Monitoring
    1. nShield Monitor
    2. nShield Remote Administration
  - CodeSafe
    1. SDK for securing sensitive code within a FIPS 140-2 Level 3 certified nShield HSM.
    2. Post-Quantum SDK
  - Software Option Packs
  - Compliance and Certification
    1. FIPS 140-2/140-3
    2. Common Criteria
    3. eIDAS
    4. NIST 800-53
    5. GDPR
    6. PSD2
    7. HIPAA
    8. PCI-DSS
    9. NITES
  - Why you need an HSM
    1. Learn about all the details related to what hardware security modules offer you in security and cost savings...
    2. Learn More
  - Use Cases
- TLS/SSL Certificates
  - BUY NOW
    1. Buy Certificates
    2. Renew Certificates
  - TLS/SSL Certificates
  - Qualified Certificates
  - Sales and Services
- Identity and Access Management (IAM)
  - Products
    1. Identity as a Service
      Cloud-Based IAM
    2. Identity Enterprise
      On-prem IAM
    3. Identity Essentials
      On-prem MFA solution for Windows users
    4. APIs and SDKs
  - Integrations
  - Testimonials
  - Workforce
  - Consumer and Citizen
  - Get Entrust Identity as a Service Free for 60 Days
    Explore the Identity as a Service platform that gives you access to best-in-class MFA, SSO, adaptive risk-based authentication, and a multitude of advanced features that not only keep users secure, but also contribute to an optimal experience.
    Start Free Trial
- Electronic and Digital Signing
  - EU Qualified Trust Services
    In addition to our long-standing Adobe Approved Trust List (AATL) membership, we are a European Qualified Trust Service Provider for the issuance of eIDAS qualified certificates for qualified signatures and advanced seals, for PSD2 certificates and for QWACs
    Learn More
  - Digital Signing as a Service
  - Digital Signing Certificates
  - Digital Signing Infrastructure
- Public Trust Certificates
  - Verified Mark Certificates (VMCs) for BIMI
    Show your official logo on email communications. Download our white paper to learn all you need to know about VMCs and the BIMI standard.
    Learn More
  - Buy and Renew TLS/SSL Certificates
    1. Buy Certificates
    2. Renew Certificates
  - Signing Certificates
  - Qualified Certificates
    1. PSD2 Qualified Electronic Seal Certificates
  - Sales and Services
- Public Key Infrastructure (PKI)
  - PKI as a Service
    1. Use Cases
    2. Post-Quantum PKIaaS
  - PKI Products
  - Managed Services
  - Certificate Lifecycle Management
  - Cryptographic Center of Excellence
    1. PKI Health Check
    2. Cryptographic Health Check
  - Try Post-Quantum PKI as a Service Now
    Get PQ Ready. PKIaaS PQ provides customers with composite and pure quantum Certificate Authority hierarchies.
    Try Now
- Internet of Things (IoT) Security
  - Credentialing and Provisioning
  - Machine Identity Management
  - Global PKI IoT Trends Study
    Find out how organizations are using PKI and if they’re prepared for the possibilities of a more secure, connected world.
    Learn More
- Machine Identity Management
  - Lifecycle Management
  - Credentialing and Provisioning
  - The State of Machine Identity Management
    A recent survey by IDG uncovered the complexities around machine identities and the capabilities that IT leaders are seeking from a management solution.
    Get the White Paper
- Post-Quantum
  - Issuance and Provisioning
    1. PKI as a Service PQ
    2. PQ Standards and Research
  - Cryptographic Center of Excellence
    1. Crypto Health Check
    2. PKI Health Check
  - Are you ready for the threat of post-quantum computing?
    Know where your path to post-quantum readiness begins by taking our assessment.
    Begin Assessment
- Partners
  - Become an Entrust Partner
    Our partner programs can help you differentiate your business from the competition, increase revenues, and drive customer loyalty. Consider joining one or more of our Entrust partner programs and strategically position your company and brand in front of as many potential customers as possible.
    Learn More
  - Partner Directory
    Search for partners based on location, offerings, channel or technology alliance partners.
    Search for a Partner
  - Programs
  - Partner Logins
- Support & Services
  - Contact Support
  - TrustedCare
    Product downloads, technical support, marketing development funds.
    Learn More
  - Digital Security Knowledge Base
    Guides, white papers, installation help, FAQs and certificate services tools.
    Learn More
  - Issuance Systems Knowledge Base
    Technotes, product bulletins, user guides, product registration, error codes and more.
    Learn More
  - PKI Professional Services
  - Cryptographic Center of Excellence
    Construct best practices and define strategies that work across your unique IT environment.
    Learn More
  - Custom Cryptographic Solutions
    1. Code Signing
    2. HSM Application Integration
  - Product Deployment Services
  - Packaged Services
  - Training
- Resources
  - Issuance Systems Knowledge Base
    Technotes, product bulletins, user guides, product registration, error codes and more.
    Learn More
  - Digital Security Knowledge Base
    Guides, white papers, installation help, FAQs and certificate services tools.
    Learn More
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- About Entrust
  - Securing a World in Motion Since 1969
    We’ve established secure connections across the planet and even into outer space. We’ve enabled reliable debit and credit card purchases with our card printing and issuance technologies. Protected international travel with our border control solutions. Created secure experiences on the internet with our SSL technologies. And safeguarded networks and devices with our suite of authentication products.
    Explore Our History
  - 1. Leadership
    2. Blog
    3. Careers
    4. Events
    5. Webinars
    6. Podcasts
    7. News Articles
    8. Press Releases
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- Shop
  - Entrust Certificate Services Portal
    Existing Entrust Certificate Services customers can login to issue and manage certificates or buy additional services.
    Learn More
  - Entrust Certificate Services Retail
    Shop for new single certificate purchases.
    Learn More
  - Entrust Certificate Services Partner Portal
    Existing partners can provision new customers and manage inventory.
    Learn More
  - Instant Financial Card Issuance Supplies
    1. Registered Customer Login
    2. Request Access
- Search Entrust
  - Search:

Introduction
- Product configuration
  - Supported nShield features
  - Supported nShield hardware and software versions
- Requirements
Procedures

Introduction

Microsoft Internet Information Services (IIS) for Windows Server is a Web server application. nShield Hardware Security Modules (HSMs) integrate with IIS 10.0 to provide full key life-cycle management with FIPS-certified hardware and to reduce the cryptographic load on the host server CPU. Integration of the nShield HSM with IIS 10.0 provides the following benefits:

Uses hardware validated to the FIPS 140-3 standards
Improves server performance by offloading cryptographic processing
Enables secure storage of the IIS keys
Enables management of the full life cycle of the keys

Product configuration

We have successfully tested the nShield HSM integration with IIS in the following configuration:

Product	Version
Operating System	Windows 2019 Server
IIS version	10.0

Supported nShield features

We have successfully tested nShield HSM integration with the following features:

Feature	Support
Softcards	No
Module-only key	Yes
OCS cards	Yes

Supported nShield hardware and software versions

We have successfully tested with the following nShield hardware and software versions:

Connect XC

Security World Software	Firmware	Image	OCS	Softcard	Module
12.60.11	12.50.11	12.60.10	✓		✓

Connect +

Security World Software	Firmware	Image	OCS	Softcard	Module
12.60.11	12.50.8	12.60.10	✓		✓

Requirements

Before installing the software, we recommend that you familiarize yourself with the IIS documentation and setup process, and that you have the nShield documentation available. We also recommend that there is an agreed organizational Certificate Practices Statement and a Security Policy/Procedure in place covering administration of the HSM. In particular, these documents should specify the following aspects of HSM administration:

The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and the policy for managing these cards
Whether the application keys are protected by the HSM module key or an Operator Card Set (OCS) protection
Whether the Security World should be compliant with FIPS 140-2 Level 3
Key attributes such as the key algorithm, key length and key usage.

For more information, see the User Guide for the HSM.

Procedures

Integration procedures include:

Installing the nShield HSM.
Installing the Security World Software, and configuring the Security World.
Installing IIS.
Install and register the CNG provider
Creating a certificate request
Getting the signed certificate
Installing the certificate.
Integrate an nShield HSM with an existing IIS deployment

Install the nShield HSM

Install the HSM and Security World software using the instructions in the Installation Guide for the HSM. We recommend that you do this before installing and configuring IIS.

Install the Security World Software and configure the Security World

Install the latest version of the Security World Software as described in the User Guide for the HSM.
Initialize a Security World as described in the User Guide for the HSM.

You can also use the CNG Configuration Wizard to create a Security World. If you are using an OCS, to adhere to IIS requirements it must be a 1-of-N with no passphrase, where N is the number of cards in the set.

Install IIS

To install Microsoft Internet Information Services:

Open Server Manager by selecting Start > Server Manager .
Select Manage and then select Add Roles and Features .
On the Before you begin screen, select Next .
On the Select installation type screen, ensure the default selection of Role or Feature Based Installation is selected and select Next .
On the Server Selection screen, select a server from the server pool and select Next .
On the Select server roles screen, select the Web Server (IIS) Role and select Next
When prompted to install Remote Server Administration Tools, select Add Features and select Next .
On the Select features screen, keep the default selection and select Next .
On the Web Server Role (IIS) screen, select Next .
On the Select Role Service screen, select Next .
On the confirmation screen, select Install .
Once the installation completes, Select Close .

Install and register the CNG provider

Open a command window as administrator and type the following to put the HSM in pre-initialization mode. This operation takes about a minute to complete.

>enquiry -m 1
Module #1:
 enquiry reply flags  none
 enquiry reply level  Six
 serial number        BD10-03E0-D947
 mode                 operational
 ...

>nopclearfail -I -m 1
Module 1, command ClearUnitEx: OK

>enquiry -m 1
Module #1:
 enquiry reply flags  none
 enquiry reply level  Six
 serial number        BD10-03E0-D947
 mode                 pre-initialization
 ...

Select the Start button to access all applications. Look for the recently installed nShield utilities.
Double-click the CNG configuration wizard and run it as Administrator.
Select Next on the CNG Install welcome screen.
Select Next on the Enable HSM Pool Mode screen. Leave the Enable HSM Pool Mode for CNG Providers check box un-checked.
At the Security World screen, select:
- Use the existing security world if you already have a Security World that you intend to use for Always Encrypted. The corresponding world and module_xxxx-xxxx-xxxx files most be present in the %NFAST_KMDATA%\local folder. Be prepared to present the quorum of Administrator cards.
- Create a new Security World if you do not currently have a Security World or would like to create a new Security World.
  
  In this integration, we used an existing Security World. For instructions on how to create and configure a new Security World, see the Installation Guide and User Guide for your HSM.
  
  Select Next .
The Set Module States pop-up shows the available HSM(s). Select the desired HSM. The state of the selected HSM should be (pre-)initialisation . Select Next .
At the Module Programming Options screen, clear Enable this module as a remote target and select Next . It will take about a minute before the screen changes.

Note
Please be aware that this is not to be confused with the nShield Remote Administration utility.
Insert the first Administrator Card in the HSM, enter the passphrase and select Next . Repeat this step for the other Administrator Cards as required.

Loading or creating the Security World takes about a minute.

Return the HSM to Operational mode.

This operation takes about a minute to complete.

>enquiry -m 1
Module #1:
 enquiry reply flags  none
 enquiry reply level  Six
 serial number        BD10-03E0-D947
 mode                 initialization
 ...

>nopclearfail -O -m 1
Module 1, command ClearUnitEx: OK

C:\Windows\system32>enquiry -m 1
Module #1:
 enquiry reply flags  none
 enquiry reply level  Six
 serial number        BD10-03E0-D947
 mode                 operational
 ...

The module state will change to Usable .

Select Next .

Select the protection method.

Note	Due to limitations of IIS itself, any OCS protection must be passphrase-less 1/n quorum, and any softcard protection is not supported. For this reason, use only OCS or module protection.

Operator Card Set protection
1. Select Operator Card Set in the Key Protection Setup , then select Next .
2. Enter the OCS name, K of N values, select Persistent and Usable remotely , then select Next .
3. Insert a blank Operator Card in the HSM.
4. In Insert Next Card , enter a name to for the OCS card. Leave the Card requires a pass phrase checkbox unchecked as OCS protection must be passphrase-less, then select Next .
Module protection
1. In Key Protection Setup , select Module protection , then select Next .
2. Select Next and Finish .

The nShield CNG providers are installed and the key Storage Provider is registered.

Open a command window as administrator and type the following to confirm that the KSP has been successfully registered. Look for nCipher Security World Key Storage Provider .

> cnglist.exe --list-providers
Microsoft Key Protection Provider
Microsoft Passport Key Storage Provider
Microsoft Platform Crypto Provider
Microsoft Primitive Provider
Microsoft Smart Card Key Storage Provider
Microsoft Software Key Storage Provider
Microsoft SSL Protocol Provider
Windows Client Key Protection Provider
nCipher Primitive Provider
nCipher Security World Key Storage Provider

Check the registry in CNGRegistry :
```
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cryptography\Providers\nCipherSecurityWorldKeyStorageProvider
```

Create a certificate request

IIS Manager does not support the creation of certificates protected by CNG Keys and these need to be created using the Microsoft command line utilities. Commands executed in this section are run on a PowerShell in Windows.

Note	Due to limitations of IIS itself, no GUI prompts (even via nShield Service Agent) can be displayed, so any OCS protection must be passphrase-less 1/n quorum. For this reason, use only OCS or module protection.

Complete the following steps to create a certificate request:

To make sure the nCipher Primitive Provider and nCipher Security World Key Storage Providers are listed, run:

% cnglist.exe --list-providers

Microsoft Key Protection Provider
Microsoft Passport Key Storage Provider
Microsoft Platform Crypto Provider
Microsoft Primitive Provider
Microsoft Smart Card Key Storage Provider
Microsoft Software Key Storage Provider
Microsoft SSL Protocol Provider
Windows Client Key Protection Provider
nCipher Primitive Provider
nCipher Security World Key Storage Provider

Note	If the `nCipher Primitive Provider` and `nCipher Security World Key Storage Provider` are not listed, please follow the steps in the `Install and register the CNG provider` section.

Set up a template file:
1. Generate a request for an SSL certificate linked to a 2K RSA key by creating a file called request.inf with the following information:
  [Version] Signature= "$Windows NT$" [NewRequest] Subject = "CN=interop.com,C=US,ST=Florida,L=Sunrise,O=InteropCom,OU=WebServer" HashAlgorithm = SHA256 KeyAlgorithm = RSA KeyLength = 2048 ProviderName = "nCipher Security World Key Storage Provider" KeyUsage = 0xf0 MachineKeySet = True [EnhancedKeyUsageExtension] OID = 1.3.6.1.5.5.7.3.1
  Your request.inf file does not have to contain exactly the code given above. This is an example, not a definitive model.
2. Specify the subject details of the Domain Controller which is issuing the certificate.
3. Specify the key algorithm and key length as required, for example RSA 2048.
4. Specify the Provider name as nCipher Security World Key Storage Provider .
5. When you have set up the template successfully, save it as request.inf on the C:\ drive.
Open a command prompt and go to the local drive, in this case C:\ .
To create the certificate request for the Certification Authority, execute the command:
```
% certreq.exe -new request.inf IISCertRequest.csr

CertReq: Request Created
```
A certificate request called IISCertRequest.csr is generated and placed on the C:\ drive. This file is used to be sent to a Certificate Authority.

Get the signed certificate

Submit the CSR file to a CA such as VeriSign, Entrust, and so on.
The CA authenticates the request and returns a signed certificate or a certificate chain.
Save the reply from the CA in the current working directory.

In this guide the signed certificate file is IISCertRequest.cer .

Install the certificate

Make the certificate available to be used in IIS and bind the certificate with the https settings in IIS.

Commands used in this section are run from a Windows PowerShell.

Make the certificate available for use in IIS

To make the certificate available for use in IIS, run the following command:

% certreq --accept IISCertRequest.cer

Where IISCertRequest.cer is the binary certificate exported from the CA. Running this command makes the CA certificate trusted on the Web Server.

Installed Certificate:
  Serial Number: 67790b108e551446903d999aabeaaf5e003fb66f
  Subject: C=US, CN=Hostname
  NotBefore: 6/22/2021 1:22 PM
  NotAfter: 6/22/2022 1:22 PM
  Thumbprint: cd3135f897ab0b44dfe6f451bcd63076ed4228e8

Bind the certificate with a secure IIS web server

Go to Start > Internet Information Service Manager .
Select the hostname, then double-click Server Certificates and verify the certificate you accepted in the previous step is listed.
Click Default website under Sites on the left-hand side of the IIS Manager screen.
Select Bindings link on the right-hand side of the IIS Manager.
On the Site Bindings screen, select Add if the https protocol is not listed, but if it is, select it.
If you have to add it select the protocol as HTTPS and select the certificate from the list.

If you are editing the settings, select the certificate from the list.
Select OK to complete the certificate binding for SSL connection.
Select Close on the Site Bindings screen.
Restart the IIS server.
Open the browser and type https://machinename:443 .
Accept the certificate on the browser to continue with SSL connection with IIS server.

Integrate an nShield HSM with an existing IIS deployment

This section describes how to upgrade an existing IIS server installation to use an nShield HSM to protect the private key. It is assumed that the existing certificate must continue to be used by the server after the Prerequisites to integrate are:

An IIS setup with software-protected certificate and private key
nShield Software installed and a Security World created using The CNG Configuration Wizard, or the front panel of an nShield Connect

Export the software-protected certificate

Complete the following procedure to export the software-protected certificate:

Type MMC at the command prompt and select OK .

The Microsoft Management Console opens.
On the initial screen, select File > Add/Remove Snap-in and select Add .
Select Certificates from Available Standalone Snap-ins and select Add .
On the Certificates snap-in screen, select Computer account and select Next .
On the Select Computer screen, select Local computer , select Finish then OK .
Navigate to the Certificates directory ( Certificates (Local Computer) > Personal > Certificates ).
Right-select the certificate file and select All Tasks > Export .
The Welcome to the Certificate Export Wizard screen appears. Select Next .
On the Export Private Key screen, select No, do not export the private key and select Next .
On the Export File Format screen, select Base-64 encoded X.509 (.Cer) and select Next .
On the File to Export screen, select an absolute path and filename to save the exported Certificate.

Select Next .
The Completing the Certificate Export Wizard screen appears.

Select Finish .
After exporting the certificate, delete the certificate from the certificate store.

Import a Microsoft CAPI key into the nCipher Security World Key Storage Provider

To import a Microsoft CAPI key into the nCipher Security World Key Storage Provider:

Navigate to the C:\Program Files (x86)\nCipher\nfast\bin folder and run cngimport.exe :

C:\Program Files (x86)\nCipher\nfast\bin\cngimport -m -M -k "MS CAPI key"  "imp_key_name"

The Microsoft CNG key is in the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder.

Example:

C:\Program Files (x86)\nCipher\nfast\bin\cngimport -m -M -k "48753e97af4e829f_b2885b-321a-42b9-9122-81d377654436" "Importedkeyname"

To check the success of the import, list the keys in the Security World:

C:\Program Files (x86)\nCipher\nfast\bin\cnglist64.exe --list-key Importedkeyname: RSA machine

Import a certificate into the certificate store

Go to the command prompt and type MMC , then select OK to open the Microsoft Management Console.
On the initial screen, select File > Add/Remove Snap-in and select Add .
From Available Standalone Snap-ins , select Certificates and select Add .
On the Certificates snap-in screen, select Computer account and select Next .
On the Select Computer screen, select Local computer , select Finish and select OK .
Navigate to the Certificates directory ( Certificates (Local Computer) > Personal > Certificates ).
Right-select the certificate folder and select All Tasks > Import .
The Welcome to the Certificate Import Wizard screen appears. Select Next .
Navigate to the location of the certificate from the Origin Server and select Next .
On the Certificate Store screen, select Place all certificates in the following store .
Make sure that the default selection in Certificate Store is Personal , then select Next .
The Completing the Certificate Import Wizard screen appears.

Select Next , then select OK .

Run the following command from the Windows terminal:

C:\Program Files (x86)\nCipher\nfast\bin>certutil -f -csp "nCipher Security World Key Storage Provider" -repairstore my <serial number of certificate>

Open the IIS Manager from Start > Internet Information Services (IIS) Manager .
Under Sites on the left-hand side of the IIS Manager screen, select the required web site.
On the right-hand side of the IIS Manager screen, select Bindings .
On the Site Bindings screen, select Add .
Select the protocol HTTPS .
Select the certificate from the drop-down list.
To complete the certificate binding for SSL connection, select OK .
Open the browser and type https://machinename:443 .

If necessary, accept the certificate in the browser to continue with SSL connection to the IIS Web Server.

Table of Contents
Introduction
Procedures

RESOURCES

Integration Guide
Microsoft IIS nShield HSM Integration Guide

Table of Contents