Public Key Infrastructure (PKI) is used to establish a chain of trust so that a user, service, computer, or application can be authenticated, a secure connection can be established, or the origin of software or documents can be validated. This is done through certificates, which a PKI creates, manages, distributes and, when necessary, revokes. A certificate carries the public key; the corresponding private key must be kept safe and secret. It must be kept in a hardware security module (HSM).
The Microsoft (MS) Server package already contains a PKI. With that PKI a Certificate Authority (CA) can be established that serves as the root of trust: it is the anchor of the chain of trust for all certificates derived from it. The MS PKI also provides a Registration Authority (RA) or subordinate CA, which can issue certificates as permitted by the root CA. Both CA and RA run a certificate database that records certificate requests, issuances, and revocations, and both must securely store the private keys corresponding to all of their certificates. In an MS PKI this can be handed off to an HSM.
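The chain of trust described above, as an added example that is not code from this page, from Microsoft or from Securosys: a root CA, a subordinate (issuing) CA that the root restricts to a path length of 0, and a server certificate, built and verified with Go's standard `crypto/x509` package. The CA names, serial numbers and the P-256 software keys are constructed for the example; in a real deployment the CA private keys are generated and used inside the HSM and never sit in process memory as they do here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy is a two-tier PKI: root CA, subordinate (issuing) CA, one server cert.
// SubKey is kept only to try misusing the issuing CA; in production it stays in the HSM.
type Hierarchy struct {
	Root, Sub, Leaf *x509.Certificate
	SubKey          *ecdsa.PrivateKey
}

// template builds a CA or server certificate template. For a CA, pathLen 0 means
// "may issue end-entity certificates but no further CAs"; -1 is unconstrained.
func template(serial int64, cn string, years int, isCA bool, pathLen int) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(years, 0, 0),
		BasicConstraintsValid: true, // encode CA=true/false explicitly
	}
	if isCA {
		t.IsCA, t.MaxPathLen, t.MaxPathLenZero = true, pathLen, pathLen == 0
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue generates a fresh P-256 key for tmpl and has signer (the parent's key, nil
// for a self-signed root) sign it. Software keys stand in for the HSM keys here.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only reachable on a broken RNG
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err) // template/parent mismatch: a programming error
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildHierarchy creates root -> issuing CA (path length 0) -> server certificate.
func BuildHierarchy() *Hierarchy {
	rootTmpl := template(1, "Example Root CA", 10, true, -1)
	root, rootKey := issue(rootTmpl, rootTmpl, nil)
	sub, subKey := issue(template(2, "Example Issuing CA", 5, true, 0), root, rootKey)
	leaf, _ := issue(template(3, "server.example.test", 1, false, 0), sub, subKey)
	return &Hierarchy{Root: root, Sub: sub, Leaf: leaf, SubKey: subKey}
}

// ChainOK does what a relying party does: trust only root and try to build a chain
// from leaf through the intermediates presented with it (none, if the caller omits them).
func ChainOK(root, leaf *x509.Certificate, intermediates ...*x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// SubCACanDelegate has the issuing CA sign a further CA and a server certificate below
// it. The signature succeeds, but the root granted path length 0, so verification fails.
func SubCACanDelegate(h *Hierarchy) bool {
	rogue, rogueKey := issue(template(4, "Unauthorised Sub-Sub CA", 1, true, 0), h.Sub, h.SubKey)
	leaf, _ := issue(template(5, "other.example.test", 1, false, 0), rogue, rogueKey)
	return ChainOK(h.Root, leaf, h.Sub, rogue)
}

func main() {
	h := BuildHierarchy()
	fmt.Println(ChainOK(h.Root, h.Leaf, h.Sub), ChainOK(h.Root, h.Leaf), SubCACanDelegate(h)) // true false false
}
```

`go run` on this file prints `true false false`: the server certificate is trusted only when the issuing CA certificate accompanies it, and a CA that the issuing CA signs on its own is rejected because the root limited the issuing CA's path length. The same constraint is what lets a root CA control what a subordinate CA or RA in an MS PKI may issue; the private keys doing the signing are the ones the page says belong in the HSM.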
The MS PKI can connect to a Securosys Primus X-Series HSM through a Windows CNG provider, so that device keys, authentication keys, and personal keys can be securely generated, managed, and distributed. Moreover, certificates such as SSL certificates or EV (extended validation) certificates are generated independently and have their corresponding private keys securely stored in the HSM.