Set Up a Certification Authority by Using a Hardware Security Module
Updated: June 24, 2013
Applies To: Windows Server 2008
Using a hardware security module (HSM) can enhance the security of a certification authority (CA) and public key infrastructure (PKI).
An HSM is a dedicated hardware device that is managed separately from the operating system. These modules provide a secure hardware store for CA keys, as well as a dedicated cryptographic processor to accelerate signing and encrypting operations. Windows accesses the HSM through the CryptoAPI interfaces, in which the HSM functions as a cryptographic service provider (CSP) device.
Note: Installation instructions for HSMs should be provided by the HSM vendor, because there are typically pre-installation requirements as well as device-specific settings that are required during CA installation.
HSMs typically are PCI adapters but are also available as network-based appliances. If an organization plans to implement two or more CAs, it can install a single network-based HSM and share it among those CAs.
In order to set up a CA by using an HSM, the HSM must be installed and configured before you set up any CAs whose keys will be stored on the HSM.
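As an added example, not part of the original article, the following PowerShell script performs the pre-installation check implied above: it confirms that the HSM's CSP is registered with CryptoAPI and that the provider can enumerate keys before any CA is installed, and, once a CA exists, confirms that the CA is configured to use that provider rather than a software CSP. The CSP name is a placeholder and must be replaced with the name the HSM vendor registers (as shown by `certutil -csplist`).

```powershell
# Added example, not part of the original article.
# Pre-flight check for installing a CA whose keys will be stored on an HSM.
# The provider name is a placeholder; use the vendor-specific CSP name that
# appears in the output of 'certutil -csplist'.
$HsmCsp = 'VENDOR HSM Cryptographic Provider'   # placeholder, vendor specific

# 1. Is the HSM CSP registered with CryptoAPI? If not, the HSM has not been
#    installed and configured yet, and CA setup should not proceed.
$cspList = certutil -csplist 2>&1 | Out-String
if ($cspList -notmatch [regex]::Escape($HsmCsp)) {
    Write-Warning "HSM CSP '$HsmCsp' is not registered. Install and configure the HSM before setting up the CA."
    exit 1
}
Write-Host "HSM CSP '$HsmCsp' is registered."

# 2. Can the provider be opened and its keys enumerated? This fails when the
#    device is unreachable or the vendor driver is only partially configured.
$keyTest = certutil -csp "$HsmCsp" -key 2>&1 | Out-String
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Could not enumerate keys on '$HsmCsp':`n$keyTest"
    exit 1
}
Write-Host "Provider '$HsmCsp' responds to key enumeration."

# 3. After CA installation: verify the CA's configured provider is the HSM CSP,
#    which shows the CA signing key was generated on the HSM, not in software.
$caCsp = certutil -getreg ca\csp\Provider 2>&1 | Out-String
if ($LASTEXITCODE -eq 0) {
    if ($caCsp -match [regex]::Escape($HsmCsp)) {
        Write-Host "CA is configured to use '$HsmCsp'."
    } else {
        Write-Warning "CA provider is not the HSM CSP:`n$caCsp"
    }
} else {
    Write-Host "No CA installed yet (CertSvc configuration not found); skipping CA provider check."
}
```

Run the script from an elevated PowerShell session on the CA server; step 3 only produces a result after the CA role has been installed.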