Export and install a software-based CSP key

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 R2

When you installed AD RMS, you were able to select either private key protection managed by AD RMS or cryptographic storage provider (CSP)-based key protection. AD RMS-managed private key protection offers decreased administrative overhead because the AD RMS private key is stored in the AD RMS configuration database, and servers that are added to the AD RMS cluster share this key. A hardware-based CSP provides more security because the private key is never stored in software. A software-based CSP stores the AD RMS private key locally on each AD RMS server; because of this, a software-based CSP is not recommended.

If you are using a software-based CSP, you must export and install the AD RMS private key on a new computer that is joining the AD RMS cluster as part of the migration or upgrade to AD RMS. If you are using a hardware-based CSP, you should consult the manufacturer about steps for migrating the key.

Important

The .NET Framework 2.0 must be installed on the server that you are exporting the AD RMS private key from and the new server on which the private key will be installed. The .NET Framework 2.0 is available by using Windows Update.

To retrieve the private key container name

  1. Log on to the server hosting the AD RMS configuration database with a user account that is a member of the System Administrators database role.

  2. Click Start, point to All Programs, point to Microsoft SQL Server, and then click SQL Server Management Studio.

  3. When the Connect to Server window appears, ensure that the server hosting the AD RMS configuration database is in the Server name box, and then click Connect.

  4. Expand Databases.

  5. Expand the AD RMS configuration database, and then expand Tables.

  6. Right-click the DRMS_LicensorPrivateKey table, and then click Open Table.

    The key container name is stored in the column named KeyContainerName.

To export the RMS private key from a software-based CSP

  1. Log on to the AD RMS server that has the AD RMS private key installed.

  2. Click Start, and then click Command Prompt.

  3. Type cd %windir%\Microsoft.NET\Framework\v2.0.50727, and then press ENTER.

  4. Type aspnet_regiis.exe -px "<keycontainername>" privatekey.xml -pri, where <keycontainername> is the key container name that you retrieved from the procedure named "To retrieve the private key container name," and then press ENTER.

  5. Copy privatekey.xml to the server that will be joined to the AD RMS cluster.

To install an RMS private key protected by a software-based CSP

  1. Log on to the server that will be joined to the AD RMS cluster.

  2. Click Start, and then click Command Prompt.

  3. Type cd %windir%\Microsoft.NET\Framework\v2.0.50727, and then press ENTER.

  4. Type aspnet_regiis.exe -pi "<keycontainername>" privatekey.xml -exp, where <keycontainername> is the key container name that you retrieved from the procedure named "To retrieve the private key container name," and then press ENTER.
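The two command-line procedures above (export on the existing server, install on the server joining the cluster) can be wrapped in a script so that the exit code of aspnet_regiis.exe is checked and the exported privatekey.xml, which contains the cluster's private key in clear text, is not left world-readable while it waits to be copied. The following PowerShell is an added example and is not code from this page or from Microsoft. It assumes that it runs elevated on the AD RMS server, that the .NET Framework 2.0 directory is the one named in step 3 of both procedures, and that the key container name passed in is the KeyContainerName value read from the DRMS_LicensorPrivateKey table in the first procedure. The function names and parameters are this example's own.

```powershell
<#
  Added example, not Microsoft's code: wraps the "export" and "install" procedures
  from this page in two functions. Assumptions (not stated on the page):
    - the script runs elevated on the AD RMS server;
    - -KeyContainerName is the value read from
      DRMS_LicensorPrivateKey.KeyContainerName in the first procedure.
#>

# Directory from step 3 of both procedures (.NET Framework 2.0).
$AspnetRegiis = Join-Path $env:windir 'Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe'

function Assert-AspnetRegiisPresent {
    if (-not (Test-Path $AspnetRegiis)) {
        throw "aspnet_regiis.exe not found at $AspnetRegiis; install the .NET Framework 2.0 first."
    }
}

function Export-AdRmsSoftwareCspKey {
    param(
        [Parameter(Mandatory)] [string] $KeyContainerName,
        [string] $OutputFile = (Join-Path $PWD 'privatekey.xml')
    )
    Assert-AspnetRegiisPresent

    # Step 4 of "To export": -px exports the named container, -pri includes the private key.
    & $AspnetRegiis -px $KeyContainerName $OutputFile -pri
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -px failed with exit code $LASTEXITCODE" }

    # privatekey.xml now holds the private key in clear text. Drop inherited ACLs and
    # leave read access only to the account performing the migration.
    $me = "$($env:USERDOMAIN)\$($env:USERNAME)"
    & icacls $OutputFile /inheritance:r /grant:r "${me}:(R)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

    return (Get-Item $OutputFile)
}

function Install-AdRmsSoftwareCspKey {
    param(
        [Parameter(Mandatory)] [string] $KeyContainerName,
        [Parameter(Mandatory)] [string] $InputFile,
        [switch] $RemoveInputFile
    )
    Assert-AspnetRegiisPresent
    if (-not (Test-Path $InputFile)) { throw "Input file $InputFile not found" }

    # Step 4 of "To install": -pi imports into the named container; -exp marks the
    # imported key exportable so the same procedure works for the next server.
    & $AspnetRegiis -pi $KeyContainerName $InputFile -exp
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pi failed with exit code $LASTEXITCODE" }

    # Once the key is in the container the XML copy serves no purpose on this host.
    if ($RemoveInputFile) { Remove-Item -LiteralPath $InputFile -Force }
}

# Usage (placeholders, not values from this page):
#   On the existing server:
#     Export-AdRmsSoftwareCspKey -KeyContainerName '<keycontainername>' -OutputFile C:\migrate\privatekey.xml
#   Copy C:\migrate\privatekey.xml to the joining server (step 5), then on that server:
#     Install-AdRmsSoftwareCspKey -KeyContainerName '<keycontainername>' -InputFile C:\migrate\privatekey.xml -RemoveInputFile
```

The export function returns the FileInfo of privatekey.xml so the caller can confirm the file exists and carries the restricted ACL before copying it; the install function deletes its input only when asked, since the same file may still be needed for further servers joining the cluster.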