Export and install a software-based CSP key

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 R2

When you installed RMS, you chose between private key protection managed by RMS and cryptographic service provider (CSP)-based key protection. RMS-managed protection has the lowest administrative overhead: the RMS private key is stored in the RMS configuration database, and servers added to the RMS cluster share that key automatically. A hardware-based CSP provides the most security, because the private key never exists in software anywhere. A software-based CSP stores the RMS private key locally on each RMS server, so the key must be copied by hand to every server that joins the cluster; for that reason this option is not recommended.

If you are using a software-based CSP, you must export the RMS private key from an existing server and install it on each new computer that joins the RMS cluster as part of the migration or upgrade to AD RMS. If you are using a hardware-based CSP, consult the hardware manufacturer for the steps to migrate the key.

Note

When selecting a key to use as the RMS private key, only keys exported from a successfully provisioned AD RMS service are supported. Ad hoc keys created by other mechanisms are not supported.

Important

The .NET Framework 2.0 must be installed both on the server that you are exporting the RMS private key from and on the new server on which the private key will be installed, because the export and import steps below use the aspnet_regiis.exe tool that ships with it. The .NET Framework 2.0 is available through Windows Update.

Warning

If you are installing AD RMS on a domain controller that was upgraded from Windows Server 2003 to Windows Server 2008 or Windows Server 2008 R2 and you are using a software-based CSP, you must grant the AD RMS Service Group and the Domain Admins group access to the private key container file. The file is located in the %systemdrive%\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder.

To retrieve the private key container name

  1. Log on to the server hosting the RMS configuration database with a user account that is a member of the sysadmin (System Administrators) fixed server role.

  2. Click Start, point to All Programs, point to Microsoft SQL Server 2005, and then click SQL Server Management Studio.

  3. When the Connect to Server window appears, ensure that the server hosting the RMS configuration database is in the Server name box, and then click Connect.

  4. Expand Databases.

  5. Expand the RMS configuration database, and then expand Tables.

  6. Right-click the DRMS_LicensorPrivateKey table, and then click Open Table.

    The key container name is stored in the column named KeyContainerName.

To export the RMS private key from a software-based CSP

  1. Log on to the RMS server that has the RMS private key installed.

  2. Click Start, and then click Command Prompt.

  3. Type cd %windir%\Microsoft.NET\Framework\v2.0.50727, and then press ENTER.

  4. Type aspnet_regiis.exe -px "keycontainername" privatekey.xml -pri, where keycontainername is the key container name that you retrieved from the procedure named "To retrieve the private key container name," and then press ENTER. The -pri option includes the private key in the exported file; without it, only the public key is written.

  5. Copy privatekey.xml to the server that will be joined to the RMS cluster. Use a protected channel, because the file contains the RMS private key in cleartext, and delete every copy once the key has been installed.

To install an RMS private key protected by a software-based CSP

  1. Log on to the server that will be joined to the RMS cluster.

  2. Click Start, and then click Command Prompt.

  3. Type cd %windir%\Microsoft.NET\Framework\v2.0.50727, and then press ENTER.

  4. Type aspnet_regiis.exe -pi "keycontainername" privatekey.xml -exp, where keycontainername is the key container name that you retrieved from the procedure named "To retrieve the private key container name," and then press ENTER. The -exp option marks the imported key as exportable, so that it can be exported again from this server when the next cluster member is added.
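The three procedures above, as one added PowerShell script (an example written for this page, not part of the original article or of the RMS product): it reads the key container name from the DRMS_LicensorPrivateKey table, runs the same aspnet_regiis.exe export or import, checks that the exported XML really contains the private RSA parameters, and grants the service group access to the imported container. The SQL Server host, configuration database name and service group name are placeholder assumptions; aspnet_regiis.exe writes the key as an RSAKeyValue XML element, which the check relies on.

```powershell
# Added example, not from the original article. Run with -Phase Export on the
# RMS server that holds the key and with -Phase Import on the server joining
# the cluster. Requires .NET Framework 2.0 and a sysadmin login on the
# configuration database (integrated authentication).
param(
    [ValidateSet('Export', 'Import')][string]$Phase = 'Export',
    [string]$SqlServer    = 'RMSDB01',                       # assumption: configuration database host
    [string]$DbName       = 'DRMS_Config_rms_contoso_com_80', # assumption: your configuration database name
    [string]$KeyFile      = 'privatekey.xml',
    [string]$ServiceGroup = 'CONTOSO\AD RMS Service Group'   # assumption: your AD RMS Service Group
)

$regiis = Join-Path $env:windir 'Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe'
if (-not (Test-Path $regiis)) {
    throw 'aspnet_regiis.exe for .NET Framework 2.0 not found; install .NET Framework 2.0 first'
}

function Get-KeyContainerName {
    # Same lookup as the Management Studio steps, done with a query instead of
    # opening the table by hand. Fails if the table does not hold exactly one row.
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$SqlServer;Database=$DbName;Integrated Security=SSPI"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT KeyContainerName FROM DRMS_LicensorPrivateKey'
        $names = @()
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) { $names += $reader.GetString(0) }
        $reader.Close()
        if ($names.Count -ne 1) { throw "Expected one key container row, found $($names.Count)" }
        return $names[0]
    } finally {
        $conn.Close()
    }
}

function Test-ExportedKey([string]$Path) {
    # aspnet_regiis -px writes an <RSAKeyValue> element; with -pri it also holds
    # the private parameters. A file without <D> is a public key only and would
    # leave the new server unable to sign licenses.
    [xml]$doc = Get-Content $Path
    $rsa = $doc.RSAKeyValue
    if (-not $rsa) { throw "$Path is not an RSAKeyValue export" }
    foreach ($element in 'Modulus', 'Exponent', 'P', 'Q', 'DP', 'DQ', 'InverseQ', 'D') {
        if (-not $rsa.$element) { throw "$Path lacks <$element>; re-run the export with -pri" }
    }
    # The file is the cleartext private key: restrict it to the current user only.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    icacls $Path /inheritance:r /grant:r "${me}:F" | Out-Null
}

$container = Get-KeyContainerName
switch ($Phase) {
    'Export' {
        & $regiis -px "$container" $KeyFile -pri
        if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -px failed with exit code $LASTEXITCODE" }
        Test-ExportedKey $KeyFile
        Write-Host "Exported container '$container' to $KeyFile. Copy it over an encrypted channel and delete every copy after import."
    }
    'Import' {
        Test-ExportedKey $KeyFile
        & $regiis -pi "$container" $KeyFile -exp
        if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pi failed with exit code $LASTEXITCODE" }
        # Grant the service group access to the container; this is the
        # MachineKeys ACL change the Warning above describes, done by the tool.
        & $regiis -pa "$container" "$ServiceGroup"
        if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pa failed with exit code $LASTEXITCODE" }
        Remove-Item $KeyFile -Force
        Write-Host "Installed container '$container' and granted access to $ServiceGroup"
    }
}
```

The container name is read from the database in both phases rather than passed by hand, so an import cannot silently create a container under a misspelled name that the RMS service will never look up. The ACL step uses aspnet_regiis -pa, which locates the container file in MachineKeys itself; on a domain controller covered by the Warning, run it a second time with the Domain Admins group.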