
Microsoft IIS nShield® HSM Integration Guide Version: 2.5

Date: Wednesday, June 30, 2021

Copyright © 2019-2021 nCipher Security Limited. All rights reserved.

Copyright in this document is the property of nCipher Security Limited. It is not to be reproduced, modified, adapted, published, translated in any material form (including storage in any medium by electronic means whether or not transiently or incidentally) in whole or in part nor disclosed to any third party without the prior written permission of nCipher Security Limited, neither shall it be used otherwise than for the purpose for which it is supplied.

Words and logos marked with ® or ™ are trademarks of nCipher Security Limited or its affiliates in the EU and other countries.

Docker and the Docker logo are trademarks or registered trademarks of Docker, Inc. in the United States and/or other countries.

Information in this document is subject to change without notice. nCipher Security Limited makes no warranty of any kind with regard to this information, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. nCipher Security Limited shall not be liable for errors contained herein or for incidental or consequential damages concerned with the furnishing, performance or use of this material.

Where translations have been made in this document, English is the canonical language. nCipher Security Limited Registered Office: One Station Square Cambridge, UK CB1 2GA Registered in England No. 11673268 nCipher is an Entrust company.

Entrust, Datacard, and the Hexagon Logo are trademarks, registered trademarks, and/or service marks of Entrust Corporation in the U.S. and/or other countries. All other brand or product names are the property of their respective owners. Because we are continuously improving our products and services, Entrust Corporation reserves the right to change specifications without prior notice. Entrust is an equal opportunity employer.

Contents

1. Introduction...... 4

1.1. Product configuration...... 4

1.2. Requirements ...... 5

2. Procedures ...... 6

2.1. Install the nShield HSM ...... 6

2.2. Install the Security World Software and configure the Security World ...... 6

2.3. Install IIS ...... 6

2.4. Install and register the CNG provider...... 12

2.5. Create a certificate request ...... 21

2.6. Get the signed certificate ...... 22

2.7. Install the certificate ...... 22

2.8. Integrate an nShield HSM with an existing IIS deployment ...... 24

Contact Us ...... 27

1. Introduction

Microsoft Internet Information Services (IIS) for Windows is a web server. nShield Hardware Security Modules (HSMs) integrate with IIS 10.0 to provide full key life-cycle management on FIPS-validated hardware and to offload cryptographic processing from the host server CPU. Integration of the nShield HSM with IIS 10.0 provides the following benefits:

• Uses hardware validated to the FIPS 140-2 standard
• Improves server performance by offloading cryptographic processing
• Enables secure storage of the IIS keys
• Enables management of the full life cycle of the keys

1.1. Product configuration

We have successfully tested the nShield HSM integration with IIS in the following configuration:

Product             Version
Operating System    Windows Server 2019
IIS                 10.0

1.1.1. Supported nShield features

We have successfully tested nShield HSM integration with the following features:

Feature            Support
Softcards          No
Module-only key    Yes
OCS cards          Yes

1.1.2. Supported nShield hardware and software versions

We have successfully tested with the following nShield hardware and software versions:

1.1.2.1. Connect XC

Security World Software   Firmware   Image      OCS   Softcard   Module
12.60.11                  12.50.11   12.60.10   ✓     No         ✓

1.1.2.2. Connect +

Security World Software   Firmware   Image      OCS   Softcard   Module
12.60.11                  12.50.8    12.60.10   ✓     No         ✓

1.2. Requirements

Before installing the software, we recommend that you familiarize yourself with the IIS documentation and setup process, and that you have the nShield documentation available. We also recommend that there is an agreed organizational Certification Practice Statement and a Security Policy/Procedure in place covering administration of the HSM. In particular, these documents should specify the following aspects of HSM administration:

• The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and the policy for managing these cards
• Whether the application keys are protected by the HSM module key or by an Operator Card Set (OCS); for IIS an OCS must be 1-of-N with no passphrase, and softcard protection is not supported
• Whether the Security World should be compliant with FIPS 140-2 level 3
• Key attributes such as the key algorithm, key length and key usage

For more information, see the User Guide for the HSM.

2. Procedures

Integration procedures include:

• Installing the nShield HSM
• Installing the Security World Software and configuring the Security World
• Installing IIS
• Installing and registering the CNG provider
• Creating a certificate request
• Getting the signed certificate
• Installing the certificate
• Integrating an nShield HSM with an existing IIS deployment

2.1. Install the nShield HSM

Install the HSM and Security World software using the instructions in the Installation Guide for the HSM. We recommend that you do this before installing and configuring IIS.

2.2. Install the Security World Software and configure the Security World

1. Install the latest version of the Security World Software as described in the User Guide for the HSM.
2. Initialize a Security World as described in the User Guide for the HSM.

You can also use the CNG Configuration Wizard to create a Security World. If you are using an OCS, it must be a 1-of-N set with no passphrase, where N is the number of cards in the set: IIS runs as a service and cannot display a card or passphrase prompt, so a card set that needs more than one card, or a passphrase, could not be loaded.

2.3. Install IIS

To install Microsoft Internet Information Services:

1. Open Server Manager by selecting Start > Server Manager.
2. Select Manage, then select Add Roles and Features.
3. On the Before you begin screen, select Next.
4. On the Select installation type screen, ensure the default, Role-based or feature-based installation, is selected and select Next.
5. On the Server Selection screen, select a server from the server pool and select Next.
6. On the Select server roles screen, select the Web Server (IIS) role and select Next.
7. When prompted to install the Remote Server Administration Tools, select Add Features, then select Next.
8. On the Select features screen, keep the default selection and select Next.
9. On the Web Server Role (IIS) screen, select Next.
10. On the Select role services screen, select Next.
11. On the Confirmation screen, select Install.
12. Once the installation completes, select Close.

2.4. Install and register the CNG provider

1. Open a command window as administrator and run the following to put the HSM in pre-initialization mode. This operation takes about a minute to complete.

   >enquiry -m 1
   Module #1:
    enquiry reply flags  none
    enquiry reply level  Six
    serial number        BD10-03E0-D947
    mode                 operational
    ...

   >nopclearfail -I -m 1
   Module 1, command ClearUnitEx: OK

   >enquiry -m 1
   Module #1:
    enquiry reply flags  none
    enquiry reply level  Six
    serial number        BD10-03E0-D947
    mode                 pre-initialization
    ...

2. Select the Start button to access all applications, and look for the recently installed nShield utilities.
3. Start the CNG configuration wizard as Administrator (right-click > Run as administrator).
4. Select Next on the CNG Install welcome screen.
5. Select Next on the Enable HSM Pool Mode screen. Leave the Enable HSM Pool Mode for CNG Providers check box unchecked.
6. At the Security World screen, select one of the following:
   ◦ Use the existing security world if you already have a Security World that you intend to use for IIS. The corresponding world and module_xxxx-xxxx-xxxx files must be present in the %NFAST_KMDATA%\local folder. Be prepared to present the quorum of Administrator Cards.
   ◦ Create a new Security World if you do not currently have a Security World or would like to create a new one.

In this integration, we used an existing Security World. For instructions on how to create and configure a new Security World, see the Installation Guide and User Guide for your HSM.

Select Next.

7. The Set Module States pop-up shows the available HSM(s). Select the desired HSM. The state of the selected HSM should be pre-initialization. Select Next.

8. At the Module Programming Options screen, clear Enable this module as a remote target and select Next. It will take about a minute before the screen changes.

This option is not to be confused with the nShield Remote Administration utility.

9. Insert the first Administrator Card in the HSM, enter the passphrase and select Next. Repeat this step for the other Administrator Cards as required to reach the quorum.

Loading or creating the Security World takes about a minute.

10. Return the HSM to operational mode. This operation takes about a minute to complete.

   >enquiry -m 1
   Module #1:
    enquiry reply flags  none
    enquiry reply level  Six
    serial number        BD10-03E0-D947
    mode                 initialization
    ...

   >nopclearfail -O -m 1
   Module 1, command ClearUnitEx: OK

   >enquiry -m 1
   Module #1:
    enquiry reply flags  none
    enquiry reply level  Six
    serial number        BD10-03E0-D947
    mode                 operational
    ...

The module state in the wizard changes to Usable. Select Next.

11. Select the protection method.

Due to limitations of IIS itself, any OCS protection must be a passphrase-less 1-of-N quorum, and softcard protection is not supported. For this reason, use only OCS or module protection.

   ◦ Operator Card Set protection
     a. Select Operator Card Set in the Key Protection Setup, then select Next.
     b. Enter the OCS name and the K of N values (K must be 1), select Persistent and Usable remotely, then select Next.
     c. Insert a blank Operator Card in the HSM.
     d. In Insert Next Card, enter a name for the card. Leave the Card requires a pass phrase check box unchecked, as OCS protection must be passphrase-less, then select Next.
   ◦ Module protection
     a. In Key Protection Setup, select Module protection, then select Next.

Select Next, then Finish. The nShield CNG providers are installed and the Key Storage Provider is registered.

12. Open a command window as administrator and run the following to confirm that the KSP has been registered. Look for nCipher Security World Key Storage Provider in the list:

   >cnglist.exe --list-providers
   Microsoft Key Protection Provider
   Microsoft Passport Key Storage Provider
   Microsoft Platform Crypto Provider
   Microsoft Primitive Provider
   Microsoft Smart Card Key Storage Provider
   Microsoft Software Key Storage Provider
   Microsoft SSL Protocol Provider
   Windows Client Key Protection Provider
   nCipher Primitive Provider
   nCipher Security World Key Storage Provider

13. Check that the provider is also present in the registry under:

   HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cryptography\Providers\nCipherSecurityWorldKeyStorageProvider

   CurrentControlSet is a link to the active control set and can be used in place of ControlSet001.
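The mode changes in steps 1 and 10 and the registration check in steps 12 and 13 can be scripted so that each state is verified rather than assumed. The following PowerShell is an added example; it is not part of this guide or of the nShield software. It assumes the nShield utilities (enquiry, nopclearfail, cnglist) are on the PATH, that the HSM is module 1, and that it is run from an elevated prompt. The function and parameter names are the example's own.

```powershell
# Added example; not part of the Entrust guide. Wraps the enquiry/nopclearfail
# mode changes (section 2.4 steps 1 and 10) and the KSP registration check
# (steps 12 and 13) so that each state change is verified rather than assumed.
# Assumptions: enquiry, nopclearfail and cnglist are on PATH, the module is
# number 1, and this runs in an elevated PowerShell.
$ErrorActionPreference = 'Stop'

function Get-nShieldModuleMode {
    param([int]$Module = 1)
    # enquiry prints a line such as "mode                 operational"
    foreach ($line in (& enquiry -m $Module)) {
        if ($line -match '^\s*mode\s+(\S+)') { return $Matches[1] }
    }
    throw "enquiry -m $Module did not report a mode; is the hardserver running?"
}

function Set-nShieldModuleMode {
    param(
        [Parameter(Mandatory)][ValidateSet('PreInitialization', 'Operational')][string]$Mode,
        [int]$Module = 1,
        [int]$TimeoutSeconds = 180
    )
    # -I = pre-initialization (required before the CNG Configuration Wizard),
    # -O = operational (required before the module can serve keys)
    $flag = if ($Mode -eq 'Operational') { '-O' } else { '-I' }
    $want = if ($Mode -eq 'Operational') { 'operational' } else { 'pre-initialization' }
    & nopclearfail $flag -m $Module | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "nopclearfail $flag -m $Module failed (exit $LASTEXITCODE)" }
    # The guide says the change takes about a minute; poll enquiry rather than sleep blindly.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 5
        $now = Get-nShieldModuleMode -Module $Module
        if ($now -eq $want) { return $now }
    } while ((Get-Date) -lt $deadline)
    throw "Module $Module is in mode '$now' after $TimeoutSeconds s; expected '$want'"
}

function Test-nShieldKspRegistration {
    # Both nCipher providers must appear in cnglist output, and the KSP must be
    # registered under CNG's Providers key. The guide looks under ControlSet001;
    # CurrentControlSet links to whichever control set is active, so that is used here.
    $listed   = @(& cnglist --list-providers | ForEach-Object { "$_".Trim() })
    $required = @('nCipher Security World Key Storage Provider', 'nCipher Primitive Provider')
    $missing  = @($required | Where-Object { $listed -notcontains $_ })
    $regKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Providers\nCipherSecurityWorldKeyStorageProvider'
    [pscustomobject]@{
        ProvidersListed    = ($missing.Count -eq 0)
        MissingProviders   = $missing
        RegistryKeyPresent = (Test-Path $regKey)
    }
}

# Typical sequence around the CNG Configuration Wizard (section 2.4):
#   Set-nShieldModuleMode -Mode PreInitialization   # step 1
#   ... run the CNG Configuration Wizard (steps 2 to 9) ...
#   Set-nShieldModuleMode -Mode Operational         # step 10
Test-nShieldKspRegistration                         # steps 12 and 13
```

The mode-change calls are left commented out so that loading the script does not take the HSM out of operational mode by accident; run them deliberately at steps 1 and 10. A result with ProvidersListed true but RegistryKeyPresent false usually means the wizard was not run elevated, and the KSP registration should be repeated.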

2.5. Create a certificate request

IIS Manager cannot create certificate requests whose keys are held by a CNG Key Storage Provider, so the request is created with the Microsoft command-line utilities. Commands in this section are run from Windows PowerShell.

Due to limitations of IIS itself, no GUI prompts (even via the nShield Service Agent) can be displayed, so any OCS protection must be a passphrase-less 1-of-N quorum. For this reason, use only OCS or module protection.

Complete the following steps to create a certificate request:

1. To make sure the nCipher Primitive Provider and nCipher Security World Key Storage Provider are listed, run:

   PS C:\> cnglist.exe --list-providers
   Microsoft Key Protection Provider
   Microsoft Passport Key Storage Provider
   Microsoft Platform Crypto Provider
   Microsoft Primitive Provider
   Microsoft Smart Card Key Storage Provider
   Microsoft Software Key Storage Provider
   Microsoft SSL Protocol Provider
   Windows Client Key Protection Provider
   nCipher Primitive Provider
   nCipher Security World Key Storage Provider

If the nCipher Primitive Provider and nCipher Security World Key Storage Provider are not listed, follow the steps in the Install and register the CNG provider section.

2. Set up a template file:
   a. Generate a request for a TLS server certificate linked to a 2048-bit RSA key by creating a file called request.inf with the following content:

   [Version]
   Signature = "$Windows NT$"

   [NewRequest]
   Subject = "CN=interop.com,C=US,ST=Florida,L=Sunrise,O=InteropCom,OU=WebServer"
   HashAlgorithm = SHA256
   KeyAlgorithm = RSA
   KeyLength = 2048
   ProviderName = "nCipher Security World Key Storage Provider"
   KeyUsage = 0xf0
   MachineKeySet = True

   [EnhancedKeyUsageExtension]
   OID = 1.3.6.1.5.5.7.3.1

   Your request.inf file does not have to match the content above exactly. It is an example, not a definitive model.

   b. Specify the subject details of the web server for which the certificate is being issued; the CN must be the host name that clients use to reach the server.
   c. Specify the key algorithm and key length as required, for example RSA 2048.
   d. Specify the provider name as nCipher Security World Key Storage Provider. Do not set Exportable = TRUE: the private key should be generated by, and remain protected by, the HSM.
   e. When you have set up the template, save it as request.inf on the C:\ drive.
3. Open a command prompt and change to the local drive, in this case C:\.
4. To create the certificate request for the Certification Authority, run:

   PS C:\> certreq.exe -new request.inf IISCertRequest.csr
   CertReq: Request Created

A certificate request called IISCertRequest.csr is generated on the C:\ drive. This file is sent to the Certificate Authority for signing.
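The template and certreq steps above, scripted end to end. This PowerShell is an added example, not part of this guide or the nShield software. It assumes an elevated prompt on the IIS host, cnglist on the PATH, and placeholder values for the host name, subject and output folder; the function name New-HsmCertificateRequest is the example's own. Beyond the guide's template it adds a subjectAltName extension, which browsers require for host-name matching, and it checks that the new key landed in the Security World rather than in a software provider.

```powershell
# Added example; not part of the Entrust guide. Writes the request.inf
# template, creates the CSR against the nCipher KSP with certreq, and checks
# that a new key appeared in the Security World. Assumptions: elevated
# PowerShell on the IIS host, cnglist on PATH; host name, subject and output
# directory are placeholders for your own values.
$ErrorActionPreference = 'Stop'

function New-HsmCertificateRequest {
    param(
        [Parameter(Mandatory)][string]$DnsName,   # name clients use, e.g. interop.com
        [string]$Subject = "CN=$DnsName,C=US,ST=Florida,L=Sunrise,O=InteropCom,OU=WebServer",
        [string]$OutDir = 'C:\',
        [int]$KeyLength = 2048
    )
    $inf = Join-Path $OutDir 'request.inf'
    $csr = Join-Path $OutDir 'IISCertRequest.csr'

    # Same fields as the guide's template. KeyUsage 0xf0 = digitalSignature |
    # nonRepudiation | keyEncipherment | dataEncipherment. No Exportable line:
    # the key is generated by the HSM. The [Extensions] block (added here, not
    # in the guide's template) puts the host name in subjectAltName; browsers
    # no longer match on the CN alone.
    $template = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
HashAlgorithm = SHA256
KeyAlgorithm = RSA
KeyLength = $KeyLength
ProviderName = "nCipher Security World Key Storage Provider"
KeyUsage = 0xf0
MachineKeySet = True

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$DnsName&"
"@
    Set-Content -Path $inf -Value $template -Encoding ASCII
    if (Test-Path $csr) { Remove-Item $csr }

    # Count Security World keys before and after so the check is specific to
    # this request rather than satisfied by any pre-existing key.
    $before = @(& cnglist --list-keys).Count
    & certreq -new $inf $csr | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $csr)) { throw "certreq -new failed (exit $LASTEXITCODE)" }
    if ((Get-Content $csr -Raw) -notmatch 'BEGIN NEW CERTIFICATE REQUEST') { throw "Unexpected content in $csr" }
    $after = @(& cnglist --list-keys).Count
    if ($after -le $before) {
        throw 'cnglist shows no new key; the request may have been created in a software provider'
    }
    return $csr
}

New-HsmCertificateRequest -DnsName 'interop.com'
```

The before/after key count is a deliberately simple check: if certreq silently fell back to the Microsoft Software Key Storage Provider (for example because the provider name was mistyped), the request still succeeds but no key is added to the Security World, and that is the failure this catches before the CSR is sent to the CA.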

2.6. Get the signed certificate

1. Submit the CSR file to your CA, for example Entrust or an internal enterprise CA.
2. The CA authenticates the request and returns a signed certificate or a certificate chain.
3. Save the reply from the CA in the current working directory.

In this guide the signed certificate file is IISCertRequest.cer.

2.7. Install the certificate

Make the certificate available for use in IIS and bind it to the HTTPS binding of the site.

Commands used in this section are run from a Windows PowerShell.

2.7.1. Make the certificate available for use in IIS

To make the certificate available for use in IIS, run the following command:

   PS C:\> certreq -accept IISCertRequest.cer

Where IISCertRequest.cer is the certificate returned by the CA. certreq -accept installs the certificate in the local machine Personal (My) store and links it to the private key that was generated in the nCipher KSP for the pending request. It does not make the CA trusted: if the issuing CA and any intermediates are not already trusted on the web server and its clients, import them into the Trusted Root Certification Authorities and Intermediate Certification Authorities stores separately.

   Installed Certificate:
     Serial Number: 67790b108e551446903d999aabeaaf5e003fb66f
     Subject: C=US, CN=Hostname
     NotBefore: 6/22/2021 1:22 PM
     NotAfter: 6/22/2022 1:22 PM
     Thumbprint: cd3135f897ab0b44dfe6f451bcd63076ed4228e8

2.7.2. Bind the certificate with a secure IIS web server

1. Go to Start > Internet Information Services (IIS) Manager.
2. Select the host name, then double-click Server Certificates and verify that the certificate you accepted in the previous step is listed.
3. Under Sites on the left-hand side of the IIS Manager screen, select Default Web Site.
4. Select the Bindings link on the right-hand side of IIS Manager.
5. On the Site Bindings screen, select the https binding if one is listed; otherwise select Add.
6. If adding a binding, select https as the type and select the certificate from the SSL certificate list. If editing an existing binding, select the certificate from the list.
7. Select OK to complete the certificate binding for the SSL connection.
8. Select Close on the Site Bindings screen.
9. Restart the IIS server.
10. Open a browser and go to https://machinename:443.
11. If the browser warns about the certificate, review the warning before continuing: the issuing CA must be trusted by the client and the name in the URL must match the certificate. Clicking through the warning is acceptable only in a test deployment.
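The acceptance and binding steps above can also be done from PowerShell, which makes it possible to check that the certificate's private key really is in the nCipher KSP before the binding is created. The following is an added example, not part of this guide or the nShield software. It assumes an elevated prompt on the IIS host, the CA reply at C:\IISCertRequest.cer, a site named Default Web Site (both placeholders), and the WebAdministration module that is installed with IIS; the function names are the example's own.

```powershell
# Added example; not part of the Entrust guide. Accepts the CA reply, verifies
# that the installed certificate's private key is held by the nCipher KSP and
# not by a software provider, then creates the HTTPS binding with the IIS
# WebAdministration module instead of the IIS Manager GUI. Assumptions:
# elevated PowerShell on the IIS host, reply file C:\IISCertRequest.cer and
# site name "Default Web Site" (both placeholders).
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

function Install-HsmCertificate {
    param([Parameter(Mandatory)][string]$ReplyFile)
    $out = & certreq -accept $ReplyFile
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed: $out" }
    # certreq prints "Thumbprint: <40 hex chars>" for the installed certificate
    $m = $out | Select-String -Pattern 'Thumbprint:\s*([0-9a-fA-F]{40})' | Select-Object -First 1
    if (-not $m) { throw "No thumbprint in certreq output: $out" }
    return $m.Matches[0].Groups[1].Value.ToUpper()
}

function Assert-HsmPrivateKey {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key; accept the reply on the host that created the request" }
    # $cert.PrivateKey is null for CNG keys. GetRSAPrivateKey returns an RSACng
    # (Key.Provider names the KSP) or an RSACryptoServiceProvider for a CAPI key.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($null -eq $rsa) { throw "Certificate $Thumbprint does not have an RSA private key" }
    try {
        if ($rsa -isnot [System.Security.Cryptography.RSACng]) {
            throw "Private key is a $($rsa.GetType().Name) key, not a CNG key in the HSM"
        }
        $provider = $rsa.Key.Provider.Provider
        if ($provider -ne 'nCipher Security World Key Storage Provider') {
            throw "Private key is held by '$provider', not the nCipher KSP"
        }
        return $provider
    } finally { $rsa.Dispose() }
}

function Set-HttpsBinding {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$SiteName = 'Default Web Site',
        [int]$Port = 443
    )
    if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port $Port)) {
        New-WebBinding -Name $SiteName -Protocol https -Port $Port -IPAddress '*'
    }
    # IIS:\SslBindings paths use '!' in place of ':'; 0.0.0.0 binds all addresses
    $bindingPath = "IIS:\SslBindings\0.0.0.0!$Port"
    if (Test-Path $bindingPath) { Remove-Item $bindingPath }
    Get-Item "Cert:\LocalMachine\My\$Thumbprint" | New-Item $bindingPath | Out-Null
    return (Get-Item $bindingPath).Thumbprint
}

$thumb = Install-HsmCertificate -ReplyFile 'C:\IISCertRequest.cer'
Assert-HsmPrivateKey -Thumbprint $thumb
Set-HttpsBinding -Thumbprint $thumb
# The guide restarts IIS at this point (iisreset); then browse to https://<hostname>/ from a client.
```

Assert-HsmPrivateKey is the check worth keeping for change control: a certificate that was accidentally enrolled through the Microsoft Software Key Storage Provider binds and serves TLS just as well, and nothing in IIS Manager shows the difference.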

2.8. Integrate an nShield HSM with an existing IIS deployment

This section describes how to upgrade an existing IIS server installation to use an nShield HSM to protect the private key. It is assumed that the existing certificate must continue to be used by the server after the integration. Prerequisites are:

• An IIS setup with a software-protected certificate and private key
• nShield software installed and a Security World created using the CNG Configuration Wizard or the front panel of an nShield Connect

2.8.1. Export the software-protected certificate

Complete the following procedure to export the software-protected certificate:

1. Type MMC at the command prompt and select OK. The Microsoft Management Console opens.
2. Select File > Add/Remove Snap-in.
3. Select Certificates from Available Standalone Snap-ins and select Add.
4. On the Certificates snap-in screen, select Computer account and select Next.
5. On the Select Computer screen, select Local computer, select Finish, then select OK.
6. Navigate to Certificates (Local Computer) > Personal > Certificates.
7. Right-click the certificate and select All Tasks > Export.
8. On the Welcome to the Certificate Export Wizard screen, select Next.
9. On the Export Private Key screen, select No, do not export the private key and select Next.
10. On the Export File Format screen, select Base-64 encoded X.509 (.CER) and select Next.
11. On the File to Export screen, enter an absolute path and file name for the exported certificate and select Next.
12. On the Completing the Certificate Export Wizard screen, select Finish.
13. After exporting the certificate, delete the certificate from the certificate store.

2.8.2. Import a Microsoft CAPI key into the nCipher Security World Key Storage Provider

To import a Microsoft CAPI key into the nCipher Security World Key Storage Provider:

1. Navigate to the C:\Program Files (x86)\nCipher\nfast\bin folder and run cngimport.exe:

   C:\Program Files (x86)\nCipher\nfast\bin\cngimport -m -M -k "MS CAPI key" "imp_key_name"

   Here "MS CAPI key" is the container of the existing software-protected key, which is stored as a file in the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder, and "imp_key_name" is the name the key will have in the Security World.

   Example:

   C:\Program Files (x86)\nCipher\nfast\bin\cngimport -m -M -k "48753e97af4e829f_b2885b-321a-42b9-9122-81d377654436" "Importedkeyname"

2. To check the success of the import, list the keys in the Security World:

   C:\Program Files (x86)\nCipher\nfast\bin\cnglist64.exe --list-keys
   Importedkeyname: RSA machine

2.8.3. Import a certificate into the certificate store

1. Go to the command prompt and type MMC, then select OK to open the Microsoft Management Console.
2. Select File > Add/Remove Snap-in.
3. From Available Standalone Snap-ins, select Certificates and select Add.
4. On the Certificates snap-in screen, select Computer account and select Next.
5. On the Select Computer screen, select Local computer, select Finish, then select OK.
6. Navigate to Certificates (Local Computer) > Personal > Certificates.
7. Right-click the Certificates folder and select All Tasks > Import.
8. On the Welcome to the Certificate Import Wizard screen, select Next.
9. Browse to the certificate exported from the origin server and select Next.
10. On the Certificate Store screen, select Place all certificates in the following store.
11. Make sure that the selected Certificate Store is Personal, then select Next.
12. On the Completing the Certificate Import Wizard screen, select Next, then select OK.
13. Run the following command from the Windows terminal, where <thumbprint> is the thumbprint (or serial number) of the certificate you just imported:

   C:\Program Files (x86)\nCipher\nfast\bin>certutil -f -csp "nCipher Security World Key Storage Provider" -repairstore my <thumbprint>

   This re-links the certificate to the key in the nCipher KSP whose public key matches the certificate.
14. Open IIS Manager from Start > Internet Information Services (IIS) Manager.
15. Under Sites on the left-hand side of the IIS Manager screen, select the required web site.
16. On the right-hand side of the IIS Manager screen, select Bindings.
17. On the Site Bindings screen, select Add.
18. Select the protocol https.
19. Select the certificate from the drop-down list.
20. To complete the certificate binding for the SSL connection, select OK.
21. Open a browser and go to https://machinename:443.

If necessary, accept the certificate in the browser to continue with the SSL connection to the IIS web server.
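Sections 2.8.2 and 2.8.3 as one scripted sequence. This PowerShell is an added example, not part of this guide or the nShield software. It assumes an elevated prompt, the nShield bin folder on the PATH, and the thumbprint of the existing certificate entered at the prompt; the function names are the example's own. It keeps the certificate in the store and re-links it in place rather than exporting, deleting and re-importing it as the guide does; the assumption is that the resulting state is the same.

```powershell
# Added example; not part of the Entrust guide. Moves an existing
# software-protected IIS key into the nCipher KSP with cngimport, re-links the
# certificate to the HSM key with certutil -repairstore, and verifies which
# provider now holds the key. Unlike the guide it keeps the certificate in the
# store and re-links it in place rather than exporting, deleting and
# re-importing it (assumption: the end state is the same). Assumptions:
# elevated PowerShell, nShield bin folder on PATH, thumbprint of the existing
# certificate supplied at the prompt.
$ErrorActionPreference = 'Stop'
$Ksp = 'nCipher Security World Key Storage Provider'

function Get-SoftwareKeyInfo {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # certutil -store reports the key's "Unique container name", which is the
    # file name under C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys that the
    # guide passes to cngimport -k, plus the friendly container name and provider.
    $out = @(& certutil -store my $Thumbprint)
    $grab = {
        param($pattern)
        $hit = $out | Select-String -Pattern $pattern | Select-Object -First 1
        if ($hit) { $hit.Matches[0].Groups[1].Value.Trim() } else { $null }
    }
    $info = [pscustomobject]@{
        UniqueContainer = & $grab 'Unique container name\s*[:=]\s*(\S+)'
        KeyContainer    = & $grab 'Key Container\s*[:=]\s*(.+)$'
        Provider        = & $grab 'Provider\s*[:=]\s*(.+)$'
    }
    if (-not $info.UniqueContainer) { throw "No private key container found for $Thumbprint" }
    return $info
}

function Import-KeyIntoHsm {
    param([Parameter(Mandatory)][string]$Container, [Parameter(Mandatory)][string]$KeyName)
    # Flags exactly as in the guide's section 2.8.2 example.
    & cngimport -m -M -k $Container $KeyName | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cngimport failed (exit $LASTEXITCODE)" }
    $listed = @(& cnglist --list-keys) | Where-Object { $_ -match "^\s*$([regex]::Escape($KeyName))\s*:" }
    if (-not $listed) { throw "cnglist does not show '$KeyName' after import" }
    return "$listed".Trim()
}

function Repair-CertificateLink {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Points the certificate's key-provider property at the key in the nCipher
    # KSP whose public key matches. The certificate id argument is required.
    & certutil -f -csp $Ksp -repairstore my $Thumbprint | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed (exit $LASTEXITCODE)" }
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $provider = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.Provider.Provider } else { $rsa.GetType().Name }
    $rsa.Dispose()
    if ($provider -ne $Ksp) { throw "Certificate still uses '$provider'" }
    return $provider
}

$thumb = (Read-Host 'Thumbprint of the existing software-protected certificate') -replace '\s', ''
$src = Get-SoftwareKeyInfo -Thumbprint $thumb
Write-Host "Software key: $($src.UniqueContainer) in provider '$($src.Provider)'"
Import-KeyIntoHsm -Container $src.UniqueContainer -KeyName 'Importedkeyname'
Repair-CertificateLink -Thumbprint $thumb
# The software copy of the private key is still on disk at this point. Once
# HTTPS works with the HSM-held key, delete it so the HSM is the only holder,
# e.g. certutil -csp "<Provider above>" -delkey "<KeyContainer above>".
```

Do the import before deleting anything: cngimport needs the software key to exist, and once Repair-CertificateLink confirms the provider is the nCipher KSP the certificate no longer depends on the file under MachineKeys. Until that file is removed two usable copies of the key exist and the HSM adds nothing, so the final deletion is part of the migration, not an optional clean-up.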

Contact Us

Web site https://www.entrust.com

Support https://nshieldsupport.entrust.com

Email Support [email protected]

Online documentation: Available from the Support site listed above.

You can also contact our Support teams by telephone, using the following numbers:

Europe, Middle East, and Africa

United Kingdom: +44 1223 622444 One Station Square Cambridge, UK CB1 2GA

Americas

Toll Free: +1 833 425 1990

Fort Lauderdale: +1 954 953 5229 Sawgrass Commerce Center – A Suite 130 13800 NW 14 Street Sunrise, FL 33323 USA

Asia Pacific

Australia: +61 8 9126 9070 World Trade Centre Northbank Wharf Siddeley St Melbourne VIC 3005 Australia

Japan: +81 50 3196 4994

Hong Kong: +852 3008 3188 31/F, Hysan Place, 500 Hennessy Road, Causeway Bay

To get help with Entrust nShield HSMs [email protected]

nshieldsupport.entrust.com

ABOUT ENTRUST CORPORATION Entrust keeps the world moving safely by enabling trusted identities, payments, and data protection. Today more than ever, people demand seamless, secure experiences, whether they're crossing borders, making a purchase, accessing e-government services, or logging into corporate networks. Entrust offers an unmatched breadth of digital security and credential issuance solutions at the very heart of all these interactions. With more than 2,500 colleagues, a network of global partners, and customers in over 150 countries, it's no wonder the world's most entrusted organizations trust us.