Active Directory Certificate Services: Certificate Storage with SafeNet Enterprise HSM


Microsoft Active Directory Certificate Services (AD CS) is a management tool for the administration of cryptographic material used in public key infrastructures (PKI). More specifically, AD CS is the service that provides the core functionality of Windows Server’s certification authority (CA). Certificates strengthen security by binding the identity of a person, device, or service to a specific key pair, so that the identity can be verified during sensitive cryptographic transactions. For organizations that rely on PKI, AD CS offers a cost-effective, efficient, and secure way to manage the distribution and use of these certificates.

Fundamental to the integrity of this infrastructure is the CA’s root signing key, which signs the certificates (and thus the public keys) of certificate holders as well as the CA’s own self-signed root certificate. Compromise of a CA’s root key, whether through malicious action or by accident, can have catastrophic consequences: every certificate chaining to that root can no longer be trusted. Best practice dictates that this root signing key be generated and stored in a tamper-resistant hardware security module (HSM), so that it never leaves the device in plaintext.

Organizations that use AD CS in their infrastructure can store their CA signing keys and certificates in Gemalto's SafeNet Enterprise (formerly Luna SA) hardware security modules, with the CA using the HSM's key storage provider instead of the default Microsoft software provider.
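A useful verification after such a deployment is to confirm that the CA's signing key really is held by the HSM's provider and not by the default software key storage provider. The following PowerShell script is an added example, not code from the page, from Gemalto or from Microsoft; it reads the AD CS configuration that the CA service keeps in the registry (`HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration`) and reports the provider in use. The `*SafeNet*` pattern is an assumption about the HSM provider's display name and should be adjusted to the provider actually registered on the host.

```powershell
# Added example (not from the original page): report which key storage provider
# holds the local CA's signing key. Run on the CA host with local administrator rights.
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# The "Active" value names the CA instance whose subkey holds the CSP/KSP settings.
$caName = (Get-ItemProperty -Path $configKey -Name Active).Active
$csp    = Get-ItemProperty -Path "$configKey\$caName\CSP"

# Assumption: the HSM's provider name contains "SafeNet". Compare against the
# providers installed on this host (listed by: certutil -csplist) and adjust as needed.
$hsmPattern = '*SafeNet*'
$keyOnHsm   = $csp.Provider -like $hsmPattern

[pscustomobject]@{
    CAName       = $caName
    Provider     = $csp.Provider
    ProviderType = $csp.ProviderType   # 0 indicates a CNG key storage provider (KSP)
    KeyOnHsm     = $keyOnHsm
}

if (-not $keyOnHsm) {
    Write-Warning "CA '$caName' signing key is held by '$($csp.Provider)', not by the HSM provider."
}
```

The provider name is the authoritative indicator: a CA whose key sits in a software provider can be backed up and exported by anyone with local administrator rights, whereas a key generated inside the HSM is only ever referenced by the CA through the provider and cannot be exported in plaintext.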

In addition, certificates issued by AD CS can also be provisioned to Gemalto's SafeNet smart card authentication tokens for certificate-based authentication, and managed in SafeNet Authentication Manager.
