3.6 Install nShield KSP or CSP
The nShield KSP or CSP is installed once the security world has been initialized via an icon on the desktop.
Since the MyID server is designed to run as a background task with a minimum of administrator intervention, it is important that card swaps are not required on the HSM card-reader, and that no PIN prompts appear on the MyID Server. For this reason it is recommended that:
- If maximum availability is the prime goal, then module protection can be used instead of card protection. In this scenario cards are not required to be present in the HSM card-reader in order to access the keys.
- If card protection is used for the HSM KSP or CSP, then a ‘1 of n’ card set is used with cards that are not PIN protected. One of these cards would then sit permanently in the HSM card-reader.
- If card protection is used for the HSM KSP or CSP and for the Keyserver database key protection, then the same card set is used to protect both the KSP or CSP and the keyserver database key. This will guarantee that no card-swaps are required on the HSM card-reader (which will be locked away in a server room).
The nShield KSP or CSP can be used for the following purposes:
- Protection of the Microsoft CA private key
The Microsoft CA private key is used to sign every certificate and CRL that is issued by the CA. In order to increase confidence that bogus certificates are not created, the CA private key can be stored within the hardware nShield KSP or CSP (as opposed to the default Microsoft software KSP or CSP).
This private key resides on the CA computer. In a distributed environment where the CA is not hosted on the MyID COM server, a separate HSM would be required (installed on the CA computer) to protect this key.
Note that the Certificate Services Components must be installed after installation of the nShield KSP or CSP, so that the nShield KSP or CSP is available when configuring the certificate services.
- Protection of the Microsoft W2k3 CA Key Recovery Agent (KRA) private key
This key is used to decrypt users’ archived private keys. In order to enable private key recovery for users’ certificates, a KRA certificate must be requested on the MyID COM server to enable decryption of the recovered keys. By default the Microsoft default (software) KSP or CSP is used to protect this private key. Additional security can be added by generating this private key within the hardware nShield KSP or CSP. In order to facilitate this, the certificate template that defines the KRA certificate must be edited to allow the nShield KSP or CSP to be used for this type of certificate (by default only the Microsoft software KSPs or CSPs are allowed for this certificate type). For further instruction on requesting the KRA certificate, see the Key Recovery Agent certificate requirements section of the Microsoft Windows CA Integration Guide.
This private key would reside in an HSM on the MyID application server (not the CA computer).
- Protection of any KSP or CSP protected X509 certificate’s private key
Any certificate that is requested for the nShield KSP or CSP will store the private key securely within the HSM.
When you are creating the required certificates, if you are duplicating existing certificates make sure of the following:
- Check all the settings. In particular, on the Issuance Requirements tab, make sure that you set the Number of authorized signatures to 1, the Policy type required in signature option to Application policy and the Application policy option to Certificate Request Agent.
Note: In FIPS 140-2 L3 mode, some aspects of the KSP or CSP are not supported; for example, you cannot request a KSP or CSP-backed certificate.
3.6.1 Using KSP instead of CSP
You are recommended to use the KSP in preference to the CSP. MyID can use the KSP instead of the CSP for server certificates. See the following for details of setting up server certificates:
- The Enrollment Agent certificate and Key Recovery Agent certificate requirements sections of the Microsoft Windows CA Integration Guide (for Enrollment Agent and KRA certificates)
- The Setting the content signing certificate section of the Mobile Identity Management guide (for mobile badge layout content signer certificate)
- The Setting up the CVC signing certificate section of the Smart Card Integration Guide (for OPACITY signing certificate)
- The Signing and encryption certificates for SCEP section of the Administration Guide (for SCEP signing certificate)
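Once the CA, KRA and server certificates above have been requested, it is worth confirming that each private key really was generated in the nShield KSP or CSP rather than left on the Microsoft software provider. The following PowerShell is an added example for that check, not code from the MyID or nShield documentation; the provider-name pattern `nCipher|nShield` and the function name are assumptions, so compare the pattern against the providers listed by `certutil -csplist` on your server.

```powershell
# Added example: report which key storage provider (CNG KSP or legacy CSP) holds the
# private key of each certificate in the machine store, and flag those not on the HSM.
function Get-KeyProviderReport {
    param(
        [string] $StoreLocation = 'LocalMachine',
        [string] $StoreName = 'My',
        # Assumption: nShield providers contain one of these words in their display name.
        [string] $HsmProviderPattern = 'nCipher|nShield'
    )
    Get-ChildItem -Path "Cert:\$StoreLocation\$StoreName" | ForEach-Object {
        $cert = $_
        $provider = $null
        if ($cert.HasPrivateKey) {
            try {
                $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if (-not $key) {
                    # Not an RSA key; try ECDSA before giving up.
                    $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
                }
                if ($key -is [System.Security.Cryptography.RSACng] -or
                    $key -is [System.Security.Cryptography.ECDsaCng]) {
                    $provider = $key.Key.Provider.Provider            # CNG key: KSP display name
                } elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $provider = $key.CspKeyContainerInfo.ProviderName # legacy CSP name
                }
            } catch {
                # Typically the running account lacks access to the key container.
                $provider = "ERROR: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            HasKey     = $cert.HasPrivateKey
            Provider   = $provider
            OnHsm      = [bool]($provider -and $provider -match $HsmProviderPattern)
        }
    }
}

# List every certificate whose private key is still on a software provider.
Get-KeyProviderReport | Where-Object { $_.HasKey -and -not $_.OnHsm } | Format-Table -AutoSize
```

Run it as an account that has read access to the key containers (for the CA key, on the CA computer itself); a `Provider` beginning with `ERROR:` indicates a permissions problem rather than a software-backed key.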