MS-CAPI/CNG
ADSS Server can use keys that already exist in MSCAPI for signing operations, but it cannot create new keys in MSCAPI. To use keys from MSCAPI, run the ADSS Server services under the Windows user that owns the keys and then import them via ADSS Server > Key Manager > Crypto Source module in ADSS Server.
To import keys from MSCAPI for use within ADSS Server, the following conditions must be satisfied:
- Operating System is Windows.
- MSCAPI crypto source is enabled in the license.
- Set ENABLE_MSCAPI_CRYPTO = TRUE in Global Settings > Advanced Settings under General category.
- ADSS Server service instances (ADSS Core, ADSS Console and ADSS Service) must be running under the Windows user whose keys you wish to use. Here is a screenshot of how you can configure it:
You cannot import keys from MSCAPI into ADSS Server with the TLS Client Authentication or TLS Server Authentication purpose.
Password-protected keys are not supported. If such a key is imported and used for signing, execution on the server halts while it waits for the user's password, and in this case the password dialog may not even be shown on the server.
MSCAPI does not support the SHA3 hashing algorithm.
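As an added pre-flight check (example script, not part of the ADSS documentation), the PowerShell below verifies the service-account condition above and lists the MSCAPI/CNG keys visible to the current Windows user. It assumes the ADSS Windows services have display names starting with "ADSS" and that it is run in a session of the user whose keys will be imported.

```powershell
# Pre-flight checks before importing MSCAPI/CNG keys into ADSS Server.
# Assumptions (not from the ADSS documentation): the ADSS Windows services have
# display names starting with "ADSS" (adjust $ServicePattern), and this script
# runs in a session of the Windows user whose keys are to be used.
param([string]$ServicePattern = 'ADSS*')

# 1. ADSS Core, Console and Service must all run under the same named Windows
#    user, because ADSS reads the keys from that user's MSCAPI/CNG key store.
$services = Get-CimInstance Win32_Service | Where-Object { $_.DisplayName -like $ServicePattern }
if (-not $services) { throw "No services matching '$ServicePattern' were found." }
$services | Format-Table DisplayName, State, StartName -AutoSize

$accounts = @($services.StartName | Sort-Object -Unique)
$builtIn  = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
if ($accounts.Count -ne 1) {
    Write-Warning "ADSS services run under different accounts: $($accounts -join ', ')"
} elseif ($builtIn -contains $accounts[0]) {
    Write-Warning "ADSS services run as built-in account '$($accounts[0])'; use the Windows user who owns the keys."
}
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($accounts.Count -eq 1 -and $accounts[0] -ne $me) {
    Write-Warning "Session user is '$me' but the services run as '$($accounts[0])'; the key list below is for '$me'."
}

# 2. Keys that ADSS could import: certificates in this user's Personal store
#    with a private key, with the CSP/KSP holding the key and the Enhanced Key
#    Usage. Password-protected keys are not detectable from this listing; they
#    are the ones that prompt for a password when used, which stalls ADSS signing.
Get-ChildItem Cert:\CurrentUser\My | Where-Object HasPrivateKey | ForEach-Object {
    $cert = $_
    $provider = 'n/a'
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $provider = $rsa.Key.Provider.Provider            # CNG key storage provider
        } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $provider = $rsa.CspKeyContainerInfo.ProviderName # legacy CAPI CSP
        }
    } catch { $provider = "not accessible: $($_.Exception.Message)" }
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object FriendlyName }
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        Provider   = $provider
        EKU        = ($eku -join ', ')
    }
} | Format-Table -AutoSize
```

Run it once as the service account before enabling ENABLE_MSCAPI_CRYPTO; a key that does not appear here, or whose provider is "not accessible", will not be importable from the Crypto Source module.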
See also
Utimaco CryptoServer CP5 HSM
Thales Luna K7 Cryptographic Module
nCipher nShield Solo XC Cryptographic Module
Azure Key Vault
AWS CloudHSM
Azure Managed HSM