From HSM

Keys that already exist on a PKCS#11 hardware device can be used within ADSS Server once they have been assigned a specific key usage purpose. To import keys select a crypto profile and Click on the Import Existing Keys button on the Crypto Source page. This will show a list of the keys found on the PKCS#11 device as shown in the example below. The public key details that need to be imported can be selected and assigned a particular certificate template:



It should be noted that the private key never leaves the PKCS#11 device (this is not desirable or possible), however the Key Alias and other public key details are made available to the ADSS Server so that these keys can be used within the ADSS Service modules.


The configuration items are as follows:


Items

Description

Key Alias

This is the alias of the key present on the HSM.  The list contains the keys on the HSM that can be imported into the ADSS Server Key Manager.

Key Algorithm

Specifies the public key encryption algorithm for the relevant keys present on the HSM.

Key Length

Specifies the key length for the keys present on the HSM.

Certificate Template

Select an appropriate certificate template for the keys on the HSM prior to importing them into the ADSS Server Key Manager. The keys will be imported with the purpose defined by the selected certificate template.

Import Existing Keys

Click this button to import the selected keys on the HSM into Key Manager.


The user can also import key pairs of a CVCA or DVCA with the purpose Country Verifying CA (CVCA) or Document Verifier CA (DVCA). For details, click here

From MSC​API

In-order to import the keys from MSCAPI to use within the ADSS Server, the following conditions must be satisfied:

  1. Operating System is Windows.
  2. MSCAPI is enabled in the license.
  3. Set ENABLE_MSCAPI_CRYPTO = TRUE in Global Settings > Advanced Settings under General category.
  4. ADSS Server service instances (ADSS Core, ADSS Console and ADSS Service) must be running under the windows user whose keys you are wishing to utilize. Here is a screenshot of how you can configure it:


You can't import keys with TLS Client Authentication or TLS Server Authentication purpose.


The import/export key mechanisms are not supported for: 

  1. Azure Key Vault
  2. AWS CloudHSM
  3. Azure Managed HSM


The password protected keys are not supported and if such keys are imported and used for signing then execution at server would halt to capture the user's password and even password dialog may not be shown at server in this case.


See also

PKCS#11 Standard

Utimaco CryptoServer CP5 HSM
Thales Luna K7 Cryptographic Module
nCipher nShield Solo XC Cryptographic Module
Azure Key Vault
AWS CloudHSM

Azure Managed HSM

MS-CAPI/CNG

Importing Existing Keys