KeyVault as an HSM cryptographic provider for ADCS?

  • Question

  • I'm looking at the feasibility of setting up a PKI environment (AD CS) in Azure.  When installing/configuring the Root CA, you get a choice of where to store the CA's private key - this would be a perfect use for KeyVault, assuming that the server could be configured to use it as a cryptographic source.

    Is this possible?

    Friday, March 6, 2015 5:47 AM

All replies

  • Hi James,

    Thank you for your feedback!

    There is no out-of-the-box mechanism (yet) to configure ADCS in an Azure VM to use the Key Vault service.

    Sumedh

    Sunday, March 8, 2015 6:38 AM
  • Well, if not out of the box, how to do it manually? :)

    Ratko Stibric


    • Edited by Stibra Wednesday, March 25, 2015 4:16 PM
    Wednesday, March 25, 2015 4:16 PM
  • Stibra,

    At this time, this requires development. ADCS works with crypto providers registered on the ADCS server as CAPI CSPs / KSPs. Such a CSP/KSP does not yet exist for Key Vault.

    Sumedh

    Tuesday, March 31, 2015 7:03 AM
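    The reply above describes the dependency: the CA only uses a key through a CSP or KSP registered on the CA host, so the first thing to verify on an existing or planned deployment is which provider each CA is configured with and whether that provider is actually present. The following PowerShell is an added example written for this thread, not code from any poster or from Microsoft. It reads the standard CertSvc configuration registry keys and parses `certutil -csplist` output; the list of provider names it treats as software-only is my own heuristic, and it assumes it runs elevated on a server with the ADCS role installed.

```powershell
# Added example (not from the thread): report the cryptographic provider each
# installed CA uses and which CSPs/KSPs are registered on this host, so an
# operator can tell whether the CA key is software-protected or sits behind an
# HSM/KSP. Assumes an elevated session on a server with the ADCS role.

# Built-in Windows providers that keep key material in software on the host.
# This list is a heuristic for this example; extend it for your environment.
$SoftwareProviders = @(
    'Microsoft Software Key Storage Provider',
    'Microsoft Strong Cryptographic Provider',
    'Microsoft Enhanced RSA and AES Cryptographic Provider',
    'Microsoft Enhanced Cryptographic Provider v1.0',
    'Microsoft Base Cryptographic Provider v1.0'
)

function Get-RegisteredCryptoProviders {
    # certutil -csplist prints one "Provider Name: <name>" line per CSP/KSP.
    $lines = & certutil.exe -csplist 2>$null
    foreach ($line in $lines) {
        if ($line -match '^\s*Provider Name:\s*(.+?)\s*$') { $Matches[1] }
    }
}

function Get-CaCryptoProviderConfig {
    # Each CA has a subkey under CertSvc\Configuration; its CSP subkey records
    # the provider the CA key was created with (Install-AdcsCertificationAuthority
    # -CryptoProviderName, e.g. "RSA#Microsoft Software Key Storage Provider").
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    if (-not (Test-Path $base)) { return }
    Get-ChildItem -Path $base | ForEach-Object {
        $cspKey = Join-Path $_.PSPath 'CSP'
        if (-not (Test-Path $cspKey)) { return }
        $p = Get-ItemProperty -Path $cspKey
        [pscustomobject]@{
            CAName             = $_.PSChildName
            Provider           = $p.Provider
            IsCng              = -not [string]::IsNullOrEmpty($p.CNGPublicKeyAlgorithm)
            PublicKeyAlgorithm = $p.CNGPublicKeyAlgorithm
            HashAlgorithm      = if ($p.CNGHashAlgorithm) { $p.CNGHashAlgorithm } else { $p.HashAlgorithm }
            SoftwareProtected  = ($SoftwareProviders -contains $p.Provider)
        }
    }
}

function Test-CaKeyProtection {
    # Joins both views: is the CA's provider registered here, and is it software-only?
    $registered = @(Get-RegisteredCryptoProviders)
    foreach ($ca in Get-CaCryptoProviderConfig) {
        $present = $registered -contains $ca.Provider
        [pscustomobject]@{
            CAName             = $ca.CAName
            Provider           = $ca.Provider
            ProviderKind       = if ($ca.IsCng) { 'KSP (CNG)' } else { 'CSP (CAPI)' }
            ProviderRegistered = $present
            Finding            = if (-not $present) { 'Provider missing on this host; CA cannot start' }
                                 elseif ($ca.SoftwareProtected) { 'Key is software-protected (no HSM)' }
                                 else { 'Key handled by non-Microsoft provider; confirm HSM backing with vendor' }
        }
    }
}

# Usage: list every registered provider, then the per-CA assessment.
Get-RegisteredCryptoProviders | Sort-Object | Format-Table -AutoSize
Test-CaKeyProtection | Format-List
```

    The check is deliberately read-only: it does not touch the CA key or the service, and it works the same whether the provider turns out to be the software KSP, a TPM-backed provider, or a vendor KSP fronting a network HSM, which is exactly the decision point the question in this thread is about.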
  • Hi Sumedh

    I'm also interested in setting up ADCS on an Azure Server using Key Vault to store the key material and by using KSP as provider.

    Is there any plan to provide access via CSP / KSP for Key Vault? What would be the planned schedule?

    Kind regards, John


    • Edited by alphalz Friday, July 17, 2015 9:27 AM
    Friday, July 17, 2015 9:24 AM
  • Hi Sumedh

    I'm also interested in setting up ADCS on an Azure Server using Key Vault to store the key material and by using KSP as provider.

    Is there any plan to provide access via CSP / KSP for Key Vault? What would be the planned schedule?

    Kind regards, John


    +1

    www.twitter.com/danielullmark

    Thursday, August 20, 2015 7:33 AM
  • Hi Sumedh,

    Any updates on this?


    Casper Pieterse - Snr. Solution Architect - Dimension Data

    Monday, February 1, 2016 10:03 AM
  • Hi Casper,

    No. This feature, while interesting, has been trumped by others that are even more interesting!

    Sumedh

    Wednesday, February 10, 2016 6:51 AM
  • Hi Casper,

    No. This feature, while interesting, has been trumped by others that are even more interesting!

    Sumedh

    Hi Sumedh

    This is interesting news. Can you tell what could be used instead? Any details?

    Best, John

    Thursday, February 11, 2016 3:36 PM
  • The nearest approximation would be running ADCS in an Azure VM that is connected via VPN/ExpressRoute to an external HSM that is hosted either on your premises or at a hoster.

    The ADCS team supports this topology. https://support.microsoft.com/en-us/kb/2721672 is in the process of being updated to reflect this. The best practices to secure the connection from the VM to the HSM are specific to each HSM brand, and it's best to seek help from that HSM vendor's support.

    Friday, February 12, 2016 11:35 PM
  • I have crafted several architectures like this and have discussed with Sumedh and others at Microsoft. It can be done and works, but does require on-prem HSMs. But I would argue that is more secure - at least for the time being, than any other options out there.

    President & CTO, MTM Software

    Thursday, March 17, 2016 8:46 PM
  • From a security perspective, I think it might be splitting hairs. HSMs are secure, adding another layer of complexity might make it "more secure" but that, in my mind at least, is like saying "we developed a nuclear bomb that is better than the previous version as it generates less radiation." - Might be technically true, but if you need that extra layer of protection everything else around you is probably already destroyed.

    At the end of the day, the ideal solution would be not to require an HSM at all. They feel more and more like a grudge purchase and with software and aaS out there.

    Just being able to store the keys in Azure directly would have been awesome.


    Casper Pieterse - Snr. Solution Architect - Dimension Data

    Friday, March 18, 2016 1:31 PM
  • Hi Sumedh,

    Any update on this during this time or its still the same ?

    Thanks,

    Mahesh

    Wednesday, December 21, 2016 7:34 AM
  • But currently Azure Key Vault does provide an HSM backed option (with Thales nShield HSMs). That would avoid (to some degree) the need to have an on-premise HSM, isn't it?
    Saturday, May 27, 2017 5:29 PM
  • There is a Key Vault KSP in beta that might meet this requirement at xorble.com

    https://www.xorble.com/AddIns/AddInsView


    David Hoyle

    Wednesday, June 26, 2019 10:24 PM