Forum Discussion
Active Directory Certificate Services with Azure Key Vault Virtual HSM
Hi all (and I hope also Microsoft folk in the security and AD CS arenas),
With Azure adoption etc. and the GA a while ago of Azure Key Vault virtual HSM, it seems to me that it would make a significant enhancement to AD CS security to use Azure Key Vault virtual HSM to host the AD CS server certificate keys.
Most third-party (virtual) HSMs come with instructions, agents, custom key service providers etc. to enable the external hosting of, and access from the Windows host to, the certificate key. I can only find (quite old) information for SQL, which seemingly adds a custom KSP to SQL rather than to the OS.
Has anyone else had a go at or implemented this yet?
3 Replies
- ArchB (Copper Contributor)
Hello
Did anyone receive an answer from Microsoft regarding this topic? Nothing from Microsoft confirms that managed HSM can be integrated with ADCS.
The only thing that has been documented is the dedicated HSM through Thales.
- krestfield (Copper Contributor)
I don't think there is a CNG/KSP provider for Azure Key Vault, so AD CS cannot use it directly. This is a problem we had, and we ended up using AWS CloudHSM for our cloud-based key stores.
It must be a conscious decision on Microsoft's part, as you also have the ability to utilise a managed HSM under Key Vault, which makes use of Marvell LiquidSecurity HSMs. These are the same ones AWS CloudHSM uses, but AWS exposes the direct HSM interfaces and Microsoft doesn't seem to. I guess Microsoft wants to migrate certificate services into Key Vault or other services in Azure and leave AD CS on-prem.
Azure does offer a dedicated HSM (these are Thales Luna HSMs). These HSMs can be used with AD CS, but as far as I recall this option is fairly costly.
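Added example (not part of the thread, and not from any of the posters): a PowerShell check that shows what krestfield's reply turns on, namely which CNG/CAPI providers are actually registered on a CA host and which provider each CA's signing key lives in. If no Azure Key Vault KSP appears in the provider list, AD CS has nothing to bind the key to, whatever the documentation says. The name pattern used to look for a cloud KSP is an assumption (no such provider name is given in the thread); the `certutil -csplist` switch and the `CertSvc\Configuration\<CA>\CSP` registry key are standard Windows/AD CS locations. Run it elevated on the CA.

```powershell
# Added example, not from the thread. Inventories the registered CSP/KSP providers on a
# Windows host and reports which provider backs each AD CS CA key.
# Assumption: a cloud KSP would be recognisable by name; the default pattern below is a guess
# and should be replaced with the vendor's documented provider name if one ever ships.

function Get-InstalledCryptoProvider {
    # certutil -csplist prints one "Provider Name: <name>" line per registered CSP/KSP.
    $out = & certutil.exe -csplist 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil -csplist failed: $out" }
    $out | ForEach-Object {
        if ("$_" -match '^\s*Provider Name:\s*(.+?)\s*$') { $Matches[1] }
    } | Sort-Object -Unique
}

function Get-CaKeyProvider {
    # Each CA instance keeps its key provider settings under
    # HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>\CSP.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    if (-not (Test-Path $base)) { return @() }   # AD CS role not installed on this host
    Get-ChildItem $base | ForEach-Object {
        $csp = Get-ItemProperty -Path (Join-Path $_.PSPath 'CSP') -ErrorAction SilentlyContinue
        if ($csp) {
            [pscustomobject]@{
                CAName           = $_.PSChildName
                Provider         = $csp.Provider
                ProviderType     = $csp.ProviderType        # 0 on CNG (KSP) based CAs
                CNGHashAlgorithm = $csp.CNGHashAlgorithm    # e.g. SHA256; absent on legacy CAPI CAs
            }
        }
    }
}

function Get-CaKeyProviderReport {
    param(
        # Assumed pattern for the thread's question: is any Azure Key Vault KSP registered at all?
        [string]$CloudKspPattern = 'Key Vault|Azure'
    )
    $installed = @(Get-InstalledCryptoProvider)
    # Providers that keep the private key in software on the CA host (no HSM protection).
    $softwareOnly = @(
        'Microsoft Software Key Storage Provider',
        'Microsoft Strong Cryptographic Provider',
        'Microsoft Enhanced RSA and AES Cryptographic Provider'
    )
    [pscustomobject]@{
        InstalledProviders = $installed
        CloudKspRegistered = [bool]($installed | Where-Object { $_ -match $CloudKspPattern })
        CaKeys             = @(Get-CaKeyProvider | ForEach-Object {
            $_ | Add-Member -NotePropertyName KeyInSoftware `
                            -NotePropertyValue ($_.Provider -in $softwareOnly) -PassThru
        })
    }
}

Get-CaKeyProviderReport | Format-List
```

A CA whose key is in "Microsoft Software Key Storage Provider" shows `KeyInSoftware = True`; a CA fronted by a vendor HSM shows that vendor's KSP name instead, which is exactly the piece missing for Azure Key Vault in this thread. `CloudKspRegistered` only tells you whether something matching the pattern is installed, not whether the CA is using it; the `CaKeys` entries answer that.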