Active Directory Certificate Services with Azure Key Vault Virtual HSM


Hi all (and I hope also Microsoft folk in the security and AD CS arenas),

With Azure adoption etc. and the GA a while ago of Azure Key Vault virtual HSM, it seems to me that it would be a significant enhancement of AD CS security to use Azure Key Vault virtual HSM to host the AD CS server certificate keys.

Most third-party (virtual) HSMs come with instructions, agents, custom key storage providers etc. to enable the external hosting of, and access from the Windows host to, the certificate key. I can only find (quite old) information for SQL, which adds a custom KSP to SQL seemingly rather than to the OS.

Has anyone else had a go at or implemented this yet?


1 Reply
I don’t think there is a CNG/KSP provider for Azure Key Vault, so AD CA cannot use this directly. This is a problem we had, and we ended up using AWS Cloud HSMs for our cloud-based key stores.

It must be a conscious decision on Microsoft’s part, as you also have the ability to utilise a managed HSM under Key Vault, which makes use of the Marvell LiquidSecurity HSMs. These are the same as AWS Cloud HSM uses, but AWS expose the direct HSM interfaces; Microsoft don’t seem to. I guess Microsoft want to migrate certificate services into Key Vault or other services in Azure and leave AD CS to on-prem.

Azure does offer a dedicated HSM (these are Thales Luna HSMs). These HSMs can be used with AD CS, but as far as I recall this option is fairly costly.