Activation error when using a UAG SSL certificate with an nCipher HSM

This post is about configuring a Unified Access Gateway (UAG) trunk with an SSL certificate whose private key is held by the nCipher HSM, exposed to Windows through the nCipher cryptographic service provider (CSP).

If you have created a certificate request manually and assigned the certificate to a UAG trunk, activating the UAG configuration may fail with the following error:

Forefront Unified Access Gateway failed to activate the Internet Information Service configuration. This might be due to a problem accessing the site’s certificate in the Certificate Store. Reinstalling the certificate may resolve the problem.

To make UAG work with an SSL certificate that is maintained by an nCipher CSP, you must follow the instructions as described in the Integration Guide Microsoft Internet Information Services IIS (7.0) and nCipher Modules. In my case, I used a Windows Server 2003 certification authority (CA) and therefore CNG keys are not supported. The Thales documentation explains how to create a certificate with a CNG key. I had to slightly modify the request file (as illustrated in step #3 below) to make it work with the Windows Server 2003 CA.

After setting up the HSM security world and making the HSM available to the UAG server, follow these steps:

  1. Execute the following command in a command window with Administrator permissions to make the web server (HTTP) service depend on the “nFast Server” service, so that the hardserver is running before IIS tries to open the key:
    %NFAST_HOME%\bin\ncsvcdep.exe -a http
  2. Make sure that the nCipher Security World Key Storage Provider is available to the system. You can list the registered CSPs and key storage providers with the following command:
    certutil -csplist
    If the nCipher provider is not in the list, run the CNG configuration wizard from the Start menu and check again.
  3. Create a certificate request file ncipher.inf that looks similar to the following sample:

    [Version]
    Signature = "$Windows NT$"

    [NewRequest]
    Subject = "CN=app.contoso.com" ; put the public application name here
    KeyLength = 2048
    MachineKeySet = TRUE
    SMIME = FALSE
    ProviderName = "nCipher Security World Key Storage Provider"
    KeyUsage = 0xf0
    HashAlgorithm = SHA1
    KeyAlgorithm = RSA

    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.1

    [RequestAttributes]
    CertificateTemplate=WebServer

  4. Generate the certificate request with the following command. This creates the key pair inside the HSM (the private key never leaves it) and writes the certificate request to the file system. For related information see also How Certificates Are Created.

    certreq -new ncipher.inf ncipher.req

  5. Submit the ncipher.req file to the certification authority and save the issued certificate as ncipher.cer.
  6. Once the certificate has been issued by the CA, install it on the UAG computer with the following command, which binds the certificate to the HSM-resident key in the machine store:

    certreq -accept ncipher.cer

  7. Once the certificate is installed, it appears in the General tab of any HTTPS trunk configuration. After linking the certificate to a trunk, you must activate the UAG configuration again.
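The seven steps above as one script, with the check a practitioner wants before re-activating UAG: that the private key really lives in the nCipher key storage provider and is usable by the machine account. This is an added example, not code from the original post or from Thales/nCipher. It assumes an elevated PowerShell session on the UAG server, NFAST_HOME set by the nCipher installer, and a CA that issues the WebServer template without manager approval; the subject name, CA config string and working folder are hypothetical placeholders.

```powershell
<#
  Added example, not from the original post: the UAG + nCipher KSP procedure
  end to end, plus verification that the key is HSM-backed and usable.
  Assumptions (not stated on the page): elevated session on the UAG server,
  $env:NFAST_HOME set by the nCipher installer, and the placeholder values
  in the param block below.
#>
param(
    [string]$Subject  = "CN=app.contoso.com",            # public application name (assumed)
    [string]$CaConfig = "ca01.contoso.local\Contoso-CA", # "CAHost\CAName" (assumed)
    [string]$WorkDir  = "C:\uag-cert"                    # scratch folder (assumed)
)
$ErrorActionPreference = "Stop"
$Ksp = "nCipher Security World Key Storage Provider"
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$inf = Join-Path $WorkDir "ncipher.inf"
$req = Join-Path $WorkDir "ncipher.req"
$cer = Join-Path $WorkDir "ncipher.cer"

# Step 1: make the HTTP service depend on the hardserver, then prove it with sc.exe
& "$env:NFAST_HOME\bin\ncsvcdep.exe" -a http
if (-not (sc.exe qc http | Select-String -SimpleMatch "nFast Server")) {
    throw "The http service does not depend on 'nFast Server'; ncsvcdep.exe did not take effect."
}

# Step 2: the KSP must be registered, otherwise certreq cannot create the key
if (-not (certutil -csplist | Select-String -SimpleMatch $Ksp)) {
    throw "'$Ksp' is not registered; run the CNG configuration wizard from the Start menu."
}

# Step 3: write the request file (backticks keep `$Windows NT`$ literal in the here-string)
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
KeyLength = 2048
MachineKeySet = TRUE
SMIME = FALSE
ProviderName = "$Ksp"
KeyUsage = 0xf0
HashAlgorithm = SHA1
KeyAlgorithm = RSA

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path $inf -Encoding ASCII

# Step 4: the key pair is generated inside the HSM, the request lands in $req
certreq -new $inf $req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed; check the hardserver and the security world." }

# Step 5: submit to the CA (assumes immediate issuance; if the request is left pending,
# have it issued and fetch it with: certreq -retrieve <RequestId> $cer)
certreq -submit -config $CaConfig $req $cer
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $cer)) { throw "The CA did not return a certificate." }

# Step 6: bind the issued certificate to the HSM-resident key in the machine store
certreq -accept $cer
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed." }

# Step 7: verify the private key is held by the nCipher KSP and passes certutil's key test;
# a certificate that fails here is what the UAG activation error above points at
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert -or -not $cert.HasPrivateKey) { throw "Certificate for $Subject has no private key." }
$store = certutil -store My $cert.Thumbprint
if (-not ($store | Select-String -SimpleMatch "Provider = $Ksp")) {
    throw "Private key for $($cert.Thumbprint) is not held by the nCipher KSP."
}
if (-not ($store | Select-String -Pattern "test passed")) {
    throw "certutil could not use the HSM key; UAG activation will fail the same way."
}
Write-Host "OK: $($cert.Thumbprint) is HSM-backed. Assign it on the trunk's General tab and activate UAG."
```

Step 7 inspects the key through certutil -store rather than through $cert.PrivateKey because that .NET property only surfaces legacy CSP keys; for a CNG key storage provider it returns nothing, which would make a perfectly good HSM key look broken.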