Tip O' The Day: 01/21/2007 Exporting and Importing the Microsoft Enhanced CSP v 1.0 Certificates

As I'm sure some of you are aware, when you provision RMS you are given the option of selecting the CSP (Cryptographic Service Provider) for your private keys. If you choose software-based private keys, you are prompted to enter a password, and the keys are stored encrypted in the database. The good thing about this is that each server you join to the cluster can use the same keys, since they are centrally located in the DB. If you choose the other option, the keys are typically stored on your HSM (Hardware Security Module), and you need to manually export and import those keys to each RMS server in the cluster. Typically, if you are using something like an nCipher module and need to export and import the keys, we will refer you to the CSP provider for instructions on doing that. Well, what happens if you didn't use an HSM and just decided to use something like the Microsoft Enhanced Cryptographic Service Provider? Well...WE are the provider, and as I found out the other day, we have no instructions for doing this.

First of all, choosing this option is not recommended, as it stores the keys on the local RMS machine (C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys) and there is no real benefit; an HSM actually secures the keys and is the most secure way to handle this. Maybe you did it by accident like a recent customer of mine, and now you want to redo your whole setup but still need to be able to open the old content created using these keys, or maybe...you meant to do this, and now you need to export the keys so you can import them into another RMS install.

After many hours of research and trial and error, here are the steps for doing that.

-Install the .NET Framework 2.0 on both servers.

-Export the publishing cert from the original server using the RMS Administration Trust Policies UI

-Copy the value of the 'keycontainername' field out of the DRMS_LicensorPrivateKey table in the DRMS_Configuration database using RMSConfigEditor (from the RMS toolkit)

-Go to a command prompt and CD to C:\Winnt\Microsoft.NET\Framework\v2.0.50727

-Type aspnet_regiis.exe -px "keycontainernameyoucopied" c:\keys.xml -pri

You should get a Succeeded message and have a file called keys.xml in the root of C:.

-Take the publishing cert you exported from the UI and the public/private RSA key container you just exported (keys.xml), and move them over to the new RMS server.

-Import the publishing cert through the RMS Administration Trust Policies UI.

-Copy the value of the 'keycontainername' field out of the DRMS_LicensorPrivateKey table in the DRMS_Configuration database using RMSConfigEditor (from the RMS toolkit)

-Go to a command prompt and CD to C:\Winnt\Microsoft.NET\Framework\v2.0.50727

-Type aspnet_regiis.exe -pi -exp "keycontainernameyoucopied" c:\keys.xml

You should get a Succeeded message, and you should now be able to open content that was created using those keys.
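One check worth running on keys.xml before you move it: aspnet_regiis -px writes the .NET RSAKeyValue XML layout, and if -pri was left off (or the container was not exportable) the file holds only the public half, which will import cleanly and still leave you unable to open old content. The Python below is an added example, not part of the original post or the RMS toolkit; it parses that layout and verifies the private CRT parameters are present and consistent with the modulus and exponent. The embedded XML is a constructed toy key, not a real RMS key.

```python
import base64
import math
import xml.etree.ElementTree as ET

# Constructed sample in the RSAKeyValue layout that aspnet_regiis -px -pri
# writes. Toy 12-bit key (p=61, q=53, e=17), NOT a real RMS key.
SAMPLE_KEYS_XML = """<RSAKeyValue>
<Modulus>DKE=</Modulus><Exponent>EQ==</Exponent>
<P>PQ==</P><Q>NQ==</Q><DP>NQ==</DP><DQ>MQ==</DQ>
<InverseQ>Jg==</InverseQ><D>CsE=</D>
</RSAKeyValue>"""

PUBLIC_FIELDS = ("Modulus", "Exponent")
PRIVATE_FIELDS = ("P", "Q", "DP", "DQ", "InverseQ", "D")


def parse_rsa_key_value(xml_text):
    """Return {field: int}; .NET stores each value as base64 big-endian bytes."""
    root = ET.fromstring(xml_text)
    if root.tag != "RSAKeyValue":
        raise ValueError("not an RSAKeyValue document: <%s>" % root.tag)
    key = {}
    for field in PUBLIC_FIELDS + PRIVATE_FIELDS:
        node = root.find(field)
        # An export made without -pri simply lacks the private elements.
        if node is not None and node.text:
            key[field] = int.from_bytes(base64.b64decode(node.text.strip()), "big")
    missing = [f for f in PUBLIC_FIELDS if f not in key]
    if missing:
        raise ValueError("RSAKeyValue is missing %s" % ", ".join(missing))
    return key


def has_private_key(key):
    """True only if every CRT parameter is present, i.e. -pri was honoured."""
    return all(field in key for field in PRIVATE_FIELDS)


def private_key_is_consistent(key):
    """Check that the private parameters really belong to Modulus/Exponent."""
    if not has_private_key(key):
        return False
    n, e, d, p, q = (key[f] for f in ("Modulus", "Exponent", "D", "P", "Q"))
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # Carmichael lambda(n)
    return (p * q == n
            and (e * d) % lam == 1
            and key["DP"] == d % (p - 1)
            and key["DQ"] == d % (q - 1)
            and (key["InverseQ"] * q) % p == 1)
```

Feed it the contents of c:\keys.xml: a True from has_private_key and private_key_is_consistent means the container export is complete and usable on the new server.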

There you go. I'll probably update this with more detailed steps later, but I wanted to get it out here while I had some time. I'm also considering writing an RMS-specific tool that will do this, and putting it up here so you don't have to install the .NET 2.0 Framework.

-Jason