Using SmartKey with Microsoft PKI

Updated: Nov 30, 2017


This article describes how to set up a Microsoft PKI service, namely Active Directory Certificate Services with SmartKey.

Before starting, follow the steps in the CNG Developers Guide to install the SmartKey CNG Key Storage Provider.

Use certutil to verify the correct installation of the Fortanix CNG KSP.

Configuring Microsoft Active Directory Certificate Services

Open Server Manager and select Active Directory Certificate Services (AD CS) as one of the services to install.


Select Certification Authority (CA) as one of role services to install for AD CS.


The CA installed in the previous step must have a private key to sign and issue certificates to clients. There are 3 ways to associate a private key with the CA:

  • By creating a new private key
  • By selecting an existing certificate and using its associated private key
  • By selecting an existing private key

The Fortanix KMS KSP supports all the above three options.


If you select the option to create a new private key, you will next be asked to select the cryptographic provider. Select RSA#Fortanix SDKMS Provider as the cryptographic provider if you want to use a RSA key for the CA.


After confirming your selections, verify that a new key has been generated in the SmartKey web UI. The CA is now ready to issue certificates.