|
| 1 | +PKI Proxy |
| 2 | +--------- |
| 3 | + |
| 4 | +This document explains the usage of PKI Proxy with NetHSM. |
| 5 | +PKI Proxy enables the usage of NetHSM with the Microsoft Windows CSP and KSP. |
| 6 | +Additionally it provides PKCS#11 access to the NetHSM, but this can also be achieved with the NetHSM PKCS#11 driver alone. |
| 7 | + |
| 8 | +The deployment of NetHSM with PKI Proxy looks like this. |
| 9 | + |
| 10 | +NetHSM -- PKI Proxy -- Client (CSP, KSP, PKCS11) |
| 11 | + |
| 12 | +The NetHSM provides the REST API which is used by NetHSM PKCS#11 driver. |
| 13 | +PKI Proxy uses this driver to connect to the NetHSM and access its keys and certificates. |
| 14 | +Clients to the PKI Proxy use either a CSP or KSP to access the keys and certificates through native Windows APIs or a PKCS#11 driver. |
| 15 | +The communication between the NetHSM and PKI Proxy, and PKI Proxy and the clients is encrypted. |
| 16 | + |
| 17 | +Prerequisits |
| 18 | +============ |
| 19 | + |
| 20 | +- NetHSM (hardware or containerized) |
| 21 | + - Provisioned |
| 22 | + - IP address of the NetHSM must be known, and the HTTPS port must be reachable. |
| 23 | +- Windows machine |
| 24 | + - Nitrokey NetHSM PKCS#11 driver installed and configured. |
| 25 | + |
| 26 | +Installation |
| 27 | +============ |
| 28 | + |
| 29 | +1. Download PKI Proxy installer from the `nsoftware website <https://www.nsoftware.com/pkiproxy/download>`__. |
| 30 | +2. Open the installer and follow the installation wizard. |
| 31 | + |
| 32 | +Configuration |
| 33 | +============= |
| 34 | + |
| 35 | +Open PKI Proxy by opening it from the Start Menu. |
| 36 | +If you installed it to the default location you can also run it with the following command from the Run dialog or the PowerShell. |
| 37 | + |
| 38 | +.. code-block:: shell-session |
| 39 | +
|
| 40 | + C:\Program Files\PKI Proxy 2024\PKIProxy.exe |
| 41 | +
|
| 42 | +.. tip:: |
| 43 | + PKI Proxy will minimize to the system tray, even if the main window is closed. |
| 44 | + |
| 45 | +PKI Proxy |
| 46 | +~~~~~~~~~ |
| 47 | + |
| 48 | +The instructions below configure the PKI Proxy. |
| 49 | + |
| 50 | +1. Make sure the PKI Proxy main window is open. |
| 51 | +2. Change to the **Settings** tab. |
| 52 | +3. TODO |
| 53 | + |
| 54 | +Publish certificates from the NetHSM |
| 55 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 56 | + |
| 57 | +In the following we configure which certificates from the NetHSM are made available through PKI Proxy. |
| 58 | + |
| 59 | +1. Make sure the PKI Proxy main window is open. |
| 60 | +2. Change to the **Certificates** tab. |
| 61 | +3. Click on the **New...** button. |
| 62 | + This will open the **Share Certificate** window. |
| 63 | +4. Click on the **Select Certificate** button. |
| 64 | + This will open the **Select a Private Key** window. |
| 65 | +5. Change to the **Security Key** tab. |
| 66 | +6. Click the **Browse..** button and select the NetHSM PKCS#11 driver library file. |
| 67 | + The text field **PKCS#11 Library** now shows the path to the library file. |
| 68 | +7. From the dropdown menu **Security Key (PKCS#11)** choose the slot which contains the certificate. |
| 69 | + The listed slots depend on your configuration of the PKCS#11 module. |
| 70 | +8. Click the **Open** button. |
| 71 | +9. The text list below **Certificates** now shows a list of the available certificates on the NetHSM. |
| 72 | + Select the certificate you want to use with PKI Proxy. |
| 73 | +10. Click on the **OK** button to confirm the selection. |
| 74 | + This will bring you back to the **Share Certificate** window. |
| 75 | + The window will now show the details of the selected certificate. |
| 76 | +11. TODO There are more options one can make. Decide how detailed we want to go in this document. |
| 77 | +12. Click on the **OK** button to publish the certificate. |
| 78 | + This will bring you back to the main window of PKI Proxy. |
| 79 | +13. The text list below **Certificate Management** now shows the published certificate. |
| 80 | + |
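
Review bot: The settings procedure under "PKI Proxy" ends at "3. TODO" (file line 52) and step 11 of the certificate publishing list is also a TODO, so the page as committed never explains how the proxy itself is configured, including the encrypted client and NetHSM connections claimed at file line 15. Either fill in these steps or mark both sections as incomplete before the page is published. Two smaller points: "Prerequisits" at file line 17 should read "Prerequisites", with the underline lengthened to match. The command at file line 40 contains spaces, so in PowerShell it only runs when quoted and invoked with the call operator, for example `& "C:\Program Files\PKI Proxy 2024\PKIProxy.exe"`.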