SafeNet KSP: Provider DLL failed
In this blog, we will cover a common error encountered while installing Active Directory Certificate Services. While configuring the setup in Server Manager, the option for SafeNet Luna Cryptographic Key Provider wasn’t available.
The CA service wasn’t working.
Provider Name: SafeNet Key Storage Provider
SafeNet Key Storage Provider: Provider DLL failed to initialize correctly.
CertUtil: -csplist command FAILED: 0x80090030 (-2146893776 NTE_DEVICE_NOT_READY)
CertUtil: The device that is required by this cryptographic provider is not ready for use.
We weren’t getting an option for SafeNet Luna Cryptographic Key Provider while configuring ADCS for Issuing CA despite installing KSPConfig and successfully completing all the HSM setups.
- We ran certutil -csplist to check whether the SafeNet Key Storage Provider was configured correctly.
- We checked that vtl verify was working.
- We tried re-installing the KSP configuration.
- We ran Regedit to check whether the options for SafeNet were available in the Registry.
This turns out to be a generic error with SafeNet HSM configuration. To solve it, we re-configured the HSM by re-registering the account and rebooting the system, which solved the issue in this case.
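To repeat the certutil -csplist check after re-registering and rebooting, the following PowerShell function is an added example, not part of the original post or of SafeNet's tooling. The name Get-KspStatus is hypothetical, and the sample lines are the error output quoted above; it reports whether the provider is listed, whether its DLL initialized, and which error certutil returned.

```powershell
# Added example: interpret `certutil -csplist` output for one provider.
function Get-KspStatus {            # hypothetical helper name
    param(
        [string[]]$Lines,
        [string]$Provider = 'SafeNet Key Storage Provider'
    )
    $name        = [regex]::Escape($Provider)
    $listedRegex = '^\s*Provider Name:\s*' + $name + '\s*$'
    $failRegex   = '^\s*' + $name + ':\s*\S'

    # A provider can be listed and still be unusable, so check both.
    $listed = [bool]($Lines -match $listedRegex)
    # certutil prints "<provider>: <message>" when the provider DLL fails to load.
    $initFailure = $Lines -match $failRegex | Select-Object -First 1

    # Overall command status, e.g. "0x80090030 (-2146893776 NTE_DEVICE_NOT_READY)".
    $code = $null; $symbol = $null
    foreach ($line in $Lines) {
        if ($line -match 'command FAILED:\s*(0x[0-9a-fA-F]+)\s*\(\S+\s+(\w+)\)') {
            $code = $Matches[1]; $symbol = $Matches[2]; break
        }
    }

    [pscustomobject]@{
        Provider    = $Provider
        Listed      = $listed
        InitFailure = $initFailure   # $null when no failure line is present
        ErrorCode   = $code
        ErrorName   = $symbol
        Healthy     = $listed -and -not $initFailure -and -not $code
    }
}

# Sample input: the error output quoted in this post.
$sample = @(
    'Provider Name: SafeNet Key Storage Provider'
    'SafeNet Key Storage Provider: Provider DLL failed to initialize correctly.'
    'CertUtil: -csplist command FAILED: 0x80090030 (-2146893776 NTE_DEVICE_NOT_READY)'
    'CertUtil: The device that is required by this cryptographic provider is not ready for use.'
)
Get-KspStatus -Lines $sample | Format-List

# On the CA server itself, check the live output as well.
if (Get-Command certutil.exe -ErrorAction SilentlyContinue) {
    Get-KspStatus -Lines (certutil.exe -csplist) | Format-List
}
```

For the sample, Listed is True while Healthy is False: the provider name appearing in the list does not mean the HSM behind it is reachable.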
Configuring the KSP Using the GUI
You can use the KspConfig utility to configure the KSP with your partitions. The Crypto Officer must complete this procedure using Administrator privileges on the client.
You can register the following user/domain combinations with the KSP:
- Administrator user with the domain specific to the client. Default Windows domains are in the format WIN-XXXXXXXXXXX.
- SYSTEM user with the NT-AUTHORITY domain
The configuration tool registers a Crypto Officer password/challenge to a specific user so only that user can unlock the partition.
Steps to configure the KSP using the GUI
1. In Windows Explorer, navigate to the Luna KSP install directory and launch KspConfig as the Administrator user.
2. In the left panel, double-click Register or View Security Library. Enter the filepath to cryptoki.dll or click Browse to locate it. Click Register to complete the registration.
3. In the left panel, double-click Register HSM Slots. Select the Administrator user, client domain, and an available slot to register. Enter the CO password/challenge and click Register Slot.
4. Select the SYSTEM user and NT-AUTHORITY domain and register the slot.
5. Repeat steps 3-4 for any other available slots you want to register with the KSP.
(One common mistake is to just reconfigure it without rebooting the system.)