PKI

SafeNet KSP: Provider DLL failed

Last updated on

Read Time: 5 minutes

In this blog, we will cover a common error while Installing Active Directory Certificate Services. While configuring the setup on Server Manager, the option for SafeNet Luna Cryptographic Key Provider wasn’t available.

Issue

CA Service wasn’t working.

Error Code

Provider Name: SafeNet Key Storage Provider
SafeNet Key Storage Provider: Provider DLL failed to initialize correctly.
CertUtil: -csplist command FAILED: 0x80090030 (-2146893776 NTE_DEVICE_NOT_READY)
CertUtil: The device that is required by this cryptographic provider is not ready for use.

Description

We weren’t getting an option for SafeNet Luna Cryptographic Key Provider while configuring ADCS for Issuing CA despite installing KSPConfig and successfully completing all the HSM setups.

Steps done

  • We did run certutil -csplist to check whether the SafeNet Key Storage Provider was configured correctly.
  • Checked the vtl verify is working.
  • Tried to re-install the KSP configuration again.
  • We ran Regedit to check whether the options for SafeNet are available in the Registry

Solution

This comes out to be a generic error with SafeNet HSM Configuration. To solve it, we did is to re-configure the HSM by Re-registering the account and rebooting the system. It did solve the issue in this case.

Configuring the KSP Using the GUI

You can use the KspConfig utility to configure the KSP with your partitions. The Crypto Officer must complete this procedure using Administrator privileges on the client.

You can register the following user/domain combinations with the KSP:

  • Administrator user with the domain-specific to the client. Default Windows domains are in the format WIN-XXXXXXXXXXX.
  • SYSTEM user with the NT-AUTHORITY domain

The configuration tool registers a Crypto Officer password/challenge to a specific user so only that user can unlock the partition.

Steps to configure the KSP using the GUI

1. In Windows Explorer, navigate to the Luna KSP install directory and launch KspConfig as the Administrator user.

2. In the left panel, double-click Register or View Security Library. Enter the filepath to cryptoki.dll or click Browse to locate it.

<client_install_dir>\cryptoki.dll

Click Register to complete the registration.

3. In the left panel, double-click Register HSM Slots. Select the Administrator user, client domain, and an available slot to register. Enter the CO password/challenge and click Register Slot.

4. Select the SYSTEM user and NT-AUTHORITY domain and register for the slot.

5. Repeat steps 3-4 for any other available slots you want to register with the KSP.

(One common mistake is to just reconfigure it without rebooting the system).

References: https://thalesdocs.com/gphsm/luna/7/docs/network/Content/sdk/microsoft/ksp_cng.htm

Free Downloads

Datasheet of Public Key Infrastructure

We have years of experience in consulting, designing, implementing & migrating PKI solutions for enterprises across the country.

Download

About the Author

Yathaarth Swaroop is a Consultant at Encryption Consulting, working with PKIs, HSMs and working as a consultant with high-profile clients.

You might also be interested in

What is SCEP service? How does SCEP protocol work?
What is SCEP service? How does SCEP protocol work? May 14, 2021
Identifying and Mitigating PKI Assessment Risks
Identifying and Mitigating PKI Assessment Risks December 2, 2022
PKI – IoT’s Path to Security
PKI – IoT’s Path to Security September 29, 2018
Insight Into TLS Handshake For Building Secure Communications Over The Internet.
Insight Into TLS Handshake For Building Secure Communications Over The Internet. June 13, 2022

Explore More Topics

Explore the full range of services offered by Encryption Consulting.

Feel free to schedule a demo to gain a comprehensive understanding of all the services Encryption Consulting provides.

Request a demo