
SafeNet KSP: Provider DLL failed


In this blog, we will cover a common error encountered while installing Active Directory Certificate Services. While configuring the setup in Server Manager, the option for SafeNet Luna Cryptographic Key Provider wasn’t available.

Issue

The CA service wasn’t working.

Error Code

Provider Name: SafeNet Key Storage Provider
SafeNet Key Storage Provider: Provider DLL failed to initialize correctly.
CertUtil: -csplist command FAILED: 0x80090030 (-2146893776 NTE_DEVICE_NOT_READY)
CertUtil: The device that is required by this cryptographic provider is not ready for use.

Description

We weren’t getting an option for SafeNet Luna Cryptographic Key Provider while configuring ADCS for the Issuing CA, despite installing KSPConfig and successfully completing all the HSM setups.

Steps done

  • Ran certutil -csplist to check whether the SafeNet Key Storage Provider was configured correctly.
  • Checked that vtl verify was working.
  • Tried re-installing the KSP configuration.
  • Ran Regedit to check whether the options for SafeNet were available in the Registry.

Solution

This turns out to be a generic error with the SafeNet HSM configuration. To solve it, we re-configured the HSM by re-registering the account and rebooting the system. That solved the issue in this case.

Configuring the KSP Using the GUI

You can use the KspConfig utility to configure the KSP with your partitions. The Crypto Officer must complete this procedure using Administrator privileges on the client.

You can register the following user/domain combinations with the KSP:

  • Administrator user with the domain specific to the client. Default Windows domains are in the format WIN-XXXXXXXXXXX.
  • SYSTEM user with the NT-AUTHORITY domain

The configuration tool registers a Crypto Officer password/challenge to a specific user so only that user can unlock the partition.

Steps to configure the KSP using the GUI

1. In Windows Explorer, navigate to the Luna KSP install directory and launch KspConfig as the Administrator user.

2. In the left panel, double-click Register or View Security Library. Enter the filepath to cryptoki.dll or click Browse to locate it.

<client_install_dir>\cryptoki.dll

Click Register to complete the registration.

3. In the left panel, double-click Register HSM Slots. Select the Administrator user, client domain, and an available slot to register. Enter the CO password/challenge and click Register Slot.

4. Select the SYSTEM user and NT-AUTHORITY domain and register the slot.

5. Repeat steps 3-4 for any other available slots you want to register with the KSP.

(One common mistake is to just reconfigure it without rebooting the system.)
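To confirm the result after re-registering the slots and rebooting, the certutil -csplist check from the troubleshooting steps can be scripted. The following is an added example, not code from the original post or from Thales; the function name Get-KspStatus and its status values are hypothetical, and it assumes English certutil output in the format shown under Error Code.

```powershell
# Added example: classify a key storage provider from `certutil -csplist` output.
# Get-KspStatus and its status names are hypothetical, not part of any product.
function Get-KspStatus {
    param(
        [string[]]$CspListOutput,   # lines returned by `certutil -csplist`
        [string]$ProviderName = 'SafeNet Key Storage Provider'
    )
    $listed     = $false   # provider appears in the provider list
    $initFailed = $false   # provider reported its own failure line
    $evidence   = @()
    foreach ($line in $CspListOutput) {
        $text = $line.Trim()
        if ($text -eq "Provider Name: $ProviderName") {
            $listed = $true
        }
        elseif ($text -like "${ProviderName}:*") {
            # e.g. "<provider>: Provider DLL failed to initialize correctly."
            $initFailed = $true
            $evidence  += $text
        }
        elseif ($initFailed -and $text -match '0x80090030|NTE_DEVICE_NOT_READY') {
            # Only attribute the error code once this provider has failed.
            $evidence += $text
        }
    }
    $status = if ($initFailed) { 'InitFailed' }
              elseif ($listed) { 'Listed' }
              else { 'NotRegistered' }
    [pscustomobject]@{
        Provider = $ProviderName
        Status   = $status
        Evidence = $evidence -join ' | '
    }
}

# Sample input: the failing output quoted under "Error Code" in this post.
$sample = @(
    'Provider Name: SafeNet Key Storage Provider',
    'SafeNet Key Storage Provider: Provider DLL failed to initialize correctly.',
    'CertUtil: -csplist command FAILED: 0x80090030 (-2146893776 NTE_DEVICE_NOT_READY)',
    'CertUtil: The device that is required by this cryptographic provider is not ready for use.'
)
Get-KspStatus -CspListOutput $sample

# On the CA server, from an elevated prompt:
# Get-KspStatus -CspListOutput (certutil -csplist)
```

A status of Listed only shows that the provider DLL loaded for the account running the check; the SYSTEM registration from step 4 is exercised when the CA service itself starts.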

References

https://thalesdocs.com/gphsm/luna/7/docs/network/Content/sdk/microsoft/ksp_cng.htm

About the Author

Nishiket Kumar is a Consultant at Encryption Consulting, working with PKIs, HSMs and working as a consultant with high-profile clients.
