David Wozny - PKI Bloke (Retired)

​​​​Solution Documents

All of the published documents on this web site are vastly redacted, anonymised and / or truncated.  Links for each document are included in the paragraph summararies below.


Designs

Microsoft ADCS Design Utilising HSMs

A design document which incorporated Active Directory Certificate Services (ADCS) and Thales nShield Hardware Security Modules (HSMs).  The solution had two tiers: a Root CA and four Issuing CAs, one of the Issuing CAs cross-certified with a third-party CA.


Microsoft ADCS Design without Utilising HSMs
A design document which incorporated ADCS deployed entirely on a VMWare networked virtualisation platform.  All CA private key material was solely
protected in software
 (no HSMs).


Gemalto SafeNet HSMs Design

A design document based upon a three tier PKI, which utilised SafeNet HSMs to protect private key material.


HID ActivID Smart Card Management System Design
A design document which incorporated HID ActivID  smart card management, coupled with ADCS and Thales nShield HSMs.


Micosoft FIM-CM Smart Card Management System Design
A design document which incorporated
FIM-CM (Microsoft smart card management) in its solution, for issuing smart cards in sixty countries.  FIM-CM was coupled with ADCS and Thales nShield HSMs.


Engineering

Microsoft ADCS Detailed Engineering
An engineering document which incorporated ADCS.  Essentially, the document describes the purpose of the installation and operational scripts.


Migration of HSM Protected Keys

This overview describes the approach taken to move symmetric keys used by a smart card management system.  The keys had been protected by an HSM deployed at a FIPS 140-2 level 3 security model and needed to be moved to a target HSM deployed at a FIPS 140-2 level 2 security model.  It was not possible to do the key migration directly, an intermediate FIPS 140-2 level 2 security model was required.


Operational Guides

Microsoft ADCS Operation
A support document which incorporated Microsoft PKI in its solution, it includes routine operations such as Root CA CRL publication and transferral (promulgation), scripted or ad hoc certificate enrolment, PKI monitoring, etc.


Microsoft ADCS Key Recovery
A support document describing a process to
recover a decryption private key in the event of its loss.


Java Code Signing

The document describes a tactical code signing exercise: 1) creating a self-signed certificate and private key with PowerShell, 2) converting a PFX to P12 with OpenSSL, 3) importing the P12 into a Java key store.  The approach was described in this technical instruction (note).


Testing Guides
Intercede MyID Smart Card Management
A test plan which incorporated Intercede MyID in its solution and instructed upon how to perform basic smart card tasks, such as requesting cards, issuing cards, certificate revocation, granting operator rights entitlement.


Integration Consulting

Two AD Forests with One Credential
A report which looked into the options of simplifying the logon experience after two banks were merged.  The banks had separate Active Directory (AD) forests which couldn't be 'fully joined' as they had different outsourcing partners (IBM and EDS), who couldn't agree to do anything together!


Key Signing Ceremony (KSC) Documents

Root CA CRL Publication

A KSC for publishing a Root CA CRL in a very prescriptive and disciplined manner.  A laptop running VMWare Workstation hosted a virtual guest on which contained the offline Root CA.


Changing Private Key Protection
A KSC for changing the nCipher 
HSM key protection of an Issuing CA private signing key from Operator Card Set (OCS) to "module only".


Troubleshooting
SSL Problem Dialogue
I'd helped to implement cross-certification between two major UK public sector organisations, but it wasn't working!  The
email dialogue is a partial record of some of the deduction that was involved in understanding why it didn't work as expected, and enabled me to fully understand the problem, leading to an approach to overcome it.


Explaining

PKI Solution Design and Use Cases

I put together a slide show as a background for explaining the PKI Solution I had designed, and how various elements of the infrastructure leveraged it.  There is content related to WPA2 using IEEE 802.1X, RADIUS, LDAP/S, mutual HTTPS and eMail signing using S/MIME.  There is a high-level overview of the solution described here.


Material Not Shared

There are dozens more KSC documents... but they won't be shared!

  • Commissioning an HSM and associated 'paraphernalia'
  • Commissioning a certification authority
  • Commissioning a smart card management system
  • Disaster recovery procedures
  • CA certificate renewal

Over the years, lots of engineering / detailed design documentation has been produced, but the redacting and anonymising process took away about 50% of the content.  In a nutshell - it wasn't worth the bother!