DMW Consulting Limited

​​​​Solution Documents

All of the published documents on my web site are vastly redacted, 'anonymised' and / or truncated.  Links for each document are included in each paragraph summary below.


Microsoft ADCS Design utilising HSMs

A design document for a customer which incorporated Active Directory Certificate Services (ADCS) and Thales nShield Hardware Security Modules (HSMs).  The solution had two tiers: a Root CA and four Issuing CAs, one of the Issuing CAs cross-certified with a third-party CA.

Microsoft ADCS Design without utilising HSMs
A design document for a customer which incorporated ADCS deployed entirely on VMWare virtualisation platforms (even the Root CA).  All CA private key material was solely
protected in 'software'
 (no HSMs).

Gemalto SafeNet HSMs Design

A design document for a customer based upon a three tier PKI, which utilised SafeNet HSMs to protect private key material.

HID ActivID Smart Card Management System Design
A design document for a customer which incorporated HID ActivID  smart card management, coupled with ADCS and Thales nShield HSMs.

Micosoft FIM CM Smart Card Management System Design
A design document which incorporated
FIM CM (Microsoft Smart Card Management) in its solution, for issuing smart cards in sixty countries.  FIM CM was coupled with ADCS and Thales nShield HSMs.


Microsoft ADCS Detailed Engineering
Anengineering document for a customer which incorporated ADCS.  Essentially, the document describes the purpose of the installation and operational scripts.

Operational Guides

Microsoft ADCS Operation
A support document which incorporated 'Microsoft PKI' in its solution, it includes routine operations such as Root CA CRL publication and transferral (promulgation), scripted or ad hoc certificate enrolment, PKI monitoring, etc.

Microsoft ADCS Key Recovery
A support document describing a process to
recover a decryption private key in the event of its loss.

Java Key Signing

The document describes: 1) creating a self-signed certificate and private key with PowerShell, 2) converting a PFX to P12 with OpenSSL, 3) importing the P12 into a Java Key Store.  The solution was a purely tactical one, described in this technical instruction (note).

Testing Guides
Intercede MyID Smart Card Management
A test plan which incorporated Intercede MyID in its solution and instructed upon how to perform basic smart card tasks, such as requesting cards, issuing cards, certificate revocation, granting operator right entitlement.

Integration Consulting

Two AD Forests with One Credential
A report which looked into the options of simplifying the logon experience after two banks were merged.  The banks had separate Active Directory (AD) forests which couldn't be 'fully joined' as they had different outsourcing partners (IBM and EDS), who couldn't agree to do anything together!

Key Signing Ceremony (KSC) Documents

Root CA CRL Publication

A KSC for creating a Root CA CRL in a very prescriptive and disciplined manner, at an offline Root CA hosted as a virtual guest on a 'laptop VMWare Workstation' based solution.

Changing Private Key Protection
A KSC for changing the
HSM key protection of an Issuing CA private signing key from Operator Card Set (OCS) to 'module only'.

Material Not Shared

There are dozens more KSC documents... but they won't be shared!

  • Commissioning an HSM and associated 'paraphernalia'
  • Commissioning a certification authority
  • Commissioning a smart card management system
  • Disaster recovery procedures
  • CA certificate renewal

Over the years, lots of engineering / detailed design documentation has been produced, but the redacting and anonymising process took away about 50% of the content.  In a nutshell - it wasn't worth the bother!