DMW Consulting Limited

Authored PKI Documentation

All of the published documents on my web site are vastly redacted, 'anonymised' and / or truncated.


Solution Designs

Microsoft ADCS Design with HSM

A design document for a customer which incorporated Active Directory Certificate Services (ADCS) and Thales nShield HSMs. The solution had two tiers: a Root CA and four Issuing CAs, with one of the Issuing CAs cross-certified with a third-party CA.


Microsoft ADCS Design without HSM
A design document for a customer which incorporated Active Directory Certificate Services (ADCS) deployed entirely on VMware virtualisation platforms (even the Root CA). All CA private key material was protected solely in 'software' - there were no HSMs in the solution.


Gemalto SafeNet Hardware Security Modules (HSMs) Design

A design document for a customer based upon a three tier PKI which used SafeNet HSMs to protect private key material.


HID ActivID Smart Card Management System Design
A design document for a customer which incorporated HID ActivID smart card management, coupled with ADCS and Thales nShield HSMs.


Microsoft FIM CM Smart Card Management System Design
A design document which incorporated FIM CM (Microsoft Smart Card Management) in its solution for issuing smart cards in sixty countries. FIM CM was coupled with ADCS and Thales nShield HSMs.



Operational Guides

Microsoft ADCS Operation
A support document which incorporated 'Microsoft PKI' in its solution; it includes routine operations such as Root CA CRL publication and transferal, scripted or ad hoc certificate enrolment, PKI monitoring, etc.


Microsoft ADCS Key Recovery
A support document describing a process to recover a decryption private key in the event of its loss.



Testing Guides
Intercede MyID Smart Card Management
A test plan which incorporated Intercede MyID in its solution and instructed upon how to perform basic smart card tasks such as requesting cards, issuing cards, certificate revocation, operator right entitlement.



Integration Consulting: Two AD Forests with One Credential
A report which looked into the options of simplifying the logon experience after two banks were merged. The banks had separate Active Directory (AD) forests which couldn't be 'fully joined' as they had different outsourcing partners who couldn't agree to do anything together.



Key Signing Ceremony (KSC) Documents

Root CA CRL Publication

A KSC for creating a Root CA CRL in a very prescriptive and disciplined manner at an offline Root CA hosted as a virtual guest on a laptop VMware solution.


Changing Private Key Protection
A KSC for changing the HSM key protection of a Root CA private signing key from Operator Card Set (OCS) to 'module only'.  This document was authored in September 2017.



I have dozens more KSC documents... but I don't want to share them!

  • Commissioning an HSM and Associated 'Paraphernalia'
  • Commissioning a Certification Authority
  • Commissioning a Smart Card Management System
  • Disaster Recovery Procedures
  • CA Certificate Renewal
  • Lots more...



Material Not Shared

Over the years I've produced lots of engineering / detailed design documentation, but the redacting and anonymising process took away about 50% of the content.  I decided to give up on that approach altogether - you'll just have to trust that I know how to do it!



Random Documents - for my entertainment!