David Wozny - PKI Bloke (Retired)

​​​​Solution Documents

All of the published documents on this web site are vastly redacted, 'anonymised' and / or truncated.  Links for each document are included in each paragraph summary below.


Microsoft ADCS Design Utilising HSMs

A design document which incorporated Active Directory Certificate Services (ADCS) and Thales nShield Hardware Security Modules (HSMs).  The solution had two tiers: a Root CA and four Issuing CAs, one of the Issuing CAs cross-certified with a third-party CA.

Microsoft ADCS Design without Utilising HSMs
A design document which incorporated ADCS deployed entirely on a VMWare networked virtualisation platform.  All CA private key material was solely
protected in software
 (no HSMs).

Gemalto SafeNet HSMs Design

A design document based upon a three tier PKI, which utilised SafeNet HSMs to protect private key material.

HID ActivID Smart Card Management System Design
A design document which incorporated HID ActivID  smart card management, coupled with ADCS and Thales nShield HSMs.

Micosoft FIM CM Smart Card Management System Design
A design document which incorporated
FIM CM (Microsoft smart card management) in its solution, for issuing smart cards in sixty countries.  FIM CM was coupled with ADCS and Thales nShield HSMs.


Microsoft ADCS Detailed Engineering
An engineering document which incorporated ADCS.  Essentially, the document describes the purpose of the installation and operational scripts.

Migration of HSM Protected Keys

This overview describes the approach taken to move symmetric keys used by a smart card management system.  The keys had been protected by an HSM deployed at a FIPS 140-2 level 3 'security model' and needed to be moved to a target HSM deployed at a FIPS 140-2 level 2 'security model'.  It was not possible to do the key migration directly, an intermediate FIPS 140-2 level 2 'security model' was required.

Operational Guides

Microsoft ADCS Operation
A support document which incorporated 'Microsoft PKI' in its solution, it includes routine operations such as Root CA CRL publication and transferral (promulgation), scripted or ad hoc certificate enrolment, PKI monitoring, etc.

Microsoft ADCS Key Recovery
A support document describing a process to
recover a decryption private key in the event of its loss.

Java Key Signing

The document describes: 1) creating a self-signed certificate and private key with PowerShell, 2) converting a PFX to P12 with OpenSSL, 3) importing the P12 into a Java Key Store.  The solution was a purely tactical one, described in this technical instruction (note).

Testing Guides
Intercede MyID Smart Card Management
A test plan which incorporated Intercede MyID in its solution and instructed upon how to perform basic smart card tasks, such as requesting cards, issuing cards, certificate revocation, granting operator right entitlement.

Integration Consulting

Two AD Forests with One Credential
A report which looked into the options of simplifying the logon experience after two banks were merged.  The banks had separate Active Directory (AD) forests which couldn't be 'fully joined' as they had different outsourcing partners (IBM and EDS), who couldn't agree to do anything together!

Key Signing Ceremony (KSC) Documents

Root CA CRL Publication

A KSC for creating a Root CA CRL in a very prescriptive and disciplined manner, at an offline Root CA hosted as a virtual guest on a 'laptop VMWare Workstation' based solution.

Changing Private Key Protection
A KSC for changing the
HSM key protection of an Issuing CA private signing key from Operator Card Set (OCS) to 'module only'.

SSL Problem Dialogue
I'd helped to implement cross-certification between two major UK public sector organisations, but it wasn't working!  The
email dialogue is a partial record of some of the deduction that was involved in understanding why it didn't work as it was expected to and enabled me to fully understand the problem, leading to an approach to overcome it.


PKI Solution Design and Use Cases

I put together a slide show as a background for explaining the PKI Solution I had designed, and how various elements of the infrastructure leveraged it.  There is content related to WPA2 using IEEE 802.1X, RADIUS, LDAP/S, mutual HTTPS and eMail signing using S/MIME.  There is a high-level overview of the solution described here.

Material Not Shared

There are dozens more KSC documents... but they won't be shared!

  • Commissioning an HSM and associated 'paraphernalia'
  • Commissioning a certification authority
  • Commissioning a smart card management system
  • Disaster recovery procedures
  • CA certificate renewal

Over the years, lots of engineering / detailed design documentation has been produced, but the redacting and anonymising process took away about 50% of the content.  In a nutshell - it wasn't worth the bother!