Ensure CA Servers Use Hardware Security Modules
Microsoft AD CS private keys need a hardware module for secure storage.
Plain language
This control means that the private keys for your Microsoft Active Directory Certificate Services (AD CS) servers need to be stored in a specially designed hardware device, known as a hardware security module (HSM). It's important because HSMs make it much harder for hackers to steal these keys, which are like the master keys to your network's security systems. Without this protection, your organisation is at risk of serious security breaches.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Authentication hardening
Topic
Protecting Credentials
Official control statement
Private keys for Microsoft AD CS CA servers are protected by a hardware security module.
Why it matters
Without HSMs securing CA server keys, attackers could forge certificates, undermining trust and compromising sensitive communications.
Operational notes
Regularly check HSM logs for anomalies and ensure key backups are securely managed to mitigate loss or hardware failure risks.
Implementation tips
- The IT team should identify which Microsoft AD CS servers are handling private keys and plan for the integration of a hardware security module. Start by listing all servers involved in certificate management to ensure no servers are overlooked.
- The procurement officer should research and select a hardware security module that is compatible with your existing systems. Use a checklist of requirements specific to your organisation, such as capacity and compatibility with Microsoft AD CS.
- The IT team should configure the selected HSM to store and protect the private keys of the AD CS servers. Follow the setup instructions provided by the HSM vendor carefully, and ensure all configurations are documented.
- Management should schedule regular training sessions for the IT staff to ensure all team members understand how to manage and maintain the HSM effectively. These training sessions can be run internally or by hiring experts from the HSM provider.
- The security team should periodically review and test the configuration of the HSM to ensure it is securely set up and operating as intended. Perform these checks at least annually or whenever there is a major change in your infrastructure.
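Added here as a verification check for the review step above (example code, not part of the ISM control text): a PowerShell script, run on the CA server, that reads the CA's configured key storage provider from the CertSvc configuration registry key and flags the built-in Microsoft software providers. The list of provider names and the classification rules are assumptions of this example; adjust them to the HSM vendor's provider name in your environment.

```powershell
# Added example: report which key storage provider the local AD CS CA uses,
# flagging providers that keep the CA private key in software on the host.
# Run on the CA server with local administrator rights.
# Assumption: AD CS records the provider it was installed with under the
# CertSvc configuration registry key (Active = CA name, <CA name>\CSP = provider).

$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# Well-known Microsoft providers that store keys in software (constructed list;
# extend it with any other software providers used in your environment).
$softwareProviders = @(
    'Microsoft Software Key Storage Provider',
    'Microsoft Strong Cryptographic Provider',
    'Microsoft Enhanced Cryptographic Provider v1.0',
    'Microsoft Enhanced RSA and AES Cryptographic Provider',
    'Microsoft Base Cryptographic Provider v1.0'
)

function Get-CaKeyProviderReport {
    if (-not (Test-Path $configKey)) {
        Write-Warning 'CertSvc configuration key not found; is this an AD CS CA server?'
        return
    }
    # The Active value names the CA instance; its CSP subkey records the provider.
    $caName   = (Get-ItemProperty -Path $configKey -Name Active -ErrorAction Stop).Active
    $csp      = Get-ItemProperty -Path (Join-Path $configKey "$caName\CSP") -ErrorAction Stop
    $provider = $csp.Provider

    # Classify: software provider = non-compliant; TPM provider is hardware-backed
    # but not an HSM; anything else is a third-party KSP that should be confirmed
    # against the HSM vendor's documented provider name.
    $status = if ($softwareProviders -contains $provider) {
                  'SOFTWARE provider: key is not in an HSM (non-compliant)'
              } elseif ($provider -eq 'Microsoft Platform Crypto Provider') {
                  'TPM provider: hardware-backed but not an HSM (review)'
              } else {
                  'Third-party KSP: confirm it is the HSM vendor provider'
              }

    [pscustomobject]@{
        CA           = $caName
        Provider     = $provider
        ProviderType = $csp.ProviderType   # 0 for CNG key storage providers
        Status       = $status
    }
}

Get-CaKeyProviderReport | Format-List
```

The same provider value can be confirmed with `certutil -getreg ca\csp\Provider`; keep the script's output with the other HSM configuration records requested in the audit evidence below.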
Audit / evidence tips
- Ask: documentation of the hardware security module acquisition. Request purchase records or vendor contracts.
  Good: shows records of a due diligence process in selecting the HSM.
- Ask: a list of servers integrated with the HSM. Request a detailed server inventory document showing which servers are using the hardware security module.
  Good: includes a signed-off list that is updated regularly.
- Ask: HSM configuration records. Request the latest configuration settings of the HSM and how they are applied on each server.
  Good: provides step-by-step configuration details and approvals.
- Ask: training logs of IT staff. Request records or certificates showing staff training related to HSM use and management.
  Good: has recent certifications from the last two years.
- Ask: records of periodic security audits. Request audit reports or logs that verify the security settings of the HSM.
  Good: includes a report of a recent audit with no major security findings.
Cross-framework mappings
How ISM-1957 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Supports (1) | | |
| Annex A 7.2 | ISM-1957 requires that Microsoft AD CS CA private keys are stored and protected in an HSM | |
| Related (1) | | |
| Annex A 8.24 | Annex A 8.24 requires organisations to implement effective key management rules, including protection of private keys | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.