Configuring the CSP
This topic provides instruction on configuring the CSP. After installing the CSP, the configuration wizard opens, which is where this procedure begins. After completing this procedure, the CSP will be able to communicate with the Trust Protection Foundation for authentication and virtual HSM functions.
NOTE To complete the configuration, you'll need the following:
- URL for your organization's authentication server (https://TPP_SERVER_URL/vedauth)
- URL for the HSM backend server (https://TPP_SERVER_URL/vedhsm)
- The username and password of the Key User.
This procedure requires administrator rights on the Windows workstation you're installing the CSP on.
While you can install and configure the CSP using these steps, code signing certificates will not be installed until approval of a Code Signing Project in which the CSP user is assigned the Key User role.
Configuring the CSP using the configuration wizard
- If the CSP Configuration wizard is already open, skip to the next step. If not, navigate to C:\Program Files\Venafi CodeSign Protect\MMC and run Venafi Csp Configuration.msc.
- In the left navigation pane, select the client that you want to configure.
Learn more about Current User and Local Machine
The Enable access for Current User and Enable access for Local Machine checkboxes control which grants the Trust Protection Foundation server issues to this workstation.
- Enable access for Current User issues a grant that is valid only for the user who is logged in when installing the CSP. This grant is stored in the registry under HKEY_CURRENT_USER\Software\Venafi\CSP.
- Enable access for Local Machine issues a grant that is valid for the workstation itself. This grant allows code to be signed from this workstation even if no user is currently signed in, so any process that can run on the machine can use it; for that reason it is considered less secure than the Current User grant. This grant is stored in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Venafi\CSP.
Selecting both issues two separate grants; both carry the same scope and are associated with the same user, but they are stored in different registry hives. For instructions on getting new grants, see the following:
- For getting a grant using the CSP Configuration Console graphical user interface, see Using the CSP Configuration Console
- For getting a grant using the CSPConfig.exe command line utility, see CSPConfig.exe configuration utility reference.
- In the Actions pane on the right, click Set URLs. Enter the addresses for your Authentication server and your HSM server.
EXAMPLE If your company's Trust Protection Foundation URL is TPP_SERVER_URL, enter the following:
- Authentication Server URL: https://TPP_SERVER_URL/vedauth
- HSM Server URL: https://TPP_SERVER_URL/vedhsm
- In the Actions pane, click Request Access. From the Method drop-down menu, select one of the following options:
- Username/Password: Enter your Trust Protection Foundation Key User username and password.
- Integrated Windows Authentication: Authenticates using the logged-on user's Windows (domain) credentials.
- Device Authorization: Obtains authorization for the device from the SCIM authentication server. Requires the SCIM Identity connector to be configured.
For more information about the CSP Configuration Console, see Using the CSP Configuration Console.
Installing and configuring the CSP using the command line
To make mass deployments easier, you can script the CSP installation and configuration.
In order to script the configuration, you'll need an answer file. If you don't already have an answer file, follow the steps in Configuring the CSP using the configuration wizard. At the end of that procedure, you'll have the chance to save an answer file, which you can then use to script configuration of the CSP.
NOTE In the following examples, use of cmd /c is optional and only there to help indicate when the process has completed.
To install the CSP
cmd /c "msiexec /i c:\installs\csc-latest-x86_64.msi /qn HSMSERVERURL=https://TPP_SERVER_URL/vedhsm AUTHSERVERURL=https://TPP_SERVER_URL/vedauth"
To configure the CSP
Use the CSPConfig, PKCS11Config, or GPGConfig commands to script configuration.
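The install step above as a PowerShell script, added here as an example (it is not Venafi's own script): it refuses non-HTTPS endpoints, checks for elevation before touching the system, runs msiexec with the documented HSMSERVERURL and AUTHSERVERURL properties plus a verbose log, and checks the Windows Installer exit code instead of relying on cmd /c. The MSI path, the TPP hostname and the log path are placeholders. The configuration step that follows (CSPConfig with your answer file) is not shown, because its arguments are documented in the CSPConfig.exe reference rather than on this page.

```powershell
# Added example, not Venafi's own script. Placeholders: $MsiPath, $TppServer, $LogPath.
param(
    [string]$MsiPath   = 'C:\installs\csc-latest-x86_64.msi',
    [string]$TppServer = 'TPP_SERVER_URL',          # replace with your TPP hostname
    [string]$LogPath   = "$env:TEMP\csp-install.log"
)
$ErrorActionPreference = 'Stop'

# The two documented endpoints, derived from the TPP hostname.
$authUrl = "https://$TppServer/vedauth"
$hsmUrl  = "https://$TppServer/vedhsm"

# Both endpoints carry credentials and signing requests: refuse anything that is not HTTPS.
foreach ($url in @($authUrl, $hsmUrl)) {
    if ($url -notlike 'https://*') { throw "Refusing non-HTTPS URL: $url" }
}

# msiexec needs administrator rights; fail before touching the system, not part-way through.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}
if (-not (Test-Path -LiteralPath $MsiPath)) { throw "MSI not found: $MsiPath" }

# Same properties as the documented msiexec line, plus a verbose log for troubleshooting.
$msiArgs = @(
    '/i', "`"$MsiPath`"",
    '/qn',
    '/l*v', "`"$LogPath`"",
    "HSMSERVERURL=$hsmUrl",
    "AUTHSERVERURL=$authUrl"
)

# -Wait -PassThru hands back msiexec's own exit code (0 = success, 3010 = success, reboot needed).
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
switch ($proc.ExitCode) {
    0       { Write-Host "CSP installed. Log: $LogPath" }
    3010    { Write-Warning "CSP installed, but Windows Installer requires a reboot (exit 3010). Log: $LogPath" }
    default { throw "msiexec failed with exit code $($proc.ExitCode). See $LogPath" }
}
```

Run it from an elevated session on each workstation in the deployment; once it reports success, run CSPConfig (or PKCS11Config or GPGConfig) with the answer file saved from the wizard to complete the configuration.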
Understanding and configuring the blocklist to block calling applications
The Blocklist registry value, located under SOFTWARE\Venafi\CSP, lists the calling applications (identified by process name, for example w3wp) that are blocked from using the CSP. The value can be of type REG_SZ or REG_MULTI_SZ. If the value exists but is empty, the blocklist is disabled.
By default, when the value is not set at all, the client blocks calls from IIS (specifically the w3wp worker process). This prevents Trust Protection Foundation, which itself runs inside IIS, from loading the Code Sign Manager - Self-Hosted CSP/KSP.
To allow the CSP/KSP to run from IIS, create the Blocklist value with an empty list.
IMPORTANT This should only be done on systems where Trust Protection Foundation is not installed.
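An added PowerShell example, not Venafi's own tooling, that ties together the two registry-backed settings described on this page: which grant scopes (Current User and Local Machine) are present on the workstation, and the effective state of the Blocklist value (absent, empty, or populated), plus a setter that refuses to write the empty, disabling list unless explicitly forced. The key paths and the Blocklist value name are the ones given above; the grant keys are only checked for presence, because their contents are not documented here. The function names are my own.

```powershell
# Added example, not Venafi's own tooling. Uses only the registry locations named on the page.
$CspKeys = @{
    'Current User'  = 'HKCU:\Software\Venafi\CSP'    # per-user grant (of the user running this)
    'Local Machine' = 'HKLM:\SOFTWARE\Venafi\CSP'    # machine grant and the Blocklist value
}

function Get-CspGrantScopes {
    # Report which grant scopes are present. A Local Machine grant lets code be signed with
    # nobody logged on, so it is called out explicitly for review.
    foreach ($scope in 'Current User', 'Local Machine') {
        $present = Test-Path -LiteralPath $CspKeys[$scope]
        $note = ''
        if ($scope -eq 'Local Machine' -and $present) {
            $note = 'signing possible with no interactive user; review who can run code on this host'
        }
        [pscustomobject]@{ Scope = $scope; Present = $present; Note = $note }
    }
}

function Get-CspBlocklistState {
    # The three states the page describes: value absent (default: w3wp blocked),
    # value present but empty (blocklist disabled), value populated (explicit list).
    $props = Get-ItemProperty -LiteralPath $CspKeys['Local Machine'] -Name Blocklist -ErrorAction SilentlyContinue
    if ($null -eq $props) {
        return [pscustomobject]@{ State = 'Default'; Blocked = @('w3wp'); Meaning = 'value absent; IIS worker (w3wp) blocked' }
    }
    # REG_SZ yields one string, REG_MULTI_SZ an array; normalise and drop empty entries.
    $entries = @($props.Blocklist) | Where-Object { -not [string]::IsNullOrWhiteSpace($_) }
    if (@($entries).Count -eq 0) {
        return [pscustomobject]@{ State = 'Disabled'; Blocked = @(); Meaning = 'value empty; blocklist off, IIS may load the CSP' }
    }
    [pscustomobject]@{ State = 'Custom'; Blocked = @($entries); Meaning = 'explicit list of blocked process names' }
}

function Set-CspBlocklist {
    # Write the Blocklist as REG_MULTI_SZ. An empty list disables the blocklist, which the page
    # allows only on hosts that do not run Trust Protection Foundation, so that case needs -Force.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Apps = @(), [switch]$Force)
    $key = $CspKeys['Local Machine']
    if ($Apps.Count -eq 0 -and -not $Force) {
        throw 'Refusing to disable the blocklist without -Force: only do this where Trust Protection Foundation is not installed.'
    }
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess($key, "Set Blocklist to [$($Apps -join ', ')]")) {
        # Remove any existing value first so an old REG_SZ is cleanly replaced by a REG_MULTI_SZ.
        Remove-ItemProperty -LiteralPath $key -Name Blocklist -ErrorAction SilentlyContinue
        New-ItemProperty -LiteralPath $key -Name Blocklist -PropertyType MultiString -Value ([string[]]$Apps) | Out-Null
    }
}

# Usage (run elevated to write under HKLM):
#   Get-CspGrantScopes | Format-Table
#   Get-CspBlocklistState
#   Set-CspBlocklist -Apps 'w3wp','powershell'   # block IIS and PowerShell callers
#   Set-CspBlocklist -Force                      # empty list: disable (non-TPP hosts only)
```

Get-CspGrantScopes only sees the HKCU hive of the account running it, so run it as the user who received the Current User grant; the Local Machine result is the same for every account.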