- Created by Mikhail Yakovlev, last modified by Daliya Agletdinova on Jan 11, 2024
For a Microsoft CA to work with Axidian CertiFlow, it must publish an Enrollment Agent certificate template as well as every other certificate template that Axidian CertiFlow will issue.
Configuring Enrollment Agent certificate template
- Open the Certification Authority snap-in.
- Switch to Certificate Templates section in the Certification Authority console tree, right-click and select Manage.
- Right click on Enrollment Agent template and select Duplicate Template.
- Go to General tab and enter Axidian Enrollment Agent in the Template display name field. Change the Validity period according to your company's needs.
- Go to the Cryptography tab and set the required key size.
This option is available on Microsoft CA 2008/2008 R2 and later.
To mitigate the risk of unauthorized access to confidential information, Microsoft issued update KB2661254 (Security Advisory 2661254, "Update for minimum certificate key length") for the Windows versions supported at the time (Windows XP through Windows 7 and Windows Server 2003 through 2008 R2). The update blocks the use of certificates with RSA keys shorter than 1024 bits. It is not needed on Windows 8 and Windows Server 2012 or later, because those systems reject such keys by default. In practice, set a minimum key size of 2048 bits for the templates in this guide.
- Go to Extensions tab, select Application Policies extension and click Edit. Click Add and select Client Authentication application policy, click OK.
- Go to the Security tab and click Add:
- In the Enter the object names to select field, enter the service account name and click OK.
- Under Permissions for the account you added, check the Allow boxes for Read and Enroll.
- Click OK to save the template settings.
A certificate issued from this template lets its holder request certificates on behalf of any user, so grant Enroll here only to the CertiFlow service account and protect that account's credentials.
Configuring User certificate templates
Prepare certificate templates for end users.
Go through the following steps to create and configure the Smartcard Logon certificate template. It will be used to issue certificates so that a user can log in to the operating system via a smart card.
- Open the Certification Authority snap-in.
- Switch to Certificate Templates section in the Certification Authority console tree, right-click and select Manage.
- Right click on Smartcard Logon template and select Duplicate Template.
- Go to General tab and enter Axidian Smart Card Logon in Template display name field. Change Validity period and Renewal period according to your company's needs.
- Go to Cryptography tab and set the required key size.
- Go to the Issuance Requirements tab:
- Check the CA certificate manager approval option, so that every request is held as pending until a certificate manager issues it.
- Check This number of authorized signatures and leave the value at 1 (the default).
- In Policy type required in signature, select Application policy; in Application policy, select Certificate Request Agent. A request must then be co-signed with the Enrollment Agent certificate.
- Under Require the following for reenrollment, select Same criteria as for enrollment.
- Click OK to save the settings.
- Go to the Subject Name tab and select Build from this Active Directory information.
- In the Subject name format list, select Fully distinguished name.
- Under Include this information in alternate subject name, check User principal name (UPN).
- If you need to issue certificates to users whose accounts have no e-mail address, uncheck Include e-mail name in subject name and E-mail name; with either box checked, enrollment for such users fails.
- Go to Security tab, add your service account and grant it permissions to Read and Enroll. Click OK.
Make sure to grant Read and Enroll permissions to all certificate templates to be used in Axidian CertiFlow.
Adding certificate templates
- Open the Certification Authority tool and double-click the name of the CA.
- Right-click the Certificate Templates container, select New→Certificate Template to Issue.
- Select Axidian Enrollment Agent certificate template (mandatory) and all other certificate templates (e.g. Axidian Smart Card Logon) that you need to add.
- Click OK to save.
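As an added verification step (this script is not part of Axidian's documentation or product), the following PowerShell reads the two templates created in the three procedures above from the Active Directory configuration partition and checks the settings this page prescribes: the EKUs, the minimum key size, CA manager approval, the single Certificate Request Agent signature, the UPN-based subject, the service account's Enroll permission, and whether the CA publishes the templates. Assumed: the RSAT ActiveDirectory module is installed, the template display names are the ones used on this page, and the service account CONTOSO\svc-certiflow is a placeholder you replace with yours. The OIDs and flag bits are the values defined in MS-CRTD.

```powershell
# Added verification script; not part of Axidian CertiFlow or its documentation.
# Requires the RSAT ActiveDirectory module and a user that can read the
# Certificate Templates container. Run it on the CA (or add -config to certutil
# below) so the "published" check works.
Import-Module ActiveDirectory

# Assumptions: adjust to your environment.
$ServiceAccount          = 'CONTOSO\svc-certiflow'     # placeholder service account name
$EnrollmentAgentTemplate = 'Axidian Enrollment Agent'
$SmartCardTemplate       = 'Axidian Smart Card Logon'
$MinimumKeySize          = 2048

# OIDs and flag bits as defined in MS-CRTD
$OID_ClientAuth     = '1.3.6.1.5.5.7.3.2'
$OID_CertReqAgent   = '1.3.6.1.4.1.311.20.2.1'
$OID_SmartCardLogon = '1.3.6.1.4.1.311.20.2.2'
$CT_FLAG_PEND_ALL_REQUESTS         = 0x00000002   # msPKI-Enrollment-Flag: CA certificate manager approval
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag: "Supply in the request"
$CT_FLAG_SUBJECT_ALT_REQUIRE_UPN   = 0x02000000   # SAN: User principal name (UPN)
$CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL = 0x04000000   # SAN: E-mail name
$CT_FLAG_SUBJECT_REQUIRE_EMAIL     = 0x20000000   # Subject: Include e-mail name in subject name
$EnrollRightGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right

$TemplateContainer = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
                     (Get-ADRootDSE).configurationNamingContext

function Get-CertTemplate {
    param([string]$DisplayName)
    Get-ADObject -SearchBase $TemplateContainer `
        -LDAPFilter "(&(objectClass=pKICertificateTemplate)(displayName=$DisplayName))" `
        -Properties displayName, pKIExtendedKeyUsage, 'msPKI-Minimal-Key-Size', 'msPKI-Enrollment-Flag',
                    'msPKI-RA-Signature', 'msPKI-RA-Application-Policies',
                    'msPKI-Certificate-Name-Flag', nTSecurityDescriptor
}

# True if the account holds an Allow ACE granting Enroll (or full control) on the template
function Test-EnrollPermission {
    param($Template, [string]$Account)
    $GenericAll    = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $ExtendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    foreach ($ace in $Template.nTSecurityDescriptor.Access) {
        if ($ace.AccessControlType -ne 'Allow' -or $ace.IdentityReference.Value -ne $Account) { continue }
        $rights = [int]$ace.ActiveDirectoryRights
        if (($rights -band $GenericAll) -eq $GenericAll) { return $true }
        if ((($rights -band $ExtendedRight) -ne 0) -and
            ($ace.ObjectType -eq $EnrollRightGuid -or $ace.ObjectType -eq [guid]::Empty)) { return $true }
    }
    return $false
}

function Check {
    param([string]$Name, [bool]$Ok)
    [pscustomobject]@{ Check = $Name; Result = $(if ($Ok) { 'OK' } else { 'FAIL' }) }
}

$ea = Get-CertTemplate $EnrollmentAgentTemplate
$sc = Get-CertTemplate $SmartCardTemplate
if (-not $ea -or -not $sc) { throw 'One of the templates was not found in AD; check the display names.' }

$nameFlags = [int]$sc.'msPKI-Certificate-Name-Flag'
$results = @(
    Check "EA: Certificate Request Agent EKU present"   ($ea.pKIExtendedKeyUsage -contains $OID_CertReqAgent)
    Check "EA: Client Authentication EKU added"         ($ea.pKIExtendedKeyUsage -contains $OID_ClientAuth)
    Check "EA: key size >= $MinimumKeySize"             ([int]$ea.'msPKI-Minimal-Key-Size' -ge $MinimumKeySize)
    Check "EA: service account can Enroll"              (Test-EnrollPermission $ea $ServiceAccount)
    Check "SC: Smart Card Logon EKU present"            ($sc.pKIExtendedKeyUsage -contains $OID_SmartCardLogon)
    Check "SC: key size >= $MinimumKeySize"             ([int]$sc.'msPKI-Minimal-Key-Size' -ge $MinimumKeySize)
    Check "SC: CA certificate manager approval"         (([int]$sc.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0)
    Check "SC: exactly 1 authorized signature"          ([int]$sc.'msPKI-RA-Signature' -eq 1)
    Check "SC: signature must carry Cert Request Agent" ($sc.'msPKI-RA-Application-Policies' -contains $OID_CertReqAgent)
    Check "SC: subject built from AD, not the request"  (($nameFlags -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -eq 0)
    Check "SC: UPN in subject alternative name"         (($nameFlags -band $CT_FLAG_SUBJECT_ALT_REQUIRE_UPN) -ne 0)
    Check "SC: service account can Enroll"              (Test-EnrollPermission $sc $ServiceAccount)
)

# Informational: with either e-mail flag set, enrollment fails for accounts without a mail attribute
if ((($nameFlags -band $CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL) -ne 0) -or
    (($nameFlags -band $CT_FLAG_SUBJECT_REQUIRE_EMAIL) -ne 0)) {
    Write-Warning "$SmartCardTemplate requires an e-mail name; users without a mail attribute cannot enroll."
}

# certutil -CATemplates lists the templates the CA issues, one "CN: Display name -- ..." line each
$published = certutil -CATemplates 2>$null | Out-String
foreach ($t in $ea, $sc) {
    $results += Check "Published on CA: $($t.displayName)" ($published -match ('(?m)^' + [regex]::Escape($t.Name) + ':'))
}
$results | Format-Table -AutoSize
```

Every line should report OK before CertiFlow is pointed at the CA. A FAIL on an Enroll check means the service account will be denied at request time; a FAIL on the approval, signature or subject checks means the template would accept requests the procedure above was meant to reject.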