For the Microsoft CA to work with Axidian CertiFlow, you must have an Enrollment Agent certificate template, as well as all other certificate templates that Axidian CertiFlow will use. As an example, this page creates a copy of the Smartcard Logon template that will be used to issue certificates for logging in to the operating system with a smart card.
Configuring Enrollment Agent certificate template
- Open the Certification Authority snap-in.
- In the Certification Authority console tree, right-click the Certificate Templates section and select Manage.
- Right-click the Enrollment Agent template and select Duplicate Template.
- Open the properties of the created template (Copy of Smartcard Logon) and switch to the Issuance Requirements tab.
- Check the This number of authorized signatures option and set the number of signatures to 1 (the default value).
- Set the policy type required in signature to Application policy and the application policy to Certificate Request Agent.
- Go to the General tab and enter Axidian Enrollment Agent in the Template display name field. Change the Validity period according to your company's needs.
- Go to the Cryptography tab and set the required key size.
Tip: This option is available on Microsoft CA 2008/2008 R2 and later.
Warning: To mitigate the risk of unauthorized access to confidential information, Microsoft issued a non-security update (KB2661254) for all supported Windows versions. This update blocks cryptographic keys shorter than 1024 bits. It is not needed on Windows 8 and later or Windows Server 2012 and later, since these systems already block weak RSA keys shorter than 1024 bits.
- Go to the Extensions tab, select the Application Policies extension and click Edit. Click Add, select the Client Authentication application policy and click OK.
- Go to the Security tab and click Add:
  - In the Enter the object names to select field, enter the service account name and click OK.
  - In Permissions for, check the Read and Enroll boxes.
- Click OK to save the template settings.
Configuring User certificate templates
Prepare certificate templates to issue certificates for end users.
Go through the following steps to create and configure the Smartcard Logon certificate template. It will be used to issue certificates so that a user can log in to the operating system via a smart card.
- Open the Certification Authority snap-in.
- Switch to Certificate Templates section in the Certification Authority console tree, right-click and select Manage.
- Right click on Smartcard Logon template and select Duplicate Template.
- Go to General tab and enter Axidian Smart Card Logon in Template display name field. Change Validity period and Renewal period according to your company's needs.
- Go to Cryptography tab and set the required key size.
- Go to the Issuance Requirements tab:
  - Check the CA certificate manager approval option.
  - Check the This number of authorized signatures option and set 1 (the default value).
  - Set the policy type required in signature to Application policy and the application policy to Certificate Request Agent.
  - Select the Same criteria as for enrollment option.
- Click OK to save the settings.
- Go to the Subject Name tab and select the Build from this Active Directory information option.
  - Select Fully distinguished name in the Subject name format list.
  - Check User principal name (UPN).
  - If you need to issue certificates for users with no e-mail address specified in the account, clear the Include e-mail name in subject name and E-mail name check boxes.
- Go to the Security tab, add your service account and grant it the Read and Enroll permissions. Click OK.
Warning: Make sure to grant the same Read and Enroll permissions to the service account on the Enrollment Agent template and on all other certificate templates to be used by Axidian CertiFlow.
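The following PowerShell script is an added verification example, not part of the Axidian documentation or product. It reads the two templates created in the procedures above (display names Axidian Enrollment Agent and Axidian Smart Card Logon) from the Configuration partition of Active Directory and reports whether each setting the steps ask for is actually in place: minimum key size, the single Certificate Request Agent signature requirement, CA manager approval, the UPN and e-mail subject-name flags, the expected application policies, and the service account's Read and Enroll permissions. It assumes the ActiveDirectory RSAT module is installed, that the account running it can read the Configuration partition, that 2048 bits is the key size your company chose, and that CONTOSO\svc-certiflow is a placeholder to replace with your real service account. Flag bits and OIDs are the published values from the MS-CRTD certificate template schema.

```powershell
# Added verification script for the template settings described above (not Axidian's code).
# Assumptions: ActiveDirectory module available; 2048-bit minimum key size; placeholder account below.
Import-Module ActiveDirectory

$ServiceAccount = 'CONTOSO\svc-certiflow'   # placeholder: replace with your CertiFlow service account

# Well-known OIDs and flag bits (MS-CRTD)
$OidCertRequestAgent = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent
$OidClientAuth       = '1.3.6.1.5.5.7.3.2'        # Client Authentication
$OidSmartCardLogon   = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon
$EnrollRightGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment extended right
$FlagPendAllRequests = 0x00000002   # msPKI-Enrollment-Flag: CA certificate manager approval
$FlagAltRequireUpn   = 0x02000000   # msPKI-Certificate-Name-Flag: UPN in subject alternative name
$FlagRequireEmail    = 0x00100000   # msPKI-Certificate-Name-Flag: e-mail in subject name
$FlagAltRequireEmail = 0x00200000   # msPKI-Certificate-Name-Flag: e-mail in subject alternative name

$templateContainer = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
                     (Get-ADRootDSE).configurationNamingContext

function Get-TemplateByDisplayName([string]$DisplayName) {
    Get-ADObject -SearchBase $templateContainer -LDAPFilter "(displayName=$DisplayName)" `
        -Properties displayName, 'msPKI-Minimal-Key-Size', 'msPKI-RA-Signature',
                    'msPKI-RA-Application-Policies', 'msPKI-Enrollment-Flag',
                    'msPKI-Certificate-Name-Flag', 'msPKI-Certificate-Application-Policy',
                    pKIExtendedKeyUsage
}

# True when the account has an explicit Allow ACE for Read and for the Enroll extended right.
# Caveat: rights granted only through group membership are not resolved here.
function Test-EnrollPermission($Template, [string]$Account) {
    $acl  = Get-Acl -Path ('AD:\' + $Template.DistinguishedName)
    $mine = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow' }
    $canRead   = $mine | Where-Object { $_.ActiveDirectoryRights -match 'GenericRead|ReadProperty' }
    $canEnroll = $mine | Where-Object {
        $_.ActiveDirectoryRights -match 'ExtendedRight' -and
        ($_.ObjectType -eq $EnrollRightGuid -or $_.ObjectType -eq [guid]::Empty) }
    return ([bool]$canRead -and [bool]$canEnroll)
}

function Test-TemplateConfig {
    param([string]$DisplayName, [string]$ExpectedPolicyOid, [bool]$ExpectApproval, [bool]$CheckNames)

    $t = Get-TemplateByDisplayName $DisplayName
    if (-not $t) { Write-Warning "Template '$DisplayName' not found"; return }

    # The MMC keeps the EKU extension and the Application Policies extension in step; accept either.
    $hasPolicy = ($t.pKIExtendedKeyUsage -contains $ExpectedPolicyOid) -or
                 ($t.'msPKI-Certificate-Application-Policy' -contains $ExpectedPolicyOid)

    $checks = [ordered]@{
        'Key size >= 2048'                    = ([int]$t.'msPKI-Minimal-Key-Size' -ge 2048)
        'Requires 1 authorized signature'     = ([int]$t.'msPKI-RA-Signature' -eq 1)
        'Signature policy = Cert Req Agent'   = ("$($t.'msPKI-RA-Application-Policies')" -match [regex]::Escape($OidCertRequestAgent))
        "Has application policy $ExpectedPolicyOid" = $hasPolicy
        'Service account Read + Enroll'       = (Test-EnrollPermission $t $ServiceAccount)
    }
    if ($ExpectApproval) {
        $checks['CA manager approval required'] = (([int]$t.'msPKI-Enrollment-Flag' -band $FlagPendAllRequests) -ne 0)
    }
    if ($CheckNames) {
        $nameFlag = [int]$t.'msPKI-Certificate-Name-Flag'
        $checks['UPN included in SAN']  = (($nameFlag -band $FlagAltRequireUpn) -ne 0)
        $checks['E-mail not required']  = (($nameFlag -band ($FlagRequireEmail -bor $FlagAltRequireEmail)) -eq 0)
    }
    foreach ($c in $checks.GetEnumerator()) {
        '{0,-44} {1,-5} {2}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'FAIL' }), $DisplayName
    }
}

# Enrollment Agent template: Client Authentication added, no manager approval, no subject-name rules.
Test-TemplateConfig -DisplayName 'Axidian Enrollment Agent'  -ExpectedPolicyOid $OidClientAuth `
                    -ExpectApproval:$false -CheckNames:$false
# Smart card logon template: manager approval, UPN in SAN, e-mail optional.
Test-TemplateConfig -DisplayName 'Axidian Smart Card Logon' -ExpectedPolicyOid $OidSmartCardLogon `
                    -ExpectApproval:$true  -CheckNames:$true
```

Run it after completing both procedures; every line should read OK. A FAIL on the "Service account Read + Enroll" line is the situation the warning above describes, and a FAIL on "Requires 1 authorized signature" or "Signature policy = Cert Req Agent" means the smart card logon template could be enrolled without a countersignature from the Enrollment Agent certificate, which defeats the purpose of the agent model.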
