The tab contains the settings for working with Microsoft certification authorities. To add a certification authority, click Add CA.

Set the address of the certification authority (if it was not found automatically) and specify the credentials of the user account that holds an Enrollment Agent certificate, then click Add.

Warning

A user account with an Enrollment Agent certificate is mandatory for Indeed CM to work with the CA correctly. This account is used to request certificates for other Indeed CM users from the specified certification authority. The account data can be changed after a CA is added (see the Working with Microsoft Enterprise CA section of Indeed CM Installation and configuration).

To change the account data of the user with the Enrollment Agent certificate, select the certification authority and click [icon] to the right of the user name. To remove a certification authority, click [icon].
Indeed CM supports using multiple certification authorities within an organization. You can add several CAs for a single policy, or create several policies and define a separate CA for each of them.
To add a CA that is outside the domain of Indeed CM users (for example, in another independent domain of your organization), proceed as follows:

1. Click Add CA.
2. In the Address field, specify the URL of the Indeed CM MSCA Proxy application.

Info

See the Connecting to Microsoft CA via IndeedCM.MSCA.Proxy section of Indeed CM Installation and configuration.

If Indeed CM is deployed in a domain forest, MSCA Proxy is not required. In this case the CA address is specified in the Address field.

3. Specify the user account (in Domain/Name format) and password of the user that holds an Enrollment Agent certificate at the CA outside the domain of Indeed CM users.
4. Enable the Issue certificates for users from external associated catalog option.
5. In the LDAP field, specify the path to the Indeed CM user directory of the external domain.

Info
Example:

Indeed CM is deployed in the demo.local domain, and user certificates are issued by the CA deployed in the same domain. When adding the CA deployed in the demo2.local domain, specify the path to the user directory of the domain where Indeed CM users have another domain account, for which the added CA should issue certificates.
This allows the system to write several certificates, issued by CAs from different independent domains, onto one device for an employee with accounts in those independent domains.

Warning

Certificates can be issued successfully for external directory users only if the reference property matches that of the main user directory.

For example, the e-mail address specified in the user account properties of demo.local domain should be the same as the one specified in the account of the same user in demo2.local domain.


6. In the User name field, specify an account (in Domain/User format) with privileges to read all user properties of the external domain. You can use the account specified at step 3 for that.

Tip

To configure the permission to read only the required properties, refer to the Configuring the user catalog in Active Directory section of Indeed CM Installation and configuration.

7. In the Catalogs associating attribute setting, specify the attribute that Indeed CM uses to determine the uniqueness of a user with accounts in each of the domains. The figure shows an example of settings for an external Microsoft CA.

[Figure: example of settings for an external Microsoft CA]
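Before enabling issuance for an external catalog, it helps to verify that the associating attribute really pairs each user's two accounts one-to-one. The following is an added example, not part of Indeed CM or its documentation: it assumes `mail` as the associating attribute (as in the example above), uses `sAMAccountName` as the account label, and runs over constructed directory exports. The page does not state whether values are compared case-sensitively, so case-only differences are reported separately.

```python
from collections import defaultdict

ATTR = "mail"  # assumed associating attribute (the page's example uses the e-mail address)

# Constructed sample directory exports, not real data.
PRIMARY = [  # accounts in demo.local
    {"sAMAccountName": "a.ivanov", "mail": "a.ivanov@example.com"},
    {"sAMAccountName": "b.smith", "mail": "B.Smith@example.com"},
    {"sAMAccountName": "c.jones", "mail": ""},
    {"sAMAccountName": "d.lee", "mail": "d.lee@example.com"},
    {"sAMAccountName": "e.kim", "mail": "shared@example.com"},
    {"sAMAccountName": "f.kim", "mail": "shared@example.com"},
]
EXTERNAL = [  # accounts of the same people in demo2.local
    {"sAMAccountName": "ivanov_a", "mail": "a.ivanov@example.com"},
    {"sAMAccountName": "smith_b", "mail": "b.smith@example.com"},
    {"sAMAccountName": "kim_e", "mail": "shared@example.com"},
]

def index_by(entries, attr):
    """Group account names by attribute value; collect accounts with no value."""
    index, missing = defaultdict(list), []
    for entry in entries:
        value = (entry.get(attr) or "").strip()
        (index[value] if value else missing).append(entry["sAMAccountName"])
    return index, missing

def check_association(primary, external, attr=ATTR):
    """Classify each primary-directory account by how its attribute maps to the external one."""
    p_index, p_missing = index_by(primary, attr)
    x_index, _ = index_by(external, attr)
    x_folded = defaultdict(list)  # case-folded view, to spot case-only differences
    for value, names in x_index.items():
        x_folded[value.lower()].extend(names)
    report = {"matched": [], "case_only": [], "unmatched": [],
              "ambiguous": [], "missing": p_missing}
    for value, names in p_index.items():
        candidates = x_folded.get(value.lower(), [])
        if len(names) > 1 or len(candidates) > 1:
            report["ambiguous"].append(value)       # attribute does not identify one user
        elif not candidates:
            report["unmatched"].append(names[0])    # no counterpart in the external domain
        elif value in x_index:
            report["matched"].append((names[0], candidates[0]))
        else:
            report["case_only"].append((names[0], candidates[0]))
    return report

if __name__ == "__main__":
    for category, items in check_association(PRIMARY, EXTERNAL).items():
        print(f"{category}: {items}")
```

Accounts listed under `missing`, `unmatched` or `ambiguous` are the ones to fix in the directories before the external CA is added; `case_only` pairs are worth normalizing as well.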