Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Indeed Certificate Manager can interact with Microsoft CA that are beyond the boundaries of the domain of Indeed CM server. Say, in a configuration, when an organization has several independent domains with an independent CA in each of them, and Indeed CM is deployed at only one of the domains. Meanwhile, the user accounts are the same in the domains.

The IndeedCM.MSCA.Proxy component allows to request and write certificates to devices using Indeed CM from all CA that reside beyond the domain where Indeed CM is deployed. In this case, the MSCA Proxy address is added to the usage policy of Indeed CM devices. The said proxy is deployed in an external domain with user directory and certification authority. When issuing a device, the Indeed CM addresses the MSCA Proxy, and the latter sends the corresponding request to the target certification authority using the Enrollment Agent certificate (which resides in the storage of a workstation with IndeedCM.MSCA.Proxy component installed). To install and configure the MSCA Proxy application, proceed as follows:

  1. Create a service account to use with Microsoft CA in an external domain (see Creating a service account for working with Microsoft CA).
  2. Configure the Enrollment Agent certificate template for the account created in the previous step (see Settings of certificate templates to use with Indeed CM) and issue a certificate for the account using this template (see Issuing the Enrollment Agent certificate).

    Warning

    The Enrollment Agent certificate has to reside in the certificate storage of a workstation (Local computer) with IndeedCM.MSCA.Proxy component installed.

3.

  1. Install the IndeedCM.MSCA.Proxy.msi component onto a workstation in a domain with external CA.

    Note

    System requirements for the component installation are the same as ones for installation of Indeed CM server.

4.

  1. Switch to C:\inetpub\wwwroot\mscaproxy folder and open Web.config file in Notepad as administrator.
5.
  1. In the caProxySettings section:
    • Specify the certification authority name in the
caProxySettings section,
    • ca parameter
, and credentials
    • .
    • Specify credentials of the account (userName and password) with Enrollment Agent certificate.
    • Specify the Thumbprint of the Enrollment Agent certificate in the parameter enrollmentAgentCertificateThumbprint.

 
    • Code Block
      languagexml
      titleExample of the section filled in:
      <caProxySettings ca="
srv
    • servercm.external.com\EXTERNAL-CA"
    •  userName="EXTERNAL\extserviceca" password="p@ssw0rd"
      enrollmentAgentCertificateThumbprint="dbd1859d27395860843643ebe17e2ee3fc463aba"/>
6.

  1. Specify the service account to use with certification authority in the allow users parameter of authorization section.

    Code Block
    languagexml
    titleExample of the section filled in:
    <authorization>
    	<deny users="?" />
    	<allow users="EXTERNAL\extserviceca" />
    	<deny users="*" />
    </authorization>
7.

  1. Save the changes.