Versions Compared

Old Version 10

changes.mady.by.user Alexandra Larionova

Saved on

compared with

New Version Current

changes.mady.by.user Daliya Agletdinova

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: +adding certificate templates

To In order for Microsoft CA to work with Indeed Certificate Manager, a registration template Enrollment Agent is requiredAxidian CertiFlow, you must have an Enrollment Agent registration template, as well as all other certificate templates that will be used by Indeed CM.For example, create a Сopy of Smartсard Logon template that will be used to issue certificates for logging in to the operating system using a smart card.in Axidian CertiFlow.

Configuring Enrollment Agent certificate template

  1. Open the Certification Authority snap-in.
  2. Switch to Certificate Templates section section in the Certification Authority console tree, right-click and select the Manage item from the context menu.
  3. Right click on the template Smartcard Logon Enrollment Agent template and select Duplicate Template.
  4. Open the properties of the created template Copy of Smartcard Logon and switch to Issuance Requirements tab.
  5. Activate the This number of authorised signatures option and set the number of signatures equal to 1 (default value).
  6. Define the Application Policy and Certificate Request Agent policies:

Image Removed

7. If it is necessary to use private key of specific length, then set the necessary key size at the Cryptography tab in the Minimum key size field.

TipThe
  1. Go to General tab and enter Axidian Enrollment Agent in the Template display name field. Change the Validity period according to your company's needs.

  2. Go to Cryptography tab and set the required key size.

    Tip

    This option is available for Microsoft CA 2008/2008R2 and higher. 


    Warning

    To mitigate the risk of unauthorized access to confidential information,

the

  1. Microsoft

company

  1. issued a non-security update (KB2661254) for all supported Microsoft Windows versions. This update blocks cryptographic keys

, whose length is

  1. that are less than 1024 bits long.

The

  1. This update

is

  1. does not

available for

  1. work in Windows 8 and later or Windows Server 2012 and later, since these systems

already

  1. can block weak RSA keys

of

  1. less than 1024 bits

in size. For more details about this update, please refer to Microsoft support service website: http://support.microsoft.com/kb/2868626

  1. long.


  2. Go to Extensions tab, select Application Policies extension and click Edit. Click Add and select Client Authentication application policy, click OK.
  3. Go to Security tab and click Add:
    1. In Enter the object names to select field, enter the service account name and click OK.
    2. In Permissions for, check Read and Enroll boxes.
  4. Click OK to save the template settings.

Configuring User certificate templates

Prepare certificate templates for end users.

Go through the following steps to create and configure the Smartcard Logon certificate template. It will be used to issue certificates so that a user can log in to the operating system via a smart card. 

  1. Open the Certification Authority snap-in.
  2. Switch to Certificate Templates section in the Certification Authority console tree, right-click and select Manage.
  3. Right click on Smartcard Logon template and select Duplicate Template.
  4. Go to General tab and enter Axidian Smart Card Logon in Template display name field. Change Validity period and Renewal period according to your company's needs.
  5. Go to Cryptography tab and set the required key size.
  6. Go to Issuance Requirements tab:
    1. Check CA certificate manager approval option.
    2. CheckThis number of authorized signatures option and set 1 (default value).
    3. Set Application Policy and Certificate Request Agent policies.
    4. Select Same criteria as for enrollment option.
    5. Click OK to save the settings.
  7. Go to the Subject Name tab and activate Build from this Active Directory option.
    1. Select Fully distinguished name in Subject name format list.
    2. Check User principal name (UPN).
    3. If you need to issue certificates for
8. In the Subject Name tab, deactivate the Include e-mail name in subject name and E-mail name options in the certificate template properties, if it is necessary to issue certificates to In the 
    1. users with no e-mail specified in the account
.

Image Removed

9.
    1. , disable Include e-mail name in subject name and E-mail name check boxes.
  2. Go to
  1. Security tab, add
the
  1. your service account
(serviceca)
  1. and
set
  1. grant it permissions
to 
  1. to Read and Enroll
 for it
  1. . Click OK.
Warning

Be Make sure to issue similar permissions for the Enrollement Agent template and for grant Read and Enroll permissions to all certificate templates to be used by Indeed CMin Axidian CertiFlow.

Image Removed

10. Save the settings by clicking OK

Adding certificate templates

  1. Open the Certification Authority tool and double-click the name of the CA.
  2. Right-click the Certificate Templates container, select NewCertificate Template to Issue.
  3. Select Axidian Enrollment Agent certificate template (mandatory) and all other certificate templates (e.g. Axidian Smart Card Logon) that you need to add.
  4. Click OK to save.