Axidian CertiFlow can work with Microsoft CAs that are located outside of the domain hosting the CertiFlow server.
This could be a scenario where a company has several independent domains with separate CAs in each domain, with Axidian CertiFlow deployed only in one of those domains.

When issuing a smart card, Axidian CertiFlow addresses the MSCA Proxy, and the Proxy sends a request to the target CA using the Enrollment Agent certificate.

Follow these steps to install and configure the MSCA Proxy application:

  1. Create a service account for Microsoft CA in an external domain (see Creating a service account for working with Microsoft CA).
  2. Configure the Enrollment Agent certificate template for the service account and issue the certificate.

    Warning

    The Enrollment Agent certificate must reside in the certificate storage of a workstation (local computer) with CertiFlow.MSCA.Proxy component installed.

  3. Install the CertiFlow.MSCA.Proxy.msi component on a workstation running in one domain with an external CA.

    Note

    System requirements for Proxy installation are the same as for Axidian CertiFlow server components.

  4. Switch to C:\inetpub\wwwroot\mscaproxy folder and open Web.config file in Notepad as administrator.
  5. Specify the following settings in caProxySettings section:
    • CA name in the ca parameter.
    • Credentials of the account with Enrollment Agent certificate (userName and password).
    • Thumbprint of the Enrollment Agent certificate in enrollmentAgentCertificateThumbprint parameter.

    Example:

      <caProxySettings ca="servercm.external.com\EXTERNAL-CA"
        userName="EXTERNAL\extserviceca" password="p@ssw0rd"
        enrollmentAgentCertificateThumbprint="dbd1859d27395860843643ebe17e2ee3fc463aba"/>

  6. Specify the service account for the CA in the allow users parameter of authorization section.

    Example:

      <authorization>
        <deny users="?" />
        <allow users="EXTERNAL\extserviceca" />
        <deny users="*" />
      </authorization>

  7. Save your settings.
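
A check that can be run over the edited Web.config before the Proxy is put into service, covering the settings from steps 5 and 6. This is an added example, not part of the product or its documentation: the function name, the sample file layout and the wording of the findings are assumptions, and the sample values are the ones from the examples above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample built from the page's example values. Where caProxySettings
# and authorization sit inside the real Web.config is an assumption.
SAMPLE = r"""<configuration>
  <caProxySettings ca="servercm.external.com\EXTERNAL-CA"
      userName="EXTERNAL\extserviceca" password="p@ssw0rd"
      enrollmentAgentCertificateThumbprint="dbd1859d27395860843643ebe17e2ee3fc463aba"/>
  <system.web>
    <authorization>
      <deny users="?" />
      <allow users="EXTERNAL\extserviceca" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>"""
REQUIRED = ("ca", "userName", "password", "enrollmentAgentCertificateThumbprint")

def check_proxy_config(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    proxy = next(root.iter("caProxySettings"), None)
    if proxy is None:
        findings.append("caProxySettings section is missing")
    else:
        findings += [f"caProxySettings: {a} is missing or empty"
                     for a in REQUIRED if not proxy.get(a)]
        thumb = proxy.get("enrollmentAgentCertificateThumbprint", "")
        # A SHA-1 thumbprint is exactly 40 hex digits; pasted spaces or
        # invisible characters make the value differ from the stored one.
        if thumb and not re.fullmatch(r"[0-9A-Fa-f]{40}", thumb):
            findings.append("thumbprint is not 40 hex characters")
    auth = next(root.iter("authorization"), None)
    rules = [(r.tag, r.get("users", "")) for r in (auth if auth is not None else [])]
    # ASP.NET URL authorization applies the first rule that matches the caller.
    if ("deny", "?") not in rules:
        findings.append("anonymous callers are not denied")
    if not rules or rules[-1] != ("deny", "*"):
        findings.append("rules do not end with deny *")
    denied_all = False
    for tag, users in rules:
        if (tag, users) == ("deny", "*"):
            denied_all = True
        elif tag == "allow" and denied_all:
            findings.append(f"allow {users} follows deny * and never matches")
    return findings
```

Without the closing deny rule, authenticated accounts other than the service account fall through to whatever rules the site inherits, so the check treats its absence as a finding.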