Versions Compared

Old Version 5

changes.mady.by.user Mikhail Yakovlev

Saved on

compared with

New Version Current

changes.mady.by.user Daliya Agletdinova

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: +adding certificate templates

To In order for Microsoft CA to work with Indeed Certificate Manager, a registration template Enrollment Agent is requiredAxidian CertiFlow, you must have an Enrollment Agent registration template, as well as all other certificate templates that will be used by Indeed CM.in Axidian CertiFlow.

Configuring Enrollment Agent certificate template

  1. Open the Certification Authority snap-in.
  2. Switch to Certificate Templates section in the Certification Authority console tree, right-click and select Manage.
  3. Right click on Enrollment Agent template and select Duplicate Template.
  4. Go to General tab and enter Axidian Enrollment Agent in the Template display name field. Change the Validity period according to your company's needs.

  5. Go to Cryptography tab and set the required key size.

    Tip

    This option is available for Microsoft CA 2008/2008R2 and higher. 


    Warning

    To mitigate the risk of unauthorized access to confidential information, Microsoft issued a non-security update (KB2661254) for all supported Microsoft Windows versions. This update blocks cryptographic keys that are less than 1024 bits long. This update does not work in Windows 8 and later or Windows Server 2012 and later, since these systems can block weak RSA keys less than 1024 bits long.


  6. Go to Extensions tab, select Application Policies extension and click Edit. Click Add and select Client Authentication application policy, click OK.
  7. Go to Security tab and click Add:
    1. In Enter the object names to select field, enter the service account name and click OK.
    2. In Permissions for, check Read and Enroll boxes.
  8. Click OK to save the template settings.

Configuring User certificate templates

Prepare certificate templates for end users.

Go through the following steps to create and configure the Smartcard Logon certificate template. It For example, create a Сopy of Smartсard Logon template that will be used to issue certificates for logging so that a user can log in to the operating system using via a smart card. 

  1. Open the Certification Authority snap-in.
  2. Switch to Certificate Templates section section in the Certification Authority console tree, right-click and select the Manage item from the context menu.
  3. Right click on the template Smartcard Logon template and select Duplicate Template.
  4. Open the properties of the created template Copy of Smartcard Logon and switch to Issuance Requirements tab.
  5. Go to General tab and enter Axidian Smart Card Logon in Template display name field. Change Validity period and Renewal period according to your company's needs.
  6. Go to Cryptography tab and set the required key size.
  7. Go to Issuance Requirements tab:Activate the This number of authorised signatures option and set the number of signatures equal to
    1. Check CA certificate manager approval option.
    2. CheckThis number of authorized signatures option and set
    1. 1 (default value).
    Define the
    1. Set Application Policy and Certificate Request Agent policies.
    See Figure 7:

Image RemovedFigure 7 – Microsoft CA certificate template setup: Issuance Requirements.

7. If it is necessary to use private key of specific length, then set the necessary key size at the Cryptography tab in the Minimum key size field.

Info

Request Handling tab for Microsoft CA 2008/2008R2.

8. In the Subject Name tab, deactivate the Include e-mail name in subject name and E-mail name options in the certificate template properties, if it is necessary to issue certificates to

Image RemovedFigure 8 – Microsoft CA certificate template setup: Subject name.

9. In the 
    2. Select Same criteria as for enrollment option.
    3. Click OK to save the settings.
  2. Go to the Subject Name tab and activate Build from this Active Directory option.
    1. Select Fully distinguished name in Subject name format list.
    2. Check User principal name (UPN).
    3. If you need to issue certificates for users with no e-mail specified in the account
(see Figure 8).
    1. , disable Include e-mail name in subject name and E-mail name check boxes.
  2. Go to
  1. Security tab, add
the
  1. your service account
(serviceca)
  1. and
set
  1. grant it permissions
to 
  1. to Read and Enroll
 for it (see Figure 9)
  1. . Click OK.
Warning

Be Make sure to issue similar permissions for the Enrollement Agent template and for grant Read and Enroll permissions to all certificate templates to be used by Indeed CMin Axidian CertiFlow.

Image Removed

Figure 9 – Microsoft CA certificate template setup: Security.

Adding certificate templates

  1. Open the Certification Authority tool and double-click the name of the CA.
  2. Right-click the Certificate Templates container, select NewCertificate Template to Issue.
  3. Select Axidian Enrollment Agent certificate template (mandatory) and all other certificate templates (e.g. Axidian Smart Card Logon) that you need to add.
  4. Click OK to save
10. Save the settings by clicking OK
  1. .