
In order for the Microsoft CA to work with Axidian CertiFlow, you must have an Enrollment Agent registration template, as well as all other certificate templates that will be used by Axidian CertiFlow.

As an example, let's create a Copy of Smartcard Logon template that will be used to issue certificates for logging in to the operating system using a smart card.

  1. Open the Certification Authority snap-in.
  2. Switch to the Certificate Templates section in the Certification Authority console tree, right-click it and select Manage.
  3. Right-click the Smartcard Logon template and select Duplicate Template.
  4. Open the properties of the created template, Copy of Smartcard Logon, and switch to the Issuance Requirements tab.
  5. Activate the "This number of authorized signatures" option and set the number of signatures to 1 (the default value).
  6. Define the Application Policy and Certificate Request Agent policies:

7. If a private key of a specific length is required, go to the Cryptography tab and set the required key size in the Minimum key size field.

This option is available for Microsoft CA 2008/2008R2 and higher. 

To mitigate the risk of unauthorized access to confidential information, Microsoft issued a non-security update (KB2661254) for all supported Microsoft Windows versions. This update blocks cryptographic keys that are less than 1024 bits long. The update does not apply to Windows 8 and later or Windows Server 2012 and later, since these systems already block weak RSA keys less than 1024 bits long.

8. If you need to issue certificates for users with no e-mail specified in the account, go to the Subject Name tab and deactivate the "Include e-mail name in subject name" and "E-mail name" options in the certificate template properties.

9. Go to the Security tab, add the service account (serviceca) and grant it the Read and Enroll permissions.

Make sure to grant similar permissions on the Enrollment Agent template and on all certificate templates to be used by Axidian CertiFlow. Click OK.
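The settings from steps 5 to 8 can be checked from PowerShell once the template is saved. This is an added example, not part of the original Axidian documentation: the function name, the 2048-bit default and the sample object are assumptions, while the attribute names and flag values are those of the AD DS certificate template schema.

```powershell
# Added example, not vendor code. Attribute names and flag values are those of
# the AD DS certificate template schema ([MS-CRTD]).
$AgentOid     = '1.3.6.1.4.1.311.20.2.1'  # Certificate Request Agent application policy
$SubjectEmail = 0x20000000                # "Include e-mail name in subject name"
$SanEmail     = 0x04000000                # "E-mail name" in the alternate subject name

function Test-CertiFlowTemplate {         # hypothetical helper name
    param(
        [Parameter(Mandatory)] $Template, # object exposing the template's AD attributes
        [int] $MinKeySize = 2048,         # assumed policy value, set your own
        [switch] $UsersWithoutEmail       # set when step 8 applies to your directory
    )
    $findings = @()
    $sigs = $Template.'msPKI-RA-Signature'
    if ($sigs -ne 1) { $findings += "Authorized signatures: '$sigs', expected 1 (step 5)" }

    # Version 2 templates hold a list of OIDs here, version 4 templates one
    # backtick-delimited string; the pattern matches the whole OID in either form.
    $pattern = '(^|[^\d.])' + [regex]::Escape($AgentOid) + '($|[^\d.])'
    if (-not (@($Template.'msPKI-RA-Application-Policies') -match $pattern)) {
        $findings += 'Signature does not require the Certificate Request Agent policy (step 6)'
    }
    $size = [int]$Template.'msPKI-Minimal-Key-Size'
    if ($size -lt $MinKeySize) { $findings += "Minimum key size $size < $MinKeySize (step 7)" }

    $flags = [int]$Template.'msPKI-Certificate-Name-Flag'
    if ($UsersWithoutEmail -and ($flags -band ($SubjectEmail -bor $SanEmail))) {
        $findings += 'E-mail is still required in the subject or alternate name (step 8)'
    }
    $findings                             # one string per deviation, nothing if compliant
}

# Constructed sample values (not read from a real CA): steps 5-8 were skipped.
$sample = [pscustomobject]@{
    displayName                     = 'Copy of Smartcard Logon'
    'msPKI-RA-Signature'            = 0
    'msPKI-RA-Application-Policies' = $null
    'msPKI-Minimal-Key-Size'        = 1024
    'msPKI-Certificate-Name-Flag'   = $SubjectEmail -bor $SanEmail
}
Test-CertiFlowTemplate -Template $sample -UsersWithoutEmail | ForEach-Object { "[!] $_" }

# Against a live forest (RSAT ActiveDirectory module):
# $base = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
#         (Get-ADRootDSE).configurationNamingContext
# Get-ADObject -SearchBase $base -LDAPFilter '(displayName=Copy of Smartcard Logon)' `
#     -Properties * | ForEach-Object { Test-CertiFlowTemplate -Template $_ }
```

The check does not cover step 9; review the Read and Enroll entries for the service account on the template's Security tab separately.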


