Axidian CertiFlow must have a user with an Enrollment Agent certificate. On behalf of that user the system requests certificates for all other users.
There are two ways to create the Enrollment Agent certificate: with the Cm.CertEnroll.MsCA.exe command-line utility, or with the certificate issuance wizard.
To issue the Enrollment Agent certificate, run the Cm.CertEnroll.MsCA.exe utility from the Axidian CertiFlow package as a local administrator with the parameters /e <userName> <password> /t <templateName>:
Cm.CertEnroll.MsCA.exe /e cfServiceCA p@ssw0rd /t="AxidianEnrollmentAgent"
CA: msca.demo.local\Axidian-Demo-CA
Certificate has been enrolled successfully.
If the certificate request must be approved by the CA operator, the utility prompts you to have the request accepted and to continue later, printing the request id and the key container name you will need:
CA: msca.demo.local\Axidian-Demo-CA
Certificate request is pending.
Request id: 27
Container name: lr-EnrollmentAgent-175d9490-7481-4a29-b567-503d39747354
Please accept request and then install certificate.
Once the operator approves the request, install the certificate in the store by running the Cm.CertEnroll.MsCA.exe utility with the parameters /i <service username> <password> <requestId> <containerName>:
Cm.CertEnroll.MsCA.exe /i cfServiceCA p@ssw0rd 27 lr-EnrollmentAgent-175d9490-7481-4a29-b567-503d39747354
CA: msca.demo.local\Axidian-Demo-CA
Certificate has been installed successfully.
The Enrollment Agent certificate will appear in the certificate store of the computer running the system server. This certificate has an exportable private key, and the service user account is granted permissions to manage that private key.
If you need to issue an Enrollment Agent certificate from a specific CA (e.g. when several CAs are deployed in the domain), run the utility with the /c parameter, specifying the CA name in the format <CAMachineName\CAName>:
Cm.CertEnroll.MsCA.exe /e cfServiceCA p@ssw0rd /t="AxidianEnrollmentAgent" /c="msca.demo.local\Axidian-Demo-CA"
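Whichever route you use, the result should be an Enrollment Agent certificate in the computer store whose private key the service account can read and nobody else needs to. The following PowerShell check is an added example, not part of Axidian's documentation; it assumes the service account is DEMO\cfServiceCA (the user name is from this page, the domain is a placeholder), RSA keys, and that it runs as a local administrator on the CertiFlow server.

```powershell
# Locate Enrollment Agent certificates in LocalMachine\My and audit who can read their private keys.
$ServiceAccount     = 'DEMO\cfServiceCA'          # assumption: domain placeholder, user name from the page
$EnrollmentAgentOid = '1.3.6.1.4.1.311.20.2.1'    # Certificate Request Agent EKU

# 1. Find certificates that carry the Enrollment Agent EKU and have a private key.
$agentCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and
                   ($_.EnhancedKeyUsageList.ObjectId -contains $EnrollmentAgentOid) }

if (-not $agentCerts) {
    Write-Warning 'No Enrollment Agent certificate with a private key found in LocalMachine\My.'
    return
}

foreach ($cert in $agentCerts) {
    "Subject: $($cert.Subject)  Thumbprint: $($cert.Thumbprint)  Expires: $($cert.NotAfter)"

    # 2. Resolve the on-disk key file: CNG keys live under \Keys, legacy CAPI keys under \RSA\MachineKeys.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
    } else {
        $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
                             $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }
    if (-not (Test-Path $keyFile)) {
        Write-Warning "  Private key file not found at $keyFile (non-RSA or hardware-backed key?)"
        continue
    }

    # 3. List the key file ACL. The service account needs Read; every other non-system principal
    #    with access is excess privilege on a certificate that can request certificates for any user.
    $acl = Get-Acl $keyFile
    $acl.Access | ForEach-Object {
        "  $($_.IdentityReference): $($_.FileSystemRights) ($($_.AccessControlType))"
    }
    $svcRead = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $ServiceAccount -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)   # approximate flag test
    }
    if ($svcRead) { "  OK: $ServiceAccount can read the private key." }
    else          { Write-Warning "  $ServiceAccount has no Read access to the private key." }
}
```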
1. Log in to Axidian CertiFlow under your service account and open the Certificates tool for the user.
2. Run the New certificate issuance wizard.
3. Select the Enrollment Agent certificate type, expand the Details section and click Properties.
4. Go to Private key and expand the Key options menu. Enable the Make private key exportable option.
5. Move the issued certificate and its private key to the certificate store of the computer where the Axidian CertiFlow server is deployed.
6. Allow the service user to read the private key of the Enrollment Agent certificate: