Indeed Certificate Manager requires the Enrollment Agent certificate template, as well as all other certificate templates that Indeed CM will use.

For example, create a copy of the Smartcard Logon template, which will be used to issue certificates for logging in to the operating system with a smart card.

  1. Open the Certification Authority snap-in.
  2. Switch to the Certificate Templates section in the Certification Authority console tree, right-click it and select Manage from the context menu.
  3. Right-click the Smartcard Logon template and select Duplicate Template.
  4. Open the properties of the created template, Copy of Smartcard Logon, and switch to the Issuance Requirements tab.
  5. Activate the This number of authorised signatures option and set the number of signatures to 1 (default value).
  6. Define the Application Policy and Certificate Request Agent policies. See Figure 7:

Figure 7 – Microsoft CA certificate template setup: Issuance Requirements.

7. If a private key of a specific length is required, set the key size in the Minimum key size field on the Cryptography tab.

On Microsoft CA 2008/2008R2, the Minimum key size field is on the Request Handling tab.

To mitigate the risk of unauthorized access to confidential information, Microsoft issued a non-security update (KB2661254) for all supported Microsoft Windows versions. This update blocks cryptographic keys that are less than 1024 bits long. The update is not available for Windows 8 and later or Windows Server 2012 and later, since these systems can already block weak RSA keys of less than 1024 bits. For more details about this update, refer to the Microsoft support website: http://support.microsoft.com/kb/2661254

8. In the Subject Name tab, deactivate the Include e-mail name in subject name and E-mail name options in the certificate template properties, if it is necessary to issue certificates to users with no e-mail specified in the account (see Figure 8).

Figure 8 – Microsoft CA certificate template setup: Subject name.

9. In the Security tab, add the service account (serviceca) and set permissions to Read and Enroll for it (see Figure 9).

Be sure to grant similar permissions for the Enrollment Agent template and for all certificate templates to be used by Indeed CM.

Figure 9 – Microsoft CA certificate template setup: Security.

10. Save the settings by clicking OK.
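The settings from steps 5 to 9 can be read back from Active Directory after saving. The script below is an added example, not part of the Indeed CM documentation; it assumes the RSAT ActiveDirectory module, the template display name `Copy of Smartcard Logon` and the `serviceca` account from this page, and a 1024-bit floor chosen here for illustration.

```powershell
# Added example: audit a duplicated template against the settings on this page.
# Assumes the RSAT ActiveDirectory module and read access to the configuration partition.
Import-Module ActiveDirectory

$TemplateDisplayName = 'Copy of Smartcard Logon'   # template name from the page
$ServiceAccount      = 'serviceca'                 # service account from the page
$MinKeySize          = 1024                        # assumed floor; raise to match your policy

# Well-known Windows PKI / Active Directory constants
$CertRequestAgentOid = '1.3.6.1.4.1.311.20.2.1'
$EnrollGuids = @([guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55', [guid]::Empty)  # Enroll, or all extended rights
$EmailFlags  = 0x20000000 -bor 0x04000000   # CT_FLAG_SUBJECT_REQUIRE_EMAIL, CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL
$Read        = 0x20094                      # ActiveDirectoryRights.GenericRead
$Extended    = 0x100                        # ActiveDirectoryRights.ExtendedRight

$base = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
        (Get-ADRootDSE).configurationNamingContext
$tpl = Get-ADObject -SearchBase $base -Filter "displayName -eq '$TemplateDisplayName'" -Properties `
    'msPKI-RA-Signature', 'msPKI-RA-Application-Policies',
    'msPKI-Minimal-Key-Size', 'msPKI-Certificate-Name-Flag'
if (-not $tpl) { throw "Template '$TemplateDisplayName' not found under $base" }

# Allow ACEs granted directly to the service account on the template object
$aces = @((Get-Acl -Path "AD:\$($tpl.DistinguishedName)").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -like "*\$ServiceAccount" })
$hasRead   = [bool]($aces | Where-Object { ([int]$_.ActiveDirectoryRights -band $Read) -eq $Read })
$hasEnroll = [bool]($aces | Where-Object {
    ([int]$_.ActiveDirectoryRights -band $Extended) -eq $Extended -and $_.ObjectType -in $EnrollGuids })

# The OID is matched as a substring because newer template versions store it inside a longer string
$raPolicies = @($tpl.'msPKI-RA-Application-Policies') -join ' '
$checks = [ordered]@{
    'Authorized signatures = 1 (step 5)'          = $tpl.'msPKI-RA-Signature' -eq 1
    'Certificate Request Agent policy (step 6)'   = $raPolicies -like "*$CertRequestAgentOid*"
    "Minimum key size >= $MinKeySize (step 7)"    = $tpl.'msPKI-Minimal-Key-Size' -ge $MinKeySize
    'E-mail not required in subject/SAN (step 8)' = ([int]$tpl.'msPKI-Certificate-Name-Flag' -band $EmailFlags) -eq 0
    "$ServiceAccount has Read (step 9)"           = $hasRead
    "$ServiceAccount has Enroll (step 9)"         = $hasEnroll
}
$checks.GetEnumerator() | ForEach-Object {
    '{0,-46} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}
```

Only permissions granted directly to the account are evaluated; rights inherited through group membership are not resolved. Steps 7 and 8 are conditional in the procedure, so a CHECK on those lines is a finding only if the condition applies.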

