Microsoft Certificate Services Certificate Authority
If you have not made any configuration changes yet, please see How to make configuration changes
The idenprotect Core Platform can integrate with an external CA or it can use its own internal CA. Not all parameters are required for all CA Types.
For more information on other Certificate Authorities, see one of the following articles:
To use the Microsoft Certificate Services CA, configuration steps are required on both the idenprotect Core Platform and the Microsoft CA Server.
idenprotect Core Platform Configuration
The following Server configuration properties are required for Microsoft CA. For more information, see Certificate Authority Server Configuration.
Signing algorithms to use; these can usually be left at the default:
- Elliptic Curve Signing Algorithm
- RSA Signing Algorithm
The following settings configure the connection between the idenprotect Core Platform and the Microsoft CA. The username and password must be a valid Active Directory username and password.
- Certificate Server Allow Self Signed Certificates: allows idenprotect to connect if the Certificate Services server presents a self-signed certificate
- Certificate Server Port: port number, usually 443
- Certificate Server Host
- Certificate Server User
- Certificate Server Password
- Certificate Server Protocol: http or, more usually, https
You can validate these settings by opening a browser to the URL https://<host>:<port>/certsrv/
You should be prompted for a username and password; after entering them you should reach the home page of the CA.
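As an added example (not part of the original article or of the idenprotect product), the following Python pre-flight check builds the same certsrv URL from the properties above, flags settings that weaken the connection, and probes the CA with the configured credentials. The dictionary keys mirror the property names listed above, the host and credentials are constructed placeholders, and the probe assumes the CA web enrollment site accepts HTTP Basic authentication (a site configured only for Windows Integrated authentication will answer 401 even with correct credentials).

```python
import ssl
import urllib.error
import urllib.request
from base64 import b64encode

SAMPLE_CONFIG = {  # constructed placeholder values, not a real deployment
    "Certificate Server Protocol": "https",
    "Certificate Server Host": "ca01.example.internal",
    "Certificate Server Port": "443",
    "Certificate Server User": "svc-idenprotect",
    "Certificate Server Password": "placeholder-password",
    "Certificate Server Allow Self Signed Certificates": "false",
}

def allow_self_signed(cfg):
    return cfg.get("Certificate Server Allow Self Signed Certificates", "false").lower() == "true"

def validate_config(cfg):
    """Return a list of problems and warnings; an empty list means the settings are consistent."""
    issues = []
    proto = cfg.get("Certificate Server Protocol", "").lower()
    if proto not in ("http", "https"):
        issues.append("protocol must be http or https")
    elif proto == "http":
        issues.append("warning: http sends the Active Directory credentials in clear text")
    port = cfg.get("Certificate Server Port", "")
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        issues.append("port must be an integer between 1 and 65535 (usually 443)")
    if allow_self_signed(cfg):
        issues.append("warning: self-signed certificates accepted, so the CA server's TLS identity is not verified")
    return issues

def certsrv_url(cfg):
    # The same URL the text says to open in a browser to check the settings.
    return f"{cfg['Certificate Server Protocol']}://{cfg['Certificate Server Host']}:{cfg['Certificate Server Port']}/certsrv/"

def probe_certsrv(cfg, timeout=10):
    """Request the certsrv home page with the configured credentials and return the HTTP status:
    200 = credentials accepted, 401 = reachable but rejected (or Windows Integrated auth required)."""
    ctx = ssl.create_default_context()
    if allow_self_signed(cfg):  # mirrors the Allow Self Signed Certificates setting
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    token = b64encode(f"{cfg['Certificate Server User']}:{cfg['Certificate Server Password']}".encode()).decode()
    req = urllib.request.Request(certsrv_url(cfg), headers={"Authorization": "Basic " + token})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
```

Run validate_config on the real property values before calling probe_certsrv; any non-empty result is worth reviewing before the platform is pointed at the CA.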
Note that some operations still require the internal CA, hence the need to specify a Keystore.
The following Stores configuration properties are required for EJBCA. For more information, see Certificate Authority Stores Configuration.
- CA Key Store Alias
- CA Key Store Password
- CA Key Store Path
- CA Key Store Subject
However, the default values should work.
Microsoft CA Configuration
The Microsoft CA will be used to sign the Device, Secure Enclave and Ephemeral Certificates.
When requesting a certificate to be signed, the idenprotect Core Platform will request that a specific certificate template is used. The templates it requires by default are:
- DEVICE: the template used for the Device Certificate, usually with a validity period of a year
- SECENC: the template used for the Secure Enclave Certificate, usually with a validity period of a year
- ENDUSER: the template used for the ephemeral RSA certificates, usually with a validity period of about 8 hours
However, the template names can be changed by editing Certificate Authority Profile Name Configuration.
The certificate profiles must also have the appropriate key usages, e.g. digitalSignature, keyEncipherment, clientAuth, Smartcard Login.
It is also important that the certificate profiles use the subject passed in the request as the subject of the certificate, rather than importing it from Active Directory.
For details on how to create these profiles, refer to the Microsoft Certificate Services Certificate Templates article.