Microsoft Certificate Services Certificate Authority

From iDENprotect Knowledge Base
Jump to: navigation, search

If you have not made any configuration changes yet, please see How to make configuration changes

Introduction

The idenprotect Core Platform can integrate with an external CA or it can use its own internal CA. Not all parameters are required for all CA Types.

Other CA configuration articles are Certificate Authority Server Configuration, Certificate Authority Profile Name Configuration, Certificate Authority Stores Configuration

For more information on other Certificate Authorities, see one of the following articles:

Required Configuration

To use the Microsoft Certificate Services CA configuration steps are required on the idenprotect Core Platform and on the Microsoft CA Server.

idenprotect Core Platform Configuration

The following Server configuration properties are required for Microsoft CA. For more information, see Certificate Authority Server Configuration

Signing algorithms to use, these can usually be left as the default

  • Elliptic Curve Signing Algorithm
  • RSA Signing Algorithm

The following setting configure the connection between the idenprotect Core Platform and the Microsoft CA The username and password need to be a valid Active Directory Username and Password

  • Certificate Server Allow Self Signed Certificates. To allow idenprotect to connect if the cert services server has a self-signed cert
  • Certificate Server Port Port number usually 443
  • Certificate Server Host
  • Certificate Server User
  • Certificate Server Password
  • Certificate Server Protocol http or more usually https

You can validate these settings by opening up a browser to the URL https://<host>:<port>/certsrv/

You should be prompted for a username and a password and if you enter those you should reach the home page of the CA

MicrosoftCA.png

Stores Configuration

Note that some operations still require the internalCA hence the need to specify Keystore

The following Stores configuration properties are required for EJBCA. For more information see Certificate Authority Stores Configuration

  • CA Key Store Alias
  • CA Key Store Password
  • CA Key Store Path
  • CA Key Store Subject

However, the default values should work.

Microsoft CA Configuration

The Microsoft CA will be used to sign the Device, Secure Enclave and Ephemeral Certificates.

When requesting a certificate to be signed, the idenprotect Core Platform will request that a specific certificate templates is used. The templates it will require by default are

  • DEVICE The template used for the Device Certificate, usually have a validity period of a year
  • SECENC The template used for the Secure Enclave Certificate, usually have a validity period of a year
  • ENDUSER The tempalte used for the ephemeral RSA certificates, usually to have a validity period of about 8 hours

However the template names can be different by editing Certificate Authority Profile Name Configuration

The certificate profiles must also have the appropriate key usages, eg digitalSignature,keyEnciphermen,clientAuth, Smartcard Login.

It is also important that the certificate profiles use the subject that is passed within the request as the subject of the certificate rather than import this from Active Directory.

For details on how to create these profiles refer to Microsoft Certificate Services Certificate Templates article