Microsoft Certificate Services Certificate Templates

From iDENprotect Knowledge Base

Introduction

These instructions provide the steps required to set up certificate templates on Microsoft Certification Authority (CA) servers so that device and user keys within the iDENprotect solution can be signed by, and trusted through, an external Microsoft CA.

The instructions include:

  • Certificate Template Creation for idenprotect Device Certificate - DEVICE
  • Certificate Template Creation for idenprotect Secure Certificate - SECENC
  • Certificate Template Creation for idenprotect Secure User Certificate - ENDUSER
  • Adding a Certificate Template to the CA

Prerequisites

  • Knowledge of Microsoft Certification Authorities and Microsoft Active Directory Services
  • Microsoft Certificate Services running on Microsoft Windows Server
  • Web enrolment for Microsoft Certificate Services enabled
  • SSL enabled on Microsoft Internet Information Services (IIS)
  • IIS configured to accept client certificate authentication
  • Web Enrolment Service root URL http(s)://<RootCA-URL>/certsrv/ reachable

Adding Snap In

In order to create certificate templates on the CA, the Certificate Templates snap-in must be loaded. On the CA server:

  1. Click Start, type run, select Run and enter mmc
  2. Once the Console has opened, go to File - Add or Remove Snap-ins
  3. Add the following snap-ins: Certificate Templates
  4. Expand the Certificate Template Snap-in


Creating Device Template

The Device template will be created from a copy of the Web Server Template.

Expand Certificate Templates, right-click the Web Server template and select Duplicate Template.

Webservertemplate.png

Compatibility Settings

In the dialog box that appears, use the drop-down lists to change the Compatibility Settings to:

Properiesodnewtemplate.png

Certification Authority: Windows Server 2008 R2
Certificate Recipient: Windows 8 / Windows Server 2012 R2

General Settings

Give the duplicate template a name (“iDENprotect Device Certificate”, for example).

The template name needs to match the one defined in the Certificate Profiles definition; refer to the associated article. The default value for this is DEVICE.

TemplateName.png

There is no need to select “Publish certificate in Active Directory”, as this is managed by iDENprotect.

The validity period needs to be long enough to avoid overloading your CA with renewals, so one year is a sensible value.

Subject Name

Click on the Subject Name tab and ensure that “Supply in the request” is selected.

The CA will then use the subject information from the CSR provided by idenprotect.


CertSubject.png


You will receive a warning box; select OK.

Security

Select the security tab.

CertSecurity.png

Ensure that the “Everyone” group is added and is allowed Read, Enrol and Autoenroll on this template.

Failure to do so will prevent the certificate from being issued.


Cryptography

Under the Cryptography tab, ensure you select Key Storage Provider and the algorithm name of ECDH_P256.

CertCrypto.png

Ensure the minimum key size is set to 256.

Ensure that “Requests must use one of the following providers” is selected and set to Microsoft Software Key Storage Provider. The request hash should also be set to SHA256.

Extensions

Under the Extensions tab, highlight the application policies within the “Extensions included in this template” and click edit.

CertExtensions.png

Find the “Client Authentication” policy and add it.


Creating Secure User (SECENC) Certificate Template

The SECENC template will be created from a copy of the User template.

Expand Certificate Templates, right-click the User template and select Duplicate Template.

Compatibility Settings

In the dialog box that appears, use the drop-down lists to change the Compatibility Settings to:

Properiesodnewtemplate.png

Certification Authority: Windows Server 2008 R2
Certificate Recipient: Windows 8 / Windows Server 2012 R2

General Settings

Give the duplicate template a name.

The template name needs to match the one defined in the Certificate Profiles definition; refer to the associated article. The default value for this is SECENC.

There is no need to select “Publish certificate in Active Directory”, as this is managed by iDENprotect.

The validity period needs to be long enough to avoid overloading your CA with renewals, so one year is a sensible value.

Subject Name

Click on the Subject Name tab and ensure that “Supply in the request” is selected.

The CA will then use the subject information from the CSR provided by idenprotect.


CertSubject.png


You will receive a warning box; select OK.

Security

Select the Security tab.

CertSecurity.png

Ensure that the “Everyone” group is added and is allowed Read, Enrol and Autoenroll on this template.

Failure to do so will prevent the certificate from being issued.

Request Handling

Click on the “Request Handling” tab and change the purpose of the certificate to “Signature”.

CertHandling.png

A warning box will appear; click “Yes”.

Ensure that “Allow private key to be exported” is unchecked.

Cryptography

Under the Cryptography tab, ensure you select Key Storage Provider and the algorithm name of ECDH_P256.

CertCrypto.png

Ensure the minimum key size is set to 256.

Ensure that “Requests must use one of the following providers” is selected and set to Microsoft Software Key Storage Provider. The request hash should also be set to SHA256.

Extensions

Under the Extensions tab, highlight the application policies within the “Extensions included in this template” and click edit.

CertExtendsionSecenc.png

Remove “Encrypting File System”, then add the “Smart Card Logon” and “Document Signing” policies.

The policies listed should be “Client Authentication”, “Document Signing”, “Secure Email” and “Smart Card Logon”.

The “Key Usage” item within “Extensions included in this template” should have “Digital Signature”, “Signature is proof of origin (nonrepudiation)” and “Make this extension critical” selected.

CertExtendsionSecencKeyUsage.png

If your screen does not show this, use Edit to make the changes.
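To confirm that the DEVICE and SECENC templates created above ended up with the settings described, the following added script (not part of the iDENprotect article) reads each template back out of Active Directory and reports the relevant attributes, including which principals hold the Enroll right. It assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined host, the article's default template names DEVICE and SECENC, and a made-up function name Get-IdpTemplateReport.

```powershell
# Added example, not from the iDENprotect article. Reads a certificate template from the
# Configuration partition and reports the settings the article asks for. Assumes the
# ActiveDirectory module; DEVICE/SECENC are the article's default template names.
Import-Module ActiveDirectory

$EkuName = @{ '1.3.6.1.5.5.7.3.2' = 'Client Authentication'; '1.3.6.1.5.5.7.3.4' = 'Secure Email'
              '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'; '1.3.6.1.4.1.311.10.3.12' = 'Document Signing'
              '1.3.6.1.4.1.311.10.3.4' = 'Encrypting File System' }
$EnrollRight = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right

function Get-IdpTemplateReport([string]$TemplateName) {
    $base = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
            (Get-ADRootDSE).configurationNamingContext
    $t = Get-ADObject -SearchBase $base -LDAPFilter "(cn=$TemplateName)" -Properties @(
        'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-Private-Key-Flag',
        'msPKI-Minimal-Key-Size', 'msPKI-RA-Application-Policies', 'pKIExtendedKeyUsage',
        'pKIKeyUsage', 'pKICriticalExtensions', 'pKIExpirationPeriod')
    if (-not $t) { throw "Template '$TemplateName' not found under $base" }
    # pKIExpirationPeriod is a negative 100-ns interval stored as 8 little-endian bytes
    $validity = [TimeSpan]::FromTicks(0 - [BitConverter]::ToInt64($t.pKIExpirationPeriod, 0))
    # pKIKeyUsage byte 0 follows X.509 KeyUsage bit order: 0x80 Digital Signature, 0x40 Non-repudiation
    $ku = [int]$t.pKIKeyUsage[0]
    # Allow ACEs granting Enroll (empty ObjectType = every extended right; GenericAll also matches)
    $acl = Get-Acl -Path ("AD:\" + $t.DistinguishedName)
    $enrollers = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
        ($_.ObjectType -eq $EnrollRight -or $_.ObjectType -eq [Guid]::Empty)
    } | ForEach-Object { $_.IdentityReference.Value }
    [pscustomobject]@{
        Template         = $t.Name
        SupplyInRequest  = ($t.'msPKI-Certificate-Name-Flag' -band 0x1) -ne 0   # both: True
        PublishToAD      = ($t.'msPKI-Enrollment-Flag' -band 0x8) -ne 0         # both: False
        ExportableKey    = ($t.'msPKI-Private-Key-Flag' -band 0x10) -ne 0       # SECENC: False
        ValidityDays     = [int]$validity.TotalDays                             # about 365
        MinKeySize       = [int]$t.'msPKI-Minimal-Key-Size'                     # 256
        ECDH_P256        = (($t.'msPKI-RA-Application-Policies' -join '') -like '*ECDH_P256*')
        DigitalSignature = ($ku -band 0x80) -ne 0
        NonRepudiation   = ($ku -band 0x40) -ne 0                               # SECENC: True
        KeyUsageCritical = $t.pKICriticalExtensions -contains '2.5.29.15'       # SECENC: True
        EKUs             = @($t.pKIExtendedKeyUsage | ForEach-Object {
                               if ($EkuName.ContainsKey($_)) { $EkuName[$_] } else { $_ } })
        EnrollPrincipals = $enrollers -join ', '   # with Supply in the request, review who is listed here
    }
}

# DEVICE should show only Client Authentication; SECENC should show the four policies listed above.
'DEVICE', 'SECENC' | ForEach-Object { Get-IdpTemplateReport $_ } | Format-List
```

Because both templates accept the subject from the request, the EnrollPrincipals line is the one to review: every principal listed there can request a certificate with a subject of its choosing under that template.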

Adding Certificate Template to CA

Go to Certification Authority in the MMC console and select Certificate Templates.

Right-click in the right pane and select New - Certificate Template to Issue.

CertTemplateToIssue.png

Select the template you created in the previous section and click OK to add it to the Certification Authority.