Before you start, you have to plan your CA hierarchy. The following is only an example and may not fit for your organization.
For more information see:
To carry out the following steps, you need a running Active Directory, all necessary licenses and an external web server.
In the following example, only a single root is chosen. The CA uses a SHA-512 hash algorithm, a 4096 character key and a 5-year validation time. Set the parameters according to your company guidelines.
The CRL in this example is available here (you may adapt it for your organization):
http://localhost/certenroll/<CA common name>.crl
For information about how to use your Public Key Infrastructure (PKI) with the Fabasoft Cloud, see chapter “Configure the Certificate Log-in for a Fabasoft Cloud Organization”.
The Active Directory is used for the automatic user certificate enrollment.
To add the “Active Directory Certificate Services” role, proceed as follows:
To configure Active Directory Certificate Services, proceed as follows:
Make sure that the every domain user can auto-enroll the specific certificate template.
Start certmgr.msc and export the root certificate (“Trusted Root Certification Authority” > “Certificates” > certificate’s context menu > “All Tasks” > “Export” > “DER encoded binary X.509”). If you have intermediate CAs, repeat the export for all these certificates.
The usage of these files is described in the next chapter.