2018 February Release

User Certificates with Microsoft CA

Before you start you have to choose the architecture of your CA. The following is only an example and may not fit your organization!

For more information see also:

We assume a running Active Directory (AD), all necessary licenses and an external web server.

CA Design, Parameters and CRL

In this description only a single root CA is used. The CA uses a 2048-bit key and a validity period of 5 years. Adapt the parameters to your needs.

To use your PKI with Fabasoft Cloud see “Configure Login With Certificates for Your Organization in Fabasoft Cloud”.

User certificate enrollment is done automatically via AD (auto-enrollment).

The CRL in this example is available under http://localhost/certenroll/rootca1.crl. Adapt it for your organization.

Active Directory Certificate Services Step-by-Step Guide

Set up the Enterprise Root CA

  1. Log on as an administrator.
  2. Start the “Add Roles” Wizard.
  3. On the “Select Server Roles” page select the “Active Directory Certificate Services” check box, and then click “Next” two times.
  4. On the “Select Role Services” page select the “Certification Authority” check box and then click “Next”.
  5. On the “Specify Setup Type” page click “Enterprise” and then click “Next”.
  6. On the “Specify CA Type” page click “Root CA”, and then click “Next”.
  7. On the “Set Up Private Key” and “Configure Cryptography for CA” pages, you can configure optional settings, including cryptographic service providers. However, for basic testing purposes, accept the default values by clicking “Next” twice.
  8. In the “Common name for this CA” box type the common name of the CA (e.g. “<Name of your company> Root CA”) and then click “Next”. In the following just ROOTCA1 is used.
  9. On the “Set the Certificate Validity Period” page accept the default validity duration for the root CA and then click “Next”.
  10. On the “Configure Certificate Database” page accept the default values or specify other storage locations for the certificate database and the certificate database log and then click “Next”.
  11. After verifying the information on the “Confirm Installation Options” page click “Install”.

How to install Web Enrollment Support for CRL

  1. Click “Start”, point to “Administrative Tools” and then click “Server Manager”.
  2. Click “Manage Roles”. Under “Active Directory Certificate Services” click “Add Role Services”. If a different AD CS role service has already been installed on this computer, select the “Active Directory Certificate Services” check box in the “Role Summary” pane and then click “Add Role Services”.
  3. On the “Select Role Services” page select the “Certification Authority Web Enrollment” check box.
  4. Click “Add Required Role Services” and then click “Next”.
  5. On the “Specify CA” page if a CA is not installed on this computer, click “Browse” to select the CA that you want to associate with Web enrollment, click “OK” and then “Next”.
  6. Click “Next”, review the information listed and click “Next” again.
  7. On the “Confirm Installation Selections” page click “Install”.
  8. When the installation is complete, review the status page to verify that the installation was successful.
  9. The CRL is available under http://localhost/certenroll/rootca1.crl.
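The two wizards above can also be run from PowerShell. The following is an added example, not part of this guide, using the ADCSDeployment and ADCSAdministration cmdlets that ship with the AD CS role on Windows Server 2012 and later. It assumes an elevated session as an Enterprise Admin on a domain-joined server, the CA name ROOTCA1 and the 2048-bit / 5-year parameters chosen above; pki.example.com is a placeholder for your organization's CRL host.

```powershell
# Added example (not from the original guide): scripted equivalent of the
# "Set up the Enterprise Root CA" and "Web Enrollment" wizards above.
# Assumptions: elevated PowerShell, Enterprise Admin, domain-joined server,
# CA common name ROOTCA1, 2048-bit RSA key, 5-year validity.

# Role services: the CA itself plus Web Enrollment (which hosts /CertEnroll in IIS).
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# Enterprise Root CA with the parameters the wizard asks for in steps 5-10.
# Database and log locations are left at their defaults (step 10).
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'ROOTCA1' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 5 `
    -Force

# Web Enrollment role service (step 3 of the second wizard).
Install-AdcsWebEnrollment -Force

# A CDP of http://localhost/... is only resolvable on the CA itself. Clients that
# validate issued certificates need a URL they can reach, so add the organization's
# host name (placeholder) as an additional CDP. The <...> tokens are expanded by the CA.
Add-CACrlDistributionPoint `
    -Uri 'http://pki.example.com/certenroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl' `
    -AddToCertificateCdp -Force
Restart-Service -Name certsvc

# Publish a CRL and check that it can be fetched from the URL given in the text.
certutil -CRL
$crlFile = Join-Path $env:TEMP 'rootca1.crl'
Invoke-WebRequest -Uri 'http://localhost/certenroll/rootca1.crl' -OutFile $crlFile -UseBasicParsing
certutil -dump $crlFile | Select-String -Pattern 'Issuer|ThisUpdate|NextUpdate|CRL Number'
```

The last two commands are the check worth keeping after any CA change: if the CRL cannot be fetched, or NextUpdate is already in the past, clients that enforce revocation checking will reject every certificate the CA issued.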

Define an Automatic Rollout of User Certificates

To enable an automatic rollout of user certificates via Group Policies check the corresponding properties in the default domain policy.

Make sure that every domain user can auto-enroll the specific certificate template.
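As an added example (not part of this guide), the same two settings scripted and checked from PowerShell: the auto-enrollment policy in the Default Domain Policy, and a listing of which principals hold the Enroll and AutoEnrollment rights on a template. It assumes the RSAT GroupPolicy and ActiveDirectory modules, an elevated domain session, and the built-in "User" template as the one being rolled out; substitute your own template name.

```powershell
# Added example (not from the original guide): turn on user auto-enrollment in the
# Default Domain Policy and list who holds Enroll / AutoEnrollment on a template.
# Assumptions: RSAT GroupPolicy + ActiveDirectory modules, elevated domain session,
# the built-in "User" template (replace with your own template name).
Import-Module GroupPolicy
Import-Module ActiveDirectory

# User Configuration > Policies > Windows Settings > Security Settings >
# Public Key Policies > Certificate Services Client - Auto-Enrollment.
# AEPolicy 7 = enabled (1) + renew expired / update pending / remove revoked (2)
#              + update certificates that use certificate templates (4).
Set-GPRegistryValue -Name 'Default Domain Policy' `
    -Key 'HKCU\Software\Policies\Microsoft\Cryptography\AutoEnrollment' `
    -ValueName 'AEPolicy' -Type DWord -Value 7

# Map the extended-right GUIDs found in template ACLs back to their display names.
$cfg = (Get-ADRootDSE).ConfigurationNamingContext
$rightNames = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$cfg" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties rightsGuid, displayName |
    ForEach-Object { $rightNames[[guid]$_.rightsGuid] = $_.displayName }

# Which principals may enroll or auto-enroll for the "User" template?
# An ACE with an empty ObjectType grants all extended rights, which includes both.
$templateDn = "CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
(Get-Acl -Path "AD:\$templateDn").Access |
    Where-Object { ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0 } |
    Select-Object IdentityReference, AccessControlType,
        @{ Name = 'Right'; Expression = {
            if ($_.ObjectType -eq [guid]::Empty) { 'All extended rights' } else { $rightNames[$_.ObjectType] } } } |
    Where-Object { $_.Right -in 'Enroll', 'AutoEnrollment', 'All extended rights' } |
    Format-Table -AutoSize
```

Auto-enrollment only happens when a principal holds both Enroll and AutoEnrollment (Allow) on the template; the listing above should show the intended user group with both rights and nothing broader than intended, since every identity with Enroll on a template can obtain certificates from it.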

Exporting Root and Issuing Certificate

Start certmgr.msc and export the root certificate:

If you have intermediate CAs repeat this for all instances.
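The same export from PowerShell, as an added example that is not part of this guide: it writes the ROOTCA1 certificate and any intermediate CA certificates issued by it as DER .cer files, which is what the certmgr.msc export produces. It assumes it runs on a domain member that already trusts ROOTCA1 (AD publishes the CA certificate to domain members), and the output folder is a placeholder.

```powershell
# Added example (not from the original guide): export the root CA certificate and
# any intermediate CA certificates it issued as DER .cer files.
# Assumptions: domain member that trusts ROOTCA1; output folder is a placeholder.
$outDir = Join-Path $env:USERPROFILE 'Desktop\ca-certs'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Root CA certificate from the machine's Trusted Root store (newest one if renewed).
$root = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like 'CN=ROOTCA1*' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $root) { throw 'ROOTCA1 not found in Cert:\LocalMachine\Root' }

# -Type CERT writes only the public certificate (DER); no private key is exported.
Export-Certificate -Cert $root -FilePath (Join-Path $outDir 'rootca1.cer') -Type CERT | Out-Null

# Intermediate (issuing) CA certificates signed by the root, from the Intermediate store.
Get-ChildItem -Path Cert:\LocalMachine\CA |
    Where-Object { $_.Issuer -eq $root.Subject -and $_.Subject -ne $root.Subject } |
    ForEach-Object {
        # File name from the CN, with anything outside [A-Za-z0-9_.-] replaced.
        $name = ($_.Subject -replace '^CN=([^,]+).*$', '$1') -replace '[^\w.-]', '_'
        Export-Certificate -Cert $_ -FilePath (Join-Path $outDir "$name.cer") -Type CERT | Out-Null
    }

# Sanity check: subject, expiry and thumbprint of everything that was written.
Get-ChildItem -Path $outDir -Filter *.cer | ForEach-Object {
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_.FullName
    [pscustomobject]@{ File = $_.Name; Subject = $c.Subject; NotAfter = $c.NotAfter; Thumbprint = $c.Thumbprint }
} | Format-Table -AutoSize
```

Compare the thumbprints in the final table with the ones shown on the CA before uploading the files anywhere; only the public certificates are needed for the cloud configuration, and the CA's private key should never leave the CA.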

The usage of these files is described in “Configure Login With Certificates for Your Organization in Fabasoft Cloud” below.