User Certificates with Microsoft CA
Before you start, you have to choose the architecture of your CA. The following is only an example and may not fit your organization!
For more information see also:
We assume a running Active Directory (AD), all necessary licenses and an external webserver.
CA Design, Parameter and CRL
In this description only a single root CA is used. The CA uses a 2048-bit key and a 5-year validity period. Set the parameters to your needs.
To use your PKI with Fabasoft Cloud see “Configure Login With Certificates for Your Organization in Fabasoft Cloud”.
The user certificate enrollment is automatically done with AD.
The CRL in this example is available under http://localhost/certenroll/rootca1.crl. Adapt it for your organization.
See also Microsoft's “Active Directory Certificate Services Step-by-Step Guide”.
Set up the Enterprise Root CA
- Log on as an administrator.
- Start the “Add Roles” Wizard.
- On the “Select Server Roles” page select the “Active Directory Certificate Services” check box, and then click “Next” two times.
- On the “Select Role Services” page select the “Certification Authority” check box and then click “Next”.
- On the “Specify Setup Type” page click “Enterprise” and then click “Next”.
- On the “Specify CA Type” page click “Root CA”, and then click “Next”.
- On the “Set Up Private Key” and “Configure Cryptography for CA” pages, you can configure optional settings, including cryptographic service providers. However, for basic testing purposes, accept the default values by clicking “Next” twice.
- In the “Common name for this CA” box type the common name of the CA (e.g. “<Name of your company> Root CA”) and then click “Next”. In the following, ROOTCA1 is used as the name.
- On the “Set the Certificate Validity Period” page accept the default validity duration for the root CA and then click “Next”.
- On the “Configure Certificate Database” page accept the default values or specify other storage locations for the certificate database and the certificate database log and then click “Next”.
- After verifying the information on the “Confirm Installation Options” page click “Install”.
How to install Web Enrollment Support for CRL
- Click “Start”, point to “Administrative Tools”, and then click “Server Manager”.
- Click “Manage Roles”. Under “Active Directory Certificate Services” click “Add Role Services”. If a different AD CS role service has already been installed on this computer, select the “Active Directory Certificate Services” check box in the “Role Summary” pane and then click “Add Role Services”.
- On the “Select Role Services” page select the “Certification Authority Web Enrollment” check box.
- Click “Add Required Role Services” and then click “Next”.
- On the “Specify CA” page if a CA is not installed on this computer, click “Browse” to select the CA that you want to associate with Web enrollment, click “OK” and then “Next”.
- Click “Next”, review the information listed, and then click “Next” again.
- On the “Confirm Installation Selections” page click “Install”.
- When the installation is complete, review the status page to verify that the installation was successful.
- The CRL is available under http://localhost/certenroll/rootca1.crl
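The two wizard sequences above (Enterprise Root CA, then Web Enrollment with the CRL under /certenroll) can also be done from PowerShell with the ADCSDeployment and ADCSAdministration cmdlets. The following is an added example and not part of the Fabasoft page or of Microsoft's guide; it uses the parameters the page names (ROOTCA1, 2048-bit key, 5-year validity) and adds an externally reachable CRL distribution point, because a CRL that is only published as http://localhost/... cannot be fetched by the relying party that checks revocation. The host name `pki.example.com` and the final check are assumptions; run it elevated on the future CA server as an Enterprise Admin.

```powershell
# Added example (not from the page): scripted equivalent of the two wizards above.
$caName     = 'ROOTCA1'                                 # common name from the page
$keyLength  = 2048                                      # 2048-bit key, as on the page
$validYears = 5                                         # 5-year CA validity, as on the page
$cdpHost    = 'pki.example.com'                         # ASSUMED name of the external web server
$crlUrl     = "http://$cdpHost/certenroll/$caName.crl"  # external counterpart of http://localhost/certenroll/rootca1.crl

# 1. Role installation (the "Add Roles" / "Add Role Services" wizards)
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools | Out-Null

# 2. Enterprise Root CA with the page's parameters; the hash algorithm is set
#    explicitly to SHA-256 so the result does not depend on the OS default.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName $caName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength $keyLength `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits $validYears `
    -Force

# 3. Web enrollment; IIS then serves the CRL from /certenroll on this host
Install-AdcsWebEnrollment -Force

# 4. Additional CRL distribution point that clients outside the CA host can
#    reach. %3, %8 and %9 are the CA's own tokens for CaName, CRLNameSuffix
#    and DeltaCRLAllowed and are expanded at publication time.
Add-CACrlDistributionPoint -Uri "http://$cdpHost/certenroll/%3%8%9.crl" `
    -AddToCertificateCdp -AddToFreshestCrl -Force
Restart-Service certsvc
certutil -crl | Out-Null    # publish the first CRL to C:\Windows\System32\CertSrv\CertEnroll

# 5. Check: after the .crl file has been copied to the external web server,
#    it must be fetchable over HTTP and must name our root CA as its issuer.
$tmp = Join-Path $env:TEMP "$caName.crl"
try {
    Invoke-WebRequest -Uri $crlUrl -OutFile $tmp -UseBasicParsing
    $dump = certutil -dump $tmp
    if ($dump -match "CN=$caName") {
        Write-Host "CRL reachable at $crlUrl and issued by CN=$caName"
    } else {
        Write-Warning "CRL fetched from $crlUrl but its issuer is not CN=$caName"
    }
} catch {
    Write-Warning "CRL not reachable at $crlUrl : $($_.Exception.Message)"
}
```

The CA writes the CRL only to its local CertEnroll folder; copying it to the external web server (a scheduled copy, or publishing directly to a share the web server exposes) is still needed, and the check in step 5 is what tells you whether that copy is in place before user certificates carrying the new CDP are issued.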
Define an Automatic Rollout of User Certificates
To enable an automatic rollout of user certificates via Group Policies check the corresponding properties in the default domain policy.
Make sure that every domain user can auto-enroll the specific certificate template.
Exporting Root and Issuing Certificate
Start certmgr.msc and export the root certificate:
If you have intermediate CAs repeat this for all instances.
The usage of these files is described in “Configure Login With Certificates for Your Organization in Fabasoft Cloud” below.
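The last two sections (automatic rollout via the default domain policy, template permissions for every domain user, export of the root certificate) are likewise scriptable. The block below is an added example, not code from the Fabasoft page; it enables user auto-enrollment in the Default Domain Policy, checks that the template grants Enroll and Autoenroll to Domain Users before anyone relies on it, and exports the root certificate as a DER .cer file without the private key. The template name `User`, the folder `C:\PKI-Export` and the use of the RSAT GroupPolicy and ActiveDirectory modules are assumptions.

```powershell
# Added example (not from the page): auto-enrollment policy, template ACL check,
# and root certificate export. Run as Enterprise Admin on a domain-joined host
# with RSAT (GroupPolicy, ActiveDirectory) and the ADCSAdministration module.
$caName    = 'ROOTCA1'
$template  = 'User'            # ASSUMED: the template domain users should auto-enroll
$exportDir = 'C:\PKI-Export'   # ASSUMED output folder for the .cer files

# 1. "Enroll certificates automatically" with both sub-options for users.
#    AEPolicy = 7 is the value the Group Policy editor writes for that state.
Set-GPRegistryValue -Name 'Default Domain Policy' `
    -Key 'HKCU\Software\Policies\Microsoft\Cryptography\AutoEnrollment' `
    -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null

# 2. The CA only issues templates it publishes; publish it if missing.
if (-not (Get-CATemplate | Where-Object Name -eq $template)) {
    Add-CATemplate -Name $template -Force
}

# 3. Check the template ACL in AD: Domain Users need the Enroll and
#    Autoenroll extended rights (well-known GUIDs below) or a blanket grant.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$tplDn      = "CN=$template,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$enroll     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$autoEnroll = [guid]'a05b8cc2-17bc-11d1-aaf6-00c04fd91cfb'   # Certificate-AutoEnrollment
$aces = (Get-Acl -Path "AD:\$tplDn").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference -like '*\Domain Users'
}
$hasEnroll = $aces | Where-Object { $_.ObjectType -eq $enroll     -or $_.ActiveDirectoryRights -match 'GenericAll' }
$hasAuto   = $aces | Where-Object { $_.ObjectType -eq $autoEnroll -or $_.ActiveDirectoryRights -match 'GenericAll' }
if ($hasEnroll -and $hasAuto) {
    Write-Host "Template $template grants Enroll and Autoenroll to Domain Users"
} else {
    Write-Warning "Template $template lacks Enroll and/or Autoenroll for Domain Users; auto-enrollment will not happen"
}

# 4. Export the root CA certificate (public part only) for upload.
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null
$root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "CN=$caName*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $root) { throw "Root certificate CN=$caName not found in Cert:\LocalMachine\Root" }
$cerPath = Join-Path $exportDir "$caName.cer"
Export-Certificate -Cert $root -FilePath $cerPath -Type CERT | Out-Null
Write-Host "Exported $($root.Thumbprint) to $cerPath (valid until $($root.NotAfter))"

# Intermediate (issuing) CAs live in Cert:\LocalMachine\CA; repeat step 4 for
# each of them, as the page says, so the whole chain can be uploaded.
```

Step 3 is the check the page asks for in "Make sure that every domain user can auto enroll": Enroll without Autoenroll produces a template that users can request manually but that Group Policy will never roll out, which is the usual reason an otherwise correct setup issues no certificates.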