Configure Active Directory Certificate Services

Rasmus Tunfalk - Versasec

Introduction

This article provides a guide on configuring Active Directory Certificate Services (AD CS) to function as a Certificate Authority (CA) for vSEC:CMS.

The customer is responsible for CA configuration, and the instructions provided here are only to be considered as a general guide.

Prerequisites

Before proceeding with the configuration, ensure the following prerequisites are met:

  • The Microsoft AD CS server role must be enabled, and the Certificate Authority (CA) must be pre-configured.
  • A dedicated service account must be configured for the vSEC:CMS service. Refer to the article Configure Dedicated Service Account for instructions on this.

Configurations on the CA

To allow vSEC:CMS to integrate with AD CS, specific configurations must be made on the CA. The following certificate templates must be available:

  • Enrollment Agent (EA)
    • vSEC:CMS enrolls for a certificate from this template and uses it to sign the certificate requests it submits on behalf of users. This is how trust is established between vSEC:CMS and the CA.
  • Smartcard Logon
    • Issued to users through vSEC:CMS and stored on the smartcard; it enables smartcard authentication to Active Directory.

Create an Enrollment Agent Template:

  1. From Microsoft Management Console (MMC), add the Certification Authority Snap-in.
  2. Select the computer you want the CA Snap-in to manage, and click Finish, then OK to close.
  3. Expand the Certification Authority node, then click on the desired CA to manage.
  4. Right-click on Certificate Templates and choose Manage.
  5. Locate the Enrollment Agent template, then right-click and select Duplicate Template.
  6. Go to the General tab and assign a name in the Template display name field.
  7. Select the Security tab and add the previously configured dedicated service account with Read and Enroll permission. An Enrollment Agent certificate can sign requests on behalf of any user, so do not grant Enroll on this template to broad groups; the service account should be the only principal that can enroll for it.

  8. Click Apply, and OK to save.

Create Smartcard Logon Template:

  1. From the Certificate Templates Console, locate the Smartcard Logon template, then right-click and select Duplicate Template.

  2. Go to the General tab and assign a name in the Template display name field.
  3. Navigate to the Issuance Requirements tab, set This number of authorized signatures to 1, set Policy type required in signature to Application policy, and select Certificate Request Agent in the Application policy dropdown. This makes the CA issue from the template only when the request is countersigned by an Enrollment Agent certificate such as the one held by vSEC:CMS.

  4. Select the Security tab and add the previously configured dedicated service account with Read and Enroll permission.

  5. Click Apply, and OK to save.

Publish Certificate Templates to Active Directory:

  1. From the Certification Authority Snap-in, right-click on Certificate Templates, select New, and click on Certificate Template to Issue.

  2. Select the two certificate templates you created in the previous steps, and click OK.
  3. The certificate templates should now appear in the Certificate Templates list.

Granting Revocation Permissions on the CA

Additionally, the dedicated service account that the vSEC:CMS service runs under needs to be granted revocation permission on the CA. In AD CS this is the Issue and Manage Certificates permission (the Certificate Manager role). Follow these steps to ensure proper configuration.

  1. Right-click on the CA node and select Properties.

  2. Select the Security tab, add the vSEC:CMS dedicated service account, and grant it the Issue and Manage Certificates permission. This permission also allows the account to approve pending requests and revoke any certificate the CA has issued, so grant it to the service account only; the Certificate Managers tab of the same dialog can additionally restrict which templates and principals a certificate manager may act on.

  3. Click Apply, and OK to finalize the configuration.
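The following PowerShell script is an added verification step and is not part of the vSEC:CMS documentation or product. It checks the outcome of the template and CA steps above by reading Active Directory: that both duplicated templates exist and are published on the CA, that the service account holds the Enroll right on them, and that the Smartcard Logon duplicate requires one Certificate Request Agent signature. With -OnCAHost, run on the CA server itself, it also reads the CA's security descriptor to confirm Issue and Manage Certificates. The account, CA and template names in the parameter block are placeholders (assumptions) to be replaced with your own; the script needs the ActiveDirectory RSAT module and read access to the Configuration partition.

```powershell
<#
  Added verification script; it is not part of the vSEC:CMS documentation or product.
  Assumptions: run as a domain user that can read the Configuration partition, the
  ActiveDirectory (RSAT) module is installed, and the parameter defaults are placeholders
  to be replaced with your own account, CA and template names. The CA permission check
  reads the CA's own registry, so use -OnCAHost only when running on the CA server.
#>
param(
    [string]$ServiceAccount = 'CORP\svc-vseccms',        # hypothetical dedicated service account
    [string]$CAName         = 'CORP-ISSUING-CA',        # CA name as shown in the Certification Authority snap-in
    [string]$EATemplate     = 'vSEC Enrollment Agent',  # display name given to the duplicated Enrollment Agent template
    [string]$LogonTemplate  = 'vSEC Smartcard Logon',   # display name given to the duplicated Smartcard Logon template
    [switch]$OnCAHost                                   # also check "Issue and Manage Certificates" on the CA
)
Import-Module ActiveDirectory

$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # GUID of the "Enroll" extended right
$CertReqAgentOid = '1.3.6.1.4.1.311.20.2.1'                       # Certificate Request Agent application policy
$pks = "CN=Public Key Services,CN=Services," + (Get-ADRootDSE).configurationNamingContext
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate([System.Security.Principal.SecurityIdentifier])

# Templates the CA currently publishes (what "Certificate Template to Issue" adds)
$issued = (Get-ADObject -SearchBase "CN=Enrollment Services,$pks" `
    -LDAPFilter "(&(objectClass=pKIEnrollmentService)(cn=$CAName))" -Properties certificateTemplates).certificateTemplates

function Test-Template {
    param([string]$DisplayName, [bool]$RequireAgentSignature)
    $t = Get-ADObject -SearchBase "CN=Certificate Templates,$pks" `
        -LDAPFilter "(&(objectClass=pKICertificateTemplate)(displayName=$DisplayName))" `
        -Properties msPKI-RA-Signature, msPKI-RA-Application-Policies, nTSecurityDescriptor
    if (-not $t) { Write-Warning "Template '$DisplayName' not found"; return }

    # Allow ACEs that grant the Enroll extended right (or all extended rights) directly to the service account.
    # Rights obtained through group membership are not resolved here.
    $enroll = $t.nTSecurityDescriptor.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        ($_.ObjectType -eq $EnrollRight -or $_.ObjectType -eq [guid]::Empty) -and
        $(try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid } catch { $false })
    }
    # v3/v4 templates pack this value into a backtick-delimited string, so test for the OID as a substring
    $agentPolicy = (@($t.'msPKI-RA-Application-Policies') -join '|') -like "*$CertReqAgentOid*"

    [pscustomobject]@{
        Template       = $DisplayName
        Published      = [bool]($issued -contains $t.Name)
        ServiceEnroll  = [bool]$enroll
        Signatures     = $t.'msPKI-RA-Signature'
        AgentSignature = (-not $RequireAgentSignature) -or ($t.'msPKI-RA-Signature' -eq 1 -and $agentPolicy)
    }
}

function Test-CAPermission {
    # The CA's security descriptor is stored in the registry; access mask bit 0x2 (CA_ACCESS_OFFICER)
    # is the "Issue and Manage Certificates" permission that revocation requires.
    $bytes = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName").Security
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
    $hit = $sd.DiscretionaryAcl | Where-Object {
        $_.AceType -eq 'AccessAllowed' -and $_.SecurityIdentifier -eq $sid -and ($_.AccessMask -band 0x2)
    }
    [pscustomobject]@{ CA = $CAName; ServiceIssueAndManage = [bool]$hit }
}

Test-Template -DisplayName $EATemplate    -RequireAgentSignature $false
Test-Template -DisplayName $LogonTemplate -RequireAgentSignature $true
if ($OnCAHost) { Test-CAPermission }
```

A False in the ServiceEnroll column means the account is not granted Enroll directly on the template; if you granted it through a group, check that group instead. A False in AgentSignature on the Smartcard Logon row means the Issuance Requirements tab was not set to one Certificate Request Agent signature, in which case vSEC:CMS will not be able to enroll on behalf of users.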

Active Directory Certificate Services is now ready for vSEC:CMS integration. Proceed to the Setup Evaluation Version article.