Introduction
This article provides a guide on configuring Active Directory Certificate Services (AD CS) to function as a Certificate Authority (CA) for vSEC:CMS.
The customer is responsible for CA configuration, and the instructions provided here are only to be considered as a general guide.
Prerequisites
Before proceeding with the configuration, ensure the following prerequisites are met:
- The Microsoft AD CS server role must be enabled, and the Certificate Authority (CA) must be pre-configured.
- A dedicated service account must be configured for the vSEC:CMS service. Refer to the article Configure Dedicated Service Account for instructions on this.
Configurations on the CA
To allow vSEC:CMS to integrate with AD CS, the CA must be configured as described below. The following certificate templates must be available:
- Enrollment Agent (EA)
  - This enables trust to be established between vSEC:CMS and the CA.
- Smartcard Logon
  - This enables secure authentication via smartcards.
Create an Enrollment Agent Template:
- From Microsoft Management Console (MMC), add the Certification Authority Snap-in.
- Select the computer you want the CA Snap-in to manage, and click Finish, then OK to close.
- Expand the Certification Authority node, then click on the desired CA to manage.
- Right-click on Certificate Templates and choose Manage.
- Locate the Enrollment Agent template, then right-click and select Duplicate Template.
- Go to the General tab and assign a name in the Template display name field.
- Proceed by selecting the Security tab and adding the previously configured Dedicated Service Account, ensuring it has at least Enroll permission.
- Click Apply, and OK to save.
Create a Smartcard Logon Template:
- From the Certificate Templates Console, locate the Smartcard Logon template, then right-click and select Duplicate Template.
- Go to the General tab and assign a name in the Template display name field.
- Navigate to the Issuance Requirements tab, set the number of authorized signatures to 1, and select Certificate Request Agent from the Application policy dropdown.
- Proceed by selecting the Security tab and adding the previously configured Dedicated Service Account, ensuring it has at least Enroll permission.
- Click Apply, and OK to save.
Publish Certificate Templates to Active Directory:
- From the Certification Authority Snap-in, right-click on Certificate Templates, select New, and click on Certificate Template to Issue.
- Select the two certificate templates you created in the previous steps, and click OK.
- The certificate templates should now appear in the Certificate Templates list.
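The following PowerShell script is an added verification aid, not part of the original article or of vSEC:CMS: it reads the templates and the CA object from the Active Directory configuration partition and confirms the outcome of the three procedures above (both duplicated templates exist, the Smartcard Logon template requires one Certificate Request Agent signature, the service account holds Enroll on both, and the CA publishes both). The template display names, account and CA name are placeholders you must replace; the CA-level Issue and Manage Certificates permission lives in the CA's registry rather than in AD and is not checked here.

```powershell
# Added verification script (not from the original article). Names below are assumptions; adjust them.
param(
    [string]$EnrollmentAgentTemplate = 'vSEC CMS Enrollment Agent',   # assumed display name (General tab)
    [string]$SmartcardLogonTemplate  = 'vSEC CMS Smartcard Logon',    # assumed display name (General tab)
    [string]$ServiceAccount          = 'CONTOSO\svc-vseccms',         # assumed dedicated service account
    [string]$CAName                  = 'CONTOSO-CA'                   # assumed CA common name
)
$configNC        = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiServicesDN   = "CN=Public Key Services,CN=Services,$configNC"
$EnrollRightGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment extended right
$RequestAgentOid = '1.3.6.1.4.1.311.20.2.1'                       # Certificate Request Agent application policy

function Get-PkiObject([string]$Filter, [string]$Container) {
    # Templates and enrollment services are stored under CN=Public Key Services in the configuration NC
    $searcher = [ADSISearcher]$Filter
    $searcher.SearchRoot = [ADSI]"LDAP://CN=$Container,$pkiServicesDN"
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "No object matching $Filter under $Container" }
    $hit.GetDirectoryEntry()
}
function Test-EnrollAce($Entry, [string]$Account) {
    # True when an Allow ACE grants the account the Enroll extended right (or full control) on the template
    $rules = $Entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    [bool]($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $Account -and
        ($_.ObjectType -eq $EnrollRightGuid -or
         $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll))
    })
}

$ea  = Get-PkiObject "(&(objectClass=pKICertificateTemplate)(displayName=$EnrollmentAgentTemplate))" 'Certificate Templates'
$scl = Get-PkiObject "(&(objectClass=pKICertificateTemplate)(displayName=$SmartcardLogonTemplate))"  'Certificate Templates'
$ca  = Get-PkiObject "(&(objectClass=pKIEnrollmentService)(cn=$CAName))" 'Enrollment Services'

# Issuance Requirements tab: authorized signatures = 1 and application policy = Certificate Request Agent.
# msPKI-RA-Application-Policies is a bare OID on v2 templates and a backtick-delimited blob on v3+, so match the OID text.
$signatures = [int]$scl.Properties['msPKI-RA-Signature'].Value
$raPolicies = @($scl.Properties['msPKI-RA-Application-Policies']) -join ' '
$published  = @($ca.Properties['certificateTemplates'])             # CA publishes templates by cn, not display name

$checks = [ordered]@{
    'EA template: service account has Enroll'         = Test-EnrollAce $ea  $ServiceAccount
    'Logon template: service account has Enroll'      = Test-EnrollAce $scl $ServiceAccount
    'Logon template: requires exactly 1 signature'    = ($signatures -eq 1)
    'Logon template: signature policy = Request Agent' = ($raPolicies -match [regex]::Escape($RequestAgentOid))
    'CA publishes EA template'                        = ($published -contains $ea.Properties['cn'].Value)
    'CA publishes Logon template'                     = ($published -contains $scl.Properties['cn'].Value)
}
$checks.GetEnumerator() | ForEach-Object { '{0,-5} {1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key }
```

Run it on a domain-joined machine as a user that can read the configuration partition; every line should report PASS before continuing to the revocation step.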
Granting Revocation Permissions on the CA
Additionally, the dedicated service account under which the vSEC:CMS Service runs must be granted permission to revoke certificates on the CA; in AD CS this is covered by the Issue and Manage Certificates permission. Follow these steps to ensure proper configuration.
- Right-click on the root of your CA and select Properties.
- Select the Security tab, add the vSEC:CMS dedicated service account, and grant it the Issue and Manage Certificates permission.
- Click Apply, and OK to finalize the configuration.
Active Directory Certificate Services is now ready for vSEC:CMS integration. Proceed to the Setup Evaluation Version article.