Update Enrollment Agent Certificate

Anthony - Versasec Support

Introduction

If you are using a Microsoft Certificate Authority (CA) as the PKI for vSEC:CMS, Enrollment Agent (EA) certificates will normally be required for the Operators who issue credentials on behalf of users, and for users who issue credentials themselves via the self-service client. This article describes how to reissue an EA certificate when it is about to expire or has already expired.

The EA certificate(s) can either be available to vSEC:CMS server-side or on the Operator credential that the Operator uses to log into the vSEC:CMS console. This article will be divided into different sections depending on how that configuration is set up in your environment.

Additionally, in a separate section we will cover the scenario where the System Owner token needs an EA certificate installed on it.

EA Certificate Installed Server-Side

This section will describe how you can reissue the EA certificate if it is configured server-side on vSEC:CMS.

Step 1 - Determine What Configuration

From Options - Connections - Certificate Authorities select the CA connection that is used and click Edit. In the Enrollment Agent section, if the Sign server side checkbox is enabled then you know that this configuration is used.

Important
If the Sign server side option is not available, you are running a version that does not support this feature. If Sign server side is available but not enabled, you are not using this feature. In either case, if you use an EA for self-service issuances and renewals, you should (after completing the steps below) navigate to Options - Operators, click the Cert request signing button and make sure that the updated or new EA is selected in the Certificate(s) drop-down field.
Additionally, it is recommended that you make a note of the certificate serial number so that you can later determine which certificate is in use. Click the View button and, from the Details tab, make a note of the serial number.

Step 2 - Determine Service Account

It will be necessary to determine which Windows service account the vSEC:CMS service is running under, as this is the account that the EA certificate is issued to. Open the Windows services console on the server where vSEC:CMS is installed and check which account the vSEC:CMS Service is running under.

Step 3 - Update EA Certificate

Depending on the status of the current EA certificate, a different process will need to be followed to perform the update.
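To help decide which of the two processes below applies, the following PowerShell script (an added example, not from the Versasec article) reports the service account from Step 2 and lists the Enrollment Agent certificates in the Personal store of the account it is run under, with their serial numbers and expiry status. It assumes it is run in a PowerShell session started as the service account (for example via runas), and the service display name is an assumed placeholder.

```powershell
# Added example, not part of the Versasec article. Run in a PowerShell
# session started as the vSEC:CMS service account (e.g. via runas) so that
# Cert:\CurrentUser\My is that account's Personal store.
$serviceName = 'vSEC:CMS Service'   # assumed placeholder; adjust to your install
$eaEku = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent EKU OID

# Step 2 check: which Windows account does the service run under?
$svc = Get-CimInstance Win32_Service -Filter "DisplayName='$serviceName'"
if ($svc) { "Service account: $($svc.StartName)" }
else      { "Service '$serviceName' not found; check the display name." }

# Step 1/3 check: list EA certificates (Certificate Request Agent EKU) in
# the current user's Personal store and say whether renew or reissue applies.
Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.EnhancedKeyUsageList.ObjectId -contains $eaEku
} | ForEach-Object {
    $daysLeft = [math]::Floor(($_.NotAfter - (Get-Date)).TotalDays)
    if ($daysLeft -lt 0) {
        $action = 'Expired: delete it and request a new EA certificate'
    } else {
        $action = "Valid ($daysLeft days left): renew the existing certificate"
    }
    [pscustomobject]@{
        Subject  = $_.Subject
        Serial   = $_.SerialNumber   # compare with the serial noted in Step 1
        NotAfter = $_.NotAfter
        HasKey   = $_.HasPrivateKey  # renewal needs the private key present
        Action   = $action
    }
} | Format-Table -AutoSize
```

If no certificate is listed, the EA certificate is not in this account's Personal store, which usually means you are running the script as the wrong account.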

EA Certificate Not Expired

If the EA is still valid, i.e. the certificate has not expired yet, then follow the instructions in this section to renew the current EA certificate.

Open Microsoft Management Console (MMC) as the Windows account that the vSEC:CMS service is running under. You can either log onto the server where vSEC:CMS is installed as the service account, or you can use the Windows runas command. If you use runas, do so as in the example below:

Open a command prompt and run this command:

Command
runas /user:<cms-service-account> "cmd"

Where <cms-service-account> is the account that vSEC:CMS service is running under.

Then from the subsequent command prompt open mmc:

> mmc

From MMC go to File - Add/Remove Snap-in, select Certificates and click the Add button. Select My user account and click Finish.

Under Personal - Certificates select the EA certificate that needs to be renewed. You can verify that you have selected the correct EA certificate by opening it (double click) and comparing the serial number on the Details tab with the one recorded in Step 1 above. Right click the EA certificate, select All Tasks and, depending on how you want to renew the certificate, select either Renew Certificate with New Key or, under Advanced Operations, Renew This Certificate with the Same Key, and follow the wizard to renew.

Finally, from Options - Connections - Certificate Authorities select the CA connection that is used and click Edit. In the Enrollment Agent section select the EA just renewed from the drop-down list and click Save to save and close the dialog.

EA Certificate Expired

If the EA certificate has expired then follow the instructions in this section to issue a new EA certificate.

In this case it is not possible to renew the certificate; a new EA certificate will need to be issued instead.

Open Microsoft Management Console (MMC) as the Windows account that the vSEC:CMS service is running under. You can either log onto the server where vSEC:CMS is installed as the service account, or you can use the Windows runas command. If you use runas, do so as in the example below:

Open a command prompt and run this command:

Command
runas /user:<cms-service-account> "cmd"

Where <cms-service-account> is the account that vSEC:CMS service is running under.

Then from the subsequent command prompt open mmc:

> mmc

From MMC go to File - Add/Remove Snap-in, select Certificates and click the Add button. Select My user account and click Finish.

Under Personal - Certificates select the EA certificate that has expired, right click it and select Delete. You can verify that you have selected the correct EA certificate by opening it (double click) and comparing the serial number on the Details tab with the one recorded in Step 1 above.

Right click Certificates - All Tasks - Request New Certificate and follow the wizard to issue a new EA certificate using the same template that was used to issue the previous EA certificate in your environment.

Finally, from Options - Connections - Certificate Authorities select the CA connection that is used and click Edit. In the Enrollment Agent section select the EA certificate just issued from the drop-down list and click Save to save and close the dialog.

EA Certificate Installed on Operator Token

This section describes how you can renew or reissue the EA certificate if it is installed on an Operator token and is used by vSEC:CMS when the Operator issues certificate credentials on behalf of a user.

Step 1 - Determine What Configuration

From Options - Connections - Certificate Authorities select the CA connection that is used and click Edit. In the Enrollment Agent section if there is a certificate selected in the drop-down list, the checkbox Sign server side is not enabled and the label Stored on Operator Token appears then the EA certificate is taken from the Operator token.

Step 2 - Update EA Certificate

Depending on the status of the current EA certificate, a different process will need to be followed to perform the update.

EA Certificate Not Expired - Update via Operator Console

If the EA is still valid, i.e. the certificate has not expired yet, then follow the instructions in this section to renew the current EA certificate via the Operator Console.

Log onto the operator console with an Operator token that can perform EA certificate issuance. Navigate to Actions - Certificate(s)/keys and attach the Operator token whose EA certificate is to be renewed. You should see the EA certificate listed in the table. Select the EA certificate that you need to renew and click the Reissue button and follow the on-screen wizard to complete the renewal.

EA Certificate Not Expired - Update via Self-Service

If the EA is still valid, i.e. the certificate has not expired yet, then follow the instructions in this section to renew the current EA certificate via vSEC:CMS User Self-Service (USS).

Before attempting this you should verify that the credential template used to issue the Operator token is configured for USS support. From Templates - Card Templates select the template used to issue the Operator token and click Edit. In the General section ensure that the self-service check box is enabled and a template is selected in the drop-down list, as in the sample below.

Additionally, the USS connection needs to be configured both on the server (under Options - Connections) and on the client, where the USS application needs to point to the backend connection. See the article Manage Hardware Credentials using vSEC:CMS User Self-Service for an example of how this configuration is set up.

Open the My Smartcard (USS) application on the client and with the credential attached navigate to My Certificates and select the certificate that is to be renewed and click Reissue. Follow the on-screen wizard to complete the renewal.

EA Certificate Expired

If the EA certificate has expired on the Operator token then follow the instructions in this section to issue a new EA certificate to the Operator token.

In this case it is not possible to renew the certificate; a new EA certificate will need to be issued instead.

Log onto the operator console with an Operator token that can perform EA certificate issuance. Navigate to Actions - Certificate(s)/keys and attach the Operator token whose EA certificate has expired. You should see the EA certificate listed in the table. Select the EA certificate that has expired and click the Delete button to remove it from the token.

Then ensure that nothing is selected in the certificate table and select the EA template from the drop-down list and click the Issue button to issue a new EA certificate to the Operator token. Follow the on-screen wizard to complete the issuance.

Issue EA Certificate on System Owner Token

Normally it would not be required to have an EA certificate installed onto a System Owner (SO) token, but if it is then follow the instructions here.

Log onto the Operator console with the SO token and from Options - Connections - Certificate Authorities select the CA connection that is used and click Edit. In the Enrollment Agent section ensure that the checkbox Sign server side is not enabled and click the Request button. Follow the instructions to complete the issuance.

Note
If more than one EA certificate template is configured in your environment you will need to select the template that is applicable to you.