
Configure Server-side EA Signing MS CA

Anthony - Versasec Support

Introduction

If you are using a Microsoft Certificate Authority (MS CA) and have not yet configured vSEC:CMS to perform Enrollment Agent (EA) signing on the server side, follow the instructions in this article to set that up. This is the recommended way to configure EA signing when using an MS CA with vSEC:CMS.

Note
The instructions in this article only apply when your CA connection is configured to Use from domain. To check which configuration you have, go to Options - Connections - Certificate Authorities, select the CA connection you use and click Edit. Click the Select CA button; if Use from domain is enabled, continue with the instructions below.

Prerequisites

At minimum, you are expected to have the following in place:

  • A fully operational vSEC:CMS already configured and using MS CA;
  • The vSEC:CMS service is configured to run under a dedicated Windows account as described in this article Configure Dedicated Windows Service Account.

CA Configuration

Prerequisites

Important
Versasec is not responsible for CA configuration and setup. It is expected that a skilled PKI engineer is performing these tasks. Information provided here is only as a guide.

Before going into the details on how to re-configure the CA connection in vSEC:CMS such that EA signing will be performed server-side, it is important that you have made the necessary configurations on the CA.

For this article we presume that you already have an EA template and a Windows logon template in place and operational on the MS CA. The dedicated Windows account that the vSEC:CMS service runs under must be given the appropriate permissions on the certificate templates on the CA.

For example, below we have the dedicated Windows account that the vSEC:CMS service runs under. We have given this account permissions on the EA template on the CA in the Security tab, with Enroll as the minimum permission.

Additionally, for the EA template it is important that the Issuance Requirements tab is set as shown below.

For the Windows logon certificate template in this example, you need to make sure that the dedicated Windows account for the vSEC:CMS service is given the appropriate permissions on that template. For example, you should at minimum add the Windows account in the Security tab and grant the permissions shown below.

Important
If you have other certificate templates that you use with vSEC:CMS then you should grant the same permissions as above for the dedicated Windows service account.

Finally, the local System account will need to be given revocation permissions on the CA. Right-click the root of your CA and select Properties.

In the Security tab, click the Add button, add the dedicated Windows account and grant the permissions as in the example below.
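The template permissions above are granted through the Certificate Templates console, but it is useful to verify them independently before moving on to the vSEC:CMS configuration, especially since a missing Enroll right on either template only surfaces later as a failed request. The following PowerShell script is an added example and is not part of the Versasec article or of vSEC:CMS. It reads the ACL of each template object in the Active Directory configuration partition and reports whether the service account (directly or via one of its groups) holds Read and Enroll. It assumes the RSAT ActiveDirectory module is installed so the AD: drive is available; the account name and template CNs are placeholders you replace with your own.

```powershell
# Added example; not Versasec's code. Checks that the dedicated vSEC:CMS service
# account has Read + Enroll on the EA and logon certificate templates by reading
# the template objects' ACLs in AD (requires the RSAT ActiveDirectory module).
Import-Module ActiveDirectory

$ServiceAccount = 'CONTOSO\svc-vseccms'                    # placeholder service account
$TemplateCns    = @('EnrollmentAgent', 'SmartcardLogon')   # placeholder template CNs

# Well-known extended-right GUID for "Enroll" on pKICertificateTemplate objects.
$EnrollRightGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$ReadRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead -bor [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$configNc = (Get-ADRootDSE).configurationNamingContext
$templateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

function Get-PrincipalSids {
    # SIDs that an ACE may name for this account: the account itself, its direct
    # group memberships, and the well-known Authenticated Users / Everyone SIDs.
    # Nested group membership is not expanded here (a limitation of this example).
    param([string]$Account)
    $sam  = $Account.Split('\')[-1]
    $user = Get-ADUser -Identity $sam
    $sids = @($user.SID.Value, 'S-1-5-11', 'S-1-1-0')
    foreach ($g in Get-ADPrincipalGroupMembership -Identity $user) { $sids += $g.SID.Value }
    $sids
}

function Test-TemplateAccess {
    # Walks the Allow ACEs on the template object and looks for Read and Enroll.
    param([string]$TemplateCn, [string[]]$Sids)
    $acl = Get-Acl -Path "AD:\CN=$TemplateCn,$templateContainer"
    $hasRead = $false
    $hasEnroll = $false
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable trustee, skip it
        if ($Sids -notcontains $aceSid) { continue }
        if (($ace.ActiveDirectoryRights -band $ReadRights) -ne 0) { $hasRead = $true }
        # Enroll is an extended right; ObjectType Empty means "all extended rights".
        $isExtended = (($ace.ActiveDirectoryRights -band $ExtendedRight) -ne 0)
        if ($isExtended -and (($ace.ObjectType -eq $EnrollRightGuid) -or ($ace.ObjectType -eq [Guid]::Empty))) {
            $hasEnroll = $true
        }
    }
    [pscustomobject]@{ Template = $TemplateCn; Read = $hasRead; Enroll = $hasEnroll }
}

$sids = Get-PrincipalSids -Account $ServiceAccount
foreach ($t in $TemplateCns) {
    $result = Test-TemplateAccess -TemplateCn $t -Sids $sids
    $result
    if (-not ($result.Read -and $result.Enroll)) {
        Write-Warning "$ServiceAccount lacks Read and/or Enroll on template '$t'; fix it in the template's Security tab."
    }
}
```

Run it from any domain-joined machine with RSAT as a user who can read the configuration partition; it does not need to run as the service account itself. A template showing Enroll = False is the one to revisit in the Security tab before continuing.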

CA Connection Configuration

You must RDP directly to the vSEC:CMS server and log on with the dedicated Windows account that vSEC:CMS runs under.

With your System Owner (SO) credential attached, open the vSEC:CMS console.

Note
The SO credential is required to be used for this configuration.

Navigate to Options - Connections - Certificate Authorities and select your CA connection and click Edit. In the Enrollment Agent section enable Sign server-side and click the Request button. If more than one EA template is available in your environment a popup dialog will appear from which you need to select the correct EA template to be used. The EA certificate will then be issued and stored in the local certificate store of the dedicated Windows account that vSEC:CMS service is running under.

Additionally, it is recommended to enable the setting Disable retrieving renewed certificates before revocation.

Click Save to save and close.

vSEC:CMS will then use this EA certificate to sign certificate requests regardless of whether the certificate is being issued by an Operator or via the self-service client.
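Because the EA certificate is issued into the personal store of the dedicated service account, a practical post-configuration check is to open a PowerShell session as that account (the same RDP session used above) and confirm that a Certificate Request Agent certificate with its private key is actually present and valid. The script below is an added example, not part of the Versasec article or of vSEC:CMS. It filters CurrentUser\My on the well-known Certificate Request Agent EKU OID, reads the certificate template extension so you can see which EA template was used, and builds the chain with online revocation checking. The 30-day expiry warning threshold is an assumption you can adjust.

```powershell
# Added example; not Versasec's code. Run as the dedicated vSEC:CMS service account
# to confirm the server-side EA certificate was issued into its personal store.
$CertificateRequestAgentEku = '1.3.6.1.4.1.311.20.2.1'  # well-known EKU OID
$TemplateInfoExt            = '1.3.6.1.4.1.311.21.7'    # well-known template-info extension OID
$ExpiryWarningDays          = 30                         # assumed operational threshold

function Get-EnrollmentAgentCertificate {
    # Every certificate in CurrentUser\My whose EKU list contains Certificate Request Agent.
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $CertificateRequestAgentEku })
    }
}

function Test-EnrollmentAgentCertificate {
    # Summarises the properties that matter for server-side signing: private key
    # present, template used, remaining validity, and whether the chain builds.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $templateExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateInfoExt }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($Cert)
    [pscustomobject]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        Template      = if ($templateExt) { $templateExt.Format($false) } else { '(no template extension)' }
        HasPrivateKey = $Cert.HasPrivateKey
        NotAfter      = $Cert.NotAfter
        DaysLeft      = [int]($Cert.NotAfter - (Get-Date)).TotalDays
        ChainValid    = $chainOk
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

$eaCerts = @(Get-EnrollmentAgentCertificate)
if ($eaCerts.Count -eq 0) {
    Write-Warning "No Certificate Request Agent certificate in CurrentUser\My for $env:USERDOMAIN\$env:USERNAME; are you logged on as the service account, and did the Request step succeed?"
    exit 1
}
foreach ($c in $eaCerts) {
    $r = Test-EnrollmentAgentCertificate -Cert $c
    $r | Format-List
    if (-not $r.HasPrivateKey) { Write-Warning "EA certificate $($r.Thumbprint) has no private key; server-side signing will fail." }
    if ($r.DaysLeft -lt $ExpiryWarningDays) { Write-Warning "EA certificate $($r.Thumbprint) expires in $($r.DaysLeft) days." }
    if (-not $r.ChainValid) { Write-Warning "EA certificate $($r.Thumbprint) does not chain: $($r.ChainStatus)" }
}
```

If the store lists the certificate but HasPrivateKey is False, the request was completed in a different profile or the key was not persisted, and vSEC:CMS will not be able to sign with it; repeat the Request step from the console while logged on as the service account. The expiry warning is also a convenient line to schedule, since an expired EA certificate stops every issuance that relies on server-side signing.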

Important
It is recommended to edit any Operator template (from Templates - Card Templates) that was previously configured to issue EA certificates to Operator credentials. In those cases, remove the EA template from the Issue card section of the template.