Configuring public URLs of AIA and CDP addresses if ADSS Server is running in MZ
AIA -> OCSP Responder
If you are running the ADSS Server in the MZ (Militarized Zone) and you want to redirect the AIA requests from the DMZ (Demilitarized Zone) machine to the ADSS Server, follow these instructions:
- Create a website (e.g. http://ocsp.ascertia.com) in IIS on the MZ machine and set the Physical Path to C:\inetpub\wwwroot
- Configure the AJP Connector for this website as documented in Appendix A of the SigningHub Installation Guide
- Now go to the C:\tomcat_iis_connector\conf directory, edit the file uriworkermap.properties and change the worker2 mapping from adss/*=worker2 to /*=worker2
- Edit the workers.properties.minimal file and set the values of worker.worker1.host and worker.worker2.host to your ADSS Server machine name/IP instead of localhost
- Restart the IIS service and access the website (e.g. http://ocsp.ascertia.com). If it shows the blue page as below, your configuration is correct; then send an OCSP request to double-check it
CDP and AIA -> CA Cert
If you are running the ADSS Server in the MZ (Militarized Zone) and you want to redirect the CDP requests from the DMZ (Demilitarized Zone) machine to the ADSS Server, follow these instructions:
- Create a directory on the MZ machine file system (e.g. C:\data) and grant Read permission to the IUSR user on this directory
- Create a website (e.g. http://downloads.ascertia.com) in IIS on the MZ machine and set the Physical Path to C:\data
- Create two directories in C:\data: C:\data\crls and C:\data\certs
- Share the C:\data\crls directory over the network and configure the shared path (e.g. \\mz-server\data\crls) in the Manage CAs > Local CAs module for the respective CA so that its CRLs are published to this path
- Run the ADSS Server Console and Core services under a Windows user who has access to this shared path (e.g. administrator). Click here for details.
- After the services restart, publish the CRLs from the Manage CAs > Local CAs module; the CRLs will be written to the shared directory (e.g. \\mz-server\data\crls)
- Put the issuer certificates in the C:\data\certs directory
- Access these URLs from the internet to check that it is working (e.g. http://downloads.ascertia.com/crls/crl-file-name.crl and http://downloads.ascertia.com/certs/ca-cert-file-name.cer)
CRL is not publishing for the Local CA [current and new CRL numbers are same]
This situation arises when a database update failed while the last CRL was being published. ADSS Server then prints an error in core.log stating that the new CRL number must be greater than the current one. The error message in core.log will look like the following:
Follow these steps to resolve this issue:
Connect to the ADSS Server database and execute the following SQL query:
Replace [new CRL number] with the next CRL number (e.g. 6 in this example) and [CA name from Manage CAs > Local CAs] accordingly:
- Now go to Manage CAs > Local CAs
- Click the CA name for which the problem occurs, then click the Publish CRL Now button; the CRL is published with the next CRL number
- Restart the ADSS Server Core from the Server Manager module for the changes to take effect
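The rule behind this error, as an added example that is not part of the ADSS Server documentation or product: using the cryptography package it builds a constructed CA and CRLs, and rejects a successor CRL whose CRL number does not exceed the current one, alongside the issuer, signature and nextUpdate checks a relying party makes on a CRL fetched from the CDP. The CA name, CRL numbers and clock are constructed values.

```python
# Added example (not ADSS Server code): the rule behind the core.log error above, the new CRL
# number must be greater than the current one, plus the checks a relying party makes on a CRL.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock so the example is repeatable

def make_ca(common_name="Example Local CA"):
    # Constructed self-signed CA whose key usage allows certificate and CRL signing.
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + timedelta(days=3650))
            .add_extension(x509.KeyUsage(False, False, False, False, False,
                                         True, True, False, False), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_crl(key, ca_cert, crl_number, hours_after=0):
    # Constructed CRL carrying an explicit CRL Number extension (RFC 5280 section 5.2.3).
    this_update = NOW + timedelta(hours=hours_after)
    return (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
            .last_update(this_update).next_update(this_update + timedelta(days=7))
            .add_extension(x509.CRLNumber(crl_number), critical=False)
            .sign(key, hashes.SHA256()))

def crl_number(crl):
    return crl.extensions.get_extension_for_class(x509.CRLNumber).value.crl_number

def check_crl_succession(current, new, ca_cert, now=NOW):
    """Return the reasons the new CRL must be rejected; an empty list means accept it."""
    problems = []
    if new.issuer != ca_cert.subject:
        problems.append("issuer does not match the CA certificate")
    if not new.is_signature_valid(ca_cert.public_key()):
        problems.append("signature does not verify with the CA certificate")
    if crl_number(new) <= crl_number(current):  # the condition ADSS Server reports in core.log
        problems.append(f"new CRL number {crl_number(new)} must be greater than the current one {crl_number(current)}")
    # next_update_utc exists from cryptography 42; older versions return a naive UTC datetime.
    next_update = getattr(new, "next_update_utc", None) or new.next_update.replace(tzinfo=timezone.utc)
    if next_update < now:
        problems.append("nextUpdate has already passed")
    return problems

if __name__ == "__main__":  # a failed database update makes the next publish re-use number 5
    key, ca = make_ca()
    print(check_crl_succession(issue_crl(key, ca, 5), issue_crl(key, ca, 5, hours_after=1), ca))
```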
What is meant by an external CA?
The term “External CA” refers to any CA that is operated by an externally managed certificate service provider to issue certificates for business applications or RA managed services. ADSS Server provides support to work with external CAs like Microsoft CA Server 2003, GlobalSign EPKI, EJBCA, Ascertia ADSS CA Server, and offline external CA. Integration of ADSS Server with other CAs is also possible because ADSS Server uses standard data structures for certificate requests and responses, i.e. PKCS#10 for certificate requests and PKCS#7 for certificate responses. See Manage CAs > Configure External CA for more details.
How to replace an existing local CA?
Once a local CA has been used to issue certificates, ADSS Server restricts deleting it, because a CA remains responsible for publishing CRLs (revocation information) for the certificates it has issued as well as for issuing new ones. However, certain business scenarios require replacing a previously configured CA with a new CA, i.e.:
- The previously configured CA was used for evaluation purposes and needs to be replaced before moving into production.
- The old CA key has been compromised, so its use must be discontinued.
- The existing CA is about to expire, so a new CA must be added in place of the existing one without extending the license.
- Browse the Key Manager > Service Keys module and create a new key with the purpose "Certificate/CRL Signing" and self-certify it, or re-certify an existing key with the same purpose.
- Browse the Manage CAs > Configure Local CA(s) module and edit the details of the local CA that is to be replaced.
- In the "CA Certificate Info" area, change the certificate for this local CA in the "CA Certificate" drop-down by selecting the new certificate created in step 1 from the list.
- Click the "Update" button to save the changes.
How to import a CA and its issued certificates into ADSS Server?
If you need to import a CA and its issued certificates into ADSS Server then follow these instructions:
- If the CA key is held in a Hardware Crypto Device then:
  - Configure that device in ADSS Server. Follow the link for more details:
  - Import the key from the device into ADSS Server. Follow the link for more details:
- If the CA key is held in software (PKCS#12) then import the key into ADSS Server from the Key Manager module. Follow the link for more details:
- Configure this CA key in the Manage CAs module. Follow the link for more details:
- Go to Manage CAs > Configure Local CAs, select the CA and click the Issued Certificates button as shown below:
- On the Issued Certificates page, click the Import Certificates button to import the issued certificates of the CA as shown below:
- Browse to the certificates detail file in the Certificates Detail File Path field and to the zipped certificates in the Certificates Zip File Path field.
The certificates details file should be a CSV in the following format:
- Click OK to complete the action.
- To import a CRL, go to the Manage CAs > Configure Local CAs sub-module, select the CA and click the View CRLs button as shown below:
- Now click the Import CRL button as shown below:
- Browse to the latest CRL for this CA on the file system as shown below:
- Click OK to proceed.
- See details on how to configure the CRL publishing settings for this CA
How to configure a Microsoft CA with ADSS Server?
This section describes how business applications can register users, have ADSS Server generate keys and then have an external Microsoft CA certify these.
This section describes the steps required to configure the ADSS Server certification module (ADSS_msca) within the Internet Information Services (IIS) on the Windows 2003 CA server so that this CA can be used by ADSS Server Certification Service.
For installation and configuration of Windows 2003 Certification Authority (CA) itself, consult the separate ADSS – Microsoft CA 2003 Installation & Configuration Manual.
The Microsoft .NET Framework must be installed on the target server in order to run the ADSS_msca module.
Configuration of ADSS_MSCA module in IIS:
The following steps are required to configure the ADSS_msca module with IIS:
- Unzip and extract the "ADSS_msca.zip" contents into a folder, e.g. "C:\ADSS_msca". This module is present at the location “<ADSS Server installation directory>/support”. ADSS_msca is an application built using ASP.NET; it acts as middleware between the ADSS Server, which requests certificates, and the Windows 2003 CA, which accepts these certificate requests and generates the corresponding certificates.
- Click the "Start" button > Control Panel > Administrative Tools > Internet Information Services (IIS) Manager. The Internet Information Services window opens.
- Expand Web Sites (as shown below):
- Right-click the Default Web Site > New > Virtual Directory. The Directory Creation wizard pops up; click the "Next" button to start the process:
- On the next screen, type the alias "ADSS_msca" and click the "Next" button:
- Browse to "C:\ADSS_msca" as the content to publish for this virtual directory and click OK to select the path. Click Next, then click Finish in the next window to complete the virtual directory creation wizard.
- Right-click the "adss_msca" virtual directory in IIS, click Properties, change the Execute Permissions to "Scripts only" and click OK:
- You will now need to restart Microsoft Internet Information Service.
- Make sure the Microsoft Windows .NET Framework runtime v1 or greater is installed on the machine where the Windows 2003 CA server is deployed.
- Click the "Start" button in the task bar, click "Run", type "C:\windows\system32\certsrv\certdat.inc" and copy the value of the "ServerConfig" global state.
- Edit c:\ADSS\adss_msca\Web.config extracted in step 1 (in Section A.1) and paste the copied value into the add tag as the value of the key "CertificateServer". For example, if the value of "CertificateServer" is "W2K-BSPSIGN.AD.UK\Test CA", the add tag in Web.config will look like this:
- Save and close this file.
- Restart the IIS service