The term “External CA” refers to any CA whose private key does not reside on the ADSS Server. A service URL is registered within ADSS Server so that certification requests can be sent to this CA. Any supported CA can be used, whether it is operated internally or run by a managed certificate service provider; see Manage CAs > Configure External CA for more details.
This section describes how business applications can register users, have ADSS Server generate keys and then have an external Microsoft CA certify these.
This section describes the steps required to configure the ADSS Server certification module (ADSS_MSCA) within Internet Information Services (IIS) on the Windows 2003 CA server so that this CA can be used by the ADSS Server Certification Service.
For installation and configuration of Windows 2003 Certification Authority (CA) itself, consult the separate ADSS – Microsoft CA 2003 Installation & Configuration Manual.
The Microsoft .NET Framework must be installed on the target server in order to run the ADSS_MSCA module.
Configuration of ADSS_MSCA module in IIS:
The following steps are required to configure the ADSS_MSCA module with IIS:
- You will now need to restart Microsoft Internet Information Services (IIS).
Edit c:\ADSS\adss_msca\Web.config (extracted in step 1 of Section A.1) and paste the above value into the add tag as the value of the key "CertificateServer". For example, if the value of "CertificateServer" is "W2K-BSPSIGN.AD.UK\Test CA", then the add tag in Web.config will look like this:
    <appSettings>
      <add key="CertificateServer" value="W2K-BSPSIGN.AD.Test.UK\Test CA" />
    </appSettings>
- Save and close this file.
- Restart the IIS service
The Windows 2003 CA server can be installed on the same machine where ADSS Server is running.
Make sure to change the policy module inside the Windows 2003 CA server to issue certificates automatically before any requests are sent by the ADSS Server. Restart the CA service if this setting is updated.
You will need to configure the ADSS certification policy to point to this web application running on IIS so that ADSS Server can connect to the Windows 2003 CA server. This is described in the ADSS Admin Manual.
delta CRLs published by the Microsoft CA within ADSS Server?
With the default Microsoft CA configuration, ADSS Server fails to download delta CRLs because the delta CRL file name contains a + sign. You can tune the Microsoft CA configuration so that it does not include the + sign in delta CRL file names. Follow these instructions to make the required configuration changes in the MS CA:
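Before changing the CA, it helps to confirm which published CRL Distribution Point URLs actually carry the problematic + sign. The following audit script is an added example, not Ascertia's or Microsoft's code; it assumes HTTP CDP URLs following the Microsoft CA default naming (delta CRLs end in "+.crl") and uses constructed sample URLs.

```python
"""Audit CRL Distribution Point URLs for the Microsoft CA delta CRL '+' suffix."""
import posixpath
from urllib.parse import urlsplit, urlunsplit


def crl_file_name(url: str) -> str:
    """Return the final path component of a CDP URL, i.e. the CRL file name."""
    return posixpath.basename(urlsplit(url).path)


def is_delta_crl(url: str) -> bool:
    """Microsoft CA names delta CRLs '<CA name>+.crl' by default."""
    return crl_file_name(url).lower().endswith("+.crl")


def encode_plus(url: str) -> str:
    """Return the URL with a literal '+' in the path percent-encoded as %2B,
    the RFC 3986 form that is unambiguous to any HTTP client."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(path=parts.path.replace("+", "%2B")))


def audit_cdp_urls(urls):
    """Return (url, kind, fetch_url) per entry; entries whose file name
    contains '+' are the ones ADSS Server cannot download as published."""
    report = []
    for url in urls:
        name = crl_file_name(url)
        if is_delta_crl(url):
            kind = "delta (contains '+')"
        elif "+" in name:
            kind = "other (contains '+')"
        else:
            kind = "base"
        fetch = encode_plus(url) if "+" in name else url
        report.append((url, kind, fetch))
    return report


# Constructed sample CDP URLs modelled on the Microsoft CA default layout.
SAMPLE_CDP_URLS = [
    "http://pki.example.test/CertEnroll/Test%20CA.crl",
    "http://pki.example.test/CertEnroll/Test%20CA+.crl",
]

if __name__ == "__main__":
    for url, kind, fetch in audit_cdp_urls(SAMPLE_CDP_URLS):
        print(f"{kind:22} {url} -> {fetch}")
```

Run it against the CDP URLs taken from a certificate issued by the CA; any entry reported as containing '+' is a delta CRL name that the CA tuning described above needs to change.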