If you need to import a CA and its issued certificates into ADSS Server then follow these instructions:

  1. If the CA key is held in a Hardware Crypto Device then:
    1. Configure that device in ADSS Server. Follow the link for more details: 
      http://manuals.ascertia.com/ADSS-Admin-Guide/default.aspx#pageid=creating_a_new_hardware_crypto_profile
    2. Import the key from device in ADSS Server. Follow the link for more details: 
      http://manuals.ascertia.com/ADSS-Admin-Guide/default.aspx#pageid=importing_existing_keys
  2. If the CA key is held in software (PKCS#12) then import the key into ADSS Server from the Key Manager module. Follow the link for more details: 
    http://manuals.ascertia.com/ADSS-Admin-Guide/default.aspx#pageid=importing_keys
  3. Configure this CA key in Manage CAs module. Follow the link for more details: 
    http://manuals.ascertia.com/ADSS-Admin-Guide/default.aspx#pageid=configuring_the_adss_ca_module
  4. Go to Manage CAs > Configure Local CAs, select the CA and click the Issued Certificates button as shown below:



  5. On the Issued Certificates page, click the Import Certificates button to import the issued certificates of the CA as shown below:



  6. Browse to the certificates detail file in the Certificates Detail File Path field and to a zip archive containing the certificates in the Certificates Zip File Path field.



    The certificates details file should be a CSV in the following format:



  7. Click OK to complete the action.
  8. To import a CRL, go to the Manage CAs > Configure Local CAs sub-module, select the CA and click the View CRLs button as shown below:



  9. Now click the Import CRL button as shown below:



  10. Browse to the latest CRL issued by this CA on the file system as shown below. Import only the most recent CRL; an older one would leave revocations published since then unknown to ADSS Server:



  11. Click OK to proceed.
  12. See the details of how to configure the CRL publishing settings for this CA.

How to configure a Microsoft CA with ADSS Server?

Prior to configuring a Microsoft CA with ADSS Server, the operator must make sure that the Microsoft CA has been properly installed and deployed by following Microsoft's instructions. ADSS Server supports Microsoft CA on Windows Server 2012, 2016 and 2019. Follow these instructions to configure a Microsoft CA with ADSS Server: 

Generate TLS Server Certificate to secure the Microsoft Web Enrollment site:

The following steps are required to request a TLS server certificate from the Microsoft CA:

  • Press Win+R to open the run dialog.



  • Type certlm.msc and click OK to launch the Certificate Manager tool for the local computer store:
     
     

  • Expand the Personal folder in the left pane.
  • Right-click the Certificates folder and select All Tasks > Request New Certificate:



    Following screen will be shown:



  • Click the Next button:
     
  • Select the Computer template and click the Enroll button:



  • Click the Finish button to close the dialog; the newly enrolled certificate will be shown:



Configure Internet Information Services (IIS):

The following steps are required to configure IIS:

Bind TLS Certificate

To bind a TLS server certificate in Microsoft IIS, perform the following steps:

  • Press WIN+R to open the Run dialog and type INETMGR to launch the Internet Information Services (IIS) Manager
  • In the left pane of IIS Manager, click the server name
  • Right-click Sites > Default Web Site and select Edit Bindings


  • In the Site Bindings window, select the https binding and click the Edit button:



  • From the SSL Certificate drop-down, select the Friendly Name of the TLS server certificate generated in the earlier step:


  • Click OK to close the edit dialog 
  • Click Close on the Site Bindings dialog

Enable Basic Authentication for Site

Ensure that Basic Authentication is enabled for the CertEnroll virtual directory and the CertSrv application. Basic Authentication sends the domain user's password with every request, so it must only ever be offered over the https binding configured above:

  • Select the option Sites > Default Web Site > CertSrv
    • In the center panel under IIS, double-click Authentication:



    • Ensure that Basic Authentication is enabled, if it is not enabled then right-click Basic Authentication and select the option Enable:


  • Select the option Sites > Default Web Site > CertEnroll
    • In the center panel under IIS, double-click Authentication:



    • Ensure that Basic Authentication is enabled, if it is not enabled then right-click Basic Authentication and select the option Enable:



Test the Web Enrollment Page

  • Launch Internet Explorer and open the Web Enrollment URL, e.g.: 

    https://[Full Qualified Server Name]/certsrv/

  • Ensure that you can log in with the Windows domain user created for ADSS Server to request certificates

Configure Active Directory Certificate Template:

Because ADSS Server sends the Subject Distinguished Name in the Certificate Signing Request (CSR) to Active Directory Certificate Services Web Enrollment, each certificate template that ADSS Server will request certificates from needs the following changes:

  • Click Start > Administrative Tools > Certification Authority
  • Expand the CA node and right-click Certificate Templates > Manage:



    • The Certificate Templates Console will display; right-click the template you wish to issue from and select Duplicate Template:


    • The properties of the new template will display; select the General tab and enter a new unique name in the Template display name field:


    • Select the Subject Name tab and select the radio button Supply in the request. A warning will display immediately; click OK to close it. The warning is worth heeding: with this setting the CA no longer builds the subject from Active Directory, so any principal allowed to enroll on this template can request a certificate for a subject of its choosing. The Security tab below is where that is contained:

       

    • Select the Security tab and ensure that the requester has the Enroll permission. The original guidance grants Enroll to Domain Users; because the template takes its subject from the request, a narrower grant to the domain account that ADSS Server authenticates to Web Enrollment with is preferable, and Domain Users can be left without Enroll:


    • Click OK to close the template; the new template will appear in the Certificate Templates Console:


       
    • Close the Certificate Template Console

  • In the Certification Authority MMC, right-click Certificate Templates and select New > Certificate Template to Issue:



    • The Enable Certificate Templates dialog will display; select the new certificate template from the list and click OK:



    • The new template will now appear in the list for the Certification Authority:
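The IIS and template steps above are all done by hand in MMC, so it is easy to miss one. The following PowerShell script is an added example, not part of the Ascertia or Microsoft documentation, that checks the end state on the Web Enrollment host: an https binding backed by a valid certificate, Basic Authentication on /CertSrv and /CertEnroll, a template flagged for "Supply in the request", who holds Enroll on it, and a Basic-authenticated request to /certsrv/. The template name, site name and enrollment account are assumed placeholders and must be changed; the Enroll extended-right GUID and the ENROLLEE_SUPPLIES_SUBJECT flag value are Active Directory constants.

```powershell
#Requires -RunAsAdministrator
# Added example: verify the Web Enrollment prerequisites for ADSS Server.
# Run on the CA / Web Enrollment server with the WebAdministration and
# ActiveDirectory modules (IIS and RSAT-AD-PowerShell) installed.
Import-Module WebAdministration
Import-Module ActiveDirectory

$SiteName      = 'Default Web Site'
$TemplateName  = 'ADSSWebServer'              # ASSUMED: name of the duplicated template
$EnrollAccount = "$env:USERDOMAIN\svc-adss"   # ASSUMED: domain account used by ADSS Server
$CaFqdn        = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

$findings = @()

# 1. https binding present and backed by a certificate in LocalMachine\My
$https = Get-WebBinding -Name $SiteName -Protocol https | Select-Object -First 1
if (-not $https) {
    $findings += "No https binding on '$SiteName'"
} else {
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $https.certificateHash
    if (-not $cert) {
        $findings += "https binding references thumbprint $($https.certificateHash), which is not in LocalMachine\My"
    } elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $findings += "TLS server certificate expires on $($cert.NotAfter)"
    }
}

# 2. Basic Authentication enabled on the two Web Enrollment paths
foreach ($app in 'CertSrv', 'CertEnroll') {
    $basic = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName\$app" `
        -Filter 'system.webServer/security/authentication/basicAuthentication' -Name enabled
    if (-not [bool]$basic.Value) { $findings += "Basic Authentication is disabled on /$app" }
}

# 3. Template: subject supplied in the request, and who is allowed to enroll
$cfgNC = (Get-ADRootDSE).configurationNamingContext
$tpl = Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNC" `
    -LDAPFilter "(|(cn=$TemplateName)(displayName=$TemplateName))" `
    -Properties msPKI-Certificate-Name-Flag, nTSecurityDescriptor
if (-not $tpl) {
    $findings += "Template '$TemplateName' not found in Active Directory"
} else {
    $ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag bit set by "Supply in the request"
    if (-not ($tpl.'msPKI-Certificate-Name-Flag' -band $ENROLLEE_SUPPLIES_SUBJECT)) {
        $findings += "Template '$TemplateName' does not have 'Supply in the request' enabled"
    }
    $EnrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
    $enrollers = $tpl.nTSecurityDescriptor.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ObjectType -eq $EnrollRight -or $_.ObjectType -eq [guid]::Empty) -and
        ($_.ActiveDirectoryRights -match 'ExtendedRight|GenericAll')
    } | ForEach-Object { $_.IdentityReference.Value }
    # The subject comes from the requester, so a broad Enroll grant lets any member
    # of that group obtain a certificate for an arbitrary subject.
    $broad = $enrollers | Where-Object { $_ -match 'Domain Users|Authenticated Users|Everyone|Domain Computers' }
    if ($broad) {
        $findings += "Enroll on '$TemplateName' is granted to broad group(s): $($broad -join ', '); restrict it to $EnrollAccount"
    }
    if ($enrollers -notcontains $EnrollAccount) {
        $findings += "$EnrollAccount does not hold Enroll on '$TemplateName' (holders: $($enrollers -join ', '))"
    }
}

# 4. Basic-authenticated request to the enrollment page, as ADSS Server will make it
$cred = Get-Credential -UserName $EnrollAccount -Message 'Password of the ADSS enrollment account'
try {
    $resp = Invoke-WebRequest -Uri "https://$CaFqdn/certsrv/" -Credential $cred -UseBasicParsing
    if ($resp.StatusCode -ne 200) { $findings += "https://$CaFqdn/certsrv/ returned HTTP $($resp.StatusCode)" }
} catch {
    $findings += "Request to https://$CaFqdn/certsrv/ failed: $($_.Exception.Message)"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host "Web Enrollment on $CaFqdn is ready for ADSS Server with template '$TemplateName'." }
```

Every warning maps to one of the manual steps above (binding, authentication, template flag, template ACL, login test), so a clean run means the Microsoft side is complete before the ADSS Server side is configured. The ACL check treats an ACE on the generic object (empty ObjectType) with ExtendedRight or GenericAll as granting Enroll too, since those also permit enrollment.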


 

Configure ADSS Server:

Launch the web browser and open the URL (https://[Host Machine]:8774/adss/console) to access the ADSS Server Console:

  • The browser prompts you to select the TLS client authentication certificate
  • Select the relevant certificate and click OK to log in to the ADSS Server Console (provide the admin PFX password if prompted/required as per security policy)

Registering Issuing CA in Trust Manager

To register the Issuing CA in Trust Manager, follow the instructions below:

  • Navigate to the Trust Manager screen:



  • Click the New button; the following screen will be displayed:


  • Click the Browse button (or the Choose File button if Browse does not appear)
  • Select the Issuing CA certificate file, e.g. ACME Corporate Issuing CA2.cer
  • Enable the option CA (will be used to verify other certificates and CRLs) and then click Next:


  • On the Validation Policy tab, select CRL as the Primary Method and CDP as the Selected Method, so that ADSS Server fetches revocation data from the CRL Distribution Point embedded in the issued certificates
  • Click Next, complete the rest of the wizard with the default options and click Save on the last screen
  • Restart the ADSS Server instance from the Windows Services panel / Linux daemon for the changes to take effect

Configure External CA:

To configure an External CA in ADSS Server, follow the instructions below:

  • Navigate to the Manage CAs > External CAs screen
  • Click the New button; the following screen will be displayed:



  • Select Microsoft CA as the External CA in the CA Type drop-down. Once selected, enter the connection details of the External CA in the respective fields as explained below:
    • Enter the CA Alias, an operator-defined unique name for easy management of certificate authorities within ADSS Server
    • Select the Issuing CA registered in Trust Manager in the CA Certificate field
    • Specify the URL at which this CA accepts certificate request messages in the CA Address field, i.e. the https Web Enrollment URL configured above
    • Specify the name of the Microsoft certificate template deployed on the Microsoft CA machine. This template defines the content of the certificates to be generated
    • Under User Name specify the domain user name
    • Under Password specify the domain user's password. ADSS Server presents these credentials to Web Enrollment using Basic Authentication, which is why the CA Address must use https
  • Click the Save button to save the changes

 

Configure ADSS Certification Service:

To configure the External CA in the Certification Service, follow the instructions below:

  • Navigate to Certification Service > Certification Profiles; the following screen appears:



  • Click the New button to create a new certification profile; the following screen appears:



  • Fill in the fields as follows: 
    • Enter the Profile name, an operator-defined unique name for easy management of certification profiles within ADSS Server
    • Under the CA Details section, select the option "Use External online CA" and select the newly configured Microsoft External CA
    • Click the Save button to save the profile

 

Register Client in Client Manager

To register a Client in the Client Manager module, follow the instructions below:

  • Navigate to the Client Manager module on the ADSS Server Console; the following screen appears:



  • Either create a new client or edit an existing client, then select the newly created certification profile and move it to the Selected Certificate Profiles list using the >> button:



  • Click the Save button.
  • Navigate to the Certification Service > Service Manager screen and click the Restart button for the changes to take effect.

How to configure DigiCert PKI External CA with ADSS Server?

DigiCert PKI can be configured with ADSS Server to act as an External CA. Configuration of DigiCert PKI with ADSS Server can be divided into two main sections:

  • Generation of an API key on the DigiCert PKI Platform 
  • Configuration of DigiCert PKI in ADSS Server

Each of these are explained below:

Generate API Key on DigiCert PKI Platform:

An API Key must first be generated on the DigiCert PKI admin portal; it is later referenced in the ADSS Server configuration. Follow the instructions below to generate the API Key:

  1. Access the PKI Manager admin portal; you will see a settings icon (in blue) at the bottom of the screen:



  2. Clicking the Settings icon will show the following options:



  3. Clicking the Manage API Key link leads to the screen where the required API Key can be created: 



  4. Clicking the Add api key link at the top of the screen will show the following options:



  5. Set a Friendly name for the API key for easy recognition and click the Save button. This saves the name and also generates the API Key, which is displayed on the screen as shown below:



  6. Once the API Key is generated it must be copied immediately, since the operator will not be able to view it again. Treat it as a credential: store it only in a password manager or secrets vault, never in plain-text notes or shared documents. This API Key is used while configuring DigiCert in ADSS Server under the Manage CAs module.

  7. ADSS Server authenticates to the DigiCert PKI CA with this API Key when it creates, renews and revokes certificates, so anyone holding the key can do the same.

Configure DigiCert PKI in ADSS Server:

Once an API Key has been generated on the DigiCert PKI Platform, it can be referenced within ADSS Server. To configure DigiCert PKI in ADSS Server, follow these instructions:

  1. Launch the web browser and open the URL (https://[Host Machine]:8774/adss/console) to access the ADSS Server Console

    1. The browser prompts you to select the TLS client authentication certificate

    2. Select the relevant certificate and click OK to log in to the ADSS Server Console (provide the admin PFX password if prompted/required as per security policy)
     
  2. Navigate to the Trust Manager screen and register the DigiCert High Assurance EV Root CA and the DigiCert SHA2 Extended Validation Server CA in Trust Manager, one by one, by following these instructions:

     

    1. Click the New button; the following screen will be displayed:



    2. Click the Choose File button (or the Browse button if Choose File does not appear) and select the [Certificate File] 

    3. Enable the option "CA (will be used to verify other certificates and CRLs)" and then click Next 

    4. Complete the rest of the wizard with the default options and click Save on the last screen

  3. Restart the ADSS Server Windows services or Linux daemons for the changes to take effect.

  4. Navigate to Manage CAs > External CAs screen:

     

  5. Click the New button and fill in the following details:



  6. Select DigiCert PKI as the External CA in the CA Type drop-down. Once selected, enter the connection details of the External CA in the respective fields as explained below:

    1. Enter the CA Alias, an operator-defined unique name for easy management of certificate authorities within ADSS Server.

    2. Select the issuing CA, DigiCert SHA2 Extended Validation Server CA, in the CA Certificate field; it was registered in Trust Manager in the previous steps.

    3. Specify the URL at which this CA accepts certificate request messages in the CA Address field.

    4. Specify the API Key generated by the operator on the DigiCert PKI admin portal in the API Key field.

    5. Select the profile configured on the DigiCert PKI admin portal from the Profile drop-down.

  7. Click the Save button to save the changes.