Configuring public URLs of AIA and CDP addresses if ADSS Server is running in MZ

AIA -> OCSP Responder

If you are running the ADSS Server in the MZ (Militarized Zone) and you want to redirect the AIA (OCSP) requests arriving at the DMZ (Demilitarized Zone) machine to the ADSS Server, follow these instructions:

  1. Create a website (e.g. http://ocsp.ascertia.com) in IIS on the MZ machine and set its Physical Path to C:\inetpub\wwwroot
  2. Configure the AJP Connector for this website as documented in Appendix A of the SigningHub Installation Guide
  3. Go to the C:\tomcat_iis_connector\conf directory, edit the file uriworkermap.properties and change the worker2 mapping from adss/*=worker2 to /*=worker2
  4. Edit the workers.properties.minimal file and set worker.worker1.host and worker.worker2.host to the ADSS Server machine name/IP instead of localhost
  5. Restart the IIS service and access the website (e.g. http://ocsp.ascertia.com). If it shows the blue page shown below, the configuration is correct; then send an OCSP request to double-check it
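The two connector edits in steps 3 and 4 are easy to get half right (for example, changing the mapping but leaving a worker host at localhost, so the DMZ-side IIS forwards OCSP requests to itself). The following pre-flight check is an added example written for this page; it is not part of the ADSS Server or Tomcat connector software. It parses Java .properties text and flags a uriworkermap.properties that does not map /* to worker2, or a workers.properties.minimal in which any worker host still points at localhost. The sample file contents, the AJP port values and the ADSS Server host name are constructed for the example.

```python
"""Pre-flight check for the Tomcat IIS connector files edited in steps 3 and 4.

Added example, not Ascertia's or the connector's code. The file names and the
worker2 mapping come from the steps above; the sample contents are constructed.
"""
import re


def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser: key=value or key:value; '#'/'!' start comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_connector_config(uriworkermap_text: str, workers_text: str) -> list:
    """Return human-readable findings; an empty list means steps 3 and 4 are applied."""
    findings = []

    # Step 3: the whole OCSP site must be handed to worker2, not only the ADSS path.
    mappings = parse_properties(uriworkermap_text)
    if mappings.get("/*") != "worker2":
        findings.append("uriworkermap.properties: expected /*=worker2 so every request "
                        "on the OCSP site reaches ADSS Server")
    for key in ("/adss/*", "adss/*"):
        if key in mappings:
            findings.append(f"uriworkermap.properties: remove the ADSS-only mapping "
                            f"{key}={mappings[key]}")

    # Step 4: every worker.<name>.host must name the ADSS Server machine.
    workers = parse_properties(workers_text)
    for key, value in workers.items():
        if key.startswith("worker.") and key.endswith(".host"):
            if value.lower() in ("localhost", "127.0.0.1", "::1"):
                findings.append(f"workers.properties.minimal: {key} still points at "
                                f"{value}; set it to the ADSS Server machine name/IP")
    return findings


# Constructed "before" contents: ADSS-only mapping and workers pointing at the
# local machine (the AJP port values are assumptions, not from the page).
BEFORE_URIWORKERMAP = "/adss/*=worker2\n"
BEFORE_WORKERS = """\
worker.list=worker1,worker2
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=8009
worker.worker2.type=ajp13
worker.worker2.host=localhost
worker.worker2.port=8009
"""

# Constructed "after" contents matching steps 3 and 4 (host name is an assumption).
AFTER_URIWORKERMAP = "/*=worker2\n"
AFTER_WORKERS = BEFORE_WORKERS.replace("localhost", "adss-server.example.internal")


if __name__ == "__main__":
    for label, (uri, workers) in {"before": (BEFORE_URIWORKERMAP, BEFORE_WORKERS),
                                  "after": (AFTER_URIWORKERMAP, AFTER_WORKERS)}.items():
        print(label, check_connector_config(uri, workers) or "OK")
```

Run it against the real files by reading C:\tomcat_iis_connector\conf\uriworkermap.properties and workers.properties.minimal into the two arguments; an empty result means the connector is configured as steps 3 and 4 describe, and the OCSP request in step 5 becomes the end-to-end confirmation.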

CDP and AIA -> CA Cert

If you are running the ADSS Server in the MZ (Militarized Zone) and you want to redirect the CDP (CRL) and CA certificate requests arriving at the DMZ (Demilitarized Zone) machine to the ADSS Server, follow these instructions:

  1. Create a directory on the MZ machine file system (e.g. C:\data) and grant Read permission to the IUSR user on this directory
  2. Create a website (e.g. http://downloads.ascertia.com) in IIS on the MZ machine and set its Physical Path to C:\data
  3. Create two directories in C:\data: C:\data\crls and C:\data\certs
  4. Share the C:\data\crls directory over the network and configure the shared path (e.g. \\mz-server\data\crls) in the Manage CAs > Local CAs module for the respective CA, so that it publishes its CRLs to this path
  5. Run the ADSS Server Console and Core services under a Windows user who has access to this shared path (e.g. administrator). Click here for details.
  6. After the services restart, publish the CRLs from the Manage CAs > Local CAs module; the CRLs will be published to the shared directory (e.g. \\mz-server\data\crls)
  7. Put the issuer certificates in the C:\data\certs directory
  8. Access these URLs from the internet to check that it is working (e.g. http://downloads.ascertia.com/crls/crl-file-name.crl and http://downloads.ascertia.com/certs/ca-cert-file-name.cer)

CRL is not publishing for the Local CA [current and new CRL numbers are the same]

This situation arises when a database update failed while the last CRL was being published. ADSS Server then logs an error in core.log stating that the new CRL number must be greater than the current one. The error message in core.log looks like the following:

core.log error:

    [CA Name] CRL invalid because new CRL's CRLNumber '5' is not greater than the current CRL's CRLNumber '5'
    Failed to update CRL in database : CRL invalid because new CRL's CRLNumber '5' is not greater than the current CRL's CRLNumber '5'


Follow these steps to resolve this issue:

  1. Connect to the ADSS Server database and execute the following SQL query, replacing [new CRL number] with the next CRL number (6 in this example) and [CA name from Manage CAs > Local CAs] accordingly:

    UPDATE LocalCertificateAuthorities SET CrlNo = [new CRL number] where Id = [CA name from Manage CAs > Local CAs]

  2. Now go to Manage CAs > Local CAs
  3. Click the CA Name for which the problem is occurring. Clicking the Publish CRL Now button will publish the CRL with the next CRL number
  4. Restart the ADSS Server Core from the Server Manager module for the changes to take effect
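The number to put in the UPDATE statement is read off the core.log error, and a typo there (a number that is not strictly greater than the stored one) simply reproduces the failure on the next publish. The following script is an added example for this page, not Ascertia's code: it parses the core.log message shown above, works out the value the next publish will be accepted with (stored CRL number + 1), and returns the resolution step's UPDATE as a parameterised statement rather than SQL text with numbers pasted in. The table and column names come from the step above; the '?' parameter style, the CA name and the sample log lines are constructed.

```python
"""Derive the next CRL number from the core.log error and build the fix statement.

Added example, not ADSS Server code. LocalCertificateAuthorities / CrlNo / Id are
taken from the resolution step above; sample log lines are constructed.
"""
import re
from typing import Iterable, Optional, Tuple

# Message ADSS Server writes when the new CRL number is not greater than the stored one.
_CRL_ERROR = re.compile(
    r"new CRL's CRLNumber '(?P<new>\d+)' is not greater than "
    r"the current CRL's CRLNumber '(?P<current>\d+)'"
)


def parse_crl_number_error(line: str) -> Optional[Tuple[int, int]]:
    """Return (attempted_new, stored_current) for one core.log line, or None if it is not this error."""
    m = _CRL_ERROR.search(line)
    if not m:
        return None
    return int(m.group("new")), int(m.group("current"))


def next_crl_number(log_lines: Iterable[str]) -> Optional[int]:
    """Scan core.log lines and return the CrlNo to store so the next publish is accepted.

    Uses the highest stored number seen (the log may repeat the error), plus one.
    Returns None when the error is not present at all.
    """
    current = None
    for line in log_lines:
        parsed = parse_crl_number_error(line)
        if parsed:
            _, stored = parsed
            current = stored if current is None else max(current, stored)
    return None if current is None else current + 1


def build_update(ca_id: str, new_crl_no: int, current_crl_no: int) -> Tuple[str, tuple]:
    """Return (sql, params) for the resolution step.

    Refuses a value that is not strictly greater than the stored one, which is
    exactly the condition ADSS Server enforces when it publishes the CRL.
    """
    if new_crl_no <= current_crl_no:
        raise ValueError(f"new CRL number {new_crl_no} must exceed the current {current_crl_no}")
    sql = "UPDATE LocalCertificateAuthorities SET CrlNo = ? WHERE Id = ?"
    return sql, (new_crl_no, ca_id)


# Constructed core.log extract in the message format quoted above; the CA name is made up.
SAMPLE_CORE_LOG = [
    "[Ascertia Test CA] CRL invalid because new CRL's CRLNumber '5' is not greater "
    "than the current CRL's CRLNumber '5'",
    "Failed to update CRL in database : CRL invalid because new CRL's CRLNumber '5' "
    "is not greater than the current CRL's CRLNumber '5'",
]


if __name__ == "__main__":
    n = next_crl_number(SAMPLE_CORE_LOG)
    print(build_update("Ascertia Test CA", n, n - 1))
```

Feed the (sql, params) pair to the database driver's execute() call for the ADSS Server database; the CA identifier is whatever Manage CAs > Local CAs shows for the affected CA, as in the step above.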

What is meant by an external CA? 

The term "External CA" refers to any CA that is operated by an externally managed certificate service provider to issue certificates for business applications or RA-managed services. ADSS Server supports working with external CAs such as Microsoft CA Server 2003, GlobalSign EPKI, EJBCA, Ascertia ADSS CA Server, and an offline external CA. Integration of ADSS Server with other CAs is also possible because ADSS Server uses standard data structures for certificate requests and responses, i.e. PKCS#10 for certificate requests and PKCS#7 for certificate responses. See Manage CAs > Configure External CA for more details.

Note: Microsoft CA Server 2008 and 2012 are not supported.

How to replace an existing local CA?

When a local CA has already been used to issue certificates, ADSS Server restricts deleting it, because a CA remains responsible for publishing CRLs (revocation information) as well as issuing new certificates. However, certain business scenarios require replacing a previously configured CA with a new CA, i.e.

  • The previously configured CA was used for evaluation purpose, and needs to be replaced before moving into production.
  • The old CA key has been compromised, so its usage should be discontinued.
  • The existing CA is about to expire. So there is a requirement to add a new CA in place of an existing CA, without extending the license.

Workaround:

  1. Browse to the Key Manager > Service Keys module and create a new key with the purpose "Certificate/CRL Signing" and self-certify it, or re-certify an existing key with the same purpose.
  2. Browse to the Manage CAs > Configure Local CA(s) module and edit the details of the local CA that is to be replaced.
  3. In the "CA Certificate Info" area, change the certificate for this local CA in the "CA Certificate" drop-down: select the new certificate created in step 1 from the list.
  4. Click the "Update" button to save the changes.

Important Considerations:

  • If a CA is renewed with the same details (e.g. Subject Information, key pair), then all certificates previously issued by this CA remain valid.
  • If a new key is used to sign the CA certificate, then all certificates previously issued by this CA become invalid.
  • The CA that has been marked as "Default" cannot be deleted.

How to import a CA and its issued certificates into ADSS Server?

If you need to import a CA and its issued certificates into ADSS Server, follow these instructions:

  1. Create a ZIP file containing all the Base64-encoded certificates issued by the CA. Note that the ZIP must contain only certificate files and no folders

  2. Download the following sample CertificateDetail.xlsx file, or create a new certificate detail file using the following schema, and fill in the details accordingly:

    Field Name | Data Type | Constraint | Description
    ALIAS | Number | NOT NULL | A unique identifier for the certificate (as provided by the client application within the request message).
    ISSUANCE_DATE | Date | NOT NULL | The certificate "valid from" date/time in UTC format, e.g. 2019-06-27 16:33:48
    CERT_FILE | General | NOT NULL | Name of the certificate file inside the certificates ZIP file
    EXPIRY_DATE | Date | NOT NULL | The certificate "valid to" date/time in UTC format, e.g. 2019-06-27 16:33:48
    REVOCATION_DATE | Date | NULL | If Status is 'REVOKED', this contains the certificate revocation date/time in UTC format, e.g. 2019-06-27 16:33:48. If Status is 'GOOD', this is set to Null.
    REVOCATION_REASON | General | NULL | The reason for which the certificate was revoked. This corresponds to the "Reason Code" CRL entry extension; the value must be one of the valid reason codes defined in RFC 5280.
  3. Download the latest CRL of the CA
  4. Import the CA private key into ADSS Server by following these instructions:
    1. Launch the ADSS Server Console and navigate to the Key Manager screen
    2. If the CA key is held in a hardware crypto device:
      1. Navigate to the Key Manager > Crypto Source screen and configure this hardware crypto device
      2. Navigate to the Key Manager > Service Keys screen and use the Import Key button to import the key, providing the details accordingly in the Import Key screen
    3. If the CA key is held in software (PKCS#12), navigate to the Key Manager > Service Keys screen and use the Import Key button to import the key, providing the details accordingly in the Import Key screen

  5. Configure the newly imported CA as a Local CA in ADSS Server by following these instructions:
    1. Navigate to the Manage CAs > Local CAs screen and click the New button; the following screen will be shown:
    2. Fill in the details and click the OK button to save the changes

  6. Import the issued certificates by following these instructions:
    1. Select the newly configured CA and click the Issued Certificates button as shown below:
    2. On the Issued Certificates page, click the Import Certificates button to import the issued certificates of the CA as shown below:
    3. Browse to the certificate detail file in the Certificates Detail File Path field and to the zipped certificates in the Certificates Zip File Path field.
    4. Click OK to complete the action.

  7. Import the CRL for the CA by following these instructions:
    1. Navigate to the Manage CAs > Configure Local CAs sub-module
    2. Select the CA and click the View CRLs button as shown below:
    3. Click the Import CRL button as shown below:
    4. Browse to the latest CRL for this CA on the file system as shown below:
    5. Click OK to proceed.
    6. See details on how to configure the CRL publishing settings for this CA
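The certificate detail file in step 2 is where imports usually fail: a missing NOT NULL value, a timestamp in the wrong format, a revocation reason that is not an RFC 5280 code, or a CERT_FILE name that is not in the ZIP from step 1. The validator below is an added example written for this page (it is not part of ADSS Server) that checks rows against that schema before step 6 is attempted. Rows are passed in as dicts with the schema's column names rather than read from the .xlsx, so it runs without any spreadsheet library; the sample rows and ZIP listing are constructed, and it assumes, following the Status wording in the schema, that a certificate is REVOKED exactly when REVOCATION_DATE is present and that REVOCATION_REASON is empty for a GOOD certificate.

```python
"""Validate certificate detail rows against the step 2 schema before import.

Added example, not ADSS Server code. Column names come from the schema above;
the RFC 5280 CRLReason table is from RFC 5280 section 5.3.1; sample data is constructed.
"""
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# CRLReason values defined in RFC 5280, section 5.3.1 (value 7 is unused).
RFC5280_REASONS = {
    "unspecified": 0, "keyCompromise": 1, "cACompromise": 2,
    "affiliationChanged": 3, "superseded": 4, "cessationOfOperation": 5,
    "certificateHold": 6, "removeFromCRL": 8, "privilegeWithdrawn": 9,
    "aACompromise": 10,
}
TIMESTAMP_FORMAT = "%Y-%m-%d %H:%M:%S"   # UTC, e.g. 2019-06-27 16:33:48


def _parse_ts(value: Optional[str]) -> Optional[datetime]:
    """Parse the schema's UTC timestamp; None/'' means the cell is null."""
    return None if value in (None, "") else datetime.strptime(str(value), TIMESTAMP_FORMAT)


def _valid_reason(value) -> bool:
    """Accept either the RFC 5280 reason name or its numeric code."""
    if isinstance(value, int):
        return value in RFC5280_REASONS.values()
    text = str(value).strip()
    if text.isdigit():
        return int(text) in RFC5280_REASONS.values()
    return text in RFC5280_REASONS


def validate_row(row: Dict[str, object], zip_entries: Iterable[str]) -> List[str]:
    """Return the problems found in one row; an empty list means the row is importable."""
    errors = []
    for field in ("ALIAS", "ISSUANCE_DATE", "CERT_FILE", "EXPIRY_DATE"):
        if row.get(field) in (None, ""):
            errors.append(f"{field} is NOT NULL but missing")
    if row.get("ALIAS") not in (None, "") and not str(row["ALIAS"]).isdigit():
        errors.append("ALIAS must be a number")
    if row.get("CERT_FILE") and row["CERT_FILE"] not in set(zip_entries):
        errors.append(f"CERT_FILE {row['CERT_FILE']!r} is not in the certificates ZIP")
    try:
        issued = _parse_ts(row.get("ISSUANCE_DATE"))
        expires = _parse_ts(row.get("EXPIRY_DATE"))
        revoked_at = _parse_ts(row.get("REVOCATION_DATE"))
    except ValueError as exc:
        return errors + [f"bad timestamp (expected YYYY-MM-DD HH:MM:SS UTC): {exc}"]
    if issued and expires and expires <= issued:
        errors.append("EXPIRY_DATE must be after ISSUANCE_DATE")
    reason = row.get("REVOCATION_REASON")
    if revoked_at is None:
        # Status GOOD: assumption for this example that no reason may be present either.
        if reason not in (None, ""):
            errors.append("REVOCATION_REASON set but REVOCATION_DATE is null (status GOOD)")
    else:
        if issued and revoked_at < issued:
            errors.append("REVOCATION_DATE is before ISSUANCE_DATE")
        if reason not in (None, "") and not _valid_reason(reason):
            errors.append(f"REVOCATION_REASON {reason!r} is not an RFC 5280 CRLReason")
    return errors


def validate_rows(rows: Iterable[Dict[str, object]], zip_entries: Iterable[str]) -> Dict[str, List[str]]:
    """Map each problematic row's ALIAS (or 'rowN' when ALIAS is missing) to its problems."""
    entries = list(zip_entries)
    result = {}
    for i, row in enumerate(rows):
        problems = validate_row(row, entries)
        if problems:
            result[str(row.get("ALIAS") or f"row{i}")] = problems
    return result


# Constructed sample data: one GOOD row, one REVOKED row, one row with three defects
# (file missing from the ZIP, expiry equal to issuance, reason set on a GOOD certificate).
SAMPLE_ZIP_ENTRIES = ["1001.cer", "1002.cer"]
SAMPLE_ROWS = [
    {"ALIAS": "1001", "ISSUANCE_DATE": "2019-06-27 16:33:48", "CERT_FILE": "1001.cer",
     "EXPIRY_DATE": "2021-06-27 16:33:48", "REVOCATION_DATE": None, "REVOCATION_REASON": None},
    {"ALIAS": "1002", "ISSUANCE_DATE": "2019-06-27 16:33:48", "CERT_FILE": "1002.cer",
     "EXPIRY_DATE": "2021-06-27 16:33:48", "REVOCATION_DATE": "2020-01-10 08:00:00",
     "REVOCATION_REASON": "keyCompromise"},
    {"ALIAS": "1003", "ISSUANCE_DATE": "2019-06-27 16:33:48", "CERT_FILE": "1003.cer",
     "EXPIRY_DATE": "2019-06-27 16:33:48", "REVOCATION_DATE": None, "REVOCATION_REASON": "7"},
]

if __name__ == "__main__":
    for alias, problems in validate_rows(SAMPLE_ROWS, SAMPLE_ZIP_ENTRIES).items():
        print(alias, problems)
```

To use it on a real detail file, read each spreadsheet row into a dict keyed by the column names above and pass zipfile.ZipFile(path).namelist() as the ZIP listing; the names in that listing also show at a glance whether the ZIP violates the step 1 rule of containing no folders.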

How to configure a Microsoft CA with ADSS Server?

Prior to configuring Microsoft CA with ADSS Server, the operator must make sure that Microsoft CA has been properly installed and deployed by following Microsoft's instructions. ADSS Server supports Microsoft CA 2012, 2016 and 2019. Follow these instructions to configure Microsoft CA with ADSS Server:

Generate TLS Server Certificate to secure the Microsoft Web Enrollment site:

The following steps are required to request a TLS server certificate from Microsoft CA:

  • Press Win+R to open the Run dialog.
  • Type certlm.msc and press OK to launch the Certificate Manager tool.
  • Expand the Personal folder in the left pane.
  • Right-click the Certificates folder and select All Tasks > Request New Certificate. The following screen will be shown:
  • Click the Next button.
  • Select the Computer option and click the Enroll button.
  • Click the Finish button to close the dialog; the newly enrolled certificate will be shown.

Configure Internet Information Services (IIS):

The following steps are required to configure IIS:

Bind TLS Certificate

To bind a TLS server certificate in Microsoft IIS, perform the following steps:

  • Press Win+R to open the Run dialog and type INETMGR to launch the Internet Information Services (IIS) Manager
  • In the left pane, click the server name
  • Right-click Sites > Default Web Site and select Edit Bindings
  • In the Site Bindings window, select the https binding and click the Edit button:
  • From the SSL Certificate drop-down, select the Friendly Name of the TLS server certificate generated in the earlier step
  • Click OK to close the edit dialog
  • Click Close on the Site Bindings dialog

Enable Basic Authentication for Site

Ensure that Basic Authentication is enabled for the CertEnroll virtual directory and the CertSrv application:

  • Select Sites > Default Web Site > CertSrv
    • In the center panel, under IIS, double-click Authentication
    • Ensure that Basic Authentication is enabled; if it is not, right-click Basic Authentication and select Enable
  • Select Sites > Default Web Site > CertEnroll
    • In the center panel, under IIS, double-click Authentication
    • Ensure that Basic Authentication is enabled; if it is not, right-click Basic Authentication and select Enable

Test the Web Enrollment Page

  • Launch the IE web browser and access the Web Enrollment URL, e.g.:

    https://[Full Qualified Server Name]/certsrv/

  • Ensure that you can log in with the Windows domain user created for ADSS Server to request certificates

Configure Active Directory Certificate Template:

Because ADSS Server sends the Subject Distinguished Name in the Certificate Signing Request (CSR) to Active Directory Certificate Services Web Enrollment, each certificate template that ADSS Server will request certificates from needs the following changes:

  • Click Start > Administrative Tools > Certification Authority
  • Expand the CA node, right-click Certificate Templates and select Manage:
    • The Certificate Templates Console will be displayed; right-click the template you wish to issue and select Duplicate Template
    • The properties of the new template will be displayed; select the General tab and enter a new unique name in the Template display name field
    • Select the Subject Name tab and select the Supply in the request radio button; a warning is displayed immediately, click OK to close it
    • Select the Security tab and ensure that Domain Users have the Enroll permission
    • Click OK to close the template; the new template will appear in the Certificate Templates Console
    • Close the Certificate Templates Console
  • In the Certification Authority MMC, right-click Certificate Templates and select New > Certificate Template to Issue:
    • The Enable Certificate Templates dialog will be displayed; select the new certificate template from the list and click OK
    • The new template will now appear in the list for the Certification Authority

Configure ADSS Server:

Launch the web browser and open the URL (https://[Host Machine]:8774/adss/console) to access the ADSS Server Console:

  • The browser prompts you to select the TLS client authentication certificate
  • Select the relevant certificate and press the OK button to log in to the ADSS Server Console (provide the admin PFX password if prompted/required by the security policy)

Registering Issuing CA in Trust Manager

To register the Issuing CA in Trust Manager, follow the instructions below:

  • Navigate to the Trust Manager screen
  • Press the New button; the following screen will be displayed:
  • Press the Browse button (or the Choose File button if Browse does not appear)
  • Select the Issuing CA certificate file, e.g. ACME Corporate Issuing CA2.cer
  • Enable the option CA (will be used to verify other certificates and CRLs) and then click Next
  • On the Validation Policy tab, select CRL as the Primary Method and CDP as the Selected Method
  • Click Next, complete the rest of the wizard with the default options and click the "Save" button on the last screen
  • Restart the ADSS Server instance from the Windows Services panel / Linux daemon for the changes to take effect. Click here to follow the instructions

Configure External CA:

To configure an External CA in ADSS Server, follow the instructions below:

  • Navigate to the Manage CAs > External CAs screen
  • Press the New button; the following screen will be displayed:
  • Select Microsoft CA as the External CA in the CA Type drop-down. Once selected, enter the credentials of the selected External CA in the respective fields as explained below:
    • Enter the CA Alias, an operator-defined unique name for easy management of certificate authorities within ADSS Server.
    • In the CA Certificate field, select the issuing CA that was already configured in the Trust Manager
    • In the CA Address field, specify the URL at which this CA listens for certificate request messages
    • Specify the name of the Microsoft Certificate Template deployed on the Microsoft CA machine. This template defines the content of the certificates to be generated
    • Under User Name, specify the domain user name
    • Under Password, specify the domain user password
  • Click the Save button to save the changes

 

Configure ADSS Certification Service:

To configure the External CA in the Certification Service, follow the instructions below:

  • Navigate to Certification Service > Certification Profiles; the following screen appears:
  • Click the New button to create a new certification profile; the following screen appears:
  • Fill in the fields as follows:
    • Enter the Profile name, an operator-defined unique name for easy management of certification profiles within ADSS Server
    • Under the CA Details section, select the option "Use External online CA" and select the newly configured Microsoft External CA
    • Click the Save button to save the profile

 

Register Client in Client Manager

To register a client in the Client Manager module, follow the instructions below:

  • Navigate to the Client Manager module on the ADSS Server Console; the following screen appears:
  • Either create a new client or edit an existing client, then select the newly created certification profile and move it to the Selected Certificate Profiles list using the >> button:
  • Click the Save button.
  • Navigate to the Certification Service > Service Manager screen and click the Restart button for the changes to take effect.

How to configure DigiCert PKI External CA with ADSS Server?

DigiCert PKI can be configured with ADSS Server to act as an External CA. Configuration of DigiCert PKI with ADSS Server can be divided into two main sections:

  • Generation of API key on DigiCert PKI Platform 
  • Configure DigiCert PKI in ADSS Server

Each of these are explained below:

Generate API Key on DigiCert PKI Platform:

An API Key must first be generated on the DigiCert PKI admin portal; it is later referenced in the ADSS Server configuration. Follow the instructions below to generate the API Key:

  1. Access the PKI Manager admin portal; you will see a settings icon (in blue) at the bottom of the screen:
  2. Clicking the Settings icon will show the following options:
  3. Clicking the Manage API Key link will lead you to the screen where the required API Key can be created:
  4. Clicking the Add api key link at the top of the screen will show the following options:
  5. Set the required Friendly name of the API key for easy recognition; clicking the Save button will save the name and also generate the required API Key. The generated API key will be displayed on the screen as shown below:
  6. Once the API Key is generated, it must be copied, since the operator will not be able to view it again. This API Key will be used while configuring DigiCert in ADSS Server under the Manage CAs module.
  7. ADSS Server will use the generated API Key to create, renew and revoke certificates from the DigiCert PKI CA.

Configure DigiCert PKI in ADSS Server:

Once an API Key has been generated on the DigiCert PKI Platform, it can be referenced within ADSS Server. To configure DigiCert PKI in ADSS Server, follow these instructions:

  1. Launch the web browser and open the URL (https://[Host Machine]:8774/adss/console) to access the ADSS Server Console
    1. The browser prompts you to select the TLS client authentication certificate
    2. Select the relevant certificate and press the "OK" button to log in to the ADSS Server Console (provide the admin PFX password if prompted/required by the security policy)

  2. Navigate to the Trust Manager screen and register the DigiCert High Assurance EV Root CA and the DigiCert SHA2 Extended Validation Server CA in Trust Manager one by one by following these instructions:
    1. Press the New button; the following screen will be displayed:
    2. Press the Choose File button (or the Browse button if Choose File does not appear) and select the [Certificate File]
    3. Enable the option "CA (will be used to verify other certificates and CRLs)" and then click "Next"
    4. Complete the rest of the wizard with the default options and click the "Save" button on the last screen

  3. Restart the ADSS NT services or Linux daemons.

  4. Navigate to the Manage CAs > External CAs screen:

  5. Click the New button and fill in the following details:

  6. Select DigiCert PKI as the External CA in the CA Type drop-down. Once selected, enter the credentials of the selected External CA in the respective fields as explained below:
    1. Enter the CA Alias, an operator-defined unique name for easy management of certificate authorities within ADSS Server.
    2. In the CA Certificate field, select the issuing CA DigiCert SHA2 Extended Validation Server CA that was already configured in the Trust Manager.
    3. In the CA Address field, specify the URL at which this CA listens for certificate request messages.
    4. In the API Key field, specify the API Key generated by the operator on the DigiCert PKI Admin portal.
    5. In the Profile field, select from the drop-down the profile configured on the DigiCert PKI Admin Portal.

  7. Click the "Save" button to save the changes