Using CertAgent to Obtain Domain Controller and Smart Card Logon Certificates for Active Directory Authentication



Similar documents
Entrust Managed Services PKI. Configuring secure LDAP with Domain Controller digital certificates

Entrust Managed Services PKI

Using Internet or Windows Explorer to Upload Your Site

Using etoken for Securing s Using Outlook and Outlook Express

etoken Enterprise For: SSL SSL with etoken

Setting Up SSL on IIS6 for MEGA Advisor

Application Notes for Microsoft Office Communicator Clients with Avaya Communication Manager Phones - Issue 1.1

Step-by-step installation guide for monitoring untrusted servers using Operations Manager (Part 1 of 3)

Microsoft OCS with IPC-R: SIP (M)TLS Trunking. directpacket Product Supplement

ECA IIS Instructions. January 2005

Troubleshooting smart card logon authentication on active directory

Document Classification: Public Document Name: SAPO Trust Centre - Generating a SSL CSR for IIS with SAN Document Reference:

Security Certificate Configuration for IM and Presence Service

X.509 Certificate Generator User Manual

Technical Support Set-up Procedure

Step-by-step installation guide for monitoring untrusted servers using Operations Manager ( Part 3 of 3)

How to Enable LDAP Directory Services Authentication to Microsoft Active Directory in the HP cclass Onboard Administrator

Avatier Identity Management Suite

DIGIPASS KEY series and smart card series for Juniper SSL VPN Authentication

Exchange 2010 PKI Configuration Guide

WHITE PAPER Citrix Secure Gateway Startup Guide

Installation and Configuration Guide

Using Microsoft s CA Server with SonicWALL Devices

Generating an Apple Push Notification Service Certificate for use with GO!Enterprise MDM. This guide provides information on...

User Documentation for SmartPolicy. Version 1.2

PaperStream Connect. Setup Guide. Version Copyright Fujitsu

Smart Policy - Web Collector. Version 1.1

Certificates for computers, Web servers, and Web browser users

DigitalPersona Pro. Password Manager. Version 5.x. Application Guide

Symantec Managed PKI. Integration Guide for ActiveSync

Desktop Web Access Single Sign-On Configuration Guide

Windows Live Mail Setup Guide

Cox Managed CPE Services. RADIUS Authentication for AnyConnect VPN Version 1.3 [Draft]

How To Enable A Websphere To Communicate With Ssl On An Ipad From Aaya One X Portal On A Pc Or Macbook Or Ipad (For Acedo) On A Network With A Password Protected (

DIGIPASS CertiID. Getting Started 3.1.0

ADFS Integration Guidelines

Unifying Information Security. Implementing TLS on the CLEARSWIFT SECURE Gateway

USER GUIDE WWPass Security for (Outlook) For WWPass Security Pack 2.4

How to Order and Install Odette Certificates. Odette CA Help File and User Manual

Yale Software Library

WebLogic Server 6.1: How to configure SSL for PeopleSoft Application

ASA 8.x Manually Install 3rd Party Vendor Certificates for use with WebVPN Configuration Example

How-to: HTTP-Proxy and Radius Authentication and Windows IAS Server settings. Securepoint Security System Version 2007nx

EJBCA with GemSAFE Toolbox Part1 Workstation Logon

Security Assertion Markup Language (SAML) Site Manager Setup

EJBCA with GemSAFE Toolbox Part2 Sign. and Encrypt

How to Time Stamp PDF and Microsoft Office 2010/2013 Documents with the Time Stamp Server

How to Order and Install Odette Certificates. Odette CA Help File and User Manual

Secure IIS Web Server with SSL

SecureAware on IIS8 on Windows Server 2008/- 12 R2-64bit

How to Order and Install Odette Certificates. Odette CA Help File and User Manual

Zanibal Plug-in For Microsoft Outlook Installation & User Guide Version 1.1

SETTING UP ACTIVE DIRECTORY (AD) ON WINDOWS 2008 FOR EROOM

Use the below instructions to configure your wireless settings to connect to the secure wireless network using Microsoft Windows Vista/7.

Introduction. Before you begin. Installing efax from our CD-ROM. Installing efax after downloading from the internet

SCADA Security. Enabling Integrated Windows Authentication For CitectSCADA Web Client. Applies To: CitectSCADA 6.xx and 7.xx VijeoCitect 6.xx and 7.

Working With Your FTP Site

WirelessOffice Administrator LDAP/Active Directory Support

Check Point FDE integration with Digipass Key devices

Entrust Managed Services PKI Administrator Guide

Single Sign On. Configuration Checklist for Single Sign On CHAPTER

For details for obtaining this later version; see the Known issues & Limitations, section at the end of this document.

Windows Intune Walkthrough: Windows Phone 8 Management

Egnyte Single Sign-On (SSO) Installation for Okta

Entrust Managed Services PKI. Getting an end-user Entrust certificate using Entrust Authority Administration Services. Document issue: 2.

NTP Software File Auditor for Windows Edition

How to Copy A SQL Database SQL Server Express (Making a History Company)

Bitrix Site Manager ASP.NET. Installation Guide

Test Automation Integration with Test Management QAComplete

PageScope Router. Version 1.5. Configuration Guide

How to Install and Configure ArchiveOne Express

How to Use Certificates for Additional Security

Implementation notes on Integration of Avaya Aura Application Enablement Services with Microsoft Lync 2010 Server.

Installation Guide. SafeNet Authentication Service

Using the Synchronization Client

MS SQL Server Database Management

USER GUIDE WWPass Security for Windows Logon

Types of certification authorities

Generating an Apple Push Notification Service Certificate for use with GO!Enterprise MDM. This guide provides information on...

Code Signing Digital IDs GCC Certificate Installation Guide Rev 1.4

Web Hosting Getting Started Guide

Application Note. ShoreTel 9: Active Directory Integration. Integration checklist. AN June 2009

Managing Software and Configurations

App Orchestration 2.5

XCM Internet Explorer Settings

BlackBerry Enterprise Server Resource Kit

SECO Whitepaper. SuisseID Smart Card Logon Configuration Guide. Prepared for SECO. Publish Date Version V1.0

DIGIPASS Authentication for Windows Logon Getting Started Guide 1.1

Kaseya 2. User Guide. Version 6.1

Yubico PIV Management Tools

ThorApp s. License Activation Guide. No nonsense tools, apps and add-ons for SharePoint. Author: Adrian Bear. Date: 22 Sep Version: 1.

Certificate Request Generation and Certificate Installation Instructions for IIS 5 April 14, 2006

Advanced Event Viewer Manual

Single Sign On. Configuration Checklist for Single Sign On CHAPTER

Chapter 10 Encryption Service

An Introduction To The Web File Manager

RoomWizard Synchronization Software Manual Installation Instructions

(n)code Solutions CA A DIVISION OF GUJARAT NARMADA VALLEY FERTILIZERS COMPANY LIMITED P ROCEDURE F OR D OWNLOADING

Title: How to set up SSL between CA SiteMinder Web Access Manager - SiteMinder Policy Server and Active Directory (AD)

Transcription:

Using CertAgent to Obtain Domain Controller and Smart Card Logon Certificates for Active Directory Authentication Contents Domain Controller Certificates... 1 Enrollment for a Domain Controller Certificate... 1 Issuing a Domain Controller Certificate... 2 Installing the Domain Controller Certificate... 3 Smart Card Logon Certificates... 4 Enrollment for a Smart Card Logon Certificate... 4 Issuing a Smart Card Logon Certificate... 4 Installing a Smart Card Logon Certificate... 5 Domain Controller Certificates Enrollment for a Domain Controller Certificate To initiate the process of obtaining a suitable certificate, a system administrator on the domain controller system should do the following: 1. Generate an offline domain controller certificate request following the instructions on the Microsoft Technet website: http://technet.microsoft.com/en us/library/cc783835%28ws.10%29.aspx 2. Open a browser and go to the Upload Certificate Request page of the CertAgent public site and submit the request file (typically named <dcname>-req) to an appropriate CA. 3. Once your request has been accepted, please make a note of the request ID generated by the CertAgent system to aid in the certificate retrieval process (described below).

Issuing a Domain Controller Certificate The CertAgent CA to whose account the request has been submitted should follow these steps in issuing the domain controller certificate: 1. Login to the appropriate CertAgent CA account; this is the account that you will be using to issue the domain controller certificate. 2. Open the pending certificate request list and click on the request you wish to process. This will open the advanced options dialog. 3. If you already know the globally unique identifier (GUID) of the domain controller for which the certificate will be issued, skip to the next step. Otherwise, you may determine the required GUID as follows: click Export and save the certificate request to a file open a Command Prompt and run the following command: certutil dump <request file> the required domain controller GUID may be found in the output of this command as the value associated with the OID 1.3.6.1.4.1.311.25.1 as illustrated below: Subject Alternative Name Other Name: 1.3.6.1.4.1.311.25.1= 0410 6661 6135 3636 3234 3831 6263 3866 6662 copy the entire domain controller GUID to the clipboard and return to CertAgent 4. Select Issue certificate with customized settings from the Action drop down list. 5. Customize the included extensions as described here (if they are not already so specified in the active CA s default certificate profile settings): under CRL Distribution Point, enter a valid CRL distribution point URL. under Key Usage, make sure that only the digital signature and key encipherment checkboxes are checked. under Extended Key Usage, check only the following checkboxes: client authentication, server authentication, and MS: Smart Card Logon. under Subject Alternative Name, add an Other Name field and complete its attributes as follows: specify an OID of 1.3.6.1.4.1.311.25.1 set Octet String as the type of this attribute and enter the domain controller s GUID as its value; then carefully remove the first four characters (04??) and all spaces and insert 0x at the front of the string (to ensure it is interpreted in hex). For example, if the GUID was originally 0410 6661 6135 3636 3234 3831 6263 3866 6662 as above, you would enter 0x666135363632343831626338666662 as the hexadecimal value of the new attribute.

under Subject Alternative Name, add a DNS Name and specify the DNS name of the domain controller. enter the following base64 encoded data as a Custom Extension: MC8GCSsGAQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8AbABsAGUAcg== (When you copy and paste this value be sure to capture the two trailing equal signs. This extension is required to ensure that the certificate is accepted and processed as a domain controller certificate by the default policy module in the domain controller.) Basic Constraints are optional, but if you include them be sure to uncheck the CA checkbox. 6. Review your changes then click Submit to issue the certificate. If you are doing this often, you should of course configure a CA account or subaccount to include the custom extensions automatically so that only minor editing of attribute values is required on a perrequest basis. For a detailed discussion of the constraints on the contents of a Microsoft domain controller certificate, see http://support.microsoft.com/kb/291010. Installing the Domain Controller Certificate Once the domain controller certificate has been issued, the system administrator may install it by following these steps: 1. Go to the Retrieve Certificate page of the CertAgent public site. 2. Enter the request ID and click Retrieve. 3. Click the link labeled Download this certificate path to a local base64 encoded PKCS#7 file and save the PKCS#7 file to a convenient folder on your system. 4. Now install the domain controller certificate by executing this command at a Command Prompt: certreq accept <PKCS#7 filename>. For a more detailed discussion of the installation process for a domain controller certificate, see http://technet.microsoft.com/en us/library/cc785678%28ws.10%29.aspx.

Smart Card Logon Certificates Enrollment for a Smart Card Logon Certificate Any entity wishing to obtain a smart card logon certificate for use with Active Directory can initiate the process by following these steps: 1. Go to the Enroll Certificate using Browser page for an appropriate CA account/subaccount on the public side of the CertAgent website. 2. Select the CSP associated with your smart card. 3. Select Both for the Key Usage value. 4. Uncheck the checkbox labeled Mark keys as exportable. 5. Fill in the rest of the form and click Submit. 6. Once your certificate request has been accepted please make a note of the request ID generated by the system. Issuing a Smart Card Logon Certificate A CertAgent CA may follow these steps to issue the certificate: 1. Login to the CertAgent CA account to which the certificate request has been submitted. 2. Click on the desired certificate request from the pending list to open the advanced dialog. 3. Select Issue certificate with customized settings from the Action drop down list. 4. Customize the extensions for this certificate as follows: under CRL Distribution Point, enter a CRL distribution point URL. under Key Usage, check only the digital signature checkbox. under Extended Key Usage, check only the client authentication and MS: Smart Card Logon checkboxes. under Subject Alternative Name, add an Other Name field and complete its attributes as follows: specify an OID of 1.3.6.1.4.1.311.20.2.3 set UTF8 String as the type of the attribute and enter the principal name as its value (e.g., user1@infoseccorp.com). Basic Constraints are optional, but if you include them be sure to uncheck the CA checkbox. 5. Review your changes then click Submit to issue the certificate. For more detailed instructions on enabling smart card logon, see http://support.microsoft.com/kb/281245.

Installing a Smart Card Logon Certificate Once a smart card logon certificate has been issued, the entity who requested it may retrieve it and install it on their system as follows: 1. Go to the Retrieve Certificate page of the CertAgent public site. 2. Enter the request ID for your certificate and click Retrieve. 3. Click the link labeled Install this certificate path into CAPI/CNG and follow the prompts to install your certificate.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information