Version: Axidian CertiFlow 7.1

Microsoft CA

Configure Microsoft Enterprise CA integration with Axidian CertiFlow:

  1. Create a service account.
  2. Configure certificate templates.
  3. Add the certificate templates to Certificate Templates to Issue list.
  4. Issue an Enrollment Agent certificate for the service account.

Use the Axidian CertiFlow MS CA Proxy component (described at the end of this page) to connect to Microsoft CA in the following cases:

  • If Microsoft CA is installed outside the domain where the Axidian CertiFlow server running Windows OS is deployed;
  • If the Axidian CertiFlow server is installed on Linux OS.

Create a service account

Configure a service account that Axidian CertiFlow uses to request certificates from the CA:

  1. Create a user account in Active Directory.
  2. Open the Certification Authority snap-in, select the CA and go to Properties.
  3. On the Security tab, click Add and specify the name of the created account.
  4. Set the Issue and Manage Certificates permission. The Request Certificates permission is set by default.
  5. Click OK to save the settings.
info

Enable the Manage CA permission to be able to publish the certificate revocation list when you configure certificate templates for the CA in Axidian CertiFlow.

caution

If you plan to use Axidian CertiFlow with multiple CAs, ensure that the service account has the same set of permissions for all CAs.

Configure certificate templates

Configure the Enrollment Agent certificate template and user certificate templates.

Enrollment Agent

The Enrollment Agent certificate is used to request certificates on behalf of end users.

caution

The Enrollment Agent certificate is added to Axidian CertiFlow only once and is issued only for the service account.
To prevent security issues, do not add the Enrollment Agent certificate to card usage policies in Axidian CertiFlow. Otherwise, users could bypass the normal procedure and generate their own certificates in the CA.

Create and configure the Enrollment Agent certificate template:

  1. Open the Certification Authority snap-in and click the CA to expand the root folder.
  2. Right-click the Certificate Templates section and select Manage.
  3. Right-click the Enrollment Agent template and select Duplicate Template.
  4. Go to the General tab and enter Axidian Enrollment Agent in the Template display name field. Change the Validity period according to your company's regulations.
  5. Go to the Cryptography tab and set the required key size. The recommended key size is 2048 bits.
  6. On the Extensions tab, select the Application Policies extension and click Edit....
    1. Click Add..., select the Client Authentication application policy from the list and click OK.
    2. Select the Client Authentication application policy from the provided list.
    3. Click OK.
  7. On the Security tab, click Add....
    1. In the Enter the object names to select field, enter the service account name and click OK.
    2. In the Permissions for section, assign the Read and Enroll permissions.
  8. Click OK to save the template settings.

User certificates

Prepare certificate templates for application policies that are used to issue certificates to Axidian CertiFlow end users.

Use the following instruction to create and configure the Smartcard Logon certificate template. The Smartcard Logon certificate template is used to issue certificates for logging into the operating system using a smart card.

  1. Open the Certification Authority snap-in and click the CA to expand the root folder.
  2. Right-click the Certificate Templates section and select Manage.
  3. Right-click the Smartcard Logon template and select Duplicate Template.
  4. Go to the General tab and enter Axidian Smart Card Logon in the Template display name field. Change the Validity period according to your company's regulations.
  5. Go to the Cryptography tab and set the required Key size.
About minimum key size

The minimum key size can be configured for Microsoft CA 2008/2008R2 and higher. In previous versions, the minimum key size is configured on the Request Handling tab.

To prevent unauthorized access to confidential information, Microsoft issued an update (KB2661254) for all supported Microsoft Windows versions. This update blocks cryptographic keys that are less than 1024 bits long. The update is not applicable to Windows 8 and higher or Windows Server 2012 and higher, since these systems already block weak RSA keys less than 1024 bits long.

  6. On the Issuance Requirements tab, configure the following properties:
    1. Check the CA Certificate manager approval box.
    2. Check the This number of authorized signatures box. Type 1 in the text box.
    3. Select Application policy from the Policy type required in signature list.
    4. Select Certificate Request Agent from the Application policy list.
    5. Under Require the following for reenrollment, select Same criteria as for enrollment.
  7. Go to the Subject Name tab. Depending on the certificate purpose, select:
    • Supply in the request if certificates with Secure Email (OID 1.3.6.1.5.5.7.3.4) and Document Signing (OID 1.3.6.1.4.1.311.10.3.12) purposes are issued based on this template.

    info

    The certificate subject name is formed from the certificate request.
    You can define attributes for Subject and Subject Alternative Name in the Axidian CertiFlow Management Console. Go to Configuration→Policies→PKI Settings→Microsoft→Templates.

    • Built from this Active Directory information if certificates with SmartCard Logon (OID 1.3.6.1.4.1.311.20.2) and Client Authentication (OID 1.3.6.1.5.5.7.3.2) purposes are issued based on this template. Follow these steps:

      1. Select Fully distinguished name from the Subject name format list.
      2. Check the User principal name (UPN) box.
      3. Clear the Include e-mail name in subject name and E-mail name check boxes if certificates based on this template are issued for users without email addresses defined in Active Directory.
  8. Go to the Security tab and click Add....

    1. In the Enter the object names to select field, enter the service account name and click OK.
    2. In the Permissions for section, assign the Read and Enroll permissions.

    caution

    Grant similar permissions to the service account for all certificate templates that are used in Axidian CertiFlow.

  9. Click OK to save the template settings.

Add certificate templates

  1. Open the Certification Authority snap-in and click the CA to expand the root folder.
  2. Right-click the Certificate Templates section.
  3. Select New→Certificate Template to Issue.
  4. Select the Axidian CertiFlow Enrollment Agent certificate template and other required certificate templates.
  5. Click OK.

Issue the Enrollment Agent certificate

There are two ways to create the Enrollment Agent certificate:

  • Using the Certiflow.CertEnroll.MsCA tool
  • Using the Certificates tool (certmgr.msc)

To issue an Enrollment Agent certificate:

  1. Open the Axidian CertiFlow installation package and open the AxidianCertiflow.WindowsServer\Misc catalog.

  2. Run Certiflow.CertEnroll.MsCA.exe on the Axidian CertiFlow server as local administrator with /e userName password and /t templateName parameters:

    • userName – a service account name
    • password – a service account password
    • templateName – Enrollment Agent certificate template name. Templates with any names that have the Certificate Request Agent EKU are supported.
    Command example
    Certiflow.CertEnroll.MsCA.exe /e serviceca p@ssw0rd /t="AxidianEnrollmentAgent"
    Results
    CA: msca.demo.local\Axidian-Demo-CA
    Certificate has been enrolled successfully.
  3. If the certificate request requires approval by a CA operator, the tool reports that the request is pending and asks you to approve it before installing the certificate, indicating the request serial number and the key container name:

    CA: msca.demo.local\Axidian-Demo-CA
    Certificate request is pending.
    Request id: 27
    Container name: lr-AxidianEnrollmentAgent-175d9490-7481-4a29-b567-503d39747354
    Please accept request and then install certificate.
  4. After approving the request in the CA, install the certificate in the certificate store. To install the certificate in the certificate store, run the Certiflow.CertEnroll.MsCA.exe with /i userName password requestId containerName parameters:

    • userName – a service account name
    • password – a service account password
    • requestId – a certificate request serial number
    • containerName – a key container name
    Command example and results
    Certiflow.CertEnroll.MsCA.exe /i serviceca p@ssw0rd 27 lr-AxidianEnrollmentAgent-175d9490-7481-4a29-b567-503d39747354
    CA: msca.demo.local\Axidian-Demo-CA
    Certificate has been installed successfully.

As a result, the Certificate Request Agent (Enrollment Agent) certificate is installed in the certificate store of the machine where the Axidian CertiFlow server is installed.

If you need to issue an Enrollment Agent certificate from a specific CA (for example, if there are multiple CAs in the domain), run Certiflow.CertEnroll.MsCA.exe with the /c parameter. Specify the CA name in the CAMachineName\CAName format:

  • CAMachineName – the DNS name of a server with the CA role
  • CAName – the name of the CA
Certiflow.CertEnroll.MsCA.exe /e serviceca p@ssw0rd /t="AxidianEnrollmentAgent" /c="msca.demo.local\Axidian-Demo-CA"

Connect to Microsoft CA using Axidian CertiFlow MS CA Proxy

Axidian CertiFlow can work with CAs located outside the domain of the Axidian CertiFlow server using the Axidian CertiFlow MS CA Proxy component.

Configuration examples:

  • There are several independent domains with separate CAs in each, Axidian CertiFlow is deployed in only one of these domains.
  • Axidian CertiFlow is deployed on a non-domain Linux OS server and is used to request and issue certificates in a domain with Microsoft CA.

When issuing a certificate, Axidian CertiFlow uses the Enrollment Agent certificate to connect to the Axidian CertiFlow MS CA Proxy and forwards the request to the target CA.

Install and configure the Axidian CertiFlow MS CA Proxy

The Axidian CertiFlow MS CA Proxy application can only be installed on a machine running Windows OS. System requirements match the server requirements.

  1. Create a service account for Microsoft CA in an external domain.

  2. Configure the Enrollment Agent certificate template for the service account and issue the Enrollment Agent certificate. Install the Enrollment Agent certificate in the certificates store of a machine (Local computer) where you plan to install the Axidian CertiFlow MS CA Proxy.

  3. Install the Axidian CertiFlow MS CA Proxy on a machine within the external CA domain:

    1. Open the Axidian CertiFlow installation package and open the AxidianCertiflow.Server catalog.
    2. Run the Axidian CertiFlow MS CA Proxy Installation Wizard AxidianCertiflow.MSCA.Proxy-version number.x64.en-us.msi.
  4. In the Installation Wizard, select the authentication method depending on the OS of the machine where the Axidian CertiFlow server is installed, and specify the required settings in the configuration files:

    1. Select the Windows authentication method. After the installation is complete, click Finish.
    2. Open the appsettings.json file (C:\inetpub\wwwroot\certiflow\mscaproxy) in Notepad in administrator mode.
    3. Specify the following settings in the caProxySettings section:
      • ca – the CA name in the CAMachineName\CAName format. CAMachineName is the DNS name of the server with the CA role, CAName is the name of the CA.
      • userName and password – login and password of the service account with an Enrollment Agent certificate.
      • enrollmentAgentCertificateThumbprint – the thumbprint of the Enrollment Agent certificate.

      "caProxySettings": {
        "ca": "servercertiflow.external.com\\EXTERNAL-CA",
        "userName": "EXTERNAL\\serviceca",
        "password": "p@ssw0rd",
        "enrollmentAgentCertificateThumbprint": "dbd1859d27395860843643ebe17e2ee3fc463aba"
      }
    4. Save changes and close the appsettings.json file.
  5. To apply changes, restart the Axidian CertiFlow MS CA Proxy application pool:

    1. Open the Internet Information Services Manager (IIS). In the Connections pane, expand the server name, and then click Application Pools.
    2. Select the Axidian CertiFlow MS CA Proxy application and click Recycle... under Actions on the right.
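To confirm that the proxy machine actually holds a usable Enrollment Agent certificate and that the caProxySettings section points at it, the following PowerShell check is an added example (not part of Axidian CertiFlow or its installer); it assumes the default appsettings.json path given above, the Local Computer personal store, and the standard Certificate Request Agent EKU OID 1.3.6.1.4.1.311.20.2.1.

```powershell
# Added verification script (not Axidian CertiFlow code). Assumptions: the proxy config lives at
# C:\inetpub\wwwroot\certiflow\mscaproxy\appsettings.json and the Enrollment Agent certificate
# was installed into the Local Computer personal store, as the steps above describe.
$CertificateRequestAgentEku = '1.3.6.1.4.1.311.20.2.1'   # EKU OID of "Certificate Request Agent"

function Get-EnrollmentAgentCertificate {
    # Return certificates in LocalMachine\My that carry the Certificate Request Agent EKU
    # and have a private key the proxy can use (a public-key-only copy is useless here).
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $CertificateRequestAgentEku })
        }
}

function Test-CaProxySettings {
    param([string]$Path = 'C:\inetpub\wwwroot\certiflow\mscaproxy\appsettings.json')
    $settings = (Get-Content -Path $Path -Raw | ConvertFrom-Json).caProxySettings
    $problems = @()

    # "ca" must be in CAMachineName\CAName form (exactly one backslash separator).
    if ($settings.ca -notmatch '^[^\\]+\\[^\\]+$') {
        $problems += "ca must be 'CAMachineName\CAName', got '$($settings.ca)'"
    }

    # The thumbprint must match an Enrollment Agent certificate with a private key in the store.
    # The Cert: provider reports thumbprints in upper case; appsettings.json may hold lower case.
    $thumb = ($settings.enrollmentAgentCertificateThumbprint -replace '\s', '').ToUpperInvariant()
    $cert = Get-EnrollmentAgentCertificate | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) {
        $problems += "no Enrollment Agent certificate with a private key and thumbprint $thumb in LocalMachine\My"
    } elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $problems += "Enrollment Agent certificate expires on $($cert.NotAfter); renew it before then"
    }

    if ([string]::IsNullOrWhiteSpace($settings.userName) -or [string]::IsNullOrWhiteSpace($settings.password)) {
        $problems += 'userName and password must both be set'
    }
    $problems
}

# Usage: list candidate thumbprints for appsettings.json, then validate the current config.
Get-EnrollmentAgentCertificate | Select-Object Subject, NotAfter, Thumbprint
$issues = Test-CaProxySettings
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { 'caProxySettings are consistent with the certificate store' }
```

Run it in an elevated PowerShell session on the proxy machine before recycling the application pool, so a wrong thumbprint or a missing private key is caught before the proxy starts failing requests.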