Version: Axidian CertiFlow 7.2

Microsoft CA

Configure connection to Microsoft CA and create certificate templates.

Prerequisites

To allow access to the Microsoft CA section:

  1. Launch the Axidian CertiFlow Configuration Wizard and go to Certification authorities.
  2. Enable integration with Microsoft Enterprise CA.

Connect to a CA

Follow the instructions for the operating system of the workstation where the Axidian CertiFlow server is installed.

  1. Click Add CA.
  2. In the Server address field, specify the CA address if it was not detected automatically.
  3. Enter the login in DOMAIN\Username format and the password of the service account holding the Enrollment Agent certificate.
  4. Click Add.
Caution

An Enrollment Agent certificate is required for Axidian CertiFlow to integrate with the CA. The user account holding the Enrollment Agent certificate is used to send certificate enrollment requests to the CA on behalf of Axidian CertiFlow users. You can change the user's credentials after you add the CA to Axidian CertiFlow.

Add a CA located outside the Axidian CertiFlow users domain

  1. Click Add CA.
  2. In the Server address field, specify the address of the Axidian CertiFlow MS CA Proxy application. If Axidian CertiFlow is deployed in a domain forest, using Axidian CertiFlow MS CA Proxy is optional.
  3. In the Username field, enter the login in DOMAIN\Username format and the password of the service account holding the Enrollment Agent certificate.
  4. Enable the Issue certificates for users from external associated catalog option.
  5. Specify the path to the external user catalog in the LDAP field.
  6. In the Username field, enter the login of a user with read permissions for all user properties in the external domain. You can use the account specified earlier.

    Tip

    To configure permissions to read only a specific set of properties, go to the Permissions list of the specified user profile and select the required properties.

  7. In the Catalogs associating attribute field, specify the attribute that is used to determine the uniqueness of a user who has accounts in each domain. You can select one of the following attributes: Common name, Email, or Login (sAMAccountName).

Certificate templates

Before you configure certificate templates in Axidian CertiFlow, make sure that the required templates are configured and published in the CA. For more information, see CA certificate templates.

To create a certificate template:

  1. Open policy settings and go to the Microsoft CA → Templates section.
  2. Click Create certificate template.
  3. Configure the required parameters and click Create.
Name
    Certificate template name.

CA
    CA name.

Microsoft CA certificate template
    The template is uploaded automatically from the connected CA.

Key name prefix
    If you do not specify a key name prefix, the name of the container with the key pair is generated automatically.

    If you specify a prefix, it is added in front of the container name.

    The prefix value is displayed in Axidian CertiFlow and in third-party software for managing private key containers.

Include in subject name
    Specify the attributes that form the certificate Subject name:
      • Fully distinguished name (default value)
      • Common name
      • First name
      • Last name
      • Initials
      • E-mail
      • Title
      • Organization unit
      • Organization
      • Street
      • Locality
      • State
      • Country

    To form the certificate's Subject and Subject Alternative Name from the attribute list, open the Microsoft CA template properties, go to the Subject Name tab and select Supply in the request.

Include in alternative subject name
    Specify the attributes that form the certificate Subject Alternative Name:
      • E-mail
      • Additional e-mail addresses
      • User principal name

    Configure the attribute for reading additional e-mail addresses from the user catalog. The default attribute is proxyAddresses.

Backup key
    When a key pair is generated on a card, a backup copy is saved on the Axidian CertiFlow server. A key pair copy can only be saved once.

    If this option is disabled, the key pair is generated directly on the card.

Copy backup key to temporary card
    Certificate and private key copies are written to the card during a temporary replacement.

Reuse key
    When certificates are renewed, the existing encryption key is reused.

Import certificate if exists
    Axidian CertiFlow uses the certificate already on the card instead of issuing a new one (for the specified user, CA, and template). If the card is initialized before issuance, the certificate is removed.

Do not remove certificate at card updating/cleaning
    When a card is updated or cleared, expiring or expired certificates are not removed from the card and are not revoked in the CA. When a card is updated, a new certificate with a new private key is requested and written to the card.

    If the Reuse key option is enabled, expiring or expired certificates are removed from the card and new certificates with the old private keys are written to it. Expiring or expired certificates are also removed if the card is withdrawn and initialized.

Revoke certificate at card revoking/disabling
    Certificates are revoked when a card is disabled or revoked.

Install certificate to local store
    When a card is issued or updated in the Self-Service, the certificates written to the card are added to the user's local certificate store.

Publish CRL
    When cards are disabled, enabled, or revoked, the Certificate Revocation List (CRL) is published. This prevents users from signing documents with a revoked certificate.

    This option is available only if the Microsoft CA service account has the Manage CA permission.

Accept certificate request automatically
    The certificate request is approved automatically.

    If this option is disabled, you must wait for the CA to approve the request.

Accept signed certificate renewal request automatically
    The certificate renewal request is approved automatically.

    If this option is disabled, you must wait for the CA to approve the renewal request.

Require signed certificate document before continuing card issuing/updating
    The certificate is written to the card only after the user provides a signed certificate form to the administrator for verification.

    After the CA approves the request, the certificate form becomes available to the user in the Self-Service. The user can download the form, sign it, and submit it for review.

Tracked user attributes
    Specify the user attributes whose change triggers a certificate renewal: Common Name, Email, or User Principal Name (UPN).

    Changing the e-mail address triggers a certificate renewal only if this attribute is included in the Microsoft CA certificate template: on the Subject Name tab of the template properties, the Include e-mail name in subject name or E-mail name option is selected.

Print templates
    Upload the document templates in the Configuration → Print templates section. If there are no document templates, the default print templates are used.

Default
    This certificate is used by default for logging in to third-party software.

Optional certificate
    When a card is issued or updated, you can select which optional certificates to write to the card.

    If this option is disabled, certificates are written to the card by default.
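The Include in subject name and Include in alternative subject name parameters above require the Microsoft CA template to be published on the CA and to have Supply in the request selected on its Subject Name tab. The following PowerShell snippet is an added example, not part of the Axidian CertiFlow documentation or product, that reads both facts from the AD Configuration partition so you can verify a template before creating the Axidian CertiFlow template; the template and CA names are placeholders, and it assumes a domain-joined host with the ActiveDirectory module.

```powershell
# Added example (not Axidian CertiFlow code): verify that a Microsoft CA template is
# published on a CA and that its Subject Name is set to "Supply in the request".
# Assumptions: domain-joined host, ActiveDirectory module available, names below are placeholders.
Import-Module ActiveDirectory

$TemplateName = 'AxidianSmartcardUser'   # placeholder: Microsoft CA template name
$CaName       = 'Contoso-Issuing-CA'     # placeholder: CA common name

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# "Supply in the request" on the Subject Name tab sets CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (0x1)
# in the template's msPKI-Certificate-Name-Flag attribute.
$EnrolleeSuppliesSubject = 0x1

$tpl = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
                    -LDAPFilter "(cn=$TemplateName)" `
                    -Properties 'msPKI-Certificate-Name-Flag'
if (-not $tpl) { throw "Template '$TemplateName' not found in the Configuration partition." }

# The attribute is a signed 32-bit integer; -band works on the raw bits either way.
$nameFlags       = [int]$tpl.'msPKI-Certificate-Name-Flag'
$supplyInRequest = ($nameFlags -band $EnrolleeSuppliesSubject) -ne 0

# A template is published on a CA when its name appears in the certificateTemplates
# attribute of that CA's pKIEnrollmentService object.
$ca = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
                   -LDAPFilter "(cn=$CaName)" `
                   -Properties certificateTemplates
$published = [bool]($ca -and ($ca.certificateTemplates -contains $TemplateName))

[pscustomobject]@{
    Template        = $TemplateName
    CA              = $CaName
    PublishedOnCA   = $published
    SupplyInRequest = $supplyInRequest
    NameFlags       = ('0x{0:X8}' -f $nameFlags)
}
```

Because a template with Supply in the request takes the subject from the requester, keep its Enroll permission limited to the service account that holds the Enrollment Agent certificate and review that ACL alongside this output.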