Microsoft Active Directory Certificate Services PKI
Setup of the ADCS Connector
The ADCS Connector installation guide must be completed prior to the configuration of this connector.
Creating the ADCS PKI Connector in Horizon
The previous steps are prerequisites for the rest of the setup. If you haven’t yet configured the ADCS Connector on the ADCS side, please refer to the Setup of the ADCS Connector. The rest of this section assumes that the EverTrust ADCS Connector is installed and correctly set up on the ADCS side.
Create the PKI connector
1. Log in to Horizon Administration Interface.
2. Access PKI from the drawer or card.
3. Click on .
4. Select the correct PKI type.
5. Click on the next button
General tab
6. Fill in the common mandatory fields:
- Connector Name* (string input): Choose a meaningful connector name that identifies the mapping between the PKI and the Certificate Profile. It must be unique and must not contain spaces.
- Proxy (string select): If the PKI is not directly reachable from Horizon, you can set up an HTTP/HTTPS proxy to properly forward the traffic.
- PKI Queue (string select): The PKI Queue used to manage the PKI Requests (enrollment, revocation).
- Timeout (finite duration): The interval to wait for a PKI response. Once it has elapsed, Horizon stops trying to establish the communication. Must be a valid finite duration.
7. Click on the next button
Details tab
8. Fill in all mandatory fields:
- Endpoint* (string input): URL to access the machine where the ADCS connector is running on port 4443.
- Active Directory Domain Netbios Name* (string input): The NETBIOS name of the Active Directory domain that contains the technical user and the ADCS server.
- Profile* (string input): The technical name of the template that you created at step 8 of the Setup of the ADCS Connector section. Example: WebServer
- CA Config* (string input): The CaConfig string, as given out by certutil -getconfig for the considered ADCS CA. It’s usually in the form <ADCS Hostname>\<CA CommonName>
9. Click on the next button.
Authentication tab
10. Fill in the ADCS authentication fields:
- Enrollment agent certificate* (select): Select Certificate credentials containing the PKCS#12 enrollment agent certificate that was exported at step 10 of the Setup of the ADCS Connector section.
- MS ADCS user account* (select): Select Login credentials containing the username and password of the technical account created at step 9 of the Setup of the ADCS Connector section.

Specify only the username of the technical account on the ADCS machine, without the Netbios domain name. For example, in PKI\Technical do not include the PKI\ part.
11. Click on the save button.
You can edit, duplicate or delete the Microsoft Active Directory Certificate Services PKI connector.
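
The format rules stated for the connector fields above (no spaces in the name, port 4443, the CaConfig form, a username without the Netbios prefix) can be checked before the values are typed into the form. The following is an added example, not part of Horizon or the EverTrust documentation; the dictionary keys, the sample host and CA names, the accepted URL schemes and the 15-character NetBIOS length check are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

def check_connector_fields(f):
    """Return a list of problems in the values prepared for the connector form."""
    problems = []

    # General tab: the connector name must not contain spaces.
    name = f.get("connector_name", "")
    if not name or re.search(r"\s", name):
        problems.append("connector_name: must be non-empty and contain no spaces")

    # Details tab: the endpoint is a URL to the ADCS connector on port 4443.
    url = urlsplit(f.get("endpoint", ""))
    try:
        port = url.port
    except ValueError:  # non-numeric or out-of-range port
        port = None
    if url.scheme not in ("http", "https") or not url.hostname:  # schemes assumed
        problems.append("endpoint: not an HTTP(S) URL with a host")
    elif port != 4443:
        problems.append("endpoint: the ADCS connector is expected on port 4443")

    # NetBIOS names hold at most 15 characters; a backslash means DOMAIN\user was pasted.
    netbios = f.get("netbios_domain", "")
    if not 1 <= len(netbios) <= 15 or "\\" in netbios:
        problems.append("netbios_domain: expected a bare NetBIOS name (1-15 characters)")

    # CA Config: <ADCS Hostname>\<CA CommonName>, one backslash between two parts.
    host, sep, ca_cn = f.get("ca_config", "").partition("\\")
    if not sep or not host.strip() or not ca_cn.strip() or "\\" in ca_cn:
        problems.append("ca_config: expected <ADCS Hostname>\\<CA CommonName>")

    # Authentication tab: username only, e.g. Technical rather than PKI\Technical.
    user = f.get("username", "")
    if not user or "\\" in user:
        problems.append("username: give the account name without the Netbios domain")

    return problems

# Constructed sample values; the host names and the CA name are placeholders.
SAMPLE = {
    "connector_name": "adcs-webserver",
    "endpoint": "https://adcs-connector.example.test:4443",
    "netbios_domain": "PKI",
    "ca_config": "adcs01.example.test\\Example Issuing CA",
    "username": "Technical",
}

if __name__ == "__main__":
    for line in check_connector_fields(SAMPLE) or ["all fields look consistent"]:
        print(line)
```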