Microsoft Active Directory Certificate Services PKI

Prerequisites

  • The EverTrust ADCS Connector component must be installed

To install the EverTrust ADCS Connector component, follow these steps:

  1. On a Windows Server 2016+ installed with ADCS, double-click on the EverTrust ADCS Connector MSI.

  2. Follow the installation wizard.

  3. If not already present, enroll a Web Server certificate for the server, so that it is available in the Local Machine store.

  4. Edit the file located in C:\Program Files\EverTrust\ADCSConnector\EverTrustADCSConnector.exe.config and set the value of the key CertHash to the hash of the Web Server Certificate mentioned in the previous step.

  5. Open the port 4443 on the firewall.

  6. Start the service EverTrust ADCS Connector.

Finally, you must also create in the ADCS domain a technical user for Horizon, grant the appropriate permissions within ADCS to manage and issue and revoke certificates, and issue an Enrollment Agent certificate in PKCS#12 format.

  • A technical account with appropriate permissions and an enrollment agent certificate must be created.

It is possible to install the EverTrust ADCS Connector on another machine than an ADCS server. You then need to copy C:\Windows\System32\certadm.dll onto that server, and call regsvr32 C:\Windows\System32\certadm.dll from an elevated command prompt.

Limitations

  • All limitations induced by the use of ADCS.

Create the PKI connector

1. Log in to Horizon Administration Interface.

2. Access PKI from the drawer or card: PKI > PKI Connectors.

3. Click on Add HTTP Proxy.

4. Select the correct PKI type.

5. Click on the next button

General tab

6. Fill in the common mandatory fields:

  • Connector Name* (string input):
    Choose a meaningful connector name allowing to identify the mapping between the PKI and the Certificate Profile. It must be unique and must not contain spaces.

  • Proxy (string select):
    If the PKI is not directly reachable from Horizon, you can set up an HTTP/HTTPS proxy to properly forward the traffic.

  • Queue PKI (string select):
    The PKI Queue used to manage the PKI Requests (enrollment, revocation).

  • Timeout (finite duration):
    Represents a predefined interval of time without a PKI response, when the time has passed "Horizon" will cease trying to establish the communication. Must be in valid finite duration.

7. Click on the next button

Details tab

8. Fill in all mandatory fields:

  • Endpoint* (string input):
    URL to access the Web Enrollment ADCS component.

  • Active Directory Domain Netbios Name* (string input):
    The Active Directory domain where to find the technical user and the ADCS server.

  • Profile* (string input):
    It is recommended to duplicate default template, and grant the enrolment permissions to the created technical user. Example: Web Server

  • CA Config* (string input):
    The CaConfig string, as given out by certutil -config for the considered ADCS CA. It’s usually in the form <ADCS Hostname>\<CA CommonName>

9. Click on the next button.

Authentication tab

10. Fill in the PKI-authentication fields:

  • Signer PKCS#12* (import):
    Import the PKCS#12 file containing the signature certificate used to sign the CMP messages.

  • Sign certificate password* (string input):
    Enter the password used to secure the aforementioned PKCS#12.

  • Technical account MSUPN* (string input):
    Create a user that has certificate issuance, revocation and management permissions at CA level and for the relevant certificates template.

  • Technical account password* (string input):
    Password associated with aforementioned defined user.

11. Click on the save button.

You can edit Edit PKI, duplicate Duplicate PKI or delete Delete PKI the Microsoft Active Directory Certificate Services PKI connector.