Microsoft Active Directory Certificate Services PKI

Setup of the ADCS Connector

To set up a Microsoft Active Directory Certificate Services Connector (EverTrust ADCS Connector), you will need a machine running Windows Server 2016 or later with .NET 4.5.2 or later installed.

The connector can be installed on the ADCS server itself or on another machine in the same domain. In the latter case, copy the C:\Windows\System32\certadm.dll file from the ADCS server to the same path on that machine and register it by running regsvr32 C:\Windows\System32\certadm.dll from an elevated command prompt.

If all the prerequisites are met, follow these steps:

1. Download the MSI installer from the EverTrust Repo (in the horizon-win folder) on the machine you wish to install it onto;

2. Start the setup and follow the installation wizard;

3. Once the installation completes, enroll a TLS web server certificate whose SAN contains the DNS name you are going to use for this ADCS machine, and import it into the certificate store of the ADCS machine;

4. Retrieve the hash (thumbprint) of that certificate through certlm.msc. Be careful: invisible special characters may be copied along with the hash, so make sure to remove them if they are present;

5. Edit the C:\Program Files\EverTrust\ADCSConnector\EverTrustADCSConnector.exe.config file, paste the previously copied hash as the value of the "CertHash" line, then save the file;

6. Ensure that port 4443 is open in the firewall of this machine and that the machine can indeed be reached from the Horizon machine;

7. Using services.msc, start the "EverTrust ADCS Connector" service. To check that the service started successfully, open Internet Explorer and go to https://localhost:4443/api/certificate. This should download a JSON file that says "OK" if everything is working;

8. Create a new certificate template on the ADCS (or use an existing one) that the connector will use to enroll the certificates;

9. Create a technical account and give it the right to enroll on the previously created template. This technical user also needs to be able to log in on the machine where the connector is installed;

10. Create an enrollment agent certificate and export it as PKCS#12. This certificate will be the one used to sign the CMC messages from Horizon.
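The following PowerShell script is an added example, not part of the EverTrust documentation or product: it automates steps 4 to 7 above on the connector machine, including the step 4 caveat about stray characters in a copied thumbprint. The DNS name, the Horizon address, the firewall rule name and the layout of the .exe.config file (a standard .NET appSettings "add" element with key CertHash) are assumptions; the script stops with an explicit error if the config layout differs.

```powershell
# Added example, not part of the EverTrust documentation: automates steps 4 to 7
# of the ADCS Connector setup on the connector machine. Run it from an elevated
# PowerShell session (Windows PowerShell 5.1 or later). Assumptions are marked.

$ConnectorDnsName = 'adcs-connector.example.local'   # assumed: the SAN DNS name enrolled at step 3
$HorizonAddress   = '10.0.0.10'                       # assumed: address of the Horizon machine
$ConfigPath  = 'C:\Program Files\EverTrust\ADCSConnector\EverTrustADCSConnector.exe.config'
$ServiceName = 'EverTrust ADCS Connector'             # display name given in step 7
$RuleName    = 'EverTrust ADCS Connector (TCP 4443)'  # assumed firewall rule name

# Step 4 caveat: a thumbprint copied from certlm.msc may carry invisible characters
# (for example a leading U+200E mark) that break the config value. Keep only hex digits
# and require the 40 characters of a SHA-1 thumbprint.
function ConvertTo-CleanThumbprint([string]$Raw) {
    $clean = ($Raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) { throw "Expected a 40-character SHA-1 thumbprint, got '$clean'" }
    return $clean
}

# Step 4: select the TLS server certificate by its SAN DNS name instead of copying by hand.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $ConnectorDnsName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with SAN DNS '$ConnectorDnsName' in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key" }
$hash = ConvertTo-CleanThumbprint $cert.Thumbprint

# Step 5: write the hash into the config. Assumed layout: a .NET
# <appSettings><add key="CertHash" value="..."/> element; stop if it is absent.
[xml]$config = Get-Content -Path $ConfigPath -Raw
$node = $config.SelectSingleNode("//add[@key='CertHash']")
if (-not $node) { throw "No <add key='CertHash'> element in $ConfigPath; edit the file manually" }
Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force   # keep a backup
$node.SetAttribute('value', $hash)
$config.Save($ConfigPath)

# Step 6: allow TCP 4443 inbound, but only from the Horizon machine (least exposure).
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 4443 -RemoteAddress $HorizonAddress -Action Allow | Out-Null
}

# Step 7: start the service and call the health endpoint. Using the SAN DNS name
# rather than localhost lets the TLS certificate validate against the hostname.
Start-Service -DisplayName $ServiceName
(Get-Service -DisplayName $ServiceName).WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
$resp = Invoke-WebRequest -Uri "https://$($ConnectorDnsName):4443/api/certificate" -UseBasicParsing
if ($resp.StatusCode -ne 200 -or $resp.Content -notmatch 'OK') {
    throw "Connector health check failed: HTTP $($resp.StatusCode), body: $($resp.Content)"
}
Write-Host "Connector is up on https://$($ConnectorDnsName):4443 with certificate $hash"
```

Restricting the firewall rule to the Horizon address rather than opening 4443 to any source is a deliberate choice; widen the remote address only if Horizon runs behind a NAT or proxy whose address differs. If the health check fails with a TLS error, confirm that the SAN of the selected certificate really matches the name you used in the URL.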

Now that the configuration on the ADCS side is complete, we can tackle the configuration on the Horizon side.

Creating the ADCS PKI Connector in Horizon

The previous steps are prerequisites for continuing the setup. If you haven't yet configured the ADCS Connector on the ADCS side, please refer to Setup of the ADCS Connector. The rest of this section assumes that the EverTrust ADCS Connector is installed and correctly set up on the ADCS side.

Limitations

  • All limitations induced by the use of ADCS.

Create the PKI connector

1. Log in to Horizon Administration Interface.

2. Access PKI from the drawer or card: PKI > PKI Connectors.

3. Click on the Add icon.

4. Select the correct PKI type.

5. Click on the next button.

General tab

6. Fill in the common mandatory fields:

  • Connector Name* (string input):
    Choose a meaningful connector name that identifies the mapping between the PKI and the Certificate Profile. It must be unique and must not contain spaces.

  • Proxy (string select):
    If the PKI is not directly reachable from Horizon, you can set up an HTTP/HTTPS proxy to properly forward the traffic.

  • PKI Queue (string select):
    The PKI Queue used to manage the PKI Requests (enrollment, revocation).

  • Timeout (finite duration):
    The maximum time Horizon waits for a response from the PKI; once it has elapsed, Horizon stops trying to establish the communication. Must be a valid finite duration.

7. Click on the next button.

Details tab

8. Fill in all mandatory fields:

  • Endpoint* (string input):
    URL used to reach the machine where the ADCS connector is running, on port 4443.

  • Active Directory Domain Netbios Name* (string input):
    The NETBIOS name of the Active Directory domain in which the technical user and the ADCS server are located.

  • Profile* (string input):
    The technical name of the template that you created at step 8 of the Setup of the ADCS Connector section. Example: WebServer

  • CA Config* (string input):
    The CaConfig string, as returned by certutil -getconfig for the ADCS CA in question. It is usually of the form <ADCS Hostname>\<CA CommonName>

9. Click on the next button.

Authentication tab

10. Fill in the ADCS authentication fields:

Specify only the username of the technical account on the ADCS machine, without the Netbios domain name.
For example, in PKI\Technical do not include the PKI\ part.

11. Click on the save button.

You can edit, duplicate or delete the Microsoft Active Directory Certificate Services PKI connector.