Set up Microsoft AD CS for issuing and importing certificates

The steps below will take you through everything you need to do to get your AD CS service integrated with Next-Gen Trust Security. After completing these steps, you'll be able to import existing certificates and issue new certificates.

Before you begin

Have the following ready before you start:
  • Linux server to run VSatellite. See Pre-requisites for installing VSatellites for a list of system and network requirements.
  • Windows server to run VSatellite Worker. The server must meet the following minimum requirements:
    • Separate server from the server running AD CS
    • Windows Server 2019
    • Microsoft .NET Framework 4.7.0 or higher
    • Visual C++ Redistributable is required. You can download it from Latest supported Visual C++ Redistributable downloads.
    • Access to TCP port 135 (RPC endpoint mapper) and the dynamic RPC range 49152 - 65535 on the AD CS server
    • VSatellite connectivity to the VSatellite Worker - port 8085 (default) or the custom port specified during VSatellite Worker installation
    • 4 GB RAM
    • 2 CPUs
    • 300 MB free disk space (before Worker install)
  • IP or hostname of your Microsoft AD CS server
  • Username and password used to authenticate to Microsoft AD CS
  • Microsoft AD CS Issuing Certificate Common Name
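The requirements above can be checked before running the Worker installer. The script below is an added example, not part of the product documentation: run it from an elevated PowerShell prompt on the candidate Worker server. `$AdcsHost` and `$CaCommonName` are placeholders you supply; the registry keys used for the .NET Framework and Visual C++ checks are the standard ones written by those installers, and the assumption that the Visual C++ package in question is the 2015-2022 redistributable is noted in the code.

```powershell
# Added example, not part of the product documentation: pre-flight checks for the
# Windows server that will host the VSatellite Worker. Run from an elevated PowerShell
# prompt on that server. Both parameters are placeholders you supply.
param(
    [Parameter(Mandatory)][string]$AdcsHost,   # IP or hostname of the AD CS server
    [string]$CaCommonName                      # optional: CN of the issuing CA, enables the certutil ping
)

$results = [ordered]@{}

# The Worker must not share a server with AD CS: the CA service (CertSvc) must be absent here.
$results['Not installed on the AD CS server'] = -not (Get-Service -Name CertSvc -ErrorAction SilentlyContinue)

# Windows Server 2019 is build 17763; ProductType 1 would be a workstation SKU.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$results['Windows Server 2019 or later'] = ([int]$os.BuildNumber -ge 17763) -and ($os.ProductType -ne 1)

# .NET Framework 4.7.0 or higher: the Release DWORD is 460798 (Windows 10 1703) or 460805 (other OS) for 4.7.0.
$ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$results['.NET Framework 4.7.0 or higher'] = ([int]$ndp.Release -ge 460798)

# Visual C++ Redistributable (x64). The 2015-2022 redistributable records itself under this key;
# assumption: that is the "latest supported" package the prerequisites link to.
$vc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\x64' -ErrorAction SilentlyContinue
$results['Visual C++ Redistributable present'] = ($vc.Installed -eq 1)

# Sizing: 4 GB RAM (allowing for memory reserved by firmware), 2 CPUs, 300 MB free on the system drive.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results['At least 4 GB RAM']      = ($cs.TotalPhysicalMemory -ge 3.8GB)
$results['At least 2 CPUs']        = ($cs.NumberOfLogicalProcessors -ge 2)
$results['300 MB free disk space'] = ((Get-PSDrive -Name $env:SystemDrive.TrimEnd(':')).Free -ge 300MB)

# Network: TCP 135 is the RPC endpoint mapper; the CA then hands out a port in 49152-65535, which a
# plain port probe cannot exercise. certutil -ping (when the CA CN is given) drives a real DCOM call
# through that range, so a passing ping covers both requirements.
$results['TCP 135 reachable on AD CS'] = Test-NetConnection -ComputerName $AdcsHost -Port 135 -InformationLevel Quiet
if ($CaCommonName) {
    certutil -config "$AdcsHost\$CaCommonName" -ping | Out-Null
    $results['certutil -ping to the CA succeeds'] = ($LASTEXITCODE -eq 0)
}

# Port 8085 (or the custom --port value) must be reachable from the VSatellite; test that from the
# Linux side once the Worker is installed, since nothing listens on it yet.

$results.GetEnumerator() | ForEach-Object {
    '{0} {1}' -f $(if ($_.Value) { '[PASS]' } else { '[FAIL]' }), $_.Key
}
```

A failing `certutil -ping` with a passing port 135 probe usually means the dynamic RPC range is blocked between the Worker and the CA, or the CN does not match the CA's actual name; both are worth resolving before the Test credentials step.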

Step 1: Connect your AD CS server to Next-Gen Trust Security

First, we'll set up the connection between your Microsoft AD CS server and Next-Gen Trust Security. If you don't already have a VSatellite or VSatellite Worker, these steps will walk you through those installations. If you do, then you can just select them during setup.
  1. Sign in to Next-Gen Trust Security.
  2. Click Configuration > Certificate Authorities.
  3. Click New > Microsoft AD CS.
  4. Enter a Name for the Certificate Authority.
    Tip: This is the name that will be used throughout Next-Gen Trust Security for this CA.
  5. From the VSatellite Worker drop-down, select the VSatellite Worker to use in this configuration.
If you don't have a VSatellite Worker yet, follow the steps below to set one up.

Don’t have a VSatellite Worker yet? Follow these steps to set one up.

Important: The VSatellite Worker must not be installed on the same server running AD CS.
  1. If you are not already on the Microsoft AD CS creation screen, follow the steps above to navigate there.
  2. Click Deploy VSatellite Worker.
If you're installing the VSatellite Worker on a Windows server that has internet access, refer to Online Installation below. If the server does not have internet access, refer to Offline Installation.

Online Installation

  1. Copy the VSatellite Worker installation command, and then run the script in a PowerShell prompt on the Windows server where you're setting up your VSatellite Worker.
  2. To use a port other than the default port 8085, replace the port number following the --port flag before running the installation command.

Offline Installation

  1. Copy the VSatellite Worker download command, and run it in a PowerShell prompt from a machine with internet connectivity.
    This downloads the VSatellite Worker installer (VSatelliteWorkerInstaller.msi) and VSatellite Worker (vsatworkectl.exe).
  2. Move both files to the same directory on the Windows server you want to install VSatellite Worker on.
  3. After moving the files, copy the VSatellite Worker installation command, and then run the script in a PowerShell prompt on the Windows server you're setting up as your VSatellite Worker.
    To use a port other than the default port 8085, replace the port number following the --port flag before running the installation command.

Once the installation command has been run (online or offline), continue with the following steps.
  1. Follow the on-screen prompts to complete the installation.
  2. Check if the VSatellite Worker service is running on the Windows server by going to the Start menu and typing Services. From there, open the Services app, and in the Name column, look for VSatWorkerService.
  3. After the VSatellite Worker is up and running, return to the Next-Gen Trust Security screen, and click Continue.
  4. In the VSatellite Worker server address, enter the FQDN or IP address of the Windows server where you installed the VSatellite Worker. Include the port number. The default port is 8085, but if you set a different port during installation, enter that port instead.
  5. Click Set.
  6. To complete the setup, the VSatellite Worker needs to be paired with a VSatellite. If you already have a VSatellite in place, you can select it from the VSatellite drop-down.
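The service check in the steps above can be scripted, together with a check that the Worker is actually listening on its port and a firewall rule that admits only the VSatellite. The following is an added example, not part of the product documentation: run it elevated on the Worker server. `$VSatelliteAddress` is a placeholder for your VSatellite's address, and the firewall rule name is one chosen here for illustration.

```powershell
# Added example, not part of the product documentation: verify the VSatellite Worker after
# installation and restrict inbound access to its port to the VSatellite only. Run elevated
# on the Worker server. Both parameters are placeholders you supply.
param(
    [Parameter(Mandatory)][string]$VSatelliteAddress,   # IP address or CIDR of the Linux VSatellite
    [int]$WorkerPort = 8085                             # the --port value used at install time
)

# 1. Service state, equivalent to looking up VSatWorkerService in the Services app.
$svc = Get-Service -Name VSatWorkerService -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning 'VSatWorkerService is not installed; re-run the installation command.'
} else {
    'Service {0}: {1} (startup type {2})' -f $svc.Name, $svc.Status, $svc.StartType
    if ($svc.Status -ne 'Running') { Start-Service -Name VSatWorkerService }
}

# 2. The Worker must be listening on the configured port; show which process owns the socket.
$listener = Get-NetTCPConnection -LocalPort $WorkerPort -State Listen -ErrorAction SilentlyContinue |
            Select-Object -First 1
if ($listener) {
    $owner = Get-Process -Id $listener.OwningProcess
    'TCP {0} is listening, owned by {1} (PID {2})' -f $WorkerPort, $owner.ProcessName, $owner.Id
} else {
    Write-Warning "Nothing is listening on TCP $WorkerPort; check the port chosen during installation."
}

# 3. Windows Firewall: allow the Worker port inbound from the VSatellite only, not from any host.
$ruleName = 'VSatellite Worker (inbound from VSatellite only)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP -LocalPort $WorkerPort `
        -RemoteAddress $VSatelliteAddress -Action Allow -Profile Any | Out-Null
}
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallAddressFilter |
    Select-Object @{ n = 'Rule'; e = { $ruleName } }, RemoteAddress
```

If the installer created its own broader inbound rule for the port, review it alongside the scoped rule above so that the Worker is not reachable from hosts other than the VSatellite.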

Do you also need to set up a VSatellite? Follow these steps.

A VSatellite Worker needs to be paired with a VSatellite in order to communicate with Next-Gen Trust Security.
  1. Click Deploy VSatellite. The Deploy a VSatellite page opens.
  2. From the VSatellite deployment script, click Copy Code to copy the entire command.
  3. Run the command on the Linux server you've set up to be your VSatellite. Follow the on-screen instructions to complete the installation.
    Note: The installation may take up to 10 minutes.
  4. After installation, return to the Deploy a VSatellite screen in Next-Gen Trust Security, and click Test Connection.
    Note: Activating the VSatellite takes a few seconds. If Test Connection fails initially, click the button again to re-test the connection until it succeeds, and the Done button at the bottom of the screen is enabled.
  5. Click Done. You are returned to the Deploy VSatellite Worker page.
  6. The VSatellite drop-down should now show the VSatellite you just deployed. Click Pair to connect the VSatellite Worker to the VSatellite.
  7. Click Done. You are returned to the Connection page, and the VSatellite Worker drop-down is populated with the VSatellite Worker you just set up.
  8. Click Next.

Step 2: Enter your AD CS information

Next, we'll enter your Microsoft AD CS server information and credentials so that Next-Gen Trust Security can authenticate to your AD CS server.
  1. In the AD CS administrative address field, enter the IP address or hostname of your Microsoft AD CS server.
  2. In the Common Name (CN) of the CA's certificate box, enter the Common Name of the Microsoft AD CS Issuing (root) Certificate.
  3. Enter the Username and Password to authenticate with Microsoft AD CS.
    Note (AD CS Permissions): The account you use must have Read, Issue and Manage Certificates, and Request Certificates permissions to the Microsoft AD CS server.
  4. Click Test credentials.

Step 3: Select AD CS issuance templates to map to Next-Gen Trust Security

Now that the connection is made, we can set up certificate issuance through Next-Gen Trust Security.
  1. Click in the Issuance templates field.
  2. Select the AD CS issuance templates that you want to map to Next-Gen Trust Security.
  3. Click Add.
Next-Gen Trust Security tests all the templates you selected. Templates with a Passed result are available to map to Certificate Issuing Templates in Next-Gen Trust Security. Those with a Failed result are not.
Why did some templates fail?
After adding templates, Next-Gen Trust Security issues test certificates using each of the AD CS issuance templates. Next-Gen Trust Security supports issuance through templates that:
  • Have Server Authentication set in the Application Policies setting of the Extensions tab on the issuance template
  • Allow issuing certificates using RSA keys
  • Supply the Subject Name in the request
Issuance templates that are incapable of issuing such certificates fail the Next-Gen Trust Security issuance test. This is expected.
Issuance tests use a static 2048-bit CSR and may fail for templates requiring larger key sizes. You can still issue certificates using those templates.
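The three template properties listed above, plus the minimum key size that trips the 2048-bit test CSR, are all stored on the template objects in Active Directory, so failed templates can be diagnosed without re-running the test. The script below is an added example, not part of the product documentation: it needs the ActiveDirectory module (RSAT) and the read access to the configuration partition that authenticated domain users have by default. The attribute names and the `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT` bit are the documented AD CS schema values; treating legacy v1/v2 templates (which carry no algorithm entry) as RSA is an assumption noted in the code.

```powershell
# Added example, not part of the product documentation: audit AD CS certificate templates for
# the properties the issuance test needs (Server Authentication in Application Policies, RSA keys,
# subject supplied in the request) and for minimum key sizes above the 2048-bit test CSR.
Import-Module ActiveDirectory

$ServerAuthOid           = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$EnrolleeSuppliesSubject = 0x1                   # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT in msPKI-Certificate-Name-Flag
$TestCsrKeySize          = 2048                  # key size of the static CSR used by the issuance test

$configNC     = (Get-ADRootDSE).configurationNamingContext
$templateBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$enrollBase   = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

# A template can only be selected if some CA publishes it; the CA objects list published templates by CN.
$published = Get-ADObject -SearchBase $enrollBase -LDAPFilter '(objectClass=pKIEnrollmentService)' `
                 -Properties certificateTemplates |
             ForEach-Object { $_.certificateTemplates }

$props = 'displayName', 'msPKI-Certificate-Application-Policy', 'pKIExtendedKeyUsage',
         'msPKI-Certificate-Name-Flag', 'msPKI-RA-Application-Policies', 'msPKI-Minimal-Key-Size'

Get-ADObject -SearchBase $templateBase -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties $props |
ForEach-Object {
    $t = $_

    # "Application Policies" on the Extensions tab is msPKI-Certificate-Application-Policy; v1 templates
    # only carry pKIExtendedKeyUsage, so accept Server Authentication from either attribute.
    $appPolicies = @($t.'msPKI-Certificate-Application-Policy') + @($t.pKIExtendedKeyUsage)
    $serverAuth  = $appPolicies -contains $ServerAuthOid

    # Subject supplied in the request: bit 0x1 of msPKI-Certificate-Name-Flag.
    $nameFlag        = [int]$t.'msPKI-Certificate-Name-Flag'
    $suppliesSubject = ($nameFlag -band $EnrolleeSuppliesSubject) -ne 0

    # Key algorithm: v3+ templates record it in msPKI-RA-Application-Policies as
    # "msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`...". v1/v2 templates select a legacy CSP instead;
    # assumption: those are RSA, since the legacy CSPs are RSA-only.
    $raPolicies = [string]($t.'msPKI-RA-Application-Policies' -join ' ')
    $rsa = if ($raPolicies -match 'msPKI-Asymmetric-Algorithm`PZPWSTR`([^`]+)`') {
        $Matches[1] -eq 'RSA'
    } else {
        $true
    }

    # A minimum above 2048 fails the static-CSR test but the template still works for real issuance.
    $minKey = [int]$t.'msPKI-Minimal-Key-Size'

    [pscustomobject]@{
        Template           = $t.displayName
        PublishedOnCA      = ($published -contains $t.Name)
        ServerAuth         = $serverAuth
        SuppliesSubject    = $suppliesSubject
        RsaKeys            = $rsa
        MinKeySize         = $minKey
        TestLikelyPasses   = $serverAuth -and $suppliesSubject -and $rsa -and ($minKey -le $TestCsrKeySize)
        UsableAfterFailing = $serverAuth -and $suppliesSubject -and $rsa -and ($minKey -gt $TestCsrKeySize)
    }
} | Sort-Object TestLikelyPasses -Descending | Format-Table -AutoSize
```

Templates that report `UsableAfterFailing` are the case described above: they fail the test only because of the key size and can still be used for issuance. Because every template in this list accepts the requester's subject name, keep its Enroll permission limited to the account used in Step 2 rather than to broad groups.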
  4. Click Next.
On the Statistics tab of your Microsoft AD CS certificate authority, you see a summary of your certificates. Click on any number to open a pre-filtered Certificate Inventory page to see those certificates.

Step 4: Import existing certificates from AD CS

This step is required only if you want to import existing certificates from AD CS.
  1. Click in the Import templates box.
  2. Select the AD CS templates that you want to import certificates from.
  3. Click Add.
  4. (Optional) Enable AD CS Import and configure the import interval.
  5. Under Import options, select whether to import revoked or expired certificates.
  6. Click Done.
Next-Gen Trust Security imports the certificates.
On the Statistics tab of your Microsoft AD CS certificate authority, you see a summary of your certificates. Click on any number to open a pre-filtered Certificate Inventory page to see those certificates.