How To Create ADCS CA Templates For EZCA Integration
Introduction
On this page we walk you through setting up your ADCS CA so that EZCA holds an enrollment agent certificate and can use that certificate to issue certificates on behalf of other principals.
Creating Enrollment Certificate
- Open the Certificate Authority management console.
- Right click the Certificate Templates folder.
- Click Manage.
- Right click the Enrollment Agent template.
- Select the Duplicate option.
- Switch to the General tab.
- Change the Name to EZCA Enrollment Agent.
- Change validity period to 2 months.
- Navigate to the Security tab.
- Click Add.
- Click Object Types.
- Add Service Accounts.
- Click OK.
- Enter the name of your gMSA. Note: if you have not created your gMSA yet, go to the create gMSA section of these docs.
- Click OK.
- Back in the security tab, make sure the gMSA has read and enroll rights to this template.
- Navigate to the Subject Name tab.
- Select the “Supply in the request” option.
- Save the changes and exit the dialog by clicking the OK button.
- Back in the Certificate Authority management console, click on Certificate Templates.
- Once in the Certificate Templates page, right click any whitespace and select New > Certificate Template to Issue.
- Select the EZCA Enrollment Agent template that we just created.
- Your CA can now issue this certificate to the EZCA gMSA. Repeat the last 3 steps on each CA on which you want to enable this template.
Create EZCA Test Certificate Template
To ensure high uptime, EZCA creates test certificates in each of the registered CAs every few minutes. To enable this, we will create a short-lived template for EZCA to issue.
- Open the Certificate Authority management console.
- Right click the Certificate Templates folder.
- Click Manage.
- Right click the Web Server template.
- Select the Duplicate option.
- Switch to the General tab.
- Change the Name to EZCA Test Template.
- Change validity period to 1 hour.
- Navigate to the Security tab.
- Click Add.
- Click Object Types.
- Add Service Accounts.
- Click OK.
- Enter the name of your gMSA. Note: if you have not created your gMSA yet, go to the create gMSA section of these docs.
- Click OK.
- Back in the security tab, make sure the gMSA has read and enroll rights to this template.
- Navigate to the Issuance Requirements tab.
- Select the “This number of authorized signatures” option and make sure the number is 1.
- Change the application policy to “Certificate Request Agent”.
- Save the changes and exit the dialog by clicking the OK button.
- Back in the Certificate Authority management console, click on Certificate Templates.
- Once in the Certificate Templates page, right click any whitespace and select New > Certificate Template to Issue.
- Select the EZCA Test Template that we just created.
- Your CA can now issue this certificate to the EZCA gMSA, provided the request is signed with its enrollment agent certificate. Repeat the last 3 steps on each CA on which you want to enable this template.
Modify Certificate Template for EZCA
The final change to the ADCS configuration is to modify each certificate template that you want EZCA to manage so that EZCA is able to issue it.
- Open the Certificate Authority management console.
- Right click the Certificate Templates folder.
- Click Manage.
- Right click the template you want to modify.
- Click Properties.
- Navigate to the Security tab.
- Click Add.
- Click Object Types.
- Add Service Accounts.
- Click OK.
- Enter the name of your gMSA. Note: if you have not created your gMSA yet, go to the create gMSA section of these docs.
- Click OK.
- Back in the security tab, make sure the gMSA has read and enroll rights to this template.
- Navigate to the Issuance Requirements tab.
- Select the “This number of authorized signatures” option and make sure the number is 1.
- Change the application policy to “Certificate Request Agent”.
- Save the changes and exit the dialog by clicking the OK button.
- Now EZCA will be able to issue certificates for this template.
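After working through the three template procedures above, it is worth confirming from Active Directory that each template ended up with the settings the steps describe (the signature requirement, the Certificate Request Agent policy, "Supply in the request" on the agent template) and that only the intended gMSA holds the Enroll right. The script below is an added audit example, not part of the EZCA documentation or product; it assumes the ActiveDirectory PowerShell module, read access to the Configuration partition, and uses a placeholder gMSA name (`CONTOSO\ezca-gmsa$`) and template display names matching the walkthrough.

```powershell
# Added audit script (not from the EZCA docs): reads each template's issuance settings
# and Enroll ACEs from AD and reports whether they match this walkthrough's configuration.
Import-Module ActiveDirectory

$EnrollRightGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment extended right
$RequestAgentOid = '1.3.6.1.4.1.311.20.2.1'                       # Certificate Request Agent application policy
$TemplateRoot    = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
                   (Get-ADRootDSE).configurationNamingContext

function Get-TemplateState {
    param([string]$DisplayName, [string]$ExpectedGmsa)   # e.g. 'CONTOSO\ezca-gmsa$' (placeholder)
    $t = Get-ADObject -SearchBase $TemplateRoot -Filter "displayName -eq '$DisplayName'" `
            -Properties msPKI-RA-Signature, msPKI-RA-Application-Policies, msPKI-Certificate-Name-Flag
    if (-not $t) { Write-Warning "Template '$DisplayName' not found"; return }

    # Issuance Requirements tab: number of authorized signatures and required application policy.
    # msPKI-RA-Application-Policies may be a packed string on newer template versions, so match the OID text.
    $sigCount    = [int]$t.'msPKI-RA-Signature'
    $agentPolicy = [bool](($t.'msPKI-RA-Application-Policies' -join ' ') -match [regex]::Escape($RequestAgentOid))
    # Subject Name tab: "Supply in the request" sets CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (bit 0x1).
    $supplyInRequest = ([int]$t.'msPKI-Certificate-Name-Flag' -band 1) -ne 0

    # Security tab: every principal allowed the Enroll extended right (or all rights) on this template.
    $acl = Get-Acl -Path "AD:\$($t.DistinguishedName)"
    $enrollers = $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.ActiveDirectoryRights -match 'ExtendedRight|GenericAll' -and
                       ($_.ObjectType -eq $EnrollRightGuid -or $_.ObjectType -eq [Guid]::Empty) } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    [pscustomobject]@{
        Template             = $DisplayName
        AuthorizedSignatures = $sigCount          # expected 1 on the test and managed templates
        RequiresRequestAgent = $agentPolicy       # expected True on the test and managed templates
        SupplyInRequest      = $supplyInRequest   # expected True on the enrollment agent template
        GmsaCanEnroll        = ($enrollers -contains $ExpectedGmsa)
        Enrollers            = ($enrollers -join ', ')   # review: anything beyond the gMSA is unexpected
    }
}

# Check the templates created in this walkthrough; add the managed template names you modified.
'EZCA Enrollment Agent', 'EZCA Test Template' |
    ForEach-Object { Get-TemplateState -DisplayName $_ -ExpectedGmsa 'CONTOSO\ezca-gmsa$' } |
    Format-Table -AutoSize
```

The Enrollers column is the one to read carefully: an enrollment agent template whose Enroll right extends beyond the EZCA gMSA lets those extra principals sign requests for every template that trusts the Certificate Request Agent policy.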
How to Enable Revocation in Active Directory Certificate Services (ADCS)
EZCA will need to revoke certificates that it issues. To enable this, you will need to enable revocation in your ADCS configuration.
- Open the Certificate Authority management console.
- Right click the Certificate Authority name.
- Click Properties.
- Navigate to the Security tab.
- Click Add.
- Click Object Types.
- Add Service Accounts.
- Click OK.
- Enter the name of your gMSA.
- Click OK.
- Back in the security tab, make sure the gMSA has “Issue and Manage Certificates” and “Request Certificates” rights.
- Click OK.