How-To: Register ADCS Agent in EZCA

The last step to linking EZCA to your existing ADCS CAs is registering the CA in EZCA. Once linked, EZCA enables your ADCS CA to connect to the latest protocols such as ACME and automatic AKV certificate creation.

Prerequisites

  1. Setup IIS
  2. Create Certificate Templates In CA
  3. Setup EZCA Agent

Registering the CA in EZCA

  1. Navigate to the EZCA portal.
  2. Navigate to Certificate Authorities.

    EZCA Cloud PKI portal dashboard with Certificate Authorities menu item highlighted in left navigation

  3. Click “Create CA”.

    EZCA Cloud PKI My CAs list page with Create CA button highlighted

  4. Select ADCS CA.

    EZCA Cloud PKI Create CA wizard showing ADCS CA type selected to connect to existing Active Directory CA

  5. Press Next.

Connect CAs

Now we will connect EZCA to all the CAs you want to manage with EZCA.

  1. First, enter the CA Friendly Name. This name is only for your reference in the EZCA portal.
  2. Upload the CA's certificate (only the public part; do not upload the private key).
  3. Enter the Agent URL (the EZCA Agent you set up in the prerequisites).
  4. Enter the CA name in the format HOST.DNS\CA Name.
  5. Press “Test Connection”.

    EZCA Cloud PKI Configure CAs page showing CA certificate upload field, agent URL, CA name, and Test Connection button

  6. Once the connection is validated, press Add CA.

    EZCA Cloud PKI Configure CAs page with successful connection test and Add CA button highlighted

  7. If you want to add more CAs to this CA group (this will enable you to manage domains and requests as if they are all part of one big geo-redundant CA), repeat steps 2-6 for each CA.

  8. Once you are done adding the CAs, press Next.

    EZCA Cloud PKI Configure CAs page showing configured ADCS CA with Next button highlighted to proceed
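The following PowerShell is an added example, not part of the EZCA documentation or of Keytos's own tooling. It gathers the values the Connect CAs form asks for (the HOST.DNS\CA Name string and the CA's public certificate) and checks them before you press “Test Connection”. It assumes it is run on the ADCS CA host itself, that the CA is the only subkey under the CertSvc Configuration registry key, and that the EZCA Agent reaches the CA over the same interface certutil uses; if the agent runs on a different machine, repeat the ping step there under the agent's service account.

```powershell
# Added example (not from the EZCA docs). Run on the ADCS CA host as an account that
# can read the CertSvc registry key and talk to the CA.

# 1. Build the "HOST.DNS\CA Name" string the EZCA form expects.
$caHost = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
# The CA's common name is the subkey under CertSvc\Configuration (assumes a single CA).
$caName = (Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' |
           Select-Object -First 1).PSChildName
if (-not $caName) { throw 'No CA configuration found under CertSvc; is this the CA host?' }
$config = "$caHost\$caName"
Write-Host "CA name for the EZCA form: $config"

# 2. Check the CA answers on its RPC/DCOM interface under the current credentials,
#    which is what "Test Connection" needs to succeed from the agent side.
certutil -config $config -ping
if ($LASTEXITCODE -ne 0) {
    throw "CA $config did not answer; fix connectivity or permissions before registering it."
}

# 3. Export the CA certificate. -ca.cert writes the public certificate only;
#    no private key material is exported.
$cerPath = Join-Path $env:TEMP "$caName.cer"
certutil -config $config -ca.cert $cerPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not export the CA certificate from $config." }

# 4. Confirm the file you are about to upload carries no private key.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
if ($cert.HasPrivateKey) { throw "Unexpected private key in $cerPath; do not upload it." }
Write-Host "Upload $cerPath (Subject: $($cert.Subject); Thumbprint: $($cert.Thumbprint))"
```

A non-zero exit from the ping step usually means a firewall or DCOM permission problem between the agent host and the CA, which is the same thing the portal's “Test Connection” will report; fixing it here first saves a round trip through the wizard.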

Adding Templates

Once the CAs are connected to EZCA, we have to add the templates that you want EZCA to manage certificates for.

  1. First, select the template type this template will be used for.
  2. Then enter the template name exactly as it appears in the CA.
  3. Press Test Template to verify EZCA has access to request certificates for this template.

    EZCA Cloud PKI Configure Templates page showing SSL template type, template name field, and Test Template button

  4. Enter the maximum lifetime for a certificate that can be issued by EZCA.
  5. (Optional) EZCA templates have advanced settings, such as domain restrictions, approval requirements, or restrictions on who can request domain registrations. [Read More]
  6. Press Add Template.
  7. Once you have added and configured all the desired templates, press the Create button.
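Step 2 requires the template name exactly as the CA knows it, and Test Template fails if the template is not enabled on the CA. The following PowerShell is an added example, not part of the EZCA documentation, that lists the templates enabled on the CA so you can copy the name from there. The $config and $wanted values are constructed placeholders; use the HOST.DNS\CA Name string from the Connect CAs page and the template you intend to add.

```powershell
# Added example (not from the EZCA docs): list the certificate templates enabled on
# the CA and confirm the one you plan to register with EZCA is among them.
$config = 'ca01.corp.example\Corp Issuing CA'   # placeholder: your HOST.DNS\CA Name
$wanted = 'EZCAWebServer'                       # placeholder: template to add in EZCA

# certutil -CATemplates prints one line per enabled template in the form
#   <Name>: <Display Name> -- Auto-Enroll: <status>
# followed by a "CertUtil: ..." status line that is filtered out here.
$templates = certutil -CATemplates -config $config |
    Where-Object { $_ -and $_ -notmatch '^CertUtil:' } |
    ForEach-Object {
        if ($_ -match '^(?<name>[^:]+):\s*(?<display>.+?)(\s+--.*)?$') {
            [pscustomobject]@{ Name = $Matches.name; DisplayName = $Matches.display }
        }
    }
if ($LASTEXITCODE -ne 0) { throw "Could not query templates on $config." }

$templates | Format-Table -AutoSize

# Match on either the template name or its display name, since the CA shows both.
$known = @($templates.Name) + @($templates.DisplayName)
if ($known -notcontains $wanted) {
    throw "Template '$wanted' is not enabled on $config; enable it on the CA before adding it in EZCA."
}
Write-Host "Template '$wanted' is enabled on $config; use this name in the EZCA portal."
```

If Test Template still fails after the template shows up here, the remaining cause is usually enrollment permission: the account the EZCA Agent runs as needs Enroll rights on that template.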

(Optional) Templates (Advanced Settings)

  1. Click the expand button.

    EZCA Cloud PKI Configured Templates section showing SSL template with certificate lifetime and Advance Settings expanded

Pre-Approved List of domains

  1. Since this is not a publicly trusted CA, by default EZCA will allow requesters to register any domain. If you want to limit which domains this CA can issue certificates for, select the “Allow Only Pre-Approved List of Domains” option.
  2. Upload a .txt file with your pre-approved domains (one per line), or enter them in the portal.

    EZCA Cloud PKI Advance Settings Domain Rules section showing pre-approved domains list with Upload TXT File option

Allow Wildcard Domains

By default, EZCA does not allow users to request certificates for wildcard domains (a domain that starts with *., which lets the same certificate be used for all subdomains of that domain). If you want EZCA to issue wildcard certificates, select the “Allow wild-card certificates” option.
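Because the pre-approved list is what limits what this CA may issue, it is worth checking the .txt file before uploading it. The following PowerShell is an added example, not part of the EZCA documentation; it normalises each line, drops blanks and duplicates, rejects entries that are not valid hostnames, and flags *. entries as wildcards, which only make sense in the list when the “Allow wild-card certificates” option above is selected. The sample list is constructed, and the hostname rule used here is an assumption (EZCA's own validation may differ).

```powershell
# Added example (not from the EZCA docs): sanity-check a pre-approved domain list
# before uploading it to EZCA.
$allowWildcards = $false   # set to $true if "Allow wild-card certificates" is enabled

# Constructed sample; in practice use: $lines = Get-Content .\approved-domains.txt
$lines = @(
    'app.corp.example',
    'APP.corp.example',        # duplicate once lower-cased
    '*.internal.corp.example', # wildcard entry
    '',                        # blank line
    'bad_host.corp.example'    # underscore is not valid in a hostname label
)

# Assumed hostname rule: labels of 1-63 letters, digits or hyphens, not starting
# or ending with a hyphen, at least two labels.
$label = '[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?'
$fqdn  = "^($label\.)+$label$"

$seen   = @{}
$result = foreach ($raw in $lines) {
    $d = $raw.Trim().ToLowerInvariant()
    if (-not $d) { continue }
    $isWild = $d.StartsWith('*.')
    $base   = if ($isWild) { $d.Substring(2) } else { $d }
    $status = if ($base -notmatch $fqdn)                { 'invalid' }
              elseif ($isWild -and -not $allowWildcards) { 'wildcard-not-allowed' }
              elseif ($seen.ContainsKey($d))             { 'duplicate' }
              else   { $seen[$d] = $true; 'ok' }
    [pscustomobject]@{ Domain = $d; Status = $status }
}

$result | Format-Table -AutoSize

# Write only the entries that passed, one per line, ready for the Upload TXT File option.
$clean = Join-Path $env:TEMP 'approved-domains.clean.txt'
$result | Where-Object Status -eq 'ok' | Select-Object -ExpandProperty Domain | Set-Content -Path $clean
Write-Host "Clean list written to $clean"
```

With the constructed sample and wildcards disabled, only app.corp.example passes; the second copy is reported as a duplicate, the *. entry as wildcard-not-allowed, and the underscore entry as invalid.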

Issuance Rules

To enable more granular control over who can request domain ownership in EZCA, we added two extra knobs that PKI administrators can adjust to control domain ownership.

  1. Require domain registration approval. This option enables PKI administrators to set a group of approvers that must approve each domain registration before a user or group of users is registered as a domain owner.
    1. To enable this option, select the “require approval” option.
    2. Enter the users or AAD groups that can approve domain requests.

    Require Approval

  2. The second way PKI administrators can control the registration of domains is to allow only specific users to request domains. This option enables PKI administrators to set a list of users that can request domains for this CA.
    1. To enable this option, deselect the “Allow all users” option.
    2. Enter the users or AAD groups that can register domains.

    Specific Domain Admins