How-To: Create CA Templates For Entra CBA Smart Cards

How to create the ADCS templates for smart card creation and authentication using EZCMS, the leader in passwordless bootstrapping.

Introduction

In this page we will walk you through how to set up your ADCS CA with an enrollment agent certificate template for EZCMS, and how to create the templates that EZCMS will use that enrollment agent certificate to sign requests for.

Creating Enrollment Certificate

EZCMS will use a certificate issued by your CA to sign the requests and authenticate that the request was issued by our EZCMS agent. In the following steps I will walk you through how to create the template for this certificate.

  1. Open the Certificate Authority management console.
  2. Right click the Certificate Templates folder. [Screenshot: ADCS Certification Authority console with the Certificate Templates folder highlighted in red]
  3. Click Manage.
  4. Right click the Enrollment Agent template. [Screenshot: Certificate Templates console showing the Enrollment Agent template selected in the list]
  5. Select the Duplicate option.
  6. Switch to the General tab.
  7. Change the Name to EZCA Enrollment Agent.
  8. Change the validity period to 2 months. [Screenshot: New certificate template General tab showing the EZCA Enrollment Agent name and 2-month validity period]
  9. Navigate to the Security tab.
  10. Click Add.
  11. Click Object Types. [Screenshot: Select Users or Groups dialog with the Object Types button highlighted for adding service accounts]
  12. Add Service Accounts.
  13. Click OK.
  14. Enter the name of your gMSA. Note: if you have not created your gMSA, go to the create gMSA section of these docs. [Screenshot: Select Users dialog with the gMSA account name entered in the object name field]
  15. Click OK.
  16. Back in the Security tab, make sure the gMSA has Read and Enroll rights to this template. [Screenshot: Certificate template Security tab showing the gMSA with Read and Enroll permissions granted]
  17. Navigate to the Subject Name tab.
  18. Select the “Supply in the request” option. [Screenshot: Certificate template Subject Name tab with the Supply in the request option selected]
  19. Save the changes and exit the dialog by clicking the OK button.
  20. Back in the Certificate Authority management console, click on Certificate Templates.
  21. Once in the Certificate Templates page, right click any whitespace and select New > Certificate Template to Issue. [Screenshot: Certification Authority console context menu showing the New > Certificate Template to Issue option]
  22. Select the EZCA Enrollment Agent template that we just created. [Screenshot: Enable Certificate Templates dialog with the EZCA Enrollment Agent template selected]
  23. Your CA can now issue this certificate to the EZCA gMSA. Repeat the last 3 steps on each CA on which you want to enable this template.

Create EZCMS Test Certificate Template

To ensure high uptime, EZCMS will create test certificates in each of the registered CAs every few minutes. To enable this, we will create a short-lived template for EZCMS to issue.

  1. Open the Certificate Authority management console.
  2. Right click the Certificate Templates folder. [Screenshot: ADCS Certification Authority console with the Certificate Templates folder highlighted in red]
  3. Click Manage.
  4. Right click the Web Server template. [Screenshot: Certificate Templates console with the Web Server template highlighted at the bottom of the list]
  5. Select the Duplicate option.
  6. Switch to the General tab.
  7. Change the Name to EZCA Test Template.
  8. Change the validity period to 1 hour. [Screenshot: New certificate template General tab showing the EZCA Test Template name and 1-hour validity period]
  9. Navigate to the Security tab.
  10. Click Add.
  11. Click Object Types. [Screenshot: Select Users or Groups dialog with the Object Types button highlighted for adding service accounts]
  12. Add Service Accounts.
  13. Click OK.
  14. Enter the name of your gMSA. Note: if you have not created your gMSA, go to the create gMSA section of these docs. [Screenshot: Select Users dialog with the gMSA account name entered in the object name field]
  15. Click OK.
  16. Back in the Security tab, make sure the gMSA has Read and Enroll rights to this template. [Screenshot: Certificate template Security tab showing the gMSA with Read and Enroll permissions granted]
  17. Since this certificate template will be used for testing and will be issued frequently, it would break the ADCS database if every issued certificate were saved to it. To prevent this, navigate to the Server tab and select the “Do not store certificates and requests in the CA database” option. [Screenshot: EZCMS Passwordless Onboarding certificate template Server tab with the Do not store certificates and requests in the CA database option checked]
  18. Navigate to the Issuance Requirements tab.
  19. Select the “This number of authorized signatures” option and make sure the number is set to 1.
  20. Change the application policy to “Certificate Request Agent”. [Screenshot: Certificate template Issuance Requirements tab with the Certificate Request Agent application policy configured]
  21. Save the changes and exit the dialog by clicking the OK button.
  22. Back in the Certificate Authority management console, click on Certificate Templates.
  23. Once in the Certificate Templates page, right click any whitespace and select New > Certificate Template to Issue. [Screenshot: Certification Authority console context menu showing the New > Certificate Template to Issue option]
  24. Select the EZCA Test Template that we just created. [Screenshot: Enable Certificate Templates dialog with the EZCA Test Template selected for issuance]
  25. Your CA can now issue this certificate to the EZCA gMSA, provided the gMSA signs the request with its enrollment agent certificate. Repeat the last 3 steps on each CA on which you want to enable this template.

Creating the Smart Card Template

The last template we have to create is the smart card template you want EZCMS to issue.

  1. Open the Certificate Authority management console.
  2. Right click the Certificate Templates folder. [Screenshot: ADCS Certification Authority console with the Certificate Templates folder highlighted in red]
  3. Click Manage.
  4. Right click the Smartcard Logon template. [Screenshot: Certificate Templates console with the Smartcard Logon template highlighted at the bottom of the list]
  5. Select the Duplicate option.
  6. Change the Name to EZCMS.
  7. Set the validity period to your desired smart card validity period. [Screenshot: New certificate template General tab showing the EZSmartCard name with a 1-year validity period]
  8. Navigate to the Security tab.
  9. Click Add.
  10. Click Object Types. [Screenshot: Select Users or Groups dialog with the Object Types button highlighted for adding service accounts]
  11. Add Service Accounts.
  12. Click OK.
  13. Enter the name of your gMSA. Note: if you have not created your gMSA, go to the create gMSA section of these docs. [Screenshot: Select Users dialog with the gMSA account name entered in the object name field]
  14. Click OK.
  15. Back in the Security tab, make sure the gMSA has Read and Enroll rights to this template. [Screenshot: Certificate template Security tab showing the gMSA with Read and Enroll permissions granted]
  16. Navigate to the Issuance Requirements tab.
  17. Select the “This number of authorized signatures” option and make sure the number is set to 1.
  18. Change the application policy to “Certificate Request Agent”. [Screenshot: Certificate template Issuance Requirements tab with the Certificate Request Agent application policy configured]
  19. Navigate to the Subject Name tab.
  20. Select “Supply in the request”. [Screenshot: EZSCTemplate Subject Name tab with the Supply in the request option selected]
  21. Save the changes and exit the dialog by clicking the OK button.
  22. EZCMS will now be able to issue certificates from this template.
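The three templates above are stored as objects in Active Directory, so their settings can be read back and compared with what each section asked for. The following PowerShell is an added example, not part of the EZCMS documentation; it assumes the ActiveDirectory module is available, that each template's CN is its display name with spaces removed (the default when the Template name field was not edited), and that the attribute names and bit masks used match MS-CRTD, which you should confirm for your environment.

```powershell
# Added example (not EZCMS code): read the EZCMS-related templates back from AD and
# show the settings the guide configured. Attribute names and bit values follow
# MS-CRTD; treat the masks below as assumptions to confirm against that spec.
Import-Module ActiveDirectory

$config     = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$config"
$CraOid     = '1.3.6.1.4.1.311.20.2.1'  # Certificate Request Agent application policy
$EnrolleeSuppliesSubject = 0x1          # msPKI-Certificate-Name-Flag: "Supply in the request"
$DoNotPersistInDb        = 0x1000       # flags: "Do not store certificates and requests in the CA database"

function Get-EzTemplateSettings {
    param([Parameter(Mandatory)][string]$TemplateName)
    $t = Get-ADObject -SearchBase $templateDN -LDAPFilter "(cn=$TemplateName)" -Properties `
         flags, pKIExpirationPeriod, 'msPKI-RA-Signature', 'msPKI-RA-Application-Policies', 'msPKI-Certificate-Name-Flag'
    if (-not $t) { Write-Warning "Template '$TemplateName' not found under $templateDN"; return }
    # pKIExpirationPeriod is a negative FILETIME-style count of 100-ns ticks
    $validity = [TimeSpan]::FromTicks(-[BitConverter]::ToInt64($t.pKIExpirationPeriod, 0))
    [pscustomobject]@{
        Template             = $TemplateName
        Validity             = $validity
        AuthorizedSignatures = [int]$t.'msPKI-RA-Signature'
        SignerPolicyIsCRA    = @($t.'msPKI-RA-Application-Policies') -contains $CraOid
        SubjectFromRequest   = ([int]$t.'msPKI-Certificate-Name-Flag' -band $EnrolleeSuppliesSubject) -ne 0
        NotStoredInCaDb      = ([int]$t.flags -band $DoNotPersistInDb) -ne 0
    }
}

# Expected from the sections above: enrollment agent = subject from request, 2-month validity;
# test template = 1 signature by a Certificate Request Agent, 1-hour validity, not stored in the CA DB;
# smart card template = 1 signature by a Certificate Request Agent, subject from request.
'EZCAEnrollmentAgent', 'EZCATestTemplate', 'EZCMS' |
    ForEach-Object { Get-EzTemplateSettings -TemplateName $_ } |
    Format-Table -AutoSize
```

Because the enrollment agent template takes its subject from the request and requires no signature, whoever holds Enroll on it can obtain a certificate for any name, so the Security tab of that template should list only the EZCA gMSA.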

How to Enable SmartCard Revocation in Active Directory Certificate Services (ADCS)

When a user leaves or a smartcard is declared lost, EZCMS will automatically revoke the certificate, blocking that smartcard from being used. To enable this feature, you must give the gMSA the ability to revoke certificates.

  1. Open the Certificate Authority management console.
  2. Right click the Certificate Authority name. [Screenshot: Certification Authority console with the CA name highlighted in red for right-click access]
  3. Click Properties.
  4. Navigate to the Security tab.
  5. Click Add.
  6. Click Object Types. [Screenshot: Select Users or Groups dialog with the Object Types button highlighted for adding service accounts]
  7. Add Service Accounts.
  8. Click OK.
  9. Enter the name of your gMSA.
  10. Click OK.
  11. Back in the Security tab, make sure the gMSA has “Issue and Manage Certificates” and “Request Certificates” rights. [Screenshot: CA Properties Security tab showing the gMSA with Issue and Manage Certificates and Request Certificates permissions]
  12. Click OK.