Date post: 02-Jul-2018
Upload: lamcong
sonaltton Comodo Certificate Authority Proxy Server Installation guide Rev. 0006

1. Prerequisite

1.1 Server requirement

Windows Server 2008 / 2008 R2 (Standard/Enterprise/Datacenter)

Active Directory Domain Services

Active Directory Certificate Services (AD CS), installed as an enterprise root Certificate Authority (CA).

Certificate Manager Server (CCM) running under JRE 1.6. It must be accessible from the Active Directory Certificate Services host. The CCM Server's URLs must be assigned to the Trusted Zone.

Remarks: The server platform can be 32-bit or 64-bit; both are supported. AD CS must be installed before Comodo CA Proxy. Additional components such as Web Enrollment Services and Network Device Enrollment Services are not included in the Standard edition of Windows Server 2008.

Table 1. The following features are available on servers running Windows Server 2008 that have been configured as CAs.

AD CS features                                  Standard  Enterprise  Datacenter
Version 2 and version 3 certificate templates   No        Yes         Yes
Key archival                                    No        Yes         Yes
Role separation                                 No        Yes         Yes
Certificate Manager restrictions                No        Yes         Yes
Delegated enrollment agent restrictions         No        Yes         Yes

The Certificate Authority component cannot be installed on Windows Server 2008 Web edition, so there is no corresponding column in this table.

1.2 Client requirement

Windows 7 (32/64 bit) workstation as a domain member

Domain user account

2. Configure Active Directory Certificate Services Role

Please skip this section if the Active Directory Certificate Services role is already installed and works properly. This section describes installing the CA feature only. For details on installing other features of the AD CS role, please refer to: http://technet.microsoft.com/en-us/library/cc772393

If the Active Directory Domain Services role is planned for the same server machine, it must be installed before the AD CS role.

1. Log on to the appropriate server as a domain administrator.

2. Click Start, point to Administrative Tools, and then click Server Manager. Or click the corresponding button on the task bar.

3. Select the Roles Summary section and click Add roles.

Figure 2.1

4. Read the information on this page and make sure that the server meets all the conditions. Otherwise, PKI security may be seriously weakened. Press the Next button to continue or the Cancel button to terminate the installation.

Figure 2.2

5. On the Select Server page, select the Active Directory Certificate check box, then click Next.

Figure 2.3

Figure 2.3 shows the case when the AD CS role is installed after the Domain Services role. Otherwise, the Active Directory Domain Service check box will not be displayed as selected.

6. Read the information on the Introduction page. You can also refer to the links in the Additional Information block. Press Next to continue.

Figure 2.4

7. Select the Certification Authority check box on the Select Role Services page, and then click Next.

Figure 2.5

This list of services can differ depending on the edition of Windows Server 2008. Only the Certificate Authority service is necessary for certificate enrollment and autoenrollment functionality. Other services are optional and can be added later. Moreover, simultaneous installation of some services from this list may be impossible.

8. Click Enterprise on the Specify Setup Type page, then click Next.

Figure 2.6

Only an enterprise CA supports the template-based autoenrollment feature. With a standalone CA, templates will be inaccessible.

9. On the Specify CA Type page, click Root CA, then click Next.

Figure 2.7

The Microsoft CA must be configured as a Root CA to install Comodo CA Proxy. However, the self-signed root certificate of this CA is not used during the certificate enrollment process, so it will not be included in the certificate chains of users' certificates.

10. On the Setup Private Key page, select Create a new private key, then click Next.

Figure 2.8

11. On the Configure Cryptography for CA page, leave the default values and click Next.

Figure 2.9

Remark: You can configure optional settings on this page, including cryptographic service providers (CSP), but this private key will not be used for cryptographic operations. Key length and hash algorithm depend on the selected CSP.

12. On the Configure CA Name page do the following:
1) In the Common name for this CA field, enter Comodo CA Proxy.
2) Check the content of the Distinguished Name Suffix field. Correct it if necessary.
3) Click the Next button to continue.

Figure 2.10

Remark: Comodo CA Proxy can work under any common name. The proposed name is recommended as a user-friendly name. This name will not be added to issued certificates. Figure 2.8 shows an example with a preview of the distinguished name for the domain name root.adtest.tst. Make sure that the generated distinguished name suffix is correct for your domain.

13. On the Set the Certificate Validity Period page, accept the default validity duration for the root CA, then click Next.

Figure 2.11

Figure 2.12

Also, do not change the default database and log locations on the next page.

15. Check the information about the installation selections and click Install.

Figure 2.13

Remarks: This process can take a few minutes. Please wait.

16. Check the status of the installation process. Make sure that the installation succeeded. Press Close on the Installation Results page. Close Server Manager.

Figure 2.13

Remark: You can also print, e-mail or save the installation report by clicking the corresponding link at the bottom of this page.

3. Install Comodo CA Proxy service

1. Make sure that you are logged on to the appropriate server as a domain administrator.

2. Click Start, point to Administrative Tools, and then click Server Manager. Or click the corresponding button on the task bar.

3. Select the Roles Summary section, expand it, and then select and expand the Active Directory Certificate Services node. The previously installed Microsoft AD CA service must be stopped. You can stop it by pressing the Stop tool button on the Server Manager page. See Figure 3.1 for details.

Figure 3.1

4. Start ad-agent.exe from the command line or from Explorer.

5. Accept the End User License Agreement.

6. Leave the default destination folder or select one by clicking the 'Browse' button. The destination folder is c:\Program Files\COMODO\CcmADAgent\ for a 32-bit platform or c:\Program Files (x86)\COMODO\CcmADAgent\ for a 64-bit platform. Press the Next button.

7. Provide the actual address of the CCM server, the Account's URI and the secret key.

Figure 3.2

CCM Server's address format: a URL of the form https://<host>:[port]
For example: https://ccmhost:8443
You can type https://ccmhost if the server is accessible on port 443.

Account's URI: Figure 3.2a explains how to obtain it. Log on to CCM as Super Admin, select the Customer tab and get the right value from the URL Extension column.

Figure 3.2a

Secret Key: Figure 3.2b explains how to obtain the secret key from CCM. Log on to CCM as Super Admin, select the Customer tab and click the Edit button. Scroll down the page with customer properties approximately to the middle of the page. Figure 3.2b shows the location of the secret key. You can copy it from here and paste it into the installer window (Figure 3.2). If the secret key is empty, or the AD Support check box is not set, do the next step; otherwise click the Cancel button to close the current page without saving.

Figure 3.2b

8. Do this step only if the secret key is empty and/or the AD Support check box is not set. Otherwise, skip this step. Set the AD Support check box and enter at least 10 digits for the secret key. Copy this secret key to provide it to the installer window (Figure 3.2). Save changes and close the current page by clicking the OK button.

9. Select the Cryptographic Services Provider, algorithm and key size for the CA's private key, then press the Next button.

Figure 3.3

10. Select the shortcut folder for the Active Directory Agent Setup Utility by clicking the 'Browse' button, or leave the default folder, and press Next.

11. Press Install and wait a few minutes for the installation process to end. Press the Finish button to close the setup wizard.

Click Start, point to Administrative Tools, and then click Server Manager. Or click the corresponding button on the task bar. Select the Roles Summary section, expand it, and then select and expand the Active Directory Certificate Services node. Locate the Comodo CA Proxy service. Make sure that the service is started. Figure 3.1 shows the running state of this service. Otherwise, try to start this service manually.

You must provide CCM RAO or MRAO credentials to the AD Agent settings using the Setup Utility. To start it, find the corresponding shortcut in the Start menu. Its default location is Start-->COMODO-->CcmADAgent-->Start-agent.lnk. Alternatively, run start-agent.bat from the command line.

Figure 3.4

Figure 3.4 shows the fields filled with some sample data.

4. Configure Certificate Enrollment Policy

1. Make sure that you are logged on to the appropriate server as a domain administrator.

2. If the Server Manager window is not open, click Start, point to Administrative Tools, and then click Server Manager. Or click the corresponding button on the task bar.

Figure 4.1

3. Select the Features node and expand it as shown in Figure 4.1. Select the Edit... option of the popup menu for Default Domain Policy. The Group Policy Management Editor will then be displayed.

Figure 4.2

4. Select Computer Configuration-->Policies-->Windows Settings-->Security Settings-->Public Key Policies.

5. In the Object Type list, double-click Certificate Service Client – Certificate Enrollment Policy. Switch the configuration model to the “Enabled” state. Make sure that this Active Directory Enrollment Policy is used as the default: the Default check box must be selected. The “Automatic Enrollment” column must contain the value “Enabled”. Otherwise, enable this policy in the next step.

Figure 4.3

6. Press the Properties button. Make sure that all options in the Enrollment Configurations group box are selected. The enrollment policy servers list must contain a record with “LDAP:” as the Server URI and “Windows Integrated” as the Authentication type. Such a configuration is displayed in Figure 4.4.

Figure 4.4

Click the OK button to apply changes and close this window. Click the OK button on the Certificate Services Client - Certificate Enrollment Policy Properties form to apply changes and close this window.

Remark: This section covers the minimal configuration of the Certificate Enrollment Policy. It is required for enrollment and autoenrollment functionality for domain-joined users. If you need extended features, such as web-enrollment services, you must add another enrollment policy.

7. In the Object Type list (Figure 4.2), double-click Certificate Service Client – Certificate Autoenrollment. Switch the configuration model to the “Enabled” state. It is recommended to activate the options that allow renewing expired certificates, updating pending certificates, renewing revoked certificates and updating certificates that use certificate templates.

Figure 4.5

Press the OK button to apply changes and close this window.

5. Deploy Trusted Root Certificates

Import Comodo CA's root and intermediate certificates into Group Policy. Open the Group Policy Object Editor and go to Computer Configuration->Windows Settings->Security Settings->Public Key Policies->Trusted Root Certificate Authorities. (In Windows Server 2008, navigate to Computer Configuration->Policies->Windows Settings->Security Settings->Public Key Policies->Trusted Root Certificate Authorities.)

Figure 5.1

Click the Import... option in the popup menu, then click the Next button and enter the location of the file with certificates. Trusted certificates are located in the \Trusted sub-folder of the destination folder that was entered in the installer program in section 3, step 6. By default it is c:\Program Files\COMODO\CcmADAgent\Trusted\ for a 32-bit platform, and c:\Program Files (x86)\COMODO\CcmADAgent\Trusted\ for a 64-bit platform.

Figure 5.2 Certificate Import Wizard

Figure 5.3 Select certificate to import

Figure 5.4 Select certificate store

Figure 5.5 Import complete.

Press Finish to close the wizard. After importing, you should see the certificates in Group Policy. Repeat this action for each file with trusted certificates.

6. Configure templates at Active Directory

Warning: Before adding a new template, please stop the CA Proxy Server as shown in Figure 3.1. After adding the template you should start the CA Proxy Server. This is required because of a known bug in the current version of CA Proxy Server. This bug will be fixed as soon as possible.

1. Log on to the appropriate server as a domain administrator.

2. Click Start, point to Administrative Tools, and then click Server Manager. Or click the corresponding button on the task bar.

3. Select Roles=>Active Directory Certificate Services=>Certificate Templates.

4. Choose the most suitable template and click the Duplicate Template option in the popup menu.

Figure 6.1

5. Choose the version of the new template. It is recommended to use the Windows Server 2008 Enterprise version of templates. Click the OK button to accept your choice.

Figure 6.2

6. Enter the Template Display Name and Template Name.

Figure 6.3

7. Set the necessary permissions on this template. Switch to the Security tab. For users who enroll certificates using this template, you should set the Read, Enroll and Autoenroll permissions.

Figure 6.4

Write permission means that the user can modify the properties of this template, so it is not recommended to set this permission for all users.

8. Press the Apply button to apply the security changes and leave this window open.

9. Open the Extensions tab and select the Application Policies item. Click the Edit... button.

Figure 6.5

10. Now you can add, edit or remove application policies for this template. Form the set of application policies according to the purposes of this template.

Figure 6.6

11. To view or edit the OID of the selected application policy, press the Edit... button.

Figure 6.7

Note each OID for configuring this template on the CCM side.

Remarks: You can add an application policy by clicking the Add button.

Figure 6.8

If you need an application policy that does not exist in this list, click the New... button, then enter the name of the new application policy and your OID and click OK. You can use only OIDs that are supported by the current version of CCM. Please view the OIDs list on the CCM side. Section 6 explains how to view this list.

12. Select the Key Usage item on the Extensions tab (Figure 6.5), then click the Edit... button. Select suitable options for the Key Usage extension (Figure 6.9) of this template, then click the OK button. If you don't need any changes, press the Cancel button.

Figure 6.9

13. Select the Cryptography tab of the current template property editor (Figure 6.10). Enter the algorithm name, key size and hash algorithm, then click the OK button.

Remarks: This tab is available only for version 3 certificate templates. These settings apply to the certificate request only, not to the certificate issued from this template.

Figure 6.10

14. Fill in the other template properties on the different tabs of the current template property editor according to the purposes of this template.

15. To associate the new template with Comodo CA Proxy, open Server Manager, select the node Roles=>Active Directory Certificate Services=>Comodo CA Proxy=>Certificate Templates, then open the popup menu on the Certificate Templates sub-node and select New=>Certificate Template to Issue, or choose the main menu Actions=>New=>Certificate Template to Issue.

Figure 6.11

Select your template and click the OK button to save changes and close the window.

Figure 6.12
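
The permissions, application policy OIDs and Key Usage set in steps 7 to 12 can be read back from Active Directory before the template is mirrored in CCM. The PowerShell script below is an added example, not part of the original guide or of Comodo's tooling; it assumes a hypothetical template name 'ComodoClientCert' and read access to the Configuration partition, and it changes nothing.

```powershell
# Added example, not from the original guide: read-only audit of one template.
# 'ComodoClientCert' is a hypothetical name; pass the Template Name from step 6.
param([string]$TemplateName = 'ComodoClientCert')

Add-Type -AssemblyName System.DirectoryServices

# Certificate templates are stored in the forest's Configuration partition.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = $rootDse.psbase.Properties['configurationNamingContext'].Value
$path = "LDAP://CN=$TemplateName,CN=Certificate Templates," +
        "CN=Public Key Services,CN=Services,$configNC"
if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
    throw "Certificate template '$TemplateName' was not found."
}
$tmpl  = [ADSI]$path
$props = $tmpl.psbase.Properties

# Key Usage (step 12): bit flags in the first byte of pKIKeyUsage.
$kuNames = 'digitalSignature', 'nonRepudiation', 'keyEncipherment',
           'dataEncipherment', 'keyAgreement', 'keyCertSign', 'cRLSign',
           'encipherOnly'
$kuBytes  = $props['pKIKeyUsage'].Value
$keyUsage = @()
if ($null -ne $kuBytes) {
    for ($i = 0; $i -lt 8; $i++) {
        $bit = [int][math]::Pow(2, 7 - $i)            # 0x80, 0x40, ... 0x01
        if ($kuBytes[0] -band $bit) { $keyUsage += $kuNames[$i] }
    }
}

# Application policy OIDs (steps 9-11): the values to note for the CCM side.
$appPolicies = @($props['msPKI-Certificate-Application-Policy'] | Sort-Object)
$ekuOids     = @($props['pKIExtendedKeyUsage'] | Sort-Object)

# Permissions (step 7): who can enroll, and who can modify the template.
$enrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Enroll
$autoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # Autoenroll
$writeMask      = 0x20 -bor 0x40000 -bor 0x80000  # WriteProperty, WriteDacl, WriteOwner
$extendedRight  = 0x100                           # ExtendedRight
# Everyone, Authenticated Users, Domain Users, Domain Computers
$broadSid = '^(S-1-1-0|S-1-5-11|S-1-5-21-.+-(513|515))$'

$sidType = [System.Security.Principal.SecurityIdentifier]
$ntType  = [System.Security.Principal.NTAccount]
$rules   = $tmpl.psbase.ObjectSecurity.GetAccessRules($true, $true, $sidType)
$acl = foreach ($ace in $rules) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $mask = [int]$ace.ActiveDirectoryRights
    $sid  = $ace.IdentityReference
    try   { $name = $sid.Translate($ntType).Value }
    catch { $name = $sid.Value }                  # SID that no longer resolves

    $rights = @()
    if ($mask -band $extendedRight) {
        $all = ($ace.ObjectType -eq [guid]::Empty)    # empty GUID = all extended rights
        if ($all -or $ace.ObjectType -eq $enrollGuid)     { $rights += 'Enroll' }
        if ($all -or $ace.ObjectType -eq $autoEnrollGuid) { $rights += 'Autoenroll' }
    }
    # Any write-class right counts, including a write scoped to one attribute.
    if ($mask -band $writeMask) { $rights += 'Write' }
    if ($rights.Count -eq 0) { continue }

    $review = ''
    if (($rights -contains 'Write') -and ($sid.Value -match $broadSid)) {
        $review = 'broad group can modify the template'
    }
    New-Object PSObject -Property @{
        Principal = $name; Rights = ($rights -join ', '); Review = $review
    }
}

"Template             : $TemplateName"
"Key Usage            : $($keyUsage -join ', ')"
"Application policies : $($appPolicies -join ', ')"
"EKU OIDs             : $($ekuOids -join ', ')"
$acl | Sort-Object Principal | Format-Table Principal, Rights, Review -AutoSize
```

Any row with a non-empty Review column is a template that all users or computers can rewrite, which is the case the note under Figure 6.4 advises against.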

7. Configure templates at CCM

1. Log on to CCM as Super Admin using the Super Admin interface.

2. Select the Setting=>Ku/EKU tab to view the available OID codes. Active Directory certificate templates must use only these codes.

Figure 7.1

3. Use the Add button or the Edit button to perform the corresponding action on the available Extended Key Usages (EKU) list.

Remark: Please be careful when you edit or add an EKU: the code (OID) must be entered correctly.

4. Select the Settings=>Templates tab to access the available templates list. Use the Add button, or select a template and use the Edit button, to perform the corresponding action. To add or edit a template do the following:

• Enter or edit the template name (Name field)
• Enter or edit the template description (Description field)
• Form or edit the Binding Key Usage list. Use the > button to bind or the < button to unbind a KU item.
• Form or edit the Binding EKU list. Use the > button to bind or the < button to unbind an EKU item.

Figure 7.2

Click the OK button to save the template and close the current page.

Remarks: Key Usage in the Active Directory template must be set according to the KU bindings in the corresponding CCM template. The application policies list in the Active Directory template and the EKU bindings list in the CCM template must contain the same set of OIDs.

5. Switch to the Customer tab. Select the customer and click the Edit button. Scroll the content of this page and locate the Client Certificate section. Click the KUT button.

Figure 7.2a

6. Select the template from the Available Templates list and click the > button to add it to the Assigned Templates list. You can also remove another template from the Assigned Templates list by selecting it and using the < button. Click the OK button to save changes and close this page.

Figure 7.2b

7. Scroll down the content of the Edit Customer page and locate the Web Services section. Select the Allow web services for SSL processing check box and the Allow web services for SMIME processing check box. Click the OK button to save changes and close this page.

Figure 7.2b1

8. Log on to CCM as MRAO using the Client Admin interface. Select the organization to bind to the template. Click the Edit button and switch to the Client Cert tab. Make sure that the Web API check box is set and that the Secret Key is valid. Otherwise, set the Web API check box and/or enter the right Secret Key.

Figure 7.2c

Click the KUT button. Select the template from the Available Templates list and click the > button to add it to the Assigned Templates list. You can also remove another template from the Assigned Templates list by selecting it and using the < button. Click the OK button to save changes and close this page. The figure illustrating this action is identical to Figure 7.2b, so it is omitted here. Also click OK on the Edit Customer page to finish editing and close it.

9. Click the Departments button. Select the department and click the Edit button. Switch to the Client Cert tab. Make sure that the Web API check box is set and that the Secret Key is valid. Otherwise, set the Web API check box and/or enter the right Secret Key for this department. Click the OK button to save changes and close this page.

Figure 7.2d

10. Log on to CCM as RAO using the Client Admin interface. Select the organization that you plan to use for Active Directory enrollment. Select the Setting=>Organizations tab, then click the Edit button. On the page with the properties of the selected organization, select the Client Cert tab and check the Secret Key. It must be the same as the one provided in Section 3, step 7. Otherwise, correct it. Also, select your template in the Key Usage Template combo box. Click the OK button to save changes and close this page.

Figure 7.3

11. Skip this step if the selected organization does not have any department. Otherwise, do the following. Click the Departments button, then select the department that you plan to use for Active Directory enrollment with this organization. Click the Edit button. On the page with the properties of the selected department, select the Client Cert tab and check the Secret Key. It must be the same as the one provided in Section 3, step 7. Otherwise, correct it. Also, select your template in the Key Usage Template combo box. Click the OK button to save changes and close this page.

Figure 7.4

8. Configure Active Directory users

Please check that the following attributes are filled in properly for user accounts in Active Directory:

• First Name
• Last Name
• E-mail
• Company
• Department [optional]

To check this, do the following.

1. Make sure that you are logged on to the appropriate server as a domain administrator.

2. If the Server Manager window is not open, click Start, point to Administrative Tools, and then click Server Manager. Or click the corresponding button on the task bar. Select the node Roles=>Active Directory Domain Services=>Active Directory Users and Computers, then expand the node with your domain name. Find your user and double-click it. Check this user according to the following figures in this section.

Figure 8.1 Double click on selected user

Figure 8.2 Check First name, Last Name, E-mail

Figure 8.3 Check Department and Company

3. Click OK button to apply changes and close this window
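
The attribute check in this section can be run across all enabled accounts at once instead of opening each user. The PowerShell script below is an added example, not part of the original guide; it assumes that givenName, sn, mail, company and department are the directory attributes behind the First Name, Last Name, E-mail, Company and Department fields, and the e-mail pattern is a coarse syntax check chosen for this example.

```powershell
# Added example, not from the original guide: read-only LDAP query against the
# current domain that lists enabled users with missing enrollment attributes.
$required = 'givenName', 'sn', 'mail', 'company'   # First Name, Last Name, E-mail, Company
$optional = 'department'                           # Department is optional in the guide
$mailPattern = '^[^@\s]+@[^@\s]+\.[^@\s]+$'        # assumption: coarse syntax check only

# Return the first value of an attribute from a search result, or '' if unset.
function Get-Attr($result, [string]$name) {
    $values = $result.Properties[$name]
    if ($null -ne $values -and $values.Count -gt 0) {
        return ([string]$values[0]).Trim()
    }
    return ''
}

$searcher = New-Object System.DirectoryServices.DirectorySearcher
# Person/user objects only, excluding disabled accounts (userAccountControl bit 2).
$searcher.Filter = '(&(objectCategory=person)(objectClass=user)' +
                   '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$searcher.PageSize = 500                           # page through large domains
$toLoad = [string[]]($required + $optional + 'sAMAccountName')
$searcher.PropertiesToLoad.AddRange($toLoad)

$problems = @()
$orgUnits = @{}                                    # "Company / Department" -> user count
$results  = $searcher.FindAll()
try {
    foreach ($r in $results) {
        $issues = @($required | Where-Object { -not (Get-Attr $r $_) })
        $mail = Get-Attr $r 'mail'
        if ($mail -and ($mail -notmatch $mailPattern)) {
            $issues += 'mail (malformed)'
        }
        if ($issues.Count -gt 0) {
            $problems += New-Object PSObject -Property @{
                Account = (Get-Attr $r 'sAMAccountName')
                Issue   = ($issues -join ', ')
            }
        }
        # Collect the distinct Company / Department pairs for comparison with
        # the organization and department names configured in CCM.
        $key = '{0} / {1}' -f (Get-Attr $r 'company'), (Get-Attr $r 'department')
        $orgUnits[$key] = 1 + $orgUnits[$key]
    }
}
finally {
    $results.Dispose()                             # release the search handle
}

'Accounts with missing or malformed attributes:'
$problems | Sort-Object Account | Format-Table Account, Issue -AutoSize

'Company / Department values in use:'
$orgUnits.GetEnumerator() | Sort-Object Name |
    Format-Table @{ n = 'Company / Department'; e = { $_.Name } },
                 @{ n = 'Users'; e = { $_.Value } } -AutoSize
```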

9. Starting enrollment and autoenrollment

1. Log on to the user's workstation as a domain-joined user. Autoenrollment must be initiated by the system automatically. For details see the Microsoft technical documentation related to certificate autoenrollment.

2. Run certmgr.msc from the command line or in any other way. Select the node Certificates – Current User=>Personal. If the sub-node Certificates is present, select it and view the list of certificates. Otherwise, autoenrollment is in progress or has not started.

3. To start manual enrollment, select the popup menu or main menu option All Tasks=>Request New Certificate...

Figure 9.1

4. Read the information in the new window and click the Next button.

Figure 9.2

5. Select Active Directory Enrollment Policy and click the Next button.

Figure 9.3

6. Select your template for enrollment and click the Enroll button.

Figure 9.4

7. Make sure that the operation has completed and click the Finish button.

Remark: You can also view detailed information about the enrolled certificate by clicking the Detail button in the window shown in Figure 9.5.

Figure 9.5

8. Double-click the new certificate in the list under the Personal=>Certificates node. You can now view most of the certificate's properties.

Figure 9.6

9. On the Comodo CA Server console you can also see this certificate under the Issued Certificates node. To view its details, double-click it in the list. The result is the same as in the client certificates console and is displayed in Figure 9.6.

Figure 9.7

10. Troubleshooting

See the *.log files under the \Log sub-folder for details of problems. Logs can be opened with any text viewer or editor.

In case of enrollment failure, please make sure that the following is completed:

1) The names of the organization and the department in the user's properties on the Active Directory side match the corresponding settings on the CCM side.

2) The e-mail in the user's properties on the Active Directory side is valid.

3) The selected domain is delegated to the appropriate organization and department in CCM.

4) The Active Directory certificate template has Read, Enroll and Autoenroll permissions for the appropriate users and/or groups. Also, enrollment and autoenrollment are allowed by the Public Key Policies of the domain.

5) Key Usage in the Active Directory template is set according to the KU bindings in the corresponding CCM template. The application policies list in the Active Directory template and the EKU bindings list in the CCM template contain the same set of OIDs. Each application policy in the AD template has a corresponding EKU binding in the CCM template.

6) ccm_ca32.exe is trusted for the domain network and allowed by Windows Firewall.

