Configuring the Microsoft template object

To enable Trust Protection Platform to manage Microsoft certificates, you must configure the Microsoft CA template object. This object provides the information Trust Protection Platform needs to request, retrieve, and install certificates issued by the Microsoft CA driver. These instructions apply to Microsoft Active Directory Certificate Services (ADCS) - Enterprise and Standalone CA.

IMPORTANT  Trust Protection Platform can issue and renew certificates based on Enterprise Microsoft CA templates that build the Subject Name from the request. However, Enterprise Microsoft CA templates that build the Subject Name from Active Directory are not supported.

BEST PRACTICE  Consider managing CA Template object settings using a policy. For more information, see Managing CA templates using policies.

To create a Microsoft CA template object

  1. From the TLS Protect menu bar, click Policy Tree.
  2. From the Tree drop-down menu, click Policy.
  3. In the Policy tree, select the folder where you want to create the CA Template object, and then click Add.
  4. Click CA Template, then select Microsoft to create it.
  5. In the CA Name box, type a name for the new Microsoft object.

  1. Refer to the following table to complete the remaining CA template settings:

    Field

    Description

    Connection

    Hostname

    IP Address or DNS name of the Microsoft CA server.

    Trust Protection Platform supports both IPv4 or IPv6 connections.

    Service Name

    Name of the Microsoft CA service. This will match the Common Name (CN) of the CA's certificate.

    Credential

    User name credential required to connect to the Microsoft CA.

    This account must have Read, Issue and Manage Certificates, Request Certificates permission on the CA. If this is an Enterprise CA, the account also requires Read and Enroll permissions applied to any templates that TLS Protect will use.

    The credential can be expressed in any of the following formats, although the format you use depends upon your Active Directory environment:

    • SAM account name
    • Domain name syntax (domain_name\username)
    • User Principle Name syntax (valid_user@orgUnit.domain.com)

    To select a credential

    1. Click the Browse button.

      The Credential Selector dialog appears.

    2. Select the user name credential that stores the user name and password required to connect to the Microsoft CA server, and then click Select.

    Options

    Template

    The Microsoft CA template that you want to associate with the current CA Template object. Trust Protection Platform references this template when it submits the CSR. The template menu is automatically populated when you click Retrieve.

    If new templates are added to the CA, you must click Retrieve to update the list of available templates.

    The template referenced by Venafi's Microsoft CA template object must be configured to have its Subject Name supplied in the request.

    Allow Users to Specify End Date

    Lets users specify expiration (end) dates for certificates requested from the CA so that they do not expire during your known freeze periods.

    Typically, renewing certificates that expire during freeze periods requires a more challenging approval process. Setting expiration (or end) dates that fall outside of freeze periods avoids potential interruptions.

    When a specific end date has been specified, the issued certificate has that date as its expiration date.

    This check box is cleared after a successful enrollment so that the validity period takes effect thereafter.

    TIP  To use the Allow Users to Specify End Date feature, you might need to enable the EDITF_ATTRIBUTEENDDATE flag on the CA, which is typically done using the certutil command-line tool:

    certutil -setreg policy\EditFlags +EDITF_ATTRIBUTEENDDATE

    You would then restart the certsvc service.

    For more information, refer to the following Microsoft articles:

    You can verify Microsoft CA settings by entering the following at a command prompt:

    certutil -getreg policy\EditFlags

    Manual Approvals

    Requires manual approval for all CSRs submitted using the current CA Template object.

    When you enable Manual Approval, the administrator must log in to the Microsoft CA service and manually approve the renewing certificate.

    Subject Alt Name Enabled

    Configures the current CA template object to support CSRs with DNS-based subject alt name (SAN) values.

    NOTE  DNS SANs are included in the Unified Communications Certificates that are used with Microsoft Exchange 2007 and Microsoft Office Communications Server.

    If you do not select this option, the current CA template object will not accept CSRs with SAN values. If Trust Protection Platform attempts to submit a CSR with SAN values, the CA Template object returns the following error:

    Stage 400 (Creating CSR) SubjectAltName not supported by Application and CA.

    IMPORTANT  Before selecting this option, you must also verify the SAN feature is enabled on your CA engine. It it isn't, the CA returns the same error message when Trust Protection Platform attempts to submit a CSR with SAN values.

    For additional information on defining SAN values in the certificate, see Subject Alt Name in the topic About certificate object settings.

    Automatically include CN as DNS SAN

    Makes it so that every certificate enrolled using the CA template will have the its Common Name included as a DNS Subject Alternative Name (SAN).

    As of v1.1.7 of the CA/Browser Forum Baseline Requirements, usage of the Common Name is considered deprecated and to be represented instead by an equivalent DNS SAN.

    Enrollment Agent

    Lets you assign a certificate credential containing an Enrollment Agent certificate for signing requests prior to submitting them to the Microsoft CA.

    For more information, see Establish Restricted Enrollment Agents in the Microsoft TechNet Library.
  2. (Optional) To see additional attributes, review the settings on the Support tab.

  3. Click Save.

What's next?

After you create a CA object, you can select it from the Policy tree, and then view important information and manage various settings.

  • Click the General tab to view and modify log and permissions settings.

    • Click the Log sub-tab to view any logged events that are triggered by the template object.

      IMPORTANT  You must have the Read permission to view the Log tab.

      For more information about options found on the Log tab, see Viewing log events.

    • On the Permissions sub-tab, you can configure the users or groups to whom you want to grant permissions to the new template object.

      Consider managing object permissions via parent objects so that you can take advantage of inheritance. For more information, see Permission inheritance and flow down.

Related Topics Link IconRelated Topics