Comodo Certificate Authority Proxy Server Installation guide

Transcription

1 Comodo Certificate Authority Proxy Server Installation guide Rev. 0006

2 1.Prerequisite 1.1 Server requirement Windows Server 2008 /2008 R2 (Standart/Enterprise/Datacenter) Active Directory Domain Services Active Directory Certificate Services (AD CS), installed as enterprise root Certificate Authority (CA). Certificate Manager Server (CCM) running under JRE 1.6., must be accessible from Active Directory Certificate Services host. CCM Server's URLs must be assigned to Trusted Zone. Remarks: Server platform can be 32 or 64 bit, both of them are supported. AD CS must be installed before Comodo CA Proxy. Additional components such as Web Enrollment Services and Network Device Enrollment Services are not included in Standart edition of Windows Server Table 1 The following features are available on servers running Windows Server 2008 that have been configured as CAs. Datace AD CS features Standard Enterprise nter Version 2 and version 3 certificate templates No Yes Yes Key archival No Yes Yes Role separation No Yes Yes Certificate Manager restrictions No Yes Yes Delegated enrollment agent restrictions No Yes Yes Basically, Certificate Authority component can not be installed on Windows Server 2008 Web-edition, so there are no corresponding column in this table.

3 1.2 Client requirement Windows 7 (32/64 bit) workstation as domain member Domain user account 2.Configure Active Directory Certificate Services Role Please, skip this section, if Active Directory Cerfiticate Services role already installed and works properly. This section describes installing CA feature only. For details related to installation of other features for AD CS role, please refer to link: If Active Directory Domain Services role is planned to use on the same server machine, it must be installed before AD CS role. 1.Log on to appropriate server as a domain administrator. 2.Click Start, point to Administrative Tools, and then click Server Manager. Or click corresponding button on task bar. 3.Select Roles Summary section and click Add roles

4 Figure Read information on this page and make sure, that the server meets all the conditions. Otherwise, serious decreasing of PKI security may take place. Press Next button to continue or Cancel button to terminate installation.

5 Figure 2.2

6 5.On the Select Server page, select the Active Directory Certificate check box, after that click Next Figure 2.3 Figure 2.3. shows the case when AD CS role is installed after Domain Services role. Otherwise, the state of Active Directory Domain Service check box will not be displayed as selected.

7 6. Read information from the Introduction page. You can also refer to links in the Addition Information block. Press Next to continue. Figure 2.4

8 7.Select the Certification Authority check box on the Select Role Services page, and then click Next Figure 2.5 This list of services can be different in dependence on edition of Windows 2008 Server. Basically, only Certificate Authority service is necessary for certificate enrollment and autoenrollment functionality. Other services are optional and can be added later. Moreover, simultaneous installation of some services from this list can be impossible.

9 8. Click Enterprise on the Specify Setup Type page, after that click Next. Figure 2.6 Only enterprise CA is available to support template-based autoenrollment feature. In case of using standalone CA templates will be inaccessible.

10 9.On the Specify CA Type page, click Root CA, after that click Next. Figure 2.7 Microsoft CA must be configured as Root CA for installing Comodo CA Proxy. However, self-signed root certificate of this CA will not be used during certificate enrollment process, so it will be not included into certificate chains of user's certificates.

11 10.On the Setup Private Key page, select Create a new private key, after that click Next. Figure 2.8

12 11.On the Configure Cryptography for CA page, leave default values and click Next. Figure 2.9 Remark: You can configure optional configuration settings at this page, including cryptographic service providers (CSP), but this private key will not be used for cryptographic operations. Key length and hash algorithm are dependent on selected CSP.

13 12. On the Configure CA Name page do the following: 1) In the Common name for this CA field enter Comodo CA Proxy 2) Check the content of Distinquished Name Suffix field. Correct it if necessary 3) Click next button to continue Figure 2.10 Remark: Comodo CA proxy can work under any common name. The proposed name is recommended as user friendly name. This name will not be added to issued certificates. Figure 2.8 shows an example with preview of distinguished name for domain name root.adtest.tst. Make sure, that generated distinguished name suffix is correct for your domain.

14 13. On the Set the Certificate Validity Period page, accept the default validity duration for the root CA, after that click Next. Figure 2.11 Figure 2.12

15 Also do not change default database and log locations at next page 15. Check information about installation selections and click Install. Figure 2.13 Remarks: This process can take some minutes. Please wait.

16 16. Check the status of installation process. Make sure, that installation succeeded. Press Close on the Installation Results page. Close Server Manager. Figure 2.13 Remark: You can also print, or save the installation report by clicking corresponding link at the bottom of this page.

17 3.Install Comodo CA Proxy service 1. Make sure, that you are logged on to appropriate server as a domain administrator. 2. Click Start, point to Administrative Tools, and then click Server Manager. Or click corresponding button on task bar. 3. Select Roles Summary section, expand it and then select and expand Active Directory Certificate Services node. Previously installed Microsoft AD CA service must be stopped. You can stop it by pressing Stop tool button on the Server Manager page. See the Figure 3.1 for details. Figure Start ad-agent.exe from command line or explorer

18 5. Accept End User License Agreement 6. Leave default destination folder or select it by clicking 'Browse' button The destination folder is c:\program Files\COMODO\CcmADAgent\ for 32-bit platform or c:\program Files (x86)\comodo\ccmadagent\ for 64-bit platform. Press Next button. 7. Provide actual address of CCM server, Account's URI and secret key Figure 3.2 CCM Server's address format: it is URL: For example: You can type if the server is accessible on 443 port Account's URI: The Figure 3.2a explains how to obtain it. Log on to CCM as Super Admin, select Customer tab and get rigth value from URL

19 Extension column. Figure 3.2a Secret Key: The figure 3.2b explains how to obtain secret key from CCM Log on to CCM as Super Admin, select Customer tab and click Edit button. Scroll down the page with customer properties approximately to the middle of the page. Figure 3.2b shows the location of secret key. You can copy it from here and paste into installer window (Figure 3.2). If secret key is empty, or AD Support check box is not set, do next step, otherwise click Cancel button to close current page without saving.

20 Figure 3.2b 8. Do this step, only if secret key is empty, or (and) AD Support check box is not set. Otherwise, skip this step. Set AD Support check box and enter at least 10 digits for secret key. Copy this secret key to provide it to installer window (Figure 3.2). Save changes and close current page by clicking OK button.

21 9. Select Cryptographic Services Provider, algorithm and key size for CA's private key, after that press Next button Figure Select shortcut folder for Active Directory Agent Setup Utility by clicking 'Browse' button or leave default folder and press Next 11. Press Install and wait some minutes for end of installation process. Press Finish button to close setup wizard. Click Start, point to Administrative Tools, and then click Server Manager. Or click corresponding button on task bar. Select Roles Summary section, expand it and then select and expand Active Directory Certificate Services node. Locate Comodo CA Proxy service. Make sure, that service is started. Figure 3.1 shows running state of this service. Otherwise, try to start this service manually.

22 You must provide CCM RAO or MRAO credentials to AD Agent settings using Setup Utility. To start it, find corresponding shortcut into Start menu. It's default location is Start-->COMODO-->CcmADAgent-->Start-agent.lnk, or run start-agent.bat from command line Figure 3.4 The Figure 3.4 demonstrates fields, which was filled with some sample data 4.Configure Certificate enrollment Policy 1. Make sure, that you are logged on to appropriate server as a domain administrator. 2. If the window with server manager is not opened, click Start, point to Administrative Tools, and then click Server Manager. Or click corresponding button on task bar.

23 Figure Select Features node, expand it according to the Figure 4.1. Select Edit... option of popup menu for Default Domain Policy. After that the Group Policy Management Editor will be displayed.

24 Figure Select Computer configuration-->policies-->windows settings->security Settings -->Public key policies. 5.In the Object Type list double click on the Certificate Service Client Certificate Enrollment Policy. Switch configuration model to Enabled state. Make sure, that this Active Directory Enrollment Policy is used as default. The Default check box must be selected. Column Automatic Enrollment must contain value as Enabled. Otherwise, make this policy enabled with next step.

25 Figure Press the Properties button. Make sure, that all options in the Enrollment Configurations group box are selected. Enrollment policy servers list must contain a record with LDAP: as Server URI and Windows Integrated as Authentication type. Such configuration is displayed at Figure 4.4

26 Figure 4.4 Click the OK button to apply changes and to close this window. Click the OK button on Certificate Services Client - Certificate Enrollment Policy Properties form to apply changes and to close this window. Remark: This section is about minimal configuration of Certificate Enrollment Policy. Basically, it is required for enrollment and autoenrollment functionality for domainjoined users. But if you need to use extended features, such as web-enrollment services, you must add other enrollment policy.

27 7. In the Object Type list (Figure 4.2) double click on the Certificate Service Client Certificate Autoenrollment. Switch configuration model to Enabled state. It is recommended to activate options, that allow renew expired certificates, update pending certificates, renew revoked certificates and update certificates, that use certificate templates. Figure 4.5 Press the OK button to apply changes and close this window.

28 5.Deploy Trusted Root Certificates Import Comodo CA's root and intermediate certificates to Group Policy. Open Group Policy Object Editor, go to Computer Configuration->Windows Settings-> Security Settings->Public Key Policies->Trusted Root Certificate Authorities (In Windows Server 2008 navigate to Computer Configuration->Policies->Windows Settings->Security Settings->Public Key Policies->Trusted Root Certificate Authorities) Figure 5.1 Click Import... option from popup menu, then click Next button and input location of file with certificates. Basically, trusted cerficicates are located at \Trusted sub-folder of destination folder, that was entered to installer program at section 3, step 6. By default it is c:\program Files\COMODO\CcmADAgent\Trusted\ for 32 bit platform, and

29 c:\program Files (x86)\comodo\ccmadagent\trusted\ for 64 bit platform. Figure 5.2 Certificate Import Wizard

30 Figure 5.3 Select certificate to import Figure 5.4 Select certificate store

31 Figure 5.5 Import complete. Press Finish to close wizard. After importing, you should see certificates in Group Policy. You should do this action for each file with trusted certificates. 6.Configure templates at Active Directory Warning: Before adding new template, please stop CA Proxy Server as shown in Figure 3.1. After adding the template you shoud start CA Proxy Server. This action is related to known bug in the current version of CA Proxy Server. This bug will be fixed as soon as possible. 1.Log on to appropriate server as a domain administrator. 2.Click Start, point to Administrative Tools, and then click Server Manager. Or click corresponding button on task bar. 3.Select Roles =>Active Directory Certificate Services=>Certificate templates 4.Choose the most suitable template and click the Duplicate Template option in popup menu.

32 Figure Choose the version of new template. It is recommended to use Windows Server 2008 Enterprise version of templates. Click OK button to accept your choice.

33 Figure Enter Template Display Name and Template Name Figure Set necessary permissions to this template. Switch to Security tab.for users, that enrolls certificates using this template, you should set Read, Enroll, Autoenroll permissions.

34 Figure 6.4 Write persmission means, that the user can modificate properties of this template, so it is not recommended to set this permissions for all users. 8. Press Apply buttton to apply security changes and to leave this window opened. 9. Open Extention Tab and select Application Policies item. Click Edit... button

35 Figure Now you are able to add, edit or remove application policies for this template. Form the set of application policies according to purposes of this template.

36 Figure To view or edit OID of selected application policy press Edit... button.

37 Figure 6.7 Note each OID for configuring this template at CCM's side. Remarks: You can add application policy by clicking Add button Figure 6.8 If you need some application policy and it does not exists at this list, click New... button,

38 then enter the name of new application policy and your OID and click the OK. You can use only OIDs, that are supported by current version of CCM. Please view OIDs list at CCM side. The section 6 explains how to view this list. 12. Select Key Usage item at Extentions tab (Figure 6.5), then click Edit... button. Select suitable options for Key Usage extention (Figure 6.9) of this template, then click OK button. If you don't need any changes, press Cancel button. Figure 6.9

39 13. Select Cryptography tab of current template property editor (Figure 6.10). Enter algorithm name, key size and hash algorithm, then click OK button. Remarks: This tab is available only for version 3 certificate templates. This settings applied to certificate request only, not the certificate, that issued from this template. Figure 6.10

40 14. Fill other template properties at different tabs of current template property editor according to purposes of this template. 15. To associate new template with Comodo CA Proxy open Server Manager, select node Roles=>Active Directory Certificate Services=>Comodo CA Proxy=>Certificate Templates, then activate popup-menu on Certificate Template sub-node and select New=>Certificate Template to Issue, or choose main menu Actions=>New=> Certificate Template to Issue. Figure 6.11 Select your template and click OK button to save changes and close the window

41 Figure Configure templates at CCM 1. Log on to CCM as Super Admin using Super Admin interface 2. Select Setting=>Ku/EKU tab to view available OID codes. Active Directory certificate templates must use this codes only.

42 Figure Use Add button or Edit button to do corresponding action with available Extended Key Usages (EKU) list Remark: Please, be careful, when you edit or add EKU code (OID) must be entered correctly. 4. Select Settings=>Templates tab to access available templates list. Use Add button or select a template and use Edit button to do corresponding action. To add or edit template do the following: Enter or edit template name (Name field) Enter or edit template description (Description field) Form or edit Binding Key Usage list. Use > button for bind or < button for unbind KU item. Form or edit Binding EKU list. Use > button for bind or < button for unbind EKU item.

43 Figure 7.2 Click OK button to save template and close current page. Remarks:Key Usage in Active Directory template must be set according to KU bindings in corresponding CCM template. Application policies list in Active Directory template and EKU bindings list in CCM template must be equal by used aggregate of OIDs. 5. Switch to Customer tab. Select the customer and click Edit button. Scroll the content of this page and locate Client Certificate section. Click KUT button.

44 Figure 7.2a 6. Select the template from Available Templates list and click > button to add it to Assigned Templates list. You can also remove other template from Assigned Template list by selecting it and using < button. Click OK button to save changes and close this page.

45 Figure 7.2b 7. Scroll down the content of Edit Customer page and locate Web Services section. Set Allow web services for SSL processing checkbox and Allow web services for SMIME processing checkbox to selected state. Click OK button to save changes and to close this page.

46 Figure 7.2b1 8. Log on to CCM as MRAO using Client Admin interface. Select the organization to bind it with the template. Click Edit button and switch to Client Cert tab. Make sure, that Web API check box is on, and also Secret Key is valid. Otherwise, set Web API check box and/or enter right Secret Key.

47 Figure 7.2c Click KUT button. Select the template from Available Templates list and click > button to add it to Assigned Templates list. You can also remove other template from Assigned Template list by selecting it and using < button. Click OK button to save changes and close this page. The figure, that images this action is fully identical to Figure 7.2b, so it is omitted here. Also click OK on Edit Customer page to finish editing and to close it. 9. Click Departments button. Select the department and click Edit button. Switch to Client Cert tab. Make sure, that Web API check box is on, and also Secret Key is valid. Otherwise, set Web API check box and/or enter right Secret Key for this department. Click OK button to save changes and close this page.

48 Figure 7.2d 10. Log on to CCM as RAO using Client Admin interface. Select the organization, which you have planned to use for Active Directory enrollment. Select Setting=>Organizations tab, then click Edit button. On the page with properties of selected organization, select Client cert tab and check the Secret Key. It must be same as ones provided at Section 3, step 7. Otherwise, correct it. Also, select your template in Key Usage Template combo box. Click OK button to save changes and close this page.

49 Figure Skip this step, if selected organization does not have any department. Otherwise, do following. Click Departments button, then select the department, which you have planned to use for Active Directory enrollment with this organization. Click Edit button. On the page with properties of selected department, select Client cert tab and check the Secret Key. It must be same as ones provided at Section 3, step 7. Otherwise, correct it. Also, select your template in Key Usage Template combo box. Click OK button to save changes and close this page.

50 Figure Configure Active Directory users Please, check that next attributes are filled properly for users accounts in Active Directory: First Name Last Name Company Department [optionally] To check this, do following. 1.Make sure, that you are logged on to appropriate server as a domain administrator.

51 2. If the window with Server Manager is not opened, click Start, point to Administrative Tools, and then click Server Manager. Or click corresponding button on task bar. Select node Roles=>Active Directory Domain Services=> Active Directory Users and Computers, then expand the node with your domain name. Find your user and double click it. Check this user according to following figures in this section. Figure 8.1 Double click on selected user

52 Figure 8.2 Check First name, Last Name,

53 Figure 8.3 Check Department and Company 3. Click OK button to apply changes and close this window

54 9.Enrollment and autoenrollment starting 1. Log on to user's workstation as domain-joined user. Autoenrollment must be initiate by system automatically. For details see Microsoft technical documentation related to certificate autoenrollment. 2. Run certmgr.msc from command line or by any other way. Select node Certificates Current User=>Personal. If sub-node Certificates is present, select it and try to view the list of certificates. Otherwise, the autoenrollment is in progress, or is not started. 3.To start manual enrollment, select popup menu, or main menu option All Task=>Request New Certificate... Figure 9.1

55 4. Read information in new window and click next button Figure Select Active Directory Enrollment Policy and click Next button Figure Select you template for enrollment and click Enroll button

56 Figure Make sure, that operation complete and click Finish button. Remark: You can also view detailed information about enrolled certificate by clicking Detail button from window at Figure 9.5

57 Figure Double click on new certificate from the list under Personal=>Certificates node. Now you are able to view the most of certificate properties.

58 Figure 9.6

59 9. On Comodo CA Server console you also can see this certificate under Issued certificates node. To view it's detailes, double click it in the list. The result is same as from client certificates console and is displayed at Figure 9.6 Figure Troubleshooting See *.log files under \Log sub-folder for details of troubles. Logs can be opened with any text viewer or editor. In case of enrollment failure, please make sure that the following is completed: 1) Names of the organization and the department in user's properties at Active Directory side match with corresponding settings at CCM side. 2) The in user's properties at Active Directory side is valid. 3) Selected domain is delegated to appropriate organization and department in CCM. 4) Active Directory certificate template has Read, Enroll, Autoenroll permitions for

60 appropriate users and/or groups. Also enrollment and autoenrollment is allowed by Public Key Policies of the domain. 5) Key Usage in Active Directory template is set according to KU bindings in corresponding CCM template. Application policies list in Active Directory template and EKU bindings list in CCM template are equal by used aggregate of OIDs. Each Application policy in AD template have corresponding EKU binding in CCM template. 6) ccm_ca32.exe is trusted for domain network and allowed by Windows Firewall