Part 2: Group Policies and Certificate Templates

The following sections cover how to install and configure Certificate Enrollment Policies and the Policy Server.

The examples below use the following denotations:

  • The domain used is yourcompany.com (YOURCOMPANY).

  • The EJBCA server hostname is ejbcaserver.yourcompany.com.

Labels indicated in bold should be replaced with the names of your environment and in the examples below, the text enclosed in angle brackets should be replaced with names in your environment.

Step 1 - Configure Certificate Enrollment Policy Service

To configure EJBCA as the Certificate Enrollment Policy Server, first create and prepare the Service Account according to the instructions below.

To prepare the Service Account:

  1. If not done yet, create the service account (<ra-service>) for EJBCA CEP and CES enrollment servlets on the Active Directory (AD) Domain Services Server.
    images/s/-2y7bau/8703/189cb2l/_/images/icons/emoticons/warning.svg Use the single service account if performing this installation with a single service account on a single host.

  2. Open the Command Prompt with Admin permissions.

  3. Set the service principal name for the service account by running the following commands as admin and ensure to replace the server <FQDN> and account names with your own configuration.

    setspn -s HTTP/ejbcaserver.yourcompany.com ra-service
  4. Open a PowerShell prompt with Admin permissions.

  5. Create a Key Tab file for the ra-service service account. This file will later be used when enabling Kerberos authentication for the EJBCA CEP and CES Services in Part 3b: EJBCA Policy Server Configuration.

    > ktpass /out raservice.keytab /mapuser ra-service@YOURCOMPANY.COM /princ HTTP/ejbcaserver.yourcompany.com@YOURCOMPANY.COM /pass foo123 /pType KRB5_NT_PRINCIPAL /crypto all

    images/s/-2y7bau/8703/189cb2l/_/images/icons/emoticons/warning.svg The crypto parameter may be changed to only allow specific cipher suites. However, the krb5.conf file configured created in Step 3b: EJBCA Policy Server Configuration must support the same ciphers. If crypto is restricted to AES, the service user account option must be updated accordingly.

images/s/-2y7bau/8703/189cb2l/_/images/icons/emoticons/warning.svg The password used for the Key Tab must meet the password requirements for the domain. Passwords that are not complex may result in the Key Tab generation command being "Aborted!"

Step 2 - Configure Certificate Templates

To configure Certificate Templates:

  1. Open Microsoft Management Console (mmc.exe).

  2. Click File, then click Add/Remove Snap-in.

  3. Choose Certificate Templates and then click Add, then click OK.

  4. Double-click on Certificate Templates.

  5. Right-click the Computer template, select Duplicate Template and specify the following:

    • Under Compatibility Settings, specify Certification Authority=Windows Server 2003 and Certificate recipient=Windows XP/Server 2003.

    • Click the General tab, and change the Template display name to Computer_Auto_Enrollment.

    • Click the Security tab, and give "Domain Computers" permissions to Read, Enroll and Autoenroll.

    • Additionally, give 'Domain Controllers' permissions to Read, Enroll and Autoenroll. This is required as the DC computer account will request the policy server for validation rather than the logged-in user.

    • Select the Subject Name tab, and change the Subject name format to DNS Name.

    • Select DNS Name in the subject alternative name.

    • Under the Request Handling tab, clear Allow private key to be exported.
      images/s/-2y7bau/8703/189cb2l/_/images/icons/emoticons/warning.svg If the requirement is to be able to export private key, leave this checked.

    • Click OK to go back to the template list.

  6. Right-click the User template and select Duplicate Template and specify the following:

    • Under Compatibility Settings, specify Certification Authority=Windows Server 2003 and Certificate recipient=Windows XP/Server 2003.

    • Click the General tab, and change the Template display name to User_Auto_Enrollment.
      images/s/-2y7bau/8703/189cb2l/_/images/icons/emoticons/warning.svg If the requirement is to Publish the User certificate in Active Directory and Credential Roaming is enabled, ensure to s
      elect both Publish certificate in Active Directory and Do not automatically re-enroll if a duplicate certificate exists in Active Directory.

    • Select the Security tab, and give "Domain Users" permissions to Enroll and Autoenroll.

    • Select the Subject Name tab, and change the Subject name format to Common name.

    • Clear Include email name in subject name and clear Email name in the subject alternative name.

    • Select User principal name (UPN).

    • Under the Request Handling tab, clear Allow private key to be exported.
      images/s/-2y7bau/8703/189cb2l/_/images/icons/emoticons/warning.svg If the requirement is to be able to export private key, leave this checked.

    • Click OK to go back to the template list and then c lose the Certificate Templates Console window.

Next: EJBCA Configuration

Next, configure Certification Authorities (CAs) and profiles in EJBCA, see Part 3a: EJBCA Configuration.