This topic describes how to install the Microsoft Certification Authority on the Forefront Unified Access Gateway (UAG) server, in order to provide privileged clients with certificates.
The following steps are required:
- Installing a CA
- Defining a CA policy
- Specifying an automatic policy with delay
- Setting pending timeout for a manual CA policy
- Customizing user information properties
- Adding the CA to the certified trust list
- Backing up the certificate settings
- Viewing and processing CA requests
Installing a CA
Install a CA as follows:
To install a Microsoft Certification Authority
- Before beginning installation, set the Server service to automatic and ensure it is started. In addition, stop the Forefront UAG services, and the Internet Information Services (IIS) service if required.
- On the Windows desktop, click Start, click Settings, click Control Panel, and then click Add/Remove Programs. The Add/Remove Programs Properties dialog box is displayed.
- Click Add/Remove Windows Component.
The Windows Components Wizard is displayed.
- In the Components list, check Certificate Services, and click Next.
The CA Type window of the Windows Components Wizard is displayed.
- Select Stand-alone root CA.
- Select Use custom settings to generate the key pair and CA certificate, and click Next.
The Public and Private Key Pair window of the Windows Components Wizard is displayed.
- Select the following, and then click Next:
  - In the CSP list, select Microsoft Enhanced Cryptographic Provider v1.0.
  - In the Hash algorithm list, select SHA-1.
  - In the Key length drop down list, select 2048.
The CA Identifying Information window of the Windows Components Wizard is displayed.
- Enter the Common name for this Certification Authority, and click Next.
A cryptographic key is generated, and the Certificate Database Settings window of the Windows Components Wizard is displayed.
- Do not change the default values displayed in the Certificate Database Settings window. Click Next.
If Internet Information Services (IIS) is running, you are prompted to stop IIS.
- Click Yes to stop IIS on your computer.
A progress bar appears and the Microsoft Certification Authority is installed.
- Click Finish to exit the Windows Components Wizard.
- To verify that the Certification Authority is installed and working on your computer, on the Windows desktop, click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.
The Certification Authority window with the CA you just installed is displayed.
Defining a CA policy
The Microsoft CA provides two policies for issuing certificates:
- Manual—The user’s request is defined as pending until the administrator manually issues the certificate.
- Automatic—The certificate is automatically issued after the request is received.
When the CA is installed, the default certification policy is Manual. You can change this policy type at any time. If you select the Automatic certification policy, by default, the certificate is issued immediately after the certification request is received. If required, you can change the policy to Automatic with Delay, whereby the certificate is issued only after the specified delay period.
Note: When you change the certification policy, the change only affects new certification requests. Requests that were entered prior to the change will be treated according to the policy that prevailed when the request was entered.
Use the following procedure to select a certification policy:
To select a certification policy
- In the Windows desktop, click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.
The Certification Authority window is displayed.
- Right-click the home folder of the CA, and select Properties.
The CA’s Properties dialog box is displayed.
- Select the Policy Module tab.
- Click Properties.
The Properties dialog box is displayed.
- In the Request Handling tab, select one of the following actions:
  - For manual mode, select the option: Set the certificate request status to pending. The administrator must explicitly issue the certificate.
  - For automatic mode, select the option: Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate.
- Click OK.
The default action is set. It will be applied to all new requests. Existing requests are treated according to the policy that prevailed when the request was entered.
Specifying an automatic policy with delay
In addition to the policies you can select via the Certification Authority interface, Forefront UAG enables you to specify an Automatic with Delay policy. This policy automatically issues the certificate, but only after a defined delay interval.
To define an automatic policy with delay
- On the Forefront UAG server, access the following file:
…\Microsoft Forefront Unified Access Gateway\Von\CertifiedEndpointEnrollment\inc\info.inc
- Copy the file you accessed in step 1 to the following custom folder:
…\Microsoft Forefront Unified Access Gateway\Von\CertifiedEndpointEnrollment\inc\CustomUpdate
If this folder does not already exist, create it.
If such a file already exists, use the existing file.
- In the file under the CustomUpdate folder, locate the line:
nAutoModeDelayInMinutes=0
- Replace the value 0 with the required delay interval, in minutes.
- Save the file.
The default policy is set to Automatic with Delay.
Note: If at a later time you change the policy to either Automatic or Manual, you must manually reset the value of nAutoModeDelayInMinutes to 0:
nAutoModeDelayInMinutes=0
Setting pending timeout for a manual CA policy
This procedure describes how to change the pending timeout interval of the Manual certification policy.
To set the pending timeout interval
- On the Forefront UAG server, open the following file:
…\Microsoft Forefront Unified Access Gateway\Von\CertifiedEndpointEnrollment\inc\certdat.inc
Note: This file is only available in Forefront UAG after you install the CA on the server.
- Change the value of nPendingTimeoutDays. For example, nPendingTimeoutDays=25.
- Save the file.
The pending timeout interval is updated to the new value specified. It will be applied to all new requests. The pending timeout interval for existing requests is the interval that prevailed when the request was entered.
Customizing user information properties
This section describes how to change the properties of the fields that are displayed to users requesting certificates in the Certified Endpoint Certificate - User Information window. The default properties are determined during the installation of the CA on Forefront UAG, in the CA Identifying Information window.
To edit the properties of the data fields in the User Information window
- On the Forefront UAG server, access the following file:
…\Microsoft Forefront Unified Access Gateway\Von\CertifiedEndpointEnrollment\inc\info.inc
- Copy the file you accessed in step 1 to the following custom folder:
…\Microsoft Forefront Unified Access Gateway\Von\CertifiedEndpointEnrollment\inc\CustomUpdate
If this folder does not exist, create it.
If such a file already exists, use the existing file. The file contains the definitions of the User Information data fields.
- In the file under the CustomUpdate folder, change the properties of the data fields as required. For each field, you can assign a status, as follows:
  - FIELD_READONLY—Read-only. A read-only field is displayed in the User Information window, but users cannot edit its value.
  - FIELD_EDITABLE—Read-write. A read-write field is displayed in the User Information window with a text box, enabling users to enter a value.
  - FIELD_HIDDEN—Hides the field. A hidden field is not displayed in the User Information window.
Note: The content of all fields except the editEmail field is automatically filled in, based on the certificate; therefore it is recommended that these fields retain their default FIELD_READONLY status. A sample of how this code is implemented is provided in Sample Code: info.inc.
- Save the file.
When users next request a certificate, the data fields in the User Information window will display according to the properties you set here.
Sample Code: info.inc
<%' CODEPAGE=65001 'UTF-8
' info.inc - global (DAT)a
' If a custom copy exists under CustomUpdate, it is used; otherwise the defaults below apply.
if Session(INFO_INC) <> FILE_NOT_EXIST then
    include Session(INFO_INC)
else
    'Delay between certificate request and certificate issue in
    'automatic mode. Default value should be 0
    nAutoModeDelayInMinutes=0
    'default data fields edit status: FIELD_READONLY, FIELD_EDITABLE,
    'FIELD_HIDDEN
    editCommonName=FIELD_READONLY
    editEmail=FIELD_EDITABLE
    editCompany=FIELD_READONLY
    editDepartment=FIELD_READONLY
    editLocalCity=FIELD_READONLY
    editState=FIELD_READONLY
    editCountry=FIELD_READONLY
end if%>
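As an added example (not part of this topic or the Forefront UAG product), the following Python script works with a CustomUpdate copy of info.inc in the format of the sample above: it parses the name=value settings, audits them against the rules given in the "Specifying an automatic policy with delay" and "Customizing user information properties" sections (nAutoModeDelayInMinutes must be 0 unless the policy is Automatic with Delay, and every field except editEmail should stay FIELD_READONLY), and rewrites a setting the way those procedures do by hand. The embedded info.inc text is constructed for the example, and the policy names passed to audit() are labels chosen here.

```python
import re
# Constructed sample of a CustomUpdate\info.inc body: the layout follows the article's
# sample, but the values are chosen for this example, not taken from a real server.
SAMPLE_INFO_INC = """<%' CODEPAGE=65001 'UTF-8
if Session(INFO_INC) <> FILE_NOT_EXIST then
    include Session(INFO_INC)
else
    nAutoModeDelayInMinutes=15
    editCommonName=FIELD_READONLY
    editEmail=FIELD_EDITABLE
    editCompany=FIELD_EDITABLE
    editDepartment=FIELD_READONLY
    editLocalCity=FIELD_READONLY
    editState=FIELD_READONLY
    editCountry=FIELD_HIDDEN
end if%>"""

# A setting line is "name=value"; ASP tags, VBScript keywords and ' comments never match.
ASSIGN_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)\s*$")

def parse_settings(text):
    """Map setting name -> value for every name=value line in the file text."""
    settings = {}
    for line in text.splitlines():
        match = ASSIGN_RE.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings

def audit(settings, policy):
    """Findings for the CA policy in use: 'Manual', 'Automatic' or 'AutomaticWithDelay'."""
    findings = []
    delay = int(settings.get("nAutoModeDelayInMinutes", "0"))
    if policy != "AutomaticWithDelay" and delay != 0:
        findings.append(f"nAutoModeDelayInMinutes={delay} while policy is {policy}; reset it to 0")
    if policy == "AutomaticWithDelay" and delay <= 0:
        findings.append("AutomaticWithDelay needs nAutoModeDelayInMinutes greater than 0")
    for name, value in settings.items():
        # Every field except editEmail is filled from the certificate, so it should stay read-only.
        if name.startswith("edit") and name != "editEmail" and value != "FIELD_READONLY":
            findings.append(f"{name}={value}; auto-filled fields should stay FIELD_READONLY")
    return findings

def set_value(text, name, value):
    """Rewrite the first 'name=...' line of the file text and return the new text."""
    pattern = re.compile(rf"^(\s*{re.escape(name)}\s*=\s*)\S+", re.MULTILINE)
    new_text, count = pattern.subn(rf"\g<1>{value}", text, count=1)
    if count == 0:
        raise KeyError(f"{name} is not set in this info.inc")
    return new_text
```

Run audit() after every manual edit of the CustomUpdate file, and again whenever the CA policy is switched, since a stale nAutoModeDelayInMinutes is the mistake the note in the delay procedure warns about.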
Adding the CA to the certified trust list
The Certificate Trust List (CTL) is a signed list of CA certificates that have been judged reputable by the administrator. In order to use a CA, you must notify Forefront UAG that you trust the CA by adding it to the CTL for the portal, as follows:
Note: If you are using a remote CA, import your server certificate into the local computer’s Trusted Root Certification Authorities certificate store before proceeding.
To add a CA to the CTL
- In the Windows desktop, click Start, point to Programs, point to Administrative Tools, and then click Internet Information Services.
The Internet Information Services (IIS) Manager window is displayed.
- Right-click the portal and select Properties.
The portal Properties dialog box is displayed.
- Click the Directory Security tab.
- In the Secure communications area, click Edit.
The Secure Communications dialog box is displayed.
- Check the option Enable certificate trust list, and click New.
The Welcome to the Certificate Trust List Wizard page is displayed.
- Click Next.
The Certificates in the CTL page of the Certificate Trust List Wizard is displayed.
- Click Add from Store.
The Select Certificate dialog box is displayed.
- Select the certificate you want to use and click OK.
The Certificates in the CTL page of the Certificate Trust List Wizard is displayed with the certificate you selected.
- Click Next.
The Name and Description page of the Certificate Trust List Wizard is displayed.
- Enter a name and description for the new Certificate Trust List, and click Next.
The Completing the Certificate Trust List Wizard page of the Certificate Trust List Wizard displays a summary of your settings.
- Click Finish.
The Certification Authority is added to the Certificate Trust List. The configuration process is complete. End-users can proceed to make their computers Certified Endpoints, in one of the following ways:
- Local CA installation, as described in End-User Interaction (Local CA Only).
- Remote CA installation—End-users need to request a certificate by means determined by the administrator.
Backing up the certificate settings
Make sure that you have a backup of the private key. If not, create backup files via the certificate store. After the initial backup, make sure to back up the certificate settings from time to time, especially before any software upgrade or installation, or before you make any other changes to system settings.
Viewing and processing CA requests
After a certificate is requested, depending on your Certification Authority Policy, you can perform one of the following actions for the certificate request:
- Issue a certificate for the pending request.
- Deny a certificate for the pending request.
You can view requests for Certification Authorities in the Certification Authority window.
To view certificate information
- In the Windows desktop, click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.
The Certification Authority window is displayed.
- Select the Certification Authority, and double-click one of the following folders:
  - Revoked Certificates
  - Issued Certificates
  - Pending Requests
  - Failed Requests
The information in the selected folder is displayed in the right pane of the Certification Authority window.
To issue a certificate from a pending request
- Right-click the pending request in the Certification Authority window, point to All Tasks, and then click Issue.
The certificate is issued. The pending request is moved from the Pending Requests folder to the Issued Certificates folder.
To deny a pending request for a certificate
- Right-click the pending request in the Certification Authority window, point to All Tasks, and then click Deny.
The pending request is denied and is placed in the Failed Requests folder. When the end-user checks the status of the Certified Endpoint request, a screen is displayed informing the end-user that the request was denied.