How to configure Microsoft AD CS server with Scalefusion
  • 20 Nov 2024
  • 6 Minutes to read
  • PDF

Article summary

The standard method, in which admins upload a certificate for each user and manually deploy it to devices, may not be feasible for organizations with a large user base, so IT admins often prefer automated certificate distribution. Scalefusion now provides a solution with which IT admins can configure a Microsoft Active Directory Certificate Services (AD CS) server for this purpose.

Active Directory Certificate Services (AD CS) is a server role in Microsoft Windows Server that provides public key infrastructure (PKI) and digital certificate management. It is used to create, distribute, and manage digital certificates within an organization, providing secure access to applications, networks, and systems. AD CS enables organizations to implement authentication, encryption, and digital signature services to improve security and ensure the integrity of communications and data.

Prerequisites

1. NDES must be installed on a Windows Server machine

Please refer to the following Microsoft guide on how to configure NDES.

2. Choosing the correct Challenge/Password method

Microsoft AD CS offers two ways to supply the challenge/password used to obtain a certificate: a static challenge/password that remains the same for every request, and a dynamic method where the password is generated periodically.

Depending on your use case you may choose to configure a static password or a dynamic password. Below we explain the steps to set each type of challenge password.

2.1 Set Static Challenge/Password

  1. Open the Registry Editor on the NDES machine and navigate to HKEY_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> Cryptography -> MSCEP -> UseSinglePassword

  2. Set the value for UseSinglePassword to 1.

  3. Restart the IIS server.

  4. You can use this enrollment challenge password in the How to configure with Static Challenge steps mentioned below.

2.2 Set Dynamic Challenge/Password

  1. Open the Registry Editor on the NDES machine and navigate to HKEY_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> Cryptography -> MSCEP -> UseSinglePassword

  2. Set the value for UseSinglePassword to 0.

  3. Restart the IIS server.

  4. By configuring this, every time you open the NDES admin URL it generates a unique challenge password, which you can use in the How to configure with Dynamic Challenge step. Admin URL: https:///certsrv/mscep_admin/mscep.dll.

  5. A limitation of this configuration is that NDES will only generate 5 passwords each hour. This can be resolved by increasing the password cache limit of NDES.

    1. Increasing password cache limit of NDES:

      1. Open the Registry Editor on the NDES machine and navigate to HKEY_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> Cryptography -> MSCEP -> PasswordMax

      2. Set the value for PasswordMax to, for example, 500.

  6. Restart the IIS server.
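The registry steps in sections 2.1 and 2.2 can be scripted so that the mode change, the cache limit and the IIS restart happen together and the result is read back for verification. This is an added example, not part of the Scalefusion article; it assumes each setting is a DWORD value of the same name under its own subkey of MSCEP (as the article's registry paths imply) and uses iisreset for the restart.

```powershell
# Added example (not from the Scalefusion article): switch NDES between the
# static (UseSinglePassword=1) and dynamic (UseSinglePassword=0) challenge
# modes, optionally raise the cached-password limit, restart IIS and read the
# values back. Run in an elevated PowerShell session on the NDES host.
# Assumption: each setting is a DWORD value of the same name under its own
# subkey of MSCEP, matching the registry paths the article gives.
#Requires -RunAsAdministrator

$MscepRoot = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

function Set-NdesChallengeMode {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Static', 'Dynamic')]
        [string] $Mode,

        # Only meaningful in Dynamic mode; the article suggests 500.
        [ValidateRange(1, 10000)]
        [int] $PasswordMax
    )

    $useSingle = if ($Mode -eq 'Static') { 1 } else { 0 }
    $key = Join-Path $MscepRoot 'UseSinglePassword'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'UseSinglePassword' -Value $useSingle -Type DWord

    if ($Mode -eq 'Dynamic' -and $PSBoundParameters.ContainsKey('PasswordMax')) {
        $pmKey = Join-Path $MscepRoot 'PasswordMax'
        if (-not (Test-Path $pmKey)) { New-Item -Path $pmKey -Force | Out-Null }
        Set-ItemProperty -Path $pmKey -Name 'PasswordMax' -Value $PasswordMax -Type DWord
    }

    # NDES reads these values at start-up, so IIS must be restarted (as in the article).
    iisreset /noforce | Out-Null
}

function Get-NdesChallengeConfig {
    # Read back what is actually in effect, for a post-change check or an audit record.
    $single = (Get-ItemProperty -Path (Join-Path $MscepRoot 'UseSinglePassword') -ErrorAction SilentlyContinue).UseSinglePassword
    $max    = (Get-ItemProperty -Path (Join-Path $MscepRoot 'PasswordMax') -ErrorAction SilentlyContinue).PasswordMax
    [pscustomobject]@{
        Mode        = if ($single -eq 1) { 'Static' } elseif ($single -eq 0) { 'Dynamic' } else { 'Unset' }
        PasswordMax = if ($null -ne $max) { $max } else { 'Default' }
    }
}

# Example: dynamic challenges with a larger cache, then verify the result.
Set-NdesChallengeMode -Mode Dynamic -PasswordMax 500
Get-NdesChallengeConfig
```

In Static mode the single challenge is one long-lived shared secret for every enrollment, so Dynamic mode is the better fit for anything beyond initial testing.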

How the AD CS setup works

  • Step 1: Set up the Microsoft AD CS CA Server

  • Step 2: Add Template(s) or the blueprints to generate a certificate

  • Step 3: Enable Template(s) from Device Profile

These are explained in detail in the sections below.

Step 1: Set up the Microsoft AD CS CA Server

To configure a certificate server for automatic deployment of certificates:

  1. On Scalefusion Dashboard, navigate to Device Profiles & Policies > Certificate Management

  2. Under Certificate (CA) Servers tab, click on Add CA Server

  3. This will open the Add CA Server window. Enter the following:

    1. CA Server Name: Enter a name for CA Server

    2. CA Server Provider: Choose Microsoft AD CS from the drop-down menu list.

    3. SCEP URL: Provide the AD CS URL, i.e. the SCEP endpoint through which the Certificate Authority (CA) server is reached. The shared secret key (the enrollment challenge) for this server is entered when you create a template.

    4. Click Save

  4. The CA server you have added will be displayed as a card on the Dashboard under the Certificate (CA) Servers tab, with details such as active/expired certificates, certificate templates, etc.

  5. Clicking on View Details will show the server details in the side card.

Step 2: Add Template

Add a template to start generating certificates using the CA server. To do so, follow these steps:

  1. On the side card, click on Create under Templates tab.

  2. This opens the Add Template window having three sections:

    1. Subject

    2. Subject Alternative Name

    3. Certificate Type

      Points to Note:

      1. Subject and Subject Alternative Name are part of the details that need to be provided in the request.

      2. The Subject is the name of the end entity for whom the certificate is being generated.

      3. The certificate's Subject info is expected to be in a specific format called LDAP DN format. It works like a key-value format where each key has a meaning. For example: CN=$user.email,OU=Engineering,O=Example Corp,C=US. Here, CN stands for Common Name, C is Country, O is Organization, etc.

  3. Subject: This section allows admins to define a subject for their user-based devices and user-agnostic devices. Enter the following details:

    1. Template Name: Provide a name for the template

    2. For User Based Devices, enter the following in User Based Devices section:

      1. Subject: The subject should be in a valid LDAP DN format. For example, CN=$user.name,CN=$user.mail,DC=com,DC=co.in. Because these are user-based certificates, only $user variables are allowed.

      2. Alias Name: Enter the alias name under which certificate should be installed.

    3. For User Agnostic Devices, enter the following in User Agnostic Devices section:

      1. Subject: The subject should be in a valid LDAP DN format. For example, CN=$device.name,CN=$device.imei,DC=com,DC=co.in. Because these are user-agnostic certificates, only $device variables are allowed.

      2. Alias Name: Enter the alias name under which the certificate should be installed.

        It is mandatory to enter at least one subject name.
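The Subject rules above (valid LDAP DN form, at least one subject name, $user variables only for user-based templates and $device variables only for user-agnostic ones) can be checked before a template is saved. This is an added example, not part of the Scalefusion article; the variable names are the ones the article shows, and the list of accepted attribute types (CN, OU, O, C, DC, plus L and ST) is an assumption.

```powershell
# Added example (not from the Scalefusion article): validate a Subject template
# before saving it. Splits the LDAP DN into RDNs, checks that each attribute
# type is one the article uses (CN, OU, O, C, DC; L and ST added as an
# assumption), and enforces the article's rule that user-based templates may
# only reference $user.* variables and user-agnostic ones only $device.*.

$AllowedAttributes = 'CN', 'OU', 'O', 'C', 'DC', 'L', 'ST'

function Test-SubjectTemplate {
    param(
        [Parameter(Mandatory)] [AllowEmptyString()] [string] $Template,
        [Parameter(Mandatory)] [ValidateSet('UserBased', 'UserAgnostic')] [string] $Kind
    )
    $errors = New-Object System.Collections.Generic.List[string]

    if ([string]::IsNullOrWhiteSpace($Template)) {
        $errors.Add('Subject is empty; at least one subject name is mandatory.')
    }
    else {
        # Split on commas that are not escaped with a backslash (RFC 4514 style).
        foreach ($rdn in ($Template -split '(?<!\\),')) {
            $parts = $rdn -split '=', 2
            if ($parts.Count -ne 2 -or -not $parts[1].Trim()) {
                $errors.Add("RDN '$rdn' is not in key=value form.")
                continue
            }
            $attr = $parts[0].Trim().ToUpperInvariant()
            if ($attr -notin $AllowedAttributes) {
                $errors.Add("Unknown attribute type '$attr' in '$rdn'.")
            }
        }
        # Variable scope rule: $user.* for user-based, $device.* for user-agnostic.
        $expected = if ($Kind -eq 'UserBased') { 'user' } else { 'device' }
        foreach ($m in [regex]::Matches($Template, '\$(\w+)\.(\w+)')) {
            if ($m.Groups[1].Value -ne $expected) {
                $errors.Add("Variable '$($m.Value)' is not allowed in a $Kind template (only `$$expected.* is).")
            }
        }
    }
    [pscustomobject]@{ Template = $Template; Kind = $Kind; Valid = ($errors.Count -eq 0); Errors = $errors.ToArray() }
}

# Constructed samples: the first passes; the second mixes $device into a user-based template.
Test-SubjectTemplate -Template 'CN=$user.name,CN=$user.mail,DC=com,DC=co.in' -Kind UserBased
Test-SubjectTemplate -Template 'CN=$device.name,OU=Engineering,O=Example Corp,C=US' -Kind UserBased
```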

  4. Subject Alternative Name

    1. Subject Alternative Name: By default, it is set to None. Select one from the drop-down:

      1. DNS Name

      2. RFC 822 Name

      3. Uniform Resource Identifier

    2. Subject Alternative Name Value: Provide the Subject Alternative Name value. For example, $user.name for user-based devices and $device.name for user-agnostic devices.

    3. NT Principal Name

      Subject Alternative Name Value and NT Principal Name will be enabled if either of the following conditions is met:

      • The Subject Alternative Name is not set to None

      • Values for user-based devices and user-agnostic devices are configured in Subject

  5. Certificate Type: In this section, admins can define the properties of the certificate.

    1. Challenge / Secret Key: Select Static or Dynamic from the drop-down and enter the corresponding enrollment challenge details in the text box.

      1. How to configure with Static Challenge:

        If you choose Static from the drop-down menu list, you will have to enter a Static Challenge.

      2. How to configure with Dynamic Challenge:

        If you choose Dynamic from the drop-down list, you will have to enter the details for Dynamic Challenge.

    2. Key Size: Select the size of the key (in bits) from the following:

      1. 1024

      2. 2048

      3. 4096

    3. Certificate Usage: Select from the following (Both can be selected):

      1. Digital Signature

      2. Key Encipherment

    4. Auto-Renew Certificate: Select whether you want the certificate to be auto-renewed when it is about to expire.

    5. Renew before (days): If you have selected auto-renewal, specify the number of days before expiry at which the certificate should be renewed.

  6. Click Save

  7. The template gets created and is listed under Templates

Step 3: Enable certificate template from Device Profile

The next step is to associate templates with Device Profiles. Once the profile is saved, a certificate is generated for the devices in the profile. Follow these steps:

  1. Navigate to Device Profiles & Policies > Device Profiles and edit an existing Windows Device Profile.

  2. Navigate to Settings > Device Management > Certificates

  3. For the template to which you want to grant access, enable the Install toggle. On enabling, the row becomes expandable downwards.

  4. Select Policy Target by choosing one of the options from the drop-down:

    1. Device: When you select Device as the policy target, user certificates will be installed at the device level upon user login.

    2. Enrolled User: Choosing Enrolled user as the policy target will deploy the certificate to the specific user who initially enrolled the device.

  5. Once you have provided the necessary grants, click on Update Profile.

  6. On the devices associated with the profile, certificates will be generated and the apps will be granted the certificate.

  7. The certificates generated by the CA server will be listed under Certificate Management.

Actions on CA Certificates

The following actions can be taken on CA certificates:

  1. Renew: Renews the certificate immediately.

  2. Deactivate / Activate: The certificate can be deactivated or activated. If you deactivate, it will be uninstalled from the device on which it is installed.

  3. Download: Downloads the certificate in zip format.
CA Certificates on device

On Windows devices: 

  1. Device-level CA certificates are stored in Certificate Manager on your system. You can check and validate whether certificates are installed on the device through the Certificate Manager application on your device.

  2. Enrolled User-level certificates are available in Control Panel.
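The same check can be done from PowerShell on the device: certificates deployed with the Device policy target land in the machine store and those deployed with the Enrolled User target in the current user's store, and the expiry can be compared against the template's Renew before (days) value. This is an added example, not part of the Scalefusion article; the subject filter and the renew-before window are constructed sample values.

```powershell
# Added example (not from the Scalefusion article): confirm that a certificate
# issued through the template has landed in the expected Windows store and
# report how close it is to the template's "Renew before (days)" window.
# Device-target certificates go to LocalMachine\My, Enrolled User-target
# certificates to CurrentUser\My (the article's Certificate Manager and
# Control Panel views respectively).

function Get-DeployedCertificate {
    param(
        [Parameter(Mandatory)] [string] $SubjectPattern,  # constructed sample: 'OU=Engineering'
        [int] $RenewBeforeDays = 30                        # the template's "Renew before (days)" value
    )
    $stores = 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My'
    foreach ($store in $stores) {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -like "*$SubjectPattern*" } |
            ForEach-Object {
                $daysLeft = [int]($_.NotAfter - (Get-Date)).TotalDays
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    DaysLeft      = $daysLeft
                    HasPrivateKey = $_.HasPrivateKey   # a deployed cert without its key cannot be used for auth
                    DueForRenewal = ($daysLeft -le $RenewBeforeDays)
                }
            }
    }
}

# Constructed sample run: list matching certificates in both stores.
Get-DeployedCertificate -SubjectPattern 'OU=Engineering' -RenewBeforeDays 30 | Format-Table -AutoSize
```

An empty result for the store you expected means the policy target (Device vs Enrolled User) in Step 3 does not match where you are looking.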

On Android devices:

On Android devices, CA Certificates are stored under Settings > Security & Location > Encryption & Credentials > User Credentials.

On iOS devices:

On iOS devices, CA certificates are stored under Settings > General > VPN & Device Management > Profile > More Details.

On macOS devices

On macOS devices, certificates and templates are visible under Privacy & Security > Others > Profiles.
