Create CA Templates

Introduction

This page walks you through setting up your ADCS CA so that EZSmartCard holds an enrollment agent certificate and uses that certificate to issue certificates.

Creating Enrollment Certificate

EZSmartCard signs certificate requests with a certificate issued by your CA, so the CA can verify that each request was produced by the EZSmartCard agent. The following steps walk you through creating the template for this certificate.

  1. Open the Certificate Authority management console.
  2. Right click the Certificate Templates folder.
  3. Click Manage.
  4. Right click the Enrollment Agent template.
  5. Select the Duplicate option.
  6. Switch to the General tab.
  7. Change the Name to EZCA Enrollment Agent.
  8. Change the validity period to 2 months.
  9. Navigate to the Security tab.
  10. Click Add.
  11. Click Object Types.
  12. Add Service Accounts.
  13. Click OK.
  14. Enter the name of your gMSA. Note: if you have not created your gMSA yet, see the Create gMSA section of these docs.
  15. Click OK.
  16. Back in the Security tab, make sure the gMSA has Read and Enroll rights on this template.
  17. Navigate to the Subject Name tab.
  18. Select the “Supply in the request” option.
  19. Save the changes and exit the dialog by clicking the OK button.
  20. Back in the Certificate Authority management console, click Certificate Templates.
  21. Once in the Certificate Templates page, right click any whitespace and select New > Certificate Template to Issue.
  22. Select the EZCA Enrollment Template that we just created.
  23. Your CA can now issue this certificate to the EZCA gMSA. Repeat the last 3 steps on each CA on which you want to enable this template.

Create EZSmartCard Test Certificate Template

To ensure high uptime, EZSmartCard issues a test certificate from each registered CA every few minutes. To enable this, we will create a short-lived template for EZSmartCard to issue.

  1. Open the Certificate Authority management console.
  2. Right click the Certificate Templates folder.
  3. Click Manage.
  4. Right click the Web Server template.
  5. Select the Duplicate option.
  6. Switch to the General tab.
  7. Change the Name to EZCA Test Template.
  8. Change the validity period to 1 hour.
  9. Navigate to the Security tab.
  10. Click Add.
  11. Click Object Types.
  12. Add Service Accounts.
  13. Click OK.
  14. Enter the name of your gMSA. Note: if you have not created your gMSA yet, see the Create gMSA section of these docs.
  15. Click OK.
  16. Back in the Security tab, make sure the gMSA has Read and Enroll rights on this template.
  17. Navigate to the Issuance Requirements tab.
  18. Select the “This number of authorized signatures” option and make sure the number is one.
  19. Change the application policy to “Certificate Request Agent”.
  20. Save the changes and exit the dialog by clicking the OK button.
  21. Back in the Certificate Authority management console, click Certificate Templates.
  22. Once in the Certificate Templates page, right click any whitespace and select New > Certificate Template to Issue.
  23. Select the EZCATestTemplate that we just created.
  24. Your CA can now issue this certificate to the EZCA gMSA if it signs the request with its enrollment agent certificate. Repeat the last 3 steps on each CA on which you want to enable this template.

Creating the Smart Card Template

The last template we have to create is the smart card template you want EZSmartCard to issue.

  1. Open the Certificate Authority management console.
  2. Right click the Certificate Templates folder.
  3. Click Manage.
  4. Right click the Smartcard Logon template.
  5. Select the Duplicate option.
  6. Change the Name to EZSmartCard.
  7. Set the validity period to your desired smart card validity period.
  8. Navigate to the Security tab.
  9. Click Add.
  10. Click Object Types.
  11. Add Service Accounts.
  12. Click OK.
  13. Enter the name of your gMSA. Note: if you have not created your gMSA yet, see the Create gMSA section of these docs.
  14. Click OK.
  15. Back in the Security tab, make sure the gMSA has Read and Enroll rights on this template.
  16. Navigate to the Issuance Requirements tab.
  17. Select the “This number of authorized signatures” option and make sure the number is one.
  18. Change the application policy to “Certificate Request Agent”.
  19. Navigate to the Subject Name tab.
  20. Select “Supply in the request”.
  21. Save the changes and exit the dialog by clicking the OK button.
  22. EZSmartCard will now be able to issue certificates for this template.
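The following script is an added verification aid, not part of the EZCA docs or product: it reads the three templates created above (enrollment agent, test, smart card) from Active Directory and warns when a setting differs from what the steps describe, when Enroll is held by more principals than the gMSA, or when a template has not been enabled for issuance on any CA. It assumes the RSAT ActiveDirectory module, the template display names used on this page, and that you run it as a user who can read the configuration partition.

```powershell
# Added check script (not part of the EZCA docs). Assumes the RSAT ActiveDirectory
# module and the template display names used on this page.
Import-Module ActiveDirectory
$CraOid      = '1.3.6.1.4.1.311.20.2.1'      # Certificate Request Agent application policy / EKU
$ScLogonOid  = '1.3.6.1.4.1.311.20.2.2'      # Smart Card Logon EKU
$EnrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$PkiDn = 'CN=Public Key Services,CN=Services,' + (Get-ADRootDSE).configurationNamingContext
# Every CA in the forest, with the list of template names it is allowed to issue
$Cas = Get-ADObject -SearchBase "CN=Enrollment Services,$PkiDn" `
    -Filter 'objectClass -eq "pKIEnrollmentService"' -Properties certificateTemplates

function Get-TemplateFacts([string]$DisplayName) {
    $t = Get-ADObject -SearchBase "CN=Certificate Templates,$PkiDn" -Filter "displayName -eq '$DisplayName'" `
        -Properties pKIExpirationPeriod, pKIExtendedKeyUsage, 'msPKI-Certificate-Name-Flag',
                    'msPKI-RA-Signature', 'msPKI-RA-Application-Policies'
    if (-not $t) { return $null }
    $ticks = [BitConverter]::ToInt64([byte[]]$t.pKIExpirationPeriod, 0)   # negative count of 100 ns ticks
    $enroll = (Get-Acl "AD:$($t.DistinguishedName)").Access |
        Where-Object { $_.ObjectType -eq $EnrollRight -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.IdentityReference.Value }
    [pscustomobject]@{
        Template       = $DisplayName
        Validity       = [TimeSpan]::FromTicks(-$ticks)
        SubjectFromReq = [bool]([int]$t.'msPKI-Certificate-Name-Flag' -band 1)  # "Supply in the request"
        RaSignatures   = [int]$t.'msPKI-RA-Signature'                            # "authorized signatures"
        RequiresCraSig = ([string]$t.'msPKI-RA-Application-Policies') -like "*$CraOid*"
        Eku            = @($t.pKIExtendedKeyUsage)
        EnrollGranted  = @($enroll)
        EnabledOnCas   = @($Cas | Where-Object { $_.certificateTemplates -contains $t.Name } | ForEach-Object Name)
    }
}

# Expected settings, taken from the steps on this page
$expected = @(
    @{ Name = 'EZCA Enrollment Agent'; SubjectFromReq = $true; Eku = $CraOid }
    @{ Name = 'EZCA Test Template'; RaSignatures = 1; RequiresCraSig = $true; MaxValidity = [TimeSpan]::FromHours(1) }
    @{ Name = 'EZSmartCard'; RaSignatures = 1; RequiresCraSig = $true; SubjectFromReq = $true; Eku = $ScLogonOid }
)
foreach ($e in $expected) {
    $f = Get-TemplateFacts $e.Name
    if (-not $f) { Write-Warning "$($e.Name): template not found"; continue }
    $f | Format-List | Out-Host
    if ($e.SubjectFromReq -and -not $f.SubjectFromReq) { Write-Warning "$($e.Name): 'Supply in the request' is not set" }
    if ($e.RaSignatures -and $f.RaSignatures -ne $e.RaSignatures) { Write-Warning "$($e.Name): authorized signatures = $($f.RaSignatures), expected $($e.RaSignatures)" }
    if ($e.RequiresCraSig -and -not $f.RequiresCraSig) { Write-Warning "$($e.Name): signing policy is not Certificate Request Agent" }
    if ($e.Eku -and $f.Eku -notcontains $e.Eku) { Write-Warning "$($e.Name): EKU $($e.Eku) is missing" }
    if ($e.MaxValidity -and $f.Validity -gt $e.MaxValidity) { Write-Warning "$($e.Name): validity $($f.Validity) exceeds $($e.MaxValidity)" }
    if ($f.EnrollGranted.Count -gt 1) { Write-Warning "$($e.Name): Enroll is held by $($f.EnrollGranted -join ', '); confirm only the EZCA gMSA needs it" }
    if ($f.EnabledOnCas.Count -eq 0) { Write-Warning "$($e.Name): not enabled for issuance on any CA" }
}
```

Duplicated templates inherit the Enroll entries of the template they were copied from, so the Enroll warning is expected on a fresh setup; review that list against who should be able to request these certificates.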