Microsoft Windows Certificate Authority Integration Guide Page 4 of 37
Contents
1 Introduction ... 6
1.1 ECC support ... 6
1.2 Hardware and software requirements ... 6
1.2.1 User Account Control ... 6
1.2.2 Failover clustering ... 6
1.3 Change history ... 7
2 Before Installing MyID ... 8
2.1 Domain considerations ... 8
2.1.1 Certificate policy domain considerations ... 8
2.2 Naming and special characters ... 8
2.3 MyID user account ... 9
2.4 Application Policy attribute ... 9
2.5 Certificate expiry ... 9
2.6 Enrollment Agent Certificate ... 9
2.6.1 Manually requesting the Enrollment Agent certificate ... 10
2.7 Published certificates ... 10
2.8 Encryption key recovery ... 11
2.9 Enable key archiving ... 11
2.9.1 Additional MyID application servers ... 11
2.9.2 Key Recovery Agent certificate requirements ... 12
2.9.3 Publishing the Key Recovery Agent (KRA) certificate ... 12
2.9.4 Obtaining the Key Recovery Agent (KRA) certificate ... 12
2.9.5 Enable key archiving and load the KRA certificate into the CA ... 13
2.9.6 Define certificate templates that support key archival ... 15
2.10 Enable certificate templates for issuance to the CA ... 17
2.11 Role separation ... 17
2.12 Using the DeviceSerialNumber X500 attribute ... 18
2.13 Configuring ECC certificates ... 20
3 After Installing MyID ... 21
3.1 Known issues ... 21
3.1.1 Unable to issue certificates ... 21
3.1.2 Certificates fail to issue if the DN is too long ... 21
3.1.3 CAs not detected ... 21
3.2 Registering a Microsoft CA within MyID ... 21
3.2.1 Manually registering a Microsoft CA within MyID ... 21
3.2.2 Enabling the mapping of extended attributes ... 22
3.3 Setting a certificate store ... 22
3.4 Enable certificate templates for issuance within MyID ... 22
3.5 Deleting a CA ... 25
3.6 Multiple forest support for Microsoft Enterprise CAs ... 26
3.6.1 Setting up MyID for multiple forest support ... 26
3.6.2 Publishing the root certificate into the account forest ... 26
3.7 Attribute mapping for PIV systems ... 27
3.7.1 Example attribute mapping for PIV systems ... 27
3.7.2 Example attribute mapping for PIV-I systems ... 27
3.8 Unpublishing the Enrollment Agent and Key Recovery Agent certificates ... 27
3.9 Controlling the content of subject alternative names ... 28
3.10 Setting certificate lifetime ... 29
3.10.1 Controlling the certificate lifetime from MyID ... 29
3.10.2 Specific certificate expiry time ... 30
3.11 Adding extensions to certificate templates for PIV ... 30
3.12 Setting up certificates for imported users ... 31
3.13 Setting the effective revocation date ... 31