If you do not already have a certificate authority set up, you must add the Active Directory Certificate Services (AD CS) role to a Windows server and configure the server to be an enterprise CA.

Before you begin

  • Create a Windows Server 2008 R2 or Windows Server 2012 R2 virtual machine.

  • Verify that the virtual machine is part of the Active Directory domain for the Horizon 7 deployment.

  • Verify that you are using an IPv4 environment. This feature is currently not supported in an IPv6 environment.

  • Verify that the system has a static IP address.

About this task

If you do already have an enterprise CA set up, verify that you are using the settings described in this procedure.

You must have at least one enterprise CA, and VMware recommends that you have two for purposes of failover and load balancing. The enrollment server you will create for True SSO communicates with the enterprise CA. If you configure the enrollment server to use multiple enterprise CAs, the enrollment server will alternate between the CAs available. If you install the enrollment server on the same machine that hosts the enterprise CA, you can configure the enrollment server to prefer using the local CA. This configuration is recommended for best performance.

Part of this procedure involves enabling non-persistent certificate processing. By default, certificate processing includes storing a record of each certificate request and issued certificate in the CA database. A sustained high volume of requests increases the CA database growth rate and could consume all available disk space if not monitored. Enabling non-persistent certificate processing and can help reduce the CA database growth rate and frequency of database management tasks.

Procedure

  1. Log in to the virtual machine operating system as an administrator and start Server Manager.
  2. Select the settings for adding roles.

    Operating System

    Selections

    Windows Server 2012 R2

    1. Select Add roles and features.

    2. On the Select Installation Type page, select Role-based or feature-based installation.

    3. On the Select Destination Server page, select a server.

    Windows Server 2008 R2

    1. Select Roles in the navigation tree.

    2. Click Add Roles to start the Add Role wizard.

  3. On the Select Server Roles page, select Active Directory Certificate Services.
  4. In the Add Roles and Features wizard, click Add Features, and leave the Include management tools check box selected.
  5. On the Select Features page, accept the defaults.
  6. On the Select Role Services page, select Certification Authority.
  7. Follow the prompts and finish the installation.
  8. When installation is complete, on the Installation Progress page, click the Configure Active Directory Certificate Services on destination server link to open the AD CS Configuration wizard.
  9. On the Credentials page, click Next and complete the AD CS Configuration wizard pages as described in the following table.

    Option

    Action

    Role Services

    Select Certification Authority, and click Next (rather than Configure).

    Setup Type

    Select Enterprise CA.

    CA Type

    Select Root CA or Subordinate CA. Some enterprises prefer two-tier PKI deployment. For more information, see http://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx.

    Private Key

    Select Create a new private key.

    Cryptography for CA

    For hash algorithm, you can select SHA1, SHA256, SHA384, or SHA512. For key length, you can select 1024, 2048, 3072, or 4096.

    VMware recommends a minimum of SHA256 and a 2048 key.

    CA Name

    Accept the default or change the name.

    Validity Period

    Accept the default of 5 years.

    Certificate Database

    Accept the defaults.

  10. On the Confirmation page, click Configure, and when the wizard reports a successful configuration, close the wizard.
  11. Open a command prompt and enter the following command to configure the CA for non-persistent certificate processing:

    certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS

  12. Enter the following command to ignore offline CRL (certificate revocation list) errors on the CA:
    certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE

    This flag is required because the root certificate that True SSO uses will usually be offline, and thus revocation checking will fail, which is expected.

  13. Enter the following commands to restart the service:
    sc stop certsvc
    sc start certsvc

What to do next

Create a certificate template. See Create Certificate Templates Used with True SSO.