You must configure the certificate template on the CA. The certificate template is the basis for the certificates that the CA generates.

Prerequisites

Complete the steps described in Install and Configure a Windows Server 2012 R2 Certificate Authority.

Procedure

  1. Create a new Universal Security Group.
    This allows you to have a single Security Group to which you can assign the permissions required for issuing certificates on behalf of users. All the computers where VMware Enrollment Servers are installed can inherit those permissions by becoming a member of this group.
    1. Click Start and type dsa.msc.
      The Active Directory Users and Computers dialog displays.
    2. In the tree, right-click the Users folder for the domain controller and select New > Group.
      The New Object - Group dialog displays.
    3. In the Group Name field, enter a name for the new group. For example, TrueSSO Enrollment Servers.
    4. Make settings as described below.
      Setting        Value
      Group scope    Universal
      Group type     Security
    5. Click OK.
      The new group appears in the tree in the Active Directory Users and Computers dialog.
    6. Right-click the group and select Properties.
    7. On the Member Of tab, add the computer where the Enrollment Server will be installed, and then click OK.
    8. Restart the computer(s) where the Enrollment Server(s) will be installed.
  2. Configure the certificate template.
    1. Select Control Panel > Administrative Tools > Certificate Authority.
    2. In the tree, expand the local CA name.
    3. Right-click on the Certificate Templates folder and select Manage.
      The Certificate Templates Console displays.
    4. Right-click on the Smartcard Logon template and select Duplicate Template.
      The Properties of New Template dialog displays.
    5. Enter information on the tabs of the dialog as described below.
      Tab and its settings:
      Compatibility
      • Select 'Show resulting changes' check box
      • Certification Authority - Windows Server 2008 R2
      • Certificate recipient - Windows 7 / Server 2008 R2
      General
      • Template display name - Name of your choice. For example, True SSO Template.
      • Template name - Name of your choice. For example, True SSO Template.
      • Validity period - 1 hours
      • Renewal period - 0 weeks
      Request Handling
      • Purpose - Signature and smartcard logon
      • Select 'For automatic renewal of smart card certificates . . .' check box
      • Select 'Prompt the user during enrollment' radio button
      Cryptography
      • Provider Category - Key Storage Provider
      • Algorithm name - RSA
      • Minimum key size - 2048
      • Select 'Requests can use any provider available . . . .' radio button
      • Request hash - SHA256
      Subject Name
      • Select 'Build from this Active Directory Information' radio button
      • Subject name format - Fully distinguished name
      • Select 'User principal name (UPN)' check box
      Server
      • Select 'Do not store certificates and requests in the CA database' check box
      Issuance Requirements
      • Require the following for enrollment - Select 'This number of authorized signatures' and enter 1
      • Policy type required in signature - Application policy
      • Application policy - Certificate Request Agent
      • Require the following for enrollment - Valid existing certificate
      Security
      • In the upper part of the tab, select the new group you created. Then, in the lower part of the tab, select 'Allow' for the Read and Enroll permissions.
    6. Click OK.
  3. Issue the template for True SSO.
    1. Right-click again on the Certificate Templates folder and select New > Certificate Template to Issue.
      The Enable Certificate Templates dialog displays.
    2. Select TrueSsoTemplate and click OK.
  4. Issue the Enrollment Agent template.
    1. Right-click again on the Certificate Templates folder and select New > Certificate Template to Issue.
      The Enable Certificate Templates dialog displays.
    2. Select the Enrollment Agent computer and click OK.
      Note: This template must have the same security settings as the template issued in the previous step.
    The CA is now set up and configured with a certificate template suitable for use with True SSO.
  5. Download the Horizon Cloud pairing bundle by following the steps in Download the Horizon Cloud Pairing Bundle.
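
The template settings from step 2 can be read back from Active Directory and compared with the values entered in the dialog. The script below is an added example, not part of the original procedure or VMware's own code. It assumes a domain-joined host with the RSAT ActiveDirectory module and the example display name True SSO Template; the attribute names are the AD schema attributes behind the template dialog and do not appear on this page.

```powershell
# Added example (not VMware's code): read the duplicated template back from AD
# and compare it with the values entered in step 2 of the procedure.
Import-Module ActiveDirectory

$DisplayName = 'True SSO Template'                           # example name from step 2
$CraOid      = '1.3.6.1.4.1.311.20.2.1'                      # Certificate Request Agent
$EnrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment right
$OneHour     = -36000000000                                  # 1 hour as a negative 100 ns interval

# Certificate templates live in the forest's configuration partition.
$configNc = (Get-ADRootDSE).configurationNamingContext
$base     = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$props    = 'pKIExpirationPeriod', 'pKIOverlapPeriod', 'msPKI-Minimal-Key-Size',
            'msPKI-RA-Signature', 'msPKI-RA-Application-Policies',
            'msPKI-Certificate-Name-Flag'

$t = Get-ADObject -SearchBase $base -Filter "displayName -eq '$DisplayName'" -Properties $props |
     Select-Object -First 1
if (-not $t) { throw "Template '$DisplayName' not found under $base" }

$nameFlag = $t.'msPKI-Certificate-Name-Flag'
$raPolicy = $t.'msPKI-RA-Application-Policies' -join ' '

# Each entry maps a setting from the procedure to the attribute that stores it.
$checks = [ordered]@{
    'Validity period is 1 hour'                        = ([BitConverter]::ToInt64($t.pKIExpirationPeriod, 0) -eq $OneHour)
    'Renewal period is 0'                              = ([BitConverter]::ToInt64($t.pKIOverlapPeriod, 0) -eq 0)
    'Minimum key size is at least 2048'                = ($t.'msPKI-Minimal-Key-Size' -ge 2048)
    'One authorized signature required'                = ($t.'msPKI-RA-Signature' -eq 1)
    'Signature needs Certificate Request Agent policy' = ($raPolicy -match [regex]::Escape($CraOid))
    'Subject built from AD, not supplied by requester' = (($nameFlag -band 0x1) -eq 0)
    'UPN included in subject alternative name'         = (($nameFlag -band 0x02000000) -ne 0)
}
$checks.GetEnumerator() | ForEach-Object {
    '{0,-50} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISMATCH' })
}

# Principals allowed to enroll; the group created in step 1 should be listed.
(Get-Acl -Path "AD:\$($t.DistinguishedName)").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $EnrollRight } |
    ForEach-Object { $_.IdentityReference.Value } |
    Sort-Object -Unique
```

A MISMATCH on the signature or subject checks means the template can issue logon certificates without the Enrollment Agent counter-signature or with a requester-chosen identity, so correct the template before issuing it in step 3.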