You can configure the certificate template on the CA. The certificate template is the basis for the certificates that the CA generates.

Procedure

  1. Create a new Universal Security Group.

    This gives you a single Security Group to which you can assign the permissions required for issuing certificates on behalf of users. Every computer where a VMware Enrollment Server is installed inherits those permissions by becoming a member of this group, so membership of the group should be limited to those computers.

    1. Click Start and type dsa.msc.

      The Active Directory Users and Computers dialog displays.

    2. In the tree, right-click the Users folder for the domain controller and select New > Group.

      The New Object - Group dialog displays.

    3. In the Group Name field, enter a name for the new group. For example, TrueSSO Enrollment Servers.
    4. Make settings as described below.

      Setting        Value
      Group scope    Universal
      Group type     Security

    5. Click OK.

      The new group appears in the tree in the Active Directory Users and Computers dialog.

    6. Right-click the group and select Properties.
    7. On the Member Of tab, add the computer where the Enrollment Server will be installed, and then click OK.
    8. Restart the computer(s) where the Enrollment Server(s) will be installed.
  2. Configure the certificate template.
    1. Select Control Panel > Administrative Tools > Certificate Authority.
    2. In the tree, expand the local CA name.
    3. Right-click on the Certificate Templates folder and select Manage.

      The Certificate Templates Console displays.

    4. Right-click on the Smartcard Logon template and select Duplicate Template.

      The Properties of New Template dialog displays.

    5. Enter information on the tabs of the dialog as described below.

      Compatibility tab
      • Select the 'Show resulting changes' check box
      • Certification Authority - Windows Server 2008 R2
      • Certificate recipient - Windows 7 / Server 2008 R2

      General tab
      • Template display name - Name of your choice. For example, True SSO Template.
      • Template name - Name of your choice. For example, True SSO Template.
      • Validity period - 1 hour
      • Renewal period - 0 weeks

      Request Handling tab
      • Purpose - Signature and smartcard logon
      • Select the 'For automatic renewal of smart card certificates . . .' check box
      • Select the 'Prompt the user during enrollment' radio button

      Cryptography tab
      • Provider Category - Key Storage Provider
      • Algorithm name - RSA
      • Minimum key size - 2048
      • Select the 'Requests can use any provider available . . .' radio button
      • Request hash - SHA256

      Subject Name tab
      • Select the 'Build from this Active Directory information' radio button
      • Subject name format - Fully distinguished name
      • Select the 'User principal name (UPN)' check box

      Server tab
      • Select the 'Do not store certificates and requests in the CA database' check box

      Issuance Requirements tab
      • Require the following for enrollment - Select 'This number of authorized signatures' and enter 1
      • Policy type required in signature - Application policy
      • Application policy - Certificate Request Agent
      • Require the following for reenrollment - Valid existing certificate

      Security tab
      In the upper part of the tab, select the new group you created. In the lower part of the tab, select 'Allow' for the Read and Enroll permissions.

    6. Click OK.
  3. Issue template for True SSO.
    1. Right-click again on the Certificate Templates folder and select New > Certificate Template to Issue.

      The Enable Certificate Templates dialog displays.

    2. Select the template you created (for example, True SSO Template) and click OK.
  4. Issue Enrollment Agent template.
    1. Right-click again on the Certificate Templates folder and select New > Certificate Template to Issue.

      The Enable Certificate Templates dialog displays.

    2. Select the Enrollment Agent (Computer) template and click OK.

      Note: This template must have the same security settings as the template issued in the previous step.
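As an added post-configuration check that is not part of VMware's procedure, the following PowerShell reads the new template back from the AD Configuration partition and verifies the settings that matter most for a template used to enroll on behalf of users: one authorized signature carrying the Certificate Request Agent policy, a subject built from Active Directory rather than supplied by the requester, a one-hour validity, and which principals actually hold the Enroll right. It assumes the ActiveDirectory PowerShell module is available and that the template and group names match what you chose above (the defaults are the page's example names).

```powershell
# Added verification script; not part of VMware's procedure. Assumes the
# ActiveDirectory module and that both names below match what you chose above
# (they default to the page's example names).
param(
    [string]$TemplateName = 'True SSO Template',         # "Template name" from the General tab
    [string]$GroupName    = 'TrueSSO Enrollment Servers' # group created in step 1
)
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$t  = Get-ADObject -Identity $dn -Properties *

function Check([string]$What, [bool]$Ok) {
    '{0,-4} {1}' -f $(if ($Ok) { 'OK' } else { 'FAIL' }), $What
}

# Validity: pKIExpirationPeriod is a negative int64 count of 100 ns units
$raw = [BitConverter]::ToInt64($t.pKIExpirationPeriod, 0)
Check 'Validity period is 1 hour' ((-$raw) -eq 36000000000)

# Issuance requirements: one RA signature carrying the Certificate Request Agent policy
Check 'Requires 1 authorized signature' ($t.'msPKI-RA-Signature' -eq 1)
Check 'Signature must carry Certificate Request Agent (1.3.6.1.4.1.311.20.2.1)' `
    (($t.'msPKI-RA-Application-Policies' -join ' ') -match '1\.3\.6\.1\.4\.1\.311\.20\.2\.1')

# Cryptography and purpose
Check 'Minimum key size is 2048' ($t.'msPKI-Minimal-Key-Size' -ge 2048)
Check 'Smart Card Logon EKU present' ($t.pKIExtendedKeyUsage -contains '1.3.6.1.4.1.311.20.2.2')

# Subject name: built from AD (requester must NOT supply it), UPN in the SAN, full DN as subject
$nf = [uint32]([int64]$t.'msPKI-Certificate-Name-Flag' -band 0xFFFFFFFF)
Check 'Requester does not supply the subject' (($nf -band 0x00000001) -eq 0)
Check 'UPN included in subject alternative name' (($nf -band 0x02000000) -ne 0)
Check 'Subject built from fully distinguished name' (($nf -band 0x80000000) -ne 0)

# Security tab: who holds the Certificate-Enrollment extended right on the template
$ADR = [System.DirectoryServices.ActiveDirectoryRights]
$enrollRight = [guid]'0e10c968-78fb-11d1-a9c0-0000f80367c1'
$enrollers = (Get-Acl -Path "AD:\$dn").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (
        $_.ActiveDirectoryRights.HasFlag($ADR::GenericAll) -or
        ($_.ActiveDirectoryRights.HasFlag($ADR::ExtendedRight) -and
         ($_.ObjectType -eq $enrollRight -or $_.ObjectType -eq [guid]::Empty)))
} | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
Check "'$GroupName' holds Enroll" ([bool]($enrollers | Where-Object { $_ -like "*\$GroupName" }))
'Principals allowed to enroll (anything beyond the group and built-in admin groups needs review):'
$enrollers | ForEach-Object { "  $_" }
```

Run it on the CA or any domain-joined machine with RSAT after step 2; a template duplicated from Smartcard Logon keeps that template's default ACEs, so the final list normally shows the built-in admin groups alongside your group.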

Results

The CA is now set up and configured with a certificate template suitable for use with True SSO.

What to do next

Set up the Enrollment Server