You must configure the certificate template on the CA. The certificate template is the basis for the certificates that the CA generates.

Prerequisites

Complete the steps described in Install and Configure a Windows Server 2012 R2 Certificate Authority.

Procedure

  1. Create a new Universal Security Group.
    This gives you a single security group to which you can assign the permissions required for issuing certificates on behalf of users. Every computer on which a VMware Enrollment Server is installed inherits those permissions by becoming a member of this group.
    1. Click Start and type dsa.msc.
      The Active Directory Users and Computers window displays.
    2. In the tree, right-click the Users folder for the domain controller and select New > Group.
      The New Object - Group window displays.
    3. In the Group Name field, enter a name for the new group. For example, TrueSSO Enrollment Servers.
    4. Set the following values.
      Setting        Value
      Group scope    Universal
      Group type     Security
    5. Click OK.
      The new group appears in the tree in the Active Directory Users and Computers window.
    6. Right-click the group and select Properties.
    7. On the Member Of tab, add every computer on which you will be installing an Enrollment Server, and then click OK.
    8. Restart every computer on which you will be installing an Enrollment Server.
  2. Configure the certificate template.
    1. Select Control Panel > Administrative Tools > Certificate Authority.
    2. In the tree, expand the local CA name.
    3. Right-click on the Certificate Templates folder and select Manage.
      The Certificate Templates Console displays.
    4. Right-click on the Smartcard Logon template and select Duplicate Template.
      The Properties of New Template window displays.
    5. Enter information on the tabs of the window as described below.
      Compatibility tab
        • Select the Show resulting changes check box.
        • Certification Authority - Windows Server 2008 R2
        • Certificate recipient - Windows 7 / Server 2008 R2
      General tab
        • Template display name - Name of your choice. For example, True SSO Template.
        • Template name - Name of your choice. For example, True SSO Template.
        • Validity period - 1 hours
        • Renewal period - 0 weeks
      Request Handling tab
        • Purpose - Signature and smartcard logon
        • Select the For automatic renewal of smart card certificates . . . check box
        • Select the Prompt the user during enrollment radio button
      Cryptography tab
        • Provider Category - Key Storage Provider
        • Algorithm name - RSA
        • Minimum key size - 2048
        • Select the Requests can use any provider available . . . . radio button
        • Request hash - SHA256
      Subject Name tab
        • Select the Build from this Active Directory Information radio button.
        • Subject name format - Fully distinguished name
        • Select the User principal name (UPN) check box.
      Server tab
        • Select the Do not store certificates and requests in the CA database check box
      Issuance Requirements tab
        • Require the following for enrollment - Select This number of authorized signatures and enter 1.
        • Policy type required in signature - Application policy
        • Application policy - Certificate Request Agent
        • Require the following for enrollment - Valid existing certificate
      Security tab
        • In the upper part of the tab, select the new group you created. Then in the lower part of the tab, select Allow for Read and Enroll permissions.
    6. Click OK.
  3. Issue the template for True SSO.
    1. Right-click again on the Certificate Templates folder and select New > Certificate Template to Issue.
      The Enable Certificate Templates window displays.
    2. Select TrueSsoTemplate and click OK.
  4. Issue the Enrollment Agent template.
    1. Right-click again on the Certificate Templates folder and select New > Certificate Template to Issue.
      The Enable Certificate Templates window displays.
    2. Select the Enrollment Agent (Computer) template and click OK.
      Note: This template must have the same security settings as the template issued in the previous step.
    The CA is now set up and configured with a certificate template suitable for use with True SSO.
  5. Download the Horizon Cloud pairing bundle by following the steps in Download the Horizon Cloud Pairing Bundle.
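
To confirm the settings from step 2 without reopening each tab, you can read the template object back from Active Directory and compare it with the values above. The script below is an added example, not VMware's or Microsoft's own code; it assumes the ActiveDirectory PowerShell module is installed and that the template uses the example display name True SSO Template.

```powershell
# Added example: audit the duplicated template against the values entered in step 2.
# Assumption: $DisplayName is the display name you chose on the General tab.
param([string]$DisplayName = 'True SSO Template')

Import-Module ActiveDirectory   # provides Get-ADObject and the AD: drive

# Certificate templates live in the forest's Configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$base     = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$t = Get-ADObject -SearchBase $base -LDAPFilter "(displayName=$DisplayName)" -Properties *
if (-not $t) { throw "Template '$DisplayName' not found under $base" }

# pKIExpirationPeriod is stored as a negative 64-bit count of 100 ns intervals.
$validity   = [TimeSpan]::FromTicks(-[BitConverter]::ToInt64($t.pKIExpirationPeriod, 0))
$nameFlag   = [int]$t.'msPKI-Certificate-Name-Flag'
$raPolicies = @($t.'msPKI-RA-Application-Policies') -join ';'
$agentOid   = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent application policy

$checks = [ordered]@{
    'Validity period is 1 hour'                    = ($validity -eq [TimeSpan]::FromHours(1))
    'Minimum key size is at least 2048'            = ($t.'msPKI-Minimal-Key-Size' -ge 2048)
    'One authorized signature is required'         = ($t.'msPKI-RA-Signature' -eq 1)
    'Signature needs Certificate Request Agent'    = ($raPolicies -match [regex]::Escape($agentOid))
    'Subject is built from AD, not the request'    = (($nameFlag -band 0x00000001) -eq 0)
    'UPN is included in the alternative name'      = (($nameFlag -band 0x02000000) -ne 0)
}
$checks.GetEnumerator() | ForEach-Object {
    '{0,-45} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'REVIEW' })
}

# List every principal with an explicit Allow on the Enroll extended right.
# Expect the group from step 1 here; principals holding full control are not listed.
$enroll = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
'Principals allowed to enroll:'
(Get-Acl "AD:\$($t.DistinguishedName)").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $enroll } |
    Select-Object -ExpandProperty IdentityReference -Unique
```

Run it from a domain-joined machine with read access to the Configuration partition. Because the note in step 4 requires the same security settings on the Enrollment Agent template, compare that template's Enroll list against this one as well.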