A newer version of this documentation is available.

Microsoft Certificate Authority

Prerequisites

For Net iD Portal to be able to request certificates with all necessary content the following modifications of the Certificate Authority must be made.

MSCAPolicyUpdate.cmd

The Microsoft Certificate Authority service must be configured to automatically create a pending/issue certificate enrollment. Run the command file "MSCAPolicyUpdate.cmd" that is attached with the installation package from SecMaker with administrator rights. The script enables some additional features of the certificate server that enables Net iD Card Portal to configure certificates more dynamically.

Information about the commands included in the script:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTEENDDATE: Set your own validity end date
certutil -setreg policy\EditFlags +EDITF_REQUESTEXTENSIONLIST: Add own extension (SERIALNUMBER)
certutil -setreg policy\EditFlags +EDITF_BASICCONSTRAINTSCRITICAL: Set Basic Constraints to Critical
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2: Build your own upn och smime
certutil -setreg ca\CRLFlags +CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT: Create own values in Subject SERIALNUMBER
certutil -setreg ca\EnforceX500NameLengths 0: No limitations in number of characters for certinfo

CA rights

Normally the service account the Net iD Portal service is running with the following rights are necessary on the Certificate Authority Service:

If the extension SeisCardNumber must be included in the certificates, the following rights are necessary:

MSADCS Certificate Subject Attributes

To issue certificates with special attributes, for example SERIALNUMBER, you need to do the following changes in the registry of the server:

Use the regedit tool and go to the following registry string:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\CertSvc\Configuration\{CA-NAME}].
Choose "Subject Template" and add the special attributes you want to use (that the CA is allowed to use). The attributes have to be entered in OID format.

OID’s for the Subject Attributes:
- Common Name (CN) = 2.5.4.3
- Given Name (G) = 2.5.4.42
- Surname (surname) = 2.5.4.4
- Email (Email) = 1.2.840.113549.1.9.1
- Title (T) = 2.5.4.12
- Distinguished Name (DN) = 2.5.4.49
- Organizational Unit (OU) = 2.5.4.11
- Organization (O) = 1.3.10x
- Country ©: The value of the country attribute is different for each country, examples:
  
  Sweden (SE) = 1.2.752
  
  Norway (NO) = 1.2.578
  
  Finland (FI) = 1.2.246
- SERIALNUMBER (serialNumber) = 2.5.4.5
The MSCA server needs to be restarted after a change has been made for the attributes.

Certificate templates

The Microsoft Certificate Authority service has to be configured with correct certificate templates that Net iD Card Portal will use to enroll certificates to a user’s smart card and/or other certificates.

Creating certificate templates for smart card logon

To create a new smart card login template right click Certificate Templates, and then click Manage.

Make sure that Net iD Enterprise is installed on the computer before modifying the certificate templates.
In the dialogue box with available templates in the domain, right click Smart Card User, and then click Duplicate Template to open the Properties of New Template dialog box.
To create a business certificate template with your own parameters, select Windows Server 2003 Enterprise.

If you use a third party’s CSP that does not rely on Microsoft Base CSP and you have your own minidriver, select "Windows Server 2003 Enterprise".

Net iD can be used both with its own CSP or Microsoft’s CSP and CNG (Cryptography Next Generation) and also for Windows Server 2003 Enterprise and Windows Server 2008 Enterprise.
Click the General tab.
- In the Template display name box, type the template name "Net iD Smartcard User".
- Under Validity period, set the correct time.
  
  Renewal period is only used for auto enrollment, but should not be set to 0. This can cause problems with the certificate templates in other systems.
- Select the Publish in Active Directory check box.
  
  Publish in Active Directory is useful if you would like for an example encrypted mail (the public key is stored in Active Directory). |

On the Cryptography tab, in the Minimum key size box, type the value 2048.

If you want to force the certificate template to only be used with Net iD CSP Check the radio button "Requests must use one of the following providers and select Net iD as CSP.1.

If you allow the user to select CSP during the issuance procedure the officer has to select what CSP that should be used.

2048 key is possible to use with most of the smart cards on the market today, but you should check how the specific smart card your organization will use works. Worth thinking about is that with a longer key the longer time the operations against the smart card will take, which will affect the logon time.

On the Subject name tab, click Supply in the request.
Click the Issuance Requirements tab.
- Select the This number of authorized signatures check box and type 1 in the corresponding text box.
- In the Application policy list, click Certificate Request Agent.
  
  Signatures are used to issue certificates through a management console and to enroll a smart card.
On the Security tab, make sure the Net iD Portal service account has "Read" and "Enroll" right specified.
Make no changes on the Request Handling, Key Attestation, Surpressed Templates, Server, or Extensions tabs.

Superseded templates is normally only used together with auto enrollment, and a template with a superseded template set will automatically be replaced by that specified template.

Use the extensions to specify the certificate’s purpose.
Click OK to close the Properties of New Template dialog box.
To issue the created certificate template, right click Certificate Templates, click New, and then click Certificate template to issue.
Select Net iD Smartcard User.