Installation and configuration
To install and configure the services that are required by Net iD Portal, install and configure the services in the following sequence:
Install and configure the web service
Server role
- Start Server Manager on the Windows Server.
- Start the Add Roles and Features wizard.
- Add the Web Server (IIS) role.
- Add the Application Server role including the sub roles:
  - .NET Framework 4.5
  - COM+ Network Access
  - Web Server (IIS) Support
- Close the Server Manager and restart the server.
NiP API
- Extract the NiP API files from the WebServiceApplication package (delivered by SecMaker AB) to a directory path of your choice on the local server, for example C:\Program Files\Net iD Portal\WebServiceApplication.
- Start the Internet Information Services (IIS) Manager.
- Add a new application pool with a name of your choice. Set the .NET CLR version to 4.0.30319 and the Managed pipeline mode to Integrated.
- Open Advanced Settings of the created application pool. Set the Application Pool Identity either to ApplicationPoolIdentity as "Built-in account" or to a custom account that has already been configured as a service account in the environment. The service account is the physical account that needs to access the other necessary services of the environment (i.e. the database and the certificate service).
- Create a new virtual directory or web site, and set the physical path to the extracted NiP API path. Choose the application pool and set an alias of your choice.
- Test the NiP API by browsing to and downloading the WSDL file (i.e. http://server/api/servicesoap.svc?singlewsdl).
- If using NiP API with SSL, open the web.config file and modify the bindings from:
  <security mode="None"></security>
  to:
  <security mode="Transport">
    <transport clientCredentialType="None"></transport>
  </security>
NiP GUI
- Extract the NiP GUI files from the package to a directory path of your choice on the local server, for example C:\Program Files\Net iD Portal\GUI.
- Open the config.js file and set backendUrl to the created service, for example http://server/api/servicesoap.svc.
- Start the Internet Information Services (IIS) Manager.
- Create a new virtual directory or web site, and set the physical path to the extracted NiP GUI path. Choose the application pool and set an alias of your choice.
- Test the NiP GUI by browsing to the URL (i.e. http://server/gui/index.html).
Install and configure the database service
Microsoft SQL Server
- Start the setup wizard.
- Add the feature Database Engine Services.
- Add the feature Management Tools – Basic.
- Set an Instance name of your choice.
- Set the Collation mode to SQL_Latin1_General_CP1_CI_AS (Windows-1252 or CP-1252 are the character encodings).
- Set the Authentication Mode to use Windows Authentication only. The database needs the service account that will also be used by the application pool described above.
Install and configure the certificate service
Microsoft Certificate Authority (MSCA)
- Start Server Manager on the Windows Server.
- Start the Add Roles and Features wizard.
- Add the Active Directory Certificate Services role including the sub role Certification Authority.
The MSCA can be configured in different ways depending on purpose. The two main instance types for MSCA are:
- Stand Alone CA: The Stand Alone CA makes no external or extra calls when generating the end entity certificate. The Stand Alone CA only applies the CA signature to the certificate request and issues the certificate. All information to be included in the end entity certificate needs to be included in the certificate request.
- Enterprise CA: The Enterprise CA is the most common usage type for MSCA. The Enterprise CA has several certificate templates for generating end entity certificates more dynamically, especially when issuing certificates to different kinds of users and computers.
NiP API supports both Stand Alone CA and Enterprise CA, and also supports extensible enroll modes for both instance types:
- Stamp: NiP API creates the certificate request in PKCS#10 format containing all information about the certificate and sends the request to the CA. The CA only applies the CA signature in the issuance process (stamp). This scenario is very useful when issuing computer certificates.
- Modifier: NiP API creates a certificate request in PKCS#10 format that only contains information about the end entity. The request is sent to the CA, and NiP API modifies the rest of the certificate extension content for the certificate that will be issued by the CA. This scenario is very useful when issuing certificates across domains and services.
- Microsoft Enrollment Agent (Microsoft Enterprise CA only): NiP API creates the certificate request containing information about the end entity and an enrollment agent in CMC format and sends it to the CA. The CA looks up the end entity object in Microsoft Active Directory and issues the certificate to that object.
MSCA policy modifications
In some cases and scenarios, modifications must be made to the MSCA that override the default settings. These modifications can be done with "certutil.exe" ("Certificate Utility") on the Microsoft Windows platform. The MSCA service must be restarted after policies or settings have been changed. The most common policy and setting changes are:
RequestDisposition
This command changes the request handling policy of the MSCA.
- Flags: REQDISP_ISSUE = 1, REQDISP_PENDINGFIRST = 256
- Command: certutil -setreg policy\RequestDisposition %FLAGS%
EnableRequestExtensionList
This command allows customized extensions in the issued certificate (i.e. certutil -setreg policy\EnableRequestExtensionList +1.3.6.1.5.5.7.1.3 sets the "Qualified Certificate" extension to be allowed in the request).
- Flags: +%OID% (add extension) or -%OID% (remove extension)
- Command: certutil -setreg policy\EnableRequestExtensionList +%OID%
RequestExtensionList
This command allows customized extensions to be added to the issued certificate.
- Flags: +EDITF_REQUESTEXTENSIONLIST (add flag) or -EDITF_REQUESTEXTENSIONLIST (remove flag)
- Command: certutil -setreg policy\EditFlags +EDITF_REQUESTEXTENSIONLIST
AttributeEndDate
This command allows the validity period of the issued certificate to be customized within the time span of the certificate template; otherwise the validity of the issued certificate is always the validity specified in the certificate template (Enterprise CA only).
- Flags: +EDITF_ATTRIBUTEENDDATE (add flag) or -EDITF_ATTRIBUTEENDDATE (remove flag)
- Command: certutil -setreg policy\EditFlags +EDITF_ATTRIBUTEENDDATE
BasicConstraintsCritical
This command sets the basic constraints extension as critical in the issued certificate.
- Flags: +EDITF_BASICCONSTRAINTSCRITICAL (add flag) or -EDITF_BASICCONSTRAINTSCRITICAL (remove flag)
- Command: certutil -setreg policy\EditFlags +EDITF_BASICCONSTRAINTSCRITICAL
AttributeSubjectAltName2
This command allows NiP API to set the SubjectAlternativeName extension of the issued certificate. Note that with this flag enabled the CA accepts a SubjectAlternativeName supplied in the request attributes from any requester that is permitted to enroll, so restrict the enroll permissions on the CA and its templates accordingly.
- Flags: +EDITF_ATTRIBUTESUBJECTALTNAME2 (add flag) or -EDITF_ATTRIBUTESUBJECTALTNAME2 (remove flag)
- Command: certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
AllowRequestAttributeSubject
This command allows customized subject names (or OIDs) in the subject of the issued certificate.
- Flags: +CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT (add flag) or -CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT (remove flag)
- Command: certutil -setreg ca\CRLFlags +CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT
SubjectTemplate
This command allows customized subject name attributes in the subject of the issued certificate (for example, certutil -setreg ca\SubjectTemplate +2.5.4.5 sets the "SerialNumber" attribute to be allowed in the subject).
- Flags: +%OID% (add subject name attribute) or -%OID% (remove subject name attribute)
- Command: certutil -setreg ca\SubjectTemplate +%OID%
RebuildModifiedSubjectOnly
This command allows any custom OID in the subject of the issued certificate, so there is no need to modify the "SubjectTemplate" described above. Note that this only works when the enrollment mode is set to "Stamp", which means that all customized OIDs must be set in the certificate request. It will not work in "Modifier" enrollment mode.
- Flags: +CRLF_REBUILD_MODIFIED_SUBJECT_ONLY (add flag) or -CRLF_REBUILD_MODIFIED_SUBJECT_ONLY (remove flag)
- Command: certutil -setreg ca\CRLFlags +CRLF_REBUILD_MODIFIED_SUBJECT_ONLY
EnforceX500NameLengths
This command allows values in the subject name attributes to be longer than 64 characters (the default limit).
- Flags: 1 (enforce the limit) or 0 (do not enforce the limit)
- Command: certutil -setreg ca\EnforceX500NameLengths 0
ValidityPeriod
This command sets the unit of the maximum validity period of the issued certificate (i.e. certutil -setreg ca\ValidityPeriod Years sets the maximum validity period to be counted in years).
Note that this is only useful when using "Stand Alone CA" with enrollment mode "Modifier".
This command has no effect on "Enterprise CA" because the current certificate template overrides the maximum validity period.
- Flags: %PERIODSTRING% (Years, Months, Hours, Minutes, Seconds)
- Command: certutil -setreg ca\ValidityPeriod %PERIODSTRING%
ValidityPeriodUnits
This command sets the maximum validity period units of the issued certificate (i.e. certutil -setreg ca\ValidityPeriodUnits 2 sets the maximum validity period units to "2", i.e. 2 years if used together with the "ValidityPeriod" example above).
Note that this is only useful when using "Stand Alone CA" with enrollment mode "Modifier".
This command has no effect on "Enterprise CA" because the current certificate template overrides the maximum validity period.
Note that the maximum period units cannot override the validity of the CA itself.
- Flags: %PERIODINTEGER%
- Command: certutil -setreg ca\ValidityPeriodUnits %PERIODINTEGER%
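The policy changes above, applied and read back in one pass before the required CA service restart; this is an added example, not SecMaker's code. It assumes an elevated PowerShell session on the CA host; the parameter names and the verification approach (matching the symbolic flag names that certutil -getreg prints for a decoded DWORD) are this example's own assumptions.

```powershell
# Added example (not SecMaker's code): apply certutil policy changes listed on this page
# to the local MSCA, verify each one by reading it back, then restart CertSvc.
# Assumptions: elevated PowerShell on the CA host; parameter names are this example's own.
# Defaults are the Modifier enrollment mode values from this page:
# REQDISP_ISSUE + REQDISP_PENDINGFIRST (1 + 256 = 257) and EDITF_REQUESTEXTENSIONLIST.
param(
    [int]$RequestDisposition = 257,
    [string[]]$EditFlags = @('+EDITF_REQUESTEXTENSIONLIST'),
    [string[]]$CrlFlags = @()
)

function Invoke-CertUtil {
    # Runs certutil.exe and fails loudly; certutil exits non-zero on a bad key or value.
    param([string[]]$CertUtilArgs)
    $out = & certutil.exe @CertUtilArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil $($CertUtilArgs -join ' ') failed:`n$out" }
    return ($out -join "`n")
}

function Set-AndVerifyFlag {
    # Applies one +FLAG / -FLAG change and confirms it against the certutil -getreg output,
    # which (assumption) lists the symbolic names of the bits currently set.
    param([string]$Key, [string]$Flag)
    Invoke-CertUtil @('-setreg', $Key, $Flag) | Out-Null
    $name    = $Flag.Substring(1)
    $isSet   = (Invoke-CertUtil @('-getreg', $Key)) -match [regex]::Escape($name)
    $wantSet = $Flag.StartsWith('+')
    if ($isSet -ne $wantSet) { throw "$Key $Flag did not take effect" }
}

if ($EditFlags -contains '+EDITF_ATTRIBUTESUBJECTALTNAME2') {
    # With this bit set the CA honours a SAN supplied in request attributes by any requester
    # permitted to enroll, so enrollment permissions must stay tightly scoped.
    Write-Warning 'Enabling EDITF_ATTRIBUTESUBJECTALTNAME2: review CA and template enroll permissions.'
}

Invoke-CertUtil @('-setreg', 'policy\RequestDisposition', "$RequestDisposition") | Out-Null
foreach ($flag in $EditFlags) { Set-AndVerifyFlag -Key 'policy\EditFlags' -Flag $flag }
foreach ($flag in $CrlFlags)  { Set-AndVerifyFlag -Key 'ca\CRLFlags'       -Flag $flag }

# Show the resulting disposition so the operator can compare it with the setup scenarios.
Invoke-CertUtil @('-getreg', 'policy\RequestDisposition')

# As the page notes, policy changes are only picked up after the CA service restarts.
Restart-Service -Name CertSvc
Get-Service -Name CertSvc | Select-Object -Property Name, Status
```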
Setup MSCA as a Stand Alone CA and enrollment mode as Stamp:
- Set the CA instance as stand-alone root CA or subordinate CA.
- Set the CSP as RSA Microsoft Key Storage Provider (or ECDSA Microsoft Key Storage Provider if using ECC).
- Run the Certificate Utility command: certutil -setreg policy\RequestDisposition 1
  The CA will now automatically issue the certificate.
Setup MSCA as a Stand Alone CA and enrollment mode as Modifier:
- Set the CA instance as stand-alone root CA or subordinate CA.
- Set the CSP as RSA Microsoft Key Storage Provider (or ECDSA Microsoft Key Storage Provider if using ECC).
- Run the Certificate Utility command: certutil -setreg policy\RequestDisposition 257
  The CA will now set the request as pending before issuing the certificate.
Setup MSCA as an Enterprise CA and enrollment mode as Modifier:
- Set the CA instance as Enterprise root CA or subordinate CA.
- Set the CSP as RSA Microsoft Key Storage Provider (or ECDSA Microsoft Key Storage Provider if using ECC).
- Run the Certificate Utility command: certutil -setreg policy\RequestDisposition 257
  The CA will now set the request as pending before issuing the certificate.
- Open the Certificate Authority snap-in module.
- Right-click Certificate Templates and choose Manage.
- Right-click the User template and choose the Compatibility Settings for the current environment.
- Set a Template Display Name and Template Name of your choice in the General tab. Make sure that the Publish in Active Directory property is disabled.
- Set the Purpose on the Request Handling tab. Disable the Allow private key to be exported property.
- Set the CSP and KeyLength on the Cryptography tab.
- Set CA certificate manager approval on the Issuance Requirements tab.
- Set Supply in the request on the Subject Name tab.
- Click OK.
- Right-click Certificate Templates and choose .
- Choose the template that has just been created.
- Close the snap-in module and restart the MSCA service.
Setup MSCA as an Enterprise CA and enrollment mode as EnrollmentAgent:
- Set the CA instance as Enterprise root CA or subordinate CA.
- Set the CSP as RSA Microsoft Key Storage Provider (or ECDSA Microsoft Key Storage Provider if using ECC).
- Open the Certificate Authority snap-in module.
- Right-click Certificate Templates and choose Manage.
- Open the Enrollment Agent (Computer) certificate template and open the Security tab.
- Add the server of the NiP API (i.e. webserver$) and set Read and Enroll as permissions for this account.
- Click OK.
- Right-click Certificate Templates and choose .
- Choose the template Enrollment Agent (Computer).
- Open the Certificate snap-in module on the server of the NiP API.
- Open the Personal folder and right-click .
- Issue a certificate from the template Enrollment Agent (Computer).
- Set the Security Permissions of the certificate (i.e. Computers and/or UserGroups).
Enterprise Java Beans Certificate Authority (EJBCA):
Please read the documentation on www.ejbca.org or contact PrimeKey for a professional installation of EJBCA.
- Install EJBCA.
- Set up the Certificate Authority.
- Create an administrator user that will be used as a web service user (i.e. ws-user) with the correct privileges.
- Create a PKCS#12 file for the web service user and install the content of the PKCS#12 file on the current web server.
- Set the permission rights of the private key so that it is accessible by the NiP API service account.
- Set the web service user status to Generated to ensure that no additional certificates can be enrolled by mistake for this account.
- Test the EJBCA web service by browsing to and downloading the WSDL file (i.e. https://ejbca:8443/ejbca/ejbcaws/ejbcaws?wsdl).
For more information on how to set up EJBCA, please read the documentation at www.ejbca.org.