To connect 3.8 - Nexus PRIME to Active Directory Certificate Services (ADCS), one component needs to be set up - the ADCS Connector - and one component needs to be configured - Nexus PRIME with a CA Proxy configuration. This article describes how to configure both components.
For more information about the components, see 3.8 - About the PRIME ADCS integration.
Set up the ADCS Connector
The ADCS connector is needed for PRIME to issue certificates from an ADCS.
The following prerequisites apply for the ADCS connector:
- Either a Windows 2008 R2 server, Windows 2012 R2 server, or Windows 2016 R2 server that is a member of the domain that the Enterprise CA is running on.
- The IIS role needs to be installed on the server.
- The following IIS features must be installed:
  - WCF Services
  - ISAPI Extensions
  - ISAPI Filters
- At least 1 CPU, 4 GB RAM and 80 GB HD is needed.
- The installation package for the ADCS Connector must be available.
A service account needs to be created in ADCS, for example PRIME_ADCS. This account is needed when the ADCS connector connects to the ADCS, and also when making a certificate request to a certain certificate template.
- Set up a service account according to these requirements:
  - Needs to be a Domain User
  - Needs to be a member of the local group IIS_IUSRS on the IIS Server
  - Needs to have the following access in the ADCS CA, see the picture below:
    - Issue and Manage Certificates
    - Request Certificates
  - Needs to have the following access in the Certificate Templates that PRIME will use, see the picture below
- Export CA certificates: Export all the CA chain certificates to file, either encoded as DER or Base64. For example, export the Root CA, Intermediate, and Issuing CA. These certificates are needed later.
- Issue a web server certificate with server authentication. This is needed since the ADCS Connector must have SSL/TLS enabled.
- Issue a PRIME Virtual Registration Officer (VRO) certificate: This is needed since when PRIME requests a certificate, it authenticates to the connector using a certificate. Set Extended key usage to Server Authentication. If needed, create a certificate template in ADCS for this purpose. In the certificate template, set that the Private Key may be exported.
- Export the PRIME VRO certificate and the key to a .PFX file.
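The prerequisite checks above can be scripted before the connector is installed. The following is an added example, not part of the Nexus documentation: run it in an elevated PowerShell on the intended IIS host. The service account name CORP\PRIME_ADCS, the CA configuration string ca01.corp.example\CORP-Issuing-CA and the export folder C:\Nexus\ca-certs are assumed values; the Server Manager feature names are the ones for .NET 3.5 HTTP activation and the ISAPI components and should be confirmed with Get-WindowsFeature if your build names them differently.

```powershell
# Added example (not from the Nexus documentation): sanity-check the ADCS Connector host and the
# service account before installing the connector. Assumed values, replace with your own:
$ServiceAccount = 'CORP\PRIME_ADCS'                       # assumed service account
$CaConfig       = 'ca01.corp.example\CORP-Issuing-CA'     # assumed <CA host name>\<CA name>
$ExportFolder   = 'C:\Nexus\ca-certs'                     # assumed folder for the exported CA chain

# 1. IIS role plus the features the connector depends on (WCF HTTP activation, ISAPI extensions/filters).
Import-Module ServerManager
$required = 'Web-Server', 'Web-ISAPI-Ext', 'Web-ISAPI-Filter', 'NET-HTTP-Activation'
Get-WindowsFeature -Name $required |
    Select-Object Name, DisplayName, Installed |
    Format-Table -AutoSize

# 2. The host must be a member of the domain the Enterprise CA runs in.
$cs = Get-WmiObject Win32_ComputerSystem
'Host {0}: domain={1}, PartOfDomain={2}' -f $cs.Name, $cs.Domain, $cs.PartOfDomain

# 3. The service account must be in the local IIS_IUSRS group.
#    'net localgroup' is used because it works on all Windows versions listed in the prerequisites.
$inGroup = net localgroup IIS_IUSRS | Where-Object { $_.Trim() -ieq $ServiceAccount }
if ($inGroup) {
    "$ServiceAccount is a member of IIS_IUSRS"
} else {
    Write-Warning "$ServiceAccount is NOT a member of IIS_IUSRS"
}

# 4. Reach the CA and list the templates it publishes. The templates PRIME will use must be among them,
#    and the service account needs Request Certificates / Issue and Manage Certificates on the CA.
certutil -config $CaConfig -ping
certutil -config $CaConfig -CATemplates

# 5. Export the issuing CA certificate and, for a multi-tier PKI, the whole chain (PKCS#7) for the
#    Server Certificate / trust configuration on the PRIME side.
New-Item -ItemType Directory -Path $ExportFolder -Force | Out-Null
certutil -config $CaConfig -ca.cert  (Join-Path $ExportFolder 'issuing-ca.cer')
certutil -config $CaConfig -ca.chain (Join-Path $ExportFolder 'ca-chain.p7b')
```

If step 1 reports a feature as not installed, add it with Install-WindowsFeature (Add-WindowsFeature on Windows 2008 R2) before continuing; a failing certutil -ping usually means the host is not in the CA's domain or the CA name in $CaConfig is wrong.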
On the PRIME server, set up access to the ADCS connector SSL/TLS port, by default
ADCS Connector (IIS)
To install the Internet Information Services (IIS):
- Unzip the Installation package for the ADCS Connector, for example in C:\Nexus\connector_adcs.
- Create a folder temp in the installation folder of the ADCS connector.
- Copy the PRIME VRO Officer certificate (not the key) into the folder cert.
Open the file Web.config and edit the following part:
To configure the IIS:
- Create a new site called ADCS Connector and point the root to the folder where you unzipped the connector, for example C:\Nexus\connector_adcs.
- Edit the binding of the site and add the HTTPS port 444 and select the corresponding SSL/TLS certificate. If it is not listed, you may have to import the certificate to the computer certificate store.
- Select the site and select SSL Settings. Enable Require SSL, select Require, and click Apply.
- Go to Application Pools, select the ADCS Connector application pool, and click on Advanced settings in the right pane.
- Change .NET Framework version to 2.0.
- Change Identity to the service account that you have created.
- Click OK.
- Restart the IIS service.
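The same IIS configuration can be applied with the WebAdministration module instead of the IIS Manager. The following is an added example and not part of the Nexus documentation: it assumes the connector was unzipped to C:\Nexus\connector_adcs, the application pool and site are both called ADCS Connector, the service account is CORP\PRIME_ADCS, and the web server certificate is already in the computer certificate store (its thumbprint is a placeholder you must fill in).

```powershell
# Added example (not from the Nexus documentation): script the IIS steps for the ADCS Connector site.
# Requires the WebAdministration module (Windows 2008 R2 with IIS PowerShell snap-in or later).
Import-Module WebAdministration

$SiteName   = 'ADCS Connector'
$PoolName   = 'ADCS Connector'
$SitePath   = 'C:\Nexus\connector_adcs'            # assumed unzip folder
$HttpsPort  = 444
$Thumbprint = '<THUMBPRINT-OF-WEB-SERVER-CERT>'    # placeholder: thumbprint from Cert:\LocalMachine\My
$Account    = 'CORP\PRIME_ADCS'                    # assumed service account
$Cred       = Get-Credential -UserName $Account -Message 'Password of the ADCS Connector service account'

# Application pool: .NET Framework 2.0 runtime, running under the service account (not ApplicationPoolIdentity).
if (-not (Test-Path "IIS:\AppPools\$PoolName")) { New-WebAppPool -Name $PoolName | Out-Null }
Set-ItemProperty "IIS:\AppPools\$PoolName" -Name managedRuntimeVersion -Value 'v2.0'
Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $Account
    password     = $Cred.GetNetworkCredential().Password
}

# Site with a single HTTPS binding on port 444 and no plain HTTP listener.
if (-not (Test-Path "IIS:\Sites\$SiteName")) {
    New-Website -Name $SiteName -PhysicalPath $SitePath -ApplicationPool $PoolName `
                -Port $HttpsPort -Ssl | Out-Null
}

# Attach the web server certificate to the HTTPS binding.
$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
if (Test-Path "IIS:\SslBindings\0.0.0.0!$HttpsPort") { Remove-Item "IIS:\SslBindings\0.0.0.0!$HttpsPort" }
$cert | New-Item "IIS:\SslBindings\0.0.0.0!$HttpsPort" | Out-Null

# SSL Settings: Require SSL and require a client certificate, so only a caller presenting the
# PRIME VRO certificate reaches MSCAConnectorImpl.svc.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl,SslRequireCert'

Restart-Service W3SVC
```

The sslFlags value Ssl,SslRequireCert is the command-line equivalent of enabling Require SSL and setting client certificates to Require in the SSL Settings dialog.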
To test the ADCS connector:
- Import the PRIME VRO Officer certificate in the personal truststore in Windows.
- Open a browser and browse to https://<yourhost>:444/MSCAConnectorImpl.svc.
- Authenticate with the certificate.
- You should see this page:
Set up the ADCS CA Connector in PRIME
To configure the PKI web service interface used for the chip encoding module:
- Log in to PRIME Designer as an administration user.
- Go to Home > Certification Authorities (CA).
- Click +New to create a new certificate authority for ADCS.
Do the following updates:
- Select Connection type 'CA proxy'.
- In CA Host, enter the machine name, followed by a backslash and the CA name, in this form: <CA host name>\<CA name>.
- Set Webservice URL to the hostname or IP of the server hosting the MSCA Connector IIS application.
- Enter Signing password and Recovery password.
- In Client Certificate, select the SSL client certificate (in .pfx or .p12 format) used for the 2-way authentication on the Webservice URL. It must match the client certificate configured on the IIS side.
- In Server Certificate, select the .cer file of the SSL IIS server certificate, which is used under the Webservice URL. It is used to validate the connection.
It is highly recommended to configure the Webservice URL as an https connection with client authentication.
Make sure that the setup is correct. If any of the following parameters are not correct, the card production will fail because the connection to the web service will be rejected:
- The hostname in the URL must match the Common Name in the SSL server certificate.
- The certificates must be valid and not revoked.
- The CRLs must be available for verification.
- CA and ADCS CA connector must be either in the same machine or the same domain.
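The first three conditions can be checked from the PRIME server before a card run instead of discovering them as a rejected connection. The following is an added example, not part of the Nexus documentation: it loads the exported IIS server certificate (assumed path C:\Nexus\adcs-connector-server.cer) and compares it against the hostname used in the Webservice URL (assumed adcs-connector.corp.example), then builds the chain with online revocation checking so that CRL reachability from this machine is exercised as well.

```powershell
# Added example (not from the Nexus documentation): pre-flight check of the server certificate
# PRIME will see on the Webservice URL. Assumed inputs, replace with your own:
$CerPath  = 'C:\Nexus\adcs-connector-server.cer'   # assumed: .cer exported from the IIS server certificate
$HostName = 'adcs-connector.corp.example'          # assumed: host part of the Webservice URL

Add-Type -AssemblyName System.Security
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

# 1. Hostname in the URL must match the Common Name (a DNS entry in the Subject Alternative Name
#    extension is accepted as well, which is what current TLS clients actually compare against).
$cn  = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }
$nameOk = ($cn -ieq $HostName) -or
          (($san -join ',') -match ('DNS Name=' + [regex]::Escape($HostName) + '(,|$)'))

# 2. Certificate must be inside its validity period.
$now    = Get-Date
$timeOk = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)

# 3. Chain must build to a trusted root and no certificate in it may be revoked. RevocationMode Online
#    forces a CRL (or OCSP) fetch, so an unreachable CRL distribution point shows up here, not at card production.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chainOk = $chain.Build($cert)
$errors  = ($chain.ChainStatus | ForEach-Object { $_.Status.ToString() + ': ' + $_.StatusInformation.Trim() }) -join '; '

# 4. Show where the CRLs are fetched from, so the URLs can be verified against firewall rules from the PRIME server.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' } | ForEach-Object { $_.Format($true) }

[pscustomobject]@{
    Subject            = $cert.Subject
    HostnameMatches    = $nameOk
    WithinValidity     = $timeOk
    ChainAndRevocation = $chainOk
    ChainErrors        = $errors
    CrlDistribution    = $cdp
}
```

All of HostnameMatches, WithinValidity and ChainAndRevocation should be True; a ChainErrors entry such as RevocationStatusUnknown or OfflineRevocation points at a CRL that the PRIME server cannot download.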
Each PKI provides predefined certificate types. In Microsoft ADCS, they are called Certificate Templates.
To import the certificate types:
- Go to Details.
- Click to display the certificate types in ADCS.
- Click Apply to import the certificate types.
The imported certificate types are now listed in Certificate Types.
When you create a certificate template in PRIME Designer, the imported certificate types are available to choose from.
This article is valid from Nexus PRIME 3.7.