
Lab 4: Enabling Enrollment Configurations


Enabling Enrollment Lab Activity

Welcome to Lab 4.  In this lab we are going to configure the elements within Keyfactor that support enrolling for a certificate.  We will review our CA configuration to ensure a CA is enabled for enrollment, verify that we have appropriate permissions and templates available, and gather additional information by configuring a metadata field.  Finally, we'll enroll for a new certificate.  Let's get started.

CA and Template Configuration

Enable PFX Enrollment on CA

Enrollment begins by ensuring the CA is enabled for the issuance process.  This configuration lets an organization control which CAs issue certificates as part of its enrollment flow(s).  By default, a CA synchronized into Keyfactor is not part of the issuance flow; this configuration adds it.

  1. Navigate to Locations > Certificate Authorities.

  2. Double click the KFTRAIN-LAB-CA entry in the list.

  3. Go to the Advanced tab and turn on the checkbox to Enable PFX Enrollment.

  4. Check the box under Private Key Retention and select Indefinite.

    • This setting will be used later when we need to deploy a private key to a certificate store.

  5. Click Test and Save.

Enable PFX Enrollment on Template

After enabling the CA, we also need to enable the template (or profile).  The template describes how the certificate being signed should look: it controls key size, validity period, approval requirements, and purpose (key usage).  Note that templates as described here are specific to Microsoft CAs.  Other CAs (EJBCA, public CAs, etc.) may control these attributes differently.

  1. Navigate to Locations > Certificate Templates.

  2. Double click the 2YearWebServer entry in the list.

    • If your template list is empty, click the Import Templates button in the ribbon menu.

  3. Check the PFX Enrollment box in the Allowed Enrollment Types section of the Edit dialog.

  4. Check the box under Private Key Retention and select Indefinite.

    • This setting will be used later when we need to deploy a private key to a certificate store.

  5. Click Save.

Metadata Configuration

Metadata allows an organization to gather additional details from the user submitting the request.  Metadata fields are defined system-wide for all templates, and their settings can then be overridden at the template level for more granular control.  In this activity we are going to create a metadata field that captures the environment in which the certificate will be used.

  1. Navigate to the Gear Icon > Certificate Metadata.

  2. Click the Add button in the ribbon menu.

  3. Configure the new metadata field with the following values:

Configuration               Value
-------------------------   --------------------------------------------
Name                        Environment
Description                 The operating environment of the certificate
Hint                        Production, Test, Development, Sandbox
Enrollment Options          Hidden
Data Type                   Multiple Choice
Default Value               Leave blank
Multiple Choice Options     Production, Test, Development, Sandbox

  4. Click Save.

At this point we've created a hidden, system-wide metadata field.  A hidden field is not shown on the enrollment form, so on its own it captures nothing.  Next we go to our template and override the field's settings so that it is visible, and required, for that template.

  1. Navigate to Locations > Certificate Templates.

  2. Click the 2YearWebServer template in the list.

  3. Click the Metadata tab.

  4. Select the Environment metadata field we created.

  5. Click the Edit button in the ribbon menu.

  6. Select the Override system-wide settings option.

  7. Choose Required under the Enrollment Options.

  8. Leave default value Blank.

  9. Click Save.

  10. Click Save again.

Enroll for a Certificate

Now that we've enabled enrollment, we need to verify that we are able to issue certificates from the portal.  We'll use our PFX enrollment form to verify our configuration.

  1. Navigate to Enrollment > PFX Enrollment.

  2. In the Certificate Authority Information section:

    1. Select the 2YearWebServer template from the Template drop down.

    2. Verify that dc-sql-ca.KFTRAIN.LAB\KFTRAIN-LAB-CA is selected in the CA drop down.

  3. In the Certificate Subject Information section, fill in the Common Name with a subject value of your choice.

  4. In the Certificate Metadata section, select the Environment of your choice from the Metadata drop down.

  5. Under the Certificate Delivery Format section, ensure that the selected format is PFX.

  6. Click Enroll.

Note: If you receive an error about the CRL being unavailable, the automated publishing of the CRL has most likely failed.  To publish the CRL manually, run the following command in a new command window as an account that has Manage CA rights on the CA:

CODE
certutil -crl -config "dc-sql-ca.kftrain.lab\KFTRAIN-LAB-CA"
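The command above republishes the CRL unconditionally. As an added example (not part of the lab), the PowerShell below first retrieves the CA's current base CRL, reads its NextUpdate time, and republishes only if the CRL has actually expired. It assumes the lab CA configuration string from the note, that certutil.exe is on the PATH, and that the account has Manage CA rights (which certutil -crl requires).

```powershell
# Added example, not from the lab: check the CA's base CRL and republish only if it has expired.
# Assumptions: the CA config string below (from the note above), certutil.exe on PATH,
# and an account holding Manage CA rights on KFTRAIN-LAB-CA.
$CaConfig = 'dc-sql-ca.kftrain.lab\KFTRAIN-LAB-CA'
$CrlFile  = Join-Path $env:TEMP 'KFTRAIN-LAB-CA.crl'

# Fetch the CA's current base CRL directly from the CA service (not from a CDP location).
certutil -config $CaConfig -getcrl $CrlFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil could not retrieve the CRL from $CaConfig" }

# certutil -dump renders the CRL as text; read the NextUpdate timestamp out of it.
$nextUpdate = $null
foreach ($line in (certutil -dump $CrlFile)) {
    if ($line -match '^\s*NextUpdate:\s*(.+?)\s*$') {
        $nextUpdate = [datetime]::Parse($Matches[1])
        break
    }
}
if (-not $nextUpdate) { throw "No NextUpdate field found in $CrlFile" }

if ($nextUpdate -lt (Get-Date)) {
    Write-Warning "Base CRL expired at $nextUpdate; publishing a new one."
    certutil -config $CaConfig -crl | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'certutil -crl failed; confirm the account has Manage CA rights.' }
    "New base CRL published; retry the enrollment."
} else {
    "The CA's base CRL is current until $nextUpdate. If enrollment still fails, check the copy published at the CDP."
}
```

The NextUpdate value is parsed with the current culture, because certutil prints it in the local date format. A current CRL on the CA does not guarantee the copy at the CDP (LDAP or HTTP) is current, which is why the script says so rather than declaring the problem solved.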

The PFX request will be forwarded to the selected CA and signed.  A PFX will be generated with a random password.  Make note of this password as it will be required to install the certificate. Open the downloaded file and install the certificate into the Personal store.
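Installing the PFX only proves that it opens with the password. As an added example (not part of the lab), the PowerShell below loads the downloaded PFX and checks the properties the 2YearWebServer template controls: the bundled private key, the RSA key size, the validity period, the Server Authentication EKU, and the Microsoft certificate-template extension. The file path is an assumption; substitute the file Keyfactor downloaded and enter the generated password when prompted.

```powershell
# Added example, not from the lab: verify the issued PFX reflects the 2YearWebServer template.
# Assumption: $PfxPath points at the file Keyfactor downloaded; the password is the one shown at enrollment.
$PfxPath     = 'C:\Users\student\Downloads\certificate.pfx'   # assumed location
$PfxPassword = Read-Host -Prompt 'PFX password from the enrollment page' -AsSecureString

$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
$cert  = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                    -ArgumentList $PfxPath, $PfxPassword, $flags

# Enhanced Key Usage: a web server template must carry Server Authentication (1.3.6.1.5.5.7.3.1).
$ekuExt  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekuOids = @()
if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

# Microsoft CAs record the template in 1.3.6.1.4.1.311.21.7 (v2+ templates) or 1.3.6.1.4.1.311.20.2 (v1 templates);
# Format() decodes either into text that includes the template name.
$tplText = ($cert.Extensions |
    Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' } |
    ForEach-Object { $_.Format($false) }) -join ' '

$rsa          = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
$validityDays = ($cert.NotAfter - $cert.NotBefore).TotalDays

$checks = [ordered]@{
    'Private key bundled in the PFX'          = $cert.HasPrivateKey
    'RSA key of at least 2048 bits'           = ($null -ne $rsa -and $rsa.KeySize -ge 2048)
    'Validity close to two years'             = ($validityDays -ge 700 -and $validityDays -le 740)
    'Server Authentication EKU present'       = ($ekuOids -contains '1.3.6.1.5.5.7.3.1')
    'Issued from the 2YearWebServer template' = ($tplText -match '2YearWebServer')
    'Issued by KFTRAIN-LAB-CA'                = ($cert.Issuer -like '*KFTRAIN-LAB-CA*')
}

foreach ($c in $checks.GetEnumerator()) {
    '{0,-42} {1}' -f $c.Key, $(if ($c.Value) { 'PASS' } else { 'FAIL' })
}
if ($checks.Values -contains $false) { throw 'The issued certificate does not match the 2YearWebServer template.' }
```

Two of the checks are deliberately loose. The validity window allows for the CA truncating the lifetime to its own certificate's expiry, and the template check matches on the decoded extension text, which can differ from the Keyfactor display name if the template's internal name is different or the template OID cannot be resolved from the machine running the script.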

Q: Why is our template list limited to only the 2YearWebServer template?

A: There are three things checked when populating the available templates:

  • Is the template enabled for enrollment?

  • Is the template available to be issued from a CA?

  • Does the user have appropriate permissions to request a certificate?

If those things are true, the template will be shown for enrollment.


Bonus Lab: Can you enable CSR enrollment on the web server template and submit the CSR below for enrollment?

CODE
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----