
Lab 5: Microsoft CA Permissions and Approvals


Microsoft CA Lab Activity

Certificate Workflows

Keyfactor version 10 and beyond ship with a workflow engine that allows for customization to fulfill countless use cases. We are not covering that workflow configuration in this course; it is addressed in a separate course that can be found within Keyfactor University.

CA Permissions

Before we begin with the Keyfactor example, let's review the permissions that have been configured on the CA in our lab environment.

  1. Open the Lab Console located on the Windows Desktop.

  2. Navigate to Certification Authority (dc-sql-ca) and expand the list.

  3. Right Click on the KFTRAIN-LAB-CA CA in the Certification Authority list.

  4. Select Properties.

  5. Click the Security tab.

This tab lists the Active Directory accounts that have access to our CA. You can see that our service account group (Keyfactor Issuing CA Delegates Group) has been granted Read access, as required for synchronization. Our kftrain\Administrator user is a member of the Domain Administrators group and has the Issue and Manage Certificates permission, which gives the Administrator account the ability to approve requests. Additionally, we've created an enroll only user that has only the Enroll permission. Now let's take a look at our template permissions.

  1. Select the Certificate Templates folder in the Lab Console.

  2. Double Click the 2YearWebServer template.

  3. Click the Security tab.

Here we can see the Active Directory accounts that have access to request certificates for this template. Our enroll only user has the Enroll permission. With these permissions in place, our lab is ready to execute approvals. However, we need a template that requires at least one approval. Let's create that and assign it to our CA.

  1. Click Cancel on the 2YearWebServer Properties window (if still open).

  2. Right Click on the 2YearWebServer template.

  3. Select Duplicate Template.

  4. Click on the General tab and enter a Display Name.

  5. Click on the Request Handling tab and ensure "Allow private key to be exported" is selected.

  6. Click on the Issuance Requirements tab and select "CA certificate manager approval".

  7. Click OK.

Since we've duplicated a template, the permissions from the 2YearWebServer template are automatically applied to the new template. With the new template requiring approval created, we need to assign it to our CA for issuance.

  1. Close the Certificate Templates Console window to return to the Certification Authority screen.

  2. Right Click on the Certificate Templates folder.

  3. Navigate to New > Certificate Template to Issue.

  4. Find the template you created in the previous step.

  5. Click OK.
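The two settings we just made in the GUI (CA certificate manager approval, exportable private key) and the publication to the CA are all stored in Active Directory, so they can be verified without clicking through the consoles. The following PowerShell script is an added check that is not part of the lab or of Keyfactor; it assumes a domain-joined host with read access to the Configuration partition, and the template display name `ApprovalWebServer` is a hypothetical value you should replace with the name you entered.

```powershell
# Added verification script (not from the lab): confirm that a duplicated template
# requires CA manager approval, allows private key export, and is published on the CA.
param(
    [string]$TemplateName = 'ApprovalWebServer',   # hypothetical, use your Display Name
    [string]$CaName       = 'KFTRAIN-LAB-CA'       # CA name from the lab
)

# Bit values from MS-CRTD (certificate template structure)
$CT_FLAG_PEND_ALL_REQUESTS = 0x00000002   # msPKI-Enrollment-Flag: "CA certificate manager approval"
$CT_FLAG_EXPORTABLE_KEY    = 0x00000010   # msPKI-Private-Key-Flag: "Allow private key to be exported"

# Templates and enrollment services live in the Configuration naming context
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = [string]$rootDse.configurationNamingContext
$tmplPath = "LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Look the template up by its display name (the name typed on the General tab)
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$tmplPath)
$searcher.Filter = "(&(objectClass=pKICertificateTemplate)(displayName=$TemplateName))"
[void]$searcher.PropertiesToLoad.AddRange(@('cn', 'msPKI-Enrollment-Flag', 'msPKI-Private-Key-Flag'))
$result = $searcher.FindOne()
if (-not $result) { throw "Template '$TemplateName' not found in AD" }

$cn        = [string]$result.Properties['cn'][0]
$enrollFlg = [int]$result.Properties['mspki-enrollment-flag'][0]
$keyFlg    = [int]$result.Properties['mspki-private-key-flag'][0]

# "CA certificate manager approval" sets PEND_ALL_REQUESTS; the export checkbox sets EXPORTABLE_KEY
$requiresApproval = ($enrollFlg -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
$keyExportable    = ($keyFlg    -band $CT_FLAG_EXPORTABLE_KEY)    -ne 0

# "Certificate Template to Issue" adds the template CN to the CA's pKIEnrollmentService object
$caPath    = "LDAP://CN=$CaName,CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
$ca        = [ADSI]$caPath
$issued    = @($ca.certificateTemplates | ForEach-Object { [string]$_ })
$published = $issued -contains $cn

[pscustomobject]@{
    Template         = $cn
    RequiresApproval = $requiresApproval   # should be True for this lab
    PrivateKeyExport = $keyExportable      # should be True, otherwise PFX enrollment fails
    PublishedOnCA    = $published          # should be True after the steps above
}
```

If RequiresApproval is False, a request for the template would be issued immediately, so re-check the Issuance Requirements tab before moving on to the Keyfactor approval steps.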

Our CA is now configured to accept requests for our new template. Take a minute to enable PFX and CSR enrollment on your newly created template. (Note: Private Key Retention must be configured to allow PFX enrollment.) You may need to import the templates again if you load the Certificate Templates page before the scheduled task that syncs templates has run. If you still don't see the template after an import, you can reset IIS to force the application to reload the available templates and CAs:

  1. Start > Run > cmd.

  2. Click OK to launch a new command prompt.

  3. Type iisreset and press Enter.

  4. Wait for the command to complete.

  5. Reload Keyfactor in the browser (it will take a minute to rebuild the cache).

Create Enroll Only User in Keyfactor

Before we can demonstrate the approval process, we need to enable a user that can only enroll for certificates. We'll create a new role in Keyfactor, assign the appropriate permissions, and then assign our enroll only user to the role.

  1. Open the Keyfactor Portal.

  2. Navigate to Gear Icon > Security Roles & Identities.

  3. Click the Claims tab.

  4. Click Add on the ribbon menu.

  5. Set the following values in the Add Claim popup menu.

     Configuration   Value
     Claim Type      Active Directory User
     Claim Value     kftrain\enroll
     Provider        Active Directory
     Description     Value of your choice

  6. Click Save.

Now that we have created an Identity/Claim, we need to create a role for it to assign the correct permissions.

  1. Click Add on the ribbon menu.

  2. Give your role a Name and Description.

  3. Click Global Permissions on the ribbon menu.

  4. Enable the following permissions checkboxes:

     Permission Header   Permission
     Certificates        PFX
     Portal              Read

  5. Click the Claims tab.

  6. Click Add.

  7. Select the KFTRAIN\enroll claim value we created earlier, then click Include and Close.

  8. Click Save.

Enroll for a Certificate that Requires Approval

The first step is to enroll for a certificate that requires approval. To do this we will need to use our enroll only user to log into the Keyfactor Portal. We can do this by running the browser as our enroll only user. Let's take a minute to do that now:

  1. Make sure all existing browser windows are closed.

  2. Open the start menu and right click the Edge browser shortcut pinned to the start menu.

  3. Navigate to More > Run as different user.

  4. Enter the enroll only user credentials:

     Username   kftrain\enroll
     Password   Password1

  5. Navigate to https://keyfactor.kftrain.lab/keyfactorportal

  6. Look at the top right and verify that the logged in user shows KFTRAIN\enroll.

  7. Execute a PFX enrollment for the template we created earlier.

After the request is submitted, our enroll only user will see a message that this certificate requires approval. Once that's done, we can close the browser, re-open it as our Administrator user, and proceed with the approval.

  1. Navigate to Enrollment > Certificate Requests.

  2. Choose the certificate that was submitted.

  3. Click Approve.

Once the certificate is approved, it will be issued and can be downloaded from the certificate search page. Go ahead and find the certificate and try to download the certificate and private key in PFX format.

In our next course, we will review Keyfactor alerting and demonstrate how we can add pending and issued certificate alerts to our approval workflow. Additionally, we will cover Collection Permissions to show how we can provide our enroll only user access to download their requested certificate.
