Using RSA Certificate Manager with the Microsoft Windows PKI Administrator’s Guide Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com Trademarks RSA, the RSA logo and EMC are registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other trademarks used herein are the property of their respective owners. For a list of EMC trademarks, go to www.rsa.com/legal/trademarks_list.pdf. License agreement This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person. No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability. This software is subject to change without notice and should not be construed as a commitment by EMC. Third-party licenses This product may include software developed by parties other than RSA. The text of the license agreements applicable to third-party software in this product may be viewed in the thirdpartylicenses.pdf file. This product includes software developed by The Apache Software Foundation (www.apache.org/). Portions Copyright © 1992-1996 Regents of the University of Michigan. All rights reserved. Note on encryption technologies This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product. Distribution Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright © 2012 EMC Corporation. All Rights Reserved. Published in the USA. March 2012 Using RSA Certificate Manager with the Microsoft Windows PKI Administrator’s Guide

Contents

Chapter 1: Using RSA Certificate Manager with Microsoft Windows Server 2003 and 2008 ...... 5 Prerequisites...... 5 RSA Certificate Manager Benefits ...... 5 Issuing Smart Card Logon Certificates...... 6 Prerequisites...... 6 How to Issue Smart Card Logon Certificates ...... 6 Issuing Authenticode Certificates ...... 15 Obtaining Microsoft Authenticode ...... 16 How to Issue Certificates for Authenticode Signing ...... 16 Signing Code with Authenticode...... 17 Issuing EFS Certificates...... 18 Prerequisite ...... 18 How to Issue EFS Certificates ...... 18 Encrypting a File Using Microsoft EFS ...... 22 Issuing Microsoft VPN Client Certificates ...... 23 Prerequisites...... 23 How to Issue VPN Client Certificates ...... 23 Connecting to the VPN ...... 25 Certificate Name Mapping in Microsoft IIS...... 26 Prerequisites...... 26 How to Issue Logon Certificates ...... 26 Testing Logon with Certificate Name Mapping ...... 34 802.1x Wireless Authentication...... 34 Configuring Wireless Authentication ...... 35 How to Issue Client TLS certificates...... 37 Issuing Certificates for Multiple Applications...... 38 Chapter 2: Using RSA Certificate Manager with Fedora Auto Enrollment Proxy ...... 39 How Auto Enrollment Works ...... 39 Prerequisites...... 40 Setting Up Auto Enrollment ...... 40 Configuring the Domain Group Policy...... 41 Selecting Certificate Templates...... 43 Setting Certificate Template Permissions...... 43 Installing Auto Enrollment Proxy...... 45 Updating Auto Enrollment Proxy ...... 45 Importing an Authentication Certificate ...... 46 Configuring AEP to Connect to RSA Certificate Manager...... 46 Configuring User Access to AEP ...... 47 Configuring RSA Certificate Manager...... 49 Requesting a Certificate...... 53

Contents 3

Using RSA Certificate Manager with the Microsoft Windows PKI Administrator’s Guide

1 Using RSA Certificate Manager with Microsoft Windows Server 2003 and 2008

This section provides administrators with instructions for using RSA® Certificate Manager infrastructure to utilize the security capabilities of the Microsoft Windows Server 2003 and 2008 operating platforms. Using Certificate Manager, administrators can increase the security of their infrastructure by issuing digital certificates for: • Smart card logon • Code signing based on Authenticode • Encrypting File System (EFS) encryption • Virtual private network (VPN) client authentication • Certificate name mapping with Microsoft Internet Information Services (IIS) • 802.1x wireless authentication with Microsoft Remote Authentication Dial-In User Service (RADIUS)

Prerequisites • You must be an administrator of a Microsoft Windows Domain Controller with Active Directory and an Administrator of a Certificate Manager installation. If you do not have administrative access to both the domain and the Certificate Manager installation, the tasks described in this guide must be coordinated with the other administrator. • Your administrative certificate must have the Vettor role enabled with vetting privileges for the issuing Jurisdiction. If you do not have vetting privileges, a Vettor must vet certificate requests and issue certificates. • Administrators must be using Microsoft Internet Explorer 6.0 or later, and end users must be using Microsoft Internet Explorer 4.0 or later.

RSA Certificate Manager Benefits Certificate Manager is a full-featured certificate authority (CA) that can interoperate with Windows Server 2003 and 2008 as well as an industry-leading array of third-party applications. Certificate Manager features enhanced security and ease of use, leveraging the built-in features of the Microsoft Windows platform to allow users to use certificates to sign or encrypt data, or gain access to web or networked applications.

1: Using RSA Certificate Manager with Microsoft Windows Server 2003 and 2008 5 Using RSA Certificate Manager with the Microsoft Windows PKI Administrator’s Guide

Issuing Smart Card Logon Certificates With Microsoft smart card logon, end users can use smart cards and certificates to authenticate to a Windows domain. You can issue smart card logon certificates from your Certificate Manager installation.

Prerequisites • You must have a Windows Server 2003 Domain Controller or a Windows Server 2008 Domain Controller with Microsoft Active Directory. You must be familiar with the Microsoft Management Console (MMC) to perform most of these operations. • Your Certificate Manager installation must have network access to the Active Directory database. • The CA that signs the certificates: – Must be configured to allow local certificate revocation list (CRL) publishing to the local HTTP server or local LDAP server.

Important: Do not use the local publishing feature of delta CRLs as this can cause end-entity certificates with the MS Logon Certificate profile to be issued with an incorrect set of v3 extensions. For more information on delta CRLs, see the RSA Certificate Manager Administrator’s Guide.

– Must have the CRL settings set to automatically generate CRLs with a nextUpdate field. – Must have two Jurisdictions—one configured to allow the MS Domain Controller Certificate profile and the other configured to allow the MS Logon Certificate profile. RSA recommends that the issuing Jurisdictions be configured so that the certi