How do I set up SSL Certificates for MS AD Child Domains ?

How do I set up SSL Certificates for MS AD Child Domains ?

Certification Authority setup

Parent/Child – Parent or root domain should contain the Enterprise root CA and the child domains would be Enterprise subordinate CA.

You must be logged on as an enterprise administrator.
Click Start, point to Programs, point to Administrative Tools, and click Active Directory Users and Computers.
The Active Directory Users and Computers snap-in opens up. In the left pane, under example-cloud.com, click the Users folder.
Double-click the Enterprise Admins group.
In the Enterprise Admins Properties dialog, click the Members tab, and then click the Add button.
In the Select Users, Contacts, or Computers dialog, click John Doe and then click the Add button. Click OK.
John Doe is now an enterprise administrator with the necessary permissions to set up Certificate Authority in a Windows based network.
Close the Active Directory Users and Computers window.

You now need to log on as an enterprise administrator; using our example, log on as John Doe.

Note: You will also need to log on as an enterprise administrator when setting up the enterprise intermediary and enterprise-issuing certificate computers.

To set up the CA
Click Start, point to Settings and then click Control Panel.
Double-click Add/Remove Programs.
Click Add/Remove Windows Components to start the Windows Components Wizard.
Select the Certificate Services check box and then click Next.
If you intend to use the Web components of the Certificate Services, ensure that the IIS check box is selected.

The wizard prompts you to specify the type of Certification Authority you want to install. Setup attempts to guess which option is selected in order to make installation simpler.
If no Active Directory is detected, the two enterprise options are disabled.
If an Active Directory is detected, the Enterprise root CA option is selected if there is no CA already registered in the Active Directory.
If there is a CA registered in the Active Directory, the Enterprise subordinate CA option is selected.

If you will be issuing certificates to entities in your organization, or if you need to have seamless integration with the Active Directory or to enable smart card logon, select an enterprise CA. Select one of the following:
Enterprise root CA -- This is if you do not have any CAs in your directory, or if you need a second enterprise root CA. The root CA will be registered in the directory, and all computers in your enterprise using that directory will automatically trust the root CA. It is good security practice to limit the root CA to issue certificates to subordinate CAs only, or to issuing only a few special purpose certificates. This means you want to install an enterprise subordinate after you finish installing the root. However, you can choose only the root CA.
Enterprise subordinate CA -- This is if you have already installed an enterprise root CA. Typically, you will have multiple enterprise-subordinate CAs. Each of these CAs either serves different communities of users or provides different types of certificates. If there is more than one subordinate, it is possible to revoke the subordinate’s certificate in case of disaster, and not have to reissue all certificates in the organization.

If you will be issuing certificates to entities outside your enterprise and do not want to use Active Directory or other Windows public key infrastructure (PKI) features, then you want a stand-alone CA. Select one of the following:
Stand-alone CA -- This is if you do not already have a stand-alone CA, or if you need a second root for a purpose different than the first.
Stand-alone subordinate CA -- This is if this CA will be a member of an existing CA hierarchy. The parent CA in the hierarchy can be a stand-alone CA, an enterprise CA, or an external commercial CA.
If you need to change the default cryptographic settings, select the Advanced Options check box. (Select Advanced Options only if you know how to change cryptographic settings). Click Next.
If you selected Advanced Options, the wizard prompts you to specify the cryptographic service provider to use.

In this dialog box, you can change the cryptographic settings, such as the Cryptographic Service Provider (CSP), hash algorithm, and other advanced options. In general, you will not need to modify the default settings. Users who need to modify these settings must be very familiar with cryptography, Certificate Server, and the CAPI 2.0 architecture.

The list of CSPs will vary depending on the software and hardware that has been installed on the server. The Key length specifies the length of the public and private key pair. A value of Default in this box generates a key pair whose default length is determined by the selected provider. Microsoft recommends that you use a long key length, such as 1024 or 2048, for a root CA or an enterprise CA. (Note that a long key length is computationally more expensive, and may not be accepted by all hardware devices. For example, some smart cards may not accept certificates issued by a CA that has a 4096 bit key, due to space limitations on the card.)

The Use existing keys option allows you to use keys that were generated previously or to reuse keys from a previously installed CA. When installing a CA, you should almost never reuse keys. The exception to this is when you are restoring a CA after a catastrophic failure. You will then import a set of existing keys and install a new CA that uses those keys. In addition, if you are restoring a CA after a failure, you must select the Use the associated certificate check box. This ensures that the new CA has a certificate that is identical to the old CA. If you do not check this box, a new certificate will be generated that makes the new CA different from the old CA.

Note The private key is always stored locally on the server, except in the case where a cryptographic hardware device is used. In such a case, the private key is stored in the device. The public key is placed in the certificate, and in the case of an enterprise CA, the certificate is published in Active Directory.
The wizard prompts you to supply identifying information appropriate for your site and organization.
Note that the CA name (or common name) is critical because it is used to identify the CA object created in the Directory. The Valid for time can only be set for a root CA. Set the root CA Valid for time to a reasonable value: the actual duration is a tradeoff between security and administrative overhead. Keep in mind that each time a root certificate expires, an administrator has to update all trust relationships, and administrative steps need to be taken to move the CA to a new certificate. A time period of two or more years is usually sufficient. When you are finished entering the information, click Next.
A dialog box defines the locations of the certificate database, configuration information, and the location where the Certificate Revocation List (CRL) is stored. The Enterprise CA will always store its information, including the CRL, in the directory. It is recommended that you select the Shared folder check box. This option specifies the location of a folder where configuration information for the CA will be stored. You should make this folder a UNC path and have all your CAs point to the same folder. Then the administration tools can use this folder for determining CA configuration if the Active Directory is not available. If you have an Active Directory, this folder is optional. If you do not have an Active Directory, this folder is required.
 


    Can't find the KB

    Unable to find the KB to address your issue ?  

      • Recent Articles

      • Change Reset Password Button Text

        Change the text of the "Reset Password" button on the UW Login Page How to change the text of the Reset Password button on the Login Page. Login to webNetwork and open webAdmin on your Relay Central Server Expand Customization Center Expand Tenants ...
      • Remove Reset Password Button From Login Page

        Remove the Reset Password Button from the Login Page How to remove the Reset Password button from the Unified Workspace login page. Login to webNetwork and open webAdmin on your Relay Central Server Expand Customization Center Expand Tenants Expand ...
      • Lenovo Unified Workspace End-of-Life Questions and Answers

        As of January 31st 2024, Lenovo Unified Workspace (formerly Stoneware WebNetwork) is no longer supported. This means that we no longer provide licenses, downloads, updates, patches, or technical assistance for this product. If you have any questions ...
      • How do I determine my Unified Workspace license expiration date?

        The best method for determining the licensing information including the expiration date of your Unified Workspace license: Login to your 8090 management console on each server This may take remoting into each LUW server and relay, opening a browser, ...
      • Lenovo Unified Workspace 7.0.2.13 Released

        Highlights of Unified Workspace 7.0.2.13 Before you install: Please view the installation notes here. 7.0.2.13 requires a 7.0 license file. Below is a list of enhancements and fixes released in Unified Workspace 7.0.2.13 Fixed external storage ...
      • Related Articles

      • Problems with Multi Domain / Parent - Child AD Domain Issues

        Issue: The customer has an MS AD Parent / Child setup and webNetwork is having many problems creating objects in webAdmin. When a wizard is used to create a webApp and the end the Host, Link and User cannot be modified.   Resolution: This was ...
      • DC won’t obtain SSL certificate automatically

        Customer installed Enterprise CA server in their AD forest and some Domain Controllers won’t pick up an SSL certificate.   The customer used LDP.exe to verify all of their DC to see if they had SSL enabled.  They found a DC that did not pick up an ...
      • webNetwork will not start because AD ssl certificate has expired

        Customer restarted webnetwork and now it won’t start. It gives errors like : FATAL (12/23) 11:19:23 [com.stoneware.service.DirectoryManager]: Unable to verify/extend schema. javax.naming.CommunicationException: simple bind failed: 192.168.1.41:636 ...
      • General MS AD LDAP information.

        General MS AD LDAP information
      • SSL certificate installation - part 2

        Problem:  Need to create and add new wildcard SSL certificate to Unified Workspace server. Prerequisite(s): Completed part 1 Access to keystore password Solution(s):  Below instructions will walk you through process of placing a new keystore on ...