Summary:
This document details the steps to create Certificates for WIN Auth Agent and SSO Client communication using Microsoft Windows Certificate Authority.
Question:
How do I create Certificates for the WIN Auth Agent and SSO Client communication using Microsoft Windows Certificate Authority?
Description:
I am unable to create Certificates for the WIN Auth Agent and SSO Client communication using Microsoft Windows Certificate Authority.
Solution:
Steps to create Certificates for WIN Auth Agent and SSO Client communication using Microsoft Windows Certificate Authority.
SUMMARY: You will need a Certificate (TrustFile=) that can verify the Identity Certificate (IdentityFile=). This can be a Certificate signed by an official 3rd-party Certificate Authority or a Certificate issued by your local Certificate Authority. To establish secure communication, the client's or agent's Identity Certificate (IdentityFile=) must be verifiable by the Trusted Certificate.
The basic steps below should help to create the certificates needed.
WIN Auth Agent Certificate Setup:
Download the CA Certificate to the WIN Auth Agent machine using the Microsoft Certificate Authority Web Services.
Connect to your Certificate Server web services using the link below, substituting your Certificate Server name for Your_CA_Server_Here:
http://Your_CA_Server_Here/certsrv
EXAMPLE: http://2003cadc/certsrv/
You should be asked for a User Name and Password. Provide domain user credentials.
Click "Download CA Certificate" with the "Base 64" radio button selected.
Click "Save".
Copy the certificate to the folder you will designate for the Trusted Certificate on the SSO Client workstation.
For the purpose of this document, we will use the following folder location:
C:\Program Files\CA\eTrust SSO\Certificates
Create Custom WIN Auth Agent Template
Click "Start", then "Run", type mmc and click "Open".
On the first screen click "File", then "Add/Remove Snap-in...".
Next, click the "Add" button.
Highlight "Certificate Templates" and click the "Add" button.
Click the "OK" button.
You should now be back at the "Certificate Templates" main screen.
Click on the "Certificate Templates" icon.
Right-click the Administrator template and then click "Duplicate Template".
Rename the "Template display name" and "Template name", and consider increasing the "Validity period" of the Certificate.
For the purpose of this document, we will use the following values:
Template Display name : WIN_Auth_Agent
Template name : WIN_Auth_Agent
Validity Period : 5 Years
NOTE: Ensure "Publish certificate in Active Directory" is selected.
Leave the "Request Handling" options at their defaults.
Below are the "Subject Name" default options. Uncheck the following options:
"Include e-mail name in subject name"
"E-mail Name"
"User Principal Name"
Your "Subject Name" tab should then show those three options cleared.
Leave the "Issuance Requirements" options at their defaults.
Leave "Superseded Templates" at its default.
The "Extensions" tab requires the following changes:
Highlight "Application Policies" and click the "Edit" button.
Remove all policies except Client Authentication.
Next, click "Add" and select "Server Authentication", then click "OK" on the following screen.
Your Add Application Policy screen should now list both policies. Once confirmed, click "OK".
Your Application Policies should now show Client Authentication and Server Authentication.
Next, select and highlight "Key Usage".
Click "Edit" and verify your Key Usage settings. We will leave the default options for this Template.
In the "Security" tab, grant permissions to Administrator, Domain Admins and Enterprise Admins so they can request this Certificate type.
Add "Enroll" and "Autoenroll" for Administrator.
Next, add "Enroll" and "Autoenroll" for Domain Admins.
Then add "Enroll" and "Autoenroll" for Enterprise Admins.
Finish by clicking "Apply" and then "OK".
Issue the new Certificate Template
We will now need to "Issue" the new WIN_Auth_Agent Certificate Template on the CA server. This makes the Template available for Certificate creation. When these steps are complete, the new WIN_Auth_Agent Template should be displayed under the Advanced options of the Certificate Web Service.
First click "Start", then "All Programs", then "Administrative Tools", and finish by clicking "Certificate Authority".
Once the Certificate Authority program starts, expand your Certificate Authority name (Example: 2003cadc), then select and highlight the "Certificate Templates" folder.
Finish by right-clicking the "Certificate Templates" folder, then click "New" followed by "Certificate Template to Issue".
Select the WIN_Auth_Agent Template and click "OK".
Your Template should now show up in the Name column and should be available for Certificate requests.
Request WIN Auth Agent custom Certificate
Next, request the custom WIN Auth Agent Certificate we created as a Domain Administrator, using the Web Certificate Services under Advanced options. Then import the Certificate.
Connect to your Certificate Server using the link below, substituting your Certificate Server name for Your_CA_Server_Here:
http://Your_CA_Server_Here/certsrv
EXAMPLE: http://2003cadc/certsrv/
You should be asked for a User Name and Password. Provide the credentials of the User who will be requesting the certificate. In my example I am using my CA domain Administrator.
Click "Request Certificate".
Click "Advanced Certificate Request".
Select "Create and Submit a request to the CA".
Expand the Certificate Template dropdown and choose the custom certificate template we created.
Leave the options as they are and provide a Friendly Name which will clearly identify this certificate.
I chose the name WIN_Auth_Agent in this example.
Click "Yes".
Click "Install this Certificate".
Click "Yes".
The Certificate is now imported successfully.
Export Agent Certificate:
Open Internet Explorer.
Click "Tools" on the menu.
Click "Internet Options" in the dropdown.
Then click the "Content" tab.
Next, click the "Certificates" button.
You should now be on the "Personal" tab.
Highlight the Certificate issued to the requesting User with the Friendly Name provided in the previous step. I requested and imported the Certificate as Administrator and provided the Friendly Name "WIN_Auth_Agent", so the certificate is identified by that Friendly Name.
Click "Export".
Click "Next".
Choose the "Yes, export the private key" radio button and then click "Next".
Check "Include all certificates in the certification path if possible" and click "Next".
Enter a password you will designate for this Certificate.
NOTE: Remember this password, as it will be needed to create the encrypted "IdentityPassword" value later in the procedure.
Choose a name and a location (with full path) if preferred and click "Next".
Click "Finish" if the values look correct.
Click "OK".
Copy this WIN Auth Agent Cert (WIN_Auth_Agent.pfx) to the directory where you are keeping the Trusted and Identity certificates for the WIN Auth Agent. The .pfx contains the agent's private key, so restrict access to that folder to the accounts that need it.
I used the location below, which I needed to create.
C:\Program Files\CA\eTrust SSO\Certificates
Change the extension of the Certificate from .pfx to .p12 by renaming the WIN Auth Agent Certificate. Both extensions denote the same PKCS #12 container; only the file name changes.
Before: WIN_Auth_Agent.pfx
After: WIN_Auth_Agent.p12
Create the Identity file encrypted password value "IdentityPassword" in the WIN Auth Agent ini file (CA_wintga.ini) and update it with the new certificate file and location.
The following steps create the encrypted value (IdentityPassword=) which represents the password for the Agent Certificate (IdentityFile=) in the CA_Wintga.ini file.
Below is the section of the CA_Wintga.ini file which will need to be modified with the new "IdentityFile" and "IdentityPassword" values.
EXAMPLE:
BEFORE:
[Security]
IdentityFile=C:\Program Files\CA\eTrust SSO\Windows Agent\cfg\sample2.p12
IdentityPassword= qX5Su3vq7cGmkIbzH5UPJRvGS38Aba75dzwBwHc5yxI=
AFTER:
[Security]
IdentityFile=C:\Program Files\CA\eTrust SSO\Certificates\Agent_Cert.p12
IdentityPassword= cR/n62fX1IXQWvnW6GLpuRB4DLvvclyg9AuAPr88oPQ=
Open an Explorer window to the directory below.
C:\Program Files\CA\eTrust SSO\Windows Agent\cfg
Make a backup of the CA_wintga.ini file and keep this location open for later reference.
Open a DOS command prompt and change to the directory below.
C:\Program Files\CA\eTrust SSO\Windows Agent\bin
Now use the ssoencconf executable to encrypt the password value in the CA_wintga.ini file. The utility's own usage text (see the Index) describes this as obfuscation rather than encryption, so the ini file itself must still be protected from unauthorized readers.
The command below is one long line which wraps around. Replace the Password_Here value with your Agent Certificate's password. Do not copy and paste the command from this document; type it out completely on the command line.
EXAMPLE:
ssoencconf.exe -i "C:\Program Files\CA\eTrust SSO\Windows Agent\cfg\CA_wintga.ini" -v IdentityPassword -d Password_Here
NOTE: For further details and usage information on ssoencconf.exe, see the Index of this document.
Next, open the CA_wintga.ini file and verify the IdentityPassword value has changed as shown below. If needed, compare this to the backup of the CA_wintga.ini file you took previously.
Update the new certificate files and locations.
Also change the IdentityFile value to reflect the new WIN Auth Agent certificate and its specific location.
Finish by uncommenting the TrustFile= setting.
BEFORE:
[Security]
IdentityFile=C:\Program Files\CA\eTrust SSO\Windows Agent\cfg\sample2.p12
IdentityPassword= qX5Su3vq7cGmkIbzH5UPJRvGS38Aba75dzwBwHc5yxI=
TrustFile=C:\Program Files\CA\eTrust SSO\Windows Agent\cfg\sample_CA_cert.pem
AFTER:
[Security]
IdentityFile=C:\Program Files\CA\eTrust SSO\Certificates\Agent_Cert.p12
IdentityPassword= cR/n62fX1IXQWvnW6GLpuRB4DLvvclyg9AuAPr88oPQ=
; TrustFile=C:\Program Files\CA\eTrust SSO\Certificates\certnew.cer
Once the changes are confirmed, save the file and restart the WIN Auth Agent service.
SSO Client Side Certificate Steps:
First, on the SSO Client machine, change to the directory below and back up the auth.ini file.
C:\Program Files\CA\eTrust SSO\Client\cfg
Inside the SSO Client auth.ini file, comment out the IdentityFile and IdentityPassword values and update the TrustFile setting with the location and name of your Trusted CA certificate. In my example this was certnew.cer.
See the example of that change below.
BEFORE:
[Auth.WIN]
IdentityFile=C:\Program Files\CA\eTrust SSO\Client\cfg\sample1.p12
IdentityPassword=qX5Su3vq7cGmkIbzH5UPJRvGS38Aba75dzwBwHc5yxI
TrustFile=C:\Program Files\CA\eTrust SSO\Client\cfg\sample_CA_cert.pem
AFTER:
[Auth.WIN]
; IdentityFile=C:\Program Files\CA\eTrust SSO\Client\cfg\sample1.p12
; IdentityPassword=qX5Su3vq7cGmkIbzH5UPJRvGS38Aba75dzwBwHc5yxI
TrustFile=C:\Program Files\CA\eTrust SSO\Certificates\certnew.cer
Save the file and reboot to ensure the SSO Client takes the new settings.
Test the new configuration by connecting the SSO Client to the server running the new WIN Auth Agent configuration that contains your custom WIN Auth Agent Identity Certificate.
Your WIN Auth communications should now be encrypted using the custom certificates.
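As an added sanity check that is not part of eTrust SSO or the original document, the following Python script applies the trust model described above to the two edited ini files: the agent side must carry a non-sample .p12 IdentityFile and an ssoencconf-style IdentityPassword, and the client side must carry a TrustFile with its own identity settings commented out. The Base64 shape test for the obfuscated value and the embedded ini texts are assumptions modelled on this page's examples; the script inspects text only and does not validate the certificates themselves.

```python
import configparser
import re

# Placeholder password shipped in the sample ini files on this page.
SAMPLE_PASSWORD = "qX5Su3vq7cGmkIbzH5UPJRvGS38Aba75dzwBwHc5yxI"
# Assumption: an ssoencconf value is Base64-shaped, as in the page's examples.
ENCODED_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def read_section(text, section):
    # ';' lines are comments, so a commented-out key is simply absent.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case: IdentityFile, TrustFile, ...
    cp.read_string(text)
    return cp[section]

def check_agent(ini_text):
    """Findings for the [Security] section of the agent's CA_wintga.ini."""
    sec, out = read_section(ini_text, "Security"), []
    ident = sec.get("IdentityFile", "")
    if not ident.lower().endswith(".p12") or "sample" in ident.lower():
        out.append("IdentityFile must be the exported agent certificate renamed to .p12")
    pw = sec.get("IdentityPassword", "")
    if not pw or pw.rstrip("=") == SAMPLE_PASSWORD or not ENCODED_RE.match(pw):
        out.append("IdentityPassword missing, still the sample value, or not an ssoencconf value")
    return out

def check_client(ini_text):
    """Findings for the [Auth.WIN] section of the client's auth.ini."""
    sec, out = read_section(ini_text, "Auth.WIN"), []
    trust = sec.get("TrustFile", "")
    if not trust or "sample" in trust.lower() or not trust.lower().endswith((".cer", ".pem")):
        out.append("TrustFile must point at the downloaded Base-64 CA certificate")
    for key in ("IdentityFile", "IdentityPassword"):
        if key in sec:
            out.append(key + " is still active on the client; comment it out")
    return out

# Constructed inputs modelled on the page's AFTER examples.
AGENT_AFTER = r"""[Security]
IdentityFile=C:\Program Files\CA\eTrust SSO\Certificates\Agent_Cert.p12
IdentityPassword= cR/n62fX1IXQWvnW6GLpuRB4DLvvclyg9AuAPr88oPQ=
; TrustFile=C:\Program Files\CA\eTrust SSO\Certificates\certnew.cer
"""
CLIENT_AFTER = r"""[Auth.WIN]
; IdentityFile=C:\Program Files\CA\eTrust SSO\Client\cfg\sample1.p12
; IdentityPassword=qX5Su3vq7cGmkIbzH5UPJRvGS38Aba75dzwBwHc5yxI
TrustFile=C:\Program Files\CA\eTrust SSO\Certificates\certnew.cer
"""
```

Point the two functions at the real files (read them with open(...).read()) and an empty list means the section matches the finished configuration on this page.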
INDEX:
SSOENCCONF.EXE
Utility to obfuscate a configuration value and optionally update it in either the Windows Registry or a configuration file.
usage: ssoencconf [<config location> <name>] <data>
where:
  config location - The storage location of the configuration data. Must be specified as either:
      -r <Windows Registry Key>
      OR
      -i <Configuration File Path>
      Note: if this option is omitted the value is output to stdout.
  name - The name of either the registry value or configuration file variable, specified as:
      -v [<registry value name>|<variable name>]
  data - The data to be obfuscated and stored, specified as:
      -d <data>
      Note: use -d "" to obfuscate an empty string.
Page 184 in the Implementations guide.
SSL Communication
The use of SSL is mandatory for the Windows authentication agent. To set this up during installation, you must specify the files described below.
Note: SSO does not provide the tools or utilities to create these files. You can use your own PKI design and technology, or download the OpenSSL tool, which will guide you through the trusted certificate creation process. For more information, see the procedures at the end of this section.
Identity File and Password
The identity file is a PKCS #12 (Personal Information Exchange Syntax Standard) format file containing the private key and machine certificate of the authentication host. This is required to authenticate SSL communication between the authentication host and SSO client machines.
For more information on creating an Identity file, see 5. Create an Identity File (PKCS#12) for the Windows Authentication Agent (see page 189).
Trust Files
The Trust file is the PEM format issuer certificate of the identity files installed on the SSO Client machines. This is required if the SSL communications between the SSO Client and Windows authentication agent are to be bilaterally authenticated.
For more information on creating trusted certificates, see Create a Self Signed Certificate (see page 185) and Issue a Certificate for the Windows Authentication Agent (see page 187).