Steps to create Certificates for WIN Auth Agent and SSO Client communication using Microsoft Windows Certificate Authority

Document ID : KB000054930
Last Modified Date : 14/02/2018

Summary:

This document details the steps to create Certificates for WIN Auth Agent and SSO Client communication using Microsoft Windows Certificate Authority.

Question:

How do I create Certificates for the WIN Auth Agent and SSO Client communication using Microsoft Windows Certificate Authority?

Description:

I am unable to create Certificates for the WIN Auth Agent and SSO Client communication using Microsoft Windows Certificate Authority.

Solution:

Steps to create Certificates for WIN Auth Agent and SSO Client communication using Microsoft Windows Certificate Authority.

SUMMARY: You will need a trusted certificate (TrustFile=) that can verify the identity certificate (IdentityFile=). This can be a certificate signed by a third-party Certificate Authority or one issued by your own (local) Certificate Authority. To establish the secure communication, the identity certificate presented by the agent (IdentityFile=) must chain to, and be verified by, the trusted certificate.

The basic steps below should help to create the certificates needed.

  • Create a Trusted Certificate (TrustFile=) that is Base64 encoded, with a .cer or .der extension. Whatever the extension, the file content is expected as Base64 (PEM) text, which is what the "Base 64" download option below produces.

  • Create a new Certificate Template based on Administrator Certificate

  • Issue the new Template

  • Request the Certificate from the CA Web Enrollment pages (certsrv) using the advanced request option.

  • Copy both the Trusted and Identity Certificates to the correct folders specified/updated in the SSO Client and Win Auth Agent ini files.

WIN Auth Agent Certificate Setup:

Download the CA Certificate to the WIN Auth Agent machine using the Microsoft Certificate Authority Web Services

Connect to your Certificate Server web enrollment pages using the link below, substituting your Certificate Server name for Your_CA_Server_Here:

http://Your_CA_Server_Here/certsrv

EXAMPLE: http://2003cadc/certsrv/

You should be asked for a user name and password. Provide domain user credentials. Where the web enrollment site has been bound to HTTPS, use https:// instead, since domain credentials are sent to this page.

Figure 1

Click "Download CA Certificate" with the "Base 64" Radio button selected

Figure 2

Click "Save"

Figure 3

Copy the certificate to the folder you will designate for the Trusted Certificate on each SSO Client workstation; it is referenced by the TrustFile= setting in the client's auth.ini later in this document.

For the purpose of this document, we will use the following folder location:
C:\Program Files\CA\eTrust SSO\Certificates
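The download above can also be done without the browser. The following PowerShell is an added example, not part of the KB: it retrieves the CA certificate with certutil, makes sure the result is Base64/PEM text, and runs the checks a practitioner would want before pointing TrustFile= at the file. The CA config string ($CAConfig) is an assumed value; the folder and file name follow this document.

```powershell
# Added example (not from the KB): obtain the issuing CA's certificate with certutil instead
# of the /certsrv download page, and check the file before using it as a trust file.
# $CAConfig is an assumed value; the folder and file name follow the KB.
$CAConfig = '2003cadc\Contoso-Issuing-CA'                  # assumption: "<CA host>\<CA common name>"
$CertDir  = 'C:\Program Files\CA\eTrust SSO\Certificates'
$RawFile  = Join-Path $env:TEMP 'ca-raw.cer'
$PemFile  = Join-Path $CertDir 'certnew.cer'                # name the web page gives the download
New-Item -ItemType Directory -Path $CertDir -Force | Out-Null

# -ca.cert retrieves the CA's own certificate (index 0 = the current CA certificate)
certutil -config $CAConfig -ca.cert $RawFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -ca.cert failed for $CAConfig" }

# The SSO trust file is read as Base64/PEM text; re-encode only if certutil wrote binary DER
if ((Get-Content $RawFile -TotalCount 1) -eq '-----BEGIN CERTIFICATE-----') {
    Copy-Item $RawFile $PemFile
} else {
    certutil -encode $RawFile $PemFile | Out-Null       # same result as the "Base 64" radio button
    if ($LASTEXITCODE -ne 0) { throw 'certutil -encode failed' }
}
Remove-Item $RawFile

# Checks worth running before TrustFile= points at the file
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PemFile
$bc = $ca.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) { throw "$($ca.Subject) is not a CA certificate" }
# A CA never issues past its own expiry, so a 5-year template needs a CA certificate that lives that long
if ($ca.NotAfter -lt (Get-Date).AddYears(5)) { Write-Warning 'CA certificate expires within the 5-year template validity' }

# Compare this thumbprint with the CA console (Certification Authority > Properties > General)
# before distributing the file to clients; a trust file is only as good as how it was obtained.
[pscustomobject]@{ TrustFile = $PemFile; Subject = $ca.Subject; Thumbprint = $ca.Thumbprint; NotAfter = $ca.NotAfter }
```

The thumbprint comparison is the step that matters: the trust file is what every SSO Client will use to decide which agents to believe, so it should be checked against the CA itself rather than taken on faith from whichever host served it.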

Create Custom WIN Auth Agent Template

Click "Start" then click "Run" and type in mmc and then click "Open".

On the first screen click "File" then click "Add/Remove Snap-in..."

Figure 4

Next click "Add" button

Figure 5

Then highlight "Certificate Templates" and click the "Add" button.

Figure 6

Click "OK" button

Figure 7

You should now be back at the "Certificate Template" main screen.

Figure 8

Click on the "Certificate Templates" icon.

Figure 9

Right click the Administrator template and then left click on "Duplicate Template"

Figure 10

Rename the "Template display name" and "Template name" and consider increasing the "Validity period" of the Certificate.

For the purpose of this document, we will use the following values:

 Template Display name : WIN_Auth_Agent
 Template Name         : WIN_Auth_Agent
 Validity Period       : 5 Years

Figure 11

NOTE: Ensure "Publish certificate in Active Directory" is selected.

"Request Handling" options remain default

Figure 12

Below are the "Subject Name" default options. We will need to uncheck the following options.

"Include e-mail name in subject name"
"E-mail Name"
and
"User Principal Name"

Figure 13

Your "Subject Name" should then look like the following screenshot.

Figure 14

"Issuance Requirements" leave default options.

Figure 15

"Superseded Templates" leave as default.

Figure 16

The "Extensions" tab needs to change; the following steps are the changes required in that tab:

Figure 17

Highlight the "Application Policies" and click the "Edit" button.

Remove all but the Client Authentication Policy as shown below.

Figure 18

Next Click "Add" and then select "Server Authentication". Next click "OK" on the following screen.

Figure 19

Your Add Application Policy screen should now look like the following screenshot. Once confirmed click "OK"

Figure 20

Your Application Policies should now look as follows.

Figure 21

Next, select and highlight "Key Usage"

Figure 22

Click "Edit" and verify your Key Usage looks as follows.

We will leave the default options for this Template.

Figure 23

In the "Security" tab, grant the accounts that will request this certificate type the right to enroll. In this document that is Administrator, Domain Admins and Enterprise Admins.

Figure 24

Added "Enroll" and "Autoenroll" for Administrator.

Figure 25

Next, added "Enroll" and "Autoenroll" for Domain Admins.

Figure 26

Then added "Enroll" and "Autoenroll" for Enterprise Admins.

Figure 27

Only "Enroll" is needed for the manual web request made later in this document. "Autoenroll" additionally allows every member of those groups to receive this certificate automatically where autoenrollment is configured, so grant it only if that is intended, and keep the Enroll list limited to the accounts that will actually request agent certificates.

Figure 27

Finish by clicking "Apply" and then "OK"

Issue the new Certificate Template

We now need to "Issue" the new WIN_Auth_Agent Certificate Template on the CA server. This makes the template available for certificate creation. When these steps are complete, the new WIN_Auth_Agent template should be displayed in the Advanced options of the Certificate Services web enrollment pages.

First click "Start", then "All Programs", then "Administrative Tools", and finish by clicking "Certification Authority".

Once the Certification Authority console starts, expand your Certificate Authority name (Example: 2003cadc), then select and highlight the "Certificate Templates" folder.

Finish by right-clicking the "Certificate Templates" folder, then click "New" followed by "Certificate Template to Issue".

Figure 28

Figure 29

Select WIN_Auth_Agent Template and click "OK"

Figure 30

Your Template should now show up in the Name Column and should be available for Certificate requests.

Figure 31
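Before requesting certificates it is worth confirming, from the directory rather than from screenshots, that the template really carries the settings made above and that only the intended accounts can enroll. The following PowerShell audit is an added example, not part of the KB or the SSO product; it reads the template object from the Configuration partition (what the CA actually uses), decodes the relevant attributes, lists the Enroll/AutoEnroll rights, and checks that the CA issues the template. It needs the ActiveDirectory module (RSAT) and certutil; $CAConfig is an assumed value, and the flag and OID values are taken from the MS-CRTD template specification.

```powershell
# Added example (not from the KB): audit the duplicated template after issuing it.
# Needs the ActiveDirectory module (RSAT) and certutil; $CAConfig is an assumed value.
Import-Module ActiveDirectory
$Template = 'WIN_Auth_Agent'
$CAConfig = '2003cadc\Contoso-Issuing-CA'   # assumption: "<CA host>\<CA common name>"

# 1. The template object in the Configuration partition, which is what the CA reads
$base = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
        (Get-ADRootDSE).configurationNamingContext
$t = Get-ADObject -SearchBase $base -Filter "cn -eq '$Template'" `
        -Properties pKIExtendedKeyUsage, pKIExpirationPeriod, 'msPKI-Enrollment-Flag', 'msPKI-Certificate-Name-Flag'
if (-not $t) { throw "Template '$Template' not found under $base" }

# Application policies should be exactly Client Authentication + Server Authentication (Figures 18-21)
$eku    = @($t.pKIExtendedKeyUsage | ForEach-Object { $_ })
$wanted = @('1.3.6.1.5.5.7.3.2', '1.3.6.1.5.5.7.3.1')
if (Compare-Object $eku $wanted) { Write-Warning "EKU list differs from the KB: $($eku -join ', ')" }

# Validity period: pKIExpirationPeriod is a negative FILETIME-style interval (100 ns units, little-endian)
$ticks = [BitConverter]::ToInt64([byte[]]$t.pKIExpirationPeriod, 0)
'Validity period : {0} days' -f [math]::Round(-$ticks / 864000000000)

# Flags from MS-CRTD: publish to AD (Figure 11) and the subject-name options the KB clears (Figures 13-14)
$ef = [int]$t.'msPKI-Enrollment-Flag'
$nf = [int]$t.'msPKI-Certificate-Name-Flag'
'Publish in AD   : {0}' -f (($ef -band 0x8) -ne 0)          # CT_FLAG_PUBLISH_TO_DS
'Subject e-mail  : {0}' -f (($nf -band 0x400000) -ne 0)     # CT_FLAG_SUBJECT_REQUIRE_EMAIL   (should be False)
'SAN e-mail      : {0}' -f (($nf -band 0x200000) -ne 0)     # CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL (should be False)
'SAN UPN         : {0}' -f (($nf -band 0x2000000) -ne 0)    # CT_FLAG_SUBJECT_ALT_REQUIRE_UPN  (should be False)
# Must stay False: the subject is built from AD, so requesters must not be able to supply their own
'Enrollee subject: {0}' -f (($nf -band 0x1) -ne 0)          # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT

# 2. Who may enroll: extended rights on the template object (Figures 24-27)
$rights = @{ '0e10c968-78fb-11d2-90d4-00c04f79dc55' = 'Enroll'
             'a05b8cc2-17bc-4802-a710-e7c15ab866a2' = 'AutoEnroll' }
(Get-Acl -Path "AD:\$($t.DistinguishedName)").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $rights.ContainsKey([string]$_.ObjectType) } |
    ForEach-Object { '{0,-45} {1}' -f $_.IdentityReference, $rights[[string]$_.ObjectType] }

# 3. The CA must list it ("Certificate Template to Issue", Figures 28-31)
$issued = (certutil -config $CAConfig -CATemplates) -join "`n"
if ($issued -match "(?m)^\s*$Template\b") { "CA $CAConfig issues $Template" }
else { Write-Warning "$Template is not in the issued-template list of $CAConfig" }
```

The Enroll list printed in step 2 is the one to review periodically: any principal shown there can obtain a certificate with both Client and Server Authentication in the name of its own AD account, so it should contain only the accounts that request agent certificates.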

Request WIN Auth Agent custom Certificate

Next, request the custom WIN Auth Agent certificate we created, as a Domain Administrator, using the Web Enrollment pages under Advanced options, and then import the certificate.

Connect to your Certificate Server using the link below, substituting your Certificate Server name for Your_CA_Server_Here:

http://Your_CA_Server_Here/certsrv

EXAMPLE: http://2003cadc/certsrv/

You should be asked for a user name and password. Provide the credentials of the user who will be requesting the certificate; because of the template's Subject Name settings, the certificate is issued in the name of that user's Active Directory account. In my example I am using my CA domain Administrator.

Figure 32

Click "Request Certificate"

Figure 33

Click "Advanced Certificate Request"

Figure 34

Please select "Create and submit a request to this CA"

Figure 35

Expand the Certificate Template dropdown and choose the custom certificate we created.

Figure 36

Figure 37

Leave the options as they are and provide a Friendly Name which will clearly identify this certificate.

I choose the name WIN_Auth_Agent in the example below.

Figure 38

Click "Yes"

Figure 39

Click "Install this Certificate"

Figure 40

Click "Yes"

Figure 41

Certificate Imported successfully.

Figure 42
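The same enrollment can be scripted with certreq.exe, which does not depend on the browser-based pages and leaves an auditable .inf/.req pair behind. The block below is an added example, not from the KB: it requests the WIN_Auth_Agent template as the current user, accepts the issued certificate into the user's Personal store (the equivalent of "Install this Certificate"), and then checks what landed there. The CA config string and the working folder are assumptions; the template and friendly name are the ones used in this document.

```powershell
# Added example (not from the KB): enrol for the WIN_Auth_Agent template with certreq.exe
# instead of the /certsrv pages. Template and friendly name match the KB; the CA config
# string and the working folder are assumptions. Run as a user with Enroll on the template.
$Template = 'WIN_Auth_Agent'
$CAConfig = '2003cadc\Contoso-Issuing-CA'        # assumption: "<CA host>\<CA common name>"
$Work     = Join-Path $env:TEMP 'wintga-enroll'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# The template builds the subject from Active Directory (Figure 14), so the CA replaces
# whatever Subject is supplied here. Exportable=TRUE is required because the key has to be
# exported into the .p12 identity file in the next step.
@"
[NewRequest]
Subject = "CN=placeholder"
KeyLength = 2048
KeySpec = 1
Exportable = TRUE
MachineKeySet = FALSE
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
RequestType = PKCS10
FriendlyName = "$Template"

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path "$Work\agent.inf" -Encoding ASCII

# 1. Generate the key pair (CurrentUser key store) and the PKCS#10 request
certreq -new "$Work\agent.inf" "$Work\agent.req" | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed' }

# 2. Submit to the CA; issued immediately unless the template requires CA manager approval
certreq -submit -config $CAConfig "$Work\agent.req" "$Work\agent.cer" | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path "$Work\agent.cer")) {
    throw 'certreq -submit did not return an issued certificate (denied or pending)'
}

# 3. Bind the issued certificate to the private key in Cert:\CurrentUser\My ("Install this Certificate")
certreq -accept "$Work\agent.cer" | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'certreq -accept failed' }

# What to verify before exporting: private key present, both EKUs, issued by the expected CA
$cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.FriendlyName -eq $Template -and $_.HasPrivateKey } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
$ekus = @(($cert.Extensions |
          Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
         ).EnhancedKeyUsages | ForEach-Object { $_.Value })
[pscustomobject]@{
    Subject       = $cert.Subject
    Issuer        = $cert.Issuer
    HasPrivateKey = $cert.HasPrivateKey
    ClientAuth    = $ekus -contains '1.3.6.1.5.5.7.3.2'
    ServerAuth    = $ekus -contains '1.3.6.1.5.5.7.3.1'
    Thumbprint    = $cert.Thumbprint
}
```

If ServerAuth comes back False, the Application Policies step above was not applied to the issued template; the agent presents this certificate as a server, so both policies must be present.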

Export Agent Certificate:

Open up Internet Explorer.

Click on "Tools" from the menu

Click "Internet Options" from the dropdown

Then click the "Content" Tab.

Next click the "Certificates" button.

From here you should be on the "Personal" Tab.

Now highlight the certificate issued to the requesting user with the Friendly Name provided in the previous step. I requested and imported the certificate as Administrator and provided the Friendly Name "WIN_Auth_Agent"; as you can see below, this certificate is identified by that Friendly Name.

Click "Export"

Figure 43

Click "Next"

Figure 44

Choose the "Yes, export the private key" radio button and then click "Next"

Figure 45

Check "Include all certificates in the certification path if possible" and click "Next"

Figure 46

Enter a password you will designate for this certificate file.

NOTE: Remember this password, as it is needed to create the obfuscated "IdentityPassword" value later in the procedure. The exported file contains the agent's private key, so choose a strong password and restrict who can read the file.

Figure 47

Choose a name and a location (with full path) if preferred and click "Next"

Figure 48

Click Finish if the values look correct.

Figure 49

Click "OK"

Figure 50

Copy this WIN Auth Agent certificate file (WIN_Auth_Agent.pfx) to the directory where you are keeping the trusted and identity certificates for the WIN Auth Agent.

I used the location below, which I needed to create.
C:\Program Files\CA\eTrust SSO\Certificates

Change the extension of the certificate file from .pfx to .p12 by renaming it. Both extensions denote the same PKCS #12 format; only the name changes.

Before: WIN_Auth_Agent.pfx
After: WIN_Auth_Agent.p12
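The export and the checks that should follow it can be done from PowerShell as well. The block below is an added example, not from the KB or the SSO product: it exports the enrolled certificate with its private key and chain straight to the .p12 name (so no rename is needed), then re-opens the file the way a consumer would and confirms that it contains exactly one private key and that the identity chains to the trust file the clients will use. Export-PfxCertificate is available on Windows 8 / Server 2012 and later; folder and file names follow this document, and nothing else is assumed.

```powershell
# Added example (not from the KB): export the enrolled certificate and its private key to the
# PKCS#12 identity file from PowerShell and verify the file before the agent uses it.
# Export-PfxCertificate exists on Windows 8 / Server 2012 and later. .pfx and .p12 are the same
# PKCS#12 format, so the file is written under the .p12 name directly instead of being renamed.
# Folder and file names follow the KB; nothing else is assumed.
$FriendlyName = 'WIN_Auth_Agent'
$CertDir      = 'C:\Program Files\CA\eTrust SSO\Certificates'
$P12          = Join-Path $CertDir "$FriendlyName.p12"
$TrustFile    = Join-Path $CertDir 'certnew.cer'      # CA certificate saved earlier (Figures 2-3)

$cert = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.FriendlyName -eq $FriendlyName -and $_.HasPrivateKey })
if ($cert.Count -ne 1) { throw "Expected one '$FriendlyName' certificate with a private key, found $($cert.Count)" }

# Prompt for the password; it becomes the IdentityPassword value in the next step
$secure = Read-Host -Prompt "Password for $P12" -AsSecureString

# -ChainOption BuildChain = "Include all certificates in the certification path if possible" (Figure 46)
Export-PfxCertificate -Cert $cert[0] -FilePath $P12 -Password $secure -ChainOption BuildChain | Out-Null

# Re-open the file the way a consumer would, without touching a certificate store
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$bag = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$bag.Import($P12, $plain, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
$leaf = @($bag | Where-Object { $_.HasPrivateKey })
if ($leaf.Count -ne 1) { throw "$P12 does not contain exactly one private key" }
$leaf = $leaf[0]

# The identity must be verifiable by the trust file the SSO clients will use (TrustFile=)
$ca    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $TrustFile
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ExtraStore.AddRange($bag)
$chain.ChainPolicy.ExtraStore.Add($ca) | Out-Null
$chain.ChainPolicy.RevocationMode    = 'NoCheck'
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'   # CA need not be in the Windows store
$built        = $chain.Build($leaf)
$viaTrustFile = [bool]($chain.ChainElements | Where-Object { $_.Certificate.Thumbprint -eq $ca.Thumbprint })
if (-not $built -or -not $viaTrustFile) { throw "$($leaf.Subject) does not chain to $TrustFile" }

[pscustomobject]@{
    IdentityFile  = $P12
    Subject       = $leaf.Subject
    Issuer        = $leaf.Issuer
    NotAfter      = $leaf.NotAfter
    CertsInFile   = $bag.Count
    ChainsToTrust = $viaTrustFile
}
```

The chain check is the one that catches the most common mistake in this procedure: a trust file downloaded from a different CA (or an older CA certificate) than the one that issued the agent's identity. Doing it here, with the actual files, is cheaper than discovering it from a failed client connection later.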

Create the obfuscated identity file password value ("IdentityPassword") in the WIN Auth Agent ini file (CA_wintga.ini) and update it with the new certificate file and location.

The following steps create the obfuscated value (IdentityPassword=) that represents the password of the agent certificate (IdentityFile=) in the CA_wintga.ini file. The ssoencconf utility obfuscates the value (see the Index at the end of this document); this hides the password from casual reading but is not strong encryption, so restrict who can read CA_wintga.ini.

Below is the section of the CA_wintga.ini file that needs to be modified with the new "IdentityFile" and "IdentityPassword" values. See the example below.

EXAMPLE:

BEFORE:
[Security]
IdentityFile=C:\Program Files\CA\eTrust SSO\Windows Agent\cfg\sample2.p12
IdentityPassword=qX5Su3vq7cGmkIbzH5UPJRvGS38Aba75dzwBwHc5yxI=

AFTER:
[Security]
IdentityFile=C:\Program Files\CA\eTrust SSO\Certificates\WIN_Auth_Agent.p12
IdentityPassword=cR/n62fX1IXQWvnW6GLpuRB4DLvvclyg9AuAPr88oPQ=

Open an Explorer window at the directory below.
C:\Program Files\CA\eTrust SSO\Windows Agent\cfg

Make a backup of the CA_wintga.ini file and keep this location open for later reference.

Open a command prompt and change to the directory below.
C:\Program Files\CA\eTrust SSO\Windows Agent\bin

Now use the ssoencconf executable to write the obfuscated password value into the CA_wintga.ini file.

The command below is one long line which wraps around. Replace the Password_Here value with your agent certificate's password. Please do not copy and paste the command from this document; type it out completely on the command line. Note that the password is passed in clear text on the command line, so it is visible to anyone who can list processes while the command runs and remains in the session's command history.

EXAMPLE:

ssoencconf.exe -i "C:\Program Files\CA\eTrust SSO\Windows Agent\cfg\CA_wintga.ini" -v IdentityPassword -d Password_Here

NOTE: For further details and usage information on ssoencconf.exe, see the Index of this document.

Next, open the CA_wintga.ini file and verify the IdentityPassword value has changed as shown below. If needed, compare this to the backup of the CA_wintga.ini file you took previously.

Update the new certificate files and locations.

Also change the IdentityFile value to reflect the new WIN Auth Agent certificate and its location.

Finish by commenting out the TrustFile= setting with a leading ";" as shown in the AFTER example. On the agent, a trust file is only needed when the SSO Client also presents an identity certificate (bilateral authentication); in this configuration the client's identity certificate is commented out, so the agent does not need one.

BEFORE:
[Security]
IdentityFile=C:\Program Files\CA\eTrust SSO\Windows Agent\cfg\sample2.p12
IdentityPassword=qX5Su3vq7cGmkIbzH5UPJRvGS38Aba75dzwBwHc5yxI=
TrustFile=C:\Program Files\CA\eTrust SSO\Windows Agent\cfg\sample_CA_cert.pem

AFTER:
[Security]
IdentityFile=C:\Program Files\CA\eTrust SSO\Certificates\WIN_Auth_Agent.p12
IdentityPassword=cR/n62fX1IXQWvnW6GLpuRB4DLvvclyg9AuAPr88oPQ=
; TrustFile=C:\Program Files\CA\eTrust SSO\Certificates\certnew.cer

Once the changes are confirmed save the file and restart the WIN Auth Agent service.

SSO Client Side Certificate Steps:

First, on the SSO Client machine, change to the directory below and back up the auth.ini file.
C:\Program Files\CA\eTrust SSO\Client\cfg

In the SSO Client auth.ini file, comment out the IdentityFile and IdentityPassword values (the client does not present an identity certificate in this configuration) and update the TrustFile setting with the location and name of your trusted CA certificate. In my examples this was certnew.cer, copied to the Certificates folder used throughout this document.

See below example of that change.

BEFORE:

[Auth.WIN]
IdentityFile=C:\Program Files\CA\eTrust SSO\Client\cfg\sample1.p12
IdentityPassword=qX5Su3vq7cGmkIbzH5UPJRvGS38Aba75dzwBwHc5yxI
TrustFile=C:\Program Files\CA\eTrust SSO\Client\cfg\sample_CA_cert.pem

AFTER:
[Auth.WIN]
; IdentityFile=C:\Program Files\CA\eTrust SSO\Client\cfg\sample1.p12
; IdentityPassword=qX5Su3vq7cGmkIbzH5UPJRvGS38Aba75dzwBwHc5yxI
TrustFile=C:\Program Files\CA\eTrust SSO\Certificates\certnew.cer

Save the file and reboot so the SSO Client picks up the new settings.

Test the new configuration by connecting the SSO Client to the server running the WIN Auth Agent with your custom identity certificate. If the connection fails, the first things to check are that the TrustFile on the client is the Base64 certificate of the CA that issued the agent's identity certificate, and that the IdentityFile path and IdentityPassword on the agent were saved in CA_wintga.ini and the service restarted.

You should now have the WIN Auth communications protected with SSL/TLS using certificates issued by your own CA.
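Both ini edits above (CA_wintga.ini on the agent host and auth.ini on each SSO Client) follow the same pattern: back the file up, change or comment out a handful of keys in one section, and confirm the result. The PowerShell below is an added example, not from the KB or the SSO product, that scripts both. Set-IniValue is a helper written for this example; ssoencconf.exe is the utility this document describes, invoked with the same -i/-v/-d options. Paths and file names follow this document.

```powershell
# Added example (not from the KB): script the ini edits on the agent host (CA_wintga.ini) and on
# each SSO client (auth.ini). Set-IniValue is a helper written for this example, not an SSO
# utility; ssoencconf.exe is the utility the KB describes. Paths and file names follow the KB.
function Set-IniValue {
    # Sets Key=Value inside [Section], or with -Comment prefixes the line with ';' instead.
    # Re-uses an existing line (commented or not) so no duplicate keys are introduced.
    param([string]$Path, [string]$Section, [string]$Key, [string]$Value, [switch]$Comment)
    $out = New-Object System.Collections.Generic.List[string]
    $inSection = $false; $done = $false
    foreach ($line in (Get-Content -Path $Path)) {
        if ($line -match '^\s*\[(.+?)\]\s*$') { $inSection = ($Matches[1] -eq $Section) }
        elseif ($inSection -and -not $done -and $line -match "^\s*;?\s*$Key\s*=") {
            if ($Comment) { $out.Add('; ' + ($line -replace '^\s*;\s*', '')) } else { $out.Add("$Key=$Value") }
            $done = $true
            continue
        }
        $out.Add($line)
    }
    if (-not $done) { throw "'$Key' not found in [$Section] of $Path" }
    Set-Content -Path $Path -Value $out -Encoding Default
}

$CertDir = 'C:\Program Files\CA\eTrust SSO\Certificates'

# ---------------- Agent host ----------------
$AgentCfg = 'C:\Program Files\CA\eTrust SSO\Windows Agent\cfg\CA_wintga.ini'
$Encconf  = 'C:\Program Files\CA\eTrust SSO\Windows Agent\bin\ssoencconf.exe'
Copy-Item $AgentCfg "$AgentCfg.$(Get-Date -Format yyyyMMddHHmmss).bak"

# ssoencconf obfuscates the password and writes it into the file itself; keep the old line to compare
$before = (Select-String -Path $AgentCfg -Pattern '^\s*IdentityPassword\s*=').Line
$secure = Read-Host -Prompt 'Password of the .p12 identity file' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
& $Encconf -i $AgentCfg -v IdentityPassword -d $plain
if ($LASTEXITCODE -ne 0) { throw 'ssoencconf.exe failed' }
$after = (Select-String -Path $AgentCfg -Pattern '^\s*IdentityPassword\s*=').Line
if (-not $after -or $after -eq $before) { throw 'IdentityPassword was not updated; compare with the .bak copy' }

Set-IniValue -Path $AgentCfg -Section 'Security' -Key 'IdentityFile' -Value (Join-Path $CertDir 'WIN_Auth_Agent.p12')
Set-IniValue -Path $AgentCfg -Section 'Security' -Key 'TrustFile' -Comment   # optional on the agent; only for bilateral auth

# The stored IdentityPassword is obfuscated, not strongly encrypted: review who can read the file
icacls $AgentCfg

# ---------------- Each SSO client ----------------
$ClientCfg = 'C:\Program Files\CA\eTrust SSO\Client\cfg\auth.ini'
Copy-Item $ClientCfg "$ClientCfg.$(Get-Date -Format yyyyMMddHHmmss).bak"
Set-IniValue -Path $ClientCfg -Section 'Auth.WIN' -Key 'IdentityFile'     -Comment
Set-IniValue -Path $ClientCfg -Section 'Auth.WIN' -Key 'IdentityPassword' -Comment
Set-IniValue -Path $ClientCfg -Section 'Auth.WIN' -Key 'TrustFile' -Value (Join-Path $CertDir 'certnew.cer')
```

The password still reaches ssoencconf.exe as a command-line argument, exactly as in the manual command above, so it is visible in process listings while the tool runs; run the script interactively rather than from a logged job, and restart the WIN Auth Agent service afterwards as the procedure requires.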

INDEX:

SSOENCCONF.EXE

Utility to obfuscate a configuration value and optionally update it in either the Windows Registry or a configuration file.

 usage: ssoencconf [<config location> <name>] <data>
 where:
   config location - The storage location of the configuration data.
     Must be specified as either:
       -r <Windows Registry Key>
       OR
       -i <Configuration File Path>

     Note: if this option is omitted the value is
     output to stdout.
   name   - The name of either the registry value or configuration
       file variable specified as:
       -v [<registry value name>|<variable name>]
   data   - The data to be obfuscated and stored specified as:
       -d <data>
     Note: use -d "" to obfuscate an empty string.

Source: page 184 of the Implementation Guide.

SSL Communication

The use of SSL is mandatory for the Windows authentication agent. To set this up during installation, you must specify:

  • An Identity file and password. You can also specify a Trust file (optional).

  • To install the TGA, an administrator will require (at least) a 'P12' file containing certificate(s) and the associated private key that can be used by the server to assert its identity.

  • To install the client components, an administrator will require each client to have (at least) a PEM file containing the required trusted certificates with which the client can confirm the server's identity.

Note: SSO does not provide the tools/utilities to create these files. You can choose to use your PKI design and technology adoption, or download the OpenSSL tool which will guide you through the trusted certificate creation process. For more information, see the procedures at the end of this section.

Identity File and Password

The identity file is a PKCS #12 (Personal Information Exchange Syntax Standard) format file containing the private key and machine certificate of the authentication host. This is required to authenticate SSL communication between the authentication host and SSO client machines.

For more information on creating an Identity file, see 5. Create an Identity File (PKCS#12) for the Windows Authentication Agent (see page 189).

Trust Files

The Trust file is the PEM format issuer certificate of the identity files installed on the SSO Client machines. This is required if the SSL communications between the SSO Client and Windows authentication agent are to be bilaterally authenticated.

For more information on creating trusted certificates, see Create a Self Signed Certificate (see page 185) and Issue a Certificate for the Windows Authentication Agent (see page 187).