IDMS as a Certificate Authority Gateway for CMS
In scenarios where certificates are issued by more than one certificate authority, the IDMS can assist the CMS by providing an additional interface through which the CMS retrieves certificates.
Overview
The IDMS CA gateway enables the CMS to route certificate requests to different Certificate Authorities that may not be part of the CMS’s domain.

Setup
Prepare the Certificate Authority
Step Number | Step | Description |
---|---|---|
1 | Open the Certificate Authority snap-in. Right-click the CA server and select "Properties". | |
2 | On the "Security" tab, click "Add" under "Group or user names". Click "Object types", select "Computer" and click OK. | |
3 | Search for the IDMS server (computer account) and click OK. | |
4 | Select the IDMS server and allow the "Issue and Manage Certificates" permission. Click OK. | |
The system will utilize the enrollment agent certificate when issuing certificates as part of the smart card programming process.
Creating the Enrollment Agent Certificate
Step Number | Step | Description |
---|---|---|
1 | Log in to the CA server. | |
2 | Open Certificate Authority, right-click Certificate Templates and select Manage. | |
3 | Right-click the Enrollment Agent (Computer) template. On the Security tab, select Authenticated Users and allow them to Enroll. Click OK. | |
4 | Back in Certificate Authority, right-click Certificate Templates and select New, then Certificate Template to Issue. Select the Enrollment Agent (Computer) certificate and click OK. | |
5 | Log in to the IDMS server. | |
6 | Open MMC → Certificates → Local Computer. Under Personal Certificates, right-click and select All Tasks, then Request New Certificate. | |
7 | Proceed with the defaults, select the Enrollment Agent (Computer) certificate and click Enroll. | |
8 | Open the certificate that was issued, switch to the Details tab and select the Serial Number. Save the serial number of the certificate; it is used in the next section. | |
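A PowerShell check for step 8, added here as an example (it is not part of the original page or the product's own tooling): it lists the certificates in the Local Computer personal store that carry the Certificate Request Agent EKU (OID 1.3.6.1.4.1.311.20.2.1), hold a private key and are currently valid, and prints the serial number to record for the next section. It assumes it is run on the IDMS server in an elevated session; the function name is chosen for this example.

```powershell
# Added example: locate the Enrollment Agent (Computer) certificate enrolled
# in step 7 and report its serial number (step 8), checking the properties the
# CA gateway depends on. Assumes an elevated session on the IDMS server.

# Well-known EKU OID for "Certificate Request Agent" (the enrollment agent EKU).
$EnrollmentAgentEku = '1.3.6.1.4.1.311.20.2.1'

function Get-EnrollmentAgentCertificate {
    [CmdletBinding()]
    param(
        # Local Computer personal store, where step 6 requested the certificate.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    $now = Get-Date
    Get-ChildItem -Path $StorePath |
        Where-Object {
            # Must carry the Certificate Request Agent EKU ...
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $EnrollmentAgentEku }) -and
            # ... the machine must hold the private key, or it cannot sign requests ...
            $_.HasPrivateKey -and
            # ... and the certificate must be within its validity period.
            $_.NotBefore -le $now -and $_.NotAfter -gt $now
        } |
        Select-Object Subject, Issuer, Thumbprint, SerialNumber, NotAfter
}

$agentCerts = @(Get-EnrollmentAgentCertificate)

switch ($agentCerts.Count) {
    0 {
        Write-Warning 'No usable Enrollment Agent (Computer) certificate in the Local Computer store; repeat steps 5-7.'
    }
    1 {
        # SerialNumber is the same hex value MMC shows, without the spaces.
        "Serial number to record for the next section: $($agentCerts[0].SerialNumber)"
        $agentCerts[0] | Format-List
    }
    default {
        Write-Warning "$($agentCerts.Count) enrollment agent certificates found; record the serial number of the one intended for the IDMS gateway."
        $agentCerts | Format-Table Thumbprint, SerialNumber, NotAfter -AutoSize
    }
}
```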
Requirements:
The account under which the IDMS server runs must be able to access the Microsoft CA.
Create the Certificate Template
Step Number | Step | Description |
---|---|---|
1 | Open the Certificate Templates snap-in. | |
2 | Locate the Smart Card Logon certificate template and click Duplicate. | |
3 | Name the template DC_PIV_AUTHENTICATION. | |
4 | Click Request Handling. | |
5 | Click Security. | |
6 | Click Subject Name. | |
7 | Click Issuance Requirements. Check "This number of authorized signatures" and select the Application Policy "Certificate Request Agent". | |
8 | Save the template. | |
9 | Go to the CA, right-click Certificate Templates and select New, then Certificate Template to Issue. | |
10 | Select the template. | |
11 | Restart the CA service. | |