Configuring direct certificate authority access to a Microsoft CA server

The Certificate Integration module is an alternative method to the SCEP and helps to request device certificates from a Microsoft Certificate Authority server. The Cloud Extender® provides a feature that directly obtains certificates from Microsoft Certificate Authority servers that reside in the same forest, or trusted forests, as the Cloud Extender server.

Cloud Extender Configuration Tool setting

Cloud Extender provides a new template type, the Direct CA Certs template. Before you configure a Direct CA Certs template, make sure that the following prerequisites are met.
  • Cloud Extender must be in the same forest as the Certificate Authority server. To configure a Direct CA Certs template on a Cloud Extender that is in a different forest, ensure that a two-way trust is established between the Cloud Extender forest and the Certificate Authority server's forest.
  • Note the fully qualified domain name (FQDN) of the Certificate Authority server.
  • Note the name of the default template that is defined on the Certificate Authority server, which is generally mobiledevices.
  • The Cloud Extender service account must have enroll and read privileges to request and download certificates from the Certificate Authority.
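The prerequisites above can be checked from the Cloud Extender host before the template is built. The following PowerShell script is an added example and is not part of the product documentation; it assumes the RSAT ActiveDirectory module is installed, that the account running it can read the Configuration partition, and that the CA FQDN, template name and service account at the top are placeholders you replace with your own values. It checks the forest or two-way trust requirement, that the CA FQDN resolves, that the template is published on that CA, and that the service account holds direct Read and Enroll entries on the template's ACL.

```powershell
# Added example, not IBM's code: pre-flight checks for Direct CA Certs prerequisites.
# Placeholder values; replace with your environment's own.
$CaFqdn         = 'ca01.corp.example.com'   # FQDN of the Certificate Authority server
$TemplateName   = 'mobiledevices'           # template name defined on the CA
$ServiceAccount = 'CORP\svc-cloudextender'  # Cloud Extender service account (DOMAIN\name)

Import-Module ActiveDirectory

# 1. Forest check: the CA must be in the local forest or in a forest with a two-way trust.
$caDomain = ($CaFqdn -split '\.', 2)[1]
if ((Get-ADForest).Domains -contains $caDomain) {
    Write-Output "OK: CA domain $caDomain is in the local forest."
} else {
    $trust = Get-ADTrust -Filter * | Where-Object { $_.Name -eq $caDomain }
    if ($trust -and $trust.Direction -eq 'BiDirectional') {
        Write-Output "OK: two-way trust with $caDomain exists."
    } else {
        Write-Warning "No two-way trust with $caDomain found; Direct CA Certs requires one."
    }
}

# 2. Name resolution: the FQDN entered in the template must resolve from this host.
try {
    $null = Resolve-DnsName -Name $CaFqdn -ErrorAction Stop
    Write-Output "OK: $CaFqdn resolves."
} catch {
    Write-Warning "Cannot resolve $CaFqdn: $($_.Exception.Message)"
}

# 3. Template is published on this CA (pKIEnrollmentService object in the Configuration NC).
$configNC = (Get-ADRootDSE).configurationNamingContext
$caObj = Get-ADObject -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC" `
                      -LDAPFilter "(dNSHostName=$CaFqdn)" -Properties certificateTemplates
if (-not $caObj) {
    Write-Warning "No enrollment service object found for $CaFqdn in AD."
} elseif ($caObj.certificateTemplates -contains $TemplateName) {
    Write-Output "OK: template $TemplateName is published on CA '$($caObj.Name)'."
} else {
    Write-Warning "Template $TemplateName is not published on CA '$($caObj.Name)'."
}

# 4. Service account has Read and Enroll on the template object.
# Only direct ACEs for the account are inspected; rights inherited through group
# membership are not resolved here and would need a group membership check as well.
$enrollRight = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$tmplDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$tmpl = Get-ADObject -Identity $tmplDN -Properties nTSecurityDescriptor -ErrorAction SilentlyContinue
if (-not $tmpl) {
    Write-Warning "Template object $TemplateName not found in AD."
} else {
    $aces = $tmpl.nTSecurityDescriptor.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $ServiceAccount
    }
    $hasRead = $aces | Where-Object { $_.ActiveDirectoryRights -match 'GenericRead|ReadProperty' }
    $hasEnroll = $aces | Where-Object {
        $_.ActiveDirectoryRights -match 'ExtendedRight' -and
        ($_.ObjectType -eq $enrollRight -or $_.ObjectType -eq [Guid]::Empty)
    }
    if ($hasRead)   { Write-Output "OK: $ServiceAccount has Read on $TemplateName." }
    else            { Write-Warning "$ServiceAccount has no direct Read ACE on $TemplateName." }
    if ($hasEnroll) { Write-Output "OK: $ServiceAccount has Enroll on $TemplateName." }
    else            { Write-Warning "$ServiceAccount has no direct Enroll ACE on $TemplateName." }
}
```

Run the script in a PowerShell session on the Cloud Extender server as an account that can read Active Directory; a warning from any of the four checks points at the prerequisite that needs to be corrected before the template test in the Configuration Tool can succeed.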

Configuring direct certificate access to a Microsoft Certificate Authority

  1. From the Certificate Integration page in the Cloud Extender Configuration Tool, click Add New Template. The Certificate Templates section expands.
  2. Select the Certificate Authority and the method for issuing Identity Certificates.
  3. Select Microsoft CA, and then select the User Authentication for Email, Wi-Fi, VPN, browser or reverse proxy option to create Device Identity Certificates.
  4. Select Direct CA Certs to request and download your Device Identity Certificates. The Direct CA and Service Account Configuration page is displayed.
  5. In the Direct CA section, enter the Direct CA Certs template name, the fully qualified domain name (FQDN) of the Certificate Authority, and the Certificate Authority server template name.
  6. In the Service Account Configuration section, enter the service account credentials that allow the Cloud Extender to obtain certificates from the Certificate Authority server. If you previously entered service account credentials for another feature, the account credentials automatically populate the configuration fields.
    Note: For Direct CA certificates to work properly, the account that you specify must have enroll and read privileges on your Certificate Authority server.
  7. Click Next. The Certificate Properties page is displayed.
  8. Provide additional certificate properties such as a Subject Name and a Subject Alternative Name. You can also choose whether to cache certificates locally.
  9. Click Next. The Test Configuration and Configure Advanced Settings page is displayed.
  10. In the Test Configuration section, enter the certificate name and other required test values, such as a username, an email address, and the user principal name (UPN). The test values are based on the characteristics of the template that you create.
  11. In the Configure Advanced Settings section, you can change some template characteristics that are not commonly altered. Click Advanced to view and change these settings.
  12. Click Test or Test and Save to test the certificate. If the test is successful, the certificate information is displayed including a link to the location of the certificate on the file system. If an error occurs and the certificate test fails, a message is displayed explaining why the test failed.