Complete the following to configure the Microsoft CA Proxy:
1. On the Microsoft CA machine, go to Start > Windows Administrative Tools > Certification Authority.
2. Click your certification authority to expand the root folder.
3. Right-click Certificate Templates, and then select Manage. The Certificate Templates Console appears.
4. Scroll the template list, right-click the User template and select Duplicate Template. The Properties of New Template dialog box appears.
5. In the Compatibility Settings, select the following:
a. From the Certificate Authority drop-down list, select
– Windows Server 2012R2 if you are running on a 2012R2 server
-or-
– Windows Server 2016 if you are running on Windows Server 2016 or later
b. From the Certificate Recipient drop-down list, select
– Windows 8.1/Windows Server 2012R2 if you are running on a 2012R2 server
-or-
– Windows 10/Windows Server 2016 if you are running on Windows Server 2016 or later
c. Optional. If the Show resulting changes check box is selected, a message lists the options that will be added with your choice. Click OK to close the message.
6. Click the General tab.
7. In the Template display name field, enter Client Authentication.
8. Review the Validity Period. Extend it if necessary.
9. Click the Subject Name tab.
10. Select the Supply in the request radio button and click OK on the warning dialog box.
11. Click the Extensions tab.
12. Select Application Policies and click Edit. The Edit Application Policies Extension dialog box appears.
13. Select and remove Encrypting File System and Secure Email and then click OK.
14. Click OK to close the Properties of Template dialog box.
15. Return to the Certification Authority.
16. Click to expand your certification authority root folder.
17. Right-click Certificate Templates and select New > Certificate Template to Issue. The Enable Certificate Templates dialog box appears.
18. Select Client Authentication and click OK.
Generate the Microsoft CA Proxy Server truststore
1. On the Microsoft CA Proxy Server machine, create an SSL directory under the Microsoft CA Proxy installation directory (for example, c:\mscaproxy\ssl).
2. Open a command prompt.
3. Run the following command, where:
● truststorepwd = The trust store password
● ca_host = CA host name
● ca_name = CA name. You can find the CA name at Certification Authority > Properties > General > Name.
certutil -config <ca_host>\<ca_name> -ca.cert caroot.cer
4. In this directory, run the following command to import the root CA certificate (for example, caroot.cer) into the truststore.
keytool -import -noprompt -alias caroot -file caroot.cer -keystore truststore.jks -storepass <truststorepwd>
5. If your CA has intermediate CA certificates, obtain these certificates from your CA, then run the following command for each of them to import the corresponding issuing certificate (for example, ca-issuing.cer).
keytool -import -noprompt -alias ca-issuing -file ca-issuing.cer -keystore truststore.jks -storepass <truststorepwd>
To configure SSL for the Microsoft CA Proxy Server, you need to generate an mscaproxy.jks keystore containing the following:
● The Microsoft CA Proxy private key for SSL server authentication
● The key's certificate
● The certificate chain
● The Microsoft CA Proxy certificate
Generate a Server JKS
1. On the Microsoft CA Proxy Server machine, go to the SSL directory under the Microsoft CA Proxy directory (c:\mscaproxy\ssl).
2. Open a command prompt.
3. Run the following commands, where:
● keypwd = private key password
● keystorepwd = JKS password
● ca_proxy_fqdn = Microsoft CA proxy server fully qualified domain name.
● ca_host = CA host name
● ca_name = CA name. You can find the CA name at Certification Authority > Properties > General > Name.
keytool -genkey -noprompt -alias mscaproxy -dname "cn=<ca_proxy_fqdn>" -keyalg RSA -keysize 2048 -keystore mscaproxy.jks -storepass <keystorepwd>
keytool -certreq -alias mscaproxy -ext SAN=dns:"<ca_proxy_fqdn>" -file mscaproxy.csr -keystore mscaproxy.jks -storepass <keystorepwd>
certreq.exe -f -attrib "CertificateTemplate:WebServer" -config "<ca_host>\<ca_name>" mscaproxy.csr CertChainFileOut mscaproxy.p7b
keytool -import -noprompt -alias mscaproxy -file mscaproxy.p7b -keystore mscaproxy.jks -storepass <keystorepwd>
keytool -export -noprompt -alias mscaproxy -file mscaproxyserver.cer -keystore mscaproxy.jks -storepass <keystorepwd>
Note: You need the generated mscaproxyserver.cer file located in the ssl directory when you Configure a Microsoft CA in Identity as a Service.
To generate a client PKCS12, you need to generate an mscaproxyclient.pfx keystore containing the following:
● The CA Gateway's private key for client authentication
● The key's certificate
● The certificate chain
Generate a client PKCS12
1. On the Microsoft CA Proxy Server machine, create a client directory under the Microsoft CA proxy directory (c:\mscaproxy\client).
2. Open a command prompt.
3. Run the following commands, where:
● keystorepwd = the PKCS12 password
● ca_host = CA host name
● ca_name = CA name. You can find the CA name at Certification Authority > Properties > General > Name.
keytool -genkey -noprompt -alias mscaproxyclient -dname "cn=mscaproxy client" -keyalg RSA -keysize 2048 -keystore mscaproxyclient.pfx -storetype PKCS12 -storepass <keystorepwd>
keytool -certreq -alias mscaproxyclient -file mscaproxyclient.csr -keystore mscaproxyclient.pfx -storepass <keystorepwd>
certreq.exe -f -attrib "CertificateTemplate:ClientAuthentication" -config "<ca_host>\<ca_name>" mscaproxyclient.csr CertChainFileOut mscaproxyclient.p7b
keytool -import -noprompt -alias mscaproxyclient -file mscaproxyclient.p7b -keystore mscaproxyclient.pfx -storepass <keystorepwd>
Note: You need the generated mscaproxyclient.pfx file located in the client directory when you Configure a Microsoft CA in Identity as a Service.
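Before the two keystores generated above are referenced from the Microsoft CA Proxy configuration, it is worth confirming that the certificates actually carry what the CA Proxy depends on: the server certificate must have a server-authentication EKU and a SAN matching the proxy FQDN, and the client certificate must chain to caroot.cer, contain its private key, and carry only the Client Authentication EKU (steps 12 and 13 of the template setup removed Encrypting File System and Secure Email). The following PowerShell script is an added example, not part of the Entrust documentation or the product; it assumes the directory layout used above (c:\mscaproxy\ssl and c:\mscaproxy\client), reads the PKCS12 password interactively, and uses the placeholder FQDN proxyserver.example.com, which you replace with your <ca_proxy_fqdn>. The JKS files cannot be opened by .NET, so the server side is checked through the exported mscaproxyserver.cer.

```powershell
# Added example (not part of the original documentation): verify the artefacts
# produced by the truststore, server JKS and client PKCS12 sections above.
# Assumptions: files in C:\mscaproxy\ssl and C:\mscaproxy\client as created
# above; $ProxyFqdn is a placeholder to replace with your <ca_proxy_fqdn>.
using namespace System.Security.Cryptography.X509Certificates

$SslDir    = 'C:\mscaproxy\ssl'
$ClientDir = 'C:\mscaproxy\client'
$ProxyFqdn = 'proxyserver.example.com'        # placeholder: your <ca_proxy_fqdn>
$Pkcs12Pwd = Read-Host -AsSecureString 'Password of mscaproxyclient.pfx'

# Extended key usage OIDs relevant to the templates configured above
$ServerAuth  = '1.3.6.1.5.5.7.3.1'
$ClientAuth  = '1.3.6.1.5.5.7.3.2'
$SecureEmail = '1.3.6.1.5.5.7.3.4'
$Efs         = '1.3.6.1.4.1.311.10.3.4'

# Returns the EKU OIDs of a certificate as an array of strings (empty if none)
function Get-EkuOids([X509Certificate2]$Cert) {
    $ext = $Cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

# True when the chain built for $Cert ends at $Root. The root may not yet be in
# this machine's trust store, so unknown-authority errors are tolerated and only
# the identity of the chain's last element is checked. Revocation is skipped so
# the check works offline.
function Test-ChainsToRoot([X509Certificate2]$Cert, [X509Certificate2]$Root) {
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode    = [X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::AllowUnknownCertificateAuthority
    [void]$chain.ChainPolicy.ExtraStore.Add($Root)
    [void]$chain.Build($Cert)
    $last = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    return ($last.Thumbprint -eq $Root.Thumbprint)
}

$root   = [X509Certificate2]::new((Join-Path $SslDir 'caroot.cer'))
$server = [X509Certificate2]::new((Join-Path $SslDir 'mscaproxyserver.cer'))
$client = [X509Certificate2]::new((Join-Path $ClientDir 'mscaproxyclient.pfx'), $Pkcs12Pwd)

$serverEku = Get-EkuOids $server
$clientEku = Get-EkuOids $client
$san     = $server.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
$sanText = if ($san) { $san.Format($false) } else { '' }

$results = [ordered]@{
    'server: serverAuth EKU present (WebServer template)' = ($serverEku -contains $ServerAuth)
    "server: SAN lists $ProxyFqdn"                        = ($sanText -match [regex]::Escape($ProxyFqdn))
    'server: chains to caroot.cer'                        = (Test-ChainsToRoot $server $root)
    'client: private key present in PKCS12'               = $client.HasPrivateKey
    'client: clientAuth EKU present'                      = ($clientEku -contains $ClientAuth)
    'client: EFS and Secure Email EKUs removed'           = (-not (($clientEku -contains $Efs) -or ($clientEku -contains $SecureEmail)))
    'client: chains to caroot.cer'                        = (Test-ChainsToRoot $client $root)
}

$failed = 0
foreach ($check in $results.Keys) {
    $ok = [bool]$results[$check]
    if (-not $ok) { $failed++ }
    '{0,-5} {1}' -f $(if ($ok) { 'PASS' } else { 'FAIL' }), $check
}
exit $failed   # non-zero exit code = number of failed checks
```

Run the script from an elevated PowerShell prompt on the CA Proxy machine after completing the keystore steps. A FAIL on the SAN line usually means the -ext SAN option was omitted or the WebServer template is configured to build the subject from Active Directory rather than from the request; a FAIL on the EFS/Secure Email line means the duplicated template still carries the application policies that step 13 removes, so a certificate issued from it would be usable for more than client authentication.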
1. On the Microsoft CA Proxy Server machine, go to <msca_install>/config and open application.yml with a text editor.
2. Uncomment all lines in the file by removing the #.
3. Save and close the file.
4. Go to <msca_install>/config and open key-store-password.scrt with a text editor.
5. Set decrypted=<keystorepwd> where <keystorepwd> is the password of the JKS file you created in the section, "Configure SSL for the Microsoft CA Proxy Server."
6. Save and close the file.
7. Go to <msca_install>/config and open trust-store-password.scrt with a text editor.
8. Set decrypted=<truststorepwd> where <truststorepwd> is the password of the JKS file you created in Step 2, "Generate the Microsoft CA Proxy Server truststore."
9. Save and close the file.
As administrator, use the following commands to manage the Microsoft CA Proxy Server:
● MSCAProxy start
● MSCAProxy stop
● MSCAProxy uninstall
● MSCAProxy restart
You can also check to see whether the Microsoft CA Proxy is running.
Check to see if the Microsoft CA Proxy is running
1. Open Chrome.
2. Start the Microsoft CA Proxy as follows:
From a command prompt, enter
C:\>cd mscaproxy
C:\mscaproxy>MSCAProxy.exe start
3. Import into Chrome the mscaproxyclient.pfx file you created in Step 4: Generate a Client PKCS12 for Identity as a Service.
4. Go to https://proxyserver:8443/MSCAProxy/rest/status/ping, where proxyserver is the hostname of your Microsoft CA Proxy Server.
5. Check the server response for the following message to confirm that the Microsoft CA Proxy is running:
"MS CA proxy is running"
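The browser check above is fine for a one-off test, but the same request can be scripted so the proxy's availability is monitored from a scheduled task or a monitoring agent. The following PowerShell script is an added example, not part of the Entrust documentation or the product; it assumes the client PKCS12 at C:\mscaproxy\client\mscaproxyclient.pfx created earlier, uses the placeholder host name proxyserver (replace it with your proxy's host name), and asks for the PKCS12 password interactively. The server certificate issued from the WebServer template must be trusted by the machine running the script, which is normally the case for a domain-joined machine when the issuing CA is the enterprise CA.

```powershell
# Added example (not part of the original documentation): scripted version of
# the "Check to see if the Microsoft CA Proxy is running" procedure.
# Assumptions: client PKCS12 path below; $ProxyHost is a placeholder.
using namespace System.Security.Cryptography.X509Certificates

$ProxyHost = 'proxyserver'                                   # placeholder host name
$PfxPath   = 'C:\mscaproxy\client\mscaproxyclient.pfx'
$Pkcs12Pwd = Read-Host -AsSecureString 'Password of mscaproxyclient.pfx'
$Expected  = 'MS CA proxy is running'                        # response quoted above

# The proxy requires mutual TLS, so present the client certificate generated
# from the Client Authentication template (same file imported into Chrome above).
$clientCert = [X509Certificate2]::new($PfxPath, $Pkcs12Pwd)
$uri = "https://${ProxyHost}:8443/MSCAProxy/rest/status/ping"

try {
    $resp = Invoke-WebRequest -Uri $uri -Certificate $clientCert -UseBasicParsing -TimeoutSec 15
    $body = $resp.Content
    if ($body -match [regex]::Escape($Expected)) {
        Write-Output "OK: $body"
        exit 0
    }
    # HTTP 200 but not the expected text: treat as unhealthy, not as a transport error
    Write-Output "UNEXPECTED RESPONSE ($($resp.StatusCode)): $body"
    exit 1
}
catch {
    # Typical causes: MSCAProxy service not started, server certificate not
    # trusted by this machine, or the proxy rejected the client certificate.
    Write-Output "FAILED: $($_.Exception.Message)"
    exit 2
}
```

The three exit codes let a scheduler distinguish a healthy proxy (0) from an unexpected reply (1) and a connection or TLS failure (2); the last case is the one to look at first after a certificate renewal, since both the server keystore password in key-store-password.scrt and the client PKCS12 must still match the certificates in use.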