Configure a Microsoft CA

To configure a Microsoft Certificate Authority (Microsoft CA), you must complete procedures on two different machines.

● Microsoft CA Proxy Server—The interfacing component that communicates to the Microsoft CA. This component must be deployed on a domain-joined machine in the same domain as the Microsoft CA.

If you are publishing certificates to Active Directory, the subject dn of your generated certificates must correctly identify the associated user in Active Directory. If you are using AD Sync to sync users to Identity as a Service, the certificate subject DN is automatically set with the user's DN. See Configure a DN attribute for Microsoft CA for more information.

Overview

The use of a Microsoft CA with Identity as a Service involves the following components and interactions:

Prerequisites

Before you begin, you need a machine that will host the Microsoft Certification Authority Proxy with the following:

● Java 11 version or later of Oracle Java, OpenJDK, or AdoptOpenJDK. To check the Java installation, run java -version

You need to create a domain administrator account with the following Certificate Authority permissions:

a. On the Microsoft CA machine, go to Start > Windows Administrative Tools > Certification Authority.

b. Right-click the Certification Authority and select Properties. The CA Properties dialog box appears.

c. Click the Security tab.

d. In the Group or user names list, select the name of the domain administrator account you created (or the administrators group or the enterprise administrator group that your administrator belongs to).

e. Under Permissions for <user account>, in the Allow column, ensure that the following permissions are selected:

– Issue and Manage Certificates

– Request Certificates

f. Click OK to save the settings and close the window.

1. Go to the directory where Microsoft CA Proxy 2.5.4 is installed (for example, c:\mscaproxy).

Note: If you get an error accessing the files, perform a reboot and run the command again to move the files.

1. Download the Microsoft CA Proxy server installation file form Identity as a Service:

b. Click

Microsoft CA Proxy. The Microsoft CA Proxy Download URL dialog box appears.

c. In the Microsoft CA Proxy Download URL dialog box, click

Microsoft CA Proxy to download the msca-proxy-install-2.7.10-158.zip file.

2. Copy the msca-proxy-install-2.7.10-158.zip file to your Microsoft CA Proxy server machine.

3. Unzip the contents of the compressed file in a local directory of the Windows machine (for example, c:\mscaproxy).

Note: The /p option is required in order to be prompted to use a domain administrator account with the required permissions as mentioned below.

5. At the username and password prompt, use a domain administrator account with the following permissions on the CA:

Note: When entering the domain administrator, the value should be of the form domain\username, for example, mydomain\myadmin.

1. Do the following to maintain the existing ssl keys, certificates, and configuration:

xcopy c:\mscaproxy2.5.4\tmp\* c:\mscaproxy\tmp /I (or xcopy c:\mscaproxy\client\* c:\mscaproxy\client /I)

2. Update the keystore and truststore passwords. These will be re-encrypted using the latest MSCA Proxy version.

a. Go to <msca_install>/config and open key-store-password.scrt with a text editor.

b. Change encrypted=<encrypted-keystorepwd> to decrypted=<keystorepwd> where <decrypted-keystorepwd> is the decrypted password of the JKS keystore used with the Microsoft CA Proxy Server.

d. Go to <msca_install>/config and open trust-store-password.scrt with a text editor.

e. Change encrypted=<encrypted-truststorepwd> to decrypted=<decrypted-truststorepwd> where <decrypted-truststorepwd> is the decrypted password of the JKS truststore used with the Microsoft CA Proxy Server.

There are many topics in this section. It is important that you complete the procedures in the following order: