Implementing the Microsoft Public Key Infrastructure (PKI) solution
SDS Enterprise operation requires the use of encryption and signature keys for all the company's users. To set up the Microsoft Windows PKI solution to generate your users’ keys, follow the steps below.
The implementation of Microsoft Windows PKI facilitates, among other things, the creation of user accounts in SSO mode, which require keys to be stored in Windows certificate stores. For more information, see Creating a Single Sign-On (SSO) account.

You must have a Microsoft Windows server as the domain controller and assign the following roles to it:
-
DHCP server
-
DNS server
-
Active Directory Domain Services (AD DS)

The first step is to implement a certification authority on your Windows server, using the Active Directory Certificate Services (AD CS) role. The certification authority issues, revokes and renews the certificates that carry your users' keys (and, once key archival is enabled, keeps an archived copy of their encryption private keys).
The first certification authority you deploy becomes the root authority of your internal PKI. Subsequently, you can deploy secondary certification authorities and create a hierarchy of authorities.
Follow the procedure below to set up your certification authority and declare it in your SDS Enterprise security policies.
NOTE
For more information on using Windows Server Manager and implementing a certification authority, see the Microsoft documentation.
-
On your Windows server, open Server Manager.
-
Click Add roles and features.
-
Fill out the following screens.
-
On the server roles screen, select Active Directory Certificate Services.
-
Add the Certification Authority and Certification Authority Web Enrollment role services.
-
After installation, when configuring Active Directory Certificate Services, select Enterprise CA in Setup Type.
-
Select Root CA in CA Type.
-
Fill out the following screens.
-
Save the certification authority certificate in .cer, .crt or .cert format.
-
Import it into the SDMC certificate library by following the Managing authority certificates and recovery certificates in SDMC procedure.
-
Declare the certification authority in your security policies by following the Adding certification authorities and configuring certificate revocation control procedure.
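The procedure above, scripted with PowerShell as an added example (this is not code from the SDS Enterprise documentation or from Stormshield): it installs the AD CS role services, configures the Enterprise Root CA and exports its certificate for the SDMC library. The CA name SDS-Root-CA, the export folder C:\pki and the 10-year CA validity are assumptions; run it in an elevated session as a member of Enterprise Admins on the domain controller.

```powershell
# Added example (not part of the SDS Enterprise documentation): installs and configures
# the Enterprise Root CA described above, then exports the CA certificate for SDMC.
# Assumptions (hypothetical values): CA common name "SDS-Root-CA", export path C:\pki.

# 1. Install the AD CS role with the Certification Authority and Web Enrollment role services
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# 2. Configure an Enterprise Root CA (registers itself in Active Directory, so Enterprise
#    Admins rights are required). The CA key must not be weaker than the 4096-bit user
#    keys it will sign, so use RSA 4096 with SHA-256.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'SDS-Root-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -Force

# 3. Configure the Web Enrollment role service (needs the CA service to be running)
Install-AdcsWebEnrollment -Force

# 4. Export the CA certificate (DER-encoded .cer) for import into the SDMC certificate library
New-Item -ItemType Directory -Path C:\pki -Force | Out-Null
certutil -ca.cert C:\pki\SDS-Root-CA.cer

# 5. Checks: the CA service is up and the exported certificate is self-signed with a 4096-bit key
Get-Service certsvc | Select-Object Name, Status
certutil -dump C:\pki\SDS-Root-CA.cer | Select-String 'Issuer|Subject|Signature Algorithm|Public Key Length'
```

The "Issuer" and "Subject" lines printed by the last command must be identical for a root CA; the same .cer file is the one to import into SDMC in the next step.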

The certification authority publishes a certificate revocation list (CRL) that clients consult to check that a certificate has not been revoked before its expiry date. Your SDS Enterprise security policies must know where CRLs are distributed.
To configure your root authority CRL:
-
On the server, open the Certification Authority Manager certsrv.msc and view the properties of the certification authority you just created.
-
On the Extensions tab, click on Add.
-
Enter the public location that will host the CRL, then confirm.
-
Select the two options Include in CRLs. Clients use this to find Delta CRL locations and Include in the CDP extension of issued certificates.
-
Select the LDAP entry in the CRL locations and clear the Include in the CDP extension of issued certificates check box, so that issued certificates point only to the public location.
-
Close the authority properties.
-
Restart the Active Directory Certificate Services.
-
In your SDS Enterprise security policies in SDMC, specify the CRL distribution points by following the Adding certification authorities and configuring certificate revocation control.
We recommend that you do not store the CRL file on the AD CS server. You can store it on a web server that is accessible to all users. Note that the CRL is signed by the certification authority, so its integrity does not depend on the transport: the usual practice, and Microsoft's PKI guidance, is to publish CDP URLs over plain HTTP rather than HTTPS, because checking the revocation status of the web server's own TLS certificate can require the very CRL being downloaded. Whatever the transport, the CA must republish the CRL to that location before the current one expires, since a CRL that cannot be fetched or has expired makes the users' certificates fail validation.
NOTE
For more information on using the Certification Authority Manager, see the Microsoft documentation.
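The CRL configuration above, done with the ADCSAdministration cmdlets instead of the certsrv.msc GUI, as an added example (not code from the SDS Enterprise documentation): it replaces the default distribution points, adds the public HTTP location, publishes a CRL and checks that a client can fetch and parse it. The URL http://pki.example.com/crl/, the UNC path \\pki.example.com\crl$ to the web server's document root, the CA name SDS-Root-CA and the test certificate path are assumptions.

```powershell
# Added example (not from the SDS documentation): configures the CRL distribution points
# of the root CA with the ADCSAdministration cmdlets, publishes a CRL and checks it.
# Assumptions (hypothetical): CRLs are served from http://pki.example.com/crl/ and the web
# server's document root is reachable from the CA as \\pki.example.com\crl$.

Import-Module ADCSAdministration

# Default LDAP entry as created by AD CS setup; kept for publication to AD only
$ldap = 'ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>'
# Public location. The <...> variables are expanded by the CA at publication time.
$http = 'http://pki.example.com/crl/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'

# Remove every default entry except the local file path the CA writes the CRL to
Get-CACrlDistributionPoint |
    Where-Object { $_.Uri -like 'ldap://*' -or $_.Uri -like 'http://*' -or $_.Uri -like 'file://*' } |
    ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }

# LDAP: publish base and delta CRL to AD, but do NOT include it in the CDP extension of
# issued certificates (the "clear Include in the CDP extension" step above)
Add-CACrlDistributionPoint -Uri $ldap -PublishToServer -PublishDeltaToServer -Force

# HTTP: the location clients will use
#   -AddToCertificateCdp = "Include in the CDP extension of issued certificates"
#   -AddToFreshestCrl    = "Include in CRLs. Clients use this to find Delta CRL locations."
Add-CACrlDistributionPoint -Uri $http -AddToCertificateCdp -AddToFreshestCrl -Force

Restart-Service certsvc
certutil -crl     # publish a fresh base (and delta) CRL to the local CertEnroll folder

# Copy the published files to the web server. Schedule this so it always runs before the
# CRL's NextUpdate; an expired CRL at the CDP makes every user certificate fail validation.
Copy-Item "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crl" '\\pki.example.com\crl$\'

# Checks
Get-CACrlDistributionPoint | Format-Table Uri, AddToCertificateCdp, AddToFreshestCrl, PublishToServer
Invoke-WebRequest -Uri 'http://pki.example.com/crl/SDS-Root-CA.crl' -OutFile "$env:TEMP\test.crl"
certutil -dump "$env:TEMP\test.crl" | Select-String 'Issuer|ThisUpdate|NextUpdate'
# Full chain validation of an issued certificate, fetching the AIA/CDP URLs as a client would
certutil -verify -urlfetch C:\pki\some-user-cert.cer
```

The output of the last command lists each CDP URL with its retrieval status; a certificate issued before the HTTP entry was added still carries the old CDP URLs, so test with a certificate issued after the change.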

The key recovery agent is a Windows user account (usually held by a PKI administrator) whose certificate authorizes it to decrypt the private keys that are archived by the certification authority.
Start by creating a user who will be the key recovery agent in your Active Directory. Then create a key recovery agent certificate template and publish it:
-
On the server, open the Certification Authority Manager certsrv.msc.
-
In the Certification Authority’s Certificate templates directory, right-click and select Manage.
-
In the right-hand panel, right-click the Key Recovery Agent template and select Duplicate Template.
-
On the Security tab, add your key recovery agent.
-
Grant it the Enroll permission.
-
Confirm template creation.
-
To publish the new template, in the Certification authority’s Certificate templates directory, right-click and select New > Certificate template to issue.
-
Select the key recovery agent certificate template.
-
Confirm the publication.
The new template is now available in Certificate templates and ready to use.
Next, request a certificate for the key recovery agent according to the new template added earlier:
-
On a domain workstation, log on with the Windows account of the key recovery agent.
-
Open the Windows Certificate Manager certmgr.msc.
-
In the Personal > Certificates store, right-click and select All Tasks > Request new certificate.
-
Select the key recovery agent certificate template.
The certificate is generated in the Windows certificate store of the key recovery agent.
The Key Recovery Agent template requires CA certificate manager approval, so the request is left pending. Issue it in the Certification Authority Manager on the authority server:
-
Open the certsrv.msc manager.
-
Select the Certification authority’s Pending requests directory.
-
Select the certificate corresponding to the request.
-
Right-click and select All Tasks > Issue.
Complete the creation by declaring the key of the key recovery agent:
-
In the certsrv.msc manager, view the certification authority properties.
-
On the Recovery Agents tab, select the Archive the key option and add the key recovery agent certificate.
-
Confirm and restart the Active Directory Certificate Services.
Finally, in the properties of the encryption and recovery certificate templates that you will create below:
-
Make sure you have selected the Archive subject’s encryption private key check box on the Request Handling tab, so that the CA archives the private keys of the encryption certificates issued from those templates. Archival happens at enrollment time only: certificates issued before this setting was in place are not archived retroactively.
NOTE
For more information on using the Certification Authority Manager, see the Microsoft documentation.
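The key recovery agent enrollment above, and the recovery it enables, from the command line as an added example (not code from the SDS Enterprise documentation): it requests the KRA certificate with a certreq .inf file, issues the pending request as a certificate manager, checks that the CA has a KRA registered, and runs the two-step recovery of an archived user key. The template name SDSKeyRecoveryAgent, the CA configuration string dc01.corp.example.com\SDS-Root-CA, the KRA account name, the request ID 42 and the recovered user's UPN are assumptions.

```powershell
# Added example (not from the SDS documentation): KRA certificate request, issuance and
# the key recovery workflow. Assumptions (hypothetical): duplicated template name
# "SDSKeyRecoveryAgent", CA config string "dc01.corp.example.com\SDS-Root-CA",
# KRA account kra-admin, request ID 42, user to recover user@corp.example.com.
$ca = 'dc01.corp.example.com\SDS-Root-CA'

# --- On a domain workstation, logged on as the key recovery agent ---
$inf = @"
[NewRequest]
Subject = "CN=kra-admin,OU=PKI,DC=corp,DC=example,DC=com"
KeyLength = 4096
KeySpec = 1
Exportable = FALSE
MachineKeySet = FALSE
ProviderName = "Microsoft Software Key Storage Provider"
[RequestAttributes]
CertificateTemplate = SDSKeyRecoveryAgent
"@
Set-Content -Path "$env:TEMP\kra.inf" -Value $inf
certreq -new "$env:TEMP\kra.inf" "$env:TEMP\kra.req"
# The KRA template requires CA manager approval: the request stays pending and
# certreq prints its Request ID (42 in the lines below).
certreq -submit -config $ca "$env:TEMP\kra.req" "$env:TEMP\kra.cer"

# --- On the CA, as a Certificate Manager (the "All Tasks > Issue" step) ---
certutil -config $ca -resubmit 42

# --- Back on the workstation as the KRA: retrieve and install the issued certificate ---
certreq -retrieve -config $ca 42 "$env:TEMP\kra.cer"
certreq -accept "$env:TEMP\kra.cer"

# --- On the CA, after the KRA certificate has been added on the Recovery Agents tab ---
certutil -config $ca -getreg CA\KRACertCount   # number of KRA certificates in use; 0 = no archival
certutil -config $ca -getreg CA\KRACertHash    # thumbprint(s) of the registered KRA certificate(s)

# --- Recovering an archived key takes two separate roles ---
# 1. A Certificate Manager exports the archived key blob from the CA database. The blob is
#    still encrypted to the KRA certificate, so this role alone cannot read the key.
certutil -config $ca -getkey 'user@corp.example.com' "$env:TEMP\user.blob"
# 2. The KRA, holding the KRA private key, decrypts the blob into a password-protected PFX.
certutil -p 'ChangeMe!' -recoverkey "$env:TEMP\user.blob" "$env:TEMP\user-recovered.pfx"
```

Keep the Certificate Manager and Key Recovery Agent roles on different accounts: recovering a user's encryption key then requires two people, which is the control that makes archiving every user's private key acceptable. Do not disable the manager-approval requirement on the KRA template; a KRA certificate issued silently to an attacker-controlled account gives access to every archived key.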

You must now create certificate templates to subsequently generate the encryption and signature certificates for users, and the associated private keys. You also need templates for SDS Enterprise security policy signatories and recovery accounts.
Creating certificate templates for encryption and signature
-
On the server, open the Certification Authority Manager certsrv.msc.
-
In the Certification Authority’s Certificate templates directory, right-click and select Manage.
-
Right-click the User template and select Duplicate template.
-
On the General tab, enter its name and validity period, along with the renewal period if necessary.
-
On the Request Handling tab:
-
Select Encryption or Signature depending on the type of template to be created,
-
In the case of a certificate template for encryption, select the Archive subject’s encryption private key check box to allow the key recovery agent to decrypt the private keys that are archived by the PKI if required,
-
Allow the private key to be exported only if your company’s security policy allows it. Note that the signatory and recovery account procedures below save the private key as a .pfx file, which requires this option on their templates.
-
On the Cryptography tab, select 4096 as the minimum key size.
-
On the Extensions tab, make sure that the template has only these two extensions, with the following options:
Encryption template:
-
Application Policies: Secure Email
-
Key Usage: Allow key exchange only with key encryption (Key encipherment); Allow encryption of user data; Make this extension critical
Signature template:
-
Application Policies: Secure Email
-
Key Usage: Digital signature; Signature is proof of origin (nonrepudiation); Make this extension critical
Be sure to delete the other extensions displayed in the tab (the duplicated User template also carries the Encrypting File System and Client Authentication application policies) so that you only have the two extensions listed above.
-
On the Security tab, grant the Enroll permission to Domain Users. This is sufficient for a manual certificate request; automatic enrollment additionally requires the Autoenroll permission (see Configuring automatic user enrollment).
-
Confirm template creation.
To publish the newly created template, see Publishing templates.
Creating the certificate template for the SDS Enterprise security policy signatory
The certificate template for the signatory is identical to the signature certificate template for users. Only the validity period of the certificate differs.
-
Follow the procedure described in Creating certificate templates for encryption and signature by selecting Signature on the Request Handling tab.
-
On the General tab, we recommend that you set the validity period to be longer than the typical duration for user signature certificates.
To publish the newly created template, see Publishing templates.
Creating the certificate template for the recovery account
The certificate template for the recovery account is identical to the encryption certificate template for users. Only the validity period of the certificate differs.
-
Follow the procedure described in Creating certificate templates for encryption and signature by selecting Encryption on the Request Handling tab.
-
On the General tab, we recommend that you set the validity period to be longer than the duration typically expected for user encryption certificates.
To publish the newly created template, see Publishing templates.
Publishing templates
To publish certificate templates:
-
In the Certification authority Manager certsrv.msc, right-click on the Certification authority’s Certificate Templates directory and select New > Certificate template to issue.
-
Select the previously created templates.
-
Confirm the publication.
The new templates are now available and ready to use in Certificate Templates.
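The template settings required in this section, checked directly against Active Directory before publication, as an added example (not code from the SDS Enterprise documentation): the script reads each duplicated template from the Certificate Templates container, verifies key size, Key Usage bits and criticality, the Secure Email application policy, the archival and export flags, and then publishes the templates on the CA with certutil. The template names SDSUserEncryption, SDSUserSignature, SDSPolicySignatory and SDSRecovery are assumptions; run it as a PKI administrator on the CA.

```powershell
# Added example (not from the SDS documentation): audits the duplicated templates against
# the settings required above by reading them from Active Directory, then publishes them.
# Assumptions (hypothetical): template names SDSUserEncryption, SDSUserSignature,
# SDSPolicySignatory, SDSRecovery.

$config    = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$config"

# Key Usage bits are stored in the first byte of pKIKeyUsage (RFC 5280 bit order)
$KU_DIGITAL_SIGNATURE = 0x80; $KU_NON_REPUDIATION   = 0x40
$KU_KEY_ENCIPHERMENT  = 0x20; $KU_DATA_ENCIPHERMENT = 0x10
$EKU_SECURE_EMAIL     = '1.3.6.1.5.5.7.3.4'
$OID_KEY_USAGE        = '2.5.29.15'
$PKF_ARCHIVE_KEY      = 0x01   # msPKI-Private-Key-Flag: archive subject's private key
$PKF_EXPORTABLE_KEY   = 0x10   # msPKI-Private-Key-Flag: private key may be exported

# Exportable is a policy choice for user templates (only checked where a .pfx is needed)
$expected = @{
    SDSUserEncryption  = @{ KU = $KU_KEY_ENCIPHERMENT -bor $KU_DATA_ENCIPHERMENT; Archive = $true }
    SDSRecovery        = @{ KU = $KU_KEY_ENCIPHERMENT -bor $KU_DATA_ENCIPHERMENT; Archive = $true;  Exportable = $true }
    SDSUserSignature   = @{ KU = $KU_DIGITAL_SIGNATURE -bor $KU_NON_REPUDIATION;  Archive = $false }
    SDSPolicySignatory = @{ KU = $KU_DIGITAL_SIGNATURE -bor $KU_NON_REPUDIATION;  Archive = $false; Exportable = $true }
}

foreach ($name in $expected.Keys) {
    $t = $container.Children | Where-Object { $_.Properties['cn'].Value -eq $name }
    if (-not $t) { Write-Warning "${name}: template not found in AD"; continue }

    $keySize    = [int]$t.Properties['msPKI-Minimal-Key-Size'].Value
    $ku         = ([byte[]]$t.Properties['pKIKeyUsage'].Value)[0]
    $eku        = @($t.Properties['pKIExtendedKeyUsage'].Value)
    $appPol     = @($t.Properties['msPKI-Certificate-Application-Policy'].Value)
    $critical   = @($t.Properties['pKICriticalExtensions'].Value)
    $pkFlags    = [int]$t.Properties['msPKI-Private-Key-Flag'].Value
    $archived   = ($pkFlags -band $PKF_ARCHIVE_KEY) -ne 0
    $exportable = ($pkFlags -band $PKF_EXPORTABLE_KEY) -ne 0
    $e          = $expected[$name]

    $problems = @()
    if ($keySize -lt 4096) { $problems += "minimum key size is $keySize, expected 4096" }
    if ($ku -ne $e.KU)     { $problems += ('key usage 0x{0:X2}, expected 0x{1:X2}' -f $ku, $e.KU) }
    if ($critical -notcontains $OID_KEY_USAGE) { $problems += 'Key Usage extension is not marked critical' }
    if ($eku.Count -ne 1 -or $eku[0] -ne $EKU_SECURE_EMAIL) {
        $problems += "EKU is [$($eku -join ', ')], expected only Secure Email ($EKU_SECURE_EMAIL)"
    }
    if ($appPol.Count -ne 1 -or $appPol[0] -ne $EKU_SECURE_EMAIL) {
        $problems += "Application Policies is [$($appPol -join ', ')], expected only Secure Email"
    }
    if ($archived -ne $e.Archive) { $problems += "key archival is $archived, expected $($e.Archive)" }
    if ($e.ContainsKey('Exportable') -and $exportable -ne $e.Exportable) {
        $problems += "private key exportable is $exportable, expected $($e.Exportable)"
    }

    if ($problems) { Write-Warning ("{0}:`n  - {1}" -f $name, ($problems -join "`n  - ")) }
    else           { "$name : OK (exportable=$exportable)" }
}

# Publish the templates on the CA (equivalent of New > Certificate Template to Issue)
foreach ($name in $expected.Keys) { certutil -SetCATemplates "+$name" }
certutil -CATemplates      # list the templates the CA now issues
```

Run the audit again after any template change: the CA caches template definitions, so edits may take a few minutes to be picked up, and a template published with the wrong Key Usage issues unusable certificates to every user who enrolls in the meantime.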

SDS Enterprise security policies are signed by a signatory account, guaranteeing their authenticity and integrity.
The signatory account is a Windows user account with a signature key only, used exclusively to sign security policies.
To create the certificate and associated private key of the policy signatory account, use the previously added signatory certificate template:
-
On a domain workstation, log on with the Windows account of the policy signatory agent.
-
Open the Windows Certificate Manager certmgr.msc.
-
In the Personal > Certificates store, right-click and select All Tasks > Request new certificate.
-
Select the security policy signatory certificate template.
The certificate is generated in the Windows certificate store of the policy signatory agent.
-
Save the certificate in .cer, .crt or .cert format.
-
Save the private key in .pfx format.
To sign a security policy, see Downloading and signing a security policy.
NOTE
For more information on using the Windows Certificate Manager, see the Microsoft documentation.

The recovery account is required to secure the use of SDS Enterprise. This is a Windows user account with an encryption key only.
For more information on how the recovery account works, see Enabling data recovery.
To create the certificate and associated private key for the recovery account, use the certificate template for the previously added recovery account:
-
On a domain workstation, log on with the recovery agent’s Windows account.
-
Open the Windows Certificate Manager certmgr.msc.
-
In the Personal > Certificates store, right-click and select All Tasks > Request new certificate.
-
Select the certificate template for the recovery account.
The certificate is generated in the recovery agent’s Windows certificate store.
-
Save the certificate in .cer, .crt or .cert format.
-
Save the private key in .pfx format.
WARNING
Make sure to keep this key in a safe place.
-
Import the certificate into the SDMC certificate library by following the Managing authority certificates and recovery certificates in SDMC procedure.
-
Specify the certificates of the recovery accounts to be used in each of your security policies by following the Enabling data recovery procedure.
NOTE
For more information on using the Windows Certificate Manager, see the Microsoft documentation.
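The signatory and recovery account procedures above, which are the same enrollment followed by a .cer and a .pfx export, scripted with PowerShell as an added example (not code from the SDS Enterprise documentation): the function requests a certificate from the named template into the current user's store, exports the certificate alone for the SDMC library and the certificate with its private key as a password-protected .pfx. The template names SDSPolicySignatory and SDSRecovery and the output folder C:\sds-keys are assumptions; run each call logged on as the corresponding account.

```powershell
# Added example (not from the SDS documentation): enrolls the policy signatory or the
# recovery account certificate and exports the .cer and .pfx files that SDMC and the
# policy signing step need. Assumptions (hypothetical): template names SDSPolicySignatory
# and SDSRecovery, output folder C:\sds-keys.

function Request-SdsAccountCertificate {
    param(
        [Parameter(Mandatory)][string]$Template,        # template name (without spaces)
        [Parameter(Mandatory)][string]$OutDir,
        [Parameter(Mandatory)][securestring]$PfxPassword
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    # Request the certificate from the enterprise CA. The key pair is generated in the
    # current user's store (Cert:\CurrentUser\My); nothing leaves the machine until exported.
    $result = Get-Certificate -Template $Template -CertStoreLocation Cert:\CurrentUser\My
    if ($result.Status -ne 'Issued') {
        throw "Enrollment for $Template returned status '$($result.Status)' (pending requests must be issued on the CA first)"
    }
    $cert = $result.Certificate

    # Public part only, DER-encoded .cer: this is what goes into the SDMC certificate library
    Export-Certificate -Cert $cert -FilePath (Join-Path $OutDir "$Template.cer") -Type CERT | Out-Null

    # Certificate plus private key in .pfx, encrypted with the supplied password.
    # Export-PfxCertificate fails unless the template allowed the private key to be exported.
    if (-not $cert.HasPrivateKey) { throw 'The issued certificate has no private key in this store' }
    Export-PfxCertificate -Cert $cert -FilePath (Join-Path $OutDir "$Template.pfx") `
        -Password $PfxPassword -ChainOption EndEntityCertOnly | Out-Null

    # Summary, including the Key Usage so a signature-only or encryption-only key is visible
    $kuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
    [pscustomobject]@{
        Template   = $Template
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        KeyUsage   = $kuExt.KeyUsages
        CerFile    = Join-Path $OutDir "$Template.cer"
        PfxFile    = Join-Path $OutDir "$Template.pfx"
    }
}

# Logged on as the policy signatory account:
$pw = Read-Host -AsSecureString -Prompt 'PFX password'
Request-SdsAccountCertificate -Template SDSPolicySignatory -OutDir C:\sds-keys -PfxPassword $pw

# Logged on as the recovery account (separate session):
Request-SdsAccountCertificate -Template SDSRecovery -OutDir C:\sds-keys -PfxPassword $pw
```

Expect KeyUsage to show DigitalSignature, NonRepudiation for the signatory and KeyEncipherment, DataEncipherment for the recovery account; anything else means the wrong template was duplicated. The .pfx password only protects the file against opportunistic reading, so move the recovery account's .pfx to offline storage and delete the working copy once it has been imported where it is needed.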

To create SDS Enterprise user accounts in SSO mode, user certificates must be stored in the Windows certificate stores of the workstations. Thus, when a user logs on to SDS Enterprise for the first time, their account is created automatically, provided that the security policy also includes the necessary settings.
To create and deploy a SDS Enterprise security policy that allows accounts to be created in SSO mode, see Creating a Single Sign-On (SSO) account.
There are two possible solutions for managing certificate creation requests from SDS Enterprise solution users and for storing them in Windows stores:
-
automatic enrollment deployed via a group policy (GPO).
-
manual request via Windows Certificate Manager certmgr.msc on user workstations.
Configuring automatic user enrollment
Automatic enrollment allows users to obtain their certificates transparently when logging into their Windows session: a group policy triggers the enrollment request, the certification authority issues the certificate, and it is stored in the user’s Windows certificate store.
REQUIREMENTS
To set up automatic enrollment, you must first grant Domain Users the Autoenroll permission (in addition to Enroll) on the Security tab of the properties of your encryption and signature certificate templates, on your server acting as a certification authority.
On your server, create a new group policy:
-
Open the Group policy manager.
-
Create a new policy for that domain.
-
In the Group Policy Editor, select the User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies directory.
-
In the right-hand panel, open the properties of the Certificate Services Client – Auto Enrollment object.
-
In Configuration Model, select Enabled.
-
Check the Renew expired certificates, update pending certificates, and remove revoked certificates and Update certificates that use certificate templates options, then confirm.
-
Deploy the new group policy to users’ workstations.
NOTE
For more information on using group policies, see the Microsoft documentation.
Requesting a certificate manually
Each user can request a certificate on their workstation. The user must:
-
Open the Windows Certificate Manager certmgr.msc.
-
On the Personal > Certificates store, right-click and select All Tasks > Request a new certificate.
-
Select the encryption and signature certificate templates and complete the procedure.
Certificates are generated in the Windows certificate store.
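The automatic enrollment setup above, with the GroupPolicy and ActiveDirectory modules, as an added example (not code from the SDS Enterprise documentation): it creates and links the GPO, checks that Domain Users hold the Autoenroll right on the two user templates (the requirement stated above), then triggers enrollment on a workstation and lists the resulting certificates. The domain corp.example.com, the GPO name and the template names SDSUserEncryption and SDSUserSignature are assumptions.

```powershell
# Added example (not from the SDS documentation): creates the auto-enrollment GPO, verifies
# the Autoenroll permission on the templates and triggers/verifies enrollment on a client.
# Assumptions (hypothetical): domain corp.example.com, templates SDSUserEncryption and
# SDSUserSignature, GPO name "SDS Enterprise user auto-enrollment".

Import-Module GroupPolicy, ActiveDirectory

# --- On the domain controller ---
$gpo = New-GPO -Name 'SDS Enterprise user auto-enrollment'
# "Certificate Services Client - Auto-Enrollment" is stored as the AEPolicy DWORD:
#   1 = Enabled
#   2 = Renew expired certificates, update pending certificates, and remove revoked certificates
#   4 = Update certificates that use certificate templates
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKCU\Software\Policies\Microsoft\Cryptography\AutoEnrollment' `
    -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null
New-GPLink -Name $gpo.DisplayName -Target 'DC=corp,DC=example,DC=com' -LinkEnabled Yes | Out-Null

# Autoenroll is an extended right on the template object; Enroll alone is not enough.
$autoenrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment
$enrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$config = (Get-ADRootDSE).configurationNamingContext
foreach ($name in 'SDSUserEncryption', 'SDSUserSignature') {
    $dn  = "CN=$name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$config"
    $acl = Get-Acl -Path "AD:\$dn"
    $rights = $acl.Access |
        Where-Object {
            $_.IdentityReference -like '*\Domain Users' -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.ObjectType -eq $autoenrollRight -or $_.ObjectType -eq $enrollRight)
        } |
        ForEach-Object { if ($_.ObjectType -eq $autoenrollRight) { 'Autoenroll' } else { 'Enroll' } } |
        Sort-Object -Unique
    if ($rights -notcontains 'Autoenroll') { Write-Warning "${name}: Domain Users lack Autoenroll (have: $($rights -join ', '))" }
    else { "$name : Domain Users have $($rights -join ', ')" }
}

# --- On a user workstation, logged on as the user ---
gpupdate /target:user /force
certutil -user -pulse      # fire the auto-enrollment task now instead of waiting for the next trigger

# Verify: one Secure Email certificate with key encipherment and one with digital signature
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.4' } |
    Select-Object Thumbprint, Subject, NotAfter,
        @{ n = 'KeyUsage'; e = { ($_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }).KeyUsages } }
```

If the workstation shows no certificates after the pulse, check the CertificateServicesClient-AutoEnrollment operational log in Event Viewer on the client: it records the template name and the reason enrollment was skipped (missing Autoenroll right, CA not reachable, or template not published on the CA).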