Deployment Guide
6 Using CertAgent to Obtain Domain Controller and Smart Card Logon Certificates for Active Directory Authentication
• under Key Usage, make sure that only the digital signature and key encipherment checkboxes are checked.
• under Extended Key Usage, check only the following checkboxes: client authentication, server authentication, and MS: Smart Card Logon.
• under Subject Alternative Name, add an Other Name field and complete its attributes as follows: specify an OID of 1.3.6.1.4.1.311.25.1; set Octet String as the type of this attribute and enter the domain controller's GUID as its value; then carefully remove the first four characters (04??) and all spaces and insert 0x at the front of the string (to ensure it is interpreted in hex). For example, if the GUID was originally 0410 6661 6135 3636 3234 3831 6263 3866 6662 as above, you would enter 0x666135363632343831626338666662 as the hexadecimal value of the new attribute.
• under Subject Alternative Name, add a DNS Name and specify the DNS name of the domain controller.
• enter the following base64-encoded data as a Custom Extension:
MC8GCSsGAQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8AbABsAGUAcg==
NOTE: When you copy and paste this value, be sure to capture the two trailing equal signs. This extension is required to ensure that the certificate is accepted and processed as a domain controller certificate by the default policy module in the domain controller.
• Basic Constraints are optional, but if you include them be sure to deselect the CA checkbox.
6 Review the changes and then click Submit to issue the certificate.
If you are doing this often, you should configure a CA account or sub-account to include the custom extensions automatically so that only minor editing of attribute values is required on a per-request basis. For a detailed discussion of the constraints on the contents of a Microsoft domain controller certificate, see http://support.microsoft.com/kb/291010.
Installing the Domain Controller Certificate
Once the domain controller certificate has been issued, the system administrator may install it by following these steps:
1 Go to the Retrieve Certificate page of the CertAgent public site.
2 Enter the request ID and click Retrieve.
3 Click the link labeled Download this certificate path to a local base64-encoded PKCS#7 file and save the PKCS#7 file to a convenient folder on your computer.
4 Install the domain controller certificate by running the following command at a Command Prompt:
certreq -accept <PKCS#7 filename>
For a more detailed discussion of the installation process for a domain controller certificate, see http://technet.microsoft.com/en-us/library/cc785678%28WS.10%29.aspx.
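The two Microsoft-specific values in the issuing steps above, the Other Name carrying the domain controller GUID under OID 1.3.6.1.4.1.311.25.1 and the base64 Custom Extension, are ordinary DER structures, and it is worth being able to rebuild and check them instead of pasting them blind. The following Python is an added example, not CertAgent's code and not part of the guide; it uses only the standard library. It assumes that the Custom Extension is the Microsoft certificate template name extension (OID 1.3.6.1.4.1.311.20.2, a BMPString wrapped in an OCTET STRING), which is what the guide's base64 value decodes to, and that the GUID dump the guide tells you to trim is a DER OCTET STRING whose first two bytes are the tag (04) and the length byte. The function and constant names are the example's own.

```python
import base64

# Added example (not from the CertAgent guide): a minimal DER encoder, enough to
# rebuild and verify the two Microsoft-specific values the issuing steps ask for.
# Names below are the example's own.

OID_CERT_TEMPLATE_NAME = "1.3.6.1.4.1.311.20.2"  # Microsoft certificate template name extension
OID_NTDS_REPLICATION = "1.3.6.1.4.1.311.25.1"    # otherName type-id carrying the DC GUID (from the guide)

# The Custom Extension value given in the guide, kept here for comparison.
GUIDE_CUSTOM_EXTENSION_B64 = "MC8GCSsGAQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8AbABsAGUAcg=="


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, then base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_tlv(0x06, bytes(out))


def template_name_extension(name: str) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING }; critical is
    DEFAULT FALSE and therefore absent. extnValue wraps a BMPString (UTF-16BE)."""
    bmp = der_tlv(0x1E, name.encode("utf-16-be"))
    return der_tlv(0x30, der_oid(OID_CERT_TEMPLATE_NAME) + der_tlv(0x04, bmp))


def custom_extension_b64(name: str) -> str:
    """The base64 form a CA front end such as the one in the guide expects."""
    return base64.b64encode(template_name_extension(name)).decode("ascii")


def decode_template_name(b64: str) -> str:
    """Parse a template-name extension back and return the BMPString it holds."""
    der = base64.b64decode(b64)
    if der[0] != 0x30 or der[2] != 0x06:
        raise ValueError("not a SEQUENCE { OID, ... }")
    oid_len = der[3]
    octets = der[4 + oid_len:]          # extnValue OCTET STRING
    if octets[0] != 0x04:
        raise ValueError("extnValue is not an OCTET STRING")
    inner = octets[2:]                  # BMPString inside it
    if inner[0] != 0x1E:
        raise ValueError("extnValue does not wrap a BMPString")
    return inner[2:2 + inner[1]].decode("utf-16-be")


def guid_hex_from_octet_string(dumped: str) -> str:
    """Do the guide's hand edit mechanically: take an OCTET STRING dump such as
    '0410 6661 ...', drop the tag (04) and length byte, drop spaces, prefix 0x."""
    compact = dumped.replace(" ", "")
    if not compact.startswith("04"):
        raise ValueError("expected a DER OCTET STRING dump starting with 04")
    length = int(compact[2:4], 16)
    payload = compact[4:]
    if len(payload) != 2 * length:
        raise ValueError(f"length byte says {length} bytes, payload has {len(payload) // 2}")
    return "0x" + payload


def dc_guid_other_name(guid_hex: str) -> bytes:
    """OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT OCTET STRING }
    as it appears inside subjectAltName for the domain controller GUID."""
    raw = bytes.fromhex(guid_hex[2:] if guid_hex.startswith("0x") else guid_hex)
    if len(raw) != 16:
        raise ValueError(f"a GUID is exactly 16 bytes, got {len(raw)}")
    value = der_tlv(0xA0, der_tlv(0x04, raw))
    return der_tlv(0x30, der_oid(OID_NTDS_REPLICATION) + value)


if __name__ == "__main__":
    print(custom_extension_b64("DomainController") == GUIDE_CUSTOM_EXTENSION_B64)
    print(decode_template_name(GUIDE_CUSTOM_EXTENSION_B64))
    # Constructed dump in the format the guide shows (tag, length byte, 16 GUID bytes).
    guid = guid_hex_from_octet_string("0410 6661 6135 3636 3234 3831 6263 3866 6662")
    print(guid, dc_guid_other_name(guid).hex())
```

Feeding the guide's blob to decode_template_name confirms it carries the template name DomainController and that both trailing equal signs survived the paste. guid_hex_from_octet_string performs the 0410-to-0x edit mechanically and checks the length byte against the digits that remain, and dc_guid_other_name refuses anything other than 16 bytes (32 hex digits after the 0x); a hand-trimmed string that lost a digit pair is caught there rather than being issued as a malformed GUID, so it is worth running your own value through it before submitting the request.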