Register Agent in EZCA

Prerequisites

  1. Setup IIS
  2. Create Certificate Templates In CA
  3. Setup EZCA Agent

Introduction

The last step to linking EZCA to your existing ADCS CAs is registering the CA in EZCA.

Registering the CA in EZCA

  1. Navigate to the EZCA portal.
  2. Navigate to Certificate Authorities.
  3. Click on “Create CA”.
  4. Select ADCS CA.
  5. Press Next.

Connect CAs

Now we will connect EZCA to all the CAs you want to manage with EZCA.

  1. First, enter the CA Friendly Name. This name is only for your reference in the EZCA portal.
  2. Upload the CA's certificate (only the public part; do not upload the private key).
  3. Enter the Agent URL.

    The Agent URL has to be a valid public-facing FQDN with a valid SSL certificate.

  4. Enter the CA name with the format HOST.DNS\CA Name.
  5. Press “Test Connection”.

    This issues a test certificate from the CA, so make sure that the CA has the Test Template enabled.

  6. Once the connection is validated, press Add CA.
  7. If you want to add more CAs to this CA group (this will enable you to manage domains and requests as if they are all part of one big geo-redundant CA), repeat steps 2-6 for all CAs.
  8. Once you are done adding the CAs, press Next.

Adding Templates

Once the CAs are connected to EZCA, we have to add the templates that you want EZCA to manage certificates for.

  1. First, select the template type this template will be used for.
  2. Then enter the template name as it appears in the CA.
  3. Press Test Template to verify that EZCA has access to request certificates for this template.
  4. Enter the maximum lifetime for a certificate that can be issued by EZCA.
  5. (Optional) EZCA templates have advanced settings such as domain restrictions, requiring approval, or restricting who can request domain registrations (see Templates (Advanced Settings) below).
  6. Press Add template.
  7. Once you have added and configured all the desired templates, press the create button.

(Optional) Templates (Advanced Settings)

This section gives you greater granularity over who can request certificates. This is not required for most organizations.

  1. Click the expand button.

Pre-Approved List of domains

  1. Since this is not a publicly trusted CA, by default EZCA will allow requesters to register any domains. If you want to limit which domains this CA can issue certificates for, select the “Allow Only Pre-Approved List of Domains” option.
  2. Upload a .txt file with your pre-approved domains (one per line), or enter them in the portal.

Allow Wildcard Domains

By default EZCA does not allow users to request certificates with wildcard domains (a domain that starts with *., which allows you to use that same certificate for all other subdomains). If you want EZCA to issue wildcard certificates, select the “Allow wild-card certificates” option.

Issuance Rules

To enable more granular control over who can request domain ownership in EZCA, we created two extra knobs PKI administrators can adjust to control domain ownership.

  1. Require domain registration approval. This option enables PKI administrators to set a group of approvers that must approve each domain registration before a user or group of users is registered as domain owners.
    1. To enable this option, select the “require approval” option.
    2. Enter the users or AAD groups that can approve domain requests.
  2. The second way PKI administrators can control the registration of domains is to only allow specific users to request domains. This option enables PKI administrators to set a list of users that can request domains for this CA.
    1. To enable this option, deselect the “Allow all users” option.
    2. Enter the users or AAD groups that can register domains.
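The template settings described in the Adding Templates and Advanced Settings sections above (maximum lifetime, pre-approved domain list, the wildcard toggle, registration approval and restricted requesters) combine into a small issuance policy. The following is an added example written for this page, not EZCA's own code, that models those checks so the interaction between the settings can be exercised offline. The matching rules are assumptions, not EZCA behaviour: names are compared case-insensitively after stripping a trailing dot, a requested name must equal a pre-approved entry exactly, a wildcard request `*.example.com` is checked against its base domain `example.com`, and an approver or requester string is compared directly to the configured entries (no AAD group resolution). The domain list and identities are constructed sample data.

```python
"""Simplified model of the EZCA ADCS template restrictions described on this page.

Added example, not EZCA code. Defaults follow the page: any domain is allowed
until a pre-approved list is set, wildcards are off, and all users may register.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class TemplatePolicy:
    max_lifetime_days: int
    pre_approved_domains: Optional[FrozenSet[str]] = None  # None = no list configured
    allow_wildcards: bool = False
    require_registration_approval: bool = False
    approvers: FrozenSet[str] = frozenset()
    allow_all_requesters: bool = True
    allowed_requesters: FrozenSet[str] = frozenset()


def parse_domain_list(text: str) -> FrozenSet[str]:
    """Parse the one-domain-per-line .txt upload (assumed: blank and '#' lines skipped)."""
    domains = set()
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line or line.startswith("#"):
            continue
        domains.add(line.rstrip("."))
    return frozenset(domains)


def check_domain(policy: TemplatePolicy, requested: str) -> Tuple[bool, str]:
    """Decide whether one requested name is allowed under the template's domain settings."""
    name = requested.strip().lower().rstrip(".")
    if name.startswith("*."):
        if not policy.allow_wildcards:
            return False, f"{name}: wildcard certificates are not allowed for this template"
        name = name[2:]  # assumption: validate the base domain of a wildcard request
    if "*" in name:
        return False, f"{requested}: a wildcard is only accepted as the leading '*.' label"
    if policy.pre_approved_domains is None:
        return True, f"{name}: any domain allowed (no pre-approved list configured)"
    if name in policy.pre_approved_domains:
        return True, f"{name}: on the pre-approved list"
    return False, f"{name}: not on the pre-approved list"


def check_lifetime(policy: TemplatePolicy, requested_days: int) -> Tuple[bool, str]:
    """Enforce the maximum lifetime configured for the template."""
    if requested_days <= 0:
        return False, "requested lifetime must be positive"
    if requested_days > policy.max_lifetime_days:
        return False, f"requested {requested_days} days exceeds maximum {policy.max_lifetime_days}"
    return True, f"{requested_days} days is within the template maximum"


def check_registration(policy: TemplatePolicy, requester: str,
                       approved_by: Optional[str] = None) -> Tuple[bool, str]:
    """Apply the two issuance-rule knobs to a domain registration attempt."""
    if not policy.allow_all_requesters and requester not in policy.allowed_requesters:
        return False, f"{requester} is not allowed to register domains for this CA"
    if policy.require_registration_approval:
        if approved_by is None:
            return False, "registration is pending approval"
        if approved_by not in policy.approvers:
            return False, f"{approved_by} is not a configured approver"
    return True, f"{requester} registered as domain owner"


def evaluate_request(policy: TemplatePolicy, names: Sequence[str],
                     requested_days: int) -> Tuple[bool, List[str]]:
    """A certificate request passes only if every name and the lifetime pass."""
    problems = [why for ok, why in (check_domain(policy, n) for n in names) if not ok]
    ok, why = check_lifetime(policy, requested_days)
    if not ok:
        problems.append(why)
    return (not problems), problems


# Constructed sample data, standing in for the uploaded .txt file.
SAMPLE_DOMAIN_LIST = "example.com\n\n# internal names\nIntranet.Corp.Local.\n"

if __name__ == "__main__":
    policy = TemplatePolicy(max_lifetime_days=365,
                            pre_approved_domains=parse_domain_list(SAMPLE_DOMAIN_LIST),
                            allow_wildcards=True)
    ok, problems = evaluate_request(policy, ["EXAMPLE.COM", "*.example.com", "evil.test"], 400)
    print("allowed" if ok else "denied", problems)
```

Running the block as a script denies the sample request for two independent reasons (a name outside the list and an over-long lifetime), which is the behaviour to expect from the portal settings: each knob is checked on its own and any failure blocks issuance.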