Dell Data Protection | Encryption Using CertAgent to Obtain Domain Controller and Smart Card Logon Certificates for Active Directory Authentication
© 2014 Dell Inc. Registered trademarks and trademarks used in the DDP|E, DDP|ST, and DDP|CE suite of documents: Dell™ and the Dell logo, Dell Precision™, OptiPlex™, ControlVault™, Latitude™, XPS®, and KACE™ are trademarks of Dell Inc. Intel®, Pentium®, Intel Core Inside Duo®, Itanium®, and Xeon® are registered trademarks of Intel Corporation in the U.S. and other countries. Adobe®, Acrobat®, and Flash® are registered trademarks of Adobe Systems Incorporated.
Contents
Domain Controller Certificates
  Enrollment for a Domain Controller Certificate
  Issuing a Domain Controller Certificate
Domain Controller Certificates

Enrollment for a Domain Controller Certificate

To obtain a suitable certificate, a system administrator on the domain controller should do the following:

1 On the domain controller itself, generate an “offline” domain controller certificate request following the instructions on the Microsoft TechNet website: http://technet.microsoft.com/en-us/library/cc783835%28WS.10%29. When completing the request:
• Under Key Usage, check only the Digital Signature and Key Encipherment boxes; leave every other key usage unchecked.
• Under Extended Key Usage, check only Client Authentication, Server Authentication, and MS: Smart Card Logon.
• Under Subject Alternative Name, add an Other Name field and complete its attributes as follows: specify an OID of 1.3.6.1.4.1.311.25.
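The request above can be produced without the MMC wizard by handing certreq.exe an INF file. The following is an added example, not part of the Dell or CertAgent documentation: it writes an INF carrying the Key Usage and Extended Key Usage settings listed above, generates the PKCS#10 request on the domain controller (so the private key is created in that machine's key store and never leaves it), and shows the certreq -accept step that binds the issued certificate to the pending key. The DC name, file paths, and the choice of a 2048-bit non-exportable key are assumptions for the example. The Subject Alternative Name section carries only the DC's DNS name; the Other Name entry from the list above is not included.

```powershell
# Added example; not taken from the Dell / CertAgent document.
# Builds the certreq.exe INF for an "offline" domain controller certificate
# request with the Key Usage and Extended Key Usage settings listed above,
# generates the PKCS#10 request, and (after the CA returns the certificate)
# binds it to the key. Run it on the domain controller itself.
# $DcFqdn and the file paths are placeholders for this example.

$DcFqdn    = 'dc01.corp.example.com'
$InfPath   = Join-Path $env:TEMP 'dc-cert-request.inf'
$ReqPath   = Join-Path $env:TEMP 'dc-cert-request.req'
$IssuedCer = Join-Path $env:TEMP 'dc-cert-issued.cer'   # what the CA sends back

$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$DcFqdn"
KeyLength = 2048
KeySpec = 1
; Key Usage: 0x80 = Digital Signature, 0x20 = Key Encipherment; nothing else.
KeyUsage = 0xA0
; Assumed here: keep the DC key non-exportable and in the machine key store.
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = SHA256

[EnhancedKeyUsageExtension]
; Exactly the three EKUs called for above.
OID = 1.3.6.1.5.5.7.3.1        ; Server Authentication
OID = 1.3.6.1.5.5.7.3.2        ; Client Authentication
OID = 1.3.6.1.4.1.311.20.2.2   ; Smart Card Logon

[Extensions]
; Subject Alternative Name with the DC's DNS name. The Other Name entry from
; the list above is not included here; add it with the OID from that step.
2.5.29.17 = "{text}"
_continue_ = "dns=$DcFqdn"
"@

Set-Content -Path $InfPath -Value $inf -Encoding Ascii

# Creates the key pair in the machine store and writes the base64 PKCS#10 request.
certreq.exe -new $InfPath $ReqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
Get-Content $ReqPath   # paste this into the CA's request form

# Once the CA has issued the certificate and you have saved it as $IssuedCer,
# this installs it into LocalMachine\My and pairs it with the pending key:
# certreq.exe -accept $IssuedCer
```

Because the key is generated on the domain controller with MachineKeySet = TRUE, the issued certificate must be accepted on that same machine; accepting it elsewhere leaves a certificate with no private key and logon will fail.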
Smart Card Logon Certificates

Enrollment for a Smart Card Logon Certificate

Any entity wishing to obtain a smart card logon certificate for use with Active Directory can initiate the process by following these steps:
1 Go to the Enroll Certificate using Browser page for the appropriate CA account or sub-account on the public side of the CertAgent website.
2 Select the CSP associated with your smart card.
3 Select Both for the Key Usage value.
4 Clear the checkbox labeled Mark keys as exportable, so that the private key cannot be copied off the smart card.
2 Enter the request ID for your certificate and click Retrieve.
3 Click the link labeled Install this certificate path into CAPI/CNG and follow the prompts to install your certificate.
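After either procedure, it is worth confirming that what landed in the certificate store actually matches the settings requested. The following is an added example, not part of the Dell or CertAgent documentation, and serves both the domain controller certificate from the earlier section and the smart card logon certificate installed in the step above: it reads a certificate's Key Usage and Extended Key Usage extensions, compares them with the expected values, and checks that a private key is bound to the certificate. The subject name and store paths in the usage at the end are placeholders; for the smart card certificate only the presence of the Smart Card Logon EKU and the private key are checked, since the page does not state which other EKUs the CA adds.

```powershell
# Added example; not taken from the Dell / CertAgent document.
# Checks an installed certificate against the constraints given above:
# Key Usage exactly as expected (when -ExpectedKeyUsage is given), the expected
# EKU OIDs present (and, with -Exact, nothing else), and a private key bound
# to the certificate. Subject names and store paths in the usage are placeholders.

$OidServerAuth     = '1.3.6.1.5.5.7.3.1'
$OidClientAuth     = '1.3.6.1.5.5.7.3.2'
$OidSmartCardLogon = '1.3.6.1.4.1.311.20.2.2'

function Test-LogonCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory = $true)]
        [string[]] $ExpectedEku,
        [switch] $Exact,
        [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags] $ExpectedKeyUsage
    )
    $problems = @()

    # 2.5.29.15 is the Key Usage extension; .NET exposes it as X509KeyUsageExtension.
    $ku = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
    if ($PSBoundParameters.ContainsKey('ExpectedKeyUsage')) {
        if (-not $ku) {
            $problems += 'Key Usage extension missing'
        } elseif ($ku.KeyUsages -ne $ExpectedKeyUsage) {
            $problems += "Key Usage is '$($ku.KeyUsages)', expected '$ExpectedKeyUsage'"
        }
    }

    # 2.5.29.37 is the Extended Key Usage extension (X509EnhancedKeyUsageExtension).
    $ekuExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $actualEku = @()
    if ($ekuExt) { $actualEku = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $missing = @($ExpectedEku | Where-Object { $actualEku -notcontains $_ })
    $extra   = @($actualEku   | Where-Object { $ExpectedEku -notcontains $_ })
    if ($missing.Count -gt 0) { $problems += "EKU missing: $($missing -join ', ')" }
    if ($Exact -and $extra.Count -gt 0) { $problems += "EKU not allowed here: $($extra -join ', ')" }

    # A certificate installed without its key (accepted on the wrong machine, or
    # the smart card not present) cannot be used for logon.
    if (-not $Certificate.HasPrivateKey) {
        $problems += 'no private key is bound to this certificate'
    }

    [pscustomobject]@{
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        Passed     = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Domain controller certificate, after certreq -accept put it in the machine store:
# Key Usage must be exactly Digital Signature + Key Encipherment, EKUs exactly the three.
$dcKu = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags] 'DigitalSignature, KeyEncipherment'
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=dc01.corp.example.com' } |
    ForEach-Object {
        Test-LogonCertificate -Certificate $_ -Exact -ExpectedKeyUsage $dcKu `
            -ExpectedEku $OidServerAuth, $OidClientAuth, $OidSmartCardLogon
    }

# Smart card logon certificate, after "Install this certificate path into CAPI/CNG":
# list the user's certificates that carry the Smart Card Logon EKU and a usable key.
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-LogonCertificate -Certificate $_ -ExpectedEku $OidSmartCardLogon } |
    Where-Object { $_.Passed }
```

Run the smart card check with the card inserted; HasPrivateKey reports the association between the certificate and the key on the card, which is exactly what the CAPI/CNG install step above creates.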