Creating and Configuring Profile Templates in a Test Environment

Microsoft Certificate Lifecycle Manager 2007 (CLM 2007) is a policy and workflow-driven solution that helps organizations manage the lifecycle of digital certificates and smart cards. CLM lowers the costs associated with digital certificates and smart cards by enabling organizations to more efficiently deploy, manage, and maintain a certificate-based infrastructure. CLM streamlines provisioning, deprovisioning, configuration, and auditing of digital certificates and smart cards, and increases security through strong, multi-factor authentication technology.

What This Document Covers

This document provides step-by-step instructions for creating and configuring a CLM profile template, and for configuring the permissions and management policies for that template. You then use the CLM portal to submit and complete a Web Server certificate request.

Prerequisite Knowledge

This document assumes that you have a basic understanding of the following information technology (IT) concepts and tasks:

Audience

This guide is intended for IT planners, systems architects, technology decision makers, consultants, infrastructure planners, and IT personnel who plan and develop certificate management on the network.

Time Requirements

The procedures in this document require 60 to 90 minutes to complete.

Note

These time estimates assume the testing environment is already configured and ready for testing to begin and do not include the time required to set up the test environment.

Scenario Description

The procedures in this document will help you create and configure a CLM Profile Template, and use the CLM portal to request a Web Server certificate.

The Testing Environment

To perform the procedures in this document, it is assumed that your test environment has been set up and configured using the procedures in the document “Getting Started with Microsoft Certificate Lifecycle Manager: Installing and Configuring CLM 2007 in a Test Environment” ( https://go.microsoft.com/fwlink/?LinkId=89655).

Your environment should consist of:

  • Microsoft® Windows Server® 2003, Enterprise Edition or Microsoft® Windows Server® 2003, Datacenter Edition, named CLMServer

  • CLM 2007, installed on the above server.

  • A minimum of one certification authority (CA) installed, named CLM, which may be either an Enterprise root CA, or an Enterprise subordinate CA.

  • Microsoft SQL Server 2005 (SP1).

  • Microsoft Internet Information Services (IIS), with SMTP service enabled.

  • Microsoft .NET Framework 2.0

In addition, this document assumes that all computers are members of the Fabrikam.com forest.

Note

It is possible to test the results of the procedures in this document on a single computer that has all of these components. For a production environment, however, we strongly recommend that you do not set up CLM and Active Directory on the same computer, both for performance reasons and because it places a Web-facing application on a domain controller.

Pre-install Tasks

Create User and Group with Necessary Profile Template Permissions

To perform the procedures in this guide, you must create a user and security group that are delegated the minimum permissions necessary to perform the procedures.

To create a new user and security group

  1. Log on as administrator.

  2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  3. In Active Directory Users and Computers, right-click Users, point to New, and then click User.

  4. In the New Object - User wizard, type CLM_Template for the user logon name, click Next, enter a password, clear User must change password at next logon, click Next, and then click Finish.

  5. Right-click Users, point to New, and then click Group.

  6. For the group name enter CLM_Template_Admins, make sure that the Group Scope is set to Global, and the Group Type is set to Security, then click OK.

  7. In the right pane, right-click CLM_Template_Admins, and click Properties.

  8. Click the Members tab and add user CLM_Template to the group.

The CLM_Template_Admins group will need the necessary permissions to create and configure Profile Templates in CLM.

To configure Profile Template permissions

  1. Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.

  2. Click View, and make sure that Show Services Node is selected.

  3. Expand the Services node, then expand the Public Key Services node, and select Profile Templates.

  4. Right-click Profile Templates and select Properties.

  5. Click the Security tab, click Add, add the CLM_Template_Admins group, and then click OK.

  6. In Group or user names, select CLM_Template_Admins, and then in the Allow column, select Full Control. This is a broad grant: it lets the group create, edit, and delete every profile template, so keep the group's membership small.

  7. Click Advanced, select CLM_Template_Admins, and click Edit.

  8. In Apply onto, select This object and all child objects, then click OK three times to exit.

  9. Close Active Directory Sites and Services.

To configure the Service Connection Point permissions

  1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. Click View, and make sure that Advanced Features is selected.

  3. Expand the domain, expand System, expand Microsoft, expand Certificate Lifecycle Manager, and select CLMServer.

  4. Right-click CLMServer and select Properties.

  5. Select the Security tab, add the CLM_Template_Admins group, and allow the CLM Audit permission. Make sure that you also allow the Read permission.

  6. Click OK.

  7. Close Active Directory Users and Computers.

To configure the Web Server certificate template permissions

  1. Click Start, Run, type certtmpl.msc, and click OK.

  2. In the right pane, right-click Web Server, and then click Properties.

  3. Select the Security tab, add the CLM_Template_Admins group, and allow the Read and Enroll permissions only. Do not grant Write or Full Control: the group needs to enroll against the template, not to modify it.

  4. Click OK.

  5. Close Certificate Templates.
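The three delegation procedures above can be scripted and, more usefully, read back so that you can confirm the group received exactly what was intended and nothing more. The following PowerShell is an added example for this document; it is not part of CLM 2007 or of the original guide. It assumes a domain administrator session on a domain-joined host with PowerShell and dsacls.exe, the Fabrikam.com forest (DC=Fabrikam,DC=com), the object names used in the procedures above, and that dsacls accepts the extended-right display names Enroll and CLM Audit (the latter is the label shown on the service connection point's Security tab; the lookup at the end resolves whatever GUID was actually written).

```powershell
# Added example: scripted equivalent of the delegation steps, plus an ACE read-back.
# Assumptions: domain admin session, forest Fabrikam.com, dsacls.exe on the PATH,
# object names as used in the guide. Not part of CLM 2007 or the original document.

$netbios  = 'FABRIKAM'
$dnRoot   = 'DC=Fabrikam,DC=com'
$cfgRoot  = "CN=Configuration,$dnRoot"
$group    = "$netbios\CLM_Template_Admins"

$profileTemplatesDn  = "CN=Profile Templates,CN=Public Key Services,CN=Services,$cfgRoot"
$webServerTemplateDn = "CN=WebServer,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgRoot"
$scpDn               = "CN=CLMServer,CN=Certificate Lifecycle Manager,CN=Microsoft,CN=System,$dnRoot"

# 1. User and global security group (the objects the GUI steps create)
$users = [ADSI]"LDAP://CN=Users,$dnRoot"
$u = $users.Create('user', 'CN=CLM_Template')
$u.Put('sAMAccountName', 'CLM_Template')
$u.SetInfo()
$u.SetPassword((Read-Host 'Password for CLM_Template'))
$u.Put('userAccountControl', 512)       # NORMAL_ACCOUNT, enabled
$u.Put('pwdLastSet', -1)                # clears "User must change password at next logon"
$u.SetInfo()

$g = $users.Create('group', 'CN=CLM_Template_Admins')
$g.Put('sAMAccountName', 'CLM_Template_Admins')
$g.Put('groupType', -2147483646)        # GLOBAL_GROUP | SECURITY_ENABLED
$g.SetInfo()
$g.Add("LDAP://CN=CLM_Template,CN=Users,$dnRoot")

# 2. Profile Templates container: Full Control on this object and all child objects
dsacls $profileTemplatesDn /G "$($group):GA" /I:T

# 3. Web Server certificate template: Read plus the Enroll extended right only.
#    No Write/Full Control: the group enrolls against the template, it does not edit it.
dsacls $webServerTemplateDn /G "$($group):GR" "$($group):CA;Enroll"

# 4. Service connection point: Read plus the CLM Audit extended right.
#    "CLM Audit" is the display name shown in the GUI; assumption that dsacls resolves it.
dsacls $scpDn /G "$($group):GR" "$($group):CA;CLM Audit"

# 5. Read back every ACE the group now holds on each object, resolving
#    extended-right GUIDs to display names so "CA;Enroll" shows up as "Enroll".
$rightNames = @{}
foreach ($r in ([ADSI]"LDAP://CN=Extended-Rights,$cfgRoot").psbase.Children) {
    $rightNames[([string]$r.rightsGuid).ToLower()] = [string]$r.displayName
}

function Get-GroupAces([string]$dn) {
    $obj = [ADSI]"LDAP://$dn"
    $obj.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -eq $group } |
        ForEach-Object {
            $guid = $_.ObjectType.ToString().ToLower()
            New-Object PSObject -Property @{
                Object        = $dn
                Rights        = $_.ActiveDirectoryRights
                AppliesTo     = $_.InheritanceType
                ExtendedRight = $(if ($rightNames.ContainsKey($guid)) { $rightNames[$guid] } else { '' })
            }
        }
}

$profileTemplatesDn, $webServerTemplateDn, $scpDn |
    ForEach-Object { Get-GroupAces $_ } |
    Format-Table Object, Rights, ExtendedRight, AppliesTo -AutoSize
```

The read-back is the part worth keeping even if you do the delegation in the GUI: on the Web Server template you expect to see GenericRead plus one ExtendedRight row named Enroll, on the service connection point GenericRead plus the CLM Audit right, and on the Profile Templates container GenericAll with AppliesTo of All. Any WriteDacl, WriteOwner, or GenericAll on the certificate template would let the group change who can enroll, which is more than this guide intends.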

Create and configure a new Profile Template

Create the Profile Template

To create a new Profile Template you will need to copy an existing template. Two sample templates are provided with CLM 2007 for this purpose.

To create a new Profile Template

  1. Log on as CLM_Template.

  2. Open Internet Explorer.

  3. In Internet Explorer, open https://CLMServer/clm

  4. Click the Microsoft Certificate Lifecycle Manager logo.

  5. On the Home page of the CLM Web Portal, in the Administration section, click Manage profile templates.

  6. On the Profile Template Management page, in the Profile Template List section, enable the check box next to CLM Sample Profile Template, and then click Copy a selected profile template.

  7. On the Duplicate Profile page, in the Profile Template Name section, in the New Profile Template Name box, type Web Server SSL Certificates, and then click OK.

Configure the Profile Template

For each Profile Template, you must configure a set of General Settings, as well as settings for the Certificate Template that is used by the Profile Template.

Modify the General Settings

To modify the General Settings

  1. In the CLM Web Portal, in the left-hand pane, in the Select a view section, ensure that Profile Details is selected.

  2. On the Edit Profile Template [Web Server SSL Certificates] page, in the General section, click Change general settings.

  3. On the Edit Profile Template [Web Server SSL Certificates] page, in the Name and Description section, in the Description box, type Allows issuance and management of Web Server SSL Certificates.

  4. On the Edit Profile Template [Web Server SSL Certificates] page, leave all other settings at their default value, and then at the bottom of the page, click OK.

To modify the Certificate Template settings

  1. On the Edit Profile Template [Web Server SSL Certificates] page, in the Certificate Templates section, click Add new certificate template(s) to profile template.

  2. Make the following changes on the Edit Profile Template [Web Server SSL Certificates] page:

    1. In General Options, enable Allow Raw Request. This lets the portal accept a PKCS#10 request generated elsewhere (the IIS wizard later in this document). Because the Web Server template takes its subject from the request, whoever submits the request chooses the certificate's name; limit who can initiate enrollment accordingly.

    2. In certification authorities, select CLM.

    3. In Certificate Templates, enable Web Server.

  3. At the bottom of the page, click Add.

  4. In the Certificate Templates section, enable the User check box, and then click Delete selected certificate templates.

  5. In the Microsoft Internet Explorer dialog box, click OK to delete the selected items.

Configure the Enroll Policy

Each Profile Template has a set of management policies that can be configured for it. For this scenario, you only need to configure the Enroll policy. With Number of approvals set to 0 and self serve enabled, a request from any permitted initiator is issued immediately, so the list of initiating principals that you edit below is the only control over who can obtain a Web Server certificate through this template.

To define the general workflow settings

  1. In the left-hand pane, in the Select a view section, click Enroll Policy.

  2. On the Edit Profile Template [Web Server SSL Certificates] page, in the Workflow: General section, click Change general settings.

  3. Ensure that the following options are set on the Edit Profile Template [Web Server SSL Certificates] page:

    1. Enable policy: Enabled

    2. Use self serve: Enabled

    3. Require enrollment agent: Disabled

    4. Allow comments to be collected: Disabled

    5. Allow request priority to be collected: Disabled

    6. Default request priority: 0

    7. Number of approvals: 0

    8. Number of active or suspended profiles/smart cards allowed: Unlimited

  4. At the bottom of the page, click OK.

To define who can initiate an enrollment request

  1. In the Workflow: Initiate Enroll Requests section, select the check box next to NT AUTHORITY\SYSTEM, and then click Delete principal(s) for enroll request initiation. The principals that remain in this list are the only ones allowed to start an enrollment against this profile template; make sure a principal that includes the CLM_Template user is still listed before you continue, because that user submits the request later in this document.

  2. In the Microsoft Internet Explorer dialog box, click OK to confirm the deletion.

To change the Data Collection settings

  1. On the Edit Profile Template [Web Server SSL Certificates] page, in the Data Collection section, select the check box next to Sample Data Item, and then click Delete data collection items.

  2. In the Microsoft Internet Explorer dialog box, click OK to confirm the deletion.

  3. In the Data Collection section, click Add new data collection item.

  4. In the Data Item Name and Type section, make the following changes:

    1. Name: Web Server Hostname

    2. Description: Provide the NetBIOS name of the Web Server

    3. Type: String

    4. Default Value: Disabled

    5. Required: Enabled

  5. In the Data Item Originator section, select User.

  6. In the Data Item Validation section, select Data type.

  7. In the Data Item Storage section, ensure that the following settings are set:

    1. Store data in: Database

    2. Encrypted: Disabled

  8. At the bottom of the page, click OK to save any changes.

Change the One Time Password Settings

  1. On the Edit Profile Template [Web Server SSL Certificates] page, in the One Time Passwords section, click Change password provider settings.

  2. On the Edit Profile Template [Web Server SSL Certificates] page, in the Password Provider section, ensure that Default password provider is selected, and then in the Number of one time passwords (password provider data) box, type 0, and then click OK.

Requesting a Web Server Certificate

Once the enrollment policy is set, you can test the Profile Template by requesting and installing an SSL certificate on CLMServer. You will need to perform the following tasks:

  • Add the CLM_Template_Admins group to the local Administrators group

  • Configure DNS

  • Initiate and process the Web Server certificate request

To add the CLM_Template_Admins group to the local Administrators group

  1. Log on as administrator.

  2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  3. Select Users. In the right pane, right-click CLM_Template_Admins, and click Properties.

  4. Click the Member Of tab, click Add, and add Administrators. Membership in Administrators is needed because the IIS certificate wizard writes to the local machine certificate store and the IIS metabase; it grants far more than the minimum permissions delegated earlier, so do this only in the test environment.

Important

Before completing the next procedure, you must ensure that the DNS Server service is installed on your server. If it is not already installed, install it from Add or Remove Programs (Add/Remove Windows Components, Networking Services), and then return to this procedure.

To configure the CNAME record in DNS

  1. Click Start, point to Administrative Tools, and then click DNS.

  2. In the console tree, expand CLMServer, expand Forward Lookup Zones, and then select Fabrikam.com.

  3. In the console tree, right-click Fabrikam.com, and then click New Alias (CNAME).

  4. In the New Resource Record dialog box, do the following:

    1. In the Alias name (uses parent domain if left blank) box, type clm.

    2. In the Fully qualified domain name (FQDN) for target host box, type CLMServer.Fabrikam.com.

  5. In the New Resource Record dialog box, click OK.

  6. Close the DNS console.

  7. Click Start, Run, type cmd, then click OK.

  8. At the command prompt, type ipconfig /flushdns, and then press ENTER.

  9. At the command prompt, type ping clm.Fabrikam.com, and then press ENTER.

  10. Ensure that the alias resolves to the address of CLMServer.Fabrikam.com. (The record created above is clm in the Fabrikam.com zone, so the name to resolve is clm.Fabrikam.com.)

To initiate the Web Server Certificate Request

  1. Log on as CLM_Template

  2. In Administrative Tools, open Internet Information Services (IIS) Manager.

  3. In the console tree, expand CLMServer, expand Web Sites, and then select Default Web Site.

  4. Right-click Default Web Site and then click Properties.

  5. In the Default Web Site Properties dialog box, click the Directory Security tab.

  6. On the Directory Security tab, in the Secure communications section, click Server Certificate.

  7. On the Welcome to the Web Server Certificate Wizard page, click Next.

  8. On the Server Certificate page, click Create a new certificate, and then click Next.

  9. On the Delayed or Immediate Request page, click Prepare the request now, but send it later, and then click Next.

  10. On the Name and Security Settings page, in Name type CLM Web Portal, set the Bit length to 1024, and then click Next. (1024 bits is the value used in this test environment; use at least 2048 bits for any certificate that will actually be relied on.)

  11. On the Organization Information page, enter the following information, and then click Next.

    1. Organization: <any name>

    2. Organizational unit: <any name>

  12. On the Your Site's Common Name page, in Common name, type CLMServer and then click Next. The common name must match the host name that clients type into the browser; a certificate issued to CLMServer matches https://CLMServer/clm but not https://clm.Fabrikam.com/clm or https://CLMServer.Fabrikam.com/clm, which will produce a name-mismatch warning.

  13. On the Geographical Information page, enter the following information and then click Next.

    1. Country/region: US (United States)

    2. State/province: Washington

    3. City/locality: Redmond

  14. On the Certificate Request File Name page, in File Name, type c:\clmreq.txt, and then click Next.

  15. On the Request File Summary page, verify the settings, and then click Next.

  16. On the Completing the Web Server Certificate Wizard page, click Finish.

  17. In the Default Web Site Properties dialog box, click OK.

  18. Minimize the Internet Information Services (IIS) Manager console.
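The wizard steps above produce a 1024-bit request whose only name is CN=CLMServer. Because the profile template has Allow Raw Request enabled, the portal accepts any PKCS#10, so the same request can instead be built with certreq.exe, with a 2048-bit key and a Subject Alternative Name that covers the server's FQDN and the clm.Fabrikam.com alias created in the DNS step. The following PowerShell is an added example for this document, not code from CLM 2007 or the original guide. It assumes an elevated session on CLMServer, the organization and geography values used in the wizard, and that the text lines matched by Select-String appear in certutil's dump output.

```powershell
# Added example: build the Web Server CSR with certreq.exe instead of the IIS wizard,
# so the key is 2048 bits and the request names both the FQDN and the clm alias.
# Assumptions: elevated session on CLMServer; names from the guide's DNS step.
# Not part of CLM 2007 or the original document.

$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
; Subject mirrors the wizard's organization and geography pages, but uses the FQDN
Subject = "CN=CLMServer.Fabrikam.com, OU=IT, O=Fabrikam, L=Redmond, S=Washington, C=US"
KeyLength = 2048
; AT_KEYEXCHANGE: the key must support key exchange for SSL/TLS
KeySpec = 1
; digitalSignature | keyEncipherment
KeyUsage = 0xA0
; generate the private key in the machine store and do not allow export
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; Subject Alternative Name: every name clients will type into the browser
2.5.29.17 = "{text}"
_continue_ = "dns=CLMServer.Fabrikam.com&"
_continue_ = "dns=clm.Fabrikam.com&"
_continue_ = "dns=CLMServer&"
'@

Set-Content -Path C:\clmreq.inf -Value $inf -Encoding ASCII
certreq -new C:\clmreq.inf C:\clmreq.txt

# Check what is about to be pasted into the portal: subject, SAN entries and key size.
certutil -dump C:\clmreq.txt | Select-String 'CN=|DNS Name=|Key Length'

# After the portal returns c:\clmcert.p7b (the "process the request" steps that follow),
# install it against the pending key and confirm the private key is attached.
certreq -accept C:\clmcert.p7b
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
$store.Certificates |
    Where-Object { $_.Subject -like 'CN=CLMServer.Fabrikam.com*' } |
    ForEach-Object {
        "{0}  key={1} bits  privateKey={2}  expires={3}" -f $_.Thumbprint,
            $_.PublicKey.Key.KeySize, $_.HasPrivateKey, $_.NotAfter
    }
$store.Close()
```

Paste the contents of C:\clmreq.txt into the portal exactly as the procedure below describes. Because the key pair now lives in the machine store rather than in an IIS pending request, finish in IIS Manager by running the Web Server Certificate Wizard and choosing Assign an existing certificate instead of Process the pending request (delete the wizard's pending request first if you already created one). If the portal rejects the request, certutil -dump on the .txt file shows exactly which subject, SAN, and key length were submitted, which is the first thing to compare against the template.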

To process the Web Server Certificate Request

  1. Open c:\clmreq.txt.

  2. From the Edit menu, click Select All.

  3. From the Edit menu, click Copy.

  4. Close c:\clmreq.txt.

  5. Open Internet Explorer

  6. In Internet Explorer, open https://CLMServer/clm.

  7. Click the Microsoft Certificate Lifecycle Manager logo.

  8. On the Home page, in the Select a view section, click Manage my info.

  9. On the Home page, in the Common Tasks section, click Request a new set of certificates.

  10. In the Select a Profile Template section, select Web Server SSL Certificates, and click Next.

  11. In the Data Collection section, in Web Server Hostname, type CLMServer, and then click Next.

  12. On the Installing Certificates page, in the Key Generation: Web Server section, in Name, type CLM, right-click the Raw certificate request text area, and then click Paste.

  13. Ensure that the request file contents appear, and then click Next.

  14. On the Installing Certificates page, in the Template Common Name (click to download) column, click WebServer.

  15. In File Download, click Save.

  16. In Save As, in File name, type c:\clmcert, and then click Save. The certificate is saved as c:\clmcert.p7b.

  17. If the Download Complete dialog appears, click Close.

  18. On the Installing Certificates page, ensure that the Success column shows as a check mark, and then click Next.

  19. Close Internet Explorer.

To complete the Web Server Certificate request

  1. Restore the Internet Information Services (IIS) Manager console.

  2. Right-click Default Web Site, and then click Properties.

  3. In the Default Web Site Properties dialog box, click the Directory Security tab.

  4. On the Directory Security tab, in the Secure communications section, click Server Certificate.

  5. On the Welcome to the Web Server Certificate Wizard page, click Next.

  6. On the Pending Certificate Request page, click Process the pending request and install the certificate, and then click Next.

  7. On the Process a Pending Request page, in Path and file name, type c:\clmcert.p7b, and then click Next.

  8. On the SSL Port page, in SSL port this web site should use, type 443, and then click Next.

  9. On the Certificate Summary page, verify the information, and then click Next.

  10. On the Completing the Web Server Certificate Wizard page, click Finish.

  11. In the Default Web Site Properties dialog box, click OK.

To enable SSL for the Clm virtual directory

  1. In Internet Information Services (IIS) Manager, in the console tree, expand Default Web Site, right-click Clm, and then click Properties.

  2. In the Clm Properties dialog box, click the Directory Security tab.

  3. On the Directory Security tab, in the Secure communications section, click Edit.

  4. In the Secure Communications dialog box, select Require secure channel (SSL), select Require 128-bit encryption, and then click OK.

  5. In the Clm Properties dialog box, click OK.

  6. Close the IIS Manager console.

To test the SSL connection to the CLM Server

  1. Open Internet Explorer.

  2. Open https://CLMServer/clm

  3. If a Security Alert dialog box opens, read it before dismissing it. A name mismatch means the host in the URL is not the certificate's common name (the certificate was issued to CLMServer); an untrusted-issuer warning means the root of the CLM CA is not in the client's Trusted Root Certification Authorities store. In this test environment you can click In the future, do not show this warning and then OK; anywhere else, fix the cause rather than suppress the warning.

  4. Ensure that no SSL-related errors are reported for the certificate.
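Clicking through a browser warning tells you very little about what the server actually presented. The following PowerShell performs the same test from the command line: it completes a TLS handshake against the portal, records every policy error the .NET validator raises instead of hiding it, and reports the subject, Subject Alternative Name, issuer, and key size of the certificate served. This is an added example for this document, not part of CLM 2007 or the original guide; it assumes the portal listens on port 443 on CLMServer and that the clm.Fabrikam.com alias from the DNS step resolves from the client you run it on.

```powershell
# Added example: handshake with the CLM portal and report the served certificate
# and all SSL policy errors, rather than clicking past the browser's Security Alert.
# Assumptions: portal on CLMServer:443; clm.Fabrikam.com resolves from this client.
# Not part of CLM 2007 or the original document.

function Test-ClmSsl {
    param(
        [string]$TargetHost,
        [int]$Port = 443,
        [string]$ExpectedName = $TargetHost   # name the certificate is checked against
    )
    $script:policy = [System.Net.Security.SslPolicyErrors]::None
    $tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
    # Record the validator's verdict but let the handshake finish so we can inspect the cert.
    $cb = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:policy = $errors
        return $true
    }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    try {
        $ssl.AuthenticateAsClient($ExpectedName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $san = $cert.Extensions |
            Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
            ForEach-Object { $_.Format($false) }
        New-Object PSObject -Property @{
            Host     = "$TargetHost (checked as $ExpectedName)"
            Subject  = $cert.Subject
            SAN      = $san
            Issuer   = $cert.Issuer
            KeyBits  = $cert.PublicKey.Key.KeySize
            NotAfter = $cert.NotAfter
            Protocol = $ssl.SslProtocol
            Errors   = $script:policy
        }
    }
    finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

# The URL used throughout the guide, and the alias created in the DNS step.
$results = @(
    (Test-ClmSsl -TargetHost 'CLMServer'),
    (Test-ClmSsl -TargetHost 'clm.Fabrikam.com')
)
$results | Format-List Host, Subject, SAN, Issuer, KeyBits, NotAfter, Protocol, Errors

# RemoteCertificateNameMismatch: the name used is not in Subject/SAN (CN=CLMServer vs clm.Fabrikam.com).
# RemoteCertificateChainErrors:  the CLM CA's root is not trusted on this client.
foreach ($r in $results) {
    if ($r.Errors -ne [System.Net.Security.SslPolicyErrors]::None -or $r.KeyBits -lt 2048) {
        Write-Warning ("{0}: errors={1}, key={2} bits" -f $r.Host, $r.Errors, $r.KeyBits)
    }
}
```

With the certificate requested exactly as the wizard steps describe (CN=CLMServer, no SAN, 1024-bit key), expect the second result to report RemoteCertificateNameMismatch and both to warn about the key size; a chain error on either means the client does not trust the CLM CA. Each of those is a defect in the certificate or the client's trust store, not something to suppress in the browser.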