Import CA (Windows or Third-party) Certificates in Active Directory for Smart Card Authentication

Product: HYPR Workforce Access Client (All), Active Directory (AD)
Applicable Version(s): HYPR 6.10+

Overview:

As an organization, you may choose to use an internal or external Certificate Authority (CA) for certificate issuance and validation. Active Directory (AD) Certificate Services (CS) will do this by default. If you are not using AD CS, Active Directory must be aware of the CA certificates for certificate issuance and validation (enrollment and authentication). The following instructions will guide administrators on how to configure AD to use the CA certificate chain (root and intermediate).

Instructions

Publish CA to AD

1. Log on to a Domain Controller and copy the two certificates (Root CA and SubCA) to the desktop.

2. Start a command prompt with Administrator rights.

Publish root CA to Certificate Authorities Container

1. Navigate to the following location:

CN=Certificate Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=local

2. Publish the root CA with the certutil command:

certutil -f -dspublish <cert file name> RootCA

Example

certutil -f -dspublish rootca.cer RootCA

Publish CA Certificates to NTAuthCA Attribute

Publish the certificates of both the root CA and every intermediate CA (sub-CA or issuing CA) into the NTAuthCertificates attribute:

1. Navigate to the following location:

CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=local

2. For each CA (root CA, intermediate CA, sub-CA, issuing CA), publish the certificate with the certutil command:

certutil -dspublish -f <cert file name> NTAuthCA

Example:

certutil -dspublish -f rootca.cer NTAuthCA

Publish Intermediate or sub-CA to AIA

Publish the certificates of each intermediate CA (sub-CA or issuing CA) into the AIA container:

1. Navigate to the following location:

CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=local

2. For each intermediate or sub-CA, publish the certificate with the certutil command:

certutil -f -dspublish <cert file name> SubCA

Example

certutil -f -dspublish subca.cer SubCA

Verify CA Certificates

To verify the CA certificates, you can use either ADSIEDIT or MMC / Enterprise PKI snap-in.

Using ADSIEDIT

  1. Start ADSIedit.

  2. In Connection Settings, enter a Name and the Path to your domain. For the naming context, select Configuration.

  3. Browse down to Public Key Services.

  4. Look in CN=AIA and verify that only the SubCA certificate is there, not your RootCA.

  5. Look in CN=Certificate Authorities and verify that only the RootCA certificate is there, not your SubCA.

  6. Look in CN=NTAuthCertificates and verify that your CA certificates are there.

Using MMC / Enterprise PKI Snap-in

  1. Start the Microsoft Management Console (MMC).

  2. Load the snap-in Enterprise PKI.

  3. Right-click on the snap-in and select Manage AD Containers.

  4. Click on each container and verify that your certificates are there.
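The same checks can be scripted so they are repeatable after every CA rollover. The following PowerShell script is an added example, not part of the original article: it assumes the RSAT ActiveDirectory module is installed, the session can read the Configuration partition, and the two thumbprint placeholders are replaced with the values of your own Root CA and SubCA certificates (for example from certutil -dump rootca.cer).

```powershell
# Added verification script (not from the original article). Assumes the RSAT
# ActiveDirectory module and a domain-joined session that can read the
# Configuration partition. Replace the two placeholder thumbprints.
Import-Module ActiveDirectory

$RootThumbprint = 'REPLACE_WITH_ROOTCA_THUMBPRINT'   # placeholder
$SubThumbprint  = 'REPLACE_WITH_SUBCA_THUMBPRINT'    # placeholder

# Public Key Services lives in the Configuration naming context of the forest.
$pks = 'CN=Public Key Services,CN=Services,' + (Get-ADRootDSE).configurationNamingContext

# Returns the SHA-1 thumbprints of every certificate held in the cACertificate
# attribute of the certificationAuthority object(s) found at $SearchBase.
function Get-PublishedThumbprints {
    param([string]$SearchBase, [string]$Scope)
    Get-ADObject -SearchBase $SearchBase -SearchScope $Scope `
        -LDAPFilter '(objectClass=certificationAuthority)' -Properties cACertificate |
      ForEach-Object { $_.cACertificate } |            # one byte[] per stored certificate
      ForEach-Object {
          [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$_).Thumbprint
      }
}

# AIA and the CA container hold one object per CA; NTAuthCertificates is a
# single object whose cACertificate attribute is multi-valued. The container
# CN below is the name as it appears in the AD schema.
$aia    = Get-PublishedThumbprints "CN=AIA,$pks" OneLevel
$cas    = Get-PublishedThumbprints "CN=Certification Authorities,$pks" OneLevel
$ntauth = Get-PublishedThumbprints "CN=NTAuthCertificates,$pks" Base

# Each check mirrors one step of the ADSIEDIT verification above.
$results = [ordered]@{
    'RootCA in Certification Authorities'    = $cas    -contains    $RootThumbprint
    'RootCA NOT in AIA'                      = $aia    -notcontains $RootThumbprint
    'SubCA in AIA'                           = $aia    -contains    $SubThumbprint
    'SubCA NOT in Certification Authorities' = $cas    -notcontains $SubThumbprint
    'RootCA in NTAuthCertificates'           = $ntauth -contains    $RootThumbprint
    'SubCA in NTAuthCertificates'            = $ntauth -contains    $SubThumbprint
}
$results.GetEnumerator() | ForEach-Object {
    '{0,-40} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
```

Any FAIL line points at the container to revisit with the matching certutil -dspublish step; the domain controllers may also need a few minutes to replicate the Configuration partition before the checks pass everywhere.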

Remove CA certificates from the Desktop

When the CA certificates are published, remove the CA certificates from the desktop.

Version history

Version          Date                Author
v. 5 (current)   Apr 26, 2023 08:46  Nilesh Doiphode
v. 4             May 6, 2022 12:37   A. Khedron de León
v. 3             Mar 16, 2022 16:37  Sean Dyon
v. 2             Mar 15, 2022 14:02  Sean Dyon
v. 1             Oct 31, 2021 07:27  Nilesh Doiphode