Microsoft Enterprise CA

Prerequisites

The prerequisites for configuring Microsoft Enterprise CA in AppViewX are as follows:
  • The AppViewX Windows Gateway should be installed on a Windows machine, running, and reachable from the AppViewX vendor plugin through one of the communication modes described below.
Table 1. Communication Mode Table

| Communication mode | Category | Windows gateway machine | Microsoft CA |
|---|---|---|---|
| NATIVE API | User account type | Service account | Service account |
| NATIVE API | User permission | NA | Read, Request certificates, Issue and Manage certificates permission at CA level for the service account or the service account group or authenticated users; Enroll permission at Certificate template level for the service account or the service account group or authenticated users |
| NATIVE API | Services | RPC service | RPC service; certutil.exe command availability |
| NATIVE API | Ports | NA | 135 as the incoming port |
| POWERSHELL | User account type | Service account | Service account |
| POWERSHELL | User permission | NA | Full control permission to C:\Windows\Temp; Read, Request certificates, Issue and Manage certificates permission at CA level for the service account or the service account group or authenticated users |
| POWERSHELL | Services | RPC Service, WinRM Service, WinRM Configuration, PowerShell remoting, certutil.exe command availability | RPC Service, WinRM Service, WinRM Configuration, PowerShell remoting, certutil.exe command availability |
| POWERSHELL | Ports | NA | 5985 |
| WMI | User account type | Service account | Service account |
| WMI | User permission | NA | Full control permission to C:\Windows\Temp; Read, Request certificates, Issue and Manage certificates permission at CA level for the service account or the service account group or authenticated users |
| WMI | Services | WMI service; certutil.exe command availability | WMI service; certutil.exe command availability |
| WMI | Ports | NA | 135, 445 or 139 |
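
The Table 1 prerequisites can be checked from the Windows Gateway machine before the CA is configured in AppViewX. The script below is an added example, not AppViewX code; the script name, parameter names and the sample CA host are assumptions, and it inspects services on the local (gateway) machine only:

```powershell
# Added example, not AppViewX code. Run on the Windows Gateway machine, e.g.
#   .\Test-CaPrereq.ps1 -Mode WMI -CaHost ca01.example.test   (names are hypothetical)
param(
    [Parameter(Mandatory)][ValidateSet('NATIVE API', 'POWERSHELL', 'WMI')]
    [string]$Mode,
    [Parameter(Mandatory)][string]$CaHost,   # CA machine hostname
    [string]$CaName                          # optional; enables the certutil -ping check
)

# Ports on the CA and services on the gateway, per communication mode (Table 1).
# RpcSs, WinRM and Winmgmt are the Windows short names of the RPC, WinRM and WMI services.
$table = @{
    'NATIVE API' = @{ Ports = @(135);           Services = @('RpcSs') }
    'POWERSHELL' = @{ Ports = @(5985);          Services = @('RpcSs', 'WinRM') }
    'WMI'        = @{ Ports = @(135, 445, 139); Services = @('Winmgmt') }
}
$prereq = $table[$Mode]

$results = @(
    # Table 1 lists "445 or 139" for WMI; both are probed to show which one is reachable.
    foreach ($port in $prereq.Ports) {
        $open = Test-NetConnection -ComputerName $CaHost -Port $port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Check = "TCP $port"; Target = $CaHost; Ok = $open }
    }
    foreach ($name in $prereq.Services) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $running = ($null -ne $svc) -and ($svc.Status -eq 'Running')
        [pscustomobject]@{ Check = "Service $name"; Target = 'localhost'; Ok = $running }
    }
    $certutil = Get-Command certutil.exe -ErrorAction SilentlyContinue
    [pscustomobject]@{ Check = 'certutil.exe available'; Target = 'localhost'; Ok = [bool]$certutil }
    if ($certutil -and $CaName) {
        # Asks the named CA to answer; exit code 0 means it responded.
        & certutil.exe -config "$CaHost\$CaName" -ping | Out-Null
        [pscustomobject]@{ Check = 'certutil -ping'; Target = "$CaHost\$CaName"; Ok = ($LASTEXITCODE -eq 0) }
    }
    if ($Mode -eq 'POWERSHELL') {
        # Unauthenticated WS-Management identify request against the CA machine.
        $wsman = Test-WSMan -ComputerName $CaHost -ErrorAction SilentlyContinue
        [pscustomobject]@{ Check = 'WinRM responds'; Target = $CaHost; Ok = [bool]$wsman }
    }
)
$results | Format-Table -AutoSize
```

The permission rows of Table 1 (CA-level and template-level rights, and access to C:\Windows\Temp) are not covered by this script and still need to be reviewed on the CA itself.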

Configuring Microsoft Enterprise CA

  1. Go to (Menu) > SIGN+ > ADMINISTRATION > Certificate Authority.
  2. From the displayed CA, select Microsoft.
    The Microsoft home page is displayed.
  3. Select the Enterprise tab.
  4. Click the Configure Now button in the middle of the page or the +Add icon at the top right.
  5. Update the following details in the General Information section as described in the table.
    Table 2. General Information - Field Description Table

    | Fields | Description |
    |---|---|
    | *CA Account name | A unique name to identify the CA setting. Note: No special characters other than '.', '-', '_' are allowed. Names should not start with special characters. |
    | *Purpose/Usage | Certificate Type for which CLM actions will be enabled. Example: Server, Client, Code Signing |
    | Proxy Required | Enable this field if the CA communication needs to happen via Proxy. The proxy details configured in general settings will be used for communication. |
    | Data Center (AppViewX's CA agent) | Select the data center through which the CA communication needs to happen. |

    *: Mandatory fields
  6. Update the following details in the CA Configuration section as described in the table.
    Table 3. CA Configuration - Field Description Table

    | Fields | Description |
    |---|---|
    | *Windows Gateway URL | Enter the URL where the AppViewX agent is running. |
    | *Windows Gateway Type | The mode of communication from the Windows Gateway machine to the CA machine. Available types are NATIVE API, POWERSHELL and WMI. Refer to the Communication Mode Table (Table 1). |
    | Client Authentication Certificate | The client certificate used while installing Windows Gateway. Users can use the default client certificate (ClientCertificateGateway.pfx) or the custom certificate given by the customer. |
    | *Credential Type | Type of credential to be used. Either Manual Entry or Credential List. |
    | Username | User name of the credentials. |
    | Password | Password for the username. |

    *: Mandatory fields
  7. Click Fetch CA Names to retrieve the CAs accessible from the machine on which Windows Gateway is installed.
    Upon successful completion of Fetch CA Names, all reachable CAs are listed in Select CA.
  8. Click on one specific CA and proceed.
    [Figure: Using Native API]
    [Figure: Using POWERSHELL / WMI]
    Table 4. CA Details - Field Description Table

    | Fields | Description |
    |---|---|
    | Select CA | All the reachable CAs are listed here. |
    | *CA Machine Hostname | Host name of the CA machine, which will be auto-filled. |
    | *CA Name | Name of the chosen CA, which will be auto-filled. |
    | CA Manager Approval | Approves the pending Enroll / Renew requests submitted from AppViewX Certificate. |
    | *Time Zone | Time zone value, required to perform scheduled and optimized CA discovery. |

    *: Mandatory fields
    1. Configure the Template Details.
      Once a CA is selected from the Select CA list, the template details should be auto-filled as shown below.
      Note: If the desired template is not listed, it might not be published in AD. Users can add it manually through the MS Template name and OID fields as shown below.
    2. In the Template Details section, select or enter the details as shown below.
  9. Click Save.

Validating Microsoft Enterprise

Once the Microsoft Enterprise settings are added, validate that the connection between AppViewX and Microsoft Enterprise is properly configured.
  1. Go to (Menu) > SIGN+ > ADMINISTRATION > Certificate Authority.
  2. From the displayed CA, select Microsoft.
    The Microsoft home page is displayed.
  3. Select the Enterprise tab.
  4. In the Status column of the grid with the listed accounts, click Check to validate the CA setting that has been created.
    The CA communication will be validated and the Connection Status will be shown as either Success or Failure.
    [Figure: Success scenario for Native API]
    [Figure: Success scenario for PowerShell]
    [Figure: Failure scenario for WMI]