Microsoft Enterprise CA

Prerequisites

Following are the prerequisites for configuring Microsoft Enterprise CA in AppViewX

AppViewX Windows Gateway installer should be installed in a windows machine, running and reachable from AppViewX vendor plugin(s) through the Communication Modes described below.

Table 1. Communication Mode Table
Communication mode Category Windows gateway machine Microsoft CA
NATIVE API User account type Service account

Service account

.
User permission

Read, Request certificates, Issue and Manage certificates permission at CA level for the service account or the service account group or authenticated users

Enroll permission at Certificate template level for the service account or the service account group or authenticated users
Services RPC service

RPC service

certutil.exe command availability
Ports

135 as the incoming port
POWERSHELL User account type Service account

Service account.
User permission

Full control permission to C:\Windows\Temp

Read, Request certificates, Issue and Manage certificates permission at CA level for the service account or the service account group or authenticated users
Services RPC Service, WinRM Service, WinRM Configuration, Powershell remoting,certutil.exe command availability

RPC Service, WinRM Service, WinRM Configuration, Powershell remoting,certutil.exe command availability.
Ports

5985
WMI User account type Service account

Service account
User permission

Full control permission to C:\Windows\Temp

Read, Request certificates, Issue and Manage certificates permission at CA level for the service account or the service account group or authenticated users
Services

WMI service

certutil.exe command availability

WMI service

certutil.exe command availability
Ports NA.

135, 445 or 139

Configuring Microsoft Enterprise CA

To configure the Microsoft enterprise CA:

  1. Go to menu > KUBE+ > CLUSTER PKI > Certificate Authority.
  2. Click the +Add icon on the top right of the page.
  3. Select the Microsoft in the left side vendor list, and then click the Enterprise tab.
  4. Update the following details in the General Information section as described in the table:
    Table 2. General Information - Field and Description Table
    Name Description
    *CA Account name

    A unique name to identify the CA setting.

    Note: No special characters other than ‘.’, ‘-’,’_’ are allowed. Names should not start with special characters.
    *Purpose/Usage Certificate Type for which CLM actions will be enabled. Example. Server, Client, Code Signing
    Proxy Required Enable this field if the CA communication needs to happen via Proxy. The proxy details configured in general settings will be used for communication.
    Data Center (AppViewX's CA agent) Select the data center through which the CA communication needs to happen.
    *: Mandatory fields
  5. Update the following details in the CA Configuration section as described in the table.
    Table 3. CA Configuration - Field and Description Table
    Name Description
    Windows Gateway Mode For communicating with Windows-based devices, from the following options, select the gateway agent mode to be used:
    • External

      This mode will use the AppViewX Windows Gateway Agent that is set up on a Windows device.

    • Integrated

      This mode will use the prepackaged gateway that is integrated in the AppViewX Cloud Connector (enabled only in the SaaS and Managed Kubernetes installations).

    Prerequisites for using the Integrated Windows Gateway mode
    *Windows Gateway URL Enter the URL where the AppViewX agent is running.
    *Windows Gateway Type The mode of communication types from Windows Gateway machine to CA machine. Available types are NATIVE API, POWERSHELL, WMI. Refer Communication Mode
    CA Deployment Mode From the following options, select one that indicates how the Certificate Authority (CA) is deployed in your environment:
    • Standalone: Indicates a single-instance CA setup
    • High Availability: Indicates a clustered deployment to ensure redundancy and failure support
    Client Authentication Certificate The client certificate used while installing Windows Gateway. Users can use the default client certificate (ClientCertificateGateway.pfx) or the custom certificate given by the Customer.
    *Credential Type

    Type of credential to be used. Either Manual Entry or Credential List.

    Username User name of the credentials.
    Password Password for the username.
    *: Mandatory fields
  6. Click Fetch CA Names to retrieve CAs accessible from Windows Gateway installed machine.
    Upon successful completion of Fetch CA Names, all reachable CAs listed in Select CA.
  7. Click on one specific CA and proceed.
    Table 4. Dynamic Fields for the Select CA Section
    Name Description
    Select CA All the reachable CAs are listed here.
    *CA Machine Hostname Host name of the CA Machine will be auto-filled.
    *Secondary Hostname(s) For a high availability CA deployment, enter the hostname/IP address of the secondary node in the HA pair.

    This node will take over if the primary node fails.
    *CA Name Name of the CA chosen which will be auto-filled.
    CA Manager Approval Approves the pending enroll / Renew request submitted from AppViewX Certificate.
    *Time Zone To perform scheduled and Optimized CA discovery, please provide time zone value.
    *: Mandatory fields
  8. Enter the Template Details to define the Microsoft certificate templates to be used for certificate issuance by the CA.
    There are two ways you can define the template details: manually enter individual details or upload a file with bulk template configuration.

    To manually enter template details:

    1. Enter/Select the details for the template that will be used for certificate issuance.
      Fields Description
      *MS Template Name Enter the template that will be used for certificate issuance.
      OID Enter the Object Identifier (OID) associated with the MS template specified for certificate issuance.

      The OID is especially important for legacy templates because, in older Microsoft CA environments, it provides a reliable and unique identifier if the template names are ambiguous or insufficient.
      *: Mandatory fields
    2. Click Add.
      The template details are added.
    For a bulk template configuration:
    1. For reference and if required, download the sample CSV template file.
    2. Update and save the CSV file for your bulk template configuration.
    3. On the Certificate Authority page, click Upload.
      The uploaded details are automatically added.
  9. Configure the Advanced Settings for certificate issuance.
    Fields Description
    Poll after CSR submission To automatically fetch the certificate after CSR submission for enrollment, renewal, or reissue requests, select Poll after CSR submission.
    *Retry Count Specify the number of times AppViewX will attempt to retrieve the certificate if it is not immediately available after the initial request.

    Minimum number of rety attempts: 1

    Maximum number of retry attempts: 10
    *Retry Frequency Sepcify the time interval, in seconds, between consecutive retry attempts.

    Minimum time interval between retry attempts: 1 second

    Maximum time interval between retry attempts: 30 seconds
    *: Mandatory fields
  10. Click Save.
    In the CA instance inventory, the connection status is initially set to In Progress. Twice after this, this status is automatically checked and refreshed every 5 seconds. Once the CA instance is successfully configured, the status is updated to Success. Status checks after the first two times have to be done via a manual refresh.
    Note: In case the connection fails, you can manually verify the connection status by clicking the Check button in the Connection Status field.

Using Native API

Using Powershell and WMI
  1. Configure the Template Details.
    Once CA is selected from the Select CA list, the Template details should have auto-filled.
    Note: If the desired template is not listed, it might not be published in AD. Users can add it manually through MS Template name and OID fields.

  2. In the Template Details section, select/enter the details.

  3. Click Save.

Validating Microsoft Enterprise

Once the Microsoft Enterprise settings are added validation needs to be done to check whether the connection between AppViewX and Microsoft Enterprise is properly configured. To validate the Microsoft enterprise CA,

  1. Go to menu > KUBE+ > CLUSTER PKI > Certificate Authority
  2. Select the InCommon in the left side vendor list
    The newly created and older settings are displayed in the grid.
  3. Click Check to validate the CA setting that has been created.
    The CA communication will be validated and the Connection Status will be shown as either Success or Failure.
    Success Message.
    Success Scenario for Native API
    Success Scenario for Powershell
    Success scenario for WMI