This document provides information on how to integrate with a Microsoft certificate authority. For more information about the Microsoft certificate authority fields, see Certificate authorities.
Requirements
- The following Active Directory (AD) access groups:
  - Domain Users
  - Remote Management Users
- Permission on the certificate authority (CA). See Enable permissions on the CA for more information.
- Permission to provide access to WinRM resources. See Provide access to WinRM resources for more information.
- Permission to provide access to the WMI namespace. See Provide access to the WMI namespace for more information.
Info
- If you don’t want to provide granular non-administrative access as per the permissions, you can grant local administrator permission on the Microsoft CA. However, this practice isn’t recommended as it grants excessive privileges, increasing the attack surface and potentially compromising the security of the system. It’s crucial to minimize privileges to ensure the principle of least privilege and protect sensitive information.
- The following procedures were tested and validated in Windows Server 2019.
Enable permissions on the CA
- On the CA object, click Properties > Security.
- Enable the Request Certificates permission for the service user.
- Grant the service user permission on the certificate template that CLM will use to sign certificates:
  - Open the CA console.
  - Click Certificate Templates > Manage.
  - In the new console, find the template and click Properties.
  - Go to the Security tab, add the service user you want to grant permission to, and select the Enroll checkbox.
  - Click OK to save the changes.
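The Security tab only shows one principal at a time, so it is easy to miss an existing group that also holds Enroll. The following script is an added example, not part of Segura's documentation: it reads the template object from the Configuration partition and lists every principal that can enroll, whether through the Enroll extended right itself, through "all extended rights", or through Full Control. It assumes the ActiveDirectory PowerShell module and a domain account that can read the Configuration partition; the template name is a placeholder.

```powershell
# Added example (not part of Segura's documentation): list who can enroll on
# a certificate template, to confirm only the intended service account has
# the right. Assumes the ActiveDirectory module; template name is a placeholder.
Import-Module ActiveDirectory

# Well-known extended-right GUID for Certificate-Enrollment ("Enroll").
$EnrollRightGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

function Get-TemplateEnrollPermissions {
    param([Parameter(Mandatory)][string]$TemplateName)

    $configNC   = (Get-ADRootDSE).configurationNamingContext
    $templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

    $genericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    $acl = Get-Acl -Path "AD:\$templateDN"
    foreach ($ace in $acl.Access) {
        $rights = $ace.ActiveDirectoryRights
        # Enroll is held explicitly (ExtendedRight + Enroll GUID), implicitly
        # (ExtendedRight with an empty GUID = all extended rights), or via GenericAll.
        $hasGenericAll = ($rights -band $genericAll) -eq $genericAll
        $hasEnrollExt  = (([int]($rights -band $extendedRight)) -ne 0) -and
                         ($ace.ObjectType -eq $EnrollRightGuid -or $ace.ObjectType -eq [guid]::Empty)
        if ($hasGenericAll -or $hasEnrollExt) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType   # Allow or Deny
                Rights    = $rights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Placeholder template name; replace with the template CLM will use.
Get-TemplateEnrollPermissions -TemplateName 'CLM-WebServer' | Format-Table -AutoSize
```

Deny entries are listed too, because a Deny on Enroll for a group the service user belongs to will block enrollment even though the Allow you just added looks correct in the GUI.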
Provide access to WinRM resources
- Open an elevated PowerShell window (Set-PSSessionConfiguration is a PowerShell cmdlet) and run the following commands:
  - Run `winrm configSDDL default`. In the permissions dialog that opens, select the Execute permission in the Allow column.
  - Run `Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI`. In the permissions dialog that opens, select the Full Control (All Operations) permission in the Allow column.
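Both dialogs edit an SDDL string, so the grants can also be reviewed and applied from a script, which is easier to audit than two GUI checkboxes. The script below is an added example, not part of Segura's documentation: it decodes the WinRM root SDDL and the Microsoft.PowerShell endpoint SDDL into principal/right pairs, and only with `-Apply` adds the two allow entries the steps above describe (Execute on the root, Full Control on the endpoint). It assumes an elevated PowerShell 5.1 session on the CA host; the group name is the Remote Management Users group from the Requirements section, and the function names are my own.

```powershell
# Added example (not part of Segura's documentation): report, and optionally
# apply, the WinRM grants from the steps above. Assumes an elevated PowerShell
# 5.1 session on the CA host. Function names are the example's own.
using namespace System.Security.AccessControl
using namespace System.Security.Principal

$GroupName = 'Remote Management Users'   # group from the Requirements section

# Generic access bits as they appear in WinRM SDDL strings (GA, GX, GW, GR).
$GenericRights = [ordered]@{ FullControl = 0x10000000; Execute = 0x20000000; Write = 0x40000000; Read = 0x80000000 }

function Get-SddlReport {
    param([Parameter(Mandatory)][string]$Sddl, [string]$Label)
    $sd = [CommonSecurityDescriptor]::new($false, $false, $Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([NTAccount]).Value } catch { $who = $sid.Value }
        $names = foreach ($r in $GenericRights.GetEnumerator()) {
            # AccessMask is a signed int; widen to int64 so the GR bit (0x80000000) tests cleanly.
            if (([int64]$ace.AccessMask -band [int64]$r.Value) -ne 0) { $r.Key }
        }
        [pscustomobject]@{ Target = $Label; Type = $ace.AceType; Identity = $who; Rights = ($names -join ',') }
    }
}

function Add-AllowAce {
    param([string]$Sddl, [SecurityIdentifier]$Sid, [int]$AccessMask)
    $sd = [CommonSecurityDescriptor]::new($false, $false, $Sddl)
    $sd.DiscretionaryAcl.AddAccess([AccessControlType]::Allow, $Sid, $AccessMask,
                                   [InheritanceFlags]::None, [PropagationFlags]::None)
    $sd.GetSddlForm([AccessControlSections]::All)
}

function Invoke-WinRmAccessSetup {
    param([switch]$Apply)
    $sid = ([NTAccount]$GroupName).Translate([SecurityIdentifier])

    # Same descriptors the two dialogs edit: the WSMan RootSDDL and the endpoint SDDL.
    $rootSddl = (Get-Item WSMan:\localhost\Service\RootSDDL).Value
    $psSddl   = (Get-PSSessionConfiguration -Name Microsoft.PowerShell).SecurityDescriptorSddl

    Get-SddlReport -Sddl $rootSddl -Label 'WinRM root (before)'
    Get-SddlReport -Sddl $psSddl   -Label 'Microsoft.PowerShell (before)'

    if ($Apply) {
        # Execute on the root, Full Control on the endpoint: the two GUI selections above.
        $newRoot = Add-AllowAce -Sddl $rootSddl -Sid $sid -AccessMask $GenericRights.Execute
        $newPs   = Add-AllowAce -Sddl $psSddl   -Sid $sid -AccessMask $GenericRights.FullControl
        Set-Item WSMan:\localhost\Service\RootSDDL -Value $newRoot
        Set-PSSessionConfiguration -Name Microsoft.PowerShell -SecurityDescriptorSddl $newPs -Force
        Get-SddlReport -Sddl (Get-Item WSMan:\localhost\Service\RootSDDL).Value -Label 'WinRM root (after)'
        Get-SddlReport -Sddl (Get-PSSessionConfiguration -Name Microsoft.PowerShell).SecurityDescriptorSddl -Label 'Microsoft.PowerShell (after)'
    }
}

Invoke-WinRmAccessSetup            # report only
# Invoke-WinRmAccessSetup -Apply   # add the two grants
```

Run it without `-Apply` first: if a broader group (for example Everyone or Authenticated Users) already shows Full Control on the endpoint, that is the entry to tighten before adding another.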
Provide access to the WMI namespace
- Open Windows’ Run command, type `wmimgmt.msc`, and press Enter.
- In the WmiMgmt console, click Properties under WMI Control (Local).
- In the Security tab, select Root and click Security to configure permissions.
- Add the Remote Management Users group to the Group or user names section.
- Select the added group and click Advanced to access the advanced security settings.
- Edit the permissions to apply to “This namespace and subnamespaces”.
- Check the following permissions:
  - Execute Methods
  - Enable Account
  - Remote Enable
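The WMI namespace DACL can be read and written through the `__SystemSecurity` class, which makes the grant repeatable across CA hosts and leaves a reviewable record of exactly which bits were set. The script below is an added example, not part of Segura's documentation: it adds one allow ACE for the group with Enable Account, Remote Enable and Execute Methods on `root`, flagged to inherit to sub-namespaces (the "This namespace and subnamespaces" choice above), and then decodes the whole DACL. It assumes an elevated PowerShell 5.1 session on the CA host; the group name is the one from the Requirements section, and the function names are my own.

```powershell
# Added example (not part of Segura's documentation): grant the three WMI
# namespace rights from the steps above via __SystemSecurity and print the
# resulting DACL. Assumes an elevated PowerShell 5.1 session on the CA host.
using namespace System.Security.Principal

$GroupName = 'Remote Management Users'   # group from the Requirements section
$Namespace = 'root'

# WMI namespace access-mask bits (WBEM_* security flags plus the two standard rights).
$WmiRights = [ordered]@{
    EnableAccount = 0x00001; ExecuteMethods = 0x00002; FullWrite    = 0x00004
    PartialWrite  = 0x00008; ProviderWrite  = 0x00010; RemoteEnable = 0x00020
    ReadSecurity  = 0x20000; EditSecurity   = 0x40000
}
$ContainerInheritAce  = 0x2   # "This namespace and subnamespaces"
$AccessAllowedAceType = 0x0

function Get-WmiNamespaceAccess {
    param([string]$Namespace = 'root')
    $sd = (Get-WmiObject -Namespace $Namespace -Class __SystemSecurity).GetSecurityDescriptor().Descriptor
    foreach ($ace in $sd.DACL) {
        $names = foreach ($r in $WmiRights.GetEnumerator()) {
            if (($ace.AccessMask -band $r.Value) -ne 0) { $r.Key }
        }
        $type = 'Deny'
        if ($ace.AceType -eq $AccessAllowedAceType) { $type = 'Allow' }
        [pscustomobject]@{
            Identity = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
            Type     = $type
            Inherits = [bool]($ace.AceFlags -band $ContainerInheritAce)
            Rights   = ($names -join ',')
        }
    }
}

function Grant-WmiNamespaceAccess {
    param([string]$Namespace, [string]$Account, [int]$AccessMask)
    $sec = Get-WmiObject -Namespace $Namespace -Class __SystemSecurity
    $sd  = $sec.GetSecurityDescriptor().Descriptor

    $sid      = ([NTAccount]$Account).Translate([SecurityIdentifier])
    $sidBytes = New-Object byte[] $sid.BinaryLength
    $sid.GetBinaryForm($sidBytes, 0)

    $trustee = ([wmiclass]'\\.\root\cimv2:Win32_Trustee').CreateInstance()
    $trustee.SID       = $sidBytes
    $trustee.SIDString = $sid.Value

    $ace = ([wmiclass]'\\.\root\cimv2:Win32_ACE').CreateInstance()
    $ace.AccessMask = $AccessMask
    $ace.AceFlags   = $ContainerInheritAce
    $ace.AceType    = $AccessAllowedAceType
    $ace.Trustee    = $trustee

    # Append the new ACE to the existing DACL and write the descriptor back.
    $sd.DACL += $ace.PSObject.ImmediateBaseObject
    $result = $sec.SetSecurityDescriptor($sd.PSObject.ImmediateBaseObject)
    if ($result.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed with code $($result.ReturnValue)" }
}

# Exactly the three checkboxes from the steps above, nothing broader.
$mask = $WmiRights.EnableAccount -bor $WmiRights.RemoteEnable -bor $WmiRights.ExecuteMethods
Grant-WmiNamespaceAccess -Namespace $Namespace -Account $GroupName -AccessMask $mask
Get-WmiNamespaceAccess -Namespace $Namespace | Format-Table -AutoSize
```

The decoded report is the check a practitioner wants after the GUI steps too: the new row should show exactly `EnableAccount,ExecuteMethods,RemoteEnable` with Inherits set to True, and no FullWrite, ProviderWrite or EditSecurity, since those would let the account alter the repository or the ACL itself.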
Integrate with a Microsoft CA
- On Segura, in the navigation bar, hover over the Products menu and select Certificate Manager.
- In the side menu, select Management > Authorities > Certificate authorities.
- In the top right corner, click Add, and select Microsoft CA.
- In the Name * field, enter a name to identify the CA.
- Select the button Status to activate or deactivate the CA.
- In the IP for connection with CA * field, enter the IP address of the connection.
- In the CA host name * field, enter the CA host name.
  - To obtain the full CA host name, run `certutil` on the Microsoft CA server and copy the value of the Config line.
- In the Plugin for connection * field, select the plugin for connection.
- In the Port field, enter the port for connection.
- In the Access credential * field, select the access credential.
- Click Save.
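The Config line printed by `certutil` has the form host\CA name, and it is the host part that belongs in the CA host name field. The helper below is an added example, not part of Segura's documentation: it extracts the Config value from certutil's output, splits it into the two parts, and shows how to confirm the CA answers before saving the form. The sample output embedded in it is constructed for the example, and the host and CA names in it are placeholders.

```powershell
# Added example (not part of Segura's documentation): pull the Config value
# out of `certutil` output and split it into host and CA name. Sample output
# below is constructed; names are placeholders.
function ConvertFrom-CertutilConfig {
    param([Parameter(Mandatory)][string[]]$CertutilOutput)
    foreach ($line in $CertutilOutput) {
        # certutil prints values wrapped as `value'; accept that quoting or none.
        if ($line -match '^\s*Config:\s*[`'']?(?<Host>[^\\]+)\\(?<CA>[^`'']+)') {
            [pscustomobject]@{
                Host   = $Matches.Host
                CAName = $Matches.CA
                Config = "$($Matches.Host)\$($Matches.CA)"
            }
        }
    }
}

# Constructed sample of the relevant lines of `certutil` output.
$sampleText = @'
Entry 0: (Local)
  Name:                   `Contoso-Issuing-CA'
  Organizational Unit:    `'
  Config:                 `CA01.contoso.local\Contoso-Issuing-CA'
  Server:                 `CA01.contoso.local'
CertUtil: -dump command completed successfully.
'@
$sampleOutput = $sampleText -split "`r?`n"

$parsed = ConvertFrom-CertutilConfig -CertutilOutput $sampleOutput
$parsed | Format-List   # Host = CA01.contoso.local, CAName = Contoso-Issuing-CA

# On the CA server itself, parse the live output and confirm the CA responds
# before entering the values in the form (certutil -ping is a real switch):
#   $live = ConvertFrom-CertutilConfig -CertutilOutput (certutil)
#   certutil -ping -config $live.Config
```

If `certutil` lists more than one Entry, the function returns one object per CA; pick the one whose CAName matches the authority you are integrating.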