Windows 10/11: Add Certification Authority and Assign Certificates
Prerequisites
- Certification Authority Server needs the following configured roles
- Certification Authority
- Domain Administrator Credentials
Certification Authority
- Log into your Certification Authority server
Create User Certificate Template
- Open the Certification Authority MMC snap-in
- Choose from Server Manager > Tools > Certification Authority
- Or run (Windows + R) MMC > Add/Remove Snap-In > Certification Authority > Add > Local Computer
- Expand the Configuration Tree on the Right until the Certificate Templates section is visible
- Right Click Certificate Templates
- Click Manage
- Right Click User in the middle pane
- Click Duplicate Template
- When Certificate Authority is running on Windows Server 2008 R2 you will be prompted to select the Template version
- Select Windows Server 2003 Enterprise
- Click OK
General
- Navigate to General
- Enter as Template Display Name: Silverback User
- Enter as Template name: SilverbackUser (will be filled automatically)
- Uncheck Publish certificate in Active Directory
Request Handling
- Navigate to Request Handling
- Make sure that the configuration will be the following:
- Purpose: Signature and encryption
- Enabled Include symmetric algorithms allowed by the subject
- Enabled Allow private key to be exported
- Selected Enroll subject without requiring any user input
Subject Name
- Navigate to Subject Name
- Enable Supply in the request
- Click OK to confirm
Issuance Requirements
- Navigate to Issuance Requirements
- Ensure that CA certificate manager approval is unchecked
Extensions
- Navigate to Extensions
- Select Application Policies
- Click Edit
- Select Encrypting File System
- Click Remove
- Click OK
Client Authentication (1.3.6.1.5.5.7.3.2) and Secure Email (1.3.6.1.5.5.7.3.4) should be included
Security
- Navigate to Security
- Select Authenticated Users
- Ensure that Read Permissions are enabled
- Click Add
- Enter in the "Enter the object names to select": Silverback
- Click Check Names
- Select Silverback Enterprise Device Management
- Click Ok
- Enable Read and Enroll Permissions
- Select Domain Users
- Click Remove
Review other present users or groups and take into account to decrease the permission for these users or groups as well. At least one administrative account should have Read and Write permissions to adjust Template settings in the future.
- Click OK to finish Template Configuration
- Close Certificate Templates Console window
Change CEP Encryption Permissions
- Right click CEP Encryption Template
- Click Properties
- Navigate to Security
- Click Add
- Search for any Domain Admin Account with which you want to proceed
- Click Check Name
- Click OK
- Enable Read
- Enable Enroll
- Click OK
Change Exchange Enrollment Agent Permissions
- Right click Exchange Enrollment Agent (Offline request) Template
- Click Properties
- Navigate to Security
- Click Add
- Search for any Domain Admin Account with which you want to proceed
- Click Check Name
- Click OK
- Enable Read
- Enable Enroll
- Click OK
- Close Certificate Templates Console
Issue Certificate Templates
- Navigate to Certification Authority window
- Right Click Certificate Templates in the left panel
- Select New
- Click Certificate Template to Issue
- Select the following Certificate Templates
- CEP Encryption
- Exchange Enrollment Agent (Offline request)
- Silverback User
- Click OK
- All of them should now be listed in Certificate Templates section
Export Certification Authority Certificate
This step is only necessary, if your server is not a domain member
- Press Windows + R or right click the Windows try icon
- Enter MMC
- Click File
- Select Add/Remove Snap-in
- Select Certificates
- Click Add
- Select Computer Account
- Click Next
- Click Finish
- Click OK
- Expand Certificates (Local Computer)
- Expand Personal
- Click Certificates
- Right click your Certification Authority Certificate (it is issued from and by your CA)
- Select All Tasks
- Click Export
- Click Next
- Select No, do not export the private key
- Click Next
- Select DER encoded binary X.509 (.CER)
- Click Next
- Click Browse
- Select a location and name it e.g. CertificationAuthorityRootCertificate
Choose a shared folder e.g. \\FILESHARE\Certificates, we need to import that Certificate later into your Silverback Server
- Click Save
- Click Next
- Click Finish
- Click OK
Server Preparation
- Log onto your Silverback or Cloud Connector Server
Create Enrollment Agent Setup Information File (*.inf)
- Open File Explorer
- Create a new Folder under C:\ and name it Certificates
- Perform a double click on C:\Certificates
- Right Click in any empty are in this Folder
- Click New
- Select Text Document
- Name it EnrollmentAgent.txt
- Open the File with Notepad
- Paste the following information into the File
| Values | Screenshot |
|---|---|
| [NewRequest] Subject = "CN=SB-Enrollment" Exportable = TRUE KeyLength = 2048 KeySpec = 2 KeyUsage = 0x80 MachineKeySet = TRUE ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0" ProviderType = 1 [EnhancedKeyUsageExtension] OID = 1.3.6.1.4.1.311.20.2.1 [RequestAttributes] CertificateTemplate = EnrollmentAgentOffline |
 |
- Click File
- Click Save As
- Ensure that Encoding it set to ANSI
- Change Save as type to All Files (*.*)
- Change the File ending from .txt to .inf
- Click Save
- Navigate back to your Windows Explorer and ensure the file is saved as EnrollmentAgent.inf
Create CEP Setup Information File (*.inf)
- Create in C:\Certificates a new Text Document
- Name it CEP.txt
- Open the File with Notepad
- Paste the following information into the File
| Values | Screenshot |
|---|---|
| [NewRequest] Subject = "CN=SB-CEP" Exportable = TRUE KeyLength = 2048 KeySpec = 1 KeyUsage = 0x20 MachineKeySet = TRUE ProviderName = "Microsoft RSA Schannel Cryptographic Provider" ProviderType = 12 [EnhancedKeyUsageExtension] OID = 1.3.6.1.4.1.311.20.2.1 [RequestAttributes] CertificateTemplate = CEPEncryption |
 |
- Click File
- Click Save As
- Ensure that Encoding it set to ANSI
- Change Save as type to All Files (*.*)
- Change the File ending from .txt to .inf
- Click Save
- Navigate back to your Windows Explorer and ensure the file is saved as CEP.inf
Generate Enrollment Agent Certificate
- Open an Administrative Command Prompt
- Navigate to C:\Certificates
- Run the following commands step by step
- certreq –f -new EnrollmentAgent.inf EnrollmentAgent.req
- certreq –submit -config "ca.imagoverum.com\Enterprise Root Authority" EnrollmentAgent.req EnrollmentAgent.cer
- certreq –accept EnrollmentAgent.cer
Click OK at the User context template conflict prompt. You can ignore this warning
Change the Enterprise Root Authority Address path to your own. Open a command prompt on your Certification Authority and type certutil, press enter and take the value displayed in config.
Generate CEP Certificate
- Now run the following commands for the CEP Certificate step by step
- certreq –f -new CEP.inf CEP.req
- certreq –submit -config "ca.imagoverum.com\domain-server-CA" CEP.req CEP.cer
- certreq –accept CEP.cer
Click OK at the User context template conflict prompt. You can ignore this warning
Change the Enterprise Root Authority Address path to your own. Open a command prompt on your Certification Authority and type certutil, press enter and take the value displayed in config.
Change Permissions
- Run certlm.msc
- Expand Certificates (Local Computer)
- Expand Personal
- Click Certificates
- Right Click SB-Enrollment Certificate
- Select All Tasks
- Select Manage Private Keys
- Click Add
- Search for Network Service
- Click OK
- Uncheck Full control and ensure that Read is enabled
- Click OK
- Right Click SB-CEP Certificate
- Select All Tasks
- Select Manage Private Keys
- Click Add
- Search for Network Service
- Click OK
- Uncheck Full control and ensure that Read is enabled
- Click OK
Import Certification Authority Certificate
This step is only necessary, if your server is not a domain member
- Right Click Certificate Folder in the left panel or click in any free are in the middle panel
- Click All Tasks
- Click Import
- Proceed with Next
- Click Browse
- Now navigate to your exported Certification Authority Certificate
- e.g. \\FILESHARE\Certificates
- Select the Certificate
- Click Open
- Proceed with Next
- Ensure the certificate will be place in Personal Store
- Proceed with Next
- Click Finish
- Click OK
- You should now have 3 newly imported certificates
- SB-CEP
- SB-Enrollment
- Certification Authority Certificate
Copy Certification Authority Certificate
This step is only necessary, if your server is not a domain member
- Right Click your Certification Authority Certificate
- Select Copy
- Expand Trusted Root Certification Authorities Folder
- Select Certificates
- Click Action in the navigation pane
- Click Paste
Silverback Configuration
Add Certification Authority
- Open your Silverback Management Console
- Login as an Settings Administrator
- Navigate to Certificates
- Under Certificate Deployment enable Individual Client
- Enter your Corporate Certification Authority in the following format:
- ca.imagoverum.com\domain-server-CA
- Click Save
- Confirm with OK
Select Certificate
- Scroll down to Windows Certificate Settings
- Choose for Enrollment Issuing CA the CA Certificate
- Choose for CEP Encryption Agent the SB-CEP Certificate
- Choose for Exchange Enrollment Agent the SB-Enrollment Certificate
- Click Save
- Confirm with OK
For all Cloud Customers, the Certificates needs to be imported on your hosted server. Please get in touch with our technical support.
Restart Services
- Run PowerShell with elevated privileges
- Run the following command:
- restart-service w3svc,silv*,epic*
Change User
- Logout as Settings Administrator
- Login as Administrator
Create a new Tag
Create Windows 10/11 Certificate Tag
- Create a Tag
- Name it e.g. Windows 10/11 Certificate
- Enter as description e.g. Windows 10/11 Certificate Distribution (optional)
- Enable Profile under Enabled Features
- Enable Windows 10 under Device Types
- Click Save
Create Windows 10/11 Certificate Profile
- Navigate to Profile
- Navigate to Certificate
- Enable Certificate Settings
- Add the of your created Template, e.g. SilverbackUser
- Add a Custom Subject Name Variable, e.g. u_{firstname}.{lastname}
- Press Save
- Navigate to Definitions
- Click Associated Devices
- Click Attach More Devices
- Select your previously enrolled device
- Click Attach Selected Devices
- Click OK
- Click Close
- Click Push to devices
- Click OK
Refresh Device
- On your device open Settings
- Navigate to General
- Navigate to Accounts
- Navigate to Access work or school
- Click on your added connection
- Click Info
- Scroll down and press sync
- Wait until sync process is finished
Open Certificates Management Console
- Enter in your Windows 10/11 search try certmgr.msc
- Press enter
- Click Yes
- Expand Personal
- Expand Certificates
- You should see now a new issues client certificate
Check Certification Authority
- Navigate back to your Certification Authority
- Navigate to Issued Certificates
- Right click and click refresh
- You should see now a third newly issued with the requester name Domain\Silverback$ with the SilverbackUser Template