Windows 10: Add Certification Authority and Assign Certificates
Prerequisites
- Certification Authority Server needs the following configured roles
  - Certification Authority
- Domain Administrator Credentials
Certification Authority
- Log into your Certification Authority server
Create User Certificate Template
- Open the Certification Authority MMC snap-in
  - Choose from Server Manager > Tools > Certification Authority
  - Or run (Windows + R) MMC > Add/Remove Snap-In > Certification Authority > Add > Local Computer
- Expand the console tree until the Certificate Templates section is visible
- Right Click Certificate Templates
- Click Manage
- Right Click User in the middle pane
- Click Duplicate Template
- When the Certification Authority is running on Windows Server 2008 R2 you will be prompted to select the Template version
  - Select Windows Server 2003 Enterprise
- Click OK
General
- Navigate to General
- Enter as Template Display Name: Silverback User
- Enter as Template name: SilverbackUser (will be filled automatically)
- Uncheck Publish certificate in Active Directory
Request Handling
- Navigate to Request Handling
- Make sure that the configuration is the following:
  - Purpose: Signature and encryption
  - Enabled: Include symmetric algorithms allowed by the subject
  - Enabled: Allow private key to be exported
  - Selected: Enroll subject without requiring any user input
Subject Name
- Navigate to Subject Name
- Enable Supply in the request
- Click OK to confirm
Issuance Requirements
- Navigate to Issuance Requirements
- Ensure that CA certificate manager approval is unchecked
Extensions
- Navigate to Extensions
- Select Application Policies
- Click Edit
- Select Encrypting File System
- Click Remove
- Click OK
Client Authentication (1.3.6.1.5.5.7.3.2) and Secure Email (1.3.6.1.5.5.7.3.4) should remain included
Security
- Navigate to Security
- Select Authenticated Users
- Enable Read and Enroll Permissions
- Click Add
- Enter in the "Enter the object names to select": Silverback
- Click Check Names
- Select Silverback Enterprise Device Management
- Click OK
- Enable Read and Enroll Permissions
- Click OK
Change CEP Encryption Permissions
- Right click CEP Encryption Template
- Click Properties
- Navigate to Security
- Click Add
- Search for any Domain Admin Account with which you want to proceed
- Click Check Name
- Click OK
- Enable Read
- Enable Enroll
- Click OK
Change Exchange Enrollment Agent Permissions
- Right click Exchange Enrollment Agent (Offline request) Template
- Click Properties
- Navigate to Security
- Click Add
- Search for any Domain Admin Account with which you want to proceed
- Click Check Name
- Click OK
- Enable Read
- Enable Enroll
- Click OK
- Close Certificate Templates Console
Issue Certificate Templates
- Navigate to Certification Authority window
- Right Click Certificate Templates in the left panel
- Select New
- Click Certificate Template to Issue
- Select the following Certificate Templates
  - CEP Encryption
  - Exchange Enrollment Agent (Offline request)
  - Silverback User
- Click OK
- All of them should now be listed in Certificate Templates section
Export Certification Authority Certificate
This step is only necessary if your server is not a domain member
- Press Windows + R or right click the Windows icon
- Enter MMC
- Click File
- Select Add/Remove Snap-in
- Select Certificates
- Click Add
- Select Computer Account
- Click Next
- Click Finish
- Click OK
- Expand Certificates (Local Computer)
- Expand Personal
- Click Certificates
- Right click your Certification Authority Certificate (it is issued from and by your CA)
- Select All Tasks
- Click Export
- Click Next
- Select No, do not export the private key
- Click Next
- Select DER encoded binary X.509 (.CER)
- Click Next
- Click Browse
- Select a location and name it, e.g. CertificationAuthorityRootCertificate
Choose a shared folder, e.g. \\FILESHARE\Certificates, since this Certificate needs to be imported into your Silverback Server later
- Click Save
- Click Next
- Click Finish
- Click OK
Server Preparation
- Log onto your Silverback or Cloud Connector Server
Create Enrollment Agent Setup Information File (*.inf)
- Open File Explorer
- Create a new Folder under C:\ and name it Certificates
- Perform a double click on C:\Certificates
- Right Click in any empty area in this Folder
- Click New
- Select Text Document
- Name it EnrollmentAgent.txt
- Open the File with Notepad
- Paste the following information into the File
```ini
[NewRequest]
Subject = "CN=SB-Enrollment"
Exportable = TRUE
KeyLength = 2048
KeySpec = 2
KeyUsage = 0x80
MachineKeySet = TRUE
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
ProviderType = 1
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.4.1.311.20.2.1
[RequestAttributes]
CertificateTemplate = EnrollmentAgentOffline
```
- Click File
- Click Save As
- Ensure that Encoding is set to ANSI
- Change Save as type to All Files (*.*)
- Change the File ending from .txt to .inf
- Click Save
- Navigate back to your Windows Explorer and ensure the file is saved as EnrollmentAgent.inf
Create CEP Setup Information File (*.inf)
- Create in C:\Certificates a new Text Document
- Name it CEP.txt
- Open the File with Notepad
- Paste the following information into the File
```ini
[NewRequest]
Subject = "CN=SB-CEP"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0x20
MachineKeySet = TRUE
ProviderName = "Microsoft RSA Schannel Cryptographic Provider"
ProviderType = 12
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.4.1.311.20.2.1
[RequestAttributes]
CertificateTemplate = CEPEncryption
```
- Click File
- Click Save As
- Ensure that Encoding is set to ANSI
- Change Save as type to All Files (*.*)
- Change the File ending from .txt to .inf
- Click Save
- Navigate back to your Windows Explorer and ensure the file is saved as CEP.inf
Generate Enrollment Agent Certificate
- Open an Administrative Command Prompt
- Navigate to C:\Certificates
- Run the following commands step by step (note the plain hyphens in front of the certreq options)
```cmd
certreq -f -new EnrollmentAgent.inf EnrollmentAgent.req
certreq -submit -config "ca.imagoverum.com\Enterprise Root Authority" EnrollmentAgent.req EnrollmentAgent.cer
certreq -accept EnrollmentAgent.cer
```
Click OK at the User context template conflict prompt. You can ignore this warning
Replace the Certification Authority configuration string (here ca.imagoverum.com\Enterprise Root Authority) with the host name and CA name of your own Certification Authority
Generate CEP Certificate
- Now run the following commands for the CEP Certificate step by step
```cmd
certreq -f -new CEP.inf CEP.req
certreq -submit -config "ca.imagoverum.com\domain-server-CA" CEP.req CEP.cer
certreq -accept CEP.cer
```
Click OK at the User context template conflict prompt. You can ignore this warning
Replace the Certification Authority configuration string (here ca.imagoverum.com\domain-server-CA) with the host name and CA name of your own Certification Authority
Change Permissions
- Run certlm.msc
- Expand Certificates (Local Computer)
- Expand Personal
- Click Certificates
- Right Click SB-Enrollment Certificate
- Select All Tasks
- Select Manage Private Keys
- Click Add
- Search for Network Service
- Click OK
- Uncheck Full control and ensure that Read is enabled
- Click OK
- Right Click SB-CEP Certificate
- Select All Tasks
- Select Manage Private Keys
- Click Add
- Search for Network Service
- Click OK
- Uncheck Full control and ensure that Read is enabled
- Click OK
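The Server Preparation steps from the .inf files through Change Permissions, scripted as an added example that is not part of the original page or of Silverback: it writes both request files, runs the three certreq steps against the CA and grants NETWORK SERVICE read access to the two private keys. It assumes Windows PowerShell 5.1 on the Silverback or Cloud Connector server, the CA configuration string shown on this page, and that the keys were created by the legacy CSPs named in the .inf files (so they live under RSA\MachineKeys).

```powershell
# Added example, not part of the original page: automates "Server Preparation" through
# "Change Permissions" on Windows PowerShell 5.1. Only $CaConfig should need editing.
$CaConfig = 'ca.imagoverum.com\domain-server-CA'   # "<CA host>\<CA name>" as used on the page
$Dir = 'C:\Certificates'
New-Item -ItemType Directory -Path $Dir -Force | Out-Null
# One template for both .inf files; the {n} slots are the values that differ on the page.
$Template = @'
[NewRequest]
Subject = "CN={0}"
Exportable = TRUE
KeyLength = 2048
KeySpec = {1}
KeyUsage = {2}
MachineKeySet = TRUE
ProviderName = "{3}"
ProviderType = {4}
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.4.1.311.20.2.1
[RequestAttributes]
CertificateTemplate = {5}
'@
$Requests = @(
  @{ Name = 'EnrollmentAgent'; Fields = 'SB-Enrollment', 2, '0x80', 'Microsoft Enhanced Cryptographic Provider v1.0', 1, 'EnrollmentAgentOffline' },
  @{ Name = 'CEP';             Fields = 'SB-CEP', 1, '0x20', 'Microsoft RSA Schannel Cryptographic Provider', 12, 'CEPEncryption' }
)
# Fail early if the CA configuration string is wrong; certreq -submit would fail the same way.
certutil -config $CaConfig -ping | Out-Null
if ($LASTEXITCODE -ne 0) { throw "CA '$CaConfig' is not reachable" }
foreach ($R in $Requests) {
  $Inf = "$Dir\$($R.Name).inf"; $Req = "$Dir\$($R.Name).req"; $Cer = "$Dir\$($R.Name).cer"
  Remove-Item $Req, $Cer -ErrorAction SilentlyContinue    # stale files would mask a failed step
  Set-Content -Path $Inf -Value ($Template -f $R.Fields) -Encoding ASCII   # ANSI, as the page requires
  certreq -f -new $Inf $Req
  certreq -submit -config $CaConfig $Req $Cer   # the template conflict prompt may appear; confirm with OK
  certreq -accept $Cer                          # fails if any earlier step produced no file
  if ($LASTEXITCODE -ne 0) { throw "certreq failed for $($R.Name)" }
}
# "Change Permissions": NETWORK SERVICE gets Read on the two private keys, nothing more.
# Keys from the legacy CSPs above (ProviderType 1 and 12) are files under RSA\MachineKeys.
foreach ($Subject in 'CN=SB-Enrollment', 'CN=SB-CEP') {
  $Cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $Subject } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
  if (-not $Cert -or -not $Cert.HasPrivateKey) { throw "No certificate with private key for $Subject" }
  $KeyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
  icacls $KeyFile /grant 'NT AUTHORITY\NETWORK SERVICE:(R)' | Out-Null
  if ($LASTEXITCODE -ne 0) { throw "icacls failed for $Subject" }
}
```

Afterwards the Manage Private Keys dialog in certlm.msc should show NETWORK SERVICE with Read only on both certificates, which is the state the manual steps above produce.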
Import Certification Authority Certificate
This step is only necessary if your server is not a domain member
- Right Click the Certificates Folder in the left panel or click in any free area in the middle panel
- Click All Tasks
- Click Import
- Proceed with Next
- Click Browse
- Now navigate to your exported Certification Authority Certificate
  - e.g. \\FILESHARE\Certificates
- Select the Certificate
- Click Open
- Proceed with Next
- Ensure the certificate is placed in the Personal Store
- Proceed with Next
- Click Finish
- Click OK
- You should now have 3 newly imported certificates
  - SB-CEP
  - SB-Enrollment
  - Certification Authority Certificate
Copy Certification Authority Certificate
This step is only necessary if your server is not a domain member
- Right Click your Certification Authority Certificate
- Select Copy
- Expand Trusted Root Certification Authorities Folder
- Select Certificates
- Click Action in the navigation pane
- Click Paste
Silverback Configuration
Add Certification Authority
- Open your Silverback Management Console
- Log in as a Settings Administrator
- Navigate to Certificates
- Under Certificate Deployment enable Individual Client
- Enter your Corporate Certification Authority in the following format:
  - ca.imagoverum.com\domain-server-CA
- Click Save
- Confirm with OK
Select Certificate
- Scroll down to Windows 10 Certificate Settings
- Choose for Enrollment Issuing CA Thumbprint the CA Certificate
- Choose for CEP Encryption Agent the SB-CEP Certificate
- Choose for Exchange Enrollment Agent the SB-Enrollment Certificate
- Click Save
- Confirm with OK
For all Cloud Customers, all Certificates need to be imported on your hosted server. Please get in touch with our technical support.
Restart IIS
- Run PowerShell with elevated privileges
- Run the following command:
```powershell
restart-service w3svc,silv*,epic*,mat*
```
Change User
- Log out as Settings Administrator
- Log in as Administrator
Create a new Tag
Create Windows 10 Certificate Tag
- Create a Tag
- Name it e.g. Windows 10 Certificate
- Enter as description e.g. Windows 10 Certificate Distribution (optional)
- Enable Profile under Enabled Features
- Enable Windows 10 under Device Types
- Click Save
Create Windows 10 Certificate Profile
- Navigate to Profile
- Navigate to Certificate
- Enable Certificate Settings
- Add the name of the Template you created, e.g. SilverbackUser
- Add a Custom Subject Name Variable, e.g. u_{firstname}.{lastname}
- Press Save
- Navigate to Definitions
- Click Associated Devices
- Click Attach More Devices
- Select your previously enrolled device
- Click Attach Selected Devices
- Click OK
- Click Close
- Click Push to devices
- Click OK
Refresh Device
- On your device open Settings
- Navigate to General
- Navigate to Accounts
- Navigate to Access work or school
- Click on your added connection
- Click Info
- Scroll down and press sync
- Wait until sync process is finished
Open Certificates Management Console
- Enter certmgr.msc in the Windows 10 search box
- Press enter
- Click Yes
- Expand Personal
- Expand Certificates
- You should now see a newly issued client certificate
Check Certification Authority
- Navigate back to your Certification Authority
- Navigate to Issued Certificates
- Right click and click refresh
- You should now see a third newly issued certificate with the requester name Domain\Silverback$ and the SilverbackUser Template