Matrix42 Self-Service Help Center

Windows 10: Add Certification Authority and Assign Certificates

Prerequisites

  • Certification Authority Server needs the following configured roles
    • Certification Authority
  • Domain Administrator Credentials

Certification Authority

  • Log into your Certification Authority server

Create User Certificate Template 

  • Open the Certification Authority MMC snap-in
    • Choose from Server Manager > Tools > Certification Authority
    • Or run (Windows + R) MMC > Add/Remove Snap-In > Certification Authority > Add > Local Computer
  • Expand the Configuration Tree on the Right until the Certificate Templates section is visible
  • Right Click Certificate Templates
  • Click Manage
  • Right Click User in the middle pane
  • Click Duplicate Template
    • When the Certificate Authority is running on Windows Server 2008 R2 you will be prompted to select the Template version
    • Select Windows Server 2003 Enterprise
    • Click OK

General 

  • Navigate to General
  • Enter as Template Display Name: Silverback User
  • Enter as Template name: SilverbackUser (will be filled automatically)
  • Uncheck Publish certificate in Active Directory

Request Handling 

  • Navigate to Request Handling
  • Make sure that the configuration will be the following:
    • Purpose: Signature and encryption
    • Enabled Include symmetric algorithms allowed by the subject
    • Enabled Allow private key to be exported
    • Selected Enroll subject without requiring any user input

Subject Name 

  • Navigate to Subject Name
  • Enable Supply in the request
  • Click OK to confirm

Issuance Requirements 

  • Navigate to Issuance Requirements
  • Ensure that CA certificate manager approval is unchecked

Extensions 

  • Navigate to Extensions
  • Select Application Policies
  • Click Edit
  • Select Encrypting File System
  • Click Remove
  • Click OK

Client Authentication (1.3.6.1.5.5.7.3.2) and Secure Email (1.3.6.1.5.5.7.3.4) should be included

Security 

  • Navigate to Security
  • Select Authenticated Users
  • Enable Read and Enroll Permissions
  • Click Add
  • Enter in the "Enter the object names to select": Silverback
  • Click Check Names
  • Select Silverback Enterprise Device Management
  • Click OK
  • Enable Read and Enroll Permissions
  • Click OK

Change CEP Encryption Permissions

  • Right click CEP Encryption Template
  • Click Properties
  • Navigate to Security
  • Click Add
  • Search for any Domain Admin Account with which you want to proceed
  • Click Check Names
  • Click OK 
  • Enable Read
  • Enable Enroll
  • Click OK 

Change Exchange Enrollment Agent Permissions

  • Right click Exchange Enrollment Agent (Offline request) Template
  • Click Properties
  • Navigate to Security
  • Click Add
  • Search for any Domain Admin Account with which you want to proceed
  • Click Check Names
  • Click OK 
  • Enable Read
  • Enable Enroll
  • Click OK 
  • Close Certificate Templates Console

Issue Certificate Templates 

  • Navigate to Certification Authority window
  • Right Click Certificate Templates in the left panel
  • Select New
  • Click Certificate Template to Issue
  • Select the following Certificate Templates
    • CEP Encryption
    • Exchange Enrollment Agent (Offline request)
    • Silverback User
  • Click OK
  • All of them should now be listed in Certificate Templates section
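As an added check that is not part of the original article, the following PowerShell reads the Silverback User template back from Active Directory and reports the settings configured in the steps above, lists who holds the Enroll right on it, and confirms that each enterprise CA publishes it. It assumes the ActiveDirectory RSAT module in a domain-joined, domain-admin session; the template name SilverbackUser is the one entered on the General tab.

```powershell
# Added verification script, not from the Matrix42 article.
# Assumes: ActiveDirectory module available, session has read access to the Configuration partition.
Import-Module ActiveDirectory
$templateName = 'SilverbackUser'                       # "Template name" from the General tab
$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

$tpl = Get-ADObject -Identity "CN=$templateName,CN=Certificate Templates,$pkiBase" `
    -Properties pKIExtendedKeyUsage, 'msPKI-Certificate-Name-Flag', `
                'msPKI-Enrollment-Flag', 'msPKI-Private-Key-Flag'

# Flag bits of the msPKI-* attributes (MS-CRTD) that correspond to the checkboxes used above
$suppliesSubject = ($tpl.'msPKI-Certificate-Name-Flag' -band 0x1)  -ne 0   # Subject Name: "Supply in the request"
$managerApproval = ($tpl.'msPKI-Enrollment-Flag'       -band 0x2)  -ne 0   # Issuance Requirements: manager approval
$exportableKey   = ($tpl.'msPKI-Private-Key-Flag'      -band 0x10) -ne 0   # Request Handling: exportable private key
$ekus = @($tpl.pKIExtendedKeyUsage)

[pscustomobject]@{
    Template             = $templateName
    SubjectSuppliedInReq = $suppliesSubject                           # expected True
    ManagerApproval      = $managerApproval                           # expected False
    ExportablePrivateKey = $exportableKey                             # expected True
    ClientAuthEKU        = $ekus -contains '1.3.6.1.5.5.7.3.2'        # expected True
    SecureEmailEKU       = $ekus -contains '1.3.6.1.5.5.7.3.4'        # expected True
    EfsEKU               = $ekus -contains '1.3.6.1.4.1.311.10.3.4'   # expected False (removed under Extensions)
} | Format-List

# Who can enroll: explicit ACEs carrying the Certificate-Enrollment extended right.
# Expected: Authenticated Users and the Silverback Enterprise Device Management account.
# (GenericAll on the template also implies Enroll; it is not listed here.)
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
(Get-Acl -Path "AD:\$($tpl.DistinguishedName)").Access |
    Where-Object { $_.ObjectType -eq $enrollRight -and $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, ActiveDirectoryRights | Format-Table -AutoSize

# Confirm every enterprise CA has published the template ("Certificate Template to Issue" step)
Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -Filter 'objectClass -eq "pKIEnrollmentService"' -Properties certificateTemplates |
    ForEach-Object {
        [pscustomobject]@{ CA = $_.Name; Publishes = ($_.certificateTemplates -contains $templateName) }
    } | Format-Table -AutoSize
```

The same flag and EKU checks can be run against the CEP Encryption and Exchange Enrollment Agent (Offline request) templates by changing $templateName to their template names.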

Export Certification Authority Certificate

This step is only necessary if your server is not a domain member.

  • Press Windows + R or right click the Windows Start icon and choose Run
  • Enter MMC
  • Click File
  • Select Add/Remove Snap-in
    • Select Certificates
    • Click Add
    • Select Computer Account
    • Click Next
    • Click Finish
    • Click OK
  • Expand Certificates (Local Computer)
  • Expand Personal
  • Click Certificates
  • Right click your Certification Authority Certificate (it is issued from and by your CA) 
  • Select All Tasks
  • Click Export
    • Click Next
    • Select No, do not export the private key
    • Click Next
    • Select DER encoded binary X.509 (.CER)
    • Click Next
    • Click Browse
    • Select a location and name it e.g. CertificationAuthorityRootCertificate

Choose a shared folder, e.g. \\FILESHARE\Certificates; this certificate is imported into your Silverback Server in a later step.

  • Click Save
  • Click Next
  • Click Finish
  • Click OK

Server Preparation

  • Log onto your Silverback or Cloud Connector Server

Create Enrollment Agent Setup Information File (*.inf)

  • Open File Explorer
  • Create a new Folder under C:\ and name it Certificates
  • Perform a double click on C:\Certificates
  • Right Click in any empty area in this Folder
  • Click New
  • Select Text Document
  • Name it EnrollmentAgent.txt
  • Open the File with Notepad
  • Paste the following information into the File
[NewRequest] 
Subject = "CN=SB-Enrollment" 
Exportable = TRUE 
KeyLength = 2048 
KeySpec = 2 
KeyUsage = 0x80 
MachineKeySet = TRUE 
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0" 
ProviderType = 1
[EnhancedKeyUsageExtension] 
OID = 1.3.6.1.4.1.311.20.2.1
[RequestAttributes] 
CertificateTemplate = EnrollmentAgentOffline
  • Click File
  • Click Save As
  • Ensure that Encoding is set to ANSI
  • Change Save as type to All Files (*.*)
  • Change the File ending from .txt to .inf 
  • Click Save
  • Navigate back to your Windows Explorer and ensure the file is saved as EnrollmentAgent.inf 

Create CEP Setup Information File (*.inf)

  • Create in C:\Certificates a new Text Document
  • Name it CEP.txt
  • Open the File with Notepad
  • Paste the following information into the File
[NewRequest]
Subject = "CN=SB-CEP" 
Exportable = TRUE 
KeyLength = 2048 
KeySpec = 1 
KeyUsage = 0x20 
MachineKeySet = TRUE 
ProviderName = "Microsoft RSA Schannel Cryptographic Provider" 
ProviderType = 12
[EnhancedKeyUsageExtension] 
OID = 1.3.6.1.4.1.311.20.2.1
[RequestAttributes] 
CertificateTemplate = CEPEncryption
  • Click File
  • Click Save As
  • Ensure that Encoding is set to ANSI
  • Change Save as type to All Files (*.*)
  • Change the File ending from .txt to .inf 
  • Click Save
  • Navigate back to your Windows Explorer and ensure the file is saved as CEP.inf 

Generate Enrollment Agent Certificate

  • Open an Administrative Command Prompt 
  • Navigate to C:\Certificates
  • Run the following commands step by step
    • certreq -f -new EnrollmentAgent.inf EnrollmentAgent.req
    • certreq -submit -config "ca.imagoverum.com\Enterprise Root Authority" EnrollmentAgent.req EnrollmentAgent.cer
    • certreq -accept EnrollmentAgent.cer

Click OK at the User context template conflict prompt; this warning can be ignored.

Replace the -config value (ca.imagoverum.com\Enterprise Root Authority) with your own CA, in the form CAServerFQDN\CAName.

Generate CEP Certificate

  • Now run the following commands for the CEP Certificate step by step
    • certreq -f -new CEP.inf CEP.req
    • certreq -submit -config "ca.imagoverum.com\domain-server-CA" CEP.req CEP.cer
    • certreq -accept CEP.cer

Click OK at the User context template conflict prompt; this warning can be ignored.

Replace the -config value (ca.imagoverum.com\domain-server-CA) with your own CA, in the form CAServerFQDN\CAName.

Change Permissions

  • Run certlm.msc
  • Expand Certificates (Local Computer)
  • Expand Personal
  • Click Certificates
  • Right Click SB-Enrollment Certificate
    • Select All Tasks
    • Select Manage Private Keys
    • Click Add
    • Search for Network Service
    • Click OK
    • Uncheck Full control and ensure that Read is enabled
    • Click OK
  • Right Click SB-CEP Certificate
    • Select All Tasks
    • Select Manage Private Keys
    • Click Add
    • Search for Network Service
    • Click OK
    • Uncheck Full control and ensure that Read is enabled
    • Click OK
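As an added check that is not part of the original article, the following PowerShell confirms that the SB-Enrollment and SB-CEP certificates produced by the certreq steps are in the machine store with their private keys and the Certificate Request Agent EKU, and that the Change Permissions steps gave NETWORK SERVICE Read (and not Full control) on each private key. It assumes Windows PowerShell 5.1 run elevated on the Silverback or Cloud Connector server, and that the keys live in the standard MachineKeys folder used by the legacy CSPs named in the two .inf files.

```powershell
# Added check script, not from the Matrix42 article. Set $fix to $true to add a missing Read ACE.
$fix      = $false
$identity = 'NT AUTHORITY\NETWORK SERVICE'
$keyDir   = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'   # CSP machine key files
$read     = [System.Security.AccessControl.FileSystemRights]::Read
$full     = [System.Security.AccessControl.FileSystemRights]::FullControl

foreach ($subject in 'CN=SB-Enrollment', 'CN=SB-CEP') {        # Subject values from the .inf files
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $subject } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { Write-Warning "$subject not found in LocalMachine\My"; continue }
    if (-not $cert.HasPrivateKey) { Write-Warning "$subject has no private key (was certreq -accept run?)"; continue }

    # Certificate Request Agent EKU (1.3.6.1.4.1.311.20.2.1), requested by both .inf files
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = $ekuExt.EnhancedKeyUsages | ForEach-Object Value
    $hasAgentEku = $ekus -contains '1.3.6.1.4.1.311.20.2.1'

    # Legacy CSP keys: the unique container name is the file name under MachineKeys
    $keyFile = Join-Path $keyDir $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $acl = Get-Acl -Path $keyFile
    $rights = [System.Security.AccessControl.FileSystemRights]0
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $identity -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $rights = $rights -bor $_.FileSystemRights }
    $hasRead = ($rights -band $read) -eq $read      # expected True
    $hasFull = ($rights -band $full) -eq $full      # expected False (Full control was unchecked)

    [pscustomobject]@{
        Subject = $subject; Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter
        AgentEKU = $hasAgentEku; NetworkServiceRead = $hasRead; NetworkServiceFullControl = $hasFull
    } | Format-List

    if ($fix -and -not $hasRead) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'Read', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $keyFile -AclObject $acl
        Write-Host "Granted Read on $keyFile to $identity"
    }
}
```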

Import Certification Authority Certificate

This step is only necessary if your server is not a domain member.

  • Right Click the Certificates Folder in the left panel or click in any free area in the middle panel
  • Click All Tasks
  • Click Import
  • Proceed with Next
  • Click Browse
  • Now navigate to your exported Certification Authority Certificate 
    • e.g. \\FILESHARE\Certificates
  • Select the Certificate
  • Click Open
  • Proceed with Next
  • Ensure the certificate will be placed in the Personal Store
  • Proceed with Next
  • Click Finish
  • Click OK
  • You should now have 3 newly imported certificates
    • SB-CEP
    • SB-Enrollment
    • Certification Authority Certificate

Copy Certification Authority Certificate

This step is only necessary if your server is not a domain member.

  • Right Click your Certification Authority Certificate
  • Select Copy
  • Expand Trusted Root Certification Authorities Folder
  • Select Certificates
  • Click Action in the navigation pane
  • Click Paste 

Silverback Configuration

Add Certificate Authority

  • Open your Silverback Management Console
  • Login as a Settings Administrator
  • Navigate to Certificates
  • Under Certificate Deployment enable Individual Client
  • Enter your Certificate Authority in the following format:
    • ca.imagoverum.com\domain-server-CA
  • Click Save
  • Confirm with OK

Select Certificate

  • Scroll down to Windows 10 Certificate Settings
  • Choose for Enrollment Issuing CA Thumbprint the CA Certificate
  • Choose for CEP Encryption Agent the SB-CEP Certificate
  • Choose for Exchange Enrollment Agent the SB-Enrollment Certificate
  • Click Save
  • Confirm with OK

For all Cloud Customers, all Certificates need to be imported on your hosted server. Please get in touch with our technical support.

Restart IIS

  • Run PowerShell with elevated privileges
  • Run the following command:
    • restart-service w3svc,silv*,epic*,mat*

Change User 

  • Logout as Settings Administrator
  • Login as Administrator

Create a new Tag

Create Windows 10 Certificate Tag 

  • Create a Tag
    • Name it e.g. Windows 10 Certificate
    • Enter as description e.g. Windows 10 Certificate Distribution (optional)
    • Enable Profile under Enabled Features
    • Enable Windows 10 under Device Types
    • Click Save

Create Windows 10 Certificate Profile 

  • Navigate to Profile
    • Navigate to Certificate
    • Enable Certificate Settings
    • Add the name of your created Template, e.g. SilverbackUser
    • Add a Custom Subject Name Variable, e.g. u_{firstname}.{lastname}
    • Press Save
  • Navigate to Definitions
    • Click Associated Devices
    • Click Attach More Devices
    • Select your previously enrolled device
    • Click Attach Selected Devices
    • Click OK
    • Click Close
    • Click Push to devices
    • Click OK

Refresh Device 

  • On your device open Settings
    • Navigate to General
    • Navigate to Accounts
    • Navigate to Access work or school
    • Click on your added connection
    • Click Info
    • Scroll down and press sync
    • Wait until sync process is finished

Open Certificates Management Console

  • Enter certmgr.msc in your Windows 10 search box
  • Press enter
  • Click Yes
  • Expand Personal
  • Expand Certificates
  • You should now see a newly issued client certificate

Check Certification Authority 

  • Navigate back to your Certification Authority
    • Navigate to Issued Certificates
    • Right click and click refresh
    • You should now see a third newly issued certificate, with the requester name Domain\Silverback$ and the SilverbackUser Template