Overview
This article will go over the process of creating a custom root certificate in place of the standard Cisco Root Certificate. This guide assumes that you have both Active Directory Certificate Services configured and the Web Service/Web Enrolment Service roles configured on the Windows Server in question.
Preparing AD CS Template
- Open the Active Directory Certification Authority MMC by navigating to Start -> Run -> MMC
- Click File -> Add/Remove Snap-in and add the Certificate Templates and Certification Authority snap-ins. Click OK
- Expand Certificate Templates and right-click on Subordinate Certification Authority. Click on Duplicate Template.
We will now create a custom certificate template to comply with the requirements listed in our documentation.
https://docs.umbrella.com/umbrella-user-guide/docs/add-customer-ca-signed-root-certificate
We highlight the requirements as they were detailed at the time of this article's creation.
- General tab
- Give the template a name which has meaning to you.
- Set the Validity Period to 35 months (3 years less a month)
- Set the Renewal Period to 20 Days
- Extensions tab
- Double-click on Basic Constraints
- Ensure that Make this extension critical is ticked
- Under Key Usage
- Ensure that Certificate Signing & CRL Signing are ticked.
- Untick Digital Signature.
- Ensure Make this extension critical is ticked here too.
- Click Apply and OK
Issue the Template
- Now back in the MMC we set up in step 2 of the previous process, expand the Certificate Authority section.
- In the newly expanded section, right-click on the Certificate Templates folder and click New -> Certificate Template to Issue.
- In the new window select the name of the certificate template we created in the last section and click OK.
The CA is now ready to facilitate the request.
Set the Certificate Authority to apply UTF-8 encoding
If you already have your AD Certificate Services configuration set to enforce UTF-8 encoding then this section can be skipped.
RFC 5280 states that the encoding method used should be consistent throughout the certificate chain; therefore the encoding used for this signing should be UTF-8.
The steps below are one method of enforcing UTF-8 encoding with AD CS and were accurate at the time of writing. However, we strongly recommend contacting Microsoft Support before making this change if you are unclear about the implications within your environment.
- Enforce UTF-8 encoding with the following certutil command:
certutil -setreg ca\forceteletex +0x20
- Restart Certificate Services to apply the change:
net stop certsvc
net start certsvc
- After the signing of the CSR is complete in the next section, the changes here can be reverted with the following commands:
certutil -setreg ca\forceteletex -0x20
net stop certsvc
net start certsvc
If this section is skipped and the certificate is signed using a different encoding method (for example PrintableString), then the certificate chain may not be trusted by web browsers on macOS or by Firefox on Windows.
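As an added check that is not part of the original article, the stdlib-only Python below reports which ASN.1 string types the issuer and subject Names of a DER certificate use, so a mix such as a UTF8String issuer over a PrintableString subject can be spotted before the signed certificate is uploaded. The sample blob is constructed here and is not a real, signed certificate; a downloaded Base64 .cer file would be decoded with base64 after stripping its PEM header and footer lines.

```python
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x14: "TeletexString", 0x16: "IA5String", 0x1E: "BMPString"}

def der(tag, content):
    """Encode one DER TLV; short-form length is enough for the sample built below."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = length-of-length
        size = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element of a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner

def name_string_types(name_value):
    """Return the set of string types used by the attribute values of a DER Name (its content)."""
    types = set()
    for _, rdn in children(name_value):                   # RelativeDistinguishedName (SET)
        for _, atv in children(rdn):                      # AttributeTypeAndValue (SEQUENCE)
            value_tag = list(children(atv))[1][0]         # element 0 is the attribute type OID
            types.add(STRING_TAGS.get(value_tag, f"tag 0x{value_tag:02x}"))
    return types

def cert_name_types(cert_der):
    """Return {'issuer': types, 'subject': types} for a DER-encoded X.509 certificate."""
    _, tbs, _ = read_tlv(read_tlv(cert_der, 0)[1], 0)    # Certificate -> tbsCertificate
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:                              # skip optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return {"issuer": name_string_types(fields[2][1]), "subject": name_string_types(fields[4][1])}

def cn_name(cn, string_tag=0x0C):
    """Build a one-attribute DER Name (CN=cn) whose value uses string_tag."""
    atv = der(0x30, der(0x06, b"\x55\x04\x03") + der(string_tag, cn.encode()))
    return der(0x30, der(0x31, atv))

# Constructed sample (not a real, signed certificate): only the TBS fields the check reads.
SAMPLE_CERT = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
    + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))   # sha256WithRSAEncryption
    + cn_name("Example Issuer CA", 0x0C)                                # issuer: UTF8String
    + der(0x30, b"") + cn_name("Umbrella Root CA", 0x13)))              # subject: PrintableString
```

Running `cert_name_types(SAMPLE_CERT)` on the constructed sample shows the inconsistent case (UTF8String issuer, PrintableString subject); on a correctly issued chain both sets should contain only UTF8String.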
Downloading and Signing the CSR
- Log in to your Umbrella Dashboard (https://dashboard.umbrella.com)
- Navigate to Deployments - Root Certificate
- Click the Add (+) Icon in the upper-right hand corner and name your CA in the new window.
- Download the Certificate Signing Request (CSR)
- In a new browser tab navigate to the web services for Active Directory Certificate Services. (If you are using the local machine this would be 127.0.0.1/certsrv/ or similar.)
- In the new page select Request a Certificate
- Select Advanced Certificate Request
- Under Saved Request, copy and paste the contents of the CSR we downloaded in step 4 (you will need to open it with a text editor)
- Under Certificate Template select the name of the certificate template we created in the Preparing the Certificate Template section and click Submit
- Ensure Base64 Encoded is selected, click Download Certificate, and make note of the .cer file location.
Upload the signed CSR (and public root certificate)
- On your Umbrella Dashboard once again navigate to Deployment -> Root Certificate
- Click on the root certificate we created in Step 3 of the previous section
- Click Upload CA at the bottom right hand corner of the line ***
- Click the top Browse button [Certificate Authority (Signed CSR)]
- Browse to the location of the .cer file we created in the previous section and click Save.
- Click Next and select the groups of computers/users you would like the certificate to be used with (instead of the Cisco Root Certificate) and hit Save
*** - You may optionally also upload the CA certificate. This can be retrieved from the web interface of your certification authority server (http://127.0.0.1/certsrv/) by selecting Download a CA Certificate, Certificate Chain, or CRL. Follow the onscreen prompts to 'Download the CA certificate' in Base64.