Windows Desktop MFA - EJBCA Configuration

This guide will show how to set up and configure Windows and EJBCA for Windows SmartCard Logon.

💡
Note that the screenshots in this guide were taken from EJBCA Version 7.11.0.1, v3.0. If you are using a different version of EJBCA or require assistance, please get in touch with the idemeum support team for further help and guidance.

Pre-requisites

Desktop MFA is supported on Windows machines where TPM is enabled. Please click here to enable TPM on your PC. By default, Windows 11 has TPM enabled, whereas not all Windows 10 PCs have TPM enabled by default; if the PC has a TPM present but disabled, it can be enabled via BIOS setup. Refer to the same link as before to learn how to verify whether a TPM is present in the system.

Step 1: Creating the CA

💡
Skip this step if CA has already been created.
  • Login to EJBCA Administration GUI
  • Navigate CA Functions -> Certification Authorities
  • Add the CA name and Click Create...
  • When setting up the CA, be sure to select appropriate values for settings such as Subject DN, Validity, and CRL Distribution Point. Additionally, ensure that the CRL Distribution Point is publicly accessible to enable certificate revocation checking.

Step 2: Create Certificate Profile for DomainController

  • Login to EJBCA Administration GUI
  • Navigate CA Functions -> Certificate Profiles
  • Download the zip file above
  • Click Choose file and select the downloaded zip file
  • Click Import Profiles
  • Verify that the Certificate Profile named DomainController was imported successfully and is listed in the List of Certificate Profiles
  • Click Edit
  • Change Validity or end date of the certificate as per Org policy
  • Choose the relevant CA in Available CAs section
  • Click Save

Step 3: Create Certificate Profile for end users

  • Login to EJBCA Administration GUI
  • Navigate CA Functions -> Certificate Profiles
  • Download the zip file above
  • Click Choose file and select the downloaded zip file
  • Click Import Profiles
  • Verify that the Certificate Profile named MSSmartCardLogon was imported successfully and is listed in the List of Certificate Profiles
  • Click Edit
  • Change Validity or end date of the certificate as per Org policy
  • Choose the relevant CA in Available CAs section
  • Click Save

Step 4: Create an End Entity Profile for DomainController

  • Login to EJBCA Administration GUI
  • Navigate RA Functions -> End Entity Profiles
  • Download the zip file above
  • Click Choose file and select the downloaded zip file
  • Click Import
  • Verify that the End Entity Profile named DomainController was imported successfully and is listed in the List of End Entity Profiles
  • Click Edit End Entity Profile -> Choose the relevant CA in the Default CA & Available CAs sections -> Click Save

Step 5: Create an End Entity Profile for end users

  • Login to EJBCA Administration GUI
  • Navigate RA Functions -> End Entity Profiles
  • Download the zip file above
  • Click Choose file and select the downloaded zip file
  • Click Import
  • Verify that the End Entity Profile named MSSmartCardLogon was imported successfully and is listed in the List of End Entity Profiles
  • Click Edit End Entity Profile
  • Enter the domain as highlighted. Example: xyz.com
  • Choose the relevant CA in Default CA & Available CAs sections
  • Click Save

Step 6: Download scripts

Download the above scripts (zip file) onto the Domain Controller to proceed with the next steps.

Step 7: Generate a certificate request for each domain controller

  • On Domain Controller
  • Run GenerateDCCertRequest.vbs script file provided above.
  • Confirm that the script execution is complete by verifying the status as "Done!"
  • This script produces DomainControllerCertRequest-<hostname>.req containing the request, and DomainControllerInfo-<hostname>.txt
  • The output files generated from the above steps are required in EJBCA for further configuration.
  • This Step (7) needs to be repeated for every Domain Controller
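The values Step 8 a asks for (the DC's DNS name and its MS GUID) and the PKCS#10 request itself can also be produced by hand, which is useful to cross-check what the script wrote. The following PowerShell is an added example and is not the GenerateDCCertRequest.vbs script from this guide; it assumes it is run as an administrator on the domain controller, that the ActiveDirectory module is available (it is on every DC), and that the C:\Temp paths are arbitrary scratch locations. It uses certreq with an .inf file as an alternative way to build the request.

```powershell
# Added example, not the guide's GenerateDCCertRequest.vbs. Run elevated on the DC.
# Assumption: ActiveDirectory module present; C:\Temp is an arbitrary scratch directory.
Import-Module ActiveDirectory

$dc     = Get-ADComputer -Identity $env:COMPUTERNAME -Properties DNSHostName
$fqdn   = $dc.DNSHostName        # value for "DNS Name" in Step 8 a
$guid   = $dc.ObjectGUID.Guid    # value for "MS GUID, Globally Unique Identifier" in Step 8 a
$outDir = 'C:\Temp'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Record the two values so they can be copied into the EJBCA "Add End Entity" form.
@"
DNSHostName = $fqdn
ObjectGUID  = $guid
"@ | Set-Content -Path (Join-Path $outDir "DomainControllerInfo-$env:COMPUTERNAME.txt")

# certreq request template. MachineKeySet puts the key in the computer store and
# Exportable = FALSE keeps it there; KeyUsage 0xA0 = digitalSignature + keyEncipherment.
# The SAN carries the FQDN, which Windows clients check on the DC certificate.
$inf = @"
[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
MachineKeySet = TRUE
Exportable = FALSE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}dns=$fqdn"
"@
$infPath = Join-Path $outDir 'dc-request.inf'
$reqPath = Join-Path $outDir "DomainControllerCertRequest-$env:COMPUTERNAME.req"
$inf | Set-Content -Path $infPath -Encoding ASCII

# Generates the key pair in the machine store and writes the PKCS#10 request.
certreq -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }
Write-Host "Request written to $reqPath; submit it in Step 8 b."
```

The MS GUID extension itself is not requested here: EJBCA adds it from the value entered in Step 8 a, which is why the objectGUID is recorded in the info file rather than in the .inf.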

Step 8 a: Issue Domain Controller Certificate(s) for all Domain Controllers - Add End Entity

  • Login to EJBCA Administration GUI
  • Navigate RA Functions -> Add End Entity
  • Set Username, for example "DomainController-001"
  • Set a Password of your choice
  • Set CN to the name of the domain controller
  • Set DNS Name = from DomainControllerInfo-<hostname>.txt
  • Set MS GUID, Globally Unique Identifier = from DomainControllerInfo-<hostname>.txt

Step 8 b: Issue Domain Controller Certificate(s) for all Domain Controllers - Fetch Certificate

  • Login to EJBCA Administration GUI
  • Click Public Web
  • Navigate to Enroll -> Create Certificate from CSR
  • Enter Username and Enrollment code provided in the above step
  • Click Choose file -> Select DomainControllerCertRequest-<hostname>.req generated from Step 7
  • Choose PKCS#7 certificate in Result type
  • Click OK
  • After completing the previous step, a p7b certificate file will be generated. If the file does not download automatically, you can download it manually

Step 9: Install and publish the certificate on each Domain Controller

Now that you have the .p7b certificate file acquired from the previous step, you can proceed with installing the certificate.

  • On Domain Controller
  • From the Downloaded scripts, Run InstallDomainControllerCert.vbs script file.
  • Select .p7b certificate file when prompted for the DC certificate and click Open. This will take some time to process.
  • Click OK
  • The certificate should be displayed if everything goes fine. If there are multiple certificates, click More choices to verify the list.
  • Click Cancel post verification to close the window

Step 10: Fetch the CA certificate

💡
You can skip this step if the CA certificate has already been imported to the "Enterprise NTAuth store"
  • Login to EJBCA Administration GUI
  • Click Public Web
  • Click Retrieve -> Fetch CA Certificates
  • Click Download as PEM : This downloads <ca>.pem file
  • Click Download to Internet Explorer : This downloads <ca>.crt file

Step 11: Import the CA certificate to the "Enterprise NTAuth store"

💡
You can skip this step if the CA certificate has already been imported to the "Enterprise NTAuth store"
  • On Domain Controller
  • From the Downloaded scripts, Run ImportCACertToNTAuthStore.vbs script file.
  • Select the CA certificate <ca>.pem when prompted. This will take some time to process
  • Click OK
  • The certificate should be displayed if everything goes fine. If there are multiple certificates, click More choices to verify the list.
  • Click Cancel post verification to close the window
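Before moving on to the clients it is worth confirming, on the domain controller, that Step 9 left a usable DC certificate behind and that Step 11 actually populated the Enterprise NTAuth store, since a missing NTAuth entry is the most common reason the KDC later rejects smart card logons. The PowerShell below is an added example, not one of the scripts shipped with this guide; it assumes it runs elevated on the DC, that $caSubject is set to the Subject DN of the CA created in Step 1 (a constructed placeholder is shown), and that C:\Temp is a scratch path. The -urlfetch verification also exercises the CRL Distribution Point configured in Step 1.

```powershell
# Added example, not part of this guide's scripts. Run elevated on the domain controller.
# Assumption: $caSubject equals the Subject DN of the CA from Step 1 (placeholder below).
$caSubject = 'CN=Example Issuing CA'   # constructed placeholder, replace with your CA DN

# 1. Locate the DC certificate: issued by our CA, private key present, newest first.
$fqdn   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$dcCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -eq $caSubject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $dcCert) { throw "No certificate issued by '$caSubject' with a private key in LocalMachine\My" }

# Server Authentication EKU is what makes the certificate usable for DC/KDC authentication.
$ekuOids = $dcCert.Extensions |
    Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
    ForEach-Object { ([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$_).EnhancedKeyUsages.Value }
if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.1') { throw 'DC certificate lacks the Server Authentication EKU' }

# The SAN must carry the DC's FQDN (the "DNS Name" entered in Step 8 a).
$san = ($dcCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
if ($san -notmatch [regex]::Escape($fqdn)) { throw "SAN '$san' does not contain $fqdn" }

# The MS GUID entered in Step 8 a is carried in the NTDS Replication extension.
if (-not ($dcCert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.25.1' })) {
    Write-Warning 'DC certificate has no domain controller GUID extension; check the MS GUID field from Step 8 a'
}
Write-Host "DC certificate OK: $($dcCert.Thumbprint), valid until $($dcCert.NotAfter)"

# 2. Chain and revocation. -urlfetch forces the CRL to be downloaded from the CDP, so this
#    fails if the CRL Distribution Point from Step 1 is not reachable from here.
$dcCerPath = 'C:\Temp\dc.cer'
New-Item -ItemType Directory -Path (Split-Path $dcCerPath) -Force | Out-Null
Export-Certificate -Cert $dcCert -FilePath $dcCerPath -Type CERT | Out-Null
certutil -urlfetch -verify $dcCerPath | Select-String 'Revocation|ERROR|CRL'
if ($LASTEXITCODE -ne 0) { throw 'certutil -verify reported a chain or revocation problem' }

# 3. The issuing CA must be in the Enterprise NTAuth store or the KDC will not accept
#    smart card logon certificates it issued.
$ntauth = certutil -enterprise -store NTAuth | Out-String
if ($ntauth -notmatch [regex]::Escape($caSubject.Replace('CN=', ''))) {
    throw "CA '$caSubject' was not found in the Enterprise NTAuth store"
}
Write-Host 'Enterprise NTAuth store contains the issuing CA'
```

Run it after Step 11 has completed; if only the NTAuth check fails, repeat Step 11 (or publish with certutil -dspublish -f <ca>.crt NTAuthCA, which writes the same AD object) and allow for replication before re-running.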

Step 12 a: Push CA certificate to all clients - Add the CA certificate to the Domain Security Policy

💡
You can skip this step if the CA certificate has already been pushed to all client machines.
  • On Domain Controller
  • Start → Administrative Tools → Group Policy Management
  • Domains → Choose your Domain → Group Policy Objects → Default Domain Policy → Settings tab → Computer configuration → Policies → Windows Settings → Security Settings → Public Key Policies/Encrypting File System
  • Right Click → Edit...
  • Navigate to Computer Configuration → Windows Settings → Security Settings → Public Key Policies → Trusted Root Certification Authorities
  • Right Click -> Import
  • Select <ca>.crt downloaded from the previous step and continue with the remaining steps as guided.
  • Verify that the confirmation window reports "The import was successful." The certificate should be displayed if everything goes fine.

Step 12 b: Push CA certificate to all clients - Install the certificate on every client machine

💡
You can skip this step if the CA certificate has already been pushed to all client machines.
  • On client machine
  • This should happen automatically every 8 hours. To force the update, run "gpupdate /force" on the client(s).
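To confirm on a client that the policy from Step 12 a actually delivered the CA certificate, compare the machine's Trusted Root store against the file downloaded in Step 10 by thumbprint rather than by name, so that only the exact CA passes. The PowerShell below is an added example and is not part of this guide's scripts; it assumes an elevated prompt on the client and that $caCrt points at the <ca>.crt file (the path shown is a constructed placeholder).

```powershell
# Added example, not one of this guide's scripts. Run elevated on a client machine.
# Assumption: $caCrt is the <ca>.crt downloaded in Step 10 (placeholder path below).
$caCrt = 'C:\Temp\ca.crt'   # constructed placeholder

# Force the Group Policy refresh instead of waiting for the periodic one.
gpupdate /force | Out-Null
if ($LASTEXITCODE -ne 0) { throw "gpupdate failed with exit code $LASTEXITCODE" }

# Matching by thumbprint means a different CA with the same subject name does not pass.
$expected  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caCrt
$installed = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $expected.Thumbprint
if (-not $installed) {
    # Shows which GPOs applied to the computer; "Default Domain Policy" from Step 12 a should be listed.
    gpresult /r /scope:computer
    throw "CA '$($expected.Subject)' ($($expected.Thumbprint)) is not in LocalMachine\Root"
}
Write-Host "Trusted root present: $($installed.Subject), expires $($installed.NotAfter)"
```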

Step 13: Retrieve the Keystore file and Keystore password for ReST API authentication

  • Ask the EJBCA admin to provide the keystore details for executing user certificate enrollment API.
💡
Admins should consider creating a separate EJBCA user with limited privileges and assigning a dedicated certificate to that user for API authentication purposes. By using a separate and dedicated certificate and keystore for API authentication, we improve the overall security posture of EJBCA deployment.
Click here to view Access Roles and Rules for API user/End Entity

Step 14: Enable ReST API for certificate management

  • Login to EJBCA Administration GUI
  • Click System Configuration -> Protocol Configuration tab
  • Enable REST Certificate Management & REST Certificate Management V2
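Before entering the keystore in idemeum it is worth checking that the keystore from Step 13 and the REST interface enabled here actually work together, because a keystore whose certificate is not mapped to a sufficient EJBCA role fails only later, when the first user enrollment is attempted. The PowerShell below is an added example and is neither idemeum's nor EJBCA's own code. It assumes placeholder values for the EJBCA hostname, the .p12 path and the CA name, that the REST base path is the standard /ejbca/ejbca-rest-api/v1, that the endpoint paths and the certificate_authorities response field follow EJBCA's REST API documentation (verify against your server's API reference), and that this machine already trusts the EJBCA server's TLS certificate; no certificate validation is switched off.

```powershell
# Added example, not idemeum's or EJBCA's code. Assumptions: placeholders below; the EJBCA
# TLS certificate is trusted by this machine; endpoints per EJBCA's REST API documentation.
$ejbcaHost = 'ejbca.example.com'     # placeholder: Hostname entered in idemeum
$p12Path   = 'C:\Temp\api-auth.p12'  # placeholder: API auth keystore from Step 13
$caName    = 'ExampleIssuingCA'      # placeholder: Certificate authority name entered in idemeum

# Get-PfxCertificate prompts for the keystore password; the key stays in memory.
$clientCert = Get-PfxCertificate -FilePath $p12Path
$base = "https://$ejbcaHost/ejbca/ejbca-rest-api/v1"

# 1. Health check of the protocol enabled in Step 14. EJBCA's REST port requires a client
#    certificate at the TLS layer, so the keystore is already exercised here.
$status = Invoke-RestMethod -Uri "$base/certificate/status" -Method Get -Certificate $clientCert
Write-Host "REST Certificate Management: $($status.status) (version $($status.version))"

# 2. An authorized call: lists the CAs the API user's role may see. An HTTP 403 here means
#    the role from Step 13 is too narrow; an empty list means it lacks CA access rules.
$cas   = Invoke-RestMethod -Uri "$base/ca" -Method Get -Certificate $clientCert
$names = @($cas.certificate_authorities | ForEach-Object { $_.name })
Write-Host "CAs visible to this API user: $($names -join ', ')"
if ($names -notcontains $caName) {
    throw "CA '$caName' is not visible to the API user; check the role's access rules before configuring idemeum"
}
Write-Host "Keystore and REST API are ready for the '$caName' CA"
```

A failure at the TLS handshake points at the keystore or the server's TLS trust; a 401 or 403 on the second call points at the role, which is also where the least-privilege advice in Step 13 is enforced: the role needs only the rules required for end entity creation and enrollment against the MSSmartCardLogon profiles.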

How to enable EJBCA in idemeum

  • Navigate to the Admin portal /adminportal
  • Click Settings  -> Desktop MFA tab
  • Click Enable EJBCA
  • Enter CA name in Certificate authority name field
  • Enter the EJBCA server hostname in Hostname field
  • Enter the End Entity profile name configured earlier in End entity profile name field. As per the profile created earlier, it is "MSSmartCardLogon"
  • Enter the Certificate profile name configured earlier in Certificate profile name field. As per the profile created earlier, it is "MSSmartCardLogon"
  • For API auth keystore password and API auth keystore fields, retrieve the API Auth keystore file (.p12 file) and API Auth keystore password from Step 13.
  • Click Save

Validation

Refer below guide to validate all of the above configurations before installing the idemeum Desktop app.

Windows Desktop MFA - Validate EJBCA configuration
This guide will show you how to troubleshoot or validate Windows and EJBCA configuration.