Description

This document will explain the steps to create signing certificate using Local CA.

Steps

To create signing certificate using Local CA follow the steps given below,

1. Creating Signing Certificate template
2. Issuing Signing Certificate template
3. Requesting Signing Certificate
4. Deploying the certificate using GPO

Creating the Signing Certificate template on the certification authority.

1. Open CertificatIon authority on the machine where you have installed the certification authority.
2. Expand the name of the certification authority and click Certificate Templates.

3. Right-click Certificate Templates, and click Manage to load the Certificate Templates management console.

   

4. In the results pane, right-click the entry that displays "Code Signing" in the Template Display Name column, and then right click and select Duplicate Template. 

   

5. Properties of New template console will open. Select General tab, enter the template name for the site server signing certificate. For eg: ThirdPartySigningCertificate.

   

6. Select Request handling tab and enable Allow private key to be exported.

   

7. Select Subject name tab and select Build from this Active Directory information and select Common Name as the Subject name format.

   

8. Select Extensions tab and ensure that the key usage has digital signature.

   

9. Select Security tab, under Group or users name select Authenticated users and provide Read and Enroll permissions.

   

10. Select Cryptography tab and verify if the minimum key size is 2048.

    

11. Click OK and close the Certificate Templates console.

Issuing the Signing Certificate template

1. In Certification Authority, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

   

2. In the Enable Certificate Templates dialog box, select the new template you have just created, ThirdPartySigningCertificate, and then click OK.

   

Requesting Signing certificate

1. On a machine which is under the domain, type mmc.exe in command prompt, and then press Enter.
2. An empty management console will open , click File, and then click Add/Remove Snap-in.
3. Add or Remove Snap-in dialog box will open, select Certificates from the list of Available snap-ins, and then click Add.
4. In the Certificate snap-in dialog box, select My user account, and then click Finish.
5. In the Add or Remove Snap-in dialog box, click OK.
6. In the console, expand Certificates— Current User, expand Personal and click Certificates 

7. Right click Certificates, then click All Tasks and then click Request New Certificate.

   

8. Follow the Certificate Enrollment wizard to select the newly created certificate template, set a friendly name in certificate properties and click Enroll.

   

9. After enroll succeeds, you will find the new certificate under Certificates — Current User -> Personal -> Certificates. 

10. Right click the certificate you just enrolled and click All Tasks -> Export. Follow the export wizard and export the certificate without private key and save the export as SigningCertificate.cer.

    

    

11. Export the certificate again, and this time, select "Yes, export the private key" and "Export all extended properties" in the Certificate Export Wizard, and save the export as SigningCertificate.pfx. 

Steps to Deploy Signing certificate through GPO.

In case if this problem continues, kindly Contact Support

Keywords: Third-party Patch Management, Create Signing certificate, local CA.