Indeed Certificate Manager can interact with Microsoft CAs that lie outside the domain of the Indeed CM server. Consider, for example, a configuration in which an organization has several independent domains, each with its own CA, and Indeed CM is deployed in only one of them, while the user accounts are the same across the domains.

The IndeedCM.MSCA.Proxy component allows Indeed CM to request certificates from all CAs that reside outside the domain where Indeed CM is deployed and to write them to cards. In this case, the MSCA Proxy address is added to the usage policy of Indeed CM cards. The proxy is deployed in the external domain that hosts the user directory and the certification authority. When issuing a card, Indeed CM contacts the MSCA Proxy, which sends the corresponding request to the target certification authority using the Enrollment Agent certificate (stored in the certificate store of the workstation on which the IndeedCM.MSCA.Proxy component is installed). To install and configure the MSCA Proxy application, proceed as follows:

  1. Create a service account for working with the Microsoft CA in the external domain (see Creating a service account for working with Microsoft CA).
  2. Configure the Enrollment Agent certificate template for the account created in the previous step (see Settings of certificate templates to use with Indeed CM) and issue a certificate to that account using the template (see Issuing the Enrollment Agent certificate).

    The Enrollment Agent certificate has to reside in the certificate store of the workstation (Local computer) on which the IndeedCM.MSCA.Proxy component is installed.

  3. Install the IndeedCM.MSCA.Proxy.msi component on a workstation in the domain with the external CA.

    System requirements for installing the component are the same as those for the Indeed CM server.

  4. Go to the C:\inetpub\wwwroot\mscaproxy folder and open the Web.config file in Notepad as administrator.
  5. In the caProxySettings section:
    • Specify the certification authority name in the ca parameter.
    • Specify the credentials (userName and password) of the account that holds the Enrollment Agent certificate.
    • Specify the thumbprint of the Enrollment Agent certificate in the enrollmentAgentCertificateThumbprint parameter.

      Example of the section filled in:
      <caProxySettings ca="servercm.external.com\EXTERNAL-CA" userName="EXTERNAL\extserviceca" password="p@ssw0rd"
      enrollmentAgentCertificateThumbprint="dbd1859d27395860843643ebe17e2ee3fc463aba"/>
  6. Specify the service account used with the certification authority in the allow users parameter of the authorization section.

    Example of the section filled in:
    <authorization>
    	<deny users="?" />
    	<allow users="EXTERNAL\extserviceca" />
    	<deny users="*" />
    </authorization>
  7. Save the changes.
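As an added check that is not part of the Indeed CM product or its documentation, the following PowerShell script, run as administrator on the MSCA Proxy workstation, confirms that the values entered in Web.config line up with the Local Computer certificate store and that the authorization section is ordered as in step 6. It assumes the default folder from step 4 and relies on the Certificate Request Agent EKU (OID 1.3.6.1.4.1.311.20.2.1), which is what makes a certificate an Enrollment Agent certificate.

```powershell
# Added example (not Indeed CM code): sanity-check an IndeedCM.MSCA.Proxy
# Web.config before the proxy is put into service.
$webConfigPath = 'C:\inetpub\wwwroot\mscaproxy\Web.config'   # assumed default path
[xml]$config = Get-Content -Path $webConfigPath -Raw

$settings = $config.SelectSingleNode('//caProxySettings')
if (-not $settings) { throw "caProxySettings section not found in $webConfigPath" }

$thumbprint = ($settings.enrollmentAgentCertificateThumbprint -replace '\s', '').ToUpperInvariant()
if ($thumbprint -notmatch '^[0-9A-F]{40}$') {
    throw 'enrollmentAgentCertificateThumbprint is not a 40-character SHA-1 thumbprint'
}

# The proxy runs as a service, so the certificate must be in the Local Computer
# store (not the current user's store) and must carry its private key.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $thumbprint in Cert:\LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw 'Enrollment Agent certificate has no private key' }

# Certificate Request Agent EKU identifies an Enrollment Agent certificate.
$ekuOids = $cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }
if ($ekuOids -notcontains '1.3.6.1.4.1.311.20.2.1') {
    throw "Certificate $thumbprint does not carry the Certificate Request Agent EKU"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Enrollment Agent certificate expires on $($cert.NotAfter)"
}

# Authorization: anonymous denied first, only the service account allowed, everyone else denied.
$auth = $config.SelectSingleNode('//authorization')
$rules = @($auth.ChildNodes | Where-Object { $_.NodeType -eq 'Element' } |
    ForEach-Object { "$($_.Name):$($_.users)" })
$expected = @('deny:?', "allow:$($settings.userName)", 'deny:*')
if (Compare-Object $rules $expected -SyncWindow 0) {
    throw "authorization rules are [$($rules -join ', ')], expected [$($expected -join ', ')]"
}

# The service account password is stored in clear text in Web.config,
# so warn if broad local groups can read the file.
$acl = Get-Acl -Path $webConfigPath
$broad = $acl.Access | Where-Object {
    $_.IdentityReference -match 'Everyone|BUILTIN\\Users|Authenticated Users' -and
    $_.AccessControlType -eq 'Allow'
}
if ($broad) { Write-Warning "Web.config is readable by: $($broad.IdentityReference -join ', ')" }

Write-Host 'MSCA Proxy Web.config and Enrollment Agent certificate checks passed.'
```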
