The tab contains the settings for working with Microsoft Certification Authorities. To add a certification authority, click Add CA.

Specify the address of the certification authority (if it was not detected automatically) and the credentials of the user account that holds an Enrollment Agent certificate, then click Add.

An account with an Enrollment Agent certificate is mandatory for Indeed CM to work with a CA correctly: Indeed CM uses this account to request certificates on behalf of other Indeed CM users from the specified certification authority. Because the account can obtain certificates in other users' names, protect its password and the private key of its Enrollment Agent certificate accordingly. The account credentials can be changed after the CA is added (see the Working with Microsoft Enterprise CA section of Indeed CM Installation and configuration).

To change the credentials of the Enrollment Agent account, select the certification authority and click the edit icon to the right of the user name. To remove a certification authority, click the delete icon next to it.

Indeed CM supports using multiple certification authorities of an organization. You can add several CAs to a single policy, or create several policies and define a separate CA for each of them.

To add a CA that is outside the domain of Indeed CM users (for example, in another independent domain of your organization), proceed as follows:

1. Click Add CA.
2. In the Address field, specify the URL of the Indeed CM MSCA Proxy application.

See the Connecting to Microsoft CA via IndeedCM.MSCA.Proxy section of Indeed CM Installation and configuration.

If Indeed CM is deployed in a domain forest that also contains the CA's domain, MSCA Proxy is not required. In this case, enter the CA address itself in the Address field.

3. Specify the user account (in Domain/Name format) and its password. The account must hold an Enrollment Agent certificate issued by the CA that is outside the domain of Indeed CM users.
4. Enable the Issue certificates for users from external associated catalog option.
5. In the LDAP field, specify the path to the Indeed CM user directory in the external domain.

Example:

Indeed CM is deployed in the demo.local domain and user certificates are issued by a CA deployed in the same domain. When adding the CA deployed in the external.com domain, specify the path to the user directory of that domain, in which Indeed CM users have a second account for which the added CA should issue certificates.
In this way, several certificates issued by CAs from different independent domains can be written to one device for an employee who has accounts in those domains.

Certificates can be issued for external directory users only if the associating attribute of the external account matches the same attribute of the account in the main user directory.

For example, the e-mail address in the user's account properties in the demo.local domain must be the same as the one in the account of the same user in the external.com domain.

6. In the User name field, specify an account (in Domain/User format) with permission to read all user properties in the external domain. The account specified at step 3 can be used for this.

To grant permission to read only the required properties instead (the least-privilege option), refer to the Configuring the user catalog in Active Directory section of Indeed CM Installation and configuration.

7. In the Catalogs associating attribute field, select the attribute (Common name (CN), E-mail or Logon name (sAMAccountName)) that Indeed CM uses to match a user's accounts across the two domains; its value must be unique within each domain. The figure shows an example of settings for an external Microsoft CA.
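The following PowerShell script is an added pre-flight check for this procedure and for the Enrollment Agent requirement above; it is not part of Indeed CM or its documentation. Before the external CA is added on this tab, it verifies that the CA answers, that the account used at step 3 actually holds a valid Enrollment Agent certificate, and that the attribute chosen at step 7 maps the user's account in the main domain to exactly one account in the external domain (steps 5 and 6). The domain names demo.local and external.com come from the example above; the CA configuration string CA01.external.com\External-CA, the account EXTERNAL\cm-agent and the user jdoe are hypothetical placeholders. It needs the RSAT ActiveDirectory module, and the certificate check must run in the agent account's own session because it inspects that account's personal certificate store.

```powershell
# Added example, not Indeed CM code. Hypothetical names: the CA config string,
# the agent account and the user are placeholders; replace them with your own.
param(
    [string]$CaConfig       = 'CA01.external.com\External-CA',
    [string]$MainDomain     = 'demo.local',
    [string]$ExternalDomain = 'external.com',
    [string]$AgentAccount   = 'EXTERNAL\cm-agent',
    [string]$SamAccount     = 'jdoe',
    [ValidateSet('cn', 'mail', 'sAMAccountName')]
    [string]$AssocAttribute = 'mail'
)

Import-Module ActiveDirectory

# Certificate Request Agent EKU; a certificate with this EKU is what the
# "Enrollment Agent certificate" requirement refers to.
$EnrollmentAgentEku = '1.3.6.1.4.1.311.20.2.1'

function Test-CaReachable {
    param([string]$Config)
    # certutil -ping exercises the same ICertRequest interface enrollment uses.
    & certutil.exe -config $Config -ping | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Get-EnrollmentAgentCertificate {
    # Look in the personal store of the account running this script for a
    # currently valid certificate with a private key and the Request Agent EKU.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and $_.NotBefore -le (Get-Date) -and
        ($_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $EnrollmentAgentEku })
    }
}

function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # Escape the characters that are special in an LDAP filter (RFC 4515),
    # backslash first so the escapes themselves are not re-escaped.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Find-AssociatedExternalAccount {
    param([string]$Sam, [string]$Attribute, [pscredential]$Credential)
    $mainUser = Get-ADUser -Server $MainDomain -Identity $Sam -Properties cn, mail, sAMAccountName
    $value = $mainUser.$Attribute
    if (-not $value) { throw "Attribute '$Attribute' is empty on $MainDomain account '$Sam'" }

    # Search the external directory with the reader credentials from step 6.
    # The same attribute value on both sides is the condition the page states.
    $filter = "($Attribute=$(ConvertTo-LdapFilterValue $value))"
    $matches = @(Get-ADUser -Server $ExternalDomain -Credential $Credential -LDAPFilter $filter `
                   -Properties cn, mail, sAMAccountName)
    return [pscustomobject]@{ Value = $value; Matches = $matches }
}

# ---- run the checks ----
if (Test-CaReachable -Config $CaConfig) {
    Write-Host "OK: CA $CaConfig answers certutil -ping"
} else {
    Write-Warning "CA $CaConfig is not reachable; check the address (or the MSCA Proxy URL) first"
}

$agentCerts = @(Get-EnrollmentAgentCertificate)
if ($agentCerts.Count -gt 0) {
    Write-Host "OK: $($agentCerts.Count) valid Enrollment Agent certificate(s) in the current user's store"
} else {
    Write-Warning "No valid Enrollment Agent certificate in the current user's store; run this as $AgentAccount or enroll one first"
}

$cred   = Get-Credential -UserName $AgentAccount -Message 'Password of the external-domain reader account'
$result = Find-AssociatedExternalAccount -Sam $SamAccount -Attribute $AssocAttribute -Credential $cred
switch ($result.Matches.Count) {
    0       { Write-Warning "No account in $ExternalDomain has $AssocAttribute = '$($result.Value)'; the CA cannot issue for $SamAccount" }
    1       { Write-Host  "OK: $MainDomain\$SamAccount maps to $ExternalDomain\$($result.Matches[0].sAMAccountName) via $AssocAttribute" }
    default { Write-Warning "$($result.Matches.Count) accounts in $ExternalDomain share $AssocAttribute = '$($result.Value)'; pick an attribute that is unique" }
}
```

Run it once per associating attribute you are considering (`-AssocAttribute cn`, `mail` or `sAMAccountName`): the attribute that yields exactly one match for every user is the one to select in step 7. If the LDAP search returns accounts but their `cn` or `mail` come back empty, the reader account from step 6 lacks read permission on those properties in the external domain.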
