UniToken Integration Guide Windows 2003 Server Smart Card Configuration
From the Start Menu, click on [Connect To], [Show all connections].
Right-click on the connection interface between the domain controller and client and select [Properties].
In the properties window of the connection, select [Internet Protocol (TCP/IP)] and click on [Properties].
In the "Internet Protocol Version 4 (TCP/IPv4) Properties" window, select [Use the following IP address] and input a static IP address, subnet mask and default gateway for your server.
Select [Use the following DNS server addresses] and input the same IP address as your static IP address. This server will be used as the main DNS server.
Click on [OK] on all windows to finish.
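The same static-address and DNS settings can be applied and then checked from a command prompt. This batch script is an added example, not part of the SecuTech guide; the interface name, addresses and mask are constructed placeholders, and name resolution against this server only works once dcpromo has installed DNS in the next section.

```batch
@echo off
rem Added example (not from the SecuTech guide): command-line equivalent of the
rem static IP / DNS steps above, followed by a check that the values took effect.
rem All values below are constructed placeholders; substitute your own.
set IFNAME=Local Area Connection
set IPADDR=192.168.10.5
set MASK=255.255.255.0
set GATEWAY=192.168.10.1

rem Static address, subnet mask and default gateway (gateway metric 1)
netsh interface ip set address name="%IFNAME%" source=static addr=%IPADDR% mask=%MASK% gateway=%GATEWAY% gwmetric=1
if errorlevel 1 goto :fail

rem The server uses its own static address as preferred DNS server, as the guide requires
netsh interface ip set dns name="%IFNAME%" source=static addr=%IPADDR% register=primary
if errorlevel 1 goto :fail

rem Check: the adapter now reports the static values and the DNS entry points at this host
ipconfig /all | findstr /i "IP Address Subnet Gateway DNS"
ping -n 1 %GATEWAY%
goto :eof

:fail
echo netsh reported an error; the adapter still has its previous settings.
exit /b 1
```

A DNS entry that does not point back at this server is the most common cause of dcpromo failing to register the domain, so the ipconfig check is worth running before starting the Active Directory wizard.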
Active Directory Installation
From the Start Menu, click on [Run...].
Input "dcpromo", without quotation marks, and click [OK] to launch the Active Directory wizard.
On the "Active Directory Installation Wizard" welcome screen, click on [Next].
On the "Operating System Compatibility" page, click on [Next].
On the "Domain Controller Type" page, verify that [Controller for a new domain] is selected, then click [Next].
On the "Create New Domain" page, verify that [Domain in a new forest] is selected, then click [Next].
On the [New Domain Name] page, input a name for your domain, then click [Next].
On the "NetBIOS Domain Name" page, input a NetBIOS name or otherwise leave the suggested name, then click on [Next].
On the "Database and Log Folders" page, click on [Next].
On the "Shared System Volume" page, click on [Next].
On the [DNS Registration Diagnostics] page, select [Install and configure the DNS server on this computer, and set this computer to use this DNS server as its preferred DNS server], then click on [Next].
On the "Permissions" page, select [Permissions compatible only with Windows 2000 or Windows Server 2003], then click on [Next].
On the "Directory Service Restore Mode Administrator Password" page, input a restore mode password, then click on [Next].
On the "Summary" page, confirm the entered settings, then click on [Next].
The Windows Server 2003 CD-ROM is required to complete the Active Directory configuration; insert it when prompted.
Verify that the Active Directory has been installed successfully, then click on [Finish] to close the wizard.
From the Start Menu, click on [Control Panel], [Add or Remove Programs].
Under the "Add or Remove Programs" window, choose [Add/Remove Windows Components] from the left-hand side menu.
Check [Application Server] and click on [Next].
Verify the installation was successful after completion.
Certification Authority Installation
If continuing from the previous step, return to the "Add/Remove Windows Components" window. Otherwise, from the Start Menu, click on [Control Panel], [Add or Remove Programs], then choose [Add/Remove Windows Components] from the left-hand side menu.
In the "Add/Remove Windows Components" window, check [Certificate Services]. A warning message indicating the computer name and domain may not be changed once Certificate Services is installed will appear. Click [Yes] to continue.
Verify that [Certificate Services] has been checked, and click on [Next].
In the "CA Type" step, select [Enterprise root CA], then click on [Next].
In the "CA Identifying Information" step, input the name for the CA in the field [Common name for this CA], and check that [Distinguished name suffix] corresponds to the domain name. Click on [Next] when done.
On the "Certificate Database Settings" page, click on [Next].
During the installation, a warning message indicating that the IIS service must be stopped temporarily will be displayed. Click on [Yes] to continue the installation.
The installation changes will be applied.
A warning message asking if Active Server Pages is to be enabled will appear. Click on [Yes] to continue.
Verify that the component has been installed successfully and click on [Finish] to close the wizard.
Update CertSrv for Windows Vista/7
An update available from Microsoft resolves an issue with enrolling web certificates against Windows Server 2003 Certificate Services Web enrollment, and extends the CA web interface's compatibility beyond Windows XP to Windows Vista and 7. The file can be downloaded from https://www.microsoft.com/en-us/download/details.aspx?id=4758.
Back up your data before installing this update! SecuTech cannot be held as responsible for any data loss caused by this update.
Double-click the downloaded file to launch the installation.
Click on [Next] in the "Software Update Installation Wizard" screen.
On the [License Agreement] step, select [I agree] and click on [Next] to continue.
Changes will be applied.
Verify that the update has been successfully installed and click on [Finish] to complete.
Secure Access to Certsrv with SSL
From the Start Menu, click on [Administrative Tools], [Internet Information Services (IIS) Manager].
In the "Internet Information Services (IIS) Manager" window, navigate to [Web Sites], [Default Website] in the tree list on the left. Right-click on [Default Website], then click on [Properties].
Under the [Directory Security] tab, in the [Secure communications] section, click on [Server Certificate].
Click on [Next] in the Web Server Certificate Wizard to begin.
On the "Server Certificate" page, select [Create a new certificate], then click on [Next].
In the "Delayed or Immediate Request" step, select [Prepare the request now, but send it later] and click on [Next].
On the "Name and Security Settings" page, enter the name of the certificate, then click on [Next].
On the "Organization Information" step, input the organization and organizational unit information and click on [Next].
In the "Your Site's Common Name" step, input the name of your website and click on [Next].
Input the [Country/region], [State/province], [City/locality] and click on [Next].
Indicate the certificate request file path and name in the "Certificate Request File Name" page. Click on [Next] afterwards.
On the "Request File Summary" page, verify the information is correct, then click on [Next].
Click on [Finish] to complete the wizard.
Launch the internet browser of your choice and navigate to "https://[address of domain server]/certsrv".
On the "Microsoft Active Directory Certificate Services" main page, under "Select a task", click on [Request a certificate]. Under "Request a certificate", click on [advanced certificate request].
On the "Advanced Certificate Request" page, choose [Submit a certificate request by using a base 64 encoded CMC or PKCS#10 file, or submit a renewal request by using a base 64 encoded CMC or PKCS#7 file].
Navigate to the folder where the "certreq.txt" file is located and open it.
Excluding the first and last line, copy the whole contents of "certreq.txt" and paste it in the corresponding text area in the web page.
Under "Certificate Template", choose [Web server] from the drop-down list and click on [Submit].
Select [DER encoded] and click on [Download certificate].
Save the file [certnew.cer] to a destination for later use.
Return to the [Default Web Site Properties] window, and click on [Server Certificate] under "Secure communications".
Under the "Welcome to the Web Server Certificate Wizard" welcome screen, click [Next].
On the "Pending Certificate Request" step, select [Process the pending request and install the certificate].
On the "Process a Pending Request" step, verify or enter the path to the "certnew.cer" file created earlier. Click on [Next].
On the [SSL Port] step, verify that the SSL port used on the server is correct and click on [Next].
Click on [Finish] to complete the wizard.
Return to the [Internet Information Service (IIS) Manager] window and expand [Default Web Site], right-click on the element [CertSrv], and select [Properties].
In the tab [Directory Security], click on the [Edit…] button located under "Secure communications."
In the [Secure Communications] window, check [Require secure channel (SSL)] and [Require 128-bit encryption]. Verify that [Ignore client certificates] is selected under "Client certificates" and select [Enable client certificate mapping]. Click [OK] to finish.
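The browser steps of submitting certreq.txt, downloading certnew.cer and then enforcing SSL on the CertSrv directory can also be scripted, which makes the result checkable. This batch script is an added example, not part of the SecuTech guide: the CA configuration string, the file paths and the IIS site instance (1 is the Default Web Site on a fresh install) are assumptions, and the pending-request wizard step above is still used to bind the issued certificate to the web site.

```batch
@echo off
rem Added example (not from the SecuTech guide): submit the IIS request file to the
rem enterprise CA, verify the issued certificate, then require SSL on /CertSrv.
rem CA_CONFIG ("host\CA common name"), the paths and site instance 1 are assumptions.
set CA_CONFIG=dc01.example.local\Example Enterprise CA
set REQ=C:\certreq.txt
set CER=C:\certnew.cer

rem Submit the PKCS#10 request against the Web Server template (the drop-down choice above).
rem certreq writes the issued certificate to %CER%, the same file the wizard expects.
certreq -submit -config "%CA_CONFIG%" -attrib "CertificateTemplate:WebServer" "%REQ%" "%CER%"
if errorlevel 1 goto :fail

rem Checks before installing: the subject matches the site name, and the chain
rem builds to the enterprise root CA installed earlier.
certutil -dump "%CER%" | findstr /i "Subject: CN= Template"
certutil -verify "%CER%"
if errorlevel 1 goto :fail

rem Enforce the [Require secure channel (SSL)] and [Require 128-bit encryption] settings
rem on the CertSrv virtual directory through the IIS 6 metabase.
cscript //nologo C:\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/1/ROOT/CertSrv/AccessSSL TRUE
cscript //nologo C:\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/1/ROOT/CertSrv/AccessSSL128 TRUE
rem Read back the combined flags to confirm both bits are set
cscript //nologo C:\Inetpub\AdminScripts\adsutil.vbs GET W3SVC/1/ROOT/CertSrv/AccessSSLFlags
goto :eof

:fail
echo Certificate request or verification failed; see the certreq/certutil output above.
exit /b 1
```

Verifying the chain before binding the certificate catches the common case where the CSR was submitted against the wrong CA or the issued certificate carries a different template than intended, which the web page does not flag.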
Create Users in Active Directory
From the Start Menu, click [Administrative Tools], [Active Directory Users and Computers].
From the tree list on the left under the "Active Directory Users and Computers" window, right-click on [(Domain)], [Users], then from the popup menu select [New], [User].
Complete the form on the new user and click [Next].
Fill in the [Password] and [Confirm password] fields. Choose the corresponding options as needed and click on [Next].
Verify information about the new user is correct and click [Finish] to close the window.
Set Access Rights for Certificate Templates
From the start menu, select [Run...].
Type "certtmpl.msc", without quotation marks, then click [OK].
On the "certtmpl - [Certificate Templates]" window, right-click [Smartcard User] from the list on the right and select [Properties].
Under the [Security] tab, click on [Add] to add a new user to the list.
Select the user previously created (UniTokenPRO in this example) and click [OK] to apply.
Back on the [Security] tab, select the newly added user and check [Read] and [Enroll] for the user's permissions. Click on [OK] to finish.
From the Start Menu, click on [Administrative Tools], [Certification Authority].
On the "Certification Authority" window, right-click on [Certificate Template], and select [New], [Certificate Template to Issue].
Under the "Enable Certificate Templates" window, select [Smartcard User] and click [OK] to finish.
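The template permission and publication steps above have command-line equivalents that also let you confirm the CA now issues the template. This batch script is an added example, not part of the SecuTech guide; the domain, user name and configuration naming context are constructed placeholders, and the template's object name is SmartcardUser (its display name is "Smartcard User").

```batch
@echo off
rem Added example (not from the SecuTech guide): grant Read + Enroll on the Smartcard
rem User template and publish it on the CA, then check both results.
rem DOMAIN, USER and CONFIG_DN are constructed placeholders for this example.
set DOMAIN=EXAMPLE
set USER=UniTokenPRO
set CONFIG_DN=CN=Configuration,DC=example,DC=local
set TEMPLATE_DN=CN=SmartcardUser,CN=Certificate Templates,CN=Public Key Services,CN=Services,%CONFIG_DN%

rem Read (generic read) and the Enroll control access right, matching the
rem [Read] and [Enroll] checkboxes on the template's Security tab.
dsacls "%TEMPLATE_DN%" /G "%DOMAIN%\%USER%:GR"
if errorlevel 1 goto :fail
dsacls "%TEMPLATE_DN%" /G "%DOMAIN%\%USER%:CA;Enroll"
if errorlevel 1 goto :fail

rem Publish the template on this CA (the "Certificate Template to Issue" step above).
certutil -SetCATemplates +SmartcardUser
if errorlevel 1 goto :fail

rem Checks: the template ACL lists the user, and the CA reports SmartcardUser as issuable.
dsacls "%TEMPLATE_DN%" | findstr /i "%USER%"
certutil -CATemplates | findstr /i SmartcardUser
goto :eof

:fail
echo Template permission or publication step failed; see the output above.
exit /b 1
```

In a production deployment the Enroll right is normally granted to a security group of smart card users rather than to an individual account, so that adding or removing a user never requires touching the template ACL.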