
Create a CA template in TLS Protect Datacenter

In this step, you will create a new CA template in TLS Protect Datacenter, which will be used to sign the subordinate CA certificate for Firefly. In this example, Microsoft Active Directory Certificate Services (ADCS) is used, but any CA capable of issuing subordinate CA certificates that meets the following requirements will also work.

Requirements for the subordinate CA certificate

The Certificate Authority (CA) must be configured with a template to issue the subordinate CA certificate, following the requirements below:

Basic Constraints Extension:

  • The subject must be a certification authority (CA).

  • It must not issue certificates to other CAs (pathLenConstraint set to 0).

  • This is a critical extension.

Key Usage Extension:

  • Signature requirements:

    • Digital signature

    • Certificate signing

  • This is a critical extension.

The Certificate Authority should be configured to allow clients to specify the end date of the required certificates. This will enable Firefly to request subordinate CA certificates with validity specified by the PKI administrator responsible for configuring Firefly.
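A practical way to confirm that a certificate issued from the template actually satisfies the two extension requirements above is to inspect the DER encoding directly. The following Python script is an added example, not part of the TLS Protect Datacenter documentation or of Firefly; it uses only the standard library to walk the certificate's DER structure, extract the Basic Constraints and Key Usage extensions, and report every requirement that is not met. The two certificates it builds (compliant and non-compliant) are constructed, unsigned test data with dummy names, and the helper names (`check_subca_requirements`, `build_dummy_cert`) are hypothetical.

```python
# Added example: check that a subordinate CA certificate carries
#   - a critical Basic Constraints extension with cA=TRUE and pathLenConstraint=0
#   - a critical Key Usage extension with digitalSignature and keyCertSign
# Pure standard-library DER walking; the test certificates are constructed dummies.
import sys

OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # 2.5.29.19
OID_KEY_USAGE = bytes.fromhex("551d0f")          # 2.5.29.15
KU_DIGITAL_SIGNATURE = 0x80                      # KeyUsage bit 0
KU_KEY_CERT_SIGN = 0x04                          # KeyUsage bit 5

def read_tlv(data, pos=0):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def read_children(data):
    """Split the content of a constructed DER value into (tag, value) pairs."""
    items, pos = [], 0
    while pos < len(data):
        tag, value, pos = read_tlv(data, pos)
        items.append((tag, value))
    return items

def parse_extensions(cert_der):
    """Return {extnID: (critical, extnValue)} from a DER-encoded certificate."""
    _, cert, _ = read_tlv(cert_der)              # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert)                   # tbsCertificate is its first child
    found = {}
    for tag, value in read_children(tbs):
        if tag != 0xA3:                          # [3] EXPLICIT Extensions
            continue
        for _, ext in read_children(read_tlv(value)[1]):
            fields = read_children(ext)          # OID, optional BOOLEAN critical, OCTET STRING
            critical = len(fields) == 3 and fields[1][1] == b"\xff"
            found[fields[0][1]] = (critical, fields[-1][1])
    return found

def check_subca_requirements(cert_der):
    """Return a list of violated requirements; an empty list means compliant."""
    problems, exts = [], parse_extensions(cert_der)
    bc = exts.get(OID_BASIC_CONSTRAINTS)
    if bc is None:
        problems.append("Basic Constraints extension missing")
    else:
        critical, value = bc
        fields = read_children(read_tlv(value)[1])
        is_ca = bool(fields) and fields[0][0] == 0x01 and fields[0][1] == b"\xff"
        path_len = next((int.from_bytes(v, "big") for t, v in fields if t == 0x02), None)
        if not critical:
            problems.append("Basic Constraints must be critical")
        if not is_ca:
            problems.append("Basic Constraints cA must be TRUE")
        if path_len != 0:                        # absent pathLen means unlimited
            problems.append("pathLenConstraint must be 0")
    ku = exts.get(OID_KEY_USAGE)
    if ku is None:
        problems.append("Key Usage extension missing")
    else:
        critical, value = ku
        bits = read_tlv(value)[1]                # BIT STRING: unused-bit count, then bits
        flags = bits[1] if len(bits) > 1 else 0
        if not critical:
            problems.append("Key Usage must be critical")
        if not flags & KU_DIGITAL_SIGNATURE:
            problems.append("Key Usage must include digitalSignature")
        if not flags & KU_KEY_CERT_SIGN:
            problems.append("Key Usage must include keyCertSign")
    return problems

# --- constructed test data below (dummy, unsigned certificates) ---
def tlv(tag, body):
    """Encode one DER TLV with a short- or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def extension(oid, critical, value):
    return tlv(0x30, tlv(0x06, oid) + (tlv(0x01, b"\xff") if critical else b"") + tlv(0x04, value))

def build_dummy_cert(extensions):
    """Hypothetical certificate skeleton; only the extensions are meaningful."""
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"dummy"))))
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name + validity
              + name + tlv(0x30, alg + tlv(0x03, b"\x00")) + tlv(0xA3, tlv(0x30, b"".join(extensions))))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))

def compliant_cert():
    bc = tlv(0x30, tlv(0x01, b"\xff") + tlv(0x02, b"\x00"))              # cA=TRUE, pathLen=0
    ku = tlv(0x03, bytes([2, KU_DIGITAL_SIGNATURE | KU_KEY_CERT_SIGN]))   # 2 unused trailing bits
    return build_dummy_cert([extension(OID_BASIC_CONSTRAINTS, True, bc), extension(OID_KEY_USAGE, True, ku)])

def noncompliant_cert():
    bc = tlv(0x30, tlv(0x01, b"\xff"))                                   # cA=TRUE, no pathLen
    ku = tlv(0x03, bytes([7, KU_DIGITAL_SIGNATURE]))                     # non-critical, no keyCertSign
    return build_dummy_cert([extension(OID_BASIC_CONSTRAINTS, True, bc), extension(OID_KEY_USAGE, False, ku)])

if __name__ == "__main__":
    # Pass a DER file path to check a real certificate, otherwise run the built-in samples.
    if len(sys.argv) > 1:
        print(check_subca_requirements(open(sys.argv[1], "rb").read()) or "OK")
    else:
        for label, cert in (("compliant", compliant_cert()), ("non-compliant", noncompliant_cert())):
            print(label, check_subca_requirements(cert) or "OK")
```

Run it against a DER-encoded certificate exported from the CA (convert PEM first with `openssl x509 -in sub.pem -outform DER -out sub.der`); the check reports an absent pathLenConstraint as a failure because, per RFC 5280, its absence means unlimited path length rather than 0.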

Create a new ADCS CA template in TLS Protect Datacenter

  1. In the TLS Protect Datacenter policy tree, right-click on the policy folder where you want to create the CA template, and select Add > CA Template > Microsoft.

  2. Enter the information for your CA in the following fields (the values below are for illustration purposes only), then click Save:

    • Name: ADCS SubCA

    • Hostname: adcs.example.com

    • Service Name: Example-CA

    • Credential: \VED\Policy\Administration\Credentials\adcs

    • Template: Subordinate Certification Authority

    • Allow Users to Specify End Date: Selected

To learn more about ADCS, see Microsoft Active Directory Certificate Services.

What's next?