System requirements

The Windows Server 2012 R2 and onwards operating system is used for all setups in this section. The following installation requirements and capabilities apply to both CEP and CES, unless otherwise specified.

Create the following types of accounts in the domain controller:

• Service Administrator: Named as CEPAdmin and CESAdmin

  • This user must be a part of the local admin group in the respective CEP and CES servers.

  • This user must be a member of the Enterprise Admin group.

• Service Account: Named as CEPSvc and CESSvc

  • This user must be a part of the local IIS_IUSRS group.

  • Requires Request Certificates permission on the CA for the respective CEPSvc and CESSvc.

Network connectivity requirements

• Network connectivity requirements are a key part of deployment planning, particularly for scenarios where the CEP and CES are hosted in a perimeter network.

• All client connectivity to both services occurs within an HTTPS session, so only HTTPS traffic is allowed between the client and the web services.

• CEP communicates with Active Directory Domain Services (AD DS), using standard Lightweight Directory Access Protocol (LDAP) and secure LDAP (LDAPS) ports (TCP 389 and 636 respectively).

• CES communicates with CA using Distributed Component Object Model (DCOM).

  Notes:

  • By default, DCOM uses random ephemeral ports.
  • CA can be configured to reserve a specific range of ports to simplify firewall configuration.

Creating SSL certificates for CEP and CES servers

CES and CEP must use Secure Sockets Layer (SSL) for communication with clients (by using HTTPS). Each service must have a valid certificate that has an Enhanced Key Usage (EKU) policy of server authentication in the local computer certificate store.

1. Install the IIS service in the server.

2. Log in to the CEP server, and then add the Root CA certificate in the Trusted Root Certification Authority store.

3. Launch the IIS Manager Console and then, select Server Home.

4. From the main view section, open Server Certificates.

5. Click Actions > Create Certificate Request.

6. In the Distinguished Name Properties window, provide the necessary information and then, click Next.

7. In the Cryptographic Service Provider Properties dialog, select the bit length, and then click Next.

8. Save the file.

9. Get the file signed by the CA that you are planning to use for CEP and CES.

   Note: Make sure that Server Authentication EKU is enabled in the signed certificate.

10. Copy the signed file back to the CEP server.

11. From the IIS Manager Console, select Server Home.

12. From the Main View section, open Server Certificates.

13. Click Actions > Complete Certificate Request.

14. In Specify Certificate Authority Response window, select the signed file.

15. Type a name, and then in the Certificate Store menu, select Personal.

16. Complete the certificate installation.

17. From IIS Manager Console, select the default website.

18. Click Actions > Bindings.

19. In the Site Bindings dialog, click Add.

20. In the Add Site Binding dialog, set Type to https, and then from the SSL certificate, browse for the newly created certificate.

21. From the IIS Manager Console, select Default Web Site, and then open the SSL settings.

22. Enable Require SSL and set Client certificates to Ignore.

23. Restart IIS.

Creating certificate templates

The user must create a certificate template for the certificate enrollment. Do the following to copy from an existing certificate template:

1. Log in to the Enterprise CA with CA administrator credentials.

2. Expand the CA, right-click Certificate Templates, and then click Manage.

3. In the Certificate Templates Console, right-click Web Server Certificate Template, and then click Duplicate Template.

4. From the General tab of the template, name the template MVEWebServer.

5. In the Security tab, give the CA administrator Read, Write, and Enroll permissions.

6. Give Read and Enroll permissions to the authenticated users.

7. In the Subject Name tab, select Supply in the request.

8. In the General tab, set the certificate validity period.

9. If you plan to use this certificate template for issuing a 802.1X Certificate for printers, then do the following:

   1. From the Extensions tab, select Application Policies from the list of extensions included in this template.

   2. Click Edit > Add.

   3. In Add Application Policy dialog box, select Client Authentication.

   4. Click OK.

10. In the Certificate Template Properties dialog box, click OK.

11. In the CA window, right-click Certificate Templates, and then click New > Certificate template.

12. Select MVEWebServer, and then click OK.

CEP and the CES support the following authentication methods:

• Windows-integrated authentication, also known as Kerberos Authentication

• Client certificate authentication, also known as X.509 Certificate Authentication

• Username and Password Authentication

Windows-integrated authentication

Windows-integrated authentication uses Kerberos to provide an uninterrupted authentication flow for devices connected to the internal network. This method is preferred for internal deployments because it uses the existing Kerberos infrastructure within AD DS. It also requires minimal changes to certificate client computers.

Client certificate authentication

This method is preferred over user name and password authentication because it is more secure. It does not require a direct connection to the corporate network.

Notes:

• Use this authentication method if you plan to provide clients with digital X.509 certificates for authentication.
• This method enables the web services available on the Internet.

User name and password authentication

The user name and password method is the simplest form of authentication. This method is typically used for servicing clients who are not directly connected to the internal network. It is a less secure authentication option than client certificate authentication, but it does not require provisioning a certificate.

Delegation enables a service to impersonate a user or computer account to access resources throughout the network.

Delegation is required for the CES server when all the following scenarios apply:

• CA and CES are not residing on the same computer.

• CES can process initial enrollment requests, as opposed to only processing certificate renewal requests.

• The authentication type is set to Windows-integrated authentication or Client certificate authentication.

Delegation is not required for the CES server in the following scenarios:

• CA and CES are residing on the same computer.

• User name and password is the authentication method.

Notes:

• Microsoft recommends running CEP and CES as domain user accounts.
• Users must create an appropriate service principal name (SPN) before configuring delegation on the domain user account.

Enabling delegation

1. To create an SPN for a domain user account, use the setspn command as follows:

   setspn -s http/ces.msca.com msca\CESSvc

   Notes:

   • The account name is CESSvc.
   • CES is running on a computer with a fully qualified domain name (FQDN) of ces.msca.com in the msca.com domain.

2. After running the setspn command, open the CESSvc domain user account in the domain controller.

3. From the Delegation tab, select Trust this user for delegation to specified services only.

4. Select the appropriate delegation based on the authentication method.

   Notes:

   • If you select Windows-integrated authentication, then configure delegation to use Kerberos only.
   • If the service is using client certificate authentication, then configure delegation to use any authentication protocol.
   • If you plan to configure multiple authentication methods, then configure delegation to use any authentication protocol.

5. Click Add.

6. In the Add Services dialog box, select Users or Computers.

7. Type your CA server host name, and then click Check Names.

8. From the Add Services dialog box, select either of the following services to delegate:

   • Host service (HOST) for that CA server

   • Remote Procedure Call System Service (RPCSS) for that CA server

9. Close the domain user properties dialog box.

To install CEP and CES, use Windows PowerShell.

Configuring CEP

The Install-AdcsEnrollmentPolicyWebService cmdlet configures the Certificate Enrollment Policy Web Service (CEP). It is also used to create other instances of the service within an existing installation.

1. Log in to the CEP server using CEPAdmin user name, and then launch PowerShell in administrative mode.

2. Run the command Import-Module ServerManager.

3. Run the command Add-WindowsFeature Adcs-Enroll-Web-Pol.

4. Run the command Install-AdcsEnrollmentPolicyWebService -AuthenticationType Kerberos -SSLCertThumbprint "sslCertThumbPrint".

   Note: Replace <sslCertThumbPrint> with the thumbprint of the SSL certificate created for the CEP server, after deleting the spaces between the thumbprint values.

5. Complete the installation either by selecting either Y or A.

6. Launch the IIS Manager Console.

7. In the Connections pane, expand the web server that is hosting CEP.

8. Expand Sites, expand Default Web Site, and then click the appropriate installation virtual application name, ADPolicyProvider_CEP_Kerberos.

9. In the virtual application called Home , double-click the application settings, and then double-click FriendlyName.

10. Type a name under Value, and then close the dialog.

11. Double-click URI, and then copy Value.

    Notes:

    • If you want to configure another authentication method on the same CEP server, then you must change the ID.
    • This URL is used in MVE or any client application.

12. From the left pane, click Application Pools.

13. Select WSEnrollmentPolicyServer, and then from the right pane, click Actions > Advanced Settings .

14. Select the identity field under Process Model.

15. In the Application Pool Identity dialog box, select the custom account, and then type CEPSvc as the domain user name.

16. Close all dialog boxes, and then recycle IIS from the right pane of the IIS Manager Console.

17. From PowerShell, type iisreset to restart IIS.

Configuring CES

The Install-AdcsEnrollmentWebService cmdlet configures the Certificate Enrollment Web Service (CES). It is also used to create other instances of the service within an existing installation.

1. Log in to the CES server using CESAdmin user name and launch PowerShell in administrative mode.

2. Run the command Import-Module ServerManager.

3. Run the command Add-WindowsFeature Adcs-Enroll-Web-Svc.

4. Run the command Install-AdcsEnrollmentWebService -ApplicationPoolIdentity -CAConfig "CA1.contoso.com\contoso-CA1-CA" -SSLCertThumbprint "sslCertThumbPrint" -AuthenticationType Kerberos.

   Notes:

   • Replace <sslCertThumbPrint> with the thumbprint of the SSL certificate created for the CES server, after deleting the spaces between the thumbprint values.
   • Replace CA1.contoso.com with your CA computer name.
   • Replace contoso-CA1-CA with your CA common name.

5. Complete the installation by selecting either Y or A.

6. Launch the IIS Manager Console.

7. In the Connections pane, expand the web server that is hosting CES.

8. Expand Sites, expand Default Web Site, and then click the appropriate installation virtual application name: contoso-CA1-CA _CES_Kerberos.

9. From the left pane, click Application Pools.

10. Select WSEnrollmentPolicyServer, and then from the right pane, click Actions > Advanced Settings .

11. Select the identity field under Process Model.

12. In the Application Pool Identity dialog box, select the custom account, and then type CESSvc as the domain user name.

13. Close all dialog boxes, and then recycle IIS from the right pane of IIS Manager Console.

14. From PowerShell, type iisreset to restart IIS.

15. For CESSvc domain user, enable delegation. For more information, see Enabling delegation.

Configuring CEP

The Install-AdcsEnrollmentPolicyWebService cmdlet configures CEP. It is also used to create other instances of the service within an existing installation.

1. Log in to the CEP server using CEPAdmin user name, and then launch PowerShell in administrative mode.

2. Run the command Import-Module ServerManager.

3. Run the command Add-WindowsFeature Adcs-Enroll-Web-Pol.

4. Run the command Install-AdcsEnrollmentPolicyWebService -AuthenticationType Certificate -SSLCertThumbprint “sslCertThumbPrint”.

   Note: Replace <sslCertThumbPrint> with the thumbprint of the SSL certificate created for the CEP server, after deleting the spaces between the thumbprint values.

5. Complete the installation by selecting either Y or A.

6. Launch the IIS Manager Console.

7. In the Connections pane, expand the web server that is hosting CEP.

8. Expand Sites, expand Default Web Site, and then click the appropriate installation virtual application name ADPolicyProvider_CEP_Certificate.

9. In the virtual application called Home , double-click the application settings, and then double-click FriendlyName.

10. Type a name under Value and close the dialog.

11. Double-click URI, and then copy Value.

    Notes:

    • If you want to configure another authentication method on the same CEP server, then you must change the ID.
    • This URL is used in MVE or any client application.

12. From the left pane, click Application Pools.

13. Select WSEnrollmentPolicyServer, and then from the right pane, click Actions > Advanced Settings.

14. Select the identity field under Process Model.

15. In the Application Pool Identity dialog box, select the custom account, and then type CEPSvc as the domain user name.

16. Close all dialog boxes, and then recycle IIS from the right pane of the IIS Manager Console.

17. From PowerShell, type iisreset to restart IIS.

Configuring CES

The Install-AdcsEnrollmentWebService cmdlet configures the Certificate Enrollment Web Service (CES). It is also used to create other instances of the service within an existing installation.

1. Log in to the CES server using CESAdmin user name, and then launch PowerShell in administrative mode.

2. Run the command Import-Module ServerManager.

3. Run the command Add-WindowsFeature Adcs-Enroll-Web-Svc.

4. Run the command Install-AdcsEnrollmentWebService -ApplicationPoolIdentity -CAConfig “CA1.contoso.com\contoso-CA1-CA” -SSLCertThumbprint “sslCertThumbPrint” -AuthenticationType Certificate.

   Notes:

   • Replace <sslCertThumbPrint> with the thumbprint of the SSL certificate created for the CES server, after deleting the spaces between the thumbprint values.
   • Replace CA1.contoso.com with your CA computer name.
   • Replace contoso-CA1-CA with your CA common name.
   • If you have already configured one authentication method in the host, then remove ApplicationPoolIdentity from the command.

5. Complete the installation either by selecting Y or A.

6. Launch the IIS Manager Console.

7. In the Connections pane, expand the web server that is hosting CEP.

8. Expand Sites, expand Default Web Site, and then click the appropriate installation virtual application name: contoso-CA1-CA _CES_Certificate.

9. From the left pane, click the Application Pools.

10. Select WSEnrollmentPolicyServer, and then from the right pane, click Actions > Advanced Settings.

11. Select the identity field under Process Model.

12. In Application Pool Identity dialog box, select the custom account, and then type CESSvc as the domain user name.

13. Close all dialog boxes, and then recycle IIS from the right pane of the IIS Manager Console.

14. From PowerShell, type iisreset to restart IIS.

15. For CESSvc domain user, enable delegation. For more information, see Enabling delegation.

Configuring CEP

The Install-AdcsEnrollmentPolicyWebService cmdlet configures the Certificate Enrollment Policy Web Service (CEP). It is also used to create other instances of the service within an existing installation.

1. Log in to the CEP server using CEPAdmin user name, and then launch PowerShell in administrative mode.

2. Run the command Import-Module ServerManager.

3. Run the command Add-WindowsFeature Adcs-Enroll-Web-Pol.

4. Run the command Install-AdcsEnrollmentPolicyWebService -AuthenticationType UserName -SSLCertThumbprint “sslCertThumbPrint”.

   Note: Replace <sslCertThumbPrint> with the thumbprint of the SSL certificate created for the CEP server, after deleting the spaces between the thumbprint values.

5. Complete the installation by selecting either Y or A.

6. Launch the IIS Manager Console.

7. In the Connections pane, expand the web server that is hosting CEP.

8. Expand Sites, expand Default Web Site, and then click the appropriate installation virtual application name: ADPolicyProvider_CEP_UsernamePassword.

9. In the virtual application called Home , double-click the application settings, and then double click FriendlyName.

10. Type a name under Value and close the dialog.

11. Double-click URI, and then copy Value.

    Notes:

    • If you want to configure another authentication method on the same CEP server, then you must change the ID.
    • This URL is used in MVE or any client application.

12. From the left pane, click Application Pools.

13. Select WSEnrollmentPolicyServer, and then from the right pane, click Actions > Advanced Settings.

14. Select the identity field under Process Model.

15. In the Application Pool Identity dialog box, select the custom account, and then type CEPSvc.

16. Close all dialog boxes, and then recycle IIS from the right pane of the IIS Manager Console.

17. From PowerShell, type iisreset to restart IIS.

Configuring CES

The Install-AdcsEnrollmentWebService cmdlet configures the Certificate Enrollment Web Service (CES). It is also used to create other instances of the service within an existing installation.

1. Log in to the CES server using CESAdmin user name, and then launch PowerShell in administrative mode.

2. Run the command Import-Module ServerManager.

3. Run the command Add-WindowsFeature Adcs-Enroll-Web-Svc.

4. Run the command Install-AdcsEnrollmentWebService -ApplicationPoolIdentity -CAConfig “CA1.contoso.com\contoso-CA1-CA” -SSLCertThumbprint “sslCertThumbPrint” -AuthenticationType UserName.

   Notes:

   • Replace <sslCertThumbprint> with the thumbprint of the SSL certificate created for the CES server, after deleting the spaces between the thumbprint values.
   • Replace CA1.contoso.com with your CA computer name.
   • Replace contoso-CA1-CA with your CA common name.
   • If you have already configured one authentication method in the host, then remove ApplicationPoolIdentity from the command.

5. Complete the installation by selecting either Y or A.

6. Launch the IIS Manager Console.

7. In the Connections pane, expand the web server that is hosting CES.

8. Expand Sites, expand Default Web Site, and then click the appropriate installation virtual application name: contoso-CA1-CA_CES_UsernamePassword.

9. From the left pane, click Application Pools.

10. Select WSEnrollmentPolicyServer, and then from the right pane, click Actions > Advanced Settings under Actions.

11. Select the identity field under Process Model.

12. In the Application Pool Identity dialog box, select the custom account, and then type CESSvc as the domain user name.

13. Close all dialog boxes, and then recycle IIS from the right pane of IIS Manager Console.

14. From PowerShell, type iisreset to restart IIS.

Before configuring the automated certificate management endpoint in MVE, you must make some additional changes in the platform.properties configuration file.

The location of this file is <MVE install dir>/Lexmark/Markvision Enterprise/apps/dm-mve/WEB-INF/classes.

Perform the following steps:

1. Open the platform.properties file in Notepad++ or a similar text editor in administrator mode.

2. Find the mscews.ces.hostname key, and then change its value with the host name of your CES server.

   Note: The default value is cesserver.

3. Find the mscews.cep.templateName key, and then change its value with the name of the template that you have created.

   Note: The default value of this field is CEPWebServer.

4. Save the file, and then restart the MVE service.

5. Log in to MVE, go to the Certificate Authority page, and then follow the instructions to configure the service.

Notes:

• If you are planning to use client certificate authentication method, then you must obtain the valid client certificate from CA.
• In the certificate client certificate authentication, make sure that EKU is enabled.