Adding Active Directory nodes
Add the Windows Active Directory nodes for which certificates will be enrolled over WSTEP.
To add an Active Directory node:
- Follow the steps described in Accessing your partitions to log into the PKIaaS interface as a user with any of the following roles:
- Click Certificate Authorities in the sidebar.
- Make sure you have a subordinate CA with a profile of the wstep group. You can either:
  - Create a new issuing subordinate CA with this set, as explained in Creating an issuing subordinate CA.
  - Add this set to an existing CA, as explained in Selecting CA profiles.
- Select the Enrollment Protocols (Legacy) tab.
  ℹ Future releases will move all functionality on this legacy tab to the Enrollment Protocols branch of the navigation tree.
- Click WSTEP in the protocols list.
- Click the plus + icon to the right of the Active Directories tab.
- Configure the values described below.
- Click Add.
- In the details of the new Active Directory, copy the value under Certificate Enrollment Policy Server. You will need this value when Enabling WSTEP for users.
Server
Enter an identifier for the Active Directory.
DNS Resolver
Enter the DNS resolver that the WSTEP agent will use to resolve domain names, in the following syntax:
<ip>[:<port>]
Where:
- <ip> is the IP address of the DNS server.
- <port> is the port of the DNS service (defaults to 53).
User
Enter the name of a user with administrative permissions in the Windows domain.
Password
Enter and confirm the password of the selected user.
LDAP Certificate Chain
Select a file containing the certificate chain of the Active Directory server, that is, the chain that issued the server's LDAP certificate, so that the LDAP connection to the domain can be verified.
CA Identifier
Select the issuing subordinate CA that will process the WSTEP enrollment requests.
ℹ This list only includes certificate authorities with profiles of the wstep group.
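The DNS Resolver and LDAP Certificate Chain fields are the two values most easily entered wrong: a malformed resolver string, or a chain file that is not the one that issued the domain controller's LDAP certificate, only shows up later as failed enrollments. The following Python script is an added example, not part of the PKIaaS documentation or product. It checks a resolver string against the documented <ip>[:<port>] syntax (defaulting the port to 53), checks that a chain file is a well-formed PEM chain, and opens a TLS connection to the domain controller's LDAPS port trusting only that chain, which confirms the file validates the server certificate before it is uploaded. The domain controller name dc01.corp.example.com, the resolver 10.0.0.53, the file name ad-ldap-chain.pem and the sample PEM blocks are assumptions or constructed data; accepting only IPv4 literals is also an assumption, since the form documents only an IP address.

```python
"""Pre-flight checks for the WSTEP Active Directory form values.

Added example, not part of the PKIaaS documentation or product. It checks two
of the form values before they are entered: that the DNS Resolver string
follows the documented <ip>[:<port>] syntax (port defaulting to 53), and that
the LDAP Certificate Chain file is a well-formed PEM chain that actually
validates the domain controller's LDAPS certificate.
"""
import base64
import ipaddress
import re
import socket
import ssl
from typing import NamedTuple

DEFAULT_DNS_PORT = 53  # documented default for the DNS Resolver field


class Resolver(NamedTuple):
    ip: str
    port: int


def parse_resolver(value: str) -> Resolver:
    """Parse the form's <ip>[:<port>] syntax.

    Assumption: the form documents only an IP address, so this accepts IPv4
    literals; a bare IP gets the default port 53.
    """
    text = value.strip()
    if not text:
        raise ValueError("DNS Resolver must not be empty")
    host, sep, port_text = text.rpartition(":")
    if not sep:  # no ':' at all: the whole string is the address
        host, port_text = text, str(DEFAULT_DNS_PORT)
    try:
        ip = ipaddress.IPv4Address(host)
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"{host!r} is not an IPv4 address") from exc
    if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
        raise ValueError(f"{port_text!r} is not a valid port (1-65535)")
    return Resolver(str(ip), int(port_text))


_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)


def split_pem_chain(pem_text: str) -> list[bytes]:
    """Return the DER certificates in a PEM chain file, in file order.

    Every block must be valid base64 and decode to a DER SEQUENCE (tag 0x30),
    which catches truncated or mis-pasted certificates before upload.
    """
    certs = []
    for block in _PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(block.split()), validate=True)
        if not der or der[0] != 0x30:
            raise ValueError("PEM block does not decode to a DER certificate")
        certs.append(der)
    if not certs:
        raise ValueError("no CERTIFICATE blocks found in chain file")
    return certs


def verify_ldaps_chain(dc_host: str, chain_file: str, port: int = 636,
                       timeout: float = 5.0) -> dict:
    """Connect to the domain controller's LDAPS port trusting only chain_file.

    Returns the server certificate's subject on success. Raises
    ssl.SSLCertVerificationError when chain_file does not validate the DC's
    certificate, i.e. it is not the chain that issued the LDAP certificate.
    Pass the DC's FQDN as dc_host so the hostname check matches the certificate.
    """
    ctx = ssl.create_default_context(cafile=chain_file)  # trust only this chain
    with socket.create_connection((dc_host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=dc_host) as tls:
            cert = tls.getpeercert()
    return {key: value for rdn in cert["subject"] for key, value in rdn}


# Constructed sample: two minimal DER SEQUENCEs, not real certificates.
SAMPLE_CHAIN = """-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAQCAgEB
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    # Assumed values; replace with your resolver, DC FQDN and chain file path.
    print(parse_resolver("10.0.0.53"))  # Resolver(ip='10.0.0.53', port=53)
    print(len(split_pem_chain(SAMPLE_CHAIN)), "certificates in sample chain")
    print(verify_ldaps_chain("dc01.corp.example.com", "ad-ldap-chain.pem"))
```

If verify_ldaps_chain raises ssl.SSLCertVerificationError, the file does not let a client verify the domain controller's LDAPS certificate and is not the chain to upload; a hostname mismatch means the certificate was issued for a different name than the one you connected to, so retry with the domain controller's FQDN.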