Howto:Creating custom Certificates using a Windows Certificate Authority

From innovaphone-wiki


Applies To

This information applies to

  • all innovaphone devices
  • Microsoft 2008R2 CA
  • Microsoft 2012R2 CA


More Information

Problem Details

To issue a certificate from a Microsoft CA for innovaphone devices that meets the requirements (client and server authentication), you must create an appropriate certificate template. Here is how.

System Requirements

We need a Microsoft CA on Windows 2008R2 or Windows 2012R2. Windows 2016 is not tested yet.

Configuration

To do this, we open the certificate templates with the management console (mmc.exe) on our Microsoft CA and add the certificate templates snap-in. The two operating systems do not differ at this point.
Image:CA_w2k12_1_k.png

Here we look for an existing template from which to derive a new template for our innovaphone devices (for example Webserver). Right-clicking this template offers the option to duplicate it.
Image:CA_w2k12_2_k.png

Now the settings of the certificate template can be made according to your own guidelines.
If you want to be able to create certificates without a certificate signing request (CSR), the private key must be exportable. This can be set in the Request Processing tab. This option is not necessary for certificates created via a signing request (e.g. using the Howto:PHP based Update Server V2).
Image:CA_w2k12_3_k.png

On the General tab, you can specify the name of the certificate template and set the validity period and the renewal period.
Image:CA_w2k12_4.png

Under the Cryptography tab you can set the required key length. Currently, 2048 is used as the default.
innovaphone ships its devices with a 1024-bit key. At this point you have to be careful that a key that is too large does not overload the CPU when using TLS. See Certificate Key Length and CPU Usage and Support:Be careful when using your own Device Certificate for details!

Image:CA_w2k12_5_k.png

Under the Extensions tab, we need to add "client authentication" to the existing server authentication application.
Image:CA_w2k12_6.png Image:CA_w2k12_7.png Image:CA_w2k12_8.png

Now we need to grant a previously created user the right to read the created template and to submit certificate issuing or renewal requests based on it. In this example it is a normal domain user "Inno-Cert". This allows us to give a dedicated user the right to manage only these certificate requests.
Image:CA_w2k12_11.png

If all necessary settings have been made, the certificate template can be created using the OK button. However, in order for this certificate template to also be displayed in the certification authority, you must activate it. To do this, right-click on Certificate Templates in the certification authority and select New - Certificate Template to Issue.
Image:CA_w2k12_9_k.png

In the following window, select the created certificate template and confirm with OK.
Image:CA_w2k12_10_k.png

Using the newly created certificate template, you can issue proper device certificates for innovaphone devices.
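To confirm that a certificate issued from the new template really carries both Extended Key Usages (Server Authentication and Client Authentication) and to see its RSA key length before loading it onto a device, the following PowerShell check can be run on the CA or any Windows host. This is an added example, not part of this wiki page or of innovaphone's tooling; the certificate path is a placeholder and the script assumes an exported .cer file.

```powershell
# Added example (not from the innovaphone wiki): inspect an issued certificate.
# Assumes the certificate was exported to the placeholder path below.
param(
    [string]$CertPath = 'C:\certs\device.cer'   # placeholder path, adjust as needed
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Extended Key Usage extension is OID 2.5.29.37. The template on this page sets it
# explicitly, so a missing extension is treated as a failure here.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekuOids = @()
if ($eku) { $ekuOids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } }

$hasServer = $ekuOids -contains $ServerAuthOid
$hasClient = $ekuOids -contains $ClientAuthOid

# RSA key length; 0 if the certificate does not use an RSA key.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
$keySize = if ($rsa) { $rsa.KeySize } else { 0 }

[pscustomobject]@{
    Subject       = $cert.Subject
    NotAfter      = $cert.NotAfter
    SignatureAlgo = $cert.SignatureAlgorithm.FriendlyName
    ServerAuthEKU = $hasServer
    ClientAuthEKU = $hasClient
    RsaKeyBits    = $keySize
} | Format-List

if (-not ($hasServer -and $hasClient)) {
    Write-Warning 'Certificate lacks Server and/or Client Authentication EKU; check the Extensions tab of the template.'
}
if ($keySize -gt 2048) {
    Write-Warning "Key length $keySize bit exceeds 2048; check CPU impact on the device (see Certificate Key Length and CPU Usage)."
}
```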

Known Problems

Note on using strong certificate keys:

The innovaphone devices come with a 1024-bit RSA key and a SHA-256 signature. This should be sufficient for standard encryption of a UC system. Be sure to read Certificate Key Length and CPU Usage before you create stronger certificates (that is, with a larger key length).

Related Articles
