Adding the Microsoft CA

Make sure that you meet the prerequisites, and then perform the following steps in this section.

Note: In the ActivID CMS Repository settings for the Active Directory, the base node must be set to the forest level to make sure that the ActivID CMS can detect the Microsoft CA. If the base node is set at the OU level, ActivID CMS might not be able to detect the Microsoft CA.

Log on to the Operator Portal, and go to the Repositories Management page.
Click Add Certificate Authority.
In the Provider drop-down list, select Microsoft Certificate Server 2008/2012.
In the Template drop-down list, select the appropriate template.
Click Submit to display the Certificate Authority Creation page again.
- Name—Enter a valid, unique name for the CA within ActivID CMS.
- Active Directory and Certificate Authority are informative and can't be updated.
  - Recovery support—Select Software, Hardware, or No from the list.
  - If you select No, then certificate recovery will not be supported.
  - If you select Software, then enter the .pfx file path for each recovery agent. You can list several agents in a comma separated list.
    
    Enter the password in the Recovery Agent certificates password text box.
  Note: If you use several agents, all pfx files MUST use the same password.
  - If you select Hardware, then enter the recovery agent HSM A Hardware Security Module (HSM) securely stores secret key material. They are similar to large-storage, multisession smart cards. However, unlike smart cards, they are used mainly on the server side of a system. key labels using comma separators.
    
    Enter the recovery agent’s public certificates (.cer files) using comma separators.
- Optionally, you can specify a revocation reason which is going to be sent to the CA when performing one of the specified operations:
  - Device is Terminated,
  - Device is Lost,
  - Device is Stolen,
  - Device is Damaged,
  - Device is Expired,
  - Device is Re-issued,
  - Device Applications are Updated
- The possible revocation reasons are:
  - Unspecified,
  - Affiliation Changed,
  - CA Compromise,
  - Certificate Hold,
  - Cessation of Operation,
  - Key Compromise,
  - Superseded.
Click Test. The connectivity check results are displayed in the Test Report box
Click Create. A confirmation page is displayed. For more information, refer to Configuring a PKI Application Using a Microsoft CA.