ADCS

TrustView ADCS Issue and Retrieve services

Step 1

Download the TrustView installation package.

Note

If you do not have access to the ADCS module, contact us to get access to the installation package with the newest release of the ADCS module.

Step 2

Install the PowerShell PKI module by opening PowerShell and running the following command:

Install the required PSPKI module
Install-Module -Name PSPKI -RequiredVersion 4.0.0

Note

Go to PowerShell Gallery to see the latest version of the PSPKI module and adjust the command accordingly.

Step 3

Create a new directory in the following location on the TrustView server:

C:\Program Files\TrustView-ADCS

Note

The directory can be named something different and placed elsewhere if needed.

Step 4

Create a service account for use with the ADCS module and assign the service account all permissions on the newly created ADCS directory.

Step 5

Copy the content of the \TrustView-ADCS directory from the TrustView installation package to the ADCS directory on the server:

C:\Program Files\TrustView-ADCS

Step 6

Adjust the trustview.properties file:

  • Generate a unique API key, enter it in the file and use the same API key inside TrustView (Settings > ADCS settings)

  • Update trustviewendpoint if TrustView is using a non-default port for localhost communication

Note

The trustview.properties file is one of the files that needs to be moved to the TrustView-ADCS directory on the server.

Step 7

Install the ADCS Issue and optionally the ADCS Retrieve services:

Install the Issue service of the ADCS module
C:\Program Files\TrustView-ADCS> .\TrustView-ADCS-Issue-Service.exe install

Install the Retrieve service of the ADCS module
C:\Program Files\TrustView-ADCS> .\TrustView-ADCS-Retrieve-Service.exe install

Important

The ADCS Retrieve service is optional and is only needed if you wish to retrieve certificates from your CA and import them automatically into TrustView to monitor them.

Step 8

Configure the installed service:

  • Run the service as the service account with permissions assigned on the ADCS instance

  • Make sure the service is set to be started automatically

  • Start the service
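The following script is an added example, not TrustView's own installer: it automates steps 3 to 8 for the Issue service (and optionally the Retrieve service). It assumes the package is unpacked at $PackageRoot, that the service account name is a placeholder to replace, and that the account already holds the "Log on as a service" right (sc.exe does not grant it).

```powershell
# Added example, not TrustView's own installer: automates steps 3 to 8 for the Issue
# service (and optionally Retrieve). Assumes the package is unpacked at $PackageRoot and
# that the service account already holds the "Log on as a service" right.
param(
    [string]$PackageRoot    = 'C:\Temp\TrustView-package',      # assumed unpack location
    [string]$AdcsDir        = 'C:\Program Files\TrustView-ADCS',
    [string]$ServiceAccount = 'ADTEST\svc-trustview-adcs',      # placeholder account
    [switch]$WithRetrieve
)
$ErrorActionPreference = 'Stop'

# Step 3: create the module directory.
New-Item -ItemType Directory -Path $AdcsDir -Force | Out-Null

# Step 4: give the service account full control on that directory (and nothing wider).
$acl  = Get-Acl -Path $AdcsDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $ServiceAccount, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $AdcsDir -AclObject $acl

# Step 5: copy the package's \TrustView-ADCS content into the directory.
Copy-Item -Path (Join-Path $PackageRoot 'TrustView-ADCS\*') -Destination $AdcsDir -Recurse -Force

# Step 6: generate a random 256-bit API key and write it to trustview.properties.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$apiKey = [Convert]::ToBase64String($bytes)
$props  = Join-Path $AdcsDir 'trustview.properties'
(Get-Content $props) -replace '^apikey=.*$', "apikey=$apiKey" | Set-Content -Path $props
Write-Host "API key written to $props; enter the same key under Settings > ADCS settings."

# Step 7: register the service(s); Retrieve is only needed for importing CA certificates.
$exes = @('TrustView-ADCS-Issue-Service.exe')
if ($WithRetrieve) { $exes += 'TrustView-ADCS-Retrieve-Service.exe' }
$cred = Get-Credential -UserName $ServiceAccount -Message "Password for $ServiceAccount"
$pw   = $cred.GetNetworkCredential().Password
foreach ($exe in $exes) {
    Start-Process -FilePath (Join-Path $AdcsDir $exe) -ArgumentList 'install' -Wait -NoNewWindow
    # Step 8: the Windows service name is the <id> element of the .xml next to the .exe.
    $xml  = Join-Path $AdcsDir ($exe -replace '\.exe$', '.xml')
    $name = (Select-Xml -Path $xml -XPath '//id').Node.InnerText
    & sc.exe config $name obj= $ServiceAccount password= $pw | Out-Null
    Set-Service -Name $name -StartupType Automatic
    Start-Service -Name $name
}
```

Run it in an elevated PowerShell on the TrustView server; the generated key is only written to the properties file, so copy it from there into TrustView.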

Configuration of service account for ADCS integration

The ADCS-frontend communicates with ADCS using a service account. This service account must be assigned the following permissions:

  • Read, Issue and Manage Certificates, and Request Certificates on the ADCS instance (Properties > Security)

  • Read and Enroll on the relevant templates that will be issued using TrustView

Tip

You can choose any template, and more than one, but typically only the Web Server template is used.
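As an added example that is not part of the TrustView documentation, this script uses the PSPKI module (already required in step 2) to check that the service account holds exactly the CA and template rights listed above and nothing broader, such as ManageCA or Write on the template. The account, CA and template names are placeholders, and it assumes PSPKI 4.x exposes the ACL entries through the .Access and .Rights properties.

```powershell
# Added example, not part of the TrustView documentation: checks with PSPKI that the
# service account has the rights listed above and flags anything missing or broader.
# Assumes PSPKI 4.x exposes ACL entries via .Access and their rights via .Rights.
Import-Module PSPKI
$account  = 'ADTEST\svc-trustview-adcs'   # placeholder service account
$caName   = 'Adtest CA'                   # CA name as in trustview.properties
$template = 'WebServer'                   # template as in guidhostnametemplate

function Get-AllowedRights {
    # Flattens the Allow rules granted directly to one identity into right names.
    param($Acl, [string]$Identity)
    $Acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.IdentityReference.ToString() -eq $Identity } |
        ForEach-Object { "$($_.Rights)" -split ',\s*' } |
        Sort-Object -Unique
}

function Test-Rights {
    # Compares granted rights with the required set and reports both directions.
    param([string]$Scope, [string[]]$Have, [string[]]$Need)
    $missing = $Need | Where-Object { $_ -notin $Have }
    $extra   = $Have | Where-Object { $_ -notin $Need }
    if ($missing) { Write-Warning "${Scope}: missing $($missing -join ', ')" }
    if ($extra)   { Write-Warning "${Scope}: broader than needed: $($extra -join ', ')" }
    if (-not $missing -and -not $extra) { Write-Host "${Scope}: OK ($($Have -join ', '))" }
}

# CA: Read, Issue and Manage Certificates, Request Certificates (Enroll in PSPKI terms).
$caAcl = Get-CertificationAuthority -Name $caName | Get-CertificationAuthorityAcl
Test-Rights -Scope "CA '$caName'" -Have (Get-AllowedRights $caAcl $account) `
            -Need 'Read', 'ManageCertificates', 'Enroll'

# Template: Read and Enroll only; Write or FullControl would let the account change it.
$tplAcl = Get-CertificateTemplate -Name $template | Get-CertificateTemplateAcl
Test-Rights -Scope "Template '$template'" -Have (Get-AllowedRights $tplAcl $account) `
            -Need 'Read', 'Enroll'
```

Only direct grants are compared; rights the account inherits through group membership are not resolved here.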

Configuration of the trustview.properties file

The file contains the following parameters that can be configured:

Adjust the API key and other properties as needed
apikey=<api key>
trustviewendpoint=http://localhost:8080/AdcsConnection/
trustviewmonitoredcertsendpoint=http://localhost:8080/CertificateImport/
_cahost=adtest.local
_caname=Adtest CA
_guidhostnametemplate=WebServer

Note

The lines starting with the _ character (underscore) are commented out and therefore not used by default. Remove the _ to use these properties.

By default the ADCS module attempts to retrieve all available templates and any CAs it finds (the CAs found are listed in the logs directory of TrustView-ADCS). If necessary, you can pin the CA and template used when issuing ADCS certificates through the API or TrustView by removing the _ character and setting cahost, caname and guidhostnametemplate to fit your needs.

Set up certificate issuing from two or more separate CAs

To issue ADCS certificates from two or more separate CAs from TrustView, you must install TrustView-ADCS-Issue-Service.exe once for each CA you wish to use, performing the steps above for a separate TrustView-ADCS directory per CA. After that, the trustview.properties file in each TrustView-ADCS directory must contain the caname and cahost of the corresponding CA. guidhostnametemplate is optional for any of the CAs.

Important

Each installed TrustView-ADCS-Issue-Service must have a unique name.

Example:

If TrustView must be able to issue ADCS certificates from two CAs, the following setup could be used:

  • TrustView-ADCS1 (name of the directory containing the setup for the first CA)

  • TrustView-ADCS2 (name of the directory containing the setup for the second CA)

Open the TrustView-ADCS-Issue-Service.xml file in each TrustView-ADCS directory and change the name of the services:

First CA (TrustView-ADCS1):
<id>TrustViewAdcsIssueService1</id>
<name>TrustView ADCS Issue Service1</name>

Second CA (TrustView-ADCS2):
<id>TrustViewAdcsIssueService2</id>
<name>TrustView ADCS Issue Service2</name>

After that, each TrustView ADCS Issue Service must be installed as normal (see step 7) and will then use its new designated name. Adjust the caname and cahost in each trustview.properties file to match the CA that is used for issuing certificates.

Note

This can also be done with the TrustView-ADCS-Retrieve-Service, by following the same steps for the retrieve service.
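The script below is an added example, not TrustView's own tooling: it prepares the directory for a second CA by cloning an already configured TrustView-ADCS directory, giving the <id> and <name> of each service XML a unique suffix and pinning cahost and caname in trustview.properties. The directory names, suffix and CA values are placeholders, and it assumes the service XML files carry no XML namespace.

```powershell
# Added example, not TrustView's own tooling: prepares a second TrustView-ADCS directory
# for another CA by cloning a configured one, giving its services unique ids/names and
# pinning cahost/caname. Directory, suffix and CA values are placeholders.
param(
    [string]$SourceDir = 'C:\Program Files\TrustView-ADCS1',
    [string]$TargetDir = 'C:\Program Files\TrustView-ADCS2',
    [string]$Suffix    = '2',
    [string]$CaHost    = 'ca2.adtest.local',
    [string]$CaName    = 'Adtest CA 2'
)
$ErrorActionPreference = 'Stop'
# Assumes $TargetDir does not exist yet, so the copy becomes the new directory itself.
Copy-Item -Path $SourceDir -Destination $TargetDir -Recurse -Force

# Give each service a unique <id> and <name>, otherwise the second install clashes.
foreach ($svc in 'TrustView-ADCS-Issue-Service', 'TrustView-ADCS-Retrieve-Service') {
    $xmlPath = Join-Path $TargetDir "$svc.xml"
    if (-not (Test-Path $xmlPath)) { continue }   # the Retrieve service is optional
    $doc = [xml](Get-Content $xmlPath)
    foreach ($tag in 'id', 'name') {
        $node = $doc.SelectSingleNode("//$tag")
        # Drop a suffix inherited from the source directory, then append the new one.
        $node.InnerText = ($node.InnerText -replace '\d+$', '') + $Suffix
    }
    $doc.Save($xmlPath)
}

# Pin this instance to one CA: uncomment _cahost/_caname and set their values.
$props = Join-Path $TargetDir 'trustview.properties'
$lines = Get-Content $props | ForEach-Object {
    switch -Regex ($_) {
        '^_?cahost=' { "cahost=$CaHost" }
        '^_?caname=' { "caname=$CaName" }
        default      { $_ }
    }
}
Set-Content -Path $props -Value $lines
```

Afterwards run the install from step 7 inside the new directory so the renamed services are registered.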

Revoke ADCS certificates

Important

This feature is only available from version v1.13 or higher of the ADCS module. Contact us if you need an upgrade or are unsure of your current version of the module.

ADCS certificates can be revoked from inside TrustView by opening the detail page of the CA certificate you want to revoke and pressing Revoke certificate.

You can follow the status of the revocation in the event log on the detail page.

Danger

A revocation of an ADCS certificate cannot be undone once the action has been performed.