2. ADCS#

2.1. TrustView ADCS Issue and Retrieve services#

Download the TrustView ADCS module package.

Note

If you do not have access to the ADCS module package, contact our Support to get access to the TrustView ADCS module package, with the newest release of the ADCS module and related files.

Install the PowerShell PKI module by opening PowerShell (may require admin rights) and running the following command:

Install the required PSPKI module#
Install-Module -Name PSPKI

Tip

Go to PowerShell Gallery or GitHub to see the latest version of the PSPKI module and get installation instructions for the module.

Create a new directory or just copy the ADCS module package (including the content) to the following location on the TrustView server:

C:\Program Files\TrustView-ADCS

Note

The directory can be named anything and placed anywhere on the TrustView server.

Create a dedicated service account for the ADCS module and grant it Full Control on the newly created TrustView-ADCS folder. The same service account can be used for both the Issue and the Retrieve service.

Adjust the trustview.properties file:

  • Generate a unique API key (letters and digits only, no special characters), set it as the apikey value in the file, and enter the same key in TrustView under Settings > ADCS settings. The key is what the module presents to TrustView, so treat it as a secret.

  • Update trustviewendpoint (and trustviewmonitoredcertsendpoint, if the Retrieve service is used) if TrustView listens on a port other than the default 8080 for localhost communication.

Install the ADCS Issue and optionally the ADCS Retrieve services:

Install the Issue service of the ADCS module#
C:\Program Files\TrustView-ADCS> .\TrustView-ADCS-Issue-Service.exe install
Install the Retrieve service of the ADCS module#
C:\Program Files\TrustView-ADCS> .\TrustView-ADCS-Retrieve-Service.exe install

Important

The ADCS Retrieve service is optional: it is only needed if you want to retrieve certificates from your CA and import them automatically into TrustView for monitoring.

Configure the installed service:

  • Run the service as the service account that holds the permissions assigned on the ADCS instance (see 2.2)

  • Make sure the service startup type is set to Automatic

  • Start the service
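The whole 2.1 procedure as one script, written here as an added example and not part of the TrustView documentation or module. It runs in an elevated PowerShell on the TrustView server. The package path, the AD service account, and the Windows service ids TrustViewAdcsIssueService and TrustViewAdcsRetrieveService are assumptions (this page only shows the numbered ids used in 2.4); confirm the real ids with Get-Service after the install step.

```powershell
# Added example, not part of the TrustView documentation: the 2.1 procedure as one
# script, run from an elevated PowerShell on the TrustView server.
# Assumptions (change to fit your environment): the package and install paths,
# the AD service account, and the Windows service ids "TrustViewAdcsIssueService"
# / "TrustViewAdcsRetrieveService" (the page only shows the numbered ids used in
# 2.4; confirm the real ids with Get-Service after the install step).
$ErrorActionPreference = 'Stop'

$PackageDir      = 'C:\Temp\TrustView-ADCS-package'     # unpacked module package (assumed path)
$InstallDir      = 'C:\Program Files\TrustView-ADCS'     # any name/location works (see Note above)
$ServiceAccount  = 'ADTEST\svc-trustview-adcs'           # pre-created AD account (assumed name)
$InstallRetrieve = $false                                # $true only if CA certificates should be imported

# 1. PSPKI, installed machine-wide so the service account can load it too.
if (-not (Get-Module -ListAvailable -Name PSPKI)) {
    Install-Module -Name PSPKI -Scope AllUsers -Force
}

# 2. Copy the package and grant the service account Full Control on this folder only.
#    (OI)(CI)F = inherited by files and subfolders, Full control.
New-Item -ItemType Directory -Path $InstallDir -Force | Out-Null
Copy-Item -Path (Join-Path $PackageDir '*') -Destination $InstallDir -Recurse -Force
icacls $InstallDir /grant "$($ServiceAccount):(OI)(CI)F" | Out-Null

# 3. API key: 32 bytes from the OS CSPRNG, hex-encoded so it is [0-9a-f] only
#    (no special characters). Enter the same value in TrustView under
#    Settings > ADCS settings; treat it as a secret from here on.
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$buf = New-Object byte[] 32
$rng.GetBytes($buf)
$apiKey = -join ($buf | ForEach-Object { $_.ToString('x2') })

# 4. Put it in trustview.properties. -replace works per line on the array that
#    Get-Content returns, so every other line is left exactly as shipped.
$props = Join-Path $InstallDir 'trustview.properties'
if (-not (Select-String -Path $props -Pattern '^apikey=' -Quiet)) { throw "no apikey= line in $props" }
(Get-Content $props) -replace '^apikey=.*$', "apikey=$apiKey" | Set-Content -Path $props -Encoding ASCII

# 5. Install, then set logon account, startup type and start. sc.exe is used for the
#    logon account because Set-Service -Credential only exists in PowerShell 7+.
#    Unlike services.msc, sc.exe does not grant "Log on as a service"; give the
#    account that right (GPO/local policy) or the start fails with error 1069.
#    A gMSA (obj= 'ADTEST\gmsa-trustview$' password= '') avoids handling a password at all.
$services = @(@{ Exe = 'TrustView-ADCS-Issue-Service.exe'; Name = 'TrustViewAdcsIssueService' })
if ($InstallRetrieve) {
    $services += @{ Exe = 'TrustView-ADCS-Retrieve-Service.exe'; Name = 'TrustViewAdcsRetrieveService' }
}

$secure = Read-Host -AsSecureString "Password for $ServiceAccount"
$bstr   = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)

foreach ($svc in $services) {
    Push-Location $InstallDir                      # the installer reads its .xml next to the exe
    try { & (Join-Path $InstallDir $svc.Exe) install } finally { Pop-Location }

    sc.exe config $svc.Name obj= $ServiceAccount password= $plain | Out-Null
    Set-Service -Name $svc.Name -StartupType Automatic
    Start-Service -Name $svc.Name
}
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$plain = $null

Get-Service -Name 'TrustViewAdcs*' | Select-Object Name, Status, StartType
```

The API key is generated from the OS random number generator rather than Get-Random, and hex encoding keeps it free of special characters without shrinking the key space. The final Get-Service line is the check that each service is Running with StartType Automatic before moving on to 2.2.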

2.2. Configuration of service account for ADCS integration#

The ADCS-frontend communicates with ADCS using a service account. This service account must be assigned the following permissions:

CA instance:

  • Read

  • Issue and Manage Certificates

  • Request Certificates

All relevant issuance templates:

  • Read

  • Enroll

Issue and Manage Certificates is the Certificate Manager role on the CA: it lets the holder issue, deny and revoke any certificate the CA has issued, and it is what the revocation in 2.5 relies on. Do not add Manage CA, and use a dedicated account that is not shared with other applications, since whoever controls this account can request and revoke certificates from your CA.

Tip

You can choose any number of templates to assign the permissions, but typically the Web Server template is used.
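Granting exactly the rights listed above with the PSPKI module installed in 2.1, and reading them back, as an added example that is not part of the TrustView documentation. The cmdlet names follow the PSPKI module's own documentation and the account, CA host and template names are assumptions; the property names used in the read-back (Access, IdentityReference, Rights) are also assumptions to verify against your installed PSPKI version with Get-Command -Module PSPKI and Get-Member.

```powershell
# Added example, not from the TrustView documentation: assign the 2.2 permissions
# with PSPKI and verify them. Cmdlet names per the PSPKI documentation; account,
# CA host and template names are assumptions. Run as a user who can manage the CA.
Import-Module PSPKI
$Account   = 'ADTEST\svc-trustview-adcs'     # assumed service account
$CaHost    = 'ica01.adtest.local'            # assumed CA host (same as the 2.3 sample)
$Templates = @('WebServer')                  # every template TrustView should be able to issue

$ca = Get-CertificationAuthority -ComputerName $CaHost
if (-not $ca) { throw "CA on $CaHost not found" }

# CA instance: Read + Issue and Manage Certificates (ManageCertificates) + Request
# Certificates (Enroll). Deliberately NOT ManageCA: the connector does not need it.
$ca | Get-CertificationAuthorityAcl |
    Add-CertificationAuthorityAcl -Identity $Account -AccessType Allow -AccessMask Read, ManageCertificates, Enroll |
    Set-CertificationAuthorityAcl -RestartCA

# Templates: Read + Enroll only (no Write, no FullControl).
foreach ($t in $Templates) {
    Get-CertificateTemplate -Name $t |
        Get-CertificateTemplateAcl |
        Add-CertificateTemplateAcl -Identity $Account -AccessType Allow -AccessMask Read, Enroll |
        Set-CertificateTemplateAcl
}

# Read back. Property names below (Access, IdentityReference, Rights) are assumptions;
# check with: $ca | Get-CertificationAuthorityAcl | Get-Member
$caAces = ($ca | Get-CertificationAuthorityAcl).Access |
    Where-Object { "$($_.IdentityReference)" -eq $Account }
$caAces | Format-Table IdentityReference, AccessType, Rights -AutoSize

if (-not $caAces) { throw "$Account has no ACE on the CA; the Add/Set step did not apply" }
if ($caAces | Where-Object { "$($_.Rights)" -match 'ManageCA' }) {
    throw "$Account holds ManageCA on the CA; remove it, the module only needs ManageCertificates"
}
```

The two throw checks at the end are the point: the CA ACL is what turns this account into something that can revoke every certificate the CA issued, so confirm both that the ACE landed and that nobody added ManageCA to it along the way.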

2.3. Configuration of the trustview.properties file#

The file contains the following parameters that can be configured:

Adjust the API key and other properties as needed#
apikey=<api key>
trustviewendpoint=http://localhost:8080/AdcsConnection/
trustviewmonitoredcertsendpoint=http://localhost:8080/CertificateImport/
publicKeyString=foobar
_cahost=ica01.adtest.local
_caname=Adtest CA

# Add a comma-separated list of templates to import
_templateImportList=WebServer, DomainWebServer

# SSL validation options:
#   default    = use system defaults (no override)
#   pinnedcert = trust only certificate matching the public key (set the variable "publicKeyString")
#   acceptall  = trust all certificates (insecure)

sslvalidationlevel=default

Note

Lines starting with the _ character (underscore) are commented out and therefore not used by default. Remove the _ to activate the property.

By default, the ADCS module attempts to retrieve all available templates and every CA it finds. Which CAs were found is written to the log file in the logs directory when -loglevel is set to debug. If you need to restrict which CA and templates are used when issuing ADCS certificates through the API or TrustView, remove the _ from cahost, caname and templateImportList and set them to fit your environment.

2.4. Setup certificate issuing from two or more separate CA’s#

To issue ADCS certificates from two or more separate CAs from TrustView, install one TrustView-ADCS-Issue-Service.exe per CA: repeat the steps above with a separate TrustView-ADCS directory for each CA you wish to use. Each trustview.properties file in its respective directory must then contain the caname and cahost of the corresponding CA; templateImportList is optional for each of them.

Important

Each TrustView-ADCS-Issue-Service installed must be named something unique.

Example:

If TrustView must be able to issue ADCS certificates from two CAs, the following setup could be used:

  • TrustView-ADCS1 (name of the directory containing the setup for the first CA)

  • TrustView-ADCS2 (name of the directory containing the setup for the second CA)

Open the TrustView-ADCS-Issue-Service.xml file in each TrustView-ADCS directory and change the id and name of the service:

TrustView-ADCS1\TrustView-ADCS-Issue-Service.xml:

<id>TrustViewAdcsIssueService1</id>
<name>TrustView ADCS Issue Service1</name>

TrustView-ADCS2\TrustView-ADCS-Issue-Service.xml:

<id>TrustViewAdcsIssueService2</id>
<name>TrustView ADCS Issue Service2</name>

After that, install each TrustView ADCS Issue Service as normal (the install command from 2.1, run from the respective directory); the services will then use the new designated names. Adjust caname and cahost in each trustview.properties file to match the CA that is used for issuing certificates.

Note

This can also be done with the TrustView-ADCS-Retrieve-Service, by following the same steps for the retrieve service.
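The multi-CA layout from this section produced by a script, as an added example that is not part of the TrustView documentation. It clones a configured (but not yet installed) TrustView-ADCS directory from 2.1 once per CA, rewrites only the two XML elements this page shows (<id> and <name>), uncomments and sets cahost/caname in each trustview.properties, and runs the install. The CA hosts and names are assumptions; the logon account and startup type still have to be set per service as in 2.1.

```powershell
# Added example, not from the TrustView documentation: one TrustView-ADCS
# directory and one uniquely named Issue service per CA. Assumes a configured copy
# from 2.1 at $Template that has NOT been installed yet, and the CA hosts/names below.
$ErrorActionPreference = 'Stop'
$Template = 'C:\Program Files\TrustView-ADCS'
$CAs = @(
    @{ Suffix = 1; Host = 'ica01.adtest.local'; Name = 'Adtest CA' },            # assumed
    @{ Suffix = 2; Host = 'ica02.adtest.local'; Name = 'Adtest Issuing CA 2' }   # assumed
)

foreach ($ca in $CAs) {
    $dir = "C:\Program Files\TrustView-ADCS$($ca.Suffix)"
    Copy-Item -Path $Template -Destination $dir -Recurse -Force

    # Unique service id/name; a second install with the same id would collide with
    # the first. Only <id> and <name> are touched, everything else in the XML stays.
    $xmlPath = Join-Path $dir 'TrustView-ADCS-Issue-Service.xml'
    $xml = Get-Content $xmlPath
    $xml = $xml -replace '<id>.*</id>',     "<id>TrustViewAdcsIssueService$($ca.Suffix)</id>"
    $xml = $xml -replace '<name>.*</name>', "<name>TrustView ADCS Issue Service$($ca.Suffix)</name>"
    Set-Content -Path $xmlPath -Value $xml -Encoding UTF8

    # Activate (_cahost -> cahost, _caname -> caname) and set the CA for this instance.
    # '^_?' matches the line whether it is still commented out or already active.
    $props = Join-Path $dir 'trustview.properties'
    $p = Get-Content $props
    $p = $p -replace '^_?cahost=.*$', "cahost=$($ca.Host)"
    $p = $p -replace '^_?caname=.*$', "caname=$($ca.Name)"
    Set-Content -Path $props -Value $p -Encoding ASCII

    # Install from inside the directory so the exe picks up its own .xml.
    Push-Location $dir
    try { & .\TrustView-ADCS-Issue-Service.exe install } finally { Pop-Location }
}

# Expect one entry per CA, each with its own DisplayName. Then set the logon
# account and Automatic startup for each, exactly as in 2.1.
Get-Service -Name 'TrustViewAdcsIssueService*' | Select-Object Name, DisplayName, Status
```

Because every clone carries its own trustview.properties, each instance can also pin TrustView's certificate or restrict templates independently; what they must not share is the service id, which is why the XML edit comes before the install rather than after.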

2.5. Revoke ADCS certificates#

Important

This feature is only available from version v1.13 or higher of the ADCS module. Contact our Support if you are in need of an upgrade or unaware of your current version of the module.

ADCS certificates can be revoked from inside TrustView by opening the detail page of the ADCS certificate you want to revoke and pressing Revoke certificate. The revocation is carried out on the CA by the service account, so it requires the Issue and Manage Certificates permission from 2.2.

You can follow the status of the revocation in the event log on the detail page.

Danger

Revocation of an ADCS certificate cannot be undone once the action has been performed.

2.6. SSL Validation Options#

There are 3 options to choose from in the trustview.properties configuration file:

  • default = use system defaults (no override)

  • pinnedcert = trust only the certificate matching the public key (set the variable publicKeyString)

  • acceptall = trust all certificates (insecure)

Note

The variable publicKeyString only needs to be set if the pinnedcert option is chosen.

Do not use acceptall outside a lab: it disables certificate validation entirely, so the module will complete the TLS handshake, and send its API key, to whatever answers on the TrustView address. If validation fails with default, fix the trust store on the TrustView server or switch to pinnedcert instead.

When TrustView is reached over https, the variables trustviewendpoint and trustviewmonitoredcertsendpoint need to be changed to the https version of your TrustView URL.

Example configuration#
trustviewendpoint=https://trustview.domain/AdcsConnection/
trustviewmonitoredcertsendpoint=https://trustview.domain/CertificateImport/
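Before choosing between default and pinnedcert it helps to see the certificate the ADCS module will actually be shown. The script below, an added example that is not part of the TrustView documentation or module, opens a TLS connection to the TrustView endpoint, prints the certificate, checks whether it validates against this host's trust store (what sslvalidationlevel=default depends on), and prints the public key. The hostname is taken from the example configuration above; this page does not state which encoding publicKeyString expects, so the base64 of the raw public key shown here is an assumption to confirm with Support before relying on pinnedcert.

```powershell
# Added example, not from the TrustView documentation: inspect the TLS certificate
# TrustView presents to the ADCS module. Nothing here changes trust settings; the
# permissive callback exists only so the handshake completes and the certificate
# can be examined. The encoding used for publicKeyString is an assumption.
param(
    [string]$TrustViewHost = 'trustview.domain',   # hostname from the example config above
    [int]$Port = 443
)

$client = New-Object System.Net.Sockets.TcpClient($TrustViewHost, $Port)
try {
    $noCheck = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $noCheck)
    $ssl.AuthenticateAsClient($TrustViewHost)    # SNI = the name the module will use
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $client.Close()
}

# SHA-256 over the DER certificate: what to compare against the server operator's value.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$fingerprint = -join ($sha256.ComputeHash($cert.RawData) | ForEach-Object { $_.ToString('x2') })

# Verify() runs the same chain build the OS does for 'default': if it is $false here,
# the service will fail to connect in default mode (and acceptall is not the fix).
$chainValid = $cert.Verify()

[pscustomobject]@{
    Subject      = $cert.Subject
    Issuer       = $cert.Issuer
    NotAfter     = $cert.NotAfter
    SHA256       = $fingerprint
    ChainValid   = $chainValid
    PublicKeyB64 = [Convert]::ToBase64String($cert.GetPublicKey())   # candidate publicKeyString (assumed format)
} | Format-List

if (-not $chainValid) {
    Write-Warning "Certificate chain does not validate on this host. Import the issuing chain into the machine store or use pinnedcert; do not set acceptall."
}
```

Run it on the TrustView server itself, as the service account if possible, because that is the trust store and the hostname the Issue and Retrieve services will use; a chain that validates from an admin workstation but not from the service's context is the usual reason default appears to be broken.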