Windows 10/11: Add Certification Authority and Assign Certificates (2024)


Prerequisites

  • Certification Authority Server needs the following configured roles
    • Certification Authority
  • Domain Administrator Credentials

Certification Authority

  • Log into your Certification Authority server

Create User Certificate Template

  • Open the Certification Authority MMC snap-in
    • Choose from Server Manager > Tools > Certification Authority
    • Or run MMC (Windows + R) > Add/Remove Snap-In > Certification Authority > Add > Local Computer
  • Expand the Configuration Tree on the Right until the Certificate Templates section is visible
  • Right Click Certificate Templates
  • Click Manage
  • Right Click User in the middle pane
  • Click Duplicate Template
    • When the Certification Authority is running on Windows Server 2008 R2, you will be prompted to select the Template version
    • Select Windows Server 2003 Enterprise
    • Click OK

General

  • Navigate to General
  • Enter as Template Display Name: Silverback User
  • Enter as Template name: SilverbackUser (will be filled automatically)
  • Uncheck Publish certificate in Active Directory

Request Handling

  • Navigate to Request Handling
  • Make sure that the configuration is the following:
    • Purpose: Signature and encryption
    • Enabled Include symmetric algorithms allowed by the subject
    • Enabled Allow private key to be exported
    • Selected Enroll subject without requiring any user input

Subject Name

  • Navigate to Subject Name
  • Enable Supply in the request
  • Click OK to confirm

Issuance Requirements

  • Navigate to Issuance Requirements
  • Ensure that CA certificate manager approval is unchecked

Extensions

  • Navigate to Extensions
  • Select Application Policies
  • Click Edit
  • Select Encrypting File System
  • Click Remove
  • Click OK

Client Authentication (1.3.6.1.5.5.7.3.2) and Secure Email (1.3.6.1.5.5.7.3.4) should be included.

Security

  • Navigate to Security
  • Select Authenticated Users
  • Ensure that Read Permissions are enabled
  • Click Add
  • Enter Silverback in the "Enter the object names to select" field
  • Click Check Names
  • Select Silverback Enterprise Device Management
  • Click OK
  • Enable Read and Enroll Permissions
  • Select Domain Users
  • Click Remove

Review the other users and groups listed and consider reducing their permissions as well. At least one administrative account should keep Read and Write permissions so that the Template settings can be adjusted in the future.

  • Click OK to finish Template Configuration
  • Close Certificate Templates Console window
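
Added example (not part of the original guide or of the Silverback product): with Supply in the request enabled, manager approval unchecked and Client Authentication in the application policies, the Enroll permission set on the Security tab is the only control over who can obtain a certificate for a chosen subject name. The PowerShell check below flags a template in that state when a broad group still holds Enroll. The function name, the list of broad groups and the sample values are assumptions made for illustration.

```powershell
# Added example, not vendor code. Bit values are those of the AD template attributes.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication, as listed in this guide
$BroadGroups   = 'Domain Users', 'Authenticated Users', 'Domain Computers', 'Everyone'  # assumed list

function Test-TemplateExposure {        # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [int]      $NameFlag,         # msPKI-Certificate-Name-Flag
        [Parameter(Mandatory)] [int]      $EnrollmentFlag,   # msPKI-Enrollment-Flag
        [int]                             $RaSignatures = 0, # msPKI-RA-Signature
        [Parameter(Mandatory)] [string[]] $Eku,              # pKIExtendedKeyUsage
        [Parameter(Mandatory)] [string[]] $EnrollPrincipals  # accounts with Enroll on the Security tab
    )
    $suppliesSubject = [bool]($NameFlag -band 0x1)        # "Supply in the request"
    $managerApproval = [bool]($EnrollmentFlag -band 0x2)  # "CA certificate manager approval"
    $clientAuth      = $Eku -contains $ClientAuthOid
    # Strip the domain prefix so 'DOMAIN\Domain Users' matches 'Domain Users'
    $broad = @($EnrollPrincipals | Where-Object { ($_ -split '\\')[-1] -in $BroadGroups })

    # Requester-chosen subject + authentication EKU + no approval: the Enroll ACL is the only gate
    $aclIsOnlyGate = $suppliesSubject -and $clientAuth -and
                     -not $managerApproval -and $RaSignatures -eq 0
    [pscustomobject]@{
        Template       = $Name
        AclIsOnlyGate  = $aclIsOnlyGate
        BroadEnrollers = $broad -join ', '
        Result         = if ($aclIsOnlyGate -and $broad.Count) { 'FAIL: remove broad Enroll rights' } else { 'OK' }
    }
}

# Live values (assumes the RSAT ActiveDirectory module is installed):
#   $cfg = (Get-ADRootDSE).configurationNamingContext
#   $t   = Get-ADObject "CN=SilverbackUser,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg" -Properties *
#   then pass $t.'msPKI-Certificate-Name-Flag', $t.'msPKI-Enrollment-Flag', $t.pKIExtendedKeyUsage

# Constructed samples: the duplicated template before and after the Security steps above
$common = @{ Name = 'SilverbackUser'; NameFlag = 0x1; EnrollmentFlag = 0x1
             Eku  = '1.3.6.1.5.5.7.3.2', '1.3.6.1.5.5.7.3.4' }
Test-TemplateExposure @common -EnrollPrincipals 'DOMAIN\Domain Users', 'DOMAIN\Silverback$'
Test-TemplateExposure @common -EnrollPrincipals 'DOMAIN\Silverback$'
```

The first call reports FAIL because Domain Users still holds Enroll; the second, which matches the state after Domain Users is removed, reports OK.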

Change CEP Encryption Permissions

  • Right click CEP Encryption Template
  • Click Properties
  • Navigate to Security
  • Click Add
  • Search for any Domain Admin Account with which you want to proceed
  • Click Check Name
  • Click OK
  • Enable Read
  • Enable Enroll
  • Click OK

Change Exchange Enrollment Agent Permissions

  • Right click Exchange Enrollment Agent (Offline request) Template
  • Click Properties
  • Navigate to Security
  • Click Add
  • Search for any Domain Admin Account with which you want to proceed
  • Click Check Name
  • Click OK
  • Enable Read
  • Enable Enroll
  • Click OK
  • Close Certificate Templates Console

Issue Certificate Templates

  • Navigate to the Certification Authority window
  • Right Click Certificate Templates in the left panel
  • Select New
  • Click Certificate Template to Issue
  • Select the following Certificate Templates
    • CEP Encryption
    • Exchange Enrollment Agent (Offline request)
    • Silverback User
  • Click OK
  • All of them should now be listed in Certificate Templates section

Export Certification Authority Certificate

This step is only necessary if your server is not a domain member.

  • Press Windows + R or right click the Windows tray icon
  • Enter MMC
  • Click File
  • Select Add/Remove Snap-in
    • Select Certificates
    • Click Add
    • Select Computer Account
    • Click Next
    • Click Finish
    • Click OK
  • Expand Certificates (Local Computer)
  • Expand Personal
  • Click Certificates
  • Right click your Certification Authority Certificate (it is issued from and by your CA)
  • Select All Tasks
  • Click Export
    • Click Next
    • Select No, do not export the private key
    • Click Next
    • Select DER encoded binary X.509 (.CER)
    • Click Next
    • Click Browse
    • Select a location and name it e.g. CertificationAuthorityRootCertificate

Choose a shared folder, e.g. \\FILESHARE\Certificates. The certificate needs to be imported into your Silverback Server later.

  • Click Save
  • Click Next
  • Click Finish
  • Click OK

Server Preparation

  • Log onto your Silverback or Cloud Connector Server

Create Enrollment Agent Setup Information File (*.inf)

  • Open File Explorer
  • Create a new Folder under C:\ and name it Certificates
  • Perform a double click on C:\Certificates
  • Right Click in any empty area in this Folder
  • Click New
  • Select Text Document
  • Name it EnrollmentAgent.txt
  • Open the File with Notepad
  • Paste the following information into the File

[NewRequest]
Subject = "CN=SB-Enrollment"
Exportable = TRUE
KeyLength = 2048
KeySpec = 2
KeyUsage = 0x80
MachineKeySet = TRUE
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
ProviderType = 1
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.4.1.311.20.2.1
[RequestAttributes]
CertificateTemplate = EnrollmentAgentOffline

  • Click File
  • Click Save As
  • Ensure that Encoding is set to ANSI
  • Change Save as type to All Files (*.*)
  • Change the File ending from .txt to .inf
  • Click Save
  • Navigate back to your Windows Explorer and ensure the file is saved as EnrollmentAgent.inf

Create CEP Setup Information File (*.inf)

  • Create in C:\Certificates a new Text Document
  • Name it CEP.txt
  • Open the File with Notepad
  • Paste the following information into the File

[NewRequest]
Subject = "CN=SB-CEP"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0x20
MachineKeySet = TRUE
ProviderName = "Microsoft RSA Schannel Cryptographic Provider"
ProviderType = 12
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.4.1.311.20.2.1
[RequestAttributes]
CertificateTemplate = CEPEncryption

  • Click File
  • Click Save As
  • Ensure that Encoding is set to ANSI
  • Change Save as type to All Files (*.*)
  • Change the File ending from .txt to .inf
  • Click Save
  • Navigate back to your Windows Explorer and ensure the file is saved as CEP.inf
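
Added example (not part of the original guide or of the Silverback product): a PowerShell pre-flight check for the two request files created above, run before they are handed to certreq. It parses the INF text and checks the values this guide relies on. The function names are hypothetical, and the KeySpec/KeyUsage pairing is taken from the two files on this page and treated here as the expected convention.

```powershell
# Added example, not vendor code: pre-flight check for a certreq request file.
function Read-RequestInf {              # hypothetical helper: INF text -> nested hashtable
    param([Parameter(Mandatory)] [string] $Text)
    $inf = @{}; $section = ''
    foreach ($line in ($Text -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $inf[$section] = @{}; continue }
        if ($section -and $line -match '^([^=;]+)=(.*)$') {
            $inf[$section][$Matches[1].Trim()] = $Matches[2].Trim().Trim('"')
        }
    }
    $inf
}
function Test-RequestInf {              # hypothetical helper name
    param([Parameter(Mandatory)] [string] $Text, [Parameter(Mandatory)] [string] $ExpectedTemplate)
    $inf = Read-RequestInf $Text; $req = $inf['NewRequest']; $attrs = $inf['RequestAttributes']
    if ($null -eq $req) { return 'missing [NewRequest] section' }
    $problems = @()
    # Pairing used on this page: KeySpec 1 (key exchange) with 0x20, KeySpec 2 (signature) with 0x80
    $expectedUsage = @{ '1' = 0x20; '2' = 0x80 }[[string]$req['KeySpec']]
    if ([int]$req['KeyUsage'] -ne $expectedUsage) { $problems += 'KeyUsage does not match KeySpec' }
    if ([int]$req['KeyLength'] -lt 2048)          { $problems += 'KeyLength below 2048' }
    # Network Service is granted Read on the key later, so it must be a machine key
    if ($req['MachineKeySet'] -ne 'TRUE')         { $problems += 'MachineKeySet is not TRUE' }
    if ($null -eq $attrs -or $attrs['CertificateTemplate'] -ne $ExpectedTemplate) { $problems += 'unexpected CertificateTemplate' }
    # Curly quotes or long dashes picked up when copying from a web page
    if ($Text -match '[\u2013\u2014\u201C\u201D]') { $problems += 'typographic characters in file' }
    if ($problems) { $problems -join '; ' } else { 'OK' }
}
# CEP.inf as given in this guide
$cep = @'
[NewRequest]
Subject = "CN=SB-CEP"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0x20
MachineKeySet = TRUE
ProviderName = "Microsoft RSA Schannel Cryptographic Provider"
ProviderType = 12
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.4.1.311.20.2.1
[RequestAttributes]
CertificateTemplate = CEPEncryption
'@
Test-RequestInf -Text $cep -ExpectedTemplate 'CEPEncryption'
# Constructed faulty variant: signature KeySpec left next to the key-encipherment usage
Test-RequestInf -Text ($cep -replace 'KeySpec = 1', 'KeySpec = 2') -ExpectedTemplate 'CEPEncryption'
```

For a saved file, pass `(Get-Content C:\Certificates\CEP.inf -Raw)` as `-Text`, and use `EnrollmentAgentOffline` as the expected template for EnrollmentAgent.inf.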

Generate Enrollment Agent Certificate

  • Open an Administrative Command Prompt
  • Navigate to C:\Certificates
  • Adjust and run the following commands step by step
    • certreq -f -new EnrollmentAgent.inf EnrollmentAgent.req
    • certreq -submit -config "ca.imagoverum.com\domain-server-CA" EnrollmentAgent.req EnrollmentAgent.cer
    • certreq -accept EnrollmentAgent.cer

Click OK at the User context template conflict prompt. You can ignore this warning

Change the Enterprise Root Authority Address path to your own. Open a command prompt on your Certification Authority, type certutil, press Enter and take the value displayed in Config.

Generate CEP Certificate

  • Now run the following commands for the CEP Certificate step by step
    • certreq -f -new CEP.inf CEP.req
    • certreq -submit -config "ca.imagoverum.com\domain-server-CA" CEP.req CEP.cer
    • certreq -accept CEP.cer

Click OK at the User context template conflict prompt. You can ignore this warning

Change the Enterprise Root Authority Address path to your own. Open a command prompt on your Certification Authority, type certutil, press Enter and take the value displayed in Config.

Change Permissions

  • Run certlm.msc
  • Expand Certificates (Local Computer)
  • Expand Personal
  • Click Certificates
  • Right Click SB-Enrollment Certificate
    • Select All Tasks
    • Select Manage Private Keys
    • Click Add
    • Search for Network Service
    • Click OK
    • Uncheck Full control and ensure that Read is enabled
    • Click OK
  • Right Click SB-CEP Certificate
    • Select All Tasks
    • Select Manage Private Keys
    • Click Add
    • Search for Network Service
    • Click OK
    • Uncheck Full control and ensure that Read is enabled
    • Click OK

Import Certification Authority Certificate

This step is only necessary if your server is not a domain member.

  • Right Click Certificate Folder in the left panel or click in any free area in the middle panel
  • Click All Tasks
  • Click Import
  • Proceed with Next
  • Click Browse
  • Now navigate to your exported Certification Authority Certificate
    • e.g. \\FILESHARE\Certificates
  • Select the Certificate
  • Click Open
  • Proceed with Next
  • Ensure the certificate will be placed in the Personal Store
  • Proceed with Next
  • Click Finish
  • Click OK
  • You should now have 3 newly imported certificates
    • SB-CEP
    • SB-Enrollment
    • Certification Authority Certificate

Copy Certification Authority Certificate

This step is only necessary if your server is not a domain member.

  • Right Click your Certification Authority Certificate
  • Select Copy
  • Expand Trusted Root Certification Authorities Folder
  • Select Certificates
  • Click Action in the navigation pane
  • Click Paste

Silverback Configuration

Add Certification Authority

  • Open your Silverback Management Console
  • Log in as a Settings Administrator
  • Navigate to Certificates
  • Under Certificate Deployment enable Individual Client
  • Enter your Corporate Certification Authority in the following format:
    • ca.imagoverum.com\domain-server-CA
  • Click Save
  • Confirm with OK

Select Certificate

  • Scroll down to Windows Certificate Settings
  • Choose for Enrollment Issuing CA the CA Certificate
  • Choose for CEP Encryption Agent the SB-CEP Certificate
  • Choose for Exchange Enrollment Agent the SB-Enrollment Certificate
  • Click Save
  • Confirm with OK

For all Cloud Customers, the Certificates need to be imported on your hosted server. Please get in touch with our technical support.

Restart Services

  • Run PowerShell with elevated privileges
  • Run the following command:
    • restart-service w3svc,silv*,epic*

Change User

  • Log out as Settings Administrator
  • Log in as Administrator

Create a new Tag

Create Windows 10/11 Certificate Tag

  • Create a Tag
    • Name it e.g. Windows 10/11 Certificate
    • Enter as description e.g. Windows 10/11 Certificate Distribution (optional)
    • Enable Profile under Enabled Features
    • Enable Windows 10 under Device Types
    • Click Save

Create Windows 10/11 Certificate Profile

  • Navigate to Profile
    • Navigate to Certificate
    • Enable Certificate Settings
    • Add the name of your created Template, e.g. SilverbackUser
    • Add a Custom Subject Name Variable, e.g. u_{firstname}.{lastname}
    • Press Save
  • Navigate to Definitions
    • Click Associated Devices
    • Click Attach More Devices
    • Select your previously enrolled device
    • Click Attach Selected Devices
    • Click OK
    • Click Close
    • Click Push to devices
    • Click OK

Refresh Device

  • On your device open Settings
    • Navigate to General
    • Navigate to Accounts
    • Navigate to Access work or school
    • Click on your added connection
    • Click Info
    • Scroll down and press sync
    • Wait until sync process is finished

Open Certificates Management Console

  • Enter certmgr.msc in your Windows 10/11 search tray
  • Press enter
  • Click Yes
  • Expand Personal
  • Expand Certificates
  • You should now see a newly issued client certificate

Check Certification Authority

  • Navigate back to your Certification Authority
    • Navigate to Issued Certificates
    • Right click and click refresh
    • You should now see a third newly issued certificate with the requester name Domain\Silverback$ and the SilverbackUser Template

Next Steps

  • Check our Azure Active Directory Integration
    • Windows 10/11 Autopilot
    • Windows 10/11 Azure AD Join
  • Check our Certification Authority Integration for Android
  • Check our Certification Authority Integration for iOS