3.5 Multiple forest support for Microsoft Enterprise CAs

MyID supports Microsoft Enterprise CAs in multiple domains/forests. This includes cross-issuing certificates between domains.

To enable multiple forest support, you must first configure your domains and CA to work in this environment.

  1. Make sure that mutual trust relationships are set up between the domains.
  2. Set up forward and reverse DNS forwarding between the domains.
  3. Configure the CAs for LDAP referral at issuance:

    1. On each CA, start a command prompt.
    2. Run the following command:

      certutil -setreg Policy\EditFlags +EDITF_ENABLELDAPREFERRALS

    3. Stop the CA.
    4. Restart the CA.

You must also configure MyID to work in a multiple forest environment.

3.5.1 Setting up MyID for multiple forest support

By default, MyID searches the domain that it resides in for enterprise CAs and automatically adds these to the MyID database.

This means that in a multiple forest environment, MyID will recognize only the CAs in its own domain. You must configure all other CAs manually using the Certificate Authorities workflow. It is important that the value entered into the Certificate Store field is unique, as this is the name of the store used to hold the enrollment agent certificates used when requesting certificates from the CA.

It is recommended that you use the same value for the CA Name and the Certificate Store fields; for example, you can use the short form of the CA Path for both. If your CA Path is myCAServer.example.domain.local\myCAServer, you can use myCAServer in both the CA Name and the Certificate Store fields.

You must also add each CA host machine to the CertPublishers group in every domain in which you want to request and issue certificates.

3.5.2 Publishing the root certificate into the account forest

The root CA certificate must be available to establish a trust relationship between a certificate enrollee and an issuing certification authority. Therefore, the root CA certificate that the issuing CA's certificate chains up to must be published into each account forest.

To publish a root CA certificate into the enterprise-wide configuration of an Active Directory environment, export the latest root CA certificate into a file by running the following command:

certutil -config <CA machine name>\<CA Name> -ca.cert <file name>

For example:

certutil -config Cont-CA1\ContosoCA -ca.cert ContosoCA1.cer

Next, perform the following command in every account forest. Run this command with Enterprise Admins permissions in that forest:

certutil -dspublish -f <RootCACertificateFile> RootCA

For example:

certutil -dspublish -f ContosoCA1.cer RootCA

To confirm that the certificate has been added to the store, use the following command:

certutil -viewstore "ldap:///CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=<ForestRootNameSpace>?cACertificate?one?objectClass=certificationAuthority"

To delete a certificate from the store, use the following command:

certutil -viewdelstore "ldap:///CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=<ForestRootNameSpace>?cACertificate?one?objectClass=certificationAuthority"

The command shows the list of certificates that are currently stored in the store. Select a certificate, then click OK to remove it from the certificate store.
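As an added example (not part of the MyID documentation or its tooling), the following PowerShell script performs the export, publish and confirm steps of this section for a list of account forests, checking the result by thumbprint instead of the interactive -viewstore dialog. The CA configuration string, the forest names and the file path are constructed placeholders; the script assumes the caller holds Enterprise Admins rights in every account forest and uses certutil's -dc option to direct -dspublish at a domain controller of the target forest.

```powershell
# Added example, not MyID's own tooling. Values below are constructed placeholders.
$CaConfig       = 'Cont-CA1\ContosoCA'                                     # CA config string (from the text's example)
$AccountForests = @('accounts1.example.local', 'accounts2.example.local')  # hypothetical account forests
$CertFile       = Join-Path $env:TEMP 'ContosoCA1.cer'

# 1. Export the CA's current certificate (same command as in the text).
& certutil -config $CaConfig -ca.cert $CertFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -ca.cert failed for $CaConfig" }
$root = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertFile)
Write-Host "Exported '$($root.Subject)' thumbprint $($root.Thumbprint)"

foreach ($forest in $AccountForests) {
    # Locate a DC of the target forest and build its Configuration partition DN,
    # so the object lands in that forest rather than the local one.
    $ctx   = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $forest)
    $f     = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
    $dc    = $f.RootDomain.FindDomainController().Name
    $cfgDn = 'DC=' + ($f.RootDomain.Name -split '\.' -join ',DC=')

    # 2. Publish into this forest's "Certification Authorities" container (Enterprise Admins required).
    & certutil -f -dc $dc -dspublish $CertFile RootCA | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed against $dc" }

    # 3. Confirm: read the container that the text's -viewstore command points at
    #    and compare thumbprints of every cACertificate value found there.
    $path  = "LDAP://$dc/CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,$cfgDn"
    $found = $false
    foreach ($obj in ([ADSI]$path).Children) {
        foreach ($der in $obj.Properties['cACertificate']) {
            $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
            if ($c.Thumbprint -eq $root.Thumbprint) { $found = $true }
        }
    }
    if (-not $found) { throw "${forest}: root certificate not found in the Certification Authorities container" }
    Write-Host "${forest}: root certificate published and verified on $dc"
}
```

Run it from a machine that can resolve and reach a domain controller in each account forest; a thumbprint mismatch or a missing object raises an error for that forest instead of silently continuing.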