Setup a Microsoft Enterprise Certificate Authority
Announcement: McAfee ePO Deep Command 2.0 Released June 25th!
The information provided below is based on McAfee ePO Deep Command version 1.5. The new version 2.0 release includes Host Based Configuration, McAfee ePO generated TLS certificates, integrated User Consent for specific boot\reboot operations, and more. The improvements simplify the Intel® AMT configuration experience, enabling a faster path to using the technology solution.
Microsoft Certificate Authority is optional and no longer required with Deep Command 2.0!
Installing Microsoft Certificate Authority with Web Enrollment
McAfee Deep Command requires Intel AMT to be configured for secure communication. This is done by configuring Intel AMT to encrypt its client to server communication with Transport Layer Security (TLS). A Microsoft Certificate Authority must be established to create TLS certificates for each Intel AMT client. AMT clients will then get those certificates via web enrollment.
Note: You may already have a Microsoft CA in your environment.
Note: In production environments, do not add the Microsoft Certificate Authority role to your McAfee ePO server. It should run from its own server.
Note: This document shows Windows Server 2008, but Windows Server 2003 is also supported.
Log in to the server that will function as your Microsoft Certificate Authority. Go to server manager, expand roles and choose add roles. Then check the box for Active Directory Certificate Services and click Next.
Check the box for Certificate Authority Web Enrollment and click Next.
Web Enrollment requires the server to be running IIS. Select Add Required Role Services to proceed.
Validate that both Certificate Authority and Certificate Authority Web Enrollment are selected, then click Next to proceed.
In the Specify Setup Type screen, select Enterprise. Then click Next to proceed.
In the Set Up Private Key Screen, select Create a new private key. Then click Next to proceed.
In the Configure Cryptography for CA screen, use the default values, which should be:
- Cryptographic service provider (CSP): RSA#Microsoft Software Key Storage Provider
- Key character length: 2048
- Hash algorithm for signing certificates issued by this CA: SHA1
In the Configured CA Name screen, enter a name for your CA in the Common name for this CA field. In this example, we name it RootCA. Then click Next to proceed.
In the Set Validity Period, set the validity date in accordance with your company’s security policy. 5 Years is the default value and that is used in this example.
In the Configure Certificate Database screen, select the default values. Then click Next to proceed.
The Microsoft Certificate Authority configuration is now complete, but we must also add IIS for Web Enrollment. In the Web Server (IIS) screen, simply click Next to proceed.
In the Confirm Installation Selections screen, click Install to proceed.
The Installation Progress screen will appear and will display the installation progress.
Once complete, the Installation Results screen will appear. Click Close to complete the process. At this point, the Microsoft Certificate Authority role will be enabled with Web Enrollment.
The final steps to preparing the Microsoft Certificate Authority include:
- Enable Read and Enroll permissions on the WebServer template
- Enable the Security permissions Issue and Manage Certificates and Request Certificates on the CA
- Set Request Handling to automatically issue the certificate (see Properties of the Microsoft CA under the Policy Module tab)
- Stop and start the Certificate Authority after changing the Request Handling policy
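The following post-configuration check is an added example, not part of the original guide or of McAfee's tooling. It assumes an elevated PowerShell session on the CA server, that certutil's default configuration points at this CA, and that web enrollment answers at http://localhost/certsrv/ (change $EnrollUrl if you bound it to HTTPS or another host name); it verifies the Request Handling policy, the published WebServer template, the CA restart, and the web enrollment endpoint.

```powershell
# Added post-configuration check (example script, not part of the original guide).
# Assumptions: elevated PowerShell on the CA server; certutil's default CA config
# points at this CA; web enrollment answers on http://localhost/certsrv/
# (change $EnrollUrl if you bound it to HTTPS or another host name).
function Test-DeepCommandCA {
    param([string]$EnrollUrl = 'http://localhost/certsrv/')
    $problems = @()

    # Request Handling (Policy Module tab) lives in the CA registry. The low byte of
    # RequestDisposition is the disposition: 1 = REQDISP_ISSUE, 0 = REQDISP_PENDING.
    $reg = certutil -getreg policy\RequestDisposition 2>&1 | Out-String
    if ($reg -match 'RequestDisposition\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)') {
        $disp = [Convert]::ToInt32($matches[1], 16) -band 0xff
        if ($disp -ne 1) { $problems += "RequestDisposition low byte is $disp; expected 1 (issue automatically)" }
    } else {
        $problems += 'Could not read policy\RequestDisposition from the CA registry'
    }

    # The WebServer template must be published on this CA before clients can enroll.
    $templates = certutil -CATemplates 2>&1 | Out-String
    if ($templates -notmatch '(?m)^WebServer:') {
        $problems += 'WebServer template is not published on this CA (Certificate Templates -> New -> Certificate Template to Issue)'
    }

    # Restart the CA so a changed Request Handling policy takes effect, then confirm it answers.
    try { Restart-Service -Name CertSvc -ErrorAction Stop } catch { $problems += "CertSvc restart failed: $($_.Exception.Message)" }
    certutil -ping | Out-Null
    if ($LASTEXITCODE -ne 0) { $problems += 'certutil -ping failed: the CA service is not responding' }

    # Web Enrollment is what the AMT clients use, so an authenticated HTTP 200 from /certsrv is required.
    try {
        $req = [System.Net.WebRequest]::Create($EnrollUrl)
        $req.UseDefaultCredentials = $true      # /certsrv uses Windows authentication
        $resp = $req.GetResponse()
        if ([int]$resp.StatusCode -ne 200) { $problems += "Web enrollment returned HTTP $([int]$resp.StatusCode)" }
        $resp.Close()
    } catch {
        $problems += "Web enrollment not reachable at ${EnrollUrl}: $($_.Exception.Message)"
    }
    return ,$problems
}

$result = Test-DeepCommandCA
if ($result.Count -eq 0) {
    Write-Output 'CA is ready for Deep Command web enrollment.'
} else {
    $result | ForEach-Object { Write-Output "PROBLEM: $_" }
    exit 1
}
```

The script does not inspect the WebServer template's Read and Enroll permissions or the CA's Security tab; verify those in the Certificate Templates and Certification Authority consoles as described in the steps above.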