
This section contains instructions for installation and configuration of Certification Services in the Windows Server 2019 operating system.

For the configuration you need a computer with the Windows Server 2019 Rus operating system and a minidriver installed, as well as the distribution of this OS.

All the actions described below are performed with system administrator rights.

The Administrator account is used as an example.

Stages of installation and configuration of Certification Services:

Stage 1: Installation of Certification Services.

Stage 2: Adding certificate templates to the Certification Center.

Stage 3: Issuing certificates to the Administrator and ordinary users with the help of the mmc console.

Installing Certification Services

To install Certification Services:

  1. Open Server Manager.
  2. Click on the name of the Manage menu item and select Add roles and components.
  3. In the window Wizard for Adding Roles and Components read the information and click on the Next button.
  4. Set the switch to Install roles or components and click on the Next button.
  5. Set the switch to Select a server from the server pool.
  6. In the table Server pool click on the name of the required server.
  7. Click on the Next button.
  8. Check the box of the Active Directory Certificate Services.
  9. In the window that appears, click on Add components. As a result, a checkbox will be displayed next to the name of the selected server role.
  10. Click on the Next button.
  11. In the window for the selection of components, click on the Next button.
  12. Read the information and click on the Next button.
  13. Select the Certificate Center checkbox and click on the Next button.
  14. To start the installation process, click Install.
  15. Wait for the installation process to complete and click on the Close button.
  16. On the left side of the window Server Manager click on the item name Active Directory Certification Services.
  17. Click on the exclamation mark.
  18. Click on the link Configure Active Directory Certificate Services.
  19. Read the information and click on the Next button.
  20. Select the Certificate Center checkbox and click on the Next button.
  21. Set the switch next to the name of the required CC installation option (in this example, the company's CC is selected) and click Next.
  22. Set the switch next to the name of the CC type (in this example, select the Root CC, since this will be the main certification center in the domain). Click on the Next button.
  23. In the window for specifying the type of private key, specify the private key that will be used for the certification center (in this example, select Create a new private key, because a private key for the certification center has not been created before). Click on the Next button.
  24. In the next window, to specify the encryption parameters, select an encryption provider in the drop-down list Select an encryption service provider.
  25. In the drop-down list called Key length select the desired value.
  26. Click on the name of the required hash algorithm.
  27. Click on the Next button.
  28. In the window to specify the name of the CC, enter the values of all fields and click on the Next button.
    The data entered here is informational. It is recommended to specify it. Abbreviations have the following meaning: "O" - Organization, "OU" - Organization Unit, "L" - City (Location), "S" - State or province, "C" - Country/region, "E" - E-mail.
  29. Enter the validity period of the certificate created for the CC.
    Upon expiration of the CC certificate, it will be necessary to reissue the certificates to all existing users.
  30. In the field Location of the certificate database enter the path to the certificate database and click Next.
  31. Read the information and click on the Configure button.
  32. Wait for the installation process to complete and click on the Close button.
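
The same Stage 1 configuration can be scripted, which makes the chosen provider, key length, hash algorithm and validity period reviewable and repeatable. This is an added example, not part of the original instructions; the CA name, DN suffix, provider, key length, hash algorithm, validity period and directories are placeholder assumptions, since the page leaves these choices to the administrator.

```powershell
# Added example, not from the original page: scripted form of Stage 1.
# Run in an elevated PowerShell session under an account that is allowed
# to install an enterprise CA in the domain.

# Assumed placeholder values; replace each with your own choice.
$caParams = @{
    CAType                    = 'EnterpriseRootCA'   # steps 21-22: company's CC (Enterprise CA), root CC
    CACommonName              = 'Example-Root-CA'    # step 28 (placeholder)
    CADistinguishedNameSuffix = 'DC=example,DC=com'  # step 28 (placeholder)
    CryptoProviderName        = 'RSA#Microsoft Software Key Storage Provider'  # step 24
    KeyLength                 = 4096                 # step 25
    HashAlgorithmName         = 'SHA256'             # step 26
    ValidityPeriod            = 'Years'              # step 29
    ValidityPeriodUnits       = 10                   # step 29
    DatabaseDirectory         = 'C:\Windows\System32\CertLog'  # step 30
    LogDirectory              = 'C:\Windows\System32\CertLog'
}

# Steps 1-15: add the Certification Authority role service and its consoles.
$role = Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
if (-not $role.Success) {
    throw 'Installing the AD CS role service failed; the CA was not configured.'
}

# Steps 16-32: configure the CA. Without -KeyContainerName or -CertFile the
# cmdlet generates a new private key, which matches step 23.
# -Force suppresses the confirmation prompt.
Install-AdcsCertificationAuthority @caParams -Force

# Confirm that the CA service is running and answers requests.
Get-Service -Name CertSvc | Select-Object Name, Status, StartType
certutil -ping
```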

Adding Certificate Templates to the Certification Center

To add certificate templates:

  1. Open the Control panel.
  2. Double-click on the name of the Administration item.
  3. Double-click on the name of the Certification Center snap-in.
  4. Right-click on the name of the Certificate Templates folder and select the Management item.
  5. Right-click on the template name User with a smart card and select Copy the template. A window called Properties of the new template will open.
  6. Select the following settings:
    Parameter value for the Minimum key size must be at least 1024.
  7. Click on the Apply button.
  8. Click on the OK button.
  9. Go to the Certification Center window.
  10. Right-click on the name of the Certificate Templates folder.
  11. Select the item Create and subitem Issued certificate template.
  12. In the window called Enabling certificate templates click on the template name Registration agent.
  13. Hold down the Ctrl key.
  14. Click on the template name User with RuToken.
  15. Click on the OK button.
  16. Close the Certification Center window.
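
To confirm the result of Stage 2, the minimum key size of every template can be read from Active Directory and compared with the value required in step 6. This is an added example, not part of the original instructions; it assumes a domain-joined machine and an account that can read the configuration partition.

```powershell
# Added example, not from the original page: report each certificate
# template's minimum key size and flag those below the required floor.

# Floor from step 6 of this section; set a larger value to audit against
# a stricter key-size policy.
$MinBits = 1024

# Certificate templates are stored in the forest's configuration partition.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$searcher = [adsisearcher]'(objectClass=pKICertificateTemplate)'
$searcher.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$searcher.PageSize = 200
foreach ($attr in 'cn', 'displayName', 'msPKI-Minimal-Key-Size') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$report = foreach ($entry in $searcher.FindAll()) {
    $p = $entry.Properties   # property names are returned in lower case
    $bits = $p['mspki-minimal-key-size'] | Select-Object -First 1
    [pscustomobject]@{
        Template   = [string]($p['displayname'] | Select-Object -First 1)
        Name       = [string]($p['cn'] | Select-Object -First 1)
        MinKeyBits = $bits
        # A template with no recorded value is flagged for manual review.
        BelowFloor = ($null -eq $bits) -or ([int]$bits -lt $MinBits)
    }
}

$report | Sort-Object BelowFloor, Template | Format-Table -AutoSize

# Templates this CA is currently set to issue (the outcome of steps 9-15).
certutil -CATemplates
```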

Issuing certificates to the Administrator user and ordinary users with the help of an mmc console

To issue certificates to the Administrator user and ordinary users with the help of an mmc console:

  1. Press the Windows + X combination and select the menu item Execute.
  2. Enter the command "mmc" and click on the OK button.
  3. In the window Console 1 select the File menu item and the subitem Add or remove a snap-in...
  4. On the left side of the window Adding and removing snap-ins click on the name Certificates.
  5. Click on the Add button.
  6. In the window that opens, set the switch to My user account and click Done.
  7. In the window Adding and removing snap-ins click on the OK button.
  8. On the left side of the window Console1 click on the Personal folder name.
  9. Click on the Certificates folder name.
  10. In the right part of the window, right-click in an empty space of the window.
  11. Select the item All tasks and the subitem Request a new certificate...
  12. In the window Registration of certificates read the information and click on the Next button.
  13. Click on the Next button.
  14. Select the Administrator checkbox and click on the Request button.
  15. Click on the Done button.
  16. On the left side of the window Console1 click on the Personal folder name.
  17. Click on the Certificates folder name.
  18. In the right part of the window, right-click in an empty space of the window.
  19. Select the item All tasks and the subitem Request a new certificate...
  20. Read the information presented in the Registration of certificates window. Click on the Next button.
  21. Click on the Next button.
  22. Select the Registration agent checkbox and click on the Request button.
  23. Click on the Done button.
  24. On the left side of the window Console1 click on the Personal folder name.
  25. Right-click on the Certificates folder name and select All tasks.
  26. Select the subitem Additional operations.
  27. Select the subitem Register on behalf of...
  28. Read the information and click on the Next button.
  29. Click on the Next button.
  30. Click on the Review... button.
  31. Click on the name of the certificate belonging to the Registration Agent type (to determine the type of certificate, open the certificate properties).
  32. Click on the OK button.
  33. Click on the Next button.
  34. Set the switch to User with RuToken and click on the Next button.
  35. In the window called Registration of certificates click on Review....
  36. In the field Enter the names of the selected objects enter the name of the user to whom the certificate of User with RuToken type will be issued.
  37. Click on Check the names.
  38. Click on the OK button.
  39. The field User name or alias will be filled in automatically.
  40. Click on the Request button.
  41. Enter the User's PIN and click on the OK button.
  42. Click on the Close button.
  43. As a result, the certificate of User with RuToken type is issued and saved on the token.
  44. To view the properties of this certificate, click View certificate.
  45. To close the certificate window, click on the OK button.
  46. In a similar way, issue the certificates for all users who need them. You also need to issue a certificate of User with RuToken type to the Administrator user.
  47. Close the window Console1. To save the console, click on Yes.
    It is recommended to save this console for ease of use in the future. Moreover, if you work in the system with the rights of the User account, then the console Certificates - Current user will display the certificates of the User user. Any user on the local computer can request a certificate from the console Certificates - Current user.
  48. If the console does not need to be saved, click on the No button. In that case only the console settings are not saved; the issued certificates remain saved in the system.
  49. Enter the name of the file to store the console settings and click Save. This completes the configuration of the Certification Center and the issuance of certificates to users.