You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/firewall/premium-deploy-certificates-enterprise-ca.md
+16-1Lines changed: 16 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -28,12 +28,27 @@ To use an Enterprise CA to generate a certificate to use with Azure Firewall Pre
28
28
- an [Azure Key Vault](premium-certificates.md#azure-key-vault)
29
29
- a Managed Identity with Read permissions to **Certificates and Secrets** defined in the Key Vault Access Policy
30
30
31
+
## Create a new Subordinate Certificate Template
32
+
33
+
1. Run `certtmpl.msc` to open the Certificate Template Console.
34
+
2. Find the "Subordinate Certification Authority" template in the console.
35
+
3. Right-click on the "Subordinate Certification Authority" template and select "Duplicate Template".
36
+
4. In the "Properties of New Template" window, go to the "Compatibility" tab and set the appropriate compatibility settings or leave them as default.
37
+
5. Go to the "General" tab, set the "Template Display Name" (e.g., "My Subordinate CA"), and adjust the validity period if necessary. Optionally, check the "Publish certificate in Active Directory" checkbox.
38
+
6. In the "Settings" tab, ensure the required users and groups have read and enrol permissions.
39
+
7. Navigate to the "Extensions" tab, select "Key Usage", and click "Edit".
40
+
- Ensure that the "Digital signature", "Certificate signing", and "CRL signing" checkboxes are checked.
41
+
- Check the "Make this extension critical" checkbox and click "OK".
42
+
:::image type="content" source="media/premium-deploy-certificates-enterprise-ca/certificate-template-key-usage-extension.png" alt-text="Screenshot of certificate template key usage extensions":::
43
+
8. Click "OK" to save the new certificate template.
44
+
9. Ensure the new template is enabled so it can be used to issue certificates.
45
+
31
46
## Request and export a certificate
32
47
33
48
1. Access the web enrollment site on the Root CA, usually `https://<servername>/certsrv` and select **Request a Certificate**.
34
49
1. Select **Advanced Certificate Request**.
35
50
1. Select **Create and Submit a Request to this CA**.
36
-
1. Fill out the form using the Subordinate Certification Authority template.
51
+
1. Fill out the form using the Subordinate Certification Authority template created in previous section.
37
52
:::image type="content" source="media/premium-deploy-certificates-enterprise-ca/advanced-certificate-request.png" alt-text="Screenshot of advanced certificate request":::
38
53
1. Submit the request and install the certificate.
39
54
1. Assuming this request is made from a Windows Server using Internet Explorer, open **Internet Options**.
0 commit comments