How to create a Certificate Template for the PCoIP Agent for Windows using a Microsoft Certification Authority

When issuing certificates to the PCoIP Agent in a Windows environment, the Windows integration with the Microsoft Certification Authority allows for easy deployment of certificates. One of the first configurations that needs to be done is creating a certificate template on the Microsoft Enterprise Certification Authority.

The template created below is an example for testing only. HP Anyware strongly recommends consulting your security team and security policy about your organizational requirements for Certificate Templates.

Creating a Certificate Template for issuing certificates to use with the PCoIP Agent.

  1. Open the Certification Authority Administrative Tool
  2. Retarget the tool to the Certification Authority you will be managing by right-clicking Certification Authority (NAME) and selecting Retarget Certification Authority ...
  3. Right Click on Certificate Templates and select Manage
  4. Find the Web Server certificate and select Duplicate Template
  5. On the Compatibility tab, set Certification Authority to match the operating system of your Certification Authority, and set Certificate recipient to the lowest operating system that the PCoIP Agent is running on.
    In this example the environment uses Windows Server 2016 Certification Authorities and all the PCoIP Agents run on Windows 7 or greater.
  6. Select the General tab and set a display name, template name and validity period. In this example we set the display name to PCoIP Agent, which automatically set the template name to PCoIPAgent, and we set the validity period to 1 year.

7. Select the Request Handling tab. Tick Allow private key to be exported. This must be selected in order for the PCoIP Agent to export the private key from the Windows key store.

8. Select the Cryptography tab. Items to note on this page:

  • Provider Category must be Legacy Cryptographic Service Provider. Key Storage Provider certificates are not compatible with the PCoIP Agent requirements.
  • A minimum key size of 3072 is suggested.

9. Select the Subject tab. In this example the option Build from this Active Directory information is selected, as the individual machines will enroll themselves.
Choose the appropriate options for your environment and security policies.

10. Select the Security tab.
For simplicity in testing, Domain Computers with autoenroll rights has been added.
NOTE: Certificates are used to verify the identity of the machine. You must consult your organization's security team and policy before setting the security on the template. Incorrect security settings will allow bad actors to request legitimate certificates, which will then be trusted by anything that trusts your Certification Authority. Adding the group Domain Computers with autoenroll rights allows all machine accounts on the domain to request signed certificates.


Certificates issued from the above template can be used by the PCoIP Agent. The PCoIP Agent needs to be configured to use the certificate as per Configuring the Agent Certificate Mode in the PCoIP Agent Administrators' guide for your PCoIP Agent release. Reminder: The certificate must have the friendly name PCoIP for the PCoIP Agent to select it.
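
One way to confirm that an enrolled certificate meets the requirements listed in this article (friendly name PCoIP, legacy CSP key, exportable private key, key size of at least 3072) is the check below. It is an added example, not HP Anyware code; the function name, the store path `Cert:\LocalMachine\My` and the use of Windows PowerShell 5.1 from an elevated prompt are assumptions.

```powershell
# Added example (not HP Anyware code). Assumes Windows PowerShell 5.1, an
# elevated prompt, and that the certificate is in the computer's Personal store.
function Test-PCoIPAgentCertificate {
    param(
        [string]$StorePath  = 'Cert:\LocalMachine\My',  # assumption: computer Personal store
        [int]   $MinKeySize = 3072                      # minimum suggested in the article
    )
    if ($PSVersionTable.PSEdition -eq 'Core') {
        throw 'Run in Windows PowerShell 5.1: the CSP check relies on .NET Framework behaviour.'
    }
    Get-ChildItem -Path $StorePath | Where-Object HasPrivateKey | ForEach-Object {
        $cert = $_
        # On .NET Framework, PrivateKey only resolves for legacy CSP (CAPI) keys.
        # A Key Storage Provider (CNG) key, or a key this account cannot open,
        # raises an error here and is reported as not being a legacy CSP key.
        $key = $null
        try { $key = $cert.PrivateKey } catch { $key = $null }
        $isCsp = $key -is [System.Security.Cryptography.RSACryptoServiceProvider]

        # Non-RSA public keys are not supported by this property; leave size empty.
        $size = $null
        try { $size = $cert.PublicKey.Key.KeySize } catch { }

        $result = [pscustomobject]@{
            Thumbprint     = $cert.Thumbprint
            Subject        = $cert.Subject
            NotAfter       = $cert.NotAfter
            FriendlyNameOk = $cert.FriendlyName -eq 'PCoIP'
            LegacyCsp      = $isCsp
            Provider       = if ($isCsp) { $key.CspKeyContainerInfo.ProviderName } else { 'not a legacy CSP key' }
            Exportable     = if ($isCsp) { $key.CspKeyContainerInfo.Exportable } else { $null }
            KeySize        = $size
        }
        # A certificate passes only when every requirement from the article holds.
        $ok = $result.FriendlyNameOk -and $result.LegacyCsp -and
              $result.Exportable -and ($result.KeySize -ge $MinKeySize)
        $result | Add-Member -NotePropertyName MeetsArticleRequirements -NotePropertyValue $ok -PassThru
    }
}

Test-PCoIPAgentCertificate | Format-List
```

A certificate that reports `LegacyCsp : False` was most likely issued from a template whose Provider Category is Key Storage Provider, which the Cryptography tab step above rules out.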