000021756 - How to modify the Microsoft Active Directory schema to store PKI objects when using RSA Keon Certificate Authority

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000021756
Applies To: Keon Certificate Authority 6.5.1
Microsoft Windows Server 2003
Microsoft Active Directory
Issue: How to modify the Microsoft Active Directory schema to store PKI objects when using RSA Keon Certificate Authority

RSA Security has published an implementation guide to show how a Keon Certificate Authority (KCA) can interwork with Microsoft Active Directory (AD) (see http://rsasecurity.agora.com/rsasecured/guides/keonca_pdfs/Microsoft_ActiveDirectory_Keon_651.pdf). This document explains how KCA can be configured to use the directory services facilities of AD to store certificates and certificate revocation lists (CRLs). The example shown in the implementation guide demonstrates how the KCA can be configured to store a CA certificate and a CRL in the Organizational Unit Record on AD.

Section 3 states "The Active Directory schema can support conventional PKI attributes such as userCertificate or cACertificate by default. No additional configuration is necessary within Active Directory to allow publication of these attributes."

Resolution: Please be aware that the statement in section 3 refers specifically to storing the PKI attributes on an object class called certificationAuthority; it does not relate to the example in section 1. The example in section 1 shows a common configuration where the PKI attributes are stored in the organizationalUnit object, and that class does not carry those attributes by default.

If you are setting up the connectivity following the example in the implementation guide, you must modify the Active Directory schema following the instructions in the section called "Active Directory Configurable Elements".
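The article does not reproduce the schema changes from the "Active Directory Configurable Elements" section, so the following is an added example (not RSA's or Microsoft's code, and not taken from the implementation guide) of how an administrator can check whether the organizationalUnit class already permits the two attributes the KCA publishes, and generate the LDIF to extend it if not. It assumes the standard X.509 LDAP attribute names cACertificate (named in the article) and certificateRevocationList, that the schema class was exported with `ldifde` in the usual form, and uses DC=example,DC=com as a placeholder forest root. The sample export below is constructed.

```python
"""Check whether the organizationalUnit schema class may hold a CA certificate
and a CRL, and emit the ldifde input needed to extend it if it cannot.

Added example for this article, not RSA or Microsoft code. The input is a
constructed fragment shaped like an `ldifde -d "CN=Organizational-Unit,..."`
export; DC=example,DC=com is a placeholder for the real forest root.
"""

# Attributes the KCA publishes into the OU object (standard X.509 LDAP names).
PKI_ATTRIBUTES = ("cACertificate", "certificateRevocationList")

# Constructed sample of the class definition before the schema is extended.
SAMPLE_SCHEMA_EXPORT = """\
dn: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: classSchema
cn: Organizational-Unit
lDAPDisplayName: organizationalUnit
mayContain: street
mayContain: searchGuide
mayContain: postalCode
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.

    Folded continuation lines (leading single space) are re-joined, and
    comment or blank lines are skipped. Attribute names keep their case as
    exported; callers compare case-insensitively where LDAP does.
    """
    logical_lines = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and logical_lines:
            logical_lines[-1] += raw[1:]
        else:
            logical_lines.append(raw)
    entry = {}
    for line in logical_lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def missing_pki_attributes(schema_entry):
    """Return the PKI attributes the class does not yet allow.

    Both the administrator-set (mayContain/mustContain) and the system-set
    (systemMayContain/systemMustContain) lists count; display names are
    compared case-insensitively.
    """
    lists = ("mayContain", "mustContain", "systemMayContain", "systemMustContain")
    allowed = {v.lower() for k in lists for v in schema_entry.get(k, [])}
    return [a for a in PKI_ATTRIBUTES if a.lower() not in allowed]


def build_schema_ldif(schema_entry):
    """Build the ldifde 'modify' input that adds the missing attributes to the
    class's mayContain list and then asks the schema master to reload the
    schema cache (the schemaUpdateNow rootDSE operation). Returns an empty
    string when nothing needs to change, so nothing is applied by mistake.
    """
    missing = missing_pki_attributes(schema_entry)
    if not missing:
        return ""
    dn = schema_entry["dn"][0]
    lines = [f"dn: {dn}", "changetype: modify", "add: mayContain"]
    lines += [f"mayContain: {a}" for a in missing]
    lines += ["-", "",
              "dn:", "changetype: modify",
              "add: schemaUpdateNow", "schemaUpdateNow: 1", "-", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_schema_ldif(parse_ldif_entry(SAMPLE_SCHEMA_EXPORT)))
```

The generated file is applied with `ldifde -i -f <file>` by a member of Schema Admins against the schema master; the `-c` option can rewrite the placeholder DC=example,DC=com to the real forest root. Because `build_schema_ldif` returns nothing when the class already lists both attributes, the same check can be re-run safely after the change to confirm the OU publication target will accept the KCA's certificate and CRL writes.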
Legacy Article ID: a24823