Export Microsoft CA / SubCA certificate from Certification Authority for renewing Veridium CA

Using a new CA certificate into Veridium Service require the usage of a pkcs12/pem/.p12 certificate.

Newly exported certificate will allow customer to use his own proprietary CA certificate in the network components or devices located between WAN and Veridium Servers.

All new devices certificates issued during the smartphone, workstations enrollment and authentication will use the updated certificate provided by the customer from his infrastructure.

Once the steps from this guide are performed, checking exported certificate should provide below features:

X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication

Steps to obtain certificate from CA or SubCA

  1. Connect with enterprise domain administrator rights to any of the trusted and online CA’s of the domain

    1. When online CA isn’t available, any of the trusted subCA’s of domain must be used.

  2. Open Certification Authority (certsrv.msc) from the domain controller

  3. Connect to CA or Subordinate CA’s

  4. Select CA or Sub CA → right click → All Tasks → Back up CA


    1. image-20230728-094508.png
    2. Press Next

      1. image-20230728-091650.png
    3. Select Private Key and CA certificate

    4. Select location folder where the certificate will be saved

      1. image-20230728-091920.png
    5. Press next

      1. image-20230728-092019.png
    6. Create a new strong password and press next

      1. image-20230728-092149.png
    7. Press finish to complete the process

    8. image-20230728-092244.png
    9. Certificate is available now to be imported into computer certificate store for later export of pkcs12 certificate

    10. This operation requires opening certlm.msc - Trusted Certification Authorities

    11. Idendify your CA or SubCA certificate → select it-> Right click → All Tasks → Export

      1. image-20230728-092548.png
    12. Press Next

      1. image-20230728-092634.png
    13. Select Base-64 x509 (.CER)

    14. Choose your export folder location and give a name for the file → Save

      1. image-20230728-092956.png
    15. Next

      1. image-20230728-093027.png
    16. Newly created certificate will be available for import

      1. image-20230728-093123.png
    17. Open certlm.msc → Personal Certificate store and import your certificate

      1. image-20230728-093341.png
    18. Select your certificate → Right Click → Export

      1. image-20230728-093429.png
    19. Select → Yes, export the private key

      1. image-20230728-093502.png
    20. Confirm PKCS12 information which will be included in the certificate → Press Next

      1. image-20230728-093537.png
    21. Assign a strong password and choose encryption AES256-SHA256 to your certificate then → Next

      1. image-20230728-093702.png
    22. Save the file by giving it a name → Next → Finish

      1. image-20230728-093754.png
    23. image-20230728-093909.png

      Communicate to Veridium team the new certificate and password to be imported into Veridium Servers

    24. Next steps will be performed on Veridium Servers and should be defined if not existent into other security devices of customer network ( such as import in F5/Netscaler etc)