Net iD Portal Installation Guide
1. Introduction
Net iD Portal is the software the XMS integrates with in order to obtain certificates for XoTs. Net iD Portal provides an API bridge, which in turn communicates with a Certificate Engine in its backend in order to get the certificates. XMS uses the microservice nip-manager in order to talk with this API bridge, which uses SOAP.
This guide explains how to install Net iD Portal on a Windows server hosted on Azure, using Microsoft’s Active Directory Certificate Services (AD CS) as the backing certificate engine. Note that it is possible to integrate towards other certificate authorities than Microsoft's.
1.1 Required installation files
-
netidsetup_v1.1.0.36_win_xer-001_lsa.zip
-
Net iD Portal - 0508057803.exe
2. Preparations before installing the portal
Before installation you will need an installation of Windows Server 2019 or later. This guide will assume that you already have access to such an installation.
2.1 Install Active Directory Domain Services (AD DS)
AD DS is needed prior to installing Microsoft Certificate Authority.
-
Start server manager. Select "Add roles and features" which starts a wizard.
-
Pick "Role-based or feature-based installation", and select the server itself in the list: 10.0.0.4.
-
Check the "Active Directory Domain Services" entry. A window will open, asking to install required features. Do that by clicking "Add Features". Then click "Next".
-
Just click next in the "Features" and "Active Directory Domain Services" screens. Confirm by clicking "Install". When installation is done, click "Close".
-
Click the flag with the exclamation mark and promote the server to a domain controller.
-
Deployment Configuration: Add a new forest. Fill in your .local domain name under Root domain name.
-
Domain Controller Options: Default settings. Set a DSRM password.
-
Ignore the DNS error and click Next.
-
Additional Options: Keep the NetBIOS name as is.
-
Paths: Keep defaults.
-
Review Options: Confirm and click Next.
-
Prerequisites Check: Install
2.2 Add Organizational Units (OU)
-
In server manager, open "Active Directory Users and Computers".
-
Right-click “\
.local” to create three Organizational Units; "\ " (without .local), and then "Service accounts" and "Users" below it. -
Create user “nipsvc” as a Service account. Generate a strong password for it, but don’t include quotes in it since that will crash the Net iD Portal installer. Configure the password to never expire.
-
Check that the user is member of Domain Users.
2.3 Install Active Directory Certificate Services
-
Start server manager. Select "Add roles and features" which starts a wizard.
-
Click next until you reach Select server roles.
-
Check “Active Directory Certificate Services”, confirm features that should be added in the pop-up by clicking “Add Features”.
-
Click Next.
-
Click Next in the Features and AD CS screens.
-
Keep “Certification Authority” as the only checked role service in the Role Services screen and click Next twice and then Install.
-
Close the wizard when installation is done.
-
Click the flag with the exclamation mark and select “Configure Active Directory Certificate Services on the destination server”.
-
In the wizard, click Next in the Credentials screen.
-
Select “Certification Authority” in Role Services and click Next.
-
Keep “Enterprise CA” selected, click Next.
-
Keep “Root CA” selected, click Next.
-
Keep “Create a new private key” selected, click Next.
-
Set key length to 4096 bits and otherwise use default settings in Cryptography screen.
-
Specify a common name (CN) for the CA. For instance “\
PoV CA v1”. -
Set the validity period to, say, 10 years.
-
Click Next until the Confirmation screen and click “Configure”.
-
Click Close.
-
Choose Tools in Server Manager and then "Certification Authority". Right-click the created CA and choose "Properties". Go to the "Security" tab and add the “nipsvc” user and set their permissions to allow “Read”, “Issue and Manage Certificates”, and “Request Certificates”. Click OK.
2.4 Install Internet Information Services (IIS)
-
Select "Add roles and features" under “Manage” in Server Manager.
-
Click next until you reach Select server roles.
-
Check “Web Server (IIS)” and confirm and add the features that are required. Click Next.
-
Click Next until you reach “Role Services”.
-
In addition to the already checked role services, also check “Application Development”, “.NET Extensibility 4.7”, “ASP.NET 4.7”, “ISAPI Extensions”, “ISAPI Filters”, “Management Tools”, “IIS Management Console”, “IIS 6 Management Compatibility”, “IIS 6 Metabase Compatibility”. Click Next.
-
Click Install.
-
Close the wizard when done.
-
Choose Tools → Internet Information Services (IIS) Manager
-
Expand nodes in the left pane to find “Default Web Site”.
-
Right-click it and choose Remove. Confirm removal by clicking Yes.
-
Right-click “Sites” and choose “Add Website…”
-
Set “Site name” to crl and “Host name” to crl.\
, and click OK to create the new site on port 80. -
Under MIME Type properties for the new site, add a new entry for “.cer”-files and set it to use MIME type “application/x-x509-ca-cert”.
2.5 Install SQL Express
-
Download SQL Express from Microsoft's site.
-
Start the installer, choose Basic in the first screen.
-
Install the database to the default location.
-
Click the “Install SSMS” button when installation has completed.
-
Continue the installation and restart when done.
-
Log in again, and start Microsoft SQL Server management Studio.
-
Click Connect to connect to the local database.
-
Right click Security in the left pane and select “New → Login…”.
-
Input the nipsvc account in the Login name field. Click OK.
-
Right click Databases in the left pane and select “New Database…”.
-
Enter “NiPDB” in Database name, set the database owner to nipsvc. Click OK to create it.
-
Do the same as above to create databases “NiPDB_log” and “NiPDB_logClient”.
2.6 Configure Certificate Revocation List (CRL) and Authority Information Access (AIA) extensions
-
Create the folder “C:\inetpub\wwwroot\crl”, used for publishing CRLs.
-
In Server Manager, choose Tools → Certification Authority.
-
Right click your CA certificate and choose “Properties”.
-
In the properties window, click the “Extensions” tab.
-
In the Select extension drop-down, if not already selected, choose “CRL Distribution Point (CDP)”.
-
Select the second item in the list box, the one starting with “ldap://”.
-
Uncheck the checkbox “Include in the CDP extension of issued certificates”.
-
Remove the third and forth items from the list box, the ones starting “http://” and “file://”.
-
Click “Add…” and add a location for “C:\inetpub\wwwroot\crl\\
\ \ .crl”. -
With the newly created file location selected, check “Publish CRLs to this location” and “Publish Delta CRLs to this location”.
-
Click “Add…” and add a location for “http://crl.\
/\ \ \ .crl”. (Note that \ should be replaced with the actual domain name, the other tags should be entered as is). -
With the newly created HTTP location selected, check “Include in CRLs. Clients use this to find Delta CRL locations.” and “Include in the CDP extension of issued certificates”.
-
In the Select extension drop-down, choose “Authority Information Access (AIA)”.
-
Select the second item in the list box, the one starting with “ldap://”.
-
Uncheck the checkbox “Include in the AIA extension of issued certificates“.
-
Remove the third and forth items from the list box, the ones starting “http://” and “file://”.
-
Click “Add…” and add a location for ”C:\inetpub\wwwroot\crl\\
_\ \ .cer”. -
Click “Add…” and add a location for ”http://crl.\
/\ _\ \ .cer”. (Note that \ should be replaced with the actual domain name, the other tags should be entered as is). -
With the newly created HTTP location selected, check the checkbox “Include in the AIA extension of issued certificates”.
-
Click OK.
-
When prompted, click Yes to restart Active Directory Certificate Services.
-
In Server Manager, choose Tools → Certification Authority.
-
Right-click on “Revoked Certificates”, choose “All Tasks” → “Publish”.
-
Confirm that a new CRL should be published and click OK.
-
Check that files were published to “C:\inetpub\wwwroot\crl”.
-
Start “certlm.msc”.
-
Find the created root CA, right-click it and choose “All Tasks” → “Export…”.
-
Do not export the private key and choose DER format.
-
Input “NetId.\
.local_\ ” as file name. -
Export the certificate as a file in “C:\inetpub\wwwroot\crl”.
2.7 Configuring Windows Certificate Authority templates
2.7.1 Net iD Portal Smartcard Logon
-
In Server Manager, choose Tools → Certification Authority.
-
Expand the CA in the left pane.
-
Right-click “Certificate Templates” and choose “Manage”.
-
In the new window, find the template called “Smartcard Logon”. Right-click it and choose “Duplicate Template”.
-
Go to the “General” tab.
-
In “Template display name”, enter “Net iD Portal Smartcard Logon”.
-
Set “Validity period” to 3 years.
-
-
Go to the “Request Handling” tab.
- Check “Include symmetric algorithms allowed by the subject”.
-
Go to the “Subject Name” tab.
-
Choose “Supply in the request” instead of “Build from this Active Directory information”.
-
Click OK in the warning message box that appears.
-
-
Go to the “Issuance Requirements” tab.
- Check “CA certificate manager approval”.
-
Go to the “Security” tab.
-
Add the nipsvc user to the list.
-
In addition to the Read permission, add Enroll as an allowed permission.
-
-
Click OK.
-
Close the Certificate Templates Console Window and go back to the Certificate Templates folder for the Certificate Authority.
-
Right-click some empty space in the right pane and select New → Certificate Template to Issue.
-
Select “Net iD Portal Smartcard Logon” and click OK.
2.7.2 Net iD Portal Web Server UPN
-
In Server Manager, choose Tools → Certification Authority.
-
Expand the CA in the left pane.
-
Right-click “Certificate Templates” and choose “Manage”.
-
In the new window, find the template called “Web Server”. Right-click it and choose “Duplicate Template”.
-
Go to the “General” tab.
- In “Template display name”, enter “Net iD Portal Web Server UPN”.
-
Go to the “Issuance Requirements” tab.
- Check “CA certificate manager approval”.
-
Go to the “Security” tab.
-
Add the nipsvc user to the list.
-
In addition to the Read permission, add Enroll as an allowed permission.
-
-
Go to the “Extensions” tab.
-
Select “Application Policies” and click “Edit…”.
-
Click “Add…”.
-
Select “Client Authentication” and click OK.
-
-
Click OK.
-
Close the Certificate Templates Console Window and go back to the Certificate Templates folder for the Certificate Authority.
-
Right-click some empty space in the right pane and select New → Certificate Template to Issue.
-
Select “Net iD Portal Web Server UPN” and click OK.
2.7.3 Net iD Portal Web Server ECC
-
In Server Manager, choose Tools → Certification Authority.
-
Expand the CA in the left pane.
-
Right-click “Certificate Templates” and choose “Manage”.
-
In the new window, find the template called “Web Server”. Right-click it and choose “Duplicate Template”.
-
Go to the “General” tab.
- In “Template display name”, enter “Net iD Portal Web Server ECC”.
-
Go to the “Compatibility” tab.
-
Change “Certification Authority” to “Windows Server 2016”.
-
Click OK in the pop-up.
-
Change “Certificate Recipient” to “Windows 10 / Windows Server 2016”.
-
Click OK in the pop-up.
-
-
Go to the “Cryptography” tab.
-
Change “Provider Category” to “Key Storage Provider”.
-
Change “Algorithm name” to “ECDH_P256”.
-
Select “Requests must use one of the following providers:”
-
Check “Microsoft Software Key Storage Provider”.
-
Set “Request Hash” to “SHA256”.
-
-
Go to the “Issuance Requirements” tab.
- Check “CA certificate manager approval”.
-
Go to the “Security” tab.
-
Add the nipsvc user to the list.
-
In addition to the Read permission, add Enroll as an allowed permission.
-
-
Go to the “Extensions” tab.
-
Select “Application Policies” and click “Edit…”.
-
Click “Add…”.
-
Select “Client Authentication” and click OK.
-
-
Click OK.
-
Close the Certificate Templates Console Window and go back to the Certificate Templates folder for the Certificate Authority.
-
Right-click some empty space in the right pane and select New → Certificate Template to Issue.
-
Select “Net iD Portal Web Server ECC” and click OK.
2.8 Configure CA according to Net iD Portal requirements
-
Open cmd.exe as an Administrator.
-
Paste the following into the command interpreter
certutil -setreg policy\\EditFlags +EDITF\_ATTRIBUTEENDDATE
certutil -setreg policy\\EditFlags +EDITF\_REQUESTEXTENSIONLIST
certutil -setreg policy\\EditFlags +EDITF\_BASICCONSTRAINTSCRITICAL
certutil -setreg policy\\EditFlags +EDITF\_ATTRIBUTESUBJECTALTNAME2
certutil -setreg ca\\CRLFlags +CRLF\_ALLOW\_REQUEST\_ATTRIBUTE\_SUBJECT
certutil -setreg ca\\EnforceX500NameLengths 0
certutil -setreg ca\\validityPeriodUnits 5
3. Net iD Client
3.1 Installing Net iD Client
-
Download the zip-file below.
-
Forward it to the RDP connection with a shared folder.
-
In the Windows VM, create a folder “C:\tesmp” and move the zip-file there.
-
Extract the contents of the zip-file in the same directory.
-
Start netidsetup.exe and install the software.
3.2 Configuring Net iD Client
-
Open regedit.
-
Navigate to “Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Pointsharp\NetiD\Client\Plugin\AllowURL”.
-
Add a new String Value.
-
Give it the next number as name, and set its value to: “https://nip.\
,full“. -
Do the same again for “https://netid.\
,full”.
4. Installing Net iD Portal
-
Download the installer below.
-
Run the Net iD Portal installer.
-
Select the service account, input its password.
-
In “Select SSL Certificate” choose, for now, the NetiD host certificate.
-
Use default SQL database settings.
-
Fill in Organization details. Name, organizational number (if available, else 0) and domain suffix.
-
Organization certificate, pick the same certificate as the one chosen for SSL.
-
In “Select your CA certificate” pick your CA, and enter localhost for IP/DNS.
-
Click Next in “Certificate Templates” without filling anything in.
-
Continue the wizard to start the installation.
-
Finish the database and IIS installation.
-
Store the one-time password (OTP) safely. It is needed for login.
-
Finish the installation wizard.
-
Go to IIS and start the server for Net iD Portal.
4.1 Login to Net iD Portal
-
Open Edge, go to nip.\
. -
In the right hand corner for the browser, turn on the Net iD Client extension.
-
Click on “Administration”.
-
Enter OTP to login.
5. Configuring Net iD Portal
After a successful installation of Net iD Portal, it starts out in a bootstrap mode, in which it is possible to log in using a one-time password (OTP). The idea is that one should configure the system with a proper user as SuperAdmin, which is using a Yubikey to login. After that the system can exit the bootstrap mode and the OTP will be disabled.
To login to the portal (regardless of using OTP or not), a Net iD Client software is required. On the system used to login, the software should be installed and the browser extension should be activated. The client software we’ve been provided is only available for Windows, which requires us to use Windows in order to interact with the portal. The browser software and extension
5.1 Configure certificate templates
5.1.1 Net iD Portal Smartcard Login
-
Go to the Administration tab.
-
Select “Certificate templates”.
-
Click “Manage” at the bottom, then “Certificate template - Create”.
-
Select “SmartCard User”, then Execute.
-
Fill in the following and click Execute to create the template.
| Name | Net iD Portal Smartcard Logon |
| Type | Client |
| CA service: Certificate template name | Net iD Portal Smartcard Logon |
| Validity value | 2 Years |
| Asymmetric key algorithm | RSA |
| Hash algorithm | SHA256 |
| Key parameter | 0x800 |
| Key usage | 0xA0 |
| UseRecover | False |
| SubjectName: Common name (CN) | {internal.user.displayname} |
| SubjectAltName otherName: msUPN (User Principal Name) | {internal.user.uniquename} |
| Additional info | \ |
5.1.2 Net iD Portal Web Server ECC
-
Go to the Administration tab.
-
Select “Certificate templates”.
-
Click “Manage” at the bottom, then “Certificate template - Create”.
-
Select “Web Server”, then Execute.
-
Fill in the following and click Execute to create the template.
| Name | Net iD Portal Web Server ECC |
| Type | Server |
| CA service: Certificate template name | Net iD Portal Web Server ECC |
| Validity value | 2 Years |
| Asymmetric key algorithm | ECDH |
| Hash algorithm | SHA256 |
| Key parameter | secp521r1 |
| Key usage | 0x88 |
| SubjectName: Common name (CN) | {internal.server.displayname} |
Paste the following XML into the In “Additional task info” box at the bottom
<?xml version="1.0" encoding="utf-8"?>
<TaskInfo>
<TaskType Id="300" Name="EnrollServer">
<Task>
<ActionList>
<ActionObj>
<GroupId />
<UserId />
<DateTime />
<Signature />
<RequireSignature>true</RequireSignature>
<Type>
<Id>100</Id>
<Name>InputGeneric</Name>
</Type>
<Server>
<PrepareList />
<ExecuteList>
<ExecuteObj>
<Id>303</Id>
<Name>EnrollServer</Name>
</ExecuteObj>
</ExecuteList>
</Server>
<Info>
<InputFieldList>
<InputFieldObj>
<Id>SubjectCommonName</Id>
<Name>SubjectCommonName</Name>
<Type>Text</Type>
<Help />
<Value />
<ValueList />
<Policy>json:{"Required":{}}</Policy>
<ReadOnly>false</ReadOnly>
</InputFieldObj>
<InputFieldObj>
<Id>SubjectOrganizationUnitNames</Id>
<Name>SubjectOrganizationUnitNames</Name>
<Type>Text</Type>
<Help />
<Value />
<ValueList />
<Policy />
<ReadOnly>false</ReadOnly>
</InputFieldObj>
<InputFieldObj>
<Id>SubjectOrganizationName</Id>
<Name>SubjectOrganizationName</Name>
<Type>Text</Type>
<Help />
<Value />
<ValueList />
<Policy />
<ReadOnly>false</ReadOnly>
</InputFieldObj>
<InputFieldObj>
<Id>SubjectLocality</Id>
<Name>SubjectLocality</Name>
<Type>Text</Type>
<Help />
<Value />
<ValueList />
<Policy />
<ReadOnly>false</ReadOnly>
</InputFieldObj>
<InputFieldObj>
<Id>SubjectCountry</Id>
<Name>SubjectCountry</Name>
<Type>Text</Type>
<Help />
<Value />
<ValueList />
<Policy />
<ReadOnly>false</ReadOnly>
</InputFieldObj>
<InputFieldObj>
<Id>SubjectAltNameDns</Id>
<Name>SubjectAltNameDns</Name>
<Type>Text</Type>
<Help />
<Value />
<ValueList />
<Policy />
<ReadOnly>false</ReadOnly>
</InputFieldObj>
</InputFieldList>
<ParameterList>
<ParameterObj>
<Id>CertificateTemplateId</Id>
<Value />
</ParameterObj>
</ParameterList>
</Info>
</ActionObj>
<ActionObj>
<GroupId />
<UserId />
<DateTime />
<Signature />
<RequireSignature>false</RequireSignature>
<Type>
<Id>4</Id>
<Name>Download</Name>
</Type>
<Server>
<PrepareList>
<PrepareObj>
<Id>60</Id>
<Name>InitializeDownload</Name>
<Type>IssuedPkcs12</Type>
</PrepareObj>
</PrepareList>
<ExecuteList />
</Server>
<Info>
<InputFieldList>
<InputFieldObj>
<Id>DataType</Id>
<Name>DataType</Name>
<Type>Text</Type>
<Help />
<Value />
<ValueList />
<Policy>json:{"Required":{}}</Policy>
<ReadOnly>true</ReadOnly>
</InputFieldObj>
<InputFieldObj>
<Id>DataPassword</Id>
<Name>DataPassword</Name>
<Type>Password</Type>
<Help />
<Value />
<Policy>json:{"Required":{}}</Policy>
<ReadOnly>true</ReadOnly>
</InputFieldObj>
<InputFieldObj>
<Id>DataValue</Id>
<Name>DataValue</Name>
<Type>Textarea</Type>
<Help />
<Value />
<Policy>json:{"Required":{}}</Policy>
<ReadOnly>true</ReadOnly>
</InputFieldObj>
</InputFieldList>
</Info>
</ActionObj>
</ActionList>
</Task>
</TaskType>
<TaskType Id="301" Name="EnrollServerPkcs10">
<Task>
<ActionList>
<ActionObj>
<GroupId />
<UserId />
<DateTime />
<Signature />
<RequireSignature>true</RequireSignature>
<Type>
<Id>100</Id>
<Name>InputGeneric</Name>
</Type>
<Server>
<PrepareList>
<PrepareObj>
<Id>50</Id>
<Name>CertificateTemplateList</Name>
<Type>CertificateTemplateServer</Type>
<Field>CertificateTemplateId</Field>
</PrepareObj>
</PrepareList>
<ExecuteList></ExecuteList>
</Server>
<Info>
<InputFieldList>
<InputFieldObj>
<Id>CertificateTemplateId</Id>
<Name>CertificateTemplate</Name>
<Type>List</Type>
<Help />
<Value />
<ValueList />
<Policy>json:{"Required":{}}</Policy>
<ReadOnly>false</ReadOnly>
</InputFieldObj>
<InputFieldObj>
<Id>Pkcs10</Id>
<Name>Pkcs10</Name>
<Type>Textarea</Type>
<Help />
<Value />
<Policy>json:{"Required":{}}</Policy>
<ReadOnly>false</ReadOnly>
</InputFieldObj>
</InputFieldList>
</Info>
</ActionObj>
<ActionObj>
<GroupId>5</GroupId>
<UserId />
<DateTime />
<Signature />
<RequireSignature>true</RequireSignature>
<Type>
<Id>100</Id>
<Name>InputGeneric</Name>
</Type>
<Server>
<PrepareList>
<PrepareObj>
<Id>80</Id>
<Name>ParsePkcs10</Name>
<Type />
<Field>CSR</Field>
</PrepareObj>
</PrepareList>
<ExecuteList>
<ExecuteObj>
<Id>304</Id>
<Name>EnrollServerPkcs10</Name>
</ExecuteObj>
</ExecuteList>
</Server>
<Info>
<InputFieldList>
<InputFieldObj>
<Id>Pkcs10</Id>
<Name>Pkcs10</Name>
<Type>Textarea</Type>
<Help />
<Value />
<Policy>json:{"Required":{}}</Policy>
<ReadOnly>true</ReadOnly>
</InputFieldObj>
<InputFieldObj>
<Id>CSR</Id>
<Name>RequestSubject</Name>
<Type>Text</Type>
<Help />
<Value />
<Policy />
<ReadOnly>true</ReadOnly>
</InputFieldObj>
</InputFieldList>
<ParameterList>
<ParameterObj>
<Id>CertificateTemplateId</Id>
<Value />
</ParameterObj>
</ParameterList>
</Info>
</ActionObj>
<ActionObj>
<GroupId />
<UserId />
<DateTime />
<Signature />
<RequireSignature>false</RequireSignature>
<Type>
<Id>4</Id>
<Name>Download</Name>
</Type>
<Server>
<PrepareList>
<PrepareObj>
<Id>60</Id>
<Name>InitializeDownload</Name>
<Type>IssuedCertificate</Type>
</PrepareObj>
</PrepareList>
<ExecuteList />
</Server>
<Info>
<InputFieldList>
<InputFieldObj>
<Id>DataType</Id>
<Name>DataType</Name>
<Type>Text</Type>
<Help />
<Value />
<ValueList />
<Policy>json:{"Required":{}}</Policy>
<ReadOnly>true</ReadOnly>
</InputFieldObj>
<InputFieldObj>
<Id>DataValue</Id>
<Name>DataValue</Name>
<Type>Textarea</Type>
<Help />
<Value />
<Policy>json:{"Required":{}}</Policy>
<ReadOnly>true</ReadOnly>
</InputFieldObj>
</InputFieldList>
</Info>
</ActionObj>
</ActionList>
</Task>
</TaskType>
</TaskInfo>
5.1.3 Net iD Portal Web Server UPN
-
Go to the Administration tab.
-
Select “Certificate templates”.
-
Click “Manage” at the bottom, then “Certificate template - Create”.
-
Select “Web Server”, then Execute.
-
Fill in the following and click Execute to create the template.
| Name | Net iD Portal Web Server UPN |
| Type | Server |
| CA service: Certificate template name | Net iD Portal Web Server UPN |
| Asymmetric key algorithm | RSA |
| Hash algorithm | SHA256 |
| Key parameter | 0x800 |
| Key usage | 0xA0 |
| SubjectName: Common name (CN) | {internal.server.displayname} |
Paste the following XML into the In “Additional task info” box at the bottom
<?xml version="1.0" encoding="utf-8"?>
<TaskInfo>
<TaskType Id="300" Name="EnrollServer">
<!-->EnrollPKCS12<-->
<Task>
<ActionList>
<ActionObj>
<GroupId />
<UserId />
<DateTime />
<Signature />
<RequireSignature>true</RequireSignature>
<Type>
<Id>100</Id>
<Name>InputGeneric</Name>
</Type>
<Server>
<PrepareList />
<ExecuteList>
<ExecuteObj>
<Id>303</Id>
<Name>EnrollServer</Name>
</ExecuteObj>
</ExecuteList>
</Server>
<Info>
<InputFieldList>
<InputFieldObj>
<Id>SubjectCommonName</Id>
<Name>SubjectCommonName</Name>
<Type>Text</Type>
<Help />
<Value>svcXertifiedNipApiXX</Value>
<ValueList />
<Policy>json:{"Required":{}}</Policy>
<ReadOnly>false</ReadOnly>
</InputFieldObj>
<InputFieldObj>
<Id>SubjectOrganizationUnitNames</Id>
<Name>SubjectOrganizationUnitNames</Name>
<Type>Text</Type>
<Help />
<Value>559211-3251</Value>
<ValueList />
<Policy />
<ReadOnly>false</ReadOnly>
</InputFieldObj>
<InputFieldObj>
<Id>SubjectOrganizationName</Id>
<Name>SubjectOrganizationName</Name>
<Type>Text</Type>
<Help />
<Value>Xertified AB</Value>
<ValueList />
<Policy />
<ReadOnly>false</ReadOnly>
</InputFieldObj>
<InputFieldObj>
<Id>SubjectLocality</Id>
<Name>SubjectLocality</Name>
<Type>Text</Type>
<Help />
<Value>Stockholm</Value>
<ValueList />
<Policy />
<ReadOnly>false</ReadOnly>
</InputFieldObj>
<InputFieldObj>
<Id>SubjectCountry</Id>
<Name>SubjectCountry</Name>
<Value>SE</Value>
<Type>List</Type>
<ValueList>
<ValueObj>
<Id>SE</Id>
<Name>SE</Name>
</ValueObj>
</ValueList>
<Help />
<Policy />
<ReadOnly>false</ReadOnly>
</InputFieldObj>
<InputFieldObj>
<Id>SubjectEmail</Id>
<Name>SubjectEmail</Name>
<Type>Email</Type>
<Help />
<Value />
<ValueList />
<Policy>json:{"Email":{}}</Policy>
<ReadOnly>false</ReadOnly>
</InputFieldObj>
<InputFieldObj>
<Id>SubjectAltNameUPN</Id>
<Name>SubjectAltNameUPN</Name>
<Type>Text</Type>
<Help />
<Value>svcXertifiedNipApiXX@netidcloud.com</Value>
<ValueList />
<Policy>json:{"Required":{}}</Policy>
<ReadOnly>false</ReadOnly>
</InputFieldObj>
</InputFieldList>
<ParameterList>
<ParameterObj>
<Id>CertificateTemplateId</Id>
<Value />
</ParameterObj>
</ParameterList>
</Info>
</ActionObj>
<ActionObj>
<GroupId />
<UserId />
<DateTime />
<Signature />
<RequireSignature>false</RequireSignature>
<Type>
<Id>4</Id>
<Name>Download</Name>
</Type>
<Server>
<PrepareList>
<PrepareObj>
<Id>60</Id>
<Name>InitializeDownload</Name>
<Type>IssuedPkcs12</Type>
</PrepareObj>
</PrepareList>
<ExecuteList />
</Server>
<Info>
<InputFieldList>
<InputFieldObj>
<Id>DataType</Id>
<Name>DataType</Name>
<Type>Text</Type>
<Help />
<Value />
<ValueList />
<Policy>json:{"Required":{}}</Policy>
<ReadOnly>true</ReadOnly>
</InputFieldObj>
<InputFieldObj>
<Id>DataPassword</Id>
<Name>DataPassword</Name>
<Type>Password</Type>
<Help />
<Value />
<Policy>json:{"Required":{}}</Policy>
<ReadOnly>true</ReadOnly>
</InputFieldObj>
<InputFieldObj>
<Id>DataValue</Id>
<Name>DataValue</Name>
<Type>Textarea</Type>
<Help />
<Value />
<Policy>json:{"Required":{}}</Policy>
<ReadOnly>true</ReadOnly>
</InputFieldObj>
</InputFieldList>
<ParameterList>
<ParameterObj>
<Id>ExtraConfirmation</Id>
<Value>true</Value>
</ParameterObj>
</ParameterList>
</Info>
</ActionObj>
</ActionList>
</Task>
</TaskType>
</TaskInfo>
5.2 Create server certificate for XMS
-
Create an XMS API user in AD.
- Call the account name xms@\
- Call the account name xms@\
-
Go to the Users tab.
-
Search for the XMS user.
-
Click it, then Execute. This creates the user in the portal.
-
Click Manage → Assign user privileges.
-
Add the SuperAdmin user group and click Execute. (Note: such a strong role is not needed for XMS. Consider restricting this to a limited user group, and if successful, update this documentation accordingly.)
-
Go to the Server tab.
-
Manage → Create Server
-
Give it a name, for instance XMS API, and create it.
-
In the server information pane, click the Manage button for the newly created server and choose “Enroll for server certificate token”.
-
Choose “Net iD Portal Web Server UPN” as the Certificate template and click Execute.
-
Fill in
-
SubjectName: Common name (CN) xms-\
-
SubjectName: Country (C) SE
-
SubjectAltNameUPN: xms@\
-
-
Click Execute.
-
Save the certificate by clicking Save.
-
Click Execute.
-
I clicked Yes in the popup.
5.3 Turn off TimerService
-
Go to the Administration tab.
-
Select “General settings”, then “Net iD Portal”. Click Show.
-
Click Manage → Reconfigure general settings.
-
In TimerService settings, edit the XML to use the correct uploader path: “C:\Program Files\Pointsharp\Net iD\Server\Portal\TimerServiceUploader”
-
Then, in the same UploaderModule module, change TimerSeconds to 0.
-
Click Execute.
5.4 Upload license file
-
Go to the Administration tab.
-
Choose Manage → Licence - Upload
-
Paste the license file into the text box.
-
Click Execute.
5.5 Setup Yubikey
5.5.1 Modify the token template
-
Go to the Administration tab.
-
Select “Token template”, and then “Standard YubiKey”. Click Show.
-
In the pane that appears to the right, click the Manage button at the bottom right and select “Reconfigure token template”.
-
Under “Certificate template”, select “Net iD Portal Smartcard Logon”.
-
Set the validity years (min, default, and max) to equal the validity value that was set for the “Net iD Portal Smartcard Logon” certificate template.
-
Click Execute.
5.5.2 Enable token enrollment
-
Go to the Administration tab.
-
Select Organization, then your organization name, and click Show.
-
In the pane that appears to the right, click the Manage button at the bottom right and select “Reconfigure organization”.
-
In the box Additional info, modify the XML so that TaskType with id 124 and name EnrollUserTabletStd, has Officer set to true instead of false.
-
Click Execute.
5.5.3 Create user and enroll
-
Create the user that should have super user privileges in AD. Make sure it has a Last Name, otherwise Net iD Portal will not permit you to create the user as a shadow user.
-
Go to the Users tab in the portal.
-
Search for the user, and then select it in the search box in the center of the page.
-
Confirm the properties for the user in the “Create the user” step, and click Execute to create the shadow user.
-
Click Manage → Assign user privileges.
-
Add the SuperAdmin user group and click Execute.
-
Click Manage → Enroll primary YubiKey.
-
Click Execute with “Standard YubiKey” chosen.
-
Pick a 6-digit pin and click Execute.
5.6 Organization certificate
One use of the organization certificate in Net iD Portal is to encrypt the communication between the client and the GUI. If this certificate expires, it won’t be possible to access the GUI without modifying the database. It is therefore important to keep this certificate up to date.
This is a manual procedure, which is done in the GUI. A new certificate can be created on the Windows CA machine, for instance based on the Web Server template. A validity period of 2 years and 2048-bit RSA should be reasonable. This can then be uploaded in Net iD Portal.
The organization certificate set with the instructions above will expire one year after installation. Keep that in mind.