Step-by-Step: Installing AD Certificate Services and Creating a Code Signing Certificate for App Attach



1. Install Active Directory Certificate Services:

Every MSIX/Appx package used with App Attach must be signed with a code signing certificate that the AVD session hosts trust. You can obtain one from an internal enterprise certificate authority such as Active Directory Certificate Services; because an enterprise CA publishes its root certificate through Active Directory, domain-joined session hosts trust it without any extra distribution step. Export the code signing certificate together with its private key, since the private key is what actually signs the packages.

1. Open Server Manager and click Add Roles and Features.


2. Click Next.



3. Go with Role-based or feature-based installation. Click Next.



4. Make sure the correct server is selected; in this walkthrough it is the domain controller. Installing the CA on a DC is fine for a lab, but in production put the CA on a dedicated member server: a CA on a DC cannot be demoted without removing the CA first, and a compromise of either role becomes a compromise of both. Click Next.



5. Select Active Directory Certificate Services. When the wizard prompts to add the required management tools, click Add Features.


6. Click Next.



7. Leave the defaults as is. Click Next.


8.  Read the information provided and click Next.


9. Under Role Services, select only Certification Authority; it is the only role service needed to issue the code signing certificate used by App Attach in AVD (Web Enrollment, Online Responder and NDES are not required). Click Next.



10. Click Install.


11. Click Close.



2. Configure Active Directory Certificate Services:


1. Navigate to the Notifications icon, then click Configure Active Directory Certificate Services.


2. Because we are logged on to the AD VM with the domain Administrator account, that account is selected by default. In the forest root domain this account is a member of Enterprise Admins, which is required to install an enterprise CA because the CA must write to the Configuration partition. Click Next.


3. Only the Certification Authority role service is available; the others are greyed out because they were not installed. Select it and click Next.


4. Select Enterprise CA. An enterprise CA integrates with Active Directory, which is what lets it use certificate templates and issue the code signing certificate required for AVD App Attach to domain accounts. Click Next.

5. Select Root CA as this is the first Certificate Authority in the environment. It will be the top of the trust hierarchy and can issue certificates directly. Click Next.



6. Keep the default as is. Go with "Create a new private key". Click Next.


7. Microsoft Software Key Storage Provider with RSA 2048 and SHA-256 (the wizard defaults) is a safe, compatible choice for the CA that issues the AVD App Attach code signing certificate. Do not drop back to SHA-1. If this CA will outlive the lab, consider an HSM-backed provider instead of the software KSP so the root key cannot be copied off the server. Click Next.


8. Keep the default names as is. Click Next.


9. Keep the default validity period for the CA certificate (5 years). Click Next.


10. Specify the database and log location as the default path unless you have specific performance or security requirements to change it. Click Next.


11. Click Configure.


12. Click Close. The CA service (CertSvc) is now running and the CA is registered in Active Directory.
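The same installation and configuration (sections 1 and 2) can be done from PowerShell. The following is an added example and not part of the original walkthrough; it assumes an elevated session on the server chosen in step 4, an account in Enterprise Admins, and a placeholder CA common name where the wizard would generate <domain>-<host>-CA.

```powershell
# Added example (not from the original article): installs and configures an
# Enterprise Root CA with the same choices the wizard steps above make
# (Certification Authority role service only, Microsoft Software KSP, RSA 2048,
# SHA-256, 5-year validity, default database and log paths).
# Assumptions: elevated PowerShell on the target server, run by an Enterprise
# Admin. The CA common name below is a placeholder.
#Requires -RunAsAdministrator

# Section 1: add the AD CS role with only the Certification Authority role
# service (the equivalent of step 9) plus its management tools.
$feature = Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
if (-not $feature.Success) {
    throw "AD CS role installation failed with exit code $($feature.ExitCode)"
}

# Section 2: configure the CA. Wizard step -> parameter:
#   steps 4 and 5  Enterprise CA, Root CA      -> -CAType EnterpriseRootCA
#   step 6         Create a new private key    -> cmdlet default
#   step 7         Software KSP / RSA 2048 / SHA-256
#   step 9         validity period             -> 5 years (wizard default)
#   step 10        database and log location   -> wizard default paths
$caParams = @{
    CAType              = 'EnterpriseRootCA'
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = 2048
    HashAlgorithmName   = 'SHA256'
    CACommonName        = 'corp-DC01-CA'   # placeholder for the wizard's generated name
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 5
    DatabaseDirectory   = "$env:SystemRoot\system32\CertLog"
    LogDirectory        = "$env:SystemRoot\system32\CertLog"
    Force               = $true
}
Install-AdcsCertificationAuthority @caParams

# Checks a practitioner would run before moving on to the templates:
# the CA service is up, and the CA answers requests.
Get-Service -Name CertSvc | Select-Object Name, Status, StartType
certutil -ping
```

`certutil -ping` should report that the CA interface is alive; if it does not, check the CertSvc service and the Application event log before creating templates, because template publication in section 4 requires a running enterprise CA.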


3. Create the Code Signing Certificate:

1. On the Server Manager dashboard, click on Tools and then on Certification Authority.
    

2. Expand the CA. Right click on Certificate Templates and click on Manage.



3. Right click on Code Signing and click on Duplicate Template.


 
4. Under the General tab, give a suitable name for Template display name.  Keep the default value for the validity period. Click Apply.


    
5. Under the Security tab, select Domain Admins and check the box for Enroll. Leave the other default entries as they are and click Apply. Grant Enroll only to the group that actually signs packages; never add it for broad principals such as Domain Users or Authenticated Users. Anyone who can enroll from this template obtains a code signing certificate, with an exportable private key, that every domain-joined session host trusts.

    
6. Under Request Handling, for Purpose, select Signature. Check the box for Allow private key to be exported; this is required so the certificate can later be exported as a PFX and used wherever the packages are signed. Treat that PFX as a secret. Click Apply and then OK.


7. You may close the Certificate Templates console.

4. Issue the template:


1. Right-click Certificate Templates, then select New > Certificate Template to Issue.

 
2. Select the template we just created and click on OK.


3. Once done, the template we created appears under Certificate Templates.


4. You may close the Certification Authority console. The CA is now issuing the template, and an account with Enroll permission can request the code signing certificate and export it with its private key.
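After sections 3 and 4 it is worth verifying that the template carries the settings you chose, that nobody beyond the intended group can enroll, and then completing the task the introduction asks for: enrolling for the certificate and exporting it with its private key. The following is an added example, not code from the original walkthrough. It assumes the ActiveDirectory and PKI PowerShell modules are available (for instance on the CA host with RSAT), that it runs as an account with Enroll on the template, and that the template display name and PFX path are placeholders.

```powershell
# Added example (not from the original article): audits the duplicated
# code-signing template from sections 3 and 4, then enrolls for a certificate
# and exports it with its private key as the introduction requires.
# Assumptions: ActiveDirectory and PKI modules present, run on or near the CA
# host, caller has Enroll on the template. Names and paths are placeholders.
#Requires -Modules ActiveDirectory
$templateDisplayName = 'AVD App Attach Code Signing'          # placeholder
$pfxPath             = "$env:USERPROFILE\Desktop\appattach-signing.pfx"

# Well-known values used by AD CS for template permissions and flags.
$EnrollRight            = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollRight        = [guid]'a05b8cc2-17bc-11d2-91bd-00c04f79dc55'
$CodeSigningEku         = '1.3.6.1.5.5.7.3.3'
$CT_FLAG_EXPORTABLE_KEY = 0x10   # bit in msPKI-Private-Key-Flag set by "Allow private key to be exported"
$rights                 = [System.DirectoryServices.ActiveDirectoryRights]

# 1. Locate the template object in the Configuration partition.
$configNC  = (Get-ADRootDSE).configurationNamingContext
$container = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$template  = Get-ADObject -SearchBase $container -Filter "displayName -eq '$templateDisplayName'" `
                -Properties pKIExtendedKeyUsage, 'msPKI-Private-Key-Flag', nTSecurityDescriptor
if (-not $template) { throw "Template '$templateDisplayName' not found under $container" }

# 2. Confirm the section 3 settings actually took.
if ($template.pKIExtendedKeyUsage -notcontains $CodeSigningEku) {
    throw 'Template lacks the Code Signing EKU; it was not duplicated from Code Signing.'
}
$exportable = ($template.'msPKI-Private-Key-Flag' -band $CT_FLAG_EXPORTABLE_KEY) -ne 0
Write-Host "Code Signing EKU present; private key exportable: $exportable"

# 3. List who can enroll. With an exportable key, every enroller can mint a
#    signing certificate that all domain-joined session hosts trust, so flag
#    broad principals.
$broadPrincipals = 'Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone'
$enrollers = $template.nTSecurityDescriptor.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (
        $_.ActiveDirectoryRights.HasFlag($rights::GenericAll) -or
        ($_.ActiveDirectoryRights.HasFlag($rights::ExtendedRight) -and
         ($_.ObjectType -eq $EnrollRight -or $_.ObjectType -eq $AutoEnrollRight -or $_.ObjectType -eq [guid]::Empty))
    )
}
foreach ($ace in $enrollers) {
    $name = $ace.IdentityReference.Value
    $warn = if ($broadPrincipals | Where-Object { $name -eq $_ -or $name -like "*\$_" }) { '  <-- too broad' } else { '' }
    Write-Host ("Enroll: {0} ({1}){2}" -f $name, $ace.ActiveDirectoryRights, $warn)
}

# 4. Confirm the CA publishes the template (section 4), then enroll and export.
if (-not (certutil -CATemplates | Select-String -SimpleMatch $template.Name)) {
    throw "CA is not issuing template '$($template.Name)'; complete section 4 first."
}
$result = Get-Certificate -Template $template.Name -CertStoreLocation 'Cert:\CurrentUser\My'
if ($result.Status -ne 'Issued') { throw "Enrollment status: $($result.Status)" }
$cert = $result.Certificate

# The PFX holds the key that signs every App Attach package: use a strong
# password and keep the file out of images, shares and source trees.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
Write-Host "Exported $($cert.Thumbprint) to $pfxPath"
```

If the Enroll listing shows anything beyond the group you chose in section 3, step 5 (plus the Enterprise Admins and Domain Admins entries the built-in Code Signing template carries), fix the template's Security tab before issuing any packages signed with this certificate.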











