Custom Certificate Templates

This document describes how to create a custom Active Directory certificate template on a Windows server and then configure the HYPR Workforce Access Client application to use the certificate when a user registers or authenticates on a Windows workstation. There are three main steps in this process:

Create a Certificate Template on the Server
Issue the Certificate Template on the Server
Configure HYPR to Use the Certificate on the Workstation

Before you begin, verify that:

  • Active Directory Certificate Services are deployed within the domain
  • Your account on the Windows server has privileges to modify the Certificate Authority settings
  • The HYPR Workforce Access Client application is already installed on the workstation

Create a Certificate Template on the Server

  1. Log into the Windows server that performs the Certificate Authority role, either directly or via a remote desktop client.
  2. Open the Microsoft Management Console (MMC).
  3. In the console, select File>Add/Remove Snap-in...
603603
  1. Use the Add > button to add Certificate Templates to the list of selected snap-ins then click OK to save the change.
452452
  1. Open the Certificate Templates snap-in, right-click on the User template, and select Duplicate Template.
603603
  1. In the Properties of New Template window, go to the General tab and change the following settings:

Parameter

Value

Template display name

Any name that will let you identify this as a HYPR template. For example:

HYPR Windows

Template name

By default, MMC will use the Template display name without any spaces. You can change the name, but make a note of the value since you’ll need it later to set up the HYPR Workforce Access client on each workstation.

Publish certificate in Active Directory

You can leave this either checked or unchecked

271271
  1. Go to the Request Handling tab and change the following settings:

Parameter

Value

Purpose

Signature and encryption

Allow private key to be exported

Checked

Prompt the user during enrollment

Selected

271271
  1. Go to the Subject Name tab and change the following settings:

Parameter

Value

Build from this Active Directory information

Checked

Subject name format

None

User principal name (UPN)

Checked

271271
  1. Go to the Extensions tab and edit Application Policies so that the only listed policies are Client Authentication and Smart Card Logon. (Remove any default policies as necessary.)
271271
  1. Go to the Cryptography tab and verify the Minimum key size. HYPR supports a minimum of 1024-bit encryption but recommends you use 2048-bit RSA private keys.
271271
  1. Select OK to close the Properties of New Template window and create the template.

Issue the Certificate Template on the Server

  1. On the Windows Server, open the Certification Authority console.
  2. In the left navigation pane, right-click on the machine name and select Properties.
498498
  1. Go to the Policy Module tab, click the Properties... button, and make sure the "Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate" option is checked for Request Handling.
461461
  1. Back in the left navigation pane, right-click on Certificate Templates and select New>Certificate Template to Issue.
497497
  1. In the Enable Certificate Templates list, locate the HYPR certificate template you created above. Highlight the template name and click OK to publish it.
392392

Configure HYPR to Use the Certificate on the Workstation

To configure HYPR to use the new certificate, you need to modify HYPR’s Certificate Template registry setting on each workstation where the HYPR Workforce Access Client application is installed.

This example uses Regedit to set the value locally. Please refer to the Installation and Configuration page for instructions on how to update the registry as part of a silent installation.

  1. Open Regedit on the workstation where the HYPR Workforce Access Client is installed.

Important: Before making any changes, back up the registry for safety.

  1. Locate the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\HYPR Workforce Access

  1. Edit the Certificate Template value and change the data field to the name of the HYPR certificate template you created. Make sure you use the template name (for example, “hyprwin” without spaces), not the template display name (“HYPR Windows”).
635635
  1. Close Regedit and restart the computer.
  2. Open the HYPR Workforce Access Client and register a new device to confirm the registration is using the new certificate template.