Installing the ADCS Agent on another machine
The free version of certdog assumes that all components will be installed on the same machine. But if you wish to connect to a Microsoft CA on another domain (or from a non-domain connected machine), you will need to install the ADCS driver separately
To do this, you need to make some changes to the free version’s installation. We will re-install the database to make it accessible to external servers then install the ADCS driver on the new machine and configure it with the database URI
Un-install the Database
From your certdog installation
-
Open a new PowerShell window as Administrator and navigate to the
.\certdogfree\install
folder -
Run the following commands:
.\uninstall-db.ps1
When prompted, choose y to continue
.\reset-db.ps1
When prompted, choose y to continue
Edit Files with the new IP Address
Obtain the IP address of the server’s externally visible interface. This is the IP address that the external ADCS Agent will connect to. On Windows you can run ifconfig
to get this information. You will need this IP Address to plug-in to files in the next steps
Edit .\certdogfree\install\js\createreplicateset.js
Replace the default 127.0.0.1
IP Address with your server IP Address. For example, if your server IP was 192.55.13.17
the file would be updated from:
rs.initiate({_id: "replocal", members: [{_id: 0, host: "127.0.0.1:27017"}] })
rs.status
rs.status()
To this:
rs.initiate({_id: "replocal", members: [{_id: 0, host: "192.55.13.17:27017"}] })
rs.status
rs.status()
Save the file
- Edit:
cerdogfree\install\templates\mongod.template.nossl.cfg
Replace the default 127.0.0.1
bindIp address with 0.0.0.0
. E.g.
From:
net:
bindIp: 127.0.0.1
port: 27017
To this:
net:
bindIp: 0.0.0.0
port: 27017
Save the file
Re-Install the Database
From the PowerShell prompt, navigate to .\certdogfree\install
and run:
.\install-db.ps1
At the prompt: Download the database binaries (y/n)? (Choose n if you have previously downloaded)
Choose n
Continue through the prompts, entering the required details as for the original installation (note: the passwords do not need to match the original installation, all will be reset)
Obtain the connection string
Open the .\certdogfree\config\application.properties
file, it will look something like the following:
spring.data.mongodb.uri=mongodb://certmanuser:bFhvqunuZRdvCZK@127.0.0.1/certman
management.endpoint.info.enabled=true
management.endpoints.web.exposure.include=*
server.error.include-message=always
logging.level.root=FATAL
# Check for cert expiry at 2:15AM every day
# It you want to change this ensure the cron setting is correct else, you could produce
# many unwanted emails - or none at all...
certexpirycheck.cron=0 15 2 * * ?
The part we are interested in is the top line. i.e.:
spring.data.mongodb.uri=mongodb://certmanuser:bFhvqunuZRdvCZK@127.0.0.1/certman
We need the URI to configure the ADCS driver in the next step
Extract the string after the equals sign and replace the 127.0.0.1
IP address with your server’s IP address. For example, if your server’s IP address was 192.55.13.17
the string we want would be as follows:
mongodb://certmanuser:bFhvqunuZRdvCZK@192.55.13.17/certman
This string will be entered at the ADCS Driver next…
Install the ADCS Agent on the new machine
Download the ADCS stand-alone Installer from here
Unzip to a file on the new server
Open a PowerShell window and navigate to [unzipped location]\adcsdriver\
and run
.\install-certdog-adcs-service.ps1
The following output will be shown:
PS C:\certdogfree\adcsdriver> .\install-certdog-adcs-service.ps1
AD Certificate Services Agent
-----------------------------
Do you wish to install the ADCS agent on this machine (y/n)?: y
Installing Adcs agent from C:\certdog\adcsdriver\AdcsDriverInstaller.msi
Services installed OK
Configure Adcs Service
Enter the full database URL. E.g. 'mongodb://certmanuser:mypassword@localhost/certman'
Full Database URL:
When prompted to enter the full database URL, enter the string we obtained in the step above e.g.
Full Database URL: mongodb://certmanuser:bFhvqunuZRdvCZK@192.55.13.17/certman
The script will then continue:
Starting the service...
Service started OK
If the database URL changes, re-run this script
The certdog database will now be able to accept connections from the ADCS agent. Note: Firewall restrictions must allow the port 27017
If the ADCS agent does not register, attempt to telnet from the server to the certdog server IP address on port 27017 e.g.
telnet 192.55.13.17 27017
If this fails to connect, there is most likely a firewall restriction in place, at the network layer or on the server hosts. This must be relaxed for this port