Install and configure DigiCert MCARS service
DigiCert®'s Microsoft Certificate Authority Remoting Service (MCARS) is a Windows® service that allows DigiCert® Trust Lifecycle Manager to discover, enroll, and revoke certificates from a Microsoft CA.
MCARS also reports revocations that are performed directly on the Microsoft CA, synchronizing this information with Trust Lifecycle Manager to ensure you always have access to the latest information.
Prerequisites
On the Microsoft CA server:
Microsoft Windows Server 2019 or later.
Microsoft Active Directory Certificate Services (AD CS) installed.
Java 8 (64-bit) Java Runtime Environment (JRE) installed, with the JAVA_HOME environment variable defined and pointing at the JRE bin folder. Commercial Java distributions such as Oracle JRE should only be used with the appropriate license in the production environment; otherwise use an open-source distribution like OpenJDK.
Firewall port open for the DigiCert MCARS service. The MCARS service uses port 7443 by default, but this can be modified during the configuration process.
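The prerequisite checks above can be scripted. The following is an added example, not DigiCert's code, that runs from an elevated PowerShell prompt on the Microsoft CA server: it checks the OS build, the AD CS role, the JAVA_HOME runtime (64-bit Java 8) and creates the inbound firewall rule for the MCARS port if it is missing. The rule name and the port value are assumptions; change the port if you later move MCARS off 7443 in config.properties.

```powershell
# Added example (not DigiCert's code): verify MCARS prerequisites and open the
# inbound port. Run from an elevated PowerShell prompt on the CA server.
$McarsPort = 7443                          # assumption: the default MCARS port
$RuleName  = 'DigiCert MCARS (inbound)'    # assumption: rule name, pick your own

$problems = @()

# Windows Server 2019 or later (build 17763 is Server 2019)
$os = Get-CimInstance Win32_OperatingSystem
if ([int]$os.BuildNumber -lt 17763) {
    $problems += "Unsupported OS build $($os.BuildNumber): Windows Server 2019 or later is required."
}

# AD CS certification authority role installed
if (-not (Get-WindowsFeature ADCS-Cert-Authority).Installed) {
    $problems += 'AD CS role (ADCS-Cert-Authority) is not installed.'
}

# JAVA_HOME defined and pointing at a 64-bit Java 8 runtime. The page says
# JAVA_HOME points at the JRE bin folder; a JRE root is tolerated here as well.
if (-not $env:JAVA_HOME) {
    $problems += 'JAVA_HOME is not defined.'
} else {
    $java = @("$env:JAVA_HOME\java.exe", "$env:JAVA_HOME\bin\java.exe") |
        Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $java) {
        $problems += "No java.exe found under JAVA_HOME ($env:JAVA_HOME)."
    } else {
        # 'java -version' writes to stderr, so merge the streams before matching
        $ver = (& $java -version 2>&1) -join ' '
        if ($ver -notmatch 'version "1\.8\.') { $problems += "Java 8 required, found: $ver" }
        if ($ver -notmatch '64-Bit')         { $problems += "64-bit JRE required, found: $ver" }
    }
}

# Inbound firewall rule for the MCARS port; create it only if it does not exist
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $McarsPort -Action Allow -Profile Domain | Out-Null
    Write-Host "Created inbound firewall rule '$RuleName' for TCP $McarsPort."
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host 'All MCARS prerequisites are satisfied.'
```

The rule is limited to the Domain profile; if you know the source addresses the Trust Lifecycle Manager CA connector will use, add -RemoteAddress to New-NetFirewallRule so the MCARS port is not reachable from the whole network.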
Before you begin
Before installing the DigiCert MCARS service, configure the Microsoft CA server and set up a service user account to use with MCARS.
1. Download MCARS
Start by downloading the DigiCert MCARS software from Trust Lifecycle Manager:
From the Trust Lifecycle Manager main menu, select Resources > Client Tools.
Select the tile for Microsoft CA Remoting Service (MCARS) - Windows Installer.
Select the download icon on the right side of the download page.
Save the MCARS installer to your Microsoft CA server.
2. Install MCARS
Use the downloaded MCARS installer to install and launch the service on your Microsoft CA server:
Run the MCARS installer.exe file as an administrator on the Microsoft CA server.
Follow the on-screen steps to install and launch the DigiCert MCARS service.
3. Update the MCARS configuration file
The configuration file for DigiCert MCARS is found at C:\ProgramData\Mocana\TrustCenter MCARS\conf\config.properties.
Available configuration parameters are listed below. Most of these can be left at their default values. However, make sure to update at least the auth.username and auth.password parameters.
The values you supply for auth.username and auth.password will be configured on the CA connector in Trust Lifecycle Manager and used to connect to the MCARS service to support the Microsoft CA integration.
| Parameter | Description |
|---|---|
| auth.username | Username for basic authentication by the Trust Lifecycle Manager CA connector. |
| auth.password | Password for basic authentication by the Trust Lifecycle Manager CA connector. The entered password will be hashed after the MCARS service restarts to hide its true value. |
| | Type of authentication. Leave as default value (basicAuth). Reserved for future extension. |
| | The port on which MCARS listens for certificate requests. Default is 7443. |
| | Location of the MCARS logs directory. |
| | Location of the MCARS log configuration file, which defines the verbosity of logging and other logging parameters. |
| | The password used to access the keystore that contains the TLS certificate and private key for MCARS. |
| | Name of the key in the MCARS keystore. |
| | The password used to decrypt the private key from the MCARS keystore. |
| | Location of the PKCS12-formatted keystore that contains the TLS certificate and corresponding private key used by the MCARS service. |
Important
To apply changes you make to the MCARS configuration file, restart the MCARS service either from the Windows Services control panel or through the TCMCARS.exe application in the C:\Program Files\Mocana\TrustCenter MCARS\bin folder.
4. Update the MCARS service parameters
Update the startup behavior and user account settings for the MCARS service:
In the Windows Services control panel, double click on the TrustCenter MCARS service to launch the Properties panel for it.
In the General tab, change the value of the Startup type field to Automatic (Delayed Start) to start MCARS after other Windows services.
In the Log On tab, select This account. Enter the username and password for the service user you created for the MCARS service.
Select OK to apply your changes.
(Optional) If your Microsoft server has multiple Java Virtual Machines (JVMs) installed, and the default is not Java 8, update the Java settings for the MCARS service:
Launch the TCMCARS.exe application in the C:\Program Files\Mocana\TrustCenter MCARS\bin folder.
In the Java tab, clear the "Use default" option and specify the path to the jvm.dll file for Java 8.
5. Configure MCARS file permissions
Configure the security properties for the MCARS configuration file and logs directory to add the MCARS service user with the required permissions:
Right-click on the MCARS configuration file (C:\ProgramData\Mocana\TrustCenter MCARS\conf\config.properties) and select Properties.
In the Security tab, add the service user you created for the MCARS service. Assign this user the following permissions:
Modify
Read & execute
Read
Write
Right-click on the MCARS logs directory (default location C:\ProgramData\Mocana\TrustCenter MCARS\logs) and select Properties.
In the Security tab, add the service user you created for the MCARS service. Assign this user the following permissions:
Modify
Read & execute
List folder contents
Read
Write
6. Restart the MCARS service
At this point, you have completed the DigiCert MCARS installation and configuration.
Restart the MCARS service from the Windows Services control panel to make sure it has all the updated settings.
Important
If the MCARS service fails immediately upon launch, check to make sure you configured the MCARS file permissions correctly with the service user account you created for MCARS operation.
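Steps 4 to 6 can also be done from an elevated PowerShell prompt instead of the Services control panel. The block below is an added example, not DigiCert's code. The display name "TrustCenter MCARS" and the two paths come from this page; the service account name is an assumption, and its password is prompted for rather than stored in the script.

```powershell
# Added example (not DigiCert's code): steps 4 to 6 from elevated PowerShell.
$ServiceUser = 'CORP\svc-mcars'   # assumption: the service account created before installing MCARS
$ConfigFile  = 'C:\ProgramData\Mocana\TrustCenter MCARS\conf\config.properties'
$LogsDir     = 'C:\ProgramData\Mocana\TrustCenter MCARS\logs'

# Resolve the real service name from the display name shown in services.msc
$svc     = Get-Service -DisplayName 'TrustCenter MCARS' -ErrorAction Stop
$svcName = $svc.Name

# Step 4: delayed automatic start and the logon account. sc.exe needs the space
# after '=' and, unlike the Services panel, does not grant the account the
# 'Log on as a service' right; grant that separately (Local Security Policy or GPO).
$cred = Get-Credential -UserName $ServiceUser -Message 'MCARS service account password'
sc.exe config $svcName start= delayed-auto | Out-Null
sc.exe config $svcName obj= $ServiceUser password= $cred.GetNetworkCredential().Password | Out-Null

# Step 5: file permissions. icacls 'M' (Modify) is the union of Read & execute,
# Read and Write, and with (OI)(CI) on the directory it also covers List folder
# contents, which is the permission set step 5 lists. Other ACEs are left alone.
icacls $ConfigFile /grant "${ServiceUser}:(M)"       | Out-Null
icacls $LogsDir    /grant "${ServiceUser}:(OI)(CI)M" | Out-Null

# Step 6: restart, then confirm the service is still up and running as the
# intended account (it exits at once if the ACLs above are wrong).
Restart-Service -Name $svcName
Start-Sleep -Seconds 10
$state   = (Get-Service -Name $svcName).Status
$runsAs  = (Get-CimInstance Win32_Service -Filter "Name='$svcName'").StartName
if ($state -ne 'Running') {
    Write-Warning "MCARS is $state; re-check the permissions on $ConfigFile and $LogsDir and the service logon rights."
    exit 1
}
Write-Host "MCARS ($svcName) is running as $runsAs."
```

The script grants only the service account the rights step 5 asks for; it does not widen the existing ACLs, so the config file, which holds the connector credentials and keystore passwords, stays readable only by administrators and the service account.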
Verify MCARS service operation
You can verify the MCARS installation through its API. Using Postman or a similar API testing tool, connect to the below MCARS endpoints to verify its operation.
Substitute in the IP address for your local Microsoft CA server, along with the port number configured for MCARS (port 7443 by default). Send the username and password from the MCARS configuration file as 'basic authentication' parameters in each request.
GET https://10.2.3.4:7443/service/version
Should respond with the current DigiCert MCARS version if the service is up and running and you sent the correct username and password.
If you get an access denied response, check to make sure you have the correct username and password, as specified in the MCARS configuration file. This is the username and password you will use to add the CA connector in Trust Lifecycle Manager.
GET https://10.2.3.4:7443/certificate/templates
Should respond with an array of Microsoft certificate templates.
If you get an access denied response, make sure you are sending the correct username and password from the MCARS configuration file, as verified with the /service/version endpoint.
If you still get access denied, make sure the security group for MCARS has been added to the Microsoft CA server configuration with Issue and Manage Certificates and Request Certificates permissions.
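The two checks above can be run without Postman. The following is an added example, not DigiCert's code, that calls both endpoints with HTTP basic authentication and distinguishes an access denied response from other failures. The host, port and credentials are assumptions: use your CA server's address, the MCARS port from config.properties, and its auth.username / auth.password values.

```powershell
# Added example (not DigiCert's code): verify the MCARS API with basic auth.
$McarsHost = '10.2.3.4'   # assumption: address of the Microsoft CA server
$McarsPort = 7443         # assumption: MCARS port from config.properties
$cred = Get-Credential -Message 'auth.username / auth.password from config.properties'

# Build the Authorization header by hand so this also works on Windows
# PowerShell 5.1, which has no Invoke-RestMethod -Authentication Basic.
$pair    = '{0}:{1}' -f $cred.UserName, $cred.GetNetworkCredential().Password
$headers = @{ Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair)) }

function Invoke-McarsGet([string]$Path) {
    $uri = "https://${McarsHost}:${McarsPort}$Path"
    try {
        return Invoke-RestMethod -Uri $uri -Method Get -Headers $headers -TimeoutSec 15
    } catch {
        $status = $_.Exception.Response.StatusCode.value__
        if ($status -eq 401 -or $status -eq 403) {
            Write-Warning "$Path returned HTTP $status (access denied): check auth.username/auth.password; for /certificate/templates also check the CA permissions of the MCARS security group."
        } else {
            Write-Warning "$Path failed: $($_.Exception.Message)"
        }
        return $null
    }
}

# 1. Service is up and the credentials are accepted
$version = Invoke-McarsGet '/service/version'
if ($version) { Write-Host "MCARS version: $($version | ConvertTo-Json -Compress)" }

# 2. MCARS can read the CA's certificate templates
$templates = Invoke-McarsGet '/certificate/templates'
if ($templates) {
    Write-Host "Templates visible to MCARS: $(@($templates).Count)"
    @($templates) | ConvertTo-Json -Depth 3
}
```

If the MCARS keystore holds a self-signed TLS certificate, both calls fail with a certificate trust error before authentication happens; import that certificate into the machine's Trusted Root store on the workstation you test from (or, for a one-off test on PowerShell 7, add -SkipCertificateCheck to Invoke-RestMethod) rather than disabling TLS validation globally.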
What's next
After configuring the Microsoft CA server and installing and configuring the DigiCert MCARS service on it, you are ready to complete the integration by adding a Microsoft CA connector in Trust Lifecycle Manager.