Description
Class E certificates are issued by a Microsoft Active Directory integrated CA. The class E certificate clients are internal computer systems that are integrated into the Active Directory of the Federal Administration (INTRA, ADR forests).
Computer systems outside these forests (UNIX systems or workgroup computers) can also obtain a certificate from this CA by means of manual enrolment, provided these machines do not have a public trust. The templates provided for this purpose are listed under system certificates. The signature algorithm used is sha256/RSA. The SFAO and the FDFA each operate their own issuing CA in their forests.
Class E certificates are generally part of the systems that use them and cannot be requested individually as standard; this option is only available with Atlantica (see the "Virtual Windows servers" factsheet).
Function: Machine certificates
- System certificates
For certificates with the extended key usages (EKU) client authentication, server authentication and client/server authentication, three certificate templates are provided per EKU:
auto: auto-enrolment of certificates
ManAPP: manual enrolment of certificates with manager approval
noManAPP: manual enrolment of certificates without manager approval
Instructions for manual enrolment of class E system certificates are available via the link at the bottom of the page. There is also an overview of the possible class E system certificates.
- Kerberos authentication (domain controller)
These certificates allow a domain controller to authenticate itself to other computers and users. They are primarily used for smart card logon in the Active Directory domain.
- SSL web server (not publicly trusted)
You can find this information under Class C certificates – Standard.
- Workstation authentication
You can find this information under Class C certificates – Standard.
- ConfigMgr OS deployment
You can find this information under Class C certificates – Standard.
- NPS network policy server
You can find this information under Class C certificates – Standard.
- Remote desktop computer
The keys and certificates issued under this certificate policy provide a TLS 1.0 security level, which allows the identity of the remote desktop session host to be verified and the communication between the remote desktop session host and the client to be encrypted.
- ArmasuisseTBA
The keys and certificates issued under this certificate policy enable Windows and Office products to be activated in specific environments using token-based activation (TBA).
- DC IPSec
The keys and certificates issued under this certificate policy allow the backup data of domain controllers to be transmitted over encrypted network connections.
Function: User certificates
- Code signing
The keys and certificates issued under this certificate policy allow binaries to be signed, so that the installation of unauthorised software can be prevented.
- DC basic EFS
The keys and certificates issued under this certificate policy are used to encrypt backups of selected domain controllers.
- DC EFS recovery agent
The keys and certificates issued under this certificate policy are used to decrypt backups of selected domain controllers in case of emergency.
Grade/quality of certificate issuance: Medium (administrative procedure)
Users: Machines/users
Storage medium certificate: Soft certificate (in machine or user profile)
Condition: None
Purchase
The certificate request is implicitly included in the order to create or change an account or to add a computer system to a Windows Active Directory domain of the Federal Administration (INTRA and FDFA forests).
The issuing process is based on the Microsoft Enterprise PKI functionality that provides automatic registration and issuance (auto-enrolment). Permissions on the defined certificate templates, together with group memberships and Group Policy Objects (GPOs), determine in detail which users and computer systems receive a given certificate.
Only the SSL web server certificates and ConfigMgr OS Deployment certificates must be requested individually by the server administrator via an electronic request, because their names have to be specified.
A procedure with manual enrolment is provided for obtaining system certificates for machines outside the forests (UNIX servers or workgroup servers), as listed below. These machines must not have a public trust. Such certificates are issued only by the CA Admin-CCE-Intra01.
Realisation and implementation
The issuance and management of class E PKI certificates are based on a two-tier hierarchical infrastructure:
The task of the first-level RootCA Admin-CC-Root01 is to validate the certificates of the second-level certification authorities.
The issuing CAs at the second level generate, validate, publish and manage the certificates of the certificate owners:
- Admin-CCE-Intra01 for the INTRA forest
- Admin-CCE-EDA01 for the FDFA forest
- Admin-CCE-EFK01 for the SFAO forest
- Admin-CCE-ADR01 for the ADR forest
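The auto-enrolment/template description under "Purchase" and the two-tier hierarchy described here can be checked from an enrolled machine. The following PowerShell script is an added example, not part of the Swiss Government PKI page or its documentation: it inventories the certificates in the local machine store, reads the certificate template extension written by an enterprise CA, lists the EKUs, and builds the chain to confirm that it ends at the root CA named on this page via one of the listed issuing CAs, with sha256RSA as the signature algorithm. It assumes it runs on a domain-joined Windows host, that the CA common names equal the CA names listed above, and that the store path `Cert:\LocalMachine\My` is the one of interest.

```powershell
# Added example, not the Swiss Government PKI's own script.
# Assumption: the CA common names in the certificates match the names on the page.
$IssuingCAs = @('Admin-CCE-Intra01', 'Admin-CCE-EDA01', 'Admin-CCE-EFK01', 'Admin-CCE-ADR01')
$RootCA     = 'Admin-CC-Root01'
$ExpectedSignatureAlg = 'sha256RSA'

# OIDs of the enterprise CA template extensions: v2+ "Certificate Template
# Information" and the legacy v1 "Certificate Template Name".
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'
$TemplateNameOid = '1.3.6.1.4.1.311.20.2'

function Get-ClassECertificateReport {
    param([string]$StorePath = 'Cert:\LocalMachine\My')   # assumed store of interest

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_

        # Template extension; Format($false) renders it as a one-line string such as
        # "Template=<name or OID>, Major Version Number=..., Minor Version Number=..."
        $templateExt = $cert.Extensions |
            Where-Object { $_.Oid.Value -in $TemplateInfoOid, $TemplateNameOid } |
            Select-Object -First 1
        $template = if ($templateExt) { $templateExt.Format($false) } else { '(no template extension)' }

        # Build the chain from the local stores; revocation is skipped so that the
        # inventory works offline (use Online/Offline mode for a real validation).
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainBuilds = $chain.Build($cert)

        $issuerCN = $cert.GetNameInfo('SimpleName', $true)
        $rootCN = ''
        if ($chain.ChainElements.Count -gt 0) {
            $rootCN = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.GetNameInfo('SimpleName', $false)
        }
        $sigAlg = $cert.SignatureAlgorithm.FriendlyName

        [pscustomobject]@{
            Subject      = $cert.GetNameInfo('SimpleName', $false)
            Thumbprint   = $cert.Thumbprint
            Template     = $template
            EKU          = ($cert.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', '
            SignatureAlg = $sigAlg
            IssuingCA    = $issuerCN
            ChainDepth   = $chain.ChainElements.Count   # 3 = leaf, issuing CA, root (two-tier)
            ChainBuilds  = $chainBuilds
            NotAfter     = $cert.NotAfter
            # True only when the chain matches the hierarchy described on the page.
            IsClassE     = ($IssuingCAs -contains $issuerCN) -and
                           ($rootCN -eq $RootCA) -and
                           ($sigAlg -eq $ExpectedSignatureAlg) -and
                           ($chain.ChainElements.Count -eq 3)
        }
    }
}

Get-ClassECertificateReport | Sort-Object NotAfter | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so that the machine store is readable; certificates whose `IsClassE` column is false either come from another CA, have a chain of unexpected depth, or use a signature algorithm other than the sha256/RSA stated on this page, and are worth a second look before assuming auto-enrolment is working as intended.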
Forms/Ordering
- Please send us the respective form via Remedy MAC using the Remedy Requester Console.
- Remedy MAC Path: Zertifikate und Authentisierungsmittel / Zertifikate Klasse E Zertifikate Klasse E (Windows PKI) / (select desired MAC)
- Antragsformular für Code Signing Zertifikate der Swiss Government PKI Klasse E (Windows PKI) (PDF, 719 kB, 24.01.2024)
- Revokationsantrag für Code Signing Zertifikate der Swiss Government PKI Klasse E (Windows PKI) (PDF, 78 kB, 24.01.2024)
- Ticketformular Revokation Klasse E Maschinenzertifikate (DOC, 221 kB, 24.01.2024)
Documentation
- Anleitung: Manuelles Enrollment Zertifikate Klasse E System - Templates (PDF, 1 MB, 24.01.2024)
- Klasse E System Templates (PDF, 46 kB, 24.01.2024)
- Manuelles Enrollment Domain Controller Zertifikate (PDF, 94 kB, 24.01.2024), template BVerwE-KerberosAuthentication-via PKI
- Scripts domain controller enrollment (ZIP, 1 kB, 24.01.2024)
Class E certificate permission
Please submit a request for class E certificate permission by creating a ticket containing the following information:
- Domain (ADR, INTRA, etc.)
- Group name (e.g. US-intraCA-nonManApp-BIT-BS-BSC-BA)
- Reference user (user who already has this permission)
- Permission for: person or machine (server or client)