This is the fifth part of a seven-part series explaining and setting up a two-tier PKI with Windows Server 2016 in an enterprise SMB setting. Master of the arena witcher 3.
*Note* (16 May 2017): This page is currently in progress, is unfinished, and likely contains errors. I published it in this state due to time constraints, and will be working on it over the next week until it’s finished.
Because of the long time period between part 4 and part 5, I had to recreate my demonstration lab. Everything is functionally the same, but you may notice some different IPs or other minor changes.
Part 1 (Informational)
Part 2 (Getting Started & IIS Web Server Configuration) Part 3 (Standalone Offline Root CA Configuration) Part 4 (Enterprise CA Configuration) >>> Part 5 (Distributing Certificates & AutoEnrollment) <<< Part 6 (Additional Configuration) Part 7 (Troubleshooting & Clean-up)
To help with the layout and navigation of these longer pages, use the Table of Contents below:
Table of Contents
Now that you have the IIS, Root CA, and Enterprise CA servers basically set up, it’s time to create or distribute certificates to users and devices. But, before we can do that, we must create the templates from which the certificates will be made.
There’s a ton of reasons you would want to distribute user and computer certificates, and a ton of certificate templates you could configure. To name a few popular examples, you could have a template for the following purposes:
If you are a small or even medium size business, require a simple PKI, and don’t want to deal with the extra administration of multiple certificates, you could combine them a little if you are using strong encryption algorithms. This of course depends on a number of factors, so don’t just go ahead and do it…
For example, lets say that due to new email security concerns, you need to require that all emails from company users are digitally signed and encrypted. You could do that with a single certificate. Best practice may suggest that you use separate certificates; one for digital signatures, and one for email encryption. You don’t have to. Will it matter? Not likely, but it can.
However, your company may have legal reasons to do so, and may be required to separate them! You may also be high-risk. Always find out first! The main reason for separating them is to spread risk. If your encryption key was compromised, not only could the attacker decrypt your emails, but they could also impersonate you by using the same key to digitally sign emails as you! The same idea goes for whatever else the certificate is used for. Another two reasons, are that you may also want to set certain certificates to expire sooner or later than others… or for archival (escrow) purposes. There are definitely other reasons, but for now you get my point.
For the purpose of keeping this guide simple and still useful, I’ll guide you through creating a single template for email (digital signatures and encryption) certificates, and a template for one-off Web Server SSL certificates. Once you can do these, you can easily make and distribute certificates for any purpose, such as those listed a bit above.
Creating your (S/MIME) Certificate Template
On the server issuingCA, we will duplicate a preexisting user certificate template and configure it to our needs for digitally signing and encrypting email.
Duplicate a user certificate template
Publishing your (S/MIME) Certificate Template
Publishing a certificate template makes it available for use. To publish your above S/MIME certificate template (or any other certificate template), follow the below steps.
Autoenrollment will not automatically hand out certificates to users until we create and configure a GPO that is distributed to all domain computers. But before we do that, we need to enable private key archiving.
… article in progress …
Nothing really wrong with that plan, it would work, but I would recommend setting up a two tier PKI with an offline root so you can keep using this PKI in the future for other applications without having to worry about rebuilding it because it's not secure enough. Global co2 emissions 2018.
If you take a look at this guide, the steps and configuration are going to be the same as doing it in 2016.
2012R2 PKI Setup
I've set this up in 2016 a couple of times and it was basically identical to the 2012R2 process. Keep in mind that you can't use web enrollment to request version 3 certificate templates, so if you use those you will have to request/issue them from the Certificates MMC.
Windows Server 2016 Essentials Remove Certificate AuthorityHow to Install Enterprise CA on Windows Server 2016
In this blog post, I’ll show you How to Install Enterprise CA on Windows Server 2016, Microsoft Active Directory Certificate Services Role and Install an Enterprise Certificate Authority also known as Enterprise CA.
When configuring your CA role for the first time, you will be presented with a big choice. Do you want this CA server to be an enterprise CA or a standalone CA?
Let’s start with the enterprise CA. As the wizard will tell you, an enterprise CA server must be a member of your domain and these certificate servers typically stay online so that they can issue certificates to computers and users who need them.
When creating an enterprise CA, your templates and some certificate-specific information is able to store itself within Active Directory, which makes integration between certificates and the domain tighter and more
beneficial. Installation Procedure for Enterprise CA on Windows Server 2016
These days, Enterprise CA Is a standard role any environment needs because It helps us secure the Network by Issuing trusted certificates to Web Server, Applications, and Computer.
When we Install Enterprise CA, The CA allows Domain Joined Applications, Web Servers, etc to easily receive a trusted certificate from the CA that will not prompt Domain Joined Users and Computer for Security warnings.
To get started, Open Server Manager and Add the Active Directory Certificate Services Role
Click Next
Select the 4 Role Services blow
Wait for post-deployment task to appear
Start the Configuration wizard and select the two tix boxes blow
Select Enterprise CA
Select Root CA
Select SHA256 also known as SHA2
Select validity period
Done
Comments are closed.
|
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |