660 likes | 960 Views
Configuring Active Directory Certificate Services. Lesson 13. Skills Matrix. Skills Matrix. Installing Active Directory Certificate Services. Log on to the CA member server as the default administrator of the lucernepublishing.com domain.
E N D
Installing Active Directory Certificate Services • Log on to the CA member server as the default administrator of the lucernepublishing.com domain. • If the Server Manager console does not appear automatically, click the Start button. • Select Server Manager from the Start menu. Lesson 13
Installing Active Directory Certificate Services (cont.) • Expand the Server Manager console to full screen, if necessary. • In the left pane, click the Roles node. • In the right pane, click Add Role. • Click Next to bypass the initial welcome screen. Lesson 13
Installing Active Directory Certificate Services (cont.) • Place a checkmark next to Active Directory Certificate Services, and click Next. • Read the information presented, and click Next. • Place a checkmark next to Certification Authority, and click Next. • Select the Enterprise radio button, and click Next. Lesson 13
Installing Active Directory Certificate Services (cont.) • Select the Root CA type radio button, and click Next. • Select the Create a new private key radio button, and click Next. • Accept the default values, and click Next. • Accept the default value, and click Next. Lesson 13
Installing Active Directory Certificate Services (cont.) • Accept the default value of 5 years, and click Next. • Accept the default values, and click Next. • Verify that your selections are correct, and click Install. • Click Close to complete the installation. Lesson 13
Configuring Certificate Revocation • Part A: Install the Online Responder • Log on to CA as the default administrator of the lucernepublishing.com domain. • Click the Start button, and then select Server Manager. • Drill down to RolesActive Directory Certificate Services. Lesson 13
Configuring Certificate Revocation (cont.) • Right-click Active Directory Certificate Services, and select Add Role Services. • Place a checkmark next to Online Responder. • Click Add Required Role Services, and then click Next to continue. • Read the informational message concerning the installation of the Web Server role, and click Next. Lesson 13
Configuring Certificate Revocation (cont.) • Accept the default IIS features to install, and click Next. • Click Install to install the Online Responder role service. • Click Closewhen prompted. Lesson 13
Configuring Certificate Revocation (cont.) • Part B: Configure the CA to support the Online Responder • In the left pane within Server Manager, drill down to RolesActive Directory Certificate ServicesCertificate Templates. Lesson 13
Configuring Certificate Revocation (cont.) • Right-click the OCSP Response Signing template. • Click Properties. • Click the Security tab, and click Add. • Click Object Types. Lesson 13
Configuring Certificate Revocation (cont.) • Place a checkmark next to Computers,and then click OK. • Key CA,and then click OK. • Place a checkmark next to Enroll and Autoenroll in the Allow column, and then click OK. Lesson 13
Configuring Certificate Revocation (cont.) • Drill down to RolesActive Directory Certificate Serviceslucernepublishing-CA-CACertificate Templates. • Right-click the Certificate Templates folder, and click NewCertificate Template to Issue. • Select the OCSP Response Signing certificate template, and click OK. Lesson 13
Configuring Certificate Revocation (cont.) • Part C: Establish a revocation configuration for the Certification Authority • In the left pane of Server Manager, navigate to RolesActive Directory Certificate Services Online Responder: CARevocation Configuration. • Right-click Revocation Configuration, and click Add Revocation Configuration. Lesson 13
Configuring Certificate Revocation (cont.) • Read the information on the Getting Started screen, and then click Next. • Key LUCERNEPUBLISHING-CA-REV, and click Next. • Verify that the Select a certificate for an Existing enterprise CA radio button is selected, and then click Next. Lesson 13
Configuring Certificate Revocation (cont.) • Verify that the Browse CA certificates published in Active Directory screen option is selected, and then click Browse. • Confirm that the lucernepublishing-CA-CA certificate is selected, and then click OK. • Click Next to continue. Lesson 13
Configuring Certificate Revocation (cont.) • Verify that the Automatically select a signing certificate radio button is selected. • Verify that a checkmark is next to Auto-enroll for an OCSP signing certificate. • Click Next, and then click Finish to configure the revocation configuration. Lesson 13
Configuring Certificate Revocation (cont.) • Navigate to lucernepublishing-CA-CAIssued Certificates. • Confirm that an OCSP Response Signing Certificate has been issued to the certification authority. Lesson 13
Configuring Certificate Templates • Log on to CA as the default administrator of the lucernepublishing.com domain. • Click Start, and then select Server Manager. • In the left pane, expand the Roles node, the Active Directory Certificate Services node, and the Certificate Templates node. Lesson 13
Configuring Certificate Templates (cont.) • To create a new certificate template to allow user autoenrollment, right-click the User template. • Click Duplicate Template. • Select Windows Server 2008, Enterprise Edition, and click OK. Lesson 13
Configuring Certificate Templates (cont.) • On the General tab, key LUCERNEPUBLISHING-User-Cert in the Template Display Name text box. • Verify that a checkmark is next to the Publish certificate in Active Directory option. Lesson 13
Configuring Certificate Templates (cont.) • Click the Security tab. • Click Domain Users, and then place a checkmark next to Read, Enroll, and Autoenroll. • Click the Subject Name tab. • Remove the checkmark next to the Include e-mail name in subject name option. Lesson 13
Configuring Certificate Templates (cont.) • In the Include this information in the alternate subject name section, remove the checkmark next to E-mail name. • Click the Superseded Templates tab, and click Add. • Select the built-in User certificate template, and then click OK twice to continue. Lesson 13
Configuring Certificate Templates (cont.) • Right-click the Computer template, and click Duplicate Template. • Select Windows Server 2008, Enterprise Edition, and click OK. • On the General tab, key LUCERNEPUBLISHING-Computer-Cert in the Template Display Name text box. Lesson 13
Configuring Certificate Templates (cont.) • Verify that a checkmark is next to the Publish certificate in Active Directory option. • Click the Security tab. • Click Domain Computers, and then place a checkmark next to Read, Enroll, and Autoenroll. Lesson 13
Configuring Certificate Templates (cont.) • Click the Superseded Templates tab, and click Add. • Select the built-in Computer certificate template, and then click OK twice to continue. • Right-click the Web server template, and click Duplicate Template. Lesson 13
Configuring Certificate Templates (cont.) • Select Windows Server 2008, Enterprise Edition, and click OK. • On the General tab, key LUCERNEPUBLISHING-WebServer-Cert in the Template Display Name text box. • Verify that a checkmark is next to the Publish certificate in Active Directory option. Lesson 13
Configuring Certificate Templates (cont.) • Click the Security tab, and click Add. • Click Object Types. • Place a checkmark next to Computers,and then clickOK. • Key CA,and then clickOK. Lesson 13
Configuring Certificate Templates (cont.) • Place a checkmark next to Enroll and Autoenroll in the Allow column. • Click the Superseded Templates tab, and click Add. • Select the built-in Web Server certificate template, and then click OK twice to continue. Lesson 13
Configuring Certificate Templates (cont.) • Drill down to RolesActive Directory Certificate Serviceslucernepublishing-CA-CACertificate Templates. • Right-click the Certificate Templates folder, and click NewCertificate Template to Issue. Lesson 13
Configuring Certificate Templates (cont.) • Click LUCERNEPUBLISHING-User-Cert, and click OK. • Repeat the previous two steps to configure the CA to issue the LUCERNEPUBLISHING-Computer-Cert and LUCERNEPUBLISHING-WebServer-Cert certificate templates. Lesson 13
Managing Certificate Enrollment • Part A: Configure Certificate Autoenrollment in the LUCERNEPUBLISHING.COM domain • Log on to RWDC01 as the default administrator of the lucernepublishing.com domain. • Click the Start button, Administrative Tools, and then Group Policy Management. Lesson 13
Managing Certificate Enrollment (cont.) • Drill down to Forest: lucernepublishing.comDomainsDomain: lucernepublishing.comGroup Policy ObjectsDefault Domain Policy. • Right-click the Default Domain Policy, and then click Edit. Lesson 13
Managing Certificate Enrollment (cont.) • Drill down to the following node: User ConfigurationPoliciesWindows SettingsSecurity SettingsPublic Key Policies. • In the right pane, double-click Certificate Services Client – Auto-Enrollment. • In the Configuration model dropdown box, select Enabled. Lesson 13
Managing Certificate Enrollment (cont.) • Place a checkmark next to the following items: • Renew expired certificates, update pending certificates, and remove revoked certificates. • Update certificates that use certificate templates. • Click OK. Lesson 13
Managing Certificate Enrollment (cont.) • Drill down to the following node: Computer ConfigurationPoliciesWindows SettingsSecurity SettingsPublic Key Policies. • In the right pane, double-click Certificate Services Client – Auto-Enrollment. • In the Configuration model dropdown box, select Enabled. Lesson 13
Managing Certificate Enrollment (cont.) • Drill down to the following node: Computer ConfigurationPoliciesWindows SettingsSecurity SettingsPublic Key Policies. • In the right pane, double-click Certificate Services Client – Auto-Enrollment. • In the Configuration model dropdown box, select Enabled. Lesson 13
Managing Certificate Enrollment (cont.) • Place a checkmark next to the following items: • Renew expired certificates, update pending certificates, and remove revoked certificates. • Update certificates that use certificate templates. • Click OK, and then close the Group Policy Management Editor. Lesson 13
Managing Certificate Enrollment (cont.) • Open a command-prompt window. • Key gpupdate/force, and then close the command-prompt window. • Log on to CA as the default administrator of the lucernepublishing.com domain. Lesson 13
Managing Certificate Enrollment (cont.) • Open a command-prompt window. • Key gpupdate/force, and then close the command-prompt window. • Reboot the CA computer to force both user and computer autoenrollment to take place. Lesson 13
Managing Certificate Enrollment (cont.) • Part B: Install the Certification Authority Web Enrollment role service • Log on to CA as the default administrator of the lucernepublishing.com domain. • Click the Start button, and then select Server Manager. Lesson 13
Managing Certificate Enrollment (cont.) • Drill down to RolesActive Directory Certificate Services. • Right-click Active Directory Certificate Services, and select Add Role Services. • Place a checkmark next to Certification Authority Web Enrollment. Lesson 13
Managing Certificate Enrollment (cont.) • Click Add Required Role Services. • Click Next to continue. • Read the informational message concerning the installation of the Web Server role, and click Next. Lesson 13
Managing Certificate Enrollment (cont.) • Accept the default IIS features to install, and click Next. • Click Install to install the Certification Authority Web Enrollment role service. • Click Closewhen prompted. Lesson 13
Managing Certificate Enrollment (cont.) • Part C: Request a Web Server Certificate for the CA IIS installation • Click the Start button. • Click Administrative tools, and then select Internet Information Services (IIS) Manager. • In the left pane, double-click the CA node. Lesson 13
Managing Certificate Enrollment (cont.) • Scroll down to the IIS section, and double-click the Server Certificates icon. • In the right pane, click Create Domain Certificate. • Enter the appropriate information as prompted, and click Next. Lesson 13
Managing Certificate Enrollment (cont.) • Click Select next to the Specify Online Certification Authority text box. • Click lucernepublishing-CA-CA, and click OK. • In the Friendly Name text box, key ca.lucernepublishing.com. • Click Finish. Lesson 13
Managing Certificate Enrollment (cont.) • Part D: Enable Secure Connections to the CA IIS server • In the left pane of IIS Manager, expand the Sites node. • Right-click Default Web Site, and click Edit Bindings. • Click Add. Lesson 13