Learn how to install and configure Active Directory Certificate Services and configure certificate revocation settings step by step in this comprehensive guide.
Lesson 13

Installing Active Directory Certificate Services
• Log on to the CA member server as the default administrator of the lucernepublishing.com domain.
• If the Server Manager console does not appear automatically, click the Start button.
• Select Server Manager from the Start menu.
• Expand the Server Manager console to full screen, if necessary.
• In the left pane, click the Roles node.
• In the right pane, click Add Role.
• Click Next to bypass the initial welcome screen.
• Place a checkmark next to Active Directory Certificate Services, and click Next.
• Read the information presented, and click Next.
• Place a checkmark next to Certification Authority, and click Next.
• Select the Enterprise radio button, and click Next.
• Select the Root CA type radio button, and click Next.
• Select the Create a new private key radio button, and click Next.
• Accept the default values, and click Next.
• Accept the default value, and click Next.
• Accept the default value of 5 years, and click Next.
• Accept the default values, and click Next.
• Verify that your selections are correct, and click Install.
• Click Close to complete the installation.
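The wizard steps above, scripted. This is an added example and not part of the lesson: it uses the ADCSDeployment cmdlets that ship with the CA role on Windows Server 2012 and later (the lesson's Server 2008 console has no PowerShell equivalent), keeps the lesson's CA name and 5-year validity, and where the lesson says "accept the default values" it picks the key length and hash algorithm explicitly. The hash algorithm chosen here is what the CA will use to sign every certificate and CRL it ever issues, so it is the one default worth not accepting blindly. The subject filter used to find the CA certificate afterwards is an assumption about how the role names it.

```powershell
# Added example (not the lesson's code). Run elevated on the CA member server,
# Windows Server 2012 or later, logged on as a domain administrator.

# 1. Install the Certification Authority role service and its management tools.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# 2. Configure an Enterprise Root CA with a newly generated private key.
#    CA name and 5-year validity match the lesson; key length and hash are explicit.
$caParams = @{
    CAType              = 'EnterpriseRootCA'
    CACommonName        = 'lucernepublishing-CA-CA'
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = 4096
    HashAlgorithmName   = 'SHA256'      # signs all issued certificates and CRLs
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 5
    Force               = $true          # suppress the confirmation prompt
}
Install-AdcsCertificationAuthority @caParams

# 3. Show what was actually built so the result can be compared with the intent.
function Get-CaCertificateSummary {
    # Assumption: the CA certificate lands in the machine Personal store with
    # the CA common name as its subject.
    $caCert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like 'CN=lucernepublishing-CA-CA*' } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
    [pscustomobject]@{
        Subject  = $caCert.Subject
        SigAlg   = $caCert.SignatureAlgorithm.FriendlyName
        KeySize  = $caCert.PublicKey.Key.KeySize
        NotAfter = $caCert.NotAfter
    }
}
Get-CaCertificateSummary

# 4. Confirm the CA service answers and report its configuration string
#    (server\CA name), which later tools such as certreq -config need.
certutil -ping
certutil -getconfig
```

The splat keeps the security-relevant parameters visible in one place; a practitioner reviewing the build later can diff that block against the output of step 3 rather than reconstructing the wizard's choices from the event log.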
Configuring Certificate Revocation
Part A: Install the Online Responder
• Log on to CA as the default administrator of the lucernepublishing.com domain.
• Click the Start button, and then select Server Manager.
• Drill down to Roles > Active Directory Certificate Services.
• Right-click Active Directory Certificate Services, and select Add Role Services.
• Place a checkmark next to Online Responder.
• Click Add Required Role Services, and then click Next to continue.
• Read the informational message concerning the installation of the Web Server role, and click Next.
• Accept the default IIS features to install, and click Next.
• Click Install to install the Online Responder role service.
• Click Close when prompted.
Part B: Configure the CA to support the Online Responder
• In the left pane within Server Manager, drill down to Roles > Active Directory Certificate Services > Certificate Templates.
• Right-click the OCSP Response Signing template.
• Click Properties.
• Click the Security tab, and click Add.
• Click Object Types.
• Place a checkmark next to Computers, and then click OK.
• Key CA, and then click OK.
• Place a checkmark next to Enroll and Autoenroll in the Allow column, and then click OK.
• Drill down to Roles > Active Directory Certificate Services > lucernepublishing-CA-CA > Certificate Templates.
• Right-click the Certificate Templates folder, and click New > Certificate Template to Issue.
• Select the OCSP Response Signing certificate template, and click OK.
Part C: Establish a revocation configuration for the Certification Authority
• In the left pane of Server Manager, navigate to Roles > Active Directory Certificate Services > Online Responder: CA > Revocation Configuration.
• Right-click Revocation Configuration, and click Add Revocation Configuration.
• Read the information on the Getting Started screen, and then click Next.
• Key LUCERNEPUBLISHING-CA-REV, and click Next.
• Verify that the Select a certificate for an Existing enterprise CA radio button is selected, and then click Next.
• Verify that the Browse CA certificates published in Active Directory option is selected, and then click Browse.
• Confirm that the lucernepublishing-CA-CA certificate is selected, and then click OK.
• Click Next to continue.
• Verify that the Automatically select a signing certificate radio button is selected.
• Verify that a checkmark is next to Auto-enroll for an OCSP signing certificate.
• Click Next, and then click Finish to configure the revocation configuration.
• Navigate to lucernepublishing-CA-CA > Issued Certificates.
• Confirm that an OCSP Response Signing Certificate has been issued to the certification authority.
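Parts A and B above, scripted, followed by the two checks a practitioner runs once Part C is done. This is an added example and not the lesson's own code: it assumes Windows Server 2012 or later with the ADCSDeployment and ADCSAdministration modules, the lesson's CA name, a CA server whose computer account is CA$ in a domain whose NetBIOS name is LUCERNEPUBLISHING (an assumption; the lesson only shows the DNS name), and that the dsacls control-access-right names Enroll and AutoEnroll are the display names of the two extended rights the Security tab grants. The revocation configuration itself (Part C) has no built-in cmdlet and stays in the Online Responder console.

```powershell
# Added example (not the lesson's code). Run elevated on the CA server.

# Part A: Online Responder role service (pulls in the IIS features it depends on).
Install-WindowsFeature -Name ADCS-Online-Cert -IncludeManagementTools
Install-AdcsOnlineResponder -Force

# Part B: let the CA's computer account enroll for the OCSP Response Signing
# template, then publish that template on the CA. Template ACLs live in the
# configuration partition of Active Directory, not on the CA itself.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$tmplDN   = "CN=OCSPResponseSigning,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
dsacls $tmplDN /G 'LUCERNEPUBLISHING\CA$:CA;Enroll'        # assumption: right display names
dsacls $tmplDN /G 'LUCERNEPUBLISHING\CA$:CA;AutoEnroll'
Add-CATemplate -Name 'OCSPResponseSigning' -Force

# Check 1 (after Part C): the responder obtained its OCSP Response Signing
# certificate. It is enrolled into the machine Personal store and carries the
# id-kp-OCSPSigning extended key usage, OID 1.3.6.1.5.5.7.3.9.
function Get-OcspSigningCertificate {
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.9' } |
        Select-Object Subject, NotAfter, Thumbprint
}
$signer = Get-OcspSigningCertificate
if (-not $signer) { Write-Warning 'No OCSP Response Signing certificate issued yet.' }
$signer

# Check 2: what revocation information the CA stamps into the certificates it
# issues. The lesson accepts the wizard defaults for these; a CDP or AIA URL that
# clients cannot reach turns every revocation check into a failure or a timeout.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

# Check 3: exercise the client path end to end. certutil -verify -urlfetch builds
# the chain for a certificate file, fetches every AIA, CDP and OCSP URL it finds and
# prints the outcome of each fetch, so an unreachable responder shows up here rather
# than in an application's error dialog. Uses any certificate this CA has issued.
$leaf = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like 'CN=lucernepublishing-CA-CA*' -and $_.Subject -ne $_.Issuer } |
    Select-Object -First 1
if ($leaf) {
    $cerPath = Join-Path $env:TEMP 'issued.cer'
    Export-Certificate -Cert $leaf -FilePath $cerPath -Type CERT | Out-Null
    certutil -verify -urlfetch $cerPath
} else {
    Write-Warning 'No certificate issued by lucernepublishing-CA-CA found in the machine store.'
}
```

Check 3 is the one to keep around: it is the same chain-building and URL-fetching logic Windows applications use, so it reproduces their view of the responder rather than the CA administrator's.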
Configuring Certificate Templates
• Log on to CA as the default administrator of the lucernepublishing.com domain.
• Click Start, and then select Server Manager.
• In the left pane, expand the Roles node, the Active Directory Certificate Services node, and the Certificate Templates node.
• To create a new certificate template to allow user autoenrollment, right-click the User template.
• Click Duplicate Template.
• Select Windows Server 2008, Enterprise Edition, and click OK.
• On the General tab, key LUCERNEPUBLISHING-User-Cert in the Template Display Name text box.
• Verify that a checkmark is next to the Publish certificate in Active Directory option.
• Click the Security tab.
• Click Domain Users, and then place a checkmark next to Read, Enroll, and Autoenroll.
• Click the Subject Name tab.
• Remove the checkmark next to the Include e-mail name in subject name option.
• In the Include this information in the alternate subject name section, remove the checkmark next to E-mail name.
• Click the Superseded Templates tab, and click Add.
• Select the built-in User certificate template, and then click OK twice to continue.
• Right-click the Computer template, and click Duplicate Template.
• Select Windows Server 2008, Enterprise Edition, and click OK.
• On the General tab, key LUCERNEPUBLISHING-Computer-Cert in the Template Display Name text box.
• Verify that a checkmark is next to the Publish certificate in Active Directory option.
• Click the Security tab.
• Click Domain Computers, and then place a checkmark next to Read, Enroll, and Autoenroll.
• Click the Superseded Templates tab, and click Add.
• Select the built-in Computer certificate template, and then click OK twice to continue.
• Right-click the Web Server template, and click Duplicate Template.
• Select Windows Server 2008, Enterprise Edition, and click OK.
• On the General tab, key LUCERNEPUBLISHING-WebServer-Cert in the Template Display Name text box.
• Verify that a checkmark is next to the Publish certificate in Active Directory option.
• Click the Security tab, and click Add.
• Click Object Types.
• Place a checkmark next to Computers, and then click OK.
• Key CA, and then click OK.
• Place a checkmark next to Enroll and Autoenroll in the Allow column.
• Click the Superseded Templates tab, and click Add.
• Select the built-in Web Server certificate template, and then click OK twice to continue.
• Drill down to Roles > Active Directory Certificate Services > lucernepublishing-CA-CA > Certificate Templates.
• Right-click the Certificate Templates folder, and click New > Certificate Template to Issue.
• Click LUCERNEPUBLISHING-User-Cert, and click OK.
• Repeat the previous two steps to configure the CA to issue the LUCERNEPUBLISHING-Computer-Cert and LUCERNEPUBLISHING-WebServer-Cert certificate templates.
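The last three steps above, scripted, plus an audit of what the Security and Subject Name tabs actually set on the three new templates. This is an added example, not the lesson's code. It assumes the ActiveDirectory and ADCSAdministration modules (RSAT) and that each template's directory CN equals its display name, which holds here because the lesson's display names contain no spaces. The audit reads two things: who holds the Enroll or AutoEnroll extended right (or full control) on each template, and whether the subject is built from Active Directory, as the lesson's Subject Name tab leaves it, or supplied by the requester. The well-known GUIDs of the two rights and the msPKI-Certificate-Name-Flag bit are standard values, not values from the lesson.

```powershell
# Added example (not the lesson's code). Run on the CA as a domain administrator.
Import-Module ActiveDirectory

$templates = 'LUCERNEPUBLISHING-User-Cert',
             'LUCERNEPUBLISHING-Computer-Cert',
             'LUCERNEPUBLISHING-WebServer-Cert'

# "New > Certificate Template to Issue" for each template, as the lesson repeats by hand.
foreach ($t in $templates) { Add-CATemplate -Name $t -Force }

# Extended rights the Security tab grants, by their schema GUIDs.
$enrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$autoEnrollRight = [guid]'a05b8cc2-17bc-00d2-4a5a-8c8d78dc1ab8'   # Certificate-AutoEnrollment
# Bit in msPKI-Certificate-Name-Flag meaning "Supply in the request" on the Subject Name tab.
$supplySubject   = 0x1

$configNC  = (Get-ADRootDSE).configurationNamingContext
$container = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

function Get-TemplateAudit {
    param([string[]]$Name)
    $rights = [System.DirectoryServices.ActiveDirectoryRights]
    foreach ($n in $Name) {
        $obj = Get-ADObject -Identity "CN=$n,$container" `
            -Properties nTSecurityDescriptor, 'msPKI-Certificate-Name-Flag', pKIExtendedKeyUsage
        $allow = $obj.nTSecurityDescriptor.Access | Where-Object { $_.AccessControlType -eq 'Allow' }
        # A principal can enroll if it holds Enroll/AutoEnroll, all extended rights
        # (ExtendedRight with an empty ObjectType), or full control of the template.
        $enrollers = $allow | Where-Object {
            $_.ObjectType -eq $enrollRight -or $_.ObjectType -eq $autoEnrollRight -or
            ($_.ObjectType -eq [guid]::Empty -and ($_.ActiveDirectoryRights -band $rights::ExtendedRight)) -or
            (($_.ActiveDirectoryRights -band $rights::GenericAll) -eq $rights::GenericAll)
        } | Select-Object -ExpandProperty IdentityReference -Unique
        [pscustomobject]@{
            Template        = $n
            EnrollGrantedTo = ($enrollers | ForEach-Object { $_.Value }) -join '; '
            SubjectFromAD   = -not ($obj.'msPKI-Certificate-Name-Flag' -band $supplySubject)
            EKU             = ($obj.pKIExtendedKeyUsage -join ', ')
        }
    }
}

Get-TemplateAudit -Name $templates | Format-Table -AutoSize
```

For the lesson's configuration the expected rows show Domain Users on the user template, Domain Computers on the computer template, the CA computer account (plus the groups the built-in Web Server template already lists) on the web-server template, and SubjectFromAD set to True on all three. A template that grants Enroll to a broad group while SubjectFromAD is False is the combination to look at in review, because then the requester, not the directory, decides which identity the certificate asserts.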
Managing Certificate Enrollment
Part A: Configure Certificate Autoenrollment in the LUCERNEPUBLISHING.COM domain
• Log on to RWDC01 as the default administrator of the lucernepublishing.com domain.
• Click the Start button, Administrative Tools, and then Group Policy Management.
• Drill down to Forest: lucernepublishing.com > Domains > Domain: lucernepublishing.com > Group Policy Objects > Default Domain Policy.
• Right-click the Default Domain Policy, and then click Edit.
• Drill down to the following node: User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
• In the right pane, double-click Certificate Services Client – Auto-Enrollment.
• In the Configuration model dropdown box, select Enabled.
• Place a checkmark next to the following items:
  • Renew expired certificates, update pending certificates, and remove revoked certificates.
  • Update certificates that use certificate templates.
• Click OK.
• Drill down to the following node: Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
• In the right pane, double-click Certificate Services Client – Auto-Enrollment.
• In the Configuration model dropdown box, select Enabled.
Managing Certificate Enrollment (cont.)
• Place a checkmark next to the following items:
  • Renew expired certificates, update pending certificates, and remove revoked certificates.
  • Update certificates that use certificate templates.
• Click OK, and then close the Group Policy Management Editor.
• Open a command-prompt window.
• Key gpupdate /force, and then close the command-prompt window.
• Log on to CA as the default administrator of the lucernepublishing.com domain.
• Open a command-prompt window.
• Key gpupdate /force, and then close the command-prompt window.
• Reboot the CA computer to force both user and computer autoenrollment to take place.
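Part A above, scripted from RWDC01, followed by the client-side trigger and a check that the expected certificates arrived. This is an added example, not the lesson's code. It assumes the GroupPolicy module (RSAT). The Auto-Enrollment policy is stored as one AEPolicy DWORD under Software\Policies\Microsoft\Cryptography\AutoEnrollment in the user and the machine hive; the bit values used here (1 for the renew/update/remove option, 2 for the update-templates option, 0x8000 for Disabled) are this example's reading of that value and should be compared with what the GPO editor writes before being relied on. The certificate-template extension OIDs are standard, not from the lesson.

```powershell
# Added example (not the lesson's code).

# --- On RWDC01: write both Auto-Enrollment settings into the Default Domain Policy.
$aeKey   = 'Software\Policies\Microsoft\Cryptography\AutoEnrollment'
$aeValue = 1 -bor 2     # assumption: 1 = renew/update/remove, 2 = update templates; 0x8000 = Disabled
foreach ($hive in 'HKCU', 'HKLM') {          # User Configuration, then Computer Configuration
    Set-GPRegistryValue -Name 'Default Domain Policy' -Key "$hive\$aeKey" `
        -ValueName 'AEPolicy' -Type DWord -Value $aeValue | Out-Null
}
Get-GPRegistryValue -Name 'Default Domain Policy' -Key "HKLM\$aeKey"

# --- On CA (or any domain member): refresh policy and trigger autoenrollment now.
# The lesson reboots to get both contexts; pulsing the autoenrollment task does the
# same without the reboot. Run elevated for the machine context.
gpupdate /force
certutil -pulse           # machine context
certutil -user -pulse     # user context

# --- Check: which certificates the lesson CA issued to this user and computer,
# and from which template. v1 templates carry the name in 1.3.6.1.4.1.311.20.2,
# v2 and later carry template OID and version in 1.3.6.1.4.1.311.21.7.
function Get-AutoEnrolledCertificates {
    foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
        Get-ChildItem $store |
            Where-Object { $_.Issuer -like 'CN=lucernepublishing-CA-CA*' } |
            ForEach-Object {
                $tmpl = $_.Extensions |
                    Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' } |
                    Select-Object -First 1
                [pscustomobject]@{
                    Store    = $store
                    Subject  = $_.Subject
                    Template = if ($tmpl) { $tmpl.Format($false) } else { '(no template extension)' }
                    NotAfter = $_.NotAfter
                }
            }
    }
}
Get-AutoEnrolledCertificates | Format-Table -AutoSize
```

Because the lesson puts the setting in the Default Domain Policy, every user and computer in the domain autoenrolls for any template that grants it Autoenroll; the check function is therefore also the quickest way to see, on any member, what that policy has handed out.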
Part B: Install the Certification Authority Web Enrollment role service
• Log on to CA as the default administrator of the lucernepublishing.com domain.
• Click the Start button, and then select Server Manager.
• Drill down to Roles > Active Directory Certificate Services.
• Right-click Active Directory Certificate Services, and select Add Role Services.
• Place a checkmark next to Certification Authority Web Enrollment.
• Click Add Required Role Services.
• Click Next to continue.
• Read the informational message concerning the installation of the Web Server role, and click Next.
• Accept the default IIS features to install, and click Next.
• Click Install to install the Certification Authority Web Enrollment role service.
• Click Close when prompted.
Part C: Request a Web Server Certificate for the CA IIS installation
• Click the Start button.
• Click Administrative Tools, and then select Internet Information Services (IIS) Manager.
• In the left pane, double-click the CA node.
• Scroll down to the IIS section, and double-click the Server Certificates icon.
• In the right pane, click Create Domain Certificate.
• Enter the appropriate information as prompted, and click Next.
• Click Select next to the Specify Online Certification Authority text box.
• Click lucernepublishing-CA-CA, and click OK.
• In the Friendly Name text box, key ca.lucernepublishing.com.
• Click Finish.
Part D: Enable Secure Connections to the CA IIS server
• In the left pane of IIS Manager, expand the Sites node.
• Right-click Default Web Site, and click Edit Bindings.
• Click Add.
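Parts B through D above, scripted on the CA server. This is an added example and not the lesson's code: it assumes Windows Server 2012 or later with the ADCSDeployment and WebAdministration modules, the lesson's CA config string CA.lucernepublishing.com\lucernepublishing-CA-CA, and that the web-server certificate is requested from the LUCERNEPUBLISHING-WebServer-Cert template configured earlier (the IIS wizard in the lesson submits to the CA without naming a template, so this choice is an assumption). The certreq INF format is the standard one; the final step, requiring TLS on the /certsrv pages, goes one step past where the lesson's Part D stops.

```powershell
# Added example (not the lesson's code). Run elevated on the CA server.

# Part B: Certification Authority Web Enrollment (adds /certsrv to the Default Web Site).
Install-WindowsFeature -Name ADCS-Web-Enrollment -IncludeManagementTools
Install-AdcsWebEnrollment -Force

# Part C: request a web-server certificate for ca.lucernepublishing.com.
# The key is generated in the machine key store and marked non-exportable.
$inf = @"
[NewRequest]
Subject = "CN=ca.lucernepublishing.com"
FriendlyName = "ca.lucernepublishing.com"
KeyLength = 2048
KeySpec = 1
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=ca.lucernepublishing.com&"
[RequestAttributes]
CertificateTemplate = LUCERNEPUBLISHING-WebServer-Cert
"@
$work = $env:TEMP
Set-Content -Path "$work\web.inf" -Value $inf -Encoding ASCII
certreq -new    "$work\web.inf" "$work\web.req"
certreq -submit -config 'CA.lucernepublishing.com\lucernepublishing-CA-CA' "$work\web.req" "$work\web.cer"
certreq -accept "$work\web.cer"            # binds the issued certificate to its private key

# Part D: add an HTTPS binding on the Default Web Site and attach that certificate.
Import-Module WebAdministration
function Get-WebServerCertificate {
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq 'CN=ca.lucernepublishing.com' -and $_.HasPrivateKey } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
}
$cert = Get-WebServerCertificate
if (-not $cert) { throw 'Web server certificate was not issued; check the CA request queue.' }
New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 -IPAddress '*'
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null

# One step beyond the lesson: the enrollment pages authenticate the requester, so
# refuse plain HTTP on /certsrv rather than merely offering HTTPS alongside it.
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\CertSrv' `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'

Get-WebBinding -Name 'Default Web Site'
```

The SAN entry is included because current clients match the host name against the subjectAltName extension rather than the common name; without it the lesson's ca.lucernepublishing.com certificate would bind correctly yet still produce a name-mismatch warning in the browser.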