Step by Step Active Directory Certificate Service – Part 2
In part 1 of this blog series, we successfully installed Active Directory Certificate Services and performed the post-installation tasks. In this part, we will configure a certificate template for client and workstation authentication and configure a group policy for automatic certificate enrollment.
To secure the AD CS infrastructure, it is highly recommended to deploy a subordinate certificate authority and shut down your root certificate authority.
Step by Step Configure Certificate Template
So far, we have AD CS installed and configured. To proceed with the configuration of AD CS, we need a certificate template for workstation and client authentication. To configure the certificate template, perform the following steps.
- Navigate to Server Manager > Tools > Certification Authority
- Navigate to Certification Authority > Machine Name > Certificate Templates. Right-click on Certificate Templates and click Manage
- Duplicate the “Workstation Authentication” template
- Set up the template properties as per your requirements. Under the General tab, define the name of the duplicate template and set the validity period
- Under the Security tab, ensure that domain-joined machines have the Read, Enroll and Autoenroll permissions
- Click on the Extensions tab and edit Application Policies to add Server Authentication to the template
- Click on the Subject Name tab and ensure that the DNS name and User Principal Name (UPN) options are selected
- Click Apply and close the certificate template properties.
- Navigate to Certification Authority > Certificate Templates, right-click and select New > Certificate Template to Issue
- Select the certificate template and click OK
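As an added check that is not part of the original article, the following PowerShell script reads the duplicated template back from Active Directory and reports whether the Security, Extensions and Subject Name settings above took effect, and which principals are allowed to enroll. It assumes the RSAT ActiveDirectory module is installed and that $TemplateName is the display name you gave the duplicate (the default below is a made-up example).

```powershell
# Added audit script, not part of the original article. Assumes the RSAT ActiveDirectory
# module is available and that $TemplateName is the display name you gave the duplicate.
param([string]$TemplateName = 'Workstation Authentication Duplicate')  # assumed name

Import-Module ActiveDirectory
$cfgNC   = (Get-ADRootDSE).configurationNamingContext
$tplBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNC"

# msPKI-Certificate-Name-Flag bits (MS-CRTD) and the two EKU OIDs the template should carry
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
$CT_FLAG_SUBJECT_ALT_REQUIRE_UPN   = 0x02000000
$CT_FLAG_SUBJECT_ALT_REQUIRE_DNS   = 0x08000000
$EKU_SERVER_AUTH = '1.3.6.1.5.5.7.3.1'
$EKU_CLIENT_AUTH = '1.3.6.1.5.5.7.3.2'

$tpl = Get-ADObject -SearchBase $tplBase -LDAPFilter "(displayName=$TemplateName)" `
    -Properties msPKI-Certificate-Name-Flag, msPKI-Certificate-Application-Policy, nTSecurityDescriptor
if (-not $tpl) { throw "Template '$TemplateName' not found under $tplBase" }
$nameFlag = [int]$tpl.'msPKI-Certificate-Name-Flag'
$ekus     = @($tpl.'msPKI-Certificate-Application-Policy')

# Resolve the Enroll / AutoEnroll extended-right GUIDs from the schema instead of hardcoding them
$rightName = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$cfgNC" -Properties displayName, rightsGuid `
    -LDAPFilter '(|(displayName=Enroll)(displayName=AutoEnroll))' |
    ForEach-Object { $rightName[[guid]$_.rightsGuid] = $_.displayName }

# Collect every principal allowed to Enroll or AutoEnroll (an empty ObjectType grants all extended rights)
$enrollees = foreach ($ace in $tpl.nTSecurityDescriptor.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -eq 0) { continue }
    $right = if ($ace.ObjectType -eq [guid]::Empty) { 'AllExtendedRights' } else { $rightName[$ace.ObjectType] }
    if ($right) { [pscustomobject]@{ Identity = $ace.IdentityReference.Value; Right = $right } }
}

# Principals broader than "domain-joined machines" (normally Domain Computers) are worth a second look
$broad = 'Authenticated Users', 'Domain Users', 'Everyone', 'Users'
[pscustomobject]@{
    Template                = $tpl.Name
    HasServerAuthEKU        = $ekus -contains $EKU_SERVER_AUTH
    HasClientAuthEKU        = $ekus -contains $EKU_CLIENT_AUTH
    SubjectAltRequiresDNS   = ($nameFlag -band $CT_FLAG_SUBJECT_ALT_REQUIRE_DNS) -ne 0
    SubjectAltRequiresUPN   = ($nameFlag -band $CT_FLAG_SUBJECT_ALT_REQUIRE_UPN) -ne 0
    EnrolleeSuppliesSubject = ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0  # subject is built from AD, so expect False
    Enrollees               = ($enrollees | ForEach-Object { "$($_.Identity):$($_.Right)" } | Sort-Object -Unique) -join '; '
    BroadEnrollees          = ($enrollees | Where-Object { $broad -contains ($_.Identity -split '\\')[-1] } |
                               ForEach-Object Identity | Sort-Object -Unique) -join '; '
} | Format-List
```

Run it from a domain-joined admin workstation after issuing the template; a template configured as described above shows both EKUs, both subject alternative name flags set, EnrolleeSuppliesSubject as False and an empty BroadEnrollees field.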
Group Policy for Automatic Certificate Enrollment
As of now, our AD CS setup is ready for certificate enrollment. With the help of group policy, we will set up our domain-joined workstations to request a certificate from AD CS. To configure a group policy for AD CS, perform the following steps.
- Log in to the domain controller and launch the Group Policy Management Console from Control Panel > Administrative Tools > Group Policy Management
- Navigate to the OU that contains all your domain-joined computers. In my case, I have a Servers OU that contains all domain-joined computers.
- Right-click on the Servers OU and click on “Create a GPO in this domain, and link it here”
- Define the name of the GPO and click OK
- Select the GPO, right-click and click Edit to modify the GPO settings
- Navigate to Computer Configuration > Windows Settings > Security Settings > Public Key Policies
- Select “Certificate Services Client – Certificate Enrollment Policy” and click on Properties
- Under Configuration Model, select Enabled
- Next, select “Certificate Services Client – Auto-Enrollment”, go to Properties and set the Configuration Model to Enabled
- Once done, right-click on the GPO and click Enforce, then Group Policy Update
- Click OK on the Group Policy pop-up message to finish the process
Your group policy deployment for the certificate authority is now complete. You can navigate to Issued Certificates to see that the computer accounts have started to receive certificates from your AD CS infrastructure.
In this blog article we have configured an Active Directory Certificate Services template for end-user workstations and deployed a group policy on the Servers OU to request the certificate from the internal CA. I hope this series helps you deploy your PKI infrastructure using AD CS.