Configuring a CA for Autoenrollment in Win2K8
Copyright Notice
2005 WeSoftware Ltd.
This document is prepared solely for the WeSoft Centrify Testing Team to use as reference. No part of this document may be reproduced or retransmitted in any form or by any means, electronically or mechanically, without written permission of WeSoft.
∙ Filename: Public Domain Environments Setup
∙ Last Saved: 2/10/2012 5:14:00 PM
∙ Printed On: 0/0/0000 0:00:00 AM
Change Control
The change control page will be used to record information for controlling and tracking modifications made to this document.

Version   Revision Date (mm/dd/yy)   Author(s)    Summary of Change(s)   Approved By
0.1       02/10/2012                 Candy Xue
1 Introduction
This document describes how to configure a CA for autoenrollment in our new domain environment.
It describes how to set up a certificate authority (CA) that enables PKI to be used by DirectSecure. Along with the CA, the configuration of certificate templates and autoenrollment is also discussed. This document also explains how to verify the CA and how to troubleshoot certificate templates.
Certificate templates define the content and characteristics of a certificate, and are stored in the AD configuration naming context. They are used to define the certificate types a CA can issue, and for setting which users can enroll and/or autoenroll for which certificate types.
Autoenrollment is the capability that allows users and machines to automatically enroll for certificates. For our purposes, we only focus on machine enrollment. The autoenrollment capability is used by DirectSecure, such that when a computer joins a domain via adjoin, the appropriate certificates are automatically downloaded to the computer, and can subsequently be used by IKE when PKI is chosen for authentication and encryption.
The installation/configuration steps are summarized as follows:
1. Install Internet Information Services (IIS) on the host where the CA will be installed
2. Install an enterprise certificate server for the domain
3. Add the trusted root certificate to a group policy object
4. Enable autoenrollment at the GPO level
5. Create a new certificate template with autoenrollment permission
6. Assign the [new] certificate template to the CA so it can issue certificates
1.1 Install IIS
When Certificate Services is installed on a computer running IIS, the default (or primary) Web site is updated so that you can perform key certificate tasks using the HTTP protocol. These tasks include:
∙ Retrieving CRLs
∙ Requesting certificates
∙ Checking on pending certificates
Components of DirectSecure make use of the above operations by making various HTTP requests, which is why IIS must exist. For example, during the adgpupdate process, the Centrify script certgp.pl will make a request to the IIS server to retrieve the CRL for the root certificate being used. The screenshot below shows the services added to IIS:
It is possible to install both IIS and Certificate Services at the same time. This will effectively take care of the items in this section and the section below. It is highly recommended that you install IIS either at the same time as, or before, Certificate Services. If you install IIS after Certificate Services, you will have to perform these operations manually, which adds time and complexity to your effort.
To install IIS: on your Windows Server, open Server Manager and select Roles -> Click Add Roles. This will bring up the Add Roles Wizard. Select Application Server [IIS] and Certificate Services from the list to install. The screenshot below provides an example.
Click the Next button to continue the install, and choose the options on Role Services as below.
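The following PowerShell script is an added example and is not part of the original document or of any Centrify tool. It installs IIS and the Certificate Services role binaries in one pass using the ServerManager module of Windows Server 2008 R2 (so that IIS is never installed after the CA), and then checks that the CRL and the web enrollment pages that certgp.pl depends on are actually reachable over HTTP. The host name ca01.example.local and the CA name MyRootCA are placeholders; the CA itself must still be created with the Add Roles wizard described in section 1.2 before the HTTP checks can succeed.

```powershell
# Added example (not from the original document): install IIS and the
# Certificate Services binaries together on Windows Server 2008 R2, then confirm
# that the CertEnroll CRL and the certsrv pages answer over HTTP.
# Assumptions: elevated PowerShell on the CA host; 'ca01.example.local' and
# 'MyRootCA' are placeholders for the CA host name and CA common name.
Import-Module ServerManager

# Installing IIS together with (or before) the CA role keeps the CertSrv
# virtual directory from having to be created by hand afterwards.
$features = 'Web-Server', 'ADCS-Cert-Authority', 'ADCS-Web-Enrollment'
$result = Add-WindowsFeature $features
if (-not $result.Success) { throw "Role installation failed (exit code $($result.ExitCode))" }
if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'A restart is required before continuing' }

function Test-CertSrvHttp {
    param([string]$Server, [string]$CaName)
    $client = New-Object System.Net.WebClient
    $client.UseDefaultCredentials = $true   # the certsrv pages require Windows authentication

    # Default CDP location published by the CA role: http://<host>/CertEnroll/<CA name>.crl
    $crlUrl = "http://$Server/CertEnroll/$CaName.crl"
    $crlOk = $false
    try {
        $bytes = $client.DownloadData($crlUrl)
        # A DER-encoded CRL is an ASN.1 SEQUENCE, so the first byte must be 0x30
        $crlOk = ($bytes.Length -gt 0 -and $bytes[0] -eq 0x30)
    } catch { Write-Warning "CRL download failed: $($_.Exception.Message)" }

    # Web enrollment front page, used for requesting and checking pending certificates
    $enrollUrl = "http://$Server/certsrv/"
    $enrollOk = $false
    try {
        $html = $client.DownloadString($enrollUrl)
        $enrollOk = ($html -match 'Certificate Services')
    } catch { Write-Warning "certsrv page failed: $($_.Exception.Message)" }

    New-Object PSObject -Property @{
        CrlUrl = $crlUrl; CrlReachable = $crlOk
        EnrollUrl = $enrollUrl; EnrollReachable = $enrollOk
    }
}

# Only meaningful once the CA has been created with the Add Roles wizard (section 1.2)
Test-CertSrvHttp -Server 'ca01.example.local' -CaName 'MyRootCA' | Format-List
```

If CrlReachable comes back false after the CA exists, the usual cause is exactly the ordering problem the text warns about: IIS was added after Certificate Services and the CertEnroll and certsrv virtual directories were never created.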
1.2 Install an Enterprise Certificate Server (CA)
Installing a CA in Enterprise mode provides full integration with Active Directory. This means, among other things, that the CA will use the certificate templates stored in the AD configuration naming context. Since this scenario will provide a single root CA, this needs to be an enterprise mode installation.
Follow the steps in section 1.1 to install an Enterprise root CA.
At the screen to choose the CA Type, a list of options will be presented. Choose the Enterprise root CA option. If this option is not available, you do not have the correct permissions. Stop this operation and log in using an account that has the appropriate permissions.
The next screen allows for the naming of the CA. One can also set the validity period (the default is 5 years) and the distinguished name suffix. Don't modify the DN suffix unless you really know what you are doing (and even then, don't do it).
The next 2 screens focus on where the certificate database is created. There isn't any reason to change these values (note: the first dialog will display quickly, then the next dialog is displayed). At this point a private key for this CA will also be generated.
Configuration of components then happens. This will take a few minutes.
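As an added example (not part of the original document), the script below verifies after the wizard finishes that the installed CA really is an Enterprise Root CA and that its certificate has the expected validity. It reads the CertSvc configuration that the wizard writes to the registry; the CAType value meanings are those of the Certificate Services ENUM_CATYPES enumeration (0 = Enterprise Root, 1 = Enterprise Subordinate, 3 = Standalone Root, 4 = Standalone Subordinate), and the CA certificate is looked up in the machine's Personal store, where the CA keeps it together with the private key generated during setup.

```powershell
# Added example (not from the original document): confirm the CA type chosen in
# the wizard (section 1.2 requires Enterprise Root) and report the validity of the
# CA certificate, then cross-check with certutil.
function Get-InstalledCaInfo {
    $cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    if (-not (Test-Path $cfg)) { throw 'Certificate Services is not installed on this host' }

    # 'Active' names the CA instance; its subkey holds the per-CA settings
    $caName = (Get-ItemProperty $cfg).Active
    $caType = [int](Get-ItemProperty (Join-Path $cfg $caName)).CAType
    $typeNames = @{ 0 = 'Enterprise Root CA'; 1 = 'Enterprise Subordinate CA';
                    3 = 'Standalone Root CA'; 4 = 'Standalone Subordinate CA' }

    # The CA's own certificate: self-signed (root) and held with its private key in LocalMachine\My
    $caCert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$caName*" -and $_.Subject -eq $_.Issuer -and $_.HasPrivateKey } |
        Select-Object -First 1
    $validityYears = $null
    if ($caCert -ne $null) {
        $validityYears = [math]::Round(($caCert.NotAfter - $caCert.NotBefore).TotalDays / 365.25, 1)
    }

    New-Object PSObject -Property @{
        CaName           = $caName
        CAType           = $caType
        Description      = $typeNames[$caType]
        IsEnterpriseRoot = ($caType -eq 0)
        CaCertThumbprint = if ($caCert) { $caCert.Thumbprint } else { $null }
        ValidityYears    = $validityYears   # the wizard default is 5
    }
}

$ca = Get-InstalledCaInfo
$ca | Format-List
if (-not $ca.IsEnterpriseRoot) {
    Write-Warning "CA '$($ca.CaName)' is a $($ca.Description); templates from AD will not be used by it."
}

# Cross-check with the CA's own view of itself and make sure the service answers
certutil -cainfo type
certutil -ping
```

A standalone CA is the most common outcome of running the wizard with an account that lacks Enterprise Admins rights (the Enterprise option is simply missing, as the text notes), so this check is worth running before spending time on templates that such a CA can never use.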
1.3 Add Root CA Certificate as a Trust Anchor
After the installation of the root CA, its certificate will need to be added to the group policy object where the IPsec policies are defined. Doing this enables the certificate to be downloaded to any machine that joins the domain.
Open up the Certificates snap-in (mmc -> Add/Remove Snap-in -> Certificates -> Add -> Computer account -> Local computer -> Finish), and navigate to the Trusted Root Certification Authorities -> Enterprise -> Certificates container. In this container will be a root certificate that was generated during the CA installation process. Double-click on this certificate and it will bring up a dialog box where you can view the certificate details.
Note: The Enterprise container will be shown when the options “Physical certificate stores” and “Archived certificates” are checked, by clicking the Trusted Root Certification Authorities node -> menu bar View -> Options.
From the Details tab, choose the Copy to File button. This will start the Certificate Export Wizard, which will guide you through the process of saving the certificate to a file. When it asks whether to save the private key, choose No. The format of the exported file should be DER encoded binary X.509 (.CER) (this will most likely be the default selection). Save the certificate to a file.
At this point the Group Policy Editor should be invoked (the easiest way is to go to ADUC -> right-click domain -> Properties -> Group Policy tab -> Edit). From within the AD configuration naming context, open the Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities container. Right-click on this container object, and select Import. Follow the instructions and import the root certificate into the GPO.
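The export step above is easy to get wrong (exporting from the wrong store, or a format that carries a private key), so here is an added example, not from the original document, that performs the same export from PowerShell and then re-opens the resulting file to verify that it is self-signed, DER-encoded and free of any private key before it is imported into the GPO. MyRootCA and C:\Temp\rootca.cer are placeholders.

```powershell
# Added example (not from the original document): export the root CA certificate
# as DER (.cer) without its private key and verify the file before importing it
# into the Trusted Root Certification Authorities container of the GPO.
function Export-RootCaCert {
    param([string]$CaName, [string]$OutFile)
    # Section 1.3: the root certificate is in Trusted Root Certification Authorities
    $root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "CN=$CaName*" -and $_.Subject -eq $_.Issuer } |
        Select-Object -First 1
    if ($root -eq $null) { throw "No self-signed certificate for '$CaName' in the Root store" }

    # X509ContentType::Cert writes the bare DER certificate; a private key is never included,
    # which is what the export wizard does when you answer 'No' to saving the key.
    $der = $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($OutFile, $der)
    $root.Thumbprint
}

function Test-ExportedRootCert {
    param([string]$CerFile, [string]$ExpectedThumbprint)
    $bytes = [System.IO.File]::ReadAllBytes($CerFile)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerFile
    New-Object PSObject -Property @{
        Subject           = $cert.Subject
        DerEncoded        = ($bytes[0] -eq 0x30)          # DER SEQUENCE tag, not a Base64 '-----BEGIN' header
        SelfSigned        = ($cert.Subject -eq $cert.Issuer)
        HasPrivateKey     = $cert.HasPrivateKey           # must be False for a trust anchor pushed by GPO
        ThumbprintMatches = ($cert.Thumbprint -eq $ExpectedThumbprint)
        NotAfter          = $cert.NotAfter
    }
}

$thumb = Export-RootCaCert -CaName 'MyRootCA' -OutFile 'C:\Temp\rootca.cer'
Test-ExportedRootCert -CerFile 'C:\Temp\rootca.cer' -ExpectedThumbprint $thumb | Format-List
```

On the CA host itself, `certutil -ca.cert C:\Temp\rootca.cer` retrieves the same certificate directly from the CA service, and `certutil -dump C:\Temp\rootca.cer` prints the fields the Details tab shows, which is a quick way to compare the thumbprint with the one the GPO import later displays.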
1.4 Add Autoenrollment at the GPO Level
Certificate enrollment enables a user, machine, or service to participate in and use PKI-enabled applications. Enrollment can also be initiated automatically for machine accounts that are part of a Windows domain environment. This feature is known as certificate autoenrollment. It not only handles certificate enrollment, but also automates certificate renewal and certain housekeeping tasks, such as removing revoked certificates from a machine's certificate store.
For Windows machines, it is possible to enable autoenrollment at the GPO level. To do this, open the Group Policy snap-in, go to the Windows Settings -> Public Key Policies container, and open the Certificate Services Client - Autoenrollment Settings Properties dialog box. Check the "Enroll certificates automatically" checkbox and check the "Update certificates that use certificate templates" checkbox. This is shown in the picture below:
You'll note that this is for autoenrollment of Windows-based machines. DirectSecure will use the various attributes supported by the autoenrollment feature to determine which certificates need to be requested, by evaluating the certificate templates when a computer joins a domain.
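To confirm on a domain-joined Windows machine that the GPO setting above has actually arrived and is doing something, the following added example (not from the original document and not a Centrify tool) reads the policy value that Group Policy writes for the Autoenrollment Settings dialog, triggers an autoenrollment pass with certutil, and lists the machine certificates that were issued from a template. The registry location and the meaning of the 0x8000 bit (autoenrollment disabled) are from the Windows autoenrollment policy, not from this document; the template extension OIDs are the two that enterprise CAs stamp into issued certificates (1.3.6.1.4.1.311.20.2 for version 1 templates, 1.3.6.1.4.1.311.21.7 for duplicated, version 2 templates).

```powershell
# Added example (not from the original document): check the section 1.4 GPO
# setting on a client, trigger autoenrollment, and show what was enrolled.
function Get-AutoenrollmentPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    if (-not (Test-Path $key)) {
        # Group Policy has not delivered the setting at all (run gpupdate /target:computer)
        return New-Object PSObject -Property @{ Applied = $false; Enabled = $false; AEPolicy = $null }
    }
    $value = (Get-ItemProperty $key).AEPolicy
    New-Object PSObject -Property @{
        Applied  = ($value -ne $null)
        AEPolicy = $value
        # 0x8000 set means the dialog was left at 'Not configured'/disabled
        Enabled  = (($value -ne $null) -and (($value -band 0x8000) -eq 0))
    }
}

function Get-AutoenrolledMachineCerts {
    # Template extensions written by enterprise CAs: v1 template name, v2 template information
    $templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        $ext = $cert.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } | Select-Object -First 1
        if ($ext -ne $null) {
            New-Object PSObject -Property @{
                Subject  = $cert.Subject
                Issuer   = $cert.Issuer
                NotAfter = $cert.NotAfter
                Template = $ext.Format($false)   # human-readable template name / OID
            }
        }
    }
}

$policy = Get-AutoenrollmentPolicy
$policy | Format-List
if (-not $policy.Enabled) {
    Write-Warning 'Autoenrollment is not enabled by policy on this machine; run gpupdate /target:computer and re-check'
} else {
    certutil -pulse      # run the autoenrollment task now instead of waiting for the next policy refresh
    Get-AutoenrolledMachineCerts | Format-Table Subject, Template, NotAfter -AutoSize
}
```

An empty certificate list with the policy enabled usually means the template side is not finished yet: either Domain Computers lack the Autoenroll permission on the template (section 1.5) or the template has not been assigned to the CA (step 6 of the summary).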
1.5 Create a new certificate template with autoenrollment permission
Open the Certificate Templates snap-in, and select a template from the list (e.g. choose Workstation Authentication). Make sure it minimally supports Windows Server 2003, Enterprise Edition. Right-click to open the popup menu and choose Duplicate Template. The diagram below shows what the Certificate Templates snap-in looks like, with the new template called NewCATemplate.
Once the "Duplicate Template" operation is selected, a properties dialog box will be displayed, which allows you to modify the contents of the template. For our purposes, we will focus on 3 items. You can change other information in the template, such as expiration dates, etc., but it is not necessary. The described steps will create a new certificate template that supports autoenrollment:
∙ From the General tab, fill in the Template Display Name with a value such as "Centrify IPsec Temp".
∙ From the Security tab, select Domain Computers, and then in the lower box, select the Allow checkbox for the Autoenroll permission.
∙ From the Extensions tab, select Application Policies. Make sure the Client Authentication and Server Authentication policies are included. If you chose to duplicate the Workstation Authentication template, you will need to add Server Authentication.
Application policies give the ability to decide which certificates can be used for certain purposes. Application policies are settings that inform a target that the subject holds a certificate that can be used to perform a specific task. They are
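The three template changes above are stored on the pKICertificateTemplate object in the AD configuration naming context, so they can be verified independently of the snap-in. The script below is an added example, not from the original document or from Centrify: it reads the template back from AD and reports whether Domain Computers hold the Enroll and Autoenroll rights and whether both Client Authentication (1.3.6.1.5.5.7.3.2) and Server Authentication (1.3.6.1.5.5.7.3.1) are in its EKU list. The template's common name is its display name with spaces removed, so "Centrify IPsec Temp" is looked up as CentrifyIPsecTemp; the extended-right GUIDs used for Enroll (0e10c968-78fb-11d2-90d4-00c04f79dc55) and Autoenroll (a05b8cc2-17bc-4802-a710-e7c15ab866a2) are the ones defined in the AD schema, not values from this document.

```powershell
# Added example (not from the original document): read a certificate template from
# the AD configuration naming context and check the section 1.5 settings on it.
function Test-AutoenrollTemplate {
    param([string]$TemplateName)   # common name, i.e. display name without spaces
    $cfgNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $path = "LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNc"
    if (-not [ADSI]::Exists($path)) { throw "Template '$TemplateName' not found under $cfgNc" }
    $tmpl = [ADSI]$path

    # Extensions tab -> Application Policies is stored as a list of OIDs
    $eku = @($tmpl.pKIExtendedKeyUsage)
    $clientAuth = '1.3.6.1.5.5.7.3.2'
    $serverAuth = '1.3.6.1.5.5.7.3.1'

    # Security tab -> Enroll / Autoenroll are extended rights (object-type GUIDs) in the ACL
    $enrollGuid     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
    $autoenrollGuid = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
    $rules = $tmpl.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $dcRules = @($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -like '*\Domain Computers'
    })
    $canEnroll     = @($dcRules | Where-Object { $_.ObjectType -eq $enrollGuid }).Count -gt 0
    $canAutoenroll = @($dcRules | Where-Object { $_.ObjectType -eq $autoenrollGuid }).Count -gt 0

    New-Object PSObject -Property @{
        Template                  = $TemplateName
        DisplayName               = [string]$tmpl.displayName
        HasClientAuth             = ($eku -contains $clientAuth)
        HasServerAuth             = ($eku -contains $serverAuth)   # missing on a plain Workstation Authentication duplicate
        DomainComputersEnroll     = $canEnroll
        DomainComputersAutoenroll = $canAutoenroll
        ReadyForAutoenrollment    = ($canEnroll -and $canAutoenroll -and ($eku -contains $clientAuth) -and ($eku -contains $serverAuth))
    }
}

Test-AutoenrollTemplate -TemplateName 'CentrifyIPsecTemp' | Format-List
```

Autoenroll only takes effect together with Enroll, which is why the script reports both; the Workstation Authentication template already grants Enroll to Domain Computers, so on a duplicate of it the Autoenroll checkbox is normally the only permission change needed.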