Configuring a CA for Autoenrollment in Win2K8.docx
WeSoftware Ltd.
Suite 335, 1 Science Park East Avenue
Hong Kong Science Park, Shatin, Hong Kong
Phone: (852) 3188 2929
Fax: (852) 3188 2939
CHINA . HONG KONG . USA
Copyright Notice
2005 WeSoftware Ltd.
This document is prepared solely for the WeSoft Centrify Testing Team to use as reference. No part of this document may be reproduced or retransmitted in any form or by any means, electronic or mechanical, without the written permission of WeSoft.
∙ Filename: Public Domain Environments Setup
∙ Last Saved: 2/10/2012 5:14:00 PM
Change Control
The change control page will be used to record information for controlling and tracking modifications made to this document.

Version   Revision Date (mm/dd/yy)   Author(s)   Summary of Change(s)   Approved By
0.1       02/10/2012                 Candy Xue
1 Introduction
This document describes how to configure a CA for autoenrollment in our new domain environment.
This document describes how to set up a certificate authority (CA) that enables PKI to be used by DirectSecure. Along with the CA, configuration of certificate templates and autoenrollment is also discussed. You will also learn how to verify the CA and how to troubleshoot certificate templates.
· Certificate templates define the content and characteristics of a certificate, and are stored in the AD configuration naming context. They are used to define the certificate types a CA can issue, and to set which users (and computers) can enroll and/or autoenroll for which certificate types.
· Autoenrollment is the capability that allows users and machines to automatically enroll for certificates. For our purposes, we only focus on machine enrollment. The autoenrollment capability is used by DirectSecure, such that when a computer joins a domain via adjoin, the appropriate certificates are automatically downloaded to the computer and can subsequently be used by IKE when PKI is chosen for authentication and encryption.
The installation/configuration steps are summarized as follows:
1. Install Internet Information Services (IIS) on the host where the CA will be installed
2. Install an enterprise certificate server for the domain
3. Add the trusted root certificate to the group policy object
4. Enable autoenrollment at the GPO level
5. Create a new certificate template with autoenrollment permission
6. Assign the [new] certificate template to the CA so it can issue certificates
1.1 Install IIS
When Certificate Services is installed on a computer running IIS, the default (or primary) Web site is updated so that you can perform key certificate tasks using the HTTP protocol. These tasks include:
∙ Retrieving CRLs
∙ Requesting certificates
∙ Checking on pending certificates
Components of DirectSecure make use of the above operations by making various HTTP requests, hence the reason why IIS must exist. For example, during the adgpupdate process, the Centrify script certgp.pl makes a request to the IIS server to retrieve the CRL for the root certificate being used. Because that retrieval is plain HTTP, the CRL Distribution Point URL the CA publishes must resolve and be reachable from the hosts that run adgpupdate. The screenshot below shows the services added to IIS:
To install IIS: it is possible to install both IIS and Certificate Services at the same time. This effectively takes care of the items in this section and the section below. It is highly recommended that you install IIS either at the same time as, or before, Certificate Services. If you install IIS after Certificate Services, you will have to perform these operations manually, which adds time and complexity to your effort.
On your Windows Server, open Server Manager, select Roles, and click Add Roles. This brings up the Add Roles Wizard. Select Web Server (IIS) and Active Directory Certificate Services from the list of roles to install.
The screenshot below provides an example.
Click the Next button to continue the install and choose the Role Services as shown below. For Active Directory Certificate Services, select Certification Authority and Certification Authority Web Enrollment; the Web Enrollment role service is what provides the /certsrv pages behind the three HTTP tasks listed above.
1.2 Install an Enterprise Certificate Server (CA)
Installing a CA in Enterprise mode provides full integration with Active Directory. This means, among other things, that the CA will use the certificate templates stored in the AD configuration naming context and can issue certificates through autoenrollment. Since this scenario provides a single root CA that must issue template-based certificates, it needs to be an Enterprise root CA; a standalone CA supports neither templates nor autoenrollment.
Follow section 1.1 to begin the installation of an Enterprise root CA.
At the screen to choose the CA Type, a list of options will be presented. Choose the Enterprise root CA option. If this option is not available, you do not have the correct permissions (installing an enterprise CA requires membership in Enterprise Admins). Stop this operation and log in using an account that has the appropriate permissions.
The next screen allows for the naming of the CA. One can also set the validity period (default is 5 years) and the distinguished name suffix. Don't modify the DN suffix unless you really know what you are doing (and even then, don't do it).
The next two screens focus on where the certificate database is created. There isn't any reason to change these values (note: the first dialog will display quickly, then display the next dialog). At this point a private key for this CA will also be generated.
Configuration of components then happens. This will take a few minutes.
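The installation of sections 1.1 and 1.2 in script form, with the checks a practitioner wants afterwards, as an added example that is not part of the original document or of Centrify's tooling. It assumes Windows Server 2008 R2 (the ServerManager PowerShell module does not exist on 2008 RTM, where the Add Roles wizard is the only route), an elevated session, and placeholder names for the CA host, CA common name and CRL file; the Enterprise root CA configuration wizard itself still has to be run by hand on this platform.

```powershell
# Added example, not from the original document. Windows Server 2008 R2,
# elevated PowerShell session.
Import-Module ServerManager

# Web Server (IIS) plus the two AD CS role services the document selects.
# Installing IIS in the same operation (or earlier) is what lets the CA wizard
# create the CertEnroll and /certsrv virtual directories automatically.
Add-WindowsFeature Web-Server, ADCS-Cert-Authority, ADCS-Web-Enrollment

# The Enterprise root CA itself is configured through the wizard (section 1.2);
# 2008 R2 has no cmdlet for that step. Afterwards, verify from any domain host.
$CaConfig = 'ca01.corp.example.com\Corp-Root-CA'   # placeholder: "host\CA common name"
$CaHost   = 'ca01.corp.example.com'                # placeholder

# 1. Does the CA service answer?
certutil -config $CaConfig -ping

# 2. Where does the CA publish its CRL? The CDP URLs written into issued
#    certificates come from this registry value; one of them must be an
#    http:// URL on this host for certgp.pl to succeed.
certutil -config $CaConfig -getreg CA\CRLPublicationURLs

# 3. Fetch the CRL exactly as certgp.pl does: unauthenticated HTTP from IIS.
#    Default virtual directory is /CertEnroll; the file is named after the CA.
$CrlUrl  = "http://$CaHost/CertEnroll/Corp-Root-CA.crl"   # placeholder CA name
$CrlFile = Join-Path $env:TEMP 'rootca.crl'
(New-Object System.Net.WebClient).DownloadFile($CrlUrl, $CrlFile)
certutil -dump $CrlFile | Select-String 'Issuer', 'NextUpdate', 'CRL Number'

# 4. Are the Web Enrollment pages (request / pending / download CRL) up?
#    /certsrv uses Windows authentication, so pass the caller's credentials.
$wc = New-Object System.Net.WebClient
$wc.UseDefaultCredentials = $true
if ($wc.DownloadString("http://$CaHost/certsrv/") -match 'Request a certificate') {
    'Web Enrollment is answering'
} else {
    'certsrv did not return the enrollment page'
}
```

Step 3 is the one worth keeping around: it is the same fetch a Unix host will make during adgpupdate, so if it fails here (name resolution, firewall, a CDP that points at an LDAP or file path instead of HTTP) it will fail there too.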
1.3 Add Root CA Certificate as a Trust Anchor
After the installation of the root CA, its certificate needs to be added to the group policy object where the IPsec policies are defined. Doing this enables the certificate to be downloaded to any machine that joins the domain. (An enterprise CA also publishes its certificate into the Certification Authorities container of the AD configuration naming context at install time, which is how Windows domain members obtain it; the GPO import makes the trust anchor explicit in the same policy that carries the IPsec settings.)
Open the Certificates snap-in (mmc -> Add/Remove Snap-in -> Certificates -> Add -> Computer account -> Local computer -> Finish), and navigate to the Trusted Root Certification Authorities -> Enterprise -> Certificates container. In this container will be the root certificate that was generated during the CA installation process. Double-click on this certificate to bring up a dialog box where you can view the certificate details.
Note: the Enterprise container is only shown when the options "Physical certificate stores" and "Archived certificates" are checked (select the Trusted Root Certification Authorities node, then View -> Options on the menu bar).
From the Details tab, choose the Copy to File button. This starts the Certificate Export Wizard, which guides you through the process of saving the certificate to a file. If it asks whether to export the private key, choose No. The format of the exported file should be DER encoded binary X.509 (.CER) (this will most likely be the default selection). Save the certificate to a file.
At this point the Group Policy editor should be invoked (on Windows Server 2008, open Group Policy Management (gpmc.msc), right-click the GPO and choose Edit; on older domain controllers, ADUC -> right-click domain -> Properties -> Group Policy tab -> Edit). Within the GPO, open Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities. Right-click on this container, select Import, and follow the instructions to import the root certificate into the GPO.
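An added example (not from the original document) for the export step above and for checking that the trust anchor actually reached domain members through each channel. The CA configuration string, output path and CA name are placeholders; the GPO import itself is still done in the Group Policy editor as described.

```powershell
# Added example, not from the original document. Run the first part on the CA
# (or any host with the AD CS admin tools), the second on a domain member.
$CaConfig = 'ca01.corp.example.com\Corp-Root-CA'     # placeholder: "host\CA common name"
$RootCer  = Join-Path $env:TEMP 'Corp-Root-CA.cer'   # placeholder output path

# Export the CA's own certificate as a DER .cer. Only the public certificate
# is written; the CA's private key stays where the wizard generated it.
# This is the command-line equivalent of the Copy to File wizard above.
certutil -config $CaConfig -ca.cert $RootCer

# Read back what is about to become a domain-wide trust anchor: it must be
# self-signed (Subject equals Issuer) and marked Subject Type=CA, and you want
# the SHA1 hash to compare against on the clients below.
certutil -dump $RootCer | Select-String 'Subject:', 'Issuer:', 'Subject Type', 'Cert Hash'

# --- On a domain-joined Windows machine, after gpupdate /force ---

# a) The copy delivered by the GPO import (the store the Public Key Policies
#    node of the GPO fills).
certutil -store -grouppolicy Root | Select-String 'Subject:', 'Cert Hash'

# b) The copy published in AD by the enterprise CA install, which domain
#    members receive even without the GPO; both should show the same hash.
certutil -store -enterprise Root | Select-String 'Subject:', 'Cert Hash'

# c) The effective machine Trusted Root store that IPsec/IKE on Windows
#    consults when validating a peer certificate.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*Corp-Root-CA*' } |     # placeholder CA name
    Select-Object Subject, Thumbprint, NotAfter
```

If (a) is empty but (b) is populated, the GPO import was skipped or the GPO is not linked to the machine's OU; if the hashes differ, a stale export from an earlier CA install was imported and should be removed from the GPO.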
1.4 Add Autoenrollment at the GPO Level
Certificate enrollment enables a user, machine, or service to participate in and use PKI-enabled applications. Enrollment can also be initiated automatically for machine accounts that are part of a Windows domain environment. This feature is known as certificate autoenrollment. It not only handles certificate enrollment, but also automates certificate renewal and certain housekeeping tasks, such as removing revoked certificates from a machine's certificate store.
For Windows machines, it is possible to enable autoenrollment at the GPO level. To do this, open the Group Policy editor, go to the Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies container, and open the Certificate Services Client - Auto-Enrollment properties dialog box. Set the configuration model to Enabled (the "Enroll certificates automatically" option on older systems), then check both "Renew expired certificates, update pending certificates, and remove revoked certificates" and "Update certificates that use certificate templates"; the first of these is what performs the renewal and revoked-certificate housekeeping described above. This is shown in the picture below:
You'll note that this is for autoenrollment of Windows-based machines. DirectSecure uses the various attributes supported by the autoenrollment feature to determine which certificates need to be requested, by evaluating the certificate templates when a computer joins a domain.
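Added example, not from the original document: on a domain-joined Windows machine, confirm what the policy setting above delivered and trigger an autoenrollment pass immediately rather than waiting for the scheduled one. The interpretation of the AEPolicy registry value (key or value absent = not configured, 0x8000 = disabled, 7 = enabled with both options checked) is an assumption taken from Microsoft's documentation of that value and should be verified on your build; the registry path, certutil -pulse and the event source are standard.

```powershell
# Added example, not from the original document. Run on a domain-joined
# Windows machine in an elevated session.
$AeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'

function Get-AutoEnrollmentState {
    # Interprets the AEPolicy value that the GPO setting above writes.
    # ASSUMED meanings (verify on your build): key or value absent = Not
    # configured; bit 0x8000 set = Disabled; 7 = Enabled with both options.
    if (-not (Test-Path $AeKey)) { return 'Not configured (policy not applied here yet)' }
    $v = (Get-ItemProperty -Path $AeKey -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($v -eq $null)    { return 'Not configured' }
    if ($v -band 0x8000) { return ('Disabled (AEPolicy=0x{0:X})' -f $v) }
    if ($v -eq 7)        { return 'Enabled: renew/update/remove-revoked and update-templated-certificates both on' }
    return ('Enabled with a partial option set (AEPolicy=0x{0:X}); re-check the two checkboxes' -f $v)
}

gpupdate /target:computer /force | Out-Null
Get-AutoEnrollmentState

# Run the autoenrollment task now instead of waiting for its schedule
# (it otherwise runs at boot and on policy refresh).
certutil -pulse

# Autoenrollment reports to the Application log; the most recent entries say
# whether a template was found, a request was issued, or why nothing happened.
Get-EventLog -LogName Application -Newest 500 |
    Where-Object { $_.Source -like '*AutoEnrollment*' } |
    Select-Object TimeGenerated, EntryType, EventID, Message -First 5
```

This only exercises the Windows client side; on the Unix hosts the equivalent pass is adgpupdate, and the template evaluation DirectSecure performs there is what the next section sets up.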
1.5 Create a new certificate template with autoenrollment permission
Open the Certificate Templates snap-in (certtmpl.msc) and select a template from the list (e.g. choose Workstation Authentication). Right-click to open the popup menu and choose Duplicate Template. When asked for the minimum supported CA, choose Windows Server 2003, Enterprise Edition: that produces a version 2 template, the lowest version that carries an Autoenroll permission. The diagram below shows what the Certificate Templates snap-in looks like, with the new template called NewCATemplate.
Once the Duplicate Template operation is selected, a properties dialog box is displayed which allows you to modify the contents of the template. For our purposes we will focus on 3 items. You can change other information in the template, such as validity and renewal periods, but it is not necessary. The described steps create a new certificate template that supports autoenrollment:
From the General tab, fill in the Template Display Name with a value such as "CentrifyIPsecTemp".
From the Security tab, select Domain Computers, and then in the lower box select the Allow checkbox for the Autoenroll permission. Read and Enroll must also be allowed for the same group; Autoenroll without Enroll does nothing.
From the Extensions tab, select Application Policies. Make sure the Client Authentication (1.3.6.1.5.5.7.3.2) and Server Authentication (1.3.6.1.5.5.7.3.1) policies are included. If you chose to duplicate the Workstation Authentication template, you will need to add Server Authentication.
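Added example, not from the original document: check the duplicated template's ACL and application policies in AD, check that the CA is offering it (step 6 of the summary), and inspect what a domain computer actually received. It assumes the template was saved with the display name CentrifyIPsecTemp and no spaces (so its AD common name is the same string), a placeholder CA configuration string, and that an autoenrollment pass has already run on the machine where the last part is executed.

```powershell
# Added example, not from the original document. Part 1 needs the AD CS admin
# tools (dsacls, certutil); part 2 runs on a domain computer that has already
# autoenrolled.
$TemplateName = 'CentrifyIPsecTemp'                     # display name from the text; no spaces, so CN matches
$CaConfig     = 'ca01.corp.example.com\Corp-Root-CA'    # placeholder: "host\CA common name"
$ConfigNC     = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$TemplateDN   = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNC"

# 1a. ACL: Domain Computers needs Read + Enroll + Autoenroll on the template object.
dsacls $TemplateDN | Select-String 'Domain Computers'

# 1b. Application policies stored on the template in AD.
#     1.3.6.1.5.5.7.3.2 = Client Authentication, 1.3.6.1.5.5.7.3.1 = Server Authentication
certutil -v -dstemplate $TemplateName |
    Select-String 'pKIExtendedKeyUsage', 'msPKI-Certificate-Application-Policy', '1\.3\.6\.1\.5\.5\.7\.3\.[12]'

# 1c. Is the CA actually offering the template (step 6 of the summary)?
certutil -config $CaConfig -CATemplates | Select-String $TemplateName

# 2. On the client: list machine certificates that carry both EKUs and show
#    the template each came from.
function Get-AutoEnrolledIpsecCerts {
    $required = '1.3.6.1.5.5.7.3.2', '1.3.6.1.5.5.7.3.1'
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        foreach ($cert in $store.Certificates) {
            $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
            if (-not $ekuExt) { continue }
            $present = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
            $missing = @($required | Where-Object { $present -notcontains $_ })
            if ($missing.Count -ne 0) { continue }
            # 1.3.6.1.4.1.311.21.7 = Certificate Template Information (v2 and later templates)
            $tmplExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
            New-Object PSObject -Property @{
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
                NotAfter   = $cert.NotAfter
                Template   = $(if ($tmplExt) { $tmplExt.Format($false) } else { '(no template extension)' })
            }
        }
    } finally {
        $store.Close()
    }
}
Get-AutoEnrolledIpsecCerts | Format-Table -AutoSize
```

If 1a shows Enroll but not Autoenroll, the Security tab change was not saved; if 1b lacks 1.3.6.1.5.5.7.3.1 the Server Authentication policy was not added; and if 1c prints nothing, the template exists but step 6 has not been done, so no client can receive it regardless of the GPO settings.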
Application policies give the ability to decide which certificates can be used for certain purposes. Application policies are settings that inform a target that the subject holds a certificate that can be used to perform a specific task. They are