Configuring a CA for Autoenrollment in Win2K8.docx

1、Configuring a CA for Autoenrollment in Win2K8Configuring a CA for Autoenrollment in Win2K8 We Software Ltd.Suite 335, 1 Science Park East AvenueHong Kong Science Park, Shatin, Hong KongPhone: (852) 3188 2929Fax: (852) 3188 2939C H I N A H O N G K O N G U S A Copyright Notice 2005 We Software Ltd. Th

2、is document is prepared solely for WeSoft Centrify Testing Team to use as reference. No part of this document may be reproduced or retransmitted in any form or by any means electronically and mechanically without written permission of WeSoft. Filename: Public Domain Environments Setup Last Saved: 2/

3、10/2012 5:14:00 PM Printed On: 0/0/0000 0:00:00 AMChange Control The change control page will be used to record information for controlling and tracking modifications made to this document.VersionRevision Date mm/dd/yyAuthor(s)Summary of Change(s)Approved By0.102/10/2012Candy Xue1 IntroductionThis d

4、ocument describes how to configure CA for Autoenrollment in our new domain environment. This document describes how to setup a certificate authority (CA) that enables PKI to be used by Direct Security. Along with the CA, configuration of certificate templates and autoenrollment are also discussed. Y

5、ou will also know how to verify CA and some Troubleshooting Certificate Templates from this doc. Certificate templates define the content and characteristics of a certificate, and are stored in the AD configuration naming context. They are used to define the certificate types a CA can issue, and for

6、 setting which users can enroll and/or autoenroll for which certificate types. Autoenrollment is the capability that allows users and machines to automatically enroll certificates. For our purposes, we only focus on machine enrollment. The autoenrollment capability is used by DirectSecure, such that

7、 when a computer joins a domain via adjoin, the appropriate certificates are automatically downloaded to the computer, and can subsequently be used by IKE when PKI is chosen for authentication and encryption. The installation/configuration steps are summarized as follows: 1. Install Internet Informa

8、tion Services (IIS) on the host where the CA will be installed 2. Install an enterprise certificate server for the domain 3. Add trusted root certificate to group policy object 4. Enable autoenrollment at the GPO level 5. Create a new certificate template with autoenrollment permission. 6. Assign ne

9、w certificate template to CA so it can issue certificates 1.1 Install IIS When Certificate Services is installed on a computer running IIS, the default (or primary) Web site is updated so that you can perform key certificate tasks using the HTTP protocol. These tasks include Retrieving CRLs Requesti

10、ng certificates Checking on pending certificates Components of DirectSecure make use of the above operations during its operation by making various HTTP requests, hence the reason why IIS must exist. For example, during the adgpupdate process, the Centrify script certgp.pl will make a request to the

11、 IIS server to retrieve the CRL for the root certificate being used. The screenshot below shows the services added to IIS: To install IIS. It is possible to install both IIS and Certificate Services at the same time. This will effectively take care of items in this section and the section below. It

12、is highly recommended that you install IIS either at the same time, or before Certificate Services. If you install IIS after Certificate Services, you will have to manually perform these operations and that will add time and complexity to your effort. On your Windows Server, Open Sever Manager and s

13、elect Roles- Click Add Roles. This will bring up the Add Roles Wizard. Select Application Server IIS and Certificate Services from the list to install. The screenshot below provides an example. Click Next button to continue the install, choose the option on Role Services as below.1.2 Install an Ente

14、rprise Certificate Server (CA)Installing a CA in Enterprise mode provides full integration with Active Directory. This means, among other things, that the CA will use the certificate templates stored in the AD configuration naming context. Since this scenario will provide a single, root CA, this nee

15、d to be an enterprise mode installation.Follow up 1.1 sections to install a Enterprise root CA. At the screen to choose the CA Type, a list of options will be present. Choose the Enterprise root CA option. If this option is not available, you do not have the correct permissions. Stop this operation

16、and login using an account that has the appropriate permissions. The next screen allows for the naming of the CA. One can also set the validity period (default is 5 years), and distinguished name suffix. Dont modify the DN suffix unless you really know what you are doing (and even then, dont do it).

17、 The next 2 screens focus on where the certificate database is created. There isnt any reason to change these values (note: the first dialog will display quickly, then display the next dialog). At this point a private key for this CA will also be generated. Configuration of components then happens.

18、This will take a few minutes.1.3 Add Root CA Certificate as a Trust AnchorAfter the installation of the root CA, its certificate will need to be added to the group policy object where the ipsec policies are defined. Doing this enables the certificate to be downloaded to any machine that joins the do

19、main. Open up the Certificates snap-in (mmc-add/remove snapin-Certificates-Add-Computer account-Local computer-Finish), and navigate to the Trusted Root Certification Authorities-Enterprise-Certificates container. In this container will be a root certificate that was generated during the CA installa

20、tion process. Double-click on this certificate and it will bring up a dialog box where you can view the certificate details. Note: The Enterprise container will be shown when checking options “Physical certificate stores” and “Archived certificates” by clicking Trusted Root Certification Authorities

21、 node- Menu bar View- Option. From the Details tab, choose the Copy to File button. This will start the Certificate Export Wizard which will guide you through the process of saving the certificate to a file. When it asks whether to save the private key, choose No. The format of the exported file sho

22、uld be DER encoded binary X.509 (.CER) (this will most likely be the default selection). Save the certificate to a file. At this point the Group Policy Editor should be invoked (easiest way is to go to ADUC-right-click domain-properties-Group Policy tab-edit). From within the AD configuration naming

23、 context, open the Windows Settings-Security Settings-Public Key Policies-Trusted Root Certification Authorities container. Right-click on this container objects, and selects Import. Follow the instructions and import the root certificate into the GPO.1.4 Add Autoenrollment at the GPO LevelCertifica

24、te enrollment enables a user, machine, or service to participate in and use PKI-enabled applications. Enrollment can also be initiated automatically for machine accounts that are part of a Windows domain environment. This feature is known as certificate autoenrollment. It not only handles certificat

25、e enrollment, but also automates certificate renewal and certain housekeeping tasks, such as removing revoked certificates from a machines certificate store. For windows machines, it is possible to enable autoenrollment at the GPO level. To do this, open the Group Policy snap-in, go to the Windows S

26、ettings-Security Settings-Public Key Policies container, and open the Certificate Services Client - Autoenrollment Settings Properties dialog box. Check the Enroll certfiicates automatically and check the Update certificates that use certificate templates checkbox. This is shown in the picture below

27、: Youll note that this is for autoenrollment of Windows based machines. DirectSecure will use the various attributes supported by the autoenrollment feature to determine which certificates need to be requested, by evaluating the certificate templates when a computer joins a domain. 1.5 Create a new

28、certificate template with autoenrollment permission Open the Certificate Templates snap-in, and select a template from the list (e.g. choose Workstation Authentication). Make sure it minimally supports Windows Server 2003, Enterprise Edition. Right click to open the popup menu and choose Duplicate T

29、emplate. The diagram below shows what the Certificate Templates snap-in looks like, with the new template called New CA Template. Once the Duplicate Template operation is selected, a properties dialog box will be displayed, which allows you to modify the contents of the template. For our purposes, w

30、e will focus on 3 items. You can change other information of the template, such as expiration dates, etc. But it is not necessary. The described steps will create a new certificate template that supports autoenrollment: From the General tab, fill in the Template Display Name with a value - such as C

31、entrify IPsec Temp From the Security tab, select Domain Computers, and then in the lower box, select the allow checkbox for the autoenroll permission. From the Extensions tab, select Application Policies. Make sure Client Authentication and Server Authentication policies are included. If you chose t

32、o duplicate the Workstation Authentication Template, you will need to add Server authentication. Application policies give the ability to decide which certificates can be used for certain purposes. Application policies are settings that inform a target that the subject holds a certificate that can be used to perform a specific task. They are