Configuring a CA for Autoenrollment in Win2K8

By Jack Gardner,2014-06-25 14:38
9 views 0
win2k8 configuring go in for javascript for in in for the kill js for in for in shell for in for all entries in for each in

     Public Domain Environments

    Configuring a CA for Autoenrollment in


    We Software Ltd.

    Suite 335, 1 Science Park East Avenue

    Hong Kong Science Park, Shatin, Hong Kong

    Phone: (852) 3188 2929

    Fax: (852) 3188 2939

    C H I N A ; H O N G K O N G ; U S A

Copyright Notice

2005 We Software Ltd.

    Public Domain Env Setup MES-01 Page 1 of 16

     Public Domain Environments

    This document is prepared solely for WeSoft Centrify Testing Team to use as reference. No part of this document may be reproduced or retransmitted in any form or by any means electronically and mechanically without written permission of WeSoft.

; Filename: Public Domain Environments Setup

    ; Last Saved: 6/25/2013 2:42:00 PM

    ; Printed On: 6/25/2013 2:42:00 PM

Public Domain Env Setup MES-01 Page 2 of 16

     Public Domain Environments

    Change Control

    The change control page will be used to record information for controlling and tracking

    modifications made to this document.

    Revision Date Version Author(s) Summary of Change(s) Approved By mm/dd/yy

    0.1 02/10/2012 Candy Xue

Public Domain Env Setup MES-01 Page 3 of 16

     Public Domain Environments


    This document describes how to configure CA for Autoenrollment in our new domain environment.

    This document describes how to setup a certificate authority (CA) that enables PKI to be used by Direct Security. Along with the CA, configuration of certificate templates and autoenrollment are also discussed.

    You will also know how to verify CA and some Troubleshooting Certificate Templates from this doc.

    ; Certificate templates define the content and characteristics of a certificate, and are stored in the AD configuration naming context. They are used to define the certificate types a CA can issue, and for setting which users can enroll and/or autoenroll for which certificate types.

    ; Autoenrollment is the capability that allows users and machines to automatically enroll certificates. For our purposes, we only focus on machine enrollment. The autoenrollment capability

    is used by DirectSecure, such that when a computer joins a domain via adjoin, the appropriate

    certificates are automatically downloaded to the computer, and can subsequently be used by IKE when PKI is chosen for authentication and encryption.

Public Domain Env Setup MES-01 Page 4 of 16

     Public Domain Environments

The installation/configuration steps are summarized as follows:

    1. Install Internet Information Services (IIS) on the host where the CA will be installed

    2. Install an enterprise certificate server for the domain

    3. Add trusted root certificate to group policy object

    4. Enable autoenrollment at the GPO level

    5. Create a new certificate template with autoenrollment permission.

    6. Assign [new] certificate template to CA so it can issue certificates

    1.1 Install IIS

    When Certificate Services is installed on a computer running IIS, the default (or primary) Web site is updated so that you can perform key certificate tasks using the HTTP protocol. These tasks include

    ; Retrieving CRLs

    ; Requesting certificates

    ; Checking on pending certificates

    Components of DirectSecure make use of the above operations during its operation by making various HTTP requests, hence the reason why IIS must exist. For example, during the adgpupdate process, the Centrify script will make a request to the IIS server to retrieve the CRL for the root certificate being used. The screenshot below shows the services added to IIS:

    To install IIS. It is possible to install both IIS and Certificate Services at the same time. This will effectively take care of items in this section and the section below. It is highly recommended that you install IIS

    either at the same time, or before Certificate Services. If you install IIS after Certificate Services, you will have to manually perform these operations and that will add time and complexity to your effort.

    On your Windows Server, Open Sever Manager and select Roles-> Click Add Roles. This will bring up the Add Roles Wizard. Select Application Server [IIS] and Certificate Services from the list to install.

    The screenshot below provides an example.

    Public Domain Env Setup MES-01 Page 5 of 16

Public Domain Environments

Click Next button to continue the install, choose the option on Role Services as below.

Public Domain Env Setup MES-01 Page 6 of 16

     Public Domain Environments

    1.2 Install an Enterprise Certificate Server (CA)

    Installing a CA in Enterprise mode provides full integration with Active Directory. This means, among other things, that the CA will use the certificate templates stored in the AD configuration naming context. Since this scenario will provide a single, root CA, this need to be an enterprise mode installation.

Follow up 1.1 sections to install a Enterprise root CA.

    At the screen to choose the CA Type, a list of options will be present. Choose the Enterprise root CA option. If this option is not available, you do not have the correct permissions. Stop this operation and login using an account that has the appropriate permissions.

    The next screen allows for the naming of the CA. One can also set the validity period (default is 5 years), and distinguished name suffix. Don't modify the DN suffix unless you really know what you are doing (and even then, don't do it).

    The next 2 screens focus on where the certificate database is created. There isn't any reason to change these values (note: the first dialog will display quickly, then display the next dialog). At this point a private key for this CA will also be generated.

    Configuration of components then happens. This will take a few minutes.

Public Domain Env Setup MES-01 Page 7 of 16

     Public Domain Environments

    1.3 Add Root CA Certificate as a Trust Anchor

    After the installation of the root CA, its certificate will need to be added to the group policy object where the ipsec policies are defined. Doing this enables the certificate to be downloaded to any machine that joins the domain.

    Open up the Certificates snap-in (mmc->add/remove snapin->Certificates->Add->Computer account->Local computer->Finish), and navigate to the Trusted Root Certification Authorities->Enterprise->Certificates container. In this container will be a root certificate that was generated during the CA installation process. Double-click on this certificate and it will bring up a dialog box where you can view the certificate details. Note: The Enterprise container will be shown when checking options Physical certificate stores and

    Archived certificates by clicking Trusted Root Certification Authorities node-> Menu bar View-> Option.

    From the Details tab, choose the Copy to File button. This will start the Certificate Export Wizard which will guide you through the process of saving the certificate to a file. When it asks whether to save the private key, choose No. The format of the exported file should be DER encoded binary X.509 (.CER) (this will most likely be the default selection). Save the certificate to a file.

    At this point the Group Policy Editor should be invoked (easiest way is to go to ADUC->right-click domain->properties->Group Policy tab->edit). From within the AD configuration naming context, open the Windows Settings->Security Settings->Public Key Policies->Trusted Root Certification Authorities container. Right-click on this container objects, and selects Import. Follow the instructions and import the root certificate into the GPO.

    Public Domain Env Setup MES-01 Page 8 of 16

     Public Domain Environments

    1.4 Add Autoenrollment at the GPO Level

    Certificate enrollment enables a user, machine, or service to participate in and use PKI-enabled applications. Enrollment can also be initiated automatically for machine accounts that are part of a Windows domain environment. This feature is known as certificate autoenrollment. It not only handles certificate enrollment, but also automates certificate renewal and certain housekeeping tasks, such as removing revoked certificates from a machine's certificate store.

    For windows machines, it is possible to enable autoenrollment at the GPO level. To do this, open the Group Policy snap-in, go to the Windows Settings->Security Settings->Public Key Policies container, and open the Certificate Services Client - Autoenrollment Settings Properties dialog box. Check the "Enroll certfiicates automatically" and check the "Update certificates that use certificate templates" checkbox. This is shown in the picture below:

You'll note that this is for autoenrollment of Windows based machines. DirectSecure will use the various

    attributes supported by the autoenrollment feature to determine which certificates need to be requested, by

    evaluating the certificate templates when a computer joins a domain.

Public Domain Env Setup MES-01 Page 9 of 16

     Public Domain Environments

    1.5 Create a new certificate template with autoenrollment


    Open the Certificate Templates snap-in, and select a template from the list (e.g. choose Workstation Authentication). Make sure it minimally supports Windows Server 2003, Enterprise Edition. Right click to open the popup menu and choose Duplicate Template. The diagram below shows what the Certificate

    Templates snap-in looks like, with the new template called New CA Template.

    Once the "Duplicate Template" operation is selected, a properties dialog box will be displayed, which allows you to modify the contents of the template. For our purposes, we will focus on 3 items. You can change other information of the template, such as expiration dates, etc. But it is not necessary. The described steps will create a new certificate template that supports autoenrollment:

    From the General tab, fill in the Template Display Name with a value - such as "Centrify IPsec Temp" From the Security tab, select Domain Computers, and then in the lower box, select the allow checkbox for

    the autoenroll permission.

    Public Domain Env Setup MES-01 Page 10 of 16

Report this document

For any questions or suggestions please email