
Chapter 4: Working with Certificates

Understanding certificates used to be something that many people avoided. In many areas of IT, you could get by without dealing with them; they were for the networking team, not for anybody doing development or desktop support. However, times have changed, and a solid understanding of the common certificate types is quickly becoming a skill that anyone in support should possess. Security is increasingly focused on certificates, and with the exponential increase in the number of applications served via the web, understanding the certificates that protect these services is more important than ever.

Almost anyone who has set up a website has dealt with SSL certificates from a public Certification Authority (CA), but did you know that you can be your own CA? That you can issue certificates to the machines in your network, right from your own CA server? Follow along as we explore some of the capabilities of Windows Server 2019 while running as a CA server in our network.

Together, we are going to build a public key infrastructure (PKI) environment inside our network and use it for some common certificate issuing tasks. By the end of this chapter, you should be comfortable with creating a PKI in your own environment, which will prepare you for any requirements you may encounter when working with certificate-based technologies.

This chapter will cover the following recipes:

  • Setting up the first Certification Authority server in a network
  • Building a subordinate Certification Authority server
  • Creating a certificate template to prepare for issuing machine certificates to your clients
  • Publishing a certificate template to allow enrollment
  • Using MMC to request a new certificate
  • Using the web interface to request a new certificate
  • Using PowerShell to request a new certificate
  • Configuring Autoenrollment to issue certificates to all domain-joined systems
  • Renewing your root certificate
  • Revoking a certificate

    Important Note

    You may have seen the acronyms Secure Sockets Layer (SSL) and Transport Layer Security (TLS) used before and wondered what the difference is. In practice, these are two names for the same thing, and they both use certificates (the proper name for certificates, by the way, is X.509, but nobody uses that either). After the SSL v3 protocol was released, it was followed by the TLS v1 protocol. The current correct name is TLS, but a lot of people are unfamiliar with this term. So, for this book, we're going to use the term SSL, but know that this also means TLS.
