- Windows Server 2012 Automation with PowerShell Cookbook
- Ed Goad
- 2021-07-27 18:09:55
Building out a PKI environment
Windows Active Directory domains are a great way to authenticate users and computers. Using a central store of accounts and passwords, requests can be easily authenticated, and accounts can be quickly added, updated, or removed as needed. While this is a great method for authentication within the domain, it does not work as well outside of it. Situations where the domain controller may not be reachable, where the authority of the domain controller is in question, or where resources outside the domain are being accessed call for an alternative authentication method.
Certificates allow the creation of an authentication infrastructure built on a chain of trust. Instead of joining a domain, and thereby trusting its domain controllers, you trust a Certificate Authority (CA). The CA is responsible for issuing certificates that authenticate a user or computer. By trusting the CA, you implicitly trust every certificate it issues, which is also why the CA's signing key must be protected at least as carefully as a domain controller.
Windows Server can operate both as an Active Directory domain controller and as a Certificate Authority. This provides the basis for several technologies in a domain, such as secure web servers, IPsec, and DirectAccess. The following recipe covers the steps needed to install and configure a Public Key Infrastructure (PKI) environment.
Getting ready
This particular recipe installs and configures an enterprise root CA, which requires a domain environment to operate. If you do not have a domain environment, the recipe can still be used, but the -CAType parameter needs to be changed to StandaloneRootCA so that the CA does not depend on Active Directory.
How to do it...
Carry out the following steps to build a PKI environment:
- Install certificate server:
Get-WindowsFeature | Where-Object Name -Like *cert*
Install-WindowsFeature AD-Certificate -IncludeManagementTools -IncludeAllSubFeature
- Configure the server as an enterprise CA:
Install-AdcsCertificationAuthority -CACommonName corp.contoso.com -CAType EnterpriseRootCA -Confirm:$false
- Install root certificate to trusted root certification authorities store:
certutil -pulse
- Enable machine autoenrollment so that a machine certificate is requested from the CA:
Set-CertificateAutoEnrollmentPolicy -PolicyState Enabled -Context Machine -EnableTemplateCheck
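The four steps above, as an added example that is not part of the book's recipe, collapsed into one script that installs only the CA role service and passes the key length, hash algorithm, and root validity explicitly rather than relying on the defaults, then checks that the CA actually came up. It assumes an elevated PowerShell session on a domain-joined Windows Server 2012 or later host, run by an Enterprise Admin; the CA common name is the one the recipe uses, and the 4096-bit key and ten-year validity are illustrative choices, not values from the book.

```powershell
# Added example, not the book's code. Builds the enterprise root CA from the
# recipe with explicit crypto settings and verifies the result.
# Assumptions: elevated session, domain-joined server, Enterprise Admin rights.
$caName = 'corp.contoso.com'   # the CA common name the recipe uses

# 1. Install only the Certification Authority role service.
#    The recipe's -IncludeAllSubFeature also installs Web Enrollment, NDES,
#    the enrollment web services and the Online Responder, each an extra
#    network-facing surface that this recipe never configures or hardens.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# 2. Configure the enterprise root CA. Key length, hash algorithm, provider and
#    root validity are set explicitly so the outcome does not depend on the
#    defaults of a particular Windows Server version.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName $caName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -Force

# 3. Confirm the service is running and the CA answers DCOM requests.
$svc = Get-Service -Name CertSvc
if ($svc.Status -ne 'Running') { throw "CertSvc is $($svc.Status), expected Running" }
certutil -ping
certutil -cainfo name

# 4. Inspect the root certificate clients will be asked to trust and check that
#    the key size and signature algorithm match what was requested.
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "CN=$caName*" }
if (-not $root) { throw "Root CA certificate for $caName not found in LocalMachine\Root" }
$root | Format-List Subject, NotBefore, NotAfter, Thumbprint,
    @{ Name = 'KeySize'; Expression = { $_.PublicKey.Key.KeySize } },
    @{ Name = 'SigAlg';  Expression = { $_.SignatureAlgorithm.FriendlyName } }

# 5. Enable machine autoenrollment locally and trigger it now, as in the recipe.
Set-CertificateAutoEnrollmentPolicy -PolicyState Enabled -Context Machine -EnableTemplateCheck
certutil -pulse
```

Two notes on the choices made here. Using the domain's FQDN as the CA common name, as the recipe does, works but is easy to confuse with the domain itself in certificate viewers and logs; a descriptive name such as a company root CA name is the more common convention. The check in step 4 is worth keeping even in a lab: if the provider or key length were mistyped, the root would still be issued and trusted, and the weakness would only surface much later.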
How it works...
The first two steps install and configure the certificate services on the target server. The certificate server is configured as an enterprise root CA named corp.contoso.com, with the default configuration settings; because the root's key length, hash algorithm, and validity period are hard to change after the fact, it is worth reviewing those defaults before running the command in anything other than a lab.
The third step uses the certutil.exe utility to trigger the autoenrollment client, which on a domain member downloads the root CA certificate that the enterprise CA published to Active Directory and installs it in the trusted root certification authorities store. Lastly, machine autoenrollment is enabled locally, so a machine certificate is requested from the CA using the default autoenrollment policy.
There are four types of Certificate Authorities supported by Windows Server:
- Enterprise root CA
- Enterprise subordinate CA
- Standalone root CA
- Standalone subordinate CA
The two enterprise CA types are designed to integrate with Active Directory domains: they publish their certificates to AD, issue from certificate templates, and can authenticate requesters with domain credentials, which is what makes autoenrollment possible. Standalone CA types operate similarly to third-party CAs and do not integrate with AD. Additionally, the subordinate CA types are child authorities whose own certificates are signed by a root (or higher subordinate) authority, delegating to them the permission to issue certificates; clients that trust the root trust the whole chain below it.
There's more…
Once the PKI environment is implemented, the next step is to create a group policy to have clients autoenroll. Unfortunately, there is no built-in cmdlet to edit the group policy setting we need, so we have to perform the task manually. The steps below edit the Default Domain Policy for simplicity; outside a lab, putting the setting in a dedicated GPO linked at the domain makes it easier to scope and to roll back. Following are the steps necessary to set up the autoenroll GPO:
- Open Server Manager and select Tools | Group Policy Management.
- Browse to Group Policy Management | Forest: <forestname> | Domains | <domainname>.
- Right-click on Default Domain Policy and select Edit.
- In the Group Policy Management Editor, browse to Default Domain Policy | Computer Configuration | Policies | Windows Settings | Security Settings | Public Key Policies.
- Right-click on Certificate Services Client – Auto-Enrollment and select Properties.
- In the Enrollment Policy Configuration window, set the following fields:
  - Configuration Model: Enabled
  - Check the Renew expired certificates, update pending certificates, and remove revoked certificates checkbox
  - Check the Update certificates that use certificate templates checkbox
- Click on OK and close the Group Policy Management Editor.
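Once the GPO above is linked, the question a practitioner wants answered is whether it actually reached a given client and produced a certificate. The following added example, which is not part of the book, runs on a domain member: it refreshes computer policy, reads back the autoenrollment policy value the GPO writes, confirms the root CA certificate arrived in the trusted root store, triggers autoenrollment, and lists any machine certificate the CA issued from a template. It assumes the CA name from the recipe, that the client can reach the CA, and that the default Machine template is what autoenrollment issues; the registry path and AEPolicy value are the ones the Auto-Enrollment policy writes, and the bit meanings noted in the comments are assumed from the documented flag layout rather than taken from the book.

```powershell
# Added example, not the book's code. Verifies on a domain member that the
# autoenrollment GPO applied and that the CA issued a machine certificate.
# Assumptions: domain-joined client, CA reachable, recipe's CA name.
$caName = 'corp.contoso.com'

# 1. Refresh computer policy, then read the value the Auto-Enrollment GPO writes.
#    Assumed bit layout: 0x1 template check, 0x2 store management (renew, update,
#    remove), 0x4 pending fetch; both GUI checkboxes enabled give 7; 0x8000 means
#    autoenrollment is explicitly disabled by policy.
gpupdate /target:computer /force | Out-Null
$aeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$ae = (Get-ItemProperty -Path $aeKey -ErrorAction SilentlyContinue).AEPolicy
if ($null -eq $ae)    { throw "No AEPolicy value under $aeKey : the GPO has not applied here" }
if ($ae -band 0x8000) { throw ('Autoenrollment is disabled by policy (AEPolicy=0x{0:X})' -f $ae) }
'AEPolicy = 0x{0:X}' -f $ae

# 2. The enterprise root CA publishes its certificate to AD; after policy refresh
#    it should be present in the machine's Trusted Root store.
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "CN=$caName*" }
if (-not $root) { throw "Root CA certificate for $caName is not in Cert:\LocalMachine\Root" }
'Trusted root: {0} ({1})' -f $root.Subject, $root.Thumbprint

# 3. Trigger autoenrollment now rather than waiting for the scheduled task, then
#    look in the machine store for a certificate issued by the CA that carries a
#    certificate-template extension (v1 and v2 templates use different OIDs).
certutil -pulse | Out-Null
Start-Sleep -Seconds 15
$templateOids = '1.3.6.1.4.1.311.20.2',   # Certificate Template Name (v1 templates)
                '1.3.6.1.4.1.311.21.7'    # Certificate Template Information (v2+)
$issued = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $cert = $_
    $cert.Issuer -like "CN=$caName*" -and
    ($cert.Extensions | Where-Object { $_.Oid.Value -in $templateOids })
}
if (-not $issued) {
    Write-Warning 'No template-issued certificate from the CA yet; check the CA''s Failed Requests and the CertificateServicesClient-AutoEnrollment event log'
} else {
    $issued | Format-List Subject, NotBefore, NotAfter, Thumbprint,
        @{ Name = 'Template'; Expression = {
            ($_.Extensions | Where-Object { $_.Oid.Value -in $templateOids }).Format($false) } }
}
```

If step 1 fails, the problem is policy delivery (link, scope, or security filtering) rather than the CA; if step 2 fails, the CA certificate never reached the AD configuration partition or the client has not refreshed it; if only step 3 comes back empty, check that the Machine template grants Autoenroll to Domain Computers on the CA, since that permission, not the GPO, is what allows the request to be issued.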