In the previous part of this two-part series I talked about what certificates are, why they are important, where they can be used, and some best practices. In this article, I will show you how to set up a basic one-tier Certificate Authority on a Windows Server 2008 R2 Standard server, create user and machine certificates from templates, deploy them via GPO, and verify them.

Andrew Jacops

Andrew Jacops is a system/network administrator with over ten years experience managing Windows environments and the network infrastructures they run on.


Certificate Authority Server setup

The first thing we’ll need to do in order to create the CA is to add the Active Directory Certificate Services Role. To accomplish this go to Start, right-click on Computer and select Manage.

Manage

Click on the Roles tree in the left panel and Add Roles on the right.

Manage - Add Roles

Tick the checkbox next to Active Directory Certificate Services and click Next.

Roles Role

This next dialog box is just some information about certificate services and how to get further help. Click Next.

Roles Info

This is the first, and in this case only, CA we will be deploying so check the Certificate Authority box and then Next.

Roles - Role Services

Here we can select if we want to use Enterprise or Standard. In order to take advantage of all of the features Active Directory has to offer, select Enterprise and click Next.

Type

Again, this is our first and only CA so select the Root CA radio button and click Next.

Type Root

There are some cases in which you would want to use an existing private key, such as an upgrade or migration. However, because this is a how-to, select Create a new private key and click Next.

Key - New Key

This next dialog box is where we select the strength of the private key and the hash algorithm. 2048 is the lowest recommended key length. When you have decided how strong you want the key to be, click Next.

Key Encryption

Unless there is a specific reason to change this information, leave it default and click Next.

Key Info

Selecting the length of time the CA certificate is valid is a company-set policy. For the sake of this tutorial, I will leave it at five years. Click Next.

Key - Validity Period

This is another screen that you should keep at the defaults unless there is a specific reason to change it. Click Next.

Certificate Database

The next dialog box gives information about the installation that is about to take place and lets us verify everything. It also gives a nice little warning that you cannot change the CA name after the role has been installed. Once you have verified, click Install.

Certificate - Confirmation

The role will then begin installation. Depending on your server specifications, this shouldn’t take long at all.

Certificate - Installing

Once finished, the Installation Results will pop up and hopefully will read Installation succeeded, at which point the basic CA installation is complete.

Certificate - Results
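The same CA installation can be scripted, which is handy for rebuilding a lab or for recording exactly which wizard options were chosen. The following is an added example, not code from the original article; it assumes Windows Server 2012 or later, where the ADCSDeployment module provides Install-AdcsCertificationAuthority (on 2008 R2 the role is installed through Server Manager as shown above). The CA name CONTOSO-ROOT-CA is a placeholder.

```powershell
# Added example: scripted equivalent of the Server Manager wizard above.
# Assumes Windows Server 2012 or later (ADCSDeployment module); run as an Enterprise Admin.
# CONTOSO-ROOT-CA is a placeholder name. It cannot be changed after installation.

$caName = 'CONTOSO-ROOT-CA'

# Add the role and its management tools (certsrv.msc, certtmpl.msc).
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# Enterprise root CA with a new 2048-bit RSA key in the software KSP, SHA-256 signatures
# and a five-year CA certificate, matching the choices made in the wizard above.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName $caName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 5 `
    -Force

# Verify what was installed: CA type and name as the service sees them...
certutil -cainfo

# ...and the CA's own signing certificate (it carries the private key, so it lives in LocalMachine\My).
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$caName*" -and $_.HasPrivateKey }
'{0}: {1}-bit key, valid until {2:yyyy-MM-dd}' -f $caCert.Subject, $caCert.PublicKey.Key.KeySize, $caCert.NotAfter
```

The last two lines are the check worth keeping: if the key size or the expiry date printed there is not what you intended, the CA has to be uninstalled and rebuilt, because the CA name and key cannot be changed afterwards.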

Creating the certificates

Now that we have successfully installed our root CA, we can begin creating the certificates. Creating the user and computer certificates is very similar, but I will cover both for completeness.

Go to Start, All Programs, Administrative Tools, and click Server Manager.

Template - Server Manager

Expand the Roles tree and select Certificate Templates in the left pane.


In the right pane, all of the certificate templates will show up. Right-click on the User template, click All Tasks, and select Duplicate Template.

Template - Duplicate User Template

Depending on your environment, you may select 2003 or 2008. For simplicity's sake, I have selected 2003. Click OK.

Template - Duplicate User Template Type

You will need to give the certificate a useful name such as “CompanyName User Cert” or something similar. Then select the Request Handling tab at the top.

Template Duplicate User Template General

Again, 2048 is the smallest recommended key length. You can always go stronger, but remember that the longer the key is, the bigger the impact on performance.

Another thing that you have to think about at this point is whether or not you want the private key of this certificate to be exportable. The recommended setting is to not allow an export, since an exportable key can be copied off the machine it was issued to. Deselect Allow private key to be exported and click the Security tab at the top.

Template - Duplicate User Template Request

This is the user certificate, so select Domain Users at the top, check the Enroll and Autoenroll boxes at the bottom, and click OK.

Template - Duplicate User Template Security

Now we need to make this new template available for deployment. In Server Manager, right-click Certificate Templates under the CA server name, select New, and then Certificate Template to Issue.

Template - Duplicate User Template Deploy

Select the certificate template you just created, in this case “Copy of User”, and click OK.

Template Duplicate User Template Select

Ensure that the certificate is present under the Certificate Templates.

Template - Duplicate User Template Verify

The steps are basically the same for creating the computer cert. Select Certificate Templates above the server name in the left pane of Server Manager.

Template - Templates Copy

This time we will right-click the Computer template, select All Tasks, and then Duplicate Template.

Template - Duplicate Computer Template

Again, choose whether you will be utilizing 2003 or 2008. Click OK.

Template - Duplicate Computer Template Type

Give the computer cert a meaningful name such as “CompanyName Computer Cert” and select the Request Handling tab.

Template - Duplicate Computer Template General

Ensure that the key length is at least 2048 and that it cannot be exported. Select the Security tab.

Template - Duplicate Computer Template Request

Since these are the computer certificates, select Domain Computers at the top, check the Enroll and Autoenroll permissions at the bottom, and click OK.

Template - Duplicate Computer Template Security

Perform the same steps to make the computer certificate available for deployment by right-clicking Certificate Templates under the server name and selecting New, then Certificate Template to Issue.

Template - Duplicate Computer Template Deploy

Select the certificate you just created and click OK.

Template - Duplicate Computer Template Select

Ensure that the certificate is now available in the Certificate Templates.

Template - Duplicate Computer Template Verify
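Both templates above were configured by hand in the same way (key length of at least 2048, private key not exportable, Enroll and Autoenroll granted to a group), and those settings are easy to get wrong or to have drift later. The following added example, not part of the original article, audits every template the Enterprise CA publishes directly from the Active Directory objects that back the Certificate Templates snap-in. It assumes the ActiveDirectory RSAT module is available and that the account running it can read the Configuration partition; the bit value and rights GUID used are the documented CT_FLAG_EXPORTABLE_KEY flag and Autoenroll extended right.

```powershell
# Added example: audit published templates for the settings the article stresses
# (minimum key size >= 2048, private key not exportable) and show who may autoenroll.
# Assumes the ActiveDirectory module; run on the CA or a management host as a domain admin.
Import-Module ActiveDirectory

$configNC   = (Get-ADRootDSE).configurationNamingContext
$pkiBase    = "CN=Public Key Services,CN=Services,$configNC"

# msPKI-Private-Key-Flag bit CT_FLAG_EXPORTABLE_KEY, and the Autoenroll extended-right GUID.
$ExportableFlag  = 0x10
$AutoenrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

# All templates defined in the forest, with the two attributes behind the Request Handling tab.
$templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties displayName, 'msPKI-Minimal-Key-Size', 'msPKI-Private-Key-Flag'

# Each Enterprise CA lists the templates it issues (the "Certificate Template to Issue" step above)
# in the certificateTemplates attribute of its enrollment-service object.
$cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates

foreach ($ca in $cas) {
    foreach ($name in $ca.certificateTemplates) {
        $t = $templates | Where-Object { $_.Name -eq $name }
        if (-not $t) { continue }   # published name with no template object: nothing to audit

        $minBits    = [int]$t.'msPKI-Minimal-Key-Size'
        $exportable = ([int]$t.'msPKI-Private-Key-Flag' -band $ExportableFlag) -ne 0

        # Principals granted the Autoenroll right on the template (the Security tab above).
        $autoenrollers = (Get-Acl "AD:\$($t.DistinguishedName)").Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $AutoenrollRight } |
            ForEach-Object { $_.IdentityReference.Value }

        $finding = if ($minBits -lt 2048 -or $exportable) { 'REVIEW' } else { 'OK' }

        [pscustomobject]@{
            CA         = $ca.Name
            Template   = $t.displayName
            MinKeyBits = $minBits
            Exportable = $exportable
            Autoenroll = ($autoenrollers -join '; ')
            Finding    = $finding
        }
    }
}
```

A template flagged REVIEW is not necessarily wrong (some workloads legitimately need exportable keys), but each one should be a deliberate decision, and the Autoenroll column should list only the group you intended, since anything listed there will silently receive certificates once the GPO in the next section is in place.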

Deploying the certificates

Now that the certificates have been created, we can automatically deploy them to our organization using GPO. Open Group Policy Management from Start, All Programs, Administrative Tools.

Deploy GPM

For simplicity's sake, I have chosen to add the auto-enrollment settings to the Default Domain Policy. In many environments this will differ; perhaps only laptop users, or only desktops, should receive certificates. Right-click the policy and click Edit.

Deploy - GPM Policy

Expand Computer Configuration, Policies, Security Settings, and select Public Key Policies. In the right pane, double click Certificate Services Client – Auto-Enrollment.

Deploy GPM Computer

Select the dropdown box next to Configuration Model and select Enabled. We also want to select the first two check boxes. Once complete, click OK.

Client Certificated Services

Next, expand User Configuration, Policies, Windows Settings, Security Settings, and select Public Key Policies. Again, double click on Certificate Services Client – Auto-Enrollment.

Deploy - GPM User

We want to select the same options as the computer certificate and then click OK.

Client Certificated Services

That’s it! The next time a user or computer gets a GPO update, either by running “gpupdate /force” from the command line or by logging in, the computer and user will get the new certificates. You can now utilize them however you would like.
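The two GPO settings above are stored as a single registry value, so they can be set from PowerShell and, more usefully, verified on a client after the policy applies. The following is an added example, not part of the original article. It assumes the GroupPolicy RSAT module, that “Default Domain Policy” is the GPO edited above, and the placeholder CA name CONTOSO-ROOT-CA; the AEPolicy value and the template-information OIDs are the documented ones.

```powershell
# Added example, part 1 (run where the GroupPolicy module is installed):
# set the two "Certificate Services Client - Auto-Enrollment" settings shown above.
Import-Module GroupPolicy

# AEPolicy is the value behind the Auto-Enrollment dialog:
#   0x1 = Enabled, 0x2 = renew expired / update pending / remove revoked, 0x4 = update templated certs,
#   0x8000 = Disabled. 7 = Enabled with the first two boxes ticked.
$aeKey = 'SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
Set-GPRegistryValue -Name 'Default Domain Policy' -Key "HKLM\$aeKey" -ValueName AEPolicy -Type DWord -Value 7
Set-GPRegistryValue -Name 'Default Domain Policy' -Key "HKCU\$aeKey" -ValueName AEPolicy -Type DWord -Value 7

# Added example, part 2 (run on a domain member as the user being tested):
# refresh policy, trigger an enrollment pass, then confirm what each store actually holds.
gpupdate /force
certutil -pulse      # fires the autoenrollment task now instead of waiting for the next cycle

function Get-TemplateInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # V2+ templates: Certificate Template Information (1.3.6.1.4.1.311.21.7);
    # V1 templates:  Certificate Template Name (1.3.6.1.4.1.311.20.2).
    $ext = $Cert.Extensions |
        Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' } |
        Select-Object -First 1
    if ($ext) { $ext.Format($false) } else { '(not template-issued)' }
}

$issuerFilter = 'CN=CONTOSO-ROOT-CA*'   # placeholder CA name
foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
    Get-ChildItem $store | Where-Object { $_.Issuer -like $issuerFilter } | ForEach-Object {
        [pscustomobject]@{
            Store      = $store
            Subject    = $_.Subject
            Template   = Get-TemplateInfo $_
            PrivateKey = $_.HasPrivateKey
            Expires    = $_.NotAfter
        }
    }
}
```

After the GPO applies you should see one machine certificate in LocalMachine\My and one user certificate in CurrentUser\My, each issued by the new CA, each with PrivateKey set to True and the Template column naming the duplicated template. An empty result for one store while the other is populated usually means that the corresponding template is not published on the CA or that the computer or user account lacks the Autoenroll permission set in the template's Security tab.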

Summary

We have now completed the series on deploying computer and user certificates via Group Policy. We covered best practices, uses, creation, and deployment.

As always, if there are any questions please leave a comment below. I would love to hear from you. Until then, thanks for reading!

6 Comments
  1. David Johnson 6 years ago

    Is there a reason why you did not create a capolicy.inf in %windir%, I was taught that was the very first step in setting up any CA

    0

  2. Author
    Andrew Jacops 6 years ago

    Hi David. Thanks for the response! The capolicy.inf file is not required to do a default installation of a certificate authority. If, however, the defaults are not sufficient due to a company's security policy, or if they just want greater control, a capolicy.inf file should be created in the %systemroot%. Thanks again for reading.

    0

  3. Michael Schell 4 years ago

    I enjoyed the article. But the title and theme are a little misleading. You're not using Group Policy to deploy certificates. You're using Group Policy to control the enrollment policy on machines that will then go and autoenroll certificates based on the Autoenroll permission on certificate templates in a CA that's trusted by the client. The enrollment mechanism on the client doesn't use the Group Policy processing engine (e.g., you'd run certutil -pulse to force an enrollment cycle, not gpupdate), and the trust of the CA flows from AD objects in the Configuration partition, but not through Group Policy. You CAN distribute certificates using Group Policy, for things like KRAs, etc., but that's not what you're describing here. Hope that clarifies things!

    1+

  4. Krzysztof 3 years ago

    Hi, it is well explained, thanks, going to try this approach. My final goal is to use those public keys to encrypt PDFs, then allow only specified group read/decrypt with their own private keys available on their machines.

    Am I on the right way? Any suggestions?

    0

  5. K Naveen Reddy 1 year ago

    I am using Windows Server 2012 ADCS and issued a computer certificate template with the right permissions on Domain Computers. I have enabled a GPO with certificate auto-enrollment and the GPO is applied to Windows 10 machines, but the certificate is not present in the computer store.

    I cannot even request the computer certificate manually. But the user certificate is working fine. The issue is only with the computer certificate.

    Any thoughts around this?

    0

  6. berry 7 months ago

    How does the GPO know which certificate template to use / to auto-enroll to the endpoint?

    1+


© 4sysops 2006 - 2019
