Certificate Authority Server setup
The first thing we’ll need to do in order to create the CA is to add the Active Directory Certificate Services Role. To accomplish this go to Start, right-click on Computer and select Manage.
Click on the Roles tree in the left panel and Add Roles on the right.
Tick the checkbox next to Active Directory Certificate Services and click Next.
This next dialog box is just some information about certificate services and how to get further help. Click Next.
This is the first, and in this case only, CA we will be deploying so check the Certificate Authority box and then Next.
Here we can select if we want to use Enterprise or Standard. In order to take advantage of all of the features Active Directory has to offer, select Enterprise and click Next.
Again, this is our first and only CA so select the Root CA radio button and click Next.
There are some cases in which you would want to use an existing private key, such as an upgrade or migration. However, because this is a how-to, select Create a new private key and click Next.
This next dialog box is where we select the key length and the hash algorithm for the CA's private key. 2048 bits is the lowest recommended key length. Once you have decided how strong you want the key to be, click Next.
Unless there is a specific reason to change this information, leave it default and click Next.
The length of time the CA certificate is valid is set by company policy. For the sake of this tutorial, I will leave it at five years. Click Next.
This is another screen that you should keep at the defaults unless there is a specific reason to change it. Click Next.
The next dialog box gives information about the installation that is about to take place and lets us verify everything. It also gives a nice little warning that you cannot change the CA name after the role has been installed. Once you have verified, click Install.
The role will then begin installation. Depending on your server specifications, this shouldn’t take long at all.
Once finished, the Installation Results will pop up and hopefully will read Installation succeeded at which point the basic CA installation has been completed.
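The same CA installation as an unattended script, followed by a check that the key length, hash algorithm and validity really are what the wizard pages promised. This is an added example, not code from the original article; it assumes the ADCSDeployment module (Windows Server 2012 or later) rather than the Server 2008 wizard, and the CA common name is a placeholder.

```powershell
# Added example, not from the original article. Assumes the ADCSDeployment module
# (Windows Server 2012 or later); the article walks through the equivalent Server 2008
# Add Roles wizard. Run elevated as a member of Enterprise Admins on the future CA.
# The CA common name is a placeholder: it cannot be changed once the role is installed.
$caName = 'CompanyName-Root-CA'   # placeholder, decide this before running

# Add Roles > Active Directory Certificate Services > Certification Authority
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools | Out-Null

# Enterprise, Root CA, new private key, 2048-bit RSA, SHA-256, five-year CA certificate:
# the same choices the article makes on the wizard pages.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName $caName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 `
    -Force | Out-Null

# Read the CA certificate back and check what was actually produced. Older builds
# default the wizard to SHA-1, so do not take the summary screen's word for it.
$caCertFile = Join-Path $env:TEMP 'ca.cer'
certutil -ca.cert $caCertFile | Out-Null
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caCertFile
$rsa    = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($caCert)

$keyBits  = $rsa.KeySize
$sigAlg   = $caCert.SignatureAlgorithm.FriendlyName
$lifetime = ($caCert.NotAfter - $caCert.NotBefore).TotalDays / 365.25

"CA subject    : $($caCert.Subject)"
"Key length    : $keyBits bits"
"Signature alg : $sigAlg"
"Validity      : {0:N1} years" -f $lifetime

if ($keyBits -lt 2048)     { Write-Warning 'CA key is shorter than 2048 bits' }
if ($sigAlg -match 'sha1') { Write-Warning 'CA certificate is SHA-1 signed; reinstall with -HashAlgorithmName SHA256' }
```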
Creating the certificates
Now that we have successfully installed our root CA, we can begin creating the certificates. Creating the user and computer certificates is very similar, but I will cover both of them for completeness of this article.
Go to Start, All Programs, Administrative Tools, and click Server Manager.
Expand the Roles tree and select Certificate Templates in the left pane.
In the right pane, all of the certificate templates will show up. Right click on the User template, click All Tasks, and select Duplicate Template.
Depending on your environment, you may select 2003 or 2008. For simplicity's sake, I have selected 2003. Click OK.
You will need to give the certificate a useful name such as “CompanyName User Cert” or something similar. Then select the Request Handling tab at the top.
Again, 2048 bits is the smallest recommended key length. You can always go stronger, but remember that the longer the key is, the bigger the impact on performance.
Another thing that you have to think about at this point is whether or not you want this certificate to be exportable. The recommended setting is to not allow an export. Deselect Allow private key to be exported and click the Security tab at the top.
This is the user certificate so select Domain Users at the top and check the Enroll and Autoenroll boxes at the bottom and click OK.
Now we will need to make this new template available to be deployed. In the Server Manager, right click on Certificate Templates under the CA server name, select New, and Certificate Template to Issue.
Select the certificate template you just created, in this case Copy of User and click OK.
Ensure that the certificate is present under the Certificate Templates.
The steps are basically the same for creating the computer cert. Select Certificate Templates above the server name in the left pane of the Server Manager.
This time we will right click the Computer template, select All Tasks, and then Duplicate Template.
Again, choose whether you will be utilizing 2003 or 2008. Click OK.
Give the computer cert a meaningful name such as “CompanyName Computer Cert” and select the Request Handling tab.
Ensure that the key length is at least 2048 and that it cannot be exported. Select the Security tab.
Since these are the computer certificates, select Domain Computers at the top, check the permissions for Enroll and Autoenroll at the bottom, and click OK.
Perform the same steps to make the computer certificate available to deploy by right clicking Certificate Templates under the server name, selecting New and Certificate Template to Issue.
Select the certificate you just created and click OK.
Ensure that the certificate is now available in the Certificate Templates.
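A way to check, after the user and computer templates above have been created and published, that no template a CA issues still allows key export or a key shorter than 2048 bits. This is an added example, not from the article; it reads the template objects straight from Active Directory with ADSI, and the flag bit value comes from the MS-CRTD specification.

```powershell
# Added example, not from the original article. Audits every certificate template in the
# forest against the two settings the article insists on for its duplicated templates:
# private key not exportable and a minimum key size of at least 2048 bits, and shows
# whether a CA actually issues each template (the "Certificate Template to Issue" step).
# Reads the template objects from the Configuration partition with ADSI, so it needs
# only domain read access. The flag bit value is taken from the MS-CRTD specification.
$CT_FLAG_EXPORTABLE_KEY = 0x10   # bit in msPKI-Private-Key-Flag: "Allow private key to be exported"

$rootDse  = [ADSI]'LDAP://RootDSE'
$pkiBase  = "CN=Public Key Services,CN=Services,$($rootDse.configurationNamingContext)"
$tmplRoot = [ADSI]"LDAP://CN=Certificate Templates,$pkiBase"
$caRoot   = [ADSI]"LDAP://CN=Enrollment Services,$pkiBase"

# Template names (the cn, not the display name) each enterprise CA has been told to issue
$issuedByCa = @{}
foreach ($ca in $caRoot.Children) {
    foreach ($name in $ca.Properties['certificateTemplates']) {
        $issuedByCa[$name] = $ca.Properties['cn'].Value
    }
}

function Get-TemplateAudit {
    foreach ($tmpl in $tmplRoot.Children) {
        $name     = $tmpl.Properties['cn'].Value
        $keyFlags = [int]$tmpl.Properties['msPKI-Private-Key-Flag'].Value   # $null casts to 0
        $minKey   = [int]$tmpl.Properties['msPKI-Minimal-Key-Size'].Value
        $export   = ($keyFlags -band $CT_FLAG_EXPORTABLE_KEY) -ne 0
        [pscustomobject]@{
            Template   = $name
            IssuedBy   = $issuedByCa[$name]      # $null when no CA publishes the template
            MinKeyBits = $minKey
            Exportable = $export
            Weak       = $export -or ($minKey -lt 2048)
        }
    }
}

# Only templates a CA actually issues can be enrolled. The built-in User template the
# article duplicates is exportable with a 1024-bit minimum, so it appears here if published.
Get-TemplateAudit | Where-Object { $_.IssuedBy -and $_.Weak } |
    Sort-Object Template | Format-Table Template, IssuedBy, MinKeyBits, Exportable -AutoSize
```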
Deploying the certificates
Now that the certificates have been created, we can automatically deploy them to our organization using GPO. Open Group Policy Management from Start, All Programs, Administrative Tools.
For simplicity's sake, I have chosen to add the autoenrollment settings to the Default Domain Policy. This will differ in many cases: maybe only laptop users will get certificates, or only desktops, and so on. Right-click the policy and click Edit.
Expand Computer Configuration, Policies, Security Settings, and select Public Key Policies. In the right pane, double click Certificate Services Client – Auto-Enrollment.
Select the dropdown box next to Configuration Model and select Enabled. We also want to select the first two check boxes. Once complete, click OK.
Next, expand User Configuration, Policies, Windows Settings, Security Settings, and select Public Key Policies. Again, double click on Certificate Services Client – Auto-Enrollment.
We want to select the same options as the computer certificate and then click OK.
That’s it! The next time a user or computer gets a GPO update either by running “gpupdate /force” from the command line or logging in, the computer and user will get the new certificates. You can now utilize them however you would like.
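The two Auto-Enrollment policy settings above written with the GroupPolicy module, plus the check I would run on a domain member to confirm that the new user and computer certificates actually arrived. This is an added example, not from the article; it assumes the Default Domain Policy and the template display names used above, and the AEPolicy value of 7 is my understanding of what Enabled plus the two checkboxes writes, so compare it with the policy editor before relying on it.

```powershell
# Added example, not from the original article. Assumes the GroupPolicy module (RSAT or a
# domain controller) and keeps the article's choice of the Default Domain Policy.
# Assumption to verify against the policy editor: AEPolicy = 7 is "Enabled" with both
# checkboxes (1 = enabled, 2 = renew expired/update pending/remove revoked,
# 4 = update certificates that use templates).
$gpoName = 'Default Domain Policy'
$aeKey   = 'SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'

foreach ($hive in 'HKLM', 'HKCU') {   # HKLM = Computer Configuration, HKCU = User Configuration
    Set-GPRegistryValue -Name $gpoName -Key "$hive\$aeKey" -ValueName 'AEPolicy' `
        -Type DWord -Value 7 | Out-Null
    Set-GPRegistryValue -Name $gpoName -Key "$hive\$aeKey" -ValueName 'OfflineExpirationPercent' `
        -Type DWord -Value 10 | Out-Null
}

# ---- On a domain member, once the GPO has replicated ----
gpupdate /force | Out-Null
certutil -pulse | Out-Null   # triggers the auto-enrollment task now instead of waiting for logon or the timer

# Certificates issued from a v2 template carry the template display name in the
# Certificate Template Information extension (OID 1.3.6.1.4.1.311.21.7); Windows
# formats it as "Template=<display name>(...)", which is what the match relies on.
function Get-AutoEnrolledCert {
    param([string]$StoreLocation, [string]$TemplateName)
    Get-ChildItem "Cert:\$StoreLocation\My" | Where-Object {
        $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
        $ext -and ($ext.Format($false) -match [regex]::Escape($TemplateName))
    }
}

$machineCert = Get-AutoEnrolledCert -StoreLocation 'LocalMachine' -TemplateName 'CompanyName Computer Cert'
$userCert    = Get-AutoEnrolledCert -StoreLocation 'CurrentUser'  -TemplateName 'CompanyName User Cert'

if (-not $machineCert) { Write-Warning 'No computer certificate from the template yet; check gpresult /r and the CA''s Failed Requests folder' }
if (-not $userCert)    { Write-Warning 'No user certificate from the template yet; the user must have logged on since the policy applied' }

# HasPrivateKey should be True; the template forbids export, so the key stays on this machine
$machineCert, $userCert | Where-Object { $_ } |
    Select-Object Subject, NotAfter, Thumbprint, HasPrivateKey | Format-Table -AutoSize
```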
We have now completed the series for deploying computer and user certificates via Group Policy. We went over several things including best practices, uses, creation and deployment.
As always, if there are any questions please leave a comment below. I would love to hear from you. Until then, thanks for reading!