Greetings, today we are going to modify the Default Domain Policy Group Policy Object (GPO) so that domain member computers automatically request a machine certificate.
This assumes you already have a domain and Certificate Services set up and ready to use. If you still need to set up your domain or certificate services, please refer to my other posts for the steps.
Click start and type Group and then select Group Policy Management
Expand Forest, Domains, lab, then right-click Default Domain Policy then select Edit
Expand Computer Configuration, Policies, Windows Settings, Security Settings, then click on Public Key Policies
Double-click on Certificate Services Client – Certificate Enrollment Policy. Change Configuration model from Not Configured to Enabled. Leave the defaults and select OK
Double-click Certificate Services Client – Auto-Enrollment and change Configuration Model from Not Configured to Enabled. Then check the Renew expired certificates and Update certificates check boxes. Select OK
Go to a server you can test with, right-click start, then select Windows PowerShell (admin)
Type in “gpupdate /force” and hit enter
Click start and type in certlm.msc, then select the result
Expand Personal, then Certificates; you should now see the appropriate certs for your system.
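To confirm the policy landed without clicking through certlm.msc, here is an added PowerShell check (not from the original post) that reads the Auto-Enrollment policy value and lists machine certs issued by the lab CA. It assumes the AEPolicy bit meanings documented for this GPO setting (0x1 renew expired/update pending, 0x4 update certs that use templates, 0x8000 disabled) and the issuer name Root-CA01 from these posts.

```powershell
# Added example: verify from a domain member that the Auto-Enrollment GPO applied
# and that machine certificates from the lab CA (Root-CA01) have actually arrived.
function Get-AutoEnrollmentState {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    $val = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $val) {
        # No policy value at all: the GPO has not applied yet (or is Not Configured).
        return [pscustomobject]@{ Configured = $false; Enabled = $false; RenewExpired = $false; UpdateTemplates = $false }
    }
    # Bit values assumed from the Auto-Enrollment setting: 0x8000 = disabled,
    # 0x1 = renew expired / update pending / remove revoked, 0x4 = update certs that use templates.
    [pscustomobject]@{
        Configured      = $true
        Enabled         = -not ($val -band 0x8000)
        RenewExpired    = [bool]($val -band 0x1)
        UpdateTemplates = [bool]($val -band 0x4)
    }
}

function Get-MachineCertsFromCA {
    param([string]$IssuerCN = 'Root-CA01')   # lab CA name; change for your environment
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like "*CN=$IssuerCN*" -and $_.HasPrivateKey } |
        ForEach-Object {
            # The template name is carried in the v2 (1.3.6.1.4.1.311.21.7) or v1 (1.3.6.1.4.1.311.20.2) extension.
            $tpl = $_.Extensions |
                Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' } |
                Select-Object -First 1
            [pscustomobject]@{
                Subject    = $_.Subject
                Template   = if ($tpl) { $tpl.Format($false) } else { '(no template extension)' }
                NotAfter   = $_.NotAfter
                Thumbprint = $_.Thumbprint
            }
        }
}

Get-AutoEnrollmentState
Get-MachineCertsFromCA | Format-Table -AutoSize
# If the policy shows Enabled but nothing is listed yet, run: gpupdate /force; certutil -pulse
```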
Congrats, you now have a default setup to get certs out to your clients. Have a good one.
Greetings, this time we are going to be creating a Certificate Template for VMware Certificate Authority (VMCA). This would allow you to use VMCA to issue certificates for your VMware environment.
Expand Root-CA01, then right-click Certificate Templates and select Manage
Find and right-click the Subordinate Certification Authority, then select Duplicate Template
Change Certification Authority to Windows Server 2012 and Certificate Recipient to Windows 7/Server 2008 R2
Go to the General Tab and enter your preferred name for the Template. I would recommend a name that indicates its purpose.
Also select Publish certificate in Active Directory
Go to the Extensions tab, select Basic Constraints, click Edit and make sure that Make this extension critical is enabled. Select OK if changes were made, Cancel if not.
Go down to Key Usage, click Edit and verify that Digital signature, Certificate signing, and CRL signing are all enabled, and that Make this extension critical is enabled as well.
Click OK if changes were made, Cancel if not.
Select OK
Authorize Template to be issued
Go back to Certificate Management, right-click Certificate Templates, hover over New, and select Certificate Template to Issue
Scroll down to VMware VMCA (or whatever it may have been named) and select OK
Note: This is a Subordinate Certification Authority level template. Guard usage of this template very carefully, as misuse or unintended issuance can cause significant problems if control of it is lost.
Now you have your certificate template to issue certs from VMware Certificate Authority. Have a good one.
Now that we have IIS installed on our CA server, it’s time to set up a certificate for HTTPS connections
Login, click the Start Menu and type certlm.msc. You can also right-click start and select Run to do the same.
Expand Personal and then click on Certificates. Notice there is only the Root-CA’s cert here; we don’t want that as the cert for our certsrv page.
Right-click either the Certificates folder or the white area on the right, hover over All Tasks, then select Request New Certificate
Select Next
Select Next
Now I want the Web Server template, which is not shown here. That is because the account I’m using isn’t authorized for that template. We’re going to go fix that, so go ahead and select Cancel.
Select Start, type cert, then click Certification Authority
Expand Root-CA01, then select Certificate Templates; you can see Web Server is here. Next is to change the permissions.
Right-click Certificate Templates and select Manage
Scroll down the middle section, right-click Web Server, then select Properties
Go to the Security tab and notice the permissions. Since this is a lab, I’m just going to give Authenticated Users the Enroll permission.
Now that Enroll has been granted, select OK
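Both the VMCA subordinate-CA template from the previous post and this Web Server template now carry Enroll grants that deserve review. The following is an added PowerShell audit (not from the original post) that reads each template's ACL from the AD configuration partition and flags broad principals. It assumes the RSAT ActiveDirectory module is present and uses the Certificate-Enrollment and Certificate-AutoEnrollment extended-right GUIDs from the AD schema; the template display names are the ones used in these posts.

```powershell
# Added example: report who can Enroll / AutoEnroll on a certificate template, and who
# holds rights that would let them grant themselves Enroll (GenericAll, WriteDacl, WriteOwner).
Import-Module ActiveDirectory

# Extended-right GUIDs from the AD schema: Certificate-Enrollment and Certificate-AutoEnrollment.
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

function Get-TemplateEnrollers {
    param([Parameter(Mandatory)][string]$DisplayName)
    $cfg  = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
    $tpl  = Get-ADObject -SearchBase $base -LDAPFilter "(displayName=$DisplayName)"
    if (-not $tpl) { throw "Template '$DisplayName' not found under $base" }
    $acl = Get-Acl -Path "AD:\$($tpl.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $right = $null
        if     ($ace.ObjectType -eq $EnrollRight)     { $right = 'Enroll' }
        elseif ($ace.ObjectType -eq $AutoEnrollRight) { $right = 'AutoEnroll' }
        # ExtendedRight with an empty GUID means every extended right, Enroll included.
        elseif ($ace.ActiveDirectoryRights -match 'ExtendedRight' -and $ace.ObjectType -eq [guid]::Empty) { $right = 'AllExtendedRights' }
        elseif ($ace.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner') { $right = "$($ace.ActiveDirectoryRights)" }
        if (-not $right) { continue }
        [pscustomobject]@{
            Template  = $DisplayName
            Principal = $ace.IdentityReference.Value
            Right     = $right
            Inherited = $ace.IsInherited
        }
    }
}

# Broad principals that warrant a second look, especially on a template that can issue
# subordinate CA certificates (the lab grant of Authenticated Users on Web Server shows up here).
$Broad = 'Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone'
foreach ($name in 'VMware VMCA', 'Web Server') {
    Get-TemplateEnrollers -DisplayName $name | ForEach-Object {
        $row  = $_
        $flag = if ($Broad | Where-Object { $row.Principal -like "*$_" }) { '  <-- broad principal' } else { '' }
        '{0,-12} {1,-40} {2}{3}' -f $row.Template, $row.Principal, $row.Right, $flag
    }
}
```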
Go back to your certlm window, and right-click the open area, hover over All Tasks and select Request New Certificate
Select Next
Select Next
And now we have the Web Server template as an option, click the blue line to enter your information
Change the Subject name drop-down from Full DN to Common Name, and Type from Directory name to DNS
For Common name, I prefer to enter the Fully Qualified Domain Name (FQDN), and for DNS I prefer to add both the FQDN and the short name. Once you enter them in the fields on the left, click the corresponding Add button to add them. Then change Type from DNS to IP Address (v4) (or v6 if needed) and enter the IP address.
Once it looks like this, go to the general tab
I generally will use the FQDN for the Friendly name as well. Select the Private Key tab
As a note, under Key Options you can mark the private key as exportable. If this cert is for another server, or for a VIP or multiple servers, select this so that the cert can be exported and imported to those other servers. Once complete, select OK
Now that the blue line is gone, you can select the Web Server template and click Enroll
Once complete you should receive this window
Adding Certificate to IIS
Click start, type IIS and select IIS Manager
Expand Sites and click Default Web Site, then select Bindings on the right side
Select https and click Edit
Change SSL certificate from Root-CA01 to ca01.lab.scottbell.me. There are more options that can be selected from a security standpoint, like specifying the IP and hostname and disabling legacy TLS. Select options as appropriate for your environment, then select OK
Select Close
Select Restart on the right side pane
Go to a browser and enter the address of your website with /CertSrv at the end. You should not get an untrusted website alert (assuming the client accessing the site trusts the Root CA), but you should get a username/password prompt.
Once you enter account information that has access to the website, you should see the above and are now able to request certificates as you need. Congrats and have a good day.
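The same request and binding can be scripted, which is handy when the cert is for another server or a VIP. Here is an added PowerShell example (not from the original post) that uses a certreq INF so the SAN carries the FQDN, the short name and the IP, submits it to the CA for the Web Server template, and binds the result to the Default Web Site. It assumes the host name ca01.lab.scottbell.me and CA name Root-CA01 from this post; the IP address is a placeholder.

```powershell
# Added example: request the Web Server cert with DNS + IP SANs via certreq, then bind it in IIS.
$Fqdn     = 'ca01.lab.scottbell.me'
$Short    = 'ca01'
$Ip       = '192.0.2.10'          # placeholder; use the server's real address
$CaConfig = "$Fqdn\Root-CA01"     # "CAHost\CAName" as shown by certutil
$Work     = Join-Path $env:TEMP 'webserver-req'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# INF for certreq: CN = FQDN, SAN extension (2.5.29.17) with dns= and ipaddress= entries.
# Set Exportable = TRUE only if the same cert must be imported on other servers or a VIP.
@"
[NewRequest]
Subject = "CN=$Fqdn"
FriendlyName = "$Fqdn"
KeyAlgorithm = RSA
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
KeySpec = 1
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = WebServer
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
_continue_ = "dns=$Short&"
_continue_ = "ipaddress=$Ip"
"@ | Set-Content -Path (Join-Path $Work 'req.inf') -Encoding Ascii

certreq -new    (Join-Path $Work 'req.inf') (Join-Path $Work 'req.req')
certreq -submit -config $CaConfig (Join-Path $Work 'req.req') (Join-Path $Work 'cert.cer')
certreq -accept (Join-Path $Work 'cert.cer')

# Pick the freshly issued cert (newest with our CN and a private key) and bind it to HTTPS.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
Import-Module WebAdministration
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
(Get-WebBinding -Name 'Default Web Site' -Protocol https).AddSslCertificate($Cert.Thumbprint, 'My')

# Check the SAN before trusting the binding: the FQDN, short name and IP should all be listed.
($Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($true)
```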
Today we are going to be setting up a Certificate Server for the new domain in my home lab. This is part of the systematic rebuild of the lab so that I can write these articles to document the process to potentially help others and for a record of my own on the next rebuild.
The new lab so far has just two domain controllers. I need certificate services to continue with other functions such as the offline depot for VCF, the new jump box I will end up building, and VCF itself with its components.
This will be based on the assumption that you have already deployed a Windows Server, have named it, given it an IP, and domain joined it.
Installing Certificate Services
Select Add roles and features
Select Next
Select Next
Select Next
Select Active Directory Certificate Services
Select Add Features
Select Next
Please read this page before selecting Next; the note does matter
Select Certification Authority Web Enrollment, and Certificate Enrollment Web Service
Once you select Certificate Enrollment Web Service, this window will pop up, select Add Features
Once the selection matches the above, select Next
Read and select Next
Scroll down to the Security section and select Basic Authentication; this is to support VCF functions later. Select Next
Review the selections and then select Install
Once the install is finished, select Configure Active Directory Certificate Services
Use your intended account if different from what’s pre-populated based on the logged-in account. Then select Next
You can only set up the first two at the same time. We will have to come back for the Certificate Enrollment Web Service after the Certificate Authority is set up. Select Next
In my case, with it being a lab, I will do an Enterprise CA that stays online. If you’re doing a proper CA in the real world, I would suggest a Standalone Root CA that stays offline when not in use and a Domain-Joined Subordinate CA. Select Next
Again, since this is a lab environment, this will just be a Root CA. Select Next
Since this is a new server and not a transfer, upgrade or recovery, I will Create a new private key and select Next
I am going to stick with the defaults here; I am not using anything that needs admin interaction for extra security, so I will leave it unchecked.
I have changed the Common name to be more what I want, but I am leaving the rest in the default format. Select Next
Use whatever timeframe is suitable for you. As this is a lab, it won’t survive 5 years, so I will leave it at that.
Security needs may require these locations to be moved to a different location or drive. I’m not operating under those requirements, so I will be leaving them default. Select Next
Review the summary and select Configure
Once complete, select Close
Select Yes
Same thing, change account if needed then select Next
Select Certificate Enrollment Web Services and select Next
Select Next
This I will leave as default for Windows integrated authentication. Select Next
I’m not going to bother with a service account in this case, so I select Use the built-in application pool identity.
I will indeed use Root-CA01, the default selection here. You will need to actually select (click) the certificate and then select Next
Review the options and if everything is as expected, select Configure
Now this configuration is complete. Select Close
Select Close again
Click start and type IIS, then select IIS Manager
In IIS, expand CA01, then Sites, then Default Web Site, click CertSrv, and double-click Authentication
Select Basic authentication, then click Enable
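The whole build above can also be done from an elevated PowerShell in the same order the wizard enforces: roles first, the CA, Web Enrollment, then the Enrollment Web Service (which needs the CA to exist), and finally Basic authentication on /CertSrv. This is an added example, not from the original post; it assumes the lab values used here (CA common name Root-CA01 on host CA01 in lab.scottbell.me, 5-year validity, wizard-default key and hash) and a cert with that CN already in the machine store once the CA is configured.

```powershell
# Added example: scripted equivalent of the role install and configuration steps above.
$CaName   = 'Root-CA01'
$CaConfig = "CA01.lab.scottbell.me\$CaName"    # "CAHost\CAName"

# Roles and features, including IIS Basic Authentication (selected above for VCF).
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment, ADCS-Enroll-Web-Svc, Web-Basic-Auth -IncludeManagementTools

# Enterprise root CA with a new key, using the wizard defaults for provider, key size and hash.
# For production the post recommends an offline Standalone Root with a domain-joined Subordinate instead.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CACommonName $CaName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' -KeyLength 2048 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 -Force

# Web Enrollment (/CertSrv) can be configured in the same pass as the CA.
Install-AdcsWebEnrollment -Force

# Enrollment Web Service must wait until the CA exists: Windows integrated (Kerberos) auth,
# built-in application pool identity, bound to the CA's own certificate as in the wizard.
$CaCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CaName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
Install-AdcsEnrollmentWebService -CAConfig $CaConfig -AuthenticationType Kerberos `
    -ApplicationPoolIdentity -SSLCertThumbprint $CaCert.Thumbprint -Force

# Enable Basic authentication on the CertSrv application only, not the whole site.
Import-Module WebAdministration
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location 'Default Web Site/CertSrv' `
    -Filter 'system.webServer/security/authentication/basicAuthentication' -Name enabled -Value $true

# Confirm the CA answers and that Basic auth is enabled where intended (and nowhere else).
certutil -config $CaConfig -ping
Get-WebConfigurationProperty -PSPath 'IIS:\' -Location 'Default Web Site/CertSrv' `
    -Filter 'system.webServer/security/authentication/basicAuthentication' -Name enabled
Get-WebConfigurationProperty -PSPath 'IIS:\' -Location 'Default Web Site' `
    -Filter 'system.webServer/security/authentication/basicAuthentication' -Name enabled
```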
Please go to part 2 for setting up a certificate in IIS for the CA server. Have a good day.