
Building out a PKI environment
Windows Active Directory domains are a great way to authenticate users and computers. Using a central store of accounts and passwords, requests can be easily authenticated, and accounts can be quickly added, updated, or removed as needed. While this is a great method for authentication within the domain, it does not work as well outside of it. Situations where the domain controller may not be accessible, where the authority of the domain controller is in question, or where resources outside of a domain are accessed call for alternative authentication methods.
Certificates allow for creation of an authentication infrastructure by using a series of trusts. Instead of joining a domain, and thereby trusting the domain controllers, you trust a Certificate Authority (CA). The CA is responsible for handing out certificates that authenticate the user or computer. By trusting the CA, you implicitly trust the certificates it produces.
Windows Server has the ability to operate both as an Active Directory domain controller and as a Certificate Authority. This provides the basis for several technologies in a domain such as secure web servers, IPSec, and DirectAccess. The following will cover the necessary steps to install and configure a Public Key Infrastructure (PKI) environment.
Getting ready
This particular recipe installs and configures an enterprise root CA, which requires a domain environment to operate. If you do not have a domain environment, this can still be used, but the CAType parameter needs to be changed to support a standalone system.
How to do it...
Carry out the following steps to build a PKI environment:
- Install the certificate server (the first command lists the available certificate-related features; the second installs the role):
Get-WindowsFeature | Where-Object Name -Like '*cert*'
Install-WindowsFeature AD-Certificate -IncludeManagementTools -IncludeAllSubFeature
- Configure the server as an enterprise CA:
Install-AdcsCertificationAuthority -CACommonName corp.contoso.com -CAType EnterpriseRootCA -Confirm:$false
- Install the root certificate into the Trusted Root Certification Authorities store:
certutil -pulse
- Request a machine certificate from the CA:
Set-CertificateAutoEnrollmentPolicy -PolicyState Enabled -Context Machine -EnableTemplateCheck
How it works...
The first two steps install and configure the certificate services on the target server. The certificate server is configured as an enterprise root CA named corp.contoso.com, with the default configuration settings.
The third step uses the Certutil.exe utility to download and install the root CA certificate into the Trusted Root Certification Authorities store. Lastly, a machine certificate is requested using the default autoenrollment policy.
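The following script is an added verification step, not part of the original recipe: after steps three and four it confirms that the root CA is trusted on the machine, that a machine certificate was actually issued by that CA, and that the certificate chains to our root with a reachable revocation source (an unreachable CRL is a common reason autoenrolled certificates later fail validation). It assumes the CA common name corp.contoso.com from the recipe and an elevated session on a domain-joined machine.

```powershell
# Added example: verify the PKI recipe took effect on this machine.
# Assumption: the CA common name used in step two was 'corp.contoso.com'.
param([string]$CACommonName = 'corp.contoso.com')

# 1. Root CA certificate must be present in the machine Trusted Root store (self-signed).
$root = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "CN=$CACommonName*" -and $_.Issuer -eq $_.Subject }
if (-not $root) {
    Write-Warning "Root CA '$CACommonName' is not in the Trusted Root store; run 'certutil -pulse' or wait for Group Policy refresh."
    return
}
Write-Host "Root CA found: thumbprint $($root.Thumbprint), valid until $($root.NotAfter)"

# 2. A machine certificate issued by that CA should exist in the Personal store.
$issued = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -eq $root.Subject }
if (-not $issued) {
    Write-Warning "No certificate issued by '$CACommonName' yet; triggering autoenrollment."
    certutil -pulse | Out-Null
    return
}

# 3. Build the chain with online revocation checking for every issued certificate
#    and confirm it terminates at the root we found in step 1.
foreach ($cert in $issued) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $built = $chain.Build($cert)
    $chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $result = if ($built -and $chainRoot.Thumbprint -eq $root.Thumbprint) { 'OK' } else { 'FAIL' }
    # ChainStatus lists problems such as RevocationStatusUnknown or OfflineRevocation.
    $problems = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Result     = $result
        Problems   = $problems
    }
    $chain.Reset()
}
```

A `FAIL` with `RevocationStatusUnknown` or `OfflineRevocation` in the Problems column means the CA's CRL distribution point is not reachable from the client and should be fixed before relying on these certificates.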
There are four types of Certificate Authorities supported by Windows Server:
- Enterprise root CA
- Enterprise subordinate CA
- Standalone root CA
- Standalone subordinate CA
The two enterprise CA types are designed to integrate with Active Directory domains and provide more flexibility in AD environments. Standalone CA types operate similarly to third-party CAs and don't integrate with AD. Additionally, the subordinate CA types are child authorities that have been delegated permission from the root authority to issue certificates.
There's more…
Once the PKI environment is implemented, the next step is to create a group policy to have clients autoenroll. Unfortunately, there is not a built-in function to edit the group policy objects we need, so we have to perform the task manually. Following are the steps necessary to set up the autoenroll GPO:
- Open Server Manager and select Tools | Group Policy Management.
- Browse to Group Policy Management | Forest <forestname> | Domains | <domainname>.
- Right-click on Default Domain Policy and select Edit.
- In the Group Policy Management Editor, browse to Default Domain Policy | Computer Configuration | Policies | Windows Settings | Security Settings | Public Key Policies.
- Right-click on Certificate Services Client – Auto-Enrollment and select Properties.
- In the Enrollment Policy Configuration window, set the following fields:
  - Configuration Model: Enabled
  - Check the Renew expired certificates, update pending certificates, and remove revoked certificates checkbox
  - Check the Update certificates that use certificate templates checkbox
- Click on OK and close the Group Policy Management Editor.