With the episode “Request and install a basic encryption file system certificate by using the Web enrollment”, we saw the benefit of EFS in protecting data from breaches, destruction, etc., which in turn requires an unforgeable method of obtaining certificates, namely the Windows AD CS PKI.
Moreover, the cost of implementing a PKI infrastructure in an AD DS network keeps falling, in technical requirements, hardware, staff, etc.
[00:09] “Configuring EFS with ADCS Server 2008” – journeyofthegeek.com
For example, an HTTPS website may once have been blamed for slow responses and long loading times due to the cost of the encrypt/decrypt operations.
Nowadays that characteristic of PKI belongs to yesterday, because not only server hardware, user machines and browsers but also the PKI software implementations have evolved more than ever: better algorithms, modern architectures, etc.
During your daily HTTPS web surfing you may see insecure (mixed) content warnings from your browser, informing you that at least one element of the page is loaded over plain HTTP and could possibly be leveraged as an attack vector.
So every component in a secure model must be protected; that is the spirit of PKI with AD CS.
[00:31] “Deploying Certificates via ‘Auto Enrollment’ | PeteNetLive” – petenetlive.com
Furthermore, there is no reason not to take advantage of AD CS automation, starting with certificate auto-enrollment, which keeps the core entity of our PKI infrastructure consistent and is the vital insurance of Windows Server services.
That’s because we have the naming template, information queried from AD DS, and further criteria (security, conditions) mechanisms from Microsoft Windows Server.
Basically, this auto-enrollment process is usually associated with more advanced Windows Server features like EFS and NAP/RADIUS, etc., through Group Policy enforcement.
Other features, such as web serving, FTP, etc., don’t take a certificate as a mandatory requirement, but it’s best to have a consistent method of delivering certificates so that further expansion of our secure network is not a problem.
Many certificates can be distributed without the client even being aware that enrollment is taking place. These can include most types of certificates issued to computers and services, as well as many certificates issued to users.
To automatically enroll clients for certificates in a domain environment, you must:
– Configure a certificate template with Autoenroll permissions.
– Configure an autoenrollment policy for the domain.
[01:07] The scenario is: we will issue certificates to domain users automatically so that they can use Encrypting File System, Secure Email and Client Authentication; the basic User template is enough for that.
[01:17] Let’s duplicate the User template (Windows Server 2008 Enterprise) rather than edit the existing one, so that you still have a pristine copy for further deployments with this certificate template.
[01:28] “Certificate Services Error – The Email name is unavailable and cannot be added to the Subject or Subject Alternate name” – petenetlive.com
[01:32] Give it a meaningful Template display name so it can be identified later.
Build from this Active Directory information
Select this option to enforce consistency among subject names and to simplify certificate administration.
Subject name format: Fully distinguished name
Include e-mail name in the subject name
Include this information in the alternate subject name:
– E-mail name
– DNS name
– User principal name (UPN)
– Service principal name (SPN)
This information in the requested certificate does not rely on what the user supplies; the CA queries the domain’s Active Directory server internally, so the information remains truthful and the problem of false subject information is eliminated.
We are defining who will be able to apply the auto-enroll policy.
In a production environment, you must deploy to particular security principals: OUs, groups, etc.
In this demo, we will apply to all users in the domain: Authenticated Users, Domain Users.
[02:25] “Add a Certificate Template to a Certification Authority” – technet.microsoft.com
[02:36] “Issuing Certificates Based on Certificate Templates” – technet.microsoft.com
[02:40] Before certificates can be issued by a certification authority (CA), the certificate template must be added to a CA.
Select one Certificate Template to enable on this Certification Authority.
Note: If a certificate template that was recently created does not appear on this list, you may need to wait until information about this template has been replicated to all domain controllers.
All the certificate templates in the organization may not be available to your CA.
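To verify the result of these steps outside the MMC, here is an added audit script (not from the video and not a Microsoft tool) that reads the template objects from the Configuration partition and reports which templates grant Enroll or Autoenroll to the chosen principals, whether the subject is built from AD or supplied by the requester, and which EKUs the template carries. It assumes the RSAT ActiveDirectory module on a domain-joined machine; the principal names default to the demo’s Authenticated Users and Domain Users.

```powershell
# Added audit script (not from the video and not a Microsoft tool). Assumes the RSAT
# ActiveDirectory module on a domain-joined machine; reading templates needs no admin rights.
Import-Module ActiveDirectory

# Extended-right GUIDs used in template ACLs: Certificate-Enrollment and Certificate-AutoEnrollment
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoenrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
# EKU OIDs of the User template the demo duplicates
$EkuNames = @{
    '1.3.6.1.4.1.311.10.3.4' = 'Encrypting File System'
    '1.3.6.1.5.5.7.3.4'      = 'Secure Email'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
}
# msPKI-Certificate-Name-Flag bit 0x1 set = "Supply in the request"; unset = "Build from this AD information"
$EnrolleeSuppliesSubject = 0x1

function Get-AutoenrollTemplateReport {
    param([string[]]$Principals = @('Authenticated Users', 'Domain Users'))
    $configNC  = (Get-ADRootDSE).configurationNamingContext
    $container = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $templates = Get-ADObject -SearchBase $container -Filter 'objectClass -eq "pKICertificateTemplate"' `
                   -Properties displayName, 'msPKI-Certificate-Name-Flag', pKIExtendedKeyUsage, nTSecurityDescriptor
    foreach ($t in $templates) {
        foreach ($ace in $t.nTSecurityDescriptor.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Match on the account part only: "NT AUTHORITY\Authenticated Users", "CONTOSO\Domain Users"
            $account = ($ace.IdentityReference.Value -split '\\')[-1]
            if ($Principals -notcontains $account) { continue }
            # GenericAll, or ExtendedRight with an empty ObjectType, implies every extended right
            $rights  = $ace.ActiveDirectoryRights
            $implied = $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
                       ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and $ace.ObjectType -eq [guid]::Empty)
            $granted = @()
            if ($implied -or $ace.ObjectType -eq $EnrollRight)     { $granted += 'Enroll' }
            if ($implied -or $ace.ObjectType -eq $AutoenrollRight) { $granted += 'Autoenroll' }
            if ($granted.Count -eq 0) { continue }
            $nameFlag = [int]$t.'msPKI-Certificate-Name-Flag'
            $subject  = if ($nameFlag -band $EnrolleeSuppliesSubject) { 'Supplied in request' } else { 'Built from AD' }
            [pscustomobject]@{
                Template  = $t.displayName
                Principal = $ace.IdentityReference.Value
                Rights    = $granted -join ','
                Subject   = $subject
                EKU       = @($t.pKIExtendedKeyUsage | ForEach-Object { if ($EkuNames[$_]) { $EkuNames[$_] } else { $_ } }) -join ', '
            }
        }
    }
}

Get-AutoenrollTemplateReport | Sort-Object Template | Format-Table -AutoSize
```

A template that shows Autoenroll for a broad group together with “Supplied in request” deserves a second look, since the CA would then no longer be the source of the subject name the video relies on.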
This is subpart 1: “Intro and Publish CT – Duplicate and configure the user certificate template permissions to enable autoenrollment”.
Check out the second one soon: “Auto Enroll policy GPO and Test”!