3.1 Configure a User certificate template Enterprise Sub WS 2008 R2 Win 7 Client Auth Secure Email EFS

Trust me, you are on the right track: security is something we must practise deliberately, in virtual test labs as well as in the production environment; otherwise you may accidentally open holes in your AD network, or cause yourself trouble with connections, authentication, and so on.

And then the whole PKI system would be useless.

[00:03] We've been exploring AD CS theory for a while now in the series Installing and Configuring Active Directory Certificate Services Server Role and Publishing the Certificate Revocation List.

3 1 Configure a User certificate template Enterprise Sub WS 2008 R2 Win 7 Client Auth Secure Email EFS | IIAMWAD

AD CS is a Server Role of Windows Server. It helps build a PKI in a Microsoft Active Directory network by deploying Windows CAs, with their associated certificates, keys, types and scopes, which in turn create the PKI's objects such as digital certificates, public keys and hierarchies.

Let's take a look at AD CS and PKI again.

Recall what PKI is: an infrastructure, a system that helps protect data and traffic inside and outside the network by providing strong encryption and decryption, authentication, and integrity checking through digital certificates.

A well-known protocol is HTTPS, which is based on PKI to secure web browsing on a daily basis.

More about PKI:

http://bit.ly/PKI-Model

Certificates, also called digital certificates or public-key certificates.

In cryptography, a public-key certificate (or identity certificate) is a certificate which uses a digital signature to bind together a public key with an identity – information such as the name of a person or an organization, their address, and so forth.

The certificate can be used to verify that a public key belongs to an individual.

Now, in this very first series about Configuring Active Directory Certificate Services Certificates, we will see the real application of AD CS as well as its main object: certificates.

We already have a 2-tier PKI in place with 2 CAs: a Standalone Root and an Enterprise Subordinate.

[00:41] "Certificate Templates Overview" – technet.microsoft.com

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc730826(v=ws.10)

[00:43] The CAs on the Windows Server 2008 R2 machines are where we define certificate templates, so that clients can request certificates through the Web Enrollment app or via the Certificates MMC snap-in.

Enterprise certification authorities (CAs) use certificate templates to define the format and content of certificates, to specify which users and computers can enroll for which types of certificates, and to define the enrollment process, such as auto-enrollment, enrollment only with authorized signatures, and manual enrollment.

[00:58] Open the Certification Authority (certsrv) snap-in from the Start Menu.

[01:12] Oops, this is the Standalone Root CA, so certificate templates are not used here; besides, this type of CA should only be used to issue certificates to its Subordinate CAs.

[01:33] "Public Key Infrastructure Part 6 – Manage certificate templates" – tech-coffee.net

http://www.tech-coffee.net/public-key-infrastructure-part-6-manage-certificate-templates/

[02:01] "Stand-Alone Certification Authorities" – technet.microsoft.com

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc755290(v=ws.11)

[02:31] Open the Certificate Templates console via the Manage menu to see the available templates.

In this demo, I will make a certificate template (CT) based on the available User template, with some customizations.

So I will duplicate this template rather than edit the existing one, so that we can reuse the basic template later.

You can create certificate templates with advanced properties. However, not all Windows CAs support all certificate template properties. Select the version of Windows Server (minimum supported CAs) for the duplicate certificate template.

[03:22] Since Windows Server 2003 and 2008 R2 there have been 2 versions of CTs, kept for compatibility reasons; of course, the higher the version number, the more advanced its functions.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725838(v=ws.11)

With Windows Server 2003-based CAs, the Certificate Templates snap-in allowed you to define specific attributes for certificates that meet your organization's business needs. For example, you could define:

– Whether the private key associated with a certificate can be exported.

– Whether the certificate request must be approved by a certificate manager, and how many managers must approve a request before the certificate is issued.

– Which cryptographic service providers (CSPs) are supported by a certificate template.

– Issuance and application policy for issued certificates.

Windows Server 2008 introduced version 3 certificate templates. These certificate templates have been updated to support new features available in the Windows Server 2008-based CA, including CNG, which introduces support for Suite B cryptographic algorithms such as ECC.

Let's specify these settings in the General tab:

– Template display name.

– Validity period.

– Renewal period.

– Publish certificate in Active Directory.

– Do not automatically reenroll if a duplicate certificate exists in Active Directory.

– For automatic renewal of smart card certificates, use the existing key if a new key cannot be created.

In the Request Handling tab we can tweak:

– Purpose: Signature and encryption
  – Include symmetric algorithms allowed by the subject.
  – Archive subject's encryption private key.

– Allow private key to be exported.

– Do the following when the subject is enrolled and when the private key associated with this certificate is used:
  – Enroll subject without requiring any user input
  – Prompt the user during enrollment
  – Prompt the user during enrollment and require user input when the private key is used.

In the Cryptography tab:

– Algorithm name: RSA

– Minimum key size: 2048

– Choose which cryptographic providers can be used for requests:
  – Requests can use any provider available on the subject's computer
  – Requests must use one of the following providers:
    Providers: Microsoft Software Key Storage Provider

– Request hash: SHA1

– Use alternate signature format.

In the Subject Name tab:

– Supply in the request
  – Use subject information from existing certificates for auto-enrollment renewal requests.

– Build from this Active Directory information
  Select this option to enforce consistency among subject names and to simplify certificate administration.
  – Subject name format: Fully distinguished name
  – Include e-mail name in subject name
  – Include this information in alternate subject name:
    – E-mail name
    – DNS name
    – User principal name (UPN)
    – Service principal name (SPN)

[05:02] "Securing PKI: Planning Certificate Algorithms and Usages" – technet.microsoft.com

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn786428(v=ws.11)

[05:20] Now, to allow Domain Users to enroll through this certificate template, configure the Enroll permission on the Security tab.

[06:59] Now users can request a certificate for themselves for Client Authentication, Secure Email and Encrypting File System with this SnoOpy-User certificate template.
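Every setting chosen in the tabs above is stored as an attribute of the template's pKICertificateTemplate object in AD, so the whole set of templates can be audited at once instead of tab by tab. The PowerShell below is an added example, not part of the original post; it assumes a domain-joined host with PowerShell 3.0 or later and reads the attributes and Enroll ACEs directly via ADSI, flagging a SHA-1 request hash, an exportable private key, and the combination of "Supply in the request" with the Client Authentication purpose and broad Enroll permission, which lets any enrollee pick the subject name of an authentication certificate unless a certificate manager approves each request.

```powershell
# Audit every certificate template published in AD for the settings set above.
# Added example, not from the original post; needs only .NET/ADSI on a domain-
# joined machine. Flag values are from the MS-CRTD specification.
$ENROLLEE_SUPPLIES_SUBJECT = 0x1    # msPKI-Certificate-Name-Flag: "Supply in the request"
$EXPORTABLE_KEY            = 0x10   # msPKI-Private-Key-Flag: "Allow private key to be exported"
$PEND_ALL_REQUESTS         = 0x2    # msPKI-Enrollment-Flag: "CA certificate manager approval"
$CLIENT_AUTH_EKU           = '1.3.6.1.5.5.7.3.2'
$ENROLL_RIGHT              = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Enroll extended right
$BROAD_GROUPS              = 'Domain Users', 'Authenticated Users', 'Everyone', 'Domain Computers'
$EnrollRights = [DirectoryServices.ActiveDirectoryRights]'ExtendedRight, GenericAll'

$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$root     = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$searcher = New-Object DirectoryServices.DirectorySearcher($root, '(objectClass=pKICertificateTemplate)')
$searcher.FindAll() | ForEach-Object {
    $t = $_.GetDirectoryEntry()
    $nameFlag   = [int]$t.Properties['msPKI-Certificate-Name-Flag'].Value
    $keyFlag    = [int]$t.Properties['msPKI-Private-Key-Flag'].Value
    $enrollFlag = [int]$t.Properties['msPKI-Enrollment-Flag'].Value
    $ekus       = @($t.Properties['pKIExtendedKeyUsage'].Value)
    # The request hash is stored inside msPKI-RA-Application-Policies as "msPKI-Hash-Algorithm`PZPWSTR`SHA1`"
    $hash = if ([string]$t.Properties['msPKI-RA-Application-Policies'].Value -match 'msPKI-Hash-Algorithm`PZPWSTR`([^`]+)`') { $Matches[1] } else { 'CA default' }
    # Validity period: 8-byte little-endian negative interval in 100 ns units
    $ticks = [BitConverter]::ToInt64([byte[]]$t.Properties['pKIExpirationPeriod'].Value, 0)
    # Principals holding Enroll (or full control) on the template object
    $enrollers = $t.ObjectSecurity.GetAccessRules($true, $true, [Security.Principal.NTAccount]) |
        Where-Object { $_.AccessControlType -eq 'Allow' -and ([int]($_.ActiveDirectoryRights -band $EnrollRights)) -ne 0 -and
                       ($_.ObjectType -eq $ENROLL_RIGHT -or $_.ObjectType -eq [guid]::Empty) } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
    $broad = $enrollers | Where-Object { ($_ -split '\\')[-1] -in $BROAD_GROUPS }
    $findings = @()
    if ($hash -match '^(sha1|md5)$')    { $findings += "weak request hash $hash" }
    if ($keyFlag -band $EXPORTABLE_KEY) { $findings += 'private key exportable' }
    if (($nameFlag -band $ENROLLEE_SUPPLIES_SUBJECT) -and ($ekus -contains $CLIENT_AUTH_EKU) -and
        $broad -and -not ($enrollFlag -band $PEND_ALL_REQUESTS)) {
        $findings += 'subject supplied by enrollee + Client Authentication + broad Enroll without manager approval'
    }
    [pscustomobject]@{
        Template     = [string]$t.Properties['cn'].Value
        SchemaVer    = $t.Properties['msPKI-Template-Schema-Version'].Value
        MinKeySize   = $t.Properties['msPKI-Minimal-Key-Size'].Value
        ValidityDays = [int]([math]::Abs($ticks) / 864000000000)
        RequestHash  = $hash
        Enroll       = $enrollers -join ', '
        Findings     = $findings -join '; '
    }
} | Format-Table -AutoSize -Wrap
```

A template that only appears in AD is not issuable until it is also published on the Enterprise Subordinate CA, so a finding here matters once the template shows up under the CA's Certificate Templates node.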

[07:25] A domain user is logged on to the Windows 7 machine.

There are 2 options for clients who want to request certificates: the Certificates MMC snap-in and the Web Enrollment app.

Let's add this snap-in to a console through the Add or Remove Snap-ins dialog of the Console Root.

The Certificates snap-in allows you to browse through the contents of the certificate stores for yourself, a service, or a computer.

– Personal is the store that contains the certificates obtained by the current user.

The other stores hold CA certificates and other trust information:

– Trusted Root Certification Authorities

– Enterprise Trust

– Intermediate Certification Authorities

– Active Directory User Object

– Trusted Publishers

– Untrusted Certificates

– Third-Party Root Certification Authorities

– Trusted People

– Smart Card Trusted Roots

You can select snap-ins for this console from those available on your computer and configure the selected set of snap-ins. For extensible snap-ins, you can configure which extensions are enabled.

[08:26] Request the certificate through the All Tasks, Request New Certificate menu of the Personal store.

Before You Begin

The following steps will help you install certificates, which are digital credentials used to connect to wireless networks, protect content, establish identity, and do other security-related tasks.

Before requesting a certificate, verify the following:

– Your computer is connected to the network

– You have credentials that can be used to verify your right to obtain the certificate

Select Certificate Enrollment Policy

Certificate enrollment policy enables enrollment for certificates based on predefined certificate templates. Certificate enrollment policy may already be configured for you.

– Configured by your administrator: Active Directory Enrollment Policy

– Configured by you (Add New only for special cases).

Request Certificates

You can request the following types of certificates. Select the certificates you want to request, and then click Enroll.

There are 2 CTs assigned to domain users by default, plus the SnoOpy-User template we just published with the proper permissions.

[09:19] Requesting certificates. Please wait…

The enrollment server is being contacted to obtain the certificates you have requested.

After a couple of seconds, the certificate will be ready to be used by this User!

You can see that with certificate templates and the Active Directory Enrollment Policy, the certificate issuance process can be simplified dramatically for office users as well as advanced clients.
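Once the certificate lands in the Personal store, it is worth confirming from the client that it actually carries what the template promised. The PowerShell below is an added example, not part of the original post; it assumes PowerShell 3.0 or later in the enrolled user's session and the SnoOpy-User template display name from the demo, and it reports the three expected purposes, the key and validity, and whether the certificate chains through the Enterprise Subordinate to the Standalone Root with revocation checking.

```powershell
# Check the certificate the user just enrolled for, from the Windows client.
# Added example, not part of the original post; assumes the template display
# name SnoOpy-User from the demo and runs in the enrolled user's session.
$TemplateName   = 'SnoOpy-User'
$TemplateExtOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2/v3 templates)
$ExpectedEkus   = '1.3.6.1.5.5.7.3.2', '1.3.6.1.5.5.7.3.4', '1.3.6.1.4.1.311.10.3.4'  # Client Auth, Secure Email, EFS

Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $cert   = $_
    $tplExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateExtOid }
    if (-not $tplExt) { return }                      # not issued from a v2/v3 template, skip
    # Format() renders "Template=SnoOpy-User(1.3.6.1.4.1.311.21.8...), Major Version Number=..."
    # when the template OID resolves through AD; otherwise only the OID is shown and this test skips it.
    if ($tplExt.Format($false) -notmatch [regex]::Escape($TemplateName)) { return }

    $ekuExt  = $cert.Extensions | Where-Object { $_ -is [Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    $missing = @($ExpectedEkus | Where-Object { $_ -notin $ekuOids })
    $missingText = if ($missing.Count) { $missing -join ', ' } else { 'none' }

    # Build the chain leaf -> Enterprise Subordinate -> Standalone Root, checking revocation online
    $chain = New-Object Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk   = $chain.Build($cert)
    $chainText = if ($chainOk) { 'OK' } else { ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ' }
    $sanText   = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }) -join '; '

    [pscustomobject]@{
        Subject        = $cert.Subject
        SubjectAltName = $sanText
        Issuer         = $cert.Issuer
        NotAfter       = $cert.NotAfter
        HasPrivateKey  = $cert.HasPrivateKey
        KeySize        = $cert.PublicKey.Key.KeySize
        SignatureAlg   = $cert.SignatureAlgorithm.FriendlyName
        MissingEKU     = $missingText
        ChainValid     = $chainOk
        ChainStatus    = $chainText
    }
} | Format-List
```

A chain failure here usually points back to the earlier episode on publishing the CRL: the client must be able to reach the CDP of both CAs for revocation checking to succeed.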

Check out my YouTube channel to see other applications of AD CS; the next episode will be about: Create, duplicate, and supersede the local user template by using a new template that includes smart card logon.
