After part 1, Configuring Active Directory Certificate Services Certificates, you now have a first experience with AD CS, CAs and certificates, as well as why we need Certificate Templates to simplify issuance.
However, let's consider this scenario:
Some users in the organization are required to travel frequently. These users require access to network resources of your AD domain from any of the branch offices or across the public network. In addition, these users can use any machine to get access to the network resources. For this, you have to ensure that these users are authenticated and authorized from anywhere to access the network resources.
Therefore, you decide to enroll these users for a certificate that can be stored on a chip embedded in a plastic card.
[00:10] This is called a smart card; we use it in conjunction with passwords to add layers of protection without further complexity in usage.
Remember that we can't reuse the previous certificate with this secure medium, because a certificate is designed for particular purpose(s); our old one is limited to Client Authentication, Secure Email, and EFS.
[00:18] That's why we need to use another template with the Smart Card Logon application policy.
[00:31] We will do this configuration on the Subordinate Enterprise CA (Windows Server 2008 R2), because the Standalone Root CA doesn't use certificate templates.
[00:37] "Stand-Alone Certification Authorities" – technet.microsoft.com
[00:41] Navigate to the Certificate Templates node of the Certification Authority (certsrv) MMC console.
Then choose Manage to open the Certificate Templates console.
You can create certificate templates with advanced properties. However, not all Windows CAs support all certificate template properties. Select the version of Windows Server (minimum supported CAs) for the duplicate certificate template.
Windows Server 2003/2008 Enterprise
We will duplicate the built-in User template instead of modifying the SnoOpy-User template from part 1, so that we can also demonstrate template superseding.
[00:55] You should check out part 1 to learn more about this CT duplication.
[01:04] "Supersede Templates" – technet.microsoft.com
Build from this Active Directory information
Select this option to enforce consistency among subject names and to
simplify certificate administration.
Subject name format: Fully distinguished name
Include e-mail name in the subject name
Include this information in the alternate subject name:
– E-mail name
– DNS name
– User principal name (UPN)
– Service principal name (SPN)
To modify an extension, select it, and then click Edit.
Extensions included in this template:
– Application Policies
– Basic Constraints
– Certificate Template Information
– Issuance Policies
– Key Usage
Description of Application Policies:
Encrypting File System
Each extension in a certificate is designated as either critical or non-critical. A certificate-using system MUST reject the certificate if it encounters a critical extension it does not recognize or a critical extension that contains information that it cannot process. A non-critical extension MAY be ignored if it is not recognized but MUST be processed if it is recognized.
[01:36] An application policy defines how a certificate can be used.
Add Smart Card Logon in the Edit Application Policies Extension dialog.
An application policy (called enhanced key usage in Windows 2000) defines how a certificate can be used. Select the application policies required for valid signatures of certificates issued by this template.
[01:45] "Which properties of an X.509 certificate should be critical and which not?" – security.stackexchange.com
Certificates issued by this template supersede certificates issued by all templates added in this list. Add only those templates whose certificates allow tasks permitted by certificates issued by this template.
There may be times when you want to modify the properties of a type of certificate that has already been issued to clients. You can do this by creating an updated certificate template for that certificate purpose and specifying that you want subjects of certificates based on the old template to obtain new certificates based on the new template.
[02:00] With the Superseded Templates tab, we can force users who hold the old SnoOpy-User certificate, which lacks the Smart Card Logon capability, to obtain the SnoOpy-SmartCard certificate instead.
You can also specify explicitly who is eligible to obtain a certificate from this template, using the template's Security tab.
For example, we allow Read and Enroll for Authenticated Users and Domain Users.
[02:35] "Securing PKI: Planning Certificate Algorithms and Usages" – technet.microsoft.com
[02:42] Publish this CT on the CA through the New, Certificate Template to Issue menu.
Select one Certificate Template to enable on this Certification Authority.
Note: If a certificate template that was recently created does not appear in this list, you may need to wait until information about this template has been replicated to all domain controllers.
All the certificate templates in the organization may not be available to your CA.
[03:03] Now switch to the Windows 7 client machine and open the Certificate Enrollment wizard from the Certificates console: under Console Root, right-click Personal, then All Tasks, Request New Certificate.
If we did not have the Certificate Templates' Active Directory Enrollment Policy alongside the AD CS CAs, you would have to use something like "Configured by you", which requires you to enter a bunch of settings for the requested certificate: key length, cryptographic service providers (CSPs), application policies, etc.
[03:40] Furthermore, there is a way to implement auto-enrollment as well as security rules.
[03:43] "Administering Certificate Templates" – technet.microsoft.com
So far so good: we now know about Certificate Templates and what Supersede means, how to extend the usage of a certificate with an Application Policy, and how the Certificates snap-in helps request certificates.
Stay tuned for the next episode: configuring the Web Enrollment site to use SSL, so that every client can request certificates via a web browser over a secure channel.
This certificate is intended for the following purpose(s):
– Protects e-mail messages
– Allows data on disk to be encrypted
– Proves your identity to a remote computer
– Smart Card Logon
[04:02] "Certificate Templates Overview" – technet.microsoft.com
[04:06] Make sure you read the included documents, links, references and notes, and review my very first videos on my YouTube channel for a deeper view of the theory behind AD CS :3
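As an added example that is not part of the video, here is a read-only PowerShell check of what this episode configured: on the client, which personal certificates actually carry the Smart Card Logon application policy, and in AD, whether the SnoOpy-SmartCard template object has that policy and supersedes SnoOpy-User. It assumes the template names from the video, a domain-joined machine, and the RSAT ActiveDirectory module for the AD part.

```powershell
# Added example (not from the video). Read-only checks for the Smart Card Logon
# template configuration. Assumes template names SnoOpy-User / SnoOpy-SmartCard
# from the video and that the ActiveDirectory module (RSAT) is installed.

# Well-known application policy (EKU) OIDs
$SmartCardLogon = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon
$ClientAuth     = '1.3.6.1.5.5.7.3.2'        # Client Authentication (in the old SnoOpy-User)

# 1) Client side: which of my personal certificates carry Smart Card Logon?
#    The old SnoOpy-User certificate will not show up here, only the new one.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogon } |
    Select-Object Subject, NotAfter, Thumbprint,
        @{ n = 'EKU'; e = { ($_.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', ' } }

# 2) AD side: inspect the template objects stored in the Configuration partition
Import-Module ActiveDirectory
$configNC     = (Get-ADRootDSE).configurationNamingContext
$tplContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$props = 'pKIExtendedKeyUsage', 'msPKI-Supersede-Templates', 'msPKI-Template-Schema-Version'
$tpl   = Get-ADObject -SearchBase $tplContainer -LDAPFilter '(cn=SnoOpy-SmartCard)' -Properties $props

# Does the new template carry the Smart Card Logon application policy?
if ($tpl.pKIExtendedKeyUsage -contains $SmartCardLogon) { 'SnoOpy-SmartCard: Smart Card Logon present' }
else                                                     { 'SnoOpy-SmartCard: Smart Card Logon MISSING' }

# Does it supersede SnoOpy-User, so existing holders get the new certificate on auto-enrollment?
if ($tpl.'msPKI-Supersede-Templates' -contains 'SnoOpy-User') { 'SnoOpy-SmartCard supersedes SnoOpy-User' }
else                                                          { 'SnoOpy-SmartCard does NOT supersede SnoOpy-User' }

# 3) Which templates in the forest grant Smart Card Logon at all? Each one issues a
#    logon credential, so its Enroll permissions (Security tab) deserve a review.
Get-ADObject -SearchBase $tplContainer -LDAPFilter '(objectClass=pKICertificateTemplate)' `
             -Properties pKIExtendedKeyUsage |
    Where-Object { $_.pKIExtendedKeyUsage -contains $SmartCardLogon } |
    Select-Object Name
```

Run the first part on the Windows 7 client after enrollment and the rest from any domain-joined machine with read access to the Configuration partition; a template that is published but missing from the wizard usually means the AD replication wait mentioned above is still in progress.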