IIAMWAD

3.2 Supersede User certificate template Smart Card Logon Enterprise Subordinate WS 2008 R2 Windows 7

Following part 1 on Configuring Active Directory Certificate Services Certificates, you now have first-hand experience with AD CS, CAs and certificates, as well as why Certificate Templates are needed to simplify issuance.

However, let's consider this scenario:

Some users in the organization are required to travel frequently. These users need access to network resources of your AD domain from any of the branch offices or across the public network. In addition, they may use any machine to reach those resources. You therefore have to ensure that these users are authenticated and authorized from anywhere before they access the network resources.

Therefore, you decide to enroll these users for a certificate that can be stored on a plastic chip card.

[00:10] This is called a Smart Card; we use it in conjunction with passwords to add a layer of protection without making day-to-day usage more complex.


Remember that we can't reuse the previous certificate with this secure media, because a certificate is designed for particular purpose(s); our old one is issued for Client Authentication, Secure Email, and EFS only.

[00:18] That's why we need another template that carries the Smart Card Logon application policy.


[00:31] We will do this configuration on the Enterprise Subordinate CA (Windows Server 2008 R2), because the Standalone Root CA doesn't use certificate templates.


[00:37] "Stand-Alone Certification Authorities" – technet.microsoft.com
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc755290(v=ws.11)

[00:41] Navigate to the Certificate Templates node of the Certification Authority (certsrv) MMC console.


Then choose Manage to open the Certificate Templates console.

You can create certificate templates with advanced properties. However, not all Windows CAs support all certificate template properties. Select the version of Windows Server (minimum supported CAs) for the duplicate certificate template.

Windows Server 2003/2008 Enterprise

We will duplicate the built-in User template rather than modifying the SnoOpy-User template from part 1, so that we can demonstrate template supersession further.

[00:55] Check out part 1 to learn more about duplicating a CT.


[01:04] "Supersede Templates" – technet.microsoft.com
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753044(v=ws.11)

Build from this Active Directory information: select this option to enforce consistency among subject names and to simplify certificate administration.

Subject name format: Fully distinguished name

Include e-mail name in the subject name

Include this information in the alternate subject name:

– E-mail name

– DNS name

– User principal name (UPN)

– Service principal name (SPN)

To modify an extension, select it, and then click Edit.

Extensions included in this template:

– Application Policies

– Basic Constraints

– Certificate Template Information

– Issuance Policies

– Key Usage

Description of Application Policies:

Encrypting File System

Secure Email

Client Authentication

[01:29] Each extension in a certificate is designated as either critical or non-critical. A certificate-using system MUST reject the certificate if it encounters a critical extension it does not recognize or a critical extension that contains information that it cannot process. A non-critical extension MAY be ignored if it is not recognized but MUST be processed if it is recognized.

[01:36] An application policy defines how a certificate can be used.


Add Smart Card Logon in the Edit Application Policies Extension dialog.

An application policy (called enhanced key usage in Windows 2000) defines how a certificate can be used. Select the application policy required for valid signatures of certificates issued by this template.
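As an added example (not code from the original post), the following Windows PowerShell script reads the certificates in the user's Personal store, reports which extensions are marked critical, decodes the Enhanced Key Usage OIDs into the application policy names used in this series, and flags the certificates that carry Smart Card Logon. Run on the enrolled client, it shows the difference between the old SnoOpy-User certificate and the new one. The store path and the OID-to-name table are assumptions; the OIDs themselves are the standard Microsoft and PKIX values.

```powershell
# Added example, not code from the original post: report extension criticality and
# application policies (EKU) for every certificate in the user's Personal store.
# Assumes Windows PowerShell 2.0 or later on the domain-joined client.

# Standard EKU OIDs for the four purposes discussed in this series.
$ekuNames = @{
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
    '1.3.6.1.5.5.7.3.4'      = 'Secure Email'
    '1.3.6.1.4.1.311.10.3.4' = 'Encrypting File System'
}

function Get-CertUsageReport {
    param([string]$StorePath = 'Cert:\CurrentUser\My')   # assumed store; change as needed

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # .NET surfaces the EKU extension as a typed X509EnhancedKeyUsageExtension.
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekuOids = @()
        if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        # Critical extensions must be understood by every relying party, so list them explicitly.
        $critical = @($cert.Extensions | Where-Object { $_.Critical } | ForEach-Object {
            if ($_.Oid.FriendlyName) { $_.Oid.FriendlyName } else { $_.Oid.Value }
        })

        $policies = $ekuOids | ForEach-Object { if ($ekuNames[$_]) { $ekuNames[$_] } else { $_ } }

        New-Object psobject -Property @{
            Subject             = $cert.Subject
            Thumbprint          = $cert.Thumbprint
            NotAfter            = $cert.NotAfter
            CriticalExtensions  = ($critical -join ', ')
            ApplicationPolicies = ($policies -join ', ')
            SmartCardLogon      = ($ekuOids -contains '1.3.6.1.4.1.311.20.2.2')
        }
    }
}

# Usage: show every certificate, then only those usable for smart card logon.
Get-CertUsageReport | Format-Table Subject, SmartCardLogon, ApplicationPolicies, CriticalExtensions -AutoSize
Get-CertUsageReport | Where-Object { $_.SmartCardLogon } |
    Format-List Subject, Thumbprint, NotAfter, ApplicationPolicies, CriticalExtensions
```

The script decodes the Enhanced Key Usage extension, which Windows populates from the template's application policies; a certificate issued from the old SnoOpy-User template will show Client Authentication, Secure Email and Encrypting File System but `SmartCardLogon` False, while one issued from the new template adds Smart Card Logon.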

[01:45] "Which properties of an X.509 certificate should be critical and which not?" – security.stackexchange.com
https://security.stackexchange.com/questions/30974/which-properties-of-a-x-509-certificate-should-be-critical-and-which-not

Certificates issued by this template supersede certificates issued by all templates added in this list. Add only those templates whose certificates allow tasks permitted by certificates issued by this template.

There may be times when you want to modify the properties of a type of certificate that has already been issued to clients. You can do this by creating an updated certificate template for that certificate purpose and specifying that you want subjects of certificates based on the old template to obtain new certificates based on the new template.

[02:00] With the Superseded Templates tab, we can force users who hold the old SnoOpy-User certificate, which lacks the Smart Card Logon capability, to obtain a SnoOpy-SmartCard certificate instead.
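The Superseded Templates dialog warns that you should add only templates whose certificates allow tasks also permitted by the new template. As an added example (not code from the original post), this Windows PowerShell script reads the template objects from the Configuration partition of Active Directory, lists which templates SnoOpy-SmartCard supersedes, and checks that every application policy OID of each superseded template is also present on the new one. The template names are the ones used in this series; the attribute names are the real AD schema attributes for certificate templates.

```powershell
# Added example, not code from the original post: verify that a superseding template
# still grants every application policy of the templates it supersedes.
# Assumes Windows PowerShell 2.0 or later on a domain-joined machine.

function Get-CertTemplate {
    param([Parameter(Mandatory = $true)][string]$Name)
    # Certificate templates live in the forest-wide Configuration partition.
    $configNc = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'][0]
    $dn = "CN=$Name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $t  = [ADSI]"LDAP://$dn"
    New-Object psobject -Property @{
        Name              = $Name
        # Application policies chosen in the template GUI; pKIExtendedKeyUsage mirrors them as EKU OIDs.
        ApplicationPolicy = @($t.Properties['msPKI-Certificate-Application-Policy'])
        ExtendedKeyUsage  = @($t.Properties['pKIExtendedKeyUsage'])
        # Names (cn) of the templates listed on the Superseded Templates tab.
        Supersedes        = @($t.Properties['msPKI-Supersede-Templates'])
    }
}

function Test-SupersedeIsSafe {
    param([Parameter(Mandatory = $true)][string]$NewTemplate)
    $new    = Get-CertTemplate -Name $NewTemplate
    $newSet = @($new.ApplicationPolicy + $new.ExtendedKeyUsage | Sort-Object -Unique)

    foreach ($oldName in $new.Supersedes) {
        $old    = Get-CertTemplate -Name $oldName
        $oldSet = @($old.ApplicationPolicy + $old.ExtendedKeyUsage | Sort-Object -Unique)
        # Every purpose the old certificate allowed must still be allowed by the new one;
        # otherwise users lose a capability when they are moved to the new template.
        $missing = @($oldSet | Where-Object { $newSet -notcontains $_ })
        New-Object psobject -Property @{
            Superseded   = $oldName
            Safe         = ($missing.Count -eq 0)
            MissingInNew = ($missing -join ', ')   # OIDs, e.g. 1.3.6.1.4.1.311.20.2.2 = Smart Card Logon
        }
    }
}

# Usage with the template names from this series.
Get-CertTemplate -Name 'SnoOpy-SmartCard' | Format-List Name, ApplicationPolicy, Supersedes
Test-SupersedeIsSafe -NewTemplate 'SnoOpy-SmartCard' | Format-Table Superseded, Safe, MissingInNew -AutoSize
```

For the setup in this part, SnoOpy-SmartCard carries Client Authentication, Secure Email, EFS and Smart Card Logon, so superseding SnoOpy-User (the first three only) is reported as safe; the check fails, and should make you reconsider, if an older template in the list granted a purpose the new one dropped.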


In fact, you can explicitly specify who is eligible to obtain a certificate through this certificate template by using the template's Security tab.

For example, we allow Read/Enroll for Authenticated Users and Domain Users.
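Because the Security tab decides who can obtain a certificate that now allows logon, it is worth auditing the template's ACL outside the GUI. As an added example (not code from the original post), this Windows PowerShell script reads the template's security descriptor from Active Directory and lists every principal holding Enroll or AutoEnroll, as well as principals whose Full Control or "all extended rights" entries grant Enroll implicitly. The control-access-right GUIDs are the well-known values for Certificate-Enrollment and Certificate-AutoEnrollment; the template name is the one used in this series.

```powershell
# Added example, not code from the original post: list who can enroll for a template.
# Assumes Windows PowerShell 2.0 or later on a domain-joined machine.

# Well-known control-access-right GUIDs on certificate template objects.
$enrollRight     = [guid]'0e10c968-78fb-11d1-a9c7-0000f80367c1'   # Certificate-Enrollment
$autoEnrollRight = [guid]'a05b8cc2-17bc-11d1-a9c7-0000f80367c1'   # Certificate-AutoEnrollment
$adRights        = [System.DirectoryServices.ActiveDirectoryRights]

function Get-TemplateEnrollmentAcl {
    param([Parameter(Mandatory = $true)][string]$Name)
    $configNc = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'][0]
    $t = [ADSI]"LDAP://CN=$Name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

    foreach ($ace in $t.psbase.ObjectSecurity.Access) {
        $rights = $ace.ActiveDirectoryRights
        $grants = @()

        # Full control implies every extended right, including Enroll.
        if (($rights -band $adRights::GenericAll) -eq $adRights::GenericAll) { $grants += 'FullControl' }

        # Extended rights are scoped by ObjectType; an empty GUID means all of them.
        if (($rights -band $adRights::ExtendedRight) -ne 0) {
            if     ($ace.ObjectType -eq [guid]::Empty)    { $grants += 'AllExtendedRights' }
            elseif ($ace.ObjectType -eq $enrollRight)     { $grants += 'Enroll' }
            elseif ($ace.ObjectType -eq $autoEnrollRight) { $grants += 'AutoEnroll' }
        }
        if ($grants.Count -eq 0) { continue }   # Read-only and unrelated entries are skipped

        New-Object psobject -Property @{
            Template   = $Name
            Identity   = $ace.IdentityReference.Value
            AccessType = $ace.AccessControlType      # Allow or Deny
            Grants     = ($grants -join ', ')
        }
    }
}

# Usage: expect Authenticated Users and Domain Users with Enroll, plus the usual admin groups.
Get-TemplateEnrollmentAcl -Name 'SnoOpy-SmartCard' | Format-Table Identity, AccessType, Grants -AutoSize
```

Compare the output with what you set in the Security tab: for a logon-capable template, any unexpected group with Enroll, AutoEnroll or Full Control is worth a second look, and Deny entries are listed so they are not overlooked.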

[02:35] "Securing PKI: Planning Certificate Algorithms and Usages" – technet.microsoft.com
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn786428(v=ws.11)

[02:42] Publish this CT through the New, Certificate Template to Issue menu.


Select one Certificate Template to enable on this Certification Authority.

Note: If a certificate template that was recently created does not appear in this list, you may need to wait until information about this template has been replicated to all domain controllers.

All the certificate templates in the organization may not be available to your CA.
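The list in the Certificate Template to Issue dialog, and the set of templates a CA will honour, both come from the CA's enrollment service object in Active Directory, which is why the note above mentions replication. As an added example (not code from the original post), this Windows PowerShell script reads every Enterprise CA's published template list from that object and reports whether SnoOpy-SmartCard has been enabled on each CA. The template name is the one used in this series; the container path and the `certificateTemplates` attribute are the real AD locations.

```powershell
# Added example, not code from the original post: show which templates each Enterprise CA
# is configured to issue, as recorded on its pKIEnrollmentService object in AD.
# Assumes Windows PowerShell 2.0 or later on a domain-joined machine.

function Get-CaIssuedTemplates {
    $configNc  = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'][0]
    $container = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"
    # One child object per Enterprise CA; standalone CAs do not appear here.
    foreach ($ca in $container.psbase.Children) {
        New-Object psobject -Property @{
            CA        = $ca.Properties['cn'][0]
            Host      = $ca.Properties['dNSHostName'][0]
            Templates = @($ca.Properties['certificateTemplates'])
        }
    }
}

function Test-TemplateIssuedBy {
    param([Parameter(Mandatory = $true)][string]$Name)
    foreach ($ca in Get-CaIssuedTemplates) {
        New-Object psobject -Property @{
            CA       = $ca.CA
            Host     = $ca.Host
            Template = $Name
            Issued   = ($ca.Templates -contains $Name)
        }
    }
}

# Usage with the template name from this series.
Get-CaIssuedTemplates | Format-Table CA, Host, Templates -AutoSize
Test-TemplateIssuedBy -Name 'SnoOpy-SmartCard' | Format-Table CA, Host, Template, Issued -AutoSize
```

Because the script, like the CA itself, reads from whichever domain controller answers the LDAP bind, a template that was published moments ago can still show `Issued` False until the change has replicated; rerun the check rather than publishing the template twice.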

[03:03] Now switch to the Windows 7 client machine and open the Certificate Enrollment wizard from the Certificates console (Console Root, Personal, All Tasks, Request New Certificate).


If we did not have the Active Directory Enrollment Policy, backed by Certificate Templates and AD CS CAs, you would have to use something like "Configured by you", which requires you to enter a set of settings for the requested certificate yourself: key length, cryptographic service provider (CSP), application policies, and so on.

[03:40] Furthermore, there is a way to implement auto-enrolment as well as security rules.


[03:43] "Administering Certificate Templates" – technet.microsoft.com
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725621(v=ws.10)

So far so good: we now know about Certificate Templates and what Supersede is, how to extend the usage of a certificate with an Application Policy, and how the Certificates snap-in can help request certificates.

Keep an eye out for the next episode: configuring the Web Enrollment site to use SSL, so that every client can request certificates via a web browser over a secure channel.

This certificate is intended for the following purpose(s):

– Protects e-mail messages

– Allows data on disk to be encrypted

– Proves your identity to a remote computer

– Smart Card Logon

[04:02] "Certificate Templates Overview" – technet.microsoft.com
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc730826(v=ws.10)

[04:06] Make sure you read the included documents, links, references and notes, and review my very first videos on my YouTube channel for a deeper look at the theory behind AD CS :3

