Part 2: Microsoft Certification Authority and Group Policies

This section will cover:

  • Active Directory Certificate services installation and configuration

  • Microsoft Templates configuration

  • IIS configuration

  • Group Policies for auto enrollment

  • Testing native auto enrollment

In the examples below, the domain used is primekey.com (PRIMEKEY), the Certificate Services hostname is csserver.primekey.com, and the Tomcat server hostname is tomcatserver.primekey.com. The text highlighted in red should be replaced with names in your environment.

1. Install Active Directory Certificate Services

1.1 Installing Active Directory Certificate Services

  1. Open Server Manager

  2. Click Add roles and features.

  3. Click Next, then select Role-based or feature-based installation.

  4. Select "Select a server from the server pool" and click the Certificate Services server

  5. Select Active Directory Certificate Services.

  6. A popup will appear, click Add Features to add the Certification Authority Management Tools.

  7. Proceed until reaching the Roles Services page for Active Directory Certificate Services.

  8. Select 'Certification Authority' and 'Certification Authority Web Enrollment'.

  9. A popup will appear, click Add Features to add IIS and its corresponding features.

  10. Proceed until the Confirmation page and click Install.

  11. When installation is completed proceed to configure Active Directory Certificate Services.

1.2 Configuring Active Directory Certificate Services

  1. A credentials window will pop up. Enter an account that belongs to the Domain/Enterprise Admin group. Click Next.

  2. Click Certification Authority and Certification Authority Web Enrollment to configure

  3. Select Enterprise CA.

    1. Select Root CA.

  4. Create a new private key.

  5. Select the Cryptography to SHA256.

  6. Select the bit length to 4096 bits.

  7. Enter a common name for the CA such as MSCA-Proxy .

  8. Set the validity period 25 years.

  9. Configure the location for the certificate database and certificate database log.

  10. Click Configure.

2. Configure Active Directory Certificate Enrollment Policy Services on the Certificate Services Server

2.1 Prepare service account

  1. If not done so yet, create the service account ( ces-service ) for Certificate Enrollment Services and the service account ( servlet-service ) for Tomcat servlet

  2. Open the Local Users and Group manager (lusrmgr.msc)

  3. Add the ces-service account to the Local IIS_IUSRS group.

  4. Open command prompt with elevated permissions.

  5. Set service principal name for the service account by running these commands (ensure to replace the server FQDN and account name with your own configuration):

setspn -s HTTP/csserver.primekey.com ces-service
setspn -s HTTP/tomcatserver.primekey.com servlet-service

2.2 Install Active Directory Certificate Services

  1. Open Server Manager.

  2. Under the Active Directory Certificate Services section, click Manage and click Add Roles and Features.

  3. Expand Active Directory Certificate Services, and select Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service.

  4. After the roles have been installed, configure Active Directory services on the destination server.

  5. A credentials window will pop up. Enter an account that belongs to the Domain/Enterprise Admin group. Click Next.

  6. Check the Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service boxes. Click Next.

  7. Select the CA Name. Click the Select button to browse for your Microsoft CA. Select the Microsoft CA that will be issuing the certificates using certificate enrollment web service.

  8. For authentication type for CES, select Windows Integrated Authentication.

  9. For account for Certificate Enrollment Web Service, specify a service account.

  10. For authentication type for CEP, select Windows Integrated Authentication.

  11. Enter credentials for the service account ( ces-service ).

  12. Choose and assign a certificate for SSL later.

  13. Click Next.

  14. Review the confirmation page and click Configure.

  15. When installation completes, click Close.

2.3 Issue a server certificate to the CS Server

  1. Open Microsoft Management Console (mmc.exe)

  2. Add the Certificates snap-in.

  3. Choose Computer account and select Local Computer.

  4. Select Personal

  5. Right-click > All Tasks > Request new certificate.

  6. Select Active Directory Enrollment Policy.

  7. Select Computer and Enroll.

3. Configure Certificate Templates

  1. Open the Certificate Authority manager

  2. Expand the selection for your CA.

  3. Right click Certificate Templates and click Manage.

  4. Right click Computer and select Duplicate Template.

    1. Under Compatibility Settings for the Certification Authority select Windows Server 2003 and Certificate recipient select Windows XP/Server 2003.

    2. Click the General Tab and change the Template Name to Computer_Auto_Enrollment

    3. Click the Security tab, and give "Domain Computers" permissions to Enroll and Autoenroll.

    4. Select the Subject Name tab and change the Subject name format to be DNS Name.

    5. Check DNS Name

    6. Under the request handling tab uncheck "Allow private key to be exported"

    7. Click "OK" to go back to the template list.

  5. Right click User and select Duplicate Template.

    1. Under Compatibility Settings for the Certification Authority select Windows Server 2003 and Certificate recipient select Windows XP/Server 2003.

    2. Change the Template Name to User_Auto_Enrollment

    3. Select the Security tab, and give "Domain Users" permissions to Autoenroll.

    4. Select the Subject name format to "Common Name"

    5. Uncheck "Include email name in subject name"

    6. Uncheck "Email" in the subject alternative name.

    7. Check "User principal name (UPN)"

    8. Under the request handling tab uncheck "Allow private key to be exported"

    9. Click "OK" to go back to the template list.

  6. Return to the Certificate Authority manager.

    1. Right click Certificate Templates.

    2. Select New > Certificate Template to Issue.

    3. Select User_Auto_Enrollment and Computer_Auto_Enrollment.

    4. Click "OK".

  7. Delete all templates in the Certificate Templates section except the templates created during the cloning process.

  8. Obtain the Microsoft certificate template OIDs

    1. Open Powershell and run "Certutil -catemplates -v | select-string displayname,msPKI-Cert-Template-OID" to get the Certificate Template OID.

    2. Note the OIDs for the User_Certificate_Template Workstation_Certificate_Template. These values will be used later.

4. Configure IIS

  1. Open the IIS Manager.

  2. Click your server name on the left hand side

  3. Expand the selection for your server.

  4. Click Application Pools.

  5. Right click WSEnrollmentPolicyServer.

  6. Click Advanced Settings.

  7. Edit Identity and select a custom account and click set.

  8. Enter the credentials for PRIMEKEY \ces-service .

  9. Expand "Sites" in the Connection menu on the left hand side.

  10. Click Default Web Site.

  11. Click Bindings on the right hand side.

  12. Edit the https site binding.

  13. Select the CS Server's SSL certificate ( csserver.primekey.com ).

  14. Expand the Default Web Site option on the left hand side.

  15. Click ADPolicyProvider_CEP_Kerberos.

  16. Open Application Settings.

  17. Enter a FriendlyName for requesting certificates such as EJBCA_Enrollment. This is a name that clients will see only when manually requesting certificates.

  18. Click Add

  19. Create a new entry with name "RetryIntervalMs" and value "300000"

  20. Restart IIS by clicking on the server name and then click Restart on the right hand side.

5. Configure Group Policies on AD

  1. Access Group Policy Management on the AD Host.

  2. Edit the Default Domain Policy for your domain.

  3. Expand User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.

  4. Edit Certificate Services Client – Auto-Enrollment

    1. Change Configuration Model to Enabled

    2. Check "Update certificates that use certificate templates"

  5. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.

  6. Edit Certificate Services Client – Auto-Enrollment

    1. Change Configuration Model to Enabled

    2. Check "Update certificates that use certificate templates"

6. Test Microsoft Auto Enrollment

  1. Log in as any domain admin to a computer connected to the domain.

  2. Load mmc.exe and use add/remove snap in and pick certificates for both user and local computer.

images/download/attachments/3049549/worddav07cd6fda120371fe916140553727ca2a.png

  1. Verify the user certificate was generated (Current User/ Personal/ Certificates).

    1. Ensure the user certificate in the personal store is generated by the Windows CA using the correct template that was duplicated.

  2. Verify the computer certificate was generated. (Local Computer/ Personal/ Certificates - will need Admin privileges to check the Local computer certificate store).

    1. Ensure the computer certificate in the personal store is generated by the Windows CA using the correct template that was duplicated.

7. Update the MS Auto Enrollment Server URL

  1. Open a command prompt on the Certificate Services Server.

  2. Run this command to get the current URL:

    certutil -config csserver.primekey.com\MSCA-Proxy -enrollmentserverurl
  3. Remove the existing enrollment server URL:

    certutil -config csserver.primekey.com\MSCA-Proxy -enrollmentserverurl https://csserver.primekey.com/MSCA-Proxy_CES_Kerberos/service.svc/CES delete
  4. Add the new enrollment server URL:

    certutil -config csserver.primekey.com\MSCA-Proxy -enrollmentserverurl https://tomcatserver.primekey.com:8443/autoenroll/MSEnrollmentServlet Kerberos

Running the first command again should show the new URL updated:

Now that all of the changes have been made to the domain group policy and the certificate enrollment URL has been updated, time needs to be given for domain replication to occur. After this time, reboot all desktops that need to get the new profile applied. After logging in to the desktop with the new group policy it can take up to 10 minutes to get a new certificate.

8. Update Group Policy for Certificate Enrollment

  1. Access Group Policy Management on AD.

  2. Edit the Default Domain Policy for your domain.

  3. Expand User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.

  4. Edit Certificate Services Client – Certificate Enrollment Policy.

  5. Change Configuration Model to Enabled.

  6. Remove the Active Directory Enrollment Policy from the Certificate Enrollment policy list.

  7. Click Add.

  8. Enter the policy server URI: https:// csserver.primekey.com /ADPolicyProvider_CEP_Kerberos/service.svc/CEP

  9. Click Validate.

  10. Click Add.

  11. Select the check mark for Default.

  12. Click OK.

  13. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.

  14. Edit Certificate Services Client – Certificate Enrollment Policy.

  15. Change Configuration Model to Enabled.

  16. Remove the Active Directory Enrollment Policy from the Certificate Enrollment policy list.

  17. Click Add.

  18. Enter the policy server URI: https:// csserver.primekey.com /ADPolicyProvider_CEP_Kerberos/service.svc/CEP

  19. Click Validate.

  20. Click Add.

  21. Select the check mark for Default.

  22. Click OK.

9. Install Cert Chain from EJBCA onto Client Certificate Stores

9.1 Fetch CA certificates

On the AD Domain Services Server, go to the EJBCA Public Web located at: http:// ejbcaserver.primekey.com :8080/ejbca/retrieve/ca_certs.jsp

  • Download the Root, Intermediate and Issuing CA Certificates

9.2 Set group policies to automatically place the CA certificates into their respective certificate stores

  1. Open Group Policy Management on the AD Server

  2. Navigate to the domain

  3. Create a new Group Policy Object (Trusted EJBCA CA certs)

  4. Right Click the Trusted EJBCA CA certs GPO and click Edit

  5. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities

  6. Click the Action menu or right-click and then click Import

  7. Follow the instructions in the Certificate Import Wizard to find and import the Root CA certificate

  8. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Intermediate Certification Authorities

  9. Click the Action menu or right-click and then click Import

  10. Follow the instructions in the Certificate Import Wizard to find and import the Intermediate CA certificate. Repeat the import process for the Issuing CA certificate