As a result, when running a Windows server or standard edition, you only have access to v1 templates. The Directory Email Replication template is a v2 template. These default templates cannot be fully modified e. I strongly recommend creating new templates and then deploying these templates to the CA. You can create a new template by right-clicking the Certificate Templates view and choosing "Manage". You will now get the list with all available templates.
Select one of the templates, right-click and choose "Duplicate Template". The first thing that you will be asked to do is to select the Template version. Even if you have not updated the Schema to , you will still get the option to create a Windows Server , Enterprise Edition template. You can modify and save the template, but if you have not updated the schema, this template will NOT work. You can now change all of the template's parameters.
In the Template Name, I recommend not using any strange characters or spaces. Otherwise, you would disable all of the existing enabled templates, and only enable the WebServerInternal1Y template.
The template is the place where you can set the security for this template. You can basically state who can use this template to request certificates, you can determine who can manage this template, etc. Before changing the security or any other parameter, disable the template, make the changes, and then enable it again. You can then grant the "Read and Enroll" permission to a group of users in order to allow certain users to generate a certificate request.
If security has been set, you can enable the template again using the certutil command (see above). Depending on your needs, you may want to enable Authentication on the Web Enrollment website. But in any case, I would recommend you to enable SSL on the website. Otherwise, you may not be able to properly request certificates. But if you want to fix this, you need to request a certificate from this Issuing CA and install it on the webserver…. A quick CLI command to list all certificates that will expire in a given number of days. Example: list all certificates that will expire in less than one year.
If you want to know which certificates were enrolled using autoenrollment and may be renewed automatically based upon your template settings, and which ones will require manual intervention:
The first command will list the Requests, the second command will indicate the Process used to enroll the certificate. If you put those 2 outputs next to each other, you can easily build a list of certificates that will require manual renewal.
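The expiry listing described above, as an added example that is not a command from the original post: it wraps `certutil -view` so that issued certificates expiring within a given number of days come back as PowerShell objects instead of raw text. It assumes it runs on the CA itself (add `-config` otherwise) under an account with Read access to the CA database.

```powershell
# Added example (not from the original post): list issued certificates that
# expire within $Days days using the CA database view of certutil.
function Get-ExpiringIssuedCert {
    param([int]$Days = 365)
    # Disposition 20 = issued. certutil's date window notation is now+dd:hh,
    # and NotAfter>=now excludes certificates that have already expired.
    $restrict = "Disposition=20,NotAfter>=now,NotAfter<=now+$($Days):00"
    $cols     = 'RequestID,RequesterName,CommonName,CertificateTemplate,NotAfter'
    $csv      = certutil -view -restrict $restrict -out $cols csv
    if ($LASTEXITCODE -ne 0) { throw "certutil failed: $($csv -join ' ')" }
    # certutil writes display names in the CSV header, so map columns by
    # position rather than by header text (header text is locale dependent).
    $csv | ConvertFrom-Csv | ForEach-Object {
        $v = @($_.PSObject.Properties.Value)
        [pscustomobject]@{
            RequestID  = [int]$v[0]
            Requester  = $v[1]
            CommonName = $v[2]
            Template   = $v[3]
            NotAfter   = [datetime]::Parse($v[4])
        }
    }
}

# Example run: everything issued by this CA that expires in less than a year.
Get-ExpiringIssuedCert -Days 365 | Sort-Object NotAfter | Format-Table -AutoSize
```

Certificates issued from a template without autoenrollment permissions are the ones to schedule for manual renewal from this list.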
Of course, you can limit the scope of this command using the -restrict parameter as well. Processes including "CertEnrollCtrl". Processes including "inetmgr". As part of your daily operations, you must back up the CA. You can only back up the private key by right-clicking the CA and selecting "Backup".
The nice thing is that you only need to do this once in the lifetime of the certificate. As long as you keep the key in a safe place, you should be fine. If you want to back up the CA database, then you can use a certutil command in a scheduled task script. The only requirement for the script to work is that the target directory is empty.
If you ever need to restore the CA, you can simply build a new server with exactly the same hostname. During the setup of the CA, you can select to restore the CA from a backup and feed it your backup key and backup database. There are a couple of ways to deploy the root CA certificate into the Trusted Root Certificate Authorities store on your computers.
If the computers are part of the domain, you can use a Group Policy to deploy the root CA certificate. If you cannot use a GPO, you will have to. In both cases, you need to have local administrator access in order to perform the task. The nice thing about the command line option is the fact that you can use e. First, make sure you have a copy of the root CA certificate on disk. Next, edit the GPO. This should take care of the deployment of the root CA when the GPO gets applied to all computer objects in the domain.
You will be asked to enter the keystore password. First, verify that the Domain Controller certificate allows autoenrollment. Edit the Default Domain Controller Certificate. You can create a webserver certificate request that includes a Subject Alternate Name using Exchange PowerShell: Copy the request file to the CA and submit the request file. Issue the certificate and export the issued certificate to file again. You can now import the certificate manually using the Certificates (Local Computer) MMC or using the following Exchange PowerShell cmdlet:
So if you set the parameters right, you will have maximum flexibility. If you need to create a custom certificate request, you can basically build a custom request using the certreq command line utility and a template.
Just make sure to create the request on the machine where the certificate needs to be installed. In my example, I will explain how to create a certificate request for a domain controller certificate using certreq. Furthermore, you should get the exact TemplateName for the template that will be used on the CA while submitting the request. In my example, the Domain Controller request must have the fqdn of the DC as the subject field, and the template is called DomainControllerAuthentication.
Create a template file for each domain controller, fill out the Subject field, KeyLength and CertificateTemplate name and put the template file on the domain controller. This may not be required all the time. Also, this may not be required when submitting the request onto an Enterprise CA.
Once you have created the templates, you can create a request using the following command: Export the certificates and save the exported. Copy the signed file back to the host where the request was created and run the following command:
If you now check the certificate store, you should see the certificate. Verify that, when you open the certificate, it contains a private key, which indicates that the certreq -accept command has bound the request and the signed certificate together. If you want to use the certificate on another machine, you can now export this certificate including the private key — of course, if that was allowed in the request.
If you want to create a template file for creating an SSL certificate for a server with fqdn webserver1. To see all possible entries in the template. Better safe than sorry. The reason for this is the fact that, under Vista, Internet Explorer no longer runs with administrative permissions, so you cannot save anything in the local machine store.
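The custom-request procedure from the certreq chapter (inf template, `certreq -new`, submit, `certreq -accept`) and the SSL template with a Subject Alternative Name described just above, as one added example that is not the post's own template file: the script writes an inf for a machine-store web server certificate with SAN entries and runs the three certreq steps. The host names, the CA config string and the working folder are assumed placeholders; the template name WebServerInternal1Y is the one the post uses.

```powershell
# Added example (not from the original post): build a certreq .inf with a
# SAN extension, then request, submit and accept in the local machine store.
$Fqdn     = 'webserver1.example.internal'                  # assumed placeholder
$SanNames = @('webserver1.example.internal', 'www.example.internal')  # assumed
$Template = 'WebServerInternal1Y'                          # template from the post
$CaConfig = 'ca01.example.internal\Example Issuing CA'     # assumed "host\CA name"
$Work     = 'C:\certreq'                                   # assumed working folder

# certreq expects one "dns=...&" entry per SAN on _continue_ lines.
$sanLines = ($SanNames | ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`r`n"

$inf = @"
[NewRequest]
Subject       = "CN=$Fqdn"
KeyLength     = 2048
KeySpec       = 1          ; AT_KEYEXCHANGE, required for TLS key exchange
KeyUsage      = 0xA0       ; Digital Signature + Key Encipherment
Exportable    = FALSE      ; private key stays on this host
MachineKeySet = TRUE       ; local machine store, not the user store
ProviderName  = "Microsoft RSA SChannel Cryptographic Provider"
RequestType   = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1    ; Server Authentication

[Extensions]
2.5.29.17 = "{text}"       ; subjectAltName, filled by the _continue_ lines
$sanLines

[RequestAttributes]
CertificateTemplate = $Template
"@

New-Item -ItemType Directory -Path $Work -Force | Out-Null
$base = Join-Path $Work $Fqdn
Set-Content -Path "$base.inf" -Value $inf -Encoding ASCII

# 1. Generate the key pair in the machine store and write the PKCS#10 request.
certreq -new "$base.inf" "$base.req"
# 2. Submit to the issuing CA; -config skips the interactive CA picker.
certreq -submit -config $CaConfig "$base.req" "$base.cer"
# 3. Bind the issued certificate to the pending request and its private key.
certreq -accept "$base.cer"

# Verify: the certificate is in the machine store and carries a private key.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey }
```

If the template requires CA manager approval, step 2 returns a request ID and "Taken Under Submission"; retrieve the certificate with `certreq -retrieve` once it is issued, then run step 3.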
As a result of this design change, the feature was removed from the website. So if you want certificates to be stored in the local machine store, you will have to create a custom request using inf templates, as explained in this chapter. As with every system configuration, you need to think about the management and maintenance processes that need to be put in place. You would only use that option if perhaps a server failed that was hosting a CA previously, you have the backup of the private key of it and now you want to reinstall the server to host it again.
That doesn't apply so create a new private key it is. Then I get to choose the cryptographic provider from the drop down list. I'm going to stick with all the defaults here. Should work just fine. So RSA as the cryptographic provider with the key length of 2, bits and for the digital signing algorithm for digitally signing certificates, I'll leave it on SHA, the secure hashing algorithm and then I'll click next. I have to come up with a common name for this certificate authority so I'm just going to call it fake domain one and down below it's come up with the distinguished name and the suffix for that, so I'm okay with that so I'm going to go ahead and click next.
Now bear in mind that PKI certificates have an expiration date. They're only valid for a certain period of time and that includes certificate authorities so here it's set five years as the validity period by default for this certificate authority, not for certificates it will issue. Let's say here I'm going to change that to 10 years in accordance with our organizational security policies so having done that, I'll go ahead and click next.
I will accept the default database locations for the certificate database and the certificate database log and then I'll click next. Okay, looks good so I'm going to go ahead and click configure on the summary screen and now it's just a matter of waiting. So I can now see that the configuration has succeeded for both components, the certification authority and the certification authority web enrollment so I'm going to go ahead and click close.
Now here in the server manager if I go to the tools menu to start the certification authority tool which you could also start from the start menu, this time it will not give us an error because we've configured a CA. We can actually see it over here on the left, fake domain one. If I expand that, notice underneath it I have folders for revoked certificates, issued certificates, pending requests that might require administrator approval, failed requests, even certificate templates or blueprints that are used to issue PKI certificates and we'll be working with this in other demonstrations.
Also if I were to go let's say into my start menu on this server and run cert MGR, the certificate manager MMC console, it gives me the option then to manage computer certificates. Configure the Certificate Services for the Enterprise and use the backed up private key from the Windows server. Restore the private key, certificate database and certificate database log on the Windows server.
Edit the. Do not change any Certificate Authority names. Restart the Windows R2 server and verify functionality. Verify services are started, previously issued certificates are in the database, and even request a new Certificate. I am fairly new to the Windows Certification Authority and our is expiring next month. I want to make sure that I do not break anything when renewing.
But is there anything special that needs to be done to renew the Certification Authority or anything I should look out for? We only have 1 CA. I just renewed mine without any gotchas. Any website, VPN device, etc.