---
layout: default
title: Local Certification Authority
permalink: networkconfig/localca/
---
This page provides tips for using a local certification authority (CA) to issue a domain controller certificate. These procedures are for local Microsoft CAs; other platforms may be used, but their procedures differ.
{% include alert-info.html content="These procedures are accurate for using Microsoft 2012 Server, Standard Edition, for CA and Domain Controller servers as of March 2017." %}
- Prerequisites
- Install CA Role
- Configure Certificate Template for Domain Controller
- Auto-Enroll Domain Controllers Using Group Policy Object (GPO)
## Prerequisites

- The server that hosts the CA must be joined to the domain.
- The CA should never reside on the same server(s) that are acting as Domain Controller(s).
- You must be an Enterprise Administrator in the domain to perform these steps.
## Install CA Role

1. Log into the CA server as a member of the Enterprise Administrators group.
2. Open the Server Manager and click on Manage -> Add Roles and Features.
3. Proceed through the Add Roles and Features Wizard options. Choose the following:
   - Server Roles: Active Directory Certificate Services
   - AD CS Role Services: Certification Authority
4. On the Results page, click on Configure Active Directory Certificate Services on the destination server.
5. Proceed through the AD CS Configuration options. Choose the following values, as required:
   - Role Service: Certification Authority
   - Setup Type: Enterprise CA
   - CA Type: Root CA
   - Private Key: Create a new private key
   - Cryptography: RSA#Microsoft Software Key Storage Provider, 2048 bit, SHA-256
   - CA Name: Use the naming convention dc=[AD suffix], dc=[AD domain], cn=[certification authority name] (e.g., dc=gov, dc=[AgencyName], cn=[AgencyName] NPE CA1)
   - Validity Period: 6 years
   - Certificate Database: <your preference>
## Configure Certificate Template for Domain Controller

The domain controller certificate must contain valid information. These steps provide recommended options and settings.

1. Log into the CA server as a member of the Enterprise Administrators group.
2. Open the Certificate Templates MMC snap-in (i.e., certtmpl.msc).
3. Right-click on the Domain Controller Authentication template. Then, click on Duplicate Template.
4. Under the Compatibility tab, modify the Compatibility Settings for both the CA and certificate recipients to the highest compatible version (e.g., Windows Server 2012 R2 or Windows 2008 R2).
5. Under the General tab, use these recommended settings:
   - Template Name: <Your organization> - Domain Controller Authentication
   - Validity Period: 3 years
   - Renewal Period: 6 weeks
6. Under the Cryptography tab, set these values:
   - Minimum Key Size: 2048
   - Request Hash: SHA256
7. Open the CA console (i.e., certsrv.msc).
8. In the console tree, click on the [CA's name].
9. In the details pane, double-click on Certificate Templates.
10. In the console tree, right-click on Certificate Templates. Then, click on New > Certificate Template To Issue.
11. Select and enable the certificate template that was created. Click on OK.
## Auto-Enroll Domain Controllers Using Group Policy Object (GPO)

1. Log into a Domain Controller server as a member of the Enterprise Administrators group.
2. Open the GPMC (i.e., gpmc.msc).
3. Within the appropriate GPO applied to the Domain Controllers, go to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\
4. Configure Certificate Services Client - Auto-Enrollment with the following options:
   - Configuration Model: Enabled
   - Renew Expired Certificates, Update Pending Certificates, Remove Revoked Certificates: Check all checkboxes
   - Update Certificates That Use Certificate Templates: Check the checkbox
5. Replicate the group policy. Run `gpupdate /force` at the command line, or wait for the group policy to replicate based on your replication time and settings.
6. Open MMC.exe -> File -> Add/Remove Snap-in -> Certificates -> Computer account -> Local computer.

If successful, you will see a new Domain Controller certificate in the Certificates (Local Computer) -> Personal -> Certificates folder. On the Certificate Template tab, you will also see that the certificate was generated with the custom certificate template.
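The same check can be scripted instead of inspecting the MMC by hand. The following PowerShell, added here as an example and not part of the original guide, searches the domain controller's machine Personal store for a certificate issued from the custom template and verifies the properties the steps above configured (2048-bit key, SHA-256 signature, EKUs of the Domain Controller Authentication template, SAN containing the DC's FQDN). It assumes `$TemplateName` is set to the display name you chose for the duplicated template.

```powershell
# Added verification script (not from the original guide). Run in an elevated
# PowerShell session on the domain controller after auto-enrollment completes.
# Assumption: $TemplateName is the display name given to the duplicated template.
$TemplateName = '<Your organization> - Domain Controller Authentication'

# EKUs carried by the Domain Controller Authentication template.
$RequiredEku = @{
    'Client Authentication' = '1.3.6.1.5.5.7.3.2'
    'Server Authentication' = '1.3.6.1.5.5.7.3.1'
    'Smart Card Logon'      = '1.3.6.1.4.1.311.20.2.2'
}
$TemplateOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2+ templates)
$SanOid      = '2.5.29.17'              # Subject Alternative Name
$Fqdn        = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Certificates in the machine Personal store issued from the custom template.
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq $TemplateOid }
    $ext -and $ext.Format($false) -like "*$TemplateName*"
}
if (-not $certs) {
    Write-Warning "No certificate from template '$TemplateName' found; check the GPO scope and that the CA publishes the template."
    return
}

foreach ($cert in $certs) {
    $san  = ($cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }).Format($false)
    $ekus = $cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }
    $missingEku = $RequiredEku.GetEnumerator() |
        Where-Object { $ekus -notcontains $_.Value } | ForEach-Object { $_.Key }

    $checks = [ordered]@{
        Thumbprint    = $cert.Thumbprint
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        Valid         = ($cert.NotBefore -le (Get-Date)) -and ($cert.NotAfter -gt (Get-Date))
        HasPrivateKey = $cert.HasPrivateKey
        KeySize2048   = $cert.PublicKey.Key.KeySize -ge 2048
        Sha256        = $cert.SignatureAlgorithm.FriendlyName -eq 'sha256RSA'
        SanHasFqdn    = [bool]($san -match [regex]::Escape($Fqdn))
        MissingEku    = ($missingEku -join ', ')
    }
    $checks['AllPass'] = $checks['Valid'] -and $checks['HasPrivateKey'] -and
        $checks['KeySize2048'] -and $checks['Sha256'] -and $checks['SanHasFqdn'] -and
        (-not $missingEku)
    [pscustomobject]$checks
}
```

A row with `AllPass` equal to `True` indicates the domain controller holds a usable certificate from the template; a `False` in any column points to the template or GPO setting that needs review.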