Solved

How can I sign certificates in Server 2008R2 and they roll them out using group policy?

Posted on 2011-03-03
747 Views
Last Modified: 2012-05-11
Can anyone recommend to me any good websites that explain the role of the CA in Server 2008R2 and how to automatically enrol signed certificates using group policy?  I have read a few books from Microsoft and some bits and pieces from their technical website but they don't really help very much.  They seem to assume that you already have a basic understanding, which I do not.

Here is some background to this question.
I am new to Server 2008R2 and have just installed IIS.  Whenever any client logs onto my Intranet site they are warned about an untrusted certificate.  I would like to get my clients to automatically receive this certificate so that they trust this website (install it within their trusted certificate root store).  Once I can understand this I can then start to automatically distribute other certificates too.

Thanks.
Question by:evansjam
3 Comments
 
LVL 11

Expert Comment

by:Tasmant
ID: 35026393
Basically, you need to understand a few things:
First, a Certification Authority is a service that provides you a way to deliver certificates to clients.
If you install the Certification Authority by yourself, the public key certificate assigned to the CA will be private (i.e. the CA certificate will not be signed by an already publicly trusted CA like Verisign or others...).

Second, the way you install the CA. Microsoft provides two ways to install a CA.
First is Standalone CA. In this mode the configuration isn't stored in Active Directory. Members of your domain do not automatically trust the public CA certificate (and therefore don't trust automatically any certificate delivered by the CA). You cannot use autoenrollment in this mode.
Second is the Enterprise CA. In this mode the configuration is stored in Active Directory. Members of your domain automatically trust the public CA certificate (and therefore trust automatically any certificate delivered by the CA). You can use autoenrollment in this mode.

Once you have configured your CA (take care with the Certificate Revocation List (CRL) paths), you are able to deliver certificates to clients, but only if they request one.

Autoenrollment is a feature that works only with certificate model v2 or above.
To configure autoenrollment, you need to edit the "user certificate template v1" and duplicate the model in order to provide a v2 model. Then you can edit the security of the certificate template in order to enable the autoenrollment right for authenticated users (or any group to which you want to provide autoenrollment). Once done, you have to publish this model in your CA for your clients to be able to request it.
The last step is to configure your clients (by GPO) to instruct them to autoenroll certificates (and renew ...).

Basically, all the steps are described here: http://technet.microsoft.com/en-us/library/bb456981.aspx
For more instructions, refer to:
Configure the certificate template on the CA: http://technet.microsoft.com/en-us/library/cc739296%28WS.10%29.aspx
Configure the Group Policy: http://technet.microsoft.com/en-us/library/cc739637%28WS.10%29.aspx

The information is available for 2003/2008/2008R2.
The only difference for 2008R2 is that you don't need the 2008 R2 Enterprise version of Windows to be able to duplicate certificate templates; the Standard version is sufficient.

Another link on this topic: http://technet.microsoft.com/en-us/library/cc731522.aspx
 
LVL 11

Accepted Solution

by: Tasmant (earned 500 total points)
ID: 35026439
I would like to add a few things:
To be trusted, a certificate must match some points:
- the CA which delivered the certificate must be trusted by your clients
- the certificate must not be expired
- the name of the certificate must match the URL requested by the client

If you deploy an enterprise CA, the CA certificate will automatically be delivered to your domain computers. If you have external computers/users who want to access your web site, you will have to provide them the public CA certificate in order to add it to the trusted root store (certmgr.msc).
I think they can view it directly in IE and add it in the trusted root store.

Assuming the name of your website is www.mycompany.com, the common name of your certificate must be www.mycompany.com, else clients will get warnings about the certificate name. Since 2003 there is the SAN (Subject Alternative Name); this feature enables you to set multiple names on your certificate (i.e. www.mycompany.com, mycompany.com, owa.mycompany.com). This is commonly used with Exchange to provide all the names needed.
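The three trust conditions listed in this answer, as an added Go example that is not part of the thread: it builds a constructed in-memory root CA and a server certificate with SANs (a stand-in for an enterprise CA and the IIS certificate it issued) and uses Go's standard X.509 verifier to report which condition a client would reject on. The CA name, the hostnames and the "trusted root" pool (which models the client's trusted root store that an enterprise CA fills automatically) are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// BuildTestPKI builds a constructed in-memory root CA and a server certificate it signs for the
// given SANs (the first is also the CN), standing in for an enterprise CA and the IIS certificate.
func BuildTestPKI(sans []string, leafNotAfter time.Time) (ca, leaf *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader) // the server's private key is not needed here
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		Subject:   pkix.Name{CommonName: "Constructed Enterprise Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA:      true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey) // self-signed
	ca, _ = x509.ParseCertificate(caDER)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2),
		Subject:   pkix.Name{CommonName: sans[0]}, DNSNames: sans,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: leafNotAfter}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, leafPub, caKey) // signed by the CA
	leaf, _ = x509.ParseCertificate(leafDER)
	return ca, leaf
}

// CheckTrust applies the answer's three conditions in the order Go's verifier checks them:
// not expired, host matches CN/SAN, chain ends at a root the client trusts. "" means trusted.
func CheckTrust(leaf, trustedRoot *x509.Certificate, host string, at time.Time) string {
	roots := x509.NewCertPool() // models the client's trusted root store
	roots.AddCert(trustedRoot)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: at})
	switch e := err.(type) {
	case nil:
		return ""
	case x509.CertificateInvalidError:
		if e.Reason == x509.Expired {
			return "expired"
		}
	case x509.HostnameError:
		return "name mismatch"
	case x509.UnknownAuthorityError:
		return "untrusted CA"
	}
	return err.Error()
}
```

Passing a root from a different PKI as trustedRoot reproduces the situation of a client that never received the CA certificate (for example a non-domain machine, or a standalone CA), which is the "untrusted CA" case.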
 

Author Closing Comment

by:evansjam
ID: 35026528
Many thanks :)
