Solved

How can I sign certificates in Server 2008R2 and they roll them out using group policy?

Posted on 2011-03-03
Last Modified: 2012-05-11
Can anyone recommend to me any good websites that explain the role of the CA in Server 2008R2 and how to automatically enrol signed certificates using group policy?  I have read a few books from Microsoft and some bits and pieces from their technical website but they don't really help very much.  They seem to assume that you already have a basic understanding, which I do not.

Here is some background to this question.
I am new to Server 2008R2 and have just installed IIS.  Whenever any client logs onto my Intranet site they are warned about an un-trusted certificate.  I would like to get my clients to automatically receive this certificate so that they trust this website (install it within their trusted certificate root store).  Once I can understand this I can then start to automatically distribute other certificates too.

Thanks.
Question by: evansjam
3 Comments
 
LVL 11

Expert Comment

by:Tasmant
ID: 35026393
Basically, you need to understand a few things:
First, a Certification Authority is a service which provides you a way to deliver certificates to clients.
If you install a Certification Authority yourself, the public key certificate assigned to the CA will be private (i.e. the CA certificate will not be signed by an already publicly trusted CA like Verisign or others...)

Second, the way you install the CA. Microsoft provides two ways to install a CA.
First is the Standalone CA. In this mode the configuration isn't stored in Active Directory. Members of your domain do not automatically trust the public CA certificate (and therefore don't automatically trust any certificate delivered by the CA). You cannot use autoenrollment in this mode.
Second is the Enterprise CA. In this mode the configuration is stored in Active Directory. Members of your domain automatically trust the public CA certificate (and therefore automatically trust any certificate delivered by the CA). You can use autoenrollment in this mode.

Once you have configured your CA (take care with Certification Revocation List (CRL) paths), you are able to deliver certificates to clients, but only if they request one.

Autoenrollment is a feature that works only with certificate template v2 or above.
To configure autoenrollment, you need to edit the "user certificate template v1" and duplicate the template in order to provide a v2 template. Then you can edit the security of the certificate template in order to enable the autoenrollment right for authenticated users (or any group for which you want to provide autoenrollment). Once done, you have to publish this template in your CA for your clients to be able to request it.
The last step is to configure your clients (by GPO) to instruct them to autoenroll certificates (and renew...).

Basically, all the steps are described here: http://technet.microsoft.com/en-us/library/bb456981.aspx
For more instructions, refer to:
Configure the certificate template on the CA: http://technet.microsoft.com/en-us/library/cc739296%28WS.10%29.aspx
Configure the Group Policy: http://technet.microsoft.com/en-us/library/cc739637%28WS.10%29.aspx

The information is available for 2003/2008/2008R2.
The only difference for 2008R2 is that you don't need a 2008 R2 Enterprise version of Windows to be able to duplicate certificate templates. Only the Standard version.

Another link on this topic: http://technet.microsoft.com/en-us/library/cc731522.aspx
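The comment above ends with the GPO step; a domain member only enrolls if that policy actually applied and the enterprise CA certificate is already in its Trusted Root store. The following PowerShell check is an added example, not part of the original thread or a Microsoft tool; the AEPolicy bit meanings are assumed from the documented "Certificate Services Client - Auto-Enrollment" policy behaviour, and the CA name is a constructed placeholder.

```powershell
# Assumed bit layout of the AEPolicy value the Auto-Enrollment GPO writes.
$AEFlags = [ordered]@{
    Enabled             = 0x1     # "Configuration Model: Enabled"
    RenewUpdateRemove   = 0x2     # renew expired, update pending, remove revoked
    UpdateTemplateCerts = 0x4     # update certificates that use certificate templates
    Disabled            = 0x8000  # "Configuration Model: Disabled"
}

function Get-AutoEnrollmentPolicy {
    param([ValidateSet('Machine', 'User')][string]$Scope = 'Machine')
    $hive = if ($Scope -eq 'Machine') { 'HKLM:' } else { 'HKCU:' }
    $key  = "$hive\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    $raw  = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $raw) {
        # Key absent: the GPO has not applied (or is Not Configured); autoenrollment stays off.
        return [pscustomobject]@{ Scope = $Scope; Configured = $false; AEPolicy = $null; Flags = @(); Effective = $false }
    }
    $set = @($AEFlags.Keys | Where-Object { ($raw -band $AEFlags[$_]) -ne 0 })
    [pscustomobject]@{
        Scope      = $Scope
        Configured = $true
        AEPolicy   = ('0x{0:X}' -f $raw)
        Flags      = $set
        # Enabled bit set and Disabled bit clear is the only state that enrolls anything.
        Effective  = ((($raw -band 0x1) -ne 0) -and (($raw -band 0x8000) -eq 0))
    }
}

function Test-EnterpriseCaTrusted {
    param([Parameter(Mandatory)][string]$CaCommonName)
    # An enterprise CA's certificate is delivered to domain members' Trusted Root store;
    # if it is missing here, certificates it issues will still be flagged as untrusted.
    $root = @(Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "CN=$CaCommonName*" })
    [pscustomobject]@{
        CA         = $CaCommonName
        InRoot     = ($root.Count -gt 0)
        Thumbprint = if ($root.Count -gt 0) { $root[0].Thumbprint } else { $null }
    }
}

Get-AutoEnrollmentPolicy -Scope Machine
Get-AutoEnrollmentPolicy -Scope User
Test-EnterpriseCaTrusted -CaCommonName 'MYCOMPANY-CA'   # constructed placeholder CA name
```

If the policy shows as not configured after the GPO change, `gpupdate /force` followed by `certutil -pulse` applies the policy and triggers an enrollment pass without waiting for the next refresh.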
LVL 11

Accepted Solution

by: Tasmant (earned 2000 total points)
ID: 35026439
I would like to add a few things:
To be trusted, a certificate must match some points:
- the CA which delivered the certificate must be trusted by your clients
- the certificate must not be expired
- the name of the certificate must match the URL requested by the client

If you deploy an enterprise CA, the CA certificate will automatically be delivered to your domain computers. If you have external computers/users who want to access your web site, you will have to provide them with the public CA certificate in order to add it to the trusted root store (certmgr.msc).
I think they can view it directly in IE and add it to the trusted root store.

Suppose the name of your website is www.mycompany.com; the common name of your certificate must be www.mycompany.com, else clients will get warnings about the certificate name. Since 2003, there is the SAN (Subject Alternate Name); this feature enables you to set multiple names on your certificate (i.e. www.mycompany.com, mycompany.com, owa.mycompany.com). This is commonly used with Exchange to provide all the names needed.
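The three conditions in the accepted solution can be checked from a client before rolling anything out by group policy. This PowerShell function is an added example, not code from the thread: it reads a certificate exported to a .cer file, builds the chain against the local root store with online revocation checking (where a bad CRL path surfaces), tests the validity period, and matches the requested host name against the Subject CN and every SAN DNS name. It assumes an English Windows locale for the SAN text and uses a constructed file name and host name.

```powershell
function Test-WebCertificate {
    param(
        [Parameter(Mandatory)][string]$CertificatePath,
        [Parameter(Mandatory)][string]$HostName
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertificatePath

    # 1. Issuing CA trusted: chain to a root in this machine's store; Online revocation
    #    also exercises the CDP/CRL paths the CA was configured with.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk     = $chain.Build($cert)
    $chainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    # 2. Validity period
    $now    = Get-Date
    $dateOk = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)

    # 3. Name match: Subject CN plus each dNSName in the Subject Alternative Name (OID 2.5.29.17)
    $names = @($cert.GetNameInfo('SimpleName', $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($true) renders one "DNS Name=host" line per entry on an English locale
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match '^DNS Name=(.+)$') { $names += $Matches[1].Trim() }
        }
    }
    $nameOk = $false
    foreach ($n in $names) {
        if ($n -ieq $HostName) { $nameOk = $true; break }
        # A wildcard covers exactly one label: *.mycompany.com matches www.mycompany.com,
        # not a.b.mycompany.com and not the bare mycompany.com.
        if ($n.StartsWith('*.') -and ($HostName -ilike $n) -and
            ($HostName.Split('.').Count -eq $n.Split('.').Count)) { $nameOk = $true; break }
    }

    [pscustomobject]@{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        ChainOk     = $chainOk
        ChainStatus = ($chainStatus -join ', ')
        DateOk      = $dateOk
        NotAfter    = $cert.NotAfter
        NameOk      = $nameOk
        Names       = ($names -join ', ')
        Trusted     = ($chainOk -and $dateOk -and $nameOk)
    }
}

# Constructed usage: export the IIS site binding certificate to a .cer file first.
Test-WebCertificate -CertificatePath '.\intranet.cer' -HostName 'www.mycompany.com'
```

Run it on a client that is not yet receiving the CA certificate and `ChainOk` will be false with `UntrustedRoot` in `ChainStatus`; once the enterprise CA certificate is in the client's Trusted Root store only `DateOk` and `NameOk` remain to be satisfied by the site certificate itself.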

Author Closing Comment

by:evansjam
ID: 35026528
Many thanks :)
0
