Solved

How can I sign certificates in Server 2008R2 and they roll them out using group policy?

Posted on 2011-03-03
751 Views
Last Modified: 2012-05-11
Can anyone recommend to me any good websites that explain the role of the CA in Server 2008R2 and how to automatically enrol signed certificates using group policy? I have read a few books from Microsoft and some bits and pieces from their technical website but they don't really help very much. They seem to assume that you already have a basic understanding, which I do not.

Here is some background to this question.
I am new to Server 2008R2 and have just installed IIS. Whenever any client logs onto my Intranet site they are warned about an untrusted certificate. I would like to get my clients to automatically receive this certificate so that they trust this website (install it within their trusted certificate root store). Once I can understand this I can then start to automatically distribute other certificates too.

Thanks.
0
Question by:evansjam
3 Comments
 
LVL 11

Expert Comment

by:Tasmant
ID: 35026393
Basically, you need to understand a few things:
First, a Certification Authority is a service which provides you a way to deliver certificates to clients.
If you install the Certification Authority by yourself, the public key certificate assigned to the CA will be private (i.e. the CA certificate will not be signed by an already publicly trusted CA like Verisign or others...)

Second, the way you install the CA. Microsoft provides two ways to install a CA.
First is the Standalone CA. In this mode the configuration isn't stored in Active Directory. Members of your domain do not automatically trust the public CA certificate (and therefore don't automatically trust any certificate delivered by the CA). You cannot use autoenrollment in this mode.
Second is the Enterprise CA. In this mode the configuration is stored in Active Directory. Members of your domain automatically trust the public CA certificate (and therefore automatically trust any certificate delivered by the CA). You can use autoenrollment in this mode.

Once you have configured your CA (take care with Certification Revocation List (CRL) paths), you are able to deliver certificates to clients, but only if they request one.

Autoenrollment is a feature that works only with certificate templates of version 2 or above.
To configure autoenrollment, you need to edit the "user certificate template v1" and duplicate the template in order to obtain a v2 template. Then you can edit the security of the certificate template in order to enable the autoenrollment right for authenticated users (or any group to which you want to provide autoenrollment). Once done, you have to publish this template on your CA for your clients to be able to request it.
The last step is to configure your clients (by GPO) to instruct them to autoenroll certificates (and renew them...).

Basically, all the steps are described here: http://technet.microsoft.com/en-us/library/bb456981.aspx
For more instructions, refer to:
Configure the certificate template on the CA: http://technet.microsoft.com/en-us/library/cc739296%28WS.10%29.aspx
Configure the Group Policy: http://technet.microsoft.com/en-us/library/cc739637%28WS.10%29.aspx

The information is available for 2003/2008/2008R2.
The only difference for 2008R2 is that you don't need a 2008 R2 Enterprise version of Windows to be able to duplicate certificate templates. Only the Standard version is needed.

Another link on this topic: http://technet.microsoft.com/en-us/library/cc731522.aspx
0
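The comment above lists the pieces that have to be in place on a domain member before autoenrollment works: the Enterprise CA root trusted by the client, the autoenrollment GPO applied, and the duplicated v2 template published on the CA. The following read-only PowerShell check, added here as an example and not part of the original answer, verifies each of those from a domain-joined client. The CA name `MyCompany-CA` and the template name `MyCompany-UserAutoEnroll` are placeholders, and the registry value and bit meanings of `AEPolicy` are as documented for the "Certificate Services Client - Auto-Enrollment" policy (7 = enabled with renew/update options, 0x8000 = disabled).

```powershell
# Added example (not from the original post). Read-only health check of the
# autoenrollment prerequisites described in the answer, run on a domain client.
$CaName       = 'MyCompany-CA'              # placeholder: your Enterprise CA common name
$TemplateName = 'MyCompany-UserAutoEnroll'  # placeholder: the duplicated v2 template

# 1. An Enterprise CA publishes its certificate to AD, and the client pulls it into
#    the local Trusted Root store. If it is missing here, browsers keep warning.
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "CN=$CaName*" }
if ($root) {
    "OK   CA root present: " + (($root | ForEach-Object { $_.Thumbprint }) -join ', ')
} else {
    "FAIL CA root '$CaName' not in LocalMachine\Root"
}

# 2. The autoenrollment GPO writes AEPolicy under Cryptography\AutoEnrollment.
#    7 = enabled + renew expired/update pending/remove revoked + update template certs,
#    0x8000 = explicitly disabled, absent = policy not configured.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    $ae  = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $ae)        { "WARN $hive autoenrollment policy not configured" }
    elseif ($ae -band 0x8000) { "FAIL $hive autoenrollment disabled by policy" }
    else                      { "OK   $hive AEPolicy = $ae" }
}

# 3. A template can only be autoenrolled if it is published on the CA;
#    certutil -CATemplates lists the templates the CA currently offers.
$published = certutil -CATemplates 2>&1 | Select-String -SimpleMatch $TemplateName
if ($published) { "OK   template '$TemplateName' is published on the CA" }
else            { "FAIL template '$TemplateName' is not published on the CA" }

# 4. Trigger an autoenrollment pass now instead of waiting for the next policy
#    refresh, then look for a certificate issued by the CA in the user's store.
certutil -pulse | Out-Null
$issued = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Issuer -like "CN=$CaName*" }
if ($issued) {
    "OK   autoenrolled: " + (($issued | ForEach-Object { $_.Subject }) -join '; ')
} else {
    "WARN no certificate issued by '$CaName' in CurrentUser\My yet"
}
```

Run it in an elevated PowerShell session on a client that is in scope of the GPO. A `FAIL` on step 1 with an `OK` on step 2 usually means the CA was installed as a Standalone CA (no root published to AD); a `FAIL` on step 3 means the duplicated template exists but was never added under the CA's "Certificate Templates" folder, which is the publishing step the answer mentions.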
 
LVL 11

Accepted Solution

by:
Tasmant earned 500 total points
ID: 35026439
I would like to add a few things:
To be trusted, a certificate must meet some conditions:
- the CA which delivered the certificate must be trusted by your clients
- the certificate must not be expired
- the name of the certificate must match the URL requested by the client

If you deploy an Enterprise CA, the CA certificate will automatically be delivered to your domain computers. If you have external computers/users who want to access your web site, you will have to provide them with the public CA certificate so they can add it to the trusted root store (certmgr.msc).
I think they can view it directly in IE and add it to the trusted root store.

Suppose the name of your website is www.mycompany.com; the common name of your certificate must then be www.mycompany.com, or else clients will get warnings about the certificate name. Since 2003 there is the SAN (Subject Alternative Name); this feature enables you to set multiple names on your certificate (i.e. www.mycompany.com, mycompany.com, owa.mycompany.com). This is commonly used with Exchange to provide all the names needed.
0
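The accepted answer gives the three conditions a browser checks: a trusted issuing CA, a valid date range, and a name that matches the requested URL (via the CN or a SAN entry). The script below, added here as an example and not part of the original answer, connects to a site, captures the certificate it presents, and evaluates those three conditions with .NET's X509 classes so you can see which one is producing the warning. The host name `www.mycompany.com` is the answer's own placeholder, the function name `Test-SiteCertificate` is hypothetical, and the `DNS Name=` format of the SAN extension text is how Windows renders OID 2.5.29.17.

```powershell
# Added example (not from the original post). Evaluates the three trust conditions
# from the answer against the certificate an HTTPS site actually presents.
function Test-SiteCertificate {
    param([string]$HostName, [int]$Port = 443)

    # Capture the leaf certificate during the TLS handshake. Returning $true from the
    # callback only lets the handshake finish so we can inspect the certificate;
    # trust is decided by our own checks below, not by this callback.
    $script:captured = $null
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false,
        [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors)
            $script:captured = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
            return $true
        })
    try   { $ssl.AuthenticateAsClient($HostName) }
    finally { $ssl.Dispose(); $client.Close() }
    $cert = $script:captured
    $r = @{}

    # Condition 1: the chain must end in a CA this machine trusts (the Enterprise CA
    # root pushed by GPO, or a manually imported root on external machines). Online
    # revocation checking also surfaces a bad CRL path as RevocationStatusUnknown.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $r['Trusted']     = $chain.Build($cert)
    $r['ChainStatus'] = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # Condition 2: today must fall inside the validity period.
    $now = Get-Date
    $r['InDate']   = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
    $r['NotAfter'] = $cert.NotAfter

    # Condition 3: the requested host must equal the CN or one of the SAN DNS names.
    # (Exact match only; wildcard names are not expanded here.)
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                  ForEach-Object { $_.Groups[1].Value }
    }
    $r['NameMatch'] = $names -contains $HostName
    $r['Names']     = $names -join ', '
    $r['Issuer']    = $cert.Issuer

    New-Object PSObject -Property $r
}

# Usage: check the intranet site from a client that reports the warning.
Test-SiteCertificate -HostName 'www.mycompany.com' | Format-List
```

Read the three boolean fields together: `Trusted = False` with `UntrustedRoot` in `ChainStatus` is the situation in the question (the CA root is not in the client's trusted root store yet), `InDate = False` means the certificate needs renewing, and `NameMatch = False` means the CN/SAN does not cover the URL the users type, which is what the SAN advice in the answer addresses.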
 

Author Closing Comment

by:evansjam
ID: 35026528
Many thanks :)
0
