Solved

How can I sign certificates in Server 2008R2 and they roll them out using group policy?

Posted on 2011-03-03
743 Views
Last Modified: 2012-05-11
Can anyone recommend to me any good websites that explain the role of the CA in Server 2008R2 and how to automatically enrol signed certificates using group policy?  I have read a few books from Microsoft and some bits and pieces from their technical website but they don't really help very much.  They seem to assume that you already have a basic understanding, which I do not.

Here is some background to this question.
I am new to Server 2008R2 and have just installed IIS.  Whenever any client logs onto my Intranet site they are warned about an un-trusted certificate.  I would like to get my clients to automatically receive this certificate so that they trust this website (install it within their trusted certificate root store).  Once I can understand this I can then start to automatically distribute other certificates too.

Thanks.
Question by:evansjam
3 Comments
LVL 11

Expert Comment

by:Tasmant
Basically, you need to understand a few things:
First, a Certification Authority is a service which will provide you a way to deliver certificates to clients.
If you install a Certification Authority by yourself, the public key certificate assigned to the CA will be private (i.e. the CA certificate will not be signed by an already publicly trusted CA like Verisign or others...)

Second, the way you install the CA. Microsoft provides two ways to install a CA.
The first is the Standalone CA. In this mode the configuration isn't stored in Active Directory. Members of your domain do not automatically trust the public CA certificate (and therefore don't automatically trust any certificate delivered by the CA). You cannot use autoenrollment in this mode.
The second is the Enterprise CA. In this mode the configuration is stored in Active Directory. Members of your domain automatically trust the public CA certificate (and therefore automatically trust any certificate delivered by the CA). You can use autoenrollment in this mode.

Once you have configured your CA (take care with Certification Revocation List (CRL) paths), you are able to deliver certificates to clients, but only if they request one.

Autoenrollment is a feature that works only with certificate templates of version 2 or above.
To configure autoenrollment, you need to take the "User" certificate template (v1) and duplicate it in order to obtain a v2 template. Then you can edit the security of the certificate template in order to grant the Autoenroll right to Authenticated Users (or any group to which you want to provide autoenrollment). Once done, you have to publish this template on your CA for your clients to be able to request it.
The last step is to configure your clients (by GPO) to instruct them to autoenroll certificates (and renew them...)

Basically, all the steps are described here: http://technet.microsoft.com/en-us/library/bb456981.aspx
For more instructions, refer to:
Configure the certificate template on the CA: http://technet.microsoft.com/en-us/library/cc739296%28WS.10%29.aspx
Configure the Group Policy: http://technet.microsoft.com/en-us/library/cc739637%28WS.10%29.aspx

The information is available for 2003/2008/2008R2.
The only difference for 2008R2 is that you don't need the Enterprise edition of Windows Server 2008 R2 to be able to duplicate certificate templates; the Standard edition is enough.

Another link on this topic: http://technet.microsoft.com/en-us/library/cc731522.aspx
LVL 11

Accepted Solution

by: Tasmant (earned 500 total points)
I would like to add a few things:
To be trusted, a certificate must meet some conditions:
- the CA which issued the certificate must be trusted by your clients
- the certificate must not be expired
- the name in the certificate must match the URL requested by the client

If you deploy an enterprise CA, the CA certificate will automatically be delivered to your domain computers. If you have external computers/users who want to access your web site, you will have to provide them with the public CA certificate in order to add it to their trusted root store (certmgr.msc).
I think they can view it directly in IE and add it to the trusted root store.

Assume the name of your website is www.mycompany.com; the common name of your certificate must then be www.mycompany.com, else clients will get warnings about the certificate name. Since 2003 there is the SAN (Subject Alternative Name); this feature enables you to set multiple names in your certificate (i.e. www.mycompany.com, mycompany.com, owa.mycompany.com). This is commonly used with Exchange to provide all the names needed.
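As an added example (not part of the original thread), here is a PowerShell check of the three conditions from the accepted answer against the certificate a web server actually serves, so a client-side "untrusted certificate" warning can be traced to the CA trust, the validity period or the name/SAN. The function name Test-SiteCertificate, the host name and the port are placeholders; it assumes a domain-joined client with the .NET Framework available.

```powershell
# Added example, not code from the thread: checks CA trust, validity period and
# name match (CN plus SAN DNS entries) for the certificate served by a host.
function Test-SiteCertificate {
    param([Parameter(Mandatory=$true)][string]$HostName, [int]$Port = 443)

    # Fetch the served certificate. The callback returns $true only so the
    # handshake completes and we can inspect the certificate ourselves below.
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $tcp.Close() }

    # 1. Is the issuing CA trusted here? Build the chain up to a trusted root,
    #    with online revocation checking so a broken CRL path also shows up.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($cert)
    $chainStatus = 'OK'
    if (-not $chainOk) { $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ' }

    # 2. Validity period
    $now = Get-Date
    $dateOk = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)

    # 3. Name match: subject CN plus every DNS entry of the SAN extension (OID 2.5.29.17)
    $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    }
    $nameOk = $false
    foreach ($n in $names) {
        if ($n -eq $HostName) { $nameOk = $true }
        # Wildcard entry: *.mycompany.com matches one label only, not sub.sub.mycompany.com
        elseif ($n.StartsWith('*.') -and ($HostName -like $n) -and
                ($HostName.Split('.').Count -eq $n.Split('.').Count)) { $nameOk = $true }
    }

    New-Object PSObject -Property @{
        HostName = $HostName; Subject = $cert.Subject; Issuer = $cert.Issuer
        CATrusted = $chainOk; ChainStatus = $chainStatus
        NotExpired = $dateOk; NameMatches = $nameOk; NamesInCert = ($names -join ', ')
    }
}

# Usage (placeholder host): Test-SiteCertificate -HostName intranet.mycompany.com
```

A result with CATrusted = False and ChainStatus containing UntrustedRoot means the CA certificate has not reached the client's trusted root store, which is exactly what the enterprise CA (or a manual import) is meant to fix.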
Author Closing Comment

by:evansjam
Many thanks :)