How can I sign certificates in Server 2008R2 and they roll them out using group policy?

Can anyone recommend to me any good websites that explain the role of the CA in Server 2008R2 and how to automatically enrol signed certificates using group policy?  I have read a few books from Microsoft and some bits and pieces from their technical website but they don't really help very much.  They seem to assume that you already have a basic understanding, which I do not.

Here is some background to this question.
I am new to Server 2008R2 and have just installed IIS.  Whenever any client logs onto my Intranet site they are warned about an un-trusted certificate.  I would like to get my clients to automatically receive this certificate so that they trust this website (install it within their trusted certificate root store).  Once I can understand this I can then start to automatically distribute other certificates too.

Thanks.
Asked by evansjam

1 Solution

Tasmant commented:
Basically, you need to understand a few things:
First, a Certification Authority is a service which will provide you a way to deliver certificates to clients.
If you install a Certification Authority yourself, the public key certificate assigned to the CA will be private (i.e. the CA certificate will not be signed by an already publicly trusted CA like Verisign or others...).

Second, the way you install the CA. Microsoft provides two ways to install a CA.
First is the Standalone CA. In this mode the configuration isn't stored in Active Directory. Members of your domain do not automatically trust the public CA certificate (and therefore don't automatically trust any certificate delivered by the CA). You cannot use autoenrollment in this mode.
Second is the Enterprise CA. In this mode the configuration is stored in Active Directory. Members of your domain automatically trust the public CA certificate (and therefore automatically trust any certificate delivered by the CA). You can use autoenrollment in this mode.

Once you have configured your CA (take care with Certification Revocation List (CRL) paths), you are able to deliver certificates to clients, but only if they request one.

Autoenrollment is a feature that works only with certificate templates of version 2 or above.
To configure autoenrollment, you need to edit the "User" certificate template (v1) and duplicate it in order to obtain a v2 template. Then you can edit the security of the certificate template in order to grant the Autoenroll right to Authenticated Users (or any group to which you want to provide autoenrollment). Once done, you have to publish this template on your CA for your clients to be able to request it.
The last step is to configure your clients (by GPO) to instruct them to autoenroll certificates (and renew them ...).

Basically, all the steps are described here: http://technet.microsoft.com/en-us/library/bb456981.aspx
For more instructions, refer to:
Configure the certificate template on the CA: http://technet.microsoft.com/en-us/library/cc739296%28WS.10%29.aspx
Configure the Group Policy: http://technet.microsoft.com/en-us/library/cc739637%28WS.10%29.aspx

The information is available for 2003/2008/2008R2.
The only difference for 2008R2 is that you don't need the Enterprise edition of Windows 2008 R2 to be able to duplicate certificate templates. The Standard edition is enough.

Another link on this topic: http://technet.microsoft.com/en-us/library/cc731522.aspx
Tasmant commented:
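The steps above end on the client side: the GPO switches autoenrollment on and the client is supposed to pick up a certificate from the duplicated v2 template. This is an added example (not part of the original answer) that a domain admin could run on a joined client to confirm both happened. The template name `IntranetUserV2` is an assumption; replace it with the name you gave your duplicated template.

```powershell
# Added check script (not from the original answer). Run on a domain-joined
# client, as the user who is expected to autoenroll.
param([string]$TemplateName = "IntranetUserV2")   # assumed template name

# 1. The "Certificate Services Client - Auto-Enrollment" GPO writes AEPolicy
#    under HKCU (User Configuration) or HKLM (Computer Configuration).
#    0x8000 is the "disabled" bit; any other value means the policy is enabled.
$aeKey = 'SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
foreach ($hive in 'HKCU', 'HKLM') {
    $ae = (Get-ItemProperty -Path "${hive}:\$aeKey" -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $ae) {
        Write-Warning "$hive AEPolicy not set: the autoenrollment GPO has not reached this scope (try gpupdate /force)."
    } elseif ($ae -band 0x8000) {
        Write-Warning "$hive AEPolicy = $ae: autoenrollment is explicitly disabled by policy."
    } else {
        Write-Host "$hive AEPolicy = $ae: autoenrollment enabled by policy."
    }
}

# 2. Ask the autoenrollment client to run now instead of waiting for its next trigger.
certutil -pulse | Out-Null

# 3. Look for certificates issued from the template. Certificates from v2
#    templates carry the "Certificate Template Information" extension
#    (OID 1.3.6.1.4.1.311.21.7); v1 templates only carry the plain
#    template-name extension (OID 1.3.6.1.4.1.311.20.2).
$templateOids = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'
$found = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -in $templateOids }
    $ext -and (($ext | ForEach-Object { $_.Format($false) }) -match [regex]::Escape($TemplateName))
}

if ($found) {
    $found | ForEach-Object {
        "{0}  issued by {1}  valid until {2}" -f $_.Subject, $_.Issuer, $_.NotAfter
    }
} else {
    Write-Warning ("No certificate from template '$TemplateName' yet. Check that the template is " +
                   "published on the CA and that Authenticated Users (or your group) has " +
                   "Read, Enroll and Autoenroll on it.")
}
```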
I would like to add a few things:
To be trusted, a certificate must satisfy some conditions:
- the CA which delivered the certificate must be trusted by your clients
- the certificate must not have expired
- the name of the certificate must match the URL requested by the client

If you deploy an enterprise CA, the CA certificate will automatically be delivered to your domain computers. If you have external computers/users who want to access your web site, you will have to provide them with the public CA certificate in order to add it to the trusted root store (certmgr.msc).
I think they can view it directly in IE and add it in the trusted root store.

Suppose the name of your website is www.mycompany.com; the common name of your certificate must be www.mycompany.com, else clients will get warnings about the certificate name. Since 2003, there is the SAN (Subject Alternative Name); this feature enables you to set multiple names on your certificate (i.e. www.mycompany.com, mycompany.com, owa.mycompany.com). This is commonly used with Exchange to provide all the names needed.
evansjam (author) commented:
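The three conditions above are exactly what the browser checks before it shows the untrusted-certificate warning from the question. As an added example (not part of the original answer), this script fetches a site's certificate from a client and reports each condition separately, so you can see whether the problem is the missing root CA, an expired certificate or a name mismatch. The URL is an assumption; point it at your intranet site.

```powershell
# Added check script (not from the original answer). Run from a client that
# gets the warning; the URL below is a placeholder.
param([string]$SiteUrl = "https://www.mycompany.com/")   # assumed site

$uri = [Uri]$SiteUrl
# Fetch the server certificate with a TLS handshake; the callback accepts
# anything so that an untrusted certificate can still be inspected.
$tcp = New-Object System.Net.Sockets.TcpClient($uri.Host, $uri.Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
        [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
$ssl.AuthenticateAsClient($uri.Host)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Close()

# Condition 1: the issuing CA (and its chain up to the root) must be trusted here.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'   # also exercises the CRL paths the first answer warns about
$chainOk = $chain.Build($cert)
$issues = $chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$rootInStore = [bool](Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
                      Where-Object Thumbprint -eq $root.Thumbprint)

# Condition 2: the certificate must be inside its validity period.
$now = Get-Date
$dateOk = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)

# Condition 3: the requested host must match the CN or one of the SAN DNS entries
# (SAN extension OID 2.5.29.17; the regex assumes English certutil-style formatting).
$names = @($cert.GetNameInfo('DnsName', $false))
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) { $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                      ForEach-Object { $_.Groups[1].Value } }
# -like treats *.mycompany.com as a wildcard (slightly looser than a browser's check).
$nameOk = [bool]($names | Where-Object { $uri.Host -like $_ })

[pscustomobject]@{
    Host        = $uri.Host
    ChainValid  = $chainOk
    ChainIssues = ($issues -join '; ')
    RootCA      = $root.Subject
    RootInStore = $rootInStore   # false = the CA certificate has not been distributed to this client
    DateValid   = $dateOk
    NamesOnCert = ($names -join ', ')
    NameMatches = $nameOk
}
```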
Many thanks :)