Add Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services.md
All checks were successful
GitOps Automatic Deployment / GitOps Automatic Deployment (push) Successful in 6s
@ -0,0 +1,35 @@
## Purpose
This document outlines the Microsoft-recommended best practices for deploying a secure, internal-use-only, two-tier Public Key Infrastructure (PKI) using Windows Server 2022 or newer. The PKI supports securing S/MIME email, 802.1X Wi-Fi with NPS, and LDAP over SSL (LDAPS).
!!! abstract "Environment Breakdown"
The environment will consist of at least 2 virtual machines. For the purposes of this document they will be named `LAB-CA-01` and `LAB-CA-02`. This stands for "*Lab Certificate Authority [01|02]*" In a two-tier hierarchy, an offline Root CA signs a single "*Subordinate*" Enterprise CA certificate. The Subordinate CA is domain-joined and handles all certificate requests. Clients trust the PKI via Group Policy and Active Directory integration.
In this case, `LAB-CA-01` is the Root CA, while `LAB-CA-02` is the Intermediary/Subordinate CA. You can add more than one subordinate CA if you desire redundancy in your environment.
2. Offline Root CA Setup
Steps:
1. Provision a non-domain-joined, isolated Windows Server.
2. Install AD CS role as a Standalone Root CA.
3. Use RSA 4096-bit key, SHA-256, 10-year validity.
4. Configure AIA and CDP extensions with HTTP paths.
5. Publish root cert and CRL to AD and internal HTTP.
3. Online Subordinate CA Setup
Steps:
1. Domain-join a Windows Server and install AD CS as Enterprise Subordinate CA.
2. Generate CSR, sign with Root CA, import signed cert.
3. Configure AIA/CDP extensions for CRL publication.
4. Enable role separation and auditing.
4. Certificate Templates and Autoenrollment
Configure certificate templates for the following use cases:
• - S/MIME Email: Use separate templates for signing and encryption. Enable key archival for encryption.
• - 802.1X Wi-Fi: Use 'RAS and IAS Server' for NPS, and 'Workstation Authentication' for clients.
• - LDAPS: Use 'Kerberos Authentication' template for domain controllers.
Enable autoenrollment via GPOs under Public Key Policies for both Computer and User configuration.
5. CRL and Revocation Management
Publish CRLs regularly, configure overlap periods, and monitor expiration. Enable Delta CRLs on the Subordinate CA, but not on the Root.
6. Security Recommendations
• - Harden CA servers; limit access to PKI admins.
• - Use BitLocker or HSM for key protection.
• - Enforce strong cryptographic settings: RSA 2048+, SHA-256.
• - Monitor issuance and renewals with audit logs and scripts.
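Review bot: Steps 4 and 5 of "2. Offline Root CA Setup" ("Configure AIA and CDP extensions with HTTP paths", "Publish root cert and CRL to AD and internal HTTP") omit the consequence of the root being non-domain-joined and isolated (step 1): nothing on that server can publish to AD or to the HTTP location, so the document needs to state the root CRL publication interval (deliberately long, since every refresh means bringing the root up and hand-carrying the new CRL) and the manual publish step, e.g. `certutil -dspublish -f RootCA.crt RootCA` and `certutil -dspublish -f RootCA.crl` run from a domain-joined machine by an Enterprise Admin, plus a copy of both files to the HTTP path. Without a stated interval the root CRL at the CDP will expire and every certificate chained under it fails revocation checking; section 5's "Publish CRLs regularly" reads as if it applies only to the subordinate. Two smaller points: in section 4, "Enable key archival for encryption" depends on a Key Recovery Agent certificate being issued and the CA's recovery agents being configured first, which should be listed as a prerequisite; and the headings "2. Offline Root CA Setup" through "6. Security Recommendations" are plain text rather than `##` headings like "## Purpose", with the numbering starting at 2 and no section 1.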