diff --git a/Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services.md b/Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services.md new file mode 100644 index 0000000..c3ae240 --- /dev/null +++ b/Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services.md 
@@ -0,0 +1,35 @@ +## Purpose +This document outlines the Microsoft-recommended best practices for deploying a secure, internal-use-only, two-tier Public Key Infrastructure (PKI) using Windows Server 2022 or newer. The PKI supports securing S/MIME email, 802.1X Wi-Fi with NPS, and LDAP over SSL (LDAPS). + +!!! abstract "Environment Breakdown" + The environment will consist of at least 2 virtual machines. For the purposes of this document they will be named `LAB-CA-01` and `LAB-CA-02`. This stands for "*Lab Certificate Authority [01|02]*" In a two-tier hierarchy, an offline Root CA signs a single "*Subordinate*" Enterprise CA certificate. The Subordinate CA is domain-joined and handles all certificate requests. Clients trust the PKI via Group Policy and Active Directory integration. + + In this case, `LAB-CA-01` is the Root CA, while `LAB-CA-02` is the Intermediary/Subordinate CA. You can add more than one subordinate CA if you desire redundancy in your environment. + + +2. Offline Root CA Setup +Steps: +1. Provision a non-domain-joined, isolated Windows Server. +2. Install AD CS role as a Standalone Root CA. +3. Use RSA 4096-bit key, SHA-256, 10-year validity. +4. Configure AIA and CDP extensions with HTTP paths. +5. Publish root cert and CRL to AD and internal HTTP. +3. Online Subordinate CA Setup +Steps: +1. Domain-join a Windows Server and install AD CS as Enterprise Subordinate CA. +2. Generate CSR, sign with Root CA, import signed cert. +3. Configure AIA/CDP extensions for CRL publication. +4. Enable role separation and auditing. +4. Certificate Templates and Autoenrollment +Configure certificate templates for the following use cases: + • - S/MIME Email: Use separate templates for signing and encryption. Enable key archival for encryption. + • - 802.1X Wi-Fi: Use 'RAS and IAS Server' for NPS, and 'Workstation Authentication' for clients. + • - LDAPS: Use 'Kerberos Authentication' template for domain controllers. 
+Enable autoenrollment via GPOs under Public Key Policies for both Computer and User configuration. +5. CRL and Revocation Management +Publish CRLs regularly, configure overlap periods, and monitor expiration. Enable Delta CRLs on the Subordinate CA, but not on the Root. +6. Security Recommendations + • - Harden CA servers; limit access to PKI admins. + • - Use BitLocker or HSM for key protection. + • - Enforce strong cryptographic settings: RSA 2048+, SHA-256. + • - Monitor issuance and renewals with audit logs and scripts. \ No newline at end of file
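Review bot: the offline Root CA's CRL lifecycle is undocumented, and that is where two-tier deployments usually break in practice. Step 5 of section 2 says "Publish root cert and CRL to AD and internal HTTP" and section 5 says "Publish CRLs regularly, configure overlap periods, and monitor expiration", but nothing states the root's CRL validity or overlap period, nor the fact that an isolated, non-domain-joined root cannot publish anywhere by itself: someone must power it on, sign a fresh CRL, and copy it to the HTTP path and AD before the old one expires, otherwise every certificate chained through `LAB-CA-02` fails revocation checking. Suggest adding a step such as "Set the Root CA CRL publication interval to a long period (months) matching how often the offline CA is brought up, and document the manual CRL export/publication procedure" alongside step 5, and stating the Subordinate CA's key size and hash in section 3 so it is checkable against the "RSA 2048+, SHA-256" requirement in section 6. Separately, the Markdown structure is inconsistent: `## Purpose` is a real heading, but `2. Offline Root CA Setup` through `6. Security Recommendations` are bare numbered text with no heading markup and there is no section 1, and the list items carry a doubled marker (`• - S/MIME Email: ...`); use `## 2. Offline Root CA Setup` (or renumber from 1) and plain `- ` bullets, and add the missing trailing newline flagged by `\ No newline at end of file`.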