Update Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services.md
All checks were successful
GitOps Automatic Deployment / GitOps Automatic Deployment (push) Successful in 7s
@ -196,23 +196,34 @@ At this point, you need to check that there is a certificate installed within "*
| LAB-DC-01.bunny-lab.io | BunnyLab-SubordinateCA-01 | 7/15/2026 | Client Authentication, Server Authentication, Smart Card Logon | Domain Controller Authentication |
| LAB-DC-01.bunny-lab.io | BunnyLab-SubordinateCA-01 | 7/15/2026 | Client Authentication, Server Authentication, Smart Card Logon, KDC Authentication | Kerberos Authentication |
### Validate LDAPS Connectivity
Lastly, we want to ensure that LDAPS is functioning. By default, once these certs are enrolled on the domain controller(s), LDAPS *should* just work out of the box. To verify this, you can run this command on any device on the same network as the domain controllers. If it comes back successful like in the following example output, then you are golden:
!!! warning "Under Construction"
Section is still being written during lab deployment.
```powershell
PS C:\Users\nicole.rappe> Test-NetConnection LAB-DC-01.bunny-lab.io -Port 636
ComputerName : LAB-DC-01.bunny-lab.io
RemoteAddress : 192.168.3.25
RemotePort : 636
InterfaceAlias : Ethernet
SourceAddress : 192.168.3.254
TcpTestSucceeded : True
!!! abstract "Raw Unprocessed/Unrefined Steps - Do Not Use"
3. Configure AIA/CDP extensions for CRL publication.
4. Enable role separation and auditing.
4. Certificate Templates and Autoenrollment
Configure certificate templates for the following use cases:
• - S/MIME Email: Use separate templates for signing and encryption. Enable key archival for encryption.
• - 802.1X Wi-Fi: Use 'RAS and IAS Server' for NPS, and 'Workstation Authentication' for clients.
• - LDAPS: Use 'Kerberos Authentication' template for domain controllers.
Enable autoenrollment via GPOs under Public Key Policies for both Computer and User configuration.
5. CRL and Revocation Management
PS C:\Users\nicole.rappe> Test-NetConnection LAB-DC-02.bunny-lab.io -Port 636
ComputerName : LAB-DC-02.bunny-lab.io
RemoteAddress : 192.168.3.26
RemotePort : 636
InterfaceAlias : Ethernet
SourceAddress : 192.168.3.254
TcpTestSucceeded : True
```
!!! success "Successful LDAPS Connectivity"
LDAPS should now be functional on your domain controller(s).
!!! abstract "Raw Unprocessed/Unimplemented Steps"
Publish CRLs regularly, configure overlap periods, and monitor expiration. Enable Delta CRLs on the Subordinate CA, but not on the Root.
6. Security Recommendations
• - Harden CA servers; limit access to PKI admins.
• - Use BitLocker or HSM for key protection.
• - Enforce strong cryptographic settings: RSA 2048+, SHA-256.
• - Monitor issuance and renewals with audit logs and scripts.
Security Recommendations
- Harden CA servers; limit access to PKI admins.
- Use BitLocker or HSM for key protection.
- Monitor issuance and renewals with audit logs and scripts.
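Review bot: `Test-NetConnection ... -Port 636` only proves that the TCP port is reachable (`TcpTestSucceeded : True`); it never performs a TLS handshake, so it cannot tell you whether the domain controller is presenting the new "Kerberos Authentication" certificate, whether the chain validates against the subordinate CA, or whether an LDAPS bind actually succeeds. The "you are golden" sentence and the `!!! success "Successful LDAPS Connectivity"` admonition therefore claim more than this check verifies; suggest adding a step that opens a TLS session to port 636 and inspects the returned certificate (for example an SSL bind from ldp.exe, or `openssl s_client -connect LAB-DC-01.bunny-lab.io:636 -showcerts` from a non-Windows host) before declaring LDAPS functional. Two smaller points in the same hunk: the "Security Recommendations" list appears twice (once under "6. Security Recommendations" with the doubled "• -" bullet markers, then again as a plain list), and the numbered steps run "3.", "4.", "4.", so the draft section should be consolidated into one list with consistent markers.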