From 7bd3e93dee7afb7cdbcccff5d1718b82a69bb2b3 Mon Sep 17 00:00:00 2001 From: Nicole Rappe Date: Wed, 16 Jul 2025 00:06:01 -0600 Subject: [PATCH] Update Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services.md --- .../Active Directory Certificate Services.md | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services.md b/Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services.md index 511d388..0f0335d 100644 --- a/Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services.md +++ b/Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services.md 
@@ -150,24 +150,24 @@ At this point, we will need to focus on getting the certificate signing request - Click "**Next**" and finish importing the Certificate Revocation List - Right-click the CA node in the treeview on the left-hand sidebar (e.g. `BunnyLab-SubordinateCA-01`) - Click on "**All Tasks" > "Start Service**" + - Verify that the CA status is now green (running). -5. Ensure the Root CA certificate is also imported into the Trusted Root Certification Authorities store for both the local machine and the CA service. -- Open certlm.msc, right-click Trusted Root Certification Authorities > Certificates, and select Import... -6. Start the Certification Authority service: -- Right-click the CA node > All Tasks > Start Service. -7. Verify that the CA status is now green (running). +## Create Auto-Enrollment Group Policy +The Certificate Auto-Enrollment Group Policy enables domain-joined devices (*computers, including domain controllers*) to automatically request, renew, and install certificates from the Enterprise CA (in this case, the Subordinate CA `LAB-CA-02`). -!!! success "Next Steps" -- Publish a new CRL: -- Right-click the CA node > All Tasks > Publish > New CRL. -- Export and distribute the CA certificate(s) as needed for client trust via Group Policy. -- Proceed with further PKI configuration (CRL/AIA paths, templates, permissions, etc). +- Open the Group Policy Management editor on one of your domain controllers, then "Create a GPO in this domain, and link it here" wherever it will be able to target the domain controllers, this may be at the root, or in a specific OU that holds domain controllers. (e.g. 
`bunny-lab.io\Domain Controllers` ) + - Name the new GPO something like "**Certificate Auto-Enrollment**" + - Edit the GPO + - Navigate to "**Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies**" + - Find and open "**Certificate Services Client - Auto-Enrollment.**" + - Set the Configuration Model to "**Enabled**" + - Check both checkboxes for "**Renew expired certificates, update pending certificates, and remove revoked certificates**" and "**Update certificates that use certificate templates**" + - Click "**OK**" +- Run a `gpupdate /force` on your domain controller(s) and give it a few minutes to pull down their new domain controller certificates !!! warning "Under Construction" Section is still being written during lab deployment. - I will go over setting up additional roles **AFTER** documenting the process of getting the certificate signing request from `LAB-CA-02` to `LAB-CA-01` - !!! abstract "Raw Unprocessed/Unrefined Steps - Do Not Use" 3. Configure AIA/CDP extensions for CRL publication. 4. Enable role separation and auditing.
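Review bot: the removed lines drop two steps that the added text does not carry forward: importing the Root CA certificate into the Trusted Root Certification Authorities store via certlm.msc (old item 5) and the "Publish a new CRL" next step (Right-click the CA node > All Tasks > Publish > New CRL). Neither is covered by the retained "Start Service" and "Verify that the CA status is now green" lines, and without them clients cannot build a trusted chain to the subordinate CA or obtain a fresh revocation list. If these were moved to another section, a one-line pointer here would help; otherwise keep them before the new "Create Auto-Enrollment Group Policy" heading. Also, the same section refers to the CA as `BunnyLab-SubordinateCA-01` in the right-click step and as `LAB-CA-02` in the GPO paragraph; pick one name.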