Update Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services.md
All checks were successful
GitOps Automatic Deployment / GitOps Automatic Deployment (push) Successful in 7s
All checks were successful
GitOps Automatic Deployment / GitOps Automatic Deployment (push) Successful in 7s
This commit is contained in:
@ -150,24 +150,24 @@ At this point, we will need to focus on getting the certificate signing request
|
|||||||
- Click "**Next**" and finish importing the Certificate Revocation List
|
- Click "**Next**" and finish importing the Certificate Revocation List
|
||||||
- Right-click the CA node in the treeview on the left-hand sidebar (e.g. `BunnyLab-SubordinateCA-01`)
|
- Right-click the CA node in the treeview on the left-hand sidebar (e.g. `BunnyLab-SubordinateCA-01`)
|
||||||
- Click on "**All Tasks" > "Start Service**"
|
- Click on "**All Tasks" > "Start Service**"
|
||||||
|
- Verify that the CA status is now green (running).
|
||||||
|
|
||||||
5. Ensure the Root CA certificate is also imported into the Trusted Root Certification Authorities store for both the local machine and the CA service.
|
## Create Auto-Enrollment Group Policy
|
||||||
- Open certlm.msc, right-click Trusted Root Certification Authorities > Certificates, and select Import...
|
The Certificate Auto-Enrollment Group Policy enables domain-joined devices (*computers, including domain controllers*) to automatically request, renew, and install certificates from the Enterprise CA (in this case, the Subordinate CA `LAB-CA-02`).
|
||||||
6. Start the Certification Authority service:
|
|
||||||
- Right-click the CA node > All Tasks > Start Service.
|
|
||||||
7. Verify that the CA status is now green (running).
|
|
||||||
|
|
||||||
!!! success "Next Steps"
|
- Open the Group Policy Management editor on one of your domain controllers, then "Create a GPO in this domain, and link it here" wherever it will be able to target the domain controllers, this may be at the root, or in a specific OU that holds domain controllers. (e.g. `bunny-lab.io\Domain Controllers` )
|
||||||
- Publish a new CRL:
|
- Name the new GPO something like "**Certificate Auto-Enrollment**"
|
||||||
- Right-click the CA node > All Tasks > Publish > New CRL.
|
- Edit the GPO
|
||||||
- Export and distribute the CA certificate(s) as needed for client trust via Group Policy.
|
- Navigate to "**Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies**"
|
||||||
- Proceed with further PKI configuration (CRL/AIA paths, templates, permissions, etc).
|
- Find and open "**Certificate Services Client - Auto-Enrollment.**"
|
||||||
|
- Set the Configuration Model to "**Enabled**"
|
||||||
|
- Check both checkboxes for "**Renew expired certificates, update pending certificates, and remove revoked certificates**" and "**Update certificates that use certificate templates**"
|
||||||
|
- Click "**OK**"
|
||||||
|
- Run a `gpupdate /force` on your domain controller(s) and give it a few minutes to pull down their new domain controller certificates
|
||||||
|
|
||||||
!!! warning "Under Construction"
|
!!! warning "Under Construction"
|
||||||
Section is still being written during lab deployment.
|
Section is still being written during lab deployment.
|
||||||
|
|
||||||
I will go over setting up additional roles **AFTER** documenting the process of getting the certificate signing request from `LAB-CA-02` to `LAB-CA-01`
|
|
||||||
|
|
||||||
!!! abstract "Raw Unprocessed/Unrefined Steps - Do Not Use"
|
!!! abstract "Raw Unprocessed/Unrefined Steps - Do Not Use"
|
||||||
3. Configure AIA/CDP extensions for CRL publication.
|
3. Configure AIA/CDP extensions for CRL publication.
|
||||||
4. Enable role separation and auditing.
|
4. Enable role separation and auditing.
|
||||||
|
|||||||
Reference in New Issue
Block a user