Update Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services/Deployment.md
All checks were successful
GitOps Automatic Deployment / GitOps Automatic Deployment (push) Successful in 7s
All checks were successful
GitOps Automatic Deployment / GitOps Automatic Deployment (push) Successful in 7s
This commit is contained in:
@ -26,8 +26,6 @@ This document outlines the Microsoft-recommended best practices for deploying a
|
||||
- You will be told that the name of the server cannot be changed after this point, and it will be associated with `WORKGROUP` > This is fine and you can proceed.
|
||||
- Check the boxes for the following role services:
|
||||
- `Certification Authority`
|
||||
- `Certificate Enrollment Policy Web Service`
|
||||
- `Certificate Enrollment Web Service`
|
||||
- `Certification Authority Web Enrollment`
|
||||
- When prompted to confirm multiple times, click the "**Add Features**" button
|
||||
- Ensure the "**Include management tools (if applicable)**" checkbox is checked.
|
||||
@ -46,19 +44,38 @@ This document outlines the Microsoft-recommended best practices for deploying a
|
||||
- Set the hash algorithm to `SHA256`
|
||||
- Click "**Next**"
|
||||
- **Common Name for this CA**: `BunnyLab-RootCA`
|
||||
- **Distinguished name suffix**: `O=Bunny Lab, C=US`
|
||||
- **Preview of distinguished name**: `CN=BunnyLab-RootCA,O=Bunny Lab, C=US`
|
||||
- **Distinguished name suffix**: `O=Bunny Lab,C=US`
|
||||
- **Preview of distinguished name**: `CN=BunnyLab-RootCA,O=Bunny Lab,C=US`
|
||||
- Click "**Next**"
|
||||
- Specify the validity period: `10 Years` then click "**Next**"
|
||||
-
|
||||
- Specify the validity period: `10 Years` then click "**Next**" > "**Next**" > "**Configure**"
|
||||
|
||||
You will see a finalization screen confirming everything we have configured, it should look something like what is seen below:
|
||||
|
||||
| **Field** | **Value** |
|
||||
| :--- | :--- |
|
||||
| CA Type | Standalone Root |
|
||||
| Cryptographic provider | RSA#Microsoft Software Key Storage Provider |
|
||||
| Hash Algorithm | SHA256 |
|
||||
| Key Length | 4096 |
|
||||
| Allow Administrator Interaction | Disabled |
|
||||
| Certificate Validity Period | `<10 Years from Today>` |
|
||||
| Distinguished Name | CN=BunnyLab-RootCA,O=Bunny Lab,C=US |
|
||||
| Certificate Database Location | C:\Windows\system32\CertLog |
|
||||
| Certificate Database Log Location | C:\Windows\system32\CertLog |
|
||||
|
||||
!!! success "Active Directory Certificate Services"
|
||||
If everything went well, you will see that the "**Certificate Authority**" and "**Certification Authority Web Enrollment**" both have a status of "**Configuration succeeded**". At this point, you can click the "**Close**" button to conclude the Root CA configuration.
|
||||
|
||||
!!! info "RSA#Microsoft Software Key Storage Provider"
|
||||
Microsoft Software Key Storage Provider (KSP) is the latest, most flexible provider designed to work with the Cryptography Next Generation (CNG) APIs. It offers better support for modern algorithms and improved security management (such as support for key attestation, better hardware integration, and improved key protection mechanisms).
|
||||
|
||||
!!! warning "Raw Unprocessed Documentation - Do Not Use"
|
||||
3. 10-year validity.
|
||||
- `Certificate Enrollment Policy Web Service`
|
||||
- `Certificate Enrollment Web Service`
|
||||
|
||||
4. Configure AIA and CDP extensions with HTTP paths.
|
||||
5. Publish root cert and CRL to AD and internal HTTP.
|
||||
|
||||
3. Online Subordinate CA Setup
|
||||
Steps:
|
||||
1. Domain-join a Windows Server and install AD CS as Enterprise Subordinate CA.
|
||||
|
||||
Reference in New Issue
Block a user