Update Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services/Deployment.md
All checks were successful
GitOps Automatic Deployment / GitOps Automatic Deployment (push) Successful in 7s
@ -32,26 +32,28 @@ This document outlines the Microsoft-recommended best practices for deploying a
- Ensure the "**Include management tools (if applicable)**" checkbox is checked.
- Click "**Next**" > "**Next**" > "**Next**" > "**Install**"
Install AD CS role as a Standalone Root CA.
3. Use RSA 4096-bit key, SHA-256, 10-year validity.
4. Configure AIA and CDP extensions with HTTP paths.
5. Publish root cert and CRL to AD and internal HTTP.
3. Online Subordinate CA Setup
Steps:
1. Domain-join a Windows Server and install AD CS as Enterprise Subordinate CA.
2. Generate CSR, sign with Root CA, import signed cert.
3. Configure AIA/CDP extensions for CRL publication.
4. Enable role separation and auditing.
4. Certificate Templates and Autoenrollment
Configure certificate templates for the following use cases:
• - S/MIME Email: Use separate templates for signing and encryption. Enable key archival for encryption.
• - 802.1X Wi-Fi: Use 'RAS and IAS Server' for NPS, and 'Workstation Authentication' for clients.
• - LDAPS: Use 'Kerberos Authentication' template for domain controllers.
Enable autoenrollment via GPOs under Public Key Policies for both Computer and User configuration.
5. CRL and Revocation Management
Publish CRLs regularly, configure overlap periods, and monitor expiration. Enable Delta CRLs on the Subordinate CA, but not on the Root.
6. Security Recommendations
• - Harden CA servers; limit access to PKI admins.
• - Use BitLocker or HSM for key protection.
• - Enforce strong cryptographic settings: RSA 2048+, SHA-256.
• - Monitor issuance and renewals with audit logs and scripts.
!!! warning "Raw Unprocessed Documentation - Do Not Use"
Install AD CS role as a Standalone Root CA.
3. Use RSA 4096-bit key, SHA-256, 10-year validity.
4. Configure AIA and CDP extensions with HTTP paths.
5. Publish root cert and CRL to AD and internal HTTP.
3. Online Subordinate CA Setup
Steps:
1. Domain-join a Windows Server and install AD CS as Enterprise Subordinate CA.
2. Generate CSR, sign with Root CA, import signed cert.
3. Configure AIA/CDP extensions for CRL publication.
4. Enable role separation and auditing.
4. Certificate Templates and Autoenrollment
Configure certificate templates for the following use cases:
• - S/MIME Email: Use separate templates for signing and encryption. Enable key archival for encryption.
• - 802.1X Wi-Fi: Use 'RAS and IAS Server' for NPS, and 'Workstation Authentication' for clients.
• - LDAPS: Use 'Kerberos Authentication' template for domain controllers.
Enable autoenrollment via GPOs under Public Key Policies for both Computer and User configuration.
5. CRL and Revocation Management
Publish CRLs regularly, configure overlap periods, and monitor expiration. Enable Delta CRLs on the Subordinate CA, but not on the Root.
6. Security Recommendations
• - Harden CA servers; limit access to PKI admins.
• - Use BitLocker or HSM for key protection.
• - Enforce strong cryptographic settings: RSA 2048+, SHA-256.
• - Monitor issuance and renewals with audit logs and scripts.
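Review bot: the block moved under `!!! warning "Raw Unprocessed Documentation - Do Not Use"` only renders inside the admonition if every line beneath the `!!!` header is indented by four spaces (Python-Markdown/MkDocs admonition syntax); the rendered diff cannot show that indentation, so confirm it before merge, otherwise the "Do Not Use" text renders as ordinary body content directly below an empty warning box and readers will take "RSA 2048+" and the other raw items as the reviewed guidance. While the block is being touched, two formatting defects carried over verbatim from the removed lines are worth fixing: the numbered list restarts at "3. Use RSA 4096-bit key, SHA-256, 10-year validity." with no items 1 and 2 above it, and the bullet lines carry a doubled marker (`• - S/MIME Email: ...`) that renders as a literal bullet character in front of each list item. Since this repository deploys automatically on push (GitOps Automatic Deployment), consider keeping the raw notes in a draft file outside the site build rather than shipping deliberately unusable guidance inside the published page.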