From d2360a27a097fb6cc120d81fc90dea50575badc0 Mon Sep 17 00:00:00 2001 From: Nicole Rappe Date: Fri, 11 Jul 2025 16:58:33 -0600 Subject: [PATCH] Update Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services/Deployment.md --- .../Deployment.md | 48 ++++++++++--------- 1 file changed, 25 insertions(+), 23 deletions(-) diff --git a/Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services/Deployment.md b/Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services/Deployment.md index 315553f..1803f38 100644 --- a/Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services/Deployment.md +++ b/Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services/Deployment.md 
@@ -32,26 +32,28 @@ This document outlines the Microsoft-recommended best practices for deploying a - Ensure the "**Include management tools (if applicable)**" checkbox is checked. - Click "**Next**" > "**Next**" > "**Next**" > "**Install**" -Install AD CS role as a Standalone Root CA. -3. Use RSA 4096-bit key, SHA-256, 10-year validity. -4. Configure AIA and CDP extensions with HTTP paths. -5. Publish root cert and CRL to AD and internal HTTP. -3. Online Subordinate CA Setup -Steps: -1. Domain-join a Windows Server and install AD CS as Enterprise Subordinate CA. -2. Generate CSR, sign with Root CA, import signed cert. -3. Configure AIA/CDP extensions for CRL publication. -4. Enable role separation and auditing. -4. Certificate Templates and Autoenrollment -Configure certificate templates for the following use cases: - • - S/MIME Email: Use separate templates for signing and encryption. Enable key archival for encryption. - • - 802.1X Wi-Fi: Use 'RAS and IAS Server' for NPS, and 'Workstation Authentication' for clients. - • - LDAPS: Use 'Kerberos Authentication' template for domain controllers. -Enable autoenrollment via GPOs under Public Key Policies for both Computer and User configuration. -5. CRL and Revocation Management -Publish CRLs regularly, configure overlap periods, and monitor expiration. Enable Delta CRLs on the Subordinate CA, but not on the Root. -6. Security Recommendations - • - Harden CA servers; limit access to PKI admins. - • - Use BitLocker or HSM for key protection. - • - Enforce strong cryptographic settings: RSA 2048+, SHA-256. - • - Monitor issuance and renewals with audit logs and scripts. \ No newline at end of file + +!!! warning "Raw Unprocessed Documentation - Do Not Use" + Install AD CS role as a Standalone Root CA. + 3. Use RSA 4096-bit key, SHA-256, 10-year validity. + 4. Configure AIA and CDP extensions with HTTP paths. + 5. Publish root cert and CRL to AD and internal HTTP. + 3. Online Subordinate CA Setup + Steps: + 1. 
Domain-join a Windows Server and install AD CS as Enterprise Subordinate CA. + 2. Generate CSR, sign with Root CA, import signed cert. + 3. Configure AIA/CDP extensions for CRL publication. + 4. Enable role separation and auditing. + 4. Certificate Templates and Autoenrollment + Configure certificate templates for the following use cases: + • - S/MIME Email: Use separate templates for signing and encryption. Enable key archival for encryption. + • - 802.1X Wi-Fi: Use 'RAS and IAS Server' for NPS, and 'Workstation Authentication' for clients. + • - LDAPS: Use 'Kerberos Authentication' template for domain controllers. + Enable autoenrollment via GPOs under Public Key Policies for both Computer and User configuration. + 5. CRL and Revocation Management + Publish CRLs regularly, configure overlap periods, and monitor expiration. Enable Delta CRLs on the Subordinate CA, but not on the Root. + 6. Security Recommendations + • - Harden CA servers; limit access to PKI admins. + • - Use BitLocker or HSM for key protection. + • - Enforce strong cryptographic settings: RSA 2048+, SHA-256. + • - Monitor issuance and renewals with audit logs and scripts. \ No newline at end of file
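Review bot: The lines moved into the `!!! warning "Raw Unprocessed Documentation - Do Not Use"` admonition keep the broken numbering and bullet markers of the original, so the rendered block still reads as garbled: the Root CA steps start at `3.` (the `1.`/`2.` steps live in the unchanged context above), the section headings `3. Online Subordinate CA Setup`, `4. Certificate Templates and Autoenrollment`, `5. CRL and Revocation Management` and `6. Security Recommendations` reuse the same counter as the step lists, and every bullet carries a doubled `• -` marker. If the intent is only to quarantine this text until it is rewritten, consider at least normalising the markers (`-` instead of `• -`) and separating section headings from step numbers, e.g. `**Online Subordinate CA Setup**` followed by `1.`, `2.`, … so Markdown does not renumber them. Two smaller points: the file still ends with `\ No newline at end of file` on the `+` side, so a trailing newline should be added; and since the security guidance here is the part most likely to be copied verbatim, the warning admonition should state that the cryptographic and hardening bullets (`RSA 2048+, SHA-256`, BitLocker/HSM key protection, role separation and auditing, Delta CRLs on the Subordinate CA only) are unreviewed, not merely "unprocessed", so a reader does not treat them as vetted settings.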