Update Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services/Deployment.md
All checks were successful
GitOps Automatic Deployment / GitOps Automatic Deployment (push) Successful in 7s
All checks were successful
GitOps Automatic Deployment / GitOps Automatic Deployment (push) Successful in 7s
This commit is contained in:
@ -32,26 +32,28 @@ This document outlines the Microsoft-recommended best practices for deploying a
|
|||||||
- Ensure the "**Include management tools (if applicable)**" checkbox is checked.
|
- Ensure the "**Include management tools (if applicable)**" checkbox is checked.
|
||||||
- Click "**Next**" > "**Next**" > "**Next**" > "**Install**"
|
- Click "**Next**" > "**Next**" > "**Next**" > "**Install**"
|
||||||
|
|
||||||
Install AD CS role as a Standalone Root CA.
|
|
||||||
3. Use RSA 4096-bit key, SHA-256, 10-year validity.
|
!!! warning "Raw Unprocessed Documentation - Do Not Use"
|
||||||
4. Configure AIA and CDP extensions with HTTP paths.
|
Install AD CS role as a Standalone Root CA.
|
||||||
5. Publish root cert and CRL to AD and internal HTTP.
|
3. Use RSA 4096-bit key, SHA-256, 10-year validity.
|
||||||
3. Online Subordinate CA Setup
|
4. Configure AIA and CDP extensions with HTTP paths.
|
||||||
Steps:
|
5. Publish root cert and CRL to AD and internal HTTP.
|
||||||
1. Domain-join a Windows Server and install AD CS as Enterprise Subordinate CA.
|
3. Online Subordinate CA Setup
|
||||||
2. Generate CSR, sign with Root CA, import signed cert.
|
Steps:
|
||||||
3. Configure AIA/CDP extensions for CRL publication.
|
1. Domain-join a Windows Server and install AD CS as Enterprise Subordinate CA.
|
||||||
4. Enable role separation and auditing.
|
2. Generate CSR, sign with Root CA, import signed cert.
|
||||||
4. Certificate Templates and Autoenrollment
|
3. Configure AIA/CDP extensions for CRL publication.
|
||||||
Configure certificate templates for the following use cases:
|
4. Enable role separation and auditing.
|
||||||
• - S/MIME Email: Use separate templates for signing and encryption. Enable key archival for encryption.
|
4. Certificate Templates and Autoenrollment
|
||||||
• - 802.1X Wi-Fi: Use 'RAS and IAS Server' for NPS, and 'Workstation Authentication' for clients.
|
Configure certificate templates for the following use cases:
|
||||||
• - LDAPS: Use 'Kerberos Authentication' template for domain controllers.
|
• - S/MIME Email: Use separate templates for signing and encryption. Enable key archival for encryption.
|
||||||
Enable autoenrollment via GPOs under Public Key Policies for both Computer and User configuration.
|
• - 802.1X Wi-Fi: Use 'RAS and IAS Server' for NPS, and 'Workstation Authentication' for clients.
|
||||||
5. CRL and Revocation Management
|
• - LDAPS: Use 'Kerberos Authentication' template for domain controllers.
|
||||||
Publish CRLs regularly, configure overlap periods, and monitor expiration. Enable Delta CRLs on the Subordinate CA, but not on the Root.
|
Enable autoenrollment via GPOs under Public Key Policies for both Computer and User configuration.
|
||||||
6. Security Recommendations
|
5. CRL and Revocation Management
|
||||||
• - Harden CA servers; limit access to PKI admins.
|
Publish CRLs regularly, configure overlap periods, and monitor expiration. Enable Delta CRLs on the Subordinate CA, but not on the Root.
|
||||||
• - Use BitLocker or HSM for key protection.
|
6. Security Recommendations
|
||||||
• - Enforce strong cryptographic settings: RSA 2048+, SHA-256.
|
• - Harden CA servers; limit access to PKI admins.
|
||||||
• - Monitor issuance and renewals with audit logs and scripts.
|
• - Use BitLocker or HSM for key protection.
|
||||||
|
• - Enforce strong cryptographic settings: RSA 2048+, SHA-256.
|
||||||
|
• - Monitor issuance and renewals with audit logs and scripts.
|
||||||
Reference in New Issue
Block a user