Update Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services.md
All checks were successful
GitOps Automatic Deployment / GitOps Automatic Deployment (push) Successful in 7s
@ -16,6 +16,7 @@ This document outlines the Microsoft-recommended best practices for deploying a
|
||||
- Ensure the hostname is correctly configured
|
||||
|
||||
### Offline (Non-Domain-Joined) Root CA `LAB-CA-01` Role Deployment
|
||||
This is the initial deployment of the root certificate authority, the settings here should be double and triple checked before proceeding through each step.
|
||||
- Provision a **non-domain-joined** Windows Server
|
||||
- This is critical that this device is not domain-joined for security purposes
|
||||
- Navigate to "**Server Manager > Manage > Add Roles and Features**"
|
||||
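Review bot: The sub-bullet under "Provision a **non-domain-joined** Windows Server" gives only "for security purposes" as the reason, and its wording ("This is critical that this device is not domain-joined") is ungrammatical. Suggest naming the reason in one clause, for example that an offline root CA should hold no domain trust or domain credentials, and rewording to "It is critical that this server is not domain-joined". The intro sentence above it is a comma splice ("...root certificate authority, the settings here should be..."); split it into two sentences.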
@ -34,6 +35,7 @@ This document outlines the Microsoft-recommended best practices for deploying a
|
||||
- Restart the Server
|
||||
|
||||
### Offline (Non-Domain-Joined) Root CA `LAB-CA-01` Role Configuration
|
||||
We have a few things we need to configure within the CA to make it ready to handle certificate requests.
|
||||
- Navigate to "**Server Manager > (Alert Flag) > Post-deployment Configuration: Active Directory Certificate Services**"
|
||||
- You will be prompted for an admin user, in this example, you will use the pre-populated `LAB-CA-01\Administrator`
|
||||
- Check the boxes for `Certification Authority` and `Certification Authority Web Enrollment` then click "**Next**"
|
||||
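Review bot: The step "Check the boxes for `Certification Authority` and `Certification Authority Web Enrollment`" installs the web enrollment role service on `LAB-CA-01`, which the heading describes as an offline root CA. Web enrollment is an IIS-hosted network service, so it adds attack surface to the root while having no clients to serve when the machine is kept offline. Suggest selecting only `Certification Authority` here, or adding a sentence that explains why web enrollment is wanted on the root in this lab.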
@ -69,6 +71,7 @@ You will see a finalization screen confirming everything we have configured, it
|
||||
If everything went well, you will see that the "**Certificate Authority**" and "**Certification Authority Web Enrollment**" both have a status of "**Configuration succeeded**". At this point, you can click the "**Close**" button to conclude the Root CA configuration.
|
||||
|
||||
### Online (Domain-Joined) Subordinate/Intermediary CA `LAB-CA-02` Role Deployment
|
||||
Now that we have set up the root certificate authority, we can focus on setting up the subordinate CA.
|
||||
- Navigate to "**Server Manager > (Alert Flag) > Post-deployment Configuration: Active Directory Certificate Services**"
|
||||
- Under credentials, let it automatically populate a domain admin. (e.g. `BUNNY-LAB\nicole.rappe`)
|
||||
- Click "**Next**"
|
||||
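Review bot: The credentials bullet uses what looks like a personal domain admin account (`BUNNY-LAB\nicole.rappe`) as its example. Suggest a placeholder such as `BUNNY-LAB\<domain-admin>` so the deployed page does not publish a privileged username. Separately, the heading says "Role Deployment" but the first step shown under it is "Post-deployment Configuration", which the `LAB-CA-01` sections file under "Role Configuration"; check that the role installation steps for `LAB-CA-02` actually sit under this heading.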
@ -111,6 +114,10 @@ You will see a finalization screen confirming everything we have configured, it
|
||||
You will see a screen telling you that the **Certification Authority Web Enrollment** was successful but it will give a warning about the **Certification Authority**. The Active Directory Certificate Services installation is incomplete. To complete the installation, use the request file <file-name> to obtain a certificate from the parent CA [*The RootCA*]. Then, use the Certification Authority snap-in to install the certificate. To complete this procedure, right-click the node with the name of the CA, and then click "Install CA Certificate".
|
||||
|
||||
### Online (Domain-Joined) Subordinate/Intermediary CA `LAB-CA-02` Configuration Deployment
|
||||
At this point, we will need to focus on getting the certificate signing request transferred to `LAB-CA-01` (the rootCA), this can be via temporary network access (sharing a CSR via a SMB network share from `LAB-CA-02`) (not recommended) or via a USB flashdrive (more secure).
|
||||
- Once the certificate signing request file `C:\LAB-CA-02.bunny-lab.io_bunny-lab-LAB-CA-02-CA.req` is on `LAB-CA-01` (RootCA) we can proceed to get it signed.
|
||||
- **PLACEHOLDER**
|
||||
|
||||
!!! warning "Under Construction"
|
||||
Section is still being written during lab deployment.
|
||||
|
||||
|
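Review bot: The "At this point" paragraph offers temporary network access with an SMB share as one way to move the CSR to `LAB-CA-01`, which contradicts the offline, non-domain-joined root CA the earlier sections set up. Suggest dropping the SMB option and describing the USB transfer as the procedure, since the text already marks SMB as "not recommended". The `- **PLACEHOLDER**` bullet and the "Under Construction" admonition also go out through the automatic deployment, so readers reach the signing step with no instructions; consider holding this section back until the signing steps are written. The new heading "Configuration Deployment" does not match the "Role Configuration" naming used for `LAB-CA-01`.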