diff --git a/Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services.md b/Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services.md index 0f0335d..5533ea3 100644 --- a/Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services.md +++ b/Workflows/Windows/Windows Server/Roles/Active Directory Certificate Services.md @@ -15,7 +15,8 @@ This document outlines the Microsoft-recommended best practices for deploying a - Ensure the timezone is correctly configured - Ensure the hostname is correctly configured -### Offline (Non-Domain-Joined) Root CA `LAB-CA-01` Role Deployment +## Offline (Non-Domain-Joined) Root CA `LAB-CA-01` +### Role Deployment This is the initial deployment of the root certificate authority, the settings here should be double and triple checked before proceeding through each step. - Provision a **non-domain-joined** Windows Server - This is critical that this device is not domain-joined for security purposes @@ -34,7 +35,7 @@ This is the initial deployment of the root certificate authority, the settings h - Click "**Next**" > "**Next**" > "**Next**" > "**Install**" - Restart the Server -### Offline (Non-Domain-Joined) Root CA `LAB-CA-01` Role Configuration +### Role Configuration We have a few things we need to configure within the CA to make it ready to handle certificate requests. - Navigate to "**Server Manager > (Alert Flag) > Post-deployment Configuration: Active Directory Certificate Services**" - You will be prompted for an admin user, in this example, you will use the pre-populated `LAB-CA-01\Administrator` @@ -70,7 +71,8 @@ You will see a finalization screen confirming everything we have configured, it !!! success "Active Directory Certificate Services" If everything went well, you will see that the "**Certificate Authority**" and "**Certification Authority Web Enrollment**" both have a status of "**Configuration succeeded**". At this point, you can click the "**Close**" button to conclude the Root CA configuration. -### Online (Domain-Joined) Subordinate/Intermediary CA `LAB-CA-02` Role Deployment +## Online (Domain-Joined) Subordinate/Intermediary CA `LAB-CA-02` +### Role Deployment Now that we have set up the root certificate authority, we can focus on setting up the subordinate CA. - Navigate to "**Server Manager > (Alert Flag) > Post-deployment Configuration: Active Directory Certificate Services**" @@ -114,7 +116,7 @@ You will see a finalization screen confirming everything we have configured, it !!! quote "Pending Certificate Signing Request" You will see a screen telling you that the **Certification Authority Web Enrollment** was successful but it will give a warning about the **Certification Authority**. The Active Directory Certificate Services installation is incomplete. To complete the installation, use the request file to obtain a certificate from the parent CA [*The RootCA*]. Then, use the Certification Authority snap-in to install the certificate. To complete this procedure, right-click the node with the name of the CA, and then click "Install CA Certificate". -### Online (Domain-Joined) Subordinate/Intermediary CA `LAB-CA-02` Configuration Deployment +### Configuration Deployment At this point, we will need to focus on getting the certificate signing request generated on `LAB-CA-02` to `LAB-CA-01` (the rootCA), this can be via temporary network access or via a USB flashdrive. !!! danger @@ -155,6 +157,7 @@ At this point, we will need to focus on getting the certificate signing request ## Create Auto-Enrollment Group Policy The Certificate Auto-Enrollment Group Policy enables domain-joined devices (*computers, including domain controllers*) to automatically request, renew, and install certificates from the Enterprise CA (in this case, the Subordinate CA `LAB-CA-02`). +### Create GPO - Open the Group Policy Management editor on one of your domain controllers, then "Create a GPO in this domain, and link it here" wherever it will be able to target the domain controllers, this may be at the root, or in a specific OU that holds domain controllers. (e.g. `bunny-lab.io\Domain Controllers` ) - Name the new GPO something like "**Certificate Auto-Enrollment**" - Edit the GPO @@ -165,6 +168,14 @@ The Certificate Auto-Enrollment Group Policy enables domain-joined devices (*com - Click "**OK**" - Run a `gpupdate /force` on your domain controller(s) and give it a few minutes to pull down their new domain controller certificates +### Validate Auto-Enrollment Functionality +At this point, you need to check that there is a certificate installed within "**Certificates - Local Computer > Personal > Certificates**" for "Domain Controller Server Authentication" + +- PLACEHOLDER + - PLACEHOLDER + - PLACEHOLDER + - PLACEHOLDER + !!! warning "Under Construction" Section is still being written during lab deployment.