Purpose
This document outlines the Microsoft-recommended best practices for deploying a secure, internal-use-only, two-tier Public Key Infrastructure (PKI) using Windows Server 2022 or newer. The PKI supports securing S/MIME email, 802.1X Wi-Fi with NPS, and LDAP over SSL (LDAPS).
!!! abstract "Environment Breakdown"
    The environment consists of at least two virtual machines, named `LAB-CA-01` and `LAB-CA-02` ("Lab Certificate Authority 01/02") for the purposes of this document. In a two-tier hierarchy, an offline Root CA signs a single Subordinate (issuing) Enterprise CA certificate. The Subordinate CA is domain-joined and handles all certificate requests. Clients trust the PKI via Group Policy and Active Directory integration.

    Here `LAB-CA-01` is the Root CA and `LAB-CA-02` is the Intermediate/Subordinate CA. You can add more than one subordinate CA if you want redundancy; each one is signed by the same offline root.
- Offline Root CA Setup Steps:
    - Provision a non-domain-joined, isolated Windows Server.
    - Install the AD CS role as a Standalone Root CA.
    - Use an RSA 4096-bit key, SHA-256, and 10-year validity.
    - Configure the AIA and CDP extensions with HTTP paths.
    - Publish the root certificate and CRL to AD and to the internal HTTP location. The offline root cannot write to AD itself; copy the files off and run `certutil -dspublish` from a domain-joined machine.
- Online Subordinate CA Setup Steps:
    - Domain-join a Windows Server and install AD CS as an Enterprise Subordinate CA.
    - Generate a CSR, sign it with the Root CA, and import the signed certificate.
    - Configure the AIA/CDP extensions for CRL publication.
    - Enable role separation and auditing.
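The two procedures above, scripted end to end. This is an added example for this page, not code from the original document or from Microsoft; it assumes the CA common names `LAB-Root-CA` and `LAB-Issuing-CA`, an HTTP publication host `pki.lab.local` with a `/pki/` directory that the issuing CA can copy files to, the removable-media staging folder `C:\RootCA`, and the request/certificate paths shown. All of those are placeholders. Commands are grouped by the machine they run on.

```powershell
### Part 1: run on LAB-CA-01 (workgroup member, kept offline) ###
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName 'LAB-Root-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 -Force

# Certificates signed by this root (i.e. the subordinate CA certificate) default to
# one year of validity. Raise that before signing the subordinate's request.
certutil -setreg CA\ValidityPeriodUnits 5
certutil -setreg CA\ValidityPeriod 'Years'

# CDP/AIA. Flag 1 = publish to this path, flag 2 = include this URL in issued certs.
# Tokens: %1 server DNS name, %3 CA name, %4 cert index, %8 CRL suffix, %9 delta suffix.
# '\n' is passed literally; certutil uses it as the REG_MULTI_SZ separator.
certutil -setreg CA\CRLPublicationURLs    '1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.lab.local/pki/%3%8%9.crl'
certutil -setreg CA\CACertPublicationURLs '1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.lab.local/pki/%1_%3%4.crt'
Restart-Service certsvc
certutil -crl   # writes LAB-Root-CA.crl next to LAB-CA-01_LAB-Root-CA.crt in CertEnroll
# Copy C:\Windows\System32\CertSrv\CertEnroll\*.crt and *.crl to removable media.

### Part 2: run on any domain-joined machine (here LAB-CA-02), files staged in C:\RootCA ###
certutil -dspublish -f 'C:\RootCA\LAB-CA-01_LAB-Root-CA.crt' RootCA   # trusted root + AIA in AD
certutil -dspublish -f 'C:\RootCA\LAB-Root-CA.crl'                    # CDP container in AD
Copy-Item 'C:\RootCA\*' '\\pki.lab.local\pki\'                         # the HTTP CDP/AIA paths
gpupdate /force                                                        # pull the new root into the local store

### Part 3: run on LAB-CA-02 (domain-joined) ###
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CACommonName 'LAB-Issuing-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -OutputCertRequestFile 'C:\LAB-Issuing-CA.req' -Force

# Carry C:\LAB-Issuing-CA.req to LAB-CA-01 and run there (RequestId is printed by -submit):
#   certutil -submit C:\LAB-Issuing-CA.req
#   certutil -resubmit <RequestId>
#   certutil -retrieve <RequestId> C:\LAB-Issuing-CA.crt
# Bring C:\LAB-Issuing-CA.crt back here, then:
certutil -installcert 'C:\LAB-Issuing-CA.crt'
Start-Service certsvc

# CDP/AIA on the issuing CA. Local path 65 = publish base (1) + delta (64) CRLs;
# HTTP 6 = include in CDP extension (2) + advertise as delta CRL location (4).
certutil -setreg CA\CRLPublicationURLs    '65:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n6:http://pki.lab.local/pki/%3%8%9.crl'
certutil -setreg CA\CACertPublicationURLs '1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.lab.local/pki/%1_%3%4.crt'

# Role separation: an account that holds two CA roles (e.g. CA Administrator and
# Certificate Manager) is blocked from all CA operations. Assign the roles to distinct
# groups in certsrv.msc (Security tab) BEFORE enabling this, or the installing account
# locks itself out of CA management.
certutil -setreg CA\RoleSeparationEnabled 1
# Auditing: AuditFilter 127 = all seven AD CS audit categories; the Security log only
# receives them if the "Certification Services" subcategory is enabled too.
certutil -setreg CA\AuditFilter 127
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
Restart-Service certsvc
certutil -crl
```

After part 3, check the chain from a domain client with `certutil -verify -urlfetch C:\LAB-Issuing-CA.crt`: every AIA and CDP URL in the output should resolve, and the chain should end in `LAB-Root-CA` with no "revocation status unknown" error.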
- Certificate Templates and Autoenrollment. Configure certificate templates for the following use cases:
    - S/MIME Email: use separate templates for signing and encryption. Enable key archival on the encryption template only (this requires a Key Recovery Agent certificate registered on the CA); signing keys are never archived, or the signature stops being non-repudiable.
    - 802.1X Wi-Fi: use 'RAS and IAS Server' for NPS, and 'Workstation Authentication' for clients.
    - LDAPS: use the 'Kerberos Authentication' template for domain controllers.

    Enable autoenrollment via GPOs under Public Key Policies for both Computer and User configuration.
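Publishing the built-in templates named above and turning on autoenrollment for both configuration halves, as an added example (not from the original page). It assumes it runs on `LAB-CA-02` as a CA Administrator who can also author Group Policy, that RSAT supplies the `ADCSAdministration`, `GroupPolicy` and `ActiveDirectory` modules, and that the GPO is called `PKI Autoenrollment`; the GPO name is a placeholder. The S/MIME templates are duplicates of built-in ones and are created in the template console, not here.

```powershell
Import-Module ADCSAdministration, GroupPolicy, ActiveDirectory

# Internal template names; certtmpl.msc shows the display names on the right.
$templates = @{
    'RASAndIASServer'        = 'RAS and IAS Server'         # NPS server certificate for PEAP/EAP-TLS
    'Workstation'            = 'Workstation Authentication' # client certificate for 802.1X
    'KerberosAuthentication' = 'Kerberos Authentication'    # domain controllers; also serves LDAPS
}
# S/MIME: duplicate 'Exchange Signature Only' (signing) and 'Exchange User' (encryption,
# with "Archive subject's encryption private key" checked) in certtmpl.msc, and register a
# Key Recovery Agent on the CA first. Those steps are GUI-driven and not scripted here.

$published = (Get-CATemplate).Name
foreach ($name in $templates.Keys) {
    if ($published -contains $name) {
        Write-Host "Already published: $($templates[$name])"
    } else {
        Add-CATemplate -Name $name -Force        # makes the template issuable by this CA
        Write-Host "Published: $($templates[$name])"
    }
}
# Enrollment still needs Enroll + Autoenroll ACEs on the template: Domain Computers for
# 'Workstation Authentication', the 'RAS and IAS Servers' group for the NPS template, and
# Domain Controllers for 'Kerberos Authentication'. Check them in certtmpl.msc, Security tab.

# Autoenrollment GPO linked at the domain root.
# AEPolicy bits: 1 = enabled, 2 = renew expired / process pending, 4 = update templates.
# OfflineExpirationPercent 10 = start renewal when 10 % of the lifetime is left.
$gpoName = 'PKI Autoenrollment'   # assumed name for this example
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

foreach ($hive in 'HKLM', 'HKCU') {   # HKLM = Computer Configuration, HKCU = User Configuration
    $key = "$hive\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'AEPolicy'                    -Type DWord       -Value 7    | Out-Null
    Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'OfflineExpirationPercent'    -Type DWord       -Value 10   | Out-Null
    Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'OfflineExpirationStoreNames' -Type MultiString -Value 'MY' | Out-Null
}

$domainDn = (Get-ADDomain).DistinguishedName
$linked   = (Get-GPInheritance -Target $domainDn).GpoLinks.DisplayName
if (-not ($linked -contains $gpoName)) {
    New-GPLink -Name $gpoName -Target $domainDn -LinkEnabled Yes | Out-Null
}
```

To confirm on a client: `gpupdate /force`, then `certutil -pulse` to trigger autoenrollment immediately, and `certutil -store My` (computer) or `certutil -user -store My` (user) should list a certificate whose Template line names the expected template.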
- CRL and Revocation Management: publish CRLs regularly, configure overlap periods, and monitor the CRL's NextUpdate, because an expired CRL makes every certificate under that CA fail revocation checking even though nothing was revoked. Enable Delta CRLs on the Subordinate CA, but not on the Root.
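CRL periods for both tiers and a freshness check against the published files, as an added example that is not part of the original page. The publication intervals (half-yearly root CRL with a four-week overlap, weekly base CRL and daily delta on the issuing CA) are choices made for this example, not values the page prescribes, and the URLs under `http://pki.lab.local/pki/` are placeholders. The freshness check parses `certutil -dump` output rather than the CRL itself, since Windows PowerShell has no built-in CRL parser.

```powershell
### Root CA (LAB-CA-01, offline): base CRL only, long period, generous overlap ###
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod 'Weeks'
certutil -setreg CA\CRLOverlapUnits 4          # the old CRL stays valid 4 weeks past the next publish
certutil -setreg CA\CRLOverlapPeriod 'Weeks'   # time so a late boot of the offline root does not hurt
certutil -setreg CA\CRLDeltaPeriodUnits 0      # 0 disables delta CRLs on the root
Restart-Service certsvc
certutil -crl                                  # then copy to /pki/ and certutil -dspublish from a domain member

### Issuing CA (LAB-CA-02): weekly base CRL, daily delta, short overlaps ###
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod 'Weeks'
certutil -setreg CA\CRLOverlapUnits 1
certutil -setreg CA\CRLOverlapPeriod 'Days'
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod 'Days'
certutil -setreg CA\CRLDeltaOverlapUnits 12
certutil -setreg CA\CRLDeltaOverlapPeriod 'Hours'
Restart-Service certsvc
certutil -crl

### Monitor: download each published CRL and warn when NextUpdate is close ###
function Test-CrlFreshness {
    param(
        [Parameter(Mandatory)][string]$Url,
        [int]$WarnHours = 48            # alert threshold, chosen for this example
    )
    $file = Join-Path $env:TEMP ([IO.Path]::GetRandomFileName() + '.crl')
    try {
        Invoke-WebRequest -Uri $Url -OutFile $file -UseBasicParsing
        $dump = certutil -dump $file
        # certutil prints "ThisUpdate:" and "NextUpdate:" lines for a CRL
        $m = $dump | Select-String -Pattern 'NextUpdate:\s*(.+)$' | Select-Object -First 1
        if (-not $m) { throw "certutil could not parse $Url as a CRL" }
        $next      = [datetime]::Parse($m.Matches[0].Groups[1].Value.Trim())
        $hoursLeft = [math]::Round(($next - (Get-Date)).TotalHours, 1)
        [pscustomobject]@{
            Url        = $Url
            NextUpdate = $next
            HoursLeft  = $hoursLeft
            Status     = if ($hoursLeft -le 0) { 'EXPIRED' }
                         elseif ($hoursLeft -le $WarnHours) { 'WARN' }
                         else { 'OK' }
        }
    } finally {
        Remove-Item $file -ErrorAction SilentlyContinue
    }
}

# Base CRLs are <CAName>.crl; the issuing CA's delta CRL is <CAName>+.crl.
'http://pki.lab.local/pki/LAB-Root-CA.crl',
'http://pki.lab.local/pki/LAB-Issuing-CA.crl',
'http://pki.lab.local/pki/LAB-Issuing-CA+.crl' |
    ForEach-Object { Test-CrlFreshness -Url $_ } | Format-Table -AutoSize
```

Run the check from a scheduled task on a machine outside the PKI hosts so it exercises the same HTTP path clients use; a `WARN` on the root CRL is the cue to boot the offline root, run `certutil -crl`, and republish.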
- Security Recommendations:
    - Harden CA servers; limit access to PKI admins.
    - Use BitLocker or an HSM for key protection. BitLocker only protects the disk at rest; an HSM is what keeps the CA private key non-exportable while the CA is running.
    - Enforce strong cryptographic settings: RSA 2048+, SHA-256.
    - Monitor issuance and renewals with audit logs and scripts.
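One way to do the last item: a summary of the AD CS audit events and a list of issued certificates approaching expiry, as an added example (not code from the original page). It assumes it runs on `LAB-CA-02` with the `AuditFilter` and the "Certification Services" audit subcategory already enabled, and that the 24-hour and 30-day windows are tunable defaults chosen here. Event IDs 4886/4887/4888/4870/4885/4890 are the ones Certification Services writes to the Security log.

```powershell
# AD CS audit events and why each matters
$auditIds = @{
    4886 = 'request received'
    4887 = 'request approved, certificate issued'
    4888 = 'request denied'
    4870 = 'certificate revoked'
    4885 = 'audit filter changed'          # someone weakening or disabling auditing
    4890 = 'CA security settings changed'  # CA ACL / role assignment changes
}

function Get-CaAuditSummary {
    param([int]$Hours = 24)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = [int[]]$auditIds.Keys
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Read the named EventData fields from the XML instead of relying on field order.
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Id        = $e.Id
            What      = $auditIds[$e.Id]
            Requester = $data['Requester']
            RequestId = $data['RequestId']
            Severity  = if ($e.Id -in @(4885, 4890)) { 'HIGH' }
                        elseif ($e.Id -eq 4888)      { 'MEDIUM' }
                        else                          { 'INFO' }
        }
    }
}

# Renewal tracking: issued certificates (Disposition 20) that expire within $Days.
# The columns are requested positionally and renamed, so the header line certutil
# emits is skipped. CertificateTemplate shows v1 templates by internal name and
# v2+ templates by OID.
function Get-ExpiringIssuedCerts {
    param([int]$Days = 30)
    $rows = certutil -view -restrict 'Disposition=20' `
        -out 'RequestID,RequesterName,CertificateTemplate,CommonName,NotAfter' csv
    $rows | Select-Object -Skip 1 |
        ConvertFrom-Csv -Header 'RequestId', 'Requester', 'Template', 'CommonName', 'NotAfter' |
        Where-Object {
            $notAfter = [datetime]::Parse($_.NotAfter)
            $notAfter -gt (Get-Date) -and $notAfter -le (Get-Date).AddDays($Days)
        }
}

Get-CaAuditSummary -Hours 24 | Sort-Object Severity, Time | Format-Table -AutoSize
Get-ExpiringIssuedCerts -Days 30 | Format-Table -AutoSize
```

Any `HIGH` row is worth a ticket on its own: 4885 and 4890 should only ever coincide with a planned change. The expiry list is the cross-check for autoenrollment: a certificate that appears there with fewer days left than the renewal percentage allows means the client is not renewing and the cause (a stale template ACL, a powered-off host, a user without a logon since the template changed) needs chasing before it expires.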