Domain Controller Certificate Installation
PKI-issued domain controller (DC) certificates must be installed on all DCs in the enterprise.

Action for Windows Server 2008 R2 users: The Force strong key protection for user keys stored on the computer setting will need to be temporarily relaxed via Group Policy while the certificate request is generated. When this setting is set to User must enter a password each time they use a key, a Key Protection password is required for every use of the Domain Controller’s private key. This causes silent operations such as Smart Card Logon and mutual authentication to fail. Perform these steps before requesting the Domain Controller certificate.
1) Open the Group Policy Management console. Select Start > Administrative Tools > Group Policy Management.
2) Expand Forest > Domains > your domain.
3) Expand Domain Controllers. Right-click Default Domain Controllers Policy and select Edit.
4) Expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies. Select Security Options.
5) Double-click System Cryptography: Force strong key protection for user keys stored on the computer.
6) Set this setting to User input is not required when new keys are stored and used.
7) Restart the system.
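The setting changed above is stored as the DWORD ForceKeyProtection under HKLM\SOFTWARE\Policies\Microsoft\Cryptography (0, 1 or 2). The following PowerShell script is an added example, not part of the original guide, that reads the effective value on the domain controller after the Group Policy change and restart and reports whether a Key Protection prompt would still block silent private-key use. The script name and the exit code are assumptions.

```powershell
# Added example (not from the original guide): check the effective value of
# "System cryptography: Force strong key protection for user keys stored on
# the computer" on this domain controller. Run in an elevated PowerShell
# after the Group Policy change and the restart.

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography'
$ValueName  = 'ForceKeyProtection'

# Meaning of each DWORD value as defined for this security option.
$Meaning = @{
    0 = 'User input is not required when new keys are stored and used'
    1 = 'User is prompted when the key is first used'
    2 = 'User must enter a password each time they use a key'
}

function Get-ForceKeyProtection {
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Policy not defined: no prompt is enforced by policy.
        return [pscustomobject]@{
            Value       = $null
            Description = 'Not configured (no prompt enforced by policy)'
            SafeForDc   = $true
        }
    }
    $v = [int]$item.$ValueName
    [pscustomobject]@{
        Value       = $v
        Description = $Meaning[$v]
        SafeForDc   = ($v -eq 0)   # only 0 allows silent use of the DC private key
    }
}

$state = Get-ForceKeyProtection
Write-Host ("ForceKeyProtection = {0}: {1}" -f $state.Value, $state.Description)
if (-not $state.SafeForDc) {
    Write-Warning 'Relax this setting to "User input is not required when new keys are stored and used" (value 0) before generating the DC certificate request, then restart.'
    exit 1
}
Write-Host 'Key protection will not prompt; the certificate request can be generated.'
```

If the policy was just edited, run gpupdate /force (or restart, as in step 7) before relying on the reported value, since the script reads the applied registry value, not the GPO itself.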
Generate the Certificate Request on the Domain Controller
1) Open the Certificates snap-in in MMC. Navigate to Start > Run and enter MMC. Click OK.
2) Navigate to File > Add/Remove Snap-in.
3) At the Add/Remove Snap-in screen select Add.
4) Select the Certificates snap-in and click Add.
5) Select Computer Account for the type of certificates to manage. Click Next.
6) Select Local Computer as the computer to manage. Click Finish.
7) When returned to the Add/Remove Snap-in screen click Ok.
8) At the main MMC window, the Certificates (Local Computer) snap-in should appear. Expand Certificates (Local Computer) > Personal. Right-click Certificates and select All Tasks > Advanced Operations > Create Custom Request.
9) Click Next.
Note: For Windows Server 2008 R2, select Custom Request > Proceed without enrollment policy on the next screen.
10) Select the template (No template) Legacy key. Check the Suppress default extensions box. Ensure PKCS #10 is selected as the request format. Click Next.
Note: For Windows Server 2008 R2, select the (No Template) CNG Key.
11) Click the drop down arrow next to Details and click the Properties button.
12) On the Subject tab under Subject name, select the drop-down type Common name. Enter the domain controller’s Fully Qualified Domain Name (FQDN), e.g. dc1.contoso.com
13) Click the Add button and the subject will appear on the right side in the form CN=<FQDN> (e.g., CN=dc1.contoso.com).
14) On the Private Key tab, expand Key options. Select the Key size 2048 and check only the box Make private key exportable. Click OK.
15) At the Certificate Information screen, verify the details and click Next.
16) Enter the file name to save the certificate request or click the Browse button to select a file path. Name the request with a .txt extension. Ensure the Base 64 radio button is selected. Click Finish to save the request and exit the certificate request wizard.
Note: If you are running Windows Server 2008 R2 and relaxed the Force strong key protection for user keys stored on the computer setting, you can reset it back to its original value now by following the same steps used at the beginning of this section to relax it, but setting the value to User must enter a password each time they use a key in step 7.
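The wizard steps above can also be reproduced from the command line with certreq -new and an .inf file, which is useful for scripting the request on many DCs or for auditing exactly what was requested. The script below is an added example, not part of the original guide: it writes an .inf mirroring the wizard choices (CN=FQDN subject, 2048-bit exportable key in the machine store, default extensions suppressed, PKCS #10, Base64 output), generates the request, and confirms the output format. The output folder, the SHA-256 request hash and the CSP/provider values are assumptions; the FQDN is read from the local machine.

```powershell
# Added example (not from the original guide): generate the DC certificate
# request with certreq -new instead of the MMC wizard.

$Fqdn    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$WorkDir = Join-Path $env:SystemDrive 'DCCertRequest'   # assumed output folder
$InfPath = Join-Path $WorkDir 'dc-request.inf'
$ReqPath = Join-Path $WorkDir "$Fqdn.txt"               # Base64 PKCS #10 request

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# [NewRequest] keys mirror the wizard: Subject (steps 12-13), KeyLength and
# Exportable (step 14), SuppressDefaults and RequestType (step 10).
# MachineKeySet = TRUE places the private key in the Local Computer store,
# matching the Computer Account snap-in. KeySpec/ProviderName select a legacy
# (CSP) key as in step 10; for the 2008 R2 CNG-key note, use
# ProviderName = "Microsoft Software Key Storage Provider" and omit KeySpec.
$Inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject          = "CN=$Fqdn"
KeyLength        = 2048
Exportable       = TRUE
MachineKeySet    = TRUE
KeySpec          = 1
ProviderName     = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType     = 12
RequestType      = PKCS10
SuppressDefaults = TRUE
HashAlgorithm    = sha256
"@
Set-Content -Path $InfPath -Value $Inf -Encoding ASCII

# certreq -new consumes the .inf and writes the Base64 request file.
& certreq.exe -new $InfPath $ReqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Confirm the file is a Base64 PKCS #10 request (what the CA web form expects)
# and show the subject and key length that were actually encoded.
$Text = Get-Content -Path $ReqPath -Raw
if ($Text -notmatch '-----BEGIN NEW CERTIFICATE REQUEST-----') {
    throw "Unexpected request format in $ReqPath"
}
& certutil.exe -dump $ReqPath | Select-String -Pattern 'Subject:', 'Public Key Length'
Write-Host "Request written to $ReqPath; paste its contents into the CA web form."
```

The request file produced here is submitted exactly like the wizard's .txt output in the next section; the private key stays in the machine store until certreq -accept pairs it with the issued certificate.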
Submit the DC Certificate Request to your CA (Server)
1) Open a web browser and navigate to the CA URL:
https://caserver.domain.com/
2) Scroll down the list and select the profile for Manual PKCS10 Domain Controller 2048-bit Certificate Enrollment.
3) In Notepad, open the certificate .txt request file generated in the previous section. Copy the encoded certificate request from the text file and paste it into the Certificate Request field on the web site.
4) Click Submit.
5) Once the CA has approved the request and issued the certificate, it will be available for download.
Navigate to the URL with a web browser.
https://caserver.domain.com/
6) Click the Retrieval tab, enter your request number and click Submit.
7) Click on the Issued certificate (serial number) link.
8) Verify that the certificate and form contents are correct. Scroll down to the base 64-encoded certificate, highlight and copy the certificate to the clipboard, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags.
9) Open Notepad and paste the certificate into a text file. Save the file to an easily accessible location; use All Files as the Save As Type, and save with a .cer extension. If the system from which the certificate is retrieved is different from the domain controller from which the request was generated, the retrieved certificate must be transported to the requesting domain controller via removable media or copied via the network.
Install the DC Certificate
1) Open a command prompt by clicking Start > Run and typing cmd.
2) Within the command prompt, navigate to the location where the certificate file is located using the cd command. Install the certificate by typing the following command:
certreq -accept <file>.cer
Verify the DC Certificate
Open the certificate in MMC.
1) Navigate to Start > Run and enter mmc. Click OK.
2) Select File > Add/Remove Snap-in.
3) At the Add/Remove Snap-in screen, select Add.
4) Select the Certificates snap-in and click Add.
5) Select Computer Account for the type of certificates to manage. Click Next.
6) Select Local Computer as the computer to manage. Click Finish.
7) When returned to the Add/Remove Snap-in screen click OK.
8) At the main MMC window, the Certificates (Local Computer) snap-in should appear. Expand Certificates (Local Computer) > Personal > Certificates.
9) Observe the certificate for this domain controller is in the local computer’s personal certificate store. Ensure the certificate is verified and has a valid private key.
10) Close all windows from this section.
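The Install and Verify sections above can be carried out and checked from PowerShell. The script below is an added example, not part of the original guide: it checks that the pasted .cer file carries both PEM markers and names this DC before it is transported, runs certreq -accept, and then confirms that the certificate sits in the Local Computer Personal store with its private key and builds a valid chain, which is what the MMC "verified" state means. The file path and the revocation setting are assumptions; the FQDN is read from the local machine.

```powershell
# Added example (not from the original guide): install the issued DC
# certificate with certreq -accept and verify the result. Run elevated on the
# domain controller that generated the request.
param(
    [string]$CerPath = 'C:\DCCertRequest\dc1.contoso.com.cer',   # assumed path
    [string]$Fqdn    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

$X509 = 'System.Security.Cryptography.X509Certificates'

# 1. The pasted file must carry both PEM markers and parse as a certificate.
$Pem = Get-Content -Path $CerPath -Raw
if ($Pem -notmatch '-----BEGIN CERTIFICATE-----' -or $Pem -notmatch '-----END CERTIFICATE-----') {
    throw "$CerPath is missing the BEGIN/END CERTIFICATE markers; re-copy it from the CA page."
}
$Downloaded = New-Object "$X509.X509Certificate2" ($CerPath)
$Cn = $Downloaded.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($Cn -ne $Fqdn) {
    throw "Certificate CN '$Cn' does not match this DC ($Fqdn); it belongs to another request."
}

# 2. Install: certreq -accept matches the issued certificate to the pending
#    request in the machine store and attaches the private key.
& certreq.exe -accept $CerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

# 3. Verify: present in Cert:\LocalMachine\My, private key attached, chain valid.
$Installed = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Downloaded.Thumbprint }
if (-not $Installed) {
    throw 'Certificate not found in the Local Computer Personal store.'
}
if (-not $Installed.HasPrivateKey) {
    throw 'Certificate has no associated private key; was the request generated on this DC?'
}

$Chain = New-Object "$X509.X509Chain"
$Chain.ChainPolicy.RevocationMode = 'NoCheck'   # assumption for lab use; keep Online in production
if (-not $Chain.Build($Installed)) {
    $Chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw 'Certificate chain does not validate; install the issuing CA chain in Trusted Root / Intermediate.'
}

# Summary of what was installed.
[pscustomobject]@{
    Subject       = $Installed.Subject
    Issuer        = $Installed.Issuer
    NotAfter      = $Installed.NotAfter
    Thumbprint    = $Installed.Thumbprint
    HasPrivateKey = $Installed.HasPrivateKey
    ChainValid    = $true
}
```

A missing private key at step 3 almost always means the .cer was accepted on a machine other than the one that generated the request; the certificate must be accepted where the pending request (and its key) lives.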