Test Lab Guide Mini-Module: Basic PKI for Windows Server 2012

Windows Server 2012 Base Configuration Test Lab Mini-Module for a Basic PKI

This Test Lab Guide Mini-Module describes how to add a basic public key infrastructure (PKI) as an optional addition to the Windows Server 2012 base configuration test lab. If you are running the base configuration test lab in a virtual environment, you can create snapshots of the virtual machines (VMs) for all of the test lab computers before performing the following procedure. There are two steps to adding a basic PKI deployment to the Windows Server 2012 Base Configuration test lab.

  1. Install an enterprise root certification authority (CA) on APP1.
  2. Enable computer certificate auto-enrollment for the corp.contoso.com domain, and verify computer certificate enrollment.

Step 1: Install an Enterprise Root CA on APP1

Do this step using Windows PowerShell

To install the Certification Services server role on APP1

  1. On the Server Manager Dashboard screen, under Configure this local server, click Add roles and features.
  2. Click Next three times to get to the server role selection screen.
  3. On the Select Server Roles page, select Active Directory Certificate Services, click Add Features when prompted, and then click Next.
  4. Click Next three times to accept the default settings, and then click Install.
  5. Wait for the installation to complete.
  6. In the Installation Progress dialog, click the Configure Active Directory Certificate Services on the destination server link.
  7. On the Credentials screen, click Next.
  8. On the Role Services page, select Certification Authority, and click Next.
  9. Click Next seven times to accept the default configuration options for Enterprise Root CA.
  10. On the confirmation screen, click Configure.
  11. Verify that configuration succeeded, and click Close.
  12. Click Close in the Add Roles and Features Wizard.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

Install-WindowsFeature AD-Certificate -IncludeManagementTools

Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -Force

Step 2: Enable Computer Certificate Auto-enrollment

Next, configure Group Policy on DC1 so that domain members automatically request computer certificates.

To configure computer certificate auto-enrollment

  1. On DC1, from the Start screen, click Group Policy Management.
  2. In the console tree, open Forest: corp.contoso.com\Domains\corp.contoso.com.
  3. In the console tree, right-click Default Domain Policy, and then click Edit.
  4. In the console tree of the Group Policy Management Editor, open Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
  5. In the details pane, double-click Certificate Services Client – Auto-Enrollment. In Configuration Model, select Enabled.
  6. Select Renew expired certificates, update pending certificates, and remove revoked certificates and Update certificates that use certificate templates. Click OK.
  7. Close Group Policy Management Editor and Group Policy Management Console.

Configure a client-server authentication template for auto-enrollment on APP1

Next, configure a custom client-server authentication template that can be used by servers and clients in further test lab guides.

To configure the client-server authentication template

  1. On APP1, from the Start screen, click Certification Authority.
  2. In the details pane, expand corp-APP1-CA.
  3. Right-click Certificate Templates and select Manage.
  4. In the Certificate Templates console, right-click Workstation Authentication and click Duplicate Template.
  5. On the General tab, change the Template display name to Client-Server Authentication and select Publish certificate in Active Directory.
  6. On the Extensions tab, click Application Policies and then click Edit. Click Add, and then select Server Authentication. Click OK twice to return to the Properties of New Template dialog.
  7. Click the Security tab. For Domain Computers, select the checkbox to Allow Autoenroll. Click OK. Close the Certificate Templates Console.
  8. In the Certification Authority snap-in console tree, right-click Certificate Templates, point to New, and then click Certificate Template to Issue.
  9. Select Client-Server Authentication and then click OK.
  10. Close the Certification Authority console.
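The guide does not show how to confirm that the Group Policy from Step 2 and the Client-Server Authentication template above actually produced a certificate on a domain member. The following script is an added example (not part of the original TLG) to run on a domain-joined lab computer such as CLIENT1; it assumes the CA name corp-APP1-CA and the template display name Client-Server Authentication from the procedure, and it only reads the machine certificate store.

```powershell
# Added verification script (not from the TLG). Run in an elevated PowerShell
# prompt on a domain member after the auto-enrollment GPO and template exist.
# Assumptions: CA is corp-APP1-CA, template is "Client-Server Authentication".
$caName       = 'corp-APP1-CA'
$templateName = 'Client-Server Authentication'

# Refresh computer policy and kick the auto-enrollment task instead of waiting
# for the next scheduled run.
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null
Start-Sleep -Seconds 15

# Machine certificates issued by the lab CA.
$certs = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "CN=$caName*" }

if (-not $certs) {
    Write-Warning ("No certificate from {0} in the machine store. Check the CA's " +
        "Failed Requests folder and the Autoenroll permission for Domain Computers " +
        "on the template.") -f $caName
    return
}

foreach ($cert in $certs) {
    # Certificate Template Information (V2+ templates) is OID 1.3.6.1.4.1.311.21.7;
    # older V1 templates use 1.3.6.1.4.1.311.20.2 (Certificate Template Name).
    $tmplExt = $cert.Extensions | Where-Object {
        $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' } | Select-Object -First 1
    $tmplText = if ($tmplExt) { $tmplExt.Format($false) } else { '(no template extension)' }

    # The duplicated Workstation Authentication template should now carry both EKUs.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) }

    [pscustomobject]@{
        Subject         = $cert.Subject
        NotAfter        = $cert.NotAfter
        Template        = $tmplText
        FromOurTemplate = ($tmplText -like "*$templateName*")
        EKU             = ($ekus -join ', ')
        HasClientAndServerAuth = ($ekus -contains 'Client Authentication') -and
                                 ($ekus -contains 'Server Authentication')
        ChainsToTrustedRoot    = $cert.Verify()   # root CA published to AD via the enterprise CA install
    }
}
```

A row with FromOurTemplate, HasClientAndServerAuth and ChainsToTrustedRoot all True means Step 2 and the template configuration are working; a False in ChainsToTrustedRoot usually means the root certificate has not yet reached the client's Trusted Root store through Group Policy.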

Snapshot the Configuration

This completes the Basic PKI configuration. To save this configuration for additional test labs, do the following:

  1. On all physical computers or virtual machines in the test lab, close all windows and then perform a graceful shutdown.
  2. If your lab is based on virtual machines, save a snapshot of each virtual machine and name the snapshots Windows Server 2012 Base Configuration with Basic PKI. If your lab uses physical computers, create disk images to save the Base Configuration.

Additional Resources

For a list of all of the Windows Server 2012 TLGs, see Windows Server 2012 Test Lab Guides in the TechNet Wiki.

Comments
  • This doesn't work well for me (tried in SCEP 2012 and SCSM 2012 TLGs, computers do not get their certificates). It is better to add the AD CS role to DC1 and then add an automatic certificate request for computers. Something like the Base Config for Windows Server 2008 R2.