Certificate Authority with Microsoft Windows Server 2008-A4


Upload: rodrigo-rocha

Post on 22-Dec-2015


Page 1: Certificate Authority With Microsoft Windows Server 2008-A4

Creating a Private Certificate Authority with NPS Page 10 of 39

April-2012-1

Installation & Configuration Overview

The following is an outline of the overall procedure and steps in this document. Step-by-step instructions will follow this section.

1. Install Microsoft Windows Server 2008 R2 (if not already installed) [1]
2. Join server to the Windows domain
3. Install and configure Certification Authority (CA)
4. Confirm the installation
5. Issue a certificate and test
6. Troubleshooting

Domain Membership

A Certification Authority does not need to run on the domain controller, but it should be on a server that is a member of the domain.

Enterprise vs. Stand-Alone CAs

Microsoft supports two different types of CAs: enterprise and standalone. Before installation it is a good idea to decide which one to use [2].

Enterprise CAs are integrated with Active Directory. They publish certificates and Certificate Revocation Lists (CRLs) to Active Directory. Enterprise CAs use information stored in Active Directory, including user accounts and security groups, to approve or deny certificate requests. Enterprise CAs use certificate templates. When a certificate is issued, the enterprise CA uses information in the certificate template to generate a certificate with the appropriate attributes for that certificate type.

If you want to enable automated certificate approval and automatic user certificate enrollment, use enterprise CAs to issue certificates. These features are only available when the CA infrastructure is integrated with Active Directory. Additionally, only enterprise CAs can issue certificates that enable smart card logon, because this process requires that smart card certificates be mapped automatically to the user accounts in Active Directory.

Stand-alone CAs do not require Active Directory and do not use certificate templates. If you use stand-alone CAs, all information about the requested certificate type must be included in the certificate request. By default, all certificate requests submitted to stand-alone CAs are held in a pending queue until a CA administrator approves them. You can configure stand-alone CAs to issue certificates automatically upon request, but this is less secure and is usually not recommended, because the requests are not authenticated.

[1] This document uses Microsoft Windows Server 2008 R2 Enterprise for the examples; however, most Windows servers should also work with some possible differences. Installing Microsoft Windows is outside

[2] Only Windows Server 2008 Enterprise or Windows Server 2008 Datacenter. Other versions (except Windows Server 2008 Web) support a more limited version called a Standalone CA. For more information, please see the appropriate Microsoft documentation.

From a performance perspective, using stand-alone CAs with automatic issuance enables you to issue certificates at a faster rate than you can by using enterprise CAs. However, unless you are using auto issuance, using stand-alone CAs to issue large volumes of certificates usually comes at a high administrative cost because an administrator must manually review and then approve or deny each certificate request. For this reason, stand-alone CAs are best used with public key security applications on extranets and the Internet, when users do not have Windows 2000 or Windows Server 2003 accounts, and when the volume of certificates to be issued and managed is relatively low.

You must use stand-alone CAs to issue certificates when you are using a third-party directory service or when Active Directory is not available.


Installing and Configuring the CA

Installing a root CA allows the organization to issue server certificates as well as client (user and machine) certificates. Server certificates are typically issued to the RADIUS server, web servers, etc. Certificates can also be issued to both users and machines; these can be used as part of the EAP-TLS authentication process.

Installation steps:

1. Install Windows Server 2008 R2
2. Install and configure the Certification Authority
3. Confirm the CA installation
4. Issue a certificate and test

Install Windows Server 2008 R2

Installation of Windows Server is beyond the scope of this document. Please refer to the documentation from Microsoft for details. Requirements for this document are as follows:

• Windows Server 2008 R2 Enterprise [3]
• The server is a member of the domain. [4]

[3] Microsoft's CA may be run on any Windows 2008 or 2003 server including domain controllers. There may be some configuration differences.

Install Root Certification Authority (CA)

The following are the steps to install and configure the Microsoft Certification Authority:

1. Launch the Server Manager application and make sure you are on the main, root-level screen
2. Under Role Summary, click Add Roles
3. Select Active Directory Certificate Services from the available roles
4. Click Next
5. Click Next to begin the installation
6. The minimum role service required is the Certification Authority itself. However, including the Certification Authority Web Enrollment can be helpful for initial interaction and testing of the CA.
7. Click Next
8. The next screen allows you to select which type of CA to set up. For this example, select the Enterprise CA option
9. Click Next
10. The next option is the type of CA. Unless there are other CAs in your organization, you should always choose Root CA
11. Click Next
12. Select Create a new private key in the next screen. This is the default unless you are re-installing the CA and want to keep any existing certificates
13. Click Next
14. The default cryptography is fine; click Next to accept and continue
15. The next screen gives you a chance to enter the name for the CA. This should be the hostname of the system as a client might see it via DNS. It is the name that will show up as the certificate issuer in any certificates it creates
16. Click Next
17. Unless you have different requirements, accept the default validity period of 5 years for the certificate the CA will issue to itself.
18. Click Next
19. Click Next to accept the default location for the certificate database
20. If there are any components that the CA requires that are not already installed, you will be prompted to install them next, e.g. web enrollment requires IIS. You may accept the defaults for these components unless you plan to use them for other applications
21. At the end, you will be presented with a summary screen listing the installation and configuration options. Check this screen carefully before clicking the Install button.


Confirm the CA Installation

At this point the Certification Authority should be ready for use. Before deploying, it is useful to verify the CA issued a certificate to itself and is ready.

1. Launch the Server Manager application and make sure you are on the main, root-level screen
2. In the left-hand navigation window, click Roles
3. Click Active Directory Certificate Services from the available roles
4. Click the plus sign (+) next to Enterprise PKI to expand it
5. Click on the CA instance's name
6. Examine the certificate information. All items should have a status of OK and the common name should match what was configured
7. Click on Certificate Templates for this instance and verify the templates were installed. At a minimum, you will need the Computer, User and Workstation Authentication templates [5]
8. Next click on the plus sign next to the CA instance name to expand it
9. Click on Issued Certificates and verify at least one certificate has been issued to the CA itself. There may be other certificates if the server has other roles such as domain controller

[5] If you are not issuing certificates to machines, only the User template is required
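The same checks as the Server Manager walk-through above, scripted so they can be repeated after every change. This is an added example and not part of the Ruckus application note; it assumes it is run in an elevated PowerShell prompt on the CA server and reads the CA name from the CertSvc registry key rather than assuming one.

```powershell
# Added example, not from the Ruckus application note: the Server Manager checks above done
# from an elevated PowerShell prompt on the CA server so they can be scripted and repeated.
# Only the CertSvc registry key, certutil.exe and the Cert: drive are used; the CA name is
# read from the registry rather than assumed.
$cfgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName   = (Get-ItemProperty -Path $cfgKey).Active   # name of the active CA instance
$caConfig = "$env:COMPUTERNAME\$caName"               # "<host>\<CA common name>"

# Step 6: the CA service must answer, and it should report itself as an Enterprise Root CA
certutil -config $caConfig -ping | Out-Null
if ($LASTEXITCODE -ne 0) { throw "CA service '$caConfig' is not responding" }
certutil -config $caConfig -CAInfo type

# Step 6: the CA's own self-signed certificate sits in the machine Trusted Root store,
# carries the configured common name and has the default 5-year validity and 2048-bit key
$caCert = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $_.Issuer -and $_.Subject -like "CN=$caName*" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $caCert) { throw "No self-signed certificate for '$caName' in LocalMachine\Root" }
$keyBits = $caCert.PublicKey.Key.KeySize
"CA certificate {0}: valid {1:d} to {2:d}, {3}-bit key, thumbprint {4}" -f $caCert.Subject, $caCert.NotBefore, $caCert.NotAfter, $keyBits, $caCert.Thumbprint
if ($keyBits -lt 2048)               { Write-Warning 'CA key is shorter than 2048 bits' }
if ($caCert.NotAfter -lt (Get-Date)) { Write-Warning 'CA certificate has expired' }

# Step 7: templates the CA is configured to issue. Computer and User are enabled on a new
# enterprise CA; Workstation Authentication normally exists in AD but must still be added
# with New -> Certificate Template to Issue (done later in this document).
$issued = certutil -config $caConfig -CATemplates
foreach ($t in 'User', 'Computer', 'WorkstationAuthentication') {
    $state = if ($issued -match "^$t\b") { 'enabled for issue' } else { 'NOT enabled for issue' }
    "Template {0,-26} {1}" -f $t, $state
}

# Step 9: certificates issued from the CA database (Disposition 20 = issued). On a CA that is
# also a domain controller, expect the DC certificates in this list too.
certutil -config $caConfig -view -restrict 'Disposition=20' -out 'RequestID,RequesterName,CertificateTemplate,NotAfter'
```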


Issue a Certificate and Test

Before a CA is put into production, a test certificate should be issued and tested. There are several different types of certificates that might be used; most commonly for users and machines. Although there are many different types of certificates (email, web servers, etc.) this document only deals with the certificates required for PEAP/EAP-TLS authentication over Wi-Fi.

Test steps:

1. Install and configure a RADIUS server, if not already installed [6]
2. Configure Wi-Fi network for PEAP/EAP-TLS
3. Install root CA certificate on a client
4. Issue a certificate to a user or client and install
5. Test the client and make sure it can authenticate and connect to the WLAN

Configure RADIUS

Before a WLAN can be configured to support 802.1X, a RADIUS server must be configured. All Windows servers include an optional RADIUS server component. For more information on how to install and configure this for Wi-Fi authentication, please refer to the Ruckus application notes for NPS or IAS, depending on your installation.

Configure Wi-Fi for PEAP/EAP-TLS

Once the back-end RADIUS system is ready, the Ruckus equipment should be configured to broadcast the 802.1X-based SSID. Two common EAP types are available, PEAP and EAP-TLS. For more information on the different EAP types, please refer to the Ruckus 802.1X application notes or the references listed in the appendix.

Install Root CA Certificate on the Client

A root certificate is the public version of the CA's own certificate. Devices use it to verify that a certificate claiming to be signed by that CA is valid. All operating systems come with the root certificates of well-known CAs such as Verisign, GoDaddy, etc. They can be viewed in Internet Options (Windows) or the Keychain (Mac OS). Since this is a private CA, the clients do not have its root certificate. Therefore it must be installed on each client that will use PEAP or EAP-TLS authentication. If it is not present, the client will be unable to verify a certificate is valid and will reject it.

[6] For more information on how to configure a RADIUS server on Microsoft Windows, Ruckus offers step-by-step guides for NPS and IAS. Microsoft also has detailed documentation.


There are several different ways to install the root CA certificate on a client. The easiest are:

• The user downloads and installs it individually
• Push the certificate to all computers via a Group Policy (Windows only)
• Auto-enrollment (Windows only)

Individual Installation of the Root CA Certificate

There are two ways a user can install a certificate: obtain the certificate via email, etc., or download it from the CA via the web interface.

The first method is as easy as double-clicking the certificate file. It will install automatically. This is true for most operating systems; however, it is a good idea to double-check the certificate was installed correctly. It should always be installed into the Trusted Root Certification Authorities list.

Verify Root Certification Installation (Windows)

To verify the certificate installed correctly on a Windows system, use the following steps:

1. Launch Internet Options from the Start Menu or the Control Panel
2. Click the Content tab
3. Click the Publishers button
4. Click the Trusted Root Certification Authorities tab
5. Scroll down the list and make sure your CA's certificate is in the list
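The Internet Options check above, done from PowerShell on the client, plus the test that actually matters to a PEAP/EAP-TLS supplicant: that a certificate issued by the private CA chains to a trusted root. This is an added example, not part of the Ruckus application note; $caName and $leafPath are assumptions (your CA's common name, and a constructed path to an exported .cer issued by the CA, such as the RADIUS server's certificate).

```powershell
# Added example, not from the Ruckus application note. Checks on a Windows client what the
# Internet Options steps check by hand: the private root certificate is in a Trusted Root
# Certification Authorities store (a copy in the Intermediate or Personal store does not make
# the client trust it), and a certificate issued by that CA actually chains to it.
# Assumptions: $caName is the CA common name chosen in CA setup step 15; $leafPath is a
# constructed path to an exported certificate issued by the CA.
$caName   = 'EXAMPLE-ROOT-CA'
$leafPath = 'C:\temp\radius-server.cer'

# 1. Locate every copy of the CA certificate and report which store holds it
$rootStores  = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
$otherStores = 'Cert:\LocalMachine\CA', 'Cert:\CurrentUser\CA', 'Cert:\CurrentUser\My'
$inRoot = $false
foreach ($store in $rootStores + $otherStores) {
    $hits = @(Get-ChildItem $store | Where-Object { $_.Subject -eq $_.Issuer -and $_.Subject -like "CN=$caName*" })
    foreach ($c in $hits) {
        if ($rootStores -contains $store) { $inRoot = $true }
        "{0,-26} {1}  expires {2:d}" -f $store, $c.Thumbprint, $c.NotAfter
    }
}
if (-not $inRoot) {
    Write-Warning "'$caName' is not in a Trusted Root store: PEAP/EAP-TLS clients will reject certificates it issued"
}

# 2. Build the chain for an issued certificate exactly as a supplicant would. A status of
#    UntrustedRoot means the root certificate is missing or was imported into the wrong store.
if (Test-Path $leafPath) {
    $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $leafPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # CRL reachability is a separate test
    $valid = $chain.Build($leaf)
    "Chain for '{0}': {1}" -f $leaf.Subject, $(if ($valid) { 'VALID' } else { 'NOT VALID' })
    foreach ($e in $chain.ChainElements) { "  element: {0}" -f $e.Certificate.Subject }
    foreach ($s in $chain.ChainStatus)   { "  status:  {0} - {1}" -f $s.Status, $s.StatusInformation.Trim() }
} else {
    "Leaf certificate '$leafPath' not found; skipping the chain test"
}
```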

Verify Root Certification Installation (Mac OS)

To verify the certificate installed correctly on a Macintosh system, use the following steps:

1. Click on Spotlight and enter Keychain Access to launch it (or launch it from the Finder via Applications->Utilities->Keychain Access)
2. Click File->Import Item and select the certificate file
3. If prompted, mark the certificate as always trusted
4. Verify the certificate is installed


Distributing the Root CA Certificate via a Group Policy (Windows)

The root certificate can be distributed to multiple Windows machines in a domain via a group policy object (GPO). The steps are:

1. Open the Group Policy Management Console
2. Open the forest entry and click the plus sign next to your domain to expand it
3. Navigate down to Group Policy Objects->Default Domain Policy
4. Right click on Default Domain Policy and select Edit
5. Navigate down to Computer Configuration->Policies->Windows Settings->Security Settings->Public Key Policies
6. Right click on Trusted Root Certification Authorities and select Import. This will launch the Certificate Import Wizard
7. Click Next
8. When prompted, browse to the location of the root certificate file
9. Make sure the certificate will be imported into the Trusted Root Certification Authorities store
10. Click Next
11. Click Finish to import the certificate
12. Verify the certificate appears inside the group policy object
13. You can make sure the group policy is updated immediately with the gpupdate command. This is run from a command window with administrator rights. The syntax is:

gpupdate /force


The group policy is now complete. Domain users should automatically download the certificate the next time they login. You can test this by logging into a domain machine. Open Internet Options and verify the certificate shows up in the list of trusted root CAs.

Issue a Client Certificate

First determine which kind of certificates you wish to deploy. There are two different kinds of client certificates that can be used: computer or user. A computer certificate is issued to a specific machine and cannot be used by another device. A user certificate is issued to a user account and can be used by any device.

Issue User Certificates with Auto Enrollment (Windows)

1. Open the Certification Authority program on the CA system
2. Click the plus sign next to the name of the CA instance
3. Right click on Certificate Templates and choose Manage. This will open the Certificate Templates Console
4. Right click the User template in the panel to the right and choose Duplicate Template
5. In the next screen you are prompted to select the type of attributes supported in the certificate: Windows Server 2003 or Windows Server 2008. Choose whichever is most appropriate for your installation
6. Click Next
7. In the properties window, give the template a name. You may also adjust the validity period and how re-enrollment is handled here
8. Click the Security tab
9. Select the Domain Users group
10. In the permissions section, select Enroll and Autoenroll
11. Click OK to save the template
12. Close the Certificate Templates Console and launch the Certification Authority (certsrv) program again. This is the first one used, not the console editor
13. Click the plus sign next to your CA instance
14. Right click on Certificate Templates and select New->Certificate Template to Issue
15. Click the name of your template and click the OK button

Next add this to a group policy object (GPO) on the AD server.

16. Open the Group Policy Management Console
17. Open the forest entry and click the plus sign next to your domain to expand it
18. Navigate down to Group Policy Objects->Default Domain Policy
19. Right click on Default Domain Policy and select Edit
20. Navigate down to User Configuration->Policies->Windows Settings->Security Settings->Public Key Policies
21. Double-click the Certificate Services Client – Auto-Enrollment object
22. In the properties window, select Enabled from the Configuration Model drop-down box
23. Check the box next to Update certificates that use certificate templates
24. You may also wish to set other options on the screen regarding how expired certificates are handled
25. Click the OK button to save your changes
26. Use the gpupdate command to force an immediate update and deploy the new GPO for all new client logins to the domain

Test the new GPO by logging into a domain client. Verify a user certificate is created and installed on the machine [7].

[7] At the time of this document, there is a known issue with user certificates not being issued if the user account does not have an Email attribute in Active Directory. Adding an email address will fix this.

Issue Device Certificates with Auto Enrollment (Windows)

The process to generate device certificates is the same as for user certificates, with a few minor changes.

1. Open the Certification Authority program on the CA system
2. Click the plus sign next to the name of the CA instance
3. Right click on Certificate Templates and choose Manage. This will open the Certificate Templates Console

4. Right click the Workstation Authentication template in the panel to the right and choose Duplicate Template
5. In the next screen you are prompted to select the type of attributes supported in the certificate: Windows Server 2003 or Windows Server 2008. Choose whichever is most appropriate for your installation
6. Click Next
7. In the properties window, give the template a name. You may also adjust the validity period and how re-enrollment is handled here
8. Click the Security tab
9. Select the Domain Computers group
10. In the permissions section, select Enroll and Autoenroll
11. Click OK to save the template
12. Close the Certificate Templates Console and launch the Certification Authority (certsrv) program again. This is the first one used, not the console editor
13. Click the plus sign next to your CA instance
14. Right click on Certificate Templates and select New->Certificate Template to Issue
15. Click the name of your template and click the OK button

Next we need to add this to a group policy object (GPO) on the AD server.

16. Open the Group Policy Management Console
17. Open the forest entry and click the plus sign next to your domain to expand it
18. Navigate down to Group Policy Objects->Default Domain Policy
19. Right click on Default Domain Policy and select Edit
20. Navigate down to Computer Configuration->Policies->Windows Settings->Security Settings->Public Key Policies
21. Double-click the Certificate Services Client – Auto-Enrollment object
22. In the properties window, select Enabled from the Configuration Model drop-down box
23. Check the box next to Update certificates that use certificate templates
24. You may also wish to set other options on the screen regarding how expired certificates are handled
25. Click the OK button to save your changes
26. Use the gpupdate command to force an immediate update and deploy the new GPO for all new client logins to the domain

Test the new GPO by logging into a domain client. Verify a machine certificate is created and installed on the machine [8].
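A scripted version of the "log into a domain client and verify" test for both the user and the machine auto-enrollment GPOs above. This is an added example, not part of the Ruckus application note; $caName is an assumption (your CA's common name) and the script must run elevated so the computer's Personal store is readable.

```powershell
# Added example, not from the Ruckus application note. Run on a domain-joined client after the
# two auto-enrollment GPOs to confirm what was delivered: user certificates (duplicated User
# template) belong in the current user's Personal store, machine certificates (duplicated
# Workstation Authentication template) in the computer's Personal store, both issued by the
# private CA and both carrying the Client Authentication purpose that EAP-TLS requires.
# Assumption: $caName is the CA common name. Run elevated so LocalMachine\My is readable.
$caName        = 'EXAMPLE-ROOT-CA'
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication enhanced key usage

function Get-EnrolledCert([string]$Store) {
    foreach ($cert in @(Get-ChildItem $Store | Where-Object { $_.Issuer -like "CN=$caName*" })) {
        $eku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }            # EKU
        $tmpl = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' } # template info (V2+)
        $hasClientAuth = $false
        if ($eku) { $hasClientAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid }) }
        New-Object PSObject -Property @{
            Store      = $Store
            Subject    = $cert.Subject
            Template   = $(if ($tmpl) { $tmpl.Format($false) } else { '(V1 template, no template OID)' })
            ClientAuth = $hasClientAuth
            KeyBits    = $cert.PublicKey.Key.KeySize
            PrivateKey = $cert.HasPrivateKey
            Expires    = $cert.NotAfter
        }
    }
}

# Trigger the auto-enrollment task now instead of waiting for the next logon or policy refresh
gpupdate /force | Out-Null
certutil -pulse  | Out-Null

$userCerts    = @(Get-EnrolledCert 'Cert:\CurrentUser\My')
$machineCerts = @(Get-EnrolledCert 'Cert:\LocalMachine\My')
$userCerts + $machineCerts | Format-Table Store, Subject, Template, ClientAuth, KeyBits, PrivateKey, Expires -AutoSize

if ($userCerts.Count -eq 0) {
    Write-Warning "No user certificate from '$caName'. Check Enroll/Autoenroll for Domain Users on the template, that the template is enabled for issue, and that the account has an Email attribute (footnote 7)."
}
if ($machineCerts.Count -eq 0) {
    Write-Warning "No machine certificate from '$caName'. Check Enroll/Autoenroll for Domain Computers and the Computer Configuration GPO."
}
foreach ($c in $userCerts + $machineCerts) {
    if (-not $c.ClientAuth)  { Write-Warning "$($c.Subject): no Client Authentication EKU, EAP-TLS will not offer it" }
    if ($c.KeyBits -lt 2048) { Write-Warning "$($c.Subject): $($c.KeyBits)-bit key, 2048 is the expected minimum" }
    if (-not $c.PrivateKey)  { Write-Warning "$($c.Subject): private key is not present on this machine" }
}
```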

Manually Issue Certificates with Web Enrollment (All Operating Systems)

If the web enrollment option was included when the Certification Authority was installed, users can go to a web URL and download the root CA certificate as well as request a certificate.

All the user needs to do is point their browser to the URL: http://<servername>/certsrv. They will be prompted to enter their domain credentials and see the main request screen.

From here they can download the root CA certificate as well as request a new personal certificate. To request a personal certificate:

1. Click the Request a certificate link
2. Select the certificate type (User Certificate for this example)
3. Click Submit to accept the default key strength on the next screen (it should always be 2048)
4. Click the link on the next screen to download the certificate and install it

[8] At the time of this document, there is a known issue with user certificates not being issued if the user account does not have an Email attribute in Active Directory. Adding an email address will fix this.

If automatic certificate approval is not enabled an administrator will need to use the Certification Authority console to approve the request. A user may come back at any time to view the status of a request.

This procedure works for any operating system as long as the user is allowed to authenticate to the web server.


Implementing 802.1X with Certificates

Once the Certificate Authority is installed, there are a few additional steps required before 802.1X authentication may be used. These include:

1. Issue a certificate to your RADIUS server
2. Configure the RADIUS server for wireless 802.1X authentication
3. Configure the ZoneDirector for 802.1X
4. Configure wireless clients

RADIUS server installation and configuration (Microsoft and ZoneFlex) is covered in separate application notes from Ruckus. Please refer to these for step-by-step instructions.

For information on how to configure a client as an 802.1X supplicant, please refer to the application note from Ruckus Wireless and the vendor’s documentation.


Appendix A – Further Reading

Digital (X.509) Certificates and How They Work
Microsoft – Understanding Digital Certificates and Public Key Cryptography
http://technet.microsoft.com/en-us/library/bb123848(v=exchg.65).aspx

Installing Microsoft Certification Authority
Active Directory Certificate Services Step-by-Step Guide
http://technet.microsoft.com/en-us/library/cc772393(v=ws.10).aspx

Deploy Certificates with Group Policy (Auto-enrollment)
http://technet.microsoft.com/en-us/library/cc770315(v=ws.10).aspx

Request/Generate SSL Certificates
Obtain a Digital Certificate from an Online Certificate Authority (Windows)
http://www.petri.co.il/obtain_digital_certificate_from_online_ca.htm
How to Request a Certificate from a Microsoft CA (Mac OS)
http://support.apple.com/kb/HT4784