Resources For IT Professionals
Post an article
Wikis - Page Details
  • First published by (eMicrosof)
  • When: 29 Feb 2012 11:18 AM
  • Last revision by
  • When: 10 Sep 2013 5:07 AM
  • Revisions: 11
  • Comments: 7
Options
RSSSubscribe to Article (RSS)
Can You Improve This Article?
Positively! Click Sign In to add the tip, solution, correction or comment that will help other users.

Report inappropriate content using these instructions.
Wiki  >  TechNet Articles  >  Test Lab Guide Mini-Module: Basic PKI for Windows Server 2012

Test Lab Guide Mini-Module: Basic PKI for Windows Server 2012

Test Lab Guide Mini-Module: Basic PKI for Windows Server 2012

Windows Server 2012 Base Configuration Test Lab Mini-Module for a Basic PKI

 

This Test Lab Guide Mini-Module describes how to add a basic public key infrastructure (PKI) as an optional addition to the Windows Server 2012 base configuration test lab. If you are running the base configuration test lab in a virtual environment, you can create snapshots of the virtual machines (VMs) for all of the test lab computers before performing the following procedure. There are two steps to adding a basic PKI deployment to the Windows Server 2012 Base Configuration test lab.

1.    Install an enterprise root certification authority (CA) on APP1.x

2.    Enable computer certificate auto-enrollment for the corp.contoso.com domain, and verify computer certificate enrollment.

Step 1: Install an Enterprise Root CA on APP1

Do this step using Windows PowerShell

To install the Certification Services server role on APP1

  1. One the Server Manager Dashboard screen, under Configure this local server, click Add roles and features.
  2. Click Next three times to get to the server role selection screen.
  3. On the Select Server Roles page, select Active Directory Certificate Services, click Add Features when prompted, and then click Next.
  4. Click Next three times to accept the default settings, and then click Install.
  5. Wait for the installation to complete.
  6. In the Installation Progress dialog, click the Configure Active Directory Certificate Services on the destination server link.
  7. On the Credentials screen, click Next.
  8. On the Role Services page, select Certification Authority, and click Next.
  9. Click Next seven times to accept the default configuration options for Enterprise Root CA.
  10. On the confirmation screen, click Configure.
  11. Verify that configuration succeeded, and click Close.
  12. Click Close in the Add Roles and Features Wizard.

 

 Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

 

Install-WindowsFeature AD-Certificate -IncludeManagementTools

Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -Force

 

Step 2: Enable Computer Certificate Auto-enrollment

Next, configure Group Policy on DC1 so that domain members automatically request computer certificates.

To configure computer certificate auto-enrollment

  1. On DC1, from the Start screen, click Group Policy Management.
  2. In the console tree, open Forest: corp.contoso.com\Domains\corp.contoso.com.
  3. In the console tree, right-click Default Domain Policy, and then click Edit.
  4. In the console tree of the Group Policy Management Editor, open Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
  5. In the details pane, double-click Certificate Services Client – Auto-Enrollment. In Configuration Model, select Enabled.
  6. Select Renew expired certificates, update pending certificates, and remove revoked certificates and Update certificates that use certificate templates. Click OK.

7.   Close Group Policy Management Editor and Group Policy Management Console.

 

Configure a client-server authentication template for auto-enrollment on APP1

Next, configure a custom client-server authentication template that can be used by servers and clients in further test lab guides.

To configure the client-server authentication template

  1. On APP1, from the Start screen, click Certification Authority.
  2. In the details pane, expand corp-APP1-CA.
  3. Right-click Certificate Templates and select Manage.
  4. In the Certificate Templates console, right-click Workstation Authentication and click Duplicate Template.
  5. On the General tab, change the Template display name to Client-Server Authentication and select Publish certificate in Active Directory.
  6. On the Extensions tab, click Application Policies and then click Edit. Click Add, and then select Server Authentication. Click OK twice to return to the Properties of New Template dialog.
  7. Click the Security tab. For Domain Computers, select the checkbox to Allow Autoenroll. Click OK. Close the Certificate Templates Console.
  8. In the Certification Authority snap-in console tree, right-click Certificate Templates and select New then Certificate Template to Issue.
  9. Select Client-Server Authentication and then click OK.
  10. Close the Certification Authority console.

 

Snapshot the Configuration

This completes the Basic PKI configuration. To save this configuration for additional test labs, do the following:

  1. On all physical computers or virtual machines in the test lab, close all windows and then perform a graceful shutdown.
  2. If your lab is based on virtual machines, save a snapshot of each virtual machine and name the snapshots Windows Server 2012 Base Configuration with Basic PKI. If your lab uses physical computers, create disk images to save the Base Configuration.

Additional Resources

For a list of all of the Windows Server 2012 TLGs, see Windows Server 2012 Test Lab Guides in the TechNet Wiki.


, , , , , , [Edit tags]
Leave a Comment
  • Please add 6 and 8 and type the answer here:
  • Post
Wiki - Revision Comment List(Revision Comment)
Sort by: Published Date | Most Recent | Most Useful
Comments
  • 14 Aug 2013 10:21 AM

    Adam Cooperman edited Revision 8. Comment: Corrected the Install-AdcsCertificationAuthority to correctly install an EnterpriseRootCA and not a standalone.

  • 3 Oct 2012 7:32 PM

    Ed Price - MSFT edited Revision 4. Comment: Font style; added tags

  • 11 Sep 2012 6:22 PM

    Joe Davies edited Revision 3. Comment: Misc editing

  • 11 Sep 2012 6:12 PM

    Joe Davies edited Revision 2. Comment: Updates for Windows Server 2012

Page 1 of 1 (4 items)
Wikis - Comment List
Sort by: Published Date | Most Recent | Most Useful
Posting comments is temporarily disabled until 10:00am PST on Saturday, December 14th. Thank you for your patience.
Comments
  • Posted by
    on 11 Sep 2012 6:12 PM

    Joe Davies edited Revision 2. Comment: Updates for Windows Server 2012

  • Posted by
    on 11 Sep 2012 6:22 PM

    Joe Davies edited Revision 3. Comment: Misc editing

  • Posted by
    on 3 Oct 2012 7:32 PM

    Ed Price - MSFT edited Revision 4. Comment: Font style; added tags

  • Posted by
    on 12 Feb 2013 6:50 AM

    This doesn't work well for me (tried in SCEP 2012 and SCSM 2012 TLGs, computers do not get their certificates). It is better to add AD CS role to DC1 and than add automatic certificate request for computers. Something like Base Config for Windows Server 2008 R2.

  • Posted by
    on 19 Jul 2013 5:10 AM

    Works for me, but  I did have to add the READ permission in step 7, section 'Configure a client-server authentication template for auto-enrollment on APP1'.

  • Posted by
    on 14 Aug 2013 10:21 AM

    Adam Cooperman edited Revision 8. Comment: Corrected the Install-AdcsCertificationAuthority to correctly install an EnterpriseRootCA and not a standalone.

  • Posted by
    on 14 Aug 2013 10:22 AM

    is it possible to post correction to the main test lab guides ? there are some bits of powershell that need sorting ?

Page 1 of 1 (7 items)