
Comments (5)

godadada avatar godadada commented on September 15, 2024

@lachellel @djpackham
This issue has been assigned to me by Chi for the week of 5/8. What is the priority level, please?

from piv-guides.

godadada avatar godadada commented on September 15, 2024

@lachellel @djpackham
The document has been converted to MD, see below. Need your decision if this one should be a separate document or merged into 2_domaincontrollers.md. I would think both documents should be merged under the big title "Generating and Installing Domain Controller Certificate."

Generating and Installing Domain Controller Certificate

Accurate as of 3/17/2017 using Microsoft 2012 Server Standard Edition for Certification Authority and Domain Controller servers.

Use Case: Would like to use a local Enterprise Microsoft Certification Authority (CA) to issue a Domain Controller (DC) certificate to the DC server. The DC server must have a certificate installed with the appropriate fields/values as a pre-requisite to enabling PIV credential login for domain connected devices.

*Pre-requisite: Server hosting the CA must be on the domain

Install CA Role

  1. Log on to the CA server as a member of the Enterprise Administrators group.
  2. Open Server Manager
  3. Click Manage , and then click Add Roles and Features.
  4. Proceed through the Add Roles and Features Wizard, choosing the following options:
  • Server Roles: Active Directory Certificate Services
  • AD CS Roles Services: Certification Authority
  5. On the Results page, click Configure Active Directory Certificate Services on the destination server.
  6. Proceed through the AD CS Configuration, choosing the following options as necessary:
  • Role Service: Certification Authority
  • Setup Type: Enterprise CA
  • CA Type: Root CA
  • Private Key: Create a new private key
  • Cryptography: RSA#Microsoft Software Key Storage Provider, 2048 bit, SHA-256
  • CA Name should use the recommended naming convention:
    dc=[AD suffix], dc=[AD domain], cn=[certification authority name],
    e.g. dc=gov, dc=[AgencyName], cn=[AgencyName] NPE CA1
  • Validity Period: 6 years
  • Certificate Database: <your preference>

Configure CA Template for Domain Controller

* Certificate templates are only available on Enterprise CAs

  1. Log on to the CA server as a member of the Enterprise Administrators group
  2. Open the certificate templates MMC snap-in (i.e. certtmpl.msc )
  3. Right-click the Domain Controller Authentication template and click Duplicate Template
  4. Under the Compatibility Tab , modify the Compatibility Settings for both the CA and certificate recipients to as high as possible (e.g. Windows Server 2012 R2, Windows 7 / 2008 R2 )
  5. Under the General tab :
  • Recommend renaming template to: <Your organization> - Domain Controller Authentication
  • Recommend modifying validity period to: 3 years
  • Recommend modifying Renewal period to: 6 weeks
  6. Under the Cryptography tab :
  • Set minimum key size to 2048
  • If possible, set Request hash to SHA256
  7. Open the CA console (i.e. certsrv.msc )
  8. In the console tree, click the name of the CA
  9. In the details pane, double-click Certificate Templates
  10. In the console tree, right-click Certificate Templates , click New , and then click Certificate Template To Issue
  11. Select and enable the certificate template that was created in step 9 above, and then click OK

Auto-enroll Domain Controller Certificate Using Group Policy Object (GPO)

  1. Log on to the Domain Controller server as a member of the Enterprise Administrators group
  2. Open the GPMC (i.e. gpmc.msc )
  3. Within the appropriate GPO, navigate to _Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies_
  4. Configure Certificate Services Client – Auto-Enrollment with the following options:
  • Configuration Model: Enabled
  • Renew Expired Certificates, Update Pending Certificates, Remove Revoked Certificates: Check
  • Update Certificates That Use Certificate Templates: Check
  5. You can now force the group policy to update via command-line: gpupdate /force or wait for the group policy to update on its own
  6. If successful, you should see a new DC cert in the Certificates (Local Computer) -> Personal -> Certificates folder (i.e. open MMC.exe -> File -> Add/Remove Snap-in -> Certificates -> Computer account -> Local computer). If you look at the furthest tab called "Certificate Template" you should see a cert generated with the custom template you created in step 9.

from piv-guides.
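The three procedures in the draft above (install the Enterprise Root CA, publish the duplicated Domain Controller Authentication template, auto-enroll the DC and confirm the issued certificate) can be scripted and, more usefully, verified from PowerShell. The following is an added example written for this page; it is not code from the piv-guides project or from the comment author. It assumes the placeholder agency name `AgencyName`, an internal template name of `AgencyName-DomainControllerAuthentication` (the duplicated template itself is still created in certtmpl.msc, since the built-in ADCS modules do not create templates), and that the issued certificate should carry at least the Client Authentication and Server Authentication EKUs that the built-in Domain Controller Authentication template includes. Run the CA part on the CA server and the check on the domain controller, both as an Enterprise Admin.

```powershell
#Requires -RunAsAdministrator
# Added example for this page (not piv-guides project code).
# Part 1: install and configure the Enterprise Root CA with the values the draft
# recommends (RSA KSP, 2048-bit key, SHA-256, 6-year validity, recommended DN form).
function Install-AgencyEnterpriseRootCA {
    param(
        [string]$AgencyName = 'AgencyName',            # placeholder, assumption
        [string]$CaCommonName = "$AgencyName NPE CA1",  # cn= part of the recommended DN
        [string]$DnSuffix = "DC=$AgencyName,DC=gov"     # dc=gov, dc=[AgencyName]
    )
    Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools | Out-Null
    Install-AdcsCertificationAuthority `
        -CAType EnterpriseRootCA `
        -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
        -KeyLength 2048 `
        -HashAlgorithmName SHA256 `
        -CACommonName $CaCommonName `
        -CADistinguishedNameSuffix $DnSuffix `
        -ValidityPeriod Years -ValidityPeriodUnits 6 `
        -Force
}

# Part 2: publish the duplicated template so the CA will issue it. The internal
# template name has no spaces; the display name in certtmpl.msc may differ.
function Publish-DomainControllerTemplate {
    param([string]$TemplateName = 'AgencyName-DomainControllerAuthentication')  # assumption
    Import-Module ADCSAdministration
    Add-CATemplate -Name $TemplateName -Force
}

# Part 3 (run on the DC): trigger auto-enrollment, then confirm the certificate in
# the Local Computer\Personal store came from the custom template and has the
# fields a PIV logon deployment depends on.
function Test-DomainControllerCertificate {
    param(
        [string]$TemplateName = 'AgencyName-DomainControllerAuthentication',  # assumption
        [int]$MinKeyBits = 2048,
        # EKUs of the built-in Domain Controller Authentication template (assumption
        # that the duplicate kept them): Client Auth, Server Auth.
        [string[]]$RequiredEku = @('1.3.6.1.5.5.7.3.2', '1.3.6.1.5.5.7.3.1')
    )
    gpupdate /force | Out-Null
    certutil -pulse | Out-Null      # kick the autoenrollment task instead of waiting

    $templateOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2)
    $candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
        $ext -and ($ext.Format($false) -like "*$TemplateName*")
    }
    if (-not $candidates) {
        Write-Warning "No certificate issued from template '$TemplateName' found; check CA permissions on the template and the GPO scope."
        return $false
    }

    $ok = $true
    foreach ($cert in $candidates) {
        $ekus = ($cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }).EnhancedKeyUsages.Value
        $missingEku = $RequiredEku | Where-Object { $_ -notin $ekus }
        $keyBits = $cert.PublicKey.Key.KeySize
        $sigAlg = $cert.SignatureAlgorithm.FriendlyName
        $san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)

        Write-Host "Subject:   $($cert.Subject)"
        Write-Host "Thumbprint: $($cert.Thumbprint)"
        Write-Host "Expires:   $($cert.NotAfter)"
        Write-Host "Key size:  $keyBits  SigAlg: $sigAlg"
        Write-Host "SAN:       $san"
        Write-Host "EKU:       $($ekus -join ', ')"

        if ($missingEku)               { Write-Warning "Missing EKU(s): $($missingEku -join ', ')"; $ok = $false }
        if ($keyBits -lt $MinKeyBits)  { Write-Warning "Key is $keyBits bits, below $MinKeyBits";   $ok = $false }
        if ($sigAlg -notlike '*sha256*') { Write-Warning "Signature algorithm is $sigAlg, not SHA-256"; $ok = $false }
        if (-not $cert.HasPrivateKey)  { Write-Warning 'No private key bound to the certificate'; $ok = $false }
        # A DC certificate the KDC can use must chain to a trusted root on this host.
        if (-not $cert.Verify())       { Write-Warning 'Certificate does not chain to a trusted root'; $ok = $false }
    }
    return $ok
}
```

`Test-DomainControllerCertificate` returns `$true` only when every certificate issued from the custom template meets the key-size, hash, EKU, private-key and chain checks, so it doubles as a pre-flight gate before turning on smart-card logon. The template-name match relies on Windows resolving the template OID to its name from Active Directory, which it does for templates published in the forest.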

rt-smithee avatar rt-smithee commented on September 15, 2024

(nice doc. no specific technical feedback.)

Is there an assumption all PIV-connected Windows servers are domain-attached? (Some of us folks out here in vendor-land would prefer to start with stand-alone servers using PIV even if that's not a use case inside the government world.)

from piv-guides.

clstmbrly avatar clstmbrly commented on September 15, 2024

@lachellel @djpackham Is there a GSA branch other than Staging against which you would like the Pull Request submitted for this document? Thought I should ask. Thank you.

from piv-guides.

clstmbrly avatar clstmbrly commented on September 15, 2024

@lachellel @djpackham Question about formatting steps (procedures) in developer guides (domain controllers, ssh, etc.). The PIV-Guides's website style for steps seems to be one unnumbered paragraph for each step + sub-bullets for sub-steps. The developer guides' procedures are longer and more detailed than any on the website. We have been numbering all steps (which are visually easier to follow when you have a lot of steps). However, since the website uses the paragraph + sub-bullets format, I'm wondering if we should conform to that style...?

from piv-guides.
