Comments (5)
@lachellel @djpackham
This issue has been assigned to me by Chi for the week of 5/8. What is the priority level, please?
from piv-guides.
@lachellel @djpackham
The document has been converted to MD, see below. Need your decision if this one should be a separate document or merged into 2_domaincontrollers.md. I would think both documents should be merged under the big title "Generating and Installing Domain Controller Certificate."
Generating and Installing Domain Controller Certificate
Accurate as of 3/17/2017 using Microsoft 2012 Server Standard Edition for Certification Authority and Domain Controller servers.
Use Case: Would like to use a local Enterprise Microsoft Certification Authority (CA) to issue a Domain Controller (DC) certificate to the DC server. The DC server must have a certificate installed with the appropriate fields/values as a pre-requisite to enabling PIV credential login for domain connected devices.
Pre-requisite: Server hosting the CA must be on the domain.
Install CA Role
- Log on to the CA server as a member of the Enterprise Administrators group.
- Open Server Manager
- Click Manage, and then click Add Roles and Features.
- Proceed through the Add Roles and Features Wizard, choosing the following options:
  - Server Roles: Active Directory Certificate Services
  - AD CS Role Services: Certification Authority
- On the Results page, click Configure Active Directory Certificate Services on the destination server.
- Proceed through the AD CS Configuration, choosing the following options as necessary:
  - Role Service: Certification Authority
  - Setup Type: Enterprise CA
  - CA Type: Root CA
  - Private Key: Create a new private key
  - Cryptography: RSA#Microsoft Software Key Storage Provider, 2048 bit, SHA-256
  - CA Name: use the recommended naming convention dc=[AD suffix], dc=[AD domain], cn=[certification authority name], e.g. dc=gov, dc=[AgencyName], cn=[AgencyName] NPE CA1
  - Validity Period: 6 years
  - Certificate Database: <your preference>
Configure CA Template for Domain Controller
Note: Certificate templates are only available on Enterprise CAs.
- Log on to the CA server as a member of the Enterprise Administrators group
- Open the certificate templates MMC snap-in (i.e. certtmpl.msc)
- Right-click the Domain Controller Authentication template and click Duplicate Template
- Under the Compatibility tab, modify the Compatibility Settings for both the CA and certificate recipients to as high as possible (e.g. Windows Server 2012 R2, Windows 7 / 2008 R2)
- Under the General tab:
  - Recommend renaming template to: <Your organization> - Domain Controller Authentication
  - Recommend modifying validity period to: 3 years
  - Recommend modifying Renewal period to: 6 weeks
- Under the Cryptography tab:
  - Set minimum key size to 2048
  - If possible, set Request hash to SHA256
- Open the CA console (i.e. certsrv.msc)
- In the console tree, click the name of the CA
- In the details pane, double-click Certificate Templates
- In the console tree, right-click Certificate Templates, click New, and then click Certificate Template To Issue
- Select and enable the certificate template that was created in step 9 above, and then click OK
Auto-enroll Domain Controller Certificate Using Group Policy Object (GPO)
- Log on to the Domain Controller server as a member of the Enterprise Administrators group
- Open the GPMC (i.e. gpmc.msc)
- Within the appropriate GPO, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies
- Configure Certificate Services Client – Auto-Enrollment with the following options:
  - Configuration Model: Enabled
  - Renew Expired Certificates, Update Pending Certificates, Remove Revoked Certificates: Check
  - Update Certificates That Use Certificate Templates: Check
- You can now force the group policy to update via the command line (gpupdate /force) or wait for the group policy to update on its own
- If successful, you should see a new DC cert in the Certificates (Local Computer) -> Personal -> Certificates folder (i.e. open MMC.exe -> File -> Add/Remove Snap-in -> Certificates -> Computer account -> Local computer). If you look at the furthest tab called "Certificate Template" you should see a cert generated with the custom template you created in step 9.
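As an added verification step for the last bullet of the guide above (this PowerShell script is not part of the converted document or the piv-guides project), the check below finds the auto-enrolled DC certificate in the computer's Personal store by its template extension and reports whether it meets the key size, hash, EKU, SAN and chain expectations the procedure sets. The `$TemplateName` placeholder, the expected EKU set (taken from the Domain Controller Authentication template the custom one is duplicated from) and the 6-week renewal window are assumptions to adjust for your environment.

```powershell
# Added verification script (not part of the original guide). Run on the DC after auto-enrollment;
# $TemplateName is an assumed placeholder: replace it with the name of your duplicated template.
param(
    [string]$TemplateName = '<Your organization> - Domain Controller Authentication'
)

$TemplateExtOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2+ templates)
$RequiredEku = @{                           # EKUs assumed from the Domain Controller Authentication template
    'Server Authentication' = '1.3.6.1.5.5.7.3.1'
    'Smart Card Logon'      = '1.3.6.1.4.1.311.20.2.2'
}
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Certificates in the computer's Personal store whose template extension names the custom template.
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Extensions | Where-Object {
        $_.Oid.Value -eq $TemplateExtOid -and $_.Format($false) -like "*$TemplateName*"
    }
}
if (-not $certs) {
    Write-Warning "No certificate from template '$TemplateName' in LocalMachine\My; run 'gpupdate /force' and check the CertificateServicesClient-AutoEnrollment event log."
    exit 1
}

foreach ($cert in $certs) {
    $problems = @()
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if (-not $rsa -or $rsa.KeySize -lt 2048) { $problems += 'key is not RSA 2048 or larger' }
    if ($cert.SignatureAlgorithm.FriendlyName -ne 'sha256RSA') {
        $problems += "signed with $($cert.SignatureAlgorithm.FriendlyName), expected sha256RSA"
    }
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    foreach ($name in $RequiredEku.Keys) {
        if ($ekuOids -notcontains $RequiredEku[$name]) { $problems += "missing EKU: $name" }
    }
    if (@($cert.DnsNameList.Unicode) -notcontains $fqdn) { $problems += "SAN lacks DC FQDN $fqdn" }
    if (-not $cert.HasPrivateKey) { $problems += 'no private key bound to the certificate' }
    if (-not $cert.Verify()) { $problems += 'chain to the Enterprise CA does not validate' }
    if ($cert.NotAfter -lt (Get-Date).AddDays(42)) { $problems += 'inside the 6-week renewal window' }

    if ($problems.Count -eq 0) {
        Write-Host "OK   $($cert.Thumbprint)  $($cert.Subject)  expires $($cert.NotAfter)"
    } else {
        Write-Host "FAIL $($cert.Thumbprint): $($problems -join '; ')"
    }
}
```

A FAIL line for a missing EKU or a wrong hash usually means the template settings under the Cryptography tab did not take effect before the certificate was issued, so fix the template and let auto-enrollment renew the certificate.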
(nice doc. no specific technical feedback.)
Is there an assumption all PIV-connected Windows servers are domain-attached? (Some of us folks out here in vendor-land would prefer to start with stand-alone servers using PIV even if that's not a use case inside the government world.)
@lachellel @djpackham Is there a GSA branch other than Staging against which you would like the Pull Request submitted for this document? Thought I should ask. Thank you.
@lachellel @djpackham Question about formatting steps (procedures) in developer guides (domain controllers, ssh, etc.). The PIV-Guides website style for steps seems to be one unnumbered paragraph for each step + sub-bullets for sub-steps. The developer guides' procedures are longer and more detailed than any on the website. We have been numbering all steps (which are visually easier to follow when you have a lot of steps). However, since the website uses the paragraph + sub-bullets format, I'm wondering if we should conform to that style...?