A public key infrastructure (PKI) is responsible for creating, managing, distributing, storing, and revoking digital certificates. In Windows environments, digital certificates are used to secure many types of connections.
Among these connection types are Microsoft Active Directory LDAPS lookups (Lightweight Directory Access Protocol over Secure Sockets Layer), Internet Information Services (IIS) HTTPS connections, Exchange Server communications, and Windows Server Update Services.
You can also manage your certificates with a Windows-hosted PKI in an Amazon Web Services (AWS) account, which helps you reduce insecure, unsigned network traffic. To implement a PKI environment, install and configure the certification authority (CA) role on one or more Windows servers.
The Microsoft PKI Quick Start installs a root CA and a subordinate CA. The root CA is the primary certification authority for an Active Directory forest; its certificate anchors the trust chain for the server and application certificates issued by the subordinate CA.
The Quick Start generates an initial root certificate and then shuts down the root CA's Amazon Elastic Compute Cloud (Amazon EC2) instance. The instance stays offline except when a new root certificate is required, which helps protect the integrity of the root certificate.
Here are five ways in which you can easily set up Microsoft PKI.
1. After Windows 2000 Server base setup has been completed
To install Certificate Services on a server that already has Windows 2000 Server installed, double-click Add/Remove Programs in Control Panel. After you select Certificate Services for installation, the Certificate Services Installation wizard walks you through the installation procedure.
2. As part of the Windows 2000 Server base setup
Although Certificate Services ships with Windows 2000 Server, Microsoft PKI is not installed by default during the Windows 2000 Server installation process.
To install Certificate Services during the initial base installation of Windows 2000 Server, select it from the optional components list offered during setup. The installation is not completed until you log on to the server after Windows 2000 setup has finished; a notification then prompts you to finish configuring the CA.
3. Enabling computer certificate auto-enrollment
- From the Start screen on 3-DC1, select Group Policy Management.
- In the console tree, open Forest: corp.contoso.com\Domains\corp.contoso.com.
- Right-click Default Domain Policy in the console tree, then select Edit.
- In the Group Policy Management Editor console tree, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
- Double-click Certificate Services Client - Auto-Enrollment in the details pane. Select Enabled from the Configuration Model drop-down menu.
- Select the check boxes to renew expired certificates, update pending certificates, remove revoked certificates, and update certificates that use certificate templates. Select OK.
- Next, create a unique client-server authentication template.
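The GPO setting configured above writes a single registry value; as an added example (not from the original article), the same setting applied and verified from PowerShell, assuming the GroupPolicy RSAT module is available on 3-DC1:

```powershell
# Added example, not part of the original article: the registry value behind the
# "Certificate Services Client - Auto-Enrollment" GPO setting, set and verified from
# PowerShell. Assumes the GroupPolicy RSAT module is present on 3-DC1.
Import-Module GroupPolicy

$GpoName = 'Default Domain Policy'
$Key     = 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'

# AEPolicy is a bit mask; the check boxes in the GUI map onto it as follows.
$Enabled         = 0x1   # Configuration Model = Enabled
$RenewAndRevoke  = 0x2   # renew expired, update pending, remove revoked certificates
$UpdateTemplates = 0x4   # update certificates that use certificate templates
$AEPolicy = $Enabled -bor $RenewAndRevoke -bor $UpdateTemplates   # 7 = all boxes checked

Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'AEPolicy' `
    -Type DWord -Value $AEPolicy | Out-Null

# Read the value back so the change is verified rather than assumed.
$Actual = (Get-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'AEPolicy').Value
if ($Actual -ne $AEPolicy) { throw "AEPolicy is $Actual, expected $AEPolicy" }

# Configuration Model = Disabled writes 0x8000; report any other GPO in the domain
# that would switch computer auto-enrollment off again.
Get-GPO -All | ForEach-Object {
    $v = Get-GPRegistryValue -Name $_.DisplayName -Key $Key -ValueName 'AEPolicy' `
        -ErrorAction SilentlyContinue
    if ($v -and ($v.Value -band 0x8000)) {
        Write-Warning "$($_.DisplayName) disables computer auto-enrollment"
    }
}

# On a domain-joined computer: pull the policy, trigger enrollment, list what arrived.
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null
Get-ChildItem Cert:\LocalMachine\My | Format-Table Subject, Issuer, NotAfter -AutoSize
```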
4. To install the Certification Services server role on 3-DC1
- On the Server Manager Dashboard, select Add roles and features under Configure this local server.
- To proceed to the server role selection screen, click Next three times.
- On the Select Server Roles page, choose Active Directory Certificate Services, then click Add Features when requested.
- Accept the default settings by clicking Next three times, then click Install.
- Wait for the installation to finish.
- In the Installation Progress window, click the Configure Active Directory Certificate Services link on the target server.
- On the Credentials screen, click Next.
- On the Role Services page, click Next after selecting Certification Authority.
- Click Next seven times to accept the Enterprise Root CA's default configuration parameters.
- Click Configure on the confirmation screen.
- Confirm that the setup was successful, then click Close.
- After that, in the Add Roles and Features Wizard, click Close.
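Accepting the wizard defaults with seven Next clicks leaves the CA's key size, hash algorithm and validity period implicit. As an added example (not from the original article), the same installation done unattended with those values stated and checked afterwards, assuming the CA name corp-3-DC1-CA that the article uses later:

```powershell
# Added example, not part of the original article: unattended equivalent of the
# Server Manager steps, with the values the wizard would accept silently made explicit.
# Assumes the CA common name corp-3-DC1-CA used elsewhere in the article.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools | Out-Null

$CaParams = @{
    CAType              = 'EnterpriseRootCA'
    CACommonName        = 'corp-3-DC1-CA'
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = 4096      # wizard default is 2048
    HashAlgorithmName   = 'SHA256'
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 10        # wizard default is 5
    Force               = $true     # no interactive confirmation
}
Install-AdcsCertificationAuthority @CaParams

# Pin the CRL publication intervals instead of inheriting whatever the install left.
certutil -setreg CA\CRLPeriodUnits 1      | Out-Null
certutil -setreg CA\CRLPeriod 'Weeks'     | Out-Null
certutil -setreg CA\CRLDeltaPeriodUnits 1 | Out-Null
certutil -setreg CA\CRLDeltaPeriod 'Days' | Out-Null
Restart-Service CertSvc

# Checks the wizard's "Configuration succeeded" screen does not perform for you:
# service running, self-signed CA certificate present with its private key,
# and the requested hash algorithm and key size actually in use.
if ((Get-Service CertSvc).Status -ne 'Running') { throw 'CertSvc is not running' }
$CaCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.Subject -eq $_.Issuer -and $_.Subject -like 'CN=corp-3-DC1-CA*'
}
if (-not $CaCert) { throw 'Self-signed CA certificate with private key not found' }
if ($CaCert.SignatureAlgorithm.FriendlyName -ne 'sha256RSA') {
    throw "Unexpected signature algorithm: $($CaCert.SignatureAlgorithm.FriendlyName)"
}
if ($CaCert.PublicKey.Key.KeySize -ne 4096) {
    throw "Unexpected key size: $($CaCert.PublicKey.Key.KeySize)"
}
certutil -cainfo
```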
5. To configure the client-server authentication template
- From the Start screen of 3-DC1, select Certification Authority.
- Expand corp-3-DC1-CA in the details pane.
- Select Manage from the Certificate Templates menu.
- Right-click Workstation Authentication in the Certificate Templates interface and select Duplicate Template.
- Change the Template display name to Client-Server Authentication and select Publish certificate in Active Directory on the General tab.
- On the Extensions tab, select Application Policies and click Edit. Click Add, select Server Authentication, and click OK. Click Add again, select IP security IKE intermediate, and click OK.
- Click OK after selecting Client-Server Authentication.
- Close the Certification Authority console.
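A duplicated template is easy to get subtly wrong (a missing application policy, or a template the CA never lists for issuance). As an added example (not from the original article), a check of the template created above read straight from Active Directory, assuming the template's CN is the display name without spaces, as the wizard names it by default:

```powershell
# Added example, not part of the original article: verify the Client-Server Authentication
# template has the extended key usages the steps above add, then make sure the CA issues it.
# Assumes the template CN 'Client-ServerAuthentication' (display name minus the space).
Import-Module ADCSAdministration

$TemplateName = 'Client-ServerAuthentication'   # assumed CN; adjust if you renamed it
$ConfigNC     = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$Template     = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNC"

# Client Authentication is inherited from Workstation Authentication; the other two
# are the application policies added on the Extensions tab.
$RequiredEku = @{
    '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
    '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
    '1.3.6.1.5.5.8.2.2' = 'IP security IKE intermediate'
}
$ActualEku = @($Template.Properties['pKIExtendedKeyUsage'])
foreach ($oid in $RequiredEku.Keys) {
    if ($ActualEku -notcontains $oid) {
        throw "Template lacks $($RequiredEku[$oid]) ($oid)"
    }
}

# Bit 0x8 of msPKI-Enrollment-Flag is "Publish certificate in Active Directory".
$PublishToDs = 0x8
$EnrollFlag  = [int]$Template.Properties['msPKI-Enrollment-Flag'][0]
if (-not ($EnrollFlag -band $PublishToDs)) {
    Write-Warning 'Template does not publish issued certificates to Active Directory'
}

# A template is only issuable once the CA lists it (Certificate Templates > New >
# Certificate Template to Issue in the console); add it if that step was skipped.
if (-not (Get-CATemplate | Where-Object Name -eq $TemplateName)) {
    Add-CATemplate -Name $TemplateName -Force
}
Get-CATemplate | Format-Table Name, Oid -AutoSize
```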
Why Microsoft Enterprise PKI?
Passwords are insecure because they can be lost or stolen, so networks that rely on credential-based authentication are always vulnerable to over-the-air credential theft. Furthermore, credential-based authentication systems require password reset policies, which are inconvenient for network administrators and end users alike.
Because digital certificates can be bound to devices and act as the device's or user's identity in the digital landscape, they allow stronger identification. Using certificates, administrators can quickly configure devices for certificate-based 802.1X authentication with EAP-TLS. A PKI is the foundation on which administrators build a certificate-based network.
Bottom line
In this article we have provided some quick guidelines and best-practice guidance on effectively setting up a PKI that includes offline standalone CAs and enterprise-based online issuing CAs. If you use a three-tier hierarchy, the script that publishes the root CA's certificate and CRL file to the issuing CA's local store and to Active Directory must be modified, because the policy CA's certificate and CRL must also be published to the enterprise issuing CA's local certificate store and to Active Directory.
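As an added example (not the article's own script), the publishing step described above written so that the same script serves a two-tier and a three-tier hierarchy. It is meant to run on the enterprise issuing CA as an Enterprise Admin; the file paths and offline CA host names are placeholders for what you export from the offline root (and policy) CA.

```powershell
# Added example, not part of the original article: publish the offline root CA's (and,
# for three tiers, the policy CA's) certificate and CRL to Active Directory and to this
# issuing CA's local stores. File paths and host names below are placeholders.
param(
    [string]$RootCert   = 'C:\PKI\Offline\root-ca.crt',     # placeholder
    [string]$RootCrl    = 'C:\PKI\Offline\root-ca.crl',     # placeholder
    [string]$RootHost   = 'OFFLINE-ROOT',                   # placeholder: root CA host name
    [string]$PolicyCert = '',                               # set all three for a three-tier PKI
    [string]$PolicyCrl  = '',
    [string]$PolicyHost = ''
)

function Publish-OfflineCa {
    param([string]$Cert, [string]$Crl, [string]$Host, [string]$DsContainer, [string]$LocalStore)
    foreach ($f in @($Cert, $Crl)) { if (-not (Test-Path $f)) { throw "Missing file: $f" } }
    # Active Directory: certificate into the RootCA or SubCA container, CRL into the CDP
    # container named after the offline CA's host (what clients see in the CRL's CDP URL).
    certutil -dspublish -f $Cert $DsContainer | Out-Null
    certutil -dspublish -f $Crl $Host         | Out-Null
    # Local stores, so chain building works on this server immediately rather than after
    # group policy has delivered the AD-published objects.
    certutil -addstore -f $LocalStore $Cert | Out-Null
    certutil -addstore -f $LocalStore $Crl  | Out-Null
}

# Two tiers: the offline root is a trust anchor (RootCA container, Trusted Root store).
Publish-OfflineCa -Cert $RootCert -Crl $RootCrl -Host $RootHost -DsContainer RootCA -LocalStore Root

# Three tiers: the policy CA is an intermediate, not an anchor, so it belongs in the
# SubCA (AIA) container and the Intermediate Certification Authorities store ("CA").
if ($PolicyCert) {
    Publish-OfflineCa -Cert $PolicyCert -Crl $PolicyCrl -Host $PolicyHost -DsContainer SubCA -LocalStore CA
}

# Confirm this issuing CA's own certificate now chains to the root, with revocation checking.
$IssuingCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and ($_.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] -and $_.CertificateAuthority })
} | Select-Object -First 1
if (-not $IssuingCert) { throw 'No CA certificate with a private key found in the local Personal store' }
$Tmp = Join-Path $env:TEMP 'issuing-ca.cer'
Export-Certificate -Cert $IssuingCert -FilePath $Tmp | Out-Null
certutil -verify -urlfetch $Tmp
```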