Part 2: MS Certification Authority and Group Policies

The following sections cover how to install and configure the Microsoft Certification Authority and Group Policies:

The examples below use the following denotations:

  • The domain used is yourcompany.com (YOURCOMPANY).
  • The Certificate Services hostname is csserver.yourcompany.com.
  • The Tomcat server hostname is tomcatserver.yourcompany.com.

Labels shown in bold, and text enclosed in angle brackets in the examples below, are placeholders and should be replaced with the names used in your environment.

Step 1 - Install Active Directory Certificate Services

The following covers instructions for how to install and configure Active Directory (AD) Certificate Services.

Install Active Directory Certificate Services

To install Active Directory Certificate Services:

  1. Assign a static IP address for this host.

  2. Give the host an appropriate computer name (<csserver>).

  3. Join the host to the domain (yourcompany.com) using an account that belongs to the Domain Admins or Enterprise Admins group.
  4. Open the Server Manager.
  5. Click Add roles and features.
  6. Click Next.
  7. Select Role-based or feature-based installation and click Next.
  8. Select Select a server from the server pool, select this server, and then click Next.
  9. Select Active Directory Certificate Services.
  10. When prompted to add required features, click Add Features.
  11. Proceed until reaching the Role Services page.
  12. Select Certification Authority and Certification Authority Web Enrollment.
  13. In the appearing popup panel, click Add Features to add IIS and its corresponding features.
  14. Proceed until the Confirmation page and click Install.
  15. When the installation completes, click Close.

Configure Active Directory Certificate Services

To configure Active Directory Certificate Services:

  1. Click the new task shown in the Server Manager notifications: Configure Active Directory Certificate Services on the destination server.
  2. In the shown credentials panel, click Change.
  3. Enter an account that belongs to the Domain/Enterprise Admin group, click OK, and then click Next.
  4. Select role services to configure Certification Authority and Certification Authority Web Enrollment, and then click Next.
  5. Select Enterprise CA, and click Next.
  6. Select Root CA, and click Next.
  7. Select Create a new private key and click Next.
  8. Set the Cryptography provider to RSA#Microsoft Software Key Storage Provider.
  9. Set the Key Length to 4096 bits.
  10. Set the hash algorithm to SHA256 and click Next.
  11. Enter a unique name for the CA such as <MSCA-Proxy> and then click Next.
  12. Set the validity period to 25 years.
  13. Configure the location for the certificate database and certificate database logs.
  14. Click Next, then click Configure, and then click Close.

Step 2 - Configure Active Directory Certificate Enrollment Policy Services

To configure the Active Directory Certificate Enrollment Policy Services on the Certificate Services Server, first create and prepare the Service Account and then install the Certificate Enrollment Services according to the instructions below.

Prepare Service Account

To prepare the Service Account:

  1. If not already done, create the service account (<ces-service>) for Certificate Enrollment Services and the service account (<servlet-service>) for the Tomcat servlet on the AD Domain Services server.
    (warning) Use a single service account if performing this installation with a single service account on a single host.
  2. Open the Local Users and Group manager (lusrmgr.msc).
  3. Navigate to Groups.
  4. Right-click the IIS_IUSRS group and select Properties.
  5. Click Add and enter the object name <YOURCOMPANY\ces-service>.
  6. Click OK and enter an account that belongs to the Domain/Enterprise Admin group, then click OK.
  7. Open the Command Prompt with Admin permissions.
  8. Register the service principal names (SPNs) for the service accounts by running the following commands as admin, replacing the server FQDNs and account names with your own configuration. Windows Integrated Authentication (Kerberos) against CES and against the Tomcat servlet only works if the HTTP/<FQDN> SPN is registered on the account that runs that service, and an SPN may exist only once in the forest.
    setspn -s HTTP/csserver.yourcompany.com ces-service
    setspn -s HTTP/tomcatserver.yourcompany.com servlet-service

    (warning) If using a single service account and performing this installation on a single host (the csserver host), ensure to only run the setspn command once.
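The account and SPN preparation above, as an added PowerShell example (not part of the original guide and not EJBCA's own tooling). It creates both service accounts if missing, adds only the CES account to the local IIS_IUSRS group, refuses to register an SPN that another principal already holds, and verifies the result. The account names, hostnames and domain are the guide's placeholders; the password prompts, the non-expiring password setting and the use of the RSAT ActiveDirectory module are assumptions. For the single-host, single-account variant, keep only the csserver entry in the table.

```powershell
# Added example: service accounts, IIS_IUSRS membership and SPN registration
# for the CES/CEP host and the Tomcat servlet host. Run in an elevated
# PowerShell on csserver.yourcompany.com as a Domain Admin; requires the RSAT
# ActiveDirectory module (assumption: RSAT is installed).
Import-Module ActiveDirectory

$domain  = 'yourcompany.com'
$netbios = 'YOURCOMPANY'
# Service account -> host whose HTTP/<FQDN> SPN it must own.
# Single-host setup: keep only the 'ces-service' line.
$accounts = @{
    'ces-service'     = 'csserver.yourcompany.com'      # CES/CEP app pools in IIS
    'servlet-service' = 'tomcatserver.yourcompany.com'  # Tomcat autoenroll servlet
}

foreach ($sam in $accounts.Keys) {
    $spn = "HTTP/$($accounts[$sam])"

    # 1. Create the account if it does not exist. A silently expiring password
    #    would stop Kerberos authentication for every client at once.
    if (-not (Get-ADUser -Filter "sAMAccountName -eq '$sam'")) {
        New-ADUser -Name $sam -SamAccountName $sam `
            -UserPrincipalName "$sam@$domain" `
            -AccountPassword (Read-Host -AsSecureString "Password for $sam") `
            -PasswordNeverExpires $true -CannotChangePassword $true -Enabled $true
    }

    # 2. Never register a duplicate SPN: the KDC would issue tickets for the
    #    wrong account and Windows Integrated Authentication would break.
    $owner = Get-ADObject -Filter "servicePrincipalName -eq '$spn'"
    if ($owner -and $owner.Name -ne $sam) {
        throw "SPN $spn is already registered on $($owner.DistinguishedName)"
    }
    if (-not $owner) {
        setspn -S $spn "$netbios\$sam"
    }
}

# 3. Only the account that runs the CES/CEP application pools needs IIS_IUSRS;
#    servlet-service is deliberately left out (least privilege).
$ces = "$netbios\ces-service"
if (-not (Get-LocalGroupMember -Group 'IIS_IUSRS' -Member $ces -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'IIS_IUSRS' -Member $ces
}

# 4. Verify: each account lists its HTTP/ SPN, and setspn -X reports no
#    duplicate SPNs anywhere in the forest.
foreach ($sam in $accounts.Keys) {
    $spns = (Get-ADUser -Identity $sam -Properties servicePrincipalName).servicePrincipalName
    '{0,-16} {1}' -f $sam, ($spns -join ', ')
}
setspn -X
```

If setspn -X lists any duplicate involving HTTP/csserver or HTTP/tomcatserver, resolve it before continuing; a duplicate is the most common reason CES later answers with an authentication error even though the service account and IIS configuration look correct.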

Install Certificate Enrollment Services

To install the Certificate Enrollment Services:

  1. Open the Server Manager.
  2. Click Add roles and features and click Next.
  3. Select Role-based or feature-based installation and click Next.
  4. Select Select a server from the server pool, select this server and click Next.
  5. Expand the Active Directory Certificate Services, select Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service and then click Next.
  6. Proceed until the Confirmation page and click Install.
  7. Reboot the server after the roles have been installed.

Step 3 - Configure Certificate Templates

Follow the instructions in the following sections to configure Certificate Templates and Certificate Enrollment Services, and issue a Server Certificate to the CS server.

Configure Certificate Templates

To configure Certificate Templates:

  1. Open the Certificate Authority Manager (certsrv.msc).
  2. Expand the selection for your CA.
  3. Right-click Certificate Templates and click Manage.
  4. If a warning about creating the object identifier list appears, click OK, and then click Refresh.
  5. Right-click the Computer template, select Duplicate Template and specify the following:
    1. Under Compatibility Settings, specify Certification Authority=Windows Server 2003 and Certificate recipient=Windows XP/Server 2003.
    2. Click the General tab, and change the Template display name to Computer_Auto_Enrollment.
    3. Click the Security tab, and give "Domain Computers" permissions to Enroll and Autoenroll.
    4. Select the Subject Name tab, and change the Subject name format to DNS Name.
    5. Select DNS Name in the subject alternative name.
    6. Under the Request Handling tab, clear Allow private key to be exported.
    7. Click OK to go back to the template list.
  6. Right-click the User template and select Duplicate Template and specify the following:
    1. Under Compatibility Settings, specify Certification Authority=Windows Server 2003 and Certificate recipient=Windows XP/Server 2003.
    2. Click the General tab, and change the Template display name to User_Auto_Enrollment.
      (warning) If the user certificate must be published in Active Directory and Credential Roaming is enabled, select both Publish certificate in Active Directory and Do not automatically re-enroll if a duplicate certificate exists in Active Directory.
    3. Select the Security tab, and give "Domain Users" permissions to Enroll and Autoenroll.
    4. Select the Subject Name tab, and change the Subject name format to Common name.
    5. Clear Include email name in subject name and clear Email name in the subject alternative name.
    6. Select User principal name (UPN).
    7. Under the Request Handling tab, clear Allow private key to be exported.
    8. Click OK to go back to the template list and then close the Certificate Templates Console window.
  7. Return to the Certificate Authority manager, right-click Certificate Templates, specify the following and then click OK:
    1. Select New > Certificate Template to Issue.
    2. Select Computer_Auto_Enrollment and User_Auto_Enrollment.
  8. In the Certificate Templates folder of the CA, delete all templates except Computer_Auto_Enrollment and User_Auto_Enrollment. This only stops this CA from issuing them; the templates themselves remain in Active Directory.
  9. To obtain the Microsoft certificate template OIDs:
    1. Open Powershell and run the following command to get the Certificate Template OID:

      Certutil -catemplates -v | select-string displayname,msPKI-Cert-Template-OID
    2. Ensure to note the OIDs for the Computer_Auto_Enrollment and User_Auto_Enrollment templates since you will use these values later.
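The template configuration and OID lookup above, as an added PowerShell example (not part of the original guide). It reads both duplicated templates back from Active Directory, prints the template OIDs needed later, and fails if a template deviates from what this step configured: the enrollee must not be allowed to supply its own subject, the subject and SAN must be built from AD as specified, autoenrollment must be enabled, the private key must not be exportable, and Enroll/Autoenroll must be held only by the intended group (plus the domain admin groups, which get full control on a new template). Flag bit values are those defined in MS-CRTD; the group names and the use of the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example: audit Computer_Auto_Enrollment and User_Auto_Enrollment in AD
# and print their OIDs. Run in an elevated PowerShell with the RSAT
# ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory

# Bit values from MS-CRTD.
$ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
$SUBJECT_ALT_REQUIRE_UPN   = 0x02000000
$SUBJECT_ALT_REQUIRE_DNS   = 0x08000000
$SUBJECT_REQUIRE_DNS_AS_CN = 0x10000000
$SUBJECT_REQUIRE_CN        = 0x40000000
$AUTO_ENROLLMENT           = 0x00000020   # msPKI-Enrollment-Flag
$EXPORTABLE_KEY            = 0x00000010   # msPKI-Private-Key-Flag
# Extended-right GUIDs: Certificate-Enrollment and Certificate-AutoEnrollment.
$ENROLL_GUID     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AUTOENROLL_GUID = [guid]'a05b8cc2-17bc-11d1-a61e-0000f80367c1'

# What Step 3 configured for each template (group names are assumptions).
$expected = @{
    'Computer_Auto_Enrollment' = @{ Name = $SUBJECT_REQUIRE_DNS_AS_CN -bor $SUBJECT_ALT_REQUIRE_DNS; Group = 'YOURCOMPANY\Domain Computers' }
    'User_Auto_Enrollment'     = @{ Name = $SUBJECT_REQUIRE_CN -bor $SUBJECT_ALT_REQUIRE_UPN;        Group = 'YOURCOMPANY\Domain Users' }
}
$adminGroups = 'YOURCOMPANY\Domain Admins', 'YOURCOMPANY\Enterprise Admins'

$templatesDn = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
               (Get-ADRootDSE).configurationNamingContext
$props = 'displayName', 'msPKI-Cert-Template-OID', 'msPKI-Certificate-Name-Flag',
         'msPKI-Enrollment-Flag', 'msPKI-Private-Key-Flag'
$problems = @()

foreach ($name in $expected.Keys) {
    $t = Get-ADObject -SearchBase $templatesDn -Filter "displayName -eq '$name'" -Properties $props
    if (-not $t) { $problems += "$name not found in AD"; continue }

    # The OID is what the EJBCA side is configured with later.
    '{0}: OID {1}' -f $name, $t.'msPKI-Cert-Template-OID'

    $nameFlags = [int64]$t.'msPKI-Certificate-Name-Flag'
    $enrFlags  = [int64]$t.'msPKI-Enrollment-Flag'
    $keyFlags  = [int64]$t.'msPKI-Private-Key-Flag'

    # Subject must come from AD, never from the request.
    if ($nameFlags -band $ENROLLEE_SUPPLIES_SUBJECT) { $problems += "$name lets the enrollee supply the subject" }
    if (($nameFlags -band $expected[$name].Name) -ne $expected[$name].Name) { $problems += "$name subject/SAN flags differ from Step 3" }
    if (-not ($enrFlags -band $AUTO_ENROLLMENT)) { $problems += "$name is not enabled for autoenrollment" }
    if ($keyFlags -band $EXPORTABLE_KEY) { $problems += "$name allows private key export" }

    # Who holds Enroll or Autoenroll on the template.
    $acl = Get-Acl -Path "AD:\$($t.DistinguishedName)"
    $holders = $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ($_.ObjectType -eq $ENROLL_GUID -or $_.ObjectType -eq $AUTOENROLL_GUID) } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
    $unexpected = $holders | Where-Object { $_ -ne $expected[$name].Group -and $_ -notin $adminGroups }
    if ($unexpected) { $problems += "$name grants Enroll/Autoenroll to: $($unexpected -join ', ')" }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
'Templates match the Step 3 configuration.'
```

Re-run this after any later change to the templates: a template that combines Enrollee supplies subject with a broad Enroll grant is the classic AD CS misconfiguration that lets any domain user request a certificate for another identity, and it is easy to introduce by accident when editing the Subject Name tab.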

Configure Certificate Enrollment Services

To configure Certificate Enrollment Services:

  1. Click the new task shown in the Server Manager notifications: Configure Active Directory Certificate Services on the destination server.
  2. In the credentials panel shown, click Change.
  3. Enter an account that belongs to the Domain/Enterprise Admin group, click OK and then click Next.
  4. Select Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service and click Next.
  5. Select the CA Name.
  6. Click Select and select the Microsoft CA that will be issuing the certificates using certificate enrollment web service, click OK and then click Next.
  7. For CES authentication type, select Windows Integrated Authentication and then click Next.
  8. For CES service account, select Specify service account and then click Select.
  9. Specify the service account <ces-service> and credentials and ensure to use the single service account created if using a single service account.
  10. Click OK and then click Next.
  11. For CEP authentication type, select Windows Integrated Authentication and then click Next.
  12. For Certificate authentication, select Choose and assign a certificate for SSL later and click Next.
  13. Review the confirmation page and click Configure.
  14. When the installation completes, click Close.

Issue Server Certificate to CS Server

To issue a Server Certificate to the CS server:

  1. Open Microsoft Management Console (mmc.exe).
  2. Add the Certificates snap-in.
  3. Choose Computer account, select Local Computer and then click OK.
  4. Navigate to Certificate (Local Computer) and select Personal.
  5. Right-click and select All Tasks > Request New Certificate and click Next.
  6. Select Active Directory Enrollment Policy and click Next.
  7. Select the template for the server certificate (Computer, or Computer_Auto_Enrollment if the default Computer template is no longer issued by this CA after the previous section), click Enroll, click Next, and then click Finish.

Step 4 - Configure IIS

To configure the Internet Information Services (IIS), do the following:

  1. Open the Internet Information Services (IIS) Manager (InetMgr.exe)
  2. Click your server name on the left-hand side
  3. Expand the selection for your server and click Application Pools
  4. Right-click WSEnrollmentPolicyServer, and select Advanced Settings.
  5. Edit Identity.
  6. In the appearing panel, select Custom account and click Set.
  7. Enter the username and credentials for <yourcompany\ces-service>. If using a single service account, ensure to use the single service account created.
  8. Click OK and expand Sites in the Connection menu on the left-hand side.
  9. Click Default Web Site and then click Bindings on the right-hand side.
  10. Edit the https site binding.
  11. From SSL certificate, select the CS Server's SSL certificate csserver.yourcompany.com, click OK and then click Close.
  12. Expand the Default Web Site option on the left-hand side.
  13. Click ADPolicyProvider_CEP_Kerberos and open Application Settings.
  14. Edit the entry name FriendlyName and set the value to EJBCA_Enrollment. This is a name that clients will see only when manually requesting certificates.
  15. Click Add and create a new entry with the name RetryIntervalMs and value 300000.
  16. Restart IIS by clicking on the server name and then click Restart on the right-hand side.

Step 5 - Configure Group Policies on AD server

Configure Group Policies on the AD server according to the following:

  1. Access Group Policy Management (gpmc.msc) on the AD Domain Services server.
  2. Expand your domain forest > Domains > your domain name, and then select Default Domain Policy.
  3. Right-click Default Domain Policy and select Edit.
  4. Expand Computer Configuration and select Policies > Windows Settings > Security Settings > Public Key Policies.
  5. Edit Certificate Services Client – Auto-Enrollment according to the following and then click OK.
    1. Change Configuration Model to Enabled.
    2. Select Update certificates that use certificate templates.
  6. Expand User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
  7. Edit Certificate Services Client – Auto-Enrollment according to the following and then click OK.
    1. Change Configuration Model to Enabled.
    2. Select Update certificates that use certificate templates.

Optional: If you need to publish the user certificates in Active Directory and keep the same user certificate across all domain-joined workstations, perform the following steps. Otherwise, a user who logs on to multiple workstations is issued a separate certificate for each workstation profile by design.

  1. Expand User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
  2. Edit Certificate Services Client – Credential Roaming:
    1. Click the General tab, change to Enabled, and click OK.
    2. In the message about the Roaming User Profile exclusion list, acknowledge and click OK.

Step 6 - Test Microsoft Auto Enrollment

To test the Microsoft Auto Enrollment:

  1. Join the Windows client host to the domain (yourcompany.com).
  2. Log in as a user who is a member of the Domain Admins group.
  3. Open the Microsoft Management Console (mmc.exe).
  4. Click File>Add/Remove Snap-in and select certificates for both user and local computer.

  5. Verify that the user certificate was generated (Current User/ Personal/ Certificates).
    Ensure that the user certificate in the personal store is generated by the Windows CA using your duplicated template.

  6. Verify that the computer certificate was generated. (Local Computer/ Personal/ Certificates requires Admin privileges to check the local computer certificate store).
    Ensure that the computer certificate in the personal store is generated by the Windows CA using your duplicated template.
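The manual check above, as an added PowerShell example to run on the test client (not part of the original guide). It forces a policy refresh and an autoenrollment pass, then looks in both stores for a certificate whose Certificate Template Information extension names the duplicated template and whose issuer is the CA from Step 1, and confirms the private key is not exportable. The CA name, template names and the wait time are assumptions; the exportability check handles both CNG keys and the legacy CSP keys that a Server 2003-compatible template produces. Run it in an elevated PowerShell as the test user so that the machine store can be read.

```powershell
# Added example: verify user and computer autoenrollment on a domain-joined
# client. Assumes the CA name from Step 1 is MSCA-Proxy and the templates are
# named as in Step 3.
$issuerCN    = 'MSCA-Proxy'
$templateOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information

# Refresh policy and trigger autoenrollment for machine and user immediately.
gpupdate /target:computer /force | Out-Null
gpupdate /target:user /force     | Out-Null
certutil -pulse | Out-Null
certutil -user -pulse | Out-Null
Start-Sleep -Seconds 10   # assumption: enough for the enrollment round trip

function Get-TemplateName([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert) {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
    if (-not $ext) { return $null }
    # Format(0) renders e.g. "Template=Computer_Auto_Enrollment(1.3.6.1.4.1.311.21.8...), Major Version Number=100, ..."
    if ($ext.Format($false) -match 'Template=([^\(,]+)') { return $Matches[1] }
    return $null
}

function Test-KeyNotExportable([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert) {
    if (-not $cert.HasPrivateKey) { return $false }
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    } catch { Write-Warning "Cannot open private key of $($cert.Thumbprint): $_"; return $false }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG/KSP key: the export policy lives on the CngKey.
        return -not ($rsa.Key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport)
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CSP key (Server 2003-compatible templates).
        return -not $rsa.CspKeyContainerInfo.Exportable
    }
    return $false
}

$checks = @(
    @{ Store = 'Cert:\LocalMachine\My'; Template = 'Computer_Auto_Enrollment' },
    @{ Store = 'Cert:\CurrentUser\My';  Template = 'User_Auto_Enrollment' }
)
$ok = $true
foreach ($c in $checks) {
    $cert = Get-ChildItem $c.Store | Where-Object {
        (Get-TemplateName $_) -eq $c.Template -and $_.Issuer -like "CN=$issuerCN*"
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        Write-Warning "No $($c.Template) certificate from $issuerCN in $($c.Store)"; $ok = $false; continue
    }
    '{0}: {1} (thumbprint {2}, expires {3:u})' -f $c.Template, $cert.Subject, $cert.Thumbprint, $cert.NotAfter
    if (-not (Test-KeyNotExportable $cert)) {
        Write-Warning "$($c.Template): private key is exportable or not accessible"; $ok = $false
    }
}
if (-not $ok) { exit 1 }
'Autoenrollment verified for user and computer.'
```

If the certificates are missing, check the client's Application log for CertificateServicesClient-AutoEnrollment events before touching the server; those events name the template and the policy server the client tried.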

Step 7 - Update MS Auto Enrollment Server URL

To update the MS Auto Enrollment Server URL:

  1. Open a command prompt on the Certificate Services Server <csserver>.
  2. Run the following command to show the current enrollment server URL, replacing csserver.yourcompany.com and MSCA-Proxy with your server FQDN and CA name:

    certutil -config csserver.yourcompany.com\MSCA-Proxy -enrollmentserverurl


  3. Run the following command to remove the existing enrollment server URL, replacing the server FQDN, CA name and enrollment server URL with your own configuration:

    certutil -config csserver.yourcompany.com\MSCA-Proxy -enrollmentserverurl https://csserver.yourcompany.com/MSCA-Proxy_CES_Kerberos/service.svc/CES delete


  4. Run the following command to add the new enrollment server URL with Kerberos authentication, replacing the server FQDN, CA name and enrollment server URL with your own configuration:

    certutil -config csserver.yourcompany.com\MSCA-Proxy -enrollmentserverurl https://tomcatserver.yourcompany.com:8443/autoenroll/MSEnrollmentServlet Kerberos


  5. To confirm, run the first command again to show the new updated URL.
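The URL swap above, as an added PowerShell example (not part of the original guide) that performs the three certutil calls and verifies the result instead of reading the output by eye. Before changing anything it checks the two things that make a Kerberos-authenticated enrollment URL usable: the URL is HTTPS, and an HTTP/<host> SPN for the Tomcat host exists in AD (registered in Step 2). The CA configuration string and both URLs are the guide's placeholders; the URL-extraction regex over certutil's output and the use of the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example: replace the CA's enrollment server URL and verify the result.
# Run on csserver as an account allowed to manage the CA.
Import-Module ActiveDirectory

$ca     = 'csserver.yourcompany.com\MSCA-Proxy'
$oldUrl = 'https://csserver.yourcompany.com/MSCA-Proxy_CES_Kerberos/service.svc/CES'
$newUrl = 'https://tomcatserver.yourcompany.com:8443/autoenroll/MSEnrollmentServlet'

function Get-EnrollmentServerUrls([string]$CaConfig) {
    # certutil prints each registered URL on its own line; keep only the URLs.
    certutil -config $CaConfig -enrollmentServerURL |
        Select-String -Pattern 'https?://\S+' -AllMatches |
        ForEach-Object { $_.Matches | ForEach-Object { $_.Value } }
}

function Invoke-Certutil([string[]]$Arguments) {
    $out = & certutil @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil $($Arguments -join ' ') failed:`n$out" }
}

# Preconditions: Kerberos AuthType needs TLS and an SPN on the target host.
$uri = [uri]$newUrl
if ($uri.Scheme -ne 'https') { throw "Enrollment URL must use HTTPS, got $($uri.Scheme)" }
$spn = "HTTP/$($uri.Host)"
if (-not (Get-ADObject -Filter "servicePrincipalName -eq '$spn'")) {
    throw "No account holds SPN $spn; Kerberos authentication to $newUrl would fail (see Step 2)"
}

$before = @(Get-EnrollmentServerUrls $ca)
"Before: $($before -join ', ')"

if ($before -contains $oldUrl)    { Invoke-Certutil @('-config', $ca, '-enrollmentServerURL', $oldUrl, 'delete') }
if ($before -notcontains $newUrl) { Invoke-Certutil @('-config', $ca, '-enrollmentServerURL', $newUrl, 'Kerberos') }

$after = @(Get-EnrollmentServerUrls $ca)
"After:  $($after -join ', ')"
if (($after -contains $oldUrl) -or ($after -notcontains $newUrl)) {
    throw 'Enrollment server URL list does not match the expected state'
}
'Enrollment server URL updated.'
```

Clients only learn the new URL through the policy server configured in the next step, so a cached policy on a test client can still show the old CES URL until gpupdate and a policy refresh (certutil -policycache -f to clear it) have run there.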

Step 8 - Update Group Policy for Certificate Enrollment

To update the Group Policy for Certificate Enrollment, do the following:

  1. Access Group Policy Management (gpmc.msc) on the AD Domain Services server.
  2. Expand your domain forest > Domains > your domain name,  and then select Default Domain Policy
  3. Right-click Default Domain Policy and select Edit.
  4. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
  5. Edit Certificate Services Client – Certificate Enrollment Policy.
  6. Change Configuration Model to Enabled.
  7. Remove the Active Directory Enrollment Policy from the Certificate Enrollment policy list, and then click Add.
  8. Enter the policy server URI: https://<csserver.yourcompany.com>/ADPolicyProvider_CEP_Kerberos/service.svc/CEP, click Validate Server, and then click Add.
  9. Select Default, and then click OK.
  10. Expand User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
  11. Edit Certificate Services Client – Certificate Enrollment Policy.
  12. Change Configuration Model to Enabled.
  13. Remove the Active Directory Enrollment Policy from the Certificate Enrollment policy list, and then click Add.
  14. Enter the policy server URI https://<csserver.yourcompany.com>/ADPolicyProvider_CEP_Kerberos/service.svc/CEP, click Validate Server and then click Add.
  15. Select Default, and then click OK.