Building an Enterprise Root Certification Authority in Small and Medium Businesses

On This Page

Introduction
Before You Begin
Installing and Configuring an Enterprise Root Certification Authority
Certificate Services Example Implementation: Establishing Autoenrollment for Wireless Users
Related Information

Introduction

Unprotected information exchange across the Internet, extranets, intranets, and between applications presents potential security risks to any organization today. The challenges include preventing an unauthorized third party from eavesdropping on information traveling over the Internet, masquerading as an authorized person, or disrupting the ability of an organization to conduct business.

This step-by-step guide will help you set up a public key certification authority (CA) in a network with servers running Microsoft Windows Server 2003 operating systems. You can install a CA on a server that is running Microsoft Windows Server 2003, Standard Edition; Microsoft Windows Server 2003, Enterprise Edition; or Microsoft Windows Server 2003, Datacenter Edition.

A CA is a service that issues and manages electronic credentials or certificates in a public key infrastructure (PKI). PKI is a system of digital certificates, CAs, and other registration authorities (RAs) that verify and authenticate the validity of each party that is involved in an electronic transaction through the use of public key cryptography. Standards for PKIs are still evolving, even as they are being widely implemented as a necessary element of electronic commerce. Many government agencies and private organizations have promulgated their own PKI standards. Consult with your legal counsel prior to implementing a PKI architecture to ensure compliance with all relevant local, state, federal, and international laws and regulations.

A Windows Server 2003 PKI, which can be integrated with Microsoft Windows XP Professional clients, can help secure network communications between an organization and its employees, partners, vendors, and customers. A server running Windows Server 2003 Certificate Services can issue public key certificates to a person, device, or service. The certificate holder uses PKI-enabled applications and technologies to enable centrally managed strong authentication, to ensure data confidentiality, and to secure data exchange. The PKI-enabled technologies supported by Windows Server 2003 provide a foundation for the following technologies and their associated business benefits:

  • Digital signatures. Establish non-repudiation, which is the ability to guarantee the authenticity of the sender.

  • Smart card usage. Provides two-factor authentication for smart card logon. Two-factor authentication requires a user to present a physical object (the smart card, which contains a chip that stores a digital certificate and the user's private key) plus a password or PIN in order to access network resources.

  • Secure e-mail. Services such as Secure/Multipurpose Internet Mail Extensions (S/MIME) provide confidential communication, data integrity, and non-repudiation for e-mails.

  • Software code signing. Authenticode technology allows software publishers to digitally sign any form of active content, including multiple-file archives. These signatures can be used to verify both the identity of the content publisher and the integrity of the content at the time of download.

  • Internet Protocol Security (IPSec). A suite of protocols that allows encrypted and digitally signed communication between two computers or between a computer and a router over a public network.

  • 802.11. Provides centralized user identification, authentication, dynamic key management, and accounting to provide authenticated network access to 802.11 wireless networks and wired Ethernet networks.

  • Encrypting file system. Supports encryption and decryption of files and folders.

  • Secure Web Connections using Secure Sockets Layer (SSL) or Transport Layer Security (TLS). These protocols provide server and client authentication through a secured communications channel over public networks such as the Internet. Wireless versions of these protocols such as Wireless Transport Layer Security (WTLS) can be used to enhance the security of wireless networks.

In addition, with a Windows Server 2003 PKI, you can take advantage of the ability to integrate certificate services with the Active Directory directory service and Group Policy. In an Active Directory environment, a Windows Server 2003 CA uses certificate templates, which are published in Active Directory, to control the contents of the certificates that it issues. Certificate templates define the information that goes into a certificate and simplify the use and management of the CA by making technical details of certificate contents transparent to users. Depending on your organization's needs, you can use a single purpose template that generates certificates for a specific application, a multipurpose template that generates certificates for a number of applications, or even create new customized certificate templates.

The instructions provided in this document show you how to build an enterprise root CA, use a certificate template to enable client autoenrollment, and establish autoenrollment for wireless users. Specifically, you will learn how to perform the following tasks:

  • Install and configure an enterprise root CA.

  • Verify CA installation.

  • Install certificate templates.

  • Create a custom certificate template.

  • Configure a certificate template for client autoenrollment.

  • Grant enroll permissions for a default certificate template.

  • Configure the CA to issue certificates based on the certificate template.

  • Establish autoenrollment for wireless users.

Note: The screenshots in this document reflect a test environment and the information might differ from the information displayed on your screen.

After you complete these steps, your network will include an enterprise root CA and you will have access to all of the certificate templates available by using the Certificate Templates snap-in. In addition, client autoenrollment will strengthen authentication for your wireless users by requiring them to use digital certificates during the authentication process. Autoenrollment can make this requirement virtually transparent to users by enabling them to automatically request certificates, retrieve issued certificates, and renew expiring certificates. You can also broaden the protection the Windows Server 2003 PKI provides to your network by expanding your use of the PKI to support additional applications such as digital signatures, IPSec, and so on, that were mentioned earlier.

IMPORTANT: All the step-by-step instructions included in this document were developed by using the Start menu that appears by default when you install your operating system. If you have modified your Start menu, the steps might differ slightly.

Before You Begin

This section describes the setup requirements for an enterprise CA. You must meet all these requirements before installing the CA. Failure to do so may cause your installation to fail or to limit the functionality of your CA.

The instructions in this document assume an existing PKI system has not been deployed. The solutions described in this document do not provide guidance for integrating additional Microsoft CA services into an existing PKI.

IT Infrastructure Prerequisites

Your organization must have the following IT infrastructure:

  • A deployed Active Directory domain infrastructure (Microsoft Windows 2000 Server with Service Pack 3 (SP3) or later, or Windows Server 2003). All users of Certificate Services in this solution should be members of a domain within the same Active Directory forest. This deployment assumes that you are using the Windows Server 2003 Active Directory schema extensions.

  • Server hardware adequate to run Windows Server 2003 Certificate Services. A suggested configuration is provided in the table, "Suggested Hardware Specification for Enterprise Root CA Server."

  • Windows Server 2003, Enterprise Edition or Windows Server 2003, Datacenter Edition licenses, installation media, and product keys.

    The following table shows the procedures you can perform on a server running Windows Server 2003, Standard Edition and the procedures that require the server to be running Windows Server 2003, Enterprise Edition or Windows Server 2003, Datacenter Edition.

Windows Server 2003 Operating System Needed for Each Procedure

  Procedure                                                                  Windows Server 2003 Operating System
  -------------------------------------------------------------------------  -------------------------------------------------------------------------------------------
  Install and configure an enterprise root CA                                Standard Edition
  Verify CA installation                                                     Standard Edition
  Install certificate templates                                              Standard Edition
  Create a certificate template                                              Enterprise Edition or Datacenter Edition
  Configure a certificate template for client autoenrollment                 Enterprise Edition or Datacenter Edition
  Grant enroll permissions for a default certificate template                Standard Edition
  Configure the CA to issue certificates based on the certificate template   Enterprise Edition if a version 2 certificate template is needed; otherwise, Standard Edition
  Establish autoenrollment for wireless users                                Enterprise Edition

Enterprise CA Requirements

To effectively set up an enterprise CA using Windows Server 2003, the following actions must be taken:

  • Windows Server 2003 Domain Name Service (DNS) installed on a DNS server on the network.

  • Windows Server 2003 Active Directory installed on a domain controller on the network. Enterprise policy places information into the Active Directory.

  • The computer that will host the enterprise root CA joined to the Active Directory domain.

  • Enterprise administrator privileges placed on the DNS, Active Directory, and CA servers. This is especially important because setup modifies information in numerous places, some of which require enterprise administrator privileges.

An enterprise root CA can be created by using only one server.

The following table provides the recommended hardware specification for a server used as an enterprise root CA, based on Windows Server 2003 recommendations. However, you might not need to purchase new hardware if you already have a server that meets the criteria outlined in "Build Guide 2 - Implementing the Public Key Infrastructure." For more information about hardware recommendations for a Windows Server 2003 enterprise root CA, see "Build Guide 2 - Implementing the Public Key Infrastructure" on the TechNet Web site at https://go.microsoft.com/fwlink/?LinkId=22696.

Suggested Hardware Specification for Enterprise Root CA Server

  Item           Requirement
  -------------  ------------------------------------------------------------------------------------
  CPU            Single CPU, 733 MHz or better
  Memory         256 MB
  Disk storage   IDE (integrated device electronics) or SCSI (small computer system interface) RAID
                 (redundant array of independent disks) controller; 2 x 18 GB (SCSI) or 2 x 20 GB
                 (IDE) configured as a RAID 1 volume (drive C); local removable media storage (CD-RW
                 or tape for backup); 1.44-MB disk drive for data transfer

Choosing the Type of CA to Use

Some organizations use external commercial CAs, while other organizations run their own CAs. Because a CA is an important trust point in an organization, most organizations have their own CA. This document assumes your organization is deploying its own CA.

Windows Server 2003 provides two classes of CAs, determined by which policy modules are selected during installation: an enterprise CA or a stand-alone CA. The policy modules define the actions that a CA can take when it receives a certificate request.

Typically, you should install an enterprise CA if you will be issuing certificates to users or computers inside an organization that is part of a Windows Server 2003 domain. You should install a stand-alone CA if you will be issuing certificates to users or computers outside of a Windows Server 2003 domain.

An enterprise CA requires that all clients requesting certificates have an entry in Active Directory, whereas a stand-alone CA does not. Also, an enterprise CA can more easily issue certificates that are used to log on to a Windows Server 2003 domain than can a stand-alone CA.

Within the enterprise and stand-alone CA classes, there can be two types of CAs: a root or a subordinate. A root CA is the anchor for trust in an organization. If necessary, the root CA's certificate can be used to enable subordinate CAs for purposes such as implementing policy and issuing end user certificates. This document shows you how to install and configure an enterprise root CA, with no subordinate CAs.

For more information about the differences between enterprise, stand-alone, root, and subordinate CAs and key PKI design decisions, see "Determining CA Roles & Types" in "MSA Enterprise Design for Certificate Services" on the TechNet Web site at https://go.microsoft.com/fwlink/?LinkId=22671.

What to Know Before You Start

  • A set of CA Web pages is provided with Certificate Services in Windows Server 2003. These Web pages allow you to connect to the CA by means of a Web browser and perform common tasks, such as requesting certificates from a CA, requesting the CA's certificate, submitting a certificate request, retrieving the CA's certificate revocation list (CRL), or performing smart card certificate enrollment. For a stand-alone CA, the Web pages are the primary way a certificate requester can interface with the CA, since the Certificates snap-in cannot be used to request certificates from a stand-alone CA. Enterprise CAs can accept certificate requests by means of the Certificates snap-in or the Web enrollment pages.

  • The Web interface for the CA requires running Active Server Pages. You can either enable Active Server Pages through Internet Information Services before you start, or you will be prompted to activate them.

  • The validity duration you choose for the CA will determine when the CA certificate "expires" or needs to be renewed. You can use longer validity and renewal periods for low security environments. For higher security, shorter validity and renewal periods are typically set.

  • A CA is one of the most sensitive servers in an organization. Therefore, you must plan for heightened security for a CA both during deployment and during day-to-day operations. Limit physical access to the CA and allow only the most trusted employees to manage this server. In addition, be sure to secure the server on which you install the CA by completing the steps in the document, "Securing Windows Server 2003 Domain Controllers," in the Security Guidance Kit.

What Cannot Change After CA Deployment

  • The preliminary information that you supply during setup, such as the name of the CA, cannot be changed after the CA setup is complete.

  • The computer's domain settings, such as joining a domain or promoting a server to a domain controller, cannot be changed after the certification authority is installed.

  • If you installed the enterprise CA as an Enterprise Admin or delegated user, then you must use the Enterprise Admin or delegated user account when you uninstall the enterprise CA.

Installing and Configuring an Enterprise Root Certification Authority

The installation process for a Certificate Services root authority generates a root CA certificate containing the CA's public key and the digital signature created by using the root's private key. This section provides the following step-by-step instructions for building an enterprise root CA, using a certificate template to enable client autoenrollment, and establishing autoenrollment.

  • Install and configure an enterprise root CA.

  • Verify CA installation.

  • Install certificate templates.

  • Create a custom certificate template.

  • Configure a certificate template for client autoenrollment.

  • Grant enroll permissions for a default certificate template.

  • Configure the CA to issue certificates based on the certificate template.

Installing and Configuring an Enterprise Root CA

You now need to log on as an enterprise administrator; using our example, log on with an account which is a member of the Enterprise Admins group and the root domain's Domain Admins group.

Requirements
  • Credentials: You must be logged on with an account which is a member of the Enterprise Admins group and the root domain's Domain Admins group.

  • Tools: Windows Components Wizard.

  • This task can only be completed on a server running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition.

  • To install and configure an enterprise root certification authority

    1. Log on as a member of both the Enterprise Admins group and the root domain's Domain Admins group.

    2. Click Start, click Control Panel, click Add or Remove Programs, and then click Add/Windows Components.

    3. In the Windows Components Wizard, select the Certificate Services check box. A dialog box appears to inform you that the computer cannot be renamed and that the computer cannot be joined to or removed from a domain after Certificate Services is installed. Click Yes.

      Note: If you intend to use the Web components of Certificate Services, ensure that IIS is selected: click Application Server (without selecting its check box), click Details, select the Internet Information Services (IIS) check box, and then click OK.

      Click Next.

    4. On the CA Type page, select Enterprise root CA, and then click Next.

      (Screenshot: Windows Components Wizard, CA Type page)

      Note: The private key is always stored locally on the server, except in the case where a cryptographic hardware device is used. In such a case, the private key is stored in the device. The public key is placed in the certificate.

    5. On the CA Identifying Information page, supply identifying information appropriate for your site and organization:

      1. In Common name for this CA, type the common name of the certification authority.
        The CA name (or common name) is critical because it is used to identify the CA object created in Active Directory.

      2. In Validity period, accept the default of 5 years, and then click Next.
        The Validity period time is the length of time the CA will be valid; the actual duration is a tradeoff between security and administrative overhead. Keep in mind that each time a root certificate expires, an administrator has to update all trust relationships, and administrative steps need to be taken to move the CA to a new certificate. A time period of five or more years is typically sufficient in most enterprise environments, although the period should conform to formal IT policies and procedures. Consult with legal counsel to ensure that your CA configuration meets all applicable legal requirements.

        (Screenshot: Windows Components Wizard, CA Identifying Information page)

    6. On the Certificate Database Settings page, accept the default storage locations of the certificate database and the certificate database log, confirm that the Store configuration information in a shared folder check box is not selected, and then click Next.

      Note: Setup might issue a warning about not being able to create a shared folder. This is expected because all network interfaces have been disabled. It is safe to ignore this and move on. You must place the certificate database and the certificate database log on local NTFS drives.

      (Screenshot: Windows Components Wizard, Certificate Database Settings page)

    7. If IIS is running, a message will prompt you to stop the service. Click Yes to stop IIS. IIS must be stopped before the Web components can be installed.

      Note: If you do not have IIS installed, you will not see this message, and Web enrollment will not be available unless IIS is installed.

      The Optional Component Manager then installs the Certificate Services components. If this requires the Windows Server 2003 installation media (CD), insert the Windows Server 2003 product CD into the CD drive.

    8. Click OK to finish the installation. Click Finish to close the wizard.

Once the certification authority is installed, add certificate templates to the certification authority and configure the certification authority to allow subjects to request a certificate that is based on a template.

Note: If you have or plan to use the advice in this guide to tighten the security of domain controllers in your organization, you will need to modify your domain Group Policy settings to re-enable Certificate Services. For more information on how to accomplish this, see the document, "Securing Windows Server 2003 Domain Controllers," in the Security Guidance Kit.

Verifying CA Installation

The simplest way to verify the successful completion of the Certificate Services installation is to open a command window, and type net start to see if Certificate Services is running.

You can also view the Certificate Services setup log at systemroot\certocm.log for further verification or to help troubleshoot in the event of errors.

You can also use the following procedure.

Requirements
  • Credentials: You must be logged on with an account which is a member of the Enterprise Admins group and the local Admins group on the computer running Certificate Services.

  • Tools: Certification Authority snap-in.

  • This task can only be completed on a server running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition.

  • To verify the correct installation of the root CA

    1. Click Start, click Control Panel, click Administrative Tools, and then click Certification Authority.

    2. Verify that Certificate Services has started and that you can view the properties of the CA. You should be able to see the CA listed with a checkmark symbol.

    3. Right-click the CA and click Properties.

    4. On the General tab, select Certificate #0 in the CA certificates list, and then click View Certificate.

    5. Click the Details tab of the CA Certificate, and then verify that the displayed values match those that the following table describes.

      Certificate Details Default Settings

      Field               Value
      ------------------  -----------------------------------------------------------------------------
      Version             V3
      Issuer              Identical to Subject: the full CA common name plus the distinguished name
                          suffix that you supplied during the installation
      Valid from          The date you installed the enterprise root CA server
      Valid to            The date you installed the enterprise root CA server plus five years
      Subject             Identical to Issuer: the full CA common name plus the distinguished name
                          suffix that you supplied during the installation
      Public key          RSA (2048 Bits)
      Basic Constraints   Subject Type=CA
                          Length Constraint=None

      Note: The presence of the Basic Constraints subject type is very important. This value distinguishes a CA certificate from an end entity certificate. In addition, there should be no CDP or AIA extensions listed.

      If any of the previous values are not what you expected, you should restart the installation of Certificate Services.

      If you need to re-run the installation of Certificate Services, you will receive a warning about the private key already existing. If you know that you have not issued any certificates using this key, you can safely ignore this and generate a new key. If the CA has already issued certificates (other than test certificates), you should not reinstall Certificate Services until you have safely backed up the previous key and certificate.

      For more information about CDP or AIA extensions or backing up the previous key and certificate, see "Operations Guide 2 - Managing the Public Key Infrastructure" on the TechNet Web site at https://go.microsoft.com/fwlink/?LinkId=22675 or see "Windows Server 2003 PKI Operations Guide" on the TechNet Web site at https://go.microsoft.com/fwlink/?LinkId=22673.

    6. Click OK twice, and then close Certification Authority.
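The self-signed root certificate that setup generates (described at the start of this section) and the checks in the Certificate Details Default Settings table, as an added example that is not part of this guide: it uses Go's standard crypto/x509 package in place of the Certification Authority snap-in, and the CA name, organization and CRL URL it uses are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewRootCACert builds a self-signed root CA certificate with the same shape
// as the one Certificate Services setup generates: RSA 2048 key, Issuer
// identical to Subject, Basic Constraints with Subject Type=CA and no length
// constraint, and no CDP or AIA extensions. The optional modify hook lets a
// caller deviate from those defaults so the checker can be exercised on a
// certificate that does not match the table.
func NewRootCACert(commonName string, years int, modify func(*x509.Certificate)) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	notBefore := time.Now().UTC()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		// Constructed sample name; a real CA uses the common name and DN
		// suffix supplied on the CA Identifying Information page.
		Subject:               pkix.Name{CommonName: commonName, Organization: []string{"Example Org"}},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(years, 0, 0),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
		MaxPathLen:            -1, // encodes no pathLenConstraint ("Length Constraint=None")
	}
	if modify != nil {
		modify(tmpl)
	}
	// Self-signed: the template is its own parent and is signed with its own key.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CheckRootCA compares a parsed certificate against the Certificate Details
// Default Settings table and returns one finding per mismatch. An empty result
// means the certificate looks like a freshly installed enterprise root CA
// certificate.
func CheckRootCA(cert *x509.Certificate, years int) []string {
	var findings []string
	if cert.Version != 3 {
		findings = append(findings, fmt.Sprintf("version is V%d, expected V3", cert.Version))
	}
	if !bytes.Equal(cert.RawSubject, cert.RawIssuer) {
		findings = append(findings, "issuer does not match subject (not a root certificate)")
	}
	if err := cert.CheckSignatureFrom(cert); err != nil {
		findings = append(findings, "certificate is not validly self-signed: "+err.Error())
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); !ok || pub.N.BitLen() != 2048 {
		findings = append(findings, "public key is not RSA (2048 Bits)")
	}
	if !cert.BasicConstraintsValid || !cert.IsCA {
		findings = append(findings, "Basic Constraints does not mark Subject Type=CA")
	}
	if cert.MaxPathLen > 0 || cert.MaxPathLenZero {
		findings = append(findings, "Basic Constraints carries a length constraint, expected None")
	}
	if len(cert.CRLDistributionPoints) > 0 {
		findings = append(findings, "CDP extension present on root certificate")
	}
	if len(cert.OCSPServer) > 0 || len(cert.IssuingCertificateURL) > 0 {
		findings = append(findings, "AIA extension present on root certificate")
	}
	// A day of slack keeps the check from depending on the exact second of installation.
	want := cert.NotBefore.AddDate(years, 0, 0)
	if d := cert.NotAfter.Sub(want); d < -24*time.Hour || d > 24*time.Hour {
		findings = append(findings, fmt.Sprintf("validity is not %d years (valid to %s)", years, cert.NotAfter.Format("2006-01-02")))
	}
	return findings
}

func main() {
	cert, err := NewRootCACert("Example Root CA", 5, nil)
	if err != nil {
		panic(err)
	}
	findings := CheckRootCA(cert, 5)
	if len(findings) == 0 {
		fmt.Println("root CA certificate matches the expected defaults")
	}
	for _, f := range findings {
		fmt.Println("mismatch:", f)
	}
}
```

The same checker can be pointed at a certificate exported from a real CA (parse the DER with x509.ParseCertificate) to confirm the table's values without clicking through the Details tab.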

Installing Certificate Templates

This procedure shows you how to install and view the default certificate templates. For a description of each of these default certificate templates, see the section "Default Templates" in "Implementing and Administering Certificate Templates in Windows Server 2003" on the TechNet Web site at https://go.microsoft.com/fwlink/?LinkId=22669.

Requirements
  • Credentials: You must be logged on with an account which is a member of the Enterprise Admins group and the root domain's Domain Admins group.

  • Tools: Certificate Templates (certtmpl.msc)

  • This task can only be completed on a server running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition.

  • To install and view the default certificate templates

    1. Click Start, click Run, type certtmpl.msc in the Run dialog box, and then click OK.

    2. If this is the first time you are running the Certificate Templates snap-in on this CA, you will get messages that the certificate templates need to be installed. Click Yes to each message.

    3. In the console tree, click Certificate Templates. All of the certificate templates will be displayed in the details pane.

      (Screenshot: certtmpl - [Certificate Templates])

    4. Close Certificate Templates.

Creating a Custom Certificate Template

Certificate templates allow customization of certificates issued by Certificate Services, including both how certificates are issued and what they contain. A certificate template is the set of rules and settings that are applied against incoming certificate requests.

New certificate templates are created by copying an existing template and using the existing template's properties as the default for the new template. Copy the existing certificate template closest to the configuration of the intended new template to minimize the work necessary.

Requirements
  • Credentials: You must be logged on with an account which is a member of the Enterprise Admins group.

  • Tools: Certificate Templates (certtmpl.msc)

  • This task can only be completed on a server running Windows Server 2003, Enterprise Edition or Windows Server 2003, Datacenter Edition.

  • To create a custom certificate template from an existing template

    1. Click Start, click Run, type certtmpl.msc in the Run dialog box, and then click OK to open Certificate Templates.

    2. In the details pane, right-click the template you want to copy, and then click Duplicate Template.

    3. Type a new name for this certificate template.

    4. Make any desired changes and click OK. The new template appears at the bottom of the list and shows Allowed in the Autoenrollment column.

    5. Close Certificate Templates.

Configuring a Certificate Template for Client Autoenrollment

Autoenrollment is a useful feature of Certification Services in Windows XP and Windows Server 2003, Enterprise Edition. Autoenrollment allows you to configure clients to automatically enroll for certificates, retrieve issued certificates, and renew expiring certificates without requiring client interaction. A client does not need to be aware of any certificate operations, unless you configure the certificate template to interact with the client.

This section describes one way of modifying the certificate template: for client autoenrollment. For detailed information about autoenrollment, see "Certificate Autoenrollment in Windows Server 2003" on the TechNet Web site at https://go.microsoft.com/fwlink/?LinkId=22668.

To properly configure client autoenrollment, you must plan the appropriate certificate template or templates to use. Several settings in the certificate template directly affect the behavior of client autoenrollment.

Requirements
  • Credentials: You must be logged on with an account which is a member of the Enterprise Admins group.

  • Tools: Certificate Templates (certtmpl.msc).

  • This task can only be completed on a server running Windows Server 2003, Enterprise Edition or Windows Server 2003, Datacenter Edition.

  • To configure a certificate template for client autoenrollment

    1. Click Start, click Run, type certtmpl.msc in the Run dialog box, and then click OK.

    2. In the details pane of Certificate Templates, right-click the certificate template that you just created and want to configure for autoenrollment, and then click Properties.

    3. On the Security tab, click the user, computer, or group in the Group or user names list that you want to configure for autoenrollment.
      If the name of the user, computer, or group is not already listed on the Security tab, click Add. In the Select Users, Computers, or Groups dialog box, type the name you want to add, and then click OK.

    4. In the Permissions for ObjectName list, under the Allow column, select the Read, Enroll, and Autoenroll check boxes, and then click Apply. Repeat steps 3 and 4 for each user, computer, or group that you want to configure for autoenrollment, and then click OK.

    5. Close Certificate Templates.

Granting Enroll Permissions for a Default Certificate Template

This procedure configures default templates to be used by clients that have been autoenrolled by the procedure in "Configuring a Certificate Template for Client Autoenrollment."

Requirements
  • Credentials: You must be logged on with an account which is a member of the Enterprise Admins group.

  • Tools: Certificate Templates (certtmpl.msc).

  • This task can only be completed on a server running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition.

  • To allow clients to request a certificate that is based on the template

    1. Click Start, click Run, type certtmpl.msc in the Run dialog box, and then click OK.

    2. In the details pane of Certificate Templates, right-click the certificate template that you want to change, and then click Properties.

    3. On the Security tab, add the groups, computers, or users that you want.

    4. In Group or user names, click one of the new objects, and then, in the Permissions for ObjectName list, under the Allow column, select the Read and Enroll check boxes.

    5. Repeat the previous step for each new object.

Note: To disallow subjects from requesting a certificate based on a template, clear the Read and Enroll check boxes using the same steps as in this procedure.

Configuring the CA to Issue Certificates Based on the Certificate Template

This procedure adds a new certificate template to the CA to be issued by the CA.

Requirements
  • Credentials: You must be logged on with an account which is a member of the local admins group on the computer running Certificate Services.

  • Tools: Certification Authority snap-in.

  • This task can only be completed on a server running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition.

  • To add a certificate template to a CA

    1. Click Start, click Control Panel, click Administrative Tools, and then click Certification Authority.

    2. Expand the enterprise root CA.

    3. Right-click the Certificate Templates container, click New, and then click Certificate Template to Issue.

    4. In the Enable Certificate Templates dialog box, select the certificate template to enable on the CA, and then click OK. The certificate template you enabled will appear in the Certificate Templates container.

    5. Close Certification Authority.

Removing a Certificate Template from a CA

After you have defined and configured the certificate templates that you plan to use, it is a best practice to remove from the CA any certificate templates that you do not plan to use. Removing a certificate template only unlinks the template from the CA; it does not delete the template from the certificate template store. If you need any of the removed certificate templates in the future, you can repeat the procedures in the section "Installing Certificate Templates" to perform this task.

Requirements
  • Credentials: You must be logged on with an account which is a member of the Enterprise Admins group.

  • Tools: Certification Authority snap-in.

  • This task can only be completed on a server running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition.

  • To remove a certificate template from a CA

    1. Click Start, click Control Panel, click Administrative Tools, and then click Certification Authority.

    2. Expand the enterprise root CA.

    3. Right-click the Certificate Templates container.

    4. In the details pane, right-click the certificate template you wish to remove from the CA, and then click Delete.

    5. In the Disable Certificate Templates dialog box, click Yes.
      The certificate template no longer appears in the details pane.

Certificate Services Example Implementation: Establishing Autoenrollment for Wireless Users

To configure your server to provide autoenrollment for computer and user certificates, perform the following steps:

  • Create a certificate template for wireless users.

  • Configure the certificate template for client autoenrollment.

  • Configure the CA to issue certificates based on the template.

Requirements

  • Credentials: You must be logged on with an account which is a member of the Enterprise Admins group.

  • Tools: Certificate Templates (certtmpl.msc) snap-in and the Certification Authority snap-in.

  • The tasks in this example implementation can only be completed on a server running Windows Server 2003, Enterprise Edition or Windows Server 2003, Datacenter Edition.

Creating a Certificate Template for Wireless Users

  • To create a certificate template for wireless users

    1. Click Start, click Run, type certtmpl.msc in the Run dialog box, and then click OK.

    2. In the details pane of Certificate Templates, click the User template.

    3. On the Action menu, click Duplicate Template.

    4. On the General tab of the Properties of New Template page, in the Template display Name box, type Wireless User Certificate Template.

      Properties of New Template

    5. Click Apply and continue to the next procedure.

Configuring Certificate Template for Client Autoenrollment

  • To configure a certificate template for client autoenrollment

    1. On the General tab of the Wireless User Certificate Template Properties page, make sure that the Publish certificate in Active Directory check box is selected.

    2. Click the Security tab.

    3. In the Group or user names list, click Domain Users.

    4. In the Permissions for Domain Users list, under the Allow column, select the Read, Enroll, and Autoenroll check boxes.

      Wireless User Certificate Template Properties

    5. Click the Subject Name tab, clear Include e-mail name in subject name and E-mail name, and then click OK.

      Wireless User Certificate Template Properties

      IMPORTANT: These two options are cleared because, in this lab example, no e-mail name was entered for the WirelessUser account in the Active Directory Users and Computers snap-in. For the autoenrolled user certificate to be distributed to the client, you must either enter an e-mail address for the WirelessUser account or leave the two e-mail check boxes cleared.

    6. Click OK, and then close Certificate Templates.

Configuring the CA to Issue Certificates Based on the Template

  • To configure the CA to issue certificates based on the template

    1. Click Start, point to All Programs, point to Administrative Tools, and then click Certification Authority.

    2. In the console tree, expand the enterprise root CA, and then click Certificate Templates.

      Certification Authority

    3. On the Action menu, point to New, and then click Certificate Template to Issue.

    4. If necessary, scroll down, and then click Wireless User Certificate Template.

      Enable Certificate Template

    5. Click OK.

    6. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

    7. In the console tree, if necessary, double-click Active Directory Users and Computers, right-click the Contoso.com domain, and then click Properties.

    8. On the Group Policy tab, click Default Domain Policy, and then click Edit. This opens the Group Policy Object Editor snap-in.

    9. In the console tree, expand Computer Configuration, Windows Settings, Security Settings, Public Key Policies, and then click Automatic Certificate Request Settings.

      Group Policy Object Editor

    10. Right-click Automatic Certificate Request Settings, point to New, and then click Automatic Certificate Request.

    11. On the Welcome to the Automatic Certificate Request Setup Wizard page, click Next.

    12. On the Certificate Template page, click Computer, and then click Next.

      Automatic Certificate Request Setup Wizard

    13. On the Completing the Automatic Certificate Request Setup Wizard page, click Finish. The Computer certificate type now appears in the details pane of the Group Policy Object Editor snap-in.

      Group Policy Object Editor

    14. In the console tree, if necessary, scroll down and then expand User Configuration, Windows Settings, Security Settings, and Public Key Policies. Click Public Key Policies.

      Group Policy Object Editor

    15. In the details pane, double-click Autoenrollment Settings.

    16. Click Enroll certificates automatically, select the Renew expired certificates, update pending certificates, and remove revoked certificates check box, select the Update certificates that use certificate templates check box, and then click OK.

      Autoenrollment Settings Properties

    17. Close Group Policy Object Editor and Active Directory Users and Computers.

When the updated default domain Group Policy object is in effect, clients must restart their computers and log on to the domain with a wired connection to allow the new Group Policy settings to be applied and the certificates to be issued. You can verify that the certificates have been issued by using the Certificates snap-in on the client computer to look in the personal certificate store for the user or computer.
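As an added verification example (not from the original guide), the following PowerShell checks the three things the procedures above configure by hand: which principals hold Read, Enroll and Autoenroll on the template's Active Directory object, whether the CA publishes the template, and whether an autoenrolled user certificate has arrived in the client's personal store. It assumes the Contoso.com lab domain used in this guide, that the duplicated template's AD common name is WirelessUserCertificateTemplate, and that Domain Users is the only group meant to enroll.

```powershell
# Added verification script, not part of the original guide. Assumptions: the
# Contoso.com lab domain; the template created as "Wireless User Certificate
# Template" has the AD common name WirelessUserCertificateTemplate (Windows drops
# the spaces); Domain Users is the only principal that should be able to enroll.
# Section 1 needs a domain-joined machine, section 2 the CA, section 3 a client.

$domainDn   = 'DC=contoso,DC=com'                 # assumption: lab domain
$templateCn = 'WirelessUserCertificateTemplate'   # assumption: CN of the duplicate
$expected   = @('CONTOSO\Domain Users')           # granted Read/Enroll/Autoenroll in the guide

# Well-known extended-right GUIDs that appear in certificate template ACLs
$enrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment
$autoenrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # Certificate-AutoEnrollment
$extRight       = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$genericRead    = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead

# --- 1. Who can enroll? Templates live in the Configuration partition. ---
$path = "LDAP://CN=$templateCn,CN=Certificate Templates,CN=Public Key Services," +
        "CN=Services,CN=Configuration,$domainDn"
$template = [ADSI]$path
$rules = $template.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
foreach ($r in $rules) {
    if ($r.AccessControlType -ne 'Allow') { continue }
    $hasRead = (($r.ActiveDirectoryRights -band $genericRead) -eq $genericRead)
    # An ObjectType of Guid.Empty grants *all* extended rights, so it implies both.
    $hasExt  = ([int]($r.ActiveDirectoryRights -band $extRight)) -ne 0
    $allExt  = $hasExt -and ($r.ObjectType -eq [guid]::Empty)
    $enroll  = $allExt -or ($hasExt -and $r.ObjectType -eq $enrollGuid)
    $auto    = $allExt -or ($hasExt -and $r.ObjectType -eq $autoenrollGuid)
    if ($enroll -or $auto) {
        $flag = if ($expected -contains "$($r.IdentityReference)") { '' } else { '  <-- not expected, review' }
        '{0,-35} Read={1,-5} Enroll={2,-5} Autoenroll={3}{4}' -f $r.IdentityReference, $hasRead, $enroll, $auto, $flag
    }
}

# --- 2. On the CA: is the template published (what "Certificate Template to Issue" did)? ---
$published = certutil -CATemplates | Select-String -SimpleMatch $templateCn
if ($published) { "CA publishes: $($published.Line.Trim())" } else { "CA does NOT publish $templateCn" }

# --- 3. On a client: trigger autoenrollment and look for the issued user certificate. ---
certutil -pulse | Out-Null        # fires the autoenrollment task instead of waiting for the next logon
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    # OID 1.3.6.1.4.1.311.21.7 is the Certificate Template Information extension (v2 templates)
    $tpl = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    if ($tpl -and $tpl.Format($false) -like '*Wireless User Certificate Template*') {
        'Issued: {0}  NotAfter={1}  Thumbprint={2}' -f $_.Subject, $_.NotAfter, $_.Thumbprint
    }
}
```

Any principal in the section 1 output that is not in the expected list holds enrollment rights the procedure did not intend; fix it on the template's Security tab using the steps in "Configuring Certificate Template for Client Autoenrollment".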

For more information about wireless networking options, see "Microsoft Solution for Securing Wireless LANs" on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=22676.

For more information about building an enterprise root CA, see the following:

For more information about Public Key Infrastructure and configuring and managing CAs in small- and medium-sized businesses, see the following: