Deploying a Certificate Infrastructure

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

For your initial test lab deployment, use a simple certificate infrastructure. To be able to integrate the certificate services with Active Directory in your test environment (and, later, to use Group Policy to provide easier management of wireless clients), you must install the CA as an enterprise CA. After installing your enterprise root CA, you can install a computer certificate on the IAS server and install user and computer certificates on your wireless computers.

To set up the certificate infrastructure for your initial test environment, perform the following tasks:

  • Install a single-tier CA.

  • Install a computer certificate on the IAS server.

  • Install user and computer certificates on wireless computers.

Installing a Single-Tier CA

To keep your initial test deployment simple, install a single-tier CA.

To install a single-tier CA in your test environment

  • Install the enterprise root CA either on the domain controller or on a separate member server in your test environment.

    You must be logged on as a member of both the Enterprise Admins group and the Domain Admins group for the root domain.

    For installation instructions, see "Install an enterprise root certification authority" in Help and Support Center for Windows Server 2003. For your test lab deployment, you do not need to add certificate templates to the CA or configure the CA to allow subjects to request a certificate based on a template.

Installing a Computer Certificate on the IAS Server

On the IAS server, install a computer certificate from the issuing CA, which, in the single-tier CA infrastructure that you will deploy in your WLAN test environment, is the enterprise root CA. For your test lab deployment, use the Certificates Request Wizard located in the Certificates snap-in to obtain a computer certificate.

Start by creating a Certificates console on the IAS server that contains the Certificates - Local Computer snap-in, which you will use to request the computer certificate.

To install a computer certificate on the IAS Server

  1. Create a Certificates console on your IAS server that contains the Certificates - Local Computer snap-in. For the test lab deployment, name the console Certificates.

    For information about how to add a snap-in to manage certificates, see "Manage certificates for a computer" in Help and Support Center for Windows Server 2003. To perform this task, you must be a member of the Domain Admins group (or a member of the Administrators group on the local computer).

  2. Use the Certificates console to request a computer certificate for the IAS server.

    To install a computer certificate, click Certificates - Local Computer in the console tree, and select Computer as the certificate type (unless your IAS server is also a domain controller, in which case your only option is to select Domain Controller). For more information about how to use the Certificates console to request a certificate, see "Request a certificate" in Help and Support Center for Windows Server 2003.

For more information about using the Certificates Request Wizard for installing computer certificates, in addition to two alternative methods, see "Computer certificates for certificate-based authentication" in Help and Support Center for Windows Server 2003.

Verifying that the computer certificates meet IAS requirements

Each computer certificate installed on an IAS server must meet the following requirements:

  • The certificate must be installed in the Local Computer certificate store.

  • The cryptographic service provider for the certificate must support the secure channel (Schannel) security package. If not, the IAS server cannot use the certificate, and the certificate is not available for selection in the properties of the Smart Card or other certificate EAP type in the remote access policy.

The computer certificate for the IAS server must meet additional requirements. The following procedure tells how to verify each requirement.

To verify that the computer certificate for the IAS server meets all requirements

  1. From the Certificates console, double-click the certificate to open it.

  2. On the General tab, confirm that You have a private key that corresponds to this certificate appears.

  3. On the Details tab, under Field, click Enhanced Key Usage, and then confirm that there is an object identifier for Server Authentication (1.3.6.1.5.5.7.3.1).

  4. On the Details tab, under Field, click Subject Alternative Name, and then confirm that the fully qualified domain name (FQDN) of the computer account for the IAS server (for example, DNS Name=IASServerName.TestDomainName.com) appears.

  5. On the Certification Path tab, confirm that a valid certification path appears and that the statement This certificate is OK appears.

Verifying the root CA certificate

The root CA certificate of the CA that will issue the wireless client computer and user certificates must be installed in the Trusted Root Certification Authorities certificate store. The following procedure tells how to verify this.

To verify that the root CA is in the Trusted Root Certification Authorities store

  1. From the Certificates console, expand Certificates - Local Computer, expand Trusted Root Certification Authorities, and then click Certificates.

  2. In the Details pane, confirm that the name of your test lab enterprise root CA appears in the Issued To list.

    If the root CA is not in the list, you might need to refresh the display. To do this, click Action, and then click Refresh.

Installing User and Computer Certificates on Wireless Clients

When EAP-TLS is in use, as in your test lab deployment, wireless clients should have both a computer certificate and a user certificate in order to be authenticated to the network. When PEAP-MS-CHAP-v2 is in use, the root CA certificates of the issuing CAs for the computer certificates on the RADIUS servers must be installed on the wireless clients. You can do this manually by importing the root CA certificate on each wireless client, or you can publish the root CA certificate using Group Policy.

For your test lab deployment, use the Certificate Request Wizard located in the Certificates snap-in on the wireless client computer to obtain both a computer certificate and a user certificate for each wireless computer in your test lab.

Before you begin

  • Connect the wireless client directly to the wired network that contains the CA infrastructure.

    The connection is required in the test environment in order for the wireless client to receive computer and user certificates. In your enterprise environment, this step might not be necessary, depending upon how you decide to deploy certificates.

    If you connect the wireless client to the wired network, you can install the user certificate on the wireless client by using the Certificates - Current User snap-in (as described in the procedure), by using autoenrollment, by submitting a certificate request over the Web, or by implementing a CAPICOM program or script. If you prefer not to make a temporary connection between the wireless client and the wired network, you can install the certificate from a floppy disk.

Note

  • CAPICOM is a COM client, supporting Automation, that performs cryptographic functions (the CryptoAPI) using Microsoft® ActiveX® controls and COM objects.

To install user and computer certificates on a wireless client

  1. Create a single console that contains two snap-ins, for managing computer certificates and user certificates. For the test deployment, name the console Certificates.

    1. Install the snap-in for computer accounts under the name Certificates - Local Computer.

      For information about how to install a snap-in for managing computer certificates, see "Manage certificates for a computer" in Help and Support Center for Windows Server 2003.

    2. Install the snap-in for user accounts under the name Certificates - Current User.

      For information about how to install a snap-in for managing user certificates, see "Manage certificates for your user account" in Help and Support Center for Windows Server 2003.

    To install both snap-ins, log on under a user account with administrative credentials for the local computer. (You can install the user certificates snap-in but not the computer certificates snap-in if you log on under a user account in the test domain.)

    Note

    • For the initial test deployment, to receive computer and user certificates, the wireless client must be connected directly to the wired network that has the CA infrastructure.

  2. Use the Certificates - Local Computer snap-in to request a computer certificate for the wireless client.

    For instructions telling how to use the Certificates console to request a computer certificate, see "Request a certificate" in Help and Support Center for Windows Server 2003.

    The Help topic provides instructions for requesting a user certificate. To request a computer certificate, instead of clicking Certificates - Current User in the console tree, click Certificates - Local Computer. Then, when prompted for a certificate type, select Computer.

  3. Use the Certificates - Current User snap-in to request a user certificate.

    For instructions telling how to use the Certificates console to request a user certificate, see "Request a certificate" in Help and Support Center for Windows Server 2003. When prompted for a certificate type, select User.

Verifying that the certificates meet all requirements

After installing the computer and user certificates, perform the following procedures to verify that the certificates meet all requirements for the client to perform properly over a wireless connection.

To verify that the computer certificate for the wireless client meets requirements

  1. Verify that the computer certificate is installed in the Local Computer certificate store (required for EAP-TLS authentication).

    After verifying the correct certificate store, verify the certificate configuration.

  2. From the Certificates console, double-click the certificate to open it.

  3. On the General tab, confirm that the statement You have a private key that corresponds to this certificate appears.

  4. On the Details tab, under Field:

    1. Click Enhanced Key Usage, and confirm that the object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2.

    2. Click Subject Alternative Name, and confirm that the FQDN of the wireless computer account (for example, DNS Name=LaptopName.TestDomainName.com) appears.

  5. On the Certification Path tab:

    1. Confirm that a valid certification path appears.

    2. Confirm that the statement This certificate is OK appears.

To verify that the user certificate for the wireless client meets requirements

  1. Verify that the user certificate is installed in the Current User certificate store (required for EAP-TLS authentication).

  2. From the Certificates console, double-click the certificate to open it.

  3. On the General tab, confirm that You have a private key that corresponds to this certificate appears.

  4. On the Details tab, under Field, confirm the following items:

    1. Click Enhanced Key Usage, and confirm that the object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2.

    2. Click Subject Alternative Name, and confirm that the user principal name (UPN) of the user account (PrincipalName=WirelessUserName@TestDomainName.com, for example) appears.

  5. On the Certification Path tab:

    1. Confirm that a valid certification path appears.

    2. Confirm that the statement This certificate is OK appears.
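The three verification procedures in this article (the IAS server computer certificate and its trusted root CA, the wireless client computer certificate, and the wireless client user certificate) check the same five things by hand in the Certificates console: a private key, an Enhanced Key Usage OID, a Subject Alternative Name entry, a valid certification path, and the root CA in the Trusted Root Certification Authorities store. The script below is an added example, not part of the original article and not a Microsoft tool; it performs those checks with the .NET X509 classes that Windows PowerShell exposes through the Cert: drive. It assumes Windows PowerShell is installed on the computer being checked, uses the OIDs and sample names from the article, and skips revocation checking because a single-tier lab CA normally publishes no reachable CRL. The function name Test-WlanCertificate and the parameter names are this example's own.

```powershell
# Added example (not from the original article): re-check the certificate
# requirements from the verification procedures above with PowerShell.
# Assumes Windows PowerShell with the Cert: drive; the OIDs and sample
# names are the article's, the function name is this example's own.

function Test-WlanCertificate {
    param(
        # Cert:\LocalMachine\My for computer certificates, Cert:\CurrentUser\My for user certificates
        [Parameter(Mandatory = $true)] [string] $StorePath,
        # 1.3.6.1.5.5.7.3.1 = Server Authentication (IAS server),
        # 1.3.6.1.5.5.7.3.2 = Client Authentication (wireless client computer and user)
        [Parameter(Mandatory = $true)] [string] $RequiredEkuOid,
        # the FQDN (DNS Name) or UPN (Principal Name) that the Subject Alternative Name must carry
        [Parameter(Mandatory = $true)] [string] $ExpectedName
    )

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # General tab: "You have a private key that corresponds to this certificate"
        $hasKey = $cert.HasPrivateKey

        # Details tab, Enhanced Key Usage (extension OID 2.5.29.37) must list the required purpose
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $ekuOk = $false
        if ($eku) {
            $ekuOk = @($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $RequiredEkuOid }).Count -gt 0
        }

        # Details tab, Subject Alternative Name (extension OID 2.5.29.17) must contain the DNS name or UPN
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = if ($san) { $san.Format($true) } else { '' }
        $sanOk = $sanText -match [regex]::Escape($ExpectedName)

        # Certification Path tab: the chain must build ("This certificate is OK") and its root
        # must be present in the Trusted Root Certification Authorities store of the computer.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Assumption: no CRL is published by the single-tier lab CA, so revocation is not checked.
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainOk = $chain.Build($cert)
        $rootTrusted = $false
        $elements = @($chain.ChainElements)
        if ($elements.Count -gt 0) {
            $rootThumb = $elements[-1].Certificate.Thumbprint
            $rootTrusted = Test-Path -Path "Cert:\LocalMachine\Root\$rootThumb"
        }
        $chain.Reset()

        New-Object PSObject -Property @{
            Thumbprint         = $cert.Thumbprint
            Subject            = $cert.Subject
            HasPrivateKey      = $hasKey
            EnhancedKeyUsage   = $ekuOk
            SubjectAltName     = $sanOk
            ChainValid         = $chainOk
            RootInTrustedStore = $rootTrusted
            MeetsRequirements  = ($hasKey -and $ekuOk -and $sanOk -and $chainOk -and $rootTrusted)
        }
    }
}

# IAS server computer certificate: Server Authentication, DNS name of the IAS computer account
Test-WlanCertificate -StorePath Cert:\LocalMachine\My -RequiredEkuOid '1.3.6.1.5.5.7.3.1' -ExpectedName 'IASServerName.TestDomainName.com'

# Wireless client computer certificate: Client Authentication, DNS name of the computer account
Test-WlanCertificate -StorePath Cert:\LocalMachine\My -RequiredEkuOid '1.3.6.1.5.5.7.3.2' -ExpectedName 'LaptopName.TestDomainName.com'

# Wireless client user certificate: Client Authentication, UPN of the user account
Test-WlanCertificate -StorePath Cert:\CurrentUser\My -RequiredEkuOid '1.3.6.1.5.5.7.3.2' -ExpectedName 'WirelessUserName@TestDomainName.com'
```

Each store is scanned rather than a single certificate picked, so a store that holds several certificates (for example an older one that has lost its private key) shows which one actually satisfies the requirements. The one requirement the script does not test is that the certificate's cryptographic service provider supports Schannel; for that, the certificate appearing in the selection list of the Smart Card or other certificate EAP type in the remote access policy remains the check.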