Server Certificate Deployment Planning
Updated: January 8, 2008
Applies To: Windows Server 2008
Before you deploy server certificates, you must plan the following items:
Public key infrastructure (PKI)
Basic server configuration
Server certificate configuration
This guide provides instructions for deploying one certification authority (CA) that is both an enterprise root CA and an issuing CA. For security and CA availability reasons, this PKI deployment might not be the best choice for your network. In some cases, you might want to add one or more subordinate CAs and design a full PKI plan that allows your network and CA deployment to scale as your information technology needs change.
For information about designing and deploying a PKI, see the Additional Resources section later in this document.
After you install Windows Server 2008 on the computer that will be the CA for the foundation network, you must change the password for the Administrator account on the local computer, rename the computer, and assign and configure a static IP address for the local computer.
For more information, see the "Configuring All Servers" topic in Windows Server 2008 Foundation Network Guide in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=106050).
To log on to the domain, the computer must be a domain member computer and the user account must be created in AD DS before the logon attempt.
For more information, see the "Joining Computers to the Domain and Logging On" topic in the Windows Server 2008 Foundation Network Guide in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=106051).
All certificates that are used for network access authentication with EAP-TLS and PEAP must meet the requirements for X.509 certificates and work for connections that use Secure Sockets Layer/Transport Layer Security (SSL/TLS).
When you plan the design of your server certificate by using a copy of the RAS and IAS Servers certificate template, make sure that you review the instructions in this guide. These instructions meet all of the following requirements for deploying server certificates for use with EAP and PEAP:
The Subject name contains a value. If you issue a certificate to your server running NPS that has a blank Subject, the certificate is not available to authenticate your server running NPS.
The server certificate chains to a trusted root CA and does not fail any of the checks that are performed by CryptoAPI and that are specified in the remote access policy or network policy.
The NPS or VPN server certificate is configured with the Server Authentication purpose in Application Policies extensions (also called Enhanced Key Usage or EKU extensions). The object identifier for Server Authentication is 184.108.40.206.220.127.116.11.1.
The server certificate is configured with a required algorithm value of RSA.
The Subject Alternative Name (SubjectAltName) extension, if used, must contain the DNS name of the server.
With PEAP and EAP-TLS, servers running NPS display a list of all installed certificates in the computer certificate store, with the following exceptions:
Certificates that do not contain the Server Authentication purpose in Application Policies extensions are not displayed.
Certificates that do not contain a Subject name are not displayed.
Registry-based and smart card logon certificates are not displayed.