Test Lab Guide: Demonstrating Certificate Key-Based Renewal

  • Article

 

Applies To: Windows Server 2012 R2, Windows Server 2012

The purpose of this Test Lab Guide (TLG) is to give you hands-on experience configuring the Certificate Enrollment Web Service and the Certificate Enrollment Policy Web Service role services. These roles services are part of the Active Directory Certificate Services (AD CS) server role in Windows Server® 2012 and Windows Server® 2012 R2.

Note


To comment on this content or ask questions about the information presented here, please use our Feedback guidance.

In this guide

This document provides instructions that explain how to extend the Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy to provide Certificate Enrollment Web Services. In Windows Server® 2012, Windows Server® 2012 R2, and Windows® 8 and Windows® 8.1, you can configure certificate autorenewal for computers outside the domain. This includes computers from other forests, domains, and workgroups. This lab demonstrates the steps to issue a certificate to a computer that is not joined to your domain, and then configure that certificate for autorenewal.

Important


The configuration of the computers and network in this guide is designed to give you hands-on practice using Certificate Enrollment Web Services. The design decisions made in this guide were aimed at increasing your hands-on experience, and they do not reflect a best practices configuration. For best practice information, see Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure and PKI Design Brief Overview.

Test lab overview

The following test lab configuration adds three computers to the configuration that is outlined in Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy. One of the additional computers will be a Certificate Enrollment Web Services server. Another computer will be a Certificate Enrollment Policy Web Services server. The third computer will be a web server that is not joined to the domain. There are seven major steps to complete, which include multiple subordinate procedures.

  1. Step 1: Complete the Base configuration Test Lab

  2. Step 2: Complete the Test Lab Guide: Deploying an AD CS Two Tier PKI Hierarchy

  3. Step 3: Configure the CEP1 server

  4. Step 4: Configure the CES1 server

  5. Step 5: Prepare an appropriate certificate template

  6. Step 6: Configure WEB1

  7. Step 7: Obtain a certificate and test automatic renewal

Hardware and software requirements

The following are the minimum required components for this test lab:

  1. The product disc or files for Windows Server 2012 or Windows Server 2012 R2.

  2. The product disc or files for Windows 8 or Windows 8.1.

  3. Six computers that meet the minimum hardware requirements for Windows Server 2012 or Windows Server 2012 R2.

    Tip


    The CEP1 and CES1 servers should be allocated at least 1.5 GB of RAM, if possible.

  4. One computer that meets the minimum hardware requirements for Windows 8 or Windows 8.1.

  5. One removable storage device with enough free space to hold a few certificates and certificate revocation lists (about 10 kilobytes). This can be a physical or virtual removable storage device depending on whether your lab is using physical or virtual computers.

    Note


    For instructions about how to transfer files by using a virtual floppy disk in a server running Hyper-V , see Creating, Using, and Transferring Files using Virtual Floppy Disks.

  6. If you want to deploy the Base Configuration Test Lab in a virtualized environment, your virtualization solution must support Windows Server 2012 or Windows Server 2012 R2 and Windows 8 or Windows 8.1 64-bit virtual machines. The server hardware must support the amount of RAM required to run the virtual operating systems included in the Base Configuration Test Lab and any other virtual machines that may be required by additional TLGs.

Important


Run Windows Update on all computers or virtual machines either during the installation or immediately after installing the operating systems. After running Windows Update, you can isolate your physical or virtual test lab from your production network.

Note


Run Windows PowerShell® commands as an administrator. When you are not signed in as the default administrator, you can right-click the Windows PowerShell program icon and then select Run as administrator.

Step 1: Complete the Base Configuration Test Lab

Before you begin the instructions in this guide, you must complete the Base Configuration Test Lab. For more information, see Test Lab Guide: Base Test Lab Guide for Windows Server 2012.

Step 2: Complete the Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy

The two-tier PKI hierarchy provides the basis for the lab explained in this topic. For more information, see Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy .

Important


The ORCA1 certificate revocation list (CRL) for this lab was configured by using the CAPolicy.inf, and it is valid for 26 weeks. The APP1 CRL must be updated weekly. To update the CRL, run the following command on APP1 from Windows PowerShell: certutil -crl

Step 3: Configure the CEP1 server

The configuration of the CEP1 server allows two methods for client computers to obtain certificate enrollment policies:

  1. User name and password authentication

  2. Certificate authentication

Tip


For the remainder of this lab, only the domain controller (DC1) and the, APP1 server are needed from the Base Configuration Test Lab Guide. You will be installing three additional servers: CEP1, CES1, and WEB1. Before installing any new servers, ensure that DC1 and APP1 are running.

The procedures to configure the CEP1 server to support the configuration that is demonstrated in this guide are as follows:

  1. Install the operating system

  2. Configure TCP/IP

  3. Join the computer to the domain

  4. Install the Certificate Enrollment Policy Web Service to use user name and password authentication

  5. Install the Certificate Enrollment Policy Web Service to use certificate authentication

To install the operating system

  1. Start the installation of Windows Server 2012.

  2. Follow the instructions to complete the installation. Specify Windows Server 2012 (full installation), and create a strong password for the local Administrator account. Then sign in by using the local Administrator account.

  3. Connect the computer to a network that has Internet access and run Windows Update to install the latest updates for Windows Server 2012.

  4. Connect the computer to the Corpnet subnet.

To configure TCP/IP

  1. From Windows PowerShell, run ncpa.cpl.

  2. In Network Connections, right-click Ethernet, and then click Properties.

  3. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

  4. Select Use the following IP address. In IP address, type 10.0.0.4. In Subnet mask, type 255.255.255.0.

  5. Select Use the following DNS server addresses. In Preferred DNS server, type 10.0.0.1.

  6. Click OK, and then click Close.

  7. Close the Network Connections window.

  8. In Windows PowerShell, run sysdm.cpl.

  9. In the System Properties dialog box, on the Computer Name tab, click Change.

  10. In Computer name, type CEP1 as the new name for the computer, and then click OK.

  11. When you are prompted that you must restart the computer, click OK.

  12. In the System Properties dialog box, click Close.

  13. When you are prompted to restart the computer, click Restart Now.

  14. After restarting, sign in by using the local Administrator account.

To join the computer to the domain

  1. From Windows PowerShell, run sysdm.cpl.

  2. In the System Properties dialog box, click the Computer Name tab, and then click Change.

  3. In Member of, select Domain, type corp.contoso.com, and then click OK.

  4. When you are prompted for a user name and password, enter the credentials for User1, and then click OK.

  5. When you see a dialog box welcoming you to the corp.contoso.com domain, click OK.

  6. When you are prompted that you must restart the computer, click OK.

  7. In the System Properties dialog box, click Close.

  8. When you are prompted to restart the computer, click Restart Now.

  9. After the computer restarts, click Switch User, and then click Other User. Sign in to the CORP domain by using the User1 account, which is a member of Domain Admins and Enterprise Admins groups.

Tip


The Windows PowerShell commands to configure the IP address, rename the computer, and join the computer to the domain are: $NetIP = Get-NetIPAddress | where {$.Addressfamily -eq "IPv4" -and $.InterfaceAlias -like "Ethernet"} $NetAlias = $NetIP.InterfaceAlias New-NetIPAddress -InterfaceAlias $NetAlias -IPAddress 10.0.0.4 -PrefixLength 24 Set-DnsClientServerAddress -InterfaceAlias $NetAlias -ServerAddresses 10.0.0.1 Set-DnsClient -InterfaceAlias $NetAlias -ConnectionSpecificSuffix corp.contoso.com Add-Computer -NewName CEP1 -DomainName corp.contoso.com -Credential CORP\User1 Restart-computer

To install the Certificate Enrollment Policy Web Service to use user name and password authentication

  1. On the CEP1 server, ensure you are signed in as User1. Right-click Windows PowerShell and then click Run as Administrator, and then run the following commands:

    gpupdate /force
cd cert:\LocalMachine\My
dir | format-list

    Important


    You need a Server Authentication certificate for the CEP1 server to perform the following procedure. The certificate should be automatically distributed to your computer through Group Policy and the certification authority (CA) that is running on APP1, which was configured in the Test Lab Guide: Deploying a Two-Tier PKI Hierarchy. The gpupdate command forces the Group Policy to update and download the certificate. You should see that you have a certificate issued by IssuingCA-APP1, which you will be using to install the Certificate Enrollment Policy Web Service. If you do not see the certificate immediately after running these commands, wait a couple of minutes, and then run dir | format-list command again.

  2. In Server Manager, click Manage, and then click Add Roles and Features. On the Before you begin screen, click Next.

  3. On the Select installation type screen, ensure that Role-based or feature-based installation is selected, and then click Next.

  4. On the Select destination server screen, ensure that CEP1.corp.contoso.com is selected, and then click Next.

  5. On the Select server roles screen, select Active Directory Certificate Services. When you are prompted to add the Remote Server Administration Tools, click Add Features, and then click Next.

  6. On the Select features screen, click Next.

  7. On the Active Directory Certificate Services screen, click Next.

  8. On the Select role service screen, clear the Certification Authority role, and select the Certificate Enrollment Policy Web Service. When you are prompted to add roles and features, click Add Features, and then click Next.

  9. On the Web Server Role (IIS) screen, click Next.

  10. On the Select role services screen, click Next.

  11. On the Confirm installation selections screen, click Install.

  12. When the installation is complete, click Configure Active Directory Certificate Services on the destination computer.

    Tip


    If you clicked Close before the installation completed, you can complete the role service configuration through a link in the notifications icon in Server Manager.

  13. On the Credentials screen, click Next.

  14. On the Role Service screen, select Certificate Enrollment Policy Web Service, and then click Next.

  15. On the Authentication Type for CEP screen, select User name and password, and then click Next.

  16. On Enable Key-Based Renewal for CEP screen, select the Enable key-based renewal check box, and then click Next.

  17. On the Server Certificate screen, select the CEP1.corp.contoso.com certificate that was issued by IssuingCA-APP1, and then click Next.

  18. On the Confirmation screen, click Configure.

  19. After the configuration is complete, on the Results screen, click Close, and then in the Add Roles and Features Wizard, click Close.

    Tip


    The following Windows PowerShell commands run from the Cert:\LocalMachine\My path as an Administrator will also perform the installation that was described in the previous steps: Install-WindowsFeature Web-WebServer -IncludeManagementTools Add-WindowsFeature Adcs-Enroll-Web-Pol Install-AdcsEnrollmentPolicyWebService -AuthenticationType Username -KeyBasedRenewal -SSLCertThumbprint (dir -dnsname cep1.corp.contoso.com).Thumbprint

  20. In Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.

  21. In the Connections pane of the Internet Information Services (IIS) Manager console, expand the CEP1 server.

    Note


    If you are prompted to get started with the Microsoft Web Platform, click Cancel.

  22. Expand Sites, and then expand the Default Web Site.

  23. Click the KeyBasedRenewal_ADPolicyProvider_CEP_UsernamePassword application.

  24. In the center pane, double-click Application Settings.

  25. In Application Settings, double-click FriendlyName. In the Value text box, type SSL Server Certificates, and then click OK.

  26. In Application Settings, double-click URI, and ensure that the URI value is https://cep1.corp.contoso.com/KeybasedRenewal_ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP.

    Note


    This URI will be used in a Windows PowerShell command later from WEB1to contact the CEP1 server for certificate enrollment.

  27. Click OK, and then close Internet Information Services (IIS) Manager.

To install a Certificate Enrollment Policy Web Service that uses certificate authentication

  1. To install a second instance of the Certificate Enrollment Policy Web Service on the CEP1 server, you must use Windows PowerShell. Open Windows PowerShell as an Administrator, and run the following command:

    cd cert:\LocalMachine\My
Install-AdcsEnrollmentPolicyWebService -AuthenticationType Certificate -KeyBasedRenewal -SSLCertThumbprint (dir -dnsname cep1.corp.contoso.com).Thumbprint

  2. When you are prompted for confirmation, type Y, and then press ENTER.

    Note


    You will see a confirmation that reads ErrorString. If the confirmation is blank under ErrorString, the installation succeeded. Otherwise, review your command for errors, correct them, and try again.

  3. In Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.

  4. In the Connections pane of the Internet Information Services (IIS) Manager console, expand the CEP1 server.

    Note


    If you are prompted to get started with the Microsoft Web Platform, click Cancel.

  5. Expand Sites, and then expand Default Web Site.

  6. Click the KeyBasedRenewal_ADPolicyProvider_CEP_Certificate application.

  7. In the center pane, double-click Application Settings.

  8. In Application Settings, double-click FriendlyName, and then in the Value text box, type SSL Server Certificates. Click OK.

  9. In Application Settings, double-click URI, and ensure that the URI value is https://cep1.corp.contoso.com/KeybasedRenewal_ADPolicyProvider_CEP_Certificate/service.svc/CEP. This URI will be used to configure WEB1 to contact the CEP1 server for certificate renewal.

Step 4: Configure the CES1 server

The procedures to configure the CES1 server to support the configuration that is demonstrated in this guide are as follows:

  1. Install the operating system

  2. Configure TCP/IP

  3. Join the computer to the domain

  4. Configure the service account

  5. Install the Certificate Enrollment Web Service to use user name and password authentication

  6. Install the Certificate Enrollment Web Service to use certificate authentication

  7. Grant the service account Read permission on the CA

  8. Trust the service account for delegation

The Certificate Enrollment Web Services server is used to submit certificate requests to the CA. The certificate requests are submitted by the Certificate Enrollment Policy Web Services service account to APP1 on behalf of the users, computers, and devices that request them. In addition to the configuration for accepting user name and password authentication and certificate authentication, the service account requires Read permission to the CA.

To install the operating system

  1. Start the installation of Windows Server 2012

  2. Follow the instructions to complete the installation, specifying Windows Server 2012 (full installation) and a strong password for the local Administrator account. Sign in by using the local Administrator account.

  3. Connect the computer to a network that has Internet access and run Windows Update to install the latest updates for Windows Server 2012.

  4. Connect the computer to the Corpnet subnet.

To configure TCP/IP

  1. From Windows PowerShell, run ncpa.cpl.

  2. In Network Connections, right-click Ethernet, and then click Properties.

  3. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

  4. Select Use the following IP address. In IP address, type 10.0.0.5. In Subnet mask, type 255.255.255.0.

  5. Select Use the following DNS server addresses. In Preferred DNS server, type 10.0.0.1.

  6. Click OK, and then click Close.

  7. Close the Network Connections window.

  8. From Windows PowerShell, run sysdm.cpl.

  9. On the System Properties dialog box on the Computer Name tab, click Change.

  10. In Computer name, type CES1 as the new name for the computer, and then click OK.

  11. When you are prompted that you must restart the computer, click OK.

  12. On the System Properties dialog box, click Close.

  13. When you are prompted to restart the computer, click Restart Now.

  14. After restarting, sign in using the local Administrator account.

To join the computer to the domain

  1. From Windows PowerShell, run sysdm.cpl.

  2. In the System Properties dialog box, click the Computer Name tab, click Change.

  3. In Member of, select Domain, and then type corp.contoso.com. Click OK.

  4. When you are prompted for a user name and password, type a domain user name and password (you can use any valid user account, including the default administrator), and then click OK.

  5. When you see a dialog box welcoming you to the corp.contoso.com domain, click OK.

  6. When you are prompted that you must restart the computer, click OK.

  7. On the System Properties dialog box, click Close.

  8. When you are prompted to restart the computer, click Restart Now.

  9. After the computer restarts, click Switch User, and then click Other User and sign in to the CORP domain using an account that is a member of Enterprise Admins.

Tip


The Windows PowerShell commands to configure the IP address, rename the computer, and join the computer to the domain are: $NetIP = Get-NetIPAddress | where {$.Addressfamily -eq "IPv4" -and $.InterfaceAlias -like "Ethernet"} $NetAlias = $NetIP.InterfaceAlias New-NetIPAddress -InterfaceAlias $NetAlias -IPAddress 10.0.0.5 -PrefixLength 24 Set-DnsClientServerAddress -InterfaceAlias $NetAlias -ServerAddresses 10.0.0.1 Set-DnsClient -InterfaceAlias $NetAlias -ConnectionSpecificSuffix corp.contoso.com Add-Computer -NewName CES1 -DomainName corp.contoso.com -Credential CORP\User1 Restart-computer

To configure the service account

  1. On the domain controller, DC1, as User1, in Server Manager, click Tools, and then click Active Directory Administrative Center.

  2. In the console tree, click the corp (local).

  3. In the Tasks pane, click New, and then click User.

  4. In the Create User dialog box, in Full name, type CES, and in User SamAccountName logon:, ensure that corp\ is the displayed as the domain, and then type CES as the account name.

  5. In Password, type the password that you want to use for this account, and in Confirm password, type that password again.

  6. Under Password options, select Other password options, and select Password never expires.

  7. Click OK to create the user account, and then close the Create User dialog box.

    Tip


    Alternatively, you could create the service account using Windows PowerShell. You can run the following command to add the CES user account to Active Directory Domain Services (AD DS): New-ADUser -SamAccountName ces -AccountPassword (read-host "Set user password" -assecurestring) -name "ces" -enabled $true -PasswordNeverExpires $true -ChangePasswordAtLogon $false

  8. The CES user account requires a service principal name (SPN) to be delegated web enrollment permissions. To create the SPN, open Windows PowerShell and run the following command: setspn -s http/ces1.corp.contoso.com corp\ces

  9. In CES1, sign in as User1. In Server Manager, click Tools, and then click Computer Management.

  10. In the console tree, expand Local Users and Groups, and then click Groups.

  11. In the details pane, double-click IIS_IUSRS.

  12. In IIS_IUSRS Properties, click Add.

  13. In Select Users, Computers, Service Accounts, or Groups, type CES, and then click Check Names. Click OK twice.

    Tip


    Alternatively, you can use Windows PowerShell to add the CES user account to the IIS_IUSRS local group. To do so, run the following command: Net localgroup IIS_IUSRS corp\ces /Add

Important


You need a Server Authentication certificate for the CES1 server to perform the following procedure. The certificate should be automatically distributed to your computer through Group Policy and the CA that is running on APP1, which was configured in the Test Lab Guide: Deploying a Two-Tier PKI Hierarchy. The first command that you are asked to run in the following procedure is a command to update Group Policy to ensure that the certificate is distributed to CES1.

To install the Certificate Enrollment Web Service to use user name and password authentication

  1. On CES1, as User1, open Windows PowerShell as an Administrator, and run the following command:

    gpupdate /force
cd cert:\LocalMachine\My
dir | format-list

    You should see that you have a certificate issued by IssuingCA-APP1, which you will be using to install the Certificate Enrollment Web Service. If this is not the case, try restarting your computer.

  2. In Server Manager, click Manage, and then click Add Roles and Features. If the Before you begin screen appears, click Next.

  3. On the Select installation type screen, select Role-based or feature-based installation, and then click Next.

  4. On the Select destination server screen, select CES1.corp.contoso.com, and then click Next.

  5. On the Select server roles screen, select Active Directory Certificate Services. When you are prompted to add the Remote Server Administration Tools, click Add Features, and then click Next.

  6. On the Select features screen, click Next.

  7. On the Active Directory Certificate Services screen, click Next.

  8. On the Select role service screen, clear the Certification Authority role, and then select the Certificate Enrollment Web Service. When you are prompted to add roles and features, click Add Features, and then click Next.

  9. On the Web Server Role (IIS) screen, click Next.

  10. On the Select role services screen, click Next.

  11. On the Confirm installation selections screen, click Install.

  12. When the installation is complete, click Configure Active Directory Certificate Services on the destination computer.

    Tip


    If you clicked Close before the installation completed, you can complete the role service configuration through a link in the notifications icon in Server Manager.

  13. On the Credentials screen, ensure that you see CORP\User1 as the account to use for installation, and then click Next.

  14. On the Role Service screen, select Certificate Enrollment Web Service, and then click Next.

  15. On the CA for CES screen, click Select. In Select Certification Authority, select IssuingCA-APP1, click OK, and then click Next.

  16. On the Authentication Type for CES screen, select User name and password, and then click Next.

  17. On the Service Account for CES screen, ensure Specify service account (recommended) is selected, and then click Select.

  18. In AD CS Configuration enter the CORP\CES as the user name. Enter the password for the account and then click OK.

  19. On the Server Certificate screen, select the CES1.corp.contoso.com certificate that was issued by IssuingCA-APP1, and then click Next.

  20. On the Confirmation screen, click Configure.

  21. After the configuration is complete, on the Results screen, click Close, and then in the Add Roles and Features Wizard, click Close.

Tip


Alternatively, the following Windows PowerShell commands can be run from the Cert:\LocalMachine\My path as an Administrator to perform the installation and configuration described in the previous steps: Install-WindowsFeature Web-WebServer -IncludeManagementTools Add-WindowsFeature Adcs-Enroll-Web-Svc Install-AdcsEnrollmentWebService -ServiceAccountName "CORP\CES" -CAConfig "APP1.corp.contoso.com\IssuingCA-APP1" -SSLCertThumbprint (dir -dnsname ces1.corp.contoso.com).Thumbprint -AuthenticationType Username

To install the Certificate Enrollment Web Service to use certificate authentication

  1. To install a second instance of the Certificate Enrollment Web Service on CES1, you must use Windows PowerShell. Open Windows PowerShell.

  2. Type cd cert:\LocalMachine\My, and then press ENTER.

  3. Type certutil, and then press ENTER. Take note of the line that reads Config. This is the configuration that you will use when you install the Certificate Enrollment Web Service. For this lab, the configuration is APP1.corp.contoso.com\IssuingCA-APP1.

    Note


    The last line of the configuration output displays Web Enrollment Servers and shows https://ces1.corp.contoso.com/IssuingCA-APP1_CES_UsernamePassword/service.svc/CES, which is the URI that the Certificate Enrollment Policy Web Service will pass to the client during certificate enrollment.

  4. Type the following command to install the Certificate Enrollment Web Service:

    Install-AdcsEnrollmentWebService -CAConfig "APP1.corp.contoso.com\IssuingCA-APP1" -SSLCertThumbprint (dir -dnsname ces1.corp.contoso.com).Thumbprint -AuthenticationType Certificate -RenewalOnly -AllowKeyBasedRenewal

  5. Enter the password for the CES user account when you are prompted, and then press ENTER.

  6. When you are prompted for confirmation, type Y, and then press ENTER.

    Note

  • You will see a confirmation that reads ErrorString. If the confirmation is blank under ErrorString, the installation succeeded. Otherwise, review your command for errors, correct them, and try again.
  • After the service is configured, type certutil again. You willsee that there are now two Web Enrollment Servers. The URI added in this procedure is https://ces1.corp.contoso.com/IssuingCA-APP1_CES_Certificate/services.svc/CES. This is the URI that the Certificate Enrollment Web Service will pass to the client during renewal.

    • Grant service account Read permission on the CA

    1. On APP1, open the Certification Authority console as CORP\User1.

    2. In the navigation pane, right-click IssuingCA-APP1, and then click Properties.

    3. On the Security tab, click Add.

    4. In Enter the object names to select, type CES, click Check Names, and then click OK.

    5. Select CES, and then in Permissions for CES, select the check boxes that correspond to the Allow and Read permissions. Clear the check box that corresponds to Allow and Request Certificates, and then click OK.

      Note


      The Authenticated Users group has the Request Certificates permission set by default, and the Authenticated Users group includes all the computer accounts in the domain. This means that CES has Request Certificates permission through its membership in Authenticated Users.

    Trust the service account for delegation

    1. On DC1, open Active Directory Users and Computers as User1.

    2. In the navigation pane, expand corp.contoso.com, and then click Users.

    3. In the details pane, right-click the CES user account, and then click Properties.

    4. On the Delegation tab, select Trust this user for delegation to specified services only. Select Use any authentication protocol, and then click Add.

    5. In Add Services, click Users or Computers.

    6. In Select Users or Computers, under Enter the object names to select, type APP1, click Check Names, and then click OK.

    7. From the list of available services, select the HOST and rpcss services. Click OK twice.

      Tip


      You can hold the CTRL key to select multiple services in this interface.

    8. Close Active Directory Users and Computers.

    Step 5: Prepare an appropriate certificate template

    For Certificate Enrollment Web Services to provide certificates to clients, an appropriate certificate template must be configured and published.

    To prepare a certificate template

    1. In the navigation pane of the Certification Authority console on APP1, expand IssuingCA-APP1.

    2. Right-click Certificate Templates, and then click Manage. The Certificates Templates Console opens.

    3. In Template Display Name, right-click the Web Server template, and then click Duplicate Template.

    4. On the Compatibility tab, in Compatibility Settings, set Certification Authority to Windows Server 2012. When the Resulting changes dialog box appears, click OK.

    5. Set Certificate recipient to Windows 8 / Windows Server 2012. When the Resulting changes dialog box appears, click OK.

      Note


      Setting the certification authority and the certificate client to Windows Server 2012 / Windows 8 allows key-based renewal, which enables the client to renew its certificate by using the existing certificate.

    6. On the General tab, in Template display name, type Internet Server to rename the template. Set the Validity period to 1years and ensure the Renewal period is set to 6weeks.

    7. On the Security tab, under Group or user names, select Authenticated Users, and then select the check box that corresponds to Allow and Enroll permission. This ensures that the template is visible to all members of the Authenticated Users group, which includes any account (user, computer, or device) that successfully authenticates to the domain.

      Note


      In a production environment, you may elect to further secure this template so that only members of a specific group can access the template.

    8. On the Extensions tab, under Extensions included in this template, select Application Policies, and then click Edit.

    9. In Edit Application Policies Extension, click Add.

    10. In Add Application Policy, under Application Policies, double-click Client Authentication. In Edit Application Policies Extension, click OK.

      Note


      Under Description of Application Policies, Client Authentication and Server Authentication should appear. Client Authentication allows a certificate to prove the identity of the certificate services client. Server Authentication allows a certificate to prove the identity of a web server.

    11. On the Subject Name tab, select Supply in the request, and then select Use subject information from existing certificates for autoenrollment and renewal request.

    12. On the Issuance Requirements tab, under Require the following for enrollment, select CA certificate manager approval. Under Require the following for reenrollment, select Valid existing certificate, and then select Allow key based renewal. Click OK.

    13. Open Windows PowerShell as an Administrator. Type certutil, and then press ENTER. This shows you the CA configuration that is used in the following command.

    14. Run the following command:

      Certutil -config "APP1.corp.contoso.com\IssuingCA-APP1" -setreg policy\EditFlags +EDITF_ENABLERENEWONBEHALFOF

    15. Run the following command to restart the CA service to ensure that the configuration change is complete:

      Restart-service certsvc

    16. Close Windows PowerShell.

    17. Close the Certificate Templates Console.

    18. In the Certification Authority console, in the navigation console tree, click Certificate Templates. The details pane displays the issued certificate templates.

    19. In the console tree, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

    20. In the Enable Certificate Templates dialog box, under Name, click Internet Server, and then click OK.

      Note


      You can also enable the Internet Server certificate template in Windows PowerShell by running the following command: Add-CATemplate InternetServer

    Step 6: Configure WEB1

    In this step, you will configure WEB1 as a member of a workgroup that is connected to the CorpNet subnet. You will configure WEB1 to trust the root CA of corp.contoso.com. The procedures to complete this step are as follows:

    1. Install the operating system

    2. Configure TCP/IP

    3. Configure WEB1 to trust the root CA

    To install the operating system

    1. Start the installation of Windows Server 2012

    2. Follow the instructions to complete the installation, specifying Windows Server 2012 (full installation) and a strong password for the local Administrator account. Sign in by using the local Administrator account.

    3. Connect the computer to a network that has Internet access and run Windows Update to install the latest updates for Windows Server 2012.

    4. Connect the computer to the Corpnet subnet.

    To configure TCP/IP

    1. From Windows PowerShell, run ncpa.cpl.

    2. In Network Connections, right-click Ethernet, and then click Properties.

    3. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

    4. Select Use the following IP address. In IP address, type 10.0.0.6. In Subnet mask, type 255.255.255.0.

    5. Select Use the following DNS server addresses. In Preferred DNS server, type 10.0.0.1.

    6. Click OK, and then click Close.

    7. Close the Network Connections window.

    8. In Windows PowerShell, run sysdm.cpl.

    9. On the System Properties dialog box on the Computer Name tab, click Change.

    10. In Computer name, type WEB1 as the new name for the computer, and then click OK.

    11. When you are prompted that you must restart the computer, click OK.

    12. On the System Properties dialog box, click Close.

    13. When you are prompted to restart the computer, click Restart Now.

    14. After restarting, sign in by using the local Administrator account.

    Tip


    The Windows PowerShell commands change the IP address and rename the computer are as follows: $NetIP = Get-NetIPAddress | where {$.Addressfamily -eq "IPv4" -and $.InterfaceAlias -like "Ethernet"} $NetAlias = $NetIP.InterfaceAlias New-NetIPAddress -InterfaceAlias $NetAlias -IPAddress 10.0.0.6 -PrefixLength 24 Set-DnsClientServerAddress -InterfaceAlias $NetAlias -ServerAddresses 10.0.0.1 Set-DnsClient -InterfaceAlias $NetAlias -ConnectionSpecificSuffix corp.contoso.com Rename-computer WEB1 Restart-computer

    To configure WEB1 to trust the root CA

    1. On WEB1, insert the removable storage device that contains the certificates for APP1 and ORCA1.

      Tip


      If you no longer have the removable storage device, you can copy the orca1_ORCA-CA.crt files to a removable storage device from the c:\pki folder on APP1. The storage device can be physical or virtual, as discussed in Hardware and software requirements earlier in this document.

    2. On WEB1, open Windows PowerShell as an Administrator, and then type mmc.

    3. Click File, and then click Add/Remove Snap-in.

    4. In Add or Remove Snap-ins, click Certificates, and then click Add.

    5. In Certificates snap-in select Computer account. Click Next.

    6. In Select Computer, leave Local computer selected, click Finish, and then click OK.

    7. In the navigation pane, expand Certificates (Local Computer).

    8. Right-click Trusted Root Certification Authorities, click All Tasks, and then click Import.

    9. In the Certificate Import Wizard, click Next.

    10. On the File to Import screen, in File name, type the path to the ORCA1 certificate that is on your removable storage device. For example, if the ORCA1 certificate is named orca1_ORCA1-ContosoRootCA.crt and on a floppy disk, you would type A:\orca1_ORCA1-ContosoRootCA.crt. You can alternatively use the Browse button to search for the certificate. Select orca1_ORCA1-ContosoRootCA.crt, and then click Next.

    11. On the Certificate Store screen, select Place all certificates in the following store and set Certificate store to Trusted Root Certification Authorities. Click Next, and then click Finish. When the Certificate Import Wizard shows that the import was successful, click OK.

    12. On Console1, click File, and then click Save. Ensure that Save in is set to Desktop (to save the console on the current user account’s Desktop). In File name, type Certificates to change the console name from Console1 to Certificates. Click OK.

    Step 7: Obtain a certificate and test automatic renewal

    You will use user name and password authentication through Certificate Enrollment Web Services to request an initial certificate. Then, you will simulate the automatic renewal of that certificate by using the existing certificate. The procedures to complete this step are as follows:

    1. Request a certificate

    2. Approve the certificate request

    3. Install the certificate

    4. Configure WEB1 for automated certificate renewal

    5. Test the certificate renewal

    To request a certificate

    1. To use certificate-based authentication, you must first obtain a certificate. On WEB1, sign in as the local Administrator. Run Windows PowerShell as Administrator. Run the following command to obtain the initial certificate by using user name and password authentication:

      Get-Certificate -template InternetServer -Url "https://cep1.corp.contoso.com/KeybasedRenewal_ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP" -SubjectName "CN=WEB1" -DnsName "web1.treyresearch.com" -Credential (Get-Credential) -CertStoreLocation "cert:\LocalMachine\My"

      Enter Corp\User1 credentials when you are prompted.

      Note


      The request will be pending, and you must approve the request on APP1. If the request does not complete successfully, check your command syntax and try again. If the request times out, try again.

    To approve the certificate request

    1. On APP1, as User1, open the Certification Authority console. In the navigation pane, click Pending Requests.

    2. In the details pane, make a note of the Request ID number, and then right-click the pending request. Click All Tasks, and then click Issue.

    To install the certificate

    1. On WEB1, run the following Windows PowerShell commands to retrieve the certificate

      Cd Cert:\LocalMachine\Request

      Dir | Get-Certificate -Credential (Get-Credential)

      Enter your Corp\User1 credentials when you are prompted. If the request does not complete successfully the first time, check your command syntax and try again. If the request times out, try again.

    To configure WEB1 for automated certificate renewal

    1. On WEB1, open the Local Group Policy Editor console. To do so, open Windows PowerShell as an Administrator and type the following command gpedit.msc.

    2. In the Local Group Policy Editor navigation pane, expand Local Computer Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, and then click Public Key Policies.

    3. In the details pane, double-click Certificate Services Client – Auto-Enrollment.

    4. On the Enrollment Policy Configuration tab, set Configuration Model to Enabled. Select Renew expired certificates, update pending certificates, and remove revoked certificates, select Update certificates that use certificate templates, and then click OK.

    5. In the Local Group Policy Editor console details pane, double-click Certificate Services Client – Certificate Enrollment Policy.

    6. Set Configuration Model to Enabled.

    7. On the Enrollment Policy tab, click Add.

    8. In Certificate Enrollment Policy Server, in the Enter enrollment policy server URI text box, enter the following URI:

      https://cep1.corp.contoso.com/KeyBasedRenewal\_ADPolicyProvider\_CEP\_Certificate/service.svc/CEP

    9. Set Authentication type to X.509 Certificate.

    10. Click Validate Server. Windows Security displays the web1.treyresearch.com certificate. Click OK.

      Note


      If you receive an operation timeout, ensure that the CEP1 and CES1 servers are online and then retry.

    11. When the path is successfully validated, click Add.

    12. On the Enrollment Policy tab, in the Certificate enrollment policy list, select the Default check box for SSL Server Certificates, and then click OK.

    To test the certificate renewal

    1. On WEB1, run the following command from Windows PowerShell as an Administrator:

      Cd Cert:\LocalMachine\My
Dir | format-list

      Copy the certificate thumbprint from the output. (You can copy by selecting the text and right-clicking.)

    2. Run the following command in to delete the policy cache:

      certutil -f -policyserver * -policycache delete

    3. Run the following command to renew the certificate. Replace <thumbprint> with the actual characters of the certificate thumbprint that you copied. (You can paste by right-clicking.)

      certreq -machine -q -enroll -cert <thumbprint> renew

      Note


      If the operation times out, try again. If you run into other errors, ensure that the CEP1 and CES1 servers are online by running the command iisreset from Windows PowerShell on the CES1 and CEP1 servers and then retry.

    4. On WEB1, run the following command from Windows PowerShell as an Administrator:

      Cd Cert:\LocalMachine\My
Dir | format-list

      Note that the certificate thumbprint has changed. This demonstrates that the certificate was successfully renewed.

    Note


    To comment on this content or ask questions about the information presented here, please use our Feedback guidance.

    See Also

    Windows Server Security Forum Active Directory Certificate Services (AD CS) Public Key Infrastructure (PKI) Frequently Asked Questions (FAQ) Windows PKI Documentation Reference and Library Windows PKI Blog