4. Certificate Templates
Certificate templates do just what you would expect: they let the CA issue certificates preconfigured with specific settings or information. Windows Server 2003 supports version 1 and 2 certificate templates. Windows Server 2008 supports version 3, although ConfigMgr does not currently support this version. Certificate templates are stored in the configuration naming context in the following location:
CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain
Version 1 certificate templates are only capable of having their permissions modified. Version 2 certificate templates allow you to create new templates by duplicating existing version 1 or 2 templates.
ConfigMgr requires the use of the following certificate templates:
Web Server
Computer or Workstation
Authenticated Session
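The following script is an added example, not from the book: it enumerates the templates stored at the location above, reads their schema version (1 or 2) to show which can be duplicated, and flags the templates ConfigMgr requires. It assumes a domain-joined Windows host with read access to the Configuration partition; the template display names used for matching are assumptions.

```powershell
# Added example, not from the book. Enumerate the certificate templates in the
# configuration naming context and flag the ones ConfigMgr requires.
# Assumed display names of the required templates:
$requiredByConfigMgr = @('Web Server', 'Computer', 'Workstation Authentication', 'Authenticated Session')

# Resolve CN=Configuration,DC=... for this forest instead of hard-coding it.
$configNC   = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'].Value
$templateDN = "LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]$templateDN
$searcher.Filter     = '(objectClass=pKICertificateTemplate)'
$searcher.PageSize   = 500
foreach ($attr in 'displayName', 'msPKI-Template-Schema-Version', 'pKIExtendedKeyUsage') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$templates = foreach ($result in $searcher.FindAll()) {
    $p    = $result.Properties
    $name = [string]$p['displayname'][0]
    # Schema version 1 templates can only have their permissions changed;
    # version 2 templates can be duplicated and edited.
    $version = [int]$p['mspki-template-schema-version'][0]
    [pscustomobject]@{
        Name      = $name
        Version   = $version
        Editable  = ($version -ge 2)
        ConfigMgr = ($requiredByConfigMgr -contains $name)
        EKUs      = (@($p['pkiextendedkeyusage']) -join ', ')
    }
}

# Required templates first, then by version and name.
$templates | Sort-Object @{Expression = 'ConfigMgr'; Descending = $true}, Version, Name |
    Format-Table -AutoSize
```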
5. Certificate Validation
Certificate validation verifies that the information contained in the certificate is authentic, establishes what the certificate is to be used for, and confirms that the certificate is trusted. When you enable Certificate Revocation List checking, the Windows OS using the certificate validates each certificate in the chain until it reaches the CA.
CRL checking is the process of searching for revoked certificates on a server. The default setting for ConfigMgr in native mode is that the clients validate their certificate against the CRL. Although disabling CRL checking is not a best practice, some technologies offer scenarios where CRL checking may not be necessary or ideal. As an example, Windows mobile devices cannot perform CRL checking. You can disable CRL checking using one of two methods:
Certificate validation also includes certificate discovery and path validation:
Certificate discovery is used to build or enumerate the certificate chain at the client while the issued certificate is being validated.
Path validation is the process of running checks against each certificate discovered in the chain until the root CA is reached.
These checks include verifying Authenticode signatures, determining if the issuing CA certificate is already in the certificate store, and checking for policy object identifiers.
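As an added example (not from the book), the function below performs certificate discovery and path validation on an exported certificate with the same chain-building engine Windows uses, with CRL checking either enabled for every certificate in the chain or disabled, and reports the status of each certificate up to the root CA. The certificate file path is an assumption.

```powershell
# Added example, not from the book. Build and validate the chain for an issued
# certificate, with or without CRL checking, and report each chain element.
function Test-CertificatePath {
    param(
        [Parameter(Mandatory)][string]$Path,
        # $false reproduces a client that has CRL checking disabled.
        [bool]$CheckRevocation = $true
    )
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # 'Online' retrieves CRLs from the CDP; 'NoCheck' skips revocation entirely.
    $mode = if ($CheckRevocation) { 'Online' } else { 'NoCheck' }
    $chain.ChainPolicy.RevocationMode = $mode
    # Check every certificate discovered in the chain, not only the leaf.
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'

    $valid = $chain.Build($cert)

    # One row per discovered certificate: leaf first, root CA last.
    $elements = foreach ($element in $chain.ChainElements) {
        $statuses = @($element.ChainElementStatus | ForEach-Object { $_.Status })
        if ($statuses.Count -eq 0) { $statuses = @('OK') }
        [pscustomobject]@{
            Subject  = $element.Certificate.Subject
            Issuer   = $element.Certificate.Issuer
            NotAfter = $element.Certificate.NotAfter
            Status   = ($statuses -join ', ')
        }
    }

    [pscustomobject]@{
        Valid       = $valid
        # Overall findings, e.g. Revoked, RevocationStatusUnknown,
        # OfflineRevocation, UntrustedRoot, NotTimeValid.
        ChainStatus = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        Elements    = $elements
    }
}

$result = Test-CertificatePath -Path 'C:\certs\client.cer'   # assumed path
$result | Select-Object Valid, ChainStatus | Format-List
$result.Elements | Format-Table -AutoSize
```

A client that cannot reach the CDP shows RevocationStatusUnknown or OfflineRevocation on the affected element while the same certificate validates cleanly with -CheckRevocation $false, which is the trade-off made when CRL checking is disabled.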
6. Deploying Certificates
Once the PKI is built and the certificate templates are in place, ConfigMgr administrators can begin issuing certificates to sites, site systems, and clients. There are a number of ways to deploy the certificates to each.
Deploying to Site Servers
ConfigMgr site servers can obtain their certificates in one of five ways:
If Microsoft’s PKI is used, the ConfigMgr administrator can modify a version 2 template that can be requested online.
If Microsoft’s PKI with web enrollment is used, the certificate can be requested from the website of the CA. A template can be created with the necessary configuration, which can also be requested from the website.
If IIS is installed on the site server, one method is always available, because the certificate request can be initiated through IIS.
The certificate can be requested using the Microsoft Certreq command-line utility included with Windows 2000 Server, Windows XP, Windows Server 2003, and Windows Server 2008.
The certificate can be created using the certificate management tools and then imported on the site server.
Note: Site Server Signing Certificate
Every site in the Configuration Manager 2007 hierarchy configured for native mode requires that each site server have its own site server signing certificate. This includes a central site used for reporting that has no clients assigned to it.
Deploying to Site Systems
ConfigMgr site systems can obtain their certificates in a number of ways:
Using Microsoft’s PKI with an enterprise CA, you can create the certificates based off a version 2 template and assign them to the servers using group policy and auto-enrollment.
Using Microsoft’s PKI with web enrollment, the certificate can be requested from the website of the CA.
If IIS is installed on the site server, one method is always available, because the certificate request can be initiated through IIS.
The certificate can be requested using the Microsoft Certreq command-line utility included with Windows 2000 Server, Windows XP, Windows Server 2003, and Windows Server 2008.
The certificate can be created with the certificate management tools and then imported onto the site server.
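The Certreq method listed for both site servers and site systems is shown below as an added example, not from the book: an INF file describing a Web Server certificate request for a site system, the three certreq steps (new, submit, accept), and a check that the issued certificate landed in the machine store with its private key. The FQDN, the CA config string and the working directory are assumptions; WebServer is the default internal name of the Web Server template.

```powershell
# Added example, not from the book. Request a site system's Web Server
# certificate from an enterprise CA with certreq.
$fqdn     = 'cm01.contoso.example'                      # assumed site system FQDN
$caConfig = 'ca01.contoso.example\Contoso Issuing CA'   # assumed "CAHost\CAName"
$workDir  = 'C:\certreq'                                # assumed working directory
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# The INF drives certreq -new: a non-exportable machine key that IIS can bind,
# and a Subject Alternative Name holding the FQDN that clients will connect to.
@"
[NewRequest]
Subject       = "CN=$fqdn"
KeyLength     = 2048
HashAlgorithm = sha256
Exportable    = FALSE
MachineKeySet = TRUE
ProviderName  = "Microsoft Software Key Storage Provider"
KeyUsage      = 0xa0
RequestType   = PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$fqdn&"

[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path "$workDir\webserver.inf" -Encoding ASCII

# 1. Generate the key pair in the machine store and write the PKCS#10 request.
certreq -new "$workDir\webserver.inf" "$workDir\webserver.req"
# 2. Submit the request to the CA; the template must grant this computer Enroll.
certreq -submit -config $caConfig "$workDir\webserver.req" "$workDir\webserver.cer"
# 3. Accept the issued certificate so it is joined to the pending private key.
certreq -accept "$workDir\webserver.cer"

# Verify the certificate is in LocalMachine\My and has its private key.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fqdn" } |
    Select-Object Thumbprint, Subject, NotAfter, HasPrivateKey
```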
Deploying to ConfigMgr Clients
ConfigMgr clients can obtain their certificates in one of three ways:
Automatically through Active Directory Domain Services.
Manually when the client is installed via ccmsetup.exe using the client.msi parameter SMSSIGNCERT with the path and filename of the exported certificate.
Automatically from the management point.
Certificate Auto-Enrollment
The process of certificate auto-enrollment handles certificate enrollment, certificate renewal, and certain other tasks, including removing revoked certificates and downloading trusted root CA certificates. Fortunately, Windows 2003 PKI extends certificate auto-enrollment for users to all certificate types.
Microsoft’s PKI uses certificate auto-enrollment in several ways:
Every Windows DC automatically receives a DC certificate when the machine joins a domain with an enterprise CA defined.
Administrators can use a group policy object (GPO) setting that automatically enrolls machines for IP security (IPSec) or SSL certificates.
An administrator can use a GPO setting that automatically enrolls several users.
A CA administrator who wants to change a property of a particular certificate type can duplicate the old certificate template to create a new certificate template and let the new template supersede the old one. Auto-enrollment then automatically distributes to the appropriate PKI users a new certificate based on the new template.
User and machine auto-enrollment requires that the machine and user be part of an AD domain.