
Source: gallery.technet.microsoft.com

Windows Server® 2012 Core Network Companion Guide: Server Certificate Deployment

Microsoft Corporation

Published: May, 2012

Authors: James McIllece and Kurt Hudson

Abstract

The Windows Server 2012 Core Network Guide provides instructions for planning and deploying the components required for a fully functioning network and a new Active Directory® domain in a new forest.

This guide explains how to build upon the foundation network by deploying server certificates for computers that are running Network Policy Server (NPS), Routing and Remote Access Service (RRAS), or both. Server certificates are required when you deploy certificate-based authentication methods with Extensible Authentication Protocol (EAP) and Protected EAP (PEAP) for network access authentication. Deploying server certificates with Active Directory Certificate Services (AD CS) for EAP and PEAP certificate-based authentication methods provides the following benefits:

- Binding the identity of the NPS or RRAS server to a private key
- A cost-efficient and secure method for automatically enrolling certificates to domain member NPS and RRAS servers
- An efficient method for managing certificates and certification authorities
- Security provided by certificate-based authentication
- The ability to expand the use of certificates for additional purposes


Copyright Information for Core Network Guide Documentation

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2009 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, OneApp, SQL Server, Windows, and Windows Server are trademarks of the Microsoft group of companies.

All other trademarks are property of their respective owners.


Contents

Core Network Companion Guide: Server Certificate Deployment ... 5
    Prerequisites for using this guide ... 5
    About this guide ... 6
        Requirements for deploying server certificates ... 6
    What this guide does not provide ... 7
    Technology overviews ... 7
        EAP ... 7
            EAP in Windows Server 2012 ... 8
        PEAP ... 8
            Features of PEAP ... 9
        Active Directory Certificate Services ... 9
Server Certificate Deployment Overview ... 9
    Server certificate deployment components ... 10
        CA1 running the AD CS server role ... 10
            CAPolicy.inf ... 11
            Copy of the RAS and IAS servers certificate template ... 11
            Additional CA1 configuration ... 11
        WEB1 running the Web Services (IIS) server role ... 11
            Virtual directory for the CRL and AIA ... 11
        DC1 running the AD DS and DNS server roles ... 12
            Group Policy default domain policy ... 12
            DNS alias (CNAME) resource record ... 12
        NPS1 running the Network Policy Server role service of the Network Policy and Access Services server role ... 12
            Group Policy applied and certificate enrolled to NPS1 ... 12
    Server certificate deployment process overview ... 12
Server Certificate Deployment Planning ... 13
    Plan basic server configuration ... 14
    Plan domain access ... 14
    Plan the location and name of the virtual directory on your Web server ... 14
    Plan a DNS alias (CNAME) record for your Web server ... 14
    Plan configuration of CAPolicy.inf ... 15
    Plan configuration of the CDP and AIA extensions on CA1 ... 16
    Plan the copy operation between the CA and the Web server ... 17
    Plan the configuration of the server certificate template on the CA ... 17
Server Certificate Deployment ... 17
Create an Alias (CNAME) Record in DNS for WEB1 ... 18
Configure WEB1 to Distribute Certificate Revocation Lists (CRLs) ... 19
Prepare the CAPolicy.inf File ... 20
Install the Certification Authority ... 22
Configure the CDP and AIA Extensions on CA1 ... 24
Copy the CA Certificate and CRL to the Virtual Directory ... 26
Configure the Server Certificate Template ... 27
Configure Server Certificate Autoenrollment ... 28
Refresh Group Policy ... 29
Verify NPS Server Enrollment of a Server Certificate ... 29
Additional Resources ... 31


Core Network Companion Guide: Server Certificate Deployment

The Windows Server 2012 Core Network Guide provides instructions for planning and deploying the core components required for a fully functioning network and a new Active Directory® domain in a new forest.

This guide explains how to build on the core network by providing instructions for deploying server certificates for computers that are running Network Policy Server (NPS), Routing and Remote Access Service (RRAS), or both.

This guide is also available in Word format at the Microsoft Download Center (http://go.microsoft.com/fwlink/p/?linkid=251761).

This guide contains the following sections.

- Prerequisites for using this guide
- About this guide
- What this guide does not provide
- Technology overviews
- Server Certificate Deployment Overview
- Server Certificate Deployment Planning
- Server Certificate Deployment
- Additional Resources

Prerequisites for using this guide

This is a companion guide to the Windows Server 2012 Core Network Guide. To deploy server certificates with this guide, you must first do the following.

Deploy a core network using the Core Network Guide, or already have the technologies provided in the Core Network Guide installed and functioning correctly on your network. These technologies include TCP/IP v4, DHCP, Active Directory Domain Services (AD DS), DNS, NPS, and Web Server (IIS).

The Windows Server 2012 Core Network Guide is available in the Windows Server 2012 Technical Library (http://go.microsoft.com/fwlink/?LinkId=154884).

The Core Network Guide is also available in Word format at the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=157742).


About this guide

This guide provides instructions for deploying server certificates to servers running NPS, RRAS, or both, by using AD CS in Windows Server 2012.

Server certificates are required when you deploy certificate-based authentication methods with Extensible Authentication Protocol (EAP) and Protected EAP (PEAP) for network access authentication.

Deploying server certificates with Active Directory Certificate Services (AD CS) for EAP and PEAP certificate-based authentication methods provides the following benefits:

- Binding the identity of the server running NPS or the RRAS server to a private key
- A cost-effective and secure method for automatically enrolling certificates to domain member NPS and RRAS servers
- An efficient method for managing certificates and certification authorities (CAs)
- Security provided by certificate-based authentication
- The ability to expand the use of certificates for additional purposes

This guide is designed for network and system administrators who have followed the instructions in the Windows Server 2012 Core Network Guide to deploy a core network, or for those who have previously deployed the technologies included in the Core Network Guide, including Active Directory Domain Services (AD DS), Domain Name Service (DNS), Dynamic Host Configuration Protocol (DHCP), TCP/IP, Web Server (IIS), and Network Policy Server (NPS).

This guide, which provides instructions for deploying server certificates using an online Enterprise Root certification authority (CA), is designed for small organizations that have limited computing resources. For security reasons, if your organization has the computing resources, it is recommended that you deploy an offline Enterprise Root CA in a two-tier public key infrastructure (PKI). For more information, see Additional Resources.

It is recommended that you review the design and deployment guides for each of the technologies that are used in this deployment scenario. These guides can help you determine whether this deployment scenario provides the services and configuration that you need for your organization's network.

Requirements for deploying server certificates

Following are the requirements for using certificates:

To deploy server certificates by using autoenrollment, AD CS requires the Windows Server 2012 Standard, Enterprise, or Datacenter operating systems. AD DS must be installed before AD CS is installed. Although AD CS can be deployed on a single server, many deployments involve multiple servers configured as CAs.

To provide computers with access to the Authority Information Access (AIA) and certificate revocation list (CRL) that is generated by your certification authority, you must have a Web server that is properly configured according to the instructions in this guide.


To deploy PEAP or EAP for virtual private networks (VPNs), you must deploy RRAS configured as a VPN server. The use of NPS is optional; however, if you have multiple VPN servers, using NPS is recommended for ease of administration and for the RADIUS accounting services that NPS provides.

To deploy PEAP or EAP for Remote Desktop Gateway (RD Gateway), you must deploy RD Gateway and NPS.

In previous versions of Windows Server, Remote Desktop Services was named Terminal Services.

To deploy PEAP or EAP for 802.1X secure wired or wireless, you must deploy NPS and additional hardware, such as 802.1X-capable switches and wireless access points.

To deploy certificate-based authentication methods that require certificates for user and computer authentication in addition to requiring certificates for server authentication, such as EAP with Transport Layer Security (EAP-TLS) or PEAP-TLS, you must also deploy user or computer certificates through autoenrollment or by using smart cards.

What this guide does not provide

This guide does not provide comprehensive instructions for designing and deploying a public key infrastructure (PKI) by using AD CS. It is recommended that you review AD CS documentation and PKI design documentation before deploying the technologies in this guide. For more information, see the Additional Resources section later in this document.

This guide does not provide instructions on how to install Web Server (IIS) or Network Policy Server technologies on server computers; those instructions are provided in the Core Network Guide.

This guide also does not provide detailed instructions for deploying the network access technologies for which server certificates can be used.

Technology overviews

Following are technology overviews for EAP, PEAP, and AD CS.

EAP

Extensible Authentication Protocol (EAP) extends Point-to-Point Protocol (PPP) by allowing arbitrary authentication methods that use credential and information exchanges of arbitrary lengths. EAP was developed in response to an increasing demand for authentication methods that use security devices such as smart cards, token cards, and crypto calculators. EAP provides an industry-standard architecture for supporting additional authentication methods within PPP.

With EAP, an arbitrary authentication mechanism is used to verify the identities of the client and server that are establishing a network access connection. The exact authentication scheme to be used is negotiated by the access client and the authenticator - the network access server or the Remote Authentication Dial-In User Service (RADIUS) server.

Note


With EAP authentication, both the network access client and the authenticator (such as the server running NPS) must support the same EAP type for successful authentication to occur.

Strong EAP types, such as those that are based on certificates, offer better security against brute-force attacks, dictionary attacks, and password-guessing attacks than password-based authentication protocols, such as CHAP or MS-CHAP, version 1.

EAP in Windows Server 2012

Windows Server 2012 includes an EAP infrastructure, EAP types, and the ability to pass EAP messages to a RADIUS server (EAP-RADIUS) such as NPS.

By using EAP, you can support additional authentication schemes, known as EAP types. The EAP types that are supported by Windows Server 2012 are:

Transport Layer Security (TLS). EAP-TLS requires the use of computer certificates or user certificates, in addition to server certificates that are enrolled to computers running NPS.

Microsoft Challenge-Handshake Authentication Protocol, version 2 (MS-CHAP v2). This EAP type is a password-based authentication protocol. When used within EAP as the authentication method EAP-MS-CHAP v2, NPS and RRAS servers provide a server certificate as proof of identity to client computers, while users prove their identity with a user name and password.

Tunneled Transport Layer Security (TTLS). EAP-TTLS is new in Windows Server 2012 and is not available in other versions of Windows Server. EAP-TTLS is a standards-based EAP tunneling method that supports mutual authentication. EAP-TTLS provides a secure tunnel for client authentication using EAP methods and other legacy protocols. EAP-TTLS also provides you with the ability to configure EAP-TTLS on client computers for network access solutions in which non-Microsoft Remote Authentication Dial In User Service (RADIUS) servers that support EAP-TTLS are used for authentication.

In addition, you can install other non-Microsoft EAP modules on the server running NPS or Routing and Remote Access to provide other EAP authentication types. In most cases, if you install additional EAP types on servers, you must also install matching EAP client authentication components on client computers so that the client and server can successfully negotiate an authentication method to use for connection requests.

PEAP

PEAP uses TLS to create an encrypted channel between an authenticating PEAP client, such as a wireless computer, and a PEAP authenticator, such as a server running NPS or other RADIUS server.

PEAP does not specify an authentication method, but it provides additional security for other EAP authentication protocols (such as EAP-MSCHAP v2) that can operate through the TLS-encrypted channel provided by PEAP. PEAP is used as an authentication method for access clients that are connecting to your organization's network through the following types of network access servers:

- 802.1X-capable wireless access points
- 802.1X-capable authenticating switches
- Computers running Windows Server 2012 or Windows Server 2008 R2 and RRAS that are configured as VPN servers
- Computers running Windows Server 2012 or Windows Server 2008 R2 and RD Gateway

Features of PEAP

To enhance the EAP protocols and network security, PEAP provides:

A TLS channel that provides protection for the EAP method negotiation that occurs between the client and server. This TLS channel helps prevent an attacker from injecting packets between the client and the network access server to cause the negotiation of a less secure EAP type. The encrypted TLS channel also helps prevent denial of service attacks against the server running NPS.

Support for the fragmentation and reassembly of messages, which allows the use of EAP types that do not provide this functionality.

Clients with the ability to authenticate the NPS or other RADIUS server. Because the server also authenticates the client, mutual authentication occurs.

Protection against the deployment of an unauthorized wireless access point at the moment when the EAP client authenticates the certificate provided by the server running NPS. In addition, the TLS master secret that is created by the PEAP authenticator and the client is not shared with the access point. Because of this, the access point cannot decrypt the messages that are protected by PEAP.

PEAP fast reconnect, which reduces the delay between an authentication request by a client and the response by the NPS or other RADIUS server. Fast reconnect also allows wireless clients to move between access points that are configured as RADIUS clients to the same RADIUS server without repeated requests for authentication. This reduces resource requirements for the client and the server, and it minimizes the number of times that users are prompted for credentials.

Active Directory Certificate Services

AD CS in Windows Server 2012 provides customizable services for creating and managing the X.509 certificates that are used in software security systems that employ public key technologies. Organizations can use AD CS to enhance security by binding the identity of a person, device, or service to a corresponding public key. AD CS also includes features that allow you to manage certificate enrollment and revocation in a variety of scalable environments.

Server Certificate Deployment Overview

This topic contains the following sections.

- Server certificate deployment components
- Server certificate deployment process overview


Server certificate deployment components

You can use this guide to install Active Directory® Certificate Services (AD CS) as an Enterprise root certification authority (CA) and to enroll a server certificate to servers running Network Policy Server (NPS), Routing and Remote Access service (RRAS), or both NPS and RRAS.

If you deploy certificate-based authentication, servers running NPS and RRAS are required to use a server certificate to prove their identities to client computers that are attempting to connect to the network.

The following illustration shows the components that are required to deploy server certificates to your NPS server.

In the illustration above, four servers are depicted: DC1, NPS1, WEB1, and CA1. This guide provides instructions for deploying and configuring CA1, and for configuring the other three servers, which this guide assumes you have already installed on your network by using the Core Network Guide.

For more information on each item depicted in the illustration above, see the following:

- CA1 running the AD CS server role
- WEB1 running the Web Services (IIS) server role
- DC1 running the AD DS and DNS server roles
- NPS1 running the Network Policy Server role service of the Network Policy and Access Services server role

CA1 running the AD CS server role

The enterprise root certification authority (CA) is also an issuing CA. The CA issues certificates to computers and users that have the correct security permissions to enroll a certificate. Active Directory Certificate Services (AD CS) is installed on CA1.

Note


In this scenario, the enterprise root CA is also an issuing CA. For larger networks or where security concerns provide justification, you can separate the roles of root CA and issuing CA, and deploy subordinate CAs that are issuing CAs.

In the most secure deployments, the enterprise root CA is taken offline and physically secured. For more information, see Additional Resources.

CAPolicy.inf

Before you install AD CS, you configure the CAPolicy.inf file with specific settings for your deployment.

Copy of the RAS and IAS servers certificate template

When you deploy server certificates, you make a copy of the RAS and IAS servers certificate template and then configure the template according to your requirements and the instructions in this guide. You will be using a copy rather than the original so that the configuration of the original template is preserved for possible future use. The CA uses the copy of the RAS and IAS servers template to create server certificates that it issues to NPS servers that are members of the RAS and IAS servers group in Active Directory Users and Computers.

NPS servers that you have registered in Active Directory are automatically added to the RAS and IAS servers group.

Additional CA1 configuration

The CA publishes a certificate revocation list (CRL) that computers must check to ensure that certificates that are presented to them as proof of identity are valid certificates and have not been revoked. You must configure your CA with the correct location of the CRL so that computers know where to look for the CRL during the authentication process.

WEB1 running the Web Services (IIS) server role

The Web server is installed when you perform the tasks in the Windows Server 2012 Core Network Guide, so before you perform the tasks in this guide, you should already have a Web server installed on your network. On the computer that is running the Web Server (IIS) server role, WEB1, you must create a folder in Windows Explorer for use as the location for the CRL and AIA.

Virtual directory for the CRL and AIA

After you create a folder in Windows Explorer, you must configure the folder as a virtual directory in Internet Information Services (IIS) Manager, as well as configuring the access control list for the virtual directory to allow computers to access the AIA and CRL after they are published there.


DC1 running the AD DS and DNS server roles

The domain controller and DNS server are installed when you perform the tasks in the Windows Server 2012 Core Network Guide, so before you perform the tasks in this guide, you should already have a domain controller and DNS server installed on your network.

Group Policy default domain policy

After you configure the certificate template on the CA, you can configure the default domain policy in Group Policy so that certificates are autoenrolled to NPS servers. Group Policy is configured in AD DS on the server DC1.

DNS alias (CNAME) resource record

You must create an alias (CNAME) resource record for the Web server to ensure that other computers can find the server, as well as the AIA and the CRL that are stored on the server. In addition, using an alias CNAME resource record provides flexibility so that you can use the Web server for other purposes, such as hosting Web and FTP sites.

NPS1 running the Network Policy Server role service of the Network Policy and Access Services server role

The NPS server is installed when you perform the tasks in the Windows Server 2012 Core Network Guide, so before you perform the tasks in this guide, you should already have an NPS server installed on your network.

Group Policy applied and certificate enrolled to NPS1

After you have configured the certificate template and autoenrollment, you can refresh Group Policy on the NPS server. At this time, the NPS server enrolls the server certificate from CA1.

Server certificate deployment process overview

The details of how to perform these steps are provided in the section Server Certificate Deployment.

The process of configuring NPS and RRAS server certificate enrollment occurs in these stages:

1. On DC1, create an alias (CNAME) record for your Web server, WEB1.2. Configure your Web server to host the CRL from the CA, then publish the CRL and copy the

Enterprise Root CA certificate into the new virtual directory.3. On the computer where you are planning to install AD CS, assign the computer a static IP

address, rename the computer, join the computer to the domain, and then log on to the computer with a user account that is a member of the Domain Admins and Enterprise Admins groups.

Note

Page 13: gallery.technet.microsoft.com€¦ · Web view5. In Domains, OUs, and linked Group Policy Objects, click Default Domain Policy, and then click OK. 6. Click Finish, and then click

4. On the computer where you are planning to install AD CS, configure the CAPolicy.inf file with settings that are specific to your deployment.

5. Install the AD CS server role and perform additional configuration of the CA.6. Copy the CRL and CA certificate to the share on the Web server.7. On the CA, configure a server certificate template. The CA issues certificates based on a

certificate template, so you must configure the template for the server certificate before the CA can issue a certificate.

8. Configure server certificate autoenrollment in Group Policy. When you configure autoenrollment, all domain member servers that are running NPS, RRAS, or both on your network will automatically receive a server certificate when Group Policy on each server is refreshed. If you add more NPS or RRAS servers later, they will automatically receive a server certificate, too.

9. Refresh Group Policy on servers running NPS and RRAS. When Group Policy is refreshed, the servers receive the server certificate, which is based on the template that you configured in the previous step. This certificate is used by the server to prove its identity to client computers that attempt to connect to your network.

All domain member computers automatically receive the Enterprise Root CA’s certificate without the configuration of autoenrollment. This certificate is different from the server certificate that you configure and distribute by using autoenrollment. The CA's certificate is automatically installed in the Trusted Root Certification Authorities certificate store for all domain member computers so that they will trust certificates that are issued by this CA. For example, if you deploy EAP-TLS, client computers use a certificate to prove their identities to the NPS server. When the NPS server receives a certificate from a client computer as proof of the client computer’s identity, trust for the certificate is established because NPS has the issuing CA certificate in its own Trusted Root Certification Authorities certificate store.

10. Verify that the NPS server enrolled a valid server certificate.

Server Certificate Deployment Planning

Before you deploy server certificates, you must plan the following items:

Plan basic server configuration
Plan domain access
Plan the location and name of the virtual directory on your Web server
Plan a DNS alias (CNAME) record for your Web server
Plan configuration of CAPolicy.inf
Plan configuration of the CDP and AIA extensions on CA1
Plan the copy operation between the CA and the Web server
Plan the configuration of the server certificate template on the CA


Plan basic server configuration

After you install Windows Server 2012 on your certification authority, you must rename the computer and assign and configure a static IP address for the local computer.

For more information, see the Windows Server 2012 Core Network Guide in the Windows Server 2012 Technical Library.

Plan domain access

To log on to the domain, the computer must be a domain member computer and the user account must be created in AD DS before the logon attempt. In addition, most procedures in this guide require that the user account is a member of the Enterprise Admins or Domain Admins groups in Active Directory Users and Computers, so you must log on to the CA with an account that has the appropriate group membership.

For more information, see the Windows Server 2012 Core Network Guide in the Windows Server 2012 Technical Library.

Plan the location and name of the virtual directory on your Web server

To provide access to the CRL and the CA certificate to other computers, you must store these items in a virtual directory on your Web server. In this guide, the virtual directory is located on the Web server WEB1. This folder is on the “C:” drive and is named “pki.” You can locate your virtual directory on your Web server at a folder location that works for your deployment.

Plan a DNS alias (CNAME) record for your Web server

Alias (CNAME) resource records are also sometimes called canonical name resource records. With these records, you can use more than one name to point to a single host, making it easy to do such things as host both a File Transfer Protocol (FTP) server and a Web server on the same computer. For example, the well-known server names (ftp, www) are registered using alias (CNAME) resource records that map to the Domain Name System (DNS) host name, such as WEB1, for the server computer that hosts these services.

This guide provides instructions for configuring your Web server to host the certificate revocation list (CRL) for your certification authority (CA). Because you might also want to use your Web server for other purposes, such as to host an FTP or Web site, it’s a good idea to create an alias resource record in DNS for your Web server. In this guide, the CNAME record is named “pki,” but you can choose a name that is appropriate for your deployment.


Plan configuration of CAPolicy.inf

Before you install AD CS, you must configure CAPolicy.inf on the CA with information that is correct for your deployment. A CAPolicy.inf file contains the following information:

[Version]
Signature="$Windows NT$"
[PolicyStatementExtension]
Policies=InternalPolicy
[InternalPolicy]
OID=1.2.3.4.1455.67.89.5
Notice="Legal Policy Statement"
URL=http://pki.corp.contoso.com/pki/cps.txt
[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5
CRLPeriod=weeks
CRLPeriodUnits=1
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=1

You must plan the following items for this file:

URL. The example CAPolicy.inf file has a URL value of http://pki.corp.contoso.com/pki/cps.txt. This is because the Web server in this guide is named WEB1 and has a DNS CNAME resource record of pki. The Web server is also joined to the corp.contoso.com domain. In addition, there is a virtual directory on the Web server named “pki” where the certificate revocation list is stored. Ensure that the value that you provide for URL in your CAPolicy.inf file points to a virtual directory on your Web server in your domain.

RenewalKeyLength. The default renewal key length for AD CS in Windows Server 2012 is 2048. The key length that you select should be as long as possible while still providing compatibility with the applications that you intend to use.

RenewalValidityPeriodUnits. The example CAPolicy.inf file has a RenewalValidityPeriodUnits value of 5 years. This is because the expected lifespan of the CA is around ten years. The value of RenewalValidityPeriodUnits should reflect the overall validity period of the CA or the highest number of years for which you want to provide enrollment.

CRLPeriodUnits. The example CAPolicy.inf file has a CRLPeriodUnits value of 1. This is because the example refresh interval for the certificate revocation list in this guide is 1 week. At the interval value that you specify with this setting, you must publish the CRL on the CA to the Web server virtual directory where you store the CRL and provide access to it for computers that are in the authentication process.

AlternateSignatureAlgorithm. This CAPolicy.inf enables the alternate signature format, an improved security mechanism for the signatures on certificates and CRLs. You should not enable this setting if you still have Windows XP clients that require certificates from this CA. For more information, see Additional Resources.

If you do not plan on adding any subordinate CAs to your public key infrastructure at a later time, and if you want to prevent the addition of any subordinate CAs, you can add the PathLength key to your CAPolicy.inf file with a value of 0. To add this key, copy and paste the following code into your file:

[BasicConstraintsExtension]
PathLength=0
Critical=Yes

It is not recommended that you change any other settings in the CAPolicy.inf file unless you have a specific reason for doing so.

Plan configuration of the CDP and AIA extensions on CA1

When you configure the Certificate Revocation List (CRL) Distribution Point (CDP) and the Authority Information Access (AIA) settings on CA1, you need the name of your Web server and your domain name. You also need the name of the virtual directory that you create on your Web server where the certificate revocation list (CRL) and the certification authority certificate are stored.

The CDP location that you must enter during this deployment step has the format:

http://DNSAlias(CNAME)RecordName.Domain.com/VirtualDirectoryName/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl.

For example, if your Web server is named WEB1 and your DNS alias CNAME record for the Web server is “pki,” your domain is corp.contoso.com, and your virtual directory is named pki, the CDP location is:

http://pki.corp.contoso.com/pki/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

The AIA location that you must enter has the format:

http://DNSAlias(CNAME)RecordName.Domain.com/VirtualDirectoryName/<ServerDNSName>_<CaName><CertificateName>.crt.

For example, if your Web server is named WEB1 and your DNS alias CNAME record for the Web server is “pki,” your domain is corp.contoso.com, and your virtual directory is named pki, the AIA location is:

http://pki.corp.contoso.com/pki/<ServerDNSName>_<CaName><CertificateName>.crt

Plan the copy operation between the CA and the Web server

To publish the CRL from the CA to the Web server virtual directory, you can run the certutil -crl command after you configure the CDP and AIA locations on the CA. Ensure that you configure the correct paths on the CA Properties Extensions tab before you run this command using the instructions in this guide. In addition, to copy the Enterprise CA certificate to the Web server, you must have already created the virtual directory on the Web server and configured the folder as a shared folder.

Plan the configuration of the server certificate template on the CA

To deploy autoenrolled server certificates, you must copy the certificate template named RAS and IAS Server. By default, this copy is named Copy of RAS and IAS Server. If you want to rename this template copy, plan the name that you want to use during this deployment step.

The last three deployment sections in this guide – which allow you to configure server certificate autoenrollment, refresh Group Policy on the NPS server, and verify that the NPS server has received a valid server certificate from the CA – do not require additional planning steps.

Server Certificate Deployment

Follow these steps to install an enterprise root certification authority (CA) and to deploy server certificates for use with PEAP and EAP.

To perform the steps in this guide, you must already have a server that is running Network Policy Server (NPS) and a server that is running the Web Server (IIS) server role. If you do not have an NPS server and a Web server, you cannot complete all of the steps in this guide. You must install these servers before performing the steps in this guide. For more information on how to accomplish these tasks, see the Windows Server® 2012 Core Network Guide at http://technet.microsoft.com/en-us/library/hh911995.aspx.

Before you install Active Directory Certificate Services, you must name the computer, configure the computer with a static IP address, and join the computer to the domain. After you install AD CS, you cannot change the computer name or the domain membership of the computer; however, you can change the IP address if needed. For more information on how to accomplish these tasks, see the Windows Server® 2012 Core Network Guide at http://technet.microsoft.com/en-us/library/hh911995.aspx.

Create an Alias (CNAME) Record in DNS for WEB1
Configure WEB1 to Distribute Certificate Revocation Lists (CRLs)
Prepare the CAPolicy.inf File
Install the Certification Authority
Configure the CDP and AIA Extensions on CA1
Copy the CA Certificate and CRL to the Virtual Directory
Configure the Server Certificate Template
Configure Server Certificate Autoenrollment
Refresh Group Policy
Verify NPS Server Enrollment of a Server Certificate

The procedures in this guide do not include instructions for cases in which the User Account Control dialog box opens to request your permission to continue. If this dialog box opens while you are performing the procedures in this guide, and if the dialog box was opened in response to your actions, click Continue.

Create an Alias (CNAME) Record in DNS for WEB1

You can use this procedure to add a CNAME resource record for your Web server to a zone in DNS on your domain controller. When you perform this procedure, replace Alias name and other variables with values

To perform this procedure, you must be a member of Domain Admins.

To add an alias (CNAME) resource record to a zone

1. On DC1, in Server Manager, click Tools and then click DNS. The DNS Manager Microsoft Management Console (MMC) opens.

2. In the console tree, double-click Forward Lookup Zones, right-click the forward lookup zone where you want to add the Alias resource record, and then click New Alias (CNAME). The New Resource Record dialog box opens.

3. In Alias name, type the alias name pki.

4. When you typed the Alias name, the Fully qualified domain name (FQDN) auto-fills in the dialog box. For example, if your alias name is “pki” and your domain is corp.contoso.com, the value pki.corp.contoso.com is auto-filled for you.

5. In Fully qualified domain name (FQDN) for target host, type the FQDN of the DNS host computer for which this alias is to be used.

Note As an option, you can click Browse to search the DNS namespace for hosts in this domain that have host (A) resource records already defined.

6. Click OK to add the new record to the zone.

Configure WEB1 to Distribute Certificate Revocation Lists (CRLs)

You can use this procedure to configure the web server WEB1 to distribute CRLs.

The CDP and AIA extensions of the root CA will state that the CRL from the root CA is available via http://pki.corp.contoso.com/pki. Currently, there is no pki virtual directory on WEB1, so one must be created.

To perform this procedure, you must be a member of Domain Admins.

In the procedure below, replace the user account name, the Web server name, folder names and locations, and other values with those that are appropriate for your deployment.

To configure WEB1 to distribute certificates and CRLs

1. On WEB1, run Windows PowerShell as an administrator, type explorer c:\, and then press ENTER. Windows Explorer opens.

2. Create a new folder named PKI on the C: drive. To do so, click Home, and then click New Folder. Type pki and then press ENTER.

3. In Windows Explorer, right-click the folder you just created, hover the mouse cursor over Share with, and then click Specific people. The File Sharing dialog box opens.

4. In File Sharing, type Cert Publishers, and then click Add. The Cert Publishers group is added to the list. In the list, in Permission Level, click the arrow next to Cert Publishers, and then click Read/Write. Click Share, and then click Done.

5. Close Windows Explorer.

6. Open the IIS console. In Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.

7. In the Internet Information Services (IIS) Manager console tree, expand WEB1. If you are invited to get started with Microsoft Web Platform, click Cancel.

8. Expand Sites, right-click the Default Web Site, and then click Add Virtual Directory.

9. In Alias, type pki. In Physical path, type C:\pki, and then click OK.

10. Enable Anonymous access to the pki virtual directory, so that any client can check the validity of the CA certificates and CRLs. To do so:

a. In the Connections pane, ensure that pki is selected.
b. On pki Home, click Authentication.
c. In the Actions pane, click Edit Permissions.
d. On the Security tab, click Edit.
e. In the Permissions for pki dialog box, click Add.
f. In Select Users, Computers, Service Accounts, or Groups, type ANONYMOUS LOGON; Everyone and then click Check Names. Click OK.
g. Click OK in the Select Users, Computers, Service Accounts, or Groups dialog box.
h. Click OK in the Permissions for pki dialog box.

11. Click OK in the pki Properties dialog box.

12. In the pki Home pane, double-click Request Filtering.

13. The File Name Extensions tab is selected by default in the Request Filtering pane. In the Actions pane, click Edit Feature Settings.

14. In Edit Request Filtering Settings, select Allow double escaping, and then click OK.

15. In the Internet Information Services (IIS) Manager MMC, click your Web server name. For example, if your Web server is named WEB1, click WEB1.

16. In Actions, click Restart. Internet services are stopped and then restarted.
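The same WEB1 configuration as a script, added here as an example and not part of the guide. It assumes the guide's names (Default Web Site, folder C:\pki, virtual directory and share alias pki) and an elevated Windows PowerShell session on WEB1 with the WebAdministration and SmbShare modules available.

```powershell
# Added example (not the guide's own code): steps 1-16 above as a script.
# Assumes the guide's names; adjust $PkiRoot, $SiteName and $VdirName as needed.
Import-Module WebAdministration
Import-Module SmbShare

$PkiRoot  = 'C:\pki'
$SiteName = 'Default Web Site'
$VdirName = 'pki'
$certPublishers = "$env:USERDOMAIN\Cert Publishers"   # domain group the CA belongs to

# Steps 1-2: the folder that will hold the CRL and the CA certificate.
if (-not (Test-Path $PkiRoot)) {
    New-Item -Path $PkiRoot -ItemType Directory | Out-Null
}

# Steps 3-4: share it so the CA can write the CRL and certificate. Change access
# (read/write) is enough; full control is not needed.
if (-not (Get-SmbShare -Name $VdirName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $VdirName -Path $PkiRoot -ChangeAccess $certPublishers | Out-Null
}

# Step 10 (NTFS side): anonymous web clients need read access; the CA needs modify.
$acl = Get-Acl -Path $PkiRoot
foreach ($principal in 'NT AUTHORITY\ANONYMOUS LOGON', 'Everyone') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')))
}
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $certPublishers, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')))
Set-Acl -Path $PkiRoot -AclObject $acl

# Steps 8-9: the virtual directory http://<server>/pki -> C:\pki.
if (-not (Get-WebVirtualDirectory -Site $SiteName -Name $VdirName -ErrorAction SilentlyContinue)) {
    New-WebVirtualDirectory -Site $SiteName -Name $VdirName -PhysicalPath $PkiRoot | Out-Null
}

# Step 10 (IIS side): anonymous authentication on the virtual directory. Writing it
# from IIS:\ with -Location puts it in applicationHost.config, so a locked section
# does not matter.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$SiteName/$VdirName" `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name 'enabled' -Value $true

# Steps 13-14: allow double escaping. Delta CRL file names contain a "+"
# (for example corp-CA1-CA+.crl), which request filtering otherwise rejects.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$SiteName/$VdirName" `
    -Filter 'system.webServer/security/requestFiltering' `
    -Name 'allowDoubleEscaping' -Value $true

# Steps 15-16: restart IIS so the changes take effect.
iisreset /restart
```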

Prepare the CAPolicy.inf File

On CA1, you must prepare the CAPolicy.inf file before installing Active Directory Certificate Services.

To perform this procedure, you must be a member of the Administrators group.

To prepare the CAPolicy.inf file

1. Open Windows PowerShell, type notepad c:\Windows\CAPolicy.inf, and then press ENTER.

2. When prompted to create a new file, click Yes.

3. Enter the following as the contents of the file:

[Version]
Signature="$Windows NT$"
[PolicyStatementExtension]
Policies=InternalPolicy
[InternalPolicy]
OID=1.2.3.4.1455.67.89.5
Notice="Legal Policy Statement"
URL=http://pki.corp.contoso.com/pki/cps.txt
[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5
CRLPeriod=weeks
CRLPeriodUnits=1
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=1
[CRLDistributionPoint]
[AuthorityInformationAccess]

4. Click File, and then click Save As. Ensure the following:
File name is set to CAPolicy.inf
Save as type is set to All Files
Encoding is ANSI

5. When you are prompted to overwrite the file, click Yes.


Caution Be sure to save the CAPolicy.inf with the inf extension. If you do not specifically type .inf at the end of the file name and select the options as described, the file will be saved as a text file and will not be used during CA installation.

6. Close Notepad.

In the CAPolicy.inf, you can see there is a line specifying the URL http://pki.corp.contoso.com/pki/cps.txt. The Internal Policy section of the CAPolicy.inf is just shown as an example of how you would specify the location of a certificate practice statement (CPS). In this guide, you are not instructed to create the certificate practice statement (CPS). To learn more about policy statements including CPS, see Additional Resources.
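The planning items for CAPolicy.inf and the Notepad procedure above, as one added PowerShell example that is not the guide's own code: the function writes C:\Windows\CAPolicy.inf with the guide's values, checks the URL and OID, saves with the ANSI encoding and .inf extension the Caution requires, and can add the PathLength=0 section from the planning section. The function name, its parameters and the checks are this example's own; the OID and CPS URL are the guide's placeholders.

```powershell
# Added example (not from the guide): generate CAPolicy.inf from the planned values.
function New-CAPolicyInf {
    [CmdletBinding()]
    param(
        [string]$Path = "$env:SystemRoot\CAPolicy.inf",   # setup only reads it from here
        [string]$CpsUrl = 'http://pki.corp.contoso.com/pki/cps.txt',  # guide's placeholder
        [string]$PolicyOid = '1.2.3.4.1455.67.89.5',                   # guide's placeholder
        [ValidateSet(2048, 3072, 4096)] [int]$RenewalKeyLength = 2048,
        [ValidateRange(1, 50)] [int]$RenewalValidityYears = 5,
        [ValidateRange(1, 52)] [int]$CrlPeriodWeeks = 1,
        [switch]$AlternateSignatureAlgorithm,   # leave off while Windows XP clients remain
        [switch]$NoSubordinateCAs               # adds the PathLength=0 section
    )

    # Checks from the planning section: URL must point into the pki virtual directory
    # over HTTP, and the policy OID must be dotted decimal.
    if ($CpsUrl -notmatch '^https?://') {
        throw "URL must be an http(s) location on your Web server: $CpsUrl"
    }
    if ($PolicyOid -notmatch '^\d+(\.\d+)+$') {
        throw "OID must be dotted decimal: $PolicyOid"
    }
    # The Caution in the procedure: anything but .inf is ignored by CA setup.
    if ([System.IO.Path]::GetExtension($Path) -ne '.inf') {
        throw "CAPolicy file must have the .inf extension: $Path"
    }

    $lines = @(
        '[Version]'
        'Signature="$Windows NT$"'
        ''
        '[PolicyStatementExtension]'
        'Policies=InternalPolicy'
        ''
        '[InternalPolicy]'
        "OID=$PolicyOid"
        'Notice="Legal Policy Statement"'
        "URL=$CpsUrl"
        ''
        '[Certsrv_Server]'
        "RenewalKeyLength=$RenewalKeyLength"
        'RenewalValidityPeriod=Years'
        "RenewalValidityPeriodUnits=$RenewalValidityYears"
        'CRLPeriod=weeks'
        "CRLPeriodUnits=$CrlPeriodWeeks"
        'LoadDefaultTemplates=0'
        "AlternateSignatureAlgorithm=$([int]$AlternateSignatureAlgorithm.IsPresent)"
        ''
        '[CRLDistributionPoint]'
        '[AuthorityInformationAccess]'
    )
    if ($NoSubordinateCAs) {
        # Root CA that must never have subordinates (see the planning section).
        $lines += '', '[BasicConstraintsExtension]', 'PathLength=0', 'Critical=Yes'
    }

    # In Windows PowerShell, -Encoding Default is the system ANSI code page, which is
    # what Notepad calls "ANSI" in the Save As dialog.
    $lines | Out-File -FilePath $Path -Encoding Default -Force
    return $Path
}

# The guide's example file, with the alternate signature format enabled as it shows.
New-CAPolicyInf -AlternateSignatureAlgorithm
```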

Install the Certification Authority

You can use this procedure to install Active Directory® Certificate Services (AD CS) so that you can enroll a server certificate to servers running Network Policy Server (NPS), Routing and Remote Access Service (RRAS), or both.

Before you install Active Directory Certificate Services, you must name the computer, configure the computer with a static IP address, and join the computer to the domain. For more information on how to accomplish these tasks, see the Windows Server® 2012 Core Network Guide at http://technet.microsoft.com/en-us/library/hh911995.aspx.

To perform this procedure, the computer on which you are installing AD CS must be joined to a domain where Active Directory Domain Services (AD DS) is installed. To autoenroll server certificates to computers running NPS and RRAS, you must install AD CS on either the Windows Server 2012 Enterprise or Datacenter operating systems.

Membership in both the Enterprise Admins and the root domain's Domain Admins group is the minimum required to complete this procedure.

To perform this procedure by using Windows PowerShell, open Windows PowerShell and type the following command, and then press ENTER. You must also replace the domain name with the name that you want to use.

Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools

After AD CS is installed, type the following command and press ENTER.

Install-AdcsCertificationAuthority -CAType EnterpriseRootCA

To install Active Directory Certificate Services

1. Log on as a member of both the Enterprise Admins group and the root domain's Domain Admins group.

2. In Server Manager, click Manage, and then click Add Roles and Features. The Add Roles and Features Wizard opens.

3. In Before You Begin, click Next.

Note The Before You Begin page of the Add Roles and Features Wizard is not displayed if you have previously selected Skip this page by default when the Add Roles and Features Wizard was run.

4. In Select Installation Type, ensure that Role-Based or feature-based installation is selected, and then click Next.

5. In Select destination server, ensure that Select a server from the server pool is selected. In Server Pool, ensure that the local computer is selected. Click Next.

6. In Select Server Roles, in Roles, select Active Directory Certificate Services. When you are prompted to add required features, click Add Features, and then click Next.

7. In Select features, click Next.

8. In Active Directory Certificate Services, read the provided information, and then click Next.

9. In Confirm installation selections, click Install. Do not close the wizard during the installation process. When installation is complete, click Configure Active Directory Certificate Services on the destination server. The AD CS Configuration wizard opens. Read the credentials information and, if needed, provide the credentials for an account that is a member of the Enterprise Admins group. Click Next.

10. In Role Services, click Certification Authority, and then click Next.

11. On the Setup Type page, verify that Enterprise CA is selected, and then click Next.

12. On the Specify the type of the CA page, verify that Root CA is selected, and then click Next.

13. On the Specify the type of the private key page, verify that Create a new private key is selected, and then click Next.

14. On the Cryptography for CA page, keep the default settings for CSP (RSA#Microsoft Software Key Storage Provider) and hash algorithm (SHA1), and determine the best key length for your deployment. Longer keys provide stronger security; however, they can impact server performance and might not be compatible with legacy applications. It is recommended that you keep the default setting of 2048. Click Next.

15. On the CA Name page, keep the suggested common name for the CA or change the name according to your requirements. Ensure that you are certain the CA name is compatible with your naming conventions and purposes, because you cannot change the CA name after you have installed AD CS. Click Next.

16. On the Validity Period page, in Specify the validity period, type the number and select a time value (Years, Months, Weeks, or Days). The default setting of five years is recommended. Click Next.

17. On the CA Database page, in Specify the database locations, specify the folder location for the certificate database and the certificate database log. If you specify locations other than the default locations, ensure that the folders are secured with access control lists (ACLs) that prevent unauthorized users or computers from accessing the CA database and log files. Click Next.

18. In Confirmation, click Configure to apply your selections, and then click Close.
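The wizard choices in steps 11-18, as an added example (not the guide's own commands) that performs them with one Install-AdcsCertificationAuthority call after the checks the Important notes above call for: domain membership and computer name, which cannot change after installation, the presence of CAPolicy.inf, and the required group memberships. It assumes the guide's names (computer CA1, domain corp.contoso.com, CA name corp-CA1-CA) and an elevated session.

```powershell
# Added example (not from the guide): preflight checks, then the AD CS install.

# The computer name and domain membership cannot change once AD CS is installed.
$cs = Get-WmiObject -Class Win32_ComputerSystem
if (-not $cs.PartOfDomain) { throw 'CA1 must be a domain member before AD CS is installed.' }
if ($env:COMPUTERNAME -ne 'CA1') {
    Write-Warning "Computer is named $($env:COMPUTERNAME), not CA1; the CA name will differ."
}

# CAPolicy.inf is only read from %SystemRoot% during setup; confirm it is there first.
$policy = "$env:SystemRoot\CAPolicy.inf"
if (-not (Test-Path $policy)) { throw "Missing $policy; prepare it before installing the CA." }

# Membership check on the current token: Domain Admins (RID 512) and
# Enterprise Admins (RID 519) are required, per step 1 of the procedure.
$id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$rids = $id.Groups | ForEach-Object { $_.Value -replace '^.*-', '' }
foreach ($need in @{ '512' = 'Domain Admins'; '519' = 'Enterprise Admins' }.GetEnumerator()) {
    if ($rids -notcontains $need.Key) { throw "Account is not a member of $($need.Value)." }
}

# Step 6: install the role together with its management tools.
Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools | Out-Null

# Steps 11-18 as parameters: enterprise root CA, new key in the default KSP, the
# guide's SHA1 default (SHA256 is the better choice where every client supports it),
# 2048-bit key, 5-year validity, default database and log locations.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'corp-CA1-CA' `
    -CADistinguishedNameSuffix 'DC=corp,DC=contoso,DC=com' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA1 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 5 `
    -Force

# Confirm the service is up and the CA name is the one expected by the later steps.
Get-Service certsvc | Select-Object Status, Name
certutil -cainfo name
```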

Configure the CDP and AIA Extensions on CA1

You can use this procedure to configure the Certificate Revocation List (CRL) Distribution Point (CDP) and the Authority Information Access (AIA) settings on CA1.

To perform this procedure, you must be a member of Domain Admins.

To configure the CDP and AIA extensions on CA1

1. In Server Manager, click Tools and then click Certification Authority.

2. In the Certification Authority console tree, right-click corp-CA1-CA, and then click Properties.

Note The name of your CA is different if you did not name the computer CA1 and your domain name is different than the one in this example. The CA name is in the format domain-CAComputerName-CA.

3. Click the Extensions tab. Ensure that Select extension is set to CRL Distribution Point (CDP), and in Specify locations from which users can obtain a certificate revocation list (CRL), do the following:

a. Select the entry file://\\<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl, and then click Remove. In Confirm removal, click Yes.

b. Select the entry http://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl, and then click Remove. In Confirm removal, click Yes.

c. Select the entry that starts with the path ldap://CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>, and then click Remove. In Confirm removal, click Yes.

4. In Specify locations from which users can obtain a certificate revocation list (CRL), click Add. The Add Location dialog box opens.

5. In Add Location, in Location, type http://pki.corp.contoso.com/pki/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl, and then click OK. This returns you to the CA properties dialog box.

6. On the Extensions tab, select the following checkboxes:
Include in CRLs. Clients use this to find the Delta CRL locations
Include in the CDP extension of issued certificates

7. In Specify locations from which users can obtain a certificate revocation list (CRL), click Add. The Add Location dialog box opens.

8. In Add Location, in Location, type file://\\pki.corp.contoso.com/pki/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl, and then click OK. This returns you to the CA properties dialog box.

9. On the Extensions tab, select the following checkboxes:
Publish CRLs to this location
Publish Delta CRLs to this location

10. Change Select extension to Authority Information Access (AIA), and in the Specify locations from which users can obtain a certificate revocation list (CRL), do the following:

a. Select the entry that starts with the path ldap://CN=<CATruncatedName>,CN=AIA,CN=Public Key Services, and then click Remove. In Confirm removal, click Yes.

b. Select the entry http://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt, and then click Remove. In Confirm removal, click Yes.

c. Select the entry file://\\<ServerDNSName>/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt, and then click Remove. In Confirm removal, click Yes.

11. In Specify locations from which users can obtain a certificate revocation list (CRL), click Add. The Add Location dialog box opens.

12. In Add Location, in Location, type http://pki.corp.contoso.com/pki/<ServerDNSName>_<CaName><CertificateName>.crt, and then click OK. This returns you to the CA properties dialog box.

13. On the Extensions tab, select Include in the AIA of issued certificates.

14. In Add Location, in Location, type file://\\pki.corp.contoso.com/pki/<ServerDNSName>_<CaName><CertificateName>.crt, and then click OK. This returns you to the CA properties dialog box.

Important Ensure that Include in the AIA extension of issued certificates is not selected.

15. When prompted to restart Active Directory Certificate Services, click No. You will restart the service later.
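Steps 3-15 above, and the CDP and AIA locations from the planning section, as an added example that uses the ADCSAdministration cmdlets instead of the Extensions tab; this is not the guide's own code. It assumes the guide's CNAME pki, domain corp.contoso.com and virtual directory pki, an elevated session on CA1, and that the cmdlets accept the same <CaName>-style tokens and file:// form the Extensions tab shows.

```powershell
# Added example (not from the guide): CDP/AIA extensions via ADCSAdministration.
Import-Module ADCSAdministration

$base    = 'pki.corp.contoso.com/pki'
$crlHttp = "http://$base/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl"
$crlUnc  = "file://\\$base/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl"
$aiaHttp = "http://$base/<ServerDNSName>_<CaName><CertificateName>.crt"
$aiaUnc  = "file://\\$base/<ServerDNSName>_<CaName><CertificateName>.crt"

# Steps 3 and 10: remove the default file://, http:// and ldap:// locations. The
# local CertEnroll folder path (no URI scheme) stays; the CA still writes there.
Get-CACrlDistributionPoint |
    Where-Object { $_.Uri -match '^(http|ldap|file)://' } |
    ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }
Get-CAAuthorityInformationAccess |
    Where-Object { $_.Uri -match '^(http|ldap|file)://' } |
    ForEach-Object { Remove-CAAuthorityInformationAccess -Uri $_.Uri -Force }

# Steps 4-6: the HTTP CDP goes into issued certificates (AddToCertificateCdp) and
# into CRLs so clients can find delta CRLs (AddToFreshestCrl).
Add-CACrlDistributionPoint -Uri $crlHttp -AddToCertificateCdp -AddToFreshestCrl -Force

# Steps 7-9: the UNC path is only where the CA publishes; it never appears in
# certificates, so clients outside the file share can still validate.
Add-CACrlDistributionPoint -Uri $crlUnc -PublishToServer -PublishDeltaToServer -Force

# Steps 11-13: the HTTP AIA goes into issued certificates.
Add-CAAuthorityInformationAccess -Uri $aiaHttp -AddToCertificateAia -Force

# Step 14 and the Important note: the file:// AIA entry carries no flags at all.
Add-CAAuthorityInformationAccess -Uri $aiaUnc -Force

# Review each location and its flags before certsvc is restarted (next procedure).
Get-CACrlDistributionPoint |
    Format-Table Uri, AddToCertificateCdp, AddToFreshestCrl, PublishToServer, PublishDeltaToServer -AutoSize
Get-CAAuthorityInformationAccess |
    Format-Table Uri, AddToCertificateAia -AutoSize
```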

Copy the CA Certificate and CRL to the Virtual Directory

You can use this procedure to copy the Certificate Revocation List and Enterprise root CA certificate from your certification authority to a virtual directory on your Web server, and to ensure that AD CS is configured correctly. Before running the commands below, ensure that you replace directory and server names with those that are appropriate for your deployment.

To perform this procedure you must be a member of Domain Admins.

To copy the certificate revocation list from CA1 to WEB1

1. On CA1, run Windows PowerShell as an Administrator, and then publish the CRL with the following command:

Type certutil -crl, and then press ENTER.

To copy the CA certificate to the file share on your Web server, type copy C:\Windows\system32\certsrv\certenroll\*.crt \\WEB1\pki, and then press ENTER.

To restart AD CS, type Restart-Service certsvc, and then press ENTER.

2. To verify that your CDP and AIA extension locations are correctly configured, type pkiview.msc, and then press ENTER. The pkiview Enterprise PKI MMC opens.

3. Click your CA name. For example, if your CA name is corp-CA1-CA, click corp-CA1-CA. In the details pane, verify that the Status value for the CA Certificate, AIA Location #1, and CDP Location #1 are all OK.

Important If Status for any item is not OK, do the following:

Verify that you have entered the correct locations for the CDP and AIA on the CA Extensions tab. Ensure that there are no extra spaces or other characters in the locations that you have provided.

Verify that you copied the CRL and CA certificate to the correct location on your Web server, and that the location matches the location you provided for the CDP and AIA locations on the CA.

Verify that you correctly configured permissions for the virtual folder where the CA certificate and CRL are stored.
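Step 1 of the procedure above plus the three checks in the Important list, as an added example script that is not the guide's own code. It assumes the guide's names (CA1, share \\WEB1\pki, CNAME pki.corp.contoso.com) and an elevated Windows PowerShell 3.0 session on CA1; the SHA-256 helper is this example's own.

```powershell
# Added example (not from the guide): publish, copy, restart, then verify without pkiview.
$share   = '\\WEB1\pki'
$webBase = 'http://pki.corp.contoso.com/pki'
$local   = "$env:SystemRoot\system32\certsrv\certenroll"

# Step 1: publish a fresh CRL to the configured publish locations, copy the CA
# certificate to the share, then restart certsvc so the new extensions take effect.
certutil -crl | Out-Null
Copy-Item -Path "$local\*.crt" -Destination $share -Force
Restart-Service certsvc

# Check 2: the files on WEB1 must be byte-identical to the CA's own copies.
# (Get-FileHash arrived in PowerShell 4.0, so .NET SHA-256 is used here.)
function Get-Sha256Hex([string]$FilePath) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($FilePath)
    try { ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}
$published = Get-ChildItem -Path $local -Include *.crl, *.crt -Recurse
foreach ($file in $published) {
    $remote = Join-Path $share $file.Name
    if (-not (Test-Path $remote)) { Write-Warning "$($file.Name) is missing from $share"; continue }
    if ((Get-Sha256Hex $file.FullName) -ne (Get-Sha256Hex $remote)) {
        Write-Warning "$($file.Name) on $share differs from the CA's copy"
    }
}

# Checks 1 and 3: the CNAME must resolve, and every published file must be
# retrievable anonymously at exactly the URL written into the CDP/AIA extensions.
Resolve-DnsName -Name 'pki.corp.contoso.com' -Type CNAME | Format-Table Name, NameHost -AutoSize
foreach ($file in $published) {
    $url = "$webBase/$($file.Name)"
    $tmp = Join-Path $env:TEMP $file.Name
    try {
        Invoke-WebRequest -Uri $url -OutFile $tmp -UseBasicParsing
        "OK  $url"
        if ($file.Extension -eq '.crl') {
            # Issuer and validity window of the CRL clients will actually download;
            # NextUpdate must be within the CRLPeriodUnits interval planned earlier.
            certutil -dump $tmp | Select-String -Pattern 'Issuer|Update'
        }
    } catch {
        Write-Warning "Fetch failed for $url : $($_.Exception.Message)"
    }
}
```

A fetch failure with a 404 points to a mismatch between the extension location and the virtual directory; a 401 points to the anonymous permissions in the WEB1 procedure.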

Configure the Server Certificate Template

You can use this procedure to configure the certificate template that Active Directory® Certificate Services (AD CS) uses as the basis for server certificates enrolled to servers running Network Policy Server (NPS), Routing and Remote Access Service (RRAS), or both.

Membership in both the Enterprise Admins and the root domain's Domain Admins group is the minimum required to complete this procedure.

To configure the certificate template

1. On CA1, in Server Manager, click Tools, and then click Certification Authority. The Certification Authority Microsoft Management Console (MMC) opens.

2. In the MMC, double-click the CA name, right-click Certificate Templates, and then click Manage.

3. The Certificate Templates console opens. All of the certificate templates are displayed in the details pane.

4. In the details pane, click the RAS and IAS Server template.

5. Click the Action menu, and then click Duplicate Template. The template Properties dialog box opens.

6. Click the Security tab. In Group or user names, click RAS and IAS servers.

7. In Permissions for RAS and IAS servers, under Allow, ensure that Enroll is selected, and then select the Autoenroll check box. Click OK, and close the Certificate Templates MMC.

8. In the Certification Authority MMC, click Certificate Templates. On the Action menu, point to New, and then click Certificate Template to Issue. The Enable Certificate Templates dialog box opens.

9. In Enable Certificate Templates, click the name of the certificate template that you just configured, and then click OK. For example, if you did not change the default certificate template name, click Copy of RAS and IAS Server, and then click OK.
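The following script is an added check, not part of the Microsoft guide: run on CA1, it reads the duplicated template's security descriptor from Active Directory, confirms that the RAS and IAS Servers group holds the Enroll and Autoenroll extended rights set in steps 6 and 7, and confirms that the CA issues the template (steps 8 and 9). It assumes the template kept the default name Copy of RAS and IAS Server and that the ActiveDirectory and ADCSAdministration modules are available.

```powershell
# Added verification script; not part of the Microsoft guide. Run it on CA1 in an
# elevated PowerShell session with the ActiveDirectory and ADCSAdministration modules.
# Assumption: the duplicated template kept its default display name.
Import-Module ActiveDirectory
Import-Module ADCSAdministration

$TemplateName = 'Copy of RAS and IAS Server'   # change if you renamed the template
$GroupName    = 'RAS and IAS Servers'          # built-in domain group selected in step 6

# Extended-right GUIDs that AD CS uses for the Enroll and Autoenroll permissions
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoenrollGuid = [guid]'a05b8cc2-17bc-11d2-beae-0000f8757a1e'

# Certificate templates are stored in the forest's Configuration partition
$configNC = (Get-ADRootDSE).configurationNamingContext
$template = Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC" `
    -LDAPFilter "(&(objectClass=pKICertificateTemplate)(displayName=$TemplateName))"
if (-not $template) { throw "Template '$TemplateName' was not found in Active Directory" }

# Read the template's DACL and keep only Allow ACEs granted to the group
$acl  = Get-Acl -Path "AD:\$($template.DistinguishedName)"
$aces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -like "*\$GroupName"
}

# An ACE grants the right if it names the right's GUID, or if it is Full Control (GenericAll)
function Test-Right([guid]$RightGuid) {
    [bool]($aces | Where-Object {
        $_.ObjectType -eq $RightGuid -or
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
    })
}

$result = [pscustomobject]@{
    Template          = $template.Name
    EnrollGranted     = Test-Right $EnrollGuid
    AutoenrollGranted = Test-Right $AutoenrollGuid
    # Steps 8 and 9 of the procedure: the CA must list the template as one it issues
    PublishedOnCA     = [bool](Get-CATemplate | Where-Object { $_.Name -eq $template.Name })
}
$result
if (-not ($result.EnrollGranted -and $result.AutoenrollGranted -and $result.PublishedOnCA)) {
    Write-Warning 'Template is not ready for autoenrollment; revisit steps 6 to 9.'
}
```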

Configure Server Certificate Autoenrollment

Before you perform this procedure, you must configure a server certificate template by using the Certificate Templates Microsoft Management Console snap-in on a CA that is running AD CS.

Membership in both the Enterprise Admins and the root domain's Domain Admins group is the minimum required to complete this procedure.

To configure server certificate autoenrollment

1. On the computer where AD DS is installed, open Windows PowerShell®, type mmc, and then press ENTER. The Microsoft Management Console opens.

2. On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.

3. In Available snap-ins, scroll down to and double-click Group Policy Management Editor. The Select Group Policy Object dialog box opens.

Important Ensure that you select Group Policy Management Editor and not Group Policy Management. If you select Group Policy Management, your configuration using these instructions will fail and a server certificate will not be autoenrolled to your NPS servers.

4. In Group Policy Object, click Browse. The Browse for a Group Policy Object dialog box opens.

5. In Domains, OUs, and linked Group Policy Objects, click Default Domain Policy, and then click OK.

6. Click Finish, and then click OK.

7. Double-click Default Domain Policy. In the console, expand the following path: Computer Configuration, Policies, Windows Settings, Security Settings, and then Public Key Policies.

8. Click Public Key Policies. In the details pane, double-click Certificate Services Client - Auto-Enrollment. The Properties dialog box opens. Configure the following items, and then click OK:

   a. In Configuration Model, select Enabled.

   b. Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box.

   c. Select the Update certificates that use certificate templates check box.

9. Click OK.

Refresh Group Policy

You can use this procedure to manually refresh Group Policy on the local computer. When Group Policy is refreshed, if certificate autoenrollment is configured and functioning correctly, the certification authority (CA) autoenrolls a certificate to the local computer.

Group Policy is automatically refreshed when you restart the domain member computer, or when a user logs on to a domain member computer. In addition, Group Policy is periodically refreshed. By default, this periodic refresh is performed every 90 minutes with a randomized offset of up to 30 minutes.

Membership in Administrators, or equivalent, is the minimum required to complete this procedure.

To refresh Group Policy on the local computer

1. On the computer where NPS is installed, open Windows PowerShell® by using the icon on the taskbar.

2. At the Windows PowerShell prompt, type gpupdate, and then press ENTER.

Verify NPS Server Enrollment of a Server Certificate

You can use this procedure to verify that your NPS server has enrolled a server certificate from the certification authority. To verify that a server certificate is correctly configured and is enrolled to the NPS server, you configure a test network policy and use it to confirm that NPS can use the certificate for authentication.

Membership in the Domain Admins group is the minimum required to complete this procedure.

To verify NPS server enrollment of a server certificate

1. In Server Manager, click Tools, and then click Network Policy Server. The Network Policy Server Microsoft Management Console (MMC) opens.

2. Double-click Policies, right-click Network Policies, and click New. The New Network Policy wizard opens.

3. In Specify Network Policy Name and Connection Type, in Policy name, type Test policy. Ensure that Type of network access server has the value Unspecified, and then click Next.

4. In Specify Conditions, click Add. In Select condition, click Windows Groups, and then click Add.

5. In Groups, click Add Groups. In Select Group, type Domain Users, and then press ENTER. Click OK, and then click Next.

6. In Specify Access Permission, ensure that Access granted is selected, and then click Next.

7. In Configure Authentication Methods, click Add. In Add EAP, click Microsoft: Protected EAP (PEAP), and then click OK. In EAP Types, select Microsoft: Protected EAP (PEAP), and then click Edit. The Edit Protected EAP Properties dialog box opens.

8. In the Edit Protected EAP Properties dialog box, in Certificate issued to, NPS displays the name of your server certificate in the format ComputerName.Domain. For example, if your NPS server is named NPS-01 and your domain is example.com, NPS displays the certificate NPS-01.example.com. In addition, in Issuer, the name of your certification authority is displayed, and in Expiration date, the date of expiration of the server certificate is shown. This demonstrates that your NPS server has enrolled a valid server certificate that it can use to prove its identity to client computers that are trying to access the network through your network access servers, such as virtual private network (VPN) servers, 802.1X-capable wireless access points, Remote Desktop Gateway servers, and 802.1X-capable Ethernet switches.

Important If NPS does not display a valid server certificate and if it provides the message that such a certificate cannot be found on the local computer, there are two possible reasons for this problem. It is possible that Group Policy did not refresh properly, and the NPS server has not enrolled a certificate from the CA. In this circumstance, restart the NPS server. When the computer restarts, Group Policy is refreshed, and you can perform this procedure again to verify that the server certificate is enrolled. If refreshing Group Policy does not resolve this issue, either the certificate template, certificate autoenrollment, or both are not configured correctly. To resolve these issues, start at the beginning of this guide and perform all steps again to ensure that the settings that you have provided are accurate.

9. When you have verified the presence of a valid server certificate, you can click OK and Cancel to exit the New Network Policy wizard.

Note Because you are not completing the wizard, the test network policy is not created in NPS.
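The following script is an added check, not part of the Microsoft guide, that does from the command line what steps 8 and the Important note above do in the wizard: on the NPS server it confirms that the Auto-Enrollment policy from the Default Domain Policy has applied, finds the enrolled machine certificate with a private key and the Server Authentication purpose, checks that its DNS name matches the server's ComputerName.Domain, and builds the chain with online revocation checking, which fetches the CRL and CA certificate from the CDP and AIA locations verified at the start of this section. It assumes the NPS server is a domain member with PowerShell 3.0 or later.

```powershell
# Added verification script; not part of the Microsoft guide. Run it in an elevated
# PowerShell session on the NPS server (NPS-01 in the guide's example) after gpupdate.
$ServerAuthEku = '1.3.6.1.5.5.7.3.1'                              # Server Authentication EKU
$TemplateOids  = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'   # v1 / v2+ template extensions
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 1. Did the Default Domain Policy deliver the Auto-Enrollment setting? A missing key means
#    the policy never applied; AEPolicy with bit 0x8000 set means the model is Disabled.
$ae = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' -ErrorAction SilentlyContinue
if (-not $ae -or ($ae.AEPolicy -band 0x8000)) {
    Write-Warning 'Autoenrollment policy has not applied on this computer; run gpupdate and retry.'
}

# 2. Look for machine certificates NPS could present: private key plus Server Authentication EKU
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $ServerAuthEku)
}
if (-not $certs) { throw 'No server certificate with a private key is enrolled yet; see the Important note above.' }

foreach ($cert in $certs) {
    # The template extension text includes the template name when its OID resolves in the forest
    $tmpl = ($cert.Extensions | Where-Object { $_.Oid.Value -in $TemplateOids } |
             ForEach-Object { $_.Format($false) }) -join '; '

    # 3. Build the chain with online revocation checking, which fetches the CRL and CA
    #    certificate from the CDP and AIA URLs published earlier in this guide.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $chainOk = $chain.Build($cert)

    $dnsName = $cert.GetNameInfo('DnsName', $false)   # what NPS shows in "Certificate issued to"
    [pscustomobject]@{
        IssuedTo    = $dnsName
        MatchesFqdn = $dnsName -eq $fqdn
        Issuer      = $cert.GetNameInfo('SimpleName', $true)
        Expires     = $cert.NotAfter
        Template    = $tmpl
        ChainValid  = $chainOk
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}
```

A ChainValid of False with a RevocationStatusUnknown or OfflineRevocation status points back to the CDP and AIA locations or the Web server virtual folder permissions rather than to autoenrollment.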


Additional Resources

For more information about the technologies that are discussed in this guide, see the following resources:

The Windows Server 2012 Core Network Guide in Word format in the Microsoft Download Center (http://www.microsoft.com/download/en/details.aspx?id=29248) and in HTML format in the Windows Server 2012 Technical Library (http://technet.microsoft.com/en-us/library/hh911995.aspx).

PKI Design Guidance in the Microsoft TechNet Wiki (http://social.technet.microsoft.com/wiki/contents/articles/2901.pki-design-guidance.aspx)

Active Directory Certificate Services (AD CS) Public Key Infrastructure (PKI) Design Guide in the Microsoft TechNet Wiki (http://social.technet.microsoft.com/wiki/contents/articles/7421.ad-cs-pki-design.aspx)

Guidelines for Using Alternate Signature Formats, which is available at the Windows Server 2008 and Windows Server 2008 R2 Technical Library (http://technet.microsoft.com/en-us/library/cc753169.aspx)

Creating Certificate Policies and Certificate Practice Statements in the Technical Library (http://technet.microsoft.com/library/cc780454.aspx)

Request for Comments 2527, Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework, at the IETF Web site (http://www.ietf.org/rfc/rfc2527.txt)

CA Policy.inf Syntax in the Technical Library (http://technet.microsoft.com/en-us/library/cc728279.aspx)

Deployment Planning (Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure) in Windows Server TechCenter (http://go.microsoft.com/fwlink/?LinkId=106049)

Active Directory Domain Services in the Windows Server® 2012 Technical Library (http://technet.microsoft.com/en-us/library/hh831484.aspx)

Group Policy in the Windows Server 2012 Technical Library (http://technet.microsoft.com/en-us/library/hh831683.aspx)

Network Policy and Access Services in the Windows Server 2012 Technical Library (http://go.microsoft.com/fwlink/?LinkId=154883)

Windows Server 2008 R2 Core Network Guide, which is available at the Windows Server 2008 and Windows Server 2008 R2 Technical Library (http://go.microsoft.com/fwlink/?LinkId=154884)

"Configuring All Servers" topic in the Windows Server 2008 R2 Core Network Guide in the Windows Server 2008 and Windows Server 2008 R2 Technical Library (http://go.microsoft.com/fwlink/?LinkId=154885)

"Joining Computers to the Domain and Logging On" topic in the Windows Server 2008 R2 Core Network Guide in the Windows Server 2008 and Windows Server 2008 R2 Technical Library (http://go.microsoft.com/fwlink/?LinkId=154886)