docs.mjcb.ca

Certificate Template Deployment

The following Certificate Templates will need to be created in the Certification Authority console on the TFS-CA01 server:

| Template Name | Validity | Publish in ADDS | Additional Security |
|---|---|---|---|
| TFS Labs User Certificate | 1 Year | Yes | TFS-CA01 (Enroll); Domain Users (Read, Enroll, Autoenroll) |
| TFS Labs Workstation Certificate | 1 Year | Yes | TFS-CA01 (Enroll); Domain Computers (Enroll, Autoenroll) |
| TFS Labs Web Server Certificate | 1 Year | No | TFS-CA01 (Enroll) |

These Certificate Templates will be used for issuing certificates to the organization.

Private Key Archive and Recovery

The Key Recovery Agent feature of Active Directory Certificate Services allows for the archival of private keys that are generated by the Certificate Authority. This is very important if a certificate is deleted and needs to be restored. This entire section is optional. Not implementing private key archive and recovery will have no impact on the functionality of your Certificate Authority, nor will it interfere with any later steps. This functionality can be added at any time in the future if needed.

Certificate Auto-Enrollment

Enabling the auto-enrollment feature in Group Policy allows users and workstations within the organization to automatically receive a certificate from the Active Directory Certificate Authority server. This level of automation is helpful for large organizations that need to quickly deploy certificates for users or workstations.

7.1 User Auto-Enrollment
7.2 Workstation Auto-Enrollment
AD CS on Windows Server 2019 Guide

7.1 User Auto-Enrollment

To enable certificate auto-enrollment for user accounts in the TFS Labs domain, perform the following steps on the TFS-DC01 server:

Certificate Template Deployment

The following Certificate Templates will need to be created in the Certification Authority console on the TFS-CA01 server:

| Template Name | Validity | Publish in ADDS | Additional Security |
|---|---|---|---|
| TFS Labs User Certificate | 1 Year | Yes | TFS-CA01 (Enroll); Domain Users (Read, Enroll, Autoenroll) |
| TFS Labs Workstation Certificate | 1 Year | Yes | TFS-CA01 (Enroll); Domain Computers (Enroll, Autoenroll) |

These Certificate Templates will be used for issuing certificates to the organization.

AD CS Final Steps

Once the Certificate Authority has been successfully implemented and completed, there are a few files that should be deleted and a few tasks that will need to be performed now and in the future.

8.1 TFS-CA01 Server Cleanup
8.2 Virtual Floppy Disk
8.3 Root CA Shutdown
8.4 Renewing the Root CA CRL
AD CS on Windows Server 2019 Guide

8.1 TFS-CA01 Server Cleanup

Delete the following files on the TFS-CA01 server:

Certificate Auto-Enrollment

Enabling the auto-enrollment feature in Group Policy allows users and workstations within the organization to automatically receive a certificate from the Active Directory Certificate Authority server. This level of automation is helpful for large organizations that need to quickly deploy certificates for users or workstations.

This entire section is optional. Not implementing certificate auto-enrollment will have no impact on the functionality of your Certificate Authority, nor will it interfere with any later steps.

AD CS on Windows Server 2019

This guide is archived and will no longer be updated. It has been superseded by the AD CS on Windows Server 2022 guide. This guide was originally posted on the https://mjcb.ca website in March 2020. This guide has received updates to fix minor errors and to improve readability.

Goals of this Guide
Guide Sections
Environment Assumptions
Environment Design and Overview
Certificate Hierarchy Overview
Design Considerations
Why Use an Offline CA?

AD CS on Windows Server 2022

This is an updated version of the AD CS on Windows Server 2019 guide that is already available on this website. This guide reflects any changes that are present in Active Directory Certificate Services, Windows Server 2022, and Windows 11.

Goals of this Guide
AD CS Guide Sections
Windows Versions and Virtualization
Environment Design and Overview
Certificate Hierarchy Overview
Certificate Authority Design Considerations
Why Use an Offline CA?