1.3 Client Certificate Validation

pcbuck April 22, 2021 0 Comments





Log in on a client:

* Open cmd with administrative rights
* Run gpupdate /force
* Open Manage computer certificates (certlm.msc)
* Check for the certificate under Personal -> Certificates
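The same check scripted, as an added example that is not part of the original post: after the policy refresh it looks in the computer's Personal store for a certificate from the client template, confirms it was issued by the expected CA, carries the Client Authentication EKU and has a private key, and then builds the chain with revocation checking so a missing CA cert or unreachable CRL shows up here rather than at the site system. The template display name follows this post; the CA common name is an assumption.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the client.
$TemplateName  = 'ConfigMgr Client Certificate'   # display name used later in this post
$CaCommonName  = 'CONTOSO-CA'                      # assumption: issuing CA common name
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'               # id-kp-clientAuth

function Test-ClientAuthCert {
    param([string]$Template = $TemplateName, [string]$CaName = $CaCommonName)

    # v1 (1.3.6.1.4.1.311.20.2) and v2 (1.3.6.1.4.1.311.21.7) template extensions;
    # Format() renders "Template=<name>(<oid>)", which is matched on the display name.
    $tmplOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'
    $issuerRe = '^CN=' + [regex]::Escape($CaName) + '(,|$)'

    $hits = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.Issuer -match $issuerRe -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthEku) -and
        ((($_.Extensions | Where-Object { $_.Oid.Value -in $tmplOids } |
            ForEach-Object { $_.Format($false) }) -join ' ') -like "*$Template*")
    }

    if (-not $hits) {
        Write-Warning "No certificate from template '$Template' issued by '$CaName' with a private key in Cert:\LocalMachine\My"
        return $null
    }

    foreach ($c in $hits) {
        # Online revocation: a chain that only builds with NoCheck is not usable by a client
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $built = $chain.Build($c)
        [pscustomobject]@{
            Subject    = $c.Subject
            Thumbprint = $c.Thumbprint
            NotAfter   = $c.NotAfter
            ChainOk    = $built
            ChainError = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        }
    }
}

gpupdate /force | Out-Null
Test-ClientAuthCert | Format-List
```

If the certificate is missing, the usual causes are that the computer is not in a group with Autoenroll on the template or that the autoenrollment GPO has not applied yet; if it is present but ChainOk is false, ChainError names the missing issuer or the CRL the client cannot reach.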

Exporting Certification authority (CA) certificate


On the CA machine we issued the certificate; the name of this CA is written in that certificate, so we need to export the personal certificate of this CA and transfer it to the Linux machine. This certificate will be used to validate the certificate of the domain controller we are going to enroll in the next steps.

* Open the local computer certificate store (Start - Run - `certlm.msc`)
* Expand Personal, right-click Certificates - All Tasks - Export
* Select No, do not export the private key; for the format select Base-64 encoded X.509 (.CER)
* Save the certificate to a file with the .cer extension and move it to the Linux machine
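The export done from PowerShell on the CA machine, as an added example that is not part of the original post. Export-Certificate only writes DER, so the Base-64 (PEM) wrapping that the Linux side expects is produced here, and the file is read back to confirm it still parses to the same thumbprint. The output path is an assumption.

```powershell
# Added example, not from the original post. Run on the CA machine.
$OutFile = "$env:USERPROFILE\Desktop\ca-cert.cer"   # assumption: where to write the PEM

# The CA's own certificate is the one in LocalMachine\My whose Basic Constraints say CA=TRUE.
$caCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $bc = $_.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $bc -and $bc.CertificateAuthority
} | Select-Object -First 1
if (-not $caCert) { throw 'No CA certificate found in Cert:\LocalMachine\My' }

# Base-64 encoded X.509: DER bytes, base64, 64-character lines, PEM armour
$b64   = [Convert]::ToBase64String($caCert.RawData)
$lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
    $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
}
$pem = "-----BEGIN CERTIFICATE-----`n" + ($lines -join "`n") + "`n-----END CERTIFICATE-----`n"

# ASCII without a BOM so openssl/ldapsearch on the Linux side parse it cleanly
[System.IO.File]::WriteAllText($OutFile, $pem, [System.Text.Encoding]::ASCII)

# Read-back check: the file must load and carry the same thumbprint as the store copy
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $OutFile
if ($check.Thumbprint -ne $caCert.Thumbprint) { throw 'Exported file does not match the CA certificate' }
"Exported '{0}' (thumbprint {1}) to {2}" -f $caCert.Subject, $caCert.Thumbprint, $OutFile
```

If the issuing CA is a subordinate, the domain controller's certificate will only validate on Linux when the root CA certificate is also in the trust file; export that one the same way and append it.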

Create and issue the web server certificate template on the certification authority


This procedure creates a certificate template for Configuration Manager site systems and adds it to the certification authority.

Request the web server certificate


This procedure lets you specify the intranet and internet FQDN values that will be set up in the site system server properties and then installs the web server certificate on to the member server that runs IIS.

To request the web server certificate


1. Restart the member server that runs IIS to ensure that the computer can access the certificate template that you created by using the Read and Enroll permissions that you configured.
2. Choose Start, choose Run, and then type mmc.exe. In the empty console, choose File, and then choose Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, choose Certificates from the list of Available snap-ins, and then choose Add.
4. In the Certificate snap-in dialog box, choose Computer account, and then choose Next.
5. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then choose Finish.
6. In the Add or Remove Snap-ins dialog box, choose OK.
7. In the console, expand Certificates (Local Computer), and then choose Personal.
8. Right-click Certificates, choose All Tasks, and then choose Request New Certificate.
9. On the Before You Begin page, choose Next.
10. If you see the Select Certificate Enrollment Policy page, choose Next.
11. On the Request Certificates page, identify the ConfigMgr Web Server Certificate from the list of available certificates, and then choose More information is required to enroll for this certificate. Click here to configure settings.
12. In the Certificate Properties dialog box, in the Subject tab, do not make any changes to Subject name. This means that the Value box for the Subject name section remains blank. Instead, from the Alternative name section, choose the Type drop-down list, and then choose DNS.
13. In the Value box, specify the FQDN values that you will specify in the Configuration Manager site system properties, and then choose OK to close the Certificate Properties dialog box. Examples:
   * If the site system will only accept client connections from the intranet, and the intranet FQDN of the site system server is server1.internal.contoso.com, enter server1.internal.contoso.com, and then choose Add.
   * If the site system will accept client connections from the intranet and the internet, and the intranet FQDN of the site system server is server1.internal.contoso.com and the internet FQDN of the site system server is server.contoso.com:
     1. Enter server1.internal.contoso.com, and then choose Add.
     2. Enter server.contoso.com, and then choose Add.
   Note: You can specify the FQDNs for Configuration Manager in any order. However, check that all devices that will use the certificate, such as mobile devices and proxy web servers, can use a certificate subject alternative name (SAN) and multiple values in the SAN. If devices have limited support for SAN values in certificates, you might have to change the order of the FQDNs or use the Subject value instead.
14. On the Request Certificates page, choose ConfigMgr Web Server Certificate from the list of available certificates, and then choose Enroll.
15. On the Certificates Installation Results page, wait until the certificate is installed, and then choose Finish.
16. Close Certificates (Local Computer).

To request the custom web server certificate


1. Restart the member server after you create and configure the ConfigMgr Site Servers security group to ensure that the computer can access the certificate template that you created by using the Read and Enroll permissions that you configured.
2. Choose Start, choose Run, and then enter mmc.exe. In the empty console, choose File, and then choose Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, choose Certificates from the list of Available snap-ins, and then choose Add.
4. In the Certificate snap-in dialog box, choose Computer account, and then choose Next.
5. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then choose Finish.
6. In the Add or Remove Snap-ins dialog box, choose OK.
7. In the console, expand Certificates (Local Computer), and then choose Personal.
8. Right-click Certificates, choose All Tasks, and then choose Request New Certificate.
9. On the Before You Begin page, choose Next.
10. If you see the Select Certificate Enrollment Policy page, choose Next.
11. On the Request Certificates page, identify the ConfigMgr Cloud-Based Distribution Point Certificate from the list of available certificates, and then choose More information is required to enroll for this certificate. Click here to configure settings.
12. In the Certificate Properties dialog box, in the Subject tab, for the Subject name, choose Common name as the Type.
13. In the Value box, specify your choice of service name and your domain name by using an FQDN format. For example: clouddp1.contoso.com.
   Note: Make the service name unique in your namespace. You will use DNS to create an alias (CNAME record) to map this service name to an automatically generated identifier (GUID) and an IP address from Windows Azure.
14. Choose Add, and then choose OK to close the Certificate Properties dialog box.
15. On the Request Certificates page, choose ConfigMgr Cloud-Based Distribution Point Certificate from the list of available certificates, and then choose Enroll.
16. On the Certificates Installation Results page, wait until the certificate is installed, and then choose Finish.
17. Close Certificates (Local Computer).
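Both requests above (the web server certificate with the FQDNs as DNS SANs and an empty Subject, and the cloud distribution point certificate with a Common Name only) issued from PowerShell with Get-Certificate from the PKI module, as an added example that is not part of the original post. The template common names (no spaces) are assumptions derived from the display names used in this post; check them with certutil -Template. The FQDNs are the ones used in the text. Run it elevated on the member server that holds Enroll on the templates.

```powershell
# Added example, not from the original post.
$WebTemplate     = 'ConfigMgrWebServerCertificate'                 # assumption: template common name
$CloudDpTemplate = 'ConfigMgrCloudBasedDistributionPointCertificate' # assumption: template common name
$SiteSystemFqdns = 'server1.internal.contoso.com', 'server.contoso.com'
$CloudDpFqdn     = 'clouddp1.contoso.com'

function Get-SanDnsNames([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Subject Alternative Name extension; Format(false) yields
    # "DNS Name=server1.internal.contoso.com, DNS Name=server.contoso.com"
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
}

# 1) Site system web server certificate: no -SubjectName, every FQDN as a DNS SAN
$web = Get-Certificate -Template $WebTemplate -DnsName $SiteSystemFqdns -CertStoreLocation Cert:\LocalMachine\My
if ($web.Status -ne 'Issued') {
    throw "Web server request status '$($web.Status)': check CA manager approval and the template's Enroll permission"
}
$missing = $SiteSystemFqdns | Where-Object { $_ -notin (Get-SanDnsNames $web.Certificate) }
if ($missing) { throw "Issued certificate lacks SAN entries: $($missing -join ', ')" }

# 2) Cloud-based distribution point certificate: Subject CN only, no SAN needed
$cdp = Get-Certificate -Template $CloudDpTemplate -SubjectName "CN=$CloudDpFqdn" -CertStoreLocation Cert:\LocalMachine\My
if ($cdp.Status -ne 'Issued') { throw "Cloud DP request status '$($cdp.Status)'" }
if ($cdp.Certificate.Subject -ne "CN=$CloudDpFqdn") { throw "Unexpected subject $($cdp.Certificate.Subject)" }

"Web server cert {0} SANs: {1}" -f $web.Certificate.Thumbprint, ((Get-SanDnsNames $web.Certificate) -join ', ')
"Cloud DP cert {0} subject: {1}" -f $cdp.Certificate.Thumbprint, $cdp.Certificate.Subject
```

Get-Certificate only lets the requester choose names because the template allows the subject to be supplied in the request; that is why the text restricts Enroll on these templates to the site servers' group rather than to all domain computers.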

Create and issue a Mac client certificate template on the certification authority


This procedure creates a custom certificate template for Configuration Manager Mac computers and adds the certificate template to the certification authority.

Note: This procedure uses a different certificate template from the certificate template that you might have created for Windows client computers or for distribution points. When you create a new certificate template for this certificate, you can restrict the certificate request to authorized users.

Add the SCCM client certificate on the workgroup computer


1. From the workgroup computer, log on to the certificate request page as the account you gave the Enroll permission to above: http://certserver/certsrv
2. Click on Request a certificate.
3. Click Advanced certificate request.
4. Click Create and submit a request to this CA.
5. Fill in all the details as shown and leave the rest at their defaults, then click Next.
6. Click Install this certificate.
7. Because the certificate will end up in the user certificate store of the workgroup computer, you will need to export it from there and import it into the local computer certificate store. Open the Certificates MMC console for the user account > expand the Personal store > click on Certificates > right-click on the certificate and choose Export.
8. Click Next.
9. Type a password.
10. Browse to a location for the file and give it a name; the file will have a .PFX extension.
11. Import process: open the Certificates MMC console for the computer account > right-click on the Personal store and choose Import > browse to the certificate you just exported.

Create client authentication certificate template


1. Right-click on Workstation Authentication and click Duplicate Template.
2. In the General tab, change the display name to ConfigMgr Client Certificate.
3. Change the Validity period as you wish.
4. Click on the Security tab, then click Add.
5. Add Domain Computers and give it the permissions Allow Read, Enroll and Autoenroll.
6. Click OK to close the dialog.

Export Cloud management gateway certificates


1. Right-click on the ConfigMgr CMG certificate, choose All Tasks - Export, and go through the wizard.
2. Choose No, do not export the private key, and save it as CMG.cer in the D:\ConfigMgr folder.
3. Export the ConfigMgr CMG certificate again; this time choose Yes, export the private key.
   * Add a password to protect your private certificate.
   * Click Next and save it as CMG.pfx in the D:\ConfigMgr folder.
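The two export/import procedures in this post (moving the workgroup client certificate from the user store to the computer store, and exporting the CMG certificate once without and once with the private key) done from PowerShell, as an added example that is not part of the original post. The certificate subjects used to pick the right certificate and the friendly name of the workgroup host are assumptions; the D:\ConfigMgr folder is the one named in the text.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell.
$OutDir = 'D:\ConfigMgr'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Export-CertPair {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$BaseName,
        [Parameter(Mandatory)][securestring]$Password
    )
    if (-not $Cert.HasPrivateKey) { throw "$($Cert.Subject) has no private key in this store" }
    # Public certificate only (DER .cer): safe to hand to the other party
    Export-Certificate -Cert $Cert -FilePath (Join-Path $OutDir "$BaseName.cer") -Type CERT -Force | Out-Null
    # PKCS#12 with the private key, password protected. This fails if the key was not
    # marked exportable when the certificate was requested; re-request it in that case.
    Export-PfxCertificate -Cert $Cert -FilePath (Join-Path $OutDir "$BaseName.pfx") `
        -Password $Password -ChainOption BuildChain -Force | Out-Null
}

$pw = Read-Host -AsSecureString 'Password to protect the exported .pfx files'

# Workgroup computer: web enrollment placed the certificate under the user; move it to the computer store
$client = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like 'CN=workgroup-pc1*' } |   # assumption: subject of the client cert
    Select-Object -First 1
if ($client) {
    Export-CertPair -Cert $client -BaseName 'client' -Password $pw
    $imported = Import-PfxCertificate -FilePath (Join-Path $OutDir 'client.pfx') `
        -CertStoreLocation Cert:\LocalMachine\My -Password $pw
    if (-not (Get-Item "Cert:\LocalMachine\My\$($imported.Thumbprint)").HasPrivateKey) {
        throw 'Import into Cert:\LocalMachine\My lost the private key'
    }
    # The .pfx is now a second copy of the client's private key; do not leave it on disk
    Remove-Item (Join-Path $OutDir 'client.pfx')
}

# CMG certificate: CMG.cer (public) and CMG.pfx (with key) for the CMG setup
$cmg = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=cmg.contoso.com*' } |  # assumption: CMG certificate subject
    Select-Object -First 1
if (-not $cmg) { throw 'ConfigMgr CMG certificate not found in Cert:\LocalMachine\My' }
Export-CertPair -Cert $cmg -BaseName 'CMG' -Password $pw
Get-ChildItem (Join-Path $OutDir 'CMG.*')
```

CMG.pfx carries the private key of a certificate that will front the internet-facing gateway, so treat the file and its password like the key itself: copy it only to where the CMG wizard needs it and delete the copies afterwards.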

Publishing a Certificate that Supports Server Authentication


1. On the issuing Certification Authority computer, open the Certificates console or Certsrv console. To open Certsrv, click Start, type certsrv.msc and then click OK.
2. Ensure that Certification Authority is expanded as well as the name of the certification authority.
3. Right-click Certificate Templates and then click Manage.
4. In the Certificate Templates Console, right-click Kerberos Authentication and then select Duplicate Template. You don't have to use the Kerberos template. You can create your own or use one of the existing templates that has Server Authentication as a purpose, such as Domain Controller Authentication, Domain Controller, Web Server, and Computer.
   Important: You should be planning on having only one certificate on each LDAP server (i.e. domain controller or AD LDS computer) with the purpose of Server Authentication. If you have legitimate reasons for using more than one, you may end up having certificate selection issues, which is discussed further in the Active Directory Domain Services Certificate Storage.
5. On the Duplicate Template dialog box, leave the default Windows Server 2003 Enterprise selected and then click OK.
6. The Properties of New Template appear. Ensure that settings are as you want them to be for this certificate template. Pay close attention to ensure that the Template display name is set to an appropriate name along with the following settings:
   * Validity and Renewal periods are set according to your organization's security policy
   * Key lengths are appropriate
   * Select whether you want to place the certificate in Active Directory
   * Subject Name tab: DNS name and Service principal name (SPN) are selected
   * If you plan to import the certificate into the Active Directory Domain Services certificate store, then you should also mark the private key as exportable
7. Click OK.
8. Return to the Certificates or Certsrv console and in the details pane of Certificate Templates, right-click an open area of the console, click New, and then click Certificate Template to Issue.
9. In the Enable Certificate Templates dialog box, select the name of the new template you created and then click OK.
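A way to read a template back out of Active Directory and verify the settings that the two template procedures in this post ask for (validity, key length, DNS and SPN in the subject alternative name, exportable private key for the server authentication template; Domain Computers with Enroll and Autoenroll for the client template), as an added example that is not part of the original post. It needs the ActiveDirectory module (RSAT) and the AD: drive it creates. The template common names passed at the bottom are assumptions; the flag bit values are from MS-CRTD.

```powershell
# Added example, not from the original post.
Import-Module ActiveDirectory

$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$AutoEnrollRight = [guid]'a05b8cc2-17bc-11d1-aebd-0000f80367c1'   # Certificate-AutoEnrollment extended right
$ExtRight        = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GenericAll      = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

function Get-CertTemplateReport {
    param([Parameter(Mandatory)][string]$Name)   # template common name, e.g. 'ConfigMgrClientCertificate'

    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base  = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $props = 'msPKI-Certificate-Name-Flag', 'msPKI-Private-Key-Flag', 'msPKI-Minimal-Key-Size',
             'pKIExpirationPeriod', 'pKIExtendedKeyUsage'
    $t = Get-ADObject -SearchBase $base -LDAPFilter "(cn=$Name)" -Properties $props
    if (-not $t) { throw "Template '$Name' not found under $base" }

    $nameFlag = [int]$t.'msPKI-Certificate-Name-Flag'
    $keyFlag  = [int]$t.'msPKI-Private-Key-Flag'
    # pKIExpirationPeriod is a negative FILETIME-style interval in 100 ns units
    $validityDays = [Math]::Abs([BitConverter]::ToInt64($t.pKIExpirationPeriod, 0)) / 864000000000

    # Who can enroll: Enroll/Autoenroll extended rights, a blanket ExtendedRight, or GenericAll
    $acl = Get-Acl -Path "AD:\$($t.DistinguishedName)"
    $enrollers = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            ($_.ObjectType -in @($EnrollRight, $AutoEnrollRight)) -or
            (([int]($_.ActiveDirectoryRights -band $ExtRight) -ne 0) -and $_.ObjectType -eq [guid]::Empty) -or
            ([int]($_.ActiveDirectoryRights -band $GenericAll) -ne 0)
        )
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    [pscustomobject]@{
        Template         = $t.Name
        Eku              = @($t.pKIExtendedKeyUsage) -join ', '
        ValidityDays     = $validityDays
        MinKeySize       = $t.'msPKI-Minimal-Key-Size'
        SubjectAltDns    = ($nameFlag -band 0x08000000) -ne 0   # CT_FLAG_SUBJECT_ALT_REQUIRE_DNS
        SubjectAltSpn    = ($nameFlag -band 0x00800000) -ne 0   # CT_FLAG_SUBJECT_ALT_REQUIRE_SPN
        EnrolleeSupplies = ($nameFlag -band 0x00000001) -ne 0   # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
        ExportableKey    = ($keyFlag  -band 0x00000010) -ne 0   # CT_FLAG_EXPORTABLE_KEY
        Enrollers        = $enrollers -join '; '
    }
}

# Assumed template common names for the two templates created in this post
'ConfigMgrClientCertificate', 'LDAPServerAuthentication' | ForEach-Object {
    Get-CertTemplateReport -Name $_ | Format-List
}
```

For the client template the report should show EKU 1.3.6.1.5.5.7.3.2 and Domain Computers among the enrollers; for the server authentication template it should show 1.3.6.1.5.5.7.3.1, SubjectAltDns and SubjectAltSpn true, and ExportableKey true only if you really intend to import the certificate into the AD DS store. If EnrolleeSupplies is true on either, the Enrollers list is the set of principals that can request a certificate for any name they choose, so it should contain only the servers that need it.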

