Create User and Computer Certificates with Auto Enrollment using Server 2019

Captions
In this video we're going to take a look at how to create user and computer certificates and enable auto-enrollment using Server 2019. For those that follow my videos and my content, you'll probably be aware that I did a similar video, as well as an article, around how to do this with Server 2012 R2, so this is going to be an updated video using Server 2019.

So the first thing we need to do is create certificate templates. To do that we just go to Tools, Certification Authority, and then in here we need to expand this, and we can see we have Certificate Templates here. We've got two here that are created by default, Computer and User, so what we'll do is we'll copy each of those templates and modify them for what we want. We'll start off with the Computer; you can see there it just gives you the general information for that, and likewise with User it gives you the general information for that one as well.

What we want to do is right-click on Certificate Templates and click Manage, and then we need to find Computer and User. We'll start off with the User: right-click and then Duplicate Template. Let's click on the General tab and give this a new name, so we'll give this a name of "User Modified", let's say. We can leave the validity period as one year, renewal period of six weeks, and publish certificate in Active Directory; that's fine. Now if we go to Subject Name, we can leave the option "Build from this Active Directory information", so what this does is it's going to take the Active Directory information for the users, so the FQDN or fully distinguished name, and we can choose to include the email name in the subject name, and we can include, as default, the email name and the UPN or user principal name. For the purpose of this demonstration we'll just leave this as it is, and then we'll head over now to Security.

On Security, what we want to do is select the relevant user groups for the domain and select the permissions that are relevant as well. So just click on Domain Users, and what we're going to do is we'll click Autoenroll; I will also select Read as well. Now click on Extensions, and while on Extensions we now need to go to Edit. We can see that we've got a few policies here: we've got Client Authentication, Encrypting File System or EFS, and Secure Email. What we want to do for the user is add in Server Authentication, so just click Add and then search for Server Authentication, select OK, and you can see there now that it adds it into the application policies. So just select OK on that; we can see Server Authentication is added in now, and for this demonstration we should be good with the remaining settings, so we'll just click Apply now, OK, and we can see that our modified template here is now created for the user.

So we'll go ahead and do the same for the computer. We'll just click on that, right-click, Duplicate Template, and if we click on General we'll do the same: we'll just rename it "Computer Modified". We'll leave those settings as they are as default, and then for the Subject Name we will build this from the Active Directory information, so DNS name, and we also need to use the user principal name, so we'll just go ahead and select that. Under Security, what we'll do is select the relevant group, so in this case it's going to be Domain Computers, and we need to also enable Read on that as well as Autoenroll, just as we did with the user. Obviously we're not finished modifying that, so we just go to Extensions now, and again what we want to do is add in Server Authentication. We can see it there anyway, so that's already added, so that's good. Let's just make sure: yeah, if you click Edit you can see Client Authentication and Server Authentication. So we'll just go ahead and leave the rest of the settings as they are, and Apply that if you've not already, and then OK. Again we can see now at the bottom we've got Computer Modified, so we've got our two policies that we've created, User Modified and Computer Modified.

Now what we need to do is add those certificate templates to the local CA. To do that, we'll go back to our Certification Authority; we can see Certificate Templates, and then we'll go to New, Certificate Template to Issue, and then we'll find our User Modified and Computer Modified. Can we select both? Yes we can if you hold Control, and we'll add those in. So now you can see that those templates have now been added to the CA, at the top of the listing in regards to certificate templates. That's a basic setup; obviously depending on your environment you may want to change specific fields within the certificates, but for this demonstration we have kept it minimal.

What we will do now is configure the auto-enrollment for the certificates for the user and machine templates that we just created. So what we need to do is go now to Tools and then Group Policy Management, and then you'll get your domain up. So here we expand Domains, in my case networkwizkid.com, and then what we're going to do is, in this case, modify the Default Domain Policy. Again, in your environment it might be slightly different, but the process should be the same. So what we want to do is right-click on this and select Edit, and then we'll start by enabling auto-enrollment for the machines. We can see Computer Configuration and User Configuration; we'll start off with Computer Configuration, and then we'll go to Windows Settings. So if you expand Policies, Windows Settings, then we've got Security Settings; let's expand that. Let's just make this a little bit bigger as well so you can see that. So yeah, Computer Configuration, expand Policies and Windows Settings, and then what we need to look for within Security Settings, now that we're in here, is Public Key Policies. You can see that here, and we should be able to see Certificate Services Client - Auto-Enrollment, and there we go. So if we just double-click on that, we can change the Configuration Model to Enabled, and then we'll select "Renew expired certificates, update pending certificates, and remove revoked certificates", and then we can also select "Update certificates that use certificate templates". We can leave the expiry events at 10, and we don't have to fill in the additional settings, so we just click Apply there and we should be good on that front.

Then what we need to do now is the same for users. So let's go to Policies, Windows Settings, Security Settings, Public Key Policies, and again on here double-click on there. We'll enable that, and we'll also select the same settings as we did: so renew expired certificates, update pending certificates, remove revoked certificates, and update certificates that use templates. So we'll do that and we'll leave the remaining settings as they are, so again we'll Apply that and we'll select OK on that. That's all the auto-enrollment completed, so theoretically now we should be able to test and confirm that our machines and users are indeed getting certificates.

So what we'll do now is verify this. We'll just create an RDP session to one of the lab computers. Let's just change that, continue with that, OK, so we're on the machine now. What we'll do is we will get rid of all this, and let's go to the MMC and see if on the machine we can verify the certificates. So in MMC, we'll just run that, and then what we want to do is add a snap-in: so File, Add or Remove Snap-in, and then we're going to look for Certificates, add that snap-in, and we're going to add the user account, and we can also add in the computer account, and just select OK on that. Let's start with the user, so you can double-click on Personal, and you can see we have no certificates here, so that means the group policy is not being pushed. Likewise, if we check the computer, there's one issued but that's an old one, so that one's not relevant, so it's not being pushed.

So what we can do, there's two things we can do: we can either do a gpupdate on the actual device itself, or we could push the group policy updates from the server itself. So on the machine we'll just do a gpupdate and that will update the policy; we'll just give that a while to do that. We can see the computer policy update has been successful and also the user policy update has been successful. So if we just go back into these and give them a refresh, there you go: you can see now that our lab PC has been issued with a computer certificate, today's date. If we click into that, we can see that that's issued by our server, and you can see the certificate path there as well. Likewise we should now be able to see the user certificate, so if we just refresh that as well, you can see now that, yeah, there you go, this user Kelvin Charles has been given a certificate as well, and you can see it's been issued by the server and the subject includes the email address. All these were selected in the certificate template settings as well, so again, like I said, you can modify these to what you want in the certificate templates. Our intended purposes, again, you can select that: we changed that, if you remember, in the certificate template to add Server Authentication and Client Authentication, and then you've got the default ones there. So that's essentially how you create user and computer certificates and enable auto-enrollment for those certificates.

There's one last thing. If we go back now to our certificate store, or our CA, we should be able to see on Issued Certificates that we've got issued certificates now for the machine. So you can see here Lab PC, it's been issued, and this one should be the user one, yeah, there we go, so that's issued to Kevin Charles, and you can also see the Computer Modified template being used and the User Modified template being used in that respect.

So yeah, if you have enjoyed this video and found it useful, please do like. If you've got any questions feel free to drop those in the comments section as well. Please show your support by subscribing, and if you are interested in the other videos that I regularly post on my channel, please do hit that notification bell so that every time I upload a new video you will be notified of that. There is a follow-on video to this which is going to be more focused around Cisco ISE and authenticating users and computers using EAP-TLS with the certificates that we've just created and issued to our machines, so do look out for that on my channel if that is of interest to you. And as I said earlier, I do have another video that's posted in relation to Server 2012 R2, but the process is the same; this is essentially just an updated video using Server 2019. Thank you for watching.
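The video verifies enrollment by hand in the Certificates MMC snap-in after a gpupdate. The following PowerShell script, added here as an example and not taken from the video or the Network Wizkid channel, does the same verification on a domain-joined lab machine without the GUI: it refreshes policy, pulses the auto-enrollment task, then looks in the machine and user Personal stores for an unexpired certificate issued from the templates the video creates and checks that the Client Authentication and Server Authentication application policies the video adds are actually present in the issued certificate. The template display names "User Modified" and "Computer Modified" come from the video; the function and variable names and the OID constants are this example's own, and the OIDs are the standard Microsoft and PKIX values, not anything specific to this lab.

```powershell
# Added example (not from the video): verify AD CS auto-enrollment results on a
# domain-joined lab machine. Template display names are the ones used in the
# video; everything else here is generic.

# Well-known OIDs (standard values, not lab-specific)
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2+ templates)
$ServerAuthOid   = '1.3.6.1.5.5.7.3.1'      # Server Authentication EKU
$ClientAuthOid   = '1.3.6.1.5.5.7.3.2'      # Client Authentication EKU

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateInfoOid }
    if (-not $ext) { return $null }
    # Format() renders text such as "Template=User Modified(1.3.6.1.4.1.311.21.8....), Major Version Number=100, ..."
    $text = $ext.Format($false)
    if ($text -match 'Template=([^(]+)\(') { return $Matches[1].Trim() }
    return $null
}

function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return @() }
    return @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Test-AutoEnrolledCertificate {
    param(
        [ValidateSet('LocalMachine', 'CurrentUser')] [string] $StoreLocation,
        [string] $TemplateName
    )
    $now = Get-Date
    $found = Get-ChildItem "Cert:\$StoreLocation\My" |
        Where-Object { (Get-TemplateName $_) -eq $TemplateName -and $_.NotAfter -gt $now }
    if (-not $found) {
        Write-Warning "No valid certificate from template '$TemplateName' in Cert:\$StoreLocation\My"
        return $false
    }
    $ok = $true
    foreach ($c in $found) {
        $ekus = Get-EkuOids $c
        $hasServer = $ekus -contains $ServerAuthOid
        $hasClient = $ekus -contains $ClientAuthOid
        # Both application policies were added on the template, so both should be present
        if (-not ($hasServer -and $hasClient)) { $ok = $false }
        [pscustomobject]@{
            Store      = $StoreLocation
            Subject    = $c.Subject
            Issuer     = $c.Issuer
            Template   = $TemplateName
            NotAfter   = $c.NotAfter
            ServerAuth = $hasServer
            ClientAuth = $hasClient
            Thumbprint = $c.Thumbprint
        } | Format-List | Out-String | Write-Host
    }
    return $ok
}

# Same refresh the video does with gpupdate; certutil -pulse starts the
# auto-enrollment task immediately instead of waiting for its schedule.
# Run from an elevated session for the machine store.
gpupdate /target:computer /force | Out-Null
gpupdate /target:user /force | Out-Null
certutil -pulse | Out-Null

$machineOk = Test-AutoEnrolledCertificate -StoreLocation LocalMachine -TemplateName 'Computer Modified'
$userOk    = Test-AutoEnrolledCertificate -StoreLocation CurrentUser  -TemplateName 'User Modified'

if ($machineOk -and $userOk) {
    'Auto-enrollment verified for machine and user.'
} else {
    'Auto-enrollment incomplete: check Read + Autoenroll on the template, the CA template list and the GPO scope.'
}
```

If the template name does not resolve (for example the machine has not yet refreshed its template cache), the Certificate Template Information extension renders the template OID instead of the display name and the match in Get-TemplateName returns nothing, so a false result can also mean "not replicated yet"; re-running after the gpupdate completes is the first thing to try, and the CA's Issued Certificates view the video ends with is the authoritative place to confirm what was actually issued.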
Info
Channel: Network Wiizkiid
Views: 1,260
Keywords: Network Wizkid, Security, Labs, microsoft, microsoft server 2019 certificates, Server 2019 auto enrollment, server 2019 auto certificate encrollment, server 2019 certificate templates, certificate templates, Create user and machine certificates server 2019, create user and machine certificate templates, microsoft ca auto enroll
Id: useo1l-q5-s
Length: 19min 2sec (1142 seconds)
Published: Wed May 26 2021