Windows Certificate Authority – User Certificate Template

tl;dr

Sorry, this is one where you just have to read the full guide. I have tried to keep it as short and simple as possible.

What is this for?


User certificate templates define certificates that a user can use to identify and authenticate themselves on the network. I am not going to go too much into their use here; however, I will be linking back to this post from lots of other guides, such as setting up VPNs using certificates.

System Setup:


Certificate Authority:
Server 2019 Core

Certificate Client:
Server 2019
(I have also tested with Windows 10)

Getting down to business…

Before we dive deep into the land of certificate authorities and templates we need to create a group in Active Directory. This will be used to grant users the permission to automatically enrol the certificate later on. I am not going to go too much into why I structure AD like this in this post, but one is coming to explain! I am going to create a “privilege group”, as I call them. I will then just add all domain users to the role group. Let's start by making a group using Active Directory Users and Computers.

Then we just need to add Domain Users to the newly created group. I would normally create a Role Group and then nest along the lines of Computer/User Object -> Role Group -> Privilege Group -> Network Resource, but let's keep things simple for now. If you are planning to test your certificate enrolment towards the end using this user/computer combination, now would be the best time to log off and back on to pick up your updated group membership.

With that done we need to run mmc.exe as a domain account with permission to create / modify certificate templates. In this case I am going to use my domain admin account. If you are not familiar with how to do this, start by creating a shortcut on your desktop.

Then set the location as “mmc.exe”.

Call it whatever you want (this is the text that will appear on the desktop).

Then hold down Shift and right-click the new shortcut; you will get the option to “Run as different user”.

Once we have that launched we need to go to “File -> Add/Remove Snap-in…”.

We can then add the “Certification Authority” snap-in. If you cannot see this, you do not have the Remote Server Administration Tools (RSAT) installed.

This will then open a popup where we need to click Browse to find our Certificate Authority.

This snap-in is quite nice as it will look for all servers with the Certification Authority role installed and present them for us to select. We just need to select our CA and OK/Finish out of the windows.

We can then expand the “Certification Authority” snap-in on the left-hand side; don't worry, this might take a moment.

Right, now we can get down to the interesting bit. We need to create a new template. To do this we are going to right-click “Certificate Templates” and click Manage.

This will then open the following window, where we will need to duplicate the User Template.

We will then get the new template's properties page. At this point we are just going to work through the tabs one by one and configure the best settings for us.

With Compatibility we want to ensure that we go as high as possible. My certificate authority is running on Windows Server 2019; the highest I can go is Windows Server 2016, so I will select this. Everything else in my lab that will receive certificates is running either the latest version of Windows 10 or Server 2019, therefore the best option is “Windows 10 / Windows Server 2016”. If you have a few annoying Windows 7 laptops still left in your network this is a really good way to say “Oh, I'm really sorry, we just can't support that now. Please send it in and we will get it re-imaged”.

Note: If you have the “show resulting changes” box ticked, when you change these options you will get a pop-up with the features that will be enabled/disabled.

Moving onto the General tab we need to start off by giving the template a name. As a rule of thumb I tend to use the company's name followed by its purpose. The purpose should be as generic as possible. For example, you might be configuring this certificate for a start-before-login (SBL) VPN; however, unless it's going to be really tied down to this purpose you might eventually start using it for wired and wireless 802.1X too. Therefore calling this “SBL VPN Certificate Template” is probably a bad idea and will cause confusion later on. This is why I just go for “User Authentication”.

Next we move onto the Validity and Renewal periods. The Validity period is quite simple: it's how long the certificate will be valid for. 12 months is okay; in more secure environments you might want to reduce this to 6/3 months. The Renewal period can cause some confusion. It does not mean the certificate will renew every 6 weeks; it means the certificate will renew when there is less than 6 weeks of validity left.

One point to note is that the “Publish certificate in Active Directory” option is checked. This one is going to be important as we are going to configure domain users to automatically enrol this certificate without any user interaction.

We now move onto the Request Handling tab. We will leave most of this as default so I won't explain every option. However, we must untick “Allow private key to be exported”. This helps to ensure that somebody can't export the certificate from this machine to another machine; the only way you can get this certificate is by being in the domain. In some of my later posts, when I am using this to allow the user to connect to the network, I will give some justification for this.

We now move onto the Cryptography tab. As always, the bigger the numbers (longer keys, stronger hashes) the better.

On the Key Attestation tab we are not able to change anything, therefore we won't!

On the Superseded Templates tab, we have not created any previous template that we need to supersede, therefore we can just leave this as default.

On the Extensions tab we need to add Server Authentication to the Application Policies extension. This can be done by selecting Application Policies and clicking Edit. Take a moment here to look at all the application policy options, as this might give you some inspiration for some of the many things you can use certificates for!

Note: The default template also contains “Secure Email” and “Encrypting File System”. It's my intention that this certificate is only going to be used for authentication, therefore I have removed these.

We now need to edit the permissions. Mine are configured as follows; the key bit is to make sure only the users you want can autoenroll.

Now we move on to the Subject Name tab. One point to note here is that my lab users don't have email addresses, so I have unticked these boxes. If these are ticked and your users do not have an email address they will not be able to autoenroll for the certificate.

The defaults here are fine.

Finally we have the Issuance Requirements. This addresses the problem of a single person going rogue and issuing a certificate on their own. It's like the Hollywood two-keys idea for launching nuclear missiles. This is worth considering but is a blog post in its own right, so I'm going to keep things simple here and not configure it.

If we hit okay we should now see our new certificate in the list. I have ordered the list by the display name here to make it easier to find.

We can now close the templates console and move back to mmc. From here we can now issue the certificate template to the server. Do this by right-clicking Certificate Templates and going New -> Certificate Template to Issue.

We just need to select our template and click “OK”.

Now our certificate template can be seen in the list.
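The template tabs above are configured through the GUI, so the following PowerShell script (an added example, not from the original post) reads the published template back from Active Directory and reports the settings this guide changes: validity and renewal periods, whether the private key is exportable, publish-to-AD, the e-mail requirement on the subject name, issuance signatures, who holds the Autoenroll right, and whether a CA is issuing it. It assumes the ActiveDirectory RSAT module and the guide's template display name “User Authentication”; the bit values are taken from the MS-CRTD template attribute specification.

```powershell
# Added example, not part of the original post. Reads the published template
# back from AD and reports the settings this guide changes. Assumes the
# ActiveDirectory RSAT module and the guide's display name "User Authentication".
param([string]$TemplateName = 'User Authentication')
Import-Module ActiveDirectory
$cfg     = (Get-ADRootDSE).configurationNamingContext
$tplBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
$caBase  = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfg"

$t = Get-ADObject -SearchBase $tplBase -Filter "displayName -eq '$TemplateName'" `
    -Properties displayName, pKIExpirationPeriod, pKIOverlapPeriod, pKIExtendedKeyUsage,
                'msPKI-Private-Key-Flag', 'msPKI-Enrollment-Flag',
                'msPKI-Certificate-Name-Flag', 'msPKI-RA-Signature', 'msPKI-Minimal-Key-Size'
if (-not $t) { throw "Template '$TemplateName' not found under $tplBase" }

# Validity/renewal periods are stored as a negative little-endian int64 of 100ns ticks.
function ConvertTo-Period([byte[]]$Bytes) {
    [TimeSpan]::FromTicks(-[BitConverter]::ToInt64($Bytes, 0))
}
# Bit values from MS-CRTD (msPKI-Private-Key-Flag, msPKI-Enrollment-Flag, Name-Flag).
$EXPORTABLE_KEY = 0x10; $PUBLISH_TO_DS = 0x08; $AUTO_ENROLLMENT = 0x20
$SUBJECT_REQUIRE_EMAIL = 0x20000000; $SUBJECT_ALT_REQUIRE_EMAIL = 0x00200000
$pk = [int]$t.'msPKI-Private-Key-Flag'
$ef = [int]$t.'msPKI-Enrollment-Flag'
$nf = [int]$t.'msPKI-Certificate-Name-Flag'

[pscustomobject]@{
    Template             = "$($t.displayName) ($($t.Name))"
    ValidityDays         = (ConvertTo-Period $t.pKIExpirationPeriod).TotalDays
    RenewalWindowDays    = (ConvertTo-Period $t.pKIOverlapPeriod).TotalDays
    PrivateKeyExportable = [bool]($pk -band $EXPORTABLE_KEY)   # guide: must be False
    PublishedToAD        = [bool]($ef -band $PUBLISH_TO_DS)    # guide: must be True
    AutoEnrollFlagSet    = [bool]($ef -band $AUTO_ENROLLMENT)
    RequiresEmailInName  = [bool]($nf -band ($SUBJECT_REQUIRE_EMAIL -bor $SUBJECT_ALT_REQUIRE_EMAIL))
    MinimumKeySize       = $t.'msPKI-Minimal-Key-Size'
    IssuanceSignatures   = $t.'msPKI-RA-Signature'             # Issuance Requirements tab
    ExtendedKeyUsage     = ($t.pKIExtendedKeyUsage -join ', ')
}

# Principals granted the Autoenroll extended right (the Security tab).
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
(Get-Acl -Path "AD:\$($t.DistinguishedName)").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $AutoEnrollRight } |
    Select-Object IdentityReference, ActiveDirectoryRights

# Is the template actually issued by a CA? ("Certificate Template to Issue" step)
Get-ADObject -SearchBase $caBase -Filter "objectClass -eq 'pKIEnrollmentService'" `
    -Properties certificateTemplates |
    ForEach-Object { [pscustomobject]@{ CA = $_.Name; Issues = ($_.certificateTemplates -contains $t.Name) } }
```

If PrivateKeyExportable comes back True or the Autoenroll list contains more than your privilege group, the template does not match what this guide set up.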

Okay, but no one is going to autoenroll this certificate yet. The clients need to be told to autoenroll certificates. To do this we need to edit some group policy. Let's start by adding the Group Policy Management snap-in to our current mmc session.

From here we are just going to throw in a GPO at the root level of the domain; we could probably target this a bit better, but it's a lab. If you are doing this in a production environment I can almost guarantee that one of the issues you will see will be around inheritance. I cannot think of a single customer deployment where I haven't seen this issue!

I will use the most imaginative name possible… User – All Types – Autoenrollment

As a force of habit, because this is a user GPO, I am going to disable the machine settings.

Once it is created we need to open it for editing. Do this by right-clicking and selecting Edit.

We are then going to navigate down into User Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies. We should then see the “Certificate Services Client – Auto-Enrollment” object.

We just need to double click and set to enabled with both boxes ticked.

Right, so after all that let's see if it works. First, let's run a Resultant Set of Policy (RSoP). To do this just open the Run dialog (Win + R) and type rsop.msc.

You will get an error saying you cannot read computer settings. Don't worry, we don't need to look at the computer configuration for this one.

Okay, so good news: I let that run and the settings are configured.

Ideally I would have liked to have got there before the GPO refreshed itself, but it looks like I was too slow! In the event you do find the local security policy hasn't updated, try forcing group policy to update using the “gpupdate.exe /force” command in either PowerShell or Command Prompt. If this doesn't fix the issue you are probably having some sort of inheritance issue in GPO, or your GPO is linked in an OU chain that does not contain your user.

Right, next question: do we have the cert? As with the GPO, we are looking at computer settings, therefore we need to open mmc.exe as an administrator (Right Click -> Run as administrator).

Once loaded we can add the certificates snap-in…

We can now check in the Personal store. In my case it's empty! If it is empty we have no certificate.

So let's try and enroll it through MMC. Right-click on the snap-in and go “All Tasks -> Automatically Enroll and Retrieve Certificates”.

We get a nice welcome screen.

The computer will then search for available certificates and present them to you. You then just need to ensure the box is ticked and then click Enroll.

We can then go back to the local certificate store and press the trusty F5 key to refresh the store. Now we can see the certificate. If this doesn't work you will most probably have some sort of issue with permissions.
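The same three checks (did the GPO apply, trigger autoenrollment, is the certificate in the Personal store) can be run from PowerShell on the client as the test user. This is an added example, not code from the original post; it assumes the guide's template display name “User Authentication” and that the client can resolve the template's OID to its friendly name when formatting the extension, which a domain-joined machine normally can.

```powershell
# Added example, not part of the original post. Run as the test user on the
# client to confirm the autoenrollment GPO applied and the certificate arrived.
# Assumes the guide's template display name "User Authentication".
param([string]$TemplateName = 'User Authentication')

# 1. GPO check: "Certificate Services Client - Auto-Enrollment" writes AEPolicy
#    under HKCU. 7 = Enabled with both boxes ticked, 0x8000 = Disabled, absent = not applied.
$aeKey    = 'HKCU:\Software\Policies\Microsoft\Cryptography\AutoEnrollment'
$aePolicy = (Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
if ($null -eq $aePolicy) {
    'GPO not applied: no AEPolicy value under HKCU. Try gpupdate /force, then check OU links and inheritance.'
} elseif ($aePolicy -eq 7) {
    'GPO applied: autoenrollment enabled with renew/update options (AEPolicy=7).'
} else {
    'GPO applied but AEPolicy=0x{0:X}; expected 7 (both boxes ticked).' -f $aePolicy
}

# 2. Trigger a user autoenrollment pass now instead of waiting for the scheduled one.
certutil.exe -user -pulse | Out-Null

# 3. Look in the user's Personal store for a certificate issued from our template.
#    Duplicated (v2+) templates carry the Certificate Template Information extension;
#    its formatted text includes the template name when the client can resolve the OID.
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'
$TemplateNameOid = '1.3.6.1.4.1.311.20.2'   # legacy v1 templates only
$compactName = $TemplateName -replace ' ', ''  # the template "Name" drops spaces
function Get-TemplateText($cert) {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -in $TemplateInfoOid, $TemplateNameOid }
    if ($ext) { ($ext | Select-Object -First 1).Format($true) } else { '' }
}
$certs = Get-ChildItem Cert:\CurrentUser\My
$found = $certs | Where-Object {
    $txt = Get-TemplateText $_
    $txt -like "*$TemplateName*" -or $txt -like "*$compactName*"
}
if ($found) {
    $found | Select-Object Subject, NotBefore, NotAfter, HasPrivateKey, Thumbprint
} else {
    'No certificate from this template in Cert:\CurrentUser\My. Templates seen in the store:'
    $certs | ForEach-Object { '  {0} -> {1}' -f $_.Subject, (Get-TemplateText $_) }
    'Usual causes: missing Autoenroll permission, e-mail required but absent on the user, or template not issued by the CA.'
}
```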

Enjoy!
