Sorry, this is one where you just have to read the full guide. I have tried to keep it as short and simple as possible.
What is this for?
Machine certificate templates can be used by the machine to identify and authenticate itself on the network. I not going to go to much into their use here however I will be linking back to this in lots of other guides such as setting up VPNs using certificates etc.
Server 2019 Core
(I have also tested with Windows 10)
Getting down to business…
Before we dive deep into the land of certificate authorities and templates we need to create a group in active directory. This will be used to grant devices the permission to automatically enrol the certificate later on. I am not going to go too much into why I structure AD like this in this post but one is coming to explain! I am going to create a “privilege group” as I call them. I will then just add all domain computers to the role group. Lets start by making a group using Active Directory Users and Computers.
Then we just need to add Domain Computers to the newly created group. I normally would create a Role Group and then nest along the lines of Computer/User Object -> Role Group -> Privilege Group -> Network Resource, but lets keep things simple for now.
With that done we need to run mmc.exe as a domain account with permission to create / modify certificate templates. In this case I am going to be use my domain admin account. If you are not familiar with how to do this start by creating a shortcut on your desktop.
Then set the location as “mmc.exe”.
Call it what ever you want (this is the text that will appear on the desktop).
Then hold down shift and right click the new shortcut and you will get the option to “Run as different user”.
Once we have that launched we need to go “File -> Add/Remove Snap-in…”
We can then add the “Certification Authority” snapin. In the event you can not see this you do not have Remote Server Administration Tools (RSAT) installed.
This will then open this popup where we need to click browse to find our Certificate Authority.
This snapin is quite nice as it will look for all servers with the Certification Authority role installed and present them to us to select. We just need to select our CA and OK/Finish out of the windows.
We can then expand open the “Certification Authority” snapin on the left hand side, don’t worry, this might take a moment.
Right, now we can get down to the interesting bit. We need to create a new template. To do this we are going to right click “Certificate Templates” and click manage.
This will then open the following window, where we will need to duplicate the Workstation Authentication Template.
We will then get the new template properties page come up. At this point we are just going to work through the tabs one by one and configure the best settings for us.
With Compatibility we want to ensure that we go as high as possible. My certificate authority is running on a Windows Server 2019, the highest I can go is Windows Server 2016 so I will select this. Everything else in my lab, that will receive certificates, is running either running on the latest version of Windows 10 or Server 2019 therefore the best option is “Windows 10 / Windows Server 2016”. If you have a few annoying Windows 7 laptops still left in your network this is a really good way to say “Oh, I’m really sorry, we just cant support that now. Please send it in and we will get it re-imaged”.
Note: If you have the “show resulting changes” box ticked, when you change these options you will get a pop-up with the features that will be enabled/disabled.
Moving onto the general tab we need to start off by giving the template a name. As a rule of thumb I tend to use the companies name followed by its purpose. The purpose should be as generic as possible. For example you might be configuring this certificate for start before login VPN, however unless its going to be really tied down to this purpose you might eventually start using it for wired and wireless 802.1x too. Therefore calling this “SBL VPN Certificate Template” is probably a bad idea and will cause confusion later on. This is why I just go for “Machine Authentication”.
Next we move onto the Validity and Renewal periods. The Validity period is quite simple, its how long the certificate will be valid for. 12 months is okay, in more secure environments you might want to reduce this to 6/3 months. The Renewal period can cause some confusion, this is not a case of the certificate will renew every 6 weeks; this means the certificate will renew when there is less than 6 weeks left of validity.
Finally, we have Publish certificate in Active Directory. This one is going to be important as we are going to configure domain machines to automatically enrol this certificate without any user interaction.
We now move onto the Request Handling tab. We will leave this as default so i wont explain every option. However, one box I never recommend you tick is the “Allow private key to be exported.” This helps to ensure that somebody cant export the certificate from this machine to another machine; the only way you can get this certificate is by being in the domain. In some of my later posts when I am using this to allow the machine to connect to then network I will give some justification for this.
We now move onto the Cryptography tab. As always the bigger the numbers the better.
On the Key Attestation tab we are not able to change anything, therefore we wont!
On the superseded Templates we have not created any previous template we need to supersede therefore we can just leave this as default
On the Extensions tab we need to add the Server Authentication to the Applications Policies extension. This can be done by selecting Application Policies and selecting Edit. Take a moment here to look at all the application policy options as this might give you some inspiration for some of the many things you can use certificates for!
We now need to edit the permissions. Mine are configured as so, the key bit is to make sure only the machines you want can autoenroll.
Now we move on to the Subject Name tab. One point to not here is your computer probably wont have an email address. Therefore in the event you were to include the e-mail the certificate would fail to deploy.
There is nothing we can modify here, so we wont.
Finally we have the Issuance Requirements, this is the idea of you can just have one person go rogue and issue a certificate. Its like the Hollywood idea of two keys idea for launching nuclear missiles. This is worth considering but is a blog post in its own rights so I’m going to keep things simple here and not configure it.
If we hit okay we should now see our new certificate in the list.
We can now close the templates console and move back to mmc. From here we can now start to issue the certificate template to the server. Do this by right clicking certificate templates and going New -> Certificate Template to Issue.
We just need to select our template and click “OK”.
Now our certificate template can be seen in the list.
Okay but nothing is going to autoenroll this certificate yet. The clients need to be told to autoenroll certificates. To do this we need to edit some group policy. Lets start by throwing the Group Policy Management snapin to our current mmc session.
From here we are just going to throw in a GPO at the root level of the domain, we could probably target this a bit better but its a lab. If you doing this in a production environment I can almost guarantee that one of the issues you will see will be around inheritance, I can not think of a single customer deployment where I haven’t seen this issue!
I will use the most imaginative name possible… Computer – All OS’s – Autoenrollment
As a force of habit, because this is a computer GPO, I am going to disable the user settings.
Once it is created we need to open it for editing. Do this by right clicking and selecting edit.
We are then going to navigate down into Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies. We should then see the “Certificate Services Client – Auto-Enrollment” object.
We just need to double click and set to enabled with both boxes ticked.
Right, so after all that lets see if it works. First, lets run a resultant set of policy (RSOP). As we need to access the computer settings for this we need to run this as an administrator (Right Click – Run as administrator).
Okay so bad news I let that run and the settings are not configured.
Lets try forcing group policy to update using the “gpupdate.exe /force” command in either PowerShell or Command Prompt.
Okay now we are looking better. If this didn’t fix the issue you are probably having some sort of inheritance issue in GPO or your GPO is linked in an OU chain that does not contain your computer.
Right next question, do we have the cert? As with the GPO, we are looking at computer settings therefore we need to open mmc.exe to run as an administrator (Right Click -> Run as administrator).
Once loaded we can add the certificates snap-in…
An then select the “Computer account” option. If this is greyed out or you do this this popup you are not running with admin rights.
Just to confirm we want to run this on the local computer.
We can now check in the Personal store. In my case its empty! If its empty we have no certificate.
So lets try and fix this, we need to run PowerShell (or cmd) as … you guested it.. an administrator. We can then run “certutil -pulse”, this will tell windows to go and enroll for any certificates that are available.
We can then go back to the local certificate store and press the trusty F5 key to refresh the store. Now we can see the certificate. In the event this doesn’t work you will most probably have some sort of issue with permissions.