Oct 10, 2013

AD CA basic - study notes


  1. There are 3 snapins for certificate-related management
    1. on client, there is Certificates snappin, this manages the actual certificates
    2. on server, you have CA snapin and Certificate Templates snapin
  2. Just because you have a certificate template, doesn't mean CA is going to use it
  3. In order to issue a certain type of certificate, you have to let CA know that you want to issue that type of cert:
    1. In CA snapin, right click server name, New Certificate Template To Issue
    2. To check the current template that your CA can issue, click on "certificate templates"
  4. To manage your templates (in use/not in use), in CA snapin, expand CA server name, right click "Certificate Templates", select manage
  5. After #3, you are in "Certificate Templates" snapin
    1. Templates listed in here can be in use or not in use, depending on if you have perform #3 above
    2. You can directly publish a built-in template, but more typically, you should clone a template, make change on clone, then publish it (not a clone any more since we have made changes)
  6. For client to request:
    1. on a client machine, open Certificate snapin
      Optionally you can use IIS Admin Console or certreq command line
    2. Generate a request, send it to CA admin
    3. CA admin approves it
    4. Client enrolls the cert
  7. You can automate #6 by enabling auto enrollment in group policy
  8. Enterprise CA vs. Standalone CA
    1. standalone CA doesn't have certificate templates
    2. standalone doesn't support auto-enrollment