ChamplainTechJournals/sysadmin-ii-sys265/labs/lab07-certs.md
2025-04-19 23:42:08 -04:00

# Lab07 - certs
Make certain the -adm account is a member of Enterprise Admins:
```powershell
Get-ADGroupMember "Enterprise Admins"
```
Add the AD CS RSAT tools to MGMT01. This needs to run as administrator:
```powershell
Install-WindowsFeature RSAT-ADCS -IncludeManagementTools
```
Start a remote PowerShell session to the root CA (ad01-charlotte):
```powershell
$session = New-PSSession -ComputerName ad01-charlotte
```
Install the AD Certificate Services role on AD01:
```powershell
Invoke-Command -Session $session -ScriptBlock {
    Install-WindowsFeature -Name AD-Certificate -IncludeManagementTools
    # Import the ADCS deployment module
    Import-Module ADCSDeployment
}
```
Configure the Enterprise Root CA (the CA common name defaults to charlotte-AD01-CHARLOTTE-CA):
```powershell
Invoke-Command -Session $session -ScriptBlock {
    Install-AdcsCertificationAuthority `
        -CAType EnterpriseRootCA `
        -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
        -KeyLength 4096 `
        -HashAlgorithmName SHA512 `
        -ValidityPeriod Years `
        -ValidityPeriodUnits 7 `
        -Force
}
```
Create a certificate share on the root CA and export the root certificate into it:
```powershell
Invoke-Command -Session $session -ScriptBlock {
    # Create the shared folder for certs
    New-Item -Path "C:\Shares\Certs" -ItemType Directory -Force
    New-SmbShare -Name "Certs" -Path "C:\Shares\Certs" -FullAccess "Domain Admins" -ChangeAccess "Authenticated Users"
    # Locate the root CA certificate in the local machine store
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\CA" |
        Where-Object { $_.Subject -like "*charlotte-ad01-CHARLOTTE-CA*" } |
        Select-Object -First 1
    # Export the public certificate (no private key) to the shared folder
    Export-Certificate -Cert $cert -FilePath "C:\Shares\Certs\charlotte-AD01-CHARLOTTE-CA.cer" -Type CERT
}
```
On MGMT01 (the subordinate CA), install the AD CS role with Certification Authority and Web Enrollment:
```powershell
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools
```
Configure the Subordinate CA and generate its certificate request:
```powershell
Install-AdcsCertificationAuthority `
-CAType EnterpriseSubordinateCA `
-CACommonName "mgmt01-CHARLOTTE-SubCA" `
-CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
-KeyLength 4096 `
-HashAlgorithmName SHA512 `
-OutputCertRequestFile "C:\SubCARequest.req"
```
Install the Web Enrollment service:
```powershell
Install-AdcsWebEnrollment
```
Move the certificate request to the Root CA, get it signed, and retrieve it. If certreq reports the request as pending (the built-in SubCA template requires CA certificate manager approval by default), issue it from the CA console on AD01 before copying the .cer back.
```powershell
# Copy the request to the Root CA's shared folder
Copy-Item -Path "C:\SubCARequest.req" -Destination "\\ad01-charlotte\Certs\"
# Sign the request on the Root CA
Invoke-Command -Session $session -ScriptBlock {
    # Submit the subordinate CA request against the SubCA template
    certreq -submit -config "ad01-charlotte\charlotte-AD01-CHARLOTTE-CA" -attrib "CertificateTemplate:SubCA" "C:\Shares\Certs\SubCARequest.req" "C:\Shares\Certs\SubCACert.cer"
}
# Copy the signed certificate back to the Subordinate CA
Copy-Item -Path "\\ad01-charlotte\Certs\SubCACert.cer" -Destination "C:\"
```
Back on MGMT01, install the issued certificate, then start the CA service (it will not start until the subordinate CA has its certificate) and set the CRL publication schedule:
```powershell
# Install the issued subordinate CA certificate
certutil -installcert "C:\SubCACert.cer"
# Start the CA service now that it has a certificate
Start-Service -Name CertSvc
# Configure CRL publishing: a new CRL every week with a 12-hour overlap
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLOverlapPeriodUnits 12
certutil -setreg CA\CRLOverlapPeriod "Hours"
# Restart the service to apply the registry changes
Restart-Service -Name CertSvc
# Verify the CA is responding
certutil -ping
```
Clean up the remote session:
```powershell
Remove-PSSession $session
```
___
*at this point I stopped using PS and just used the GUI*
___
## Create Certificate Template
- Open the CA console: `certsrv.msc`
- Expand the CA tree > right-click Certificate Templates > Manage
- Duplicate the User template
- General tab: set the name to "Champ Lab User"
- Subject Name: select "Build from AD info", uncheck all email options
- Extensions: add "Smart Card Logon" to Application Policies
- Security: give "Authenticated Users" the Read, Enroll, and Autoenroll permissions
## Issue Certificate Template
- In the CA console
- Right-click Certificate Templates > New > Certificate Template to Issue > select "Champ Lab User"
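The template above is safe only as long as the subject keeps being built from AD and the Smart Card Logon EKU and Authenticated Users permissions are what the lab intends. The following audit script is an added example, not part of the lab notes; it assumes the ActiveDirectory RSAT module is installed on a domain-joined host and that the template display name is "Champ Lab User".

```powershell
# Added audit script (not from the lab). Assumes the ActiveDirectory module and the lab's template name.
Import-Module ActiveDirectory

function Test-LabCertTemplate {
    param([string]$DisplayName = 'Champ Lab User')

    $configNC = (Get-ADRootDSE).configurationNamingContext
    $pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

    $tpl = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
        -Filter "displayName -eq '$DisplayName'" `
        -Properties 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', pKIExtendedKeyUsage, nTSecurityDescriptor
    if (-not $tpl) { throw "Template '$DisplayName' not found in AD" }

    # Constants from MS-CRTD / MS-WCCE (not lab-specific)
    $ENROLLEE_SUPPLIES_SUBJECT = 0x1    # msPKI-Certificate-Name-Flag: requester chooses the subject
    $AUTO_ENROLLMENT           = 0x20   # msPKI-Enrollment-Flag: template is autoenrollable
    $SmartCardLogonEku         = '1.3.6.1.4.1.311.20.2.2'
    $EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
    $AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment extended right

    # Allow ACEs granted to Authenticated Users on the template object
    $authUsersAces = $tpl.nTSecurityDescriptor.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users'
    }

    # A template is published when its CN appears in a CA's certificateTemplates attribute
    $published = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
        -Filter "objectClass -eq 'pKIEnrollmentService'" -Properties certificateTemplates |
        Where-Object { $_.certificateTemplates -contains $tpl.Name }

    [pscustomobject]@{
        Template            = $tpl.Name
        # Must be $true: letting the enrollee supply the subject on a logon-capable template is a known misconfiguration
        SubjectBuiltFromAD  = (([int]$tpl.'msPKI-Certificate-Name-Flag') -band $ENROLLEE_SUPPLIES_SUBJECT) -eq 0
        AutoEnrollFlagSet   = (([int]$tpl.'msPKI-Enrollment-Flag') -band $AUTO_ENROLLMENT) -ne 0
        SmartCardLogonEku   = [bool]($tpl.pKIExtendedKeyUsage -contains $SmartCardLogonEku)
        AuthUsersEnroll     = [bool]($authUsersAces | Where-Object ObjectType -eq $EnrollRight)
        AuthUsersAutoEnroll = [bool]($authUsersAces | Where-Object ObjectType -eq $AutoEnrollRight)
        PublishedOnCA       = [bool]$published
    }
}

Test-LabCertTemplate | Format-List
```

Every field should come back `True` for the lab configuration; a `False` in SubjectBuiltFromAD means the template should be corrected before it is issued.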
## Configure Group Policy
- `gpmc.msc`
- Create GPO "Champ Lab Users" at domain level
- Edit GPO > User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies
- Enable "Certificate Services Client - Auto-Enrollment"
- Check both renewal options > OK
## Test Auto-Enrollment
- On WKS01:
- `gpupdate /force`
- Verify the policy applied: `gpresult /r`
- `certmgr.msc` > Personal > Certificates > verify the "Champ Lab User" certificate is present
## Windows Admin Center Installation
- Download Windows Admin Center 2019 Evaluation
- https://info.microsoft.com/ww-landing-windows-admin-center.html
- Download the MSI
- You will have to put in information. I just used fake info.
- Express setup. Generate a self-signed cert. Disable updates.
- Log on via the -adm account, add ad01 + wks10, install the AD + DNS extensions, and uninstall the Azure + Cluster extensions