650) this.width=650; "height=" 276 "title=" clip_image001 "style=" border:0px; "alt=" clip_image001 "src=" http:/ S3.51cto.com/wyfs02/m02/70/99/wkiom1w5z1vgcukdaaq6vglhtmw168.jpg "border=" 0 "/>
Based on the principle of application isolation, it is recommended that Certificate Services be deployed in a standalone Windows Server R2 virtual machine. Certificate servers can be highly available, and because Certificate Services is down, it does not affect additional validation of certificates in addition to the inability to continue issuing certificates and accessing certificate revocation information.
The installation of Certificate Services is simple, run Server Manager, add roles and features, select Active Directory Certificate Services,
650) this.width=650; "height=" 561 "title=" clip_image002 "style=" border:0px; "alt=" clip_image002 "src=" http:/ S3.51cto.com/wyfs02/m00/70/99/wkiom1w5z1ygwi6uaakk6qqises077.jpg "border=" 0 "/>
In the role service, select certification Authority and Certification authority Web enrollment (not the Certificate Enrollment Web service), the certification authority Web enrollment is the traditional Http://<ca-ip>/certsrv registration method, Although it is not possible to request a certificate in this way in most cases, it will be used in some special cases (such as some non-Microsoft third-party applications), so please install it.
650) this.width=650; "height=" 559 "title=" clip_image003 "style=" border:0px; "alt=" clip_image003 "src=" http:/ S3.51cto.com/wyfs02/m01/70/99/wkiom1w5z13qg602aaipku0mbho118.jpg "border=" 0 "/>
Other steps select Default.
After the installation is complete, there will be a triangle icon in the top right corner of Server Manager, click on it,
650) this.width=650; "height=" Bayi "title=" clip_image004 "style=" border:0px "alt=" clip_image004 "src="/http S3.51cto.com/wyfs02/m02/70/96/wkiol1w50u3axldyaab5nobmyg4866.jpg "border=" 0 "/>
Select the two installed for the role service that you want to configure.
650) this.width=650; "height=" 555 "title=" clip_image005 "style=" border:0px; "alt=" clip_image005 "src=" http:/ S3.51cto.com/wyfs02/m00/70/96/wkiol1w50u3gwb2kaagvvjfxq_0887.jpg "border=" 0 "/>
Select Enterprise CA,
650) this.width=650; "height=" 545 "title=" clip_image006 "style=" border:0px; "alt=" clip_image006 "src=" http:/ S3.51cto.com/wyfs02/m01/70/96/wkiol1w50u7big9zaahftxrlinq577.jpg "border=" 0 "/>
Choose the root CA, for the general enterprise, a root CA is enough, do not make too complex.
650) this.width=650; "height=" 552 "title=" clip_image007 "style=" border:0px; "alt=" clip_image007 "src=" http:/ S3.51cto.com/wyfs02/m02/70/96/wkiol1w50u_dpminaaibnrdzhzs747.jpg "border=" 0 "/>
In the next options, choose Create new private key, encryption option default, key length at least 2048 bits, other options default.
Although the basic Certificate Services are available after the installation is complete, the following configuration is recommended in a production environment:
Modify the certificate validity period issued at the server level, such as 10 years
Create a custom Enterprise certificate template (Computer Class)
Adjust the CRL release period to be as long as possible (if security requirements are high, shorten)
Configure HTTP access to CRLs and AIA, and both inside and outside accessible
Create an EFS recovery agent
About certificate Renewals
To modify the certificate validity period issued at the server level
By default, the certificate is valid for only two years, and even if your certificate template is configured for more than two years, you need to modify the following master switch on the Certificate server:
Hkey_local_machine\system\currentcontrolset\services\certsvc\configuration\<caname> the following " ValidityPeriodUnits ", default is 2, modified to the required age, modified to restart the Certificate Services.
In an enterprise environment, if you do not modify here, every two years to renew or update the certificate is also a nuisance (such as the mail system with the certificate), for security compliance requirements are not very high environment can be adjusted to increase the age here.
Create a custom Enterprise certificate template (Computer Class)
By default, users can request a "computer" type of certificate from the MMC, but this certificate has all the parameters fixed, cannot add a custom domain name (CN and SAN), and cannot export the private key, is not suitable for production environment, need to create a new production-appropriate template to automatically request the relevant certificate, the steps are as follows:
Running MMC, adding a certificate template, and then selecting the computer template, then copying the template, will copy a new template based on the computer template, and we can define a template that is appropriate for you based on this template, which is suitable for both server authentication and client authentication, which is different from Web server templates , the Web server is only suitable for server authentication, and templates for different purposes are suitable for different scenarios, in exchange and Lync deployments, usually as long as the computer type of certificate is available (such as when you apply for a user-type certificate).
650) this.width=650; "height=" 511 "title=" clip_image008 "style=" border:0px; "alt=" clip_image008 "src=" http:/ S3.51cto.com/wyfs02/m00/70/96/wkiol1w50u-hy0dmaaha8o51yse323.jpg "border=" 0 "/>
Then, in the Copy Template Compatibility tab, select the default setting (if you do not select the Windows Server 2003 compatibility setting, such as a later version, you cannot request it via the web),
650) this.width=650; "height=" 689 "title=" clip_image009 "style=" border:0px; "alt=" clip_image009 "src=" http:/ S3.51cto.com/wyfs02/m01/70/96/wkiol1w50vdjiickaagqw3baauq599.jpg "border=" 0 "/>
Under the General tab, the validity period is set to 10, the renewal period is set to a little longer, such as a year, if the renewal period is too short, after the renewal period, only the new application certificate, but not the original certificate, which will lead to a lot of trouble (such as the application to replace the certificate).
650) this.width=650; "height=" 556 "title=" clip_image010 "style=" border:0px; "alt=" clip_image010 "src=" http:/ S3.51cto.com/wyfs02/m02/70/96/wkiol1w50vchcv1aaafrdcqn1gc807.jpg "border=" 0 "/>
In the Request Processing tab, select Allow to export the private key.
650) this.width=650; "height=" 482 "title=" clip_image011 "style=" border:0px; "alt=" clip_image011 "src=" http:/ S3.51cto.com/wyfs02/m00/70/96/wkiol1w50vhbucdvaagubbogdck330.jpg "border=" 0 "/>
In the User Name tab, select provide in the request, so that you can easily customize the common name and the user alternative name, such as a multi-domain or wildcard certificate.
650) this.width=650; "height=" 513 "title=" clip_image012 "style=" border:0px; "alt=" clip_image012 "src=" http:/ S3.51cto.com/wyfs02/m01/70/96/wkiol1w50vgrz02waahelw-awzm640.jpg "border=" 0 "/>
Finally, return to the certification authority, right-click the certificate template, choose New, select the certificate template to issue.
650) this.width=650; "height=" "title=" clip_image013 "style=" border:0px; "alt=" clip_image013 "src=" http:/ S3.51cto.com/wyfs02/m01/70/99/wkiom1w5z2lxrgjlaafzzuj-sdk648.jpg "border=" 0 "/>
Then select the newly created certificate template so that you can request this type of certificate by Mmc,web. If you do not add to the certificate template under the certification authority, you cannot request this type of certificate through the Mmc/web method.
650) this.width=650; "height=" 468 "title=" clip_image014 "style=" border:0px; "alt=" clip_image014 "src=" http:/ S3.51cto.com/wyfs02/m02/70/99/wkiom1w5z2pao7syaajrg7lhni0685.jpg "border=" 0 "/>
650) this.width=650; "height=" 347 "title=" clip_image015 "style=" border:0px; "alt=" clip_image015 "src=" http:/ S3.51cto.com/wyfs02/m00/70/99/wkiom1w5z2tgry77aakvx0e1hpq964.jpg "border=" 0 "/>
You can find a domain client or server for authentication, run MMC, add a certificate (computer) plug-in, right-click under Personal > Certificates, select All Tasks, and choose to apply for a new certificate.
650) this.width=650; "height=" 382 "title=" clip_image016 "style=" border:0px; "alt=" clip_image016 "src=" http:/ S3.51cto.com/wyfs02/m02/70/99/wkiom1w5z2sc0zb9aajmfuvvsw4433.jpg "border=" 0 "/>
650) this.width=650; "height=" 452 "title=" clip_image017 "style=" border:0px; "alt=" clip_image017 "src=" http:/ S3.51cto.com/wyfs02/m01/70/99/wkiom1w5z2wsvfpnaaewjyofrp4517.jpg "border=" 0 "/>
Select the appropriate certificate template, and click Configure settings,
650) this.width=650; "height=" 452 "title=" clip_image018 "style=" border:0px; "alt=" clip_image018 "src=" http:/ S3.51cto.com/wyfs02/m02/70/99/wkiom1w5z2wcl36zaafhitmj_8g557.jpg "border=" 0 "/>
Fill in the name of the user in the common name, and then fill in the Alternate name DNS column with another domain name or wildcard character. Finalize the application and you will see the certificate immediately.
650) this.width=650; "height=" 507 "title=" clip_image019 "style=" border:0px; "alt=" clip_image019 "src=" http:/ S3.51cto.com/wyfs02/m00/70/99/wkiom1w5z2bxs1l_aak2irl18sq378.jpg "border=" 0 "/>
Adjusting the CRL publishing period
Right-click the revoked certificate, and at the CRL publishing interval, 1 years, unpublish the delta CRL. The purpose of this is not to enhance security, but to reduce the workload, after all, most environments do not have high CRL requirements.
650) this.width=650; "height=" 669 "title=" clip_image020 "style=" border:0px; "alt=" clip_image020 "src=" http:/ S3.51cto.com/wyfs02/m01/70/99/wkiom1w5z2etqosvaahhs-1gliy495.jpg "border=" 0 "/>
Configure HTTP to access CRLs, and both inside and outside accessible
By default, the CRL certificate revocation list is accessed through LDAP, but is inaccessible outside of the domain network, and for both internal and external access, and simplifies deployment, it is recommended that the CRL distribution point be set to be accessed via HTTP and published to the Extranet for internal and external unified access.
Go to the Certification Authority properties, choose the Extension tab, select the CRL distribution point, first unpublish to LDAP, this thing can only be accessed internally, the external is not accessible, so cancel it, only the HTTP way to access the CRL.
650) this.width=650; "height=" 572 "title=" clip_image021 "style=" border:0px; "alt=" clip_image021 "src=" http:/ S3.51cto.com/wyfs02/m02/70/99/wkiom1w5z2fydmwqaakz_sfknqa714.jpg "border=" 0 "/>
Then select the HTTP line above, then add the following, add the following address, ca.cme-cq.com for the internal and external network can access the domain name, point to the actual Certificate Server, the last JDJT-ROOTCA.CRL is the certificate Authority name and CRL extension combination.
650) this.width=650; "height=" 496 "title=" clip_image022 "style=" border:0px; "alt=" clip_image022 "src=" http:/ S3.51cto.com/wyfs02/m00/70/99/wkiom1w5z2icqhx4aagub0dy9is161.jpg "border=" 0 "/>
OK, if you tick.
650) this.width=650; "height=" 490 "title=" clip_image023 "style=" border:0px; "alt=" clip_image023 "src=" http:/ S3.51cto.com/wyfs02/m01/70/99/wkiom1w5z2jjoie7aaji5jeerzo216.jpg "border=" 0 "/>
Publish the CRL manually when you are done.
650) this.width=650; "height=" 323 "title=" clip_image024 "style=" border:0px; "alt=" clip_image024 "src=" http:/ S3.51cto.com/wyfs02/m02/70/99/wkiom1w5z2ncby4saafopy8nun4995.jpg "border=" 0 "/>
650) this.width=650; "height=" 377 "title=" clip_image025 "style=" border:0px; "alt=" clip_image025 "src=" http:/ S3.51cto.com/wyfs02/m00/70/96/wkiol1w50vngo8wsaadxjzjdnku966.jpg "border=" 0 "/>
Note that these CRLs are actually published under System32\certsrv\certenroll (associated to the IIS CertEnroll directory, so they can be accessed via HTTP), and the CRL in the red box is the revocation list.
650) this.width=650; "height=" 205 "title=" clip_image026 "style=" border:0px; "alt=" clip_image026 "src=" http:/ S3.51cto.com/wyfs02/m00/70/99/wkiom1w5z2qwbdvjaac7rtj3ro0492.jpg "border=" 0 "/>
650) this.width=650; "height=" 454 "title=" clip_image027 "style=" border:0px; "alt=" clip_image027 "src=" http:/ S3.51cto.com/wyfs02/m01/70/99/wkiom1w5z2rtiy08aajnn_9lgku821.jpg "border=" 0 "/>
Refer to the above CDP similarly modify the AIA location, cancel the LDAP publication, and add the HTTP path, the path and the CRL publishing path only after the file name is not the same, this is the previous System32\certsrv\certenroll path under the CRT file name.
650) this.width=650; "height=" 569 "title=" clip_image028 "style=" border:0px; "alt=" clip_image028 "src=" http:/ S3.51cto.com/wyfs02/m01/70/99/wkiom1w5z2uzkqq-aai33owxoks139.jpg "border=" 0 "/>
650) this.width=650; "height=" 660 "title=" clip_image029 "style=" border:0px; "alt=" clip_image029 "src=" http:/ S3.51cto.com/wyfs02/m02/70/99/wkiom1w5z2yturnyaaj1pkkvqtg624.jpg "border=" 0 "/>
Next is to add ca.cme-cq.com resolution on the internal and external DNS server, external access also need to be published in the Edge firewall, it is recommended to use TMG (TMG can be deployed as bypass), TMG can use different domain names to achieve the same IP and 80 port reuse.
When you are finished requesting a certificate from the client, check the CRL distribution point location and the Authority information access two settings as we configured.
650) this.width=650; "height=" 481 "title=" clip_image030 "style=" border:0px; "alt=" clip_image030 "src=" http:/ S3.51cto.com/wyfs02/m00/70/99/wkiom1w5z2zhv7m-aagrsmsg514775.jpg "border=" 0 "/>
650) this.width=650; "height=" 475 "title=" clip_image031 "style=" border:0px; "alt=" clip_image031 "src=" http:/ S3.51cto.com/wyfs02/m01/70/96/wkiol1w50vydolvxaagduwwzewa005.jpg "border=" 0 "/>
and test if you can access it.
650) this.width=650; "height=" 291 "title=" clip_image032 "style=" border:0px; "alt=" clip_image032 "src=" http:/ S3.51cto.com/wyfs02/m02/70/96/wkiol1w50v3xt2bbaaeuu9i6jok369.jpg "border=" 0 "/>
Create an EFS recovery agent
Individual users will use EFS encryption, but because they do not know the knowledge, not aware of backing up their own certificates and private keys, resulting in the original EFS file after reloading the system can no longer open (after reloading the system, the private key and the certificate have been removed, although the public key in the certification authority has, but the private key as stated in the preceding principle, He is only saved on the user's computer). As a means of rescue, administrators need to create at least one EFS recovery agent in advance so that when the user finds you, you can play the Savior or you will only shrug your shoulders. In fact, the operation is very simple, open Group Policy Management, edit the default Domain policy, under the Computer Configuration >windows Settings > Security Settings > Public key Policy, right-click the Encrypting File System, select Create Data recovery agent, will automatically create a recovery agent with the current user,
650) this.width=650; "height=" 492 "title=" clip_image033 "style=" border:0px; "alt=" clip_image033 "src=" http:/ S3.51cto.com/wyfs02/m00/70/96/wkiol1w50v3y5aeiaajcqlzfnzw493.jpg "border=" 0 "/>
Double-click the certificate to see that the certificate is intended to be file recovery,
650) this.width=650; "height=" 498 "title=" clip_image034 "style=" border:0px; "alt=" clip_image034 "src=" http:/ S3.51cto.com/wyfs02/m00/70/99/wkiom1w5z2-stzb4aaj4pnpg_qo361.jpg "border=" 0 "/>
Switch to details, copy to file, and back up the recovery agent certificate with the private key for emergencies.
650) this.width=650; "height=" 418 "title=" clip_image035 "style=" border:0px; "alt=" clip_image035 "src=" http:/ S3.51cto.com/wyfs02/m01/70/96/wkiol1w50v_gwuslaae2ivhqfnw892.jpg "border=" 0 "/>
650) this.width=650; "height=" 413 "title=" clip_image036 "style=" border:0px; "alt=" clip_image036 "src=" http:/ S3.51cto.com/wyfs02/m00/70/99/wkiom1w5z2_c9omaaadybv-rgik212.jpg "border=" 0 "/>
650) this.width=650; "height=" 255 "title=" clip_image037 "style=" border:0px; "alt=" clip_image037 "src=" http:/ S3.51cto.com/wyfs02/m01/70/99/wkiom1w5z3dgcy3maacrkhet8cu886.jpg "border=" 0 "/>
When you are finished refreshing Group Policy on the client side, you can see that the recovery agent is already in the associated encrypted file properties.
650) this.width=650; "height=" 683 "title=" clip_image038 "style=" border:0px; "alt=" clip_image038 "src=" http:/ S3.51cto.com/wyfs02/m02/70/96/wkiol1w50wdrhyybaanca1ncs4g920.jpg "border=" 0 "/>
If there is a user problem, how to recover it?
The step is to log on to the user's desktop and import this PFX certificate into the current user, which is now open.
About certificate Renewals
Certificate renewals need to be made within the renewal period, go to MMC, find the appropriate certificate, select All Tasks > Advanced Actions > Renew this certificate with the same key
650) this.width=650; "height=" 334 "title=" clip_image039 "style=" border:0px; "alt=" clip_image039 "src=" http:/ S3.51cto.com/wyfs02/m02/70/99/wkiom1w5z3hrzjueaakwssqjlzs518.jpg "border=" 0 "/>
This article is from the "FireWire Technology Brothers Blog" blog, please be sure to keep this source http://huoxian.blog.51cto.com/9437529/1680132
Certificate Resolution (II): Windows R2 Certificate Services installation and Advanced Configuration