Server Certificate Deployment Overview
Applies To: Windows Server 2012
This topic contains the following sections.
Server certificate deployment components
You can use this guide to install Active Directory® Certificate Services (AD CS) as an Enterprise root certification authority (CA) and to enroll a server certificate to servers running Network Policy Server (NPS), Routing and Remote Access service (RRAS), or both NPS and RRAS.
If you deploy certificate-based authentication, servers running NPS and RRAS are required to use a server certificate to prove their identities to client computers that are attempting to connect to the network.
The following illustration shows the components that are required to deploy server certificates to your NPS server.
In the illustration above, four servers are depicted: DC1, NPS1, WEB1, and CA1. This guide provides instructions for deploying and configuring CA1, and for configuring the other three servers, which this guide assumes you have already installed on your network by using the Core Network Guide.
For more information on each item depicted in the illustration above, see the following:
CA1 running the AD CS server role
The enterprise root certification authority (CA) is also an issuing CA. The CA issues certificates to computers and users that have the correct security permissions to enroll a certificate. Active Directory Certificate Services (AD CS) is installed on CA1.
In this scenario, the enterprise root CA is also an issuing CA. For larger networks or where security concerns provide justification, you can separate the roles of root CA and issuing CA, and deploy subordinate CAs that are issuing CAs.
In the most secure deployments, the enterprise root CA is taken offline and physically secured. For more information, see Additional Resources1.
Before you install AD CS, you configure the CAPolicy.inf file with specific settings for your deployment.
Copy of the RAS and IAS servers certificate template
When you deploy server certificates, you make a copy of the RAS and IAS servers certificate template and then configure the template according to your requirements and the instructions in this guide. You will be using a copy rather than the original so that the configuration of the original template is preserved for possible future use. The CA uses the copy of the RAS and IAS servers template to create server certificates that it issues to NPS servers that are members of the RAS and IAS servers group in Active Directory Users and Computers.
NPS servers that you have registered in Active Directory are automatically added to the RAS and IAS servers group.
Additional CA1 configuration
The CA publishes a certificate revocation list (CRL) that computers must check to ensure that certificates that are presented to them as proof of identity are valid certificates and have not been revoked. You must configure your CA with the correct location of the CRL so that computers know where to look for the CRL during the authentication process.
WEB1 running the Web Services (IIS) server role
The Web server is installed when you perform the tasks in the Windows Server 2012 Core Network Guide, so before you perform the tasks in this guide, you should already have a Web server installed on your network. On the computer that is running the Web Server (IIS) server role, WEB1, you must create a folder in Windows Explorer for use as the location for the CRL and AIA.
Virtual directory for the CRL and AIA
After you create a folder in Windows Explorer, you must configure the folder as a virtual directory in Internet Information Services (IIS) Manager, as well as configuring the access control list for the virtual directory to allow computers to access the AIA and CRL after they are published there.
DC1 running the AD DS and DNS server roles
The domain controller and DNS server is installed when you perform the tasks in the Windows Server 2012 Core Network Guide, so before you perform the tasks in this guide, you should already have a domain controller and DNS server installed on your network.
Group Policy default domain policy
After you configure the certificate template on the CA, you can configure the default domain policy in Group Policy so that certificates are autoenrolled to NPS servers. Group Policy is configured in AD DS on the server DC1.
DNS alias (CNAME) resource record
You must create an alias (CNAME) resource record for the Web server to ensure that other computers can find the server, as well as the AIA and the CRL that are stored on the server. In addition, using an alias CNAME resource record provides flexibility so that you can use the Web server for other purposes, such as hosting Web and FTP sites.
NPS1 running the Network Policy Server role service of the Network Policy and Access Services server role
The NPS server is installed when you perform the tasks in the Windows Server 2012 Core Network Guide, so before you perform the tasks in this guide, you should already have an NPS server installed on your network.
Group Policy applied and certificate enrolled to NPS1
After you have configured the certificate template and autoenrollment, you can refresh Group Policy on the NPS server. At this time, the NPS server enrolls the server certificate from CA1.
Server certificate deployment process overview
The details of how to perform these steps are provided in the section Server Certificate Deployment.
The process of configuring NPS and RRAS server certificate enrollment occurs in these stages:
On DC1, create an alias (CNAME) record for your Web server, WEB1.
Configure your Web server to host the CRL from the CA, then publish the CRL and copy the Enterprise Root CA certificate into the new virtual directory.
On the computer where you are planning to install AD CS, assign the computer a static IP address, rename the computer, join the computer to the domain, and then log on to the computer with a user account that is a member of the Domain Admins and Enterprise Admins groups.
On the computer where you are planning to install AD CS, configure the CAPolicy.inf file with settings that are specific to your deployment.
Install the AD CS server role and perform additional configuration of the CA.
Copy the CRL and CA certificate to the share on the Web server.
On the CA, configure a server certificate template. The CA issues certificates based on a certificate template, so you must configure the template for the server certificate before the CA can issue a certificate.
Configure server certificate autoenrollment in Group Policy. When you configure autoenrollment, all domain member servers that are running NPS, RRAS, or both on your network will automatically receive a server certificate when Group Policy on each server is refreshed. If you add more NPS or RRAS servers later, they will automatically receive a server certificate, too.
Refresh Group Policy on servers running NPS and RRAS. When Group Policy is refreshed, the servers receive the server certificate, which is based on the template that you configured in the previous step. This certificate is used by the server to prove its identity to client computers that attempt to connect to your network.
All domain member computers automatically receive the Enterprise Root CA’s certificate without the configuration of autoenrollment. This certificate is different than the server certificate that you configure and distribute by using autoenrollment. The CA's certificate is automatically installed in the Trusted Root Certification Authorities certificate store for all domain member computers so that they will trust certificates that are issued by this CA. For example, if you deploy EAP-TLS, client computers use a certificate to prove their identities to the NPS server. When the NPS server receives a certificate from a client computer as proof of the client computer’s identity, trust for the certificate is established because NPS has the issuing CA certificate in its own Trusted Root Certification Authorities certificate store.
Verify that the NPS server enrolled a valid server certificate.