Deploy Server Certificates for 802.1X Wired and Wireless Deployments

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2016

You can use this guide to deploy server certificates to your Remote Access and Network Policy Server (NPS) infrastructure servers.

This guide contains the following sections.

Digital server certificates

This guide provides instructions for using Active Directory Certificate Services (AD CS) to automatically enroll certificates to Remote Access and NPS infrastructure servers. AD CS allows you to build a public key infrastructure (PKI) and provide public key cryptography, digital certificates, and digital signature capabilities for your organization.

When you use digital server certificates for authentication between computers on your network, the certificates provide:

  1. Confidentiality through encryption.
  2. Integrity through digital signatures.
  3. Authentication by associating certificate keys with computer, user, or device accounts on a computer network.

Server types

By using this guide, you can deploy server certificates to the following types of servers.

  • Servers that run the Remote Access service (DirectAccess or standard virtual private network (VPN) servers) and that are members of the RAS and IAS Servers group.
  • Servers that run the Network Policy Server (NPS) service and that are members of the RAS and IAS Servers group.

Advantages of certificate autoenrollment

Automatic enrollment of server certificates, also called autoenrollment, provides the following advantages.

  • The AD CS certification authority (CA) automatically enrolls a server certificate to all of your NPS and Remote Access servers.
  • All computers in the domain automatically receive your CA certificate, which is installed in the Trusted Root Certification Authorities store on every domain member computer. Because of this, all computers in the domain trust the certificates that are issued by your CA. This trust allows your authentication servers to prove their identities to each other and engage in secure communications.
  • Other than refreshing Group Policy, manual reconfiguration of every server is not required.
  • Every server certificate includes both the Server Authentication purpose and the Client Authentication purpose in its Enhanced Key Usage (EKU) extension.
  • Scalability. After deploying your Enterprise Root CA with this guide, you can expand your public key infrastructure (PKI) by adding Enterprise subordinate CAs.
  • Manageability. You can manage AD CS by using the AD CS console or by using Windows PowerShell commands and scripts.
  • Simplicity. You specify the servers that enroll server certificates by using Active Directory group accounts and group membership.
  • When you deploy server certificates, the certificates are based on a template that you configure with the instructions in this guide. This means that you can customize different certificate templates for specific server types, or you can use the same template for all server certificates that you want to issue.
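The following script is an added example and is not part of this guide or of Microsoft's tooling. It verifies, on an NPS or Remote Access server, what the advantages above promise: that an autoenrolled certificate in the machine's Personal store carries both the Server Authentication and Client Authentication EKUs, has a private key, and chains to a trusted root with online revocation checking (so a CRL that the Web Server (IIS) is not yet publishing shows up here rather than as an EAP failure on a client later). It assumes an elevated Windows PowerShell session on a domain-joined server; the OID constants are the standard id-kp values and everything else uses the .NET X509 types that ship with Windows.

```powershell
# Added example (not from the guide): audit LocalMachine\My for certificates
# that satisfy the 802.1X server template described above.
# Assumption: run elevated on a domain-joined NPS / Remote Access server.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # The EKU extension, if present, is a typed extension whose EnhancedKeyUsages
    # member is an OidCollection.
    $ext = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Test-ServerCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ekus = Get-EkuOids -Cert $Cert

    # Build the chain exactly as a peer would: online revocation for the
    # entire chain, so a missing or unreachable CRL surfaces as a chain error.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chainOk = $chain.Build($Cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    # CRL Distribution Points extension (OID 2.5.29.31); Format($true) renders
    # the URLs the verifier will try to fetch.
    $cdp = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $cdpText = if ($cdp) { $cdp.Format($true) } else { '<none>' }

    [pscustomobject]@{
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        NotAfter      = $Cert.NotAfter
        HasServerAuth = $ekus -contains $ServerAuthOid
        HasClientAuth = $ekus -contains $ClientAuthOid
        HasPrivateKey = $Cert.HasPrivateKey
        ChainValid    = $chainOk
        ChainStatus   = if ($status) { $status } else { 'NoError' }
        CrlDistPoints = $cdpText
    }
}

# Evaluate every certificate in the machine's Personal store.
$results = Get-ChildItem -Path Cert:\LocalMachine\My |
    ForEach-Object { Test-ServerCertificate -Cert $_ }

$results | Format-List

# A certificate usable for 802.1X / EAP server authentication must have both
# EKUs, a private key, and a valid chain; warn if nothing qualifies.
$usable = $results | Where-Object {
    $_.HasServerAuth -and $_.HasClientAuth -and $_.HasPrivateKey -and $_.ChainValid
}
if (-not $usable) {
    Write-Warning 'No certificate in LocalMachine\My meets the template requirements. Confirm RAS and IAS Servers group membership, then refresh Group Policy (gpupdate /force) to trigger autoenrollment.'
}
```

Run it after the Group Policy refresh the guide mentions; a certificate that reports HasServerAuth and HasClientAuth but ChainValid = False with a RevocationStatusUnknown or OfflineRevocation status is the usual sign that the CRL has not been published to the Web server yet.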

Prerequisites for using this guide

This guide provides instructions on how to deploy server certificates by using AD CS and the Web Server (IIS) server role in Windows Server 2016. Following are the prerequisites for performing the procedures in this guide.

  • You must deploy a core network using the Windows Server 2016 Core Network Guide, or you must already have the technologies provided in the Core Network Guide installed and functioning correctly on your network. These technologies include TCP/IP v4, DHCP, Active Directory Domain Services (AD DS), DNS, and NPS.

    Note

    The Windows Server 2016 Core Network Guide is available in the Windows Server 2016 Technical Library. For more information, see Core Network Guide.

  • You must read the planning section of this guide to ensure that you are prepared for this deployment before you perform the deployment.

  • You must perform the steps in this guide in the order in which they are presented. Do not jump ahead and deploy your CA without performing the steps that lead up to deploying the server, or your deployment will fail.

  • You must be prepared to deploy two new servers on your network: one server on which you will install AD CS as an Enterprise Root CA, and one server on which you will install Web Server (IIS) so that your CA can publish the certificate revocation list (CRL) to the Web server.

Note

You must be prepared to assign a static IP address to the Web and AD CS servers that you deploy with this guide, and to name the computers according to your organization's naming conventions. In addition, you must join the computers to your domain.
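The following pre-flight check is an added example, not part of this guide, for the two new servers the prerequisites describe. It reports whether the machine is domain-joined with a healthy secure channel, whether its IPv4 address is statically assigned rather than DHCP-leased, and whether the server role it is destined for is already installed. It assumes an elevated PowerShell session on Windows Server with the ServerManager module available; the role names used are the standard Windows Server feature names AD-Certificate (AD CS) and Web-Server (Web Server (IIS)).

```powershell
# Added example (not from the guide): verify the prerequisites for a server
# before deploying the Enterprise Root CA or the CRL-publishing web server.
# Assumption: run elevated on Windows Server; Get-WindowsFeature comes from
# the built-in ServerManager module.

function Test-DeploymentPrerequisites {
    param(
        # Feature names this server is destined for; an empty list runs only
        # the domain and addressing checks.
        [string[]]$ExpectedRoles = @()
    )
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # PrefixOrigin 'Manual' marks a statically assigned IPv4 address;
    # DHCP leases report 'Dhcp'. Loopback is excluded.
    $staticV4 = @(Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.PrefixOrigin -eq 'Manual' -and $_.IPAddress -ne '127.0.0.1' })

    # Report installation state for each expected role; the guide installs
    # them later, so this only tells you where the server currently stands.
    $roles = @{}
    foreach ($r in $ExpectedRoles) {
        $f = Get-WindowsFeature -Name $r
        $roles[$r] = [bool]($f -and $f.Installed)
    }

    # Test-ComputerSecureChannel only makes sense on a domain member.
    $secureChannel = if ($cs.PartOfDomain) { Test-ComputerSecureChannel } else { $false }

    [pscustomobject]@{
        ComputerName    = $cs.Name
        DomainJoined    = [bool]$cs.PartOfDomain
        Domain          = $cs.Domain
        StaticIPv4      = ($staticV4 | ForEach-Object { $_.IPAddress }) -join ','
        HasStaticIPv4   = $staticV4.Count -gt 0
        SecureChannelOk = $secureChannel
        RolesInstalled  = $roles
    }
}

# One call per server described in the prerequisites.
Test-DeploymentPrerequisites -ExpectedRoles 'AD-Certificate'   # future Enterprise Root CA
Test-DeploymentPrerequisites -ExpectedRoles 'Web-Server'       # future CRL publishing web server
```

A server that reports DomainJoined = False or HasStaticIPv4 = False fails the note's prerequisites and should be fixed before continuing with the guide; RolesInstalled is informational, since the guide itself installs the roles in later steps.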

What this guide does not provide

This guide does not provide comprehensive instructions for designing and deploying a public key infrastructure (PKI) by using AD CS. It is recommended that you review AD CS documentation and PKI design documentation before deploying the technologies in this guide.

Technology overviews

Following are technology overviews for AD CS and Web Server (IIS).

Active Directory Certificate Services

AD CS in Windows Server 2016 provides customizable services for creating and managing the X.509 certificates that are used in software security systems that employ public key technologies. Organizations can use AD CS to enhance security by binding the identity of a person, device, or service to a corresponding public key. AD CS also includes features that allow you to manage certificate enrollment and revocation in a variety of scalable environments.

For more information, see Active Directory Certificate Services Overview and Public Key Infrastructure Design Guidance.

Web Server (IIS)

The Web Server (IIS) role in Windows Server 2016 provides a secure, easy-to-manage, modular, and extensible platform for reliably hosting websites, services, and applications. With IIS, you can share information with users on the Internet, an intranet, or an extranet. IIS is a unified web platform that integrates IIS, ASP.NET, FTP services, PHP, and Windows Communication Foundation (WCF).

For more information, see Web Server (IIS) Overview.