Deploy Server Certificates for 802.1X Wired and Wireless Deployments

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

You can use this guide to deploy server certificates to your Remote Access and Network Policy Server (NPS) infrastructure servers.

This guide contains the following sections.

Digital server certificates

This guide provides instructions for using Active Directory Certificate Services (AD CS) to automatically enroll certificates to Remote Access and NPS infrastructure servers. AD CS allows you to build a public key infrastructure (PKI) and provide public key cryptography, digital certificates, and digital signature capabilities for your organization.

When you use digital server certificates for authentication between computers on your network, the certificates provide:

  1. Confidentiality through encryption.
  2. Integrity through digital signatures.
  3. Authentication by associating certificate keys with computer, user, or device accounts on a computer network.

Server types

By using this guide, you can deploy server certificates to the following types of servers.

  • Servers that are running the Remote Access service, that are DirectAccess or standard virtual private network (VPN) servers, and that are members of the RAS and IAS Servers group.
  • Servers that are running the Network Policy Server (NPS) service and that are members of the RAS and IAS Servers group.

Advantages of certificate autoenrollment

Automatic enrollment of server certificates, also called autoenrollment, provides the following advantages.

  • The AD CS certification authority (CA) automatically enrolls a server certificate to all of your NPS and Remote Access servers.
  • All computers in the domain automatically receive your CA certificate, which is installed in the Trusted Root Certification Authorities store on every domain member computer. Because of this, all computers in the domain trust the certificates that are issued by your CA. This trust allows your authentication servers to prove their identities to each other and engage in secure communications.
  • Other than refreshing Group Policy, the manual reconfiguration of every server is not required.
  • Every server certificate includes both the Server Authentication purpose and the Client Authentication purpose in its Enhanced Key Usage (EKU) extension.
  • Scalability. After deploying your Enterprise Root CA with this guide, you can expand your public key infrastructure (PKI) by adding Enterprise subordinate CAs.
  • Manageability. You can manage AD CS by using the AD CS console or by using Windows PowerShell commands and scripts.
  • Simplicity. You specify the servers that enroll server certificates by using Active Directory group accounts and group membership.
  • When you deploy server certificates, the certificates are based on a template that you configure with the instructions in this guide. This means that you can customize different certificate templates for specific server types, or you can use the same template for all server certificates that you want to issue.
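The list above says what an autoenrolled server certificate should look like (both EKU purposes, issued by a CA whose certificate sits in the Trusted Root store) and that AD CS can be managed from Windows PowerShell. The following script is an added example, not part of this guide or of any Microsoft tooling: run on an NPS or Remote Access server after Group Policy has refreshed, it audits the Local Machine personal store and reports which certificates actually satisfy those requirements. The CA subject in `$ExpectedIssuer` is a placeholder you replace with your own.

```powershell
# Added example (not from the guide): audit the Local Machine personal store on an
# NPS or Remote Access server for a certificate usable for 802.1X/EAP server
# authentication: Server Authentication and Client Authentication EKUs, a private
# key, not expired, and a chain that builds to the machine's Trusted Root store.
# Run in an elevated PowerShell session on the server itself.

# Well-known EKU object identifiers (RFC 5280).
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

# Microsoft certificate-template extension OIDs (v1 template name, v2 template info).
$TemplateOids = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')

# Placeholder: subject of the enterprise root CA this guide has you deploy.
$ExpectedIssuer = 'CN=PLACEHOLDER-ROOT-CA'

$now = Get-Date
$report = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })

    # Build the chain against the local Trusted Root store. Revocation checking is
    # disabled here so a CRL distribution point that is not yet published does not
    # mask a missing root certificate; CRL reachability is a separate check.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainTrusted = $chain.Build($cert)

    # Name of the template the certificate was issued from, if the extension is present.
    $template = ($cert.Extensions |
        Where-Object { $TemplateOids -contains $_.Oid.Value } |
        ForEach-Object { $_.Format($false) }) -join '; '

    [pscustomobject]@{
        Subject         = $cert.Subject
        Issuer          = $cert.Issuer
        IssuedByOurCA   = ($cert.Issuer -eq $ExpectedIssuer)
        NotAfter        = $cert.NotAfter
        HasPrivateKey   = $cert.HasPrivateKey
        ServerAuthEku   = ($ekus -contains $ServerAuthOid)
        ClientAuthEku   = ($ekus -contains $ClientAuthOid)
        ChainTrusted    = $chainTrusted
        Template        = $template
    }
}

# Certificates that meet every requirement for the 802.1X server role.
$usable = $report | Where-Object {
    $_.ServerAuthEku -and $_.ClientAuthEku -and $_.HasPrivateKey -and
    $_.ChainTrusted -and $_.NotAfter -gt $now
}

$report | Format-Table Subject, IssuedByOurCA, ServerAuthEku, ClientAuthEku,
                       ChainTrusted, HasPrivateKey, NotAfter, Template -AutoSize

if (-not $usable) {
    Write-Warning 'No certificate in Cert:\LocalMachine\My satisfies the 802.1X server requirements.'
    exit 1
}
"Usable server certificate(s): $(($usable | ForEach-Object Subject) -join ', ')"
```

If the store is empty on a server that is a member of the RAS and IAS Servers group, the usual cause is that Group Policy has not yet been refreshed; `gpupdate /target:computer /force` followed by `certutil -pulse` triggers the autoenrollment client without waiting for the next policy interval. A certificate that has both EKUs but reports `ChainTrusted` as false points at the CA certificate not having reached the Trusted Root Certification Authorities store on that machine.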

Prerequisites for using this guide

This guide provides instructions on how to deploy server certificates by using AD CS and the Web Server (IIS) server role in Windows Server 2016. Following are the prerequisites for performing the procedures in this guide.

  • You must deploy a core network using the Windows Server 2016 Core Network Guide, or you must already have the technologies provided in the Core Network Guide installed and functioning correctly on your network. These technologies include TCP/IP v4, DHCP, Active Directory Domain Services (AD DS), DNS, and NPS.

    Note

    The Windows Server 2016 Core Network Guide is available in the Windows Server 2016 Technical Library. For more information, see Core Network Guide.

  • You must read the planning section of this guide to ensure that you are prepared for this deployment before you perform the deployment.

  • You must perform the steps in this guide in the order in which they are presented. Do not jump ahead and deploy your CA without performing the steps that lead up to deploying the server, or your deployment will fail.
  • You must be prepared to deploy two new servers on your network: one server on which you will install AD CS as an Enterprise Root CA, and one server on which you will install Web Server (IIS) so that your CA can publish the certificate revocation list (CRL) to the Web server.

Note

You are prepared to assign a static IP address to the Web and AD CS servers that you deploy with this guide, as well as to name the computers according to your organization naming conventions. In addition, you must join the computers to your domain.
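The prerequisites above are easy to miss on a freshly built server, and a CA or CRL web server that changes its IP address or hostname after deployment invalidates the paths baked into issued certificates. The following pre-flight check is an added example, not part of this guide: run on each of the two new servers before installing the AD CS or Web Server (IIS) role, it verifies a static IPv4 address, domain membership with a healthy secure channel, and DNS resolution of a domain controller. The hostname pattern in `$NamePattern` is an assumption standing in for your organization's naming convention.

```powershell
# Added example (not from the guide): pre-flight check for a server about to receive
# the AD CS or Web Server (IIS) role. Requires an elevated session for
# Test-ComputerSecureChannel.

$cs     = Get-CimInstance -ClassName Win32_ComputerSystem
$domain = $cs.Domain
$checks = [ordered]@{}

# 1. The computer is joined to a domain and can authenticate to a domain controller.
$checks['JoinedToDomain']  = [bool]$cs.PartOfDomain
$checks['SecureChannelOk'] = if ($cs.PartOfDomain) { Test-ComputerSecureChannel } else { $false }

# 2. At least one IPv4 address was assigned manually (PrefixOrigin 'Manual'), i.e. not
#    by DHCP and not an APIPA 169.254.x.x fallback address.
$staticV4 = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.PrefixOrigin -eq 'Manual' -and $_.IPAddress -notlike '169.254.*' }
$checks['HasStaticIPv4'] = (@($staticV4).Count -gt 0)
$checks['StaticIPv4Addresses'] = (@($staticV4) | ForEach-Object IPAddress) -join ', '

# 3. DNS from the core network resolves the domain's DC locator SRV record.
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop
    $checks['DcSrvRecordFound'] = (@($srv | Where-Object { $_.Type -eq 'SRV' }).Count -gt 0)
} catch {
    $checks['DcSrvRecordFound'] = $false
}

# 4. Hostname follows the naming convention. Assumed pattern, e.g. CA01 or WEB01;
#    replace with your organization's standard.
$NamePattern = '^(CA|WEB)\d{2}$'
$checks['NameMatchesConvention'] = ($env:COMPUTERNAME -match $NamePattern)

$checks.GetEnumerator() | ForEach-Object { '{0,-24} {1}' -f $_.Key, $_.Value }

$failed = $checks.GetEnumerator() | Where-Object { $_.Value -is [bool] -and -not $_.Value }
if ($failed) {
    Write-Warning ("Prerequisites not met: " + (($failed | ForEach-Object Key) -join ', '))
    exit 1
}
'All prerequisite checks passed.'
```

Run it once after joining the domain and assigning the address, and again after any reboot, since an address that reverts to DHCP shows up as `HasStaticIPv4 False` before it shows up as a broken CRL download on 802.1X clients.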

What this guide does not provide

This guide does not provide comprehensive instructions for designing and deploying a public key infrastructure (PKI) by using AD CS. It is recommended that you review AD CS documentation and PKI design documentation before deploying the technologies in this guide.

Technology overviews

Following are technology overviews for AD CS and Web Server (IIS).

Active Directory Certificate Services

AD CS in Windows Server 2016 provides customizable services for creating and managing the X.509 certificates that are used in software security systems that employ public key technologies. Organizations can use AD CS to enhance security by binding the identity of a person, device, or service to a corresponding public key. AD CS also includes features that allow you to manage certificate enrollment and revocation in a variety of scalable environments.

For more information, see Active Directory Certificate Services Overview and Public Key Infrastructure Design Guidance.

Web Server (IIS)

The Web Server (IIS) role in Windows Server 2016 provides a secure, easy-to-manage, modular, and extensible platform for reliably hosting websites, services, and applications. With IIS, you can share information with users on the Internet, an intranet, or an extranet. IIS is a unified web platform that integrates IIS, ASP.NET, FTP services, PHP, and Windows Communication Foundation (WCF).

For more information, see Web Server (IIS) Overview.