Server Certificate Deployment Overview

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

This topic contains the following sections.

Server certificate deployment components

You can use this guide to install Active Directory Certificate Services (AD CS) as an Enterprise root certification authority (CA) and to enroll server certificates to servers that are running Network Policy Server (NPS), Routing and Remote Access service (RRAS), or both NPS and RRAS.

If you deploy SDN with certificate-based authentication, servers must use a server certificate to prove their identity to other servers so that they can communicate securely.

The following illustration shows the components that are required to deploy server certificates to servers in your SDN infrastructure.

Illustration: Infrastructure required for server certificate deployment

Note

In the illustration above, multiple servers are depicted: DC1, CA1, WEB1, and many SDN servers. This guide provides instructions for deploying and configuring CA1 and WEB1, and for configuring DC1, which this guide assumes you have already installed on your network. If you have not already installed your Active Directory domain, you can do so by using the Core Network Guide for Windows Server 2016.

For more information on each item depicted in the illustration above, see the following:

CA1 running the AD CS server role

In this scenario, the Enterprise Root certification authority (CA) is also an issuing CA. The CA issues certificates to server computers that have the correct security permissions to enroll a certificate. Active Directory Certificate Services (AD CS) is installed on CA1.

For larger networks, or where security concerns justify it, you can separate the roles of root CA and issuing CA and deploy subordinate CAs that act as the issuing CAs.

In the most secure deployments, the Enterprise Root CA is taken offline and physically secured.

CAPolicy.inf

Before you install AD CS, you configure the CAPolicy.inf file with settings that are specific to your deployment.
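As an added example that is not part of this guide, the following PowerShell writes a CAPolicy.inf for the Enterprise root CA on the computer where AD CS will be installed; the key length, validity period and CRL intervals are assumed lab values, and the file must be in place in the Windows directory before the AD CS role is installed.

```powershell
# Added example, not part of the guide: create CAPolicy.inf before installing AD CS.
# Values below are assumed lab settings; adjust them to your certificate policy.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
; Key length and lifetime of the CA's own certificate (used at install and at renewal)
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
; Base CRL publication interval; the published CRL is copied to the WEB1 virtual directory
CRLPeriod=Weeks
CRLPeriodUnits=1
; Disable delta CRLs so only the base CRL has to be kept current on WEB1
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
; Do not publish the default templates; only the template copy configured later is issued
LoadDefaultTemplates=0
'@

# AD CS reads CAPolicy.inf from the Windows directory during role installation.
$path = Join-Path $env:SystemRoot 'CAPolicy.inf'
Set-Content -Path $path -Value $caPolicy -Encoding ASCII

# Display the file so the settings can be reviewed before AD CS is installed.
Get-Content $path
```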

Copy of the RAS and IAS Servers certificate template

When you deploy server certificates, you make one copy of the RAS and IAS Servers certificate template and then configure the copy according to your requirements and the instructions in this guide.

You use a copy of the template rather than the original so that the configuration of the original template is preserved for possible future use. You configure the copy of the RAS and IAS Servers template so that the CA can create server certificates and issue them to the groups in Active Directory Users and Computers that you specify.

Additional CA1 configuration

The CA publishes a certificate revocation list (CRL) that computers must check to ensure that certificates presented to them as proof of identity are valid and have not been revoked. You must configure your CA with the correct location of the CRL so that computers know where to look for the CRL during the authentication process.

WEB1 running the Web Server (IIS) server role

On the computer that is running the Web Server (IIS) server role, WEB1, you must create a folder in Windows Explorer for use as the location for the CRL and AIA.

Virtual directory for the CRL and AIA

After you create the folder in Windows Explorer, you must configure it as a virtual directory in Internet Information Services (IIS) Manager and configure the access control list for the virtual directory so that computers can access the AIA and CRL after they are published there.

DC1 running the AD DS and DNS server roles

DC1 is the domain controller and DNS server on your network.

Group Policy default domain policy

After you configure the certificate template on the CA, you configure the default domain policy in Group Policy so that certificates are autoenrolled to NPS and RAS servers. Group Policy is configured in AD DS on the server DC1.

DNS alias (CNAME) resource record

You must create an alias (CNAME) resource record for the Web server to ensure that other computers can find the server, and with it the AIA and the CRL that are stored on the server. In addition, using an alias CNAME resource record provides flexibility so that you can use the Web server for other purposes, such as hosting Web and FTP sites.

NPS1 running the Network Policy Server role service of the Network Policy and Access Services server role

The NPS server is installed when you perform the tasks in the Windows Server 2016 Core Network Guide, so before you perform the tasks in this guide you should already have one or more NPS servers installed on your network.

Group Policy applied and certificate enrolled to servers

After you have configured the certificate template and autoenrollment, you can refresh Group Policy on all target servers. At that time, the servers enroll the server certificate from CA1.

Server certificate deployment process overview

Note

The details of how to perform these steps are provided in the section Server Certificate Deployment.

The process of configuring server certificate enrollment occurs in these stages:

  1. On WEB1, install the Web Server (IIS) role.

  2. On DC1, create an alias (CNAME) record for your Web server, WEB1.

  3. Configure your Web server to host the CRL from the CA, then publish the CRL and copy the Enterprise Root CA certificate into the new virtual directory.

  4. On the computer where you plan to install AD CS, assign the computer a static IP address, rename the computer, join the computer to the domain, and then log on to the computer with a user account that is a member of the Domain Admins and Enterprise Admins groups.

  5. On the computer where you plan to install AD CS, configure the CAPolicy.inf file with settings that are specific to your deployment.

  6. Install the AD CS server role and perform additional configuration of the CA.

  7. Copy the CRL and CA certificate from CA1 to the share on the Web server WEB1.

  8. On the CA, configure a copy of the RAS and IAS Servers certificate template. The CA issues certificates based on a certificate template, so you must configure the template for the server certificate before the CA can issue a certificate.

  9. Configure server certificate autoenrollment in Group Policy. When you configure autoenrollment, all servers that you have specified through Active Directory group membership automatically receive a server certificate when Group Policy on each server is refreshed. If you add more servers later, they automatically receive a server certificate too.

  10. Refresh Group Policy on the servers. When Group Policy is refreshed, the servers receive the server certificate, which is based on the template that you configured in the previous step. The server uses this certificate to prove its identity to client computers and other servers during the authentication process.

    Note

    All domain member computers automatically receive the Enterprise Root CA's certificate without any autoenrollment configuration. This certificate is different from the server certificate that you configure and distribute by using autoenrollment. The CA's certificate is automatically installed in the Trusted Root Certification Authorities certificate store of all domain member computers so that they trust certificates issued by this CA.

  11. Verify that all servers have enrolled a valid server certificate.
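As an added example that is not part of this guide, the following PowerShell performs the verification in the last step on one target server: it locates certificates issued from the template copy, checks that the chain builds and revocation passes, that the Server Authentication EKU and private key are present, and that the CRL and AIA URLs embedded in the certificate (the WEB1 virtual directory) are reachable. The template name "SDN Server Certificate" is an assumed name for the copy of the RAS and IAS Servers template; substitute the name you chose.

```powershell
# Added verification script (not part of the Microsoft guide). Run on each NPS/RRAS server.
$TemplateName = 'SDN Server Certificate'   # assumed name of the copied RAS and IAS Servers template

# Certificate Template Information extension (present on certificates from v2 templates)
$templateOid = '1.3.6.1.4.1.311.21.7'
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
    $ext -and $ext.Format($false) -like "*$TemplateName*"
}
if (-not $certs) {
    Write-Warning "No certificate from template '$TemplateName' found; run gpupdate /force and check autoenrollment."
    return
}

foreach ($cert in $certs) {
    Write-Host "Checking $($cert.Subject) (thumbprint $($cert.Thumbprint))"

    # 1. Chain must build to a trusted root and pass revocation checking (requires a reachable CRL).
    $chainOk = Test-Certificate -Cert $cert -Policy BASE -ErrorAction SilentlyContinue
    Write-Host "  Chain and revocation check: $(if ($chainOk) {'PASS'} else {'FAIL'})"

    # 2. Server Authentication EKU (1.3.6.1.5.5.7.3.1) is required for the server to prove its identity.
    $eku = $cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' }
    Write-Host "  Server Authentication EKU: $(if ($eku) {'PASS'} else {'FAIL'})"

    # 3. Autoenrollment generates the key locally, so the private key must be present.
    Write-Host "  Private key present: $(if ($cert.HasPrivateKey) {'PASS'} else {'FAIL'})"

    # 4. CDP (2.5.29.31) and AIA (1.3.6.1.5.5.7.1.1) HTTP URLs point at the WEB1 virtual directory;
    #    if they are unreachable, other computers cannot fetch the CRL or the CA certificate.
    $urlExts = $cert.Extensions | Where-Object { $_.Oid.Value -in '2.5.29.31', '1.3.6.1.5.5.7.1.1' }
    foreach ($e in $urlExts) {
        foreach ($m in [regex]::Matches($e.Format($true), 'http://\S+')) {
            $url = $m.Value.TrimEnd(',', ')')
            try {
                $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
                Write-Host "  $url -> HTTP $($r.StatusCode)"
            } catch {
                Write-Host "  $url -> UNREACHABLE ($($_.Exception.Message))"
            }
        }
    }
}
```

A FAIL on the chain check together with an UNREACHABLE CDP URL usually means the CRL was not copied to WEB1 (step 7) or the CNAME for the Web server (step 2) does not resolve.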