Server Certificate Deployment Planning

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

Before you deploy server certificates, you must plan the following items:

Plan basic server configuration

After you install Windows Server 2016 on the computers that you plan to use as your certification authority (CA) and your Web server, you must rename each computer and assign and configure a static IP address for it.

For more information, see the Windows Server 2016 Core Network Guide.

Plan domain access

To log on to the domain, the computer must be a domain member and the user account must already exist in Active Directory Domain Services (AD DS) before the logon attempt. In addition, most procedures in this guide require that the user account be a member of the Enterprise Admins or Domain Admins group in Active Directory Users and Computers, so you must log on to the CA with an account that has the appropriate group membership.

For more information, see the Windows Server 2016 Core Network Guide.

Plan the location and name of the virtual directory on your Web server

To make the CRL and the CA certificate available to other computers, you must store them in a virtual directory on your Web server. In this guide, the virtual directory is located on the Web server WEB1, in a folder on the C: drive named pki. You can locate your virtual directory on your Web server at any folder location that is appropriate for your deployment.

Plan a DNS alias (CNAME) record for your Web server

Alias (CNAME) resource records are also sometimes called canonical name resource records. With these records, you can use more than one name to point to a single host, which makes it easy to do such things as host both a File Transfer Protocol (FTP) server and a Web server on the same computer. For example, the well-known server names (ftp, www) are registered using alias (CNAME) resource records that map to the Domain Name System (DNS) host name, such as WEB1, of the server computer that hosts these services.

This guide provides instructions for configuring your Web server to host the certificate revocation list (CRL) for your certification authority (CA). Because you might also want to use your Web server for other purposes, such as hosting an FTP or Web site, it is a good idea to create an alias resource record in DNS for your Web server. The alias also matters for the PKI itself: the URL you choose is embedded in every certificate the CA issues, so changing it later means reissuing those certificates, whereas a CNAME lets you move the CRL to a different host without changing the URL. In this guide, the CNAME record is named pki, but you can choose a name that is appropriate for your deployment.
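The following PowerShell is an added worked example of preparing the Web server and DNS for the virtual directory and CNAME planned above; it is not part of the original guide. It uses the guide's names (WEB1, C:\pki, virtual directory pki, domain corp.contoso.com, alias pki). The CA computer account CORP\CA1$, the DNS server name DC1, and the use of the IIS "Default Web Site" are assumptions for the example.

```powershell
# Added example (not from the original guide). Assumed names: CORP\CA1$ is the
# CA's computer account, DC1 hosts the corp.contoso.com zone, and the virtual
# directory hangs off the IIS "Default Web Site".

# --- Run on WEB1 (IIS installed) ---
Import-Module WebAdministration

$pkiPath = 'C:\pki'
New-Item -Path $pkiPath -ItemType Directory -Force | Out-Null

# Virtual directory /pki under the default site, backed by C:\pki.
New-WebVirtualDirectory -Site 'Default Web Site' -Name 'pki' -PhysicalPath $pkiPath

# Delta CRL file names contain "+" (for example CA1+.crl). IIS request filtering
# rejects the double-escaped "+" unless allowDoubleEscaping is enabled, so
# delta CRL downloads fail silently without this setting.
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\pki' `
    -Filter 'system.webServer/security/requestFiltering' `
    -Name 'allowDoubleEscaping' -Value $true

# Share the folder so the CA can copy the CRL and CA certificate into it.
# Least privilege: only the CA computer account gets write (change) access,
# at both the share and the NTFS level. Anonymous HTTP read is what clients use.
New-SmbShare -Name 'pki' -Path $pkiPath -ChangeAccess 'CORP\CA1$'
icacls $pkiPath /grant 'CORP\CA1$:(OI)(CI)M' | Out-Null

# --- Run on DC1 (assumed DNS server), or anywhere with the DnsServer module ---
Add-DnsServerResourceRecordCName -ComputerName 'DC1' -ZoneName 'corp.contoso.com' `
    -Name 'pki' -HostNameAlias 'web1.corp.contoso.com'

# Check: the alias resolves through to WEB1 before any certificate embeds it.
Resolve-DnsName -Name 'pki.corp.contoso.com' -Type CNAME
```

Run the WEB1 portion as a local administrator and the DNS portion with rights on the zone. Granting write access only to CA1$ means a compromised Web server cannot be used to push a forged CRL back into the CA, and a compromised CA account cannot do more than overwrite files in C:\pki.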

Plan configuration of CAPolicy.inf

Before you install AD CS, you must configure CAPolicy.inf on the CA with information that is correct for your deployment. The file must be saved in the %SystemRoot% folder (for example, C:\Windows\CAPolicy.inf) before setup runs, or setup ignores it. A CAPolicy.inf file contains the following information:

[Version]  
Signature="$Windows NT$"  
[PolicyStatementExtension]  
Policies=InternalPolicy  
[InternalPolicy]  
OID=1.2.3.4.1455.67.89.5  
Notice="Legal Policy Statement"  
URL=http://pki.corp.contoso.com/pki/cps.txt  
[Certsrv_Server]  
RenewalKeyLength=2048  
RenewalValidityPeriod=Years  
RenewalValidityPeriodUnits=5  
CRLPeriod=weeks  
CRLPeriodUnits=1  
LoadDefaultTemplates=0  
AlternateSignatureAlgorithm=1  

You must plan the following items for this file:

  • URL. The example CAPolicy.inf file has a URL value of http://pki.corp.contoso.com/pki/cps.txt. This is because the Web server in this guide is named WEB1, has a DNS CNAME resource record of pki, and is joined to the corp.contoso.com domain. In addition, there is a virtual directory on the Web server named pki where the certificate revocation list is stored. Ensure that the URL value in your CAPolicy.inf file points to a virtual directory on your Web server in your domain.

  • RenewalKeyLength. The default renewal key length for AD CS in Windows Server 2012 and later is 2048 bits. This value applies only when a new key pair is generated during CA certificate renewal; the initial key length is chosen during CA installation. The key length that you select should be as long as possible while still providing compatibility with the applications that you intend to use.

  • RenewalValidityPeriodUnits. The example CAPolicy.inf file sets RenewalValidityPeriod=Years and RenewalValidityPeriodUnits=5, that is, a validity period of 5 years. This is because the expected lifespan of the CA is around ten years. The value of RenewalValidityPeriodUnits should reflect the overall validity period of the CA or the highest number of years for which you want to provide enrollment.

  • CRLPeriodUnits. The example CAPolicy.inf file sets CRLPeriod=weeks and CRLPeriodUnits=1, because the example refresh interval for the certificate revocation list in this guide is 1 week. At the interval that you specify with this setting, you must publish a new CRL on the CA and copy it to the Web server virtual directory where you store the CRL, so that computers performing certificate validation can retrieve it. If the copy on the Web server is allowed to expire (its Next Update time passes) before a fresh CRL replaces it, clients that check revocation will fail to validate certificates issued by this CA.

  • AlternateSignatureAlgorithm. Setting this value to 1 causes the CA to sign with the alternate signature format (PKCS #1 v2.1 signatures), which is an improved security mechanism. Do not enable this setting if you still have Windows XP clients that require certificates from this CA, because they cannot validate certificates signed in this format.

If you do not plan to add any subordinate CAs to your public key infrastructure later, and you want to prevent subordinate CAs from being added, you can add the PathLength key to your CAPolicy.inf file with a value of 0. To add this key, copy and paste the following section into your file:

[BasicConstraintsExtension]  
PathLength=0  
Critical=Yes  

Important

It is not recommended that you change any other settings in the CAPolicy.inf file unless you have a specific reason for doing so.

Plan configuration of the CDP and AIA extensions on CA1

When you configure the Certificate Revocation List (CRL) Distribution Point (CDP) and the Authority Information Access (AIA) settings on CA1, you need the name of your Web server and your domain name. You also need the name of the virtual directory that you create on your Web server, where the certificate revocation list (CRL) and the certification authority certificate are stored.

The CDP location that you must enter during this deployment step has the following format, where DNSAliasRecordName, Domain, and VirtualDirectoryName are replaced with your own values and the angle-bracketed tokens are typed literally, because the CA expands them when it builds the extension:

`http://DNSAliasRecordName.Domain.com/VirtualDirectoryName/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl`  

For example, if your Web server is named WEB1, your DNS alias (CNAME) record for the Web server is pki, your domain is corp.contoso.com, and your virtual directory is named pki, the CDP location is:

`http://pki.corp.contoso.com/pki/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl`  

The AIA location that you must enter has the format:

`http://DNSAliasRecordName.Domain.com/VirtualDirectoryName/<ServerDNSName>_<CaName><CertificateName>.crt`  

For example, if your Web server is named WEB1, your DNS alias (CNAME) record for the Web server is pki, your domain is corp.contoso.com, and your virtual directory is named pki, the AIA location is:

`http://pki.corp.contoso.com/pki/<ServerDNSName>_<CaName><CertificateName>.crt`  

Plan the copy operation between the CA and the Web server

To publish the CRL and the CA certificate from the CA to the Web server virtual directory, you can run the certutil -crl command after you configure the CDP and AIA locations on the CA. certutil -crl writes a new CRL to the locations that are flagged for publishing, which by default is the local CertEnroll folder under %windir%\System32\CertSrv; the CRL and the CA certificate are then copied from there to the Web server. Ensure that you configure the correct paths on the Extensions tab of the CA Properties before you run this command, using the instructions in this guide. In addition, to copy the Enterprise CA certificate to the Web server, you must have already created the virtual directory on the Web server and configured its folder as a shared folder that the account performing the copy can write to.
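The following PowerShell is an added worked example that carries the two preceding sections through end to end on CA1: it sets the HTTP CDP and AIA locations with the ADCSAdministration cmdlets, publishes a fresh CRL, copies the CRL and CA certificate to the Web server, and then fetches the CRL over HTTP the way a validating client would. It is not part of the original guide. It uses the guide's URL (http://pki.corp.contoso.com/pki) and Web server name (WEB1); the share name \\WEB1\pki is an assumption.

```powershell
# Added example (not from the original guide). Assumes the Web server folder
# is shared as \\WEB1\pki and that this runs on CA1 as a CA administrator.
Import-Module ADCSAdministration

$base = 'http://pki.corp.contoso.com/pki'

# The <...> tokens are expanded by the CA when it builds extensions:
#   <CaName>          CA name          <CRLNameSuffix>   index of the CA key (renewals)
#   <DeltaCRLAllowed> "+" for delta    <ServerDNSName>   CA host name
#   <CertificateName> CA cert index
Add-CACrlDistributionPoint -Uri "$base/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl" `
    -AddToCertificateCdp -AddToFreshestCrl -Force
Add-CAAuthorityInformationAccess -Uri "$base/<ServerDNSName>_<CaName><CertificateName>.crt" `
    -AddToCertificateAia -Force

# Review what issued certificates will now carry. The default local CertEnroll
# publish path and the LDAP entries remain unless you remove them explicitly.
Get-CACrlDistributionPoint | Format-Table Uri, AddToCertificateCdp, PublishToServer -AutoSize
Get-CAAuthorityInformationAccess | Format-Table Uri, AddToCertificateAia -AutoSize

# Extension changes take effect only after the CA service restarts.
Restart-Service certsvc

# Publish a new CRL to the flagged publish locations (CertEnroll by default),
# then copy the CRL(s) and the CA certificate to the Web server share. Use the
# host name for SMB rather than the CNAME to avoid Kerberos SPN mismatches.
certutil -crl
$certEnroll = Join-Path $env:windir 'System32\CertSrv\CertEnroll'
Copy-Item -Path (Join-Path $certEnroll '*.crl'), (Join-Path $certEnroll '*.crt') `
    -Destination '\\WEB1\pki' -Force

# Client-side check: download the base CRL (no "+" in the name) over HTTP and
# confirm its validity window; NextUpdate must be in the future or clients fail.
$caName = (Get-ChildItem $certEnroll -Filter '*.crl' |
    Where-Object Name -notmatch '\+' | Select-Object -First 1).BaseName
$tmp = Join-Path $env:TEMP "$caName.crl"
Invoke-WebRequest -Uri "$base/$caName.crl" -OutFile $tmp -UseBasicParsing
certutil -dump $tmp | Select-String -Pattern '(This|Next) ?Update'
```

Remove any distribution point that clients cannot reach, such as a default http://<ServerDNSName>/CertEnroll/ entry on a CA that does not run IIS, with Remove-CACrlDistributionPoint, because an unreachable CDP only slows validation down until it times out. Schedule the certutil -crl and Copy-Item steps to run well inside the one-week CRLPeriod planned above, so the published copy never expires.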

Plan the configuration of the server certificate template on the CA

To deploy autoenrolled server certificates, you must copy the certificate template named RAS and IAS Server. By default, this copy is named Copy of RAS and IAS Server. If you want to rename this template copy, plan the name that you want to use during this deployment step.

Note

The last three deployment sections in this guide, which configure server certificate autoenrollment, refresh Group Policy on the servers, and verify that the servers have received a valid server certificate from the CA, do not require additional planning steps.