Creating a certificate template to prepare for issuing machine certificates to your clients

This recipe is the first hurdle that many new certificate admins bump into. You may have a CA server up and running, but what's next? Before you can start granting certificates to computers and users, you need to establish certificate templates that you are going to publish. You will configure these templates with particular settings, and when a certificate is requested against the template, that new certificate will be built based on the information in the template combined with the information provided by the certificate requestor.

There are some built-in certificate templates that are preinstalled when you add the CA role to your server. Some companies use these built-in templates directly for issuing certificates, but it is better practice to create your own. There is no need to start from scratch, though: pick the built-in template that comes closest to meeting your needs, duplicate it, and tweak the copy to fit your particular certificate requirements. This is the process we are going to follow. We need to issue machine certificates to each of our systems in the network to authenticate some IPsec tunnels. There are a few criteria these certificates must meet, and the built-in Computer template comes close to checking all the boxes we need. So we will take that template, copy it, and modify it to meet our requirements.

Getting ready

This is a Server 2016 domain environment with a new CA server running. We will utilize the CA console on our CA server to accomplish this work today. The new template that we create will be automatically replicated with other CA servers in the domain.

How to do it…

The following steps will help you build a new certificate template:

  1. Launch the Certification Authority management tool from inside Server Manager.
  2. Expand the name of your CA and click on Certificate Templates. You will see a list of the built-in templates available to us.
  3. Right-click on Certificate Templates and choose Manage.

  4. Right-click on the Computer template and choose Duplicate Template.

  5. Now we adjust options within the certificate template. Any attributes that your certificates must have, you set here in the template properties. As an example, let's configure a few items that our new IPsec certificates must contain to be valid.
  6. Go to the General tab and set the Template display name so that you can identify this new template we are building.

  7. On the same tab, adjust the Validity period field to 2 years.
  8. Browse to the Subject Name tab and set the Subject name format field to Common name. This causes the subject name of the certificate to reflect the hostname of the computer that is requesting the certificate. Including the DNS name as the alternate subject name is another requirement we have been given for our new certificates; you can see it checked in the screenshot below. Since we used the built-in Computer template as our starting point, this checkbox, along with several other requirements we needed covered, was already taken care of for us.

  9. Click OK. There is now a brand new certificate template in the list called IPsec Certificate (or whatever name you gave to yours).
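Once the template has been saved, it is worth confirming from the CA server that the object stored in Active Directory actually carries the settings chosen in the steps above. The following PowerShell script is an added example, not part of the recipe; it assumes the RSAT ActiveDirectory module is available and that the template was saved with the display name IPsec Certificate from step 9 (adjust $displayName otherwise). The flag constants come from the msPKI-Certificate-Name-Flag definition in MS-CRTD.

```powershell
# Added check (not part of the recipe): read the new template's AD object and verify
# the validity period and subject-name settings, plus one hardening check.
# Assumption: RSAT ActiveDirectory module; template display name from step 9.
Import-Module ActiveDirectory

$displayName = 'IPsec Certificate'

# Templates live in the Configuration partition, which replicates to every CA in the forest.
$configNC          = (Get-ADRootDSE).configurationNamingContext
$templateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$template = Get-ADObject -SearchBase $templateContainer -LDAPFilter "(displayName=$displayName)" `
    -Properties displayName, pKIExpirationPeriod, 'msPKI-Certificate-Name-Flag'
if (-not $template) { throw "Template '$displayName' not found under $templateContainer" }

# Bit values of msPKI-Certificate-Name-Flag (MS-CRTD).
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT   = 0x00000001
$CT_FLAG_SUBJECT_ALT_REQUIRE_DNS     = 0x08000000
$CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME = 0x40000000
$nameFlags = [int]$template.'msPKI-Certificate-Name-Flag'

# pKIExpirationPeriod is a negative interval in 100-nanosecond units, stored little-endian.
$ticks    = [BitConverter]::ToInt64([byte[]]$template.pKIExpirationPeriod, 0)
$validity = [TimeSpan]::FromTicks(-$ticks)

$results = [ordered]@{
    'Validity period is 2 years'          = ($validity.TotalDays -ge 729 -and $validity.TotalDays -le 732)
    'Subject name built from Common name' = (($nameFlags -band $CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME) -ne 0)
    'DNS name included as alternate name' = (($nameFlags -band $CT_FLAG_SUBJECT_ALT_REQUIRE_DNS) -ne 0)
    # Must stay OFF for a machine template: if the requester may supply its own subject,
    # any enrolled client could ask for a certificate bearing another machine's name.
    'Requester cannot supply subject'     = (($nameFlags -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -eq 0)
}

foreach ($check in $results.GetEnumerator()) {
    $status = if ($check.Value) { 'PASS' } else { 'FAIL' }
    Write-Output ("[{0}] {1}" -f $status, $check.Key)
}
```

Run it from an elevated PowerShell session on the CA (or any domain-joined admin workstation with RSAT); a FAIL on the last line means the template should be reopened and corrected before it is published.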

How it works…

When installing any new technology that requires certificates to be issued, your first stop should be the certificate templates on your CA server. You need to make sure that you have a template configured with the appropriate settings and switches that you need in your new certificates. By duplicating one of the built-in templates that came with our CA server, we were able to build a new template without having to configure every single option from the ground up.