Certificate Services

Design:

The WolfTech AD Public Key Infrastructure is a single tier, Microsoft Enterprise CA (“North Carolina State University Root CA256”). It is a self-signed root certificate authority (CA). It is a 2048 bit cert, and this value was chosen as it was the largest bit size that could be used and maintain widespread compatibility. It uses the “RSASSA-PSS” signature algorithm as opposed to the more common “sha256RSA” algorithm.

We intend to develop and implement Windows certificate templates of the following types.  Other types will be considered as needs arise.

  • “NCSU-Computer-Certificate” : Auto-enrollment for domain computers w/ x509 v2 cert with OID for “Client Authentication” –  Implemented
  • “NCSU-Server-Certificate” : Auto-enrollment for domain computers w/ x509 v2 cert with OID for “Server Authentication” – Implemented
  • Code signing certificates. NCSU-Departmental OU Admins can request a code signing cert (Service Now ticket to the ACTIVEDIRECTORY_TECHNICAL queue).
    • Code signing certs will only be issued to .admin accounts of full-time IT staff (no part-time, or student workers) and must be associated with a human being.
    • IT staff wanting code signing certs will have to submit a request, and will have their .admin account added to the Wolftech-PKI-CodeSigning-Autoenroll group.
    • At cert creation time, there is the option to add a password to the cert.
    • For a computer to trust (and, consequently, run) code signed by this cert, one has to deploy the public key of the author to the “Trusted Publishers” certificate store on all Windows machines expected to run the code.  To do this, you will have to push this cert, via group policy, to all your computers at your OU level. Only approved authors will have their certs pushed at the NCSU level.  Only certs with passwords will be eligible for signing scripts or packages at the NCSU level. You will have to type the password every time you sign something.
    • Example:
  • Key Recovery Agent

Uses:

  • SCCM
  • RDP
  • Code Signing – Powershell scripts, APP-V packages
  • Web Servers
  • 802.1x
  • ADFS

Notes:

  • Initial certificate creation for computers must contain a valid DNS name. ADToolkit is already sending OU admins a daily reminder to fix their DNS.
  • Initial certificate creation for user certificate auto-enrollment happens only at an interactive logon on a domain-joined Windows client.
  • Using >2048-bit keys for certs will break lots of things.
  • Using ADSI Edit, you can view the Certificate Services information here:

Links: