Certificate Services

Design:

The WolfTech AD Public Key Infrastructure is a second-tier Microsoft Enterprise subordinate CA (“North Carolina State University Enterprise CA”). It chains to a campus self-signed Windows standalone CA (“North Carolina State University Root CA”). Both CA certificates use 2048-bit keys; that size was chosen because it was the largest key size that still maintained widespread compatibility.

We intend to develop and implement Windows certificate templates of the following types.  Other types will be considered as needs arise.

  • Default Client Certificate v1.0 (Computer): Auto-enrollment for domain computers with an x509 v2 cert carrying the enhanced key usage OIDs {client authentication, server authentication} – Implemented
  • Client authentication certificates for Unity users, to be used for 802.1x: Auto-enrollment – In planning stages
  • Code signing certificates. NCSU-Departmental OU Admins can request a code signing cert (Remedy ticket to the ACTIVEDIRECTORY_TECHNICAL queue).
    • Code signing certs will only be issued to .admin accounts of full-time IT staff (no part-time, or student workers) and must be associated with a human being.
    • IT staff wanting code signing certs will have to submit a request, and will have their .admin account added to the Wolftech-PKI-CodeSigning-Autoenroll group.
    • At cert creation time, there is an option to password-protect the cert.
    • For a computer to trust (and, consequently, run) code signed by this cert, the author's public certificate must be deployed to the “Trusted Publishers” certificate store on every Windows machine expected to run the code. To do this, push the cert via group policy to all your computers at your OU level. Only approved authors will have their certs pushed at the NCSU level, and only password-protected certs are eligible for signing scripts or packages at the NCSU level. You will have to type the password every time you sign something.
    • Example:
  • Key Recovery Agent
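The code-signing workflow above (sign a PowerShell script with a departmental code-signing cert, then confirm the signer is in Trusted Publishers on the receiving machine) as an added example; this is not code from the WolfTech documentation, and the script path, the timestamp note and the `Test-TrustedScript` helper are assumptions for illustration:

```powershell
# Added example, not part of the WolfTech PKI page. Assumes a code-signing certificate
# issued by the Enterprise CA is installed in Cert:\CurrentUser\My and that you can read
# Cert:\LocalMachine\TrustedPublisher. Paths are placeholders.

$ScriptPath = 'C:\Scripts\Deploy-App.ps1'   # placeholder: the script you want to sign

# Pick a non-expired code-signing certificate (EKU 1.3.6.1.5.5.7.3.3) from the personal store.
# If the cert was password-protected at creation time, Windows prompts for that password
# here; that prompt is expected and must be answered on every signing operation.
$signer = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
          Where-Object { $_.NotAfter -gt (Get-Date) } |
          Select-Object -First 1
if (-not $signer) { throw 'No valid code-signing certificate found in Cert:\CurrentUser\My' }

# Sign the script with SHA-256. Adding -TimestampServer <your timestamp service URL>
# keeps the signature valid after the signing cert itself expires.
$sig = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $signer -HashAlgorithm SHA256
if ($sig.Status -ne 'Valid') { throw "Signing failed: $($sig.Status) - $($sig.StatusMessage)" }

# Verification from the receiving machine's point of view: the signature must be valid AND
# the signer's cert must be in Trusted Publishers, otherwise PowerShell prompts (or refuses,
# under the AllSigned execution policy) when the script runs.
function Test-TrustedScript {
    param([Parameter(Mandatory)][string]$Path)
    $s = Get-AuthenticodeSignature -FilePath $Path
    if ($s.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "Signature status: $($s.Status)" }
    }
    $thumb     = $s.SignerCertificate.Thumbprint
    $published = Get-ChildItem Cert:\LocalMachine\TrustedPublisher | Where-Object Thumbprint -eq $thumb
    [pscustomobject]@{
        Path    = $Path
        Trusted = [bool]$published
        Signer  = $s.SignerCertificate.Subject
        Reason  = if ($published) { 'Signer present in Trusted Publishers' }
                  else { 'Signer not in Trusted Publishers; push the cert via GPO at your OU level' }
    }
}

Test-TrustedScript -Path $ScriptPath
```

Run the verification half on a machine that received the GPO to confirm the Trusted Publishers push actually landed before rolling the signed script out.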

Uses:

  • SCCM
  • RDP
  • Code Signing – PowerShell scripts, App-V packages
  • Web Servers
  • 802.1x
  • ADFS

North Carolina State University Root CA Info:

Active Directory North Carolina State University Enterprise CA Info:

Notes:

  • Initial certificate creation for computers must contain a valid DNS name. ADToolkit is already sending OU admins a daily reminder to fix their DNS.
  • Initial certificate creation for user certificate auto-enrollment happens only at an interactive logon on a domain-joined Windows client.
  • Using keys larger than 2048 bits for certs will break compatibility with many clients and services.
  • Using ADSI Edit, you can view the Certificate Services information here:

Links: