{"id":1199,"date":"2013-12-11T11:35:23","date_gmt":"2013-12-11T17:35:23","guid":{"rendered":"http:\/\/www.poweradmin.com\/blog\/?p=1199"},"modified":"2015-04-24T16:52:37","modified_gmt":"2015-04-24T21:52:37","slug":"how-to-configure-a-public-key-infrastructure-on-a-windows-server-part-1","status":"publish","type":"post","link":"https:\/\/www.poweradmin.com\/blog\/how-to-configure-a-public-key-infrastructure-on-a-windows-server-part-1\/","title":{"rendered":"How to configure Public Key Infrastructures"},"content":{"rendered":"<p>\n\t<a href=\"\/blog\/wp-content\/uploads\/2013\/12\/pki.jpg\"><img loading=\"lazy\" decoding=\"async\" alt=\"Public Key Infrastructure\" class=\"alignright size-medium wp-image-1223\" height=\"187\" src=\"\/blog\/wp-content\/uploads\/2013\/12\/pki-300x300.jpg\" width=\"187\" srcset=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2013\/12\/pki-300x300.jpg 300w, https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2013\/12\/pki-150x150.jpg 150w, https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2013\/12\/pki.jpg 500w\" sizes=\"auto, (max-width: 187px) 100vw, 187px\"><\/a><span style=\"font-size:16px;\"><span style=\"font-family: trebuchet ms,helvetica,sans-serif;\">In today\u2019s article we will discuss implementing a PKI (Public Key Infrastructure) on a Windows Server 2008. The PKI will be used to authenticate wireless users. Note that the steps indicated here can also be applied to Windows Server 2012 versions. Before proceeding to the actual practice example, we\u2019ll have to get acquainted with the elements used in this process. I will be using a virtual machine on my ESXi node. 
It\u2019s easier to use a Virtual Machine since you can roll back changes much faster than on physical servers.<\/span><\/span>\n<\/p>\n<p>\n\t<span style=\"font-size:16px;\"><span style=\"font-family: trebuchet ms,helvetica,sans-serif;\">Windows Server supports several authentication methods and multiple wireless security standards. Among the well-known Wireless Security standards are <em>WEP, WPA <\/em>with its two methods <em>WPA-PSK<\/em> and <em>WPA-EAP<\/em>, <em>WPA2<\/em> and <em>no security<\/em>. Because <em>WPA-PSK <\/em>and <em>WEP<\/em> rely on the <em>pre-shared key<\/em> for <em>wireless authentication<\/em>, these two methods are not used within large enterprises. They are hard to scale and maintain, and they also pose a certain risk level: if the pre-shared key is cracked, the whole network becomes vulnerable. To achieve better results in terms of network security and manageability, you\u2019ll need to install and configure WPA-EAP. To deploy a WPA-EAP infrastructure you\u2019ll need to configure a PKI and install certificates on all RADIUS servers and wireless clients. The RADIUS servers must trust the CA (Certificate Authority) that issued the user\/computer certificates for wireless clients and the clients must trust the CA that issued the computer certificates for the RADIUS servers.<\/span><\/span>\n<\/p>\n<p>\n\t<span style=\"font-size:16px;\"><span style=\"font-family: trebuchet ms,helvetica,sans-serif;\">For easier management you should install a PKI and set the auto-enrollment feature to provide wireless clients the necessary permissions for WPA-EAP wireless authentication. Using this feature, client computers will be able to request and renew certificates without user interaction. 
This means that there will be no application failures or authentication errors that are caused by expired certificates.<\/span><\/span>\n<\/p>\n<p>\n\t<span style=\"font-size:16px;\"><span style=\"font-family: trebuchet ms,helvetica,sans-serif;\">We\u2019ll need to add the <em>Certificate Services<\/em> role to one of your <em>Windows Servers<\/em>. Note that all network devices involved in the wireless authentication process must be part of the same domain. Open the <em>Server Manager <\/em>console, navigate to the <em>Roles <\/em>section and press the <em>Add Roles<\/em> button. Skip the welcome screen and select the <em>Active Directory Certificate Services<\/em>:<\/span><\/span>\n<\/p>\n<p align=\"center\">\n\t<a href=\"\/blog\/wp-content\/uploads\/2013\/12\/Select-Server-Roles.png\" rel=\"\" style=\"\" target=\"\" title=\"\"><img loading=\"lazy\" decoding=\"async\" alt=\"Select Server Roles\" class=\"size-full wp-image-1200 alignnone\" height=\"572\" src=\"\/blog\/wp-content\/uploads\/2013\/12\/Select-Server-Roles.png\" style=\"\" title=\"\" width=\"779\" srcset=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2013\/12\/Select-Server-Roles.png 779w, https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2013\/12\/Select-Server-Roles-300x220.png 300w\" sizes=\"auto, (max-width: 779px) 100vw, 779px\"><\/a>\n<\/p>\n<p>\n\t<span style=\"font-size:16px;\"><span style=\"font-family: trebuchet ms,helvetica,sans-serif;\">In the <em>Role Services <\/em>section check the <em>Certification Authority <\/em>box and press <em>next<\/em>. The <em>Setup Type <\/em>used in our case is <em>Enterprise<\/em> because our server is part of an Active Directory domain. Because we are implementing a Public Key Infrastructure for the first time, we\u2019ll install a Root CA. Remember that the Root CA is responsible for issuing and managing certificates. 
To be able to generate and issue certificates for our clients, we\u2019ll need to create a new private key that will be used by our CA. In the <em>Configure Cryptography<\/em> <em>for CA<\/em> section, select <em>RSA#Microsoft Software Key Storage Provider<\/em>, use a <em>2048 character key length<\/em> and the <em>SHA1 hash algorithm<\/em>. Leave the CA name as indicated by the add roles wizard or change it as desired and set the <em>Validity Period<\/em> for 5 years. If desired, select a certificate database location; if not, skip this section and proceed with the installation.<\/span><\/span>\n<\/p>\n<p>\n\t<span style=\"font-size:16px;\"><span style=\"font-family: trebuchet ms,helvetica,sans-serif;\">Now open the <em>Group Policy Management Console (GPMC.msc) <\/em>and edit the <em>Default Domain Policy<\/em>. Navigate to <em>Computer Configuration\/Policies\/Windows Settings\/Security Settings\/Public Key Policies<\/em> and open the <em>Certificate Services Client \u2013 Auto-Enrollment:<\/em><\/span><\/span>\n<\/p>\n<p align=\"center\">\n\t<a href=\"\/blog\/wp-content\/uploads\/2013\/12\/Group-Policy-Management-Console.png\"><img loading=\"lazy\" decoding=\"async\" alt=\"Group Policy Management Console\" class=\"alignnone size-full wp-image-1201\" height=\"705\" src=\"\/blog\/wp-content\/uploads\/2013\/12\/Group-Policy-Management-Console.png\" width=\"1026\" srcset=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2013\/12\/Group-Policy-Management-Console.png 1026w, https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2013\/12\/Group-Policy-Management-Console-300x206.png 300w, https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2013\/12\/Group-Policy-Management-Console-1024x703.png 1024w\" sizes=\"auto, (max-width: 1026px) 100vw, 1026px\"><\/a>\n<\/p>\n<p align=\"center\">\n\t<strong><span style=\"color:#FF0000;\"><span style=\"font-size: 18px;\"><a href=\"\/blog\/part-2-how-to-configure-a-public-key-infrastructure-on-a-windows-server\/\" 
target=\"_self\">CLICK HERE <\/a>to continue to the last steps in the article<\/span><\/span><\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In today\u2019s article we will discuss implementing a PKI (Public Key Infrastructure) on a Windows Server 2008. The PKI will be used to authenticate wireless users. Note that the steps indicated here can also be applied to Windows Server 2012 versions. Before proceeding to the actual practice example, we\u2019ll have to get acquainted with the [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":1223,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,13,9,8],"tags":[],"class_list":["post-1199","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-how-to","category-pc-security","category-technical","category-windows"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/1199","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/comments?post=1199"}],"version-history":[{"count":5,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/1199\/revisions"}],"predecessor-version":[{"id":3552,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/1199\/revisions\/3552"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/media\/1223"}],"wp:attachment":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/media?parent=1199"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.poweradmin.com\
/blog\/wp-json\/wp\/v2\/categories?post=1199"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/tags?post=1199"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}