Step 1 - Setup JQR-DC1 as the domain controller and certificate authority. First, let's review the available certificate services:
The Certificate Enrollment Policy Web Service and Certificate Enrollment Web Service work allow non-domain joined computers and devices enroll for a certificate via HTTPS (e.g. cross forest scenarios).
The Certification Authority Web Enrollment lets you request certificates and more through a web interface instead of via the MMC snap-in. It's a convenient way to go.
The Network Device Enrollment Service allows devices to obtain a certificate from your CA using the Simple Certificate Enrollment Protocol. Sonicwall routers can do this - I'd like to try that out.
The Online Responder appears to be an alternative to the CRL (certificate revocation list) in that a computer can check via HTTP whether a cert is valid or not. I'm not entirely clear on the pros/cons of using it with smart cards.
Skimmed an overview of smart cards from Microsoft and this handy forum post. Got it working! Here are the steps:
- Duplicate the Enrollment Agent certificate template
- Duplicate the Smartcard Logon template.
- Under the "Request Handling" tab, set the purpose to "Signature and smartcard logon".
- Under the "Cryptography" tab, set the Provider to "Microsoft Base Smart Card Crypto Provider".
- Under "Issuance Requirements", set the number of authorized signatures to 1.
- Enable both certificate templates on the CA.
- Log into a domain-joined Windows 7 workstation as the domain Administrator; open certmgr.msc.
- Request an enrollment agent certificate.
- Connect the smart card reader and card. Drivers for Gemalto cards are installed automatically via Windows Update. That's the other nice thing about Gemalto cards - the middleware for them is baked right into Windows.
- Enroll in a smart card logon certificate on behalf of the chosen user account.
- It will prompt you for a PIN. The default Gemalto PIN is 0000. You can change this later by pressing Ctrl + Alt + Del, just like the password for your domain user account.
Now, the next annoyance that I noticed is that when I lock the console, I'm required to press Ctrl + Alt + Del to unlock it again (now that it's domain joined), so I enabled a group policy to disable this behavior so frequent console locks remain practical.
Instructions. Download link.
OK, pushing trusted root certificate authorities via group policy is super easy:
...and lastly, you can enable certificate auto-enrollment with two steps:
1) Enable it in group policy:
2) Duplicate the certificate template that you're interested in and enable auto-enrollment for the appropriate group of users.
Be aware that by default, certificates have a maximum lifetime of two years. How to change:
1. certutil -getreg ca\ValidityPeriod - this should show "Years"
2. certutil -getreg ca\ValidityPeriodUnits - this should show "2"
3. certutil -setreg ca\validityperiodunits 6 - this sets it to 6 years, or whatever you prefer