ads

Style3[OneLeft]

Style3[OneRight]

Style5[ImagesOnly]

Style2

Task: 

Prepare Windows CA certificate template for end-user enrollment.

Assumptions:  


  • These instructions are for situations that require minimal VPN support.
  • This solution only supports enrollment requests from the Windows certificate snap-in.
  • It enforces administrative approval for end-device enrollment -this is not a completely automated process.
  • Workplace Join is the preferred method for device enrollment.  It provides self-service automation.  It provides secure key management.  This walk-through is not for Workplace Join.

Steps:


  1. Open certificate templates.  From the Windows CA:  Start → MMC → File → Add Snap-In:  Add Certificate Templates.
  2. Step 2:  Duplicate User template:  Certificate Templates → Right-Click on User (Template) →  Duplicate Template.  
  3. Step 3:  Edit Properties of New Template (Table 1):


Table 1:  New Certificate Template Properties.
Field
General
Cryptography
Extensions
Security
Template Display Name
User Device Auth



Validity Period
3 Years



Publish in AD
Un-check



Minimum key size

2048 or 3072


Providers

Microsoft RSA


Applications Policies


Client Authentication

Authenticated Users



Allow Read
Allow Enroll
Note:  3072 key size increases security strength for IKEv2 VPNs.  Choose validity to fit needs of organization.  Use short validity period for automated self-service (e.g., Workplace Join).  Disable certificate exports for automated self-service.   

The template becomes available for user enrollment requests from any Windows certificate snap-in.

About Steven M. Jordan

Steven Jordan is an infrastructure and process management specialist. Steven holds a Master of Science degree in ICT from the University of Wisconsin Stout. Steven is also a Cisco Certified Network Professional (CCNP) and Master Gardener.
«
Next
Newer Post
»
Previous
Older Post

No comments:

Post a Comment