Task:
Prepare a Windows CA certificate template for end-user enrollment.
Assumptions:
- These instructions are for situations that require minimal VPN support.
- This solution only supports enrollment requests from the Windows certificate snap-in.
- It enforces administrative approval for end-device enrollment; this is not a completely automated process.
- Workplace Join is the preferred method for device enrollment: it provides self-service automation and secure key management. This walk-through does not cover Workplace Join.
Steps:
- Step 1: Open Certificate Templates. On the Windows CA: Start → MMC → File → Add/Remove Snap-in → add Certificate Templates.
- Step 2: Duplicate the User template: Certificate Templates → right-click User (template) → Duplicate Template.
- Step 3: Edit the properties of the new template (Table 1):
Table 1: New Certificate Template Properties.

| Field                 | General          | Cryptography  | Extensions            | Security                 |
|-----------------------|------------------|---------------|-----------------------|--------------------------|
| Template Display Name | User Device Auth |               |                       |                          |
| Validity Period       | 3 Years          |               |                       |                          |
| Publish in AD         | Uncheck          |               |                       |                          |
| Minimum key size      |                  | 2048 or 3072  |                       |                          |
| Providers             |                  | Microsoft RSA |                       |                          |
| Application Policies  |                  |               | Client Authentication |                          |
| Authenticated Users   |                  |               |                       | Allow Read, Allow Enroll |
Note: A 3072-bit key increases security strength for IKEv2 VPNs. Choose the validity period to fit the needs of the organization: use a short validity period for automated self-service (e.g., Workplace Join), and disable certificate exports for automated self-service.
The template becomes available for user enrollment requests from any Windows certificate snap-in.
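As an added example that is not part of the original post, the following PowerShell checks that a certificate actually issued from the template matches the Table 1 settings (RSA key size, Client Authentication EKU, validity period, private key present) before it is used for IKEv2 client authentication. It assumes the template display name is "User Device Auth" as in Table 1 and that Windows resolves the template OID to that name when formatting the Certificate Template Information extension.

```powershell
# Added example, not from the original post. Verifies certificates in the
# current user's Personal store against the Table 1 template settings.
# Assumption: template display name 'User Device Auth' (Table 1), and the
# Certificate Template Information extension formats as "Template=<name>(...)".
$TemplateName    = 'User Device Auth'
$MinKeySize      = 2048                    # Table 1: 2048 or 3072 (3072 preferred for IKEv2)
$MaxValidityDays = 3 * 366                 # Table 1: 3 Years (leap-year tolerant)
$ClientAuthOid   = '1.3.6.1.5.5.7.3.2'     # Client Authentication EKU
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'  # Certificate Template Information

function Test-UserDeviceAuthCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()

    # Cryptography tab: Microsoft RSA provider with the minimum key size
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    $keySize = if ($rsa) { $rsa.KeySize } else { 0 }
    if ($keySize -lt $MinKeySize) { $problems += "RSA key size $keySize is below $MinKeySize" }

    # Extensions tab: Client Authentication must be among the application policies (EKU)
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasClientAuth = ($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid }))
    if (-not $hasClientAuth) { $problems += 'Client Authentication EKU missing' }

    # General tab: validity must not exceed the template's 3-year period
    $validDays = [int]($Cert.NotAfter - $Cert.NotBefore).TotalDays
    if ($validDays -gt $MaxValidityDays) { $problems += "validity of $validDays days exceeds $MaxValidityDays" }

    # IKEv2 client authentication needs the private key in the same store
    if (-not $Cert.HasPrivateKey) { $problems += 'private key not present' }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        KeySize    = $keySize
        ValidDays  = $validDays
        OK         = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# Select only certificates issued from the template, then report on each one
Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $tpl = $_.Extensions | Where-Object { $_.Oid.Value -eq $TemplateInfoOid }
    $tpl -and ($tpl.Format($false) -match [regex]::Escape($TemplateName))
} | ForEach-Object { Test-UserDeviceAuthCert -Cert $_ } | Format-Table -AutoSize
```

Run it in the enrolling user's session; any row with OK set to False lists the Table 1 setting the issued certificate does not satisfy.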