This IT Pro Challenges virtual lab teaches learners how to implement automatic certificate creation, in a Windows environment, using a public key infrastructure (PKI). First, you customize a PKI certificate template. Then you use Microsoft Group Policy to configure certificate auto-enrollment. Finally, you test that a new certificate generates from the custom template you created in this lab.
This virtual lab guides beginning learners who have some familiarity with a Windows Server environment. Plan on a full forty-five minutes to complete the lab exercises. Participants cannot return to lab activities in progress. However, learners may take the lab more than once. This lab provides virtual access to a Windows 2016 Active Directory server with a private enterprise root certificate authority, validating the domain authority.
Hands-on experience in the lab gives learners an understanding of PKI. Learners following System Administrator, Network Engineer, Security Architect, Security Control Assessor, Security Software Assessor, Software Developer, Penetration Tester, Security Engineer, or SOC Analyst career paths gain critical experience securing data and digital assets. Learners also master certificate configuration and deployment. Knowledge gained from this lab on using Microsoft's Certification Authority and Group Policy Management furthers comprehension of PKI.
Understanding the Scenario:
You are a system administrator for a company that uses a private-public key infrastructure (PKI) to secure data systems and digital assets. You need to enable automatic certificate creation and deployment for trusted users. First, you configure a custom PKI certificate template, and then you set certificate auto-enrollment using Microsoft Group Policy.
Configure a Custom PKI Certificate Template:
In this lab exercise, learners use Windows Certificate Authority services through the Microsoft Management Console to configure a custom PKI certificate template. Participants duplicate an existing template and specify its settings. Then learners give authenticated users permission to enroll or auto-enroll. When an authorized user on a different machine obtains a certificate, the certificate establishes trust between that machine and another computer.
Once you finish setting up the certificate properties, you issue and enable the certificate. The Certificate Templates console, on the server, makes the configured certificate available. When another machine requests a certificate, the certificate authority services will issue one according to the properties you have set.
Configure Certificate Autoenrollment Using Group Policy:
In this section, you open Group Policy Management and initiate auto-enrollment for computer and user accounts to access devices. You then refresh the Group Policy with the new settings. You can do this through the command console or PowerShell. Once auto-enrollment is configured, users who have permission usually do not need to interact with the Certificate Authority.
In this virtual lab, the same server that configures certificate enrollment also tests that the certificate issues. In production, other client systems in the domain could also test that the certificate issued. However, Active Directory domain-joined computers take about 90 minutes to update their Group Policy settings after a refresh.
To keep within the lab's time frame, you test successful enrollment on the same machine you used to create the certificate. Using the MMC (Microsoft Management Console), you verify that your customized certificate appears on the machine.
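The refresh-and-verify step described above can also be scripted instead of checked by eye in the MMC. The following PowerShell is an added example, not part of the lab's own material; it assumes an elevated prompt on a domain-joined machine, and `$TemplateName` is a placeholder because the page does not name the lab's template.

```powershell
# Added example: confirm that auto-enrollment delivered a certificate from the custom template.
# Placeholder: replace with the name given to the duplicated template in the lab.
$TemplateName = '<custom-template-name>'

# Extensions a Microsoft CA uses to record which template a certificate was issued from.
$TemplateOids = @(
    '1.3.6.1.4.1.311.21.7',  # Certificate Template Information (version 2 and later templates)
    '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (version 1 templates)
)

function Get-CertTemplateText {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
        Where-Object { $_.Oid.Value -in $TemplateOids } |
        Select-Object -First 1
    # Format() renders the extension as text, e.g. "Template=Name(OID), Major Version Number=...".
    # If the name cannot be resolved from the directory, only the template OID appears.
    if ($ext) { $ext.Format($false) } else { $null }
}

# Refresh Group Policy, then ask the auto-enrollment client to run now instead of on its schedule.
gpupdate /force | Out-Null
certutil -pulse | Out-Null
Start-Sleep -Seconds 15   # give enrollment a moment to finish

$now = Get-Date
$issued = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    [pscustomobject]@{
        Subject       = $_.Subject
        Thumbprint    = $_.Thumbprint
        Template      = Get-CertTemplateText $_
        HasPrivateKey = $_.HasPrivateKey
        ValidNow      = ($_.NotBefore -le $now -and $_.NotAfter -ge $now)
    }
} | Where-Object { $_.Template -and $_.Template -like "*$TemplateName*" }

if ($issued) {
    $issued | Format-Table Subject, Thumbprint, HasPrivateKey, ValidNow -AutoSize
    # A certificate without its private key, or outside its validity window, cannot be used.
    $issued | Where-Object { -not $_.HasPrivateKey -or -not $_.ValidNow } |
        ForEach-Object { Write-Warning "Unusable certificate: $($_.Thumbprint)" }
} else {
    Write-Warning "No certificate from template '$TemplateName' in LocalMachine\My yet."
}
```

For a user certificate, run the same check against `Cert:\CurrentUser\My` in that user's session.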
In this lab you will learn how to set up a private-public key infrastructure (PKI) by enabling certificates to be issued automatically to permitted users and computers. You will master:
- Configuring and issuing a custom certificate template.
- Configuring certificate auto-enrollment with Group Policy.
- Acquiring a computer certificate through auto-enrollment.
You will also know how to test that a trusted user can get a custom certificate.