Create custom certificates through the creation of certificate templates. Manage expiration dates, issuance approval, and the security of your certificates. Learn how to publish your certificate templates so they can be requested for your users and comput
- [Narrator] In the last segment, we looked at the management of the Certification authority itself. Now we're going to dig down a little bit and look at the management of the certificates, especially through the management of the certificate templates. We've had a chance to look at several of these features before, but with a very specific intent. So we did pass over several tabs. And I wanna circle back and make sure we cover some of the other capabilities of these certificates that are managed through the templates themselves.
You'll recall that if we click on Certificate Templates, you'll see this relatively short list of certificate templates that we are prepared to issue. It's a good idea to keep this list pared down to what you actually intend to use in your environment. But what happens when you need something slightly different? A great example of this would be a user certificate. We have a user certificate here, and it can be used to encrypt files, secure email. And if you could see the rest of this line it would go on to say it can be used for client authentication.
But suppose Landon Cafe has decided to implement a new operation where, instead of waiting for restaurant reviewers to come in and tell us what we're doing right and wrong, we've decided to work with a partner company to employ secret shoppers. These people brought in as secret shoppers will be users that need to access certain content on our network. And they're going to change frequently, so we've decided to use certificates to identify and verify who these people are.
We need certificates that will expire much quicker than our normal user certificate. So we need a different template to accomplish this. Because this is such a dynamic group of people that are not employees of Landon Cafe, we will need an extra level of approval before these certificates are issued. So let's take a look at how to create that. You've seen before that we can right-click on Certificate Templates, and select Manage. And that will bring us to all of the types of templates that are ready made and available for us to use.
And we could change the properties of any of these templates, and it would change the properties of any future certificates issued from that template. But in our situation, we need to have a different type of certificate altogether. So like we did with the ADFS certificate where we duplicated the web server, we are looking at a user certificate. We're going to duplicate the User Template. This brings us to all of the properties that we can define or change about this template before we publish it.
Right away, we're asked for the lowest version of the security template that we want to support. There are some that get very nervous about allowing certificate recipients of non-supported operating systems. And they want to step things up a bit. There are many more that need to serve a diverse pool of users that could be running on just about any platform, and so they feel the need to be as inclusive, also known as old, as possible. If you select one of the newer options, you're going to be notified of additional properties that will be added or changed because of your choice.
For example, if we upgrade the server side of the equation to Server 2008 R2 and newer, we'll be given the option of not storing certificates and requests in the certificate authority database. That wasn't an option prior to Server 2008 R2. But now we're occasionally using IPsec on very large networks, with thousands of very short-lived certificates being issued every day. We can now choose, in the template, to not overflow the database by putting all of these certificates in the database.
So now, onto some more commonly modified properties. On the General tab, and we've used this before, we can go ahead and give our template a name. Be descriptive here, so it's obvious what the certificate is for. We'll name it Secret Shopper Users. This will help later and it will be friendly to another admin that may share some of your tasks down the road. On this tab you can also set how long the certificate is valid. We mentioned before that one of our requirements was, since this is a dynamic group of users, that we need these certificates to not be available for as long.
So we're going to set our validity period down to just one week. And we're going to be reminded that the renewal is a lot longer than is allowed, especially for our short validity period. So we're going to reduce our renewal period down to three days. That way it won't stay open for weeks and months when we know that these users are going to have a high turnover. This next tab doesn't contain anything we need for this specific scenario, but it does include a check box that you'll want to remember.
Sometimes when exporting a certificate to be installed on another machine, the private key has to be included in the export. On the Request Handling tab is a check box to allow that. If this isn't selected, when you go to export the certificate, including the key in that export will not be an option. There are two other tabs that we'll definitely need to look at for this scenario. The Issuance Requirements tab has a check box for manager approval.
Remember we pointed out that these users are employees of another organization that will have the permission to request or enroll in a certificate. They're not our employees. And to protect access to our resources, we will want our IT staff to be able to verify and approve certificates before they're issued. This is handy for our situation because it gives us that extra check before just handing out certificates. It gives us that window of time to verify the user requesting the certificate is valid before we grant this certificate, and by extension, access to our resources.
And finally, and this is a tab that we've looked at before, the Security tab. You'll notice the list of people that have access. You'll notice Sean Green, our currently logged in user and a member of the group that we granted access, does have the ability to manage the certificate template. We do have these other users that have some access over the template. These are permissions over this specific template, and not over the server as a whole. That's why you see some of these administrative groups still represented.
We created a domain local group for secret shoppers. Through an enterprise trust, they have their users in their domain and we've made them members of our domain local group for access to these resources. And we need to make sure that members of that group have access to this certificate template. So object type is a group. And we're going to do a quick search for our secret shoppers group. Add them to the list. And as we've seen in previous examples, we need to allow them to enroll.
And we can apply those changes. So I'm going to go ahead and click OK. And then I'm going to exit the certificate templates console to get back to the certification authority tool. And once again, the final step to make this template available is to right-click on Certificate Templates, click on New, Certificate Template to Issue. Then we can scroll through and find our secret shopper users template, click OK.
And we now have a Secret Shopper Users template that is intended for the same purposes as a user template, but with properties that are more specific for our needs. Again, and this may sound redundant, keep this list of available templates to the templates for the types of certificates you actually plan to issue. If, as an organization, you decide that this secret shopper partnership is not worthwhile and you don't intend to use it going forward, don't forget to go into Issued Certificates and revoke the ones that have already been issued.
And then under Certificate Templates, select the template that you'd like to discontinue using. Right-click on it and delete it. Treat each line here like a shortcut to a file or other location in Windows. That template still exists back in the Template Management console, so you're not losing the properties that you've set. You're just removing this portal that would allow someone to request it. So we're going to say Yes, we want to disable this certificate template on the certification authority.
If we needed to bring it back, we could, once again, New, Certificate Template to Issue. Because the basic template is still there. But we have limited the number of types of certificates that can be issued by our server. Moving forward, in the next video we're going to take a look at using web enrollment as another method for people to request certificates based on these templates that we have available.
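The settings the video changes by hand (validity and renewal periods, manager approval, exportable private key, and which templates a CA actually publishes) are all stored in Active Directory and can be audited in one pass. The following PowerShell is an added example, not part of the course, and assumes a domain-joined host with the ActiveDirectory module and read access to the Configuration partition; the flag constants are the documented MS-CRTD values.

```powershell
# Added example (not from the course): audit AD CS certificate templates for the
# settings configured in the GUI walkthrough. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Templates and CA objects live in the Configuration naming context, not in the CA database.
$configNC     = (Get-ADRootDSE).configurationNamingContext
$templateBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$caBase       = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

# pKIExpirationPeriod / pKIOverlapPeriod are 8-byte negative FILETIME intervals
# (100 ns ticks), so negate the int64 to get a positive TimeSpan.
function ConvertFrom-PkiPeriod([byte[]]$Bytes) {
    if (-not $Bytes) { return [TimeSpan]::Zero }
    [TimeSpan]::FromTicks(-[BitConverter]::ToInt64($Bytes, 0))
}

# Flag bits from MS-CRTD.
$CT_FLAG_PEND_ALL_REQUESTS = 0x2    # msPKI-Enrollment-Flag: CA certificate manager approval
$CT_FLAG_EXPORTABLE_KEY    = 0x10   # msPKI-Private-Key-Flag: private key may be exported

# Template CNs each CA publishes (the "Certificate Templates" node in the CA console).
# A template absent from this list cannot be requested from that CA.
$published = Get-ADObject -SearchBase $caBase -LDAPFilter '(objectClass=pKIEnrollmentService)' `
    -Properties certificateTemplates | ForEach-Object { $_.certificateTemplates }

Get-ADObject -SearchBase $templateBase -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties displayName, pKIExpirationPeriod, pKIOverlapPeriod,
                'msPKI-Enrollment-Flag', 'msPKI-Private-Key-Flag' |
  ForEach-Object {
    $validity = ConvertFrom-PkiPeriod $_.pKIExpirationPeriod
    $renewal  = ConvertFrom-PkiPeriod $_.pKIOverlapPeriod
    [pscustomobject]@{
        Template               = $_.displayName
        Published              = $published -contains $_.Name
        ValidityDays           = [int]$validity.TotalDays
        RenewalDays            = [int]$renewal.TotalDays
        ManagerApproval        = [bool]($_.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS)
        ExportableKey          = [bool]($_.'msPKI-Private-Key-Flag' -band $CT_FLAG_EXPORTABLE_KEY)
        # The console warns when renewal is not shorter than validity; flag it here too.
        RenewalExceedsValidity = $renewal -ge $validity
    }
  } | Sort-Object Published -Descending | Format-Table -AutoSize
```

Publishing or removing a template from a CA as done in the console corresponds to Add-CATemplate and Remove-CATemplate in the ADCSAdministration module, so the same audit can be re-run after changes to confirm the published list stays limited to templates you intend to issue.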
Note: The topics covered here map to the Configure Identity and Access Solutions domain for Microsoft Certified Solutions Associate (MCSA) Exam 70-412, Configuring Advanced Windows Server 2012 Services. Use these tutorials to study for the exam.
- Implementing Active Directory Federation Services (AD FS)
- Configuring AD FS authentication policies
- Configuring multifactor authentication
- Installing and configuring Active Directory Certificate Services (AD CS)
- Creating certificate templates
- Configuring certificate authority backup and recovery
- Managing certificates, including templates and renewal
- Installing and configuring Active Directory Rights Management Services (AD RMS)