Configuring the Certificate Framework

  1. On your Windows server, navigate to Start > Windows Administrative Tools > Certification Authority.

  2. In the "Certification Authority (Local)" list, expand your domain address, and then click Certificate Templates.

  3. To manage templates or view their configuration properties, right-click Certificate Templates, and choose Manage.
    The Certificate Templates Console will open.

    Note: Building the 802.1X certificate template from a RAS and IAS certificate template ensures that the resulting certificate is created correctly. When creating your 802.1X certificate template, you can duplicate the RAS and IAS Server certificate template, which is available with all Windows Server installations.

  4. Double-click the certificate template to open the Properties window.

  5. On the General tab, ensure the following:

    • The Template display name and Template name fields match.

    • The Publish Certificate in Active Directory checkbox is selected.

  6. On the Subject Name tab, ensure the following:

    • The Subject name format field is set to "Common Name".

    • User principal name (UPN) is the only checkbox selected in the Include this information in alternate subject name list of options.

  7. Click the Security tab and do the following:

    1. In the Group or user names list, click RAS and IAS Servers.

    2. Ensure the Allow checkboxes are selected for Enroll and Autoenroll.

    3. In the Group or user names list, click Authenticated Users.

    4. Ensure the Allow checkboxes are selected for Read, Enroll, and Autoenroll.

  8. (Optional) If you plan to use SCEP to issue certificates, you must complete the following additional steps:

    1. Click the General tab in the Properties window.

    2. Right-click the default template that SCEP uses, "IPSec (Offline Request)", and choose Duplicate Template.

    3. Enter a name for the new template.

    4. Ensure the Validity period field is set to 2 years.

    5. Select the Publish certificate in Active Directory checkbox.

    6. Click the Cryptography tab.

    7. In the Minimum key size field, enter "2048".

    8. Select the Microsoft RSA SChannel Cryptographic Provider checkbox.

    9. Click the Extensions tab.

    10. Select Application Policies, and then click Edit.

    11. Ensure only Client Authentication is displayed for the policies.

    12. If an IKE policy exists, remove it.

    13. Click the Security tab.

    14. Select the Administrator group, and then select the Allow checkbox for the Enroll permission.

    15. Select the svc_ndes group, and then select the Allow checkbox for the Enroll permission.

    16. Click the Subject Name tab.

    17. Ensure the Supply in the request option is selected, because a SCEP request carries no Active Directory identity from which the CA could build the subject name.

    18. Close the Properties window.

The certificate framework should now be configured, and you should now be able to issue certificates based on the configured templates. You are now ready to create a certificate for the RADIUS server to present to the client machine.
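Before moving on, it is worth confirming that the templates stored in Active Directory actually carry the settings the steps above set in the console. The following PowerShell audit is an added example, not part of the Jamf documentation or of any Jamf tooling; it assumes the ActiveDirectory module, read access to the Configuration partition, hypothetical template names (8021X and SCEP-8021X), and flag bit values and EKU OIDs as published in Microsoft's MS-CRTD template specification.

```powershell
# Added example: audit an 802.1X certificate template in AD against the settings above.
# Assumes the ActiveDirectory module; template names below are hypothetical placeholders.
Import-Module ActiveDirectory

function Get-CertTemplate {
    param([Parameter(Mandatory)][string]$Name)
    $cfg = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg" `
        -Filter "cn -eq '$Name'" `
        -Properties displayName, flags, msPKI-Certificate-Name-Flag, msPKI-Minimal-Key-Size,
                    pKIExtendedKeyUsage, pKIExpirationPeriod
}

function Test-CertTemplate {
    param([Parameter(Mandatory)][string]$Name, [switch]$Scep)
    $t = Get-CertTemplate -Name $Name
    if (-not $t) { throw "Template '$Name' not found in Active Directory" }
    # Bit values from MS-CRTD (flags and msPKI-Certificate-Name-Flag attributes).
    $PUBLISH_TO_DS = 0x8; $ENROLLEE_SUPPLIES_SUBJECT = 0x1
    $SAN_REQUIRE_UPN = 0x02000000; $SAN_ANY = 0x0FC00000; $SUBJECT_REQUIRE_CN = 0x40000000
    $ClientAuth = '1.3.6.1.5.5.7.3.2'; $IkeIntermediate = '1.3.6.1.5.5.8.2.2'
    $nameFlags = [int64]$t.'msPKI-Certificate-Name-Flag'
    # pKIExpirationPeriod is a negative 64-bit interval in 100 ns units; convert to days.
    $ticks = [BitConverter]::ToInt64($t.pKIExpirationPeriod, 0)
    $days  = (-$ticks) / 864000000000
    $checks = [ordered]@{
        'Display name matches template name' = ($t.displayName -eq $t.Name)
        'Published to Active Directory'      = (($t.flags -band $PUBLISH_TO_DS) -ne 0)
    }
    if ($Scep) {
        # SCEP template: subject supplied in request, 2048-bit keys, 2-year validity,
        # Client Authentication as the only application policy (no IKE intermediate).
        $checks['Subject supplied in request'] = (($nameFlags -band $ENROLLEE_SUPPLIES_SUBJECT) -ne 0)
        $checks['Minimum key size 2048']       = ($t.'msPKI-Minimal-Key-Size' -ge 2048)
        $checks['Validity period 2 years']     = ($days -ge 729 -and $days -le 732)
        $checks['Only Client Authentication']  = ((@($t.pKIExtendedKeyUsage) -join ',') -eq $ClientAuth)
        $checks['No IKE intermediate policy']  = ($t.pKIExtendedKeyUsage -notcontains $IkeIntermediate)
    } else {
        # AD-backed 802.1X template: CN subject, UPN as the only SAN, subject built by the CA.
        $checks['Subject name is Common Name']     = (($nameFlags -band $SUBJECT_REQUIRE_CN) -ne 0)
        $checks['UPN is the only SAN entry']       = (($nameFlags -band $SAN_ANY) -eq $SAN_REQUIRE_UPN)
        $checks['Subject not supplied in request'] = (($nameFlags -band $ENROLLEE_SUPPLIES_SUBJECT) -eq 0)
    }
    [pscustomobject]$checks   # each property is $true (pass) or $false (fail)
}

Test-CertTemplate -Name '8021X'           | Format-List
Test-CertTemplate -Name 'SCEP-8021X' -Scep | Format-List
```

Any property that comes back False points at the tab to revisit in the Certificate Templates Console; enrollment permissions are not covered here and should still be verified on the Security tab.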

Note: If a template needs to be re-created, close the Certificate Templates Console, and look for the template in the Certificate Templates folder in the certsrv window. If it is not there, right-click Certificate Templates, and choose New > Certificate Template to Issue. You can then select the template from a list, and then add it to the CA. When done, close the Certificate Templates Console.

© copyright 2002-2021 Jamf. All rights reserved.