3. Right-click CertAutoGPO and click Edit. In Group Policy Management Editor (GPME), click to expand User Configuration, Policies, Windows Settings, Security Settings, and Public Key Policies. Click Public Key Policies in the left pane. In the right pane, double-click Certificate Services Client - Auto-Enrollment.
4. In the Define Policy Settings tab, click the Configuration Model list arrow and click Enabled. Click the Renew expired certificates, update pending certificates, and remove revoked certificates check box and the Update certificates that use certificate templates check box. Click OK.
5. Close GPME. In GPMC, right-click the domain node and click Link an Existing GPO. In the Select GPO list box, click CertAutoGPO, and then click OK. Close GPMC.
6. Log on to Server1XX as Administrator and open Server Manager.
7. In the left pane, click to expand the Roles node and the Active Directory Certificate Services node. Click Certificate Templates to list the available templates in the right pane.
8. Double-click EFS-2008 to open its Properties dialog box, and then click the Security tab. Click Domain Users, click the Autoenroll permission in the Allow column, and then click OK.
9. In the left pane of Server Manager, right-click the CA server node (w2k8adXX-Server1XX-CA), and click Properties.
10. Click the Policy Module tab, and then click Properties. In the Request Handling tab, verify that the Follow the settings in the certificate template, if applicable option button is selected. Click Cancel twice.
11. Click the CA server node, and then double-click the Certificate Templates folder. The listed templates represent the certificates this CA can issue. Right-click the Certificate Templates folder, point to New, and click Certificate Template to Issue.
12. In the Enable Certificate Templates dialog box, click EFS-2008, and then click OK. Your CA is now ready to issue EFS certificates through autoenrollment.
13. Stay logged on and leave Server Manager open.
Activity 11-5: Testing EFS Certificate Autoenrollment
Time Required: 20 minutes
Objective: Test EFS certificate autoenrollment.
Description: You have configured a certificate template to autoenroll Domain Users with an EFS certificate. You test the configuration by logging on to the domain from your Vista computer, and then verifying that a new certificate has been issued. (Note: Your domain controller and CA server as well as your Vista computer must be running. If you're using virtual machines and can't accommodate three running simultaneously, you can log on to the domain controller instead of the Vista computer.)
1. Log on to the domain from your Vista computer as salesperson1.
2. When you log on, autoenrollment of user certificates takes place. To verify that the EFS-2008 certificate has been issued, you can view your certificates. Click Start, type MMC in the Start Search text box, and press Enter.
3. Click File, Add/Remove Snap-in from the MMC menu. In the Available snap-ins list box, click Certificates, and then click Add. Click OK.
4. In the left pane, click to expand Certificates - Current User and Personal, and then click Certificates. The issued EFS-2008 certificate is displayed in the right pane (see Figure 11-11).
5. In the left pane, click to expand Trusted Root Certification Authorities and click the Certificates folder to view certificates of CAs your computer trusts. Your CA should be listed at the bottom.
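The checks in steps 4 and 5 can also be made from a PowerShell prompt in the same logon session. The script below is an added example, not part of the original activity; it assumes PowerShell 2.0 or later is installed on the client and that the issuing CA is itself a root CA, so its subject appears in the user's Trusted Root Certification Authorities store. The function name Get-EfsCertificate is hypothetical.

```powershell
# Added example (not from the original activity): confirm that autoenrollment
# placed an EFS certificate in the current user's Personal store and that its
# issuer is trusted. Run as the user who logged on in step 1.

# Enhanced key usage OID for Encrypting File System.
$efsOid = '1.3.6.1.4.1.311.10.3.4'
# OID of the Certificate Template Information extension (version 2 templates).
$templateOid = '1.3.6.1.4.1.311.21.7'

function Get-EfsCertificate {
    # Return Personal-store certificates whose EKU extension lists the EFS OID.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $eku -and (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $efsOid)
    }
}

# Subjects of every CA certificate the user trusts as a root (step 5).
$rootSubjects = @(Get-ChildItem Cert:\CurrentUser\Root | ForEach-Object { $_.Subject })

$found = @(Get-EfsCertificate)
if ($found.Count -eq 0) {
    # Assumption: policy has not applied yet. Refresh it with
    #   gpupdate /target:user /force
    # then log off and on again before rerunning this check.
    Write-Warning 'No EFS certificate found in Cert:\CurrentUser\My.'
}

foreach ($cert in $found) {
    # The template extension text should name the EFS-2008 template from step 12.
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
    $template = '(no version 2 template extension)'
    if ($ext) { $template = $ext.Format($false) }

    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey      # must be True for EFS to decrypt
        Template      = $template
        IssuerTrusted = ($rootSubjects -contains $cert.Issuer)
    } | Format-List
}
```

A certificate that shows HasPrivateKey as False or IssuerTrusted as False was not delivered correctly by autoenrollment and should be investigated before users rely on it for EFS.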