==== Using Dogtag CA ====
Note: the steps below create the CSR on the Windows domain controller, then submit it in the Dogtag web UI under Server. Before submitting, edit the Dogtag profile as described further down so the validity period is what you want (the profile default is 720 days):
Run -> MMC -> Add snap-in -> Certificates -> Local Machine
Personal -> All Tasks -> Advanced Operations -> Create Custom Request -> Proceed without enrollment policy
(No template) Legacy Key | PKCS#10 !!!OR!!! (No Template) CNG + PKCS#10 -> CNG is required if you want the request hashed with SHA-256 or stronger; the legacy CSP path only offers SHA-1
Details -> Properties
Friendly Name: SRV01.domain.local
Subject ->
Subject name: Common Name = SRV01.domain.local
Alternative name: DNS = SRV01.domain.local
Extensions ->
Key Usage: Key encipherment, Digital signature, (check box) Make these key usages critical
Extended Key Usage: Server Authentication, Client Authentication
Include Symmetric algorithm: (check box) Enable this extension
Private Key ->
Key type: Exchange
Cryptographic Service Provider: (check box) Microsoft RSA SChannel Cryptographic Provider (Encryption)
Key options: Keys size = 4096
!!!!OR!!!!
If you used (No Template) CNG
then
Key options: Keys size = 4096
Select Hash Algorithm: Hash Algorithm: sha512
Cryptographic Service Provider: RSA, Microsoft Software Key Storage Provider
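The same request can be scripted with certreq instead of clicking through MMC. This is an added example, not part of the page: the INF asks for what the CNG branch above selects (RSA 4096 in the Microsoft Software Key Storage Provider, SHA-256 request hash, critical Key Usage of digital signature + key encipherment, EKU server and client authentication, SAN = the FQDN). The C:\certs\ paths and file names are my assumptions; the INF keys follow Microsoft's certreq INF format. Whatever tool you use, dump the CSR before submitting and confirm the SAN and key size are what you expect.

```powershell
# Added example, not from the wiki page. Assumes C:\certs\ exists for the files
# and that the request is made on the DC itself (so the key lands in its machine store).
$fqdn = 'SRV01.domain.local'
New-Item -ItemType Directory -Path 'C:\certs' -Force | Out-Null

$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject        = "CN=__FQDN__"
FriendlyName   = "__FQDN__"
; The "(No Template) CNG" branch: key in the Software KSP, so SHA-256 is available.
ProviderName   = "Microsoft Software Key Storage Provider"
KeyAlgorithm   = RSA
KeyLength      = 4096
HashAlgorithm  = sha256
MachineKeySet  = TRUE    ; Local Machine store, where SChannel looks for the DC certificate
Exportable     = FALSE   ; the DC's private key should never leave this box
RequestType    = PKCS10
SMIME          = TRUE    ; "Include Symmetric algorithms"; harmless, not needed for LDAPS
; KeySpec is deliberately not set: "Key type: Exchange" only matters on the legacy CSP path.

[Extensions]
; Key Usage = digitalSignature (bit 0) | keyEncipherment (bit 2), marked critical.
; DER BIT STRING 03 02 05 a0: 5 unused bits, value 0xa0 = 1010 0000.
2.5.29.15 = "{hex}03 02 05 a0"
Critical  = 2.5.29.15
; Subject Alternative Name: the name LDAPS clients will check.
2.5.29.17 = "{text}"
_continue_ = "dns=__FQDN__&"

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1   ; Server Authentication
OID = 1.3.6.1.5.5.7.3.2   ; Client Authentication
'@ -replace '__FQDN__', $fqdn

$infPath = 'C:\certs\SRV01.inf'
$csrPath = 'C:\certs\SRV01.csr'
Set-Content -Path $infPath -Value $inf -Encoding Ascii

# Generates the key pair in the machine store, parks a pending request in
# Cert:\LocalMachine\REQUEST and writes the Base64 PKCS#10 to $csrPath.
certreq.exe -new $infPath $csrPath

# Check what you are about to submit: key size, hash, SAN, KU/EKU.
certutil.exe -dump $csrPath

# Paste this into the "Manual Server Certificate Enrollment" form in the Dogtag UI.
Get-Content $csrPath
```

If certutil -dump shows no Subject Alternative Name, fix the INF and re-run; a certificate whose SAN does not carry the DC's FQDN will be rejected by LDAPS clients even though the CA issues it happily.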
Before submitting the request to the Dogtag CA, edit the profile /var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg on the Dogtag CA server. Change the 720 (days) on the following two lines to the validity period you want. I'm using 8 years (2920 days) since it's just me; whatever you pick, keep it shorter than the subordinate CA's validity period.
policyset.serverCertSet.2.constraint.params.range=720
policyset.serverCertSet.2.default.params.range=720
Then restart the PKI instance:
systemctl restart pki-tomcatd@pki-tomcat.service
Submit the request using the "Manual Server Certificate Enrollment" profile. The validity period entered on the form can be shorter than the profile default, but not longer.
Copy the Base64 PKCS#7 certificate block from the issued certificate page, paste it into an appropriately named text file on the Windows server, and rename the extension to .p7b.
Go back to cert interface on Windows MMC console, right click on Personal and import.
When the .p7b is imported into Personal -> Certificates, the whole chain is imported with it and the DC certificate is paired with the private key generated for the CSR. Export the root certificate and import it into "Trusted Root Certification Authorities", export the sub-CA certificate and import it into "Intermediate Certification Authorities", then delete those two from Personal, leaving only the certificate with the DC's FQDN (the one that shows it has a private key).
Note: if you delete the certificate from the Personal store you can't just re-import a copy you had stored elsewhere: deleting it also deletes the private key, and the copy contains only the public certificate, so SChannel can't use it and LDAPS won't work. Submit a new CSR and install a brand new certificate in this case.
Note: test LDAPS using LDP.exe: Connection -> Connect, enter the FQDN of the domain controller, port 636, and tick SSL. If you're testing from another domain controller, install the root and intermediate certificates on that one first, or its connection to the LDAPS-enabled DC will fail certificate validation.
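The import, store clean-up and LDP.exe test above, scripted in PowerShell. This is an added example and not part of the page: it assumes the Dogtag PKCS#7 block was saved as C:\certs\SRV01.p7b and that the CSR was generated on this same server, so the pending private key is in its machine store. The chain build and the LDAPS bind are the checks that tell you the root and sub-CA landed in the right stores and that the DC certificate still has its key.

```powershell
# Added example, not from the wiki page. Paths and the FQDN are assumptions.
$fqdn = 'SRV01.domain.local'

# Pair the issued certificate with the pending key from the CSR (what the MMC import does).
certreq.exe -accept 'C:\certs\SRV01.p7b'

# The PKCS#7 also dropped the root and sub-CA into Personal. Move each to where it belongs:
# self-issued -> Trusted Root ("Root"), any other key-less cert -> Intermediate ("CA").
Get-ChildItem Cert:\LocalMachine\My | Where-Object { -not $_.HasPrivateKey } | ForEach-Object {
    $store = if ($_.Subject -eq $_.Issuer) { 'Root' } else { 'CA' }
    $tmp = "C:\certs\$($_.Thumbprint).cer"
    Export-Certificate -Cert $_ -FilePath $tmp | Out-Null
    Import-Certificate -FilePath $tmp -CertStoreLocation "Cert:\LocalMachine\$store" | Out-Null
    Remove-Item -Path "Cert:\LocalMachine\My\$($_.Thumbprint)"
}

# What remains in Personal must be the DC certificate with its private key.
$dc = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$fqdn" }
if (-not $dc -or -not $dc.HasPrivateKey) {
    throw "No certificate with a private key for $fqdn in LocalMachine\My; LDAPS cannot work"
}
$dc | Format-List Subject, Issuer, NotAfter, HasPrivateKey, DnsNameList, EnhancedKeyUsageList

# Build the chain the way SChannel will; this fails if a CA cert sits in the wrong store.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($dc)) {
    throw (($chain.ChainStatus | ForEach-Object { $_.StatusInformation }) -join '; ')
}

# Scripted LDP.exe test: LDAP over SSL on 636 against the FQDN that is in the certificate.
# Run this from another DC only after its stores hold the root and intermediate.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($fqdn, 636)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType = [System.Directory-Services.Protocols.AuthType]::Anonymous
$conn.Bind()    # throws if the TLS handshake or the certificate validation fails
"LDAPS bind to $fqdn on 636 succeeded"
$conn.Dispose()
```

Always connect by the FQDN, never by IP address: name validation compares the host you asked for with the SAN, and the certificate only carries the FQDN.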
Note: to install the trusted root and sub/intermediate certificates on Rocky Linux 8 (so it trusts the Windows DC's LDAPS certificate), export both the root and the sub-CA certificates from the DC in Base64 format, copy them to /etc/pki/ca-trust/source/anchors/ and run update-ca-trust.
====Using Windows CA====
This is used to allow external, non-domain-joined servers/computers that bind to Active Directory to do so securely (e.g. Zimbra with AD authentication, Openfire, Dokuwiki, Kanboard, etc.)
1.) Setup PKI by creating a root CA that will be kept offline (reference)
2.) Setup Windows subordinate CA that will issue certificates (reference)
3.) Create certificates for domain controllers (see below)
4.)
5.) Open Group Policy on a domain controller, create a new policy named "Certificate Enrollment Domain Controllers" or similar in the OU that houses the domain controllers.
Log into a Domain Controller server as a member of the Enterprise Administrators group.
Open the GPMC: gpmc.msc
Within the appropriate GPO applied to the Domain Controllers, go to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\
Configure Certificate Services Client – Auto-Enrollment with the following options:
Configuration Model:Enabled.
Renew Expired Certificates, Update Pending Certificates, Remove Revoked Certificates: check all the boxes.
Apply the group policy: run gpupdate /force on the domain controller, or wait for the normal policy refresh interval.
Open MMC.exe -> File -> Add/Remove Snap-in -> Certificates -> Computer account -> Local computer -> Personal and you should see the new certificate issued today (this requires an issuing CA whose domain controller template grants the Domain Controllers group Enroll and Autoenroll permissions).
6.) Export the root CA certificate from the CA created at step 1 in order to deploy it to domain joined computers via group policy.
6a) Go to the root CA via web browser https://domain.name.or.ip:8443/ca/agent/ca/ -> click on "List Certificates" -> Find -> Select the one with Serial number 0x1 (might be called CA Signing Certificate) -> highlight and copy the block below "Base 64 encoded certificate with CA certificate chain in pkcs7 format" -> create a text document on the desktop of a Windows domain controller -> paste the contents into the file -> rename the file root-ca.server.name.p7b
6c)
To distribute the CA certificates to client computers by using Group Policy:
On a domain controller in the forest, start the Group Policy Management snap-in.
Find an existing Group Policy Object (GPO) or create a new GPO to contain the certificate settings. Ensure that the GPO is linked to the domain, site, or organizational unit (OU) where the appropriate user and computer accounts reside.
Right-click the GPO, and then click Edit.
In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies, right-click Trusted Root Certification Authorities, and then click Import.
On the Welcome to the Certificate Import Wizard page, click Next.
On the File to Import page, type the path to the root CA certificate exported in step 6a, and then click Next.
On the Certificate Store page, click Place all certificates in the following store, and then click Next.
On the Completing the Certificate Import Wizard page, verify that the information you provided is accurate, and then click Finish.
Repeat the import for the subordinate CA certificate, this time right-clicking Intermediate Certification Authorities so it does not end up in the trusted root store.
Run a gpupdate /force to deploy it.
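Steps 5 and 6 scripted in PowerShell, as an added example that is not part of the page. It assumes the Dogtag chain export from step 6a was saved as C:\certs\root-ca.server.name.p7b, that the domain controllers live in the default "Domain Controllers" OU, and that the GroupPolicy and ActiveDirectory modules are installed (RSAT). Instead of the GPO import wizard it publishes the CA certificates to Active Directory with certutil -dspublish, the AD-native way to get them into every domain member's Trusted Root and Intermediate stores; the AEPolicy value 7 is what the GPO editor writes for "Enabled" with the renew/update/remove options ticked.

```powershell
# Added example, not from the wiki page. Paths, GPO name and OU are assumptions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# 1. Pull the root and sub-CA certificates out of the Dogtag PKCS#7 export (step 6a).
$p7b   = 'C:\certs\root-ca.server.name.p7b'
$certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$certs.Import($p7b)
$root = $certs | Where-Object { $_.Subject -eq $_.Issuer }   # self-issued = root
$sub  = $certs | Where-Object { $_.Subject -ne $_.Issuer }   # everything else = issuing sub-CA
if (-not $root -or -not $sub) { throw "Expected a root and a sub-CA in $p7b" }
Export-Certificate -Cert $root -FilePath 'C:\certs\root-ca.cer' | Out-Null
Export-Certificate -Cert $sub  -FilePath 'C:\certs\sub-ca.cer'  | Out-Null

# 2. Trust distribution (step 6). Publishing to the configuration partition makes every
#    domain member pull the root into Trusted Root and the sub-CA into Intermediate on its
#    next policy refresh; needs Enterprise Admin rights.
certutil.exe -dspublish -f 'C:\certs\root-ca.cer' RootCA
certutil.exe -dspublish -f 'C:\certs\sub-ca.cer'  SubCA
# If the sub-CA also issues logon (Kerberos/smart card) certificates, it must be in NTAuth too:
#   certutil.exe -dspublish -f 'C:\certs\sub-ca.cer' NTAuthCA

# 3. Auto-enrollment GPO for the domain controllers (step 5).
$gpoName = 'Certificate Enrollment Domain Controllers'
$domain  = (Get-ADDomain).DistinguishedName            # e.g. DC=domain,DC=local
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
New-GPLink -Name $gpoName -Target "OU=Domain Controllers,$domain" -ErrorAction SilentlyContinue | Out-Null
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' `
    -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null

# 4. Apply on this DC and verify the stores.
gpupdate.exe /force | Out-Null
$trusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
$inter   = Get-ChildItem Cert:\LocalMachine\CA   | Where-Object { $_.Thumbprint -eq $sub.Thumbprint }
if (-not $trusted) { throw 'Root CA not yet in Trusted Root; wait for replication and rerun gpupdate' }
if (-not $inter)   { throw 'Sub-CA not yet in Intermediate CAs; wait for replication and rerun gpupdate' }

# Any certificate the sub-CA issued to this DC, e.g. via auto-enrollment.
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Issuer -eq $sub.Subject } |
    Format-List Subject, Issuer, NotBefore, NotAfter, HasPrivateKey
```

The last check is the one to watch on non-DC members as well: a machine that trusts the root but never received the sub-CA in its Intermediate store will still fail to validate the DC certificate unless the DC sends the full chain during the TLS handshake.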