Onboard devices using your own root certificate authority and Group Policy
In this topic, you will learn how to create your own certificate authority in Windows Server, generate user certificates using Group Policy, and then use these certificates to onboard devices.
Create a Certification Authority
In this section, you will learn how to configure Windows Server with an Active Directory Certificate Services role, and create and configure the Certification Authority (CA).
-
In the Server Manager > Dashboard window, click on the
Manage top menu and select the Add Roles and Features option to
open the Add Roles and Features Wizard.
Result: The Active Directory Certificate Services will be installed in the background.
-
In the Server Manager > Dashboard window, click on the AD CS option
in the left-hand side menu, and then click on the More link in the warning
notification.
-
In the All Servers Task Details and Notifications window, click on the Configure
Active Directory Certificate Services link to open the AD CS Configuration
wizard.
Create a certificate template
In this section, you will learn how to create a certificate template, which you will later distribute via GPO to client devices so they can request certificates from the CA.
-
In the Windows search bar, start typing certification authority and then click on the
Certification Authority app icon.
-
In the Certification Authority app window, expand your CA node, right-click on the
Certificate Templates entry, and from the context menu, select the
Manage option.
-
In the Certificate Templates Console window, scroll down to the User
entry, right-click on it, and from the context menu, select the Duplicate Template
option.
-
In the Properties of New Template window, in the General tab, enter a
name for the new user template.
If you change the Template display name, the Template name field changes accordingly.
In this example, we used the name Vorlon but you can use any name you like.
-
In the Subject Name tab, make sure that the Build from this Active Directory
information option is selected and that the Include e-mail name in subject
name checkbox is active.
Important: All users that you want to automatically enroll with a certificate need to have an email address specified in their Active Directory. If there is no email specified for a given user, enrollment will fail.
-
In the Security tab, make sure that any users that you want to automatically enroll with a
certificate have an active checkbox in the Autoenroll row in the Allow
column.
- Click on the OK button to close the Properties of New Template window and close the Certificate Templates Console window.
-
In the Certificate Authority app window, expand your CA node, right-click on the
Certificate Templates entry, and from the context menu, select the option.
-
In the Enable Certificate Templates window, scroll to the newly created template, select it,
and then click on the OK button.
Configure certificate enrollment via Group Policy
In this section, you will learn how to configure the Group Policy to automatically enroll client devices with user certificates.
-
In the Windows search bar, start typing group policy management and then click on the
Group Policy Management app icon.
-
In the Group Policy Management app window, expand: , then right-click on the Group Policy Objects entry, and from the context
menu, select the New option.
-
In the New GPO window, enter the name for the new group policy object, and then click on the
OK button.
In this example, we used the name Certificate policy but you can use any name you like.
-
Right-click on the newly created group policy object, and from the context menu, select the
Edit option.
-
In the Group Policy Management Editor window, expand , click on the Public Key Policies option, and in the right-hand side pane,
right-click on the Certificate Services Client - Auto-Enrollment entry and from the context
menu, select the Properties option.
-
In the Certificate Services Client - Auto-Enrollment Properties window, in the
Configuration Model section, select the Enabled option, activate
the checkboxes Renew expired certificates, update pending certificates, and remove revoked
certificates and Update certificates that use certificate templates, and then
click on the OK button.
- Close the Group Policy Management Editor window.
-
In the Group Policy Management window, right-click on your domain name, and from the context
menu, select the Link an Existing GPO option.
-
In the Select GPO window, select the GPO you just created, and then click on the
OK button.
Export the root CA certificate
In this section, you will export the root CA certificate so that you can upload this certificate to Portnox™ Cloud. This will let Cloud verify the validity of certificates issued by your CA.
-
In the Windows search bar, start typing certification authority and then click on the
Certification Authority app icon.
-
In the Certification Authority app window, right-click on your CA node, and select the
Properties option to open the Properties window.
-
In the Properties window, in the General tab, click on the
View Certificate button to open the Certificate window.
-
In the Certificate window, go to the Details tab, and then click on
the Copy to File button to open the Certificate Export Wizard.
-
In the Certificate Export Wizard window, click on the Next button to go
to the Export File Format step, and select DER encoded binary X.509
(.CER) format, then click on the Next button.
- In the next step, select a file to export to, click on the Next button, and then click on the Finish button to finish exporting the certificate.
Result: Your root CA certificate will be exported to a file with a cer extension, in the DER encoded binary X.509 format.
Upload the root CA certificate to Cloud
In this section, you will upload the exported root CA certificate as a tenant CA certificate to Portnox™ Cloud. This will let Cloud recognize and authenticate your devices that have user certificates, which you generated using your own root CA.
- Open the Portnox Cloud portal.
-
In the Cloud portal top menu, click on the Settings option.
-
In the Cloud portal left-hand side menu, click on the
option.
-
In the TRUSTED ROOT CERTIFICATES section, click on the Upload trusted root
certificate generated by “Your tenant name” link. Then, select the file using the ↥ button and click on the Save button to upload the
file.
Create a GPO for wired network authentication
If you want to control your wired network configuration using a GPO, you can create a GPO object to configure the wired network.
-
In the Windows search bar, start typing group policy management and then click on the
Group Policy Management app icon.
-
Create a GPO for wired network configuration.
-
Configure the new wired network configuration GPO:
-
Link the wired network configuration GPO to an organizational unit or domain:
Create a GPO for wireless network authentication
If you want to control your wireless network configuration using a GPO, you can create a GPO object to configure the wireless network.
-
In the Windows search bar, start typing group policy management and then click on the
Group Policy Management app icon.
-
Create a GPO for wireless network configuration.
-
Configure the new wireless network configuration GPO:
-
Link the wireless network configuration GPO to an organizational unit or domain: