READ this first: KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)
On the server where you want to install the Certificate Authority role:
open PowerShell (as Administrator):
Get-WindowsFeature | Out-GridView -PassThru | Add-WindowsFeature -Verbose
*Did you know:
You can highlight specific text to execute, then press F8. This will execute only the highlighted text.
You can place the cursor anywhere on any line, press F8, and the entire line will be executed.
Your results should look similar to below.
Verify that the features appear as below:
Get-WindowsFeature | Where Name -Like *adcs*
You will be prompted to configure the Certificate Services.
Open Certification Authority from Server Manager
Test the web enrollment site…
Make sure you have an appropriate template for use with SCOM clients
Find the Computer template, right click it and select Duplicate Template.
(I borrowed a few of these screenshots and text from BILLY YORK. Saved me a bit of copy/paste.)
In the Properties of New Template, on the Compatibility tab, make sure Show resulting changes is checked, Certification Authority is Windows Server 2003 and Certificate Recipient is Windows XP / Server 2003.
Note: at the time that this screenshot was taken, these operating system versions were basically the lowest common denominator in my lab environment. Do what is appropriate for your environment.
Under the General tab, give the Template a Name and set the Validity period to something appropriate for your use.
On the Request Handling tab, make sure Purpose is set to Signature and encryption and check Allow private keys to be exported.
*Why “allow private keys to be exported”? The intended target machine will likely not have access to the certificate server because it is not trusted, which is probably why you need to create a certificate for it in the first place. This procedure is meant to be performed on a trusted machine that can reach the certificate request site/URL (which is likely not possible from the intended target machine); the certificate and its private key are then exported and imported on the intended target machine.
If you don’t want to allow the private key to be exportable, the alternative is to grant the untrusted intended target server access to the certificate authority request website so it can download and import the client certificate directly.
On the Cryptography tab check Microsoft Enhanced Cryptographic Provider 1.0 and Microsoft RSA SChannel Cryptographic Provider.
On the Authentication tab, grant Authenticated Users the Enroll permission.
On the Extensions tab, under Application Policies, make sure Client Authentication and Server Authentication are listed.
On Key Usage make sure Digital Signature is checked.
On the Subject Name tab, select Supply in the request.
Click Apply and OK to save the template.
Next, right click on Certificate Templates and select New -> Certificate Template to Issue.
Then select the newly created SCOM Client Cert template.
The template now appears in the web enrollment dropdown list.
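As an added check (not part of the original post), the following PowerShell reads the finished template back out of the Configuration partition and reports the settings that matter from a security standpoint: because the subject name is supplied in the request and Authenticated Users hold Enroll, any account that can authenticate can request a client-authentication certificate with a subject of its choosing, so the script flags the template for review unless CA certificate manager approval or an authorized signature is required. It assumes the RSAT ActiveDirectory module and read access to the Configuration partition; the template name SCOMClientCert is a placeholder for whatever you entered on the General tab.

```powershell
# Added audit script (not from the original post). Reads a certificate template from
# AD and reports the enrollment-related settings configured in the steps above.
param([string]$TemplateName = 'SCOMClientCert')   # placeholder: use your template's name

Import-Module ActiveDirectory

# Flag bits and OIDs from the AD CS certificate template schema.
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag: "Supply in the request"
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # msPKI-Enrollment-Flag: CA certificate manager approval
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'
$EnrollRight   = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right

$configNC     = (Get-ADRootDSE).configurationNamingContext
$templateBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$t = Get-ADObject -SearchBase $templateBase `
        -LDAPFilter "(&(objectClass=pKICertificateTemplate)(cn=$TemplateName))" `
        -Properties 'msPKI-Certificate-Name-Flag','msPKI-Enrollment-Flag',
                    'pKIExtendedKeyUsage','msPKI-RA-Signature','nTSecurityDescriptor'
if (-not $t) { throw "Template '$TemplateName' not found under $templateBase" }

$subjectSupplied    = ($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
$approvalRequired   = ($t.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
$signaturesRequired = [int]$t.'msPKI-RA-Signature'
$ekus               = @($t.pKIExtendedKeyUsage)

# Principals allowed to enroll: an Allow ACE for the Enroll right, or GenericAll on the template.
$enrollers = $t.nTSecurityDescriptor.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   ($_.ObjectType -eq $EnrollRight -or $_.ActiveDirectoryRights -match 'GenericAll') } |
    Select-Object -ExpandProperty IdentityReference -Unique

[pscustomobject]@{
    Template                = $t.Name
    EnrolleeSuppliesSubject = $subjectSupplied
    ClientAuthEKU           = $ekus -contains $ClientAuthOid
    ServerAuthEKU           = $ekus -contains $ServerAuthOid
    ManagerApprovalRequired = $approvalRequired
    AuthorizedSignatures    = $signaturesRequired
    EnrollAllowedTo         = ($enrollers -join '; ')
    # True when any enroller can obtain a client-auth cert for an arbitrary subject without review.
    ReviewNeeded            = $subjectSupplied -and ($ekus -contains $ClientAuthOid) -and
                              -not $approvalRequired -and ($signaturesRequired -eq 0)
}
```

If ReviewNeeded comes back True, the usual mitigations are to require CA certificate manager approval on the Issuance Requirements tab or to narrow the Enroll permission to the specific SCOM computer accounts that need it.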