Page 10 of 39
Domain Membership
A Certification Authority does not need to run on the domain controller, but it
should be on a server that is a member of the domain.
This document uses Microsoft Windows Server 2008 R2 Enterprise for the examples (see note 2); however, most
Windows servers should also work, with some possible differences. Installing Microsoft Windows is outside
Note 2: Only Windows Server 2008 Enterprise or Windows Server 2008 Datacenter. Other versions (except
Windows Server 2008 Web) support a more limited version called a Standalone CA. For more information,
please see the appropriate Microsoft documentation.
April-2012-1
Microsoft's CA may be run on any Windows Server 2008 or 2003 server, including domain controllers. There may
be some configuration differences.
4. Click Next
5. Click Next to begin the installation
10. The next option is the type of CA. Unless there are other CAs in your
organization, you should always choose Root CA
12. Select Create a new private key in the next screen. This is the default
unless you are re-installing the CA and want to keep any existing certificates
13. Click Next
14. The default cryptography is fine, click Next to accept and continue
15. The next screen gives you a chance to enter the name for the CA. This should
be the hostname of the system as a client would see it via DNS. It is the name
that will show up as the certificate issuer in any certificates it creates
16. Click Next
17. Unless you have different requirements, accept the default validity period of 5
years for the certificate the CA will issue to itself.
18. Click Next
19. Click Next to accept the default location for the certificate database
20. If there are any components that the CA requires that are not already
installed, you will be prompted to install them next. E.g. web enrollment
requires IIS. You may accept the defaults for these components unless you
plan to use them for other applications
21. At the end, you will be presented with a summary screen listing the
installation and configuration options. Check this screen carefully before
clicking the Install button.
7. Click on Certificate Templates for this instance and verify the templates were
installed. At a minimum, you will need the Computer, User and Workstation
Authentication templates (see note 5)
8. Next click on the plus sign next to the CA instance name to expand it
9. Click on Issued Certificates and verify at least one certificate has been issued
to the CA itself. There may be other certificates if the server has other roles
such as domain controller
Note 5: If you are not issuing certificates to machines, only the User template is required
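The templates in step 7 are published to the CA as entries in Active Directory, so the same check can be
scripted from any domain-joined machine instead of the Certification Authority console. The following
PowerShell is an added example, not code from the Ruckus application note: it reads the CA's
pKIEnrollmentService object from the forest Configuration partition (which only an Enterprise CA has), lists
the templates published on it, flags any of the three required ones that are missing, and records the CA
certificate thumbprint for later trust checks on clients. The CA name "ca.example.com" is an assumed
placeholder; substitute the name entered in step 15.

```powershell
# Added example, not part of the Ruckus application note. Runs on any
# domain-joined machine with Windows PowerShell 2.0 or later; no RSAT needed.
# Assumption: the CA was named "ca.example.com" in step 15 (placeholder).

function Get-EnterpriseCaInfo {
    param([Parameter(Mandatory=$true)][string]$CaName)

    # Enterprise CAs register a pKIEnrollmentService object under the forest's
    # Configuration partition; a Standalone CA never appears here.
    $rootDse   = [ADSI]"LDAP://RootDSE"
    $configNc  = [string]$rootDse.Properties["configurationNamingContext"].Value
    $container = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"

    # Internal template names: the "Computer" template is stored as "Machine"
    # and "Workstation Authentication" as "Workstation".
    $required = @('User', 'Machine', 'Workstation')

    foreach ($ca in $container.Children) {
        if ([string]$ca.Properties["cn"].Value -ne $CaName) { continue }

        # certificateTemplates is multi-valued: one internal name per published template
        $published = @()
        foreach ($t in $ca.Properties["certificateTemplates"]) { $published += [string]$t }
        $missing = @($required | Where-Object { $published -notcontains $_ })

        # cACertificate holds the DER-encoded CA certificate that clients must trust
        $der  = [byte[]]$ca.Properties["cACertificate"][0]
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$der)

        return New-Object PSObject -Property @{
            CaName             = $CaName
            Host               = [string]$ca.Properties["dNSHostName"].Value
            IsEnterpriseCa     = $true
            CaSubject          = $cert.Subject
            SelfSigned         = ($cert.Subject -eq $cert.Issuer)   # expected for a Root CA
            Thumbprint         = $cert.Thumbprint                   # keep this for the client check
            CaCertExpires      = $cert.NotAfter
            PublishedTemplates = $published
            MissingTemplates   = $missing
        }
    }

    # Not registered in AD: either the name is wrong or the CA is a Standalone CA
    return New-Object PSObject -Property @{ CaName = $CaName; IsEnterpriseCa = $false }
}

# Usage: list what the CA publishes and flag anything step 7 requires that is absent
$info = Get-EnterpriseCaInfo -CaName 'ca.example.com'
$info | Format-List
if (-not $info.IsEnterpriseCa) {
    Write-Warning "CA not registered in AD (Standalone CA or wrong name)"
} elseif ($info.MissingTemplates.Count -gt 0) {
    Write-Warning ("Templates not published: " + ($info.MissingTemplates -join ', '))
}
```

The thumbprint this prints is the value to compare against on clients: a certificate with the same subject
name but a different thumbprint in a client's Trusted Root store is not the CA you just built.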
Configure RADIUS
Before a WLAN can be configured to support 802.1X, a RADIUS server must be
configured. All Windows servers include an optional RADIUS server component (NPS on
Windows Server 2008 and later, IAS on Windows Server 2003).
For more information on how to install and configure this for Wi-Fi
authentication, please refer to the Ruckus application notes for NPS or IAS,
depending on your installation. Ruckus offers step-by-step guides for both, and Microsoft also has
detailed documentation.
There are several different ways to install the root CA certificate on a client. The
easiest are:
6. Right click on Trusted Root Certification Authorities and select Import. This
will launch the Certificate Import Wizard
7. Click Next
8. When prompted, browse to the location of the root certificate file
9. Make sure the certificate will be imported into the Trusted Root Certification
Authorities store
13. You can make sure the group policy is updated immediately with the
gpupdate command. This is run from a command window with administrator
rights. The syntax is:
gpupdate /force
The group policy is now complete. Domain machines pick up the certificate at the next
policy refresh (or the next login), after which it is trusted for every user of that machine. You can test
this by logging into a domain machine. Open Internet Options, then Content > Certificates, and verify the
certificate shows up on the Trusted Root Certification Authorities tab.
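To verify the distribution without clicking through Internet Options, the following PowerShell is an added
example, not code from the Ruckus document. It optionally refreshes policy with gpupdate, then inspects
both root stores on the client for the CA certificate and checks that the entry really is a self-signed CA
certificate within its validity period and, when you pass the thumbprint recorded on the CA, that it is the
same certificate rather than merely one with the same name. The CA name and the thumbprint value in the
usage line are placeholders.

```powershell
# Added example, not part of the Ruckus application note. Run on the domain
# client as the test user. Assumptions: the CA is named "ca.example.com" and
# the thumbprint was read from the CA's own certificate (both placeholders).

function Test-RootCaTrusted {
    param(
        [Parameter(Mandatory=$true)][string]$CaName,
        [string]$ExpectedThumbprint,   # strongly recommended: a name match is not trust
        [switch]$RefreshPolicy         # run "gpupdate /force" before looking
    )
    if ($RefreshPolicy) { gpupdate /force | Out-Null }

    # The GPO delivers the certificate to the computer's store; the user-scope
    # store is listed too so a stray per-user copy is noticed.
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        $found = @(Get-ChildItem $store | Where-Object { $_.Subject -like "CN=$CaName*" })
        if ($found.Count -eq 0) {
            New-Object PSObject -Property @{ Store = $store; Present = $false; Ok = $false }
            continue
        }
        foreach ($cert in $found) {
            # Basic Constraints must say CA=true for this to act as a root
            $bc = $cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
            $isCa       = ($bc -ne $null) -and $bc.CertificateAuthority
            $selfSigned = ($cert.Subject -eq $cert.Issuer)          # a Root CA signs itself
            $now        = Get-Date
            $valid      = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
            # Compare thumbprints with spaces/colons stripped, case-insensitively
            $tpOk       = (-not $ExpectedThumbprint) -or
                          ($cert.Thumbprint -eq ($ExpectedThumbprint -replace '[\s:]', '').ToUpper())

            New-Object PSObject -Property @{
                Store = $store; Present = $true; Thumbprint = $cert.Thumbprint
                Subject = $cert.Subject; SelfSigned = $selfSigned; IsCa = $isCa
                Expires = $cert.NotAfter; ThumbprintMatches = $tpOk
                Ok = $isCa -and $selfSigned -and $valid -and $tpOk
            }
        }
    }
}

# Usage: paste the thumbprint recorded on the CA in place of the placeholder
Test-RootCaTrusted -CaName 'ca.example.com' `
                   -ExpectedThumbprint 'REPLACE-WITH-CA-THUMBPRINT' `
                   -RefreshPolicy | Format-Table Store, Present, IsCa, SelfSigned, ThumbprintMatches, Ok -AutoSize
```

Present=true with ThumbprintMatches=false is the case worth investigating: something other than your GPO
has installed a root with the same name, which would let a different issuer mint certificates the client
accepts.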
3. Right click on Certificate Templates and choose Manage. This will open the
Certificate Templates Console
4. Right click the User template in the panel to the right and choose Duplicate
Template
5. In the next screen you are prompted to select the type of attributes
supported in the certificate: Windows Server 2003 or Windows Server 2008.
Choose whichever is most appropriate for your installation
6. Click Next
7. In the properties window, give the template a name. You may also adjust the
validity period and how re-enrollment is handled here
15. Click the name of your template and click the OK button
Next add this to a group policy object (GPO) on the AD server.
16. Open the Group Policy Management Console
17. Open the forest entry and click the plus sign next to your domain to expand it
18. Navigate down to Group Policy Objects->Default Domain Policy
23. Check the box next to Update certificates that use certificate templates
24. You may also wish to set other options on the screen regarding how expired
certificates are handled
25. Click the OK button to save your changes
26. Use the gpupdate command to force an immediate update and deploy the
new GPO for all new client logins to the domain
Test the new GPO by logging into a domain client. Verify a user certificate is
created and installed on the machine (see note 7).
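The footnote to this step reports that user certificates are not issued when the account has no Email
attribute in Active Directory. The following PowerShell is an added example, not from the Ruckus document:
it lists enabled accounts in the domain (or one OU) that have no mail value, using System.DirectoryServices
so it needs no RSAT module, and offers a separate, deliberate step to fill mail from the UPN. The OU in the
usage line, and the assumption that UPNs in your forest are usable e-mail addresses, are placeholders for
your environment.

```powershell
# Added example, not part of the Ruckus application note. Run as a user who can
# read (and, for the fix, write) user objects. Assumptions: the OU below is a
# placeholder, and UPNs are valid mail addresses (only true in some forests).

function Get-PropValue($props, $name) {
    # SearchResult properties are keyed in lower case and absent when empty
    if ($props.Contains($name) -and $props[$name].Count -gt 0) { [string]$props[$name][0] } else { $null }
}

function Get-UsersWithoutMail {
    param([string]$SearchBase)   # DN of an OU; omitted = whole current domain

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    if ($SearchBase) { $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase" }
    # user objects that are enabled (ACCOUNTDISABLE bit 0x2 clear) and have no mail value
    $searcher.Filter   = '(&(objectCategory=person)(objectClass=user)(!(mail=*))' +
                         '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    $searcher.PageSize = 500     # paged results, so large domains do not truncate at 1000
    [void]$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'userPrincipalName', 'distinguishedName'))

    foreach ($r in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            SamAccountName    = Get-PropValue $r.Properties 'samaccountname'
            UserPrincipalName = Get-PropValue $r.Properties 'userprincipalname'
            DistinguishedName = Get-PropValue $r.Properties 'distinguishedname'
        }
    }
}

function Set-MailToUpn {
    # Fills mail from the UPN for accounts found above. Skips accounts without a UPN.
    param([Parameter(Mandatory=$true, ValueFromPipeline=$true)]$User)
    process {
        if (-not $User.UserPrincipalName) {
            Write-Warning "$($User.SamAccountName): no UPN, skipped"
            return
        }
        $entry = [ADSI]"LDAP://$($User.DistinguishedName)"
        $entry.Put('mail', $User.UserPrincipalName)
        $entry.SetInfo()
        Write-Output "$($User.SamAccountName) -> $($User.UserPrincipalName)"
    }
}

# Usage: report first; apply the fix only after the list has been reviewed
$missing = Get-UsersWithoutMail -SearchBase 'OU=Wireless Users,DC=example,DC=com'
$missing | Format-Table SamAccountName, UserPrincipalName -AutoSize
# $missing | Set-MailToUpn
```

Run the report before the first auto-enrollment test so a missing attribute is not mistaken for a
template or GPO problem. The usual alternative to populating mail is to stop the duplicated User template
from including the e-mail name in the subject and subject alternative name, which removes the dependency
entirely.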
Issue Device Certificates with Auto Enrollment (Windows)
The process to generate client certificates is the same as user certificates with a
few minor changes.
1. Open the Certification Authority program on the CA system
2. Click the plus sign next to the name of the CA instance
3. Right click on Certificate Templates and choose Manage. This will open the
Certificate Templates Console
Note 7: At the time of this document, there is a known issue with user certificates not being issued if the user
account does not have an Email attribute in Active Directory. Adding an email address will fix this.
4. Right click the Workstation Authentication template in the panel to the right
and choose Duplicate Template
5. In the next screen you are prompted to select the type of attributes
supported in the certificate: Windows Server 2003 or Windows Server 2008.
Choose whichever is most appropriate for your installation
6. Click Next
7. In the properties window, give the template a name. You may also adjust the
validity period and how re-enrollment is handled here
15. Click the name of your template and click the OK button
Next we need to add this to a group policy object (GPO) on the AD server.
16. Open the Group Policy Management Console
17. Open the forest entry and click the plus sign next to your domain to expand it
18. Navigate down to Group Policy Objects->Default Domain Policy
23. Check the box next to Update certificates that use certificate templates
24. You may also wish to set other options on the screen regarding how expired
certificates are handled
25. Click the OK button to save your changes
26. Use the gpupdate command to force an immediate update and deploy the
new GPO for all new client logins to the domain
Test the new GPO by logging into a domain client. Verify a machine certificate is
created and installed on the machine.
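Both tests, the user certificate in the previous section and the machine certificate above, can be made
objective with the following PowerShell, an added example that is not part of the Ruckus document. For
either store it triggers auto-enrollment with certutil -pulse when asked, then reports every unexpired
certificate from the CA together with whether it has a private key, whether it carries the Client
Authentication EKU that EAP-TLS requires, which template issued it, and whether its chain builds to the
root distributed by the GPO. The CA name is a placeholder, and pulsing the machine context is assumed to
need an elevated prompt.

```powershell
# Added example, not part of the Ruckus application note. Run on the domain
# client: as the test user for -Context User, from an elevated prompt for
# -Context Machine (assumption: elevation is needed to pulse machine enrollment).
# Assumption: the CA is named "ca.example.com" (placeholder).

function Test-AutoEnrolledCert {
    param(
        [Parameter(Mandatory=$true)][ValidateSet('User', 'Machine')][string]$Context,
        [Parameter(Mandatory=$true)][string]$IssuerCn,
        [switch]$Pulse     # trigger auto-enrollment now instead of waiting for the next cycle
    )
    if ($Pulse) { certutil -pulse | Out-Null }

    $store      = if ($Context -eq 'User') { 'Cert:\CurrentUser\My' } else { 'Cert:\LocalMachine\My' }
    $clientAuth = '1.3.6.1.5.5.7.3.2'    # id-kp-clientAuth, what the RADIUS server checks for

    $certs = @(Get-ChildItem $store | Where-Object {
        $_.Issuer -like "CN=$IssuerCn*" -and $_.NotAfter -gt (Get-Date) })
    if ($certs.Count -eq 0) {
        return New-Object PSObject -Property @{ Context = $Context; Present = $false; Ok = $false }
    }

    foreach ($cert in $certs) {
        # Enhanced Key Usage must include client authentication
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasClientAuth = $false
        if ($eku) {
            foreach ($o in $eku.EnhancedKeyUsages) { if ($o.Value -eq $clientAuth) { $hasClientAuth = $true } }
        }

        # Issuing template: v2 "Certificate Template Information" or v1 "Certificate Template Name"
        $tmpl = $cert.Extensions | Where-Object {
            $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' -or $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' }
        $template = if ($tmpl) { ($tmpl | Select-Object -First 1).Format($false) } else { '(no template extension)' }

        # The chain must end at the root the GPO distributed. Revocation is left out
        # here because CRL reachability is a separate failure mode to test on its own.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainOk = $chain.Build($cert)

        New-Object PSObject -Property @{
            Context = $Context; Present = $true; Subject = $cert.Subject
            Template = $template; HasPrivateKey = $cert.HasPrivateKey
            ClientAuth = $hasClientAuth; ChainOk = $chainOk
            Expires = $cert.NotAfter; Thumbprint = $cert.Thumbprint
            Ok = $cert.HasPrivateKey -and $hasClientAuth -and $chainOk
        }
    }
}

# Usage: user store as the logged-in user, machine store from an elevated prompt
Test-AutoEnrolledCert -Context User    -IssuerCn 'ca.example.com' -Pulse | Format-List
Test-AutoEnrolledCert -Context Machine -IssuerCn 'ca.example.com'        | Format-List
```

A certificate that is Present but has ClientAuth=false usually means the wrong template was duplicated
(the User and Workstation Authentication templates both carry Client Authentication; a Web Server
duplicate does not), and ChainOk=false with the certificate present points back at the root
distribution GPO rather than at enrollment.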
From here they can download the root CA certificate as well as request a new
personal certificate. To request a personal certificate:
1. Click the Request a certificate link
4. Click the link on the next screen to download the certificate and install it