  1. Install AD CS roles
    • Install-WindowsFeature -Name ADCS-Cert-Authority,ADCS-Web-Enrollment -IncludeManagementTools
  2. Create PKI A record
    • Add-DnsServerResourceRecordA -Name pki -IPv4Address 172.20.1.101 -ZoneName lab.dev.ajf8729.com
  3. Configure enterprise subordinate certificate authority
  4. Configure CDP
    • http://pki.lab.dev.ajf8729.com/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
    • Include in CRL
    • Include in CDP extension
  5. Configure AIA
    • http://pki.lab.dev.ajf8729.com/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt
    • Include in AIA extension
  6. Import root CA cert into domain root GPO
  7. Unpublish all currently published templates
  8. Configure “Kerberos Authentication” template
    • Clone “Kerberos Authentication” template as “AJF8729 LAB Kerberos Authentication”
    • Raise compatibility settings to maximum
    • Cryptography settings:
      • Provider category: KSP
      • Algorithm: RSA
      • Minimum key size: 2048 bit
      • Cryptographic provider: Software KSP
      • Hashing: SHA256
      • Subject name: Fully distinguished name
      • SAN: DNS name
  9. Configure “Workstation Authentication” template
    • Clone “Workstation Authentication” template as “AJF8729 LAB Workstation Authentication”
    • Raise compatibility settings to maximum
    • Cryptography settings:
      • Provider category: KSP
      • Algorithm: RSA
      • Minimum key size: 2048 bit
      • Cryptographic provider: Software KSP
      • Hashing: SHA256
      • Subject name: DNS name
      • SAN: DNS name
      • Security: Domain Computers -> Add Autoenroll
  10. Configure “Web Server” template
    • Clone “Web Server” template as “AJF8729 LAB Web Server”
    • Raise compatibility settings to maximum
    • Cryptography settings:
      • Provider category: KSP
      • Algorithm: RSA
      • Minimum key size: 2048 bit
      • Cryptographic provider: Software KSP
      • Hashing: SHA256
      • Subject name: DNS name
      • SAN: DNS name
      • Security: Cert_WebServer -> Add Enroll, Autoenroll
  11. Enable new templates for enrollment
  12. Configure certificate autoenrollment settings in domain root GPO
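The same sequence as a PowerShell script, added here as an example and not part of the original checklist. It assumes an elevated session on the domain-joined CA server, the ActiveDirectory, GroupPolicy and ADCSAdministration modules, that the "domain root GPO" is the Default Domain Policy (the checklist does not name it), a CA common name of AJF8729-LAB-SubCA, and that the three clones from steps 8-10 already exist under the display names given there (cloning is done in the Certificate Templates console; there is no built-in cmdlet for it). Steps 3 and 6 keep a manual part: the root CA must sign the subordinate request, and the root certificate is imported into the GPO in GPMC. Before step 11 the script reads each clone's msPKI-Certificate-Name-Flag from AD and publishes it only if the subject source matches the checklist and the enrollee is not allowed to supply its own subject; a template that builds its name from AD cannot be used to request a certificate for another identity.

```powershell
# Added example, not the page's own script. Assumptions are marked below.
$Domain  = 'lab.dev.ajf8729.com'
$PkiHost = "pki.$Domain"
$CaName  = 'AJF8729-LAB-SubCA'      # assumption: CA common name chosen in step 3
$RootGpo = 'Default Domain Policy'  # assumption: the "domain root GPO" of step 12

# 1. Roles
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# 2. PKI A record (address taken from the checklist)
Add-DnsServerResourceRecordA -Name pki -IPv4Address 172.20.1.101 -ZoneName $Domain

# 3. Enterprise subordinate CA. This only writes the request file; after the root CA
#    has signed it, finish with:  certutil -installCert <signed cert>.crt
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCa -CACommonName $CaName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' -KeyLength 2048 `
    -HashAlgorithmName SHA256 -OutputCertRequestFile "C:\$CaName.req" -Force
Install-AdcsWebEnrollment -Force

# 4./5. CDP and AIA. Requires the signed CA certificate to be installed and certsvc running.
#       The HTTP URL is written into issued certificates (CDP/AIA extension) and into the CRL.
Add-CACrlDistributionPoint -Uri "http://$PkiHost/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl" `
    -AddToCertificateCdp -AddToCrlCdp -Force
Add-CAAuthorityInformationAccess -Uri "http://$PkiHost/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt" `
    -AddToCertificateAia -Force
Restart-Service certsvc

# 6. Root CA certificate into the domain root GPO: done in GPMC under
#    Computer Configuration > Policies > Windows Settings > Security Settings >
#    Public Key Policies > Trusted Root Certification Authorities (not scripted here).

# 7. Unpublish every template this CA currently offers
Get-CATemplate | ForEach-Object { Remove-CATemplate -Name $_.Name -Force }

# 8.-10. Verify the clones against the checklist before publishing them.
#        Bit values are from msPKI-Certificate-Name-Flag (MS-CRTD).
$SupplyInRequest = 0x00000001   # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT: must be clear
$SanDns          = 0x08000000   # CT_FLAG_SUBJECT_ALT_REQUIRE_DNS:   "SAN: DNS name"
$Expected = @{
    'AJF8729 LAB Kerberos Authentication'    = 0x80000000  # subject = fully distinguished name
    'AJF8729 LAB Workstation Authentication' = 0x40000000  # subject CN = DNS name
    'AJF8729 LAB Web Server'                 = 0x40000000  # subject CN = DNS name
}
$TemplatesDn = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
               (Get-ADRootDSE).configurationNamingContext

function Test-LabTemplate {
    param([string]$DisplayName, [uint32]$SubjectFlag)
    $t = Get-ADObject -SearchBase $TemplatesDn -Filter "displayName -eq '$DisplayName'" `
                      -Properties 'msPKI-Certificate-Name-Flag'
    if (-not $t) { return [pscustomobject]@{ Cn = $null; Ok = $false; Verdict = "$DisplayName : not found" } }
    # AD stores the attribute as a signed Int32; reinterpret it as the unsigned flag word
    $f = [uint32]([int64]$t.'msPKI-Certificate-Name-Flag' -band 0xFFFFFFFF)
    $problems = @()
    if ($f -band $SupplyInRequest)    { $problems += 'enrollee may supply its own subject' }
    if (-not ($f -band $SubjectFlag)) { $problems += 'subject source differs from checklist' }
    if (-not ($f -band $SanDns))      { $problems += 'SAN DNS name not required' }
    $ok = ($problems.Count -eq 0)
    $verdict = if ($ok) { "$DisplayName : OK (flags 0x$('{0:X8}' -f $f))" }
               else     { "$DisplayName : $($problems -join '; ')" }
    [pscustomobject]@{ Cn = $t.Name; Ok = $ok; Verdict = $verdict }
}

# 11. Enable only the templates that pass; Add-CATemplate wants the template CN, not the display name
foreach ($name in $Expected.Keys) {
    $r = Test-LabTemplate -DisplayName $name -SubjectFlag $Expected[$name]
    Write-Output $r.Verdict
    if ($r.Ok) { Add-CATemplate -Name $r.Cn -Force }
}

# 12. Computer autoenrollment in the domain root GPO. AEPolicy 7 = enabled, renew expired,
#     update pending certificates, remove revoked certificates.
Set-GPRegistryValue -Name $RootGpo -Key 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' `
    -ValueName AEPolicy -Type DWord -Value 7
```

Run it once per step rather than end to end the first time: steps 4 and 5 fail until the signed subordinate certificate has been installed and certsvc starts, and the template check prints one line per clone so a mismatch (for example a clone still carrying "Supply in the request" from an edited parent) is visible before the template is offered for enrollment.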