Difference between revisions of "Certificate Auto Enrollment"

From SambaWiki
 
(2 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
Certificate Auto Enrollment allows devices to enroll for certificates from Active Directory Certificate Services. It is enabled by Group Policy using Samba's samba-gpupdate command. Certificate Auto Enrollment is available in Samba 4.16 and above.
 
Certificate Auto Enrollment allows devices to enroll for certificates from Active Directory Certificate Services. It is enabled by Group Policy using Samba's samba-gpupdate command. Certificate Auto Enrollment is available in Samba 4.16 and above.
   
= Configuring Certificate Auto Enrollment on the Server =
+
=== Configuring Certificate Auto Enrollment on the Server ===
   
 
The Windows server roles '''Certification Authority''', '''Certificate Enrollment Policy Web Service''', '''Certificate Enrollment Web Service''', '''Certification Authority Web Enrollment''', and '''Network Device Enrollment Service''' all must be installed and configured.
 
The Windows server roles '''Certification Authority''', '''Certificate Enrollment Policy Web Service''', '''Certificate Enrollment Web Service''', '''Certification Authority Web Enrollment''', and '''Network Device Enrollment Service''' all must be installed and configured.
Line 7: Line 7:
 
Configure Group Policy auto enrollment as described [https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment#configure-server-certificate-auto-enrollment in the documentation here].
 
Configure Group Policy auto enrollment as described [https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment#configure-server-certificate-auto-enrollment in the documentation here].
   
= Enable Certificate Auto Enrollment on the Client =
+
=== Enable Certificate Auto Enrollment on the Client ===
 
To setup Certificate Auto Enrollment:
 
To setup Certificate Auto Enrollment:
 
# Install [https://fedorahosted.org/certmonger certmonger], [https://github.com/openSUSE/cepces cepces], and [https://github.com/certnanny/sscep sscep]. Samba uses sscep to download the CA root chain, then uses certmonger paired with cepces to monitor the host certificate templates.
 
# Install [https://fedorahosted.org/certmonger certmonger], [https://github.com/openSUSE/cepces cepces], and [https://github.com/certnanny/sscep sscep]. Samba uses sscep to download the CA root chain, then uses certmonger paired with cepces to monitor the host certificate templates.
# Join to an Active Directory domain (one where the CA has been previously configured as explained above). <pre>Note: Samba's gpupdate will work with SSSD, but will require the oddjob-gpupdate package in order to apply policies automatically.</pre>
+
# Join to an Active Directory domain (one where the CA has been previously configured as explained above).
  +
{{Imbox
  +
| type = note
  +
| text = Samba's gpupdate will work with SSSD, but will require the oddjob-gpupdate package in order to apply policies automatically.
  +
}}
 
# Enable group policy apply:
 
# Enable group policy apply:
 
#* For a Winbind joined machine by setting the smb.conf global parameter 'apply group policies = yes'.
 
#* For a Winbind joined machine by setting the smb.conf global parameter 'apply group policies = yes'.
Line 38: Line 42:
 
</pre>
 
</pre>
   
  +
Issuing the `getcert list` command will display the installed certificates:
= Certificates =
 
  +
<pre>
  +
Number of certificates and requests being tracked: 1.
  +
Request ID 'Machine':
  +
status: MONITORING
  +
stuck: no
  +
key pair storage: type=FILE,location='/var/lib/samba/private/certs/Machine.key'
  +
certificate: type=FILE,location='/var/lib/samba/certs/Machine.crt'
  +
CA: <My CA>
  +
issuer: CN=<My CA>
  +
subject: CN=<my hostname>
  +
expires: 2017-08-15 17:37:02 UTC
  +
dns: <my hostname>
  +
key usage: digitalSignature,keyEncipherment
  +
eku: id-kp-clientAuth,id-kp-serverAuth
  +
certificate template/profile: Machine
  +
pre-save command:
  +
post-save command:
  +
track: yes
  +
auto-renew: yes
  +
</pre>
  +
 
=== Certificates ===
 
Certificates are installed in /var/lib/samba/certs and private keys are installed in /var/lib/samba/private/certs.
 
Certificates are installed in /var/lib/samba/certs and private keys are installed in /var/lib/samba/private/certs.

Latest revision as of 15:16, 5 October 2021

Certificate Auto Enrollment allows devices to enroll for certificates from Active Directory Certificate Services. It is enabled by Group Policy using Samba's samba-gpupdate command. Certificate Auto Enrollment is available in Samba 4.16 and above.

Configuring Certificate Auto Enrollment on the Server

The Windows server roles Certification Authority, Certificate Enrollment Policy Web Service, Certificate Enrollment Web Service, Certification Authority Web Enrollment, and Network Device Enrollment Service all must be installed and configured.

Configure Group Policy auto enrollment as described in the documentation here.

Enable Certificate Auto Enrollment on the Client

To setup Certificate Auto Enrollment:

  1. Install certmonger, cepces, and sscep. Samba uses sscep to download the CA root chain, then uses certmonger paired with cepces to monitor the host certificate templates.
  2. Join to an Active Directory domain (one where the CA has been previously configured as explained above).
  1. Enable group policy apply:
    • For a Winbind joined machine by setting the smb.conf global parameter 'apply group policies = yes'.
    • For a SSSD joined machine by installing the oddjob-gpupdate package.
  2. To verify Certificate Auto Enrollment is correctly configured, issue the command `/usr/sbin/samba-gpupdate --rsop`
Resultant Set of Policy
Computer Policy

 GPO: Default Domain Policy
======================================================================================================================
CSE: gp_cert_auto_enroll_ext
-----------------------------------------------------------
Policy Type: Auto Enrollment Policy
-----------------------------------------------------------
[ <REDACTED CA NAME> ] =
[ CA Certificate ] =
----BEGIN CERTIFICATE----
<REDACTED>
----END CERTIFICATE----
[ Auto Enrollment Server ] = <REDACTED DNS NAME>
[ Templates ] =
[ Machine ]
-----------------------------------------------------------
-----------------------------------------------------------
======================================================================================================================

Issuing the `getcert list` command will display the installed certificates:

Number of certificates and requests being tracked: 1.
Request ID 'Machine':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/lib/samba/private/certs/Machine.key'
        certificate: type=FILE,location='/var/lib/samba/certs/Machine.crt'
        CA: <My CA>
        issuer: CN=<My CA>
        subject: CN=<my hostname>
        expires: 2017-08-15 17:37:02 UTC
        dns: <my hostname>
        key usage: digitalSignature,keyEncipherment
        eku: id-kp-clientAuth,id-kp-serverAuth
        certificate template/profile: Machine
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

Certificates

Certificates are installed in /var/lib/samba/certs and private keys are installed in /var/lib/samba/private/certs.