Certificate Auto Enrollment: Difference between revisions
Revision as of 15:16, 5 October 2021
Certificate Auto Enrollment allows devices to enroll for certificates from Active Directory Certificate Services. It is enabled by Group Policy using Samba's samba-gpupdate command. Certificate Auto Enrollment is available in Samba 4.16 and above.
Configuring Certificate Auto Enrollment on the Server
The Windows server roles Certification Authority, Certificate Enrollment Policy Web Service, Certificate Enrollment Web Service, Certification Authority Web Enrollment, and Network Device Enrollment Service all must be installed and configured.
Configure Group Policy auto enrollment as described in the Microsoft documentation: https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment#configure-server-certificate-auto-enrollment
Enable Certificate Auto Enrollment on the Client
To set up Certificate Auto Enrollment:
- Install certmonger (https://fedorahosted.org/certmonger), cepces (https://github.com/openSUSE/cepces), and sscep (https://github.com/certnanny/sscep). Samba uses sscep to download the CA root chain, then uses certmonger paired with cepces to monitor the host certificate templates.
- Join to an Active Directory domain (one where the CA has been previously configured as explained above).
Note: Samba's gpupdate will work with SSSD, but will require the oddjob-gpupdate package in order to apply policies automatically.
- Enable group policy apply:
- For a Winbind joined machine by setting the smb.conf global parameter 'apply group policies = yes'.
- For a SSSD joined machine by installing the oddjob-gpupdate package.
- To verify Certificate Auto Enrollment is correctly configured, issue the command `/usr/sbin/samba-gpupdate --rsop`
Resultant Set of Policy
Computer Policy

GPO: Default Domain Policy
======================================================================================================================
  CSE: gp_cert_auto_enroll_ext
  -----------------------------------------------------------
    Policy Type: Auto Enrollment Policy
    -----------------------------------------------------------
    [ <REDACTED CA NAME> ] =
      [ CA Certificate ] =
        ----BEGIN CERTIFICATE----
        <REDACTED>
        ----END CERTIFICATE----
      [ Auto Enrollment Server ] =
        <REDACTED DNS NAME>
      [ Templates ] =
        [ Machine ]
    -----------------------------------------------------------
  -----------------------------------------------------------
======================================================================================================================
Issuing the `getcert list` command will display the installed certificates:
Number of certificates and requests being tracked: 1.
Request ID 'Machine':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/samba/private/certs/Machine.key'
    certificate: type=FILE,location='/var/lib/samba/certs/Machine.crt'
    CA: <My CA>
    issuer: CN=<My CA>
    subject: CN=<my hostname>
    expires: 2017-08-15 17:37:02 UTC
    dns: <my hostname>
    key usage: digitalSignature,keyEncipherment
    eku: id-kp-clientAuth,id-kp-serverAuth
    certificate template/profile: Machine
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Certificates are installed in /var/lib/samba/certs and private keys are installed in /var/lib/samba/private/certs.
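The `getcert list` output above is what an administrator checks by eye; the following added example (not Samba's or certmonger's code) parses that output and reports a machine certificate that is not in MONITORING state, is stuck, is not tracked for auto-renewal, has its private key outside /var/lib/samba/private, or expires within a configurable number of days. The sample output is constructed from the fields shown on this page, and the 30-day warning threshold is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample in the layout `getcert list` prints (fields taken from the page above).
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 1.
Request ID 'Machine':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/samba/private/certs/Machine.key'
    certificate: type=FILE,location='/var/lib/samba/certs/Machine.crt'
    CA: <My CA>
    issuer: CN=<My CA>
    expires: 2017-08-15 17:37:02 UTC
    certificate template/profile: Machine
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
"""

def parse_utc(text):
    # certmonger prints timestamps as "YYYY-MM-DD HH:MM:SS UTC"
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)

def parse_getcert_list(text):
    # Map each "Request ID '<name>':" block to a dict of its "field: value" lines.
    requests, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def check_request(fields, now=None, warn_days=30):
    # List the problems with one tracked request; an empty list means healthy.
    now = now or datetime.now(timezone.utc)
    key_path = fields.get("key pair storage", "").split("location='")[-1].rstrip("'")
    checks = [
        (fields.get("status") != "MONITORING", "status is not MONITORING"),
        (fields.get("stuck") != "no", "request is stuck"),
        (fields.get("track") != "yes" or fields.get("auto-renew") != "yes",
         "not tracked for automatic renewal"),
        (not key_path.startswith("/var/lib/samba/private/"), "private key outside /var/lib/samba/private"),
        (parse_utc(fields["expires"]) - now < timedelta(days=warn_days), "expires within %d days" % warn_days),
    ]
    return [message for failed, message in checks if failed]
```

Run it against the real output with `check_request(parse_getcert_list(subprocess.check_output(["getcert", "list"], text=True))["Machine"])` from a cron job or monitoring check.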