Certificate Auto Enrollment: Difference between revisions
Latest revision as of 20:31, 14 December 2022
Certificate Auto Enrollment allows devices to enroll for certificates from Active Directory Certificate Services. It is enabled by Group Policy using Samba's samba-gpupdate command. Certificate Auto Enrollment is available in Samba 4.16 and above.
Configuring Certificate Auto Enrollment on the Server
The Windows server roles Certification Authority, Certificate Enrollment Policy Web Service, and Certificate Enrollment Web Service all must be installed and configured. Optionally the role Network Device Enrollment Service can be installed to simplify the fetching of the root certificate chain.
Configure Group Policy auto enrollment as described in the Microsoft documentation (https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment#configure-server-certificate-auto-enrollment).
Enable Certificate Auto Enrollment on the Client
To set up Certificate Auto Enrollment:
- Install certmonger (https://fedorahosted.org/certmonger) and cepces (https://github.com/openSUSE/cepces). Optionally also install sscep (https://github.com/certnanny/sscep) to simplify fetching the certificate root chain. Samba uses certmonger paired with cepces to monitor the host certificate templates.
- Join an Active Directory domain (one where the CA has been previously configured as explained above).

  Note: Samba's gpupdate will work with SSSD, but requires the oddjob-gpupdate package (https://github.com/openSUSE/oddjob-gpupdate) in order to apply policies automatically.

- Enable group policy apply:
  - For a Winbind-joined machine, set the smb.conf global parameter 'apply group policies = yes'.
  - For an SSSD-joined machine, install the oddjob-gpupdate package (https://github.com/openSUSE/oddjob-gpupdate).
- To verify Certificate Auto Enrollment is correctly configured, issue the command `/usr/sbin/samba-gpupdate --rsop`:
<pre>
Resultant Set of Policy
Computer Policy

GPO: Default Domain Policy
======================================================================================================================
  CSE: gp_cert_auto_enroll_ext
  -----------------------------------------------------------
    Policy Type: Auto Enrollment Policy
    -----------------------------------------------------------
    [ <REDACTED CA NAME> ] =
      [ CA Certificate ] =
        ----BEGIN CERTIFICATE----
        <REDACTED>
        ----END CERTIFICATE----
      [ Auto Enrollment Server ] =
        <REDACTED DNS NAME>
      [ Templates ] =
        [ Machine ]
    -----------------------------------------------------------
  -----------------------------------------------------------
======================================================================================================================
</pre>
Issuing the `getcert list` command will display the installed certificates:
<pre>
Number of certificates and requests being tracked: 1.
Request ID 'Machine':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/var/lib/samba/private/certs/Machine.key'
	certificate: type=FILE,location='/var/lib/samba/certs/Machine.crt'
	CA: <My CA>
	issuer: CN=<My CA>
	subject: CN=<my hostname>
	expires: 2017-08-15 17:37:02 UTC
	dns: <my hostname>
	key usage: digitalSignature,keyEncipherment
	eku: id-kp-clientAuth,id-kp-serverAuth
	certificate template/profile: Machine
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
</pre>
Certificates
Certificates are installed in /var/lib/samba/certs and private keys are installed in /var/lib/samba/private/certs.
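The verification steps above (samba-gpupdate --rsop, getcert list, and the certificate locations) can be scripted into a single post-enrollment check. The script below is an added example, not code from the Samba wiki or the Samba project; it parses constructed copies of the two listings shown on this page and checks that the enrolled private key is not readable by other users.

```shell
#!/bin/sh
# Example post-enrollment check (added here; not from the Samba wiki page or the Samba
# project). Parses the `samba-gpupdate --rsop` and `getcert list` output shown above.

# Return 0 when the RSoP output shows the Certificate Auto Enrollment CSE was applied.
rsop_has_autoenroll() {
    printf '%s\n' "$1" | grep -q 'CSE: gp_cert_auto_enroll_ext'
}

# Print the certmonger status (e.g. MONITORING) of request $1 from the `getcert list`
# output passed as $2; prints nothing if that request is not being tracked.
getcert_status() {
    printf '%s\n' "$2" |
        sed -n "/^Request ID '$1':/,/^Request ID /{ s/^[[:space:]]*status: //p; }"
}

# Print the path certmonger reports for field $1 ("key pair storage" or "certificate")
# of request $2, from the `getcert list` output passed as $3.
getcert_path() {
    printf '%s\n' "$3" |
        sed -n "/^Request ID '$2':/,/^Request ID /{ s/^[[:space:]]*$1: type=FILE,location='\([^']*\)'.*/\1/p; }"
}

# Return 0 when the file exists and its mode grants no access to "others" (the
# private key under /var/lib/samba/private/certs should not be world-readable).
key_not_world_readable() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Constructed samples, shortened from the listings on this page.
RSOP_SAMPLE='GPO: Default Domain Policy
  CSE: gp_cert_auto_enroll_ext
    Policy Type: Auto Enrollment Policy'
GETCERT_SAMPLE="Number of certificates and requests being tracked: 1.
Request ID 'Machine':
    status: MONITORING
    key pair storage: type=FILE,location='/var/lib/samba/private/certs/Machine.key'
    certificate: type=FILE,location='/var/lib/samba/certs/Machine.crt'"

# On a real host use: RSOP_SAMPLE=$(samba-gpupdate --rsop); GETCERT_SAMPLE=$(getcert list)
rsop_has_autoenroll "$RSOP_SAMPLE" && echo "RSoP: auto enrollment CSE applied"
echo "certmonger status for Machine: $(getcert_status Machine "$GETCERT_SAMPLE")"
key=$(getcert_path 'key pair storage' Machine "$GETCERT_SAMPLE")
if key_not_world_readable "$key"; then echo "key permissions ok: $key"
else echo "key missing or readable by others: $key"; fi
```

A status other than MONITORING, a missing Machine request, or a key file with permission bits for "others" are the conditions worth alerting on after the policy applies.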