---
title: Configure and validate the Public Key Infrastructure in an on-premises key trust model
description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in a key trust model.
ms.date: 12/12/2022
appliesto:
ms.topic: tutorial
---
# Configure and validate the Public Key Infrastructure - on-premises key trust
[!INCLUDE hello-on-premises-key-trust]
Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the key trust or certificate trust models. The domain controllers must have a certificate, which serves as a root of trust for clients. The certificate ensures that clients don't communicate with rogue domain controllers.
[!INCLUDE lab-based-pki-deploy]
## Configure the enterprise PKI
[!INCLUDE dc-certificate-template]
[!INCLUDE dc-certificate-template-supersede]
[!INCLUDE web-server-certificate-template]
[!INCLUDE unpublish-superseded-templates]
## Publish certificate templates to the CA
A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them.
Sign in to the CA or management workstations with Enterprise Admin equivalent credentials.
- Open the Certification Authority management console
- Expand the parent node from the navigation pane
- Select Certificate Templates in the navigation pane
- Right-click the Certificate Templates node. Select New > Certificate Template to Issue
- In the Enable Certificate Templates window, select the Domain Controller Authentication (Kerberos) and Internal Web Server templates you created in the previous steps. Select OK to publish the selected certificate templates to the certification authority
- If you published the Domain Controller Authentication (Kerberos) certificate template, then unpublish the certificate templates you included in the superseded templates list
- To unpublish a certificate template, right-click the certificate template you want to unpublish and select Delete. Select Yes to confirm the operation
- Close the console
## Configure and deploy certificates to domain controllers
[!INCLUDE dc-certificate-deployment]
## Validate the configuration
[!INCLUDE dc-certificate-validate]
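The publish/unpublish steps above and the validation step, as an added PowerShell example that is not from this page or the Microsoft documentation. The CA configuration string, the template names and the list of superseded templates are assumed placeholders (the built-in template names are shown only as a typical superseded list); the certificate check is meant to run on a domain controller and looks for a machine certificate that carries the KDC Authentication EKU and chains to a trusted root.

```powershell
# Assumed values (constructed placeholders): replace with your CA and template names.
$CaConfig = 'CA01.corp.contoso.com\Contoso-Issuing-CA'      # "<CA host>\<CA common name>"
# Template *names* (no spaces), not display names. Confirm with: certutil -v -template
$TemplatesToPublish   = @('DomainControllerAuthentication(Kerberos)', 'InternalWebServer')
# Templates listed as superseded on the new DC template (assumed list); unpublish them afterwards
$TemplatesToUnpublish = @('DomainController', 'DomainControllerAuthentication', 'KerberosAuthentication')

function Get-PublishedTemplate {
    # certutil -CATemplates prints one "Name: Display Name -- Access Check" line per published template
    $out = & certutil.exe -config $CaConfig -CATemplates 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil -CATemplates failed: $out" }
    $out | ForEach-Object { if ($_ -match '^([^\s:]+): .+ -- ') { $Matches[1] } }
}

function Sync-CaTemplatePublication {
    param([string[]]$Publish, [string[]]$Unpublish)
    $published = @(Get-PublishedTemplate)
    foreach ($t in $Publish) {
        if ($published -contains $t) { Write-Host "$t is already published"; continue }
        & certutil.exe -config $CaConfig -SetCATemplates "+$t" | Out-Null    # '+' publishes the template
        if ($LASTEXITCODE -ne 0) { throw "Failed to publish $t" }
    }
    foreach ($t in $Unpublish) {
        if ($published -notcontains $t) { continue }
        & certutil.exe -config $CaConfig -SetCATemplates "-$t" | Out-Null    # '-' unpublishes the template
        if ($LASTEXITCODE -ne 0) { throw "Failed to unpublish $t" }
    }
}

function Test-DcKerberosCertificate {
    # Run on a domain controller after autoenrollment: a machine certificate with a private key
    # must carry the KDC Authentication EKU (OID 1.3.6.1.5.2.3.5) and validate to a trusted root.
    $kdcEku      = '1.3.6.1.5.2.3.5'
    $templateOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information extension
    $found = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $kdcEku -and $_.HasPrivateKey }
    foreach ($c in $found) {
        $ext  = $c.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
        $tmpl = if ($ext) { $ext.Format($false) } else { '(no template extension)' }
        # Verify() builds the chain and checks revocation/time validity against the machine stores
        [pscustomobject]@{ Thumbprint = $c.Thumbprint; Issuer = $c.Issuer; Template = $tmpl; NotAfter = $c.NotAfter; ChainValid = $c.Verify() }
    }
    if (-not $found) { Write-Warning 'No certificate with the KDC Authentication EKU was found on this DC' }
}

Sync-CaTemplatePublication -Publish $TemplatesToPublish -Unpublish $TemplatesToUnpublish
Test-DcKerberosCertificate | Format-List
```

Run the publication part on the CA or a management workstation with Enterprise Admin equivalent credentials, and the validation part on each domain controller once autoenrollment has completed.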
[!div class="nextstepaction"] Next: prepare and deploy AD FS >