So in our environment here, we have just these four certificate templates published. And as I mentioned before, this is a brand-new clean lab build. So these are the only templates that we've created and published. But in the real world, you may have, you know, dozens of templates here that are already published. Specifically, a certificate that's called Domain Controller or Domain Controller Authentication may already exist here. Also, you might even see a Kerberos Authentication certificate that's here. The Kerberos Authentication is the one we want. That's the latest certificate, and that's the one we really want to ensure is deployed. And we have to make sure that that certificate is deployed to all domain controllers in the organization to support client certificate authentication for VPN access. At a minimum, we have to have either Domain Controller or Domain Controller Authentication. So again, if somebody's built the PKI and deployed all the default templates, it's already going to be there because those are published by default. So in that scenario, you may or may not need to perform these tasks.
So specifically, if we go to our Certificate Templates console, there are two certificate templates, Domain Controller and Domain Controller Authentication, that sound very similar. Essentially, the Domain Controller template is one of the earliest or oldest templates. It's a version 1 template. The Domain Controller Authentication template superseded that. It's a version 2 template. And then finally, Microsoft eventually came out with something called the Kerberos Authentication template. By default, it is a version 2 template, but ultimately it includes some additional capabilities to support modern authentication and things like that. This is the certificate template that we want to use. In this case, you'll see that I have no published certificate template there for Domain Controller, Domain Controller Authentication or Kerberos Authentication, so I'm going to do that in my lab here, but just be aware that you may or may not need to do this in your environment. So to do that, I'm going to right-click and choose Duplicate Template on the Kerberos Authentication template. And here, I'm going to uncheck Show resulting changes, select Windows Server 2016, and of course, I'm going to choose Server 2016 for the certificate recipient.
This is really critical: if you do have older domain controllers in your environment, you'll need to select kind of the least common denominator. So if you have, you know, a dozen 2016, 2019 or 2022 servers and you have one 2008 R2 server out there somewhere, then you'll need to select Server 2008 R2. So remember, least common denominator here, and 2016 is the latest. And, by the way, this is a Windows Server 2022 PKI. This issuing CA is Windows Server 2022. Server 2016 is still the latest you can choose here. So I'm going to choose that. Then I'll go to the General tab, and I'm going to provide a descriptive name here. Once again, validity period, one year is fine. Don't publish in Active Directory. We'll go to the Cryptography tab. From the Provider Category, I want to select Key Storage Provider. And since this is an internal server, not a portable device, I can choose any provider. I really don't care if this is tied to a TPM because this is within my physical control. And then I'm going to bump up the Request hash to SHA256.
We'll go to the Subject Name tab, and by default, there is no Subject name format, and honestly this isn't really crucial other than I like to see the DNS name when I'm looking at this certificate in the certificate store on the domain controller. So I'm going to go ahead and select DNS name here and ensure the DNS name is in the subject alternative name field here, meaning that the DNS name is also included there as well. So we'll go to the Extensions tab. I don't need to do anything here. All of the extensions that we need are already included. Then I'll go to the Security tab, and I really honestly don't need to do anything here either because our enterprise domain controllers are already set for enroll and autoenroll permissions. So that's fantastic. I don't have to do anything other than that. As I mentioned before, you may already have a Domain Controller or Domain Controller Authentication certificate published. This certificate template, the Kerberos Authentication template, is recommended and should supersede any of those templates. If you want to replace any existing Domain Controller or Domain Controller Authentication template, you can certainly do so using supersedence.
Select the Superseded Templates tab, click Add, and we'll add the Domain Controller as well as the Domain Controller Authentication template to the superseded templates. What that means is that when this certificate template gets published, if either of these templates is in place, it will remove them from the certificate store on those domain controllers and replace them with the most modern version of this template. So we'll click OK, and now we'll jump back over to the Certification Authority Management Console, and we'll publish this template.