1
00:00:02,940 --> 00:00:07,640
So let's move on and deploy a PKCS certificate using Intune.

2
00:00:07,640 --> 00:00:08,400
So to begin,

3
00:00:08,400 --> 00:00:11,300
what we're going to do is create a certificate template that we're

4
00:00:11,300 --> 00:00:15,130
going to use for Intune to enroll our certificates for.

5
00:00:15,130 --> 00:00:20,550
So I'm going to open the Certification Authority Management console snap‑in,

6
00:00:20,550 --> 00:00:23,880
and again, you can do this on a CA or a management workstation,

7
00:00:23,880 --> 00:00:24,860
it really doesn't matter.

8
00:00:24,860 --> 00:00:31,840
I'm going to right‑click on Certificate Templates and then choose Manage.

9
00:00:31,840 --> 00:00:34,690
Now I'll find the User authentication certificate template.

10
00:00:34,690 --> 00:00:37,280
I'm going to right‑click, choose Duplicate Template,

11
00:00:37,280 --> 00:00:41,900
and then here, I'm going to uncheck Show resulting changes and for the CA,

12
00:00:41,900 --> 00:00:46,090
I'm going to select 2008 R2 and for the recipient,

13
00:00:46,090 --> 00:00:48,840
Windows 7 2008 R2.

14
00:00:48,840 --> 00:00:52,240
This is critical because if you choose a version later,

15
00:00:52,240 --> 00:00:56,890
this will basically make this template unusable for PKCS.

16
00:00:56,890 --> 00:01:00,020
So if it sounds like I'm choosing an older certificate,

17
00:01:00,020 --> 00:01:01,780
I'm actually doing that by design.

18
00:01:01,780 --> 00:01:05,780
PKCS does not support anything newer than version 3

19
00:01:05,780 --> 00:01:09,050
templates, and this is the latest server version and client

20
00:01:09,050 --> 00:01:11,120
version for a version 3 template.

21
00:01:11,120 --> 00:01:16,840
So we'll click General, and now I'm going to give this a descriptive name,

22
00:01:16,840 --> 00:01:20,240
and I'm going to uncheck Publish in Active Directory,

23
00:01:20,240 --> 00:01:22,140
that's not required here.
24
00:01:22,140 --> 00:01:25,670
Then I will go to the Request Handling tab and want to ensure that

25
00:01:25,670 --> 00:01:29,140
Allow private key to be exported is selected,

26
00:01:29,140 --> 00:01:31,050
and this is critical because, again,

27
00:01:31,050 --> 00:01:34,230
the PKCS server where we installed the connector on

28
00:01:34,230 --> 00:01:36,120
is going to generate the key pair.

29
00:01:36,120 --> 00:01:37,840
So we'll select that.

30
00:01:37,840 --> 00:01:39,800
So we'll go to the Cryptography tab, and here,

31
00:01:39,800 --> 00:01:46,400
we'll select Key Storage Provider, we'll leave the RSA algorithm as the default,

32
00:01:46,400 --> 00:01:49,970
2048‑bit is the standard key size for RSA,

33
00:01:49,970 --> 00:01:55,740
and then you can select SHA256 for the request hash size.

34
00:01:55,740 --> 00:01:57,640
We'll go to the Subject Name,

35
00:01:57,640 --> 00:02:00,400
and here we're going to check Supply in the request.

36
00:02:00,400 --> 00:02:02,860
Now it's going to give us a bit of a scary warning

37
00:02:02,860 --> 00:02:05,250
here telling us that this is a risk.

38
00:02:05,250 --> 00:02:10,420
Indeed it is because anytime you allow a principal to

39
00:02:10,420 --> 00:02:13,730
supply the subject name in the request, that is,

40
00:02:13,730 --> 00:02:18,050
again, an inherent security risk here, but it's a necessary evil,

41
00:02:18,050 --> 00:02:21,740
it's one that we need to kind of accept in order to use this technology.

42
00:02:21,740 --> 00:02:25,040
So moving on, we'll go to the Extensions tab.

43
00:02:25,040 --> 00:02:28,280
Here, we're going to click Edit, and we're going to remove everything,

44
00:02:28,280 --> 00:02:30,040
except Client Authentication.

45
00:02:30,040 --> 00:02:34,400
The only thing we need on this certificate template is Client Authentication,

46
00:02:34,400 --> 00:02:36,170
that's the only requirement there.
47
00:02:36,170 --> 00:02:39,340
And then finally, we're going to go to the Security tab,

48
00:02:39,340 --> 00:02:42,540
and here I'm going to remove Domain Users,

49
00:02:42,540 --> 00:02:45,710
and then I'm going to add, in this case,

50
00:02:45,710 --> 00:02:51,540
the server name of the server where I've installed the PKCS connector.

51
00:02:51,540 --> 00:02:53,230
We're going to do that in a little bit here,

52
00:02:53,230 --> 00:02:55,710
but in this case, I already have a server prepared.

53
00:02:55,710 --> 00:02:58,120
It's just a domain-joined member server,

54
00:02:58,120 --> 00:03:02,140
so I'll go ahead and enter that information here.

55
00:03:02,140 --> 00:03:08,140
And then I'm going to grant that Read and Enroll.

56
00:03:08,140 --> 00:03:09,310
So then we'll click OK.

57
00:03:09,310 --> 00:03:12,280
And next, I'm going to go ahead and publish this template.

58
00:03:12,280 --> 00:03:14,170
So I'm going to actually come back to the Certificate

59
00:03:14,170 --> 00:03:18,640
Templates folder and choose New, Certificate Template to Issue,

60
00:03:18,640 --> 00:03:22,740
and hopefully this shows up.

61
00:03:22,740 --> 00:03:23,730
And if it does not,

62
00:03:23,730 --> 00:03:28,160
you may have to wait for Active Directory replication in your environment,

63
00:03:28,160 --> 00:03:30,170
but here, we just have a single domain controller,

64
00:03:30,170 --> 00:03:37,000
so we'll just click OK. And now we have published this certificate.