今日长缨在手,何时缚住苍龙。这篇文章主要讲述Windows Server Core 2022--安装AD DS和AD CS证书服务相关的知识,希望能为你提供帮助。
1.安装AD DS:
Install-WindowsFeature -Name AD-Domain-Services
Install-ADDSForest -CreateDnsDelegation:$false -DomainMode WinThreshold -DomainName afd.ink
-DomainNetbiosName a -ForestMode WinThreshold -InstallDns:$true -NoRebootOnCompletion:$true -SafeModeAdministratorPassword (ConvertTo-SecureString "P@$$w0rd1!" -AsPlainText -Force) -Force:$true
Restart-Computer
set-ADUser administrator -PasswordNeverExpires
$true
New-ADUser -Name gazh -SamAccountName gazh -DisplayName gazh -Enabled $True
-PasswordNeverExpires $True -UserPrincipalName gazh@afd.ink -AccountPassword (ConvertTo-SecureString "P@$$w0rd1!" -AsPlainText -Force) -PassThru
$SUG = @()
$SUG = (Get-ADUser -Identity "Administrator" -Properties * ).MemberOf
ForEach ($Group in $SUG )Add-ADGroupMember -Identity $Group -Members "gazh"
(Get-ADUser -Identity gazh -Properties *).MemberOf
2.安装ADCS:
Install-WindowsFeature AD-Certificate,ADCS-Cert-Authority,ADCS-Web-Enrollment
Install-AdcsCertificationAuthority
-ValidityPeriod
Years
-ValidityPeriodUnits 50 -CACommonName A-CA
配置 Certificate Authority Web Enrollment:
Install-AdcsWebEnrollment
certutil -getreg ca\\ValidityPeriod
certutil -getreg ca\\ValidityPeriodUnits
certutil -setreg ca\\ValidityPeriodUnits 20
Restart-Service -name certsvc
dnscmd . /RecordAdd afd.ink ca A 192.168.111.10
Get-CACrlDistributionPoint | ?$_.uri -like "http*" -or $_.uri -like "ldap*"
Add-CACrlDistributionPoint -Uri "http://ca.afd.ink/CertEnroll/<
CAName>
<
CRLNameSuffix>
<
DeltaCRLAllowed>
.crl" -AddToCrlIdp:$false -AddToFreshestCrl:$true -AddToCertificateCdp:$true -Confirm -Force
Get-CAAuthorityInformationAccess | fl
Add-CAAuthorityInformationAccess -AddToCertificateOcsp:$true
-Uri "http://ca.afd.ink/CertEnroll/<
ServerDNSName>
_<
CAName>
<
CertificateName>
.crt" -Confirm -Force
Get-CAAuthorityInformationAccess | fl
Remove-CAAuthorityInformationAccess -Uri "http://<
ServerDNSName>
/CertEnroll/<
ServerDNSName>
_<
CAName>
<
CertificateName>
.crt"
Add-CAAuthorityInformationAccess -AddToCertificateAia -Uri "http://<
ServerDNSName>
/CertEnroll/<
ServerDNSName>
_<
CAName>
<
CertificateName>
.crt"
Add-CAAuthorityInformationAccess -AddToCertificateOcsp -Uri "http://<
ServerDNSName>
/CertEnroll/<
ServerDNSName>
_<
CAName>
<
CertificateName>
.crt"
Get-CACrlDistributionPoint | fl
Remove-CACrlDistributionPoint -URI "http://<
ServerDNSName>
/CertEnroll/<
CAName>
<
CRLNameSuffix>
<
DeltaCRLAllowed>
.crl"
Add-CACRLDistributionPoint -Uri "http://<
ServerDNSName>
/CertEnroll/<
CAName>
<
CRLNameSuffix>
<
DeltaCRLAllowed>
.crl" -AddToCertificateCdp -AddToCrlIdp -AddToFreshestCrl
Restart-Service -name certsvc
新增和管理模板:
Install-Module -Name ADCSTemplate
Get-ADCSTemplate | select displayname
Export-ADCSTemplate -DisplayName "Web 服务器" >
.\\webserver_template.json
Export-ADCSTemplate -DisplayName "Web Server" >
.\\webserver_template.json
notepad .\\webserver_template.json
替换pKIExpirationPeriod的值为Validity period时间由默认的2年改为20年:
将
"pKIExpirationPeriod":
[
0,
128,
114,
14,
93,
194,
253,
255
],
替换为:
"pKIExpirationPeriod":
[
0,
0,
121,
144,
162,
151,
233,
255
],
保存。
New-ADCSTemplate -DisplayName "Web20" -JSON (Get-Content .\\webserver_template.json -Raw) -Publish
Set-ADCSTemplateACL -DisplayName Web20 -Type Allow -Identity a\\Domain Users -Enroll
Set-ADCSTemplateACL -DisplayName Web20 -Type Allow -Identity a\\Domain Computers -Enroll
申请证书:
创建CSR工具:https://www.digicert.com/StaticFiles/DigiCertUtil.zip
1)To create a policy file (.inf) in Notepad and save it as requestconfig.inf:
[Version]
Signature="$Windows NT$"
[NewRequest]
;
Change to your,country code, company name and common name
Subject = "CN=afd.ink"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
FriendlyName = "afd-ca"
[Extensions]
2.5.29.17 = "text"
_continue_ = "dns=afd.ink&
"
_continue_ = "dns=*.afd.ink&
"
_continue_ = "dns=nipit.cn&
"
_continue_ = "dns=*.nipit.cn&
"
_continue_ = "dns=ykx.ai&
"
_continue_ = "dns=*.ykx.ai&
"
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ;
this is for Server Authentication / Token Signing
[RequestAttributes]
CertificateTemplate = Web20
SAN = "dns=afd.ink&
dns=*.afd.ink&
dns=nipit.cn&
dns=*.nipit.cn&
dns=ykx.ai&
dns=*.ykx.ai"
2)On the computer for which you are requesting a certificate:
certreq –new requestconfig.inf certrequest.req
certreq -submit certrequest.req certnew.cer
3)导入导出证书:
Import-Certificate -FilePath .\\afd-wildcard.cer -CertStoreLocation Cert:\\LocalMachine\\My
Get-ChildItem -Path Cert:\\LocalMachine\\My
Get-ChildItem -Path cert:\\localMachine\\my\\266FBD875596D7029690CA907AA2977D35341788 | Export-PfxCertificate -FilePath .\\afd-wildcard.pfx -Password (ConvertTo-SecureString -String "1234" -Force -AsPlainText)
Set-Location -Path cert:\\localMachine\\my
PS Cert:\\localMachine\\my>
Import-PfxCertificate -FilePath c:\\afd-wildcard.pfx -Password (ConvertTo-SecureString -String "1234" -Force -AsPlainText)
3.启用远程管理IIS--Enabling IIS Remote Management
Install-WindowsFeature
Web-Mgmt-Service
Set-ItemProperty -Path
HKLM:\\SOFTWARE\\Microsoft\\WebManagement\\Server -Name EnableRemoteManagement
-Value 1
Set-Service -name WMSVC
-StartupType Automatic -Status Running
New-NetFirewallRule -DisplayName "IIS Remote Management" -Direction Inbound
-Action Allow -Service
WMSVC
Copy-Item -Path C:\\afd.ink.pfx
-Destination "\\\\$_\\c$"
certutil -p P@$$w0rd1 -importpfx c:\\afd.ink.pfx
Remove-Item -Path "\\\\$_\\c$\\afd.ink.pfx
Import-Module WebAdministration
Get-ChildItem -Path
Cert:\\LocalMachine\\My
Remove-Item -Path IIS:\\SslBindings\\0.0.0.0!8172
$cert = Get-ChildItem -Path
Cert:\\LocalMachine\\My | Where $_.subject -like "*afd.ink*" |
Select-Object -ExpandProperty Thumbprint
Get-Item -Path
"cert:\\localmachine\\my\\$cert" | New-Item -Path IIS:\\SslBindings\\0.0.0.0!8172
Remove-Item -Path IIS:\\SslBindings\\0.0.0.0!8172
Get-Item -Path
"cert:\\localmachine\\my\\$cert" | New-Item -Path IIS:\\SslBindings\\0.0.0.0!8172
【Windows Server Core 2022--安装AD DS和AD CS证书服务】
推荐阅读
- 如何合并在wordpress中单独管理的两个菜单以在前端主题中显示为一个()
- #私藏项目实操分享#Vue中如何合理地使用watch
- 拉勾Linux运维实战训练营
- Gitlab做java的docker CI
- #yyds干货盘点#异或操作
- #yyds干货盘点#Spring源码三千问为什么要用三级缓存来解决循环依赖问题(二级缓存行不行?一级缓存行不行?)
- 测试服务器带宽的几种常用方法
- Spring Boot + Redis 实现各种操作 #yyds干货盘点#
- java版gRPC实战之二(服务发布和调用)