Authentik Security, Part Six

Configure Authentik

I'm finally coming back to this after working through setting up Firefly III. So the Virtual Geek blog breaks down their walkthrough into four parts.

Enable LDAPS

Part 1. Install and Configure Certificate Authority CA on Server with Group Policy

I quickly spin up an extra domain controller, DC-04, to use for the CA.
Steps performed on the desktop via Server Manager

  • Right click on DC-04
  • Click on Add Roles and Features
  • Click on Next
  • Role-based or feature-based installation
  • Select a server from the server pool: DC-04
  • Click on Next
  • Roles: Active Directory Certificate Services
  • Click on Next
  • Click on Next
  • AD CS Role Services:
    • Certificate Authority
    • Certification Authority Web Enrollment
  • Click on Install

Installation completed successfully! Now it's time to configure Active Directory Certificate Services on the destination server.

  • I set the installation credentials
  • Select Role Services to configure:
    • Certification Authority
    • Certification Authority Web Enrollment
  • Specify the setup type of the CA
    • Enterprise CA
  • Specify the type of the CA
    • Root CA
  • Specify the type of the private key
    • Create a new private key
  • Specify the cryptographic options
    • RSA#Microsoft Software Key Storage Provider
    • Key Length: 4096
    • SHA512
  • Specify the name of the CA
    • DC-04-CA
    • DC=domain,DC=local
    • CN=DC-04-CA,DC=domain,DC=local
  • Specify the validity period:
    • 5 Years
  • Specify the database locations:
    • C:\Windows\system32\CertLog
    • C:\Windows\system32\CertLog
  • I click on Configure
  • Verify and test
    • http://10.10.10.XXX/certsrv/Default.asp
    • http://dc-04.domain.local/certsrv/Default.asp

Well, the page does prompt for credentials like it should, so I think I'm good to go. The next step is to distribute and deploy the CA root chain certificate to the client computers in the domain.

On the CA webpage:

  • I click on Download a CA Certificate, certificate chain, or CRL
  • I select Download CA Certificate

Steps performed on DC-02 via Group Policy Management

  • I open the domain domain.local
  • I right click on Group Policy Objects
  • I click on New
    • CA_Chain_Cert_Deployment
    • (none)
  • I right click on CA_Chain_Cert_Deployment
  • Click on Edit
    • Computer Configuration
    • Policies
    • Windows Settings
    • Security Settings
    • Public Key Policies
  • I right click Trusted Root Certification Authorities
  • I click on Import
  • I begin the Certificate Import Wizard
    • I click on Next
    • I browse to the downloaded CA cert
    • I click on Next
    • I place all certificates in the store Trusted Root Certification Authorities
    • I click on Finish
  • I navigate back up to the domain domain.local
  • I right click and select Link an Existing GPO
  • I select CA_Chain_Cert_Deployment

It looks like this will take about 90 minutes to reach my client computers. Since this is the end of part one, I think this is a good place to stop for today.
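As an added example (not from the original post or the Virtual Geek walkthrough), here is the same CA configuration, GPO creation and link, and a client-side check done in PowerShell. It assumes the names from the steps above (DC-04-CA, domain.local, dc-04.domain.local), that Part C runs on a domain-joined client after the GPO has applied, and that DC-04 has already enrolled its own certificate from the new CA so LDAPS is listening on 636.

```powershell
# Added example, not the original post's code. Names DC-04-CA, domain.local and
# dc-04.domain.local are taken from the walkthrough above; everything else is assumed.

# --- Part A: on DC-04, the Server Manager wizard's choices as cmdlets ---
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CACommonName 'DC-04-CA' -CADistinguishedNameSuffix 'DC=domain,DC=local' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 -HashAlgorithmName SHA512 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 `
    -DatabaseDirectory 'C:\Windows\system32\CertLog' `
    -LogDirectory 'C:\Windows\system32\CertLog' -Force
Install-AdcsWebEnrollment -Force

# --- Part B: on DC-02, create the GPO and link it at the domain root ---
# (the certificate import into Public Key Policies still happens in the GPMC editor)
New-GPO -Name 'CA_Chain_Cert_Deployment' | New-GPLink -Target 'DC=domain,DC=local'

# --- Part C: on a domain client, confirm the root arrived and LDAPS really works ---
function Test-CaDeployment {
    param([string]$CaName = 'DC-04-CA', [string]$LdapsHost = 'dc-04.domain.local')

    # The GPO should have placed the CA certificate in the machine's Trusted Root store
    $root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "CN=$CaName*" }
    if (-not $root) {
        Write-Warning "Root '$CaName' not in LocalMachine\Root yet; run gpupdate /force and retry"
        return $false
    }
    Write-Host "Root present: $($root.Thumbprint) (expires $($root.NotAfter))"

    # Open port 636 and do a real TLS handshake. SslStream's default validation fails
    # unless the DC's certificate chains to a root the client trusts, which is the point.
    $tcp = New-Object System.Net.Sockets.TcpClient($LdapsHost, 636)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($LdapsHost)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        Write-Host "LDAPS OK: $($ssl.SslProtocol) subject=$($cert.Subject) issuer=$($cert.Issuer)"
        # Also confirm the DC's certificate was issued by our CA, not some leftover cert
        return $cert.Issuer -like "CN=$CaName*"
    } catch {
        Write-Warning "LDAPS handshake failed: $($_.Exception.Message)"
        return $false
    } finally {
        $tcp.Close()
    }
}

Test-CaDeployment
```

Part C is the check to rerun after the roughly 90-minute Group Policy refresh; a `$false` with "not in LocalMachine\Root yet" means the GPO has not applied, while a handshake failure with the root present means the DC has not yet enrolled its own certificate.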