AD CS Linux Certificate Template Configuration
Step-by-step guide for creating an AD CS certificate template suitable for Linux workstation EAP-TLS authentication. Based on production experience with home-dc01.inside.domusdigitalis.dev.
> For CHLA: This guide documents the exact template configuration Victor needs for
1. Problem Statement
Linux workstations cannot use the standard Windows certificate templates because:
- Subject Name: Linux generates its own CSR, including the subject DN. A template that builds the subject from Active Directory ignores what the CSR says.
- Private Key Export: Linux keeps the private key as a file under `/etc/ssl/private/`. The template's key policy has to allow that; templates that prohibit export are written for keys locked inside a Windows CSP/KSP.
- Enrollment Method: Linux cannot auto-enroll via Group Policy. The CSR has to be submitted manually (web enrollment or certreq).
2. Template Requirements
| Setting | Value | Reason |
|---|---|---|
| Template Name | `Linux-Workstation-Auth` | Clear identification |
| Subject Name | Supply in the request | Linux CSR contains the subject |
| Private Key Export | Allow | Linux stores the key on the filesystem |
| Extended Key Usage | Client Authentication (1.3.6.1.5.5.7.3.2) | Required for EAP-TLS |
| Key Size | Minimum RSA 2048 (recommend 4096) | Security baseline; the CA rejects smaller keys |
| Validity Period | 1-2 years | Balance security vs. renewal overhead |
| Renewal Period | 6 weeks before expiry | Time for manual renewal |
3. Step-by-Step: Create Template on AD CS
3.1. Prerequisites
- Domain Admin or CA Admin rights
- Access to the CA server (home-dc01.inside.domusdigitalis.dev)
- Certificate Templates MMC snap-in
3.2. Open Certificate Templates Console
```text
# On the CA server (home-dc01)
certtmpl.msc
```
Or: Server Manager → Tools → Certification Authority → right-click Certificate Templates → Manage
3.3. Duplicate an Existing Template
- Right-click the Workstation Authentication template
- Select Duplicate Template
- On the Compatibility tab, choose Windows Server 2012 R2 (or newer) for both Certification Authority and Certificate recipient. The Key Storage Provider options used in 3.7 are only offered at Windows Server 2008 / Windows Vista or later.
3.4. Configure General Tab
```text
Template display name: Linux-Workstation-Auth
Template name: Linux-Workstation-Auth
Validity period: 1 year
Renewal period: 6 weeks
☑ Publish certificate in Active Directory
```
The Template name cannot be changed after the template is created (the display name can), and it is the value certreq expects in `CertificateTemplate:`.
3.5. Configure Subject Name Tab (CRITICAL)
```text
⚪ Build from this Active Directory information ← DO NOT SELECT
⦿ Supply in the request ← SELECT THIS
```
> This is the most common mistake. If "Build from this Active Directory information" is selected, the CA ignores the subject in the Linux CSR and builds one from the AD object of the account that submitted the request, so the certificate ends up with the wrong CN.
>
> "Supply in the request" is also the setting that makes a template abusable when it is combined with an authentication EKU and broad Enroll rights (the ESC1 pattern): anyone who can enroll can request a certificate carrying any subject or SAN, including another machine's or user's identity. Grant Enroll only to the dedicated Linux computer group, never to Domain Computers or Authenticated Users, and consider requiring CA certificate manager approval on the Issuance Requirements tab so each request is reviewed before issuance.
3.6. Configure Request Handling Tab
```text
Purpose: Signature and encryption
☑ Allow private key to be exported ← CHECK
☐ Delete revoked or expired certificates
☐ Include symmetric algorithms allowed by subject
☐ Archive subject's encryption private key ← LEAVE UNCHECKED
```
Two caveats before relying on these boxes:
- The export flag is enforced by the Windows enrollment client, not by the CA. For a CSR generated with openssl the CA only ever sees the public key, so this flag cannot cause a rejection; check it so the template's stated policy matches a key that already lives on disk, and so a Windows-side test enrollment behaves the same way.
- Key archival must stay off. An archival template requires the enrollment client to send the private key to the CA inside a CMC request; a plain PKCS #10 from openssl cannot, and the CA rejects it as missing the key for archival. Archiving an authentication-only key also hands the CA operators a copy of the workstation's identity, which defeats the purpose of EAP-TLS.
3.7. Configure Cryptography Tab
```text
Provider Category: Key Storage Provider
Algorithm name: RSA
Minimum key size: 2048 (recommend 4096)
☑ Requests must use one of the following providers:
    - Microsoft Software Key Storage Provider
```
Minimum key size is the one setting on this tab the CA enforces against an incoming CSR: a request with a smaller key is rejected. The provider list only steers Windows enrollers; a CSR generated with openssl carries no provider information and the CA does not check it.
3.8. Configure Extensions Tab
Ensure Application Policies includes:
```text
Client Authentication (1.3.6.1.5.5.7.3.2)
```
The duplicated Workstation Authentication template should already carry only Client Authentication; if any other EKU (for example Server Authentication) is present and not needed, remove it. Leave Key Usage at Digital Signature (plus Key Encipherment, as the duplicated template sets it).
4. Linux Certificate Enrollment
4.1. Generate Private Key and CSR
```bash
HOSTNAME=$(hostname -s)
DOMAIN="inside.domusdigitalis.dev"
KEY=/etc/ssl/private/${HOSTNAME}-eaptls.key

# Generate a 4096-bit private key; the umask keeps it root-only from the moment it is written
sudo sh -c "umask 077 && openssl genrsa -out $KEY 4096"
sudo chmod 600 "$KEY"

# Generate the CSR. The CN is copied verbatim into the certificate ("Supply in the request"),
# so it must be the FQDN that ISE expects to see.
sudo openssl req -new \
  -key "$KEY" \
  -out /tmp/${HOSTNAME}.csr \
  -subj "/CN=${HOSTNAME}.${DOMAIN}"

# Verify the CSR (subject and key size) before submitting it
openssl req -in /tmp/${HOSTNAME}.csr -noout -text | head -20
```
4.2. Submit CSR to AD CS
Option A: Web Enrollment (certsrv)
- Navigate to home-dc01.inside.domusdigitalis.dev/certsrv (over HTTPS; the page takes domain credentials)
- Request a certificate → Advanced certificate request
- Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file
- Paste the CSR content
- Select the Linux-Workstation-Auth template
- Submit
Option B: certreq (PowerShell)
```powershell
# On a Windows machine with network access to the CA.
# -config is "<CA host>\<CA common name>"; `certutil -dump` lists the CAs known to AD.
certreq -submit `
  -config "{homedc-hostname}\{adcs-ca-name}" `
  -attrib "CertificateTemplate:Linux-Workstation-Auth" `
  "C:\Certs\modestus-p50.csr" "C:\Certs\modestus-p50.cer"
```
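The following PowerShell wrapper is an added example, not code from the original guide: it submits the CSR the same way the certreq line above does, then handles the case the page does not show, a template that requires CA certificate manager approval, by polling `certreq -retrieve` until the request is issued, and finally prints what the CA actually put in the certificate so a wrong subject or EKU is caught before the file is copied to Linux. The CA config string, template name and paths are assumed placeholders; the strings it matches on (`RequestId:`, `Taken Under Submission`, `Issued`, `Denied`) are certreq's standard disposition output.

```powershell
# Added example (not from the original guide): submit a Linux-generated CSR with
# certreq, wait if the template pends requests for CA manager approval, then show
# what was issued. CA config string, template and paths below are assumed placeholders.
param(
    [Parameter(Mandatory)][string]$CsrPath,                            # e.g. C:\Certs\modestus-p50.csr
    [string]$CaConfig = 'home-dc01.inside.domusdigitalis.dev\Home-CA', # assumed "<CA host>\<CA name>"
    [string]$Template = 'Linux-Workstation-Auth',
    [int]$WaitMinutes = 30
)
$cerPath = [System.IO.Path]::ChangeExtension($CsrPath, '.cer')

# certreq prints "RequestId: <n>" for both issued and pending submissions
$out = & certreq.exe -submit -config $CaConfig -attrib "CertificateTemplate:$Template" $CsrPath $cerPath 2>&1 | Out-String
if ($out -match 'RequestId:\s*(\d+)') { $requestId = [int]$Matches[1] } else { throw "Submission failed:`n$out" }

if ($out -match 'Taken Under Submission') {
    # Template has "CA certificate manager approval" set: a CA manager must issue
    # request $requestId in certsrv.msc > Pending Requests. Poll until it is available.
    Write-Host "Request $requestId is pending approval on $CaConfig"
    $deadline = (Get-Date).AddMinutes($WaitMinutes)
    do {
        Start-Sleep -Seconds 30
        $out = & certreq.exe -retrieve -config $CaConfig $requestId $cerPath 2>&1 | Out-String
    } until ($out -match 'Issued' -or $out -match 'Denied' -or (Get-Date) -gt $deadline)
}
if (-not (Test-Path $cerPath)) { throw "Request $requestId not issued:`n$out" }

# Check the issued certificate before copying it to the Linux host: the subject must be
# the CSR's CN (not built from AD) and the EKU must include Client Authentication.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$eku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # extendedKeyUsage
[pscustomobject]@{
    RequestId = $requestId
    Subject   = $cert.Subject
    Issuer    = $cert.Issuer
    NotAfter  = $cert.NotAfter
    KeyBits   = $cert.PublicKey.Key.KeySize
    EKU       = $(if ($eku) { $eku.Format($false) } else { '(none)' })
    File      = $cerPath
}
```

Run it as, for example, `.\Submit-LinuxCsr.ps1 -CsrPath C:\Certs\modestus-p50.csr` (script name assumed). If the template does not pend requests, the certificate is written immediately and only the summary object is printed; if the subject shown there is not the CSR's CN, the template is still set to "Build from this Active Directory information".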
4.3. Install Certificate on Linux
```bash
HOSTNAME=$(hostname -s)
CERT=/etc/ssl/certs/${HOSTNAME}-eaptls.pem
KEY=/etc/ssl/private/${HOSTNAME}-eaptls.key

# Copy the signed certificate from the Windows host where certreq wrote it
scp admin@{homedc-hostname}:C:/Certs/${HOSTNAME}.cer /tmp/

# certsrv/certreq may hand back DER or Base64 (PEM); normalise to PEM
if grep -q 'BEGIN CERTIFICATE' /tmp/${HOSTNAME}.cer; then
  sudo cp /tmp/${HOSTNAME}.cer "$CERT"
else
  sudo openssl x509 -in /tmp/${HOSTNAME}.cer -inform DER -out "$CERT" -outform PEM
fi
sudo chmod 644 "$CERT"

# Verify subject, EKU and key size (-ext needs OpenSSL 1.1.1 or newer)
openssl x509 -in "$CERT" -noout -subject -ext extendedKeyUsage
openssl x509 -in "$CERT" -noout -text | head -30

# Verify the key matches the certificate by comparing public keys (works for any key type)
CERT_PUB=$(openssl x509 -in "$CERT" -noout -pubkey | sha256sum)
KEY_PUB=$(sudo openssl pkey -in "$KEY" -pubout | sha256sum)
[ "$CERT_PUB" = "$KEY_PUB" ] && echo "key matches certificate" || echo "MISMATCH: wrong key or wrong certificate"
```
5. Verification Checklist
- Template published on the CA
- "Supply in the request" enabled
- Private key export allowed
- Key archival not required
- Client Authentication EKU present
- Minimum 2048-bit RSA key
- Only the Linux security group has Enroll permission (not Domain Computers or Authenticated Users)
- Test enrollment with one workstation
- Verify EAP-TLS authentication against ISE
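As an added verification example (not part of the original guide or its environment), the following PowerShell script reads the template object from Active Directory and checks the items in this list together with the settings from section 3, so the MMC work can be confirmed from a shell rather than by re-opening each tab. It assumes the template name `Linux-Workstation-Auth` and a domain-joined Windows host with read access to the Configuration partition; it uses plain ADSI and needs no RSAT module. The flag bit values are those documented in MS-CRTD for the template schema attributes.

```powershell
# Added example (not from the original guide): audit a template against the
# requirements in this guide. Assumes the template name below and a domain-joined
# Windows host that can read the Configuration partition; plain ADSI, no RSAT module.
param(
    [string]$TemplateName = 'Linux-Workstation-Auth',  # assumed; set to your template's Template name
    [int]$MinKeySize = 2048
)

# Flag bits as defined in MS-CRTD (certificate template schema)
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT    = 0x00000001   # msPKI-Certificate-Name-Flag
$CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL = 0x00000001   # msPKI-Private-Key-Flag
$CT_FLAG_EXPORTABLE_KEY               = 0x00000010   # msPKI-Private-Key-Flag
$CT_FLAG_PEND_ALL_REQUESTS            = 0x00000002   # msPKI-Enrollment-Flag (CA manager approval)
$OID_CLIENT_AUTH   = '1.3.6.1.5.5.7.3.2'
$ENROLL_RIGHT_GUID = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # "Enroll" extended right

$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"
$tmplPath = "LDAP://CN=$TemplateName,CN=Certificate Templates,$pkiBase"
if (-not [System.DirectoryServices.DirectoryEntry]::Exists($tmplPath)) {
    throw "Template '$TemplateName' not found under CN=Certificate Templates,$pkiBase"
}
$tmpl  = [ADSI]$tmplPath
$props = $tmpl.psbase.Properties

$nameFlag   = [int]$props['msPKI-Certificate-Name-Flag'].Value
$keyFlag    = [int]$props['msPKI-Private-Key-Flag'].Value
$enrollFlag = [int]$props['msPKI-Enrollment-Flag'].Value
$minKey     = [int]$props['msPKI-Minimal-Key-Size'].Value
$ekus       = @($props['pKIExtendedKeyUsage'])

# CAs that publish the template list it in pKIEnrollmentService.certificateTemplates
$caSearch = [System.DirectoryServices.DirectorySearcher]::new(
    [ADSI]"LDAP://CN=Enrollment Services,$pkiBase", '(objectClass=pKIEnrollmentService)')
$publishedOn = @(foreach ($ca in $caSearch.FindAll()) {
    if (@($ca.Properties['certificatetemplates']) -contains $TemplateName) { $ca.Properties['cn'][0] }
})

# Principals holding the Enroll extended right. An empty ObjectType GUID means
# "all extended rights", and GenericAll includes ExtendedRight, so both are counted.
$rules = $tmpl.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
$enrollers = @($rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
    ($_.ObjectType -eq $ENROLL_RIGHT_GUID -or $_.ObjectType -eq [guid]::Empty)
} | ForEach-Object { $_.IdentityReference.Value })

$checks = [ordered]@{
    'Subject name: supply in the request' = ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    'Private key export allowed'          = ($keyFlag -band $CT_FLAG_EXPORTABLE_KEY) -ne 0
    'Key archival NOT required'           = ($keyFlag -band $CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL) -eq 0
    'Client Authentication EKU present'   = $ekus -contains $OID_CLIENT_AUTH
    "Minimum key size >= $MinKeySize"     = $minKey -ge $MinKeySize
    'Published on at least one CA'        = $publishedOn.Count -gt 0
    'CA manager approval required'        = ($enrollFlag -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
}

$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Result = $(if ($_.Value) { 'PASS' } else { 'REVIEW' }) }
} | Format-Table -AutoSize
"Published on CA(s)    : $($publishedOn -join ', ')"
# Supply-in-request plus Client Authentication is only safe when this list is the
# dedicated Linux computer group (and admins), never Domain Computers or Authenticated Users.
"Principals with Enroll: $($enrollers -join ', ')"
```

Run it as, for example, `.\Test-LinuxTemplate.ps1 -TemplateName Linux-Workstation-Auth` (script name assumed) from any domain-joined host. The last line is the ESC1 check: with "Supply in the request" and a Client Authentication EKU, every principal listed there can request a certificate for any subject, so the list should contain only the Linux computer group and the CA administrators. "CA manager approval required" is reported as REVIEW rather than a failure when it is off, since the guide does not mandate it, but turning it on is the simplest compensating control if the Enroll list has to be wider than one group.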
6. Common Issues
| Issue | Resolution |
|---|---|
| CSR subject ignored | Template uses "Build from this Active Directory information"; switch to "Supply in the request" |
| Private key not exportable | Enable "Allow private key to be exported" in Request Handling |
| Request rejected for a missing private key to archive | "Archive subject's encryption private key" is set; a bare PKCS #10 cannot carry the key, so uncheck it |
| Certificate request denied | Check security group membership and the Enroll permission on the template |
| Wrong template in certreq | Use the exact Template name (not the display name; it has no spaces) in `CertificateTemplate:` |
| Certificate has wrong EKU | Verify Application Policies includes Client Authentication |
7. CHLA-Specific Notes
For the CHLA deployment, Victor should:
- Create the template `CHLA-Linux-Workstation-Auth` following this guide
- Grant Enroll permission to `GRP-Linux-Computers`
- Publish the template on the CHLA SubCA
- Provide the web enrollment URL or certreq access to Ben
The existing ISE-Computer template was confirmed NOT usable (no "Supply in the request", no key export).