Create a certificate using a certificate signing request

A certificate signing request (CSR) is generated by Advanced Server Access and contains information needed to create a subordinate Certificate Authority (CA) within an Active Directory (AD) domain. After the certificate is created and imported into an authorization store, teams must upload the signed certificate to Advanced Server Access where it can be added to one or more AD connections. Some of the steps outlined below may differ depending on your specific AD environment.

Okta recommends placing Advanced Server Access-protected servers in a separate Organizational Unit (OU) from other resources on the domain. Teams should apply any Group Policy Object (GPO) from this process to servers within the separated OU.

  1. Create a CSR in Advanced Server Access.
    1. Open the Advanced Server Access dashboard.
    2. In the user menu, click Team Settings.
    3. Go to the Passwordless Certificates tab. 
    4. Click Create > Certificate Signing Request.
    5. In the Create Certificate Signing Request window, configure the certificate settings.
    6. Click Create Certificate Signing Request.
      The CSR is downloaded to your local device. You will need to move this file to an AD domain controller.
  2. Create a certificate template on an AD Certificate Services (CS) server. 
    1. Open the Certification Authority.
    2. Right-click Certificate Templates and select Manage. The Certificate Templates Console window opens.
    3. Right-click Subordinate Certification Authority and select Duplicate Template. A properties window opens.
    4. In the General tab, under Template Display Name, enter ADPasswordless.
    5. In the Extensions tab, select Application Policy and then click Edit. The Edit Application Policies Extension window opens.
    6. Click Add. The Add Application Policy window opens.
    7. Select Smart Card Logon and Client Authentication, then click OK.
    8. In the Edit Application Policies Extension window, click OK.
  3. Issue a certificate. 
     Note: You must adjust the following commands to use the name of your CSR.
    1. Return to the Certification Authority.
    2. Right-click Certificate Templates and go to New > Certificate Template to Issue.
    3. From the Enable Certificate Templates window, select the certificate template you created and click OK.
    4. Open a command prompt as an administrator.
    5. Navigate to the directory where you stored the CSR and enter the following command:
      certreq -attrib "CertificateTemplate:ADPasswordless" -submit "YOUR_TEAM_CSR" "YOUR_SAVED_CERT"
    6. From the confirmation window, select the related CA and click OK.
      The AD CS service issues a certificate and saves a certificate file with Base-64 encoding.
  4. Import the certificate to the Trusted Root Certification Authorities store.
    1. Double-click the issued certificate.
    2. From the certificate window, click Install Certificate.
    3. From the Certificate Import Wizard window, click Next.
    4. Select Place all certificates in the following store and click Browse.
    5. From the browse window, select Trusted Root Certification Authorities and click OK.
    6. Click Next.
    7. Review the information and click Finish.
      AD imports the certificate.
  5. Import the certificate into AD.
    Note: You must adjust the following commands to use the name of the saved certificate file.
    1. Return to the command prompt and navigate to the directory where you saved the certificate.
    2. Publish the certificate to the DS Enterprise store with the following command:
      certutil -dspublish -f YOUR_SAVED_CERT NTAuthCA
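      The following PowerShell script is an added verification example; it is not part of the Okta procedure or the Advanced Server Access product. It reads the certificate file issued in step 3 and confirms that it carries the two application policies added to the template in step 2 (Smart Card Logon and Client Authentication), that Basic Constraints marks it as a CA, that it is within its validity period, and that its thumbprint now appears in the enterprise NTAuth store after the certutil -dspublish command above. The certificate path is an assumption; substitute your own saved certificate file.

```powershell
# Added verification script (not part of the Okta procedure). Run it on the
# domain controller where you saved the issued certificate. The file name
# below is an assumption that mirrors the placeholder used in the procedure.
param(
    [string]$CertPath = ".\YOUR_SAVED_CERT.cer"
)

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)

# Application policies the ADPasswordless template must carry (well-known OIDs).
$requiredEku = @{
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
}

$problems = New-Object System.Collections.Generic.List[string]

# The template was duplicated from Subordinate Certification Authority, so the
# issued certificate must be flagged as a CA in its Basic Constraints extension.
$basic = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $basic -or -not $basic.CertificateAuthority) {
    $problems.Add('Basic Constraints does not mark this certificate as a CA.')
}

# Enhanced Key Usage must include both application policies from step 2.
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$present = @()
if ($eku) { $present = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
foreach ($oid in $requiredEku.Keys) {
    if ($present -notcontains $oid) {
        $problems.Add("Missing application policy: $($requiredEku[$oid]) ($oid).")
    }
}

# The certificate must be inside its validity window right now.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $problems.Add("Certificate is not currently valid ($($cert.NotBefore) to $($cert.NotAfter)).")
}

# NTAuth publication: certutil prints the SHA-1 hash of each certificate in the
# enterprise NTAuth store. Strip spacing and normalise case before comparing.
$ntAuth = certutil -enterprise -store NTAuth 2>&1 | Out-String
$published = @($ntAuth -split "`r?`n" | ForEach-Object {
    if ($_ -match 'Cert Hash\(sha1\):\s*(.+)$') {
        ($Matches[1] -replace '\s', '').ToUpperInvariant()
    }
})
if ($published -notcontains $cert.Thumbprint.ToUpperInvariant()) {
    $problems.Add('Thumbprint not found in the enterprise NTAuth store; certutil -dspublish may not have completed or replicated yet.')
}

if ($problems.Count -eq 0) {
    Write-Output "OK: $($cert.Subject) ($($cert.Thumbprint)) has the required policies and is published to NTAuth."
} else {
    $problems | ForEach-Object { Write-Output "CHECK FAILED: $_" }
    exit 1
}
```

      A failed NTAuth check right after publishing is usually replication lag rather than a failed command; re-run the script after AD replication has completed before repeating the certutil -dspublish step.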
  6. Distribute the certificate to client servers using Group Policy.
    1. Start the Group Policy Management snap-in.
    2. Create a new GPO for the Advanced Server Access OU.
    3. Right-click the GPO and click Edit.
    4. In the console tree, go to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
    5. Right-click Trusted Root Certification Authorities and click Import.
    6. In the Welcome to the Certificate Import Wizard, click Next.
    7. Specify the path to the saved certificate file and click Next.
    8. Click Place all certificates in the following store and click Next.
    9. Verify the information and click Finish.
  7. Disable Network Level Authentication using Group Policy.
    This step is not required if your Advanced Server Access gateway is on the same subnet as your servers.
    1. From the Group Policy Management snap-in, locate the Advanced Server Access GPO you created previously.
    2. Right-click the GPO and click Edit.
    3. In the console tree, go to Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security.
    4. Double-click Require user authentication for remote connections by using Network Level Authentication and click Edit.
    5. In the properties window, select Disabled.
    6. Click Apply and then click OK.
  8. Upload the signed certificate to Advanced Server Access.
    1. Return to the Passwordless Certificates tab in the Advanced Server Access dashboard.
    2. Identify the created certificate record.
    3. Click the gear icon > Upload certificate.
    4. In the Upload Certificate window, click Browse files.
    5. In the file explorer window, locate the issued certificate file.
    6. In the Upload Certificate window, click Upload.
  9. Optional. Require smart card authentication for accounts.
    Important: Teams should only apply this policy to Advanced Server Access-protected servers. If your Okta org uses Active Directory delegated authentication, applying this policy to user accounts will make them unable to access the Okta dashboard.
    1. From the Group Policy Management snap-in, locate the Advanced Server Access GPO you created previously.
      Note: Do not apply this setting to the default domain GPO.
    2. Right-click the GPO and click Edit.
    3. In the console tree, go to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options.
    4. Double-click Interactive logon: Require Windows Hello for Business or smart card.
      Note: In some Windows versions, this setting may be located at a different location and named Interactive logon: Require smart card.
    5. In the properties window, select Define this policy setting.
    6. Select Enabled.
    7. Click Apply and then click OK.
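    The following PowerShell script is an added client-side check; it is not part of the Okta procedure or the Advanced Server Access product. Run it on a server inside the Advanced Server Access OU to confirm that the GPOs from steps 6, 7 and 9 actually landed: the issued certificate is in the machine Trusted Root store, the NLA requirement is disabled, and (if you applied the optional step 9) smart card logon is enforced. The certificate thumbprint and GPO display name are assumptions; substitute your own. Running the same script on a server outside the OU should report the GPO as not applied, which confirms the scoping the introduction asks for.

```powershell
# Added client-side verification (not part of the Okta procedure). Run on a
# server in the Advanced Server Access OU after the GPOs have been linked.
# The thumbprint and GPO name are assumptions; replace them with your values.
param(
    [string]$CaThumbprint = 'PASTE_ISSUED_CERT_THUMBPRINT',   # SHA-1 thumbprint of the issued certificate (assumption)
    [string]$GpoName      = 'Advanced Server Access',         # display name of the GPO you created (assumption)
    [switch]$ExpectSmartCardRequired                          # set this if you applied optional step 9
)

$findings = New-Object System.Collections.Generic.List[string]

# Refresh policy so the checks reflect the current GPO links.
gpupdate /force | Out-Null

# 1. Was the GPO applied to this computer at all?
$gpresult = gpresult /R /SCOPE COMPUTER 2>&1 | Out-String
if ($gpresult -notmatch [regex]::Escape($GpoName)) {
    $findings.Add("GPO '$GpoName' is not listed among applied computer policies; check the OU link and security filtering.")
}

# 2. Step 6: the issued certificate must be in the machine Trusted Root store.
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $CaThumbprint.ToUpperInvariant() }
if (-not $root) {
    $findings.Add("Certificate $CaThumbprint is not present in Cert:\LocalMachine\Root.")
}

# 3. Step 7: the NLA policy writes UserAuthentication under the Terminal Services
#    policy key; 0 means the requirement is disabled. A missing value means the
#    GPO did not configure it (fine if the gateway shares the servers' subnet).
$tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$nla = (Get-ItemProperty -Path $tsPolicy -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
if ($null -eq $nla) {
    $findings.Add('NLA policy is not configured by GPO (only needed when the gateway is on a different subnet).')
} elseif ($nla -ne 0) {
    $findings.Add("NLA is still required (UserAuthentication = $nla).")
}

# 4. Step 9 (optional): the "Interactive logon: Require ... smart card" setting
#    maps to scforceoption = 1 under the System policy key.
if ($ExpectSmartCardRequired) {
    $sysPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $scforce = (Get-ItemProperty -Path $sysPolicy -Name scforceoption -ErrorAction SilentlyContinue).scforceoption
    if ($scforce -ne 1) {
        $findings.Add("Smart card logon is not enforced (scforceoption = $scforce).")
    }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: $env:COMPUTERNAME trusts the CA certificate and has the expected logon policies applied."
} else {
    $findings | ForEach-Object { Write-Output "CHECK FAILED: $_" }
    exit 1
}
```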

After the certificate is uploaded, Advanced Server Access checks the validity of the certificate file. If the certificate is valid, teams can add the certificate to new or existing AD connections.
