4.12.2 WNES Configuration
The WNES and CSRES-SCEP infrastructure hosted by JPL will have the following characteristics and configuration:
1. The WNES and CSRES-SCEP components will be deployed on the JPL operation network on a secure VLAN.
2. These services will be deployed at the primary site X. Additional instances are to be deployed at the X data center to allow for high-availability.
3. One WNES server can only issue certificates to computers that are members of the same AD forest. Additional WNES servers will need to be deployed if computers are members of more than one AD forest.
4. There is no need to develop a custom DN builder in support of the user and computer certificates. The default WNES DN builder capabilities will be leveraged.
5. WNES will not require PKI administrators to approve auto-enrollment requests. Certificates will automatically be issued to the devices and computers upon successful Windows authentication. Automatic certificate renewal will be enabled.
6. A custom AD domain group will be created to automatically enroll the computers.
7. Automatic certificate renewal will be enabled. This will be configured using an AD policy setting.
8. The Windows computers will be issued a certificate with a lifetime of 12 months. The policy will be configured to allow this certificate type to be automatically renewed 45 days before expiration.
9. The Windows computers will be issued a single verification certificate.
10. The computer certificate template will be set to NOT allow private key export. These settings are configured in the Microsoft certificate templates.
11. Note to MSO: Microsoft will add some proprietary extensions (i.e. Application Policies and Certificate Template Information) to these certificates. These extensions are required for auto-renewal and must not be removed.
12. The following certificates will be required by the WNES and CSRES-SCEP server:
a. CSRES Approver to be configured on the servers;
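
An audit sketch for items 8 and 11 above, added here as an example and not part of the original configuration document: it checks each certificate in a Windows computer's machine store against the 12-month lifetime, the 45-day renewal window, and the two Microsoft extensions that auto-renewal depends on. The function name, the output shape and the one-day lifetime tolerance are assumptions.

```powershell
# Added example (not from the original document). Policy values come from
# items 8 and 11; names and the tolerance below are assumptions.
$MaxLifetimeMonths = 12          # item 8: certificate lifetime
$RenewalWindowDays = 45          # item 8: renewal allowed this many days before expiry
$LifetimeToleranceDays = 1       # assumption: absorbs CA clock-skew backdating of NotBefore
$RequiredExtensions = @{         # item 11: Microsoft extensions needed for auto-renewal
    '1.3.6.1.4.1.311.21.7'  = 'Certificate Template Information'
    '1.3.6.1.4.1.311.21.10' = 'Application Policies'
}

function Test-ComputerCertPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [datetime]$Now = (Get-Date)
    )
    process {
        $findings = @()
        # Lifetime: NotAfter may not exceed NotBefore + 12 calendar months (+ tolerance).
        $limit = $Certificate.NotBefore.AddMonths($MaxLifetimeMonths).AddDays($LifetimeToleranceDays)
        if ($Certificate.NotAfter -gt $limit) {
            $findings += "lifetime exceeds $MaxLifetimeMonths months"
        }
        # Extensions: both Microsoft OIDs must still be present in the certificate.
        $present = @($Certificate.Extensions | ForEach-Object { $_.Oid.Value })
        foreach ($oid in $RequiredExtensions.Keys) {
            if ($present -notcontains $oid) {
                $findings += "missing extension $($RequiredExtensions[$oid]) ($oid)"
            }
        }
        # Renewal: a certificate still in use inside the window has not been renewed yet.
        $daysLeft = [math]::Floor(($Certificate.NotAfter - $Now).TotalDays)
        if ($daysLeft -lt 0) {
            $findings += 'expired'
        } elseif ($daysLeft -lt $RenewalWindowDays) {
            $findings += "inside $RenewalWindowDays-day renewal window, not yet renewed"
        }
        [pscustomobject]@{
            Subject    = $Certificate.Subject
            Thumbprint = $Certificate.Thumbprint
            NotAfter   = $Certificate.NotAfter
            DaysLeft   = $daysLeft
            Compliant  = ($findings.Count -eq 0)
            Findings   = $findings -join '; '
        }
    }
}

# Audit the local computer store; read-only, no certificates are modified.
Get-ChildItem Cert:\LocalMachine\My | Test-ComputerCertPolicy | Format-Table -AutoSize
```

The machine store usually holds certificates from other issuers as well, so filter on the issuing CA before treating a finding as a policy violation.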