AD CS in Windows Server

Active Directory Certificate Services (AD CS) implements a PKI in your Active Directory and Windows Server 2008 environment. Windows clients that participate in an AD domain or forest are configured to trust internal Windows CAs by default: an enterprise CA publishes its certificate to the configuration partition, and domain members pick it up as a trusted root. A Windows-based CA is said to be internal because, by default, external clients will not be able to use it unless your CA certificate is installed as a trusted root on those external clients. While it is possible to establish such a trust with partner companies, it is not practical for Internet-facing applications/servers (for such uses, a public CA is the better choice). AD CS allows you to issue any number of certificates at no cost beyond the OS and hardware that run AD CS. With AD CS, you can implement the following technologies on your internal network:

■ Smart card logon (authentication)

■ IPsec communication security

■ Encrypted File System (EFS)

■ Secure Multipurpose Internet Mail Extensions (S/MIME)

■ Secure web sites using Secure Sockets Layer (SSL) or Transport Layer Security (TLS)

■ Digital signatures to ensure non-repudiation in any of the preceding technologies

■ Secure wireless communication

■ Network Access Protection (NAP)

Issuing Certificates

You can issue digital certificates in Windows Server 2008 either manually (using the Certificates MMC snap-in or Web Enrollment feature), or automatically (using group policy autoenrollment). Besides these functions, the Certificates snap-in allows you to perform the following:

■ Request a certificate to be reissued.

■ Renew certificates, generating new keys or using existing ones.

■ Configure automatic enrollment.

■ Import or export certificates into a file (including backing up a private key).

■ Search, delete, and edit certificates.

You can also use a web interface to request new certificates. This may be a valuable option if you need to request a certificate from a Windows CA located outside your Active Directory structure. By default, Certificate Services creates an Internet Information Services (IIS) virtual directory called "certsrv," and you can request certificates by going to http://servername/certsrv/ in your browser. This feature is called Web Enrollment. Web Enrollment also serves the CA certificate and the CRL for download. Because the pages authenticate the requester with Windows credentials and hand issued certificates back over the same connection, bind a server certificate to the site and use https:// for it outside the lab.

Online Responder Service

The Online Responder service implements the Online Certificate Status Protocol (OCSP), defined in RFC 2560. OCSP differs from a CRL in that it runs as a service that accepts validity queries about specific certificates. The responder looks up the status (it keeps itself current from the CA's published CRLs) and returns a digitally signed response containing the status of the certificate in question. The response is signed with an OCSP Response Signing certificate issued by the CA, so a client verifies the responder's signature before it trusts the answer.

A CRL, on the other hand, is a single signed file listing the serial numbers of all revoked, not-yet-expired certificates issued by a CA. It is also signed, but it must be downloaded whole and is then cached by the client until its Next Update time, so it can grow large in sizeable deployments and is only as fresh as its publication interval. With either mechanism the client must be able to reach the URL embedded in the certificate (the CRL Distribution Point or the OCSP entry in Authority Information Access). Plan those locations before you issue certificates; they cannot be changed in certificates that have already been issued.
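As an added example (this script is not part of the original text), the following PowerShell checks a certificate's revocation status the way a Windows client does: it builds the chain through CryptoAPI with online revocation checking, which consults the CRL Distribution Point or the OCSP URL embedded in the certificate, so it exercises a CRL or an Online Responder without any protocol-specific code. The certificate file path is a placeholder.

```powershell
# Added example, not from the original text. Checks a certificate's revocation status through
# CryptoAPI chain building, exactly as a Windows client would, so it exercises whichever of the
# two mechanisms the certificate points at: the CRL at its CRL Distribution Point or the
# Online Responder at its OCSP URL. Assumed: the certificate is exported to the .cer file below.
param(
    [string]$CertPath = 'C:\temp\user.cer'   # placeholder path
)

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.VerificationFlags   = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15

$built = $chain.Build($cert)

$path = ($chain.ChainElements | ForEach-Object { $_.Certificate.GetNameInfo('SimpleName', $false) }) -join ' -> '
Write-Host "Subject    : $($cert.Subject)"
Write-Host "Chain      : $path"
Write-Host "Chain built: $built"

# CryptoAPI reports a revocation problem it could not resolve as a distinct status. A client
# that ignores those statuses fails open, and then anyone who can block the CDP/OCSP URL can
# resurrect a revoked certificate. Treat all three as a hard failure.
$fatal = 'Revoked', 'RevocationStatusUnknown', 'OfflineRevocation'
$revocationProblem = $false
foreach ($s in $chain.ChainStatus) {
    Write-Host ("  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim())
    foreach ($f in $fatal) { if ($s.Status.ToString() -match $f) { $revocationProblem = $true } }
}

if (-not $built -or $revocationProblem) {
    Write-Warning 'Certificate is NOT acceptable (untrusted, revoked, or revocation status unavailable).'
    exit 1
}
Write-Host 'Certificate is valid and its revocation status was confirmed online.'
```

From the command line, certutil -verify -urlfetch C:\temp\user.cer does the same job and prints every CDP, AIA and OCSP URL it fetched together with the result, which is the quickest way to see whether the Online Responder or the CRL answered, and which of the two the client preferred.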

Network Device Enrollment Service

The Network Device Enrollment Service (NDES) allows network devices to request certificates and enroll with a Windows CA, just as any other Windows client would. NDES implements SCEP, or the Simple Certificate Enrollment Protocol, which was developed by Cisco. Using NDES, you can extend your internal CA coverage to include network gear. This would be handy in IPsec or NAP implementations.

NDES cannot be installed before or during CA installation (it must be installed once a fully functional CA is accessible on the network). This has to do with the fact that, in order for NDES to perform its enrollment functions successfully and securely, it needs to enroll itself with the associated CA.

Registration Authority

In SCEP, the Registration Authority (RA) is the component that receives enrollment requests from devices, authenticates them (NDES uses a one-time challenge password that an administrator obtains from the NDES admin page), and forwards them to the CA for signing; the CA never talks to the device directly. NDES is that RA, which is why, during installation of the NDES role service, you will be prompted to provide Registration Authority information (a name and country/region that go into the RA's own certificates). Since NDES does not need to be deployed on the same computer as the rest of the CA infrastructure, the installation process also needs to identify which CA the forwarded enrollment requests are submitted to.

Automatic Enrollment

Starting with Windows Server 2003, it is possible to register users as well as computers with a CA automatically (Windows 2000 could already autoenroll computers; user autoenrollment arrived with Windows Server 2003 and version 2 certificate templates). This is especially useful in environments that contain significant numbers of users and computers.

To enroll your users automatically, you need to make sure that the following conditions are met:

■ All domain controllers must be running at least Windows 2000 Server SP3. Windows Server 2003/2008 is highly recommended.

■ Clients must be running Windows XP/Vista, or Windows Server 2003/2008.

■ You need an enterprise CA running on the Enterprise or Datacenter Edition of Windows Server 2003 or Windows Server 2008. User autoenrollment depends on version 2 (or version 3) certificate templates, and the Standard Edition CA of those releases cannot issue from them.

Root and Subordinate (Issuing) CA

In any chain of CA trust, there is always a first system at the very beginning that serves as the anchor of the trust chain; this is no different from DNS and its "." root. This system is referred to as the root CA. The root CA creates a new instance of a certification authority hierarchy, much as the first domain controller creates a new instance of an AD DS forest. If a client trusts the root CA, it will trust all certificates issued by any entity that "chains up" to the same root CA (assuming, that is, the certificates are not invalidated by other factors, such as an expired validity period or revocation status).

The issuing CA, or subordinate CA, is a CA system that participates in an existing hierarchy; it is a descendant of the root CA, or of another intermediate/subordinate CA. There can be many levels of subordination.

Imagine a scenario where an organization deploys a single root CA system and issues 10,000 certificates to all domain-based computers. A month later, they discover that their root system had a Trojan on it, and they decide that the root CA can no longer be trusted (i.e., its private key may have been compromised). Reinstalling that CA would be a little bit of a problem, since you would need to revoke all existing certificates, ensure that the CRL information is published somewhere before destroying the compromised system, then install a new root CA, configure clients to trust the new system, and finally, issue all certificates again. That would be a bit of a challenge, and the more partner relationships your organization chooses to engage in, the more complex and embarrassing this process will become.

The solution is to have a single root CA system, deployed as a standalone root CA, use it to issue several subordinate CA certificates, and take it offline on a semipermanent basis. Subordinate (or issuing) CAs are then deployed as enterprise CAs and used to issue certificates. Should any of the online CAs be compromised, the root CA is brought back up long enough to revoke the issuing CA's certificate, publish a new CRL, and sign a certificate for a replacement issuing CA. All existing user/computer certificates issued by the fallen subordinate CA then lose their validity, because their trust path no longer "chains up" to a valid CA. Two details make this work in practice: the root's CRL must be published somewhere clients can reach while the root is offline (an HTTP CRL Distribution Point, plus Active Directory), and clients keep a cached CRL until its Next Update time, so the root's CRL publication interval bounds how long a revoked issuing CA continues to be trusted. Invalidation takes effect when each client next fetches the root's CRL, not at the moment of revocation. The main beauty of this design is that you won't need to reinstall your entire PKI, won't need to reconfigure clients to trust a new root CA, and won't need to exchange new root CA certificates with partnering organizations.
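The recovery just described, as an added example (not the book's own procedure): this PowerShell script, run in an elevated session on the offline standalone root, revokes the compromised issuing CA's certificate, publishes a fresh CRL, and shows how long clients may keep trusting the old one. The CA configuration string, the transfer path and the certificate serial are placeholders for your environment.

```powershell
# Added example, not part of the original text: revoking a compromised issuing CA on the
# offline standalone root and getting the new CRL out to clients. Run in an elevated
# PowerShell on the root CA. Everything marked "assumed" is a placeholder.

$RootConfig = 'FLEXROOT\Flexecom Root CA'   # assumed: "host\CA name" of the offline root
$CdpTarget  = 'D:\transfer\pki'              # assumed: media or share that feeds the HTTP CDP
$Reason     = 2                              # certutil revocation reason code 2 = CACompromise

function Invoke-CertUtil([string[]]$Arguments) {
    $out = & certutil.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil $($Arguments -join ' ') failed`n$($out -join "`n")" }
    $out
}

# 1. Find the serial number of the issuing CA's certificate in the root's database.
#    Disposition 20 = issued. The issuing CA's name appears in the CommonName column.
Invoke-CertUtil @('-config', $RootConfig, '-view', '-restrict', 'Disposition=20',
                  '-out', 'RequestID,SerialNumber,CommonName,NotAfter')
$SubCaSerial = Read-Host 'Serial number of the compromised issuing CA certificate (from the list above)'

# 2. Revoke it. Unlike revoking an end-entity certificate, this invalidates every certificate
#    that chains through the issuing CA, which is exactly the point.
Invoke-CertUtil @('-config', $RootConfig, '-revoke', $SubCaSerial, "$Reason")

# 3. Sign and publish a new base CRL now, instead of waiting for the CRL schedule.
Invoke-CertUtil @('-config', $RootConfig, '-crl')

# 4. The CRL lands in %SystemRoot%\System32\CertSrv\CertEnroll; carry it to the CDP.
$crl = Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll" -Filter '*.crl' |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
Copy-Item $crl.FullName $CdpTarget -Force
Write-Host "Copied $($crl.Name) to $CdpTarget."
Write-Host "Place it on the HTTP CDP, then from a domain member as Enterprise Admin run:"
Write-Host "    certutil -dspublish -f $($crl.Name)"

# 5. Clients honor their cached copy of the previous CRL until its Next Update time, so the
#    old CRL's NextUpdate is the upper bound on how long the compromised CA stays trusted.
Invoke-CertUtil @('-dump', $crl.FullName) | Select-String 'ThisUpdate|NextUpdate'
```

On a client you can confirm the effect without waiting: certutil -urlcache crl delete discards the cached CRLs, and certutil -verify -urlfetch on any certificate issued by the revoked CA should then report that the chain is revoked. Only after that do you bring the root up again to sign the replacement issuing CA's certificate.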

Standalone CA vs. Enterprise CA

The difference between standalone and enterprise CAs is that, as the name implies, a standalone CA can be deployed on a non-domain member, or on a domain member machine, without integration with AD DS, whereas an Enterprise CA can be deployed only in an AD DS-integrated scenario.

Needless to say, a standalone CA is the more limited of the two. It does not use certificate templates at all: every request must carry its own subject and extensions, and requests are held for manual approval by default. Consequently you cannot use a standalone CA to autoenroll users, and the enterprise-level features that depend on templates, such as key archival and version 2/version 3 certificate templates, are unavailable (more about this later).

In order to deploy a CA, you can use the Standard, Enterprise, or Datacenter Edition of the Windows Server 2008 operating system. If you wish to take advantage of all AD CS features, such as NDES, OCSP, key archival, and version 2/version 3 templates, you will need to use the Enterprise or Datacenter Edition.


Installing Active Directory Certificate Services

To install a CA, we need to first add the Active Directory Certificate Services role to our lab domain controller. As mentioned previously, the best design is to use more than one server (an offline standalone root and one or more enterprise issuing CAs), but for simplicity we will install the CA as an enterprise root CA on the only domain controller in our lab. Note: this is not recommended outside a lab, since a domain controller already carries the most sensitive keys in the forest and a root CA key should not share a host with a large attack surface; for this exercise we will also add the IIS role on the same domain controller, in order to deploy Web Enrollment.

1. Log on using an administrative account, open Server Manager, select the Roles node, and then click Add Roles.

2. On the list of available roles, select Active Directory Certificate Services, and click Next twice.

3. On the Select Role Services page, select the top three role services: Certification Authority, Certification Authority Web Enrollment, and Online Responder. When you select the Web Enrollment role service, you will be prompted to add the IIS role with a specific list of components; accept this request and click Next.

4. On the Specify Setup Type page, select Enterprise and click Next to continue.

5. On the Specify CA Type page, select Root CA and click Next to continue.

6. On the Setup Private Key page, select the option to generate a new private key. This private key is the most important cryptographic key in the entire internal PKI system we are about to deploy. Click Next.

7. Leave the Cryptographic Service Provider selection at its default (RSA#Microsoft Software Key Storage Provider) and increase the key length to the maximum, 4096. For the hash algorithm, select SHA256 or stronger. Do not select MD5 or SHA1. MD2 and MD4 have serious flaws; MD5 collisions are cheap to compute in practice (in December 2008 researchers used a chosen-prefix MD5 collision to obtain a rogue CA certificate from a public CA); and NIST has directed U.S. Federal agencies to discontinue SHA1 for digital signatures after 2010, even though a practical SHA1 collision has not yet been demonstrated. The choice is hard to undo: a root certificate signed with a weak hash can only be fixed by renewing the root and redistributing it to every client and partner. Windows XP SP3, Windows Vista and later can validate SHA2 signatures; test any older clients or third-party devices that must validate this chain before you commit.

8. On the Configure CA Name page, we will leave default name and click Next.

9. On the Set Validity Period page, raise the validity to 20 years and click Next. A Windows CA never issues a certificate that outlives its own certificate (it silently truncates the validity period), so a short root lifetime forces an early renewal of the whole hierarchy.

10. On the Configure Certificate Database page, leave the defaults and click Next.

11. On the Web Server (IIS) page, click Next (twice). Then click Install to proceed with the role installation. When installation is done, click Close.

12. Next, let's create a service account for the NDES service. We will call it [email protected]. This service account needs to be added to the IIS_IUSRS security group, and it needs permission to enroll with the CA for an IPsec certificate (you will need to duplicate the IPsec certificate template, grant the service account Enroll permission on the duplicate, and assign the customized template to the CA; the steps are in the next exercise).

13. To add the NDES service to an existing CA, in the Server Manager, expand the Active Directory Certificate Services section and click Add Role Services. You will go through a similar wizard, where you need to check Network Device Enrollment Service for it to be added.

14. On the User Account page, select the service account we just created.

15. On the Registration Authority page, indicate which country the RA is in, and click Next.

16. Increase the signature and encryption key lengths to 4096 and click Next. Then click Install.

The Certification Authority is now installed. You can review its configuration using the Certification Authority console, shown in Figure 10-1.
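Before moving on, it is worth confirming that the CA really ended up with the algorithm, key size and lifetime chosen in steps 7 and 9. The following PowerShell script is an added example, not part of the original text; it reads the CA name from the CertSvc registry configuration, exports the CA certificate with certutil, and flags anything weaker than intended, printing the corrective certutil commands if needed. Run it in an elevated PowerShell on the CA.

```powershell
# Added example, not part of the original text. Verifies that the freshly installed CA's
# certificate and signing configuration match the choices made in the wizard.

$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty $cfgKey).Active          # "Active" holds the name of the CA on this host
$csp    = Get-ItemProperty "$cfgKey\$caName\CSP"

# Export the CA's own certificate and load it.
$caCerFile = Join-Path $env:TEMP 'ca.cer'
& certutil.exe -ca.cert $caCerFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'certutil -ca.cert failed; is the Active Directory Certificate Services service running?' }
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caCerFile

$findings = @()

$sigAlg = $caCert.SignatureAlgorithm.FriendlyName    # e.g. sha256RSA, sha1RSA, md5RSA
if ($sigAlg -match '^(md2|md4|md5|sha1)') { $findings += "CA certificate is signed with $sigAlg; it should be sha256RSA or stronger." }

$keyBits = $caCert.PublicKey.Key.KeySize
if ($keyBits -lt 4096) { $findings += "CA key is $keyBits bits; the exercise asked for 4096." }

$years = ($caCert.NotAfter - $caCert.NotBefore).TotalDays / 365.25
if ($years -lt 19) { $findings += ('CA certificate validity is {0:N1} years; the exercise asked for 20.' -f $years) }

# The hash the CA will use for everything it signs from now on (certificates and CRLs).
# The default "RSA#Microsoft Software Key Storage Provider" is a CNG key storage provider and
# records the hash as the string CNGHashAlgorithm; a legacy CSP records a numeric ALG_ID.
if ($csp.Provider -match 'Key Storage Provider') {
    $signHash = [string]$csp.CNGHashAlgorithm
} else {
    $signHash = ('ALG_ID 0x{0:X}' -f $csp.HashAlgorithm)  # 0x8003 = MD5, 0x8004 = SHA1, 0x800C = SHA256
}
if ($signHash -notmatch 'SHA(256|384|512)' -and $signHash -notmatch '0x800[CDE]') {
    $findings += "CA signs with $signHash; set it to SHA256 or stronger."
}

"CA:            $caName"
"Thumbprint:    $($caCert.Thumbprint)"
"Certificate:   $sigAlg, $keyBits-bit key, valid until $($caCert.NotAfter)"
"Signing hash:  $signHash"

if ($findings.Count -eq 0) { 'OK: CA matches the intended configuration.'; exit 0 }
$findings | ForEach-Object { Write-Warning $_ }
@'
To change the hash a KSP-based CA signs with, then re-sign the root certificate with the
existing key (redistribute the renewed root certificate to clients and partners afterwards):
    certutil -setreg ca\csp\CNGHashAlgorithm SHA256
    Restart-Service certsvc
    certutil -renewCert ReuseKeys
The key size cannot be changed in place; a new key means a new root (certutil -renewCert without ReuseKeys).
'@
exit 1
```

The same check belongs in your runbook for every issuing CA you add later: the subordinate's signature algorithm is chosen by the parent that signs it, and its own signing hash is set independently, so both have to be verified.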


Figure 10-1: Certification Authority console (certsrv) for flexecom-TORDC01-CA, showing the Revoked Certificates, Issued Certificates, Pending Requests, Failed Requests, and Certificate Templates nodes. The Certificate Templates node lists each template the CA issues together with its intended purpose; the templates visible are Flexecom User, CEP Encryption, Exchange Enrollment Agent (Offline request), IPSec (Offline request), Directory Email Replication, Domain Controller Authentication, EFS Recovery Agent, Basic EFS, Domain Controller, Web Server, Computer, Subordinate Certification Authority, and Administrator, with purposes such as Client Authentication, Server Authentication, Secure Email, Encrypting File System, File Recovery, IP security IKE intermediate, Certificate Request Agent, Directory Service Email Replication, and Microsoft Trust List Signing.

Certificate Templates

Certificate templates are to digital certificates what schema classes are to objects in AD DS: a certificate template defines common rules that will apply to all certificates of a certain type, which are issued based on the same master template. For certain specific applications, such as issuing new subordinate CA certificates, your AD CS is already configured (if you followed the steps in Exercise 10-1). In other cases, you will want to modify existing templates, configure them with common rules that apply to your infrastructure, and then enable certificate issuance for the newly configured templates.

There are multiple versions of certificate templates. Version 1 templates are the most limited and support only the most basic functionality, but they are compatible with the widest array of devices and other certification authorities that may be interacting with your system. Version 2 certificate templates can be used for automatic enrollment, and many of the values in these templates can be adjusted. Some version 2 certificate templates are preconfigured right from the point of installation of a new CA. Version 2 certificate templates allow the following types of user autoenrollment:

■ Enroll the subject without requiring any user input. This will enroll users automatically without notifying them.

■ Prompt the user during enrollment. This will inform users when the new certificate is requested and then install it. Some information may be requested; for example, users will be prompted for a PIN if the certificate is to be stored on a smart card.

■ Prompt the user during enrollment and require user input when the private key is used. This option will also notify users when the certificate is installed and notify them every time their private key is used.

Version 3 certificate templates are new to Windows Server 2008, and they allow the more advanced manipulation of cryptographic functions, such as selecting hash and cryptographic algorithms. Version 3 certificates are compatible with Windows Server 2008 CAs and Windows Server 2008 / Windows Vista clients only. You can review existing templates using Certificate Templates snap-in, shown in Figure 10-2.

Once the certificate template is duplicated and reconfigured, it needs to be set up with a CA for issuance. You will also need to ensure that the certificate template has been permissioned for autoenrollment, where automatic enrollment is the intended distribution method for certificates in question. Let's walk through the following exercise to see how it is done.


Figure 10-2: Certificate Templates console


Configuring a Certificate Template, Key Archival, and Automatic Enrollment

You will want to change some settings of the existing templates, and in some cases that will require creating a certificate template duplicate. For the purpose of this exercise, we will create a custom "user" certificate template and configure it with stronger cryptographic algorithms.

1. Open the Certification Authority console by clicking on Start I Administrative Tools I Certification Authority.

2. Expand your CA node, then right-click the Certificate Templates node and click Manage.

3. In the Certificate Templates console, find User template, right-click, and click Duplicate Template. You will be prompted to indicate which version the CA should use to duplicate the template. Select Windows Server 2008 (shown in Figure 10-3).


Figure 10-3: Selecting a certificate template version. The Duplicate Template dialog offers Windows Server 2003, Enterprise Edition (a version 2 template) or Windows Server 2008, Enterprise Edition (a version 3 template); the choice sets the minimum CA version that can issue from the duplicate, since not all Windows CAs support all template properties.


4. On the General tab, type Flexecom User as the template display name, or another name of your choice. On the same tab you can select Publish Certificate In Active Directory. Optionally, also select Do Not Automatically Reenroll If A Duplicate Certificate Exists In Active Directory; this prevents duplicate certificates when users without a roaming profile log on from different machines.

5. On the Request Handling tab, select Archive Subject's Encryption Private Key. Also make sure that template is allowing autoenrollment without user input (see Figure 10-4).

Figure 10-4: Enabling key archival on the Request Handling tab of the new template's properties. Purpose is Signature And Encryption; Archive Subject's Encryption Private Key and Allow Private Key To Be Exported are selected; Enroll Subject Without Requiring Any User Input is chosen as the enrollment behavior.



6. On the Subject Name tab, ensure that the user's e-mail and UPN logon names are included in the alternate subject name (see Figure 10-5). Alternate subject names can be used to allow various ways of presenting a user identity to work with a single certificate (for example, you use an e-mail address when sending e-mail, and a UPN logon name to access the network).

7. On the Cryptography tab, change the Hash Algorithm to SHA256 or stronger (see Figure 10-6). The default for a version 3 template is SHA1; do not choose MD5 here, for the same reasons given in step 7 of the previous exercise.

8. On the Security tab, ensure that Authenticated Users (or, better, the narrower group that should actually receive this certificate, such as Domain Users) are allowed Read, Enroll, and Autoenroll on this template (see Figure 10-7). Autoenroll without Enroll does nothing. Keep in mind that this template carries Client Authentication, so every account that can enroll obtains a credential that logs on as that account; scope these permissions deliberately.

9. Commit the duplicate and switch back to the Certification Authority console. Click the Certificate Templates node, find the User template, right-click it, and click Delete. This removes the stock User template from the list of templates this CA issues; the template itself still exists in Active Directory and can be re-added later. If you also want clients that already hold a User certificate to replace it with the new one, list User on the new template's Superseded Templates tab.

10. Now right-click the Certificate Templates node, and click New | Certificate Template To Issue. On the list that is presented, select the template that you just created (Flexecom User), and okay the changes (see Figure 10-8).

Figure 10-5: Constructing an alternate subject name on the Subject Name tab. Supply In The Request allows a variety of subject name formats but disables autoenrollment; Build From This Active Directory Information (selected) enforces consistent subject names, with Subject Name Format set to Fully Distinguished Name and E-mail Name and User Principal Name (UPN) included in the alternate subject name (DNS name and Service Principal Name (SPN) are left cleared).


Figure 10-6: Selecting cryptographic options (Flexecom User Properties, Cryptography tab).

Figure 10-7: Autoenrolling permissions (Flexecom User Properties, Security tab). The group or user names listed are Authenticated Users, Administrator, Domain Admins, Domain Users, and Enterprise Admins, with the permissions for Authenticated Users displayed; Full Control is among the permissions shown, and the Advanced button leads to special permissions.

Figure 10-8: List of certificate templates available for distribution (Enable Certificate Templates dialog). The dialog notes that a recently created template may not appear until it has replicated to all domain controllers, and that not all templates in the organization may be available to this CA. Templates listed include Enrollment Agent and Enrollment Agent (Computer) (Certificate Request Agent), Exchange Signature Only and Exchange User (Secure Email), Flexecom User (Client Authentication, Secure Email, Encrypting File System), Kerberos Authentication (Client Authentication, Server Authentication, Smart Card Logon, KDC Authentication), Key Recovery Agent, OCSP Response Signing (OCSP Signing), and RAS and IAS Server (Client Authentication, Server Authentication).
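The settings made in steps 4 through 8 live in the template object in the configuration partition, so they can be audited without clicking through the tabs. The following PowerShell script is an added example, not part of the original text: it reads the duplicated template through ADSI, decodes the flag attributes, lists who holds Enroll and Autoenroll, and reports anything that contradicts the exercise. It assumes the template's object name (CN) is FlexecomUser, the display name with the space removed, and that the hash algorithm of a version 3 template is encoded in msPKI-RA-Application-Policies as a backtick-delimited list.

```powershell
# Added example, not from the original text. Audits a certificate template in AD before it is
# enabled on the CA. Assumed: template CN "FlexecomUser"; hash encoding noted below.
param(
    [string]$TemplateName = 'FlexecomUser'
)

$rootDse = [ADSI]'LDAP://RootDSE'
$dn  = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services," +
       $rootDse.Get('configurationNamingContext')
$tpl = [ADSI]"LDAP://$dn"
try { $null = $tpl.Get('distinguishedName') } catch { throw "Template not found: $dn" }

function Get-Attr([string]$name) { try { $tpl.Get($name) } catch { $null } }

# Flag bits as documented in the certificate template schema (MS-CRTD).
$PRIVKEY_REQUIRE_ARCHIVAL       = 0x1         # msPKI-Private-Key-Flag
$PRIVKEY_EXPORTABLE             = 0x10
$NAME_ENROLLEE_SUPPLIES_SUBJECT = 0x1         # msPKI-Certificate-Name-Flag
$NAME_SAN_REQUIRE_UPN           = 0x2000000
$NAME_SAN_REQUIRE_EMAIL         = 0x4000000
$ENROLL_PUBLISH_TO_DS           = 0x8         # msPKI-Enrollment-Flag
$ENROLL_NO_REENROLL_IF_DUP      = 0x10
$ENROLL_USER_INTERACTION        = 0x100
$EKU_CLIENT_AUTH                = '1.3.6.1.5.5.7.3.2'
$ENROLL_RIGHT     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$AUTOENROLL_RIGHT = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment extended right

$schemaVer  = [int](Get-Attr 'msPKI-Template-Schema-Version')
$privFlags  = [int64](Get-Attr 'msPKI-Private-Key-Flag')
$nameFlags  = [int64](Get-Attr 'msPKI-Certificate-Name-Flag')
$enrollFlag = [int64](Get-Attr 'msPKI-Enrollment-Flag')
$ekus       = @(Get-Attr 'pKIExtendedKeyUsage')

# Assumption: version 3 templates store the chosen hash as msPKI-Hash-Algorithm`PZPWSTR`<name>`.
$hash = 'CA default (template below version 3)'
if ([string](Get-Attr 'msPKI-RA-Application-Policies') -match 'msPKI-Hash-Algorithm`PZPWSTR`([A-Za-z0-9]+)') { $hash = $Matches[1] }

$enrollers = @(); $autoenrollers = @(); $controllers = @()
foreach ($ace in $tpl.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
    if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
    $who = $ace.IdentityReference.Value
    $r   = [int]$ace.ActiveDirectoryRights
    $all = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    if (($r -band $all) -eq $all -or ($r -band [int][System.DirectoryServices.ActiveDirectoryRights]::WriteDacl) -ne 0) { $controllers += $who }
    if (($r -band [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) {
        # An empty ObjectType grants every extended right, which covers both Enroll and Autoenroll.
        if ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $ENROLL_RIGHT)     { $enrollers += $who }
        if ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $AUTOENROLL_RIGHT) { $autoenrollers += $who }
    }
}

$subjectFromAd = (($nameFlags -band $NAME_ENROLLEE_SUPPLIES_SUBJECT) -eq 0)
$clientAuth    = ($ekus -contains $EKU_CLIENT_AUTH)
New-Object PSObject -Property @{
    Template        = $TemplateName
    SchemaVersion   = $schemaVer
    KeyArchival     = (($privFlags -band $PRIVKEY_REQUIRE_ARCHIVAL) -ne 0)
    ExportableKey   = (($privFlags -band $PRIVKEY_EXPORTABLE) -ne 0)
    SubjectFromAD   = $subjectFromAd
    SanUpnAndEmail  = ((($nameFlags -band $NAME_SAN_REQUIRE_UPN) -ne 0) -and (($nameFlags -band $NAME_SAN_REQUIRE_EMAIL) -ne 0))
    PublishToAD     = (($enrollFlag -band $ENROLL_PUBLISH_TO_DS) -ne 0)
    NoReenrollIfDup = (($enrollFlag -band $ENROLL_NO_REENROLL_IF_DUP) -ne 0)
    SilentEnroll    = (($enrollFlag -band $ENROLL_USER_INTERACTION) -eq 0)
    HashAlgorithm   = $hash
    ClientAuthEku   = $clientAuth
    Enroll          = ($enrollers -join ', ')
    Autoenroll      = ($autoenrollers -join ', ')
    CanModify       = ($controllers -join ', ')
} | Format-List

$problems = @()
if (($privFlags -band $PRIVKEY_REQUIRE_ARCHIVAL) -eq 0) { $problems += 'Key archival is not enabled (Request Handling tab).' }
if ($schemaVer -ge 3 -and $hash -notmatch '^SHA(256|384|512)$') { $problems += "Hash algorithm is $hash; use SHA256 or stronger (Cryptography tab)." }
if (-not $subjectFromAd -and $clientAuth) { $problems += 'Requester supplies the subject on a template with Client Authentication: anyone allowed to enroll can name another account. Build the subject from AD or restrict Enroll tightly.' }
foreach ($a in $autoenrollers) { if ($enrollers -notcontains $a) { $problems += "$a has Autoenroll but not Enroll; autoenrollment will silently do nothing for them." } }
if (($privFlags -band $PRIVKEY_EXPORTABLE) -ne 0) { $problems += 'Private key is exportable; with key archival in place this is unnecessary and lets a copy leave the user profile.' }

if ($problems.Count -eq 0) { 'OK: template matches the exercise.'; exit 0 }
$problems | ForEach-Object { Write-Warning $_ }
exit 1
```

Once the audit is clean, certutil -setcatemplates +FlexecomUser is the command-line equivalent of step 10 (certutil -catemplates lists what the CA currently issues), and on a Windows Vista client certutil -pulse triggers an immediate autoenrollment pass once the group policy that the next section sets up is in place.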


The key archiving system is not functional yet, because we have not designated any key recovery agents. In order to do so, we need to enroll one or more administrative accounts (or special service accounts) using the Key Recovery Agent certificate template. First, add the Key Recovery Agent certificate template to the list of certificate templates issued by the CA. Next, use Administrator (or another designated account) to enroll with that CA as a key recovery agent; this can be done manually using the Certificates MMC snap-in. Because the Key Recovery Agent template requires certificate manager approval, the request is pended and must be issued manually in the Certification Authority console. Then register the key recovery agent with the CA: in the Certification Authority console, open the CA's properties, and on the Recovery Agents tab select Archive The Key and add the key recovery agent's certificate to the list of registered recovery agents (the CA service must be restarted for this to take effect). Finally, ensure that your certificate templates are configured to archive keys (we already did this in Exercise 10-2).

Key archival is vital to configure before deploying any sort of EFS encryption to users. In case users lose their private keys, encrypted information will be rendered irretrievable, unless key archival is implemented. Keep in mind that key archival is only available in Enterprise CA systems, running integrated with AD DS.

If you configure key archival in certificate templates, as per Exercise 10-2, but fail to set up key recovery agents as described in the preceding paragraph, certificates will not be issued successfully: the CA rejects every request for such a template because it has no agent certificate to encrypt the archived key to. Ensure that you are comfortable setting up key archival for the exam and for real-life PKI deployments.
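The key recovery agent setup from the preceding paragraphs, as an added example that is not the book's own procedure: the script below drives the same steps with certutil and certreq and ends with the recovery operation that all of this enables. Run it on a domain member as an account that is both a CA administrator and a certificate manager. The CA configuration string and the user principal name are placeholders.

```powershell
# Added example, not part of the original text. Enrolls the current account as a key recovery
# agent and shows how an archived key is recovered afterwards. Values marked "assumed" are
# placeholders; the registration itself (Recovery Agents tab) stays in the console, as in the book.

$CaConfig = 'TORDC01.flexecom.local\flexecom-TORDC01-CA'   # assumed: "host\CA name"
$WorkDir  = Join-Path $env:TEMP 'kra'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

function Invoke-CertUtil([string[]]$Arguments) {
    $out = & certutil.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil $($Arguments -join ' ') failed`n$($out -join "`n")" }
    $out
}

# 1. Let the CA issue the Key Recovery Agent template (same as New | Certificate Template To Issue).
Invoke-CertUtil @('-config', $CaConfig, '-setcatemplates', '+KeyRecoveryAgent')

# 2. Request a KRA certificate for the current account. The template requires CA certificate
#    manager approval, so the CA pends the request instead of issuing it immediately.
$inf = Join-Path $WorkDir 'kra.inf'
$req = Join-Path $WorkDir 'kra.req'
$cer = Join-Path $WorkDir 'kra.cer'
@"
[NewRequest]
Subject = "CN=Key Recovery Agent"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = FALSE
[RequestAttributes]
CertificateTemplate = KeyRecoveryAgent
"@ | Set-Content -Path $inf -Encoding ASCII

& certreq.exe -new $inf $req | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed' }
$submit = (& certreq.exe -submit -config $CaConfig $req $cer 2>&1) -join "`n"
if ($submit -notmatch 'RequestId:\s*(\d+)') { throw "Unexpected certreq -submit output:`n$submit" }
$requestId = $Matches[1]

# 3. Approve the pending request (the manual "Issue" in the console), then retrieve and install it.
Invoke-CertUtil @('-config', $CaConfig, '-resubmit', $requestId)
& certreq.exe -retrieve -config $CaConfig $requestId $cer | Out-Null
& certreq.exe -accept $cer | Out-Null
Write-Host "Key Recovery Agent certificate issued (request $requestId) and installed for $env:USERNAME."

# 4. Register it: CA properties > Recovery Agents > Archive The Key > Add, then Restart-Service certsvc.
#    The CA keeps the number of registered agents in its KRACertCount registry value; it must be
#    at least 1 before a template with key archival can be issued.
Invoke-CertUtil @('-config', $CaConfig, '-getreg', 'ca\KRACertCount')

# 5. Recovery, when a user loses a key. The certificate manager extracts the archived blob
#    (by UPN or certificate serial number), and the agent holding the KRA private key decrypts
#    it into a PFX. Keeping the two roles on different people keeps any one of them from
#    silently reading users' data.
#    certutil -config $CaConfig -getkey alice@flexecom.local C:\temp\alice.blob     # assumed UPN
#    certutil -recoverkey C:\temp\alice.blob C:\temp\alice.pfx                        # prompts for a PFX password
```

After the agent is registered, a test is cheap: enroll a user for the Flexecom User template and confirm in the Certification Authority console that the issued certificate's request shows the archived key; an issuance that fails with a template that requires archival almost always means the agent was not registered or the CA service was not restarted afterwards.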

The new user certificate template is ready for distribution with key archival. Next, we will configure a domain-based group policy to enable automatic enrollment for users.

  • Martino Padovesi
    What is the minimum supported ca setting for the builtin user certificate template?
    7 years ago
  • Malva Gammidge
    Does ad cs includes time stampt authority?
    7 years ago
