configuring active directory certificate services

Configuring Active Directory Certificate Services, Lesson 13

Uploaded by: peers

Posted on 14-Jan-2016

DESCRIPTION

Configuring Active Directory Certificate Services. Lesson 13. Skills Matrix. Installing Active Directory Certificate Services. Log on to the CA member server as the default administrator of the lucernepublishing.com domain. - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Configuring Active Directory Certificate Services

Configuring Active Directory Certificate Services, Lesson 13

Page 2: Skills Matrix

Technology Skill | Objective Domain | Objective #
Installing Active Directory Certificate Services | Install Active Directory Certificate Services | 6.1
Configuring CA Server Settings | Configure CA server settings | 6.2
Configuring Certificate Templates | Manage certificate templates | 6.3

Page 3: Skills Matrix (cont.)

Technology Skill | Objective Domain | Objective #
Managing Certificate Enrollments | Manage enrollments | 6.4
Configuring Certificate Revocation | Manage certificate revocations | 6.5

Page 4: Installing Active Directory Certificate Services

Log on to the CA member server as the default administrator of the lucernepublishing.com domain.

If the Server Manager console does not appear automatically, click the Start button and select Server Manager from the Start menu.

Page 5: Installing Active Directory Certificate Services (cont.)

Expand the Server Manager console to full screen, if necessary.

In the left pane, click the Roles node.

In the right pane, click Add Roles.

Click Next to bypass the initial welcome screen.

Page 6: Installing Active Directory Certificate Services (cont.)

Place a checkmark next to Active Directory Certificate Services, and click Next.

Read the information presented, and click Next.

On the Select Role Services page, place a checkmark next to Certification Authority, and click Next.

On the Specify Setup Type page, select the Enterprise radio button, and click Next. (An enterprise CA must be a domain member, is installed by an Enterprise Admin, and stores its configuration and templates in Active Directory.)

Page 7: Installing Active Directory Certificate Services (cont.)

On the Specify CA Type page, select the Root CA radio button, and click Next.

On the Set Up Private Key page, select the Create a new private key radio button, and click Next.

On the Configure Cryptography page, accept the default cryptographic service provider, key length and hash algorithm, and click Next.

On the Configure CA Name page, accept the default common name (lucernepublishing-CA-CA, the name used for this CA throughout the lesson), and click Next.

Page 8: Installing Active Directory Certificate Services (cont.)

On the Set Validity Period page, accept the default value of 5 years, and click Next.

On the Configure Certificate Database page, accept the default database and log locations, and click Next.

Verify that your selections are correct, and click Install.

Click Close to complete the installation.

The private key created here is the trust anchor for every certificate this CA will ever issue, so the cryptography page deserves more than the lab's "accept the defaults": the Windows Server 2008 wizard defaults to a SHA-1 signing hash, which current clients no longer accept for certificate signatures, and a production root CA is normally kept offline or backed by a hardware security module rather than holding a software key on a member server.
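The same enterprise root CA build as a script, added here as an example and not taken from the lesson. It uses the ADCSDeployment cmdlets that ship with Windows Server 2012 and later, so it does not run on the Windows Server 2008 hosts the lesson uses. The 4096-bit key, SHA-256 hash and software key storage provider are deliberate choices rather than the wizard defaults and are assumptions not stated on the slides; the CA common name is the one the lesson uses.

```powershell
# Added example (not from the original lesson): enterprise root CA install, scripted.
# Assumes the ADCSDeployment module (Windows Server 2012 or later) and a session
# running as an Enterprise Admin of lucernepublishing.com. Key length, hash and
# provider below are assumptions; the slides only say "accept the defaults".

$caName = 'lucernepublishing-CA-CA'   # CA common name used later in the lesson

function Install-LabRootCa {
    Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools | Out-Null

    Install-AdcsCertificationAuthority `
        -CAType EnterpriseRootCA `
        -CACommonName $caName `
        -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
        -KeyLength 4096 `
        -HashAlgorithmName SHA256 `
        -ValidityPeriod Years -ValidityPeriodUnits 5 `
        -Force
}

function Test-LabRootCa {
    # The CA certificate and its private key live in the machine's personal store.
    $ca = Get-ChildItem Cert:\LocalMachine\My |
          Where-Object { $_.Subject -like "CN=$caName*" } |
          Select-Object -First 1
    if (-not $ca) { throw "CA certificate for $caName not found" }

    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($ca)
    [pscustomobject]@{
        Subject      = $ca.Subject
        SignatureAlg = $ca.SignatureAlgorithm.FriendlyName   # expect sha256RSA, not sha1RSA
        KeySize      = $rsa.KeySize
        NotAfter     = $ca.NotAfter
        HasKey       = $ca.HasPrivateKey
    }
}

Install-LabRootCa
Test-LabRootCa | Format-List
certutil -cainfo name    # the CA service's own view of the same CA
```

Test-LabRootCa reads the signature algorithm and key size back from the installed certificate rather than trusting the parameters that were passed in, which is the check worth keeping when the install is done through the GUI instead.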

Page 9: Configuring Certificate Revocation

Part A: Install the Online Responder

Log on to CA as the default administrator of the lucernepublishing.com domain.

Click the Start button, and then select Server Manager.

Drill down to Roles > Active Directory Certificate Services.

Page 10: Configuring Certificate Revocation (cont.)

Right-click Active Directory Certificate Services, and select Add Role Services.

Place a checkmark next to Online Responder.

Click Add Required Role Services, and then click Next to continue.

Read the informational message concerning the installation of the Web Server role, and click Next.

Page 11: Configuring Certificate Revocation (cont.)

Accept the default IIS features to install, and click Next.

Click Install to install the Online Responder role service.

Click Close when prompted.

Page 12: Configuring Certificate Revocation (cont.)

Part B: Configure the CA to support the Online Responder

The Online Responder signs its OCSP responses with a certificate built from the OCSP Response Signing template, so the CA computer account must be allowed to enroll for that template, and the template must be published on the CA.

In the left pane within Server Manager, drill down to Roles > Active Directory Certificate Services > Certificate Templates.

Page 13: Configuring Certificate Revocation (cont.)

Right-click the OCSP Response Signing template, and click Properties.

Click the Security tab, and click Add.

Click Object Types.

Page 14: Configuring Certificate Revocation (cont.)

Place a checkmark next to Computers, and then click OK.

Key (type) CA, the name of the CA computer account, and then click OK.

Place a checkmark next to Enroll and Autoenroll in the Allow column, and then click OK.

Page 15: Configuring Certificate Revocation (cont.)

Drill down to Roles > Active Directory Certificate Services > lucernepublishing-CA-CA > Certificate Templates.

Right-click the Certificate Templates folder, and click New > Certificate Template to Issue.

Select the OCSP Response Signing certificate template, and click OK.

Page 16: Configuring Certificate Revocation (cont.)

Part C: Establish a revocation configuration for the Certification Authority

In the left pane of Server Manager, navigate to Roles > Active Directory Certificate Services > Online Responder: CA > Revocation Configuration.

Right-click Revocation Configuration, and click Add Revocation Configuration.

Page 17: Configuring Certificate Revocation (cont.)

Read the information on the Getting Started screen, and then click Next.

Key LUCERNEPUBLISHING-CA-REV as the name of the revocation configuration, and click Next.

Verify that the Select a certificate for an Existing enterprise CA radio button is selected, and then click Next.

Page 18: Configuring Certificate Revocation (cont.)

Verify that the Browse CA certificates published in Active Directory option is selected, and then click Browse.

Confirm that the lucernepublishing-CA-CA certificate is selected, and then click OK.

Click Next to continue.

Page 19: Configuring Certificate Revocation (cont.)

Verify that the Automatically select a signing certificate radio button is selected.

Verify that a checkmark is next to Auto-enroll for an OCSP signing certificate.

Click Next, and then click Finish to create the revocation configuration.

Page 20: Configuring Certificate Revocation (cont.)

Navigate to lucernepublishing-CA-CA > Issued Certificates.

Confirm that an OCSP Response Signing certificate has been issued to the certification authority's computer account.

These steps build the responder but do not, by themselves, make clients use it. A client queries OCSP only for certificates whose Authority Information Access (AIA) extension names the responder's URL, and the CA adds that URL only if an OCSP entry is present in its AIA configuration. Certificates issued before the entry is added continue to rely on the CRL alone.
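Parts A and B as a script, plus the AIA step the slides leave out, added here as an example and not part of the lesson. It assumes the ADCSDeployment, ADCSAdministration and ActiveDirectory PowerShell modules (Windows Server 2012 or later), a session running as a domain and enterprise administrator, and a responder URL of http://ca.lucernepublishing.com/ocsp, which is an assumption chosen for this lab. Part C, the revocation configuration itself, has no cmdlet and is still created in the Online Responder snap-in as the slides describe.

```powershell
# Added example (not from the original lesson): Online Responder install, template
# permission grant, template publication and AIA/OCSP URL, scripted.
# Assumes ADCSDeployment, ADCSAdministration and ActiveDirectory modules (Server 2012+).
# The responder URL is an assumption for this lab.

$caComputer = 'CA'                                   # CA computer account, as on the slides
$ocspUrl    = 'http://ca.lucernepublishing.com/ocsp' # assumed responder URL

# Part A: install the Online Responder role service (IIS is pulled in as a dependency).
Install-WindowsFeature ADCS-Online-Cert -IncludeManagementTools | Out-Null
Install-AdcsOnlineResponder -Force

# Part B, step 1: grant the CA computer Enroll and Autoenroll on the OCSP Response Signing
# template. Template ACLs live on the template object in the Configuration partition;
# Enroll and Autoenroll are extended rights identified by these fixed GUIDs.
$enrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$autoenrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

function Grant-TemplateEnroll {
    param([string]$TemplateName, [string]$ComputerName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn       = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $sid      = (Get-ADComputer $ComputerName).SID
    $rights   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $acl      = Get-Acl -Path "AD:\$dn"
    foreach ($g in $enrollGuid, $autoenrollGuid) {
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, $rights, 'Allow', $g
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}
Grant-TemplateEnroll -TemplateName 'OCSPResponseSigning' -ComputerName $caComputer

# Part B, step 2: publish the template on the CA (New > Certificate Template to Issue).
Add-CATemplate -Name 'OCSPResponseSigning' -Force

# Not on the slides: put the responder URL into the AIA extension of future certificates.
if (-not (Get-CAAuthorityInformationAccess | Where-Object { $_.Uri -eq $ocspUrl })) {
    Add-CAAuthorityInformationAccess -Uri $ocspUrl -AddToCertificateOcsp -Force
    Restart-Service certsvc
}

# Check, after Part C is done in the snap-in: certutil fetches every AIA and CDP URL in a
# certificate and reports which ones verified. Run it against a certificate issued after
# the AIA change, e.g. Test-OcspPath -CertPath C:\temp\issued.cer
function Test-OcspPath {
    param([string]$CertPath)
    $out = certutil -verify -urlfetch $CertPath 2>&1
    [pscustomobject]@{
        HasOcspUrl   = ($out -match [regex]::Escape($ocspUrl)).Count -gt 0
        OcspVerified = ($out -match 'Verified\s+"OCSP"').Count -gt 0
    }
}
```

HasOcspUrl false on a certificate means it was issued before the AIA entry existed (or the entry was never added); OcspVerified false with HasOcspUrl true points at the responder itself, usually a missing or expired signing certificate or a revocation configuration that has not been created.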

Page 21: Configuring Certificate Templates

Log on to CA as the default administrator of the lucernepublishing.com domain.

Click Start, and then select Server Manager.

In the left pane, expand the Roles node, the Active Directory Certificate Services node, and the Certificate Templates node.

Page 22: Configuring Certificate Templates (cont.)

To create a new certificate template that allows user autoenrollment, right-click the User template, and click Duplicate Template.

Select Windows Server 2008, Enterprise Edition, and click OK. (This produces a version 3 template; only Windows Vista, Windows Server 2008 and later clients can enroll for it. Choose Windows Server 2003, Enterprise Edition if older clients must enroll.)

Page 23: Configuring Certificate Templates (cont.)

On the General tab, key LUCERNEPUBLISHING-User-Cert in the Template Display Name text box.

Verify that a checkmark is next to the Publish certificate in Active Directory option.

Page 24: Configuring Certificate Templates (cont.)

Click the Security tab.

Click Domain Users, and then place a checkmark next to Read, Enroll, and Autoenroll in the Allow column.

Click the Subject Name tab.

Remove the checkmark next to the Include e-mail name in subject name option.

Page 25: Configuring Certificate Templates (cont.)

In the Include this information in alternate subject name section, remove the checkmark next to E-mail name. (With either e-mail option left on, enrollment fails for any user whose Active Directory account has no e-mail address.)

Click the Superseded Templates tab, and click Add.

Select the built-in User certificate template, and then click OK twice to continue.

Page 26: Configuring Certificate Templates (cont.)

Right-click the Computer template, and click Duplicate Template.

Select Windows Server 2008, Enterprise Edition, and click OK.

On the General tab, key LUCERNEPUBLISHING-Computer-Cert in the Template Display Name text box.

Page 27: Configuring Certificate Templates (cont.)

Verify that a checkmark is next to the Publish certificate in Active Directory option.

Click the Security tab.

Click Domain Computers, and then place a checkmark next to Read, Enroll, and Autoenroll in the Allow column.

Page 28: Configuring Certificate Templates (cont.)

Click the Superseded Templates tab, and click Add.

Select the built-in Computer certificate template, and then click OK twice to continue.

Right-click the Web Server template, and click Duplicate Template.

Page 29: Configuring Certificate Templates (cont.)

Select Windows Server 2008, Enterprise Edition, and click OK.

On the General tab, key LUCERNEPUBLISHING-WebServer-Cert in the Template Display Name text box.

Verify that a checkmark is next to the Publish certificate in Active Directory option.

Page 30: Configuring Certificate Templates (cont.)

Click the Security tab, and click Add.

Click Object Types.

Place a checkmark next to Computers, and then click OK.

Key (type) CA, the name of the CA computer account, and then click OK.

Page 31: Configuring Certificate Templates (cont.)

Place a checkmark next to Enroll and Autoenroll in the Allow column.

Click the Superseded Templates tab, and click Add.

Select the built-in Web Server certificate template, and then click OK twice to continue.

Unlike the User and Computer templates, the Web Server template takes its subject name from the request rather than from Active Directory, so any principal holding Enroll on it can obtain a certificate for any host name it asks for. That is why the lab grants Enroll on this template to the single computer account that needs a server certificate (CA) and not to Domain Computers or Domain Users; keep it that way.

Page 32: Configuring Certificate Templates (cont.)

Drill down to Roles > Active Directory Certificate Services > lucernepublishing-CA-CA > Certificate Templates.

Right-click the Certificate Templates folder, and click New > Certificate Template to Issue.

Page 33: Configuring Certificate Templates (cont.)

Click LUCERNEPUBLISHING-User-Cert, and click OK.

Repeat the previous two steps to configure the CA to issue the LUCERNEPUBLISHING-Computer-Cert and LUCERNEPUBLISHING-WebServer-Cert certificate templates.
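Pages 32 and 33 as a script, followed by the check a practitioner would run after the template work on Pages 22 to 31: for every template the CA publishes, report whether the requester may supply the subject name (the property that makes the Web Server template sensitive) and which principals hold Enroll. This is an added example, not part of the lesson; it assumes the ADCSAdministration and ActiveDirectory modules (Windows Server 2012 or later) and that the three lab templates already exist in Active Directory under the names the slides use.

```powershell
# Added example (not from the original lesson): publish the lab templates, then audit
# every published template for requester-supplied subject names and Enroll holders.
# Assumes ADCSAdministration and ActiveDirectory modules (Server 2012+).

$labTemplates = 'LUCERNEPUBLISHING-User-Cert',
                'LUCERNEPUBLISHING-Computer-Cert',
                'LUCERNEPUBLISHING-WebServer-Cert'

# New > Certificate Template to Issue, for each template not already published.
$published = (Get-CATemplate).Name
foreach ($t in $labTemplates) {
    if ($published -notcontains $t) { Add-CATemplate -Name $t -Force }
}

# msPKI-Certificate-Name-Flag bit 0x1 (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) means the
# requester chooses the subject. Enroll is the extended right with the GUID below;
# an ACE granting GenericAll implies it as well.
$EnrolleeSuppliesSubject = 0x1
$enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

function Get-PublishedTemplateReport {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base     = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    foreach ($name in (Get-CATemplate).Name) {
        $obj = Get-ADObject -Filter { cn -eq $name } -SearchBase $base `
                   -Properties 'msPKI-Certificate-Name-Flag'
        if (-not $obj) { continue }
        $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
        $enrollers = $acl.Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ($_.ObjectType -eq $enrollGuid -or $_.ActiveDirectoryRights.HasFlag($genericAll))
            } |
            ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
        [pscustomobject]@{
            Template       = $name
            SubjectFromCsr = ($obj.'msPKI-Certificate-Name-Flag' -band $EnrolleeSuppliesSubject) -ne 0
            Enroll         = $enrollers -join ', '
        }
    }
}

# Rows with SubjectFromCsr = True deserve a close look at the Enroll column; in this lab
# LUCERNEPUBLISHING-WebServer-Cert should list the CA computer account and admins only.
Get-PublishedTemplateReport | Sort-Object SubjectFromCsr -Descending | Format-Table -AutoSize
```

The report reads the template objects from Active Directory rather than the CA's local view, so it reflects what every enterprise CA in the forest would enforce, and it can be rerun as a periodic check after the lab is over.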

Page 34: Managing Certificate Enrollment

Part A: Configure Certificate Autoenrollment in the LUCERNEPUBLISHING.COM domain

Log on to RWDC01 as the default administrator of the lucernepublishing.com domain.

Click the Start button, Administrative Tools, and then Group Policy Management.

Page 35: Managing Certificate Enrollment (cont.)

Drill down to Forest: lucernepublishing.com > Domains > Domain: lucernepublishing.com > Group Policy Objects > Default Domain Policy.

Right-click the Default Domain Policy, and then click Edit. (The lab edits the Default Domain Policy for brevity; in production, put these settings in a dedicated GPO so they can be scoped, filtered and rolled back independently.)

Page 36: Managing Certificate Enrollment (cont.)

Drill down to User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.

In the right pane, double-click Certificate Services Client – Auto-Enrollment.

In the Configuration Model dropdown box, select Enabled.

Page 37: Managing Certificate Enrollment (cont.)

Place a checkmark next to both of the following items: Renew expired certificates, update pending certificates, and remove revoked certificates; and Update certificates that use certificate templates.

Click OK.

Page 38: Managing Certificate Enrollment (cont.)

Drill down to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.

In the right pane, double-click Certificate Services Client – Auto-Enrollment.

In the Configuration Model dropdown box, select Enabled.

Page 40: Managing Certificate Enrollment (cont.)

Place a checkmark next to both of the following items: Renew expired certificates, update pending certificates, and remove revoked certificates; and Update certificates that use certificate templates.

Click OK, and then close the Group Policy Management Editor.

Page 41: Managing Certificate Enrollment (cont.)

Open a command-prompt window.

Key gpupdate /force, and then close the command-prompt window.

Log on to CA as the default administrator of the lucernepublishing.com domain.

Page 42: Managing Certificate Enrollment (cont.)

Open a command-prompt window.

Key gpupdate /force, and then close the command-prompt window.

Reboot the CA computer to force both user and computer autoenrollment to take place. (Autoenrollment also runs at logon and at each Group Policy refresh, and can be triggered on demand with certutil -pulse.)
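Part A as a script, run on RWDC01 with the GroupPolicy module, followed by the check on the CA that the lab verifies by rebooting. This is an added example, not part of the lesson. It writes the registry value behind the Certificate Services Client – Auto-Enrollment setting; 7 is the value the GUI stores for Enabled with both boxes checked, and 0x8000 is the Disabled flag. The GPO name follows the lesson's choice of the Default Domain Policy.

```powershell
# Added example (not from the original lesson): autoenrollment policy, scripted.
# Assumes the GroupPolicy module on RWDC01 (Part 1) and the lab's computer template
# name on the CA (Part 2). AEPolicy = 7 is what the GUI writes for Enabled with both
# options checked; bit 0x8000 means Disabled.

$gpo    = 'Default Domain Policy'
$aePath = 'SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'

# Part 1 (RWDC01): HKLM = Computer Configuration (Page 38), HKCU = User Configuration (Page 36).
foreach ($hive in 'HKLM', 'HKCU') {
    Set-GPRegistryValue -Name $gpo -Key "$hive\$aePath" -ValueName 'AEPolicy' `
                        -Type DWord -Value 7 | Out-Null
}

# Read the values back from the GPO rather than trusting the write.
function Get-AutoEnrollmentPolicy {
    foreach ($hive in 'HKLM', 'HKCU') {
        $v = Get-GPRegistryValue -Name $gpo -Key "$hive\$aePath" -ValueName 'AEPolicy' `
                                 -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Scope    = if ($hive -eq 'HKLM') { 'Computer' } else { 'User' }
            AEPolicy = $v.Value
            Enabled  = ($null -ne $v) -and (($v.Value -band 0x8000) -eq 0)
        }
    }
}
Get-AutoEnrollmentPolicy

# Part 2 (CA member server, Pages 41-42): refresh policy and trigger autoenrollment
# without a reboot, then confirm a certificate from the lab's computer template arrived.
#   gpupdate /force
#   certutil -pulse
function Get-AutoEnrolledCerts {
    param([string]$TemplateName = 'LUCERNEPUBLISHING-Computer-Cert')
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        # 1.3.6.1.4.1.311.21.7 is the Certificate Template Information extension,
        # whose text form starts with "Template=<template name>(...)".
        $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
        $ext -and $ext.Format($false) -match [regex]::Escape($TemplateName)
    } | Select-Object Subject, NotAfter, Thumbprint
}
Get-AutoEnrolledCerts
```

Checking the template extension, rather than just the issuer, is what distinguishes a certificate that came from the new LUCERNEPUBLISHING-Computer-Cert template from one issued earlier from the built-in Computer template it supersedes.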

Page 43: Managing Certificate Enrollment (cont.)

Part B: Install the Certification Authority Web Enrollment role service

Log on to CA as the default administrator of the lucernepublishing.com domain.

Click the Start button, and then select Server Manager.

Page 44: Managing Certificate Enrollment (cont.)

Drill down to Roles > Active Directory Certificate Services.

Right-click Active Directory Certificate Services, and select Add Role Services.

Place a checkmark next to Certification Authority Web Enrollment.

Page 45: Managing Certificate Enrollment (cont.)

Click Add Required Role Services, and then click Next to continue.

Read the informational message concerning the installation of the Web Server role, and click Next.

Page 46: Managing Certificate Enrollment (cont.)

Accept the default IIS features to install, and click Next.

Click Install to install the Certification Authority Web Enrollment role service.

Click Close when prompted.

Page 47: Managing Certificate Enrollment (cont.)

Part C: Request a Web Server Certificate for the CA IIS installation

Click the Start button.

Click Administrative Tools, and then select Internet Information Services (IIS) Manager.

In the left pane, double-click the CA node.

Page 48: Managing Certificate Enrollment (cont.)

Scroll down to the IIS section, and double-click the Server Certificates icon.

In the Actions pane on the right, click Create Domain Certificate.

Enter the appropriate information as prompted, and click Next. (The Common name should be the host name users will type to reach the enrollment site, ca.lucernepublishing.com in this lab; browsers check it against the URL.)

Page 49: Managing Certificate Enrollment (cont.)

Click Select next to the Specify Online Certification Authority text box.

Click lucernepublishing-CA-CA, and click OK.

In the Friendly Name text box, key ca.lucernepublishing.com.

Click Finish.

Page 50: Managing Certificate Enrollment (cont.)

Part D: Enable Secure Connections to the CA IIS server

In the left pane of IIS Manager, expand the Sites node.

Right-click Default Web Site, and click Edit Bindings.

Click Add.

Page 51: Managing Certificate Enrollment (cont.)

In the Type dropdown box, select https.

In the SSL Certificate dropdown box, select ca.lucernepublishing.com.

Click OK, and then click Close.

Page 52: Managing Certificate Enrollment (cont.)

In the left pane of IIS Manager, drill down to Default Web Site > CertSrv, and double-click CertSrv.

In the middle pane, in the IIS section, double-click SSL Settings.

Place a checkmark next to Require SSL, and then click Apply in the Actions pane.

The web enrollment pages authenticate users with their domain credentials and hand issued certificates back to the browser. Adding the https binding alone still leaves the pages reachable over plain HTTP; Require SSL on the CertSrv application is what forces every enrollment session onto the TLS binding.
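Parts B, C and D as a script run on the CA server, with the check that /certsrv really refuses plain HTTP. This is an added example and not part of the lesson, which does these steps in Server Manager and IIS Manager. It assumes the ADCSDeployment, PKI and WebAdministration modules (Windows Server 2012 or later), that the lab's LUCERNEPUBLISHING-WebServer-Cert template is published and grants Enroll to this computer, and that ca.lucernepublishing.com, the friendly name on the slides, is also the server's DNS name.

```powershell
# Added example (not from the original lesson): web enrollment install, server
# certificate request and HTTPS enforcement on /CertSrv, scripted.
# Assumes ADCSDeployment, PKI and WebAdministration modules (Server 2012+).
# ca.lucernepublishing.com as the server's DNS name is an assumption.

$fqdn = 'ca.lucernepublishing.com'
$site = 'Default Web Site'

# Part B: Certification Authority Web Enrollment (creates the /certsrv application in IIS).
Install-WindowsFeature ADCS-Web-Enrollment -IncludeManagementTools | Out-Null
Install-AdcsWebEnrollment -Force

# Part C: request a server certificate from the enterprise CA with the lab's template.
# Equivalent to IIS Manager > Server Certificates > Create Domain Certificate.
function Request-LabWebCert {
    $r = Get-Certificate -Template 'LUCERNEPUBLISHING-WebServer-Cert' `
                         -SubjectName "CN=$fqdn" -DnsName $fqdn `
                         -CertStoreLocation Cert:\LocalMachine\My
    if ($r.Status -ne 'Issued') { throw "Enrollment status: $($r.Status)" }
    $r.Certificate.FriendlyName = $fqdn
    $r.Certificate
}
$cert = Request-LabWebCert

# Part D: add an https binding, attach the certificate, and require TLS on /CertSrv only.
if (-not (Get-WebBinding -Name $site -Protocol https)) {
    New-WebBinding -Name $site -Protocol https -Port 443 | Out-Null
}
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert -Force | Out-Null
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$site/CertSrv" `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# Check: /certsrv must reject plain HTTP (IIS answers 403 when Require SSL is set)
# and serve normally over HTTPS with a certificate for the expected name.
function Test-CertSrvTls {
    $http = try {
        (Invoke-WebRequest -Uri "http://$fqdn/certsrv/" -UseDefaultCredentials -UseBasicParsing).StatusCode
    } catch { $_.Exception.Response.StatusCode.value__ }
    $https = (Invoke-WebRequest -Uri "https://$fqdn/certsrv/" -UseDefaultCredentials -UseBasicParsing).StatusCode
    [pscustomobject]@{ HttpStatus = $http; HttpsStatus = $https }   # expect 403 and 200
}
Test-CertSrvTls
```

Scoping Require SSL to the CertSrv application, as both the slides and the script do, leaves the rest of the default site alone; if the same server also hosts the CRL distribution point or the OCSP responder, those must stay reachable over HTTP, because clients cannot validate a TLS certificate while fetching the revocation data it depends on.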

Page 53: Maintaining a Windows Server 2008 CA

Role-based administration divides CA maintenance among four roles, each backed by a separate CA permission or Windows user right:

CA Administrator: holds the Manage CA permission; configures the CA, its extensions and its security settings, and assigns the other roles.

Certificate Manager: holds the Issue and Manage Certificates permission; approves, denies, issues and revokes certificates and retrieves archived keys for recovery.

Backup Operator: holds the Back up files and directories and Restore files and directories user rights; backs up and restores the CA database and keys.

Auditor: holds the Manage auditing and security log user right; configures and reads the CA's audit events.

When role separation is enforced on the CA, an account that holds more than one of these roles is denied all CA operations, so the roles must be assigned to distinct accounts.
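Two settings that make the roles above mean something, turned on and verified from PowerShell on the CA. This is an added example, not part of the lesson. certutil -setreg and -getreg edit the CA's registry configuration and need a service restart; the default administrator used throughout this lab holds both Manage CA and Issue and Manage Certificates, so assign the roles to separate accounts before enforcing role separation or that account will lose access.

```powershell
# Added example (not from the original lesson): enforce role separation and full CA
# auditing, then read both settings back. Run on the CA as a CA Administrator, after
# the roles have been split across separate accounts.

# Role separation: an account holding two CA roles is denied all CA operations.
certutil -setreg CA\RoleSeparationEnabled 1

# AuditFilter 127 (0x7F) enables all seven Certification Services audit categories;
# the OS subcategory must be on as well or nothing reaches the Security log.
certutil -setreg CA\AuditFilter 127
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

Restart-Service certsvc

function Get-CaHardeningState {
    # certutil -getreg prints the value in hex, e.g. "AuditFilter REG_DWORD = 7f (127)".
    function Read-CaDword([string]$Name) {
        $line = certutil -getreg "CA\$Name" | Select-String 'REG_DWORD = ([0-9a-fA-F]+)'
        if (-not $line) { return $null }
        [Convert]::ToInt32($line.Matches[0].Groups[1].Value, 16)
    }
    $pol = auditpol /get /subcategory:"Certification Services"
    [pscustomobject]@{
        RoleSeparation = (Read-CaDword 'RoleSeparationEnabled') -eq 1
        AuditFilter    = Read-CaDword 'AuditFilter'
        OsAuditing     = ($pol -match 'Success and Failure').Count -gt 0
    }
}
Get-CaHardeningState   # expect RoleSeparation True, AuditFilter 127, OsAuditing True
```

The Auditor role only pays off if the CA actually writes audit events, which is why the check reads both the CA's AuditFilter and the operating system's audit policy: either one being off silently produces an empty log.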

Page 54: You Learned

The Active Directory Certificate Services (AD CS) role in Windows Server 2008 is a component within Microsoft's larger Identity Lifecycle Management (ILM) strategy. The role of AD CS in ILM is to provide the services for managing a Windows public key infrastructure (PKI), which issues the certificates used to authenticate and authorize users and devices.

Page 55: You Learned (cont.)

A PKI allows two parties to communicate securely without having shared a secret beforehand, using public key cryptography: each party holds a private key and publishes the matching public key in a certificate signed by a CA that both parties trust.

PKI certificates are managed through certification authorities arranged in a hierarchy: many subordinate CAs within an organization can chain upward to a single root CA, and a client that trusts the root can validate every certificate issued below it.

Page 56: You Learned (cont.)

Certificate templates are used by an enterprise CA to simplify the administration and issuance of digital certificates; a template fixes the key usage, validity period, subject naming and enrollment permissions of every certificate built from it.

A Certificate Revocation List (CRL) is a CA-signed list of certificates that have been revoked before their expiration date; clients fetch it from the CRL distribution point named in the certificate. An Online Responder answers the same question for one certificate at a time over OCSP.

Page 57: You Learned (cont.)

Autoenrollment is a feature of PKI supported by Windows Server 2003 and later. It allows users and computers to enroll for, renew and replace certificates automatically, based on one or more certificate templates, and is switched on through Group Policy settings in Active Directory.

Key archival is the process by which the CA keeps a copy of a certificate's private key at enrollment time so that a key recovery agent can retrieve it later, for example to decrypt data after the user's own copy of the key is lost.

Page 58: You Learned (cont.)

Web enrollment enables users to connect to a Windows Server 2008 CA through a Web browser to request certificates and obtain an up-to-date CRL.

The Network Device Enrollment Service (NDES) enables network devices such as routers and switches, which have no Active Directory account, to enroll for certificates within a Windows Server 2008 PKI using the Simple Certificate Enrollment Protocol (SCEP).

Page 59: You Learned (cont.)

When deploying a Windows-based PKI, two different types of CA can be deployed: enterprise CAs and standalone CAs. A standalone CA is not integrated with Active Directory, does not use certificate templates, and by default holds incoming requests as pending until an administrator approves or denies them.

Page 60: You Learned (cont.)

An enterprise CA integrates with Active Directory. It uses certificate templates and Group Policy Objects to allow autoenrollment of digital certificates, and it publishes issued certificates in the Active Directory database for easy retrieval by users and devices.