Logo
programming4us
programming4us
programming4us
programming4us
Home
programming4us
XP
programming4us
Windows Vista
programming4us
Windows 7
programming4us
Windows Azure
programming4us
Windows Server
programming4us
Windows Phone
 
Windows Server

Configuring and Using Active Directory Certificate Services (part 1) - Finalizing the Configuration of an Issuing CA

- Free product key for windows 10
- Free Product Key for Microsoft office 365
- Malwarebytes Premium 3.7.1 Serial Keys (LifeTime) 2019
11/16/2011 3:26:40 PM

1. Finalizing the Configuration of an Issuing CA

Finalizing the configuration of an issuing CA includes the following actions:

  • Creating a certificate revocation configuration

  • Configuring and personalizing certificate templates with specific attention to the following factors:

    • If you want to use the EFS to protect data, you must configure certificates for use with EFS. This also involves planning for the recovery agent or the agent that will be able to recover data if a user’s EFS key is lost.

    • If you want to protect your wireless networks with certificates, you must configure wireless network certificates. This enforces strong authentication and encrypts all communication between wireless devices.

    • If you want to use smart cards to support two-factor authentication, you must configure smart card certificates.

    • If you want to protect websites and enable e-commerce, you must configure web server certificates. You can also use this certificate type to protect DCs and encrypt all communication to and from them.

  • Configuring enrollment and issuance options

You perform each of these actions on the issuing CA itself or remotely through a workstation, using the Remote Server Administration Tools (RSAT).

1.1. Creating a Revocation Configuration for a CA

Revocation is one of the only methods available to you for controlling certificates when they are misused or when you need to cancel deployed certificates. This is one reason your revocation configuration should be completed before you begin to issue certificates.

To create a revocation configuration, perform the following actions:

  • Specify Certificate Revocation List (CRL) distribution points.

  • Configure CRL and Delta CRL overlap periods.

  • Schedule the publication of CRLs.

Begin with the CRL distribution point. Revocation configurations are performed in the Certification Authority console.

  1. Log on to an issuing CA with a domain account that has local administrative rights.

  2. Launch the Certification Authority console from the Administrative Tools program group.

  3. Right-click the issuing CA name and click Properties.

  4. In the Properties dialog box, click the Extensions tab and verify that the Select Extension drop-down list is set to CRL Distribution Point (CDP). Also make sure that the Publish CRLs To This Location and the Publish Delta CRLs To This Location check boxes are selected.

  5. Click OK.

    If you made any changes to the CA’s configuration, you are prompted to stop and restart the AD CS service. Click Yes to do so.

Now configure CRL and Delta CRL overlap periods, using the Certutil.exe command.

  1. On the issuing CA, open an elevated command prompt and execute the following commands:

    certutil -setreg ca\CRLOverlapUnits value
    certutil -setreg ca\CRLOverlapPeriod units
    certutil -setreg ca\CRLDeltaOverlapUnits value
    certutil -setreg ca\CRLDeltaOverlapPeriod units

    Value is the value you want to use to set the overlap period, and units is minutes, hours, or days. For example, you could set the CRL overlap period to 24 hours and the Delta CRL publication period to 12 hours. For this, you would use the following commands:

    certutil -setreg ca\CRLOverlapUnits 24
    certutil -setreg ca\CRLOverlapPeriod hours
    certutil -setreg ca\CRLDeltaOverlapUnits 12
    certutil -setreg ca\CRLDeltaOverlapPeriod hours

  2. Go to the Certification Authority console and right-click the issuing CA server name to stop and restart the service.

Finally, configure the publication of the CRLs.

  1. In the Certification Authority console, expand the console tree below the issuing CA server name.

  2. Right-click Revoked Certificates and click Properties.

  3. On the CRL Publishing Parameters tab, configure the CRL and Delta CRL publication periods.

    By default, both values are set to one week and one day, respectively. If you expect to have a high throughput of certificates and need to ensure high availability of the CRLs, decrease both values. If not, keep the default values.

    You can also view existing CRLs on the View CRLs tab.

  4. Click OK.

Your revocation configuration is complete.

1.2. Configuring and Personalizing Certificate Templates

Certificate templates are used to generate the certificates you use in your AD CS configuration. Enterprise CAs use version 2 and 3 templates. You can configure and personalize these templates. To prepare templates for various uses, you must first configure each template you intend to use and, after each is configured, deploy each to your CAs. After templates are deployed, you can use them to issue certificates. Begin by identifying which templates you want to use, and then move on to the following procedure.

  1. Log on to an issuing CA, using domain administrative credentials.

  2. Launch Server Manager from the Administrative Tools program group.

  3. Expand Roles\Active Directory Certificate Services and select Certificate Templates (servername).

  4. Note that all the existing templates are listed in the details pane.


    Warning:

    IMPORTANT UPGRADING CERTIFICATE AUTHORITIES

    If you are upgrading an existing CA infrastructure to Windows Server 2008 R2, the first time you log on to a new server running AD CS, you are prompted to update the existing certificate templates. Answer Yes. This upgrades all templates to Windows Server 2008 R2 versions.


  5. Note that you are connected to a DC by default.

    To work with templates, you must be connected to a DC so that the templates can be published to AD DS.

  6. If you are not connected, use the More Actions\Connect To Another Writable Domain Controller command in the Action pane to connect to a DC.

    You are ready to create the templates you require.

  7. Select the source template, right-click the template, click Duplicate Template, and then select the version of Windows Server to support.

    This should always be Windows Server 2008 unless you are running in a mixed PKI hierarchy.

  8. Name the new template, customize it, and save the customizations.

    Customize templates according to the following guidelines:

    • To create an EFS template, select the Basic EFS template as the source, duplicate it for Windows Server 2008, and name it. Use a valid name, such as Basic EFS WS08, and then move through the property tabs to customize its content. Pay particular attention to key archival on the Request Handling tab, and make sure you select the Archive Subject’s Encryption Private Key check box. Also, use encryption to send the key to the CA. Archival storage of the private key allows you to protect it if the user ever loses it. You can also use the Subject Name tab to add information such as Alternate Subject Name values. Click OK.

    • If you plan to use EFS, you must also create an EFS Recovery Agent template. Duplicate it for Windows Server 2008. Name it with a valid name such as EFS Recovery Agent WS08. Publish the recovery agent certificate in Active Directory by selecting the Publish Certificate In Active Directory checkbox. Note that the recovery agent certificate is valid for a much longer period than the EFS certificate itself. Also, use the same settings on the other property tabs as you assigned to the Basic EFS duplicate.

    • If you plan to use wireless networks, create a Network Policy Server (NPS) template for use with your systems. Basically, you create the template and configure it for autoenrollment. Then, the next time the NPS servers in your network update their Group Policy settings, they will be assigned new certificates. Use the RAS and IAS Server templates as the sources for your new NPS template. Duplicate it for Windows Server 2008. Name it appropriately, such as NPS Server WS08. Publish it in Active Directory. On the Security tab, select the RAS and IAS Servers group to assign the Autoenroll and Enroll permissions. Review other tabs as needed and save the new template.

    • If you want to use smart card logons, create duplicates of the Smartcard Logon and Smartcard User templates. Set the duplicates for Windows Server 2008. Name them appropriately and publish them in Active Directory. You do not use Autoenrollment for these certificates because you need to use smart card enrollment stations to distribute the smart cards to the users.

    • If you want to protect web servers or DCs, create duplicates of the Web Server and Domain Controller Authentication templates. Do not use the Domain Controller template; it is designed for earlier versions of the operating system. Duplicate them for Windows Server 2008, publish them in Active Directory, and verify their other properties.


    Note:

    CONFIGURING DUPLICATE TEMPLATES

    The configuration of each template type often includes additional activities that are not necessarily tied to AD CS. Make sure you view the AD CS online help to review the activities associated with the publication of each certificate type.


    Now that your templates are ready, you must issue the template to enable the CA to issue certificates based on these customized templates.

  9. In Server Manager, expand Roles\Active Directory Certificate Services\Issuing CA Name and select Certificate Templates.

  10. To issue a template, right-click Certificate Templates, point to New, and then click Certificate Template To Issue.

  11. In the Enable Certificate Templates dialog box, shown in Figure 1, hold down the Ctrl key and click to select all the templates you want to issue, and then click OK.

Figure 1. Enable Certificate Templates dialog box


Now you’re ready to configure enrollment. This is done through Group Policy. You can choose either to create a new Group Policy for this purpose or modify an existing Group Policy object. This policy must be assigned to all members of the domain; therefore, the Default Domain Policy might be your best choice; if you do not want to modify this policy, create a new policy and assign it to the entire domain by using the Group Policy Management Console (GPMC).

  1. Log on to a DC, and then launch Group Policy Management from the Administrative Tools program group.

  2. Locate or create the appropriate policy, right-click it, and then click Edit.

  3. To assign autoenrollment for computers, expand Computer Configuration\Policies\Windows Settings\Security Settings and select Public Key Policies.

  4. Double-click Certificate Services Client – Auto-Enrollment.

  5. Enable the policy and select the Renew Expired Certificates, Update Pending Certificates, And Remove Revoked Certificates check box.

  6. Select the Update Certificates That Use Certificate Templates check box if you have already issued some certificates manually. Click OK to assign these settings.

  7. To assign autoenrollment for users, expand User Configuration\Policies\Windows Settings\Security Settings and select Public Key Policies.

  8. Enable the Certificate Services Client – Auto-Enrollment policy and select the same options as for computers.

  9. Notice that you can enable Expiration Notification for users. Enable it and set an appropriate value.

    Users will be notified when their certificates are about to expire.

  10. Click OK to assign these settings.


    Warning:

    IMPORTANT COMPUTER AND USER GROUP POLICY SETTINGS

    Normally, you should not apply both user and computer settings in the same Group Policy object. This is done here only to illustrate the settings you need to apply to enable autoenrollment.


  11. Close the GPMC.

  12. Return to the issuing CA and move to Server Manager to set the default action that your issuing CA will use when it receives certificate requests.

  13. Right-click the issuing CA server name under AD CS and click Properties.

  14. On the Policy Module tab, click Properties.

  15. To have certificates issued automatically, select Follow The Settings In The Certificate Template, If Applicable. Otherwise, Automatically Issue The Certificate. Click OK.

  16. Click OK again to close the Properties dialog box.

Your issuing CA is now ready for production and will begin to issue certificates automatically when they are requested either by devices or by users.

Other -----------------
- Windows Server 2003 : The Security Configuration Wizard
- Windows Server 2003 : Understanding Security Considerations
- Microsoft Content Management Server : Moving Postings
- Microsoft Content Management Server : Copying Postings
- Upgrading to Systems Management Server 2003 - Upgrading a Primary Site & Upgrading a Secondary Site
- Exchange Server 2007 : Securing Access to ActiveSync Using Internet Security and Acceleration (ISA) Server 2006
- Exchange Server 2007 : Working with ActiveSync Policies
- Microsoft Lync Server 2010 Edge : Reverse Proxy Configuration (part 3)
- Microsoft Lync Server 2010 Edge : Reverse Proxy Configuration (part 2)
- Microsoft Lync Server 2010 Edge : Reverse Proxy Configuration (part 1) - Create Web Listener
 
 
Top 10
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
 
programming4us
Windows Vista
programming4us
Windows 7
programming4us
Windows Azure
programming4us
Windows Server