Figure 7-9 Backing up the CA.
You can restore a private key and CA certificate by using the CA console or the certutil command. To restore using the CA console, right-click the CA, select All Tasks, and then select Restore CA. This starts the Certification Authority Restore Wizard. You can choose to restore the private key and CA certificate and the certificate database and database log. During the restoration process, you are asked for the password that was supplied when the original backup of the private key and CA certificate was taken. AD CS is stopped while you are performing the restoration process and restarts automatically after the restoration is successful. If the restoration process is unsuccessful, you must restart AD CS manually. To restore AD CS from the command line, issue the certutil -restore BackupDirectory command.
If you are restoring Certificate Services from scratch on a new computer with the same name as the original CA, first import the CA certificate and private key to the local machine store and verify that CAPolicy.inf is copied to the %windir% folder. Add the AD CS role, selecting Use Existing Private Key and the original CA’s certificate.
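The backup and restore sequence described above, scripted around certutil.exe, as an added example that is not from the book. It assumes it runs on the CA itself by an account allowed to back up the CA, that the service is named CertSvc, and that certutil.exe is on the PATH; the directory and password in the usage lines are constructed placeholders. The backup function checks that both the PKCS#12 key file and the database actually landed before reporting success, and the restore function stops the service itself (the wizard does this for you; the command line does not) and starts it again whether or not the restore succeeded, which is the manual restart the text says a failed restore needs.

```powershell
# Added example, not from the book: take and restore a CA backup with certutil.exe.
# Assumptions: runs on the CA as a CA Administrator/Backup Operator, the service is
# named CertSvc, and certutil.exe is on the PATH. Paths and passwords are placeholders.

function Backup-CaToFolder {
    param(
        [Parameter(Mandatory=$true)][string]$BackupDir,
        [Parameter(Mandatory=$true)][string]$Password   # protects the exported private key (.p12)
    )
    # certutil -backup writes the CA certificate + private key as a PKCS#12 file and the
    # certificate database and its log files under <BackupDir>\DataBase.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    & certutil.exe -p $Password -backup $BackupDir
    if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }

    # Sanity-check the result before trusting it as a restore source.
    $p12 = @(Get-ChildItem -Path $BackupDir -Filter '*.p12')
    $edb = @(Get-ChildItem -Path (Join-Path $BackupDir 'DataBase') -Filter '*.edb' -ErrorAction SilentlyContinue)
    if ($p12.Count -ne 1 -or $edb.Count -lt 1) {
        throw "Backup in $BackupDir is incomplete (p12 files: $($p12.Count), edb files: $($edb.Count))"
    }
    New-Object PSObject -Property @{
        KeyFile  = $p12[0].FullName
        Database = $edb[0].FullName
        Taken    = Get-Date
    }
}

function Restore-CaFromFolder {
    param(
        [Parameter(Mandatory=$true)][string]$BackupDir,
        [Parameter(Mandatory=$true)][string]$Password,   # the password the backup was taken with
        [switch]$Force                                    # overwrite an existing key/database (-f)
    )
    $restoreArgs = @('-p', $Password, '-restore', $BackupDir)
    if ($Force) { $restoreArgs = @('-f') + $restoreArgs }

    # The wizard stops AD CS for you; from the command line we stop it explicitly so the
    # database files are not in use while certutil writes them.
    Stop-Service -Name CertSvc
    try {
        & certutil.exe @restoreArgs
        if ($LASTEXITCODE -ne 0) { throw "certutil -restore failed with exit code $LASTEXITCODE" }
    } finally {
        # After a failed restore AD CS must be restarted manually; starting it in the
        # finally block covers both the success and the failure path.
        Start-Service -Name CertSvc
    }
    Get-Service -Name CertSvc
}

# Usage (path and password are constructed placeholders):
# Backup-CaToFolder   -BackupDir 'D:\CABackup\2008-11-01' -Password 'P@ssw0rd-placeholder'
# Restore-CaFromFolder -BackupDir 'D:\CABackup\2008-11-01' -Password 'P@ssw0rd-placeholder' -Force
```

Because -p puts the password on the command line, run this from an interactive session or a job whose command line is not logged, and store the backup folder somewhere with the same access controls as the CA's own key store.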
MORE INFO: More on CA Backup and Recovery
For more on archiving encryption keys, consult Chapter 14, “Planning and Implementing Disaster Recovery,” in Windows Server 2008 PKI and Security, by Brian Komar (Microsoft Press, 2008).
360
CHAPTER 7
Active Directory Certificate Services
EXAM TIP
Remember which steps you must perform before you take a standalone root CA offline.
PRACTICE Installing a CA and Assigning Administrative Roles
In this practice, you install an enterprise root CA in the contoso.internal domain and then configure a key recovery agent.
EXERCISE 1 Install an Enterprise Root CA
In this exercise, you install Active Directory Certificate Services on server Glasgow. Glasgow then functions as an enterprise root CA.
1. Log on to server Glasgow, using the Kim_Akers user account.
2. Open the Server Manager console. Right-click the Roles node, and then select Add Roles. This launches the Add Roles Wizard.
3. On the Before You Begin page, click Next.
4. On the Select Server Roles page, select the Active Directory Certificate Services check box, and then click Next. Review the information on the Introduction To Active Directory Certificate Services page, and then click Next.
5. On the Role Services page, select the Certification Authority and Certification Authority Web Enrollment check boxes.
6. When you select the Certification Authority Web Enrollment items, you are prompted by the Add Role Services dialog box. Click Add Required Role Services, and then click Next.
7. On the Specify Setup Type page, verify that Enterprise is selected, and then click Next.
8. On the Specify CA Type page, select Root CA, and then click Next.
9. On the Set Up Private Key page, select Create A New Private Key, and then click Next.
10. On the Configure Cryptography For CA page, change the character length to 4096 and select the Use Strong Private Key Protection Features Provided By The CSP check box, as shown in Figure 7-10, and click Next.
Figure 7-10 Configuring cryptography settings.
11. On the Configure CA Name page, verify that the common name is set to Contoso-
GLASGOW-CA and the distinguished name suffix is set to DC=Contoso,DC=internal,
and then click Next.
12. Verify that the validity period is set to 5 years, and then click Next.
13. Verify the certificate database location, and then click Next.
14. Review the information on the Confirm Installation Selections page, and then click
Next twice. Click Install to install Active Directory Certificate Services and support role
services from the Web Server (IIS) role. Click Close to dismiss the Add Roles Wizard
when the installation completes.
EXERCISE 2 Configure Enterprise Root CA Settings
In this exercise, you configure key archival settings and assign administrative roles.
1. Log on to Glasgow, using the Kim_Akers user account.
2. Open the Certification Authority console from the Administrative Tools menu. Click
Continue to dismiss the User Account Control dialog box.
3. Expand the Contoso-Glasgow-CA node, and then right-click the Certificate Templates
node. Select New, and then select Certificate Template To Issue.
4. From the list of available certificate templates, select Key Recovery Agent, as shown in
Figure 7-11, and then click OK.
Figure 7-11 Enabling the KRA template.
5. From the Start menu, click Run, type mmc, and then click OK. Dismiss the UAC dialog
box and add the Certificates snap-in for your user account.
6. Expand the Certificates – Current User node.
7. Right-click the Personal store, select All Tasks, and then select Request New Certificate.
In the Certificate Enrollment Wizard, select the Key Recovery Agent check box and click
Enroll. Click Finish when the certificate installation completes.
8. Return to the Certificate Authority console and select the Pending Requests node. In
the details pane, right-click the pending certificate request, select All Tasks, and then
select Issue.
9. In the Certification Authority console, right-click Contoso-GLASGOW-CA, and then
select Properties.
10. On the Recovery Agents tab, select Archive The Key, and then click Add. Select the
certificate issued to Kim Akers, and then click OK. Click Apply. In the dialog box asking
whether you want to restart Active Directory Certificate Services, click Yes.
11. Open Active Directory Users And Computers. Create a new global security group
called KRA_CertManagers in the Users container. Close Active Directory Users And
Computers.
12. In the Certificate Authority console, right-click Contoso-GLASGOW-CA, and then select
Properties.
13. On the Security tab, click Add. Add the KRA_CertManagers group, as shown in Figure
7-12, and assign the group the Allow Issue And Manage Certificates permission. Click
Apply.
Figure 7-12 Assigning the Cert Manager role.
14. On the Certificate Managers tab, select Restrict Certificate Managers. Verify that the
CONTOSO\KRA_CertManagers group is listed and, in the Certificate Templates area,
click Add.
15. In the Enable Certificate Templates dialog box, select the Key Recovery Agent template, and then click OK.
16. In the Certificate Templates list, select <All>, and then click Remove. Verify that the CA
Properties dialog box matches Figure 7-13, and then click OK.
Figure 7-13 Certificate Managers configuration.
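A way to confirm the outcome of Exercise 2 without re-opening each dialog box, as an added example that is not part of the book's practice. It assumes it runs on Glasgow as Kim_Akers, that the KRACertCount and KRACertHash values under the CA's CertSvc registry key are what the Recovery Agents tab writes, and that certutil -CATemplates lists each enabled template as "TemplateName: Display Name ...". It checks the three things the exercise changes: the KRA template is issued by the CA, at least one KRA certificate is registered for archival, and the KRA_CertManagers group exists.

```powershell
# Added example, not from the book: verify the result of Exercise 2 from PowerShell.
# Assumptions: runs on the CA; KRACertCount/KRACertHash are the registry values the
# Recovery Agents tab writes; certutil -CATemplates prints "TemplateName: Display Name ...".
function Test-KeyArchivalSetup {
    param([string]$ManagerGroup = 'KRA_CertManagers')   # group created in step 11
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $ca   = (Get-ItemProperty -Path $base -Name Active).Active   # name of the local CA
    $reg  = Get-ItemProperty -Path (Join-Path $base $ca)

    # Steps 3-4: the CA must be issuing the Key Recovery Agent template.
    $templates  = @(& certutil.exe -CATemplates)
    $kraEnabled = [bool]($templates | Where-Object { $_ -match '^KeyRecoveryAgent:' })

    # Step 10: Archive The Key with at least one KRA certificate selected.
    $kraCount  = [int]$reg.KRACertCount
    $kraHashes = @($reg.KRACertHash | Where-Object { $_ })

    # Step 11: the manager group exists in the domain.
    $filter   = "(&(objectCategory=group)(sAMAccountName=$ManagerGroup))"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($filter)
    $group    = $searcher.FindOne()

    $ready = $kraEnabled -and ($kraCount -ge 1) -and ($group -ne $null)
    New-Object PSObject -Property @{
        CA                 = $ca
        KraTemplateIssued  = $kraEnabled
        KraCertificates    = $kraCount
        KraCertHashes      = $kraHashes
        ManagerGroupExists = ($group -ne $null)
        Ready              = $ready
    }
}

Test-KeyArchivalSetup | Format-List CA, KraTemplateIssued, KraCertificates, KraCertHashes, ManagerGroupExists, Ready
```

Ready is false if any of the three pieces is missing; KraCertHashes lets you compare the registered thumbprint with the certificate you enrolled in step 7, which catches the common case of archival being switched on with a stale or wrong KRA certificate.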
Lesson Summary
• Enterprise CAs are tightly integrated into AD DS. They can use custom certificate templates, and you can configure them to auto-enroll certificates. Standalone CAs cannot use custom certificate templates, and certificate request data must be entered manually rather than automatically extracted from AD DS.
• You can take a standalone root CA offline and physically secure it. You cannot take an enterprise root CA offline. An enterprise CA can be a subordinate of a standalone root CA.
• You must configure key archiving on the CA and from within a certificate template. You can configure a key recovery agent (KRA) by issuing a user a key recovery agent certificate.
• You can back up certificate services by using a normal system state backup, by using the Certification Authority console, or by using the certutil.exe command-line utility.
• The Certificate Manager role gives users granted the role the ability to issue and manage certificates. The CA Administrator role allows users to start and stop Certificate Services, configure extensions, assign roles, and define key recovery agents.
Lesson Review
You can use the following questions to test your knowledge of the information in Lesson 1, “Managing and Maintaining Certificate Servers.” The questions are also available on the companion DVD if you prefer to review them in electronic form.
NOTE: Answers
Answers to these questions and explanations of why each answer choice is right or wrong are located in the “Answers” section at the end of the book.
1. You are planning the deployment of Active Directory Certificate Services in your Windows Server 2008 functional level forest. You want to be able to take the root CA offline but also integrate Certificate Services fully with AD DS. Which of the following deployments should you recommend for the first CA in your organization?
A. Enterprise root CA
B. Enterprise subordinate CA
C. Standalone root CA
D. Standalone subordinate CA
2. On which of the following versions of Windows Server 2008 can you install an enterprise subordinate CA?
A. Windows Web Server 2008
B. Windows Server 2008 Standard
C. Windows Server 2008 Enterprise
D. Windows Server 2008 Datacenter
3. You want to implement key archiving in your organization. Two users will have the
responsibility for restoring private keys from the certificate server’s database. Which
step must you take to ensure that these users will be able to restore archived keys?
A. Ensure that you issue the users a certificate with the Key Recovery Agent OID.
B. Ensure that you issue the users a certificate with the Enrollment Agent OID.
C. Ensure that you issue the users a certificate with the Subordinate Certification
Authority OID.
D. Ensure that you issue the users a certificate with the EFS Recovery Agent OID.
E. Ensure that you issue the users a certificate with the OCSP Response Signing OID.
4. Your CA hierarchy will involve an offline standalone root CA with three enterprise subordinate CAs. You have just installed AD CS on the standalone root CA. Which of the following steps must you take prior to issuing signing certificates to the enterprise subordinate CAs? (Choose four. Each correct answer presents part of a complete solution.)
A. Change the CRL distribution point URL.
B. Change the AIA distribution point URL.
C. Add the standalone root CA certificate to the enterprise root store in AD DS.
D. Set the standalone root CA to offline mode.
E. Configure the AIA points in AD DS, using certutil.exe.
5. You want to ensure that the SSLCertManagers group is the only group able to issue
certificates based on the Web Server template from a specific issuing CA. When you
navigate to the Certificate Managers tab on the CA in question, the SSLCertManagers
group is not present in the Certificate Managers list. Which step should you take to
resolve this problem?
A. Assign the SSLCertManagers group the Request Certificates permission on the
Security tab of CA properties.
B. Assign the SSLCertManagers group the Manage CA permission on the Security tab
of CA properties.
C. Assign the SSLCertManagers group the Issue and Manage Certificates permission
on the Security tab of CA properties.
D. Edit the Web Server certificate template properties. Assign the SSLCertManagers
group the Read permission to this template.
E. Edit the Web Server certificate template properties. Assign the SSLCertManagers
group the Write permission to this template.
Lesson 2: Managing and Maintaining Certificates and Templates
This lesson discusses managing certificate revocations, including publishing certificate revocation lists and configuring online responders, and the different methods of enrollment, such as Web and automatic enrollment. The lesson also covers certificate templates, which enable you to create advanced digital certificates that might be a better fit for your organization than the default certificate templates that ship with Windows Server 2008.
After this lesson, you will be able to:
• Manage certificate revocations and configure online responders.
• Manage certificate templates.
• Manage and automate certificate enrollments.
Estimated lesson time: 40 minutes
Managing and Maintaining Certificate Revocation Lists
Certificate revocation lists are just what they sound like: lists of revoked certificates. You trust a certificate issued by a CA because you trust the policies under which the CA issues certificates. If you did not trust the CA, you would not trust any certificates issued by that CA. A certificate revocation list shows you which certificates issued by the CA are no longer trustworthy. There are many reasons a certificate might be placed on a CRL, such as a signing certificate issued to a subordinate CA being revoked because the subordinate CA has been compromised, but the primary statement made by a certificate being placed on a CRL is “This certificate is no longer trustworthy.”
Each time a new certificate is encountered, or an existing certificate is used, a check is made to see whether that certificate is listed on the issuing CA’s CRL. If the CA is part of a hierarchy, another check occurs to see whether the upstream CA that issued the signing certificate still trusts the CA that issued the certificate against which the check is occurring. This is because you should not trust a certificate issued by an untrustworthy CA! The location of the CRL is included with the certificate so that the software performing the CRL check knows where to access this information. The name for the location of the CRL is the CRL distribution point. It is possible for you to designate multiple CRL distribution points for a single CA.
CRL Distribution Points
You can configure the CRL distribution point for a specific certificate server by modifying the properties listed on the Extensions tab of the issuing CA’s properties. To edit CRL distribution point information, you must assign the user the CA Administrator role as described in Lesson 1. As shown in Figure 7-14, you can specify CRL distribution points as HTTP, FTP, or
Lightweight Directory Access Protocol (LDAP) addresses or by file and folder location. Note
that any changes to a certificate server’s CRL distribution points do not apply retroactively.
This information is included in the certificate at the time of issue. If you change the CRL distribution point, clients checking previously issued certificates will be unable to locate the new
distribution point. If it becomes necessary to change a distribution point, develop a transition strategy that either keeps the old distribution point available over the lifetime of already
issued certificates or renews all existing certificates with the updated CRL distribution point
information.
Figure 7-14 Editing the CRL distribution point.
CRLs are a single file that, over time, can become very large. This size is important because
each time a client performs a check, it has to download the full CRL if it does not already
have a copy in its cache. If you frequently update your CRL, clients must always download the
entire CRL because it will not already be present in their cache. As a way of dealing with this
problem, it is possible for you to publish a smaller CRL, known as a delta CRL. The delta CRL
includes information only about certificates revoked since the publication of the CRL. The
client downloads the delta CRL and appends it to the CRL in its cache. Because delta CRLs are
smaller, you can publish them more often with less of an impact on the certificate server than
would occur if you published the full CRL by using a similar schedule.
To configure the CRL and delta CRL publication interval, open the Certificate Authority console, right-click the Revoked Certificates node, and then select Properties. This displays the Revoked Certificate Properties dialog box shown in Figure 7-15. The default CRL publication interval is one week, and the default delta CRL publication interval is one day. Use the certutil -CRL command to force the publication of a new CRL or delta CRL.
Figure 7-15 Revoking a certificate.
Overlap periods describe the amount of time after the end of a published CRL’s lifetime that the CRL is still considered valid. Consider increasing the overlap period if you are using multiple CRL distribution points (CDPs) and replication of CRL data does not occur immediately, such as if you use a distributed file system (DFS) share as a CDP and it takes a significant amount of time for replication to complete. You can configure overlap periods for both CRLs and delta CRLs by using the certutil -setreg ca\CRLOverlapUnits command.
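The CDP, publication-interval and overlap settings discussed in this section all live under the CA's CertSvc registry key, which is what the Extensions tab, the Revoked Certificates properties and certutil -setreg/-getreg read and write. The following added example (not from the book) reads those values, decodes the flag bits that prefix each publication URL, flags two misconfigurations worth catching (delta CRLs scheduled but published nowhere, and no CDP URL at all written into issued certificates), and wraps the certutil -CRL publish command. It assumes it runs on the CA and that the flag bits carry the documented CSURL_* meanings (1 publish to this location, 2 include in issued certificates, 64 publish delta CRLs here, and so on).

```powershell
# Added example, not from the book: read and sanity-check the CA's revocation configuration.
# Assumptions: runs on the CA; flag bits are the documented CSURL_* values.

$CdpFlagNames = @{ 1='PublishToServer'; 2='AddToCertCDP'; 4='AddToFreshestCRL';
                   8='AddToCrlCDP'; 64='PublishDeltaToServer'; 128='AddToIDP' }
$AiaFlagNames = @{ 1='PublishToServer'; 2='AddToCertAIA'; 32='AddToCertOCSP' }

function Get-CaRegistryPath {
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $active = (Get-ItemProperty -Path $base -Name Active).Active   # name of the local CA
    Join-Path $base $active
}

function ConvertFrom-PublicationUrl {
    # Entries look like "65:http://host/CertEnroll/%3%8%9.crl": flag bits, a colon, the URL template.
    param([string]$Entry, [hashtable]$FlagNames)
    $flagText, $url = $Entry -split ':', 2
    $flags = [int]$flagText
    $names = $FlagNames.Keys | Sort-Object | Where-Object { $flags -band $_ } | ForEach-Object { $FlagNames[$_] }
    New-Object PSObject -Property @{ Flags = $flags; Options = ($names -join '+'); Url = $url }
}

function Get-CaRevocationConfig {
    $p = Get-ItemProperty -Path (Get-CaRegistryPath)
    New-Object PSObject -Property @{
        CA             = Split-Path (Get-CaRegistryPath) -Leaf
        CrlPeriod      = "$($p.CRLPeriodUnits) $($p.CRLPeriod)"             # default 1 Weeks
        DeltaCrlPeriod = "$($p.CRLDeltaPeriodUnits) $($p.CRLDeltaPeriod)"   # default 1 Days; 0 units = deltas off
        CrlOverlap     = "$($p.CRLOverlapUnits) $($p.CRLOverlapPeriod)"
        DeltaOverlap   = "$($p.CRLDeltaOverlapUnits) $($p.CRLDeltaOverlapPeriod)"
        Cdp            = @($p.CRLPublicationURLs    | ForEach-Object { ConvertFrom-PublicationUrl $_ $CdpFlagNames })
        Aia            = @($p.CACertPublicationURLs | ForEach-Object { ConvertFrom-PublicationUrl $_ $AiaFlagNames })
    }
}

function Test-CaRevocationConfig {
    # Returns a list of problems; an empty list means the basics are in place.
    param($Config = (Get-CaRevocationConfig))
    $problems   = @()
    $deltaUnits = [int](($Config.DeltaCrlPeriod -split ' ')[0])
    if ($deltaUnits -gt 0 -and -not ($Config.Cdp | Where-Object { $_.Flags -band 64 })) {
        $problems += 'Delta CRLs are scheduled but no CDP location has PublishDeltaToServer (64)'
    }
    if (-not ($Config.Cdp | Where-Object { $_.Flags -band 2 })) {
        $problems += 'No CDP URL is included in issued certificates (AddToCertCDP, 2); clients cannot find the CRL'
    }
    $problems
}

function Publish-CaCrl {
    # Force publication now; -DeltaOnly runs "certutil -CRL delta" for just a new delta CRL.
    param([switch]$DeltaOnly)
    $cmdArgs = if ($DeltaOnly) { @('-CRL', 'delta') } else { @('-CRL') }
    & certutil.exe @cmdArgs
    if ($LASTEXITCODE -ne 0) { throw "certutil -CRL failed with exit code $LASTEXITCODE" }
}

$cfg = Get-CaRevocationConfig
$cfg | Format-List CA, CrlPeriod, DeltaCrlPeriod, CrlOverlap, DeltaOverlap
$cfg.Cdp | Format-Table Flags, Options, Url -AutoSize
Test-CaRevocationConfig $cfg
```

The Options column makes it obvious which URLs clients will actually see in certificates versus which are only publish targets; when you plan the transition strategy the text recommends for a CDP change, keep the old entry with flag 2 cleared and flag 1 set so the CRL is still published there for certificates that already carry that URL.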
MORE INFO: Configuring Certificate Revocation
For more information on configuring certificate revocation, see the following TechNet article: http://technet2.microsoft.com/windowsserver2008/en/library/336d3a6a-33c6-4083-8606-c0a4fdca9a251033.mspx?mfr=true.
Authority Information Access
The authority information access (AIA) extension contains the URLs at which the issuing CA’s certificate is published. The client uses these URLs when building a certificate chain to retrieve the CA certificate if it does not already have a copy in its local cache. Modify the AIA extension to an alternate location if you want to take the CA offline. You must also export the CA certificate and place it in this alternate location to support certificate chain requests. The AIA also contains the URL of any online responders that you have configured to support revocation checks. You learn more about online responders later in this lesson.
Revoking a Certificate
A user must hold the Certificate Manager role to be able to revoke certificates. Just as you should not issue certificates in an arbitrary manner, you should not revoke certificates in an arbitrary manner. If possible, your organization should develop a certificate revocation policy
that clearly details the reasons and situations for which issued certificates are revoked. These
policies are a necessity for organizations that might be legally liable for the consequences of
certificate revocation. For example, if a CA issues an SSL certificate to an e-commerce site,
revoking that certificate will have an impact on the function of that business. If the revocation cannot be justified, your organization can be legally liable for loss of income. To revoke
a certificate, right-click it in the list of issued certificates in the Certification Authority console
and, from All Tasks, select Revoke Certificate. As Figure 7-16 shows, a dialog box asks you to
provide a reason when you revoke a certificate. You can provide the following reasons:
• Key Compromise: Select this reason if you suspect that the private key associated with the certificate has been compromised. Use this reason to revoke all keys related to a laptop that has been lost or stolen, for instance.
• CA Compromise: Select this reason if you suspect that a subordinate CA has been compromised and want to revoke that CA’s signing certificate. This invalidates all certificates issued by that CA, including the certificates of any CA below it in the hierarchy.
• Change of Affiliation: Select this reason when the person to whom you issued the certificate leaves or changes his or her role within your organization.
• Superseded: Select this reason when an updated certificate has been issued, perhaps with improvements to the certificate template, and you want to invalidate any previously issued certificates used for the same purpose.
• Cease of Operation: Select this reason when revoking a computer certificate assigned to a computer that is being decommissioned. For example, your organization is decommissioning an e-commerce Web site because of a brand-name change, and you want to revoke the SSL certificate assigned to that site.
• Certificate Hold: Select this reason to place certificates on hold status. This means that the certificate is not validated, but it also has not been fully revoked. It is possible to undo this status by assigning the RemoveFromCRL status, which can be assigned only to certificates placed on hold.
• Unspecified: This reason is assigned when a specific revocation code is not applicable. The drawback of this category is that it does not allow auditors to determine why a particular certificate has been revoked if that decision is queried later.
Figure 7-16 Certificate Revocation Wizard.
Remember that a revocation does not take effect until you publish the CRL or delta CRL.
This does not mean that you should automatically force the publication of a new CRL every
time you revoke a certificate, but you should make the people responsible for revoking certificates aware that there is a delay before the revocation will propagate out to the CRL.
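The revocation reasons listed above map to numeric CRLReason codes, and certutil -revoke accepts those codes from the command line. The following added example (not from the book) revokes a certificate by reason name, refuses the two mistakes the text warns about (RemoveFromCRL on a certificate that is not on hold, and revoking a certificate that is already permanently revoked), and optionally publishes a delta CRL straight away because, as the paragraph above says, nothing reaches clients until a CRL is published. It assumes it runs on the CA as a Certificate Manager, that the codes are the RFC 5280 CRLReason values, and that the CertificateAuthority.Admin COM object's IsValidCertificate method returns 2 for a revoked certificate, after which GetRevocationReason reports the stored reason; the serial number in the usage line is a constructed placeholder.

```powershell
# Added example, not from the book: reason-by-name revocation with guard rails.
# Assumptions: runs on the CA as a Certificate Manager; CRLReason codes per RFC 5280;
# ICertAdmin.IsValidCertificate returns 2 for a revoked certificate.

$RevocationReasons = @{
    Unspecified         = 0
    KeyCompromise       = 1
    CACompromise        = 2
    ChangeOfAffiliation = 3
    Superseded          = 4
    CeaseOfOperation    = 5
    CertificateHold     = 6
    RemoveFromCRL       = 8   # only valid for a certificate currently on hold
}

function Get-CaConfigString {
    # "ServerName\CA common name", the form the CA interfaces expect (local CA assumed).
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $active = (Get-ItemProperty -Path $base -Name Active).Active
    "$env:COMPUTERNAME\$active"
}

function Get-CaCertificateStatus {
    param([Parameter(Mandatory=$true)][string]$SerialNumber)
    $admin       = New-Object -ComObject CertificateAuthority.Admin
    $disposition = $admin.IsValidCertificate((Get-CaConfigString), $SerialNumber)
    $reason      = $null
    if ($disposition -eq 2) { $reason = $admin.GetRevocationReason() }
    New-Object PSObject -Property @{
        SerialNumber = $SerialNumber
        Revoked      = ($disposition -eq 2)
        OnHold       = ($disposition -eq 2 -and $reason -eq 6)
        Reason       = $reason
    }
}

function Revoke-CaCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$SerialNumber,
        [Parameter(Mandatory=$true)][string]$Reason,
        [switch]$PublishDeltaCrl     # push the change out immediately with certutil -CRL delta
    )
    if (-not $RevocationReasons.ContainsKey($Reason)) {
        throw "Unknown reason '$Reason'. Use one of: $(($RevocationReasons.Keys | Sort-Object) -join ', ')"
    }
    $status = Get-CaCertificateStatus -SerialNumber $SerialNumber
    if ($Reason -eq 'RemoveFromCRL' -and -not $status.OnHold) {
        throw "RemoveFromCRL can only be applied to a certificate on Certificate Hold"
    }
    if ($status.Revoked -and -not $status.OnHold) {
        throw "Certificate $SerialNumber is already revoked with reason $($status.Reason)"
    }
    # A held certificate may still be escalated to a permanent reason; that path passes both checks.
    & certutil.exe -revoke $SerialNumber $RevocationReasons[$Reason]
    if ($LASTEXITCODE -ne 0) { throw "certutil -revoke failed with exit code $LASTEXITCODE" }
    # Clients only see the change once a CRL or delta CRL containing it is published.
    if ($PublishDeltaCrl) {
        & certutil.exe -CRL delta
        if ($LASTEXITCODE -ne 0) { throw "certutil -CRL delta failed with exit code $LASTEXITCODE" }
    }
    Get-CaCertificateStatus -SerialNumber $SerialNumber
}

# Usage (serial number is a constructed placeholder):
# Revoke-CaCertificate -SerialNumber '1a2b3c4d00000000000f' -Reason KeyCompromise -PublishDeltaCrl
```

Reason names are the dialog's labels with the spaces removed, so a revocation policy written against the dialog maps directly onto this function, and the returned status object gives the operator the stored reason code for the audit trail.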
Managing and Maintaining Online Responders
When a CRL check occurs, and the CRL does not exist in the client’s cache, the entire CRL
must be downloaded as well as the most recent delta CRL. The longer a CA has been active,
the larger the CRL will be. During peak activity, for example, when a large number of users are
logging on using smart cards, significant delays can occur due to bandwidth limitations. By
implementing the Online Certificate Status Protocol (OCSP), you can deal with this problem.
A traditional revocation check involves accessing the entire CRL. An online responder
check responds directly to requests about the status of specific certificates. Rather than
transmitting all the data in the CRL across the network, only data about a specific certificate is
transmitted. A single CA’s revocation data can be distributed across multiple online responders in a responder array. Similarly, a single online responder or array can provide revocation
status data for certificates issued by multiple CAs. Implementing Online Responders significantly reduces delays that occur due to CRL checks.
You can install the Online Responder role service only on computers running Windows Server 2008. Microsoft recommends that you not deploy the Online Responder role service on the computer that hosts the CA, although it is possible to do so; this is the likely configuration in small AD CS deployments. Deploy the Online Responder role service after you have deployed your initial CA infrastructure but prior to issuing any certificates. This ensures that an online responder, rather than traditional CDPs, handles all revocation checks.
To deploy an online responder, ensure that you have configured and enabled an OCSP
response signing certificate template on the CA online responder servers. You must also use
auto-enrollment to issue OCSP response signing certificates to all computers that host the
Online Responder role service. An online responder that services multiple CAs needs OCSP
response signing certificates for each CA it services. You must also modify the CA’s AIA extension by adding the URL for the online responder.
You use the Online Responder management console, shown in Figure 7-17, to manage
the Online Responder role service. You can use this console to create revocation configurations for every CA and CA certificate serviced by the responder. A revocation configuration
includes all information necessary to reply to requests from clients about certificates issued
from a specific CA. It is necessary to ensure that an online responder has a key and signing
certificate for each CA it supports.
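The one CA-side change the text requires for an online responder is adding the responder's URL to the AIA extension; the following added example (not from the book) does that and then checks, from a client's point of view, whether a certificate's AIA, CDP and OCSP URLs actually answer. It assumes it runs on the CA, that flag value 32 on an AIA entry is the documented "include in the OCSP extension" bit, that the responder URL is a constructed placeholder, and that the result lines of certutil -verify -urlfetch have the observed shape Verified "OCSP" Time: 0 (the parser is written against that shape and will simply return no rows if the format differs).

```powershell
# Added example, not from the book: add an OCSP URL to the CA's AIA and test URL retrieval.
# Assumptions: runs on the CA; flag 32 = include in the OCSP extension; placeholder URL;
# certutil -verify -urlfetch prints lines like:  Verified "OCSP" Time: 0

function Add-CaOcspUrl {
    param([Parameter(Mandatory=$true)][string]$OcspUrl)
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $ca   = (Get-ItemProperty -Path $base -Name Active).Active
    $key  = Join-Path $base $ca
    $current = @((Get-ItemProperty -Path $key -Name CACertPublicationURLs).CACertPublicationURLs)
    $entry   = "32:$OcspUrl"
    if ($current -contains $entry) {
        Write-Host "Responder $OcspUrl is already in the AIA list of $ca"
        return $current
    }
    $updated = $current + $entry
    Set-ItemProperty -Path $key -Name CACertPublicationURLs -Value $updated
    # As with a CDP change, only certificates issued from now on carry the new URL; the
    # service reads the extension settings at start-up, so it must be restarted.
    Restart-Service -Name CertSvc
    $updated
}

function Test-CertificateRevocationPath {
    # Makes certutil fetch every AIA/CDP/OCSP URL in the certificate file and summarises the results.
    param([Parameter(Mandatory=$true)][string]$CertPath)
    $raw     = & certutil.exe -verify -urlfetch $CertPath 2>&1 | Out-String
    $results = @()
    foreach ($line in ($raw -split "`r?`n")) {
        if ($line -match '^\s*(?<status>[A-Za-z ]+?)\s+"(?<target>[^"]+)"\s+Time:') {
            $results += New-Object PSObject -Property @{
                Status = $matches['status'].Trim()   # Verified / Failed / Expired ...
                Target = $matches['target']          # e.g. OCSP, Certificate (0), Base CRL (..)
            }
        }
    }
    New-Object PSObject -Property @{
        Certificate  = $CertPath
        OcspAnswered = [bool]($results | Where-Object { $_.Target -eq 'OCSP' -and $_.Status -eq 'Verified' })
        Results      = $results
        Raw          = $raw   # keep the full transcript for troubleshooting
    }
}

# Usage (placeholder URL and file path):
# Add-CaOcspUrl -OcspUrl 'http://ocsp.contoso.internal/ocsp'
# Test-CertificateRevocationPath -CertPath 'C:\temp\issued-after-change.cer' |
#     Format-List Certificate, OcspAnswered, Results
```

Run the test against a certificate issued after the AIA change: one issued before it has no OCSP URL to fetch, which is exactly why the text says to deploy the responder before issuing certificates.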
Figure 7-17 Online Responder management console.
MORE INFO: More on Certificate Revocation and Online Responders
For a more detailed look at revoking certificates and the Online Responder role service, consult Chapter 10, “Certificate Revocation,” in Windows Server 2008 PKI and Security, by Brian Komar (Microsoft Press, 2008).
Quick Check
1. What is the difference between a CRL and a delta CRL?
2. Which types of addresses can you use to specify CDPs?
Quick Check Answers
1. A CRL contains a list of all revoked certificates. A delta CRL contains a list of certificates revoked since the publication of the last full CRL.
2. CDPs can be specified using HTTP, FTP, and LDAP addresses or by file and folder location.
Managing Certificate Templates
Certificate templates define the format and content of certificates issued by enterprise certificate authorities. A template determines which user or computer accounts can enroll for a certificate, and it defines the enrollment process (automatic, manual, or enrollment with authorized certificates). A discretionary access control list (DACL) is associated with each certificate template, which governs which users and groups have permission to access and
configure the template. Certificate templates are stored within AD DS. A modification to
a template will replicate through the directory to all enterprise CAs in the forest. Only the
Enterprise and Datacenter editions of Microsoft Windows Server 2003 and Windows Server
2008 support customizable certificate templates.
Although Windows Server 2008 ships with a number of certificate templates that you can
deploy to meet a general set of needs, the settings on the default set of certificates might not
precisely suit your needs for digital certificates in your own environment. By creating your
own certificate templates, you can address your organization’s needs more directly.
There are three versions of the certificate template, two of which you can create for use
with Windows Server 2008 Enterprise. Version 1 templates are compatible with Windows
2000 Server, Windows Server 2003, and Windows Server 2008 CAs. You cannot modify
or remove a version 1 template. When you create a duplicate of a version 1 template, the
duplicate becomes a version 2 or 3 template to which you can make modifications. You can
customize version 2 templates, and they are compatible with Windows Server 2003 and
Windows Server 2008 Enterprise and Datacenter CAs. Version 3 certificate templates support Windows Server 2008 features such as Cryptography Next Generation (CNG) and Suite
B cryptographic algorithms such as elliptic curve cryptography. You can use only version 3
certificate templates with enterprise CAs installed on Windows Server 2008.
You create a new template by creating a duplicate of an existing template that best
matches the function of what you want to achieve with the new digital certificate type. For
example, if you want to create a more advanced type of EFS certificate, you duplicate the EFS
certificate template. When you duplicate the template, you are asked whether you want to
set the minimum supported CA as Windows Server 2003 Enterprise or Windows Server 2008
Enterprise, as shown in Figure 7-18.
Figure 7-18 Selecting template compatibility.
After you have selected the minimum supported CA, enter a name for the template.
After you have set this name, you will be unable to change it. The General tab of a certificate
template’s properties enables you to specify the certificate’s validity period, renewal period,
whether to publish certificates in AD DS, whether automatic reenrollment should occur if a
valid certificate exists in AD DS, and whether to use the existing key for smart card certificate
renewal if a new key cannot be created. Figure 7-19 shows these settings.
Figure 7-19 General tab of a certificate template’s properties.
On the Request Handling tab, shown in Figure 7-20, you can define the purpose of the
certificate. The available purposes are Signature and Encryption, Encryption, Signature, and
Signature and Smart Card Logon. If you want to use Key Recovery in your environment for
this certificate type, enable the Archive Subject’s Encryption Private Key option. This enables
designated key recovery agents to recover the private key if necessary. You learned about key
recovery agents in Lesson 1. You can also use the options on this tab to determine the level of
user input when the private key is used and whether the private key can be exported.
Figure 7-20 Certificate template request handling.
On the Cryptography tab, you can specify the algorithm and key size. You can also specify
whether any cryptographic provider on the subject’s computer, or a specific provider, is used
for the certificate request. On the Subject Name tab, you can specify whether the CA extracts
the certificate’s subject name from Active Directory information or whether the subject supplies this information in the certificate request. On the Issuance Requirements tab, you can
specify whether a user who holds the Certificate Manager role must approve the certificate.
You can also configure whether more than one digital signature is required before enrollment
can occur. If more than one signature is required, auto-enrollment is not possible for this template. Use this setting when multiple people must authorize the issuing of a certificate.
On the Superseded Templates tab, you can specify existing templates that the new template replaces. You must ensure that any templates specified perform the same function as the new template. The Extensions tab, shown in Figure 7-21, enables you to configure the application policies, certificate template information, issuance policies, and key usage. Application policies define the purposes for which the certificate can be used, certificate template information provides data on the OID of the certificate, issuance policies describe the rules implemented when issuing the certificate, and key usage is a restriction method that determines what a certificate can be used for.
Figure 7-21 Certificate template extensions.
The Security tab, shown in Figure 7-22, enables you to specify the accounts and groups
that can enroll and auto-enroll certificates issued from the template. You can also use this
dialog box to block specific accounts and groups from enrolling or auto-enrolling. Finally, you
can use this dialog box to specify which accounts and groups are able to make modifications
or view the certificate template itself.
To configure a CA to issue a custom template or a template that it does not already issue
that is stored within AD DS, open the Certificate Authority console, right-click the Certificate
Templates node, select New, and then select Certificate Template To Issue. From the Enable
Certificate Templates dialog box, shown in Figure 7-23, select the templates you want the
CA to issue, and then click OK. You can also use the Templates node of the Certificate
Authority console to remove templates from a CA, stopping that CA from issuing certificates of that type.
Figure 7-22 Certificate template security.
Figure 7-23 Select templates to issue.
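Because templates are objects in the AD DS configuration partition, the settings this section walks through tab by tab (schema version, private key archival, manager approval, required signatures, and the Enroll and Autoenroll entries on the Security tab) can be inventoried in one pass for every template in the forest. The following added example (not from the book) does that; it also covers the Autoenroll permission discussed under Auto-enrollment later in this lesson. It assumes it runs as a domain user on a domain-joined machine, that the msPKI-* attribute names and bit values are the documented ones (0x1 in msPKI-Private-Key-Flag = archive the private key, 0x2 in msPKI-Enrollment-Flag = CA manager approval), and that the two GUIDs are the well-known Enroll and Autoenroll extended rights. It counts only explicit ACEs for those rights; a Full Control entry grants them implicitly and is not listed.

```powershell
# Added example, not from the book: inventory certificate templates stored in AD DS.
# Assumptions: domain-joined host; documented msPKI-* attributes and flag bits; the two
# GUIDs are the well-known Enroll and Autoenroll extended-right identifiers.

$EnrollRight     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoenrollRight = [Guid]'a05b8cc2-17bc-11d2-9f99-0000f87a57d4'

function Get-CaTemplateInventory {
    $configNc  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

    foreach ($tpl in $container.Children) {
        $pkFlags = [int]($tpl.Properties['msPKI-Private-Key-Flag'].Value)
        $enFlags = [int]($tpl.Properties['msPKI-Enrollment-Flag'].Value)
        $raSigs  = [int]($tpl.Properties['msPKI-RA-Signature'].Value)

        # Walk the template's DACL for explicit Enroll / Autoenroll extended-right ACEs.
        $enroll = @(); $autoenroll = @()
        foreach ($ace in $tpl.ObjectSecurity.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $isExtended = ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
            if (-not $isExtended) { continue }
            if ($ace.ObjectType -eq $EnrollRight)     { $enroll     += $ace.IdentityReference.Value }
            if ($ace.ObjectType -eq $AutoenrollRight) { $autoenroll += $ace.IdentityReference.Value }
        }

        New-Object PSObject -Property @{
            Template           = [string]$tpl.Properties['cn'].Value
            SchemaVersion      = [int]($tpl.Properties['msPKI-Template-Schema-Version'].Value)   # 1, 2 or 3
            ArchivePrivateKey  = [bool]($pkFlags -band 0x1)    # Request Handling: archive subject's key
            ExportableKey      = [bool]($pkFlags -band 0x10)   # Request Handling: private key exportable
            ManagerApproval    = [bool]($enFlags -band 0x2)    # Issuance Requirements: CA manager approval
            RaSignatures       = $raSigs                        # Issuance Requirements: authorized signatures
            # More than one signature rules out auto-enrollment, as the text notes.
            AutoenrollPossible = ($raSigs -le 1) -and ($autoenroll.Count -gt 0)
            Enroll             = ($enroll -join '; ')
            Autoenroll         = ($autoenroll -join '; ')
        }
    }
}

Get-CaTemplateInventory | Sort-Object Template |
    Format-Table Template, SchemaVersion, ArchivePrivateKey, ManagerApproval, RaSignatures, AutoenrollPossible, Autoenroll -AutoSize
```

Two rows deserve a second look whenever they appear: a template with ArchivePrivateKey set but no manager approval, and a template that grants Autoenroll to a broad group such as Domain Users or Authenticated Users, since every member will silently receive that certificate.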
MORE INFO: More on Certificate Templates
For more information on implementing and administering certificate templates, see the following TechNet link: http://technet2.microsoft.com/windowsserver2008/en/library/9354c9b0-f4da-440c-8b2c-fb84c534e0351033.mspx?mfr=true.
Managing Enrollment
Enrollment is the process through which users or computers acquire certificates. Traditionally,
there have been two certificate enrollment methods: the Certificates console and Web enrollment. Through the Certificates console, you can run the Certificate Enrollment Wizard. The
wizard provides a list of all certificates for which the security principal is eligible, as shown in
Figure 7-24. You can run the Certificates console for your user account, a service account, or a
computer account with the list of available certificates reflecting the context in which you run
the wizard. You learn about Web enrollment later in this lesson.
Figure 7-24 Certificate Enrollment Wizard.
Auto-enrollment
Although you can implement enrollment by using the Certificates console, the enrollment
process is cumbersome to nontechnical users. Auto-enrollment enables you to deploy
certificates automatically to users, computers, and service accounts in your organization.
It minimizes the necessity for user interaction, greatly simplifying the process of certificate
deployment.
You must configure a certificate template to support auto-enrollment. Only version 2 and
version 3 certificate templates support auto-enrollment; version 1 templates do not. Configure
a template to support auto-enrollment by modifying the permissions on the certificate
template's Security tab, granting the desired user or group accounts the Autoenroll permission
in addition to the Read and Enroll permissions they also need. Figure 7-25 shows that the
Accountants group has the Autoenroll permission to the Advanced User certificate template.
After configuring a certificate template's permissions to support auto-enrollment, you
must configure Group Policy (for example, the Default Domain Policy) in each domain of your
forest to support auto-enrollment. Do this by configuring the Certificate Services Client –
Auto-Enrollment policy, as shown in Figure 7-26. This policy setting is available in both the
Computer Configuration and User Configuration sections of a GPO; which section you enable
it in depends on whether you are deploying computer certificates or user certificates. You can
also use the auto-enrollment policy to configure automatic renewal of expired certificates and
automatic updating of certificates that use superseded templates. It is also possible, when
configuring the policy for user certificates, to display expiration notifications.
Figure 7-25 Configuring auto-enrollment in the template.
Figure 7-26 Auto-enrollment Group Policy.
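Because the auto-enrollment policy arrives through Group Policy and the client then acts on it silently, troubleshooting usually comes down to two questions: what policy did this client actually receive, and did it enroll? The following PowerShell is an added example, not code from the original text. It decodes the AEPolicy registry value that the Certificate Services Client – Auto-Enrollment setting writes (the bit meanings are those used by the Windows auto-enrollment client; confirm them against the Group Policy editor for your build), forces a policy refresh and an immediate auto-enrollment pass, and then lists the user's certificates with the template each was issued from. Registry paths are the real policy locations; everything else is illustrative.

```powershell
# Added example, not from the original text. Shows the effective auto-enrollment policy
# on this client, triggers a run, and lists what was enrolled.
# Assumption: bit meanings below match the Windows auto-enrollment client's AEPolicy value.

$Flags = @{
    TemplateCheck     = 0x1      # "Update certificates that use certificate templates"
    MyStoreManagement = 0x2      # "Renew expired certificates, update pending, remove revoked"
    PendingFetch      = 0x4      # retrieve certificates issued for earlier pending requests
    DisableAll        = 0x8000   # the policy is set to Disabled
}

function Get-AutoEnrollmentPolicy {
    param([ValidateSet('Computer', 'User')][string]$Scope = 'User')
    # Computer Configuration writes to HKLM, User Configuration to HKCU
    $hive = if ($Scope -eq 'Computer') { 'HKLM:' } else { 'HKCU:' }
    $key  = "$hive\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    $val  = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $val) { return "$Scope : AEPolicy not configured (no value present; client default applies)" }
    $set = $Flags.Keys | Where-Object { ($val -band $Flags[$_]) -ne 0 } | Sort-Object
    "$Scope : AEPolicy=0x{0:X} ({1})" -f $val, ($set -join ', ')
}

Get-AutoEnrollmentPolicy -Scope Computer
Get-AutoEnrollmentPolicy -Scope User

# Pull the latest user policy and run the auto-enrollment task now instead of waiting
gpupdate /target:user /force | Out-Null
certutil -pulse | Out-Null

# List the user's certificates with the template each came from. Version 1 templates
# record the name (OID 1.3.6.1.4.1.311.20.2); version 2 and 3 templates record the
# template OID and version (OID 1.3.6.1.4.1.311.21.7).
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $ext  = $_.Extensions | Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' }
    $tmpl = if ($ext) { ($ext | ForEach-Object { $_.Format($false) }) -join '; ' } else { '(no template extension)' }
    [pscustomobject]@{
        Subject    = $_.Subject
        Template   = $tmpl
        NotAfter   = $_.NotAfter
        Thumbprint = $_.Thumbprint
    }
} | Format-Table -AutoSize
```

If the policy decodes as enabled but nothing appears in the store, the remaining causes are on the template side: the principal lacks Read, Enroll or Autoenroll, the template is version 1, or the CA does not issue the template yet.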
MORE INFO
More on configuring auto-enrollment
For more information on configuring auto-enrollment, see the following TechNet
document: http://technet.microsoft.com/en-us/library/cc731522.aspx.
Web Enrollment
You can configure Web enrollment to enable users of Microsoft Internet Explorer 6.x or later
to use a Web application to submit certificate requests. Web enrollment enables users to
request certificates and review the status of existing requests, gain access to the CRL and
delta CRL, and perform smart card enrollment. Web enrollment enables you to provide a
certificate enrollment mechanism for users and computers that are not part of an Active
Directory environment. Web enrollment also provides certificate enrollment functionality
to users of non-Microsoft operating systems. Users of alternative browsers must first create
a PKCS #10 certificate request and then submit that request through the Web enrollment
application. After a request has been processed, a user can reconnect to the Web enrollment
application and download and install the issued certificates.
You can configure a server to support Web enrollment by installing the Certification
Authority Web Enrollment role service. You can install this role service on the same computer
as the CA or on a separate host. When you collocate Web enrollment with the CA, the
wizard automatically configures the role service to support the local CA. When installed on
a separate host, you must provide additional details to pair the Web application with a CA.
Although you can install Web enrollment on enterprise CAs, you cannot use it with version 3
certificate templates. Also, you cannot request computer certificates through Web enrollment
against a Windows Server 2008 CA.
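The "create a PKCS #10 request and submit it" path described above is the one that works regardless of browser, and it is also what you use from scripts. The following PowerShell is an added example, not code from the original text: it writes a certreq policy file, generates a key pair and a Base64 PKCS #10 request that can be pasted into the Web enrollment advanced request page (by default https://<server>/certsrv), and shows the direct certreq -submit alternative for a domain-joined client. The subject, template name ContosoUserV2 and CA configuration string are placeholders; the template is assumed to be version 1 or 2, since Web enrollment on a Windows Server 2008 CA cannot use version 3 templates, and MachineKeySet stays FALSE because computer certificates cannot be requested through Web enrollment against that CA.

```powershell
# Added example, not from the original text. Builds a PKCS #10 request with certreq for
# submission through Web enrollment (or directly with certreq -submit).
# Placeholders: the Subject, template "ContosoUserV2", and the CA config string.
# Assumption: the template is version 1 or 2, as required by Web enrollment on Server 2008.

$inf = @"
[NewRequest]
Subject = "CN=alice,OU=Accounts,DC=contoso,DC=internal"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
Exportable = FALSE            ; private key never leaves this machine's key store
MachineKeySet = FALSE         ; user key; computer certificates are not available via Web enrollment on 2008
KeySpec = 1                   ; AT_KEYEXCHANGE
KeyUsage = 0xA0               ; Digital Signature + Key Encipherment
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = ContosoUserV2
"@
Set-Content -Path .\alice.inf -Value $inf -Encoding ASCII

# Generate the key pair in the user's store and write the Base64 PKCS #10 request
certreq -new .\alice.inf .\alice.req

# Paste this Base64 block into the Web enrollment "advanced certificate request" page.
# If the CA manager must approve the request, return later to "View the status of a
# pending certificate request" and download the issued certificate from there.
Get-Content .\alice.req

# Alternative for a domain-joined client: submit straight to the CA and install the result.
# certreq -submit -config "glasgow.contoso.internal\contoso-GLASGOW-CA" .\alice.req .\alice.cer
# certreq -accept .\alice.cer

# Verify the installed certificate is bound to the key generated above
# Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -like 'CN=alice,*' -and $_.HasPrivateKey }
```

Whichever submission path is used, install the issued certificate on the same machine and user context that ran certreq -new; the private key generated there is the only thing that can complete the pair.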
MORE INFO
More on configuring Web enrollment
To learn more about configuring Web enrollment support for Windows Server 2008 CAs,
see the following TechNet link: http://technet.microsoft.com/en-us/library/cc732895.aspx.
Enrollment Agents
Restricted enrollment agents are users who are able to enroll for a certificate on behalf of
another client. Restricted enrollment agents often enroll smart card certificates for other
users. For example, staff in the HR department might be designated enrollment agents
because they need to issue smart cards as part of the process of preparing all the resources
a new employee needs to start work. Enrollment agents can perform only enrollment
tasks; they cannot approve pending requests or revoke existing certificates. This means an
enrollment agent can be a normal user account, and you do not have to assign one of the
Certificate Services roles.
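An enrollment agent certificate lets its holder obtain logon certificates in other people's names, so the set of agents deserves the same periodic review as the CA roles themselves. The following PowerShell is an added example, not code from the original text: it queries the CA database for issued certificates based on the Enrollment Agent and Exchange Enrollment Agent (Offline request) templates and shows how to revoke one whose holder has left the role. It must run on the CA as a certificate manager; the serial number is a placeholder.

```powershell
# Added example, not from the original text. Inventories issued enrollment agent
# certificates on this CA and revokes one that is no longer justified.
# Run on the CA as a certificate manager; the serial number below is a placeholder.

# Disposition 20 = issued. EnrollmentAgent and EnrollmentAgentOffline are version 1
# templates, so the CA database records their names (rather than a template OID) in
# the CertificateTemplate column, which is what -restrict matches on here.
certutil -view -restrict "CertificateTemplate=EnrollmentAgent,Disposition=20" `
                -out "RequestID,RequesterName,SerialNumber,NotBefore,NotAfter"

# Agents enrolled through an offline (Web or certreq) request use the Exchange
# Enrollment Agent (Offline request) template
certutil -view -restrict "CertificateTemplate=EnrollmentAgentOffline,Disposition=20" `
                -out "RequestID,RequesterName,SerialNumber,NotAfter"

# Revoke an agent certificate when its holder leaves the HR role.
# Reason 3 = AffiliationChanged (0 Unspecified, 1 KeyCompromise, 4 Superseded, 5 CessationOfOperation)
certutil -revoke 61a2c9d5000000000007 3

# Publish a fresh CRL so relying parties see the revocation before the next scheduled one
certutil -CRL
```

Compare the RequesterName column against the list of people who are supposed to be enrollment agents; any name that is not on it is a certificate that can mint smart card logons for other users and should be revoked as above.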