Active Directory 2008: Certificate Services Facts…

AD CS Facts

You can use Active Directory Certificate Services (AD CS) to build your own public key infrastructure (PKI). Servers running AD CS issue certificates to users, computers, services and network devices. When you install AD CS on a server, you choose one of the following CA types:

  • An enterprise root CA sits at the top of a PKI hierarchy and signs its own certificate. An enterprise CA requires Active Directory Domain Services: it issues certificates from certificate templates, can use information in Active Directory (such as the requester's account attributes) to build and approve certificates, and can publish the certificates it issues to Active Directory.
  • An enterprise subordinate CA gets its authority to issue certificates from the CA above it (the root CA, or an intermediate CA that chains to the root). Like an enterprise root CA, it is integrated with Active Directory and can use directory information when responding to certificate requests.
  • A standalone root CA sits at the top of a PKI hierarchy but is not integrated with Active Directory. It does not use certificate templates, and by default it holds each request as pending until an administrator approves it.
  • A standalone subordinate CA gets its authority from the CA above it and is not integrated with Active Directory.

The CA type is fixed at installation; changing it means removing and reinstalling the role. The usual production design is a standalone root CA that is kept offline and powered on only to sign subordinate CA certificates and publish its CRL, with one or more online enterprise subordinate CAs doing the day-to-day issuance. If an online issuing CA is compromised, its certificate can then be revoked at the root without rebuilding the whole hierarchy.

When you install AD CS on a server, you choose one (or more) of the following role services:

Role service: description

Certification Authority: Add the Certification Authority role service to configure the server as a CA that issues certificates to other CAs or to users and computers. When you add this role service, you configure the server as an enterprise or standalone CA, and as a root or subordinate CA.
Certification Authority Web Enrollment: Add the Certification Authority Web Enrollment role service to let users connect to a CA through a Web browser and perform common tasks, such as:

  • Requesting certificates
  • Requesting the CA's certificate
  • Submitting a certificate request
  • Retrieving the CA's CRL
  • Performing smart card certificate enrollment

Web Enrollment runs on IIS (the pages are served under /certsrv). Users authenticate to those pages, so publish them over HTTPS only.
Online Responder: The Microsoft Online Responder service lets you configure and manage Online Certificate Status Protocol (OCSP) validation and revocation checking in Windows-based networks. With OCSP, a relying party (a client) submits a status request for one certificate to an online responder (also called an OCSP responder), and the responder returns a definitive, digitally signed response stating whether that certificate is good, revoked or unknown. Use the Online Responder service to:

  • Create a central location for revocation information. One online responder can serve revocation data for multiple CAs, giving clients a single place to check the status of any certificate.
  • Let clients check the status of a single certificate. With OCSP, a client no longer needs to download the entire CRL.
  • Shorten the time until clients learn that a certificate has been revoked. Without OCSP, a client caches the CRL it downloaded and does not look for a newer one until the cached copy's next-update time passes. With OCSP, each certificate is checked with the online responder (subject to the validity period of the signed response, which clients also cache).

The Online Responder builds its answers from the CRLs and delta CRLs it retrieves from the CA, so its answers are only as fresh as the CA's CRL publishing schedule; publish delta CRLs frequently if fast revocation matters.
Network Device Enrollment Service (NDES): The Network Device Enrollment Service is Microsoft's implementation of the Simple Certificate Enrollment Protocol (SCEP). It lets software running on network devices such as routers and switches, which have no Active Directory account and therefore cannot authenticate to a CA directly, enroll for certificates from a CA. The following process is used to obtain certificates for non-Microsoft devices:

  1. On the network device, run the device's utility to generate a certificate request.
  2. Submit the certificate request to a Windows server running the Network Device Enrollment Service. This server is called a registration authority (RA).
  3. The RA submits the certificate request to a CA.
  4. The CA issues the certificate and returns it to the RA.
  5. On the network device, import the certificate received from the RA.

Each request is authorized by a one-time challenge password that the administrator obtains from the NDES administration page (mscep_admin) and enters into the device. Whoever can present a valid challenge password can obtain a certificate through NDES, so restrict access to the NDES server and its administration page as you would to the CA itself.

The registration authority must be running the Windows Server 2008 Enterprise or Datacenter edition.

  • If you are using an enterprise CA, it is recommended to install the NDES service on a server other than the CA.
  • If you are using a standalone CA, it is recommended to install the NDES service on the CA.
Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service: The Certificate Enrollment Web services are new AD CS role services in Windows Server 2008 R2. They enable policy-based certificate enrollment over HTTPS (the role services require a server authentication certificate on IIS), using the same certificate templates and CA policy as LDAP-based enrollment. The Web services:

  • Act as a proxy between a client computer and a CA, so the client never needs a direct DCOM connection to the CA.
  • Are beneficial in the following scenarios:
    • In multiple-forest deployments, client computers can enroll for certificates from CAs in a different forest.
    • In extranet deployments, mobile workers and business partners can enroll over the Internet.

The Certificate Enrollment Web services have the following requirements:

  • An Active Directory forest with the Windows Server 2008 R2 schema.
  • An enterprise CA running Windows Server 2008 R2, Windows Server 2008 or Windows Server 2003.
  • Certificate enrollment across forests requires an enterprise CA running the Enterprise or Datacenter edition of Windows Server.
  • Client computers running Windows 7 (or Windows Server 2008 R2).

Note: The Certification Authority role service is selected automatically when the AD CS role is added, but it cannot be installed at the same time as the Certificate Enrollment Web Service or Certificate Enrollment Policy Web Service. If you intend to install both the CA and one of the Certificate Enrollment Web services, complete the CA installation first.
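A practical check of the revocation path described under Online Responder above, added here as an example (it is not code from the original page): it loads a certificate from a file, prints the Authority Information Access and CRL Distribution Points extensions so you can see which OCSP responder and CRL URL clients will use, then asks the Windows chain engine to build the chain with online revocation checking. The certificate path is an assumption.

```powershell
# Added example, not from the original page. Shows where a certificate's
# revocation information comes from and whether Windows can obtain it.
# Assumption: $CertPath is a certificate you exported (DER or Base64 .cer).
param(
    [string]$CertPath = 'C:\pki\user.cer'   # assumed path
)

Add-Type -AssemblyName System.Security     # X509Chain on Windows PowerShell 2.0

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
"Subject : $($cert.Subject)"
"Serial  : $($cert.SerialNumber)"

# Authority Information Access (1.3.6.1.5.5.7.1.1) carries the OCSP URL and the
# issuer certificate URL; CRL Distribution Points (2.5.29.31) carries the CRL URL.
# CryptoAPI tries OCSP first when an OCSP URL is present and falls back to the CRL.
foreach ($ext in $cert.Extensions) {
    if (@('1.3.6.1.5.5.7.1.1', '2.5.29.31') -contains $ext.Oid.Value) {
        ""
        $ext.Oid.FriendlyName
        $ext.Format($true)
    }
}

# Build the chain with online revocation checking of every certificate in it.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = New-Object System.TimeSpan(0, 0, 15)

$valid = $chain.Build($cert)
""
"Chain builds and no certificate in it is revoked: $valid"

# Distinguish "revoked" from "could not check": RevocationStatusUnknown and
# OfflineRevocation mean the responder and CRL could not be reached or were
# stale, which is a PKI availability problem, not proof the certificate is good.
foreach ($status in $chain.ChainStatus) {
    "{0,-28} {1}" -f $status.Status, $status.StatusInformation.Trim()
}
```

Run it on a client that you expect to validate certificates from your CA. A result of Revoked is the responder or CRL doing its job; RevocationStatusUnknown or OfflineRevocation means the client could not reach the OCSP responder or CRL distribution point in time, which is the failure mode to watch for after moving or renaming the Online Responder. The same information per URL, including whether the OCSP response or the CRL was used, is shown by certutil -verify -urlfetch C:\pki\user.cer.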

The following table lists additional features available through Active Directory Certificate Services.

Feature: description

Certificate templates: A certificate template identifies a certificate type and defines the rules the CA follows when issuing a certificate based on the template: key usage and enhanced key usages, key length, validity period, whether the subject name comes from Active Directory or from the request, whether a certificate manager must approve the request, and, through the template's permissions, which users and computers may enroll or autoenroll. Templates also tell the client how to create and submit a certificate request. Because an enterprise CA enforces what the template says, template permissions and the subject-name setting are the main controls over who can obtain which certificate; review them whenever a template is published on a CA.

Autoenrollment: With autoenrollment, certificates can be requested, issued and renewed without user intervention. It is turned on through Group Policy (Public Key Policies, Certificate Services Client - Auto-Enrollment) and applies to templates that grant the Autoenroll permission to the user or computer. Autoenrollment also downloads certificates published in Active Directory (such as trusted root CA certificates) into the local certificate stores of domain-joined machines, and manages the certificates stored on user objects in Active Directory by deleting revoked and expired ones.
Web enrollment: Web enrollment lets users connect to a CA through a Web browser to request certificates, request the CA's certificate, submit a certificate request, retrieve the CA's CRL and perform smart card certificate enrollment (see the Certification Authority Web Enrollment role service above).
Credential roaming: Credential roaming lets a user keep a single set of certificates and private keys, stored on the user object in Active Directory, and have them follow the user to every domain computer they log on to. It is deployed through Group Policy and is transparent to the user. The roamed keys are protected with DPAPI, so their security rests on the user's password and DPAPI master keys rather than on directory permissions alone.
Certificate enrollment across forests: Windows Server 2008 R2 CAs can issue certificates across forests that have two-way trust relationships (using LDAP referrals). Before enrollment across forests was introduced, a CA could issue certificates only to members of its own forest, so each forest needed its own PKI.

Preparing for multiple-forest deployments of Active Directory Certificate Services requires that you identify the account forest (the forest that contains the user accounts that will be requesting certificates) and the resource forest (the forest whose CAs will provide certificates to the account forest). You then need to take the following steps:

  1. Create a two-way forest trust between the resource forest and each account forest.
  2. Establish a root CA in the resource forest by deploying a new root CA or by designating an existing standalone or enterprise root CA.
  3. Install or upgrade one or more enterprise CAs running Windows Server 2008 R2 in the resource forest.
  4. Enable LDAP referral support on the enterprise CAs.
  5. Add the enterprise CA computer accounts to the Cert Publishers group in each account forest.
  6. Configure authority information access (AIA) and CRL distribution point locations.
  7. Publish the root CA certificate from the resource forest to the account forests by using certutil.exe.
  8. Publish the enterprise CA certificates from the resource forest into the NTAuthCertificates and AIA containers in each account forest.
High-volume CA support: A CA supporting an environment that requires Network Access Protection (NAP) with IPsec enforcement can expect a high volume of certificate requests. There may be hundreds or even thousands of certificates issued every day depending on the environment, all of them with short validity periods. By default, the CA stores a record of each certificate request and issued certificate in the CA database.

High-volume CAs may therefore see rapid database growth that can consume all available disk space. Enabling non-persistent certificate processing (the DBFLAGS_ENABLEVOLATILEREQUESTS flag on the CA, together with the "Do not store certificates and requests in the CA database" setting on the template) causes the CA to process requests and issue certificates without storing them in the CA database. The trade-off is that the CA keeps no record of these certificates, so they cannot be revoked through the CA and leave nothing to review afterwards; use it only for short-lived certificates such as NAP health certificates.

Note: Many of these features require an enterprise CA.
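The template review suggested under Certificate templates above, written out as an added example (not code from the original page): it reads every template from the Configuration partition and reports, for each, whether the requester may supply the subject name, whether manager approval is required, the enhanced key usages, and which principals hold Enroll or Autoenroll rights. It uses only ADSI and the DirectorySearcher class, so it runs on Windows Server 2008 without the Active Directory module; the GUIDs and flag bits are the documented values from the AD CS template schema. The function name Get-CertTemplateAudit is mine.

```powershell
# Added example, not from the original page. Lists every certificate template
# in the forest with the settings that decide who can obtain a certificate and
# what name it carries. Run as any domain user on a domain-joined machine;
# reading the Configuration partition needs no special rights.

# Extended-right GUIDs and flag bits defined by the AD CS template schema.
$EnrollRight     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollRight = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # bit in msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x00000002   # bit in msPKI-Enrollment-Flag (manager approval)

function Get-CertTemplateAudit {
    $configNc  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($container)
    $searcher.Filter   = '(objectClass=pKICertificateTemplate)'
    $searcher.PageSize = 500

    foreach ($result in $searcher.FindAll()) {
        $t = $result.GetDirectoryEntry()
        $nameFlag   = [int]$t.Properties['msPKI-Certificate-Name-Flag'].Value
        $enrollFlag = [int]$t.Properties['msPKI-Enrollment-Flag'].Value

        # Principals allowed Enroll or Autoenroll: explicitly, through the
        # "all extended rights" ACE, or through full control over the template.
        $rules = $t.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
        $enrollers = @()
        foreach ($r in $rules) {
            if ($r.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            $rights = $r.ActiveDirectoryRights
            $grants = ($r.ObjectType -eq $EnrollRight) -or ($r.ObjectType -eq $AutoEnrollRight) -or
                      ((($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and ($r.ObjectType -eq [Guid]::Empty)) -or
                      (($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -ne 0)
            if ($grants) { $enrollers += $r.IdentityReference.Value }
        }

        $row = New-Object PSObject
        $row | Add-Member NoteProperty Template             ([string]$t.Properties['cn'].Value)
        $row | Add-Member NoteProperty SubjectFromRequester ([bool]($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT))
        $row | Add-Member NoteProperty ManagerApproval      ([bool]($enrollFlag -band $CT_FLAG_PEND_ALL_REQUESTS))
        $row | Add-Member NoteProperty EKUs                 (@($t.Properties['pKIExtendedKeyUsage']) -join ', ')
        $row | Add-Member NoteProperty Enrollers            (($enrollers | Sort-Object -Unique) -join '; ')
        $row
    }
}

# Templates that let the requester choose the subject, need no approval and are
# enrollable by broad groups deserve a second look before a CA publishes them.
Get-CertTemplateAudit | Sort-Object Template | Format-Table -AutoSize -Wrap
```

The output lists templates defined in the forest, not only those published on a CA; compare it against the CA's Certificate Templates folder (or certutil -CATemplates) to see which ones are actually issuable. Rows where SubjectFromRequester is True, ManagerApproval is False and Enrollers contains a group such as Domain Users are the ones to justify or tighten first.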
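The certutil commands behind steps 4, 7 and 8 of the cross-forest enrollment procedure above, as an added example (not code from the original page). Assumptions: the resource forest's root CA certificate was exported to C:\pki\RootCA.cer and its enterprise issuing CA certificate to C:\pki\IssuingCA.cer; step 4 is run locally on each enterprise CA in the resource forest by a CA administrator; steps 7 and 8 are run on a machine joined to the account forest by a member of that forest's Enterprise Admins group. Step 5 (adding the resource-forest CA computer accounts to the account forest's Cert Publishers group) is done in Active Directory Users and Computers and is not shown.

```powershell
# Added example, not from the original page. Commands for steps 4, 7 and 8 of
# the cross-forest enrollment procedure. File names and the split between
# resource-forest and account-forest hosts are assumptions described above.

# --- Step 4: run on each enterprise CA in the resource forest ---------------
# Let the CA follow LDAP referrals so it can read requester objects in the
# account forest. The policy module reads EditFlags at startup, so restart.
certutil -setreg Policy\EditFlags +EDITF_ENABLELDAPREFERRALS
net stop certsvc
net start certsvc
certutil -getreg Policy\EditFlags | Select-String 'EDITF_ENABLELDAPREFERRALS'   # confirm the flag is set

# --- Step 7: run in each account forest ------------------------------------
# Publish the resource forest's root CA certificate to the Certification
# Authorities container; domain members pick it up as a trusted root through
# autoenrollment. -f creates the directory object if it does not exist yet.
certutil -dspublish -f C:\pki\RootCA.cer RootCA

# --- Step 8: run in each account forest ------------------------------------
# NTAuthCA adds the issuing CA to NTAuthCertificates, which is what lets
# certificates from that CA be used for Windows logon in this forest.
# SubCA publishes the same certificate to the AIA container so that chain
# building can find it in the directory.
certutil -dspublish -f C:\pki\IssuingCA.cer NTAuthCA
certutil -dspublish -f C:\pki\IssuingCA.cer SubCA

# --- Verification on a domain member of the account forest -----------------
certutil -pulse                          # trigger autoenrollment now instead of waiting
certutil -store -enterprise NTAuth       # the issuing CA should be listed
certutil -store -enterprise Root         # the resource forest's root CA should be listed
```

Publishing into NTAuthCertificates is the step with the most security weight: every CA in that container is trusted to issue logon certificates for the account forest, so only the issuing CAs that should authenticate users there belong in it. Re-run the two certutil -store commands after a Group Policy refresh on a second machine to confirm the certificates are being distributed and not merely present on the machine where you ran the publish commands.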
