
Active Directory Certificate Services

Active Directory Certificate Services (AD CS) Explained

Windows Server 2008 R2 uses Active Directory Certificate Services to build and control a Public Key Infrastructure (PKI) within an organization. AD CS in a Microsoft AD DS environment consists of the following components.

Certificate Authorities (CAs), such as a root CA and the child (subordinate) CAs that obtain their certificates from it. Child CAs usually request a renewal of their certificate from the root CA as soon as their certificate expires, which is also why root certificate lifetimes are normally much longer than those of the subordinate CAs.

Certificate Revocation Lists (CRLs)

CA Web enrollment enables users to connect to a CA via a web browser to request certificates and to retrieve Certificate Revocation Lists (CRLs). A CRL is a list of certificates that have been revoked by your organization; a certificate on this list will consequently be rejected.

Online Responder (OR)

The Online Responder service removes the need to download a full CRL, as it answers validation requests for specific certificates through the Online Certificate Status Protocol (OCSP).

ORs – which are a new feature in Windows Server 2008 R2 – are therefore much faster and more efficient than using CRLs.

Network Device Enrollment Service (NDES)

The Network Device Enrollment Service (NDES) allows devices like routers and switches – which are typically not part of the AD DS system – to participate in the PKI by using the Simple Certificate Enrollment Protocol (SCEP) developed by Cisco Systems. This protocol allows these low-level network devices to be integrated into and managed within the PKI hierarchy maintained by AD CS.

Microsoft Active Directory Certificate Services – Stand-Alone and Enterprise CAs

A Stand-Alone CA can run either on a member server or on a stand-alone server in a workgroup; integration with AD DS is therefore not required. Stand-Alone CAs can run on Windows Server 2008 R2 Standard, Enterprise and Datacenter editions.

They are used as internal root CAs in a multi-tier environment, where the stand-alone CA generates certificates for the child CAs based on standard templates that cannot be modified. A Stand-Alone CA should be taken offline for security purposes once it has generated the certificates for the child CAs. Remember that AD DS directory membership is not a requirement for a Stand-Alone CA.

Enterprise CAs on the other hand must be integrated in an AD DS directory service as they automatically issue and approve certificates when requested by clients or endpoint devices. They are usually member servers in an AD DS domain that hold the role of child CAs. Their certificates are based on templates which can be edited to support specific requirements.

Install Active Directory Certificate Services – Final Configuration of an Issuing CA

  • Configure a certificate revocation policy. This should be completed before starting to issue certificates and includes specifying the Certificate Revocation List (CRL) distribution points, the CRL and Delta CRL overlap periods, and the scheduling of CRL publication. A delta CRL contains only the changes made since the last base CRL update.
  • Configure certificate templates for EFS, wireless networks, smart card certificates and web server certificates as needed
  • Configure enrollment and issuance options
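To make the revocation-policy bullet concrete, here is an added Python model (not AD CS code, and not from the original post) of how a relying party combines a base CRL with a delta CRL and why the overlap period matters: NextUpdate is stamped one overlap later than the publication interval so a cached CRL does not go stale while the new one propagates. The sample CRLs, serial numbers and periods are constructed; the model also covers a detail the post does not mention, the RFC 5280 removeFromCRL reason that lifts a certificateHold in a delta CRL.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional

# RFC 5280 CRLReason codes used below (the constructed sample uses only these)
KEY_COMPROMISE, CERTIFICATE_HOLD, REMOVE_FROM_CRL = 1, 6, 8

@dataclass
class Crl:
    number: int                                # CRL Number extension
    this_update: datetime
    next_update: datetime
    entries: Dict[int, int] = field(default_factory=dict)  # serial -> reason
    base_number: Optional[int] = None          # delta CRLs only: Delta CRL Indicator

def next_update(this_update: datetime, period: timedelta, overlap: timedelta) -> datetime:
    """The CA republishes every `period` but stamps NextUpdate `overlap` later, so a
    cached CRL stays valid while the replacement propagates to the distribution points."""
    return this_update + period + overlap

def merge(base: Crl, delta: Crl) -> Dict[int, int]:
    """Apply a delta CRL (only the changes since its base) to that base CRL."""
    if delta.base_number != base.number:
        raise ValueError("delta CRL does not belong to this base CRL")
    revoked = dict(base.entries)
    for serial, reason in delta.entries.items():
        if reason == REMOVE_FROM_CRL:
            revoked.pop(serial, None)          # certificateHold lifted: good again
        else:
            revoked[serial] = reason           # newly revoked (or reason updated)
    return revoked

def status(serial: int, base: Crl, delta: Crl, now: datetime) -> str:
    """'good', 'revoked', or 'stale' when a cached CRL is past NextUpdate and must be refetched."""
    if now > base.next_update or now > delta.next_update:
        return "stale"
    return "revoked" if serial in merge(base, delta) else "good"

# Constructed sample CRLs (not from a real CA): weekly base, 12 h overlap; daily delta, 2 h overlap
T0 = datetime(2024, 1, 1)
BASE = Crl(10, T0, next_update(T0, timedelta(weeks=1), timedelta(hours=12)),
           {0x1001: KEY_COMPROMISE, 0x1002: CERTIFICATE_HOLD})
T1 = T0 + timedelta(days=2)
DELTA = Crl(11, T1, next_update(T1, timedelta(days=1), timedelta(hours=2)),
            {0x1003: KEY_COMPROMISE, 0x1002: REMOVE_FROM_CRL}, base_number=10)

if __name__ == "__main__":
    for s in (0x1001, 0x1002, 0x1003, 0x1004):
        print(hex(s), status(s, BASE, DELTA, T1))
```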

When using Online Responders you need to configure and install an Online Certificate Status Protocol (OCSP) Response Signing certificate and an Authority Information Access (AIA) extension to support it. The final step is to assign this template to a CA and enroll the system to obtain the certificate.

Active Directory Certificate Services 2008 New Features

  • Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service to enable certificate enrollment over HTTP
  • Certificate Enrollment across forests allowing for consolidation in multi-forest deployments
  • Better support for high-volume CAs, such as those used for Network Access Protection (NAP).

The management tools for AD CS can be accessed through Server Manager in Windows Server 2008. To manage a CA, certificates, certificate templates or an Online Responder, use the appropriate Microsoft Management Console (MMC) snap-ins. The snap-ins to add to an MMC in order to manage Active Directory Certificate Services are Certification Authority, Certificates, Certificate Templates and Online Responder.
