Microsoft Active Directory Certificate Services (AD CS) in Windows Server 2008 provides customizable services for creating and managing public key infrastructure (PKI) certificates. You can use AD CS to enhance security by binding the identity of a person, device, computer or service to a corresponding private key. AD CS also includes features for managing certificate enrollment and, when necessary, revocation. Applications supported by AD CS include Secure/Multipurpose Internet Mail Extensions (S/MIME), secure wireless networks, virtual private networks (VPN), Internet Protocol security (IPsec), Encrypting File System (EFS), smart card logon, Secure Socket Layer/Transport Layer Security (SSL/TLS), and digital signatures.
Standard server hardware is sufficient for a Windows Server 2008 AD CS server. Depending on your needs and budget, you can virtualize the CA or run it on a dedicated server. It is technically possible to install the CA role on a domain controller, but it is not recommended: a domain controller that hosts a CA cannot be demoted until the CA role is removed, and a compromise of either role compromises both, so the CA should have its own server. A stand-alone CA needs only Windows Server 2008 or 2003; an enterprise CA additionally requires Active Directory Domain Services (AD DS) with a Windows Server 2003 or 2008 schema. Here, I am going to talk about Windows Server 2008 AD CS. Although AD CS can be deployed on a single server, many deployments will involve multiple servers configured as CAs, other servers configured as Online Responders, and others serving as Web enrollment portals. Creating an optimal design requires careful planning and testing before you deploy AD CS in a production environment. Microsoft Windows XP, Windows 7 and Apple Mac OS X 10.5.x (Keychain) can request and enroll for certificates from a Microsoft enterprise CA.
Features in AD CS
By using Administrative Tools > Server Manager in Windows Server 2008, you can set up the following role services of AD CS:
Certification Authority (CA). Root and subordinate CAs issue certificates to users, computers, and services, and manage certificate validity (renewal and revocation).
Web Enrollment. Web enrollment (http://servername/certsrv) allows users to connect to a CA by means of a Web browser in order to request certificates.
Online Responder. The Online Responder service implements the Online Certificate Status Protocol (OCSP): it decodes revocation status requests for specific certificates, evaluates the status of those certificates, and sends back a signed response containing the requested certificate status information.
Network Device Enrollment Service (NDES). NDES allows routers and other network devices that do not have domain accounts to obtain certificates, using the Simple Certificate Enrollment Protocol (SCEP).
What’s new in Windows Server 2008 AD CS:
Improved enrollment capabilities that enable delegated enrollment agents to be assigned on a per-template basis.
Integrated Simple Certificate Enrollment Protocol (SCEP) enrollment services for issuing certificates to network devices such as routers.
Scalable, high-speed revocation status response services combining both CRLs and integrated Online Responder services.
Fresh Installation of Windows 2008 AD CS
Upgrading or Migrating Active Directory Certificate Services
Your situation will differ depending on whether you upgrade certificate services in place on an existing server or migrate them to a new server, but the common tasks are the same. The target CA must keep the same CA name as the source, because the name is embedded in every certificate and CRL the CA has issued. The tasks are:
Backing up the CA database and the CA private key on the source CA
Exporting the CA registry configuration from the source CA
Restoring the CA database on the target CA (importing the database from the source CA to the target CA by using the Certification Authority snap-in, or certutil -restoredb)
Importing the registry settings from the .reg file to the target CA
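The common tasks above, scripted as an added PowerShell example that is not part of this article or of Microsoft's migration guide. It wraps certutil, reg.exe and net.exe on Windows Server 2008; the backup directory, password, function names and the CAServerName warning are assumptions for illustration, the registry key and certutil verbs are the real ones.

```powershell
# Added example (not from the original article): back up a Windows Server 2008 CA
# on the source server and restore it on the target. Assumptions: elevated
# PowerShell on the CA, run by a member of the local Administrators group;
# $BackupDir and $KeyPassword are placeholders.

function Assert-Native([string]$What) {
    # certutil and reg.exe return a non-zero exit code on failure; stop instead
    # of continuing with a half-finished backup or restore.
    if ($LASTEXITCODE -ne 0) { throw "$What failed with exit code $LASTEXITCODE" }
}

function Backup-SourceCA {
    param([string]$BackupDir, [string]$KeyPassword)
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

    # 1. Certificate database and its transaction logs (written to $BackupDir\DataBase).
    certutil -f -backupdb $BackupDir
    Assert-Native 'certutil -backupdb'

    # 2. CA certificate and private key as a password-protected PKCS#12 (.p12) file.
    certutil -f -p $KeyPassword -backupkey $BackupDir
    Assert-Native 'certutil -backupkey'

    # 3. CA configuration: issued templates, CRL/AIA publishing paths, validity
    #    periods, KRA settings. reg export writes a .reg file that reg import reads.
    reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
        (Join-Path $BackupDir 'CertSvc-Configuration.reg') /y
    Assert-Native 'reg export'

    # 4. Do not decommission the source until all three artifacts exist.
    foreach ($pattern in 'DataBase\*.edb', '*.p12', 'CertSvc-Configuration.reg') {
        if (-not (Get-ChildItem (Join-Path $BackupDir $pattern) -ErrorAction SilentlyContinue)) {
            throw "Backup incomplete: nothing matched $pattern"
        }
    }
}

function Restore-TargetCA {
    # Run on the new server after installing the AD CS role with the same CA
    # name and selecting the backed-up .p12 as the existing key. The service
    # must be stopped while the database is restored.
    param([string]$BackupDir)
    $reg = Join-Path $BackupDir 'CertSvc-Configuration.reg'

    # Values that embed the old host name or disk layout (CAServerName,
    # DBDirectory, DBLogDirectory) must be edited in the .reg before import
    # when the new server differs from the old one.
    if (Select-String -Path $reg -Pattern 'CAServerName' -Quiet) {
        Write-Warning "$reg contains CAServerName; verify it matches this host before importing"
    }

    net stop certsvc
    certutil -f -restoredb $BackupDir
    Assert-Native 'certutil -restoredb'
    reg import $reg
    Assert-Native 'reg import'
    net start certsvc
    Assert-Native 'net start certsvc'
}

# Usage (source server first, then target):
# Backup-SourceCA -BackupDir 'C:\CABackup' -KeyPassword 'use-a-strong-passphrase'
# Restore-TargetCA -BackupDir 'D:\CABackup'
```

The .p12 produced by -backupkey is the CA's signing key; treat the backup directory as you would the CA itself (restricted ACL, offline media) and delete the copy on the source once the target is verified.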
Managing AD CS
AD CS role services are managed by using Microsoft Management Console (MMC) snap-ins.
· To manage a CA, use the Certification Authority snap-in. To open Certification Authority, click Start, click Run, type mmc, click File, click Add/Remove Snap-in, click Certification Authority, click Add, click OK, and then double-click Certification Authority.
· To manage certificates, use the Certificates snap-in. To open Certificates, click Start, click Run, type mmc, click File, click Add/Remove Snap-in, click Certificates, click Add, click OK, and then double-click Certificates.
· To manage certificate templates, use the Certificate Templates snap-in. To open Certificate Templates, click Start, click Run, type mmc, click File, click Add/Remove Snap-in, click Certificate Templates, click Add, click OK, and then double-click Certificate Templates.
· To manage an Online Responder, use the Online Responder snap-in. To open Online Responder, click Start, click Run, type mmc, click File, click Add/Remove Snap-in, click Online Responder, click Add, click OK, and then double-click Online Responder.
Certificate Services Command References
To run these commands, log on to the CA as an administrator and open an elevated command prompt (Run as administrator); the backup, restore and -setreg commands fail from a non-elevated prompt when User Account Control is enabled.
Back up the certificate database: certutil -backupdb BackupDirectory
Back up the CA certificate and private key (prompts for a password unless -p Password is given): certutil -f -backupkey BackupDirectory
Determine the CSP and hash algorithm: certutil -getreg ca\csp\*
Query the list of serial numbers of all certificates that have an archived key associated with them (certutil prints the column by its display name, so the filter matches either spelling):
certutil -view -restrict "KeyRecoveryHashes>0" -out SerialNumber | findstr /R /C:"Serial *Number:" >sn.txt
Retrieve the archived key of each certificate from the CA database as a recovery blob, which is still encrypted to the Key Recovery Agent (KRA) certificate (requires the Issue and Manage Certificates permission on the CA):
certutil -getkey SerialNumber SerialNumber.bin
To convert the binary large object files created in the step above into password-protected .pfx files (run by a holder of the KRA private key; inside a batch file write %%i instead of %i):
for %i in (*.bin) do certutil -p YourPassword -recoverkey %i %i.pfx
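The key recovery steps above, as an added PowerShell example (not code from the original article) that carries the procedure end to end: enumerate the serial numbers, export each recovery blob with certutil -getkey, and decrypt it with certutil -recoverkey. The output directory, password and function names are placeholders; the regular expression is an assumption that tolerates both "Serial Number:" and "SerialNumber:" in certutil's output.

```powershell
# Added example (not from the original article): manual key recovery on a CA
# that archives private keys. Assumes an elevated prompt on the CA, run by a
# certificate manager who also holds the Key Recovery Agent (KRA) private key;
# $OutDir and $PfxPassword are placeholders.

function Get-ArchivedKeySerials {
    # Step 1: serial numbers of every certificate whose request row records at
    # least one KRA hash, i.e. an archived private key.
    $rows = certutil -view -restrict 'KeyRecoveryHashes>0' -out SerialNumber
    if ($LASTEXITCODE -ne 0) { throw "certutil -view failed with exit code $LASTEXITCODE" }
    foreach ($line in $rows) {
        # certutil prints the column by its display name, e.g.   Serial Number: "61af..."
        if ($line -match 'Serial\s*Number:\s*"?([0-9A-Fa-f]+)') { $Matches[1] }
    }
}

function Restore-ArchivedKeys {
    param([string]$OutDir, [string]$PfxPassword)
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $serials = @(Get-ArchivedKeySerials)
    if ($serials.Count -eq 0) { Write-Warning 'No archived keys in the CA database'; return }

    foreach ($sn in $serials) {
        $blob = Join-Path $OutDir "$sn.bin"
        $pfx  = Join-Path $OutDir "$sn.pfx"

        # Step 2: export the archived key as a recovery blob. The blob is still
        # encrypted to the KRA certificate(s) used at archival time, so this
        # step alone does not expose the key.
        certutil -getkey $sn $blob
        if ($LASTEXITCODE -ne 0) { Write-Warning "getkey failed for $sn"; continue }

        # Step 3: decrypt with the KRA private key and write a password-protected
        # PKCS#12 file (the article's for-loop, one serial number at a time).
        certutil -f -p $PfxPassword -recoverkey $blob $pfx
        if ($LASTEXITCODE -ne 0) { Write-Warning "recoverkey failed for $sn"; continue }

        # The .pfx now holds the plaintext private key: deliver it over a
        # protected channel and delete both files from the CA afterwards.
        Write-Output $pfx
    }
}

# Usage:
# Restore-ArchivedKeys -OutDir 'C:\KeyRecovery' -PfxPassword 'use-a-strong-passphrase'
```

Splitting -getkey from -recoverkey matters for separation of duties: a certificate manager can export blobs for a user, but only the KRA holder can turn them into usable .pfx files.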
Remove the Web enrollment virtual root (http://servername/certsrv) after uninstalling Certificate Services: certutil -vroot delete
Shut down the CA service: certutil -shutdown
Find the database and log file locations: certutil -databaselocations
Restore the database (stop the CA service first; -f overwrites the existing database): certutil -f -restoredb BackupDirectory
Assign the templates the CA may issue (+ adds a template, - removes it): certutil -setcatemplates +TemplateName
Enable the use of version 2 and version 3 certificate templates on an upgraded enterprise CA, then restart the service:
certutil -setreg ca\setupstatus +512
net stop certsvc
net start certsvc
Reset the CRL publishing period (the CA recalculates the next CRL and delta CRL publication times when the service restarts):
certutil -delreg CA\CRLNextPublish
certutil -delreg CA\CRLDeltaNextPublish
Allow the CA to accept archived private keys from a foreign source (keys for certificates this CA did not issue), for example when importing a key archive from another CA:
certutil -setreg ca\KRAFlags +KRAF_ENABLEFOREIGN
Certificate database and log file location
By default both the database (CAName.edb) and its log files are in %WINDIR%\system32\CertLog; %WINDIR%\system32\certsrv holds the Web enrollment files, and its CertEnroll subfolder the published CA certificate and CRL files. Confirm the actual paths with certutil -databaselocations, since they can be changed at installation.