Install and configure Microsoft Active Directory Certificate Services (AD CS) using Windows Server 2008 R2


Microsoft Active Directory Certificate Services (AD CS) in Windows Server 2008 provides customizable services for creating and managing public key infrastructure (PKI) certificates. You can use AD CS to enhance security by binding the identity of a person, device, computer or service to a corresponding private key. AD CS also includes features that let you manage certificate enrolment and, where necessary, revocation. Applications supported by AD CS include Secure/Multipurpose Internet Mail Extensions (S/MIME), secure wireless networks, virtual private networks (VPN), Internet Protocol security (IPsec), Encrypting File System (EFS), smart card logon, Secure Socket Layer/Transport Layer Security (SSL/TLS), and digital signatures.

Standard hardware is sufficient for a Windows 2008 AD CS server. Depending on your needs and budget, you may virtualise the CA or use a separate AD CS server. If you have more than one domain controller, you can configure one of them as a CS server; it doesn't hurt anybody. AD CS requires Windows Server 2008/2003 and Active Directory 2008/2003 Domain Services (AD DS). Here I am going to talk about Windows 2008 AD CS. Although AD CS can be deployed on a single server, many deployments will involve multiple servers configured as CAs, other servers configured as Online Responders, and others serving as Web enrolment portals. Creating an optimal design requires careful planning and testing before you deploy AD CS in a production environment. Microsoft Windows XP, Windows 7 and Apple Mac OS X 10.5.x (Keychain) can request and enrol for Microsoft Enterprise certificates.


Features in AD CS

By using Administrative Tools > Server Manager in Windows Server 2008, you can set up the following components of AD CS:

Certification authorities (CA). Root and subordinate CAs are used to issue certificates to users, computers, and services, and to manage certificate validity.

Web Enrollment. Web enrolment (http://servername/certsrv) allows users to connect to a CA by means of a Web browser in order to request certificates.

Online Responder. The Online Responder service decodes revocation status requests for specific certificates, evaluates the status of these certificates, and sends back a signed response containing the requested certificate status information.

Network Device Enrollment Service. The Network Device Enrollment Service allows routers and other network devices that do not have domain accounts to obtain certificates.


What’s new in Windows Server 2008 AD CS:

Improved enrollment capabilities that enable delegated enrollment agents to be assigned on a per-template basis.

Integrated Simple Certificate Enrollment Protocol (SCEP) enrollment services for issuing certificates to network devices such as routers.

Scalable, high-speed revocation status response services combining both CRLs and integrated Online Responder services.


Fresh Installation of Windows 2008 AD CS

(The original post walks through the Add Roles wizard in 25 numbered screenshots, which are not reproduced here.)

Upgrading or Migrating Active Directory Certificate Services

Each situation differs when upgrading certificate services on an existing server or migrating them to a new server, but the common tasks involved in this process are:

  • CA backup
  • CA configuration backup
  • Uninstall services
  • Install CA
  • CA restore
  • Active Directory cleanup (if you change the host name)

Upgrading Active Directory CS on an existing server. Steps required:

  • Version/Edition upgrade
  • Upgrade templates in Active Directory Domain Services (perform this operation only if you are upgrading from 2008 Standard to 2008 Enterprise)

DC+CA situation. You intend to demote your domain controller, but the existing Certificate Authority is installed on the DC and you want to move the CA to a separate domain member. Steps required:

  • CA backup
  • CA configuration backup
  • Uninstall services
  • Demote domain controller
  • Install CA
  • CA restore

Performing a CA Backup

To use the Certification Authority snap-in to create a backup of the CA database and, optionally, the CA certificate and private key:
  • Choose a backup location and attach media, if necessary.
  • Log on with local administrative credentials to the CA computer.
  • Open the Certification Authority snap-in.
  • Right-click the node with the CA name, point to All Tasks, and then click Back Up CA.
  • On the Welcome page of the CA Backup wizard, click Next.
  • On the Items to Back Up page, select the Private key and CA certificate and Certificate database and certificate database log check boxes, enter the backup location, and then click Next.
  • On the Select a Password page, enter a password to protect the CA private key, and click Next.
  • On the Completing the Backup Wizard page, click Finish.
Exporting Registry Configuration

  • Click Start, point to Run, and type regedit to open the Registry Editor.
  • Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc, right-click Configuration, and then click Export.
  • Enter a location and file name, and then click Save. This creates a .reg file with the registry configuration information for your CA.

Migrating CA to a Windows 2008 Server

  • Log on with local or enterprise administrator permissions to the CA computer.
  • Click Start, click Run, type servermanager.msc, and then press ENTER to open Server Manager.
  • In the console tree, click Roles.
  • On the Action menu, click Add Roles.
  • If the Before you Begin wizard appears, click Next.
  • In the list of available server roles, select the Active Directory Certificate Services check box, and click Next twice.
  • Make sure that Certification Authority is selected, and click Next.
  • Choose if you are migrating to an enterprise or stand-alone CA, and click Next.
  • Specify either Root or Subordinate CA, depending on the source CA, and click Next.
  • At this stage, you have a choice between creating a new private key or using an existing private key. Use the second option for a migration.
    • To create a new CA certificate and key, select Create a new private key.
    • For a migration, on the Set Up Private Key page, select Use existing private key.
  • Click Select a certificate and use its associated private key, and click Next.
  • If the CA certificate has been installed on the computer, it will be listed in the Certificates box. Otherwise, click Import to import a certificate from the .pfx file created by exporting the CA certificate and private key from the source CA.
  • Click Browse, and locate and select the file containing the certificate and private key exported from the source CA.
  • Enter the password you selected when exporting the CA certificate and key from the source CA, and click OK.
  • Complete the rest of the installation wizard to finish installing AD CS.
  • Click Yes to accept the warning to overwrite AD DS. (This appears only if you are installing an enterprise CA.)
  • If the CA is installed on a workgroup computer or an existing private key was reused, optionally set the distinguished name suffix, and click Next.
  • If the CA is a new root CA, set the validity period for the certificate generated on the CA, and click Next. Otherwise, skip this step.
  • If required, configure the database location paths, and click Next.
  • If you are installing a subordinate CA, select whether to save the certificate request or submit it directly to the CA, and click Next.
  • To install AD CS, click Install.

Restoring the CA Database

To import the CA database from the source CA to the target CA by using the Certification Authority snap-in:

  • Log on with administrative credentials to the target CA computer.
  • Open the Certification Authority snap-in.
  • Right-click the node with the CA name, point to All Tasks, and then click Restore CA. Click OK to confirm stopping the CA service.
  • In the CA Restore wizard, on the Welcome page, click Next.
  • On the Items to Restore page, select Certificate database and certificate database log. Click Browse, and navigate to the location of the Database folder that contains the CA database export files created when you previously exported the CA database.
  • Enter the password you used to export the CA database from the source CA, if a password is requested.
  • Click Finish, and then click Yes to confirm restarting the CA.

To import the registry settings from the .reg file to the target CA:

  • On the target CA, use the Certification Authority snap-in to stop the CA service.
  • Double-click the .reg file previously edited to open the Registry Editor.
  • Confirm that the registry keys were imported, and close the Registry Editor.
  • Restart the CA.
  • Use the Registry Editor to verify any settings that were changed or edited in the .reg file in the previous steps.
  • Additionally, use the Certification Authority snap-in to verify the CA settings. Right-click the node with the CA name, and click Properties.
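The same restore, scripted, as an added example that is not part of the original post: it stops the CA, restores the database with certutil -restoredb, imports the exported .reg file, restarts the CA and reads back a few settings for comparison with the source CA. It assumes an elevated PowerShell session on the target CA and that the backup folder and .reg file came from the backup steps above; the paths are placeholders.

```powershell
# Added example, not from the original post: scripted restore of the CA database
# and registry configuration on the target CA, mirroring the snap-in steps above.
# Assumes an elevated PowerShell session on the target CA. Paths are placeholders.
param(
    [string]$BackupDir = 'D:\CABackup\20091020-1200',                          # assumed path
    [string]$RegFile   = 'D:\CABackup\20091020-1200\CertSvc-Configuration.reg'  # assumed path
)
$ErrorActionPreference = 'Stop'

function Invoke-Certutil {
    param([string[]]$Arguments)
    & certutil.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil $($Arguments -join ' ') failed (exit $LASTEXITCODE)" }
}

# certutil -backupdb writes the database into a DataBase subfolder; refuse to
# run against a folder that does not look like a CA backup.
if (-not (Test-Path (Join-Path $BackupDir 'DataBase'))) {
    throw "no DataBase folder under $BackupDir; point -BackupDir at the CA backup"
}
if (-not (Test-Path $RegFile)) { throw "registry export $RegFile not found" }

# The post notes the .reg file may have been edited (for example when the host
# name changes); show the CAServerName it carries before importing it.
Select-String -Path $RegFile -Pattern '"CAServerName"' | ForEach-Object { $_.Line }

# 1. Stop the CA service, as the Restore CA wizard does.
Stop-Service CertSvc

# 2. Restore the database and log; -f overwrites the existing database.
Invoke-Certutil -Arguments @('-f', '-restoredb', $BackupDir)

# 3. Import the registry configuration exported from the source CA.
& reg.exe import $RegFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg import failed' }

# 4. Restart the CA.
Start-Service CertSvc

# 5. Verify: the CA must answer a ping, and key settings are read back from the
#    registry so they can be compared with the source CA.
Invoke-Certutil -Arguments @('-ping')
foreach ($value in 'CA\CAServerName', 'CA\CRLPeriodUnits', 'CA\CRLPeriod', 'CA\CRLPublicationURLs') {
    & certutil.exe -getreg $value
}
```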
Managing AD CS

AD CS role services are managed by using Microsoft Management Console (MMC) snap-ins.

  • To manage a CA, use the Certification Authority snap-in. To open Certification Authority, click Start, click Run, type mmc, click File, click Add/Remove Snap-in, click Certification Authority, click Add, click OK, and then double-click Certification Authority.
  • To manage certificates, use the Certificates snap-in. To open Certificates, click Start, click Run, type mmc, click File, click Add/Remove Snap-in, click Certificates, click Add, click OK, and then double-click Certificates.
  • To manage certificate templates, use the Certificate Templates snap-in. To open Certificate Templates, click Start, click Run, type mmc, click File, click Add/Remove Snap-in, click Certificate Templates, click Add, click OK, and then double-click Certificate Templates.
  • To manage an Online Responder, use the Online Responder snap-in. To open Online Responder, click Start, click Run, type mmc, click File, click Add/Remove Snap-in, click Online Responder, click Add, click OK, and then double-click Online Responder.

Certificate Services Command References

To run all these commands, log on to the CA as an administrator and open a command prompt.

Back up the certificate database:
    certutil -backupdb BackupDirectory

Back up the CA private key and certificate:
    certutil -f -backupkey BackupDirectory

Determine the CSP and hash algorithm:
    certutil -getreg ca\csp\*

Query the list of serial numbers of all certificates that have an archived key associated with them:
    certutil -view -restrict "KeyRecoveryHashes>0" -out SerialNumber | findstr /C:"SerialNumber: " > sn.txt

Convert the key recovery blob (.bin) files into .pfx files (the .bin blobs are retrieved for the serial numbers in sn.txt with certutil -getkey):
    for %i in (*.bin) do certutil -p YourPassword -recoverkey %i %i.pfx

Disable web enrolment after uninstalling certificate services:
    certutil -vroot delete

Shut down the CA:
    certutil -shutdown

Find the database location:
    certutil -databaselocations

Restore the database:
    certutil -f -restoredb BackupDirectory

Assign templates:
    certutil -setcatemplates +templatelist

Enable the use of version 2 and version 3 certificate templates on an upgraded enterprise CA:
    certutil -setreg ca\setupstatus +512
    net stop certsvc
    net start certsvc

Reset the CRL publishing period:
    certutil -delreg CA\CRLNextPublish
    certutil -delreg CA\CRLDeltaNextPublish

Restore archived encryption keys from another CA (enables import of foreign keys):
    certutil -setreg ca\KRAFlags +KRAF_ENABLEFOREIGN

Certificate database and log file locations:
    %WINDIR%\system32\certlog and %WINDIR%\system32\certsrv
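The backup procedure from the Back Up CA wizard and the regedit export, scripted with the certutil and reg commands from this reference, as an added example that is not part of the original post. It assumes an elevated PowerShell session on the CA; $BackupRoot and the output file names are assumptions.

```powershell
# Added example, not from the original post: scripted CA backup equivalent to the
# Back Up CA wizard plus the registry export, using the certutil commands listed
# above. Assumes an elevated PowerShell session on the CA; $BackupRoot is assumed.
param(
    [string]$BackupRoot = 'D:\CABackup'   # assumed location, use a secured volume
)
$ErrorActionPreference = 'Stop'

function Invoke-Certutil {
    param([string[]]$Arguments)
    & certutil.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil $($Arguments -join ' ') failed (exit $LASTEXITCODE)" }
}

$dir = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmm')
New-Item -ItemType Directory -Path $dir | Out-Null

# Password that protects the exported CA private key (.p12), as on the wizard's
# Select a Password page. certutil only accepts it on the command line (-p).
$secure = Read-Host 'Password to protect the CA private key' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$pwd    = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# 1. Certificate database and log -> $dir\DataBase
Invoke-Certutil -Arguments @('-f', '-backupdb', $dir)
# 2. CA certificate and private key -> $dir\<CA name>.p12
Invoke-Certutil -Arguments @('-f', '-p', $pwd, '-backupkey', $dir)
# 3. Registry configuration, the same key the regedit export step uses.
$regFile = Join-Path $dir 'CertSvc-Configuration.reg'
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' $regFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'registry export failed' }

# Check that all three artefacts exist before calling the backup good.
$edb = Get-ChildItem -Path (Join-Path $dir 'DataBase') -Filter '*.edb' -ErrorAction SilentlyContinue
$p12 = Get-ChildItem -Path $dir -Filter '*.p12' -ErrorAction SilentlyContinue
if (-not $edb -or -not $p12 -or -not (Test-Path $regFile)) {
    throw "backup incomplete under $dir"
}
Write-Host "CA backup written to $dir"
```

The .p12 file is the CA's private key; restrict NTFS permissions on $BackupRoot to the CA administrators and keep the password out of scripts and shell history.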


13 thoughts on "Install and configure Microsoft Active Directory Certificate Services (AD CS) using Windows Server 2008 R2"


2. Hello. I was following your steps for installing the Cisco WLC and setting up the different roles and services. Are some of your procedures for Windows 2008 R2? I ask because I have Windows 2008 Standard and I cannot get to the same screens.


        • I cannot get this: https://araihan.files.wordpress.com/2009/10/21.jpg

          My screen just shows:

          Request Certificates

          Administrator STATUS:Available
          Basic EFS STATUS:Available
          EFS Recovery Agent STATUS:Available
          User STATUS:Available


        • Open AD CS Management console > Right-click on Certificate Templates > Click on Manage
          Select preferred certificate template > Right-click > Click on Properties > Security tab > Enroll checked
          Request cert from client > Welcome screen, click Next > Expand AD CS cert > Select cert and enrol


        • Thank you for your reply. Thank you for your patience and please forgive me for not having your level of expertise. Which preferred certificate should I click on? I have uninstalled and tried your procedure from scratch and keep getting to the same impasse. I have a screenshot of what I am talking about on my open posted question on Experts-Exchange.com. It is frustrating to know that the answer is right in front of me and I cannot see it. I am using Windows 2008 Standard 64 bit. Thank you for your assistance.


      • Thank you for your patience and please forgive me for not having your level of expertise. Which preferred certificate should I click on? I have uninstalled and tried your procedure from scratch and keep getting to the same impasse. I have a screenshot of what I am talking about on my open posted question on Experts-Exchange.com. It is frustrating to know that the answer is right in front of me and I cannot see it. I am using Windows 2008 Standard 64 bit. Thank you for your assistance.




    5. I am wondering what the difference is between screens 18 & 19 (User Properties dialog, with Security tab shown)? I’m not seeing a difference.


    6. Curious whether the screenshots are for a situation where AD CS is going to be installed on a computer that is also running Active Directory Domain Services (AD DS), and where that computer is also the primary domain controller.

