Microsoft Active Directory Certificate Services (AD CS) in Windows Server 2008 provides customizable services for creating and managing public key infrastructure (PKI) certificates. You can use AD CS to implement and strengthen security by binding the identity of a person, device, computer or service to a corresponding private key. AD CS also includes features that let you manage certificate enrollment and revocation. Applications supported by AD CS include Secure/Multipurpose Internet Mail Extensions (S/MIME), secure wireless networks, virtual private networks (VPN), Internet Protocol security (IPsec), Encrypting File System (EFS), smart card logon, Secure Sockets Layer/Transport Layer Security (SSL/TLS), and digital signatures.
Standard server hardware is sufficient for a Windows Server 2008 AD CS server. Depending on your needs and budget, you can virtualise it or dedicate a separate server to AD CS. If you have more than one domain controller you can technically install the CA role on one of them, but this is a poor choice for production: the CA's private key then lives on the most sensitive server in the domain, so a domain controller compromise is also a CA compromise, and the server cannot later be demoted without first removing the CA role. An issuing CA on a member server, with the root CA kept offline, is the usual design. An enterprise CA requires AD DS (a Windows Server 2003 or 2008 domain); a standalone CA does not. This post covers Windows Server 2008 AD CS. Although AD CS can be deployed on a single server, many deployments involve several servers: some configured as CAs, others as Online Responders, and others as Web enrollment portals. An optimal design requires careful planning and testing before AD CS goes into production. Windows XP, Windows 7 and Apple Mac OS X 10.5.x (Keychain) clients can request and enroll for certificates from a Microsoft enterprise CA.
Features in AD CS
Using Administrative Tools > Server Manager in Windows Server 2008, you can set up the following AD CS role services:
Certification authorities (CA). Root and subordinate CAs issue certificates to users, computers and services, and manage certificate validity.
Web Enrollment. Web enrollment (http://servername/certsrv) lets users connect to a CA with a web browser to request certificates. Because users authenticate to it, publish it over HTTPS only.
Online Responder. The Online Responder service implements OCSP: it decodes revocation status requests for specific certificates, evaluates the status of those certificates, and returns a signed response containing the requested status information.
Network Device Enrollment Service (NDES). NDES lets routers and other network devices that have no domain account obtain certificates.
What’s new in Windows Server 2008 AD CS:
Improved enrollment capabilities that enable delegated enrollment agents to be assigned on a per-template basis.
Integrated Simple Certificate Enrollment Protocol (SCEP) enrollment services for issuing certificates to network devices such as routers.
Scalable, high-speed revocation status response services combining both CRLs and integrated Online Responder services.
Fresh Installation of Windows 2008 AD CS
Upgrading or Migrating Active Directory Certificate Services
Everyone's situation differs when upgrading certificate services in place or migrating them to a new server, but the tasks involved are common to both:
Backing up the CA database and the CA certificate with its private key on the source CA (certutil -backupdb and certutil -backupkey in the command reference below)
Exporting the registry configuration of the source CA
Restoring the CA database on the target CA
Importing the CA certificate and private key from the source CA into the target CA by using the Certification Authority snap-in
Importing the registry settings from the .reg file into the target CA. If the server name or the database and CRL paths changed, edit the .reg file to match the target before importing it; an unedited file overwrites the target's settings with the source's.
Managing AD CS
AD CS role services are managed by using Microsoft Management Console (MMC) snap-ins.
· To manage a CA, use the Certification Authority snap-in. To open Certification Authority, click Start, click Run, type mmc, click File, click Add/Remove Snap-in, click Certification Authority, click Add, click OK, and then double-click Certification Authority.
· To manage certificates, use the Certificates snap-in. To open Certificates, click Start, click Run, type mmc, click File, click Add/Remove Snap-in, click Certificates, click Add, click OK, and then double-click Certificates.
· To manage certificate templates, use the Certificate Templates snap-in. To open Certificate Templates, click Start, click Run, type mmc, click File, click Add/Remove Snap-in, click Certificate Templates, click Add, click OK, and then double-click Certificate Templates.
· To manage an Online Responder, use the Online Responder snap-in. To open Online Responder, click Start, click Run, type mmc, click File, click Add/Remove Snap-in, click Online Responder, click Add, click OK, and then double-click Online Responder.
Certificate Services Command References
To run these commands, log on to the CA as a member of the local Administrators group and open an elevated command prompt; changes to the CA configuration and registry need administrative rights.
Back up the certificate database: certutil -backupdb BackupDirectory
Back up the CA certificate and private key to a password-protected .pfx (-f overwrites an existing backup): certutil -f -backupkey BackupDirectory
That .pfx is the CA's private key, so keep the backup off the network and protect the password as you would the CA itself.
Determine the CSP and hash algorithm: certutil -getreg ca\csp\*
Query the serial numbers of all certificates that have an archived private key associated with them:
certutil -view -restrict "KeyRecoveryHashes>0" -out SerialNumber | findstr /C:"SerialNumber: " > sn.txt
Retrieve the encrypted recovery blob for each serial number in sn.txt (certutil -getkey SerialNumber OutputFile.bin), then convert the blob files into .pfx files. This step needs the key recovery agent's private key, and the password appears on the command line:
for %i in (*.bin) do certutil -p YourPassword -recoverkey %i %i.pfx
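The key recovery procedure above, as an added PowerShell example (not code from the original post). It is the page's two certutil commands with the step between them made explicit, and with certutil's output parsed rather than cut with findstr. It assumes it is run in an elevated prompt on the CA by the key recovery agent, whose KRA certificate and private key are in that user's store; the output folder D:\KeyRecovery is a placeholder.

```powershell
# Added example (not from the original post): bulk private-key recovery on an
# AD CS CA.
#   1. certutil -view       lists certificates whose private key was archived
#   2. certutil -getkey     pulls each encrypted recovery blob out of the CA database
#   3. certutil -recoverkey decrypts the blob with the KRA's private key into a PFX
# Assumptions: run elevated on the CA as the key recovery agent; $OutDir is a
# placeholder path.

param([string]$OutDir = 'D:\KeyRecovery')

$ErrorActionPreference = 'Stop'

function Get-ArchivedKeySerials {
    # Only rows with an archived key (KeyRecoveryHashes > 0). certutil prints one
    # Serial Number: "hex" line per row, with or without the space depending on
    # version and locale, so the pattern accepts both.
    $rows = & certutil.exe -view -restrict 'KeyRecoveryHashes>0' -out SerialNumber
    if ($LASTEXITCODE -ne 0) { throw "certutil -view failed ($LASTEXITCODE)" }
    $found = foreach ($line in $rows) {
        if ($line -match 'Serial\s*Number:\s*"?([0-9a-fA-F]+)"?') { $Matches[1].ToLower() }
    }
    @($found | Select-Object -Unique)
}

function Export-ArchivedKey([string]$Serial, [string]$PfxPassword) {
    $blob = Join-Path $OutDir "$Serial.bin"
    $pfx  = Join-Path $OutDir "$Serial.pfx"

    # Step 2: the recovery blob is still encrypted to the KRA; harmless on its own.
    & certutil.exe -getkey $Serial $blob | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -getkey $Serial failed ($LASTEXITCODE)" }

    # Step 3: decrypt with the KRA key and protect the resulting PFX with a password.
    & certutil.exe -p $PfxPassword -recoverkey $blob $pfx | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -recoverkey $Serial failed ($LASTEXITCODE)" }

    Remove-Item -Path $blob      # the PFX is the deliverable; drop the intermediate blob
    $pfx
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$serials = Get-ArchivedKeySerials
Write-Host "$($serials.Count) certificate(s) have an archived private key"
if ($serials.Count -gt 0) {
    # Asked for once. It is passed to certutil on its command line, so run this
    # on the CA console rather than over a shared or logged session.
    $password = Read-Host -Prompt 'Password for the recovered PFX files'
    foreach ($serial in $serials) {
        Export-ArchivedKey -Serial $serial -PfxPassword $password
    }
}
```

Each recovered .pfx contains a user's private key in the clear behind only the PFX password. Hand them over through a protected channel and delete the working folder once the recipient has imported them.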
Remove the web enrollment virtual root after uninstalling Certificate Services: certutil -vroot delete
Shut down the CA service: certutil -shutdown
Find the database and log locations: certutil -databaselocations
Restore the database (the CA service must be stopped first; -f overwrites the existing database): certutil -f -restoredb BackupDirectory
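The migration tasks listed earlier, and the backup and restore commands in this reference, as one added PowerShell script (not code from the original post). It uses the same certutil and reg commands the post does, on the source CA to back up the database and the CA key and export the CertSvc registry configuration, and on the target CA to verify the copied files, refuse a .reg file exported under a different server name, stop the service, restore the database and import the registry settings. The folder D:\CABackup and the file names CertSvc.reg and hashes.txt are placeholders; it is run from an elevated prompt on the CA, and the PFX password is typed at certutil's own prompt, never stored in the script.

```powershell
# Added example, not code from the original post.
#   source CA : back up database + CA key, export CertSvc registry config,
#               record SHA-256 hashes of the backup set
#   target CA : verify hashes, check CAServerName in the .reg matches this host,
#               stop certsvc, restore database, import registry, start certsvc
# Assumptions (placeholders): D:\CABackup, CertSvc.reg, hashes.txt. Run elevated on the CA.

param(
    [string]$BackupRoot = 'D:\CABackup',
    [switch]$Restore                     # run the target-side half
)

$ErrorActionPreference = 'Stop'
$CertSvcKey = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$RegFile    = Join-Path $BackupRoot 'CertSvc.reg'
$HashFile   = Join-Path $BackupRoot 'hashes.txt'

function Get-Sha256Hex([string]$Path) {
    # .NET rather than Get-FileHash so this also works on PowerShell 2.0 (Server 2008).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

function Invoke-Native([string]$Exe, [string[]]$Arguments) {
    # certutil and reg signal failure only through their exit code; output is
    # left visible because certutil -backupkey prompts for the PFX password.
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

function Backup-CA {
    New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
    Invoke-Native certutil.exe @('-f', '-backupdb', $BackupRoot)   # online backup, service running
    Invoke-Native certutil.exe @('-f', '-backupkey', $BackupRoot)  # CA cert + private key -> .pfx
    Invoke-Native reg.exe @('export', $CertSvcKey, $RegFile, '/y') # CSP, paths, templates, flags
    # Integrity record for the copy to the target server.
    Get-ChildItem -Path $BackupRoot -Recurse |
        Where-Object { -not $_.PSIsContainer -and $_.FullName -ne $HashFile } |
        ForEach-Object { '{0}  {1}' -f (Get-Sha256Hex $_.FullName), $_.FullName.Substring($BackupRoot.Length + 1) } |
        Set-Content -Path $HashFile
}

function Restore-CA {
    # 1. Every file in the copied backup set must match the recorded hash.
    foreach ($entry in Get-Content -Path $HashFile) {
        $hash, $rel = $entry -split '  ', 2
        $full = Join-Path $BackupRoot $rel
        if (-not (Test-Path $full) -or (Get-Sha256Hex $full) -ne $hash) {
            throw "Backup file missing or altered: $rel"
        }
    }
    # 2. A .reg exported on another host carries that host's CAServerName and paths;
    #    it has to be edited for this server, not imported over the new CA's settings.
    $match = Get-Content -Path $RegFile -Encoding Unicode |
             Select-String -Pattern '^"CAServerName"="([^"]+)"' | Select-Object -First 1
    if ($match -and $match.Matches[0].Groups[1].Value -ne $env:COMPUTERNAME) {
        throw "CertSvc.reg was exported from $($match.Matches[0].Groups[1].Value); edit it for $env:COMPUTERNAME before importing"
    }
    # 3. Database restore needs the service stopped. The CA key itself is imported
    #    with the Certification Authority snap-in (Restore CA) or certutil -restorekey.
    Stop-Service -Name certsvc
    Invoke-Native certutil.exe @('-f', '-restoredb', $BackupRoot)
    Invoke-Native reg.exe @('import', $RegFile)
    Start-Service -Name certsvc
}

if ($Restore) { Restore-CA } else { Backup-CA }
```

Run it without parameters on the source CA, copy the folder to the target, and run it with -Restore there after the CA role has been installed on the target using the source's CA certificate and key from the .pfx. The hash file only detects a damaged or altered copy; it does not protect the .pfx, which still needs its password and an offline storage location.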
Assign certificate templates to the CA (comma-separated template names; + adds, - removes): certutil -setcatemplates +Template1,Template2
Enable the use of version 2 and version 3 certificate templates on an upgraded enterprise CA, then restart the service:
certutil -setreg ca\setupstatus +512
net stop certsvc
net start certsvc
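certutil -setcatemplates decides which templates this CA publishes, and the Enroll permission on each template decides who can request from it (the same permission the comments below set on a template's Security tab). This added PowerShell script, not code from the original post, goes beyond the single command above and reports both together: every template published on the local CA, and every principal holding Enroll, Autoenroll or full control on it, with a warning for the broad groups that should rarely hold them on anything but a basic user template. It assumes it runs on the CA or another domain member with the ActiveDirectory PowerShell module (RSAT) installed; the two GUIDs are the schema's fixed identifiers for the enrollment extended rights.

```powershell
# Added example, not code from the original post: audit who can enroll from
# the templates this CA publishes.
# Assumptions: ActiveDirectory module available; run where certutil -catemplates
# queries the local CA.

Import-Module ActiveDirectory

$EnrollRight     = [guid]'0e10c968-78fb-11d1-a9c7-0000f80367c1'  # Certificate-Enrollment
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # Certificate-AutoEnrollment
$AdRights        = [System.DirectoryServices.ActiveDirectoryRights]
$BroadGroups     = @('Everyone', 'Authenticated Users', 'Domain Users', 'Domain Computers', 'Users')

$configNC    = (Get-ADRootDSE).configurationNamingContext
$templatesDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

function Get-PublishedTemplates {
    # certutil -catemplates prints "Name: Display Name -- <flags>" per template,
    # followed by a "CertUtil: ... completed" status line that must be skipped.
    $out = & certutil.exe -catemplates
    if ($LASTEXITCODE -ne 0) { throw "certutil -catemplates failed ($LASTEXITCODE)" }
    foreach ($line in $out) {
        if ($line -match '^([^\s:]+):\s' -and $Matches[1] -ne 'CertUtil') { $Matches[1] }
    }
}

function Get-TemplateEnrollers([string]$TemplateName) {
    $acl = Get-Acl -Path "AD:\CN=$TemplateName,$templatesDN"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $fullControl = (($ace.ActiveDirectoryRights -band $AdRights::GenericAll) -eq $AdRights::GenericAll)
        $extended    = (($ace.ActiveDirectoryRights -band $AdRights::ExtendedRight) -ne 0)
        # ObjectType = Empty means "all extended rights", which includes Enroll.
        $enroll      = $extended -and ($ace.ObjectType -eq $EnrollRight -or $ace.ObjectType -eq [guid]::Empty)
        $autoenroll  = $extended -and ($ace.ObjectType -eq $AutoEnrollRight)
        if (-not ($fullControl -or $enroll -or $autoenroll)) { continue }

        $who = $ace.IdentityReference.Value                 # e.g. CONTOSO\Domain Users
        New-Object PSObject -Property @{
            Template  = $TemplateName
            Principal = $who
            Right     = $(if ($fullControl) { 'FullControl' } elseif ($enroll) { 'Enroll' } else { 'Autoenroll' })
            Broad     = [bool]($BroadGroups | Where-Object { $who -eq $_ -or $who -like "*\$_" })
        }
    }
}

$report = foreach ($name in Get-PublishedTemplates) { Get-TemplateEnrollers -TemplateName $name }
$report | Sort-Object Template, Principal | Format-Table Template, Principal, Right, Broad -AutoSize
foreach ($row in ($report | Where-Object { $_.Broad })) {
    Write-Warning "$($row.Template): $($row.Principal) has $($row.Right)"
}
```

A template that a broad group can enroll from is only as safe as the template's own settings, so treat each warning as a prompt to open that template's properties and check what it issues and who can edit it, not as a finding by itself.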
Reset the CRL publishing period so that the CA publishes a new CRL and delta CRL when the service next starts (used after a migration):
certutil -delreg CA\CRLNextPublish
certutil -delreg CA\CRLDeltaNextPublish
Allow the CA to recover private keys that were archived by another (foreign) CA, for example after a migration:
certutil -setreg ca\KRAFlags +KRAF_ENABLEFOREIGN
Certificate database and log file location
By default the database and its log files are in %WINDIR%\system32\certlog (certutil -databaselocations shows the configured paths). %WINDIR%\system32\certsrv holds the web enrollment pages and the CertEnroll folder from which the CA certificate and CRLs are published.
Hello. I was following your steps for installing the Cisco WLC and setting up the different roles and services. Are some of your procedures for Windows 2008 R2? I ask because I have Windows 2008 Standard and I cannot get to the same screens.
Where are you stuck? Which screenshot?
I cannot get to this: https://araihan.files.wordpress.com/2009/10/21.jpg
My screen just shows:
Request Certificates
Administrator STATUS:Available
Basic EFS STATUS:Available
EFS Recovery Agent STATUS:Available
User STATUS:Available
Open the AD CS management console > right-click Certificate Templates > click Manage.
Select the preferred certificate template > right-click > click Properties > Security tab > check Enroll.
Request the certificate from the client > on the welcome screen click Next > expand AD CS Cert > select the certificate and enroll.
Thank you for your reply. Thank you for your patience and please forgive me for not having your level of expertise. Which preferred certificate should I click on? I have uninstalled and tried your procedure from scratch and keep getting to the same impasse. I have a screenshot of what I am talking about on my open posted question on Experts-Exchange.com. It is frustrating to know that the answer is right in front of me and I cannot see it. I am using Windows 2008 Standard 64-bit. Thank you for your assistance.
I have a screenshot on the question I posted on Experts-Exchange.com.
I am wondering what the difference is between screens 18 & 19 (User Properties dialog, with Security tab shown)? I’m not seeing a difference.
Curious if the screen shots are for situation where AD CS are going to be installed on a computer that is also running Active Directory Domain Services (AD DS), and where computer is also the primary domain controller.
Nice article, but I am stuck on image 25. How do I import it into the WLC? Please explain step by step for me.