
Install Active Directory Certificate Services

In document MCITP Windows Server 2008 Course (Page 145-156)

Install and configure Microsoft Active Directory Certificate Services (AD CS) using Windows Server 2008 R2

Microsoft Active Directory Certificate Services (AD CS) in Windows Server 2008 provides customizable services for creating and managing public key infrastructure (PKI) certificates. You can use AD CS to enhance and implement security by binding the identity of a person, device, computer or service to a corresponding private key. AD CS also includes features that allow you to manage certificate enrolment and revocation when necessary. Applications supported by AD CS include Secure/Multipurpose Internet Mail Extensions (S/MIME), secure wireless networks, virtual private networks (VPN), Internet Protocol security (IPsec), Encrypting File System (EFS), smart card logon, Secure Sockets Layer/Transport Layer Security (SSL/TLS), and digital signatures.

Standard hardware works for a Windows Server 2008 AD CS server. Depending on individual needs and budget, you may virtualise the CA or use a separate AD CS server. If you have more than one domain controller, you can configure one of them as the CS server. It doesn't hurt anybody. AD CS requires Windows Server 2008/2003 and Active Directory 2008/2003 Domain Services (AD DS). Here, I am going to talk about Windows 2008 AD CS. Although AD CS can be deployed on a single server, many deployments will involve multiple servers configured as CAs, other servers configured as Online Responders, and others serving as Web enrollment portals. Creating an optimal design will require careful planning and testing before you deploy AD CS in a production environment. Microsoft Windows XP, Windows 7 and Apple Mac OS X 10.5.x (Keychain) can request and enrol for certificates from a Microsoft enterprise CA.

Features in AD CS

By using Administrative Tools > Server Manager in Windows Server 2008, you can set up the following components of AD CS:

Certification authorities (CA). Root and subordinate CAs are used to issue certificates to users, computers, and services, and to manage certificate validity.

Web Enrollment. Web enrolment (http://servername/certsrv) allows users to connect to a CA by means of a Web browser in order to request certificates.

Online Responder. The Online Responder service decodes revocation status requests for specific certificates, evaluates the status of these certificates, and sends back a signed response containing the requested certificate status information.

Network Device Enrollment Service. The Network Device Enrollment Service allows routers and other network devices that do not have domain accounts to obtain certificates.


Upgrading or Migrating Active Directory Certificate Services

Individuals will be in different situations when upgrading certificate services on an existing server or migrating them to a new server, but there are common tasks involved in this process. They are:

ry cleanup (if you change host name)

Upgrading Active Directory CS on an existing server.

Steps required:

from 2008 standard to 2008 enterprise otherwise not)

DC+CA situation: you intend to demote your domain controller, but the existing Certification Authority is installed on that DC, so you want to move the CA to a separate domain member server. Steps required:


Performing a CA Backup

To use the Certification Authority snap-in to create a backup of the CA database and, optionally, the CA certificate and private key:

p location and attach media, if necessary.

-in.

-click the node with the CA name, point to All Tasks, and then click Back Up CA.

he Welcome page of the CA Backup wizard, click Next.

certificate database log check boxes, enter the backup location, and then click Next.

elect a Password page, enter a password to protect the CA private key, and click Next.

Exporting Registry Configuration

\SYSTEM\CurrentControlSet\Services\CertSvc, right-click Configuration, and then click Export.

configuration information for your CA.

Migrating CA to a Windows 2008 Server

Start, click Run, type servermanager.msc, and then press ENTER to open Server Manager.

Roles.

On the Action menu, click Add Roles.

Next.

Active Directory Certificate Services check box, and click Next twice.

Certification Authority is selected, and click Next.

-alone CA, and click Next.

Root or Subordinate CA, depending on the source CA, and click Next.

Use the second option for a migration.

To create a new CA certificate and key, select Create a new private key.

For a migration, on the Set Up Private Key page, select Use existing private key.

Select a certificate and use its associated private key, and click Next.

Certificates box.

Otherwise, click Import to import a certificate from the .pfx file created by exporting the CA certificate and private key from the source CA.

Browse, and locate and select the file containing the certificate and private key exported from the source CA.

password you selected when exporting the CA certificate and key from the source CA, and click OK.

Yes to accept the warning to overwrite AD DS. (This appears only if you are installing an enterprise CA.)

the distinguished name suffix, and click Next.

ificate generated on the CA, and click Next. Otherwise, skip this step.

Next.

directly to the CA, and click Next.

Install.

Restoring the CA Database

To import the CA database from the source CA to the target CA by using the Certification Authority snap-in

-in.

-click the node with the CA name, point to All Tasks, and then click Restore CA. Click OK to confirm stopping the CA service.

Welcome page, click Next.

Items to Restore page, select Certificate database and certificate database log. Click Browse, and navigate to the location of the Database folder that contains the CA database export files created when you previously exported the CA database.

requested.

Finish, and then click Yes to confirm restarting the CA.

To import the registry settings from the .reg file to the target CA

-in to stop the CA service.

-click the .reg file previously edited to open the Registry Editor.

previous steps

tion Authority snap-in to verify the following settings. Right-click the node with the CA name, and click Properties.

Managing AD CS

AD CS role services are managed by using Microsoft Management Console (MMC) snap-ins.

· To manage a CA, use the Certification Authority snap-in. To open Certification Authority, click Start, click Run, type mmc, click File, click Add/Remove Snap-in, click Certification Authority, click Add, click OK, and then double-click Certification Authority.

· To manage certificates, use the Certificates snap-in. To open Certificates, click Start, click Run, type mmc, click File, click Add/Remove Snap-in, click Certificates, click Add, click OK, and then double-click Certificates.

· To manage certificate templates, use the Certificate Templates snap-in. To open Certificate Templates, click Start, click Run, type mmc, click File, click Add/Remove Snap-in, click Certificate Templates, click Add, click OK, and then double-click Certificate Templates.

· To manage an Online Responder, use the Online Responder snap-in. To open Online Responder, click Start, click Run, type mmc, click File, click Add/Remove Snap-in, click Online Responder, click Add, click OK, and then double-click Online Responder.

Certificate Services Command References

To run all of these, you must log on to the CA as an administrator and open a command prompt.

· Back up the certificate database: certutil -backupdb BackupDirectory

· Back up the CA private key: certutil -f -backupkey BackupDirectory

· Determine the CSP and hash algorithm: certutil -getreg ca\csp\*

· Query the list of serial numbers of all certificates that have an archived key associated with them:

certutil -view -restrict "KeyRecoveryHashes>0" -out SerialNumber | findstr /C:"SerialNumber:" > sn.txt

· Convert the binary large object files created in the step above into .pfx files:

for %i in (*.bin) do certutil -p YourPassword -recoverkey %i %i.pfx

· Disable web enrolment after uninstalling Certificate Services: certutil -vroot delete

· Shut down the CA: certutil -shutdown

· Find the database location: certutil -databaselocations

· Restore the database: certutil -f -restoredb BackupDirectory

· Assign templates: certutil -setcatemplates +templatelist

· Enable the use of version 2 and version 3 certificates on an upgraded enterprise CA: certutil -setreg ca\setupstatus +512, then restart the service with net stop certsvc and net start certsvc

· Reset the CRL publishing period: certutil -delreg CA\CRLNextPublish and certutil -delreg CA\CRLDeltaNextPublish

· Restore encryption keys (allow foreign key recovery): certutil -setreg ca\KRAFlags +KRAF_ENABLEFOREIGN

· Certificate database and log file location: %WINDIR%\system32\certlog and %WINDIR%\system32\certsrv
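The CA backup and registry export procedure, and the database restore and registry import procedure described earlier, can be scripted with the certutil, reg and net commands in the reference above. The following PowerShell script is an added example and is not part of the original document or of any Microsoft tooling; it assumes it is run elevated on the CA itself, and the backup path, password and file names (CertSvc-Configuration.reg, csp.txt) are placeholders chosen here.

```powershell
# Added example (not from the document): scripted CA backup and restore built
# on the certutil/reg/net commands listed in the command reference.
# Assumes an elevated prompt on the CA. Paths and the password are placeholders.

$CertSvcKey = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Invoke-Checked {
    # Run an external command and stop on a non-zero exit code, so that a
    # failed backup or restore step cannot be mistaken for a successful one.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw ("{0} {1} failed with exit code {2}" -f $Exe, ($Arguments -join ' '), $LASTEXITCODE)
    }
}

function Backup-CaState {
    param(
        [Parameter(Mandatory=$true)][string]$BackupRoot,
        [Parameter(Mandatory=$true)][string]$KeyPassword
    )
    # One time-stamped folder per backup so older backups are never overwritten
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dir = Join-Path $BackupRoot $stamp
    New-Item -ItemType Directory -Path $dir | Out-Null

    # Certificate database and log files (certutil creates a DataBase subfolder)
    Invoke-Checked 'certutil.exe' @('-f', '-backupdb', $dir)
    # CA certificate and private key, protected by the supplied password
    Invoke-Checked 'certutil.exe' @('-f', '-p', $KeyPassword, '-backupkey', $dir)
    # CA registry configuration, the same key exported by hand in the procedure above
    Invoke-Checked 'reg.exe' @('export', $CertSvcKey, (Join-Path $dir 'CertSvc-Configuration.reg'), '/y')
    # Record the CSP and hash algorithm next to the backup for comparison after a restore
    & certutil.exe -getreg 'ca\csp\*' | Out-File -FilePath (Join-Path $dir 'csp.txt')

    return $dir
}

function Restore-CaState {
    param(
        [Parameter(Mandatory=$true)][string]$BackupDir,
        [Parameter(Mandatory=$true)][string]$KeyPassword
    )
    $regFile = Join-Path $BackupDir 'CertSvc-Configuration.reg'
    # Refuse to touch the CA unless both the database and the registry export are present
    if (-not (Test-Path (Join-Path $BackupDir 'DataBase'))) { throw "No DataBase folder in $BackupDir" }
    if (-not (Test-Path $regFile)) { throw "No registry export in $BackupDir" }

    # The CA service must be stopped before the database and registry are replaced
    Invoke-Checked 'net.exe' @('stop', 'certsvc')
    # Restore the database and logs; -f overwrites the existing files
    Invoke-Checked 'certutil.exe' @('-f', '-restoredb', $BackupDir)
    # Restore the CA certificate and private key from the same backup folder
    Invoke-Checked 'certutil.exe' @('-f', '-p', $KeyPassword, '-restorekey', $BackupDir)
    # Import the CA configuration; edit the .reg file first if the host name or paths changed
    Invoke-Checked 'reg.exe' @('import', $regFile)
    Invoke-Checked 'net.exe' @('start', 'certsvc')
    # Confirm the CA is back and show where the restored database lives
    & certutil.exe -databaselocations
}

# Usage (run elevated on the CA; change the path and password):
# $dir = Backup-CaState -BackupRoot 'D:\CABackup' -KeyPassword 'YourPassword'
# Restore-CaState -BackupDir $dir -KeyPassword 'YourPassword'
```

The script wraps every external call in an exit-code check because certutil and reg report failures only through their exit status, and a backup that silently skipped the private key or the registry export is worthless at restore time. The password is passed with -p so the key backup does not prompt, which means the backup folder must be protected like the CA key itself.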
