
Microsoft Press MCTS Training Kit 70-640: Configuring Windows Server 2008 Active Directory, part 9


Lesson 1: Understanding and Installing Active Directory Certificate Services

■ Devices that use low-level operating systems, such as routers and switches, can also participate in a PKI through the NDES by using the SCEP, a protocol developed by Cisco Systems, Inc. These devices usually do not participate in an AD DS directory and, therefore, do not have AD DS accounts. However, through the NDES and the SCEP, they can also become part of the PKI hierarchy that is maintained and managed by your AD CS installation.
■ CA server types are tied to the version of Windows Server 2008 you use. Standalone CAs can be created with Windows Server 2008 Standard Edition, Windows Server 2008 Enterprise Edition, or Windows Server 2008 Datacenter Edition. Enterprise CAs can be created with Windows Server 2008 Enterprise Edition or Windows Server 2008 Datacenter Edition only.

Lesson Review

You can use the following questions to test your knowledge of the information in Lesson 1, “Understanding and Installing Active Directory Certificate Services.” The questions are also available on the companion CD if you prefer to review them in electronic form.

NOTE Answers
Answers to these questions and explanations of why each answer choice is right or wrong are located in the “Answers” section at the end of the book.

1. You are an administrator for the Contoso domain. Your boss has decided to deploy Active Directory Certificate Services, and he wants it done today. You tell him that you investigated AD CS and, from what you’ve learned, deploying a public key infrastructure is not usually done in one day. After some discussion, your boss agrees that perhaps you should install this role in a laboratory first, but he wants to be there to see how it works. He wants you to install an enterprise certificate authority. You make sure that the server you are using is running Windows Server 2008 Enterprise Edition, and you launch the installation through Server Manager. When you get to the Specify Setup Type page of the Add Roles Wizard, the Enterprise CA option is not available. (See Figure 15-7.) What could be the problem? (Choose all that apply.)

Chapter 15 Active Directory Certificate Services and Public Key Infrastructures

Figure 15-7 The Specify Setup Type page of the AD CS Installation Wizard

   A. Your server is not running Windows Server 2008 Enterprise Edition.
   B. You are logged on with an account that is not part of the domain.
   C. Your server is not a member of an AD DS domain.
   D. You cannot install an enterprise CA with Server Manager.

Lesson 2: Configuring and Using Active Directory Certificate Services

After you have deployed your servers, you still need to complete several configurations to begin using them to issue and manage certificates to users and devices. Several activities are required:
■ To issue and maintain certificates, you must finalize the configuration of your issuing CAs.
■ For your online responder to issue responses to requests, you must finalize the configuration of the online responder.
■ To support network device enrollments, you must finish the configuration of the NDES on an issuing CA.
■ After all of these configurations are completed, you must test your CA operations to ensure that everything is working correctly.

After this lesson, you will be able to:
■ Create a revocation configuration.
■ Work with CA server configuration settings.
■ Work with certificate templates.
■ Configure the CA to issue OCSP response signing certificates.
■ Manage certificate enrollments.
■ Manage certificate revocations.
Estimated lesson time: 40 minutes

Finalizing the Configuration of an Issuing CA

Finalizing the configuration of an issuing CA includes the following actions:
■ Creating a certificate revocation configuration
■ Configuring and personalizing certificate templates with specific attention to the following factors:
   ❑ If you want to use the EFS to protect data, you must configure certificates for use with EFS. This also involves planning for the recovery agent or the agent that will be able to recover data if a user’s EFS key is lost.
   ❑ If you want to protect your wireless networks with certificates, you must configure wireless network certificates. This will enforce strong authentication and encrypt all communications between wireless devices.
   ❑ If you want to use smart cards to support two-factor authentication, you must configure smart card certificates.
   ❑ If you want to protect Web sites and enable e-commerce, you must configure Web server certificates. You can also use this certificate type to protect DCs and encrypt all communications to and from them.
■ Configuring enrollment and issuance options

You perform each of these actions on the issuing CA itself or remotely through a workstation, using the Remote Server Administration Tools (RSAT).

Creating a Revocation Configuration for a CA

Revocation is one of the only vehicles available to you to control certificates when they are misused or when you need to cancel deployed certificates. This is one reason your revocation configuration should be completed before you begin to issue certificates. To create a revocation configuration, perform the following actions:
■ Specify Certificate Revocation List (CRL) distribution points.
■ Configure CRL and Delta CRL overlap periods.
■ Schedule the publication of CRLs.

Begin with the CRL distribution point. Revocation configurations are performed in the Certification Authority console.
1. Log on to an issuing CA with a domain account that has local administrative rights.
2. Launch the Certification Authority console from the Administrative Tools program group.
3. Right-click the issuing CA name and select Properties.
4. In the Properties dialog box, click the Extensions tab and verify that the Select Extension drop-down list is set to CRL Distribution Point (CDP). Also make sure that the Publish CRLs To This Location and the Publish Delta CRLs To This Location check boxes are selected.
5. Click OK. If you made any changes to the CA’s configuration, you will be prompted to stop and restart the AD CS service. Click Yes to do so.

Now, move on to configuring CRL and Delta CRL overlap periods. This is performed with the Certutil.exe command.
1. On the issuing CA, open an elevated command prompt and execute the following commands:

      certutil -setreg ca\CRLOverlapUnits value
      certutil -setreg ca\CRLOverlapPeriod units
      certutil -setreg ca\CRLDeltaOverlapUnits value
      certutil -setreg ca\CRLDeltaOverlapPeriod units

   Here, value is the number you want to use to set the overlap period, and units is minutes, hours, or days. For example, you could set the CRL overlap period to 24 hours and the Delta CRL publication period to 12 hours. For this, you would use the following commands:

      certutil -setreg ca\CRLOverlapUnits 24
      certutil -setreg ca\CRLOverlapPeriod hours
      certutil -setreg ca\CRLDeltaOverlapUnits 12
      certutil -setreg ca\CRLDeltaOverlapPeriod hours

2. Go to the Certification Authority console and right-click the issuing CA server name to stop and restart the service.

Finally, configure the publication of the CRLs.
1. In the Certification Authority console, expand the console tree below the issuing CA server name.
2. Right-click Revoked Certificates and select Properties.
3. On the CRL Publishing Parameters tab, configure the CRL and Delta CRL publication periods. By default, both values are set to one week and one day, respectively. If you expect to have a high throughput of certificates and need to ensure high availability of the CRLs, decrease both values. If not, keep the default values. You can also view existing CRLs on the View CRLs tab.
4. Click OK.

Your revocation configuration is complete.

Configuring and Personalizing Certificate Templates

Certificate templates are used to generate the certificates you will use in your AD CS configuration. Enterprise CAs use version 2 and 3 templates. These templates are configurable and enable you to personalize them. To prepare templates for various uses, you must first configure each template you intend to use and, after each is configured, deploy each to your CAs. After templates are deployed, you can use them to issue certificates. Begin by identifying which templates you want to use, and then move on to the procedure.
1. Log on to an issuing CA, using domain administrative credentials.
2. Launch Server Manager from the Administrative Tools program group.
3. Expand Roles\Active Directory Certificate Services\Certificate Templates (servername).
4. Note that all the existing templates are listed in the details pane.

   IMPORTANT Upgrading certificate authorities
   If you are upgrading an existing CA infrastructure to Windows Server 2008, the first time you log on to a new server running AD CS, you will be prompted to update the existing certificate templates. Answer Yes to do so. This upgrades all templates to Windows Server 2008 versions.

5. Note that you are connected to a DC by default. To work with templates, you must be connected to a DC so that the templates can be published to AD DS.
6. If you are not connected, use the Connect To Another Writable Domain Controller command in the Action pane to do so. You are ready to create the templates you require.
7. Select the source template, right-click the template to select Duplicate Template, and select the version of Windows Server to support. This should always be Windows Server 2008 unless you are running in a mixed PKI hierarchy.
8. Name the new template, customize it, and save the customizations. Customize templates according to the following guidelines:
   ❑ To create an EFS template, select the Basic EFS template as the source, duplicate it for Windows Server 2008, and name it. Use a valid name, for example, Basic EFS WS08, and then move through the property tabs to customize its content. Pay particular attention to key archival on the Request Handling tab and make sure you select the Archive Subject Encryption Private Key check box. Also, use encryption to send the key to the CA. Archival storage of the private key enables you to protect it if the user ever loses it. You can also use the Subject Name tab to add information such as Alternate Subject Name values. Click OK.
   ❑ If you plan to use EFS, you must also create an EFS Recovery Agent template. Duplicate it for Windows Server 2008. Name it with a valid name such as EFS Recovery Agent WS08. Publish the recovery agent certificate in Active Directory. Note that the recovery agent certificate is valid for a much longer period than the EFS certificate itself. Also, use the same settings on the other property tabs as you assigned to the Basic EFS duplicate.

   MORE INFO Using EFS
   For more information on the implementation of EFS, look up the “Working with the Encrypting File System” white paper at http://www.reso-net.com/articles.asp?m=8 under the Advanced Public Key Infrastructures section.

   ❑ If you plan to use wireless networks, create a Network Policy Server (NPS) template for use with your systems. Basically, you create the template and configure it for autoenrollment. Then, the next time the NPS servers in your network update their Group Policy settings, they will be assigned new certificates. Use the RAS and IAS Server templates as the sources for your new NPS template. Duplicate it for Windows Server 2008. Name it appropriately, for example, NPS Server WS08. Publish it in Active Directory. Move to the Security tab to select the RAS and IAS Servers group to assign the Autoenroll as well as the Enroll permissions. Review other tabs as needed and save the new template.
   ❑ If you want to use smart card logons, create duplicates of the Smartcard Logon and Smartcard User templates. Set the duplicates for Windows Server 2008. Name them appropriately and publish them in Active Directory. You do not use Autoenrollment for these certificates because you need to use smart card enrollment stations to distribute the smart cards themselves to the users.
   ❑ If you want to protect Web servers or DCs, create duplicates of the Web Server and Domain Controller Authentication templates. Do not use the Domain Controller template; it is designed for earlier versions of the operating system. Duplicate them for Windows Server 2008, publish them in Active Directory, and verify their other properties.

   NOTE Configuring duplicate templates
   The configuration of each template type often includes additional activities that are not necessarily tied to AD CS. Make sure you view the AD CS online help to review the activities associated with the publication of each certificate type.

Now that your templates are ready, you must issue the template to enable the CA to issue certificates based on these personalized templates.
9. In Server Manager, expand Roles\Active Directory Certificate Services\Issuing CA Name\Certificate Templates.
10. To issue a template, right-click Certificate Templates, choose New, and then select Certificate Template To Issue.
11. In the Enable Certificate Templates dialog box, use Ctrl + click to select all the templates you want to issue, and then click OK. (See Figure 15-8.)
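The Certutil.exe steps above leave two things to the operator: restarting the CA service and confirming that the values actually landed. The following script is an added example, not from the training kit, that applies the chapter's overlap values (24 hours base CRL, 12 hours Delta CRL), writes the publication periods the CRL Publishing Parameters tab controls (here the chapter's defaults of one week and one day), restarts the service, reads every value back, forces a CRL publication, and lists the templates the CA is now configured to issue. It assumes it runs in an elevated PowerShell prompt on the issuing CA itself; the registry value names under ca\ are the ones certutil -setreg and -getreg use, and the CertEnroll path is the CA's default local publication folder.

```powershell
# Added example (not the training kit's code): finalize and verify the issuing CA's
# CRL settings from an elevated PowerShell prompt on the CA.
$ErrorActionPreference = 'Stop'

# Overlap periods, exactly as in the chapter's certutil commands.
certutil -setreg ca\CRLOverlapUnits 24
certutil -setreg ca\CRLOverlapPeriod hours
certutil -setreg ca\CRLDeltaOverlapUnits 12
certutil -setreg ca\CRLDeltaOverlapPeriod hours

# Publication periods: these are the registry values behind the CRL Publishing
# Parameters tab. The chapter's defaults are one week (base) and one day (Delta);
# setting them explicitly records the decision in the script instead of in a dialog box.
certutil -setreg ca\CRLPeriodUnits 1
certutil -setreg ca\CRLPeriod weeks
certutil -setreg ca\CRLDeltaPeriodUnits 1
certutil -setreg ca\CRLDeltaPeriod days

# -setreg changes take effect only after the AD CS service (CertSvc) restarts;
# the console prompts for this, a script has to do it itself.
Restart-Service -Name CertSvc

# Read every value back. certutil -setreg creates whatever value name it is given,
# so a misspelled name is accepted and then silently ignored by the CA.
$names = 'CRLOverlapUnits', 'CRLOverlapPeriod', 'CRLDeltaOverlapUnits', 'CRLDeltaOverlapPeriod',
         'CRLPeriodUnits', 'CRLPeriod', 'CRLDeltaPeriodUnits', 'CRLDeltaPeriod'
foreach ($name in $names) {
    certutil -getreg "ca\$name" | Select-String -Pattern "$name REG_"
}

# Publish a base CRL now and inspect what the CA produced: ThisUpdate/NextUpdate
# are the validity window clients enforce, Next CRL Publish is when the CA plans
# the replacement. A CRL whose NextUpdate passes with no successor published makes
# revocation checking fail on every client that consumes it.
certutil -CRL
Get-ChildItem "$env:windir\System32\CertSrv\CertEnroll\*.crl" | ForEach-Object {
    Write-Output "---- $($_.Name)"
    certutil -dump $_.FullName | Select-String -Pattern 'ThisUpdate|NextUpdate|Next CRL Publish'
}

# Templates this CA is configured to issue, i.e. what the Certificate Template To Issue
# dialog added. Anything missing here cannot be enrolled regardless of template ACLs.
certutil -CATemplates
```

The same certutil lines work unchanged from an elevated command prompt if PowerShell is not installed on the CA; the overlap period only matters if it is shorter than the publication period, which is why reading both sets of values back together is worth the extra lines.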
Figure 15-8 Enable Certificate Templates dialog box

Now you’re ready to configure enrollment. This is done through Group Policy. You can choose either to create a new Group Policy for this purpose or to modify an existing Group Policy object. This policy must be assigned to all members of the domain; therefore, the Default Domain Policy might be your best choice or, if you do not want to modify this policy, create a new policy and assign it to the entire domain. You use the Group Policy Management Console (GPMC) to do so.
1. Log on to a DC, and then launch Group Policy Management from the Administrative Tools program group.
2. Locate or create the appropriate policy and right-click it to choose Edit.
3. To assign autoenrollment for computers, expand Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
4. Double-click Certificate Services Client – Auto-Enrollment.
5. Enable the policy and select the Renew Expired Certificates, Update Pending Certificates, And Remove Revoked Certificates check box.
6. Select the Update Certificates That Use Certificate Templates check box if you have already issued some certificates manually for this purpose. Click OK to assign these settings.
7. To assign autoenrollment for users, expand User Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
8. Enable the policy and select the same options as for computers.
9. Notice that you can enable Expiration Notification for users. Enable it and set an appropriate value. This will notify users when their certificates are about to expire.
10. Click OK to assign these settings.

   IMPORTANT Computer and User Group Policy settings
   Normally, you should not apply both user and computer settings in the same Group Policy object. This is done here only to illustrate the settings you need to apply to enable autoenrollment.

11. Close the GPMC.
12. Return to the issuing CA and move to Server Manager to set the default action your issuing CA will use when it receives certificate requests.
13. Right-click the issuing CA server name under AD CS and choose Properties.
14. Click the Policy Module tab and click the Properties button.
15. To have certificates issued automatically, select Follow The Settings In The Certificate Template, If Applicable. Otherwise, Automatically Issue The Certificate. Click OK.
16. Click OK once again to close the Properties dialog box.

Your issuing CA is now ready for production and will begin to issue certificates automatically when they are requested either by devices or by users.

Finalizing the Configuration of an Online Responder

If you decided to use online responders, you will need to finalize their configuration. Online responders can create an array of systems to provide high availability for the service. An array can be as simple as two CAs acting as ORs, or it can include many more servers. To finalize the configuration of an online responder, you must configure and install an OCSP Response Signing certificate and configure an Authority Information Access extension to support it. After this is done, you must assign the template to a CA and then enroll the system to obtain the certificate. Use the following procedure to configure the OCSP Response Signing Certificate.
1. Log on to an issuing CA server, using a domain account with local administrative access rights.
2. In Server Manager, expand Roles\Active Directory Certificate Services\Certificate Templates (servername).
3. Right-click the OCSP Response Signing template and click Duplicate Template. Select a Windows Server 2008 Enterprise Edition template and click OK.
4. Type a valid name for the new template, for example, OCSP Response Signing WS08.
5. Select the Publish Certificate In Active Directory check box.
6. On the Security tab, under Group Or User Names, click Add, click Object Types to enable the Computer object type, and click OK.
7. Type the name and click Check Names or browse to find the computer that hosts the online responder. Click OK.
8. Click the computer name and then, in the Permissions section of the dialog box, select the Allow: Read, Enroll, and Autoenroll options.
9. Click OK to create the duplicate template.

Your certificate template is ready. Now you must configure the Authority Information Access (AIA) Extension to support the OR.

   IMPORTANT Assigning access rights
   Normally, you should assign access rights to groups and not to individual objects in an AD DS directory. Because you will have several ORs, using a group makes sense. Ideally, you will create a group in AD DS, name it appropriately—for example, Online Responders—and add the computer accounts of each OR to this group. After you do that, you will assign the access rights of the OCSP Response Signing template to the group instead of to the individual systems. This way, you will have to do it only once.

1. Log on to an issuing CA, using a domain account with local administrative credentials.
2. Launch Server Manager from the Administrative Tools program group.
3. Expand Roles\Active Directory Certificate Services\Issuing CA servername.
4. In the Actions pane, select Properties.
5. Click the Extensions tab, click the Select Extension drop-down list, and then click Authority Information Access (AIA).
6. Specify the locations to obtain certificate revocation data. In this case, select the location beginning with HTTP://.
7. Select the Include In The AIA Extension Of Issued Certificates and the Include In The Online Certificate Status Protocol (OCSP) Extension check boxes.
8. Click OK to apply the changes. Note that you must stop and restart the AD CS service because of the change.
9. Click Yes at the suggested dialog box.
10. Now move to the Certificate Templates node under the issuing CA name and right-click it, select New, and then choose Certificate Template To Issue.
11. In the Enable Certificate Templates dialog box, select the new OCSP Response Signing template you created earlier and click OK. The new template should appear in the details pane.
12. To assign the template to the server, reboot it.

You now need to verify that the OCSP certificate has been assigned to the server. You do so with the Certificates snap-in. By default, this snap-in is not in a console. You must create a new console to use it.
13. Open the Start menu, type mmc in the search box, and press Enter.
14. In the MMC, select Add/Remove Snap-in from the File menu to open the Add Or Remove Snap-ins dialog box.
15. Select the Certificates snap-in and click Add.
16. Select Computer Account and click Next.
17. Select Local Computer and click Finish.
18. Click OK to close the Add Or Remove Snap-ins dialog box.
19. Select Save from the File menu to save the console and place it in your Documents folder. Name the console Computer Certificates and click Save.
20. Expand Certificates\Personal\Certificates and verify that it contains the new OCSP certificate.
21. If the certificate is not there, install it manually by right-clicking Certificates under Personal, choosing All Tasks, and then selecting Request New Certificate.
22. On the Certificate Enrollment page, click Next.
23. Select the new OCSP certificate and click Enroll.
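Steps 12 through 23 verify the online responder's signing certificate by rebooting and then browsing the Personal store in an MMC console. The script below is an added example, not part of the training kit, that performs the same verification from PowerShell on the online responder host: it triggers an autoenrollment pass without a reboot, finds any machine certificate carrying the OCSP Signing enhanced key usage (OID 1.3.6.1.5.5.7.3.9), falls back to an explicit request if none is present, confirms the Online Responder service is running, and then checks the AIA/OCSP configuration the preceding procedure set on the issuing CA. The template name follows the chapter's example and the CA config string and test certificate path are placeholders to replace; certreq -enroll is assumed to be available (it ships with Windows Server 2008 R2 and later, older hosts use the snap-in as the chapter describes).

```powershell
# Added example (not the training kit's code): verify the OCSP Response Signing
# enrollment and the AIA/OCSP configuration after the procedure above.
$TemplateName   = 'OCSP Response Signing WS08'        # name used in the chapter
$CaConfig       = 'ISSUINGCA01\Contoso-Issuing-CA'    # placeholder: <CA host>\<CA name>
$TestCertPath   = 'C:\Temp\issued-test-cert.cer'       # placeholder: any cert issued by this CA
$OcspSigningOid = '1.3.6.1.5.5.7.3.9'                  # id-kp-OCSPSigning

function Get-OcspSigningCertificates {
    # Same store the chapter's "Computer Certificates" console shows: LocalMachine\Personal.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $OcspSigningOid })
    }
}

# 1. The chapter assigns the template by rebooting; certutil -pulse fires the same
#    autoenrollment task immediately. Give the task a moment to talk to the CA.
certutil -pulse
Start-Sleep -Seconds 10

$certs = @(Get-OcspSigningCertificates)
if ($certs.Count -eq 0) {
    # 2. Equivalent of steps 21-23 (Request New Certificate) without the snap-in.
    #    Assumption: certreq -enroll is present on this host (Windows Server 2008 R2+).
    certreq -enroll -machine -q $TemplateName
    $certs = @(Get-OcspSigningCertificates)
}

if ($certs.Count -eq 0) {
    Write-Warning "No certificate with the OCSP Signing EKU in LocalMachine\My; check the template's Enroll/Autoenroll ACL for this computer and whether the CA issues '$TemplateName'."
} else {
    # A responder signing certificate is short-lived by design (the template defaults to
    # weeks, not years), so NotAfter is the value to watch in monitoring.
    $certs | Select-Object Subject, Issuer, NotBefore, NotAfter, Thumbprint | Format-List
}

# 3. The Online Responder role service itself (service name OCSPSvc).
Get-Service -Name OCSPSvc | Select-Object Name, Status, StartType

# 4. AIA locations the issuing CA stamps into every certificate it issues. Each entry
#    is "<flags>:<url>"; in certutil's CSURL_ bit values 2 means "include in the AIA
#    extension" and 32 means "include in the OCSP extension", so the HTTP entry chosen
#    in step 6 above should carry both (34:http://...). Read remotely via -config.
certutil -config $CaConfig -getreg ca\CACertPublicationURLs

# 5. End-to-end check as a relying party would see it: fetch every AIA, CDP and OCSP
#    URL in the chain of an issued certificate and report whether each one answers.
if (Test-Path $TestCertPath) {
    certutil -verify -urlfetch $TestCertPath
} else {
    Write-Output "Export a certificate issued by the CA to $TestCertPath to run the URL fetch check."
}
```

Step 5 is the one that catches configuration that looks complete in the console but fails in practice: a responder whose signing certificate has not been issued, or an AIA entry that points at a host clients cannot reach, both show up as failed URL retrievals in the certutil -verify output.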

Posted: 09/08/2014, 11:21
