Windows Server 2008 Active Directory Certificate Services Step-By-Step Guide
Microsoft Corporation Published: April 2007 Author: Roland Winkler Editor: Debbie Swanson
Abstract
This step-by-step guide describes the steps needed to set up a basic configuration of Active Directory® Certificate Services (AD CS) in a lab environment. AD CS in Windows Server® 2008 provides customizable services for creating and managing public key certificates used in software security systems employing public key technologies.
Copyright Information
This document supports a preliminary release of a software product that may be changed substantially prior to final commercial release, and is the confidential and proprietary information of Microsoft Corporation. It is disclosed pursuant to a non-disclosure agreement between the recipient and Microsoft. This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. © 2007 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, MS-DOS, Visual Basic, Visual Studio, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.
Contents
Windows Server 2008 Active Directory Certificate Services Step-By-Step Guide
   Abstract
   Copyright Information
   Contents
Windows Server Active Directory Certificate Services Step-by-Step Guide
   AD CS Technology Review
   Requirements for Using AD CS
   AD CS Basic Lab Scenario
   Steps for Setting up a Basic Lab
      Step 1: Setting Up an Enterprise Root CA
      Step 2: Installing the Online Responder
      Step 3: Configuring the CA to Issue OCSP Response Signing Certificates
      Step 4: Creating a Revocation Configuration
      Step 5: Verifying that the AD CS Lab Setup Functions Properly
   AD CS Advanced Lab Scenario
   Steps for Setting Up an Advanced Lab
      Step 1: Setting Up the Stand-Alone Root CA
      Step 2: Setting Up the Enterprise Subordinate Issuing CA
      Step 3: Installing and Configuring the Online Responder
      Step 4: Configuring the Issuing CA to Issue OCSP Response Signing Certificates
      Step 5: Configuring the Authority Information Access Extension to Support the Online Responder
      Step 6: Assigning the OCSP Response Signing Template to a CA
      Step 7: Enrolling for an OCSP Response Signing Certificate
      Step 8: Creating a Revocation Configuration
      Step 9: Setting Up and Configuring the Network Device Enrollment Service
      Step 10: Verifying that the Advanced AD CS Test Setup Functions Properly
Procedures for an advanced lab setup to test AD CS on a larger number of computers to more realistically simulate real-world configurations
AD CS Technology Review
Using the Active Directory Certificate Services option of the Add Roles Wizard, you can set up the following components of AD CS:

Certification authorities (CAs). Root and subordinate CAs are used to issue certificates to users, computers, and services, and to manage their validity.

CA Web enrollment. Web enrollment allows users to connect to a CA by means of a Web browser in order to:
   Request certificates and review certificate requests.
   Retrieve certificate revocation lists (CRLs).
   Perform smart card certificate enrollment.
Online Responder service. The Online Responder service implements the Online Certificate Status Protocol (OCSP) by decoding revocation status requests for specific certificates, evaluating the status of these certificates, and sending back a signed response containing the requested certificate status information.

Important: Online Responders can be used as an alternative to or an extension of CRLs to provide certificate revocation data to clients. Microsoft Online Responders are based on and comply with RFC 2560 for OCSP. For more information about RFC 2560, see the Internet Engineering Task Force Web site (http://go.microsoft.com/fwlink/?LinkID=67082).
Network Device Enrollment Service. The Network Device Enrollment Service allows routers and other network devices to obtain certificates based on the Simple Certificate Enrollment Protocol (SCEP) from Cisco Systems Inc.

Note: SCEP was developed to support the secure, scalable issuance of certificates to network devices by using existing CAs. The protocol supports CA and registration authority public key distribution, certificate enrollment, certificate revocation, certificate queries, and certificate revocation queries.
The following features are available on servers running Windows Server 2008 that have been configured as CAs.

AD CS features                                              Web   Standard   Enterprise   Datacenter
Customizable version 2 and version 3 certificate templates  No    No         Yes          Yes
Key archival                                                No    No         Yes          Yes
Role separation                                             No    No         Yes          Yes
Certificate Manager restrictions                            No    No         Yes          Yes
Delegated enrollment agent restrictions                     No    No         Yes          Yes
Note: Enterprise CAs and Online Responders can only be installed on servers running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter.

LH_CLI1: This client computer running Windows Vista will autoenroll for certificates from LH_PKI1 and verify certificate status from LH_PKI1.

To configure the basic lab setup for AD CS, you need to complete the following prerequisite steps:
   Set up a domain controller on LH_DC1 for contoso.com, including some organizational units (OUs) to contain one or more users for the client computer, client computers in the domain, and for the servers hosting CAs and Online Responders.
   Install Windows Server 2008 on LH_PKI1, and join LH_PKI1 to the domain.
After you have completed these preliminary setup procedures, you can begin to complete the following steps:
   Step 1: Setting Up an Enterprise Root CA
   Step 2: Installing the Online Responder
   Step 3: Configuring the CA to Issue OCSP Response Signing Certificates
   Step 4: Creating a Revocation Configuration
   Step 5: Verifying that the AD CS Lab Setup Functions Properly
then click Next.
12. After verifying the information on the Confirm Installation Options page, click Install.
13. Review the information on the confirmation screen to verify that the installation was successful.
To configure certificate templates for your test environment
1. Log on to LH_PKI1 as a CA administrator.
2. Open the Certificate Templates snap-in.
3. Right-click the OCSP Response Signing template, and then click Duplicate Template.
4. Type a new name for the duplicated template, such as OCSP Response Signing_2.
5. Right-click the OCSP Response Signing_2 certificate template, and then click Properties.
6. Click the Security tab. Under Group or user name, click Add, and then type the name or browse to select the computer hosting the Online Responder service.
7. Click the computer name, LH_PKI1, and in the Permissions dialog box, select the Read and Autoenroll check boxes.
8. While you have the Certificate Templates snap-in open, you can configure certificate templates for users and computers by substituting the desired templates in step 3, and repeating steps 4 through 7 to configure permissions for LH_CLI1 and your test user accounts.

To configure the CA to support Online Responders, you need to use the Certification Authority snap-in to complete two key steps:
   Add the location of the Online Responder to the authority information access extension of issued certificates.
   Enable the certificate templates that you configured in the previous procedure for the CA.
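The Read and Autoenroll permissions set in steps 6 and 7 of the template procedure above are access control entries on the template object, which lives in the Configuration partition of AD DS rather than in the domain partition. The following PowerShell script is an added example, not part of the original guide: it grants the same permissions to the computer account without the snap-in and then lists every principal that is able to enroll on the template, which is the check you want to repeat whenever a template is duplicated, because an over-permissive template lets any principal listed there obtain certificates. The domain contoso.com with NetBIOS name CONTOSO, the template display name OCSP Response Signing_2 and the computer name LH_PKI1 are the lab's; change them for your environment.

```powershell
# Added example (not from the guide): grant a computer account Read + Autoenroll on a
# certificate template by editing the template object's ACL in AD DS, then audit who can enroll.
# Assumptions: forest root domain contoso.com (NetBIOS CONTOSO), template display name
# "OCSP Response Signing_2", computer account LH_PKI1$. Run as an Enterprise Administrator
# on a domain member with the .NET System.DirectoryServices assembly available.
Add-Type -AssemblyName System.DirectoryServices

$TemplateName  = 'OCSP Response Signing_2'
$ComputerName  = 'LH_PKI1'
$DomainNetbios = 'CONTOSO'

# Extended rights defined in the AD schema as controlAccessRight objects.
$EnrollRight     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollRight = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

# Templates are stored under the Configuration naming context, not the domain.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = $rootDse.Properties['configurationNamingContext'].Value
$path     = "LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
    throw "Template '$TemplateName' not found under $configNC"
}
$template = [ADSI]$path

# Computer accounts are addressed as DOMAIN\NAME$ ; the trailing $ is part of the sAMAccountName.
$account = New-Object System.Security.Principal.NTAccount("$DomainNetbios\$ComputerName`$")

function New-Ace([System.Security.Principal.IdentityReference]$Id,
                 [System.DirectoryServices.ActiveDirectoryRights]$Rights,
                 [Guid]$ObjectType = [Guid]::Empty) {
    # Allow ACE; an empty ObjectType means "all properties / all extended rights" for the given right.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $Id, $Rights, [System.Security.AccessControl.AccessControlType]::Allow, $ObjectType)
}

$acl = $template.ObjectSecurity
# "Read" in the snap-in = GenericRead on the object.
$acl.AddAccessRule((New-Ace $account 'GenericRead'))
# "Autoenroll" in the snap-in = the Enroll AND the AutoEnrollment extended rights.
$acl.AddAccessRule((New-Ace $account 'ExtendedRight' $EnrollRight))
$acl.AddAccessRule((New-Ace $account 'ExtendedRight' $AutoEnrollRight))
$template.ObjectSecurity = $acl
$template.CommitChanges()

# Check: who can enroll on this template? Enroll/AutoEnrollment rights, an ExtendedRight ACE with
# an empty ObjectType (= every extended right, Enroll included) and GenericAll all count.
$template.RefreshCache()
$ga = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$template.ObjectSecurity.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            $_.ObjectType -eq $EnrollRight -or $_.ObjectType -eq $AutoEnrollRight -or
            ($_.ObjectType -eq [Guid]::Empty -and ($_.ActiveDirectoryRights -band 'ExtendedRight')) -or
            (($_.ActiveDirectoryRights -band $ga) -eq $ga))
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType |
    Format-Table -AutoSize
```

Anything in that final listing besides the responder host, the CA administrators and the groups you intended (for example Authenticated Users or Domain Computers inherited from the source template) should be removed before the template is published with New Certificate Templates to Issue, because the CA enforces exactly this ACL when it decides who may enroll.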
To configure a CA to support the Online Responder service
1. Open the Certification Authority snap-in.
2. In the console tree, click the name of the CA.
3. On the Action menu, click Properties.
4. Click the Extensions tab. In the Select extension list, click Authority Information Access (AIA).
5. Select the Include in the AIA extension of issued certificates and Include in the online certificate status protocol (OCSP) extension check boxes.
6. Specify the locations from which users can obtain certificate revocation data; for this setup, the location is http://LH_PKI1/ocsp.
7. In the console tree of the Certification Authority snap-in, right-click Certificate Templates, and then click New Certificate Templates to Issue.
8. In Enable Certificate Templates, select the OCSP Response Signing template and any other certificate templates that you configured previously, and then click OK.
9. Open Certificate Templates, and verify that the modified certificate templates appear in the list.
Select a revocation provider, the component responsible for retrieving and caching the revocation information used by the Online Responder.

To create a revocation configuration
1. Open the Online Responder snap-in.
2. In the Actions pane, click Add Revocation Configuration to start the Add Revocation Configuration wizard, and then click Next.
3. On the Name the Revocation Configuration page, type a name for the revocation configuration, such as LH_RC1, and then click Next.
4. On the Select CA Certificate Location page, click Select a certificate from an existing enterprise CA, and then click Next.
5. On the following page, the name of the CA, LH_PKI1, should appear in the Browse CA certificates published in Active Directory box. If it appears, click the name of the CA that you want to associate with your revocation configuration, and then click Next.
   If it does not appear, click Browse for CA Computer and type the name of the computer hosting LH_PKI1 or click Browse to locate this computer. When you have located the computer, click Next.
   Note: You might also be able to link to the CA certificate from the local certificate store, or by importing it from removable media in step 4.
6. View the certificate and copy the CRL distribution point for the parent root CA, RootCA1. To do this:
   a. Open the Certificate Services snap-in. Select an issued certificate.
   b. Double-click the certificate, and then click the Details tab.
   c. Scroll down and select the CRL Distribution Points field.
   d. Select and copy the URL for the CRL distribution point that you want to use.
   e. Click OK.
7. On the Select Signing Certificate page, accept the default option, Automatically select signing certificate, and then click Next.
8. On the Revocation Provider page, click Provider.
9. On the Revocation Provider Properties page, click Add, enter the URL of the CRL distribution point, and then click OK.
10. Click Finish.
11. Using the Online Responder snap-in, select the revocation configuration, and then examine the status information to verify that it is functioning properly. You should also be able to examine the properties of the signing certificate to verify that the Online Responder is configured properly.
To verify that the AD CS test setup functions properly
1. On the CA, configure several certificate templates to autoenroll certificates for LH_CLI1 and users on this computer.
2. When information about the new certificates has been published to AD DS, open a command prompt on the client computer and enter the following command to start certificate autoenrollment:
certutil -pulse
3. On LH_CLI1, use the Certificates snap-in to verify that the certificates have been issued to the user and to the computer, as appropriate.
4. On the CA, use the Certification Authority snap-in to view and revoke one or more of the issued certificates by clicking Certification Authority (Computer)/CA name/Issued Certificates and selecting the certificate you want to revoke. On the Action menu, point to All Tasks, and then click Revoke Certificate. Select the reason for revoking the certificate, and click Yes.
5. In the Certification Authority snap-in, publish a new CRL by clicking Certification Authority (Computer)/CA name/Revoked Certificates in the console tree. Then, on the Action menu, point to All Tasks, and click Publish.
6. Remove all CRL distribution point extensions from the issuing CA by opening the Certification Authority snap-in and then selecting the CA. On the Action menu, click Properties.
7. On the Extensions tab, confirm that Select extension is set to CRL Distribution Point (CDP).
8. Click any CRL distribution points that are listed, click Remove, and then click OK.
9. Stop and restart AD CS.
10. Repeat steps 1 and 2 above, and then verify that clients can still obtain revocation data. To do this, use the Certificates snap-in to export the certificate to a file (*.cer). At a command prompt, type:
certutil -url <exportedcert.cer>
11. In the Verify and Retrieve dialog box that appears, click From CDP and From OCSP and compare the results.
LH_CA_ISSUE1: This enterprise CA will be subordinate to LH_CA_ROOT1 and issue client certificates for the Online Responder and client computers.
   Note: Enterprise CAs and Online Responders can only be installed on servers running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter.
LH_ORS1: This server will host the Online Responder.
LH_NDES: This server will host the Network Device Enrollment Service that makes it possible to issue and manage certificates for routers and other network devices.
LH_CLI1: This client computer running Windows Vista will autoenroll for certificates from LH_CA_ISSUE1 and verify certificate status from LH_ORS1.

To configure the advanced lab setup for AD CS, you need to complete the following prerequisite steps:
1. Set up a domain controller on LH_DC1 for contoso.com, including some OUs to contain one or more users for LH_CLI1, client computers in the domain, and for the servers hosting CAs and Online Responders.
2. Install Windows Server 2008 on the other servers in the test configuration and join them to the domain.
3. Install Windows Vista on LH_CLI1, and join LH_CLI1 to contoso.com.

After you have completed these preliminary setup procedures, you can begin to complete the following steps:
   Step 1: Setting Up the Stand-Alone Root CA
   Step 2: Setting Up the Enterprise Subordinate Issuing CA
   Step 3: Installing and Configuring the Online Responder
   Step 4: Configuring the Issuing CA to Issue OCSP Response Signing Certificates
   Step 5: Configuring the Authority Information Access Extension to Support the Online Responder
   Step 6: Assigning the OCSP Response Signing Template to a CA
   Step 7: Enrolling for an OCSP Response Signing Certificate
   Step 8: Creating a Revocation Configuration
   Step 9: Setting Up and Configuring the Network Device Enrollment Service
   Step 10: Verifying that the Advanced AD CS Test Setup Functions Properly
and then click Next.
4. On the Specify Setup Type page, click Enterprise, and then click Next.
5. On the Specify CA Type page, click Subordinate CA, and then click Next.
6. On the Set Up Private Key and Configure Cryptography for CA pages, you can configure optional settings, including cryptographic service providers. However, for basic testing purposes, accept the default values by clicking Next twice.
7. On the Request Certificate page, browse to locate LH_CA_ROOT1, or, if the root CA is not connected to the network, save the certificate request to a file so that it can be processed later. Click Next. The subordinate CA setup will not be usable until it has been issued a root CA certificate and this certificate has been used to complete the installation of the subordinate CA.
8. In the Common name for this CA box, type the common name of the CA, LH_CA_ISSUE1.
9. On the Set the Certificate Validity Period page, accept the default validity duration for the CA, and then click Next.
10. On the Configure Certificate Database page, accept the default values or specify other storage locations for the certificate database and the certificate database log, and then click Next.
11. After verifying the information on the Confirm Installation Options page, click Install.
3. On the Select Role Services page, clear the Certification Authority check box, select the Online Responder check box, and then click Next. You are prompted to install IIS and Windows Activation Service.
4. Click Add Required Role Services, and then click Next three times.
5. On the Confirm Installation Options page, click Install.
6. When the installation is complete, review the status page to verify that the installation was successful.
Step 5: Configuring the Authority Information Access Extension to Support the Online Responder
You need to configure the CAs to include the URL for the Online Responder as part of the authority information access extension of the issued certificate. This URL is used by the Online Responder client to validate the certificate status.
To configure the authority information access extension to support the Online Responder
1. Log on to LH_CA_ISSUE1 as a CA administrator.
2. Open the Certification Authority snap-in.
3. In the console tree, click the name of the CA.
4. On the Action menu, click Properties.
5. On the Extensions tab, click Select extension, and then click Authority Information Access (AIA).
6. Select the Include in the AIA extension of issued certificates and Include in the online certificate status protocol (OCSP) extension check boxes.
7. Specify the locations from which users can obtain certificate revocation data; for this setup, the location is http://LH_ORS1/ocsp.
8. In the console tree of the Certification Authority snap-in, right-click Certificate Templates, and then click New Certificate Templates to Issue.
9. In Enable Certificate Templates, select the OCSP Response Signing template and any other certificate templates that you configured previously, and then click OK.
10. Open Certificate Templates, and verify that the modified certificate templates appear in the list.
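The Extensions tab in the procedure above (and in the equivalent basic-lab procedure for LH_PKI1) edits the CA's CACertPublicationURLs registry value, where each entry is a flag number followed by a URL and the flag bits correspond to the check boxes. The following PowerShell script is an added example, not part of the original guide: it sets the same AIA and OCSP URLs with certutil, restarts the CA so they take effect, and verifies the result. The host names LH_CA_ISSUE1 and LH_ORS1 are the advanced lab's (use LH_PKI1 for both in the basic lab).

```powershell
# Added example (not from the guide): set the CA's AIA and OCSP publication URLs from the
# command line instead of the Extensions tab, then verify the result. Run on the CA
# (LH_CA_ISSUE1 in the advanced lab, LH_PKI1 in the basic lab). Host names are the lab's.
$CaWebHost = 'LH_CA_ISSUE1'   # web server that publishes the CA certificate for AIA download
$OcspHost  = 'LH_ORS1'        # the Online Responder

# Each entry is <flags>:<URL>. The flag bits are the Extensions-tab check boxes:
#   1  = publish the CA certificate to this location          (CSURL_SERVERPUBLISH)
#   2  = include in the AIA extension of issued certificates  (CSURL_ADDTOCERTCDP)
#   32 = include in the OCSP extension of issued certificates (CSURL_ADDTOCERTOCSP)
# %1, %3 and %4 are the CA's own tokens (server DNS name, CA name, certificate suffix).
$aiaUrls = @(
    '1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt'
    "2:http://$CaWebHost/CertEnroll/%1_%3%4.crt"
    "32:http://$OcspHost/ocsp"
)
# The procedure above ticks both boxes for the /ocsp URL. That also advertises the responder
# as a place to download the CA certificate (flags 2 + 32 = 34), which clients will try and
# fail. Keep the responder URL on flag 32 only.
if ($aiaUrls -match '^(2|34):[^:]+://[^/]+/ocsp$') { throw 'OCSP URL must carry flag 32 only' }

# certutil -setreg writes a REG_MULTI_SZ when the entries are joined with a literal \n.
& certutil -setreg 'CA\CACertPublicationURLs' ($aiaUrls -join '\n')
if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed: exit code $LASTEXITCODE" }

# The CA reads this value at start-up, so restart it to apply the change.
Restart-Service certsvc

# Check 1: the effective list must contain the responder entry with flag 32.
$dump = & certutil -getreg 'CA\CACertPublicationURLs'
if (-not ($dump -match '32:http://')) { throw 'No OCSP entry (flag 32) in CACertPublicationURLs' }
$dump

# Check 2, on a client: export a certificate issued after the restart and fetch every URL it
# carries. The output reports "Verified" or an error for each AIA, CDP and OCSP retrieval:
#   certutil -verify -urlfetch issued.cer
```

Certificates issued before the restart do not change; only new certificates carry the responder URL, which is why step 10 of the verification procedure re-enrolls the client before testing.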
To verify that the signing certificate is properly configured
1. Start or restart LH_ORS1 to enroll for the certificates.
2. Log on as a CA administrator.
3. Open the Certificates snap-in for the computer. Open the Personal certificate store for the computer, and then verify that it contains a certificate titled OCSP Response Signing_2.
4. Right-click this certificate, and then click Manage Private Keys.
5. Click the Security tab. In the User Group or user name dialog box, click Add to type in and add Network Service to the Group or user name list, and then click OK.
6. Click Network Service, and in the Permissions dialog box, select the Full Control check box. Click OK twice.
   The Online Responder service runs as Network Service and only needs to use the key to sign responses; Read permission on the private key is sufficient for that, so Full Control is more than the service requires.
Select a revocation provider, the component responsible for retrieving and caching the revocation information used by the Online Responder.

To create a revocation configuration
1. Log on to LH_ORS1 as a domain administrator.
2. Open the Online Responder snap-in.
3. In the Actions pane, click Add Revocation Configuration to start the Add Revocation Configuration wizard, and then click Next.
4. On the Name the Revocation Configuration page, type a name for the revocation configuration, such as LH_RC1, and then click Next.
5. On the Select CA Certificate Location page, click Select a certificate from an existing enterprise CA, and then click Next.
6. On the following page, the name of the CA, LH_CA_ISSUE1, should appear in the Browse CA certificates published in Active Directory box. If it appears, click the name of the CA that you want to associate with your revocation configuration, and then click Next.
   If it does not appear, click Browse for CA Computer and type the name of the computer hosting LH_CA_ISSUE1 or click Browse to locate this computer. When you have located the computer, click Next.
   Note: You might also be able to link to the CA certificate from the local certificate store, or by importing it from removable media in step 5.
7. View the certificate and copy the CRL distribution point for the parent root CA, RootCA1. To do this:
   a. Open the Certificate Services snap-in, and then select an issued certificate.
   b. Double-click the certificate, and then click the Details tab.
   c. Scroll down and select the CRL Distribution Points field.
   d. Select and copy the URL for the CRL distribution point that you want to use.
   e. Click OK.
8. On the Select Signing Certificate page, accept the default, Automatically select signing certificate, and then click Next.
9. On the Revocation Provider page, click Provider.
10. On the Revocation Provider Properties page, click Add, enter the URL of the CRL distribution point, and then click OK.
11. Click Finish.
12. Using the Online Responder snap-in, select the revocation configuration, and then examine the status information to verify that it is functioning properly. You should also be able to examine the properties of the signing certificate to verify that the Online Responder is configured properly.
SCEP was developed as an extension to existing HTTP, PKCS #10, PKCS #7, RFC 2459, and other standards to enable network device and application certificate enrollment with CAs. SCEP is identified and documented on the Internet Engineering Task Force Web site (http://go.microsoft.com/fwlink/?LinkId=71055).
Before you begin this procedure, create a user ndes_user1 and add this user to the IIS user group. Then, use the Certificate Templates snap-in to configure Read and Enroll permissions for this user on the IPSEC (Offline Request) certificate template.

To set up and configure the Network Device Enrollment Service
1. Log on to LH_NDES as an enterprise administrator.
2. Start the Add Roles Wizard. On the Select Server Roles page, select the Active Directory Certificate Services check box, and then click Next two times.
3. On the Select Role Services page, clear the Certification Authority check box, and then select Network Device Enrollment Service. You are prompted to install IIS and Windows Activation Service.
4. Click Add Required Role Services, and then click Next three times.
5. On the Confirm Installation Options page, click Install.
6. When the installation is complete, review the status page to verify that the installation was successful.
7. Because this is a new installation and there are no pending SCEP certificate requests, click Replace existing Registration Authority (RA) certificates, and then click Next. When the Network Device Enrollment Service is installed on a computer where a registration authority already exists, the existing registration authority and any pending certificate requests are deleted.
8. On the Specify User Account page, click Select User, and type the user name ndes_user1 and password for this account, which the Network Device Enrollment Service will use to authorize certificate requests. Click OK, and then click Next.
9. On the Specify CA page, select either the CA name or Computer name check box, click Browse to locate the CA that will issue the Network Device Enrollment Service certificates, LH_CA_ISSUE1, and then click Next.
10. On the Specify Registration Authority Information page, type ndes_1 in the RA name box. Under Country/region, select the check box for the country/region you are in, and then click Next.
11. On the Configure Cryptography page, accept the default values for the signature and encryption keys, and then click Next.
12. Review the summary of configuration options, and then click Install.
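Once the wizard above finishes, the quickest functional check is to speak SCEP to the service the way a router does. The first two SCEP operations a device sends, GetCACaps and GetCACert, need no authentication and return the service's capability list and the CA plus registration authority certificates that the wizard just enrolled. The following PowerShell script is an added example, not part of the original guide: it sends both queries, decodes the returned PKCS#7 certificate bundle, and warns about the conditions that most often mean the RA enrollment in step 12 failed. The host name LH_NDES and the message value are the lab's; /certsrv/mscep/mscep.dll is the fixed virtual path the Network Device Enrollment Service installs.

```powershell
# Added example (not from the guide): confirm the Network Device Enrollment Service answers
# SCEP by issuing GetCACaps and GetCACert and decoding the certificates it returns.
# Assumptions: NDES host LH_NDES, HTTP (no TLS) as in the lab; run from any domain member.
function Get-NdesScepInfo {
    param([string]$NdesHost = 'LH_NDES', [string]$Message = 'LH_CA_ISSUE1')

    $base = "http://$NdesHost/certsrv/mscep/mscep.dll"
    $wc   = New-Object System.Net.WebClient

    # GetCACaps: plain text, one capability per line (e.g. POSTPKIOperation, Renewal, SHA-1).
    $capsText = $wc.DownloadString("${base}?operation=GetCACaps&message=$Message")
    $caps = @($capsText -split "`r?`n" | Where-Object { $_ })

    # GetCACert: a degenerate PKCS#7 (certificates only) holding the CA certificate and the two
    # RA certificates NDES uses, one to sign responses and one to decrypt enrollment requests.
    $der   = $wc.DownloadData("${base}?operation=GetCACert&message=$Message")
    $ctype = $wc.ResponseHeaders['Content-Type']
    $col   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $col.Import($der)

    $certs = @($col | ForEach-Object {
        $bc = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }   # Basic Constraints
        $ku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }   # Key Usage
        $kuText = ''
        if ($ku) { $kuText = $ku.KeyUsages.ToString() }
        New-Object PSObject -Property @{
            Subject  = $_.Subject
            IsCA     = [bool]($bc -and $bc.CertificateAuthority)
            KeyUsage = $kuText
            NotAfter = $_.NotAfter
        }
    })
    New-Object PSObject -Property @{ Capabilities = $caps; ContentType = $ctype; Certificates = $certs }
}

$info = Get-NdesScepInfo
'Capabilities: ' + ($info.Capabilities -join ', ')
$info.Certificates | Format-Table Subject, IsCA, KeyUsage, NotAfter -AutoSize

# Checks worth doing before pointing devices at the service.
if ($info.ContentType -ne 'application/x-x509-ca-ra-cert') {
    Write-Warning "Content-Type is '$($info.ContentType)'; expected application/x-x509-ca-ra-cert (CA + RA certificates)"
}
$raCerts = @($info.Certificates | Where-Object { -not $_.IsCA })
if ($raCerts.Count -lt 2) {
    Write-Warning 'Fewer than two RA certificates returned; the RA enrollment in the wizard may have failed'
}
if ($raCerts | Where-Object { $_.NotAfter -lt (Get-Date).AddDays(30) }) {
    Write-Warning 'An RA certificate expires within 30 days; devices will stop enrolling when it does'
}
if ($info.Capabilities -notcontains 'POSTPKIOperation') {
    Write-Warning 'POSTPKIOperation not advertised; devices must send PKCS#7 requests in GET URLs'
}
```

These two operations are anonymous by design, so anyone who can reach the server learns the CA and RA certificates; what must stay protected is the administrative page under /certsrv/mscep_admin, which hands out the one-time enrollment challenge passwords and which IIS restricts to authenticated users such as ndes_user1.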
Step 10: Verifying that the Advanced AD CS Test Setup Functions Properly
You can verify the setup steps described previously as you perform them.
After the installation is complete, you should verify that your advanced test setup is functioning properly.

To verify that the advanced AD CS test setup functions properly
1. On the CA, configure several certificate templates to autoenroll certificates for LH_CLI1 and users on this computer.
2. When information about the new certificates has been published to AD DS, open a command prompt on the client computer and enter the following command to start certificate autoenrollment:
certutil -pulse
3. On the client computer, use the Certificates snap-in to verify that the certificates have been issued to the user and to the computer, as appropriate.
4. On the CA, use the Certification Authority snap-in to view and revoke one or more of the issued certificates by clicking Certification Authority (Computer)/CA name/Issued Certificates and selecting the certificate you want to revoke. On the Action menu, point to All Tasks, and then click Revoke Certificate. Select the reason for revoking the certificate, and click Yes.
5. In the Certification Authority snap-in, publish a new CRL by clicking Certification Authority (Computer)/CA name/Revoked Certificates in the console tree. Then, on the Action menu, point to All Tasks, and click Publish.
6. Remove all CRL distribution point extensions from the issuing CA by opening the Certification Authority snap-in and then selecting the CA. On the Action menu, click Properties.
7. On the Extensions tab, confirm that Select extension is set to CRL Distribution Point (CDP).
8. Click any CRL distribution points that are listed, click Remove, and click OK.
9. Stop and restart AD CS.
10. Repeat steps 1 and 2 above, and then verify that clients can still obtain revocation data. To do this, use the Certificates snap-in to export the certificate to a file (*.cer). At a command prompt, type:
certutil -url <exportedcert.cer>
11. In the Verify and Retrieve dialog box that appears, click From CDP and From OCSP and compare the results.
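Steps 10 and 11 above (and the identical steps in the basic-lab verification procedure) rely on the Verify and Retrieve dialog, which is hard to repeat and compare. The following PowerShell function is an added example, not part of the original guide: it performs the same check in code by building the certificate chain with CryptoAPI's online revocation checking, which on Windows Vista and later tries OCSP first when the certificate carries an OCSP URL in its AIA extension and falls back to the CRL otherwise, and it reports which URLs the certificate actually advertises so that the "no CDP, OCSP only" state reached in step 10 is visible. The only assumption is the path of a certificate exported from the client's store.

```powershell
# Added example (not from the guide): revocation check for an exported certificate with
# CryptoAPI online checking, plus the OCSP and CDP URLs the certificate advertises.
# Run on the client (LH_CLI1), which trusts the lab CA. Assumes the exported .cer path.
function Test-LabCertRevocation {
    param([Parameter(Mandatory=$true)][string]$CertPath)

    $ns    = 'System.Security.Cryptography.X509Certificates'
    $cert  = New-Object "$ns.X509Certificate2" $CertPath
    $chain = New-Object "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode      = 'Online'       # fetch revocation data, not cache-only
    $chain.ChainPolicy.RevocationFlag      = 'EntireChain'  # leaf and every CA below the root
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $chain.ChainPolicy.VerificationFlags   = 'NoFlag'       # unknown revocation status is a failure
    $valid = $chain.Build($cert)

    # URLs the certificate carries. AIA = 1.3.6.1.5.5.7.1.1 (OCSP access method ...48.1),
    # CDP = 2.5.29.31. Format($true) renders them as text with "URL=" lines.
    $aiaText = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' } |
                ForEach-Object { $_.Format($true) }) -join ''
    $cdpText = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' } |
                ForEach-Object { $_.Format($true) }) -join ''
    $ocspUrls = @([regex]::Matches($aiaText, '(?s)1\.3\.6\.1\.5\.5\.7\.48\.1\)[^\[]*?URL=(\S+)') |
                  ForEach-Object { $_.Groups[1].Value })
    $cdpUrls  = @([regex]::Matches($cdpText, 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value })

    # One line per chain element. Look for Revoked, RevocationStatusUnknown and OfflineRevocation:
    # the last two mean no revocation source could be reached, not that the certificate is good.
    $elements = @($chain.ChainElements | ForEach-Object {
        $st = @($_.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        if (-not $st) { $st = 'NoError' }
        '{0} => {1}' -f $_.Certificate.Subject, $st
    })

    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        ChainValid = $valid
        OcspUrls   = $ocspUrls
        CdpUrls    = $cdpUrls
        Elements   = $elements
    }
}

# Run once while the CA still stamps a CDP (before step 6) and again on a certificate
# enrolled after step 10. Clear CryptoAPI's URL cache first so the fetch really happens.
& certutil -urlcache * delete | Out-Null
$result = Test-LabCertRevocation -CertPath 'C:\temp\exportedcert.cer'
$result | Format-List Subject, ChainValid, OcspUrls, CdpUrls, Elements
```

After step 10 a freshly enrolled certificate should show an empty CdpUrls, the responder URL from the AIA procedure in OcspUrls, and ChainValid True; the certificate revoked in step 4 should show ChainValid False with Revoked on its element. If instead you see RevocationStatusUnknown or OfflineRevocation, the client could reach neither a CRL nor the responder, which is the failure mode the comparison in step 11 is meant to surface.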