
Windows Server 2008 Active Directory Certificate Services Step-By-Step Guide

Microsoft Corporation. Published: April 2007. Author: Roland Winkler. Editor: Debbie Swanson

Abstract
This step-by-step guide describes the steps needed to set up a basic configuration of Active Directory® Certificate Services (AD CS) in a lab environment. AD CS in Windows Server® 2008 provides customizable services for creating and managing public key certificates used in software security systems employing public key technologies.

Copyright Information
This document supports a preliminary release of a software product that may be changed substantially prior to final commercial release, and is the confidential and proprietary information of Microsoft Corporation. It is disclosed pursuant to a non-disclosure agreement between the recipient and Microsoft. This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. © 2007 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, MS-DOS, Visual Basic, Visual Studio, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

Contents
Windows Server 2008 Active Directory Certificate Services Step-By-Step Guide
Abstract
Copyright Information
Contents
Windows Server Active Directory Certificate Services Step-by-Step Guide
AD CS Technology Review
Requirements for Using AD CS
AD CS Basic Lab Scenario
Steps for Setting up a Basic Lab
Step 1: Setting Up an Enterprise Root CA
Step 2: Installing the Online Responder
Step 3: Configuring the CA to Issue OCSP Response Signing Certificates
Step 4: Creating a Revocation Configuration
Step 5: Verifying that the AD CS Lab Setup Functions Properly
AD CS Advanced Lab Scenario
Steps for Setting Up an Advanced Lab
Step 1: Setting Up the Stand-Alone Root CA
Step 2: Setting Up the Enterprise Subordinate Issuing CA
Step 3: Installing and Configuring the Online Responder
Step 4: Configuring the Issuing CA to Issue OCSP Response Signing Certificates
Step 5: Configuring the Authority Information Access Extension to Support the Online Responder
Step 6: Assigning the OCSP Response Signing Template to a CA
Step 7: Enrolling for an OCSP Response Signing Certificate
Step 8: Creating a Revocation Configuration
Step 9: Setting Up and Configuring the Network Device Enrollment Service
Step 10: Verifying that the Advanced AD CS Test Setup Functions Properly

Windows Server Active Directory Certificate Services Step-by-Step Guide


This step-by-step guide describes the steps needed to set up a basic configuration of Active Directory® Certificate Services (AD CS) in a lab environment. AD CS in Windows Server® 2008 provides customizable services for creating and managing public key certificates used in software security systems that employ public key technologies. This document includes:
A review of AD CS features
Requirements for using AD CS
Procedures for a basic lab setup to test AD CS on a minimum number of computers
Procedures for an advanced lab setup to test AD CS on a larger number of computers to more realistically simulate real-world configurations

AD CS Technology Review
Using the Active Directory Certificate Services option of the Add Roles Wizard, you can set up the following components of AD CS:
Certification authorities (CAs). Root and subordinate CAs are used to issue certificates to users, computers, and services, and to manage their validity.
CA Web enrollment. Web enrollment allows users to connect to a CA by means of a Web browser in order to:
Request certificates and review certificate requests.
Retrieve certificate revocation lists (CRLs).
Perform smart card certificate enrollment.

Online Responder service. The Online Responder service implements the Online Certificate Status Protocol (OCSP) by decoding revocation status requests for specific certificates, evaluating the status of these certificates, and sending back a signed response containing the requested certificate status information.
Important: Online Responders can be used as an alternative to or an extension of CRLs to provide certificate revocation data to clients. Microsoft Online Responders are based on and comply with RFC 2560 for OCSP. For more information about RFC 2560, see the Internet Engineering Task Force Web site (http://go.microsoft.com/fwlink/?LinkID=67082).

Network Device Enrollment Service. The Network Device Enrollment Service allows routers and other network devices to obtain certificates based on the Simple Certificate Enrollment Protocol (SCEP) from Cisco Systems Inc.
Note: SCEP was developed to support the secure, scalable issuance of certificates to network devices by using existing CAs. The protocol supports CA and registration authority public key distribution, certificate enrollment, certificate revocation, certificate queries, and certificate revocation queries.

Requirements for Using AD CS


CAs can be set up on servers running a variety of operating systems, including Windows® 2000 Server, Windows Server® 2003, and Windows Server 2008. However, not all operating systems support all features or design requirements, and creating an optimal design requires careful planning and lab testing before you deploy AD CS in a production environment. Although you can deploy AD CS with as little hardware as a single server for a single CA, many deployments involve multiple servers configured as root, policy, and issuing CAs, and other servers configured as Online Responders.
Note: A limited set of server roles is available for a Server Core installation of Windows Server 2008 and for Windows Server 2008 for Itanium-based Systems.
The following table lists the AD CS components that can be configured on different editions of Windows Server 2008.
Components                           Web   Standard   Enterprise   Datacenter
CA                                   No    Yes        Yes          Yes
Network Device Enrollment Service    No    No         Yes          Yes
Online Responder service             No    No         Yes          Yes

The following features are available on servers running Windows Server 2008 that have been configured as CAs.
AD CS features                                Web   Standard   Enterprise   Datacenter
Version 2 and version 3 certificate templates No    No         Yes          Yes
Key archival                                  No    No         Yes          Yes
Role separation                               No    No         Yes          Yes
Certificate Manager restrictions              No    No         Yes          Yes
Delegated enrollment agent restrictions       No    No         Yes          Yes

AD CS Basic Lab Scenario


The following sections describe how you can set up a lab to begin evaluating AD CS. We recommend that you first use the steps provided in this guide in a test lab environment. Step-by-step guides are not necessarily meant to be used to deploy Windows Server features without accompanying documentation and should be used with discretion as a stand-alone document.

Steps for Setting up a Basic Lab


You can begin testing many features of AD CS in a lab environment by using as few as two servers running Windows Server 2008 and one client computer running Windows Vista®. The computers for this guide are named as follows:
LH-DC1: This computer will be the domain controller for your test environment.
LH-PKI1: This computer will host an enterprise root CA for the test environment. This CA will issue client certificates for the Online Responder and client computers.
Note: Enterprise CAs and Online Responders can only be installed on servers running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter.
LH-CLI1: This client computer running Windows Vista will autoenroll for certificates from LH-PKI1 and verify certificate status from LH-PKI1.
To configure the basic lab setup for AD CS, you need to complete the following prerequisite steps:
Set up a domain controller on LH-DC1 for contoso.com, including some organizational units (OUs) to contain one or more users for the client computer, client computers in the domain, and for the servers hosting CAs and Online Responders.
Install Windows Server 2008 on LH-PKI1, and join LH-PKI1 to the domain.
Install Windows Vista on LH-CLI1, and join LH-CLI1 to contoso.com.

After you have completed these preliminary setup procedures, you can begin to complete the following steps:
Step 1: Setting Up an Enterprise Root CA
Step 2: Installing the Online Responder
Step 3: Configuring the CA to Issue OCSP Response Signing Certificates
Step 4: Creating a Revocation Configuration
Step 5: Verifying that the AD CS Lab Setup Functions Properly

Step 1: Setting Up an Enterprise Root CA


An enterprise root CA is the anchor of trust for the basic lab setup. It will be used to issue certificates to the Online Responder and client computer, and to publish certificate information to Active Directory Domain Services (AD DS).
Note: Enterprise CAs and Online Responders can only be installed on servers running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter.
To set up an enterprise root CA
1. Log on to LH-PKI1 as a domain administrator.
2. Click Start, point to Administrative Tools, and then click Server Manager.
3. In the Roles Summary section, click Add roles.
4. On the Select Server Roles page, select the Active Directory Certificate Services check box. Click Next two times.
5. On the Select Role Services page, select the Certification Authority check box, and then click Next.
6. On the Specify Setup Type page, click Enterprise, and then click Next.
7. On the Specify CA Type page, click Root CA, and then click Next.
8. On the Set Up Private Key and Configure Cryptography for CA pages, you can configure optional configuration settings, including cryptographic service providers. However, for basic testing purposes, accept the default values by clicking Next twice.
9. In the Common name for this CA box, type the common name of the CA, RootCA1, and then click Next.
10. On the Set the Certificate Validity Period page, accept the default validity duration for the root CA, and then click Next.
11. On the Configure Certificate Database page, accept the default values or specify other storage locations for the certificate database and the certificate database log, and then click Next.
12. After verifying the information on the Confirm Installation Options page, click Install.
13. Review the information on the confirmation screen to verify that the installation was successful.

Step 2: Installing the Online Responder


An Online Responder can be installed on any computer running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter. The certificate revocation data can come from a CA on a computer running Windows Server 2008, a CA on a computer running Windows Server 2003, or from a non-Microsoft CA.
Note: IIS must also be installed on this computer before the Online Responder can be installed.
To install the Online Responder
1. Log on to LH-PKI1 as a domain administrator.
2. Click Start, point to Administrative Tools, and then click Server Manager.
3. Click Manage Roles. In the Active Directory Certificate Services section, click Add role services.
4. On the Select Role Services page, select the Online Responder check box. You are prompted to install IIS and Windows Activation Service.
5. Click Add Required Role Services, and then click Next three times.
6. On the Confirm Installation Options page, click Install.
7. When the installation is complete, review the status page to verify that the installation was successful.

Step 3: Configuring the CA to Issue OCSP Response Signing Certificates


Configuring a CA to support Online Responder services involves configuring certificate templates and issuance properties for OCSP Response Signing certificates and then completing additional steps on the CA to support the Online Responder and certificate issuance.
Note: These certificate template and autoenrollment steps can also be used to configure certificates that you want to issue to a client computer or client computer users.

To configure certificate templates for your test environment
1. Log on to LH-PKI1 as a CA administrator.
2. Open the Certificate Templates snap-in.
3. Right-click the OCSP Response Signing template, and then click Duplicate Template.
4. Type a new name for the duplicated template, such as OCSP Response Signing_2.
5. Right-click the OCSP Response Signing_2 certificate template, and then click Properties.
6. Click the Security tab. Under Group or user name, click Add, and then type the name or browse to select the computer hosting the Online Responder service.
7. Click the computer name, LH-PKI1, and in the Permissions dialog box, select the Read and Autoenroll check boxes.
8. While you have the Certificate Templates snap-in open, you can configure certificate templates for users and computers by substituting the desired templates in step 3, and repeating steps 4 through 7 to configure permissions for LH-CLI1 and your test user accounts.
To configure the CA to support Online Responders, you need to use the Certification Authority snap-in to complete two key steps:
Add the location of the Online Responder to the authority information access extension of issued certificates.
Enable the certificate templates that you configured in the previous procedure for the CA.

To configure a CA to support the Online Responder service
1. Open the Certification Authority snap-in.
2. In the console tree, click the name of the CA.
3. On the Action menu, click Properties.
4. Click the Extensions tab. In the Select extension list, click Authority Information Access (AIA).
5. Select the Include in the AIA extension of issued certificates and Include in the online certificate status protocol (OCSP) extension check boxes.
6. Specify the locations from which users can obtain certificate revocation data; for this setup, the location is http://LH-PKI1/ocsp.
7. In the console tree of the Certification Authority snap-in, right-click Certificate Templates, and then click New Certificate Templates to Issue.
8. In Enable Certificate Templates, select the OCSP Response Signing template and any other certificate templates that you configured previously, and then click OK.
9. Open Certificate Templates, and verify that the modified certificate templates appear in the list.

Step 4: Creating a Revocation Configuration


A revocation configuration includes all of the settings that are needed to respond to status requests regarding certificates that have been issued by using a specific CA key. These configuration settings include the CA certificate, the signing certificate for the Online Responder, and the locations to which clients are directed to send their status requests.
Important: Before you create a revocation configuration, ensure that certificate enrollment has taken place so that a signing certificate exists on the computer, and adjust the permissions on the signing certificate to allow the Online Responder to use it.
To verify that the signing certificate is properly configured
1. Start or restart LH-PKI1 to enroll for certificates.
2. Log on as a CA administrator.
3. Open the Certificates snap-in for the computer account. Open the Personal certificate store for the computer, and verify that it contains a certificate titled OCSP Response Signing.
4. Right-click this certificate, and then click Manage Private Keys.
5. Click the Security tab. In the Group or user name dialog box, click Add, enter Network Service to the Group or user name list, and then click OK.
6. Click Network Service, and in the Permissions dialog box, select the Full Control check box.
7. Click OK twice.
Creating a revocation configuration involves the following tasks:
Identify the CA certificate for the CA that supports the Online Responder.
Identify the CRL distribution point for the CA.
Select a signing certificate that will be used to sign revocation status responses.
Select a revocation provider, the component responsible for retrieving and caching the revocation information used by the Online Responder.
To create a revocation configuration
1. Open the Online Responder snap-in.
2. In the Actions pane, click Add Revocation Configuration to start the Add Revocation Configuration wizard, and then click Next.
3. On the Name the Revocation Configuration page, type a name for the revocation configuration, such as LH-RC1, and then click Next.
4. On the Select CA Certificate Location page, click Select a certificate from an existing enterprise CA, and then click Next.
5. On the following page, the name of the CA, LH-PKI1, should appear in the Browse CA certificates published in Active Directory box. If it appears, click the name of the CA that you want to associate with your revocation configuration, and then click Next.
If it does not appear, click Browse for CA Computer and type the name of the computer hosting LH-PKI1 or click Browse to locate this computer. When you have located the computer, click Next.
Note: You might also be able to link to the CA certificate from the local certificate store, or by importing it from removable media in step 4.
6. View the certificate and copy the CRL distribution point for the parent root CA, RootCA1. To do this:
a. Open the Certificate Services snap-in. Select an issued certificate.
b. Double-click the certificate, and then click the Details tab.
c. Scroll down and select the CRL Distribution Points field.
d. Select and copy the URL for the CRL distribution point that you want to use.
e. Click OK.
7. On the Select Signing Certificate page, accept the default option, Automatically select signing certificate, and then click Next.
8. On the Revocation Provider page, click Provider.
9. On the Revocation Provider Properties page, click Add, enter the URL of the CRL distribution point, and then click OK.
10. Click Finish.
11. Using the Online Responder snap-in, select the revocation configuration, and then examine the status information to verify that it is functioning properly. You should also be able to examine the properties of the signing certificate to verify that the Online Responder is configured properly.
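Steps 4 to 7 of "To verify that the signing certificate is properly configured" grant Network Service access to the private key through the GUI, and a missing grant is the usual reason a new revocation configuration reports a signing error. The following PowerShell script is an added example, not part of the guide: run elevated on the computer hosting the Online Responder (LH-PKI1 here), it locates the OCSP Response Signing certificate in the computer's Personal store by its OCSP Signing EKU and reports the ACL on the key container file. It assumes the wizard's default software CSP, which stores machine keys under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys.

```powershell
# Added example: verify that NETWORK SERVICE (the identity the Online Responder
# runs under) can use the private key of the OCSP Response Signing certificate.
# Run elevated on the Online Responder computer (LH-PKI1 in the basic lab).
$OcspSigningEku = '1.3.6.1.5.5.7.3.9'          # id-kp-OCSPSigning
$NetworkService = 'NT AUTHORITY\NETWORK SERVICE'

function Get-OcspSigningCertificates {
    # Certificates in LocalMachine\My whose EKU extension lists OCSP Signing.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $ext = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $ext -and ($ext.EnhancedKeyUsages | Where-Object { $_.Value -eq $OcspSigningEku })
    }
}

function Get-MachineKeyPath {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Assumption: the key is held by a CSP (the wizard default). CNG keys are
    # stored elsewhere and would need a different lookup.
    if (-not $Cert.HasPrivateKey) { return $null }
    $container = $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
}

$certs = @(Get-OcspSigningCertificates)
if ($certs.Count -eq 0) {
    'No OCSP Response Signing certificate in LocalMachine\My: autoenrollment has not run yet (restart, or run certutil -pulse).'
    return
}

foreach ($cert in $certs) {
    "Certificate: $($cert.Subject)  thumbprint $($cert.Thumbprint)  expires $($cert.NotAfter)"
    $keyPath = Get-MachineKeyPath -Cert $cert
    if (-not $keyPath) { '  No private key is associated with this certificate.'; continue }

    $acl = Get-Acl -Path $keyPath
    $grant = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $NetworkService -and $_.AccessControlType -eq 'Allow'
    }
    if ($grant) {
        # The guide grants Full Control; Read on the key file is what signing needs.
        "  NETWORK SERVICE has: $(($grant | ForEach-Object { $_.FileSystemRights }) -join ', ')"
    } else {
        '  NETWORK SERVICE has no access to the key file; the Online Responder cannot sign responses.'
        '  Grant it through Manage Private Keys (steps 4 to 7) or: icacls "' + $keyPath + '" /grant "NETWORK SERVICE:R"'
    }
}
```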

Step 5: Verifying that the AD CS Lab Setup Functions Properly


You can verify the setup steps described previously as you perform them. After the installation is complete, you should verify that your basic test setup is functioning properly by confirming that you can autoenroll certificates, revoke certificates, and make accurate revocation data available from the Online Responder.

To verify that the AD CS test setup functions properly
1. On the CA, configure several certificate templates to autoenroll certificates for LH-CLI1 and users on this computer.
2. When information about the new certificates has been published to AD DS, open a command prompt on the client computer and enter the following command to start certificate autoenrollment:
certutil -pulse

3. On LH-CLI1, use the Certificates snap-in to verify that the certificates have been issued to the user and to the computer, as appropriate.
4. On the CA, use the Certification Authority snap-in to view and revoke one or more of the issued certificates by clicking Certification Authority (Computer)\CA name\Issued Certificates and selecting the certificate you want to revoke. On the Action menu, point to All Tasks, and then click Revoke Certificate. Select the reason for revoking the certificate, and click Yes.
5. In the Certification Authority snap-in, publish a new CRL by clicking Certification Authority (Computer)\CA name\Revoked Certificates in the console tree. Then, on the Action menu, point to All Tasks, and click Publish.
6. Remove all CRL distribution point extensions from the issuing CA by opening the Certification Authority snap-in and then selecting the CA. On the Action menu, click Properties.
7. On the Extensions tab, confirm that Select extension is set to CRL Distribution Point (CDP).
8. Click any CRL distribution points that are listed, click Remove, and then click OK.
9. Stop and restart AD CS.
10. Repeat steps 1 and 2 above, and then verify that clients can still obtain revocation data. To do this, use the Certificates snap-in to export the certificate to a file (*.cer). At a command prompt, type:
certutil -url <exportedcert.cer>

11. In the Verify and Retrieve dialog box that appears, click From CDP and From OCSP and compare the results.
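Steps 10 and 11 above use the certutil -url dialog. The following PowerShell script is an added example, not from the guide, that performs the same check non-interactively on LH-CLI1: it exports one enrolled certificate from the user's Personal store (public part only) and runs certutil -verify -urlfetch, which retrieves the AIA, CDP and OCSP URLs embedded in the certificate and reports each fetch. The line patterns it parses from certutil's output are assumptions about that output.

```powershell
# Added example: non-interactive revocation-source check for an enrolled
# client certificate. Run on the client (LH-CLI1) as the enrolled user.
param([string]$Thumbprint)   # optional: check a specific certificate

function Export-ClientCertificate {
    param([string]$Thumbprint)
    $enrolled = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey }
    $cert = if ($Thumbprint) {
        $enrolled | Where-Object { $_.Thumbprint -eq $Thumbprint }
    } else {
        $enrolled | Select-Object -First 1
    }
    if (-not $cert) { throw 'No enrolled certificate in CurrentUser\My; run certutil -pulse first.' }
    $path = Join-Path $env:TEMP ('{0}.cer' -f $cert.Thumbprint)
    # DER-encoded certificate only; the private key never leaves the store.
    [System.IO.File]::WriteAllBytes($path,
        $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
    $path
}

function Test-RevocationSources {
    param([string]$CerPath)
    $lines = certutil -verify -urlfetch $CerPath
    # Assumption about certutil's output: each URL group is introduced by a line
    # such as   Verified "OCSP" Time: 0   or   Failed "Base CRL (1a)" Time: 0
    # and a revoked certificate produces a line containing REVOKED.
    $results = @{}
    foreach ($line in $lines) {
        if ($line -match '^\s*(Verified|Failed|Expired)\s+"([^"]+)"') {
            $results[$matches[2]] = $matches[1]
        }
    }
    New-Object PSObject -Property @{
        OcspResult = $results['OCSP']
        CdpResults = ($results.Keys | Where-Object { $_ -like '*CRL*' } |
                      ForEach-Object { "$_=$($results[$_])" }) -join '; '
        Revoked    = [bool]($lines -match 'REVOKED')
        RawOutput  = $lines
    }
}

$cer = Export-ClientCertificate -Thumbprint $Thumbprint
$r = Test-RevocationSources -CerPath $cer
"Certificate file : $cer"
"OCSP responder   : $(if ($r.OcspResult) { $r.OcspResult } else { 'no OCSP URL in certificate' })"
"CRL distribution : $(if ($r.CdpResults) { $r.CdpResults } else { 'no CDP URL in certificate' })"
"Revoked          : $($r.Revoked)"
# A certificate issued after step 8 carries no CDP URL, so its status must come
# from the OCSP responder; the OCSP line should read Verified in that case.
```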

AD CS Advanced Lab Scenario


The following sections describe how you can set up a lab to evaluate more features of AD CS than in the basic lab setup.

Steps for Setting Up an Advanced Lab


To test additional features of AD CS in a lab environment, you will need five computers running Windows Server 2008 and one client computer running Windows Vista. The computers for this guide are named as follows:
LH-DC1: This computer will be the domain controller for your test environment.
LH-CA-ROOT1: This computer will host a stand-alone root CA for the test environment.
LH-CA-ISSUE1: This enterprise CA will be subordinate to LH-CA-ROOT1 and issue client certificates for the Online Responder and client computers.
Note: Enterprise CAs and Online Responders can only be installed on servers running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter.
LH-ORS1: This server will host the Online Responder.
LH-NDES: This server will host the Network Device Enrollment Service that makes it possible to issue and manage certificates for routers and other network devices.
LH-CLI1: This client computer running Windows Vista will autoenroll for certificates from LH-CA-ISSUE1 and verify certificate status from LH-ORS1.
To configure the advanced lab setup for AD CS, you need to complete the following prerequisite steps:
1. Set up a domain controller on LH-DC1 for contoso.com, including some OUs to contain one or more users for LH-CLI1, client computers in the domain, and for the servers hosting CAs and Online Responders.
2. Install Windows Server 2008 on the other servers in the test configuration and join them to the domain.
3. Install Windows Vista on LH-CLI1, and join LH-CLI1 to contoso.com.
After you have completed these preliminary setup procedures, you can begin to complete the following steps:
Step 1: Setting Up the Stand-Alone Root CA
Step 2: Setting Up the Enterprise Subordinate Issuing CA
Step 3: Installing and Configuring the Online Responder
Step 4: Configuring the Issuing CA to Issue OCSP Response Signing Certificates
Step 5: Configuring the Authority Information Access Extension to Support the Online Responder
Step 6: Assigning the OCSP Response Signing Template to a CA
Step 7: Enrolling for an OCSP Response Signing Certificate
Step 8: Creating a Revocation Configuration
Step 9: Setting Up and Configuring the Network Device Enrollment Service
Step 10: Verifying that the Advanced AD CS Test Setup Functions Properly

Step 1: Setting Up the Stand-Alone Root CA


A stand-alone root CA is the anchor of trust for this lab setup. It will be used to issue certificates to the subordinate issuing CA. Because it is critical to the security of the public key infrastructure (PKI), this CA is online in many PKIs only when needed to issue certificates to subordinate CAs.
To set up a stand-alone root CA
1. Log on to LH-CA-ROOT1 as an administrator.
2. Start the Add Roles Wizard. On the Select Server Roles page, select the Active Directory Certificate Services check box, and then click Next two times.
3. On the Select Role Services page, select the Certification Authority check box, and then click Next.
4. On the Specify Setup Type page, click Standalone, and then click Next.
5. On the Specify CA Type page, click Root CA, and then click Next.
6. On the Set Up Private Key and Configure Cryptography for CA pages, you can configure optional settings, including cryptographic service providers. However, for basic testing purposes, accept the default values by clicking Next twice.
7. In the Common name for this CA box, type the common name of the CA, RootCA1, and then click Next.
8. On the Set the Certificate Validity Period page, accept the default validity duration for the root CA, and then click Next.
9. On the Configure Certificate Database page, accept the default values or specify other storage locations for the certificate database and the certificate database log, and then click Next.
10. After verifying the information on the Confirm Installation Options page, click Install.

Step 2: Setting Up the Enterprise Subordinate Issuing CA


Most organizations use at least one subordinate CA to protect the root CA from unnecessary exposure. An enterprise CA also allows you to use certificate templates and to use AD DS for enrollment and publishing certificates.
To set up an enterprise subordinate issuing CA
1. Log on to LH-CA-ISSUE1 as a domain administrator.
2. Start the Add Roles Wizard. On the Select Server Roles page, select the Active Directory Certificate Services check box, and then click Next two times.
3. On the Select Role Services page, select the Certification Authority check box, and then click Next.
4. On the Specify Setup Type page, click Enterprise, and then click Next.
5. On the Specify CA Type page, click Subordinate CA, and then click Next.
6. On the Set Up Private Key and Configure Cryptography for CA pages, you can configure optional settings, including cryptographic service providers. However, for basic testing purposes, accept the default values by clicking Next twice.
7. On the Request Certificate page, browse to locate LH-CA-ROOT1, or, if the root CA is not connected to the network, save the certificate request to a file so that it can be processed later. Click Next. The subordinate CA setup will not be usable until it has been issued a root CA certificate and this certificate has been used to complete the installation of the subordinate CA.
8. In the Common name for this CA box, type the common name of the CA, LH-CA-ISSUE1.
9. On the Set the Certificate Validity Period page, accept the default validity duration for the CA, and then click Next.
10. On the Configure Certificate Database page, accept the default values or specify other storage locations for the certificate database and the certificate database log, and then click Next.
11. After verifying the information on the Confirm Installation Options page, click Install.

Step 3: Installing and Configuring the Online Responder


An Online Responder can be installed on any computer running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter. The certificate revocation data can come from a CA on a computer running Windows Server 2008, a CA on a computer running Windows Server 2003, or from a non-Microsoft CA. An Online Responder will typically not be installed on the same computer as a CA.
Note: IIS must also be installed on this computer before the Online Responder can be installed. As part of the setup process, a virtual directory named OCSP is created in IIS and the Web proxy is registered as an Internet Server Application Programming Interface (ISAPI) extension.
To install the Online Responder service
1. Log on to LH-ORS1 as an administrator.
2. Start the Add Roles Wizard. On the Select Server Roles page, select the Active Directory Certificate Services check box, and then click Next two times.
3. On the Select Role Services page, clear the Certification Authority check box, select the Online Responder check box, and then click Next. You are prompted to install IIS and Windows Activation Service.
4. Click Add Required Role Services, and then click Next three times.
5. On the Confirm Installation Options page, click Install.
6. When the installation is complete, review the status page to verify that the installation was successful.

Step 4: Configuring the Issuing CA to Issue OCSP Response Signing Certificates


As with any certificate template, the OCSP Response Signing template must be configured with the enrollment permissions for Read, Enroll, Autoenroll, and Write before any certificates can be issued based on the template.
To configure certificate templates for your test environment
1. Log on to LH-CA-ISSUE1 as a CA administrator.
2. Open the Certificate Templates snap-in.
3. Right-click the OCSP Response Signing template, and then click Duplicate Template.
4. Type a new name for the duplicated template, such as OCSP Response Signing_2.
5. Right-click the OCSP Response Signing_2 certificate template, and then click Properties.
6. Click the Security tab. Under Group or user name, click Add and type the name or browse to select the computer hosting the Online Responder service.
7. Click the computer name, LH-ORS1, and in the Permissions dialog box, select the Read and Autoenroll check boxes.
8. While you have the Certificate Templates snap-in open, you can configure certificate templates for users and computers by substituting the desired templates in step 3, and repeating steps 4 through 7 to configure permissions for LH-CLI1 and your test user accounts.

Step 5: Configuring the Authority Information Access Extension to Support the Online Responder

You need to configure the CAs to include the URL for the Online Responder as part of the authority information access (AIA) extension of the issued certificates. This URL is what an OCSP client reads from a certificate to find the responder that can report the certificate's status; certificates issued before the change do not carry it.

To configure the authority information access extension to support the Online Responder
1. Log on to LH-CA-ISSUE1 as a CA administrator.
2. Open the Certification Authority snap-in.
3. In the console tree, click the name of the CA.
4. On the Action menu, click Properties.
5. On the Extensions tab, click Select extension, and then click Authority Information Access (AIA).
6. Click Add, type the location from which clients can obtain certificate status (for this setup, http://LH-ORS1/ocsp), and then click OK.
7. With the new location selected, select the Include in the online certificate status protocol (OCSP) extension check box. Leave Include in the AIA extension of issued certificates cleared for this location: that check box marks a location as a place to download CA certificates (caIssuers), not as an OCSP responder, and clients would try to fetch a certificate from the responder address.
8. Click OK. When you are prompted to restart Active Directory Certificate Services, click Yes; only certificates issued after the restart contain the new location.
9. In the console tree of the Certification Authority snap-in, right-click Certificate Templates, and then click New, Certificate Template to Issue.
10. In Enable Certificate Templates, select the OCSP Response Signing template and any other certificate templates that you configured previously, and then click OK.
11. Open Certificate Templates, and verify that the modified certificate templates appear in the list.
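The same AIA change made from the command line on LH-CA-ISSUE1, with a check that a freshly issued certificate actually carries the responder URL. This is an added example, not part of the guide; it assumes an elevated prompt on the CA, the responder location http://LH-ORS1/ocsp used above, and a test certificate exported to C:\temp\test.cer after the CA restart (a path the guide does not mention).

```powershell
# Added example (not from the guide): configure the OCSP location in the AIA
# extension with certutil instead of the Extensions tab. Run elevated on LH-CA-ISSUE1.
$ErrorActionPreference = "Stop"
$ocspUrl = "http://LH-ORS1/ocsp"

# The CA stores its AIA locations in the REG_MULTI_SZ value CA\CACertPublicationURLs.
# Each entry is "<flags>:<url>". Flag 32 is "Include in the online certificate
# status protocol (OCSP) extension". Flag 2 would be "Include in the AIA extension
# of issued certificates" (caIssuers), which is wrong for a responder address, so
# it is deliberately not set. The "+" prefix appends an entry to the list.
certutil -setreg "CA\CACertPublicationURLs" "+32:$ocspUrl"
if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed: exit code $LASTEXITCODE" }

# Show the resulting list so the flags on every location can be reviewed.
certutil -getreg "CA\CACertPublicationURLs"

# The change is read at service start; issue no certificates until this completes.
Restart-Service -Name certsvc

# Check on a certificate issued after the restart: the AIA extension
# (OID 1.3.6.1.5.5.7.1.1) must name the responder. Assumption: C:\temp\test.cer
# is a certificate exported from the CA's Issued Certificates view.
function Test-AiaHasOcspUrl {
    param([string]$CertPath, [string]$Url)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
    $aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq "1.3.6.1.5.5.7.1.1" }
    if (-not $aia) { return $false }
    # Format($true) renders one access description per block; the OCSP access
    # method is 1.3.6.1.5.5.7.48.1 and is followed by its URL.
    $text = $aia.Format($true)
    return [bool]($text -match '(?s)1\.3\.6\.1\.5\.5\.7\.48\.1.*?URL=' + [regex]::Escape($Url))
}

if (Test-AiaHasOcspUrl -CertPath "C:\temp\test.cer" -Url $ocspUrl) {
    "AIA extension contains OCSP location $ocspUrl"
} else {
    "AIA extension does NOT contain $ocspUrl (certificate issued before the restart, or flag 32 missing)"
}
```

certutil -getreg prints each location with its flag value, so an entry that shows 34 (2 + 32) instead of 32 is the symptom of having selected both check boxes in the snap-in.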

Step 6: Assigning the OCSP Response Signing Template to a CA

Once the templates are properly configured, the CA needs to be configured to issue that template. An enterprise CA issues only the templates listed under its Certificate Templates folder, so a duplicated template is not available to enrollees until it is added here.

To configure the CA to issue certificates based on the newly created OCSP Response Signing template
1. Open the Certification Authority snap-in.
2. Right-click Certificate Templates, and then click New, Certificate Template to Issue.
3. Select the OCSP Response Signing-2 template from the list of available templates, and then click OK.

Step 7: Enrolling for an OCSP Response Signing Certificate

Enrollment might not take place right away. Therefore, before you proceed to the next step, confirm that certificate enrollment has taken place so that a signing certificate exists on the computer, and verify that the permissions on the signing certificate's private key allow the Online Responder service (which runs as Network Service) to use it.

To verify that the signing certificate is properly configured
1. Start or restart LH-ORS1 to enroll for the certificates. Alternatively, run certutil -pulse at an elevated command prompt on LH-ORS1 to trigger autoenrollment without a restart.
2. Log on as a CA administrator.
3. Open the Certificates snap-in for the computer. Open the Personal certificate store for the computer, and then verify that it contains a certificate issued from the OCSP Response Signing-2 template.
4. Right-click this certificate, point to All Tasks, and then click Manage Private Keys.
5. Click the Security tab. Under Group or user name, click Add, type Network Service, and then click OK.
6. Click Network Service, and in the Permissions dialog box, select the Full Control check box. Click OK twice. (Read permission on the key is all the responder needs to sign responses; Full Control is what the guide's test setup uses.)
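The same check and permission change done from the command line on LH-ORS1. This is an added example, not part of the guide; it assumes an elevated prompt, and that the template uses a CSP (CAPI) RSA key, the default for OCSP Response Signing, so the private key is a file under the machine key store. It grants Read rather than the Full Control the wizard steps select; change the right if you want to match the dialog exactly.

```powershell
# Added example (not from the guide): find the enrolled OCSP signing certificate in
# the computer's Personal store and grant NETWORK SERVICE access to its private key.
$ErrorActionPreference = "Stop"

# Trigger autoenrollment now instead of rebooting (same command the guide uses in Step 10).
certutil -pulse | Out-Null

# The signing certificate is the one in LocalMachine\My that has a private key and the
# id-kp-OCSPSigning enhanced key usage (1.3.6.1.5.5.7.3.9); take the newest if several.
function Get-OcspSigningCertificate {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
    $store.Open("ReadOnly")
    try {
        $store.Certificates | Where-Object {
            $_.HasPrivateKey -and (
                $_.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.9" })
        } | Sort-Object NotBefore -Descending | Select-Object -First 1
    } finally { $store.Close() }
}

$cert = Get-OcspSigningCertificate
if (-not $cert) { throw "No OCSP signing certificate with a private key in LocalMachine\My; enrollment has not happened yet." }
"Signing certificate: $($cert.Subject), thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"

# For CSP keys the container is a file under the machine key store; its name comes
# from the key container info, so no guessing of file names is needed.
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
if (-not (Test-Path $keyFile)) { throw "Key file not found: $keyFile" }

# Grant the responder's service account access to the key. Read is sufficient for
# signing; use "FullControl" instead to match the Manage Private Keys dialog step.
$acl = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\NETWORK SERVICE", "Read", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Show the resulting ACL for comparison with the Security tab.
(Get-Acl -Path $keyFile).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
```

If the script throws at the PrivateKey line, the key was created with a KSP (CNG) provider rather than a CSP; the snap-in's Manage Private Keys dialog works for both, so fall back to the steps above in that case.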

Step 8: Creating a Revocation Configuration

Creating a revocation configuration involves the following tasks:
- Identify the CA certificate for the CA that supports the Online Responder.
- Identify the CRL distribution point for the CA.
- Select a signing certificate that will be used to sign revocation status responses.
- Select a revocation provider, the component responsible for retrieving and caching the revocation information used by the Online Responder.

To create a revocation configuration
1. Log on to LH-ORS1 as a domain administrator.
2. Open the Online Responder snap-in.
3. In the Actions pane, click Add Revocation Configuration to start the Add Revocation Configuration wizard, and then click Next.
4. On the Name the Revocation Configuration page, type a name for the revocation configuration, such as LH-RC1, and then click Next.
5. On the Select CA Certificate Location page, click Select a certificate for an existing enterprise CA, and then click Next.
6. On the following page, the name of the CA, LH-CA-ISSUE1, should appear in the Browse CA certificates published in Active Directory box. If it appears, click the name of the CA that you want to associate with your revocation configuration, and then click Next.

If it does not appear, click Browse for CA Computer and type the name of the computer hosting LH-CA-ISSUE1 or click Browse to locate this computer. When you have located the computer, click Next.

Note
You might also be able to link to the CA certificate from the local certificate store, or by importing it from removable media, in step 5.

7. Find the URL of the CRL that LH-CA-ISSUE1 publishes: this is the CRL the revocation provider will download to answer for certificates issued by LH-CA-ISSUE1 (not the root CA's CRL, which only covers the subordinate CA certificate itself). The URL is in the CRL Distribution Points extension of any certificate issued by LH-CA-ISSUE1. To copy it:
   a. Open the Certification Authority snap-in on LH-CA-ISSUE1, click Issued Certificates, and select an issued certificate.
   b. Double-click the certificate, and then click the Details tab.
   c. Scroll down and select the CRL Distribution Points field.
   d. Select and copy the URL for the CRL distribution point that you want to use. An HTTP URL is the better choice, because the responder then does not depend on LDAP access to retrieve the CRL.
   e. Click OK.
8. On the Select Signing Certificate page, accept the default, Automatically select signing certificate, and then click Next.
9. On the Revocation Provider page, click Provider.
10. On the Revocation Provider Properties page, click Add, enter the URL of the CRL distribution point, and then click OK.
11. Click Finish.
12. Using the Online Responder snap-in, select the revocation configuration, and then examine the status information to verify that it is functioning properly (a Working status means the provider could retrieve the CRL and a signing certificate was found). You should also be able to examine the properties of the signing certificate to verify that the Online Responder is configured properly.

Step 9: Setting Up and Configuring the Network Device Enrollment Service

The Network Device Enrollment Service allows software on routers and other network devices running without domain credentials to obtain certificates. The Network Device Enrollment Service operates as an ISAPI filter on IIS that performs the following functions:
- Generates and provides one-time enrollment passwords to administrators
- Processes SCEP enrollment requests
- Retrieves pending requests from the CA

SCEP was developed as an extension to existing HTTP, PKCS #10, PKCS #7, RFC 2459, and other standards to enable network device and application certificate enrollment with CAs. SCEP is identified and documented on the Internet Engineering Task Force Web site (http://go.microsoft.com/fwlink/?LinkId=71022).

Before you begin this procedure, create a domain user ndes-user1 and add this user to the local IIS_IUSRS group on LH-NDES. Then, use the Certificate Templates snap-in to configure Read and Enroll permissions for this user on the IPSec (Offline request) certificate template. Use an ordinary user account for this purpose: the service account needs only the group membership and the template permissions described here, so do not make it an administrator.

To set up and configure the Network Device Enrollment Service
1. Log on to LH-NDES as an enterprise administrator.
2. Start the Add Roles Wizard. On the Select Server Roles page, select the Active Directory Certificate Services check box, and then click Next two times.
3. On the Select Role Services page, clear the Certification Authority check box, and then select the Network Device Enrollment Service check box. You are prompted to install IIS and the Windows Process Activation Service.
4. Click Add Required Role Services, and then click Next.
5. Because this is a new installation and there are no pending SCEP certificate requests, click Replace existing Registration Authority (RA) certificates, and then click Next. When the Network Device Enrollment Service is installed on a computer where a registration authority already exists, the existing registration authority and any pending certificate requests are deleted.
6. On the Specify User Account page, click Select User, and type the user name ndes-user1 and the password for this account, which the Network Device Enrollment Service will use to authorize certificate requests. Click OK, and then click Next.
7. On the Specify CA page, select either the CA name or Computer name option, click Browse to locate the CA that will issue the Network Device Enrollment Service certificates, LH-CA-ISSUE1, and then click Next.
8. On the Specify Registration Authority Information page, type ndes-1 in the RA name box. Under Country/region, select the country/region you are in, and then click Next.
9. On the Configure Cryptography page, accept the default values for the signature and encryption keys, and then click Next.
10. Click Next through the remaining Web Server (IIS) pages, review the summary on the Confirm Installation Options page, and then click Install.
11. When the installation is complete, review the status page to verify that the installation was successful.
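The template-permission steps of Step 4 (Read, Enroll and Autoenroll for the LH-ORS1 computer on the duplicated OCSP Response Signing template), the Certificate Template to Issue step of Step 6, and the preparation for Step 9 (ndes-user1, its IIS_IUSRS membership, and Read and Enroll on the IPSec (Offline request) template), done with dsacls, certutil and net instead of the snap-ins. This is an added example, not part of the guide. Assumptions not stated in the guide: the duplicated template's object name (CN) is OCSPResponseSigning-2 (the Certificate Templates snap-in derives it from the display name by removing spaces; confirm it on the template's General tab), the CN of the IPSec (Offline request) template is IPSECIntermediateOffline, the domain NetBIOS name is taken from $env:USERDOMAIN, and the certutil line is run on LH-CA-ISSUE1 itself.

```powershell
# Added example (not from the guide): template permissions, CA template list and the
# NDES service account from the command line. The parts run on different computers;
# see the comments. Requires rights on the Certificate Templates container (Enterprise Admin).
$ErrorActionPreference = "Stop"
$domain      = $env:USERDOMAIN   # assumption: NetBIOS name of the lab domain
$configNC    = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$templatesDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Grants permissions the way the template's Security tab does: Read is generic read
# (GR) on the template object; Enroll and Autoenroll are the Certificate-Enrollment
# and Certificate-AutoEnrollment extended rights (control access rights) on it.
function Grant-TemplatePermission {
    param([string]$TemplateCN, [string]$Principal, [string[]]$Rights)
    $dn = "CN=$TemplateCN,$templatesDN"
    foreach ($r in $Rights) {
        $ace = switch ($r) {
            "Read"       { "${Principal}:GR" }
            "Enroll"     { "${Principal}:CA;Certificate-Enrollment" }
            "Autoenroll" { "${Principal}:CA;Certificate-AutoEnrollment" }
            default      { throw "Unknown right: $r" }
        }
        dsacls $dn /G $ace | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "dsacls failed granting $r on $TemplateCN to $Principal" }
    }
}

# Step 4, step 7: the Online Responder's computer account. Autoenrollment needs all
# three rights, so Enroll is granted together with Read and Autoenroll.
Grant-TemplatePermission -TemplateCN "OCSPResponseSigning-2" -Principal "$domain\LH-ORS1$" -Rights Read, Enroll, Autoenroll

# Step 6: add the template to the CA's list of issued templates. Run on LH-CA-ISSUE1
# (or add -config "LH-CA-ISSUE1\<CA common name>" to target it remotely).
certutil -SetCATemplates "+OCSPResponseSigning-2"
if ($LASTEXITCODE -ne 0) { throw "certutil -SetCATemplates failed" }

# Step 9 preparation: an ordinary domain user for NDES. "*" makes net prompt for the
# password instead of embedding one in the script.
net user ndes-user1 * /add /domain
# Read and Enroll on the IPSec (Offline request) template (CN assumed, see lead-in).
Grant-TemplatePermission -TemplateCN "IPSECIntermediateOffline" -Principal "$domain\ndes-user1" -Rights Read, Enroll
# Membership in the NDES server's local IIS_IUSRS group: run this line on LH-NDES.
net localgroup IIS_IUSRS "$domain\ndes-user1" /add

# Show the resulting ACEs for review against the Security tab.
dsacls "CN=OCSPResponseSigning-2,$templatesDN"    | Select-String "LH-ORS1"
dsacls "CN=IPSECIntermediateOffline,$templatesDN" | Select-String "ndes-user1"
```

The dsacls output lists each grant as a separate line, so a template that shows only the Read ACE for LH-ORS1$ explains an Online Responder that never enrolls: it can read the template but is not allowed to enroll against it.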

Step 10: Verifying that the Advanced AD CS Test Setup Functions Properly

You can verify the setup steps described previously as you perform them.

After the installation is complete, you should verify that your advanced test setup is functioning properly. The test below issues certificates, revokes one, and then removes the CRL distribution point from newly issued certificates so that the only way a client can learn revocation status is through the Online Responder.

To verify that the advanced AD CS test setup functions properly
1. On the CA, configure several certificate templates to autoenroll certificates for LH-CLI1 and users on this computer.
2. When information about the new certificates has been published to AD DS, open a command prompt on the client computer and enter the following command to start certificate autoenrollment:
certutil -pulse

3. On the client computer, use the Certificates snap-in to verify that the certificates have been issued to the user and to the computer, as appropriate.
4. On the CA, use the Certification Authority snap-in to view and revoke one or more of the issued certificates by clicking Certification Authority (Computer)/CA name/Issued Certificates and selecting the certificate you want to revoke. On the Action menu, point to All Tasks, and then click Revoke Certificate. Select the reason for revoking the certificate, and click Yes.
5. In the Certification Authority snap-in, publish a new CRL by clicking Certification Authority (Computer)/CA name/Revoked Certificates in the console tree. Then, on the Action menu, point to All Tasks, and click Publish. The Online Responder learns about the revocation only once its revocation provider has retrieved this new CRL.
6. Remove the CRL distribution point extension from certificates issued by the issuing CA by opening the Certification Authority snap-in and then selecting the CA. On the Action menu, click Properties.
7. On the Extensions tab, confirm that Select extension is set to CRL Distribution Point (CDP).
8. Click each HTTP and LDAP CRL distribution point that is listed, clear the Include in the CDP extension of issued certificates check box, and click OK. Clearing the check box rather than clicking Remove keeps the CA publishing its CRL to that location, which the revocation provider configured in Step 8 still needs; it only stops new certificates from pointing clients at it.
9. Stop and restart AD CS.
10. Repeat steps 1 and 2 above, and then verify that clients can still obtain revocation data for a certificate that has no CRL distribution point. To do this, use the Certificates snap-in to export the certificate to a file (*.cer). At a command prompt, type:
certutil -url <exportedcert.cer>

11. In the URL Retrieval Tool dialog box that appears, retrieve From CDP and From OCSP and compare the results: the CDP retrieval has nothing to fetch for the new certificate, while the OCSP retrieval should succeed and, for the certificate revoked in step 4, report it as revoked.
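A programmatic version of the final check, as an added example that is not part of the guide: for an exported certificate it lists the CDP and OCSP locations the certificate carries, then builds a chain with online revocation checking and reports whether revocation status was actually determined. It assumes the exported file is at C:\temp\client.cer (a path the guide does not give) and that it is run on a domain member such as LH-CLI1 that trusts the lab root CA. Run it once against a certificate issued before step 8 (it carries both a CDP and an OCSP URL) and once against one issued after (OCSP URL only); neither should report RevocationStatusUnknown or OfflineRevocation, and the certificate revoked in step 4 should report Revoked.

```powershell
# Added example (not from the guide): check where a certificate says revocation data
# lives and whether a client can actually obtain that data. Works on PowerShell 2.0.
$ErrorActionPreference = "Stop"

# .NET has no typed classes for the CDP (2.5.29.31) and AIA (1.3.6.1.5.5.7.1.1)
# extensions, so the formatted text CryptoAPI produces for each is scanned for URLs.
function Get-RevocationLocations {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $loc = @{ CDP = @(); OCSP = @(); CAIssuers = @() }
    foreach ($ext in $Cert.Extensions) {
        $text = $ext.Format($true)   # multi-line rendering, one entry per block
        switch ($ext.Oid.Value) {
            "2.5.29.31" {
                $loc.CDP += [regex]::Matches($text, 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
            }
            "1.3.6.1.5.5.7.1.1" {
                # Each access description names its method OID, then its URL:
                # 1.3.6.1.5.5.7.48.1 is OCSP, 1.3.6.1.5.5.7.48.2 is caIssuers.
                foreach ($m in [regex]::Matches($text, '(?s)\((1\.3\.6\.1\.5\.5\.7\.48\.[12])\).*?URL=(\S+)')) {
                    if ($m.Groups[1].Value -eq "1.3.6.1.5.5.7.48.1") { $loc.OCSP += $m.Groups[2].Value }
                    else { $loc.CAIssuers += $m.Groups[2].Value }
                }
            }
        }
    }
    $loc
}

function Test-CertificateRevocation {
    param([string]$CertPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
    $loc  = Get-RevocationLocations -Cert $cert

    # Online mode makes CryptoAPI fetch CRLs from the CDP and/or query the OCSP
    # responder named in the AIA; EntireChain checks the issuing CA certificate too.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(30)
    $valid = $chain.Build($cert)
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    # How to read the flags:
    #   (none)                                     chain valid and revocation status was determined
    #   Revoked                                    the CA's revocation reached the client (steps 4 and 5 worked)
    #   RevocationStatusUnknown, OfflineRevocation neither a CDP nor the Online Responder could be used
    New-Object PSObject -Property @{
        Subject          = $cert.Subject
        CdpUrls          = ($loc.CDP -join "; ")
        OcspUrls         = ($loc.OCSP -join "; ")
        ChainValid       = $valid
        ChainStatus      = ($flags -join ", ")
        RevocationProven = ($flags -notcontains "RevocationStatusUnknown" -and $flags -notcontains "OfflineRevocation")
    }
}

Test-CertificateRevocation -CertPath "C:\temp\client.cer" | Format-List
```

For a certificate issued after step 8, CdpUrls is empty and RevocationProven must still be True; if it is False, the AIA check in Step 5 (the OCSP URL with flag 32) and the Step 8 revocation configuration status are the first things to recheck. The same result can be obtained with certutil -verify -urlfetch C:\temp\client.cer, which prints every retrieval it attempts.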
