
AD CS Step-By-Step Guide

Microsoft Corporation
Published: April 2007
Author: Roland Winkler
Editor: Debbie Sanson
Abstract
This step-by-step guide describes the steps needed to set up a basic configuration of Active Directory® Certificate Services (AD CS) in a lab environment.
AD CS in Windows Server® 2008 provides customizable services for creating and managing public key certificates used in software security systems employing public key technologies.
Copyright Information
This document supports a preliminary release of a software product that may be changed substantially prior to final commercial release, and is the confidential and proprietary information of Microsoft Corporation. It is disclosed pursuant to a non-disclosure agreement between the recipient and Microsoft. This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2007 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, MS-DOS, Visual Basic, Visual Studio, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.
Contents
Windows Server Active Directory Certificate Services Step-by-Step Guide ..... 5
AD CS Technology Review ..... 5
Requirements for Using AD CS ..... 6
AD CS Basic Lab Scenario ..... 7
Steps for Setting up a Basic Lab ..... 7
Step 1: Setting Up an Enterprise Root CA ..... 8
Step 2: Installing the Online Responder ..... 9
Step 3: Configuring the CA to Issue OCSP Response Signing Certificates ..... 9
Step 4: Creating a Revocation Configuration ..... 11
Step 5: Verifying that the AD CS Lab Setup Functions Properly ..... 12
AD CS Advanced Lab Scenario ..... 13
Steps for Setting Up an Advanced Lab ..... 14
Step 1: Setting Up the Stand-Alone Root CA ..... 15
Step 2: Setting Up the Enterprise Subordinate Issuing CA ..... 15
Step 3: Installing and Configuring the Online Responder ..... 16
Step 4: Configuring the Issuing CA to Issue OCSP Response Signing Certificates ..... 17
Step 5: Configuring the Authority Information Access Extension to Support the Online Responder ..... 17
Step 6: Assigning the OCSP Response Signing Template to a CA ..... 18
Step 7: Enrolling for an OCSP Response Signing Certificate ..... 18
Step 8: Creating a Revocation Configuration ..... 19
Step 9: Setting Up and Configuring the Network Device Enrollment Service ..... 20
Step 10: Verifying that the Advanced AD CS Test Setup Functions Properly ..... 21
Windows Server Active Directory Certificate
Services Step-by-Step Guide
This step-by-step guide describes the steps needed to set up a basic configuration of Active Directory® Certificate Services (AD CS) in a lab environment.
AD CS in Windows Server® 2008 provides customizable services for creating and managing public key certificates used in software security systems that employ public key technologies.
This document includes:
A review of AD CS features
Requirements for using AD CS
Procedures for a basic lab setup to test AD CS on a minimum number of computers
Procedures for an advanced lab setup to test AD CS on a larger number of computers to more realistically simulate real-world configurations
AD CS Technology Review
Using the Active Directory Certificate Services option of the Add Roles Wizard, you can set up the following components of AD CS:
Certification authorities (CAs). Root and subordinate CAs are used to issue certificates to users, computers, and services, and to manage their validity.
CA Web enrollment. Web enrollment allows users to connect to a CA by means of a Web browser in order to:
Request certificates and review certificate requests.
Retrieve certificate revocation lists (CRLs).
Perform smart card certificate enrollment.
Online Responder service. The Online Responder service implements the Online Certificate Status Protocol (OCSP) by decoding revocation status requests for specific certificates, evaluating the status of these certificates, and sending back a signed response containing the requested certificate status information.
Important
Online Responders can be used as an alternative to or an extension of CRLs to provide certificate revocation data to clients. Microsoft Online Responders are based on and comply with RFC 2560 for OCSP. For more information about RFC 2560, see the Internet Engineering Task Force Web site (http://go.microsoft.com/fwlink/?LinkID=67082).
Network Device Enrollment Service. The Network Device Enrollment Service allows routers and other network devices to obtain certificates based on the Simple Certificate Enrollment Protocol (SCEP) from Cisco Systems Inc.
Note
SCEP was developed to support the secure, scalable issuance of certificates to network devices by using existing CAs. The protocol supports CA and registration authority public key distribution, certificate enrollment, certificate revocation, certificate queries, and certificate revocation queries.
Requirements for Using AD CS
CAs can be set up on servers running a variety of operating systems, including Windows® 2000 Server, Windows Server® 2003, and Windows Server 2008. However, not all operating systems support all features or design requirements, and creating an optimal design requires careful planning and lab testing before you deploy AD CS in a production environment. Although you can deploy AD CS with as little hardware as a single server for a single CA, many deployments involve multiple servers configured as root, policy, and issuing CAs, and other servers configured as Online Responders.
Note
A limited set of server roles is available for a Server Core installation of Windows Server 2008 and for Windows Server 2008 for Itanium-based Systems.
The following table lists the AD CS components that can be configured on different editions of Windows Server 2008.

Components                        | Web | Standard | Enterprise | Datacenter
CA                                | No  | Yes      | Yes        | Yes
Network Device Enrollment Service | No  | No       | Yes        | Yes
Online Responder service          | No  | No       | Yes        | Yes

The following features are available on servers running Windows Server 2008 that have been configured as CAs.

AD CS features                               | Web | Standard | Enterprise | Datacenter
Version 2 and version 3 certificate templates | No  | No       | Yes        | Yes
Key archival                                 | No  | No       | Yes        | Yes
Role separation                              | No  | No       | Yes        | Yes
Certificate Manager restrictions             | No  | No       | Yes        | Yes
Delegated enrollment agent restrictions      | No  | No       | Yes        | Yes
AD CS Basic Lab Scenario
The following sections describe how you can set up a lab to begin evaluating AD CS.
We recommend that you first use the steps provided in this guide in a test lab environment. Step-by-step guides are not necessarily meant to be used to deploy Windows Server features without accompanying documentation and should be used with discretion as a stand-alone document.
Steps for Setting up a Basic Lab
You can begin testing many features of AD CS in a lab environment by using as few as two servers running Windows Server 2008 and one client computer running Windows Vista®. The computers for this guide are named as follows:
LH-DC1: This computer will be the domain controller for your test environment.
LH-PKI1: This computer will host an enterprise root CA for the test environment. This CA will issue client certificates for the Online Responder and client computers.
Note
Enterprise CAs and Online Responders can only be installed on servers running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter.
LH-CLI1: This client computer running Windows Vista will autoenroll for certificates from LH-PKI1 and verify certificate status from LH-PKI1.
To configure the basic lab setup for AD CS, you need to complete the following prerequisite steps:
Set up a domain controller on LH-DC1 for contoso.com, including some organizational units (OUs) to contain one or more users for the client computer, client computers in the domain, and for the servers hosting CAs and Online Responders.
Install Windows Server 2008 on LH-PKI1, and join LH-PKI1 to the domain.
Install Windows Vista on LH-CLI1, and join LH-CLI1 to contoso.com.
After you have completed these preliminary setup procedures, you can begin to complete the following steps:
Step 1: Setting Up an Enterprise Root CA
Step 2: Installing the Online Responder
Step 3: Configuring the CA to Issue OCSP Response Signing Certificates
Step 4: Creating a Revocation Configuration
Step 5: Verifying that the AD CS Lab Setup Functions Properly
Step 1: Setting Up an Enterprise Root CA
An enterprise root CA is the anchor of trust for the basic lab setup. It will be used to issue certificates to the Online Responder and client computer, and to publish certificate information to Active Directory Domain Services (AD DS).
Note
Enterprise CAs and Online Responders can only be installed on servers running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter.
To set up an enterprise root CA
1. Log on to LH-PKI1 as a domain administrator.
2. Click Start, point to Administrative Tools, and then click Server Manager.
3. In the Roles Summary section, click Add roles.
4. On the Select Server Roles page, select the Active Directory Certificate Services check box. Click Next two times.
5. On the Select Role Services page, select the Certification Authority check box, and then click Next.
6. On the Specify Setup Type page, click Enterprise, and then click Next.
7. On the Specify CA Type page, click Root CA, and then click Next.
8. On the Set Up Private Key and Configure Cryptography for CA pages, you can configure optional configuration settings, including cryptographic service providers. However, for basic testing purposes, accept the default values by clicking Next twice.
9. In the Common name for this CA box, type the common name of the CA, RootCA1, and then click Next.
10. On the Set the Certificate Validity Period page, accept the default validity duration for the root CA, and then click Next.
11. On the Configure Certificate Database page, accept the default values or specify other storage locations for the certificate database and the certificate database log, and then click Next.
12. After verifying the information on the Confirm Installation Options page, click Install.
13. Review the information on the confirmation screen to verify that the installation was successful.
Step 2: Installing the Online Responder
An Online Responder can be installed on any computer running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter. The certificate revocation data can come from a CA on a computer running Windows Server 2008, a CA on a computer running Windows Server 2003, or from a non-Microsoft CA.
Note
IIS must also be installed on this computer before the Online Responder can be installed.
To install the Online Responder
1. Log on to LH-PKI1 as a domain administrator.
2. Click Start, point to Administrative Tools, and then click Server Manager.
3. Click Manage Roles. In the Active Directory Certificate Services section, click Add role services.
4. On the Select Role Services page, select the Online Responder check box.
You are prompted to install IIS and Windows Activation Service.
5. Click Add Required Role Services, and then click Next three times.
6. On the Confirm Installation Options page, click Install.
7. When the installation is complete, review the status page to verify that the installation was successful.
Step 3: Configuring the CA to Issue OCSP Response Signing Certificates
Configuring a CA to support Online Responder services involves configuring certificate templates and issuance properties for OCSP Response Signing certificates and then completing additional steps on the CA to support the Online Responder and certificate issuance.
Note
These certificate template and autoenrollment steps can also be used to configure certificates that you want to issue to a client computer or client computer users.
To configure certificate templates for your test environment
1. Log on to LH-PKI1 as a CA administrator.
2. Open the Certificate Templates snap-in.
3. Right-click the OCSP Response Signing template, and then click Duplicate Template.
4. Type a new name for the duplicated template, such as OCSP Response Signing-2.
5. Right-click the OCSP Response Signing-2 certificate template, and then click Properties.
6. Click the Security tab. Under Group or user name, click Add, and then type the name or browse to select the computer hosting the Online Responder service.
7. Click the computer name, LH-PKI1, and in the Permissions dialog box, select the Read and Autoenroll check boxes.
8. While you have the Certificate Templates snap-in open, you can configure certificate templates for users and computers by substituting the desired templates in step 3, and repeating steps 4 through 7 to configure permissions for LH-CLI1 and your test user accounts.
To configure the CA to support Online Responders, you need to use the Certification Authority snap-in to complete two key steps:
Add the location of the Online Responder to the authority information access extension of issued certificates.
Enable the certificate templates that you configured in the previous procedure for the CA.
To configure a CA to support the Online Responder service
1. Open the Certification Authority snap-in.
2. In the console tree, click the name of the CA.
3. On the Action menu, click Properties.
4. Click the Extensions tab. In the Select extension list, click Authority Information Access (AIA).
5. Select the Include in the AIA extension of issued certificates and Include in the online certificate status protocol (OCSP) extension check boxes.
6. Specify the locations from which users can obtain certificate revocation data; for this setup, the location is http://LH-PKI1/ocsp.
7. In the console tree of the Certification Authority snap-in, right-click Certificate Templates, and then click New Certificate Templates to Issue.
8. In Enable Certificate Templates, select the OCSP Response Signing template and any other certificate templates that you configured previously, and then click OK.
9. Open Certificate Templates, and verify that the modified certificate templates appear in the list.
Step 4: Creating a Revocation Configuration
A revocation configuration includes all of the settings that are needed to respond to status requests regarding certificates that have been issued by using a specific CA key.
These configuration settings include the CA certificate, the signing certificate for the Online Responder, and the locations to which clients are directed to send their status requests.
Important
Before you create a revocation configuration, ensure that certificate enrollment has taken place so that a signing certificate exists on the computer, and adjust the permissions on the signing certificate to allow the Online Responder to use it.
To verify that the signing certificate is properly configured
1. Start or restart LH-PKI1 to enroll for certificates.
2. Log on as a CA administrator.
3. Open the Certificates snap-in for the computer account. Open the Personal certificate store for the computer, and verify that it contains a certificate titled OCSP Response Signing.
4. Right-click this certificate, and then click Manage Private Keys.
5. Click the Security tab. In the User Group or user name dialog box, click Add, enter Network Service to the Group or user name list, and then click OK.
6. Click Network Service, and in the Permissions dialog box, select the Full Control check box.
7. Click OK twice.
Creating a revocation configuration involves the following tasks:
Identify the CA certificate for the CA that supports the Online Responder.
Identify the CRL distribution point for the CA.
Select a signing certificate that will be used to sign revocation status responses.
Select a revocation provider, the component responsible for retrieving and caching the revocation information used by the Online Responder.
To create a revocation configuration
1. Open the Online Responder snap-in.
2. In the Actions pane, click Add Revocation Configuration to start the Add Revocation Configuration Wizard, and then click Next.
3. On the Name the Revocation Configuration page, type a name for the revocation configuration, such as LH-RC1, and then click Next.
4. On the Select CA certificate Location page, click Select a certificate from an existing enterprise CA, and then click Next.
5. On the following page, the name of the CA, LH-PKI1, should appear in the Browse CA certificates published in Active Directory box.
If it appears, click the name of the CA that you want to associate with your revocation configuration, and then click Next.
If it does not appear, click Browse for CA Computer and type the name of the computer hosting LH-PKI1 or click Browse to locate this computer. When you have located the computer, click Next.
Note
You might also be able to link to the CA certificate from the local certificate store, or by importing it from removable media in step 4.
6. View the certificate and copy the CRL distribution point for the parent root CA, RootCA1. To do this:
a. Open the Certificate Services snap-in. Select an issued certificate.
b. Double-click the certificate, and then click the Details tab.
c. Scroll down and select the CRL Distribution Points field.
d. Select and copy the URL for the CRL distribution point that you want to use.
e. Click OK.
7. On the Select Signing Certificate page, accept the default option, Automatically select signing certificate, and then click Next.
8. On the Revocation Provider page, click Provider.
9. On the Revocation Provider Properties page, click Add, enter the URL of the CRL distribution point, and then click OK.
10. Click Finish.
11. Using the Online Responder snap-in, select the revocation configuration, and then examine the status information to verify that it is functioning properly. You should also be able to examine the properties of the signing certificate to verify that the Online Responder is configured properly.
Step 5: Verifying that the AD CS Lab Setup Functions Properly
You can verify the setup steps described previously as you perform them.
After the installation is complete, you should verify that your basic test setup is functioning properly by confirming that you can autoenroll certificates, revoke certificates, and make accurate revocation data available from the Online Responder.
To verify that the AD CS test setup functions properly
1. On the CA, configure several certificate templates to autoenroll certificates for LH-CLI1 and users on this computer.
2. When information about the new certificates has been published to AD DS, open a command prompt on the client computer and enter the following command to start certificate autoenrollment:
certutil -pulse
3. On LH-CLI1, use the Certificates snap-in to verify that the certificates have been issued to the user and to the computer, as appropriate.
4. On the CA, use the Certification Authority snap-in to view and revoke one or more of the issued certificates by clicking Certification Authority (Computer)\CA name\Issued Certificates and selecting the certificate you want to revoke. On the Action menu, point to All Tasks, and then click Revoke Certificate. Select the reason for revoking the certificate, and click Yes.
5. In the Certification Authority snap-in, publish a new CRL by clicking Certification Authority (Computer)\CA name\Revoked Certificates in the console tree. Then, on the Action menu, point to All Tasks, and click Publish.
6. Remove all CRL distribution point extensions from the issuing CA by opening the Certification Authority snap-in and then selecting the CA. On the Action menu, click Properties.
7. On the Extensions tab, confirm that Select extension is set to CRL Distribution Point (CDP).
8. Click any CRL distribution points that are listed, click Remove, and then click OK.
9. Stop and restart AD CS.
10. Repeat steps 1 and 2 above, and then verify that clients can still obtain revocation data. To do this, use the Certificates snap-in to export the certificate to a file (*.cer). At a command prompt, type:
certutil -url <exportedcert.cer>
11. In the Verify and Retrieve dialog box that appears, click From CDP and From OCSP and compare the results.
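The verification procedure above can be scripted so it is rerun on LH-CLI1 before and after a certificate is revoked. The following PowerShell script is an added example, not part of the original guide: it triggers autoenrollment, exports the newest certificate issued by the lab CA from the user's Personal store, and has certutil fetch the AIA, CDP and OCSP URLs the certificate carries. It assumes it runs as the test user on the client with certutil.exe on the path, and that the issuer name is the RootCA1 created in Step 1; the output line patterns it greps for are assumptions about certutil's output format.

```powershell
# Added example (not from the original guide): automate "To verify that the
# AD CS test setup functions properly" on the Windows Vista client LH-CLI1.
# Assumes: run as the autoenrolled test user, certutil.exe on the path, and
# the lab CA common name RootCA1 from Step 1 of the basic lab.

param(
    [string]$IssuerName = "RootCA1",
    [string]$ExportPath = "$env:TEMP\autoenrolled.cer"
)

# Step 2 of the procedure: start autoenrollment now instead of waiting for
# the next autoenrollment cycle.
certutil -pulse | Out-Null

# Find the newest certificate in the user's Personal store issued by the lab CA.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "CurrentUser")
$store.Open("ReadOnly")
$cert = $store.Certificates |
    Where-Object { $_.Issuer -like "CN=$IssuerName*" } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1
$store.Close()
if ($cert -eq $null) {
    throw "No certificate issued by $IssuerName found; autoenrollment has not run yet."
}

# Export the public certificate only (DER encoded, no private key) as the
# guide's *.cer file.
[System.IO.File]::WriteAllBytes($ExportPath, $cert.Export("Cert"))

# -verify -urlfetch builds the chain and retrieves every AIA, CDP and OCSP URL
# in the certificate, reporting each URL as Verified or Failed. Unlike the
# -url switch in the guide it needs no dialog box, so the result can be logged.
$output = certutil -verify -urlfetch $ExportPath

# Keep only the per-URL results, any revocation verdict and the final status
# line (assumed output format; adjust the pattern if your build differs).
$output | Select-String -Pattern 'Verified "|Failed "|REVOKED|-verify command'

# certutil exits non-zero when verification fails, which includes the case
# where the CA has revoked the certificate and the CRL or OCSP response
# says so (CRYPT_E_REVOKED). Propagate that as the script's exit code.
exit $LASTEXITCODE
```

Run it once after autoenrollment (expect a zero exit code), then again after revoking the certificate and publishing a new CRL; a non-zero exit code on the second run shows that revocation data reaches the client via the OCSP URL even after the CDP extension has been removed in steps 6 through 9.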
AD CS Advanced Lab Scenario
The following sections describe how you can set up a lab to evaluate more features of AD CS than in the basic lab setup.
Steps for Setting Up an Advanced Lab
To test additional features of AD CS in a lab environment, you will need five computers running Windows Server 2008 and one client computer running Windows Vista. The computers for this guide are named as follows:
LH-DC1: This computer will be the domain controller for your test environment.
LH-CA-ROOT1: This computer will host a stand-alone root CA for the test environment.
LH-CA-ISSUE1: This enterprise CA will be subordinate to LH-CA-ROOT1 and issue client certificates for the Online Responder and client computers.
Note
Enterprise CAs and Online Responders can only be installed on servers running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter.
LH-ORS1: This server will host the Online Responder.
LH-NDES: This server will host the Network Device Enrollment Service that makes it possible to issue and manage certificates for routers and other network devices.
LH-CLI1: This client computer running Windows Vista will autoenroll for certificates from LH-CA-ISSUE1 and verify certificate status from LH-ORS1.
To configure the advanced lab setup for AD CS, you need to complete the following prerequisite steps:
1. Set up a domain controller on LH-DC1 for contoso.com, including some OUs to contain one or more users for LH-CLI1, client computers in the domain, and for the servers hosting CAs and Online Responders.
2. Install Windows Server 2008 on the other servers in the test configuration and join them to the domain.
3. Install Windows Vista on LH-CLI1, and join LH-CLI1 to contoso.com.
After you have completed these preliminary setup procedures, you can begin to complete the following steps:
Step 1: Setting Up the Stand-Alone Root CA
Step 2: Setting Up the Enterprise Subordinate Issuing CA
Step 3: Installing and Configuring the Online Responder
Step 4: Configuring the Issuing CA to Issue OCSP Response Signing Certificates
Step 5: Configuring the Authority Information Access Extension to Support the Online Responder
Step 6: Assigning the OCSP Response Signing Template to a CA
Step 7: Enrolling for an OCSP Response Signing Certificate
Step 8: Creating a Revocation Configuration
Step 9: Setting Up and Configuring the Network Device Enrollment Service
Step 10: Verifying that the Advanced AD CS Test Setup Functions Properly
Step 1: Setting Up the Stand-Alone Root CA
A stand-alone root CA is the anchor of trust for the advanced lab setup. It will be used to issue certificates to the subordinate issuing CA. Because it is critical to the security of the public key infrastructure (PKI), this CA is online in many PKIs only when needed to issue certificates to subordinate CAs.
To set up a stand-alone root CA
1. Log on to LH-CA-ROOT1 as an administrator.
2. Start the Add Roles Wizard. On the Select Server Roles page, select the Active Directory Certificate Services check box, and then click Next two times.
3. On the Select Role Services page, select the Certification Authority check box, and then click Next.
4. On the Specify Setup Type page, click Standalone, and then click Next.
5. On the Specify CA Type page, click Root CA, and then click Next.
6. On the Set Up Private Key and Configure Cryptography for CA pages, you can configure optional settings, including cryptographic service providers. However, for basic testing purposes, accept the default values by clicking Next twice.
7. In the Common name for this CA box, type the common name of the CA, RootCA1, and then click Next.
8. On the Set the Certificate Validity Period page, accept the default validity duration for the root CA, and then click Next.
9. On the Configure Certificate Database page, accept the default values or specify other storage locations for the certificate database and the certificate database log, and then click Next.
10. After verifying the information on the Confirm Installation Options page, click Install.
Step 2: Setting Up the Enterprise Subordinate Issuing CA
Most organizations use at least one subordinate CA to protect the root CA from unnecessary exposure. An enterprise CA also allows you to use certificate templates and to use AD DS for enrollment and publishing certificates.
To set up an enterprise subordinate issuing CA
1. Log on to LH-CA-ISSUE1 as a domain administrator.
2. Start the Add Roles Wizard. On the Select Server Roles page, select the Active Directory Certificate Services check box, and then click Next two times.
3. On the Select Role Services page, select the Certification Authority check box, and then click Next.
4. On the Specify Setup Type page, click Enterprise, and then click Next.
5. On the Specify CA Type page, click Subordinate CA, and then click Next.
6. On the Set Up Private Key and Configure Cryptography for CA pages, you can configure optional settings, including cryptographic service providers. However, for basic testing purposes, accept the default values by clicking Next twice.
7. On the Request Certificate page, browse to locate LH-CA-ROOT1, or, if the root CA is not connected to the network, save the certificate request to a file so that it can be processed later. Click Next.
The subordinate CA setup will not be usable until it has been issued a root CA certificate and this certificate has been used to complete the installation of the subordinate CA.
8. In the Common name for this CA box, type the common name of the CA, LH-CA-ISSUE1.
9. On the Set the Certificate Validity Period page, accept the default validity duration for the CA, and then click Next.
10. On the Configure Certificate Database page, accept the default values or specify other storage locations for the certificate database and the certificate database log, and then click Next.
11. After verifying the information on the Confirm Installation Options page, click Install.
Step 3: Installing and Configuring the Online Responder
An Online Responder can be installed on any computer running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter. The certificate revocation data can come from a CA on a computer running Windows Server 2008, a CA on a computer running Windows Server 2003, or from a non-Microsoft CA. An Online Responder will typically not be installed on the same computer as a CA.
Note
IIS must also be installed on this computer before the Online Responder can be installed. As part of the setup process, a virtual directory named OCSP is created in IIS and the Web proxy is registered as an Internet Server Application Programming Interface (ISAPI) extension.
To install the Online Responder service
1. Log on to LH-ORS1 as an administrator.
2. Start the Add Roles Wizard. On the Select Server Roles page, select the Active Directory Certificate Services check box, and then click Next two times.
3. On the Select Role Services page, clear the Certification Authority check box, select the Online Responder check box, and then click Next.
You are prompted to install IIS and Windows Activation Service.
4. Click Add Required Role Services, and then click Next three times.
5. On the Confirm Installation Options page, click Install.
6. When the installation is complete, review the status page to verify that the installation was successful.
Step 4: Configuring the Issuing CA to Issue OCSP Response Signing Certificates
As with any certificate template, the OCSP Response Signing template must be configured with the enrollment permissions for Read, Enroll, Autoenroll, and Write before any certificates can be issued based on the template.
To configure certificate templates for your test environment
1. Log on to LH-CA-ISSUE1 as a CA administrator.
2. Open the Certificate Templates snap-in.
3. Right-click the OCSP Response Signing template, and then click Duplicate Template.
4. Type a new name for the duplicated template, such as OCSP Response Signing-2.
5. Right-click the OCSP Response Signing-2 certificate template, and then click Properties.
6. Click the Security tab. Under Group or user name, click Add and type the name or browse to select the computer hosting the Online Responder service.
7. Click the computer name, LH-ORS1, and in the Permissions dialog box, select the Read and Autoenroll check boxes.
8. While you have the Certificate Templates snap-in open, you can configure certificate templates for users and computers by substituting the desired templates in step 3, and repeating steps 4 through 7 to configure permissions for LH-CLI1 and your test user accounts.
Step 8, Configuring the Authority Information Access '.tension
to Support the $nine !esponder
Cou need to confi$ure the CAs to include the 0R3 for the 6nline Responder as part of the
authorit# infor)ation access e<tension of the issued certificate* !his 0R3 is used b# the 6nline
Responder client to %alidate the certificate status*
To configure the authority information access e.tension to support the $nine
!esponder
4* 3o$ on to 3BECAE5SS0E4 as a CA ad)inistrator*
17
2* 6pen the Certification Authorit# snap"in*
8* 5n the console tree> click the na)e of the CA*
9* 6n the Action )enu> click /roperties*
.* 6n the '.tensions tab> click Seect e.tension> and then click Authority Information
Access "AIA#*
1* Select the Incude in the AIA e.tension of issue certificates and Incude in the onine
certificate status protoco "$CS/# e.tension check bo<es*
7* Specif# the locations fro) hich users can obtain certificate re%ocation dataG for this
setup> the location is http:??3BE6RS4?ocsp*
+* 5n the console tree of the Certification Authorit# snap"in> ri$ht"click Certificate
Tempates> and then click %ew Certificate Tempates to Issue*
7* 5n 'nabe Certificate Tempates> select the $CS/ !esponse Signing te)plate and an#
other certificate te)plates that #ou confi$ured pre%iousl#> and then click $0*
40* 6pen Certificate Tempates> and %erif# that the )odified certificate te)plates appear in
the list*
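To confirm that the AIA change has actually reached issued certificates without opening each one in the MMC, the following PowerShell script (an added example, not part of the guide) reads the AIA and CDP extensions of every certificate in a store and flags those that carry the Online Responder location entered in step 7; the store path and the expected URL are assumed defaults that you can override.

```powershell
# Added example, not from the guide: report the OCSP (AIA) and CRL (CDP) URLs
# carried by certificates in a store and flag those that point at the Online
# Responder configured in Step 5. Store path and URL are assumed defaults.
param(
    [string]$StorePath       = 'Cert:\LocalMachine\My',  # assumption: machine Personal store
    [string]$ExpectedOcspUrl = 'http://LH_ORS1/ocsp'     # location entered in step 7
)

$OidAia        = '1.3.6.1.5.5.7.1.1'   # Authority Information Access extension
$OidCdp        = '2.5.29.31'           # CRL Distribution Points extension
$OidOcspAccess = '1.3.6.1.5.5.7.48.1'  # AIA access method that denotes an OCSP responder

function Get-OcspUrl {
    # Returns the URLs of AIA entries whose access method is OCSP, by parsing the
    # human-readable dump produced by X509Extension.Format($true).
    param([System.Security.Cryptography.X509Certificates.X509Extension]$Aia)
    if (-not $Aia) { return @() }
    $text = $Aia.Format($true)
    # Each AIA entry is rendered as "[n]Authority Info Access", then its access
    # method OID in parentheses, then "URL=..."; capture URLs of OCSP entries only.
    $pattern = '(?s)\(' + [regex]::Escape($OidOcspAccess) + '\).*?URL=(\S+)'
    [regex]::Matches($text, $pattern) | ForEach-Object { $_.Groups[1].Value }
}

function Get-CdpUrl {
    # Returns every CRL location listed in the CDP extension.
    param([System.Security.Cryptography.X509Certificates.X509Extension]$Cdp)
    if (-not $Cdp) { return @() }
    [regex]::Matches($Cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

foreach ($cert in Get-ChildItem -Path $StorePath) {
    $aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq $OidAia }
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq $OidCdp }
    $ocspUrls = @(Get-OcspUrl $aia)
    [pscustomobject]@{
        Subject         = $cert.Subject
        NotAfter        = $cert.NotAfter
        OnlineResponder = ($ocspUrls -contains $ExpectedOcspUrl)  # $true once Step 5 took effect
        OcspUrls        = ($ocspUrls -join '; ')
        CdpUrls         = (@(Get-CdpUrl $cdp) -join '; ')
    }
}
```

Certificates issued before the extension was changed will show OnlineResponder as $false; only certificates issued afterwards carry the new AIA location.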
Step 6: Assigning the OCSP Response Signing Template to a CA
Once the templates are properly configured, the CA needs to be configured to issue that template.
To configure the CA to issue certificates based on the newly created OCSP Response Signing template
1. Open the Certification Authority snap-in.
2. Right-click Certificate Templates, and then click Certificate Template to Issue.
3. Select the OCSP Response Signing_2 template from the list of available templates, and then click OK.
Step 7: Enrolling for an OCSP Response Signing Certificate
Enrollment might not take place right away. Therefore, before you proceed to the next step, confirm that certificate enrollment has taken place so that a signing certificate exists on the computer, and verify that the permissions on the signing certificate allow the Online Responder to use it.
To verify that the signing certificate is properly configured
1. Start or restart LH_ORS1 to enroll for the certificates.
2. Log on as a CA administrator.
3. Open the Certificates snap-in for the computer. Open the Personal certificate store for the computer, and then verify that it contains a certificate titled OCSP Response Signing_2.
4. Right-click this certificate, and then click Manage Private Keys.
5. Click the Security tab. In the User Group or user name dialog box, click Add to type in and add Network Service to the Group or user name list, and then click OK.
6. Click Network Service, and in the Permissions dialog box, select the Full Control check box. Click OK twice.
Step 8: Creating a Revocation Configuration
Creating a revocation configuration involves the following tasks:
Identify the CA certificate for the CA that supports the Online Responder.
Identify the CRL distribution point for the CA.
Select a signing certificate that will be used to sign revocation status responses.
Select a revocation provider, the component responsible for retrieving and caching the revocation information used by the Online Responder.
To create a revocation configuration
1. Log on to LH_ORS1 as a domain administrator.
2. Open the Online Responder snap-in.
3. In the Actions pane, click Add Revocation Configuration to start the Add Revocation Configuration wizard, and then click Next.
4. On the Name the Revocation Configuration page, type a name for the revocation configuration, such as LH_RC1, and then click Next.
5. On the Select CA Certificate Location page, click Select a certificate for an existing enterprise CA, and then click Next.
6. On the following page, the name of the CA, LH_CA_ISSUE1, should appear in the Browse CA certificates published in Active Directory box.
If it appears, click the name of the CA that you want to associate with your revocation configuration, and then click Next.
If it does not appear, click Browse for CA Computer and type the name of the computer hosting LH_CA_ISSUE1 or click Browse to locate this computer. When you have located the computer, click Next.
Note
You might also be able to link to the CA certificate from the local certificate store, or by importing it from removable media in step 5.
7. View the certificate and copy the CRL distribution point for the parent root CA, RootCA1. To do this:
a. Open the Certificate Services snap-in, and then select an issued certificate.
b. Double-click the certificate, and then click the Details tab.
c. Scroll down and select the CRL Distribution Points field.
d. Select and copy the URL for the CRL distribution point that you want to use.
e. Click OK.
8. On the Select Signing Certificate page, accept the default, Automatically select signing certificate, and then click Next.
9. On the Revocation Provider page, click Provider.
10. On the Revocation Provider Properties page, click Add, enter the URL of the CRL distribution point, and then click OK.
11. Click Finish.
12. Using the Online Responder snap-in, select the revocation configuration, and then examine the status information to verify that it is functioning properly. You should also be able to examine the properties of the signing certificate to verify that the Online Responder is configured properly.
Step 9: Setting Up and Configuring the Network Device Enrollment Service
The Network Device Enrollment Service allows software on routers and other network devices running without domain credentials to obtain certificates.
The Network Device Enrollment Service operates as an ISAPI filter on IIS that performs the following functions:
Generates and provides one-time enrollment passwords to administrators
Processes SCEP enrollment requests
Retrieves pending requests from the CA
SCEP was developed as an extension to existing HTTP, PKCS #10, PKCS #7, RFC 2459, and other standards to enable network device and application certificate enrollment with CAs. SCEP is identified and documented on the Internet Engineering Task Force Web site (http://go.microsoft.com/fwlink/?LinkId=71055).
Before you begin this procedure, create a user ndes_user1 and add this user to the IIS user group. Then, use the Certificate Templates snap-in to configure Read and Enroll permissions for this user on the IPSEC (Offline Request) certificate template.
To set up and configure the Network Device Enrollment Service
1. Log on to LH_NDES as an enterprise administrator.
2. Start the Add Roles Wizard. On the Select Server Roles page, select the Active Directory Certificate Services check box, and then click Next two times.
3. On the Select Role Services page, clear the Certification Authority check box, and then select Network Device Enrollment Service.
You are prompted to install IIS and Windows Activation Service.
4. Click Add Required Role Services, and then click Next three times.
5. On the Confirm Installation Options page, click Install.
6. When the installation is complete, review the status page to verify that the installation was successful.
7. Because this is a new installation and there are no pending SCEP certificate requests, click Replace existing Registration Authority (RA) certificates, and then click Next.
When the Network Device Enrollment Service is installed on a computer where a registration authority already exists, the existing registration authority and any pending certificate requests are deleted.
8. On the Specify User Account page, click Select User, and type the user name ndes_user1 and password for this account, which the Network Device Enrollment Service will use to authorize certificate requests. Click OK, and then click Next.
9. On the Specify CA page, select either the CA name or Computer name check box, click Browse to locate the CA that will issue the Network Device Enrollment Service certificates, LH_CA_ISSUE1, and then click Next.
10. On the Specify Registry Authority Information page, type ndes_1 in the RA name box. Under Country/region, select the check box for the country/region you are in, and then click Next.
11. On the Configure Cryptography page, accept the default values for the signature and encryption keys, and then click Next.
12. Review the summary of configuration options, and then click Install.
Step 10: Verifying that the Advanced AD CS Test Setup Functions Properly
You can verify the setup steps described previously as you perform them.
After the installation is complete, you should verify that your advanced test setup is functioning properly.
To verify that the advanced AD CS test setup functions properly
1. On the CA, configure several certificate templates to autoenroll certificates for LH_CLI1 and users on this computer.
2. When information about the new certificates has been published to AD DS, open a command prompt on the client computer and enter the following command to start certificate autoenrollment:
certutil -pulse
3. On the client computer, use the Certificates snap-in to verify that the certificates have been issued to the user and to the computer, as appropriate.
4. On the CA, use the Certification Authority snap-in to view and revoke one or more of the issued certificates by clicking Certification Authority (Computer)/CA name/Issued Certificates and selecting the certificate you want to revoke. On the Action menu, point to All Tasks, and then click Revoke Certificate. Select the reason for revoking the certificate, and click Yes.
5. In the Certification Authority snap-in, publish a new CRL by clicking Certification Authority (Computer)/CA name/Revoked Certificates in the console tree. Then, on the Action menu, point to All Tasks, and click Publish.
6. Remove all CRL distribution point extensions from the issuing CA by opening the Certification Authority snap-in and then selecting the CA. On the Action menu, click Properties.
7. On the Extensions tab, confirm that Select extension is set to CRL Distribution Point (CDP).
8. Click any CRL distribution points that are listed, click Remove, and click OK.
9. Stop and restart AD CS.
10. Repeat steps 1 and 2 above, and then verify that clients can still obtain revocation data. To do this, use the Certificates snap-in to export the certificate to a file (*.cer). At a command prompt, type:
certutil -url <exportedcert.cer>
11. In the Verify and Retrieve dialog box that appears, click From CDP and From OCSP and compare the results.
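The comparison in step 11 can also be scripted. The following PowerShell (an added example, not part of the guide) builds the chain of an exported certificate with the .NET X509Chain class in Online and then Offline revocation mode, so a certificate revoked in step 4 should be reported as Revoked online even though the CDP extension was removed in step 8; the certificate file path is an assumed placeholder.

```powershell
# Added example, not from the guide: online vs. offline revocation check of an
# exported certificate, the scripted counterpart of certutil -url in Step 10.
# The certificate path is a placeholder; any *.cer exported in step 10 works.
param([string]$CertFile = 'C:\test\exportedcert.cer')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertFile

function Test-Revocation {
    # Builds the chain under the requested revocation mode and summarises the
    # chain status flags. Online fetches CRL/OCSP data from the locations in the
    # certificate's CDP and AIA extensions; Offline uses only locally cached data.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$Mode
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    try {
        $chain.ChainPolicy.RevocationMode      = $Mode
        $chain.ChainPolicy.RevocationFlag      = 'EndCertificateOnly'  # check only the leaf, as in the guide's test
        $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
        $built      = $chain.Build($Certificate)
        $statusText = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        [pscustomobject]@{
            Mode       = $Mode
            ChainValid = $built
            Revoked    = ($statusText -match '\bRevoked\b')
            # These flags mean no revocation data could be obtained at all,
            # which is the failure the guide's step 10 is designed to catch.
            NoRevData  = ($statusText -match 'RevocationStatusUnknown|OfflineRevocation')
            Status     = $statusText
        }
    }
    finally {
        $chain.Reset()
    }
}

# After step 8 removed the CDP extension, certificates issued afterwards carry
# only the OCSP location in AIA, so Online revocation data must come from the
# Online Responder (or a CRL still cached on this client).
Test-Revocation -Certificate $cert -Mode Online
Test-Revocation -Certificate $cert -Mode Offline
```

If the Online result shows NoRevData as $true, the client could not reach the Online Responder at the AIA location, which is the same condition the From OCSP button in the Verify and Retrieve dialog box would report.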