I have noticed that not so many people know and use Microsoft Active directory certificate services .Microsoft had gone a great length to make our life much easier but more secure . this post will provide you with overview and how to install it in a test environment or small environment .
This Post is the steps taken from Microsoft TechNet but with rearranging the topics to seem a bit logical for someone that does not know the technology (there is no point in reinventing the wheel). I also added my personal experience into it .
The soul purposes of this guide is to give some idea about the technology .you can use it to deploy your own Solution but I don’t recommended it as every infrastructure is a bit different than the other . Please remember the golden rules “60% planning 30% deployment 10% maintenance “. this rule saved me a lot of pain and grief .
What is ADCS ?
Active Directory Certificate Services (AD CS) provides customizable services for issuing and managing public key certificates used in software security systems that employ public key technologies.
The Main Parts in AD CS
- Certification authorities (CAs). Root and subordinate CAs are used to issue certificates to users, computers, and services, and to manage certificate validity.
- CA Web enrollment. Web enrollment allows users to connect to a CA by means of a Web browser in order to request certificates and retrieve certificate revocation lists (CRLs).
- Online Responder. The Online Responder service accepts revocation status requests for specific certificates, evaluates the status of these certificates, and sends back a signed response containing the requested certificate status information.
- Network Device Enrollment Service. The Network Device Enrollment Service allows routers and other network devices that do not have domain accounts to obtain certificates.
- Certificate Enrollment Web Service. The Certificate Enrollment Web Service enables users and computers to perform certificate enrollment that uses the HTTPS protocol. Together with the Certificate Enrollment Policy Web Service, this enables policy-based certificate enrollment when the client computer is not a member of a domain or when a domain member is not connected to the domain.
- Certificate Enrollment Policy Web Service. The Certificate Enrollment Policy Web Service enables users and computers to obtain certificate enrollment policy information. Together with the Certificate Enrollment Web Service, this enables policy-based certificate enrollment when the client computer is not a member of a domain or when a domain member is not connected to the domain.
Benefits of AD CS
Organizations can use AD CS to enhance security by binding the identity of a person, device, or service to a corresponding private key. AD CS gives organizations a cost-effective, efficient, and secure way to manage the distribution and use of certificates.
Applications supported by AD CS include Secure/Multipurpose Internet Mail Extensions (S/MIME), secure wireless networks, virtual private network (VPN), Internet Protocol security (IPsec), Encrypting File System (EFS), smart card logon, Secure Socket Layer/Transport Layer Security (SSL/TLS), and digital signatures.
The new features of AD CS in Windows Server 2008 R2 include:
- Certificate enrollment that uses the HTTPS protocol.
- Certificate enrollment across Active Directory Domain Services (AD DS) forest boundaries.
- Improved support for high-volume certificate issuance.
- Support for CAs on a Server Core installation of Windows Server 2008 R2.
Hardware and software considerations
Although AD CS can be deployed on a single server, many deployments will include multiple servers configured as CAs, other servers configured as Online Responders, and others serving as Web enrollment portals. CAs can be installed on servers running a variety of operating systems, including Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, and Windows 2000 Server. However, not all operating systems support all features or design requirements, and creating an optimal design will require careful planning and testing before you deploy AD CS in a production environment.
Installing AD CS
we will be installing the CA in this Post on a domain controller as enterprise CA . this is not recommended as if you need to move to higher or bigger design you will face a lot of issues . I will be posting later on about how to install PKI
the two types of CA is Enterprise and standalone
- Enterprise CA is active directory integrated MUST be installed on a member server and has a template customization ,auto enrollment features and more
- Stand alone CA can be installed on workgroup machine usually we use it in a special scenarios
the CA key is the most important key of ALL try to make it 2048 or more if this key compromised any key issued by this CA will be also compromised
I am using a easy name but under no circumstances you use a generic name like CA or ROOTCA try to use something like "ROOT CA for Contoso HQ LTD" , the longer the better
don’t go above 20 year
now we create a GPO to enable the computers auto enrollment this is not requirement of the CA but this will greatly enhance your network security
now every machine will restart will obtain a certificate for the machine name
you can do the same for users but I found this to be unnecessary load on the CA so unless you have a good reason to enroll your users .