


Does A Domain Controller Need A Computer Template Certificate?

AD CS in Windows Server

Active Directory Certificate Services (AD CS) implements a PKI in your Active Directory and Windows Server 2008 environment. Windows clients that participate in an AD domain or forest are configured to trust internal Windows CAs by default. A Windows-based CA is said to be internal because, by default, external clients cannot use it unless your CA is configured as a trusted root CA on those clients. While it is possible to establish such a trust with partner companies, it is not practical for Internet-facing applications and servers (for those, a public CA is the best option). AD CS lets you issue any number of certificates at no cost beyond the OS and hardware that run it. With AD CS, you can implement the following technologies on your internal network:

■ Smart card logon (authentication)

■ IPsec communication security

■ Encrypting File System (EFS)

■ Secure Multipurpose Internet Mail Extensions (S/MIME)

■ Secure web sites using Secure Sockets Layer (SSL) or Transport Layer Security (TLS)

■ Digital signatures to provide non-repudiation in any of the preceding technologies

■ Secure wireless communication

■ Network Access Protection (NAP)

Issuing Certificates

You can issue digital certificates in Windows Server 2008 either manually (using the Certificates MMC snap-in or the Web Enrollment feature) or automatically (using group policy autoenrollment). Besides these functions, the Certificates snap-in allows you to perform the following:

■ Request a certificate to be reissued.

■ Renew certificates, generating new keys or reusing existing ones.

■ Configure automatic enrollment.

■ Import or export certificates to and from a file (including backing up a private key).

■ Search, delete, and edit certificates.

You can also use a web interface to request new certificates. This is a valuable option if you need to request a certificate from a Windows CA located outside your Active Directory structure. By default, Certificate Services creates an Internet Information Services virtual directory called "certsrv," and you can request certificates by going to http://servername/certsrv/ in your browser. This feature is called Web Enrollment. Web Enrollment also provides CRL download services in AD CS. Note that the default binding is plain HTTP: the private key is generated locally by the browser and never travels over the wire, but the Windows credentials you log on with do, so bind certsrv to HTTPS once the CA has issued the web server its own certificate.
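As an added example (this is not code from the original page), here is the same manual request done from the command line with certreq, which is also what you would use against a CA outside your own forest when the certsrv page is not reachable. The CA configuration string dc01.flexecom.local\flexecom-DC01-CA, the host name web01.flexecom.local and the working folder are assumptions; WebServer is the built-in template.

```powershell
# Added example (not from the original page): request a Web Server certificate from
# the internal enterprise CA with certreq instead of the certsrv web page.
# Assumed: CA config string "dc01.flexecom.local\flexecom-DC01-CA", host
# web01.flexecom.local, built-in WebServer template. Run elevated on web01.
$caConfig = 'dc01.flexecom.local\flexecom-DC01-CA'
$work     = 'C:\certreq'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Request INF: key stays in the machine store and is non-exportable; the SAN lists
# every name the site answers to (browsers match on SAN, not on CN).
# KeySpec 1 = AT_KEYEXCHANGE, KeyUsage 0xA0 = digitalSignature + keyEncipherment.
$inf = @'
[NewRequest]
Subject = "CN=web01.flexecom.local"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = WebServer

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=web01.flexecom.local&"
_continue_ = "dns=www.flexecom.local"
'@
Set-Content -Path "$work\web01.inf" -Value $inf -Encoding ASCII

# 1. Generate the key pair in the machine store and write the PKCS#10 request.
certreq -new "$work\web01.inf" "$work\web01.req"

# 2. Submit to the CA. An enterprise CA issues immediately when the template allows it;
#    otherwise the request sits in Pending Requests and -submit prints its RequestId.
certreq -submit -config $caConfig "$work\web01.req" "$work\web01.cer"

# 3. Bind the issued certificate to the private key created in step 1.
certreq -accept "$work\web01.cer"

# 4. Confirm it landed in the machine store together with its (non-exportable) key.
certutil -store My web01.flexecom.local | Select-String 'Subject|Template|Private key|NotAfter'
```

The request never leaves the machine with a private key in it: the CA only ever sees the PKCS#10, and step 4 is the check that the issued certificate was paired with the key that generated it.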

Online Responder Service

The Online Responder Service implements the Online Certificate Status Protocol (OCSP), defined in RFC 2560. OCSP differs from CRLs in that it runs as a service that accepts validity queries about specific certificates. The service processes each request and issues a digitally signed response containing the status of the certificate in question.

A CRL, on the other hand, is a file that contains all revoked certificates. While this file is also signed, the issue becomes its manageability and size, as it can grow quite large in sizeable deployments, and every relying party downloads the whole file even to check a single certificate.
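Added example, not from the original page: how the revocation check actually plays out for one certificate, and what the CRL-size concern looks like in practice. It assumes an issued certificate file C:\pki\user.cer; the CDP and OCSP locations are read from the certificate rather than hard-coded.

```powershell
# Added example (not from the original page): walk through the revocation check a
# relying party performs for one certificate, and measure the CRL it must download.
# Assumed input: C:\pki\user.cer, a certificate issued by the lab CA.
$certFile = 'C:\pki\user.cer'
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certFile

# 1. Where does this certificate say its status can be checked?
#    2.5.29.31 = CRL Distribution Points; 1.3.6.1.5.5.7.1.1 = Authority Information
#    Access, which carries the OCSP responder URL next to the issuer-certificate URL.
foreach ($ext in $cert.Extensions) {
    if (@('2.5.29.31', '1.3.6.1.5.5.7.1.1') -contains $ext.Oid.Value) {
        "{0}:`n{1}" -f $ext.Oid.FriendlyName, $ext.Format($true)
    }
}

# 2. certutil -verify -urlfetch builds the chain and really downloads every CRL and
#    queries every OCSP responder listed, reporting each source as Verified or Failed.
#    A revoked certificate is reported explicitly; if every source fails, the client
#    treats the status as unknown, which CryptoAPI counts as a failed revocation check.
$verify = certutil -verify -urlfetch $certFile
$verify | Select-String 'Verified|Failed|REVOKED|Revocation'

# 3. The CRL is one signed file listing every revoked serial number, and each relying
#    party fetches the whole thing. Download the base CRL named in the output and size it.
$m = $verify | Select-String 'http://\S+\.crl' | Select-Object -First 1
if ($m) {
    $crlFile = 'C:\pki\current.crl'
    (New-Object System.Net.WebClient).DownloadFile($m.Matches[0].Value, $crlFile)
    certutil -dump $crlFile | Select-String 'Issuer|ThisUpdate|NextUpdate|CRL Entries'
    'CRL size: {0} bytes' -f (Get-Item $crlFile).Length
}
```

Run it against a certificate issued before and after a few hundred revocations and the byte count in step 3 is the argument for an Online Responder: the OCSP answer stays the same size no matter how many certificates have been revoked.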

Network Device Enrollment Service

The Network Device Enrollment Service (NDES) allows network devices to request certificates and enroll with a Windows CA, just as any other Windows client would. NDES implements SCEP, the Simple Certificate Enrollment Protocol, which was developed by Cisco. Using NDES, you can extend your internal CA coverage to include network gear. This is handy in IPsec or NAP implementations.

NDES cannot be installed before or during CA installation; it must be installed once a fully functional CA is accessible on the network. This is because, in order for NDES to perform its enrollment functions successfully and securely, it first needs to enroll itself with the associated CA.

Registration Authority

In SCEP terminology, the Registration Authority (RA) is the intermediary that accepts enrollment requests from devices, signs and encrypts the exchange with certificates of its own, and submits the requests to the CA; the NDES server plays this role. During installation of NDES you will be prompted to provide Registration Authority information (a name and the country/region that go into the RA certificates). Since NDES does not need to be deployed on the same computer as the rest of the CA infrastructure, the installation procedure simply needs to identify where to submit certificate enrollment requests.
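Added example, not from the original page: querying an NDES server the way a device would, then checking the NDES settings that decide who may enroll through it. The host name ndes01.flexecom.local is an assumption; the mscep.dll path and the SCEP operation names are the ones NDES implements, and the registry key names are the ones NDES uses, but confirm the layout on your build.

```powershell
# Added example (not from the original page): query an NDES server the way a network
# device would, then check the NDES settings that decide who may enroll through it.
# Assumed host: ndes01.flexecom.local. Registry names are NDES's; confirm on your build.
$ndes = 'http://ndes01.flexecom.local/certsrv/mscep/mscep.dll'
$wc = New-Object System.Net.WebClient

# GetCACaps and GetCACert are answered without authentication, so any host on the
# network can learn the CA and RA certificates. (${ndes} is braced because '?' is a
# legal character in PowerShell variable names and "$ndes?" would be another variable.)
$caps = $wc.DownloadString("${ndes}?operation=GetCACaps&message=ca")
"SCEP capabilities advertised:`n$caps"

# GetCACert returns either the bare CA certificate or a degenerate PKCS#7 carrying the
# CA certificate plus the two RA certificates (signing and encryption);
# X509Certificate2Collection.Import handles both encodings.
$bytes = $wc.DownloadData("${ndes}?operation=GetCACert&message=ca")
$coll = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$coll.Import($bytes)
foreach ($c in $coll) {
    '{0,-60} expires {1:yyyy-MM-dd}' -f $c.Subject, $c.NotAfter
}
# Device enrollment stops working when the RA certificates expire (they are ordinary
# end-entity certificates), so their NotAfter dates belong on a calendar.

# On the NDES server itself: a PKIOperation request is accepted only with a one-time
# challenge password while EnforcePassword is 1. With 0, any device that can reach the
# URL above gets a certificate from the templates named here, so audit these values
# after every NDES change.
$mscep = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
if (Test-Path $mscep) {
    Get-ItemProperty $mscep | Select-Object EncryptionTemplate, SignatureTemplate, GeneralPurposeTemplate
    Get-ItemProperty "$mscep\EnforcePassword"   | Select-Object EnforcePassword
    Get-ItemProperty "$mscep\PasswordValidity"  | Select-Object PasswordValidity   # minutes a challenge stays valid
    Get-ItemProperty "$mscep\UseSinglePassword" | Select-Object UseSinglePassword  # 1 = one static password for all devices
}
# Challenge passwords are handed out by http://<ndes>/certsrv/mscep_admin/, which IIS
# restricts to authenticated users; that ACL is the real enrollment gate.
```

The first half is what an attacker on the network sees too, which is why the second half matters: the challenge password and the templates NDES is allowed to request are the only things standing between "can reach mscep.dll" and "holds a certificate from your CA".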

Automatic Enrollment

Starting with Windows Server 2003, it is possible to enroll users and computers with a CA automatically. This is especially useful in environments with significant numbers of users and computers.

To enroll your users automatically, you need to make sure that the following conditions are met:

■ All domain controllers must be running at least Windows 2000 Server SP3. Windows Server 2003/2008 is highly recommended.

■ Clients must be running Windows XP/Vista or Windows Server 2003/2008.

■ You need to install the Enterprise CA role on the Enterprise or Datacenter Edition of Windows Server 2003 or 2008 (Standard Edition CAs can only issue version 1 templates, and autoenrollment requires version 2 or 3).

Root and Subordinate (Issuing) CA

In any chain of CA trust, there is always a system at the very top that serves as the beginning of the trust chain; this is no different from DNS and its "." root. This system is referred to as the root CA. The root CA creates a new instance of a certification authority, much as the first domain controller creates a new instance of AD DS. If a client trusts the root CA, it will trust all certificates issued by any entity that "chains up" to the same root CA (assuming the certificates are not invalidated by other factors, such as the validity period or revocation status).

The issuing CA, or subordinate CA, is a CA that participates in an existing CA hierarchy; it is a descendant of the root CA or of another intermediate/subordinate CA. There can be many levels of subordination.

Imagine a scenario where an organization deploys a single root CA and issues 10,000 certificates to all domain-based computers. A month later, they find that the root system had a Trojan on it, and they decide that the root CA can no longer be trusted (that is, its private key may have been compromised). Reinstalling that CA would be a bit of a problem, since you would need to revoke all existing certificates, ensure that the CRL is published somewhere before destroying the compromised system, install a new root CA, configure clients to trust the new system, and finally issue all certificates again. That would be a challenge, and the more partner relationships your organization engages in, the more complex and embarrassing this process becomes.

The solution is to have a single root CA, deployed as a standalone root CA, use it to issue several subordinate CA certificates, and take it offline on a semipermanent basis. Subordinate (or issuing) CAs are then deployed as enterprise CAs and used to issue certificates. Should any of the online CAs be compromised, the root CA is brought back online only long enough to revoke the issuing CA's certificate, publish a new CRL, and sign a certificate for a replacement issuing CA. All existing user/computer certificates issued by the fallen subordinate CA then lose their validity, because their trust path no longer "chains up" to a valid CA. The main beauty of this design is that you won't need to reinstall your entire PKI, won't need to reconfigure clients to trust a new root CA, and won't need to exchange new root CA certificates with partnering organizations. One caveat: clients only learn that the issuing CA was revoked when they can fetch the root's CRL, so the root's CDP must point to a location (typically HTTP) that stays reachable while the root itself is offline.
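Added example, not from the original page: the commands behind the offline-root design just described, from the CAPolicy.inf that shapes the root certificate to the revocation of a compromised issuing CA. The CA name Flexecom-Root-CA, the HTTP publication point http://pki.flexecom.local/pki/, the \\pki\pki share and the C:\transfer folder are assumptions; the certutil registry names, publication flags and %-tokens are the standard AD CS ones.

```powershell
# Added example (not from the original page): the offline-root design as commands.
# Assumed: root CA "Flexecom-Root-CA" on a workgroup server, HTTP publication point
# http://pki.flexecom.local/pki/ served from the share \\pki\pki, and a transfer
# folder C:\transfer on removable media. Adapt every name to your forest.

# --- On the future root, BEFORE running the Add Roles wizard ---
# %SystemRoot%\CAPolicy.inf is read by the wizard and shapes the root certificate.
# A root has no CDP/AIA of its own, so this only fixes key size, lifetime, CRL
# cadence (26 weeks: the box is offline, its CRL must stay valid for months) and
# hierarchy depth. PathLength=1 means "one tier of issuing CAs below me, no deeper".
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[certsrv_server]
RenewalKeyLength=4096
RenewalValidityPeriodUnits=20
RenewalValidityPeriod=Years
CRLPeriodUnits=26
CRLPeriod=Weeks
CRLDeltaPeriodUnits=0
CRLDeltaPeriod=Days
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=0

[BasicConstraintsExtension]
PathLength=1
Critical=Yes
'@
Set-Content -Path "$env:SystemRoot\CAPolicy.inf" -Value $caPolicy -Encoding ASCII

# --- On the root, AFTER the wizard (Standalone, Root CA) ---
# Where the CDP and AIA inside certificates the root signs will point. The root is
# offline, so these must be reachable without it: HTTP only, no LDAP.
# Flags: 65 = write base+delta CRL to this local path, 1 = write the CA cert there,
# 2 = embed this URL in issued certificates. Tokens: %3 CA name, %8 CRL suffix,
# %9 delta suffix, %1 server DNS name, %4 certificate renewal suffix.
certutil -setreg CA\CRLPublicationURLs "65:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.flexecom.local/pki/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.flexecom.local/pki/%3%4.crt"
net stop certsvc; net start certsvc
certutil -crl                                   # first CRL under the new settings
certutil -ca.cert C:\transfer\Flexecom-Root-CA.crt
Copy-Item "$env:SystemRoot\system32\CertSrv\CertEnroll\Flexecom-Root-CA.crl" C:\transfer\

# --- On a domain member, as Enterprise Admin, with C:\transfer carried over ---
# Publishing into AD makes every domain machine trust the root through Group Policy
# and lets issuing CAs find the root CRL; the HTTP copy serves everyone else.
certutil -dspublish -f C:\transfer\Flexecom-Root-CA.crt RootCA
certutil -dspublish -f C:\transfer\Flexecom-Root-CA.crl
Copy-Item C:\transfer\Flexecom-Root-CA.* \\pki\pki\

# --- Compromise response (the scenario in the text), back on the root ---
# Reason 2 = CA compromise. Once the new CRL reaches the CDP, every certificate the
# fallen issuing CA ever signed fails chain validation, while the root and the
# clients' trust anchor are untouched. Then sign the replacement issuing CA's request.
$serial = Read-Host 'Serial number of the compromised issuing CA certificate (Issued Certificates folder)'
certutil -revoke $serial 2
certutil -crl
Copy-Item "$env:SystemRoot\system32\CertSrv\CertEnroll\Flexecom-Root-CA.crl" C:\transfer\
# ...then republish the CRL from the domain member exactly as above.
```

The CRL period is the design's one moving part: it must outlast the longest stretch the root stays powered off, or every certificate in the forest starts failing revocation checks on the day the root CRL expires, compromise or not.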

Standalone CA vs. Enterprise CA

The difference between standalone and enterprise CAs is that, as the name implies, a standalone CA can be deployed on a non-domain member, or on a domain member without integration with AD DS, whereas an enterprise CA can be deployed only in an AD DS-integrated scenario.

Needless to say, a standalone CA is the more limited of the two. You cannot use a standalone CA to autoenroll users. A standalone CA also does not support enterprise-level features such as key archival or version 2/version 3 certificate templates (more about this later).

To deploy a CA, you can use the Standard, Enterprise, or Datacenter Edition of Windows Server 2008. If you wish to take advantage of all AD CS features, such as NDES and OCSP, you will need the Enterprise or Datacenter Edition.

EXERCISE 10-1

Installing Active Directory Certificate Services

To install a CA, we first need to add the Active Directory Certificate Services role to our lab domain controller. As mentioned previously, the best design uses more than one server to implement a CA, but for simplicity we will install the CA as an enterprise root CA on the only domain controller in our lab. Note: this is not recommended either, but for this exercise we will also add the IIS role on the same domain controller in order to deploy Web Enrollment.

1. Log on using an administrative account, open Server Manager, select the Roles node, and click Add Roles.

2. On the list of available roles, select Active Directory Certificate Services, and click Next twice.

3. On the Select Role Services page, select the top three role services: Certification Authority, Certification Authority Web Enrollment, and Online Responder. When you select Web Enrollment you will be prompted to add the IIS role with a specific list of components; accept this and click Next.

4. On the Specify Setup Type page, select Enterprise and click Next.

5. On the Specify CA Type page, select Root CA and click Next.

6. On the Set Up Private Key page, select the option to create a new private key. This private key is the most important cryptographic key in the entire internal PKI we are about to deploy. Click Next.

7. Leave the Cryptographic Service Provider at its default value. Increase the key length to the maximum, 4096. For the hash algorithm, select SHA256 or stronger (SHA512 is fine if every client that will validate this chain supports it). Do not select MD2, MD4 or MD5: all three have serious flaws, and MD5 collisions are cheap enough to compute that a certificate chaining to an MD5-signed issuer can be forged. NIST considers SHA1 successfully attacked, even though practical applications were still remote at the time of writing, and U.S. Federal agencies were directed to stop using SHA1 for digital signatures by the end of 2010. SHA256 is sufficient for the vast majority of organizations.

8. On the Configure CA Name page, leave the default name and click Next.

9. On the Set Validity Period page, raise the validity to 20 years and click Next.

10. On the Configure Certificate Database page, leave the defaults and click Next.

11. On the Web Server (IIS) page, click Next (twice). Then click Install to proceed with the role installation. When installation is done, click Close.

12. Next, let's create a service account for the NDES service. We will call it [email protected] This service account needs to be added to the IIS_IUSRS security group, and it needs permission to enroll with the CA to obtain an IPsec certificate (you will need to duplicate the IPsec (Offline request) template, grant the service account Enroll permission, and assign the customized template to the CA; the steps for doing this are in the next exercise).

13. To add the NDES role service to an existing CA, in Server Manager expand the Active Directory Certificate Services section and click Add Role Services. You will go through a similar wizard, where you check Network Device Enrollment Service.

14. On the User Account page, select the service account we just created.

15. On the Registration Authority page, indicate which country/region the RA is in, and click Next.

16. Increase the signature and encryption key lengths to 4096 and click Next. Then click Install.

The Certification Authority is now installed. You can review its configuration using the Certification Authority console, shown in Figure 10-1.

FIGURE 10-1

Certification Authority console (screenshot). The tree shows the CA node flexecom-TORDC01-CA with the folders Revoked Certificates, Issued Certificates, Pending Requests, Failed Requests and Certificate Templates. The Certificate Templates pane lists each template with its intended purpose, among them Flexecom User, CEP Encryption, Exchange Enrollment Agent (Offline request), IPSec (Offline request), Directory E-mail Replication, Domain Controller Authentication, EFS Recovery Agent, Basic EFS, Domain Controller, Web Server, Computer, Subordinate Certification Authority and Administrator.
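Added example (not from the original page): checking and tightening the CA just installed in Exercise 10-1 from the command line, which is where the hash choice from step 7 can be corrected after the fact. The 1-week CRL cadence and the export path are assumptions; run it elevated on the CA itself.

```powershell
# Added example (not from the original page): verify and tighten the CA installed in
# Exercise 10-1. Run elevated on the CA; the CRL cadence and C:\pki are lab assumptions.
certutil -cainfo                     # CA name, type (Enterprise Root), certificate and key state

# Signing hash. The wizard's default provider is the CNG key storage provider, whose
# hash lives under ca\csp\CNGHashAlgorithm (a legacy CSP uses ca\csp\HashAlgorithm with
# a numeric ALG_ID instead). If the wizard was left at SHA1, switch to SHA256 now: the
# root certificate keeps the hash it was created with, but everything issued from here
# on (certificates, CRLs, OCSP responses) is signed with SHA256.
certutil -getreg ca\csp\CNGHashAlgorithm
certutil -setreg ca\csp\CNGHashAlgorithm SHA256

# CRL cadence. An online enterprise CA can publish often; the overlap window gives
# clients time to fetch the new CRL before the old one expires.
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"
certutil -setreg CA\CRLOverlapUnits 12
certutil -setreg CA\CRLOverlapPeriod "Hours"

# Audit everything the CA does. 127 sets all seven AuditFilter bits (start/stop,
# backup/restore, issue/revoke/request, CRL publish, security changes, archived-key
# access, configuration changes). Events only reach the Security log when the
# Certification Services subcategory is also enabled in audit policy.
certutil -setreg CA\AuditFilter 127
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# Restart to apply, publish a CRL, and export the root certificate for distribution.
net stop certsvc; net start certsvc
certutil -crl
certutil -ca.cert C:\pki\flexecom-DC01-CA.crt
```

The audit settings are the part most often skipped in a lab and most needed in production: without them a certificate issued to the wrong principal, or a key pulled out of the archive, leaves no trace in the Security log.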

Certificate Templates

Certificate templates are to digital certificates what schema classes are to objects in AD DS: a certificate template defines common rules that apply to all certificates of a certain type, which are issued based on the same master template. For certain specific applications, such as issuing new subordinate CA certificates, your AD CS

is already configured (if you followed the steps in Exercise 10-1). In other cases, you will want to modify existing templates, configure them with common rules that apply to your infrastructure, and then enable certificate issuance for the newly configured templates.

There are multiple versions of certificate templates. Version 1 templates are the most limited and support only the most basic functionality, but they are compatible with the widest range of devices and other certification authorities that may interact with your organization. Version 2 certificate templates can be used for automatic enrollment, and many of the values in these templates can be adjusted. Some version 2 templates are preconfigured right from the installation of a new CA. Version 2 templates allow the following types of user autoenrollment:

■ Enroll the subject without requiring any user input. This enrolls users automatically without notifying them.

■ Prompt the user during enrollment. This informs users when the new certificate is requested and then installs it. Some information may be requested; for example, users will be prompted for a PIN if the certificate is to be used with a smart card.

■ Prompt the user during enrollment and require user input when the private key is used. This option also notifies users when the certificate is installed and notifies them every time their private key is used.

Version 3 certificate templates are new to Windows Server 2008 and allow more advanced manipulation of cryptographic functions, such as selecting hash and cryptographic algorithms (they require a CNG key storage provider). Version 3 templates are compatible with Windows Server 2008 CAs and Windows Server 2008/Windows Vista clients only. You can review existing templates using the Certificate Templates snap-in, shown in Figure 10-2.

Once a certificate template has been duplicated and reconfigured, it needs to be set up with a CA for issuance. You will also need to ensure that the template has been permissioned for autoenrollment, where automatic enrollment is the intended distribution method for the certificates in question. Let's walk through the following exercise to see how it is done.

FIGURE 10-2

Certificate Templates console

EXERCISE 10-2

Configuring a Certificate Template, Key Archival, and Automatic Enrollment

You will want to change some settings of the existing templates, and in some cases that will require creating a duplicate of a certificate template. For the purpose of this exercise, we will create a custom "user" certificate template and configure it with stronger cryptographic algorithms.

1. Open the Certification Authority console by clicking Start | Administrative Tools | Certification Authority.

2. Expand your CA node, then right-click the Certificate Templates node and click Manage.

3. In the Certificate Templates console, find the User template, right-click it, and click Duplicate Template. You will be prompted to indicate which version the CA should use to duplicate the template. Select Windows Server 2008 (shown in Figure 10-3).

FIGURE 10-3

Selecting a certificate template version (Duplicate Template dialog: "You can create certificate templates with advanced properties. However, not all Windows CAs support all certificate template properties. Select the version of Windows Server (minimum supported CAs) for the duplicate certificate template." Options: Windows Server 2003, Enterprise Edition; Windows Server 2008, Enterprise Edition.)

4. On the General tab, type Flexecom User as the certificate template name, or another name of your choice. On the same tab you can enable certificate publishing in Active Directory. Optionally, you can also enable "Do not automatically re-enroll if a duplicate certificate exists in Active Directory". Select this option to prevent certificate duplication when users without a roaming profile log on from different machines.

5. On the Request Handling tab, select Archive Subject's Encryption Private Key. Also make sure that the template is allowing autoenrollment without user input (see Figure 10-4). The User template has "Allow private key to be exported" enabled by default; clear it unless users genuinely need to move their key, since an exportable key can be copied off the machine by anyone able to log on as that user.

FIGURE 10-4

Enabling Key Archival (Properties of New Template, Request Handling tab. Purpose: Signature and encryption. Check boxes: Delete revoked or expired certificates (do not archive); Include symmetric algorithms allowed by the subject; Archive subject's encryption private key; Use advanced Symmetric algorithm to send the key to the CA; Add Read permissions to Network Service on the private key (enable for machine templates only); Allow private key to be exported. Enrollment behaviour: Enroll subject without requiring any user input; Prompt the user during enrollment; Prompt the user during enrollment and require user input when the private key is used.)

6. On the Subject Name tab, ensure that the user's e-mail and UPN logon names are included in the alternate subject name (see Figure 10-5). Alternate subject names allow various ways of presenting a user identity to work with a single certificate (for instance, you use an e-mail address when sending e-mail and a UPN logon name to access the network).

7. On the Cryptography tab, change the Hash Algorithm to SHA256 (see Figure 10-6). Do not choose MD5 here, for the reasons given in Exercise 10-1.

8. On the Security tab, ensure that Authenticated Users are allowed to Autoenroll using this template (see Figure 10-7).

9. Commit the certificate template duplicate and switch back to the Certification Authority console. Click the Certificate Templates node. Find the User template, right-click it, and click Delete. This removes the standard User template from the list this CA issues (the template itself remains in Active Directory), so users can no longer enroll against it.

10. Now right-click the Certificate Templates node, and click New | Certificate Template To Issue. On the list that is presented, select the template you just created (Flexecom User), and okay the changes (see Figure 10-8).

FIGURE 10-5

Constructing an alternate subject name (Subject Name tab. "Supply in the request": select this option to allow a variety of subject name formats or if you do not have access to the domain of which the subject is a member; autoenrollment is not allowed if you choose this option. "Build from this Active Directory information": select this option to enforce consistency among subject names and to simplify certificate administration. Subject name format: Fully distinguished name; Include e-mail name in subject name. Include this information in alternate subject name: E-mail name, DNS name, User principal name (UPN), Service principal name (SPN).)

FIGURE 10-6

Selecting cryptographic options

FIGURE 10-7

Autoenrolling permissions (Flexecom User Properties, Security tab. Group or user names: Authenticated Users, Administrator, Domain Admins (FLEXECOM\Domain Admins), Domain Users (FLEXECOM\Domain Users), Enterprise Admins (FLEXECOM\Enterprise Admins). Permissions for Authenticated Users, each with Allow and Deny columns: Full Control, Read, Write, Enroll, Autoenroll.)

FIGURE 10-8

List of certificate templates available for distribution (Enable Certificate Templates dialog: "Select one Certificate Template to enable on this Certification Authority. Note: If a certificate template that was recently created does not appear on this list, you may need to wait until information about this template has been replicated to all domain controllers. All of the certificate templates in the system may not be available to your CA." Listed with intended purpose: Enrollment Agent (Certificate Request Agent); Enrollment Agent (Computer) (Certificate Request Agent); Exchange Signature Only (Secure Email); Exchange User (Secure Email); Flexecom User (Client Authentication, Secure Email, Encrypting File System); IPSec (IP security IKE intermediate); Kerberos Authentication (Client Authentication, Server Authentication, Smart Card Logon, KDC Authentication); Key Recovery Agent (Key Recovery Agent); OCSP Response Signing (OCSP Signing); RAS and IAS Server (Client Authentication, Server Authentication).)

The key archival system is not functional yet, because we have not designated any key recovery agents. To do so, we need to enroll one or more administrative accounts (or special service accounts) using the Key Recovery Agent certificate template. First, add the Key Recovery Agent certificate template to the list of templates issued by the CA. Next, use Administrator (or another service account) to enroll with that CA as a key recovery agent; this can be done manually using the Certificates MMC snap-in. Because the Key Recovery Agent template requires CA certificate manager approval, the request lands in Pending Requests and must be manually issued in the Certification Authority console. Then register the key recovery agent with the CA: in the Certification Authority console, open the CA's properties, go to the Recovery Agents tab, select Archive The Key, and add the key recovery agent's certificate to the list of registered recovery agents (the CA service must be restarted for this to take effect). Finally, ensure that your certificate templates are configured to archive keys (we already did this in Exercise 10-2).

Key archival is vital to configure before deploying any sort of EFS encryption to users. If users lose their private keys, encrypted data will be rendered irretrievable unless key archival is implemented. Keep in mind that key archival is only available on enterprise CAs, running integrated with AD DS.

ON THE JOB

If you configure key archival in certificate templates, as per Exercise 10-2, but fail to set up key recovery agents as described in the preceding paragraph, certificates will not be issued successfully: the CA rejects the request because it has no recovery agent certificate to encrypt the archived key to. Ensure that you are comfortable setting up key archival for the exam and for real-life PKI deployments.

The new user certificate template is ready for distribution with key archival. Next, we will configure a domain-based group policy to enable automatic enrollment for users.
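Added example, not part of the original page: the CA side of Exercise 10-2 and the key recovery agent setup above from the command line, finishing with the recovery itself. Assumptions: the duplicate template's name is FlexecomUser (the display name Flexecom User with the space removed, as the console proposes), the user to be recovered is jsmith@flexecom.local, and the folder C:\recover exists. Removing the built-in User template from the CA is still done in the console as in step 9.

```powershell
# Added example (not from the original page): CA-side template setup, key recovery
# agent enrollment check, and an actual key recovery. Assumed: template name
# FlexecomUser, user jsmith@flexecom.local, folder C:\recover. Run elevated on the CA
# unless a comment says otherwise.

# 1. Templates this CA is allowed to issue: add the duplicate and the Key Recovery Agent
#    template. (Removing the built-in User template is done in the console as in step 9;
#    that takes it off this CA's issuance list only, the template itself stays in AD.)
certutil -CATemplates                                     # before
certutil -SetCATemplates +FlexecomUser +KeyRecoveryAgent
certutil -CATemplates                                     # after

# 2. Enroll an administrator for a Key Recovery Agent certificate from the Certificates
#    MMC, as in the text. The KRA template requires certificate manager approval, so the
#    request waits in Pending Requests (Disposition 9). Issue it, register the KRA
#    certificate on the Recovery Agents tab, restart certsvc, and the CA reports how
#    many agents it will encrypt archived keys to.
certutil -view -restrict "Disposition=9" -out "RequestID,RequesterName,CertificateTemplate"
$pending = Read-Host 'RequestID of the KRA request to issue'
certutil -resubmit $pending
# (register the KRA certificate in the console, then:)
net stop certsvc; net start certsvc
certutil -getreg CA\KRACertCount                          # 0 here = archival requests will be rejected

# 3. On a client, as the user: trigger autoenrollment. Then, on the CA, confirm the key
#    was archived: KeyRecoveryHashes is filled only when the private key reached the CA.
certutil -pulse                                           # on the client
certutil -view -restrict "UPN=jsmith@flexecom.local" -out "RequestID,CertificateTemplate,KeyRecoveryHashes"

# 4. Recovery, split across two roles on purpose: a certificate manager runs -getkey,
#    which finds the archived blob (by UPN or serial) and writes a PKCS#7 that only the
#    registered KRAs can open; the KRA runs -recoverkey where their private key lives
#    and produces a password-protected PFX to hand to the user.
certutil -getkey jsmith@flexecom.local C:\recover\jsmith.blob
$pfxPassword = Read-Host 'Password for the recovered PFX'
certutil -recoverkey -p $pfxPassword C:\recover\jsmith.blob C:\recover\jsmith.pfx
```

The two-command recovery is the reason to keep the KRA certificate's private key off the CA: whoever holds it can decrypt every archived key, so the certificate manager who can extract blobs and the agent who can open them should not be the same person.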


Source: https://www.serverbrain.org/active-directory-2008/ad-cs-in-windows-server.html
