Trust me, you are on the right track: security is something we must implement with extra care, in virtual test labs as well as in the production environment; otherwise you may accidentally create holes in your AD network, or cause yourself trouble with connections, authentication, and so on.
And then the whole PKI system would be useless.
[00:03] We have been looking into AD CS theory for a while in this series: Installing and Configuring Active Directory Certificate Services Server Role and Publishing the Certificate Revocation List.
AD CS is a server role of Windows Server. It builds a PKI in a Microsoft Active Directory network by setting up Windows CAs, with their certificates, keys, types and scopes, which in turn create PKI objects such as digital certificates, public keys and CA hierarchies.
Let's take a look at AD CS and PKI again.
Recall what a PKI is: an infrastructure, a system that protects data and traffic inside and outside the network by providing strong encryption, authentication and integrity checking through digital certificates.
A well-known protocol is HTTPS, which relies on PKI to secure everyday web browsing.
More about PKI:
Certificates, also called digital certificates or public-key certificates.
In cryptography, a public-key certificate (or identity certificate) is a certificate which uses a digital signature to bind together a public key with an identity – information such as the name of a person or an organization, their address, and so forth.
The certificate can be used to verify that a public key belongs to an individual.
Now, in this first episode about configuring Active Directory Certificate Services certificates, we will see a real application of AD CS as well as its main object: certificates.
We already have a 2-tier PKI in place with 2 CAs: a Standalone Root CA and an Enterprise Subordinate CA.
[00:41] "Certificate Templates Overview" – technet.microsoft.com
[00:43] The CAs on the Windows Server 2008 R2 machines are where we define certificate templates, so that clients can request certificates through the Web Enrollment app or the Certificates MMC snap-in.
Enterprise certification authorities (CAs) use certificate templates to define the format and content of certificates, to specify which users and computers can enroll for which types of certificates, and to define the enrollment process, such as auto-enrollment, enrollment only with authorized signatures, and manual enrollment.
[00:58] Open the Certification Authority (certsrv) snap-in from the Start Menu.
[01:12] Oops, this is a Standalone Root CA, so certificate templates are not used here; in any case, this type of CA should only be used to issue certificates to its Subordinate CAs.
[01:33] "Public Key Infrastructure Part 6 – Manage certificate templates" – tech-coffee.net
[02:01] "Stand-Alone Certification Authorities" – technet.microsoft.com
Certificate Template: a pre-configured list of certificate settings that allows users and computers to enroll for certificates without having to create complex certificate requests.
So we only need to know the desired functions of the certificate, which are usually described explicitly in the template's name.
Select the Certificate Templates section in the CA console.
There are 10 certificate templates loaded by default: Directory Email Replication, Domain Controller Authentication, EFS Recovery Agent, Basic EFS, Domain Controller, Web Server, Computer, User, Subordinate Certificate Authority, Administrator.
[02:31] Open the Certificate Templates Console repository via the Manage menu to see available templates.
In this demo, I will create a certificate template (CT) based on the available User template, with some customizations.
So I will duplicate this template rather than edit the existing one, so that we can reuse the basic template later.
You can create certificate templates with advanced properties. However, not all Windows CAs support all certificate template properties. Select the version of Windows Server (minimum supported CAs) for the duplicate certificate template.
[03:22] Since Windows Server 2003 and 2008 R2, there have been 2 versions of CTs, kept for compatibility reasons; of course, the higher the version number, the more advanced its functions.
With Windows Server 2003-based CAs, the Certificate Templates snap-in allowed you to define specific attributes for certificates that meet your organization's business needs. For example, you could define:
Whether the private key associated with a certificate can be exported.
Whether the certificate request must be approved by a certificate manager, and define how many managers must approve a request before the certificate is issued.
Which cryptographic service providers (CSPs) are supported by a certificate template.
Issuance and application policy for issued certificates.
Windows Server 2008 introduced version 3 certificate templates. These certificate templates have been updated to support new features available in the Windows Server 2008-based CA, including CNG, which introduces support for Suite B cryptographic algorithms such as ECC.
Let's specify these settings in the General tab:
Template display name.
Publish certificate in Active Directory.
Do not automatically reenroll if a duplicate certificate exists in Active Directory.
For automatic renewal of smart card certificates, use the existing key if a new key cannot be created.
In the Request Handling tab we can tweak:
– Purpose: Signature and encryption
Include symmetric algorithms allowed by the subject.
Archive subject's encryption private key
– Allow private key to be exported
– Do the following when the subject is enrolled and when the private key associated with this certificate is used:
Enroll subject without requiring any user input
Prompt the user during enrollment
Prompt the user during enrollment and require user input when the private key is used.
Algorithm name: RSA
Minimum key size: 2048
Choose which cryptographic providers can be used for requests
– Requests can use any provider available on the subject's computer
– Requests must use one of the following providers:
Microsoft Software Key Storage Provider
Request hash: SHA1
Use alternate signature format.
For more information about restrictions and compatibility:
– Supply in the request
Use subject information from existing certificates for auto-enrolment
– Build from this Active Directory information
Select this option to enforce consistency among subject names and to simplify certificate administration.
Subject name format: Fully distinguished name
Include e-mail name in the subject name
+ Include this information in the alternate subject name:
User principal name (UPN)
Service principal name (SPN)
[05:02] "Securing PKI: Planning Certificate Algorithms and Usages" – technet.microsoft.com
[05:20] Now, to allow Domain Users to Enroll through this Certificate Template, configure this permission from the Security tab.
When a certificate template is defined, the definition of the certificate template must be available to all CAs in the forest. This is accomplished by storing the certificate template information in the Configuration naming context (CN=Configuration, DC=ForestRootName).
Not all CAs need this CT, so administrators (the Administrator user or members of the Domain Admins/Enterprise Admins group) must assign it to the appropriate CAs through the New, Certificate Template to Issue menu.
Select one Certificate Template to enable on this Certification Authority.
Note: If a certificate template that was recently created does not appear on this list, you may need to wait until information about this template has been replicated to all domain controllers.
All the certificate templates in the organization may not be available to your CA.
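The template settings above (key size, request hash, exportable private key, how the subject name is built) and the Enroll permission on the Security tab all end up as attributes and an ACL on the template object in the Configuration naming context. The following PowerShell script is an added example, not part of the video, that reads those objects and reports each template's settings and who may enroll, so you can check a template such as SnoOpy-User before publishing it to a CA. It assumes a domain-joined machine whose user can read the Configuration container; the `msPKI-*` attribute names and flag bits are from Microsoft's certificate template schema, and `SnoOpy-User` is the template name used in the video.

```powershell
# Added example (not from the video): audit certificate templates stored under
# CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,...
# Assumes a domain-joined machine; 'SnoOpy-User' is the template from the video.

# Flag bits from the msPKI-* attributes (Microsoft certificate template schema).
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1    # msPKI-Certificate-Name-Flag: "Supply in the request"
$CT_FLAG_EXPORTABLE_KEY            = 0x10   # msPKI-Private-Key-Flag: "Allow private key to be exported"
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2    # msPKI-Enrollment-Flag: CA certificate manager approval

# Extended-right GUIDs behind the Enroll / Autoenroll boxes on the Security tab.
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-11d1-aa66-0003eaccc0a4'

function Get-TemplateAudit {
    param([string[]]$Name)   # template names (cn), e.g. 'SnoOpy-User'; omit for all templates

    $configNc  = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

    foreach ($t in $container.Children) {
        $cn = [string]$t.Properties['cn'].Value
        if ($Name -and $Name -notcontains $cn) { continue }

        $nameFlag   = [int]$t.Properties['msPKI-Certificate-Name-Flag'].Value
        $keyFlag    = [int]$t.Properties['msPKI-Private-Key-Flag'].Value
        $enrollFlag = [int]$t.Properties['msPKI-Enrollment-Flag'].Value
        $keySize    = [int]$t.Properties['msPKI-Minimal-Key-Size'].Value
        $raSig      = [int]$t.Properties['msPKI-RA-Signature'].Value
        $version    = [int]$t.Properties['msPKI-Template-Schema-Version'].Value

        # Version 3 templates keep the CNG settings (including the request hash)
        # in one backtick-separated string in msPKI-RA-Application-Policies.
        $hash  = 'n/a (v1/v2 template: hash chosen by the CA)'
        $raPol = [string]$t.Properties['msPKI-RA-Application-Policies'].Value
        if ($raPol -match 'msPKI-Hash-Algorithm`PZPWSTR`(\w+)') { $hash = $Matches[1] }

        # Who holds the Enroll / Autoenroll extended rights on this template.
        # (Full Control / GenericAll implies both and is not listed separately here.)
        $rules = $t.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
        $enroll = $rules | Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $EnrollGuid } |
                  ForEach-Object { $_.IdentityReference.Value }
        $autoEnroll = $rules | Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $AutoEnrollGuid } |
                      ForEach-Object { $_.IdentityReference.Value }

        # Settings worth a second look against the choices made in the video.
        $findings = @()
        if ($keySize -lt 2048)                                  { $findings += "key size $keySize below 2048" }
        if ($hash -eq 'SHA1')                                   { $findings += 'request hash is SHA1' }
        if ($keyFlag -band $CT_FLAG_EXPORTABLE_KEY)             { $findings += 'private key exportable' }
        if ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) { $findings += 'subject name supplied in request, not built from AD' }
        $approval = (($enrollFlag -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0) -or ($raSig -gt 0)

        [pscustomobject]@{
            Template       = $cn
            DisplayName    = [string]$t.Properties['displayName'].Value
            SchemaVersion  = $version
            KeySize        = $keySize
            RequestHash    = $hash
            ManualApproval = $approval          # manager approval or authorized signatures required
            Enroll         = ($enroll -join ', ')
            AutoEnroll     = ($autoEnroll -join ', ')
            Findings       = ($findings -join '; ')
        }
    }
}

# Usage: every template in the forest, then just the one created in the video.
Get-TemplateAudit | Format-Table Template, SchemaVersion, KeySize, RequestHash, ManualApproval, Enroll -AutoSize
Get-TemplateAudit -Name 'SnoOpy-User' | Format-List
```

The report shows the template as the forest sees it, which is what every Enterprise CA reads once replication has caught up. Which templates a particular CA actually issues is a separate CA-side list; `certutil -CATemplates -config "CAHOST\CAName"` prints it, and `certutil -SetCATemplates +SnoOpy-User`, run on the CA, is the command-line equivalent of the New, Certificate Template to Issue step.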
[06:59] Now users can request a certificate for themselves with this SnoOpy-User certificate template, for Client Authentication, Secure Email and Encrypting File System.
[07:25] Here a domain user is logged on to the Windows 7 machine.
There are 2 options for clients who want to request certificates: the Certificates MMC snap-in and the Web Enrollment app.
Let's add this console through the Add or Remove Snap-ins dialog of the Console Root.
The Certificate snap-in allows you to browse through the contents of the certificate stores for yourself, a service, or a computer.
– Personal is the store that contains the certificates obtained by the current user.
The other stores hold CA certificates:
– Trusted Root Certification Authority
– Enterprise Trust
– Intermediate Certification Authority
– Active Directory User Object
– Trusted Publishers
– Untrusted Certificates
– Third-Party Root Certification Authority
– Trusted People
– Smart Card Trusted Roots
You can select snap-ins for this console from those available on your computer and configure the selected set of snap-ins. For extensible snap-ins, you can configure which extensions are enabled.
[08:26] Request the certificate through the All Tasks, Request New Certificate menu of the Personal store.
Before You Begin
The following steps will help you install certificates, which are digital credentials used to connect to wireless networks, protect content, establish identity, and do other security-related tasks.
Before requesting a certificate, verify the following:
Your computer is connected to the network
You have credentials that can be used to verify your right to obtain the certificate
Select Certificate Enrollment Policy
Certificate enrollment policy enables enrollment for certificates based on predefined certificate templates. Certificate enrollment policy may already be configured for you.
Configured by your administrator: Active Directory Enrollment Policy
Configured by you (Add New only for special cases).
You can request the following types of certificates. Select the certificates you want to request, and then click Enroll.
There are 2 CTs assigned to domain users by default, plus the SnoOpy-User template which we just published with the proper permissions.
[09:19] Requesting certificates. Please wait…
The enrollment server is being contacted to obtain the certificates you have requested.
After a couple of seconds, the certificate is ready for this user to use!
You can see that with certificate templates and the Active Directory Enrollment Policy, the certificate issuance process is simplified dramatically for office users as well as advanced clients.
Check out my YouTube channel to see other applications of AD CS. The next episode will be about: Create, duplicate, and supersede the local user template by using a new template that includes smart card logon.
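The wizard steps above (Active Directory Enrollment Policy, pick the SnoOpy-User template, Enroll, then find the result in the Personal store) can also be driven from PowerShell, which makes it easy to confirm that what the CA issued matches what the template promised. The script below is an added example, not from the video: it requests a certificate from the template with the `Get-Certificate` cmdlet of the PKI module (Windows 8 / Windows Server 2012 and later; the Windows 7 client in the video has no such module and uses the MMC wizard) and then checks the issuer, key, signature algorithm and the three purposes the template grants. `SnoOpy-User` is assumed to be the template name as well as its display name, as in the video.

```powershell
# Added example (not from the video): enroll from the SnoOpy-User template and
# verify the issued certificate. Needs the PKI module (Windows 8 / 2012 or later).

# Object identifiers of the three purposes the SnoOpy-User template grants.
$ExpectedEku = @{
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
    '1.3.6.1.5.5.7.3.4'      = 'Secure Email'
    '1.3.6.1.4.1.311.10.3.4' = 'Encrypting File System'
}

function Request-UserCertificate {
    param([string]$Template = 'SnoOpy-User')   # template name (cn), not necessarily the display name

    # Same as the wizard: Active Directory Enrollment Policy, current user's Personal store.
    $result = Get-Certificate -Template $Template -CertStoreLocation 'Cert:\CurrentUser\My'

    if ($result.Status -ne 'Issued') {
        # 'Pending' means the template requires CA certificate manager approval;
        # 'Denied' usually means no Enroll permission or no CA publishes the template.
        throw "Enrollment did not complete, status: $($result.Status)"
    }
    return $result.Certificate
}

function Test-IssuedCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Collect the Enhanced Key Usage OIDs present in the certificate.
    $ekuExt = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    $purposes = $ekus | ForEach-Object { if ($ExpectedEku[$_]) { $ExpectedEku[$_] } else { $_ } }
    $missing  = $ExpectedEku.Keys | Where-Object { $ekus -notcontains $_ } | ForEach-Object { $ExpectedEku[$_] }

    [pscustomobject]@{
        Subject        = $Cert.Subject          # built from AD: fully distinguished name
        Issuer         = $Cert.Issuer           # should be the Enterprise Subordinate CA, not the Root
        NotAfter       = $Cert.NotAfter
        Signature      = $Cert.SignatureAlgorithm.FriendlyName
        KeySize        = $Cert.PublicKey.Key.KeySize   # 2048 per the template's minimum key size
        HasPrivateKey  = $Cert.HasPrivateKey    # the key was generated on this client
        Purposes       = ($purposes -join ', ')
        MissingPurpose = ($missing -join ', ')  # empty when the CA issued all three
    }
}

$cert = Request-UserCertificate
Test-IssuedCertificate -Cert $cert | Format-List

# The stores shown in the Certificates snap-in, as the Cert: provider names them.
Get-ChildItem Cert:\CurrentUser | Select-Object Name
```

The last line lists the same stores the snap-in shows, under their provider names: `My` is Personal, `Root` is Trusted Root Certification Authorities, `CA` is Intermediate Certification Authorities, `TrustedPublisher`, `Disallowed` (Untrusted Certificates), `TrustedPeople` and so on. A status of `Pending` from `Get-Certificate` is the expected result when the template's Issuance Requirements demand CA certificate manager approval; the request then waits in the CA's Pending Requests folder until an administrator issues it.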