Certificate Templates play the central role in an AD CS PKI. In the very first episodes of the Configuring Active Directory Certificate Services Certificates series we learned how to create and duplicate templates, and how to supersede the default User template with a new one that includes Smart Card Logon.
In this part we will again use a certificate template (CT), this time to serve another kind of CA issuance, one that also hardens the AD CS PKI system itself.
That’s “Implement TLS/SSL for the Web Enrollment app.”
Basically, Web Enrollment is designed to provide an enrollment mechanism for organizations that need to issue and renew certificates for users and computers that are not joined to the domain or not connected directly to the network, and for users of non-Microsoft operating systems.
Instead of relying on the auto-enrollment mechanism of a certification authority (CA) or using the Certificate Request Wizard, the Web Enrollment support provided by a Windows-based CA allows these users to request and obtain new and renewed certificates over an Internet or intranet connection.
It is one of four alternatives for certificate deployment:
-- Auto-enrollment, in which many types of certificates can be distributed without the client even being aware that enrollment is taking place.
-- Manual enrollment through Automatically Enroll and Retrieve Certificates (or Request New Certificate) in the certmgr.msc console.
-- Programmatic enrollment through the CNG application programming interface (API) in Windows Server 2008/R2/2012, and CryptoAPI in previous versions of Windows Server.
-- And then there's Web Enrollment, which I'll specifically present in this video.
[00:19] “Certification Authority Web Enrollment Guidance” -- technet.microsoft.com
When a web app is part of a secure system, we must make sure it is reliable too; there is no excuse for letting a single component bring this complex PKI down.
That is also the spirit of HTTPS, which builds on TLS/SSL: a web app must be protected, with every piece of its traffic encrypted.
So we must configure the IIS service on the server designated to provide the Web Enrollment app to end users to serve HTTP over SSL/TLS, that is, HTTPS.
This is one of the best practices in PKI architecture because MITM attacks are common, silent under the hood, and their consequences are the worst: without HTTPS, the enrollment credentials and certificate requests travel in clear text.
[00:31] Moreover, since Windows Server 2008 R2, this is a mandatory process: “In order to complete certificate enrollment, the Web site for the CA must be configured to use HTTPS authentication.”
As always, let's configure the Certificate Template, Web Server in this case, on the Enterprise Subordinate CA so that the Web Enrollment server (the Sub CA itself in this virtual lab) can request a certificate whose Enhanced Key Usage contains the Server Authentication object identifier (OID) 1.3.6.1.5.5.7.3.1.
[00:31] Active Directory Certificate Services (AD CS): Error: “In order to complete certificate enrollment, the Web site for the CA must be configured to use HTTPS authentication” -- social.technet.microsoft.com
Open up the Certification Authority (certsrv) console on the Subordinate Enterprise CA (Windows Server 2008), then open the Certificate Templates Console by right-clicking the Certificate Templates node and selecting Manage.
[00:39] “Enabling HTTPS on Windows Server 2008/2012 Certificate Authority for Web Enrollment” -- petri.com
[00:40] In this case we will use the default Web Server template directly instead of duplicating it into a new one as we did in the previous examples.
I want to point out that default templates carry only the basic options, features and security settings needed for their specific function; more advanced demonstrations need extras such as additional Application Policies, AD DS-integrated subject information, and so on.
Secondly, by design, the Web Server template lets the requester supply the subject name, so a custom SAN can be entered at enrollment time.
TechNet: "because user input can be abused by persons with malicious intent, precautions should be taken to mitigate the risks associated with the use of user-defined SANs and protect the integrity of your public key infrastructure (PKI)."
That is why holding requests for approval (CA certificate manager approval) and administrative review procedures are two of the best practices for this kind of issuance: a principal that can enroll for a template which accepts a requester-supplied SAN could otherwise obtain a Server Authentication certificate for any host name it chooses.
[00:53] “How to Request a Certificate With a Custom Subject Alternative Name” -- technet.microsoft.com
With the default template, most options in the Web Server Properties dialog, General tab, are greyed out:
-- Template display name.
-- Publish certificate in Active Directory.
-- Do not automatically reenroll if a duplicate certificate exists in Active Directory.
Fortunately, what we need is the permission setup on the Security tab.
Make sure you grant the permission to a Computer principal instead of a User one: the request will be submitted from the computer account's certificate store, because that is the identity under which the IIS web server will use the certificate.
[01:06] “Securing PKI: Planning Certificate Algorithms and Usages” -- technet.microsoft.com
Security tab: Group or user names (Domain Admins (SNOOPY\Domain Admins), Enterprise Admins (SNOOPY\Enterprise Admins), Authenticated Users); permissions shown are Full Control, Read, Write and Enroll; for special permissions or advanced settings, click Advanced.
Go to the Security tab and add the computers in your domain that will be requesting Web Server certificates from your Certification Authority. Beware: not users, but the computers. The easy way out is to add <DOMAIN NAME>\Domain Computers to the list, which grants every computer in your Active Directory domain access to request Web Server certificates from your certificate authority.
[01:27] For example, a computer account or group can be selected via the Check Names tool after typing it under "Enter the object names to select".
This is obviously not the most secure option. Give the computer(s) you add Read and Enroll; Write is not required for enrollment and would let that principal modify the template itself, so leave it unchecked.
In practice, Enroll should be granted to granular principals, such as a security group that contains only the web servers that actually need this certificate, rather than to Domain Computers.
If you type only "Domain", the Multiple Names Found dialog lists every object matching that name (Name (RDN) / Logon Name); select Domain Computers from the list, or re-enter the name.
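The checks a PKI admin would want to run on that template after the clicks above, as an added example that is not from the original post: it reads the Web Server template object from the Configuration partition, reports whether the requester supplies the subject/SAN, whether requests are held for manager approval, and who holds the Certificate-Enrollment extended right, then replaces the broad Domain Computers grant with Read and Enroll for a narrow group. The group name SNOOPY\WebEnrollment-Servers is an assumption (a group you would create holding only the IIS computer accounts); the template CN, flag bits and extended-right GUID are the standard AD CS values.

```powershell
# Added example, not from the original post. Assumptions: run elevated on a
# domain-joined machine by an Enterprise Admin (template objects live in the
# Configuration partition); SNOOPY\WebEnrollment-Servers is an assumed group that
# contains only the computer accounts of the IIS web servers.
$templateCn  = 'WebServer'                        # template CN, not the display name
$enrollGroup = 'SNOOPY\WebEnrollment-Servers'     # assumed narrow principal
$legacyGroup = 'SNOOPY\Domain Computers'          # overly broad principal to remove

$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$serverAuth  = '1.3.6.1.5.5.7.3.1'                            # Server Authentication EKU
$rights      = [System.DirectoryServices.ActiveDirectoryRights]

$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$template = [ADSI]"LDAP://CN=$templateCn,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

# --- Checks: what does this template allow, and who can enroll? -----------------
$ekus = @($template.pKIExtendedKeyUsage)
if ($ekus -notcontains $serverAuth) {
    Write-Warning "$templateCn does not carry the Server Authentication EKU ($serverAuth)"
}

# CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (0x1): the requester types the subject/SAN.
# CT_FLAG_PEND_ALL_REQUESTS (0x2): requests are held for CA manager approval.
$nameFlags        = [int]$template.'msPKI-Certificate-Name-Flag'.Value
$enrollFlags      = [int]$template.'msPKI-Enrollment-Flag'.Value
$requesterSubject = ($nameFlags   -band 0x1) -ne 0
$managerApproval  = ($enrollFlags -band 0x2) -ne 0

$acl = $template.ObjectSecurity
$enrollers = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object {
        ($_.AccessControlType -eq 'Allow') -and (
            (($_.ActiveDirectoryRights -band $rights::GenericAll) -ne 0) -or
            ((($_.ActiveDirectoryRights -band $rights::ExtendedRight) -ne 0) -and
             (($_.ObjectType -eq $enrollRight) -or ($_.ObjectType -eq [guid]::Empty)))
        )
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

"Template $templateCn : requester supplies subject = $requesterSubject, manager approval = $managerApproval"
"Principals able to enroll: $($enrollers -join ', ')"

if ($requesterSubject -and (-not $managerApproval) -and ($enrollers -contains $legacyGroup)) {
    Write-Warning 'Every domain computer can obtain a Server Authentication certificate for any SAN without review.'
}

# --- Fix: Read + Enroll for the narrow group, drop the broad grant entirely ---------
$identity = [System.Security.Principal.NTAccount]$enrollGroup
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule($identity, $rights::GenericRead, $allow)))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule($identity, $rights::ExtendedRight, $allow, $enrollRight)))
$acl.PurgeAccessRules([System.Security.Principal.NTAccount]$legacyGroup)   # removes Read/Write/Enroll ACEs for Domain Computers
$template.CommitChanges()
```

Note that the fix deliberately grants no Write: Write on a template object lets the holder change the template's EKUs and flags, which is a far bigger grant than the ability to enroll. If the audit prints requester-supplied subject without manager approval, either set CA certificate manager approval on the template (Issuance Requirements tab) or keep the Enroll list very short.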
[01:54] Well done, this Certificate Template is ready to be requested. Make sure you open the Certificates MMC snap-in for the Computer account, not the current user, since the computer account is the principal that was granted Enroll.
[01:59] “Administering Certificate Templates” -- technet.microsoft.com
By default, Threat Management Gateway does not allow the required DCOM over RPC communication. If you’re not requesting the certificates on an ISA or TMG server, skip this step and proceed with the next one. To verify if RPC calls are being blocked, open up a Command Prompt window and enter:
certutil -ping -config <name of your certificate authority server>
If you get a response like Server could not be reached: The RPC server is unavailable. 0x800706ba (WIN32: 1722), the requests are being blocked.
[02:09] Certificate Enrollment wizard can be found on the menu All Tasks, Request New Certificate… of the Personal store.
Before You Begin
The following steps will help you install certificates, which are digital credentials used to connect to wireless networks, protect content, establish identity, and do other security-related tasks.
Before requesting a certificate, verify the following:
Your computer is connected to the network
You have credentials that can be used to verify your right to obtain the certificate
Select Certificate Enrollment Policy
Certificate enrollment policy enables enrollment for certificates based on predefined certificate templates. Certificate enrollment policy may already be configured for you.
Configured by your administrator
Active Directory Enrollment Policy
If the Web Server template is not displayed, click Cancel, then right-click the Certificates node in the left pane and select Refresh. The newly published template and its permissions can take a few minutes to replicate and to be picked up by the client, so repeat the Refresh for up to five minutes before troubleshooting the template permissions.
“More information is required to enroll for this certificate. Click here to configure settings.”
This link will launch Certificate Properties dialog so that we can specify: Subject/Alternative name, Friendly name, Extensions, Private Key options as well as which Certificate Authority will be queried.
The subject of a certificate is the user or computer to which the certificate is issued. You can enter information about the types of subject name and alternative name values that can be used in a certificate.
Subject of certificate
The user or computer that is receiving the certificate
[02:41] Common name (CN) as the Type is the basic element that identifies the Subject; enter the FQDN that clients will use to reach the Web Enrollment site, because that is the name TLS clients will match against the certificate.
[02:48] A friendly name and description will make it easier to identify and use a certificate.
The following are the certificate extensions for this certificate type.
Extended Key Usage (application policies)
Include Symmetric algorithm
Custom extension definition
An enrollment server is needed to issue and renew certificates. The system will connect to enrollment servers in the following list to process certificate requests.
Not all certificate templates are available for each enrollment server. For diagnostic purposes, it may be helpful to identify all available enrollment servers.
[03:10] Certificate Installation Results
The following certificates have been enrolled and installed on this computer.
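The same enrollment done from PowerShell instead of the wizard, as an added example that is not part of the original post: it requests a Web Server certificate into the computer store with a requester-supplied subject and SAN, handles the case where the CA holds the request for manager approval, and verifies the issued certificate (EKU, SAN entries, private key, chain) before it is handed to IIS. It assumes Windows Server 2012 or later for the Get-Certificate and Test-Certificate cmdlets; the host names webenroll.snoopy.local and subca01.snoopy.local are hypothetical.

```powershell
# Added example, not from the original post. Assumptions: Windows Server 2012 or
# later (Get-Certificate / Test-Certificate), run elevated on the web server whose
# computer account holds Enroll on the WebServer template; host names are hypothetical.
$dnsNames   = @('webenroll.snoopy.local', 'subca01.snoopy.local')   # assumed SAN entries
$serverAuth = '1.3.6.1.5.5.7.3.1'                                   # Server Authentication EKU

# Enroll as the computer account (LocalMachine store), supplying subject and SAN
# ourselves, which is what the default Web Server template requires.
$result = Get-Certificate -Template 'WebServer' `
                          -SubjectName "CN=$($dnsNames[0])" `
                          -DnsName $dnsNames `
                          -CertStoreLocation 'Cert:\LocalMachine\My'

# With "CA certificate manager approval" on the template the request is held so an
# operator can review the user-supplied SAN; the client retrieves it later with:
#   Get-ChildItem Cert:\LocalMachine\Request | Get-Certificate
if ($result.Status -ne 'Issued') {
    "Request status is $($result.Status); nothing has been installed yet."
    return
}
$cert = $result.Certificate

# Verify what actually came back before binding it in IIS.
$ekuExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Extended Key Usage
$ekuOids = @()
if ($ekuExt) {
    $typed   = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension($ekuExt, $false)
    $ekuOids = @($typed.EnhancedKeyUsages | ForEach-Object { $_.Value })
}
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
$sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }

$problems = @()
if ($ekuOids -notcontains $serverAuth) { $problems += "EKU lacks Server Authentication ($serverAuth)" }
foreach ($n in $dnsNames) {
    if ($sanText -notmatch [regex]::Escape("DNS Name=$n")) { $problems += "SAN is missing $n" }
}
if (-not $cert.HasPrivateKey) { $problems += 'no private key in LocalMachine\My' }
# Chain, EKU and SSL policy check against the machine trust store
if (-not (Test-Certificate -Cert $cert -Policy SSL -EKU $serverAuth -DNSName $dnsNames[0] -ErrorAction SilentlyContinue)) {
    $problems += 'Test-Certificate failed (chain, EKU or name mismatch)'
}

if ($problems) {
    Write-Warning ($problems -join '; ')
} else {
    "OK: $($cert.Subject) (thumbprint $($cert.Thumbprint)) is ready for the IIS HTTPS binding."
}
```

The SAN check matters because the Web Enrollment site will be reached by its FQDN; a certificate whose SAN only carries the short host name passes the enrollment wizard but fails TLS name validation in every browser.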
This kind of certificate is easy to deploy; however, there are some points you must take care of:
-- Have a detailed plan for permissions on certificate templates: grant Enroll only to the principals that need it.
-- User-supplied input on certificate enrollments (subject and SAN) should be restricted, or held for review before issuance.
-- The advantage of a SAN certificate is that it allows multiple FQDNs to be specified within one certificate and avoids having to use a wildcard certificate which is less secure.
The use of SANs in server authentication certificates enables a single certificate to be bound to multiple names on a single computer; for example, a Web server might be identified by multiple DNS names. Also, multiple computers might host a Web site and each computer can request a certificate with the site’s DNS name in the SAN.
[03:21] “Create a Subject Alternative Name certificate” -- knowledge.zomers.eu
[03:30] Our Certification Authority now has a Server Authentication certificate, and we can set Internet Information Services up!
Follow the next part about “Implement SSL for Web Enrollment on IIS.”
[03:26] “AD CS: Web Enrollment” -- technet.microsoft.com
Claim your own AD CS fundamentals with series “Configuring Active Directory Certificate Services Certificates” on my YOUTUBE channel :3