AD CS Step-By-Step Guide
Microsoft Corporation
Published: April 2007
Author: Roland Winkler
Editor: Debbie Swanson
Abstract
This step-by-step guide describes the steps needed to set up a basic configuration of Active
Directory® Certificate Services (AD CS) in a lab environment.
AD CS in Windows Server® 2008 provides customizable services for creating and managing
public key certificates used in software security systems employing public key technologies.
Copyright Information
This document supports a preliminary release of a software product that may be changed
substantially prior to final commercial release, and is the confidential and proprietary information
of Microsoft Corporation. It is disclosed pursuant to a non-disclosure agreement between the
recipient and Microsoft. This document is provided for informational purposes only and Microsoft
makes no warranties, either express or implied, in this document. Information in this document,
including URL and other Internet Web site references, is subject to change without notice. The
entire risk of the use or the results from the use of this document remains with the user. Unless
otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places, and events depicted herein are fictitious, and no association
with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred. Complying with all applicable copyright laws is the
responsibility of the user. Without limiting the rights under copyright, no part of this document
may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or
by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any
purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 2007 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, MS-DOS, Visual Basic, Visual Studio, Windows, Windows NT, and
Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
All other trademarks are property of their respective owners.
Contents
AD CS Step-By-Step Guide
Abstract
Copyright Information
Contents
Windows Server Active Directory Certificate Services Step-by-Step Guide
AD CS Technology Review
Requirements for Using AD CS
AD CS Basic Lab Scenario
Steps for Setting up a Basic Lab
Step 1: Setting Up an Enterprise Root CA
Step 2: Installing the Online Responder
Step 3: Configuring the CA to Issue OCSP Response Signing Certificates
Step 4: Creating a Revocation Configuration
Step 5: Verifying that the AD CS Lab Setup Functions Properly
AD CS Advanced Lab Scenario
Steps for Setting Up an Advanced Lab
Step 1: Setting Up the Stand-Alone Root CA
Step 2: Setting Up the Enterprise Subordinate Issuing CA
Step 3: Installing and Configuring the Online Responder
Step 4: Configuring the Issuing CA to Issue OCSP Response Signing Certificates
Step 5: Configuring the Authority Information Access Extension to Support the Online Responder
Step 6: Assigning the OCSP Response Signing Template to a CA
Step 7: Enrolling for an OCSP Response Signing Certificate
Step 8: Creating a Revocation Configuration
Step 9: Setting Up and Configuring the Network Device Enrollment Service
Step 10: Verifying that the Advanced AD CS Test Setup Functions Properly
Windows Server Active Directory Certificate Services Step-by-Step Guide
This step-by-step guide describes the steps needed to set up a basic configuration of Active
Directory® Certificate Services (AD CS) in a lab environment.
AD CS in Windows Server® 2008 provides customizable services for creating and managing
public key certificates used in software security systems that employ public key technologies.
This document includes:
• A review of AD CS features
• Requirements for using AD CS
• Procedures for a basic lab setup to test AD CS on a minimum number of computers
• Procedures for an advanced lab setup to test AD CS on a larger number of computers to
more realistically simulate real-world configurations
AD CS Technology Review
Using the Active Directory Certificate Services option of the Add Roles Wizard, you can set up
the following components of AD CS:
• Certification authorities (CAs). Root and subordinate CAs are used to issue certificates
to users, computers, and services, and to manage their validity.
• CA Web enrollment. Web enrollment allows users to connect to a CA by means of a
Web browser in order to:
• Request certificates and review certificate requests.
• Retrieve certificate revocation lists (CRLs).
• Perform smart card certificate enrollment.
• Online Responder service. The Online Responder service implements the Online
Certificate Status Protocol (OCSP) by decoding revocation status requests for specific
certificates, evaluating the status of these certificates, and sending back a signed response
containing the requested certificate status information.
Important
Online Responders can be used as an alternative to or an extension of CRLs to provide certificate revocation data to clients. Microsoft Online Responders are based on and comply with RFC 2560 for OCSP (since obsoleted by RFC 6960). For more information about RFC 2560, see the Internet Engineering Task Force Web site (http://go.microsoft.com/fwlink/?LinkID=67082).
• Network Device Enrollment Service. The Network Device Enrollment Service allows
routers and other network devices to obtain certificates based on the Simple Certificate
Enrollment Protocol (SCEP) from Cisco Systems Inc.
Note
SCEP was developed to support the secure, scalable issuance of certificates to
network devices by using existing CAs. The protocol supports CA and registration
authority public key distribution, certificate enrollment, certificate revocation,
certificate queries, and certificate revocation queries.
Requirements for Using AD CS
CAs can be set up on servers running a variety of operating systems, including Windows® 2000
Server, Windows Server® 2003, and Windows Server 2008. However, not all operating systems
support all features or design requirements, and creating an optimal design requires careful
planning and lab testing before you deploy AD CS in a production environment. Although you can
deploy AD CS with as little hardware as a single server for a single CA, many deployments
involve multiple servers configured as root, policy, and issuing CAs, and other servers configured
as Online Responders.
Note
A limited set of server roles is available for a Server Core installation of Windows
Server 2008 and for Windows Server 2008 for Itanium-based Systems.
The following table lists the AD CS components that can be configured on different editions of
Windows Server 2008.
Components                          Web   Standard   Enterprise   Datacenter
CA                                  No    Yes        Yes          Yes
Network Device Enrollment Service   No    No         Yes          Yes
Online Responder service            No    No         Yes          Yes
The following features are available on servers running Windows Server 2008 that have been
configured as CAs.
AD CS features                                  Web   Standard   Enterprise   Datacenter
Version 2 and version 3 certificate templates   No    No         Yes          Yes
Key archival                                    No    No         Yes          Yes
Role separation                                 No    No         Yes          Yes
Certificate Manager restrictions                No    No         Yes          Yes
Delegated enrollment agent restrictions         No    No         Yes          Yes
AD CS Basic Lab Scenario
The following sections describe how you can set up a lab to begin evaluating AD CS.
We recommend that you first use the steps provided in this guide in a test lab environment. Step-
by-step guides are not necessarily meant to be used to deploy Windows Server features without
accompanying documentation and should be used with discretion as a stand-alone document.
Steps for Setting up a Basic Lab
You can begin testing many features of AD CS in a lab environment by using as few as two
servers running Windows Server 2008 and one client computer running Windows Vista®. The
computers for this guide are named as follows:
• LH_DC1: This computer will be the domain controller for your test environment.
• LH_PKI1: This computer will host an enterprise root CA for the test environment. This CA
will issue client certificates for the Online Responder and client computers.
Note
Enterprise CAs and Online Responders can only be installed on servers running
Windows Server 2008 Enterprise or Windows Server 2008 Datacenter.
• LH_CLI1: This client computer running Windows Vista will autoenroll for certificates from
LH_PKI1 and verify certificate status from LH_PKI1.
To configure the basic lab setup for AD CS, you need to complete the following prerequisite steps:
• Set up a domain controller on LH_DC1 for contoso.com, including some organizational
units (OUs) to contain one or more users for the client computer, client computers in the
domain, and for the servers hosting CAs and Online Responders.
• Install Windows Server 2008 on LH_PKI1, and join LH_PKI1 to the domain.
• Install Windows Vista on LH_CLI1, and join LH_CLI1 to contoso.com.
After you have completed these preliminary setup procedures, you can begin to complete the
following steps:
Step 1: Setting Up an Enterprise Root CA
Step 2: Installing the Online Responder
Step 3: Configuring the CA to Issue OCSP Response Signing Certificates
Step 4: Creating a Revocation Configuration
Step 5: Verifying that the AD CS Lab Setup Functions Properly
Step 1: Setting Up an Enterprise Root CA
An enterprise root CA is the anchor of trust for the basic lab setup. It will be used to issue
certificates to the Online Responder and client computer, and to publish certificate information to
Active Directory Domain Services (AD DS).
Note
Enterprise CAs and Online Responders can only be installed on servers running
Windows Server 2008 Enterprise or Windows Server 2008 Datacenter.
To set up an enterprise root CA
1. Log on to LH_PKI1 as a domain administrator.
2. Click Start, point to Administrative Tools, and then click Server Manager.
3. In the Roles Summary section, click Add roles.
4. On the Select Server Roles page, select the Active Directory Certificate Services
check box. Click Next two times.
5. On the Select Role Services page, select the Certification Authority check
box, and then click Next.
6. On the Specify Setup Type page, click Enterprise, and then click Next.
7. On the Specify CA Type page, click Root CA, and then click Next.
8. On the Set Up Private Key and Configure Cryptography for CA pages, you can
choose the cryptographic service provider, key length, and hash algorithm. For basic testing
purposes, accept the defaults by clicking Next twice (in this release, a 2048-bit RSA key and the
SHA-1 hash algorithm). A production root CA should use a SHA-2 hash algorithm and, where possible,
keep its key in a hardware security module.
9. In the Common name for this CA box, type the common name of the CA,
RootCA1, and then click Next.
10. On the Set the Certificate Validity Period page, accept the default validity duration
for the root CA, and then click Next.
11. On the Configure Certificate Database page, accept the default values or specify
other storage locations for the certificate database and the certificate database log, and
then click Next.
12. After verifying the information on the Confirm Installation Options page, click
Install.
13. Review the information on the confirmation screen to verify that the installation was
successful.
Step 2: Installing the Online Responder
An Online Responder can be installed on any computer running Windows Server 2008 Enterprise
or Windows Server 2008 Datacenter. The certificate revocation data can come from a CA on a
computer running Windows Server 2008, a CA on a computer running Windows Server 2003, or
from a non-Microsoft CA.
Note
IIS must also be installed on this computer before the Online Responder can be installed.
To install the Online Responder
1. Log on to LH_PKI1 as a domain administrator.
2. Click Start, point to Administrative Tools, and then click Server Manager.
3. Click Manage Roles. In the Active Directory Certificate Services section, click
Add role services.
4. On the Select Role Services page, select the Online Responder check box.
You are prompted to install IIS and the Windows Process Activation Service.
5. Click Add Required Role Services, and then click Next three times.
6. On the Confirm Installation Options page, click Install.
7. When the installation is complete, review the status page to verify that the installation
was successful.
Step 3: Configuring the CA to Issue OCSP Response Signing
Certificates
Configuring a CA to support Online Responder services involves configuring certificate templates
and issuance properties for OCSP Response Signing certificates and then completing additional
steps on the CA to support the Online Responder and certificate issuance.
Note
These certificate template and autoenrollment steps can also be used to configure
certificates that you want to issue to a client computer or client computer users.
To configure certificate templates for your test environment
1. Log on to LH_PKI1 as a CA administrator.
2. Open the Certificate Templates snap-in.
3. Right-click the OCSP Response Signing template, and then click Duplicate
Template.
4. Type a new name for the duplicated template, such as OCSP Response Signing_2.
5. Right-click the OCSP Response Signing_2 certificate template, and then click
Properties.
6. Click the Security tab. Under Group or user name, click Add, and then type the
name or browse to select the computer hosting the Online Responder service.
7. Click the computer name, LH_PKI1, and in the Permissions dialog box, select the
Read and Autoenroll check boxes.
8. While you have the Certificate Templates snap-in open, you can configure certificate
templates for users and computers by substituting the desired templates in step 3, and
repeating steps 4 through 7 to configure permissions for LH_CLI1 and your test user
accounts.
To configure the CA to support Online Responders, you need to use the Certification Authority
snap-in to complete two key steps:
• Add the location of the Online Responder to the authority information access extension of
issued certificates.
• Enable the certificate templates that you configured in the previous procedure for the CA.
To configure a CA to support the Online Responder service
1. Open the Certification Authority snap-in.
2. In the console tree, click the name of the CA.
3. On the Action menu, click Properties.
4. Click the Extensions tab. In the Select extension list, click Authority Information
Access (AIA).
5. Click Add, type the location of the Online Responder (for this setup,
http://LH_PKI1/ocsp), and then click OK.
6. With the new location selected, select the Include in the online certificate status
protocol (OCSP) extension check box. Leave Include in the AIA extension of issued
certificates cleared for this location: that check box marks URLs from which the CA certificate
itself can be downloaded, and setting it on the responder URL only makes clients attempt a
download that fails.
7. Click OK, and allow the CA service to restart when prompted. Extension changes apply only
to certificates issued after the restart.
8. In the console tree of the Certification Authority snap-in, right-click Certificate
Templates, and then click New Certificate Templates to Issue.
9. In Enable Certificate Templates, select the OCSP Response Signing_2 template that you
configured in the previous procedure and any other certificate templates that you configured,
and then click OK.
10. Open Certificate Templates, and verify that the modified certificate templates
appear in the list.
Step 4: Creating a Revocation Configuration
A revocation configuration includes all of the settings that are needed to respond to status
requests regarding certificates that have been issued by using a specific CA key.
These configuration settings include the CA certificate, the signing certificate for the Online
Responder, and the locations to which clients are directed to send their status requests.
Important
Before you create a revocation configuration, ensure that certificate enrollment has taken
place so that a signing certificate exists on the computer and adjust the permissions on
the signing certificate to allow the Online Responder to use it.
To verify that the signing certificate is properly configured
1. Restart LH_PKI1, or run certutil -pulse on it, so that the computer autoenrolls for its
OCSP Response Signing certificate.
2. Log on as a CA administrator.
3. Open the Certificates snap-in for the computer account. Open the Personal certificate
store for the computer, and verify that it contains a certificate titled OCSP Response
Signing.
4. Right-click this certificate, and then click Manage Private Keys.
5. Click the Security tab. Under Group or user names, click Add, type Network Service,
and then click OK.
6. Click Network Service, and under Permissions select the Full Control check box, as
the original procedure does. Read is the minimum the Online Responder service actually needs
in order to sign responses; outside the lab, grant only Read so that the signing key stays
within least privilege.
7. Click OK twice.
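The "Manage Private Keys" step above can be scripted, which also makes it easy to grant NETWORK SERVICE only the Read access the Online Responder needs rather than Full Control. The following PowerShell is an added example and not part of the original guide: it locates the OCSP Response Signing certificate by its EKU, finds the private key file through certutil, and sets the ACL with icacls. The function names are this example's own; it relies only on certutil, icacls and the PowerShell Certificate provider, all present on Windows Server 2008.

```powershell
# Added example (not from the guide): least-privilege key access for the Online Responder.
# Run on the Online Responder host (LH_PKI1 in the basic lab, LH_ORS1 in the advanced lab)
# as a local administrator, after autoenrollment has delivered the signing certificate.

function Get-OcspSigningCertificate {
    # The OCSP Response Signing template sets the 'OCSP Signing' EKU (OID 1.3.6.1.5.5.7.3.9),
    # so select by EKU rather than by subject or template name, which vary between labs.
    $ocspSigningOid = '1.3.6.1.5.5.7.3.9'
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and ($_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] -and
            ($_.EnhancedKeyUsages | Where-Object { $_.Value -eq $ocspSigningOid })
        })
    } | Sort-Object NotBefore -Descending | Select-Object -First 1
}

function Get-PrivateKeyFile {
    param([Parameter(Mandatory=$true)]$Certificate)
    # 'certutil -store My <thumbprint>' prints the key's "Unique container name", which is the
    # file name of the key blob. CAPI (CSP) keys live under Crypto\RSA\MachineKeys and CNG (KSP)
    # keys under Crypto\Keys; the v3 OCSP Response Signing template uses a KSP, but both
    # locations are searched so the function also works for a CSP-based duplicate.
    $out  = certutil -store My $Certificate.Thumbprint
    $line = $out | Select-String -Pattern 'Unique container name:\s*(\S+)' | Select-Object -First 1
    if (-not $line) { throw "certutil reported no key container for $($Certificate.Thumbprint)" }
    $container = $line.Matches[0].Groups[1].Value
    $roots = @("$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",
               "$env:ProgramData\Microsoft\Crypto\Keys")
    $file = Get-ChildItem -Path $roots -Filter $container -Force -ErrorAction SilentlyContinue |
            Select-Object -First 1
    if (-not $file) { throw "Key file $container not found under $($roots -join ', ')" }
    $file.FullName
}

function Grant-NetworkServiceRead {
    param([Parameter(Mandatory=$true)][string]$KeyFile)
    # (R) is generic read: enough for the service to load the key and sign with it. Without
    # any access the revocation configuration shows an error in the Online Responder snap-in.
    icacls $KeyFile /grant 'NT AUTHORITY\NETWORK SERVICE:(R)' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
    icacls $KeyFile    # print the resulting ACL for the change record
}

$cert = Get-OcspSigningCertificate
if (-not $cert) {
    throw 'No OCSP Response Signing certificate with a private key in LocalMachine\My; run certutil -pulse first.'
}
"Signing certificate: $($cert.Subject), expires $($cert.NotAfter)"
$keyFile = Get-PrivateKeyFile -Certificate $cert
Grant-NetworkServiceRead -KeyFile $keyFile
```

Re-run the script after each renewal of the signing certificate: a renewed certificate gets a new key container, and the ACL granted here does not carry over to it.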
Creating a revocation configuration involves the following tasks:
• Identify the CA certificate for the CA that supports the Online Responder.
• Identify the CRL distribution point for the CA.
• Select a signing certificate that will be used to sign revocation status responses.
• Select a revocation provider, the component responsible for retrieving and caching the
revocation information used by the Online Responder.
To create a revocation configuration
1. Open the Online Responder snap-in.
2. In the Actions pane, click Add Revocation Configuration to start the Add
Revocation Configuration wizard, and then click Next.
3. On the Name the Revocation Configuration page, type a name for the revocation
configuration, such as LH_RC1, and then click Next.
4. On the Select CA certificate Location page, click Select a certificate from an
existing enterprise CA, and then click Next.
5. On the following page, the name of the CA, RootCA1 (hosted on LH_PKI1), should appear in the
Browse CA certificates published in Active Directory box.
• If it appears, click the name of the CA that you want to associate with your
revocation configuration, and then click Next.
• If it does not appear, click Browse for CA Computer and type the name of the
computer hosting the CA, LH_PKI1, or click Browse to locate this computer. When you have
located the computer, click Next.
Note
You might also be able to link to the CA certificate from the local certificate
store, or by importing it from removable media in step 4.
6. View the certificate and copy the CRL distribution point of the CA, RootCA1. To do this:
a. Open the Certification Authority snap-in, and select an issued certificate.
b. Double-click the certificate, and then click the Details tab.
c. Scroll down and select the CRL Distribution Points field.
d. Select and copy the URL for the CRL distribution point that you want to use.
e. Click OK.
7. On the Select Signing Certificate page, accept the default option, Automatically
select signing certificate, and then click Next.
8. On the Revocation Provider page, click Provider.
9. On the Revocation Provider Properties page, click Add, enter the URL of the CRL
distribution point, and then click OK.
10. Click Finish.
11. Using the Online Responder snap-in, select the revocation configuration, and then
examine the status information to verify that it is functioning properly. You should also be
able to examine the properties of the signing certificate to verify that the Online
Responder is configured properly.
Step 5: Verifying that the AD CS Lab Setup Functions Properly
You can verify the setup steps described previously as you perform them.
After the installation is complete, you should verify that your basic test setup is functioning
properly by confirming that you can autoenroll certificates, revoke certificates, and make accurate
revocation data available from the Online Responder.
To verify that the AD CS test setup functions properly
1. On the CA, configure several certificate templates to autoenroll certificates for
LH_CLI1 and users on this computer.
2. When information about the new certificates has been published to AD DS, open a
command prompt on the client computer and enter the following command to start
certificate autoenrollment:
certutil -pulse
3. On LH_CLI1, use the Certificates snap-in to verify that the certificates have been
issued to the user and to the computer, as appropriate.
4. On the CA, use the Certification Authority snap-in to view and revoke one or more of
the issued certificates by clicking Certification Authority (Computer)/CA name/Issued
Certificates and selecting the certificate you want to revoke. On the Action menu, point
to All Tasks, and then click Revoke Certificate. Select the reason for revoking the
certificate, and click Yes.
5. In the Certification Authority snap-in, publish a new CRL by clicking Certification
Authority (Computer)/CA name/Revoked Certificates in the console tree. Then, on the
Action menu, point to All Tasks, and click Publish.
6. Remove all CRL distribution point extensions from the CA, so that newly issued certificates
carry no CDP and clients must rely on the Online Responder for revocation data. To do this, open the
Certification Authority snap-in, select the CA, and on the Action menu, click Properties.
7. On the Extensions tab, confirm that Select extension is set to CRL Distribution
Point (CDP).
8. Click any CRL distribution points that are listed, click Remove, and then click OK.
9. Stop and restart AD CS.
10. Repeat steps 1 and 2 above so that the client enrolls for a new certificate, which now carries
no CDP, and then verify that clients can still obtain revocation data. To do this, use the
Certificates snap-in to export the new certificate to a file (*.cer). At a command prompt, type:
certutil -url <exportedcert.cer>
11. In the Verify and Retrieve dialog box that appears, retrieve once with From CDP and once with
From OCSP selected, and compare the results: the CDP retrieval should find no location, while the
OCSP retrieval should return a verified status from the Online Responder.
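The same verification can be driven from the client without the dialog box, which is useful when you repeat it after each change to the CA. The following PowerShell is an added example and not part of the original guide. It uses the certutil switches the guide itself uses (-pulse, -url) plus -verify -urlfetch, and reads the result with a few regular expressions. The function names and the C:\Temp path are this example's assumptions, and the strings the expressions look for are what certutil -verify prints on Windows Vista and Windows Server 2008; adjust them if your build words them differently.

```powershell
# Added example (not from the guide): script the checks of Step 5 from LH_CLI1.

function Export-LabCertificate {
    param([string]$IssuerCN = 'RootCA1', [string]$OutFile = 'C:\Temp\lh_cli1_user.cer')
    # Pick the newest autoenrolled certificate in the user's Personal store issued by the lab CA
    # and write it out as a DER .cer, the same artifact the guide exports from the snap-in.
    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Issuer -match "CN=$IssuerCN" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate issued by $IssuerCN in CurrentUser\My; run 'certutil -pulse' first." }
    New-Item -ItemType Directory -Force -Path (Split-Path $OutFile) | Out-Null
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($OutFile, $der)
    $OutFile
}

function Test-RevocationStatus {
    param([Parameter(Mandatory=$true)][string]$CerFile)
    # -urlfetch makes certutil fetch from every CDP/AIA/OCSP URL in the certificate instead of
    # answering from the local CRL and OCSP caches, so the test really reaches the responder.
    $text = (certutil -verify -urlfetch $CerFile 2>&1 | Out-String)
    New-Object PSObject -Property @{
        OcspReached = [bool]($text -match 'Verified "OCSP"')      # OCSP response fetched and validated
        CrlReached  = [bool]($text -match 'Verified "Base CRL')   # a CDP URL returned a usable CRL
        Revoked     = [bool]($text -match 'CRYPT_E_REVOKED')      # chain status reported as revoked
        Passed      = [bool]($text -match 'revocation check passed')
        Output      = $text
    }
}

# 1. Trigger autoenrollment (guide step 2) and export the resulting certificate (guide step 10).
certutil -pulse | Out-Null
$cer = Export-LabCertificate

# 2. First pass, before anything is revoked: expect OcspReached, CrlReached and Passed to be True.
$before = Test-RevocationStatus -CerFile $cer
$before | Format-List OcspReached, CrlReached, Revoked, Passed

# 3. After you revoke this certificate on the CA and publish a new CRL (guide steps 4 and 5), the
#    Online Responder keeps serving its cached CRL until it refreshes; restarting the service on
#    the responder host (LH_PKI1 here) forces a reload:   net stop ocspsvc; net start ocspsvc
#    Then clear the client's own URL cache so a stale answer cannot mask a problem, and re-test.
certutil -urlcache * delete | Out-Null
$after = Test-RevocationStatus -CerFile $cer
if ($after.Revoked) { 'Revocation is visible to the client.' }
else { 'Certificate still reported good: check CRL publication and the responder refresh.' }

# 4. Guide steps 6-9 remove the CDP extension, so a certificate enrolled afterwards should show
#    CrlReached False and OcspReached True. The interactive form of this check remains:
#    certutil -url $cer
```

Keep the Output property of the returned object when a check fails; it contains the per-URL lines (Verified, Failed, or No URLs) that show which of the CDP, AIA and OCSP locations the client actually tried.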
AD CS Advanced Lab Scenario
The following sections describe how you can set up a lab to evaluate more features of AD CS
than in the basic lab setup.
Steps for Setting Up an Advanced Lab
To test additional features of AD CS in a lab environment, you will need five computers running
Windows Server 2008 and one client computer running Windows Vista. The computers for this
guide are named as follows:
• LH_DC1: This computer will be the domain controller for your test environment.
• LH_CA_ROOT1: This computer will host a stand-alone root CA for the test environment.
• LH_CA_ISSUE1: This enterprise CA will be subordinate to LH_CA_ROOT1 and issue
client certificates for the Online Responder and client computers.
Note
Enterprise CAs and Online Responders can only be installed on servers running
Windows Server 2008 Enterprise or Windows Server 2008 Datacenter.
• LH_ORS1: This server will host the Online Responder.
• LH_NDES: This server will host the Network Device Enrollment Service, which makes it
possible to issue and manage certificates for routers and other network devices.
• LH_CLI1: This client computer running Windows Vista will autoenroll for certificates from
LH_CA_ISSUE1 and verify certificate status from LH_ORS1.
To configure the advanced lab setup for AD CS, you need to complete the following prerequisite
steps:
1. Set up a domain controller on LH_DC1 for contoso.com, including some OUs to contain
one or more users for LH_CLI1, client computers in the domain, and for the servers hosting
CAs and Online Responders.
2. Install Windows Server 2008 on the other servers in the test configuration and join them
to the domain.
3. Install Windows Vista on LH_CLI1, and join LH_CLI1 to contoso.com.
After you have completed these preliminary setup procedures, you can begin to complete the
following steps:
Step 1: Setting Up the Stand-Alone Root CA
Step 2: Setting Up the Enterprise Subordinate Issuing CA
Step 3: Installing and Configuring the Online Responder
Step 4: Configuring the Issuing CA to Issue OCSP Response Signing Certificates
Step 5: Configuring the Authority Information Access Extension to Support the Online Responder
Step 6: Assigning the OCSP Response Signing Template to a CA
Step 7: Enrolling for an OCSP Response Signing Certificate
Step 8: Creating a Revocation Configuration
Step 9: Setting Up and Configuring the Network Device Enrollment Service
Step 10: Verifying that the Advanced AD CS Test Setup Functions Properly
Step 1: Setting Up the Stand-Alone Root CA
A stand-alone root CA is the anchor of trust for the advanced lab setup. It is used only to issue
certificates to the subordinate issuing CA. Because it is critical to the security of the public key
infrastructure (PKI), in many PKIs this CA is kept offline and brought online only when it needs to
issue or renew a subordinate CA certificate or publish a new CRL.
To set up a stand-alone root CA
1. Log on to LH_CA_ROOT1 as an administrator.
2. Start the Add Roles Wizard. On the Select Server Roles page, select the Active
Directory Certificate Services check box, and then click Next two times.
3. On the Select Role Services page, select the Certification Authority check box,
and then click Next.
4. On the Specify Setup Type page, click Standalone, and then click Next.
5. On the Specify CA Type page, click Root CA, and then click Next.
6. On the Set Up Private Key and Configure Cryptography for CA pages, you can
configure optional settings, including cryptographic service providers. However, for basic
testing purposes, accept the default values by clicking Next twice.
7. In the Common name for this CA box, type the common name of the CA,
RootCA1, and then click Next.
8. On the Set the Certificate Validity Period page, accept the default validity duration
for the root CA, and then click Next.
9. On the Configure Certificate Database page, accept the default values or specify
other storage locations for the certificate database and the certificate database log, and
then click Next.
10. After verifying the information on the Confirm Installation Options page, click
Install.
Step 2: Setting Up the Enterprise Subordinate Issuing CA
Most organizations use at least one subordinate CA to protect the root CA from unnecessary
exposure. An enterprise CA also allows you to use certificate templates and to use AD DS for
enrollment and publishing certificates.
To set up an enterprise subordinate issuing CA
1. Log on to LH_CA_ISSUE1 as a domain administrator.
2. Start the Add Roles Wizard. On the Select Server Roles page, select the Active
Directory Certificate Services check box, and then click Next two times.
3. On the Select Role Services page, select the Certification Authority check box,
and then click Next.
4. On the Specify Setup Type page, click Enterprise, and then click Next.
5. On the Specify CA Type page, click Subordinate CA, and then click Next.
6. On the Set Up Private Key and Configure Cryptography for CA pages, you can
configure optional settings, including cryptographic service providers. However, for basic
testing purposes, accept the default values by clicking Next twice.
7. On the Request Certificate page, browse to locate LH_CA_ROOT1 or, if the root
CA is not connected to the network, save the certificate request to a file so that it can be
processed later. Click Next.
The subordinate CA setup will not be usable until it has been issued a root CA certificate
and this certificate has been used to complete the installation of the subordinate CA.
8. In the Common name for this CA box, type the common name of the CA,
LH_CA_ISSUE1, and then click Next.
9. On the Set the Certificate Validity Period page, accept the default validity duration
for the CA, and then click Next.
10. On the Configure Certificate Database page, accept the default values or specify
other storage locations for the certificate database and the certificate database log, and
then click Next.
11. After verifying the information on the Confirm Installation Options page, click
Install.
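When the root CA is offline, the wizard leaves the subordinate CA stopped with a request file, and the guide does not show how the chain is completed. The following PowerShell is an added example and not part of the original guide. Host and CA names are the guide's; the request file name, the removable drive E:\ and the HTTP publication path on LH_CA_ISSUE1 are assumptions of this example. Only certutil and net are used, both of which ship with Windows Server 2008. Run each part on the host named in its heading.

```powershell
# Added example (not from the guide): complete the offline root -> issuing CA chain.

# ---- A. On LH_CA_ROOT1 (offline, workgroup), once, before issuing anything ----
# The root's default CDP/AIA URLs name LH_CA_ROOT1 itself, which domain members can never reach,
# so point them at AD DS (populated in part C) and at the issuing CA's web server. Each entry is
# "<flags>:<url>", entries are separated by a literal \n, and %-tokens are certutil's substitution
# variables (%1 server DNS name, %2 server short name, %3 CA name, %4 cert name, %7 sanitized CA
# name, %8 CRL suffix, %9 delta allowed, %10/%11 the LDAP object-class suffixes).
# CRL flags: 1 publish here, 2 include in the CDP of issued certs, 8 include in CRLs and use as
# the AD DS target for -dspublish, 64 publish delta CRLs here.  AIA flags: 1 publish the CA
# certificate here, 2 include in the AIA of issued certs.
certutil -setreg CA\CRLPublicationURLs '65:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com%10\n2:http://LH_CA_ISSUE1.contoso.com/CertEnroll/%3%8%9.crl'
certutil -setreg CA\CACertPublicationURLs '1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com%11\n2:http://LH_CA_ISSUE1.contoso.com/CertEnroll/%1_%3%4.crt'
# An offline root publishes CRLs rarely, so give them a long lifetime (26 weeks is this example's
# choice) and disable delta CRLs. Republish before NextUpdate passes or every chain breaks.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod 'Weeks'
certutil -setreg CA\CRLDeltaPeriodUnits 0
net stop certsvc; net start certsvc
certutil -crl                      # issue a CRL that carries the new URLs

# ---- B. On LH_CA_ROOT1: issue the subordinate CA certificate from the request on E:\ ----
$Req = 'E:\LH_CA_ISSUE1.contoso.com_LH_CA_ISSUE1.req'   # the wizard's <FQDN>_<CA name>.req (assumed)
$submit = certutil -config 'LH_CA_ROOT1\RootCA1' -submit $Req
$submit
# A stand-alone CA holds new requests as pending, so approve by RequestId, then retrieve.
$m = $submit | Select-String -Pattern 'RequestId:\s*(\d+)' | Select-Object -First 1
if (-not $m) { throw 'certutil -submit did not report a RequestId; see the output above.' }
$RequestId = $m.Matches[0].Groups[1].Value
certutil -resubmit $RequestId
certutil -retrieve $RequestId 'E:\LH_CA_ISSUE1.crt'
certutil -ca.cert 'E:\RootCA1.crt'                                        # the root's own certificate
Copy-Item "$env:windir\system32\CertSrv\CertEnroll\RootCA1.crl" 'E:\'      # the CRL from part A

# ---- C. On LH_CA_ISSUE1 (domain member), as an enterprise administrator ----
# 1. Publish the root certificate and CRL to AD DS so every domain member trusts RootCA1 and can
#    resolve the LDAP CDP/AIA set in part A. 'RootCA' is the target store; for the CRL, the second
#    argument is the root CA's host name, which names its CDP container in the directory.
certutil -dspublish -f 'E:\RootCA1.crt' RootCA
certutil -dspublish -f 'E:\RootCA1.crl' LH_CA_ROOT1
# 2. Serve the same two files over HTTP from the issuing CA (assumes IIS publishes this folder
#    as /CertEnroll, as the CA role does when IIS is present).
Copy-Item 'E:\RootCA1.crt','E:\RootCA1.crl' "$env:windir\system32\CertSrv\CertEnroll\"
# 3. Trust the root locally right away, install the issued certificate, and start the CA service
#    that the wizard left stopped.
certutil -addstore -f Root 'E:\RootCA1.crt'
certutil -installcert 'E:\LH_CA_ISSUE1.crt'
net start certsvc
# 4. Prove from a domain member that the chain builds and the root's CRL is reachable.
certutil -verify -urlfetch 'E:\LH_CA_ISSUE1.crt'
```

The -verify -urlfetch output in the last step should show the root's CRL retrieved from at least one of the LDAP or HTTP locations; if it shows only the file:// path, the root still carries its default URLs and part A was not applied before the CRL was issued.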
Step 3: Installing and Configuring the Online Responder
An Online Responder can be installed on any computer running Windows Server 2008 Enterprise
or Windows Server 2008 Datacenter. The certificate revocation data can come from a CA on a
computer running Windows Server 2008, a CA on a computer running Windows Server 2003, or
from a non-Microsoft CA. An Online Responder will typically not be installed on the same
computer as a CA.
Note
IIS must also be installed on this computer before the Online Responder can be installed.
As part of the setup process a virtual directory named OCSP is created in IIS and the
Web proxy is registered as an Internet Server Application Programming Interface (ISAPI)
extension.
To install the Online Responder service
1. Log on to LH_ORS1 as an administrator.
2. Start the Add Roles Wizard. On the Select Server Roles page, select the Active
Directory Certificate Services check box, and then click Next two times.
3. On the Select Role Services page, clear the Certification Authority check box,
select the Online Responder check box, and then click Next.
You are prompted to install IIS and the Windows Process Activation Service.
4. Click Add Required Role Services, and then click Next three times.
5. On the Confirm Installation Options page, click Install.
6. When the installation is complete, review the status page to verify that the installation
was successful.
Step 4: Configuring the Issuing CA to Issue OCSP Response
Signing Certificates
As with any certificate template, the OCSP Response Signing template must grant the intended
enrollee Read and Enroll permissions (plus Autoenroll if the certificate is to be obtained
automatically, as in this lab) before any certificates can be issued based on the template. Write
permission is not needed to enroll; it only allows a principal to modify the template and should
remain with the template administrators.
To configure certificate templates for your test environment
1. Log on to LH_CA_ISSUE1 as a CA administrator.
2. Open the Certificate Templates snap-in.
3. Right-click the OCSP Response Signing template, and then click Duplicate
Template.
4. Type a new name for the duplicated template, such as OCSP Response Signing_2.
5. Right-click the OCSP Response Signing_2 certificate template, and then click
Properties.
6. Click the Security tab. Under Group or user name, click Add and type the name or
browse to select the computer hosting the Online Responder service.
7. Click the computer name, LH_ORS1, and in the Permissions dialog box, select the
Read and Autoenroll check boxes.
8. While you have the Certificate Templates snap-in open, you can configure certificate
templates for users and computers by substituting the desired templates in step 3, and
repeating steps 4 through 7 to configure permissions for LH_CLI1 and your test user
accounts.
Step 5: Configuring the Authority Information Access Extension to Support the Online Responder
You need to configure the CAs to include the URL for the Online Responder as part of the
authority information access extension of the issued certificate. This URL is used by the Online
Responder client to validate the certificate status.
To configure the authority information access extension to support the Online Responder
1. Log on to LH_CA_ISSUE1 as a CA administrator.
2. Open the Certification Authority snap-in.
3. In the console tree, click the name of the CA.
4. On the Action menu, click Properties.
5. On the Extensions tab, click Select extension, and then click Authority
Information Access (AIA).
6. Select the Include in the AIA extension of issued certificates and Include in the
online certificate status protocol (OCSP) extension check boxes.
7. Specify the locations from which users can obtain certificate revocation data; for this
setup, the location is http://LH_ORS1/ocsp.
8. In the console tree of the Certification Authority snap-in, right-click Certificate
Templates, and then click New Certificate Templates to Issue.
9. In Enable Certificate Templates, select the OCSP Response Signing template and
any other certificate templates that you configured previously, and then click OK.
10. Open Certificate Templates, and verify that the modified certificate templates
appear in the list.
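The same AIA change made from an elevated PowerShell prompt on the issuing CA instead of the Extensions tab. This is an added example, not part of the guide; it assumes the guide's lab URL http://LH_ORS1/ocsp and reads the active CA name from the CertSvc configuration key in the registry.

```powershell
# Added example, not from the guide: add the Online Responder URL to the CA's
# AIA publication list with the "include in OCSP extension" flag, then verify.
# Assumes the lab URL http://LH_ORS1/ocsp from this guide; run elevated on the
# issuing CA (LH_CA_ISSUE1). Equivalent certutil one-liner:
#   certutil -setreg CA\CACertPublicationURLs "+32:http://LH_ORS1/ocsp"

$OcspUrl = 'http://LH_ORS1/ocsp'

# The CA's publication URLs are a REG_MULTI_SZ under the active CA's
# configuration key. Each entry is "<flags>:<url>", where the flag bits mean
#   1  = publish the CA certificate to this location (CSURL_SERVERPUBLISH)
#   2  = include in the AIA extension of issued certificates (CSURL_ADDTOCERTCDP)
#   32 = include in the OCSP field of the AIA extension (CSURL_ADDTOCERTOCSP)
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $configKey -Name Active).Active
$caKey     = Join-Path $configKey $caName
$urls      = @((Get-ItemProperty -Path $caKey -Name CACertPublicationURLs).CACertPublicationURLs)

$entry = "32:$OcspUrl"
if ($urls -contains $entry) {
    "OCSP location already configured: $entry"
} else {
    # Keep the existing file/LDAP/HTTP locations and append the responder URL.
    Set-ItemProperty -Path $caKey -Name CACertPublicationURLs -Value ($urls + $entry) -Type MultiString
    "Added $entry"
}

# The CA reads CACertPublicationURLs when the service starts, so restart it.
Restart-Service certsvc

# certutil decodes the flag bits next to each location; the new entry should be
# listed with flag 32. Only certificates issued after this point carry the OCSP
# URL in their AIA extension, so re-enroll test certificates before testing.
certutil -getreg CA\CACertPublicationURLs
```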
Step 6: Assigning the OCSP Response Signing Template to a CA
Once the templates are properly configured, the CA needs to be configured to issue that
template.
To configure the CA to issue certificates based on the newly created OCSP Response Signing template
1. Open the Certification Authority snap-in.
2. Right-click Certificate Templates, and then click Certificate Template to Issue.
3. Select the OCSP Response Signing_2 template from the list of available templates,
and then click OK.
Step 7: Enrolling for an OCSP Response Signing Certificate
Enrollment might not take place right away. Therefore, before you proceed to the next step,
confirm that certificate enrollment has taken place so that a signing certificate exists on the
computer, and verify that the permissions on the signing certificate allow the Online Responder to
use it.
To verify that the signing certificate is properly configured
1. Start or restart LH_ORS1 to enroll for the certificates.
2. Log on as a CA administrator.
3. Open the Certificates snap-in for the computer. Open the Personal certificate store
for the computer, and then verify that it contains a certificate titled OCSP Response
Signing_2.
4. Right-click this certificate, and then click Manage Private Keys.
5. Click the Security tab. Under Group or user name, click Add, type Network Service
to add it to the Group or user name list, and then click OK.
6. Click Network Service, and in the Permissions dialog box, select the Full Control
check box. Click OK twice.
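A scripted version of the check in Step 7, run on LH_ORS1: it confirms that a certificate with the OCSP Signing enhanced key usage has enrolled into the computer's Personal store and that the private key file's ACL grants NETWORK SERVICE access. This is an added example, not part of the guide; it assumes a computer certificate from the OCSP Response Signing_2 template with an RSA CSP key, as this guide sets up.

```powershell
# Added example, not from the guide: confirm on LH_ORS1 that the OCSP Response
# Signing certificate has enrolled and that the Online Responder's service
# account (NETWORK SERVICE) can use its private key. Assumes a computer
# certificate from the OCSP Response Signing_2 template with an RSA CSP key.

$OcspSigningEku = '1.3.6.1.5.5.7.3.9'   # id-kp-OCSPSigning
$MachineKeyDir  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

# Kick off autoenrollment now instead of waiting for the next scheduled run.
certutil -pulse | Out-Null

function Get-OcspSigningCertificate {
    # Returns certificates in the computer's Personal store whose Enhanced Key
    # Usage extension contains the OCSP Signing OID.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        ($eku -ne $null) -and
        (@($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $OcspSigningEku }).Count -gt 0)
    }
}

$certs = @(Get-OcspSigningCertificate)
if ($certs.Count -eq 0) {
    Write-Warning 'No OCSP Signing certificate in LocalMachine\My yet; enrollment has not completed.'
    return
}

foreach ($cert in $certs) {
    "Subject: {0}`nThumbprint: {1}`nValid until: {2}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter

    if (-not $cert.HasPrivateKey) {
        Write-Warning 'Certificate has no private key on this computer.'
        continue
    }

    # Machine keys created by a CSP are files named after the key container's
    # unique name; the "Manage Private Keys" dialog edits this file's ACL.
    $keyFile = Join-Path $MachineKeyDir $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $aces = Get-Acl -Path $keyFile | Select-Object -ExpandProperty Access |
        Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\NETWORK SERVICE' }

    if ($aces) {
        $aces | ForEach-Object { "NETWORK SERVICE: {0} ({1})" -f $_.FileSystemRights, $_.AccessControlType }
    } else {
        Write-Warning 'NETWORK SERVICE has no ACE on the key file; the Online Responder cannot sign responses.'
    }
}
```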
Step 8: Creating a Revocation Configuration
Creating a revocation configuration involves the following tasks:
• Identify the CA certificate for the CA that supports the Online Responder.
• Identify the CRL distribution point for the CA.
• Select a signing certificate that will be used to sign revocation status responses.
• Select a revocation provider, the component responsible for retrieving and caching the
revocation information used by the Online Responder.
To create a revocation configuration
1. Log on to LH_ORS1 as a domain administrator.
2. Open the Online Responder snap-in.
3. In the Actions pane, click Add Revocation Configuration to start the Add
Revocation Configuration wizard, and then click Next.
4. On the Name the Revocation Configuration page, type a name for the revocation
configuration, such as LH_RC1, and then click Next.
5. On the Select CA Certificate Location page, click Select a certificate for an
existing enterprise CA, and then click Next.
6. On the following page, the name of the CA, LH_CA_ISSUE1, should appear in the
Browse CA certificates published in Active Directory box.
• If it appears, click the name of the CA that you want to associate with your
revocation configuration, and then click Next.
• If it does not appear, click Browse for CA Computer and type the name of the
computer hosting LH_CA_ISSUE1 or click Browse to locate this computer. When
you have located the computer, click Next.
Note
You might also be able to link to the CA certificate from the local certificate
store, or by importing it from removable media in step 5.
7. View the certificate and copy the CRL distribution point for the parent root CA,
RootCA1. To do this:
a. Open the Certificate Services snap-in, and then select an issued certificate.
b. Double-click the certificate, and then click the Details tab.
c. Scroll down and select the CRL Distribution Points field.
d. Select and copy the URL for the CRL distribution point that you want to use.
e. Click OK.
8. On the Select Signing Certificate page, accept the default, Automatically select
signing certificate, and then click Next.
9. On the Revocation Provider page, click Provider.
10. On the Revocation Provider Properties page, click Add, enter the URL of the CRL
distribution point, and then click OK.
11. Click Finish.
12. Using the Online Responder snap-in, select the revocation configuration, and then
examine the status information to verify that it is functioning properly. You should also be
able to examine the properties of the signing certificate to verify that the Online
Responder is configured properly.
Step 9: Setting Up and Configuring the Network Device Enrollment Service
The Network Device Enrollment Service allows software on routers and other network devices
running without domain credentials to obtain certificates.
The Network Device Enrollment Service operates as an ISAPI filter on IIS that performs the
following functions:
• Generates and provides one-time enrollment passwords to administrators
• Processes SCEP enrollment requests
• Retrieves pending requests from the CA
SCEP was developed as an extension to existing HTTP, PKCS #10, PKCS #7, RFC 2459, and
other standards to enable network device and application certificate enrollment with CAs. SCEP
is identified and documented on the Internet Engineering Task Force Web site
(http://go.microsoft.com/fwlink/?LinkId=71055).
Before you begin this procedure, create a user ndes_user1 and add this user to the IIS user
group. Then, use the Certificate Templates snap-in to configure Read and Enroll permissions for
this user on the IPSEC (Offline Request) certificate template.
To set up and configure the Network Device Enrollment Service
1. Log on to LH_NDES as an enterprise administrator.
2. Start the Add Roles Wizard. On the Select Server Roles page, select the Active
Directory Certificate Services check box, and then click Next two times.
3. On the Select Role Services page, clear the Certification Authority check box, and
then select Network Device Enrollment Service.
You are prompted to install IIS and Windows Activation Service.
4. Click Add Required Role Services, and then click Next three times.
5. On the Confirm Installation Options page, click Install.
6. When the installation is complete, review the status page to verify that the installation
was successful.
7. Because this is a new installation and there are no pending SCEP certificate
requests, click Replace existing Registration Authority (RA) certificates, and then
click Next.
When the Network Device Enrollment Service is installed on a computer where a
registration authority already exists, the existing registration authority and any pending
certificate requests are deleted.
8. On the Specify User Account page, click Select User, and type the user name
ndes_user1 and password for this account, which the Network Device Enrollment
Service will use to authorize certificate requests. Click OK, and then click Next.
9. On the Specify CA page, select either the CA name or Computer name check box,
click Browse to locate the CA that will issue the Network Device Enrollment Service
certificates, LH_CA_ISSUE1, and then click Next.
10. On the Specify Registration Authority Information page, type ndes_1 in the RA name
box. Under Country/region, select the check box for the country/region you are in, and
then click Next.
11. On the Configure Cryptography page, accept the default values for the signature
and encryption keys, and then click Next.
12. Review the summary of configuration options, and then click Install.
Step 10: Verifying that the Advanced AD CS Test Setup Functions Properly
You can verify the setup steps described previously as you perform them.
After the installation is complete, you should verify that your advanced test setup is functioning
properly.
To verify that the advanced AD CS test setup functions properly
1. On the CA, configure several certificate templates to autoenroll certificates for
LH_CLI1 and users on this computer.
2. When information about the new certificates has been published to AD DS, open a
command prompt on the client computer and enter the following command to start
certificate autoenrollment:
certutil -pulse
3. On the client computer, use the Certificates snap-in to verify that the certificates have
been issued to the user and to the computer, as appropriate.
4. On the CA, use the Certification Authority snap-in to view and revoke one or more of
the issued certificates by clicking Certification Authority (Computer)/CA name/Issued
Certificates and selecting the certificate you want to revoke. On the Action menu, point
to All Tasks, and then click Revoke Certificate. Select the reason for revoking the
certificate, and click Yes.
5. In the Certification Authority snap-in, publish a new CRL by clicking Certification
Authority (Computer)/CA name/Revoked Certificates in the console tree. Then, on the
Action menu, point to All Tasks, and click Publish.
6. Remove all CRL distribution point extensions from the issuing CA by opening the
Certification Authority snap-in and then selecting the CA. On the Action menu, click
Properties.
7. On the Extensions tab, confirm that Select extension is set to CRL Distribution
Point (CDP).
8. Click any CRL distribution points that are listed, click Remove, and click OK.
9. Stop and restart AD CS.
10. Repeat steps 1 and 2 above, and then verify that clients can still obtain revocation
data. To do this, use the Certificates snap-in to export the certificate to a file (*.cer). At a
command prompt, type:
certutil -url <exportedcert.cer>
11. In the Verify and Retrieve dialog box that appears, click From CDP and From
OCSP and compare the results.
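A non-interactive counterpart to the certutil -url dialog in steps 10 and 11, as an added example that is not part of the guide. It builds the chain for the exported certificate with online revocation checking, which on Windows consults the OCSP URL from the AIA extension when present and the CRL from the CDP otherwise, and separates the outcomes a tester needs to tell apart: good, revoked, and revocation status unknown. It assumes the certificate exported in step 10 is at C:\lab\exportedcert.cer.

```powershell
# Added example, not from the guide: check a certificate's revocation status
# through the Windows chain engine and report whether the answer came back at
# all. After the CDP entries are removed in steps 6-9, a "Good" or "Revoked"
# result here means the Online Responder supplied the revocation data.
# Assumes the file exported in step 10 at C:\lab\exportedcert.cer.

function Test-CertificateRevocation {
    param([Parameter(Mandatory = $true)][string]$Path)

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

    $built  = $chain.Build($cert)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status })

    # Three outcomes matter for a revocation test:
    #   Revoked                 - the CA revoked it and the client learned that
    #   RevocationStatusUnknown - no usable OCSP response or CRL was obtained
    #   OfflineRevocation       - a revocation source could not be reached
    # Other failures (untrusted root, expired) are chain problems, not
    # revocation problems, and are reported as "Chain invalid".
    $flags   = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]
    $revoked = $status -contains $flags::Revoked
    $unknown = ($status -contains $flags::RevocationStatusUnknown) -or
               ($status -contains $flags::OfflineRevocation)

    $result = if ($revoked)     { 'Revoked' }
              elseif ($unknown) { 'Unknown (no revocation data reachable)' }
              elseif ($built)   { 'Good' }
              else              { 'Chain invalid' }

    New-Object PSObject -Property @{
        Subject = $cert.Subject
        Serial  = $cert.SerialNumber
        Result  = $result
        Details = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }
}

Test-CertificateRevocation -Path 'C:\lab\exportedcert.cer' | Format-List

# certutil performs the same fetch and prints which AIA, CDP and OCSP URLs it
# retrieved, which is the command-line way to compare "From CDP" and "From OCSP".
certutil -verify -urlfetch 'C:\lab\exportedcert.cer'
```

Run it once before and once after revoking the certificate and publishing the new CRL; the result should move from Good to Revoked, and never to Unknown while the responder is reachable.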
4.18.24 Movement Legacies, Reflection, and Review.pptx
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERP
 

Set Up Active Directory Certificate Services Lab

Contents

AD CS Step-By-Step Guide
  Abstract
Copyright Information
Contents
Windows Server Active Directory Certificate Services Step-by-Step Guide
  AD CS Technology Review
  Requirements for Using AD CS
  AD CS Basic Lab Scenario
  Steps for Setting up a Basic Lab
    Step 1: Setting Up an Enterprise Root CA
    Step 2: Installing the Online Responder
    Step 3: Configuring the CA to Issue OCSP Response Signing Certificates
    Step 4: Creating a Revocation Configuration
    Step 5: Verifying that the AD CS Lab Setup Functions Properly
  AD CS Advanced Lab Scenario
  Steps for Setting Up an Advanced Lab
    Step 1: Setting Up the Stand-Alone Root CA
    Step 2: Setting Up the Enterprise Subordinate Issuing CA
    Step 3: Installing and Configuring the Online Responder
    Step 4: Configuring the Issuing CA to Issue OCSP Response Signing Certificates
    Step 5: Configuring the Authority Information Access Extension to Support the Online Responder
    Step 6: Assigning the OCSP Response Signing Template to a CA
    Step 7: Enrolling for an OCSP Response Signing Certificate
    Step 8: Creating a Revocation Configuration
    Step 9: Setting Up and Configuring the Network Device Enrollment Service
    Step 10: Verifying that the Advanced AD CS Test Setup Functions Properly
Windows Server Active Directory Certificate Services Step-by-Step Guide

This step-by-step guide describes the steps needed to set up a basic configuration of Active Directory® Certificate Services (AD CS) in a lab environment. AD CS in Windows Server® 2008 provides customizable services for creating and managing public key certificates used in software security systems that employ public key technologies.

This document includes:
• A review of AD CS features
• Requirements for using AD CS
• Procedures for a basic lab setup to test AD CS on a minimum number of computers
• Procedures for an advanced lab setup to test AD CS on a larger number of computers to more realistically simulate real-world configurations

AD CS Technology Review

Using the Active Directory Certificate Services option of the Add Roles Wizard, you can set up the following components of AD CS:
• Certification authorities (CAs). Root and subordinate CAs are used to issue certificates to users, computers, and services, and to manage their validity.
• CA Web enrollment. Web enrollment allows users to connect to a CA by means of a Web browser in order to:
  • Request certificates and review certificate requests.
  • Retrieve certificate revocation lists (CRLs).
  • Perform smart card certificate enrollment.
• Online Responder service. The Online Responder service implements the Online Certificate Status Protocol (OCSP): it decodes revocation status requests for specific certificates, evaluates the status of those certificates, and sends back a signed response containing the requested certificate status information.

Important
Online Responders can be used as an alternative to or an extension of CRLs to provide certificate revocation data to clients. Microsoft Online Responders are based on and comply with RFC 2560 for OCSP (RFC 2560 has since been obsoleted by RFC 6960, which keeps the same protocol). For more information about RFC 2560, see the Internet Engineering Task Force Web site (http://go.microsoft.com/fwlink/?LinkID=67082).
• Network Device Enrollment Service. The Network Device Enrollment Service allows routers and other network devices to obtain certificates based on the Simple Certificate Enrollment Protocol (SCEP) from Cisco Systems Inc.

Note
SCEP was developed to support the secure, scalable issuance of certificates to network devices by using existing CAs. The protocol supports CA and registration authority public key distribution, certificate enrollment, certificate revocation, certificate queries, and certificate revocation queries.

Requirements for Using AD CS

CAs can be set up on servers running a variety of operating systems, including Windows® 2000 Server, Windows Server® 2003, and Windows Server 2008. However, not all operating systems support all features or design requirements, and creating an optimal design requires careful planning and lab testing before you deploy AD CS in a production environment.

Although you can deploy AD CS with as little hardware as a single server for a single CA, many deployments involve multiple servers configured as root, policy, and issuing CAs, and other servers configured as Online Responders.

Note
A limited set of server roles is available for a Server Core installation of Windows Server 2008 and for Windows Server 2008 for Itanium-based Systems.

The following table lists the AD CS components that can be configured on different editions of Windows Server 2008.

Components                          Web   Standard   Enterprise   Datacenter
CA                                  No    Yes        Yes          Yes
Network Device Enrollment Service   No    No         Yes          Yes
Online Responder service            No    No         Yes          Yes

The following features are available on servers running Windows Server 2008 that have been configured as CAs.

AD CS features                                  Web   Standard   Enterprise   Datacenter
Version 2 and version 3 certificate templates   No    No         Yes          Yes
Key archival                                    No    No         Yes          Yes
Role separation                                 No    No         Yes          Yes
Certificate Manager restrictions                No    No         Yes          Yes
Delegated enrollment agent restrictions         No    No         Yes          Yes

AD CS Basic Lab Scenario

The following sections describe how you can set up a lab to begin evaluating AD CS. We recommend that you first use the steps provided in this guide in a test lab environment. Step-by-step guides are not necessarily meant to be used to deploy Windows Server features without accompanying documentation and should be used with discretion as a stand-alone document.

Steps for Setting up a Basic Lab

You can begin testing many features of AD CS in a lab environment by using as few as two servers running Windows Server 2008 and one client computer running Windows Vista®. The computers for this guide are named as follows:
• LH_DC1: This computer will be the domain controller for your test environment.
• LH_PKI1: This computer will host an enterprise root CA for the test environment. This CA will issue certificates to the Online Responder (its OCSP Response Signing certificate) and to client computers.

Note
Enterprise CAs and Online Responders can only be installed on servers running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter.

• LH_CLI1: This client computer running Windows Vista will autoenroll for certificates from LH_PKI1 and verify certificate status from LH_PKI1.

To configure the basic lab setup for AD CS, you need to complete the following prerequisite steps:
• Set up a domain controller on LH_DC1 for contoso.com, including some organizational units (OUs) to contain one or more users for the client computer, client computers in the domain, and the servers hosting CAs and Online Responders.
• Install Windows Server 2008 on LH_PKI1, and join LH_PKI1 to the domain.
• Install Windows Vista on LH_CLI1, and join LH_CLI1 to contoso.com.

After you have completed these preliminary setup procedures, you can begin to complete the following steps:
Step 1: Setting Up an Enterprise Root CA
Step 2: Installing the Online Responder
Step 3: Configuring the CA to Issue OCSP Response Signing Certificates
Step 4: Creating a Revocation Configuration
Step 5: Verifying that the AD CS Lab Setup Functions Properly

Step 1: Setting Up an Enterprise Root CA

An enterprise root CA is the anchor of trust for the basic lab setup. It will be used to issue certificates to the Online Responder and the client computer, and to publish certificate information to Active Directory Domain Services (AD DS).

Note
Enterprise CAs and Online Responders can only be installed on servers running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter. Installing an enterprise CA also requires membership in Enterprise Admins, because the CA is registered in the Configuration partition of AD DS.

To set up an enterprise root CA
1. Log on to LH_PKI1 as a domain administrator (who is also a member of Enterprise Admins).
2. Click Start, point to Administrative Tools, and then click Server Manager.
3. In the Roles Summary section, click Add roles.
4. On the Select Server Roles page, select the Active Directory Certificate Services check box. Click Next two times.
5. On the Select Role Services page, select the Certification Authority check box, and then click Next.
6. On the Specify Setup Type page, click Enterprise, and then click Next.
7. On the Specify CA Type page, click Root CA, and then click Next.
8. On the Set Up Private Key and Configure Cryptography for CA pages, you can configure optional settings, including the cryptographic service provider, key length and hash algorithm. For basic testing purposes, accept the default values by clicking Next twice.
9. In the Common name for this CA box, type the common name of the CA, RootCA1, and then click Next.
10. On the Set the Certificate Validity Period page, accept the default validity duration for the root CA, and then click Next.
11. On the Configure Certificate Database page, accept the default values or specify other storage locations for the certificate database and the certificate database log, and then click Next.
12. After verifying the information on the Confirm Installation Options page, click Install.
13. Review the information on the confirmation screen to verify that the installation was successful.

Step 2: Installing the Online Responder

An Online Responder can be installed on any computer running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter. The certificate revocation data can come from a CA on a computer running Windows Server 2008, a CA on a computer running Windows Server 2003, or from a non-Microsoft CA.

Note
IIS must also be installed on this computer before the Online Responder can be installed.

To install the Online Responder
1. Log on to LH_PKI1 as a domain administrator.
2. Click Start, point to Administrative Tools, and then click Server Manager.
3. Click Manage Roles. In the Active Directory Certificate Services section, click Add role services.
4. On the Select Role Services page, select the Online Responder check box. You are prompted to install IIS and the Windows Process Activation Service.
5. Click Add Required Role Services, and then click Next three times.
6. On the Confirm Installation Options page, click Install.
7. When the installation is complete, review the status page to verify that the installation was successful.

Step 3: Configuring the CA to Issue OCSP Response Signing Certificates

Configuring a CA to support Online Responder services involves configuring certificate templates and issuance properties for OCSP Response Signing certificates, and then completing additional steps on the CA to support the Online Responder and certificate issuance.

Note
These certificate template and autoenrollment steps can also be used to configure certificates that you want to issue to a client computer or to client computer users.
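Steps 1 and 2 above drive the Add Roles Wizard. The following PowerShell performs the same two installations unattended. It is an added example, not part of the original guide, and it assumes Windows Server 2012 or later on LH_PKI1 (the ADCSDeployment cmdlets do not exist on Windows Server 2008, where the wizard is the only route) and a logon that is a member of Enterprise Admins. The parameter values mirror the wizard defaults the guide accepts, except that the hash algorithm is set explicitly to SHA256 instead of the SHA-1 default of that era, because SHA-1 signatures are deprecated.

```powershell
# Added example: unattended equivalent of Step 1 (enterprise root CA) and Step 2 (Online Responder).
# Assumes Windows Server 2012 or later on LH_PKI1 (ADCSDeployment module) and a logon that is a
# member of Enterprise Admins, which an enterprise CA installation requires.

# Install the role services. ADCS-Online-Cert pulls in the IIS and WAS prerequisites the wizard prompts for.
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Online-Cert -IncludeManagementTools

# Step 1: enterprise root CA named RootCA1 (wizard defaults: software KSP, RSA 2048, 5-year validity,
# database and log in the default CertLog directory). SHA256 is chosen instead of the old SHA-1 default.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'RootCA1' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 `
    -DatabaseDirectory "$env:SystemRoot\System32\CertLog" `
    -LogDirectory "$env:SystemRoot\System32\CertLog" `
    -Force

# Step 2: Online Responder role service on the same computer (the basic lab layout).
Install-AdcsOnlineResponder -Force

# Checks to run before moving on to Step 3.
Get-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Online-Cert | Select-Object Name, InstallState
Get-Service -Name certsvc, ocspsvc | Select-Object Name, Status   # both should be Running
certutil -ping                                                    # the CA answers over RPC/DCOM
certutil -cainfo name                                             # prints the CA common name, RootCA1
```

Both Install-Adcs* cmdlets take -Credential if the installing session is not already running as a sufficiently privileged account; -Force suppresses the confirmation prompt that the wizard's Confirm Installation Options page corresponds to.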
To configure certificate templates for your test environment
1. Log on to LH_PKI1 as a CA administrator.
2. Open the Certificate Templates snap-in.
3. Right-click the OCSP Response Signing template, and then click Duplicate Template.
4. Type a new name for the duplicated template, such as OCSP Response Signing_2.
5. Right-click the OCSP Response Signing_2 certificate template, and then click Properties.
6. Click the Security tab. Under Group or user name, click Add, and then type the name or browse to select the computer hosting the Online Responder service.
7. Click the computer name, LH_PKI1, and in the Permissions dialog box, select the Read, Enroll, and Autoenroll check boxes. Autoenrollment takes place only when the principal holds both Enroll and Autoenroll; grant an enrolling principal nothing beyond these three permissions.
8. While you have the Certificate Templates snap-in open, you can configure certificate templates for users and computers by substituting the desired templates in step 3, and repeating steps 4 through 7 to configure permissions for LH_CLI1 and your test user accounts.

To configure the CA to support Online Responders, you need to use the Certification Authority snap-in to complete two key steps:
• Add the location of the Online Responder to the authority information access extension of issued certificates.
• Enable the certificate templates that you configured in the previous procedure for the CA.

To configure a CA to support the Online Responder service
1. Open the Certification Authority snap-in.
2. In the console tree, click the name of the CA.
3. On the Action menu, click Properties.
4. Click the Extensions tab. In the Select extension list, click Authority Information Access (AIA).
5. Click Add, and enter the location from which clients can obtain certificate revocation data; for this setup, the location is http://LH_PKI1/ocsp.
6. With the new location selected, select the Include in the online certificate status protocol (OCSP) extension check box. Leave Include in the AIA extension of issued certificates cleared for this entry: that check box marks a location from which the CA certificate itself can be downloaded, which does not apply to an OCSP URL. Extension changes take effect after Certificate Services is restarted, and only for certificates issued after the restart.
7. In the console tree of the Certification Authority snap-in, right-click Certificate Templates, point to New, and then click Certificate Template to Issue.
8. In Enable Certificate Templates, select the OCSP Response Signing_2 template and any other certificate templates that you configured previously, and then click OK.
9. Open Certificate Templates, and verify that the modified certificate templates appear in the list.
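The Security tab in step 7 is a view of the template object's ACL in AD DS. The following script reads that ACL directly and reports who can read, enroll, autoenroll and modify a template, flagging the two mistakes that matter here: Autoenroll without Enroll (autoenrollment silently does nothing) and Write granted to an enrolling principal (which lets that principal change the template). It is an added example, not part of the original guide. It assumes the ActiveDirectory PowerShell module is available and that the template is addressed by its Template name, the CN in AD DS, which by default is the display name with spaces removed (so OCSPResponseSigning_2 for the template created above; check the Template name field on the General tab).

```powershell
# Added example: audit who can read, enroll, autoenroll and modify a certificate template.
# Assumes the ActiveDirectory module (RSAT-AD-PowerShell) and a logon that can read the Configuration
# partition. It reads the template object's ACL, which is what the Security tab in step 7 displays.
Import-Module ActiveDirectory

$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$AutoEnrollRight = [guid]'a05b8cc2-17bc-11d1-aaf5-00c04fd7d83a'   # Certificate-AutoEnrollment extended right
$ADR             = [System.DirectoryServices.ActiveDirectoryRights]

function Get-CertTemplateAccess {
    # $TemplateName is the template's "Template name" (its CN in AD DS), e.g. OCSPResponseSigning_2,
    # not the display name.
    param([Parameter(Mandatory)][string]$TemplateName)

    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn  = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $acl = Get-Acl -Path "AD:\$dn"

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $r = [int]$ace.ActiveDirectoryRights
        # GenericRead and GenericAll include ReadProperty; GenericWrite and GenericAll include WriteProperty.
        $read   = ($r -band [int]$ADR::ReadProperty) -ne 0
        $write  = ($r -band ([int]$ADR::WriteProperty -bor [int]$ADR::WriteDacl -bor [int]$ADR::WriteOwner)) -ne 0
        $hasExt = ($r -band [int]$ADR::ExtendedRight) -ne 0
        # An ExtendedRight ACE with an empty ObjectType grants every extended right, Enroll included.
        $allExt = $hasExt -and ($ace.ObjectType -eq [guid]::Empty)

        [pscustomobject]@{
            Template   = $TemplateName
            Identity   = $ace.IdentityReference.Value
            Read       = $read
            Enroll     = $hasExt -and ($allExt -or $ace.ObjectType -eq $EnrollRight)
            Autoenroll = $hasExt -and ($allExt -or $ace.ObjectType -eq $AutoEnrollRight)
            Write      = $write
            Inherited  = $ace.IsInherited
        }
    }
}

function Test-CertTemplateAccess {
    # Warns about Autoenroll without Enroll (autoenrollment needs both) and about Write granted to a
    # principal that can also enroll (such a principal can change what the template issues).
    param([Parameter(Mandatory)][string]$TemplateName)
    $rows = @(Get-CertTemplateAccess -TemplateName $TemplateName)
    foreach ($row in $rows) {
        if ($row.Autoenroll -and -not $row.Enroll) {
            Write-Warning "$($row.Identity) has Autoenroll but not Enroll on $TemplateName; autoenrollment will not occur."
        }
        if ($row.Write -and ($row.Enroll -or $row.Autoenroll)) {
            Write-Warning "$($row.Identity) can both enroll from and modify $TemplateName; remove the Write permissions."
        }
    }
    $rows
}

# Usage (on LH_PKI1, after step 7 above). The expected rows include LH_PKI1$ with Read, Enroll and
# Autoenroll set and Write clear.
Test-CertTemplateAccess -TemplateName 'OCSPResponseSigning_2' | Format-Table -AutoSize
```

Run the same function against the user and computer templates configured in step 8; the principals that should appear with Write are only the administrative groups that own the template, never the enrolling computers or users.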
Step 4: Creating a Revocation Configuration

A revocation configuration includes all of the settings that are needed to respond to status requests regarding certificates that have been issued by using a specific CA key. These configuration settings include the CA certificate, the signing certificate for the Online Responder, and the locations to which clients are directed to send their status requests.

Important
Before you create a revocation configuration, ensure that certificate enrollment has taken place so that a signing certificate exists on the computer, and adjust the permissions on the signing certificate's private key to allow the Online Responder to use it.

To verify that the signing certificate is properly configured
1. Start or restart LH_PKI1 to enroll for certificates. (Running certutil -pulse in an elevated command prompt triggers autoenrollment without a restart.)
2. Log on as a CA administrator.
3. Open the Certificates snap-in for the computer account. Open the Personal certificate store for the computer, and verify that it contains a certificate issued from the OCSP Response Signing_2 template.
4. Right-click this certificate, point to All Tasks, and then click Manage Private Keys.
5. Click the Security tab. Under Group or user name, click Add, enter Network Service, and then click OK.
6. Click Network Service, and in the Permissions dialog box, select the Read check box. The Online Responder runs as Network Service and only needs to use the key; the original guide grants Full Control here, which is more than the service requires.
7. Click OK twice.

Creating a revocation configuration involves the following tasks:
• Identify the CA certificate for the CA that supports the Online Responder.
• Identify the CRL distribution point for the CA.
• Select a signing certificate that will be used to sign revocation status responses.
• Select a revocation provider, the component responsible for retrieving and caching the revocation information used by the Online Responder.

To create a revocation configuration
1. Open the Online Responder snap-in.
2. In the Actions pane, click Add Revocation Configuration to start the Add Revocation Configuration wizard, and then click Next.
3. On the Name the Revocation Configuration page, type a name for the revocation configuration, such as LH_RC1, and then click Next.
4. On the Select CA Certificate Location page, click Select a certificate from an existing enterprise CA, and then click Next.
5. On the following page, the CA RootCA1 (hosted on LH_PKI1) should appear in the Browse CA certificates published in Active Directory box.
  • If it appears, click the name of the CA that you want to associate with your revocation configuration, and then click Next.
  • If it does not appear, click Browse for CA Computer and type the name of the computer hosting the CA, LH_PKI1, or click Browse to locate this computer. When you have located the computer, click Next.

Note
In step 4 you can also link to the CA certificate from the local certificate store, or import it from removable media.

6. View the certificate and copy the CRL distribution point for the root CA, RootCA1. To do this:
  a. Open the Certification Authority snap-in. Under Issued Certificates, select an issued certificate.
  b. Double-click the certificate, and then click the Details tab.
  c. Scroll down and select the CRL Distribution Points field.
  d. Select and copy the URL for the CRL distribution point that you want to use.
  e. Click OK.
7. On the Select Signing Certificate page, accept the default option, Automatically select a signing certificate, and then click Next.
8. On the Revocation Provider page, click Provider.
9. On the Revocation Provider Properties page, click Add, enter the URL of the CRL distribution point, and then click OK.
10. Click Finish.
11. Using the Online Responder snap-in, select the revocation configuration, and then examine the status information to verify that it is functioning properly. You should also be able to examine the properties of the signing certificate to verify that the Online Responder is configured properly.

Step 5: Verifying that the AD CS Lab Setup Functions Properly

You can verify the setup steps described previously as you perform them. After the installation is complete, you should verify that your basic test setup is functioning properly by confirming that you can autoenroll certificates, revoke certificates, and make accurate revocation data available from the Online Responder.
To verify that the AD CS test setup functions properly
1. On the CA, configure several certificate templates to autoenroll certificates for LH_CLI1 and users on this computer.
2. When information about the new certificates has been published to AD DS, open a command prompt on the client computer and enter the following command to start certificate autoenrollment:
   certutil -pulse
3. On LH_CLI1, use the Certificates snap-in to verify that the certificates have been issued to the user and to the computer, as appropriate.
4. On the CA, use the Certification Authority snap-in to view and revoke one or more of the issued certificates by clicking Certification Authority (Computer)/CA name/Issued Certificates and selecting the certificate you want to revoke. On the Action menu, point to All Tasks, and then click Revoke Certificate. Select the reason for revoking the certificate, and click Yes.
5. In the Certification Authority snap-in, publish a new CRL by clicking Certification Authority (Computer)/CA name/Revoked Certificates in the console tree. Then, on the Action menu, point to All Tasks, and click Publish.
6. Remove all CRL distribution point extensions from the issuing CA by opening the Certification Authority snap-in and then selecting the CA. On the Action menu, click Properties. (This deliberately leaves new certificates with no CRL location so that OCSP-only operation can be tested; it is a lab step, not something to repeat on a production CA.)
7. On the Extensions tab, confirm that Select extension is set to CRL Distribution Point (CDP).
8. Click any CRL distribution points that are listed, click Remove, and then click OK.
9. Stop and restart AD CS (the Certificate Services service, certsvc).
10. Repeat steps 1 and 2 above, and then verify that clients can still obtain revocation data. To do this, use the Certificates snap-in to export one of the newly issued certificates to a file (*.cer). At a command prompt, type:
   certutil -url <exportedcert.cer>
11. In the Verify and Retrieve dialog box that appears, click From CDP and From OCSP and compare the results. A certificate issued after the restart carries no CRL distribution point, so retrieval from CDP should fail, while the OCSP query should still return the certificate's status from the Online Responder.
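Steps 10 and 11 check revocation retrieval through a dialog box. The following script is the scripted form of that check, run on LH_CLI1 against the exported certificate; it is an added example, not part of the original guide. The first function asks the Windows chain engine (which tries the OCSP URL from the AIA extension before falling back to the CRL distribution point) whether the certificate is valid, revoked, or of unknown status, the failure mode step 10 is designed to expose. The second wraps certutil -verify -urlfetch to show which revocation sources were actually reachable. The text matching in the second function assumes the English-language certutil output format, and the file path in the usage lines is a placeholder.

```powershell
# Added example: scripted version of steps 10 and 11, run on LH_CLI1 against an exported certificate.
# Uses the Windows chain engine (.NET X509Chain), which consults the OCSP URL in the AIA extension and
# falls back to the CRL distribution point; the certutil parsing assumes English certutil output.

function Test-CertificateRevocation {
    param(
        [Parameter(Mandatory)][string]$Path,                        # exported certificate (*.cer)
        [ValidateSet('Online', 'Offline', 'NoCheck')][string]$Mode = 'Online'
    )
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]$Mode
    $chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15
    $valid  = $chain.Build($cert)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    $chain.Reset()

    [pscustomobject]@{
        Subject           = $cert.Subject
        Thumbprint        = $cert.Thumbprint
        ChainValid        = $valid
        Revoked           = ($status -contains 'Revoked')
        # True when neither OCSP nor a CRL could be reached: this is what step 10 must NOT produce.
        RevocationUnknown = ($status -contains 'RevocationStatusUnknown' -or $status -contains 'OfflineRevocation')
        Status            = ($status -join ', ')
    }
}

function Get-CertutilRevocationSources {
    # Runs certutil -verify -urlfetch and reports which sources answered. certutil prints a
    # "Certificate CDP" and a "Certificate OCSP" section, each followed by "Verified ..." on success.
    param([Parameter(Mandatory)][string]$Path)
    $out = & certutil.exe -verify -urlfetch $Path 2>&1 | Out-String
    [pscustomobject]@{
        CdpVerified  = ($out -match '(?s)Certificate CDP\s+-+\s+Verified')
        OcspVerified = ($out -match '(?s)Certificate OCSP\s+-+\s+Verified')
        Revoked      = ($out -match 'CRYPT_E_REVOKED')
        Output       = $out
    }
}

# Usage (step 10): export the client's certificate with the Certificates snap-in, then run:
$exported = 'C:\Temp\exportedcert.cer'     # placeholder path for the exported certificate
Test-CertificateRevocation -Path $exported | Format-List Subject, ChainValid, Revoked, RevocationUnknown, Status
Get-CertutilRevocationSources -Path $exported | Select-Object CdpVerified, OcspVerified, Revoked
```

After step 8 a certificate issued post-restart should report CdpVerified False and OcspVerified True, with Revoked True only for a certificate revoked in step 4. RevocationUnknown True on the chain check means the client could reach neither source, which is the result to investigate before declaring the Online Responder working.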
AD CS Advanced Lab Scenario

The following sections describe how you can set up a lab to evaluate more features of AD CS than in the basic lab setup.
Steps for Setting Up an Advanced Lab

To test additional features of AD CS in a lab environment, you will need five computers running Windows Server 2008 and one client computer running Windows Vista. The computers for this guide are named as follows:
• LH_DC1: This computer will be the domain controller for your test environment.
• LH_CA_ROOT1: This computer will host a stand-alone root CA for the test environment.
• LH_CA_ISSUE1: This enterprise CA will be subordinate to LH_CA_ROOT1 and will issue certificates to the Online Responder and to client computers.

Note
Enterprise CAs and Online Responders can only be installed on servers running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter.

• LH_ORS1: This server will host the Online Responder.
• LH_NDES: This server will host the Network Device Enrollment Service, which makes it possible to issue and manage certificates for routers and other network devices.
• LH_CLI1: This client computer running Windows Vista will autoenroll for certificates from LH_CA_ISSUE1 and verify certificate status from LH_ORS1.

To configure the advanced lab setup for AD CS, you need to complete the following prerequisite steps:
1. Set up a domain controller on LH_DC1 for contoso.com, including some OUs to contain one or more users for LH_CLI1, client computers in the domain, and the servers hosting CAs and Online Responders.
2. Install Windows Server 2008 on the other servers in the test configuration and join them to the domain. A stand-alone root CA does not need domain membership, and in production it is normally a workgroup computer that is kept offline; joining LH_CA_ROOT1 here only simplifies the lab.
3. Install Windows Vista on LH_CLI1, and join LH_CLI1 to contoso.com.

After you have completed these preliminary setup procedures, you can begin to complete the following steps:
Step 1: Setting Up the Stand-Alone Root CA
Step 2: Setting Up the Enterprise Subordinate Issuing CA
Step 3: Installing and Configuring the Online Responder
Step 4: Configuring the Issuing CA to Issue OCSP Response Signing Certificates
Step 5: Configuring the Authority Information Access Extension to Support the Online Responder
Step 6: Assigning the OCSP Response Signing Template to a CA
Step 7: Enrolling for an OCSP Response Signing Certificate
Step 8: Creating a Revocation Configuration
Step 9: Setting Up and Configuring the Network Device Enrollment Service
Step 10: Verifying that the Advanced AD CS Test Setup Functions Properly
  • 14. Step 1: Setting Up the Stand-Alone Root CA A stand-alone root CA is the anchor of trust for the basic lab setup. It will be used to issue certificates to the subordinate issuing CA. Because it is critical to the security of the public key infrastructure (PKI), this CA is online in many PKIs only when needed to issue certificates to subordinate CAs. To set up a stand-alone root CA 1. Log on to LH_CA_ROOT1 as an administrator. 2. Start the Add RolesWizard. On the Select Server Roles page, select the Active Directory Certificate Services check box, and then click Next two times. 3. On the Select Role Services page, select the Certification Authority check box, and then click Next. 4. On the Specify Setup Type page, click Standalone, and then click Next. 5. On the Specify CA Type page, click Root CA, and then click Next. 6. On the Set Up Private Key and Configure Cryptography for CA pages, you can configure optional settings, including cryptographic service providers. However, for basic testing purposes, accept the default values by clicking Next twice. 7. In the Common name for this CA box, type the common name of the CA, RootCA1, and then click Next. 8. On the Set the Certificate Validity Period page, accept the default validity duration for the root CA, and then click Next. 9. On the Configure Certificate Database page, accept the default values or specify other storage locations for the certificate database and the certificate database log, and then click Next. 10. After verifying the information on the Confirm Installation Options page, click Install. Step 2: Setting Up the Enterprise Subordinate Issuing CA Most organizations use at least one subordinate CA to protect the root CA from unnecessary exposure. An enterprise CA also allows you to use certificate templates and to use AD DS for enrollment and publishing certificates. To set up an enterprise subordinate issuing CA 1. Log on to LH_CA_ISSUE1 as a domain administrator. 2. Start the Add RolesWizard. 
On the Select Server Roles page, select the Active Directory Certificate Services check box, and then click Nexttwo times. 3. On the Select Role Services page, select the Certification Authority check box, 15
  • 15. and then click Next. 4. On the Specify Setup Type page, click Enterprise, and then click Next. 5. On the Specify CA Type page, click Subordinate CA, and then click Next. 6. On the Set Up Private Key and Configure Cryptography for CA pages, you can configure optional settings, including cryptographic service providers. However, for basic testing purposes, accept the default values by clicking Next twice. 7. On the Request Certificate page, browse to locate LH_CA_ROOT1, or if, the root CA is not connected to the network, save the certificate request to a file so that it can be processed later. Click Next. The subordinate CA setup will not be usable until it has been issued a root CA certificate and this certificate has been used to complete the installation of the subordinate CA. 8. In the Common name for this CA box, type the common name of the CA, LH_CA_ISSUE1. 9. On the Set the Certificate Validity Period page, accept the default validity duration for the CA, and then click Next. 10. On the Configure Certificate Database page, accept the default values or specify other storage locations for the certificate database and the certificate database log, and then click Next. 11. After verifying the information on the Confirm Installation Options page, click Install. Step 3: Installing and Configuring the Online Responder An Online Responder can be installed on any computer running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter. The certificate revocation data can come from a CA on a computer running Windows Server 2008, a CA on a computer running Windows Server 2003, or from a non-Microsoft CA. An Online Responder will typically not be installed on the same computer as a CA. Note IIS must also be installed on this computer before the Online Responder can be installed. 
As part of the setup process a virtual directory named OCSP is created in IIS and the Web proxy is registered as an Internet Server Application Programming Interface (ISAPI) extension.

To install the Online Responder service
1. Log on to LH_ORS1 as an administrator.
2. Start the Add Roles Wizard. On the Select Server Roles page, select the Active Directory Certificate Services check box, and then click Next two times.
3. On the Select Role Services page, clear the Certification Authority check box, select the Online Responder check box, and then click Next. You are prompted to install IIS and Windows Activation Service.
4. Click Add Required Role Services, and then click Next three times.
5. On the Confirm Installation Options page, click Install.
6. When the installation is complete, review the status page to verify that the installation was successful.

Step 4: Configuring the Issuing CA to Issue OCSP Response Signing Certificates
As with any certificate template, the OCSP Response Signing template must be configured with the enrollment permissions for Read, Enroll, Autoenroll, and Write before any certificates can be issued based on the template.

To configure certificate templates for your test environment
1. Log on to LH_CA_ISSUE1 as a CA administrator.
2. Open the Certificate Templates snap-in.
3. Right-click the OCSP Response Signing template, and then click Duplicate Template.
4. Type a new name for the duplicated template, such as OCSP Response Signing_2.
5. Right-click the OCSP Response Signing_2 certificate template, and then click Properties.
6. Click the Security tab. Under Group or user name, click Add and type the name or browse to select the computer hosting the Online Responder service.
7. Click the computer name, LH_ORS1, and in the Permissions dialog box, select the Read and Autoenroll check boxes.
8. While you have the Certificate Templates snap-in open, you can configure certificate templates for users and computers by substituting the desired templates in step 3, and repeating steps 4 through 7 to configure permissions for LH_CLI1 and your test user accounts.

Step 5: Configuring the Authority Information Access Extension to Support the Online Responder
You need to configure the CAs to include the URL for the Online Responder as part of the authority information access extension of the issued certificate.
This URL is used by the Online Responder client to validate the certificate status.

To configure the authority information access extension to support the Online Responder
1. Log on to LH_CA_ISSUE1 as a CA administrator.
2. Open the Certification Authority snap-in.
3. In the console tree, click the name of the CA.
4. On the Action menu, click Properties.
5. On the Extensions tab, click Select extension, and then click Authority Information Access (AIA).
6. Select the Include in the AIA extension of issued certificates and Include in the online certificate status protocol (OCSP) extension check boxes.
7. Specify the locations from which users can obtain certificate revocation data; for this setup, the location is http://LH_ORS1/ocsp.
8. In the console tree of the Certification Authority snap-in, right-click Certificate Templates, and then click New Certificate Templates to Issue.
9. In Enable Certificate Templates, select the OCSP Response Signing template and any other certificate templates that you configured previously, and then click OK.
10. Open Certificate Templates, and verify that the modified certificate templates appear in the list.

Step 6: Assigning the OCSP Response Signing Template to a CA
Once the templates are properly configured, the CA needs to be configured to issue that template.

To configure the CA to issue certificates based on the newly created OCSP Response Signing template
1. Open the Certification Authority snap-in.
2. Right-click Certificate Templates, and then click Certificate Template to Issue.
3. Select the OCSP Response Signing_2 template from the list of available templates, and then click OK.

Step 7: Enrolling for an OCSP Response Signing Certificate
Enrollment might not take place right away. Therefore, before you proceed to the next step, confirm that certificate enrollment has taken place so that a signing certificate exists on the computer, and verify that the permissions on the signing certificate allow the Online Responder to use it.
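The two conditions Step 7 asks you to confirm on LH_ORS1 (a signing certificate exists, and the Online Responder's service account can use its private key) can be checked from Windows PowerShell. This is an added example, not part of the Microsoft guide; it assumes the key was created with the default CSP accepted in Step 2, so the key container is a file under MachineKeys, and that the Online Responder runs as Network Service as the guide states.

```powershell
# Added check for Step 7 (not from the Microsoft guide). Run in an elevated Windows
# PowerShell session on LH_ORS1 after autoenrollment. Assumes a default-CSP (legacy
# RSA) key, so its container file lives under the MachineKeys folder.
$OcspSigningEku  = '1.3.6.1.5.5.7.3.9'     # id-kp-OCSPSigning
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'  # Certificate Template Information
$KeyDir = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

function Get-OcspSigningCertificateStatus {
    $found = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $OcspSigningEku })
    }
    if (-not $found) {
        Write-Warning 'No OCSP Response Signing certificate in the computer Personal store yet; autoenrollment has not completed (Step 7, step 1).'
        return
    }
    foreach ($cert in $found) {
        $tmpl = $cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateInfoOid }
        $rights = 'unknown (key is not a CSP key; inspect it with Manage Private Keys)'
        if ($cert.PrivateKey) {
            # The CSP container name maps to a file; its ACL is what Manage Private Keys edits.
            $keyFile = Join-Path $KeyDir $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
            $nsRule = (Get-Acl $keyFile).Access | Where-Object {
                $_.IdentityReference.Value -eq 'NT AUTHORITY\NETWORK SERVICE' -and
                $_.AccessControlType -eq 'Allow'
            }
            $rights = if ($nsRule) { ($nsRule.FileSystemRights -join ', ') }
                      else { 'NONE - grant access with Manage Private Keys (Step 7, steps 4-6)' }
        }
        [pscustomobject]@{
            Subject              = $cert.Subject
            Thumbprint           = $cert.Thumbprint
            NotAfter             = $cert.NotAfter
            Template             = if ($tmpl) { $tmpl.Format($false) } else { '(no template extension)' }
            NetworkServiceRights = $rights
        }
    }
}

Get-OcspSigningCertificateStatus | Format-List
```

The Template field should name OCSP Response Signing_2 (or its OID) and NetworkServiceRights should be non-empty before you continue to Step 8; if the store is empty, run certutil -pulse or restart the computer as step 1 describes and check again.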
To verify that the signing certificate is properly configured
1. Start or restart LH_ORS1 to enroll for the certificates.
2. Log on as a CA administrator.
3. Open the Certificates snap-in for the computer. Open the Personal certificate store for the computer, and then verify that it contains a certificate titled OCSP Response Signing_2.
4. Right-click this certificate, and then click Manage Private Keys.
5. Click the Security tab. In the User Group or user name dialog box, click Add to type in and add Network Service to the Group or user name list, and then click OK.
6. Click Network Service, and in the Permissions dialog box, select the Full Control check box. Click OK twice.

Step 8: Creating a Revocation Configuration
Creating a revocation configuration involves the following tasks:
• Identify the CA certificate for the CA that supports the Online Responder.
• Identify the CRL distribution point for the CA.
• Select a signing certificate that will be used to sign revocation status responses.
• Select a revocation provider, the component responsible for retrieving and caching the revocation information used by the Online Responder.

To create a revocation configuration
1. Log on to LH_ORS1 as a domain administrator.
2. Open the Online Responder snap-in.
3. In the Actions pane, click Add Revocation Configuration to start the Add Revocation Configuration wizard, and then click Next.
4. On the Name the Revocation Configuration page, type a name for the revocation configuration, such as LH_RC1, and then click Next.
5. On the Select CA Certificate Location page, click Select a certificate for an existing enterprise CA, and then click Next.
6. On the following page, the name of the CA, LH_CA_ISSUE1, should appear in the Browse CA certificates published in Active Directory box.
   • If it appears, click the name of the CA that you want to associate with your revocation configuration, and then click Next.
   • If it does not appear, click Browse for CA Computer and type the name of the computer hosting LH_CA_ISSUE1 or click Browse to locate this computer. When you have located the computer, click Next.
Note
You might also be able to link to the CA certificate from the local certificate store, or by importing it from removable media in step 5.
7. View the certificate and copy the CRL distribution point for the parent root CA, RootCA1. To do this:
   a. Open the Certificate Services snap-in, and then select an issued certificate.
   b. Double-click the certificate, and then click the Details tab.
   c. Scroll down and select the CRL Distribution Points field.
   d. Select and copy the URL for the CRL distribution point that you want to use.
   e. Click OK.
8. On the Select Signing Certificate page, accept the default, Automatically select signing certificate, and then click Next.
9. On the Revocation Provider page, click Provider.
10. On the Revocation Provider Properties page, click Add, enter the URL of the CRL distribution point, and then click OK.
11. Click Finish.
12. Using the Online Responder snap-in, select the revocation configuration, and then examine the status information to verify that it is functioning properly. You should also be able to examine the properties of the signing certificate to verify that the Online Responder is configured properly.

Step 9: Setting Up and Configuring the Network Device Enrollment Service
The Network Device Enrollment Service allows software on routers and other network devices running without domain credentials to obtain certificates. The Network Device Enrollment Service operates as an ISAPI filter on IIS that performs the following functions:
• Generates and provides one-time enrollment passwords to administrators
• Processes SCEP enrollment requests
• Retrieves pending requests from the CA
SCEP was developed as an extension to existing HTTP, PKCS #10, PKCS #7, RFC 2459, and other standards to enable network device and application certificate enrollment with CAs. SCEP is identified and documented on the Internet Engineering Task Force Web site (http://go.microsoft.com/fwlink/?LinkId=71055).
Before you begin this procedure, create a user ndes_user1 and add this user to the IIS user group. Then, use the Certificate Templates snap-in to configure Read and Enroll permissions for this user on the IPSEC (Offline Request) certificate template.

To set up and configure the Network Device Enrollment Service
1. Log on to LH_NDES as an enterprise administrator.
2. Start the Add Roles Wizard. On the Select Server Roles page, select the Active Directory Certificate Services check box, and then click Next two times.
3. On the Select Role Services page, clear the Certification Authority check box, and then select Network Device Enrollment Service. You are prompted to install IIS and Windows Activation Service.
4. Click Add Required Role Services, and then click Next three times.
5. On the Confirm Installation Options page, click Install.
6. When the installation is complete, review the status page to verify that the installation was successful.
7. Because this is a new installation and there are no pending SCEP certificate requests, click Replace existing Registration Authority (RA) certificates, and then click Next. When the Network Device Enrollment Service is installed on a computer where a registration authority already exists, the existing registration authority and any pending certificate requests are deleted.
8. On the Specify User Account page, click Select User, and type the user name ndes_user1 and password for this account, which the Network Device Enrollment Service will use to authorize certificate requests. Click OK, and then click Next.
9. On the Specify CA page, select either the CA name or Computer name check box, click Browse to locate the CA that will issue the Network Device Enrollment Service certificates, LH_CA_ISSUE1, and then click Next.
10. On the Specify Registry Authority Information page, type ndes_1 in the RA name box. Under Country/region, select the check box for the country/region you are in, and then click Next.
11. On the Configure Cryptography page, accept the default values for the signature and encryption keys, and then click Next.
12. Review the summary of configuration options, and then click Install.

Step 10: Verifying that the Advanced AD CS Test Setup Functions Properly
You can verify the setup steps described previously as you perform them.
After the installation is complete, you should verify that your advanced test setup is functioning properly.

To verify that the advanced AD CS test setup functions properly
1. On the CA, configure several certificate templates to autoenroll certificates for LH_CLI1 and users on this computer.
2. When information about the new certificates has been published to AD DS, open a command prompt on the client computer and enter the following command to start certificate autoenrollment:
   certutil -pulse
3. On the client computer, use the Certificates snap-in to verify that the certificates have been issued to the user and to the computer, as appropriate.
4. On the CA, use the Certification Authority snap-in to view and revoke one or more of the issued certificates by clicking Certification Authority (Computer)/CA name/Issued Certificates and selecting the certificate you want to revoke. On the Action menu, point to All Tasks, and then click Revoke Certificate. Select the reason for revoking the certificate, and click Yes.
5. In the Certification Authority snap-in, publish a new CRL by clicking Certification Authority (Computer)/CA name/Revoked Certificates in the console tree. Then, on the Action menu, point to All Tasks, and click Publish.
6. Remove all CRL distribution point extensions from the issuing CA by opening the Certification Authority snap-in and then selecting the CA. On the Action menu, click Properties.
7. On the Extensions tab, confirm that Select extension is set to CRL Distribution Point (CDP).
8. Click any CRL distribution points that are listed, click Remove, and click OK.
9. Stop and restart AD CS.
10. Repeat steps 1 and 2 above, and then verify that clients can still obtain revocation data. To do this, use the Certificates snap-in to export the certificate to a file (*.cer). At a command prompt, type:
   certutil -url <exportedcert.cer>
11. In the Verify and Retrieve dialog box that appears, click From CDP and From OCSP and compare the results.
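The final check in steps 10 and 11, and the AIA configuration from Step 5 it depends on, can be done non-interactively from Windows PowerShell on LH_CLI1. This is an added example, not part of the Microsoft guide; it assumes the Online Responder URL http://LH_ORS1/ocsp configured in Step 5, the issuing CA name LH_CA_ISSUE1, and the certutil -verify -urlfetch switch in place of the Verify and Retrieve dialog.

```powershell
# Added check for Steps 5 and 10 (not from the Microsoft guide). Run in Windows PowerShell
# on LH_CLI1 after 'certutil -pulse'. Lists the AIA/CDP URLs in each certificate issued to
# this computer by LH_CA_ISSUE1, flags any that lack the Online Responder URL from Step 5,
# and lets certutil fetch revocation data from the advertised URLs.
$ExpectedOcspUrl = 'http://LH_ORS1/ocsp'   # location configured in Step 5
$AiaOid = '1.3.6.1.5.5.7.1.1'              # id-pe-authorityInfoAccess
$CdpOid = '2.5.29.31'                      # id-ce-cRLDistributionPoints

function Get-RevocationUrlReport {
    param([string]$StorePath = 'Cert:\LocalMachine\My', [string]$IssuerPattern = 'LH_CA_ISSUE1')
    Get-ChildItem $StorePath | Where-Object { $_.Issuer -match $IssuerPattern } | ForEach-Object {
        $cert = $_
        $aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq $AiaOid }
        $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq $CdpOid }
        $aiaText = if ($aia) { $aia.Format($false) } else { '' }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            HasOcspUrl = ($aiaText -match [regex]::Escape($ExpectedOcspUrl))
            # Certificates issued after steps 6-9 removed the CDP extension should show $false here,
            # so revocation checking for them can only succeed through the Online Responder.
            HasCdp     = [bool]$cdp
            AiaText    = $aiaText
        }
    }
}

function Test-RevocationFetch {
    # Exports one certificate and asks certutil to follow every AIA/CDP/OCSP URL it carries;
    # the OCSP lines correspond to the From OCSP result in step 11 of the guide.
    param([Parameter(Mandatory = $true)][string]$Thumbprint)
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $file = Join-Path $env:TEMP "$Thumbprint.cer"
    [IO.File]::WriteAllBytes($file, $cert.Export('Cert'))
    certutil -verify -urlfetch $file | Select-String -Pattern 'OCSP|CRL|Revocation|Verified'
}

$report = Get-RevocationUrlReport
$report | Format-Table Subject, HasOcspUrl, HasCdp -AutoSize
$report | Where-Object { -not $_.HasOcspUrl } | ForEach-Object {
    Write-Warning "$($_.Subject) has no $ExpectedOcspUrl in its AIA extension; it was issued before Step 5 took effect. Renew it and check again."
}
foreach ($entry in $report) { Test-RevocationFetch -Thumbprint $entry.Thumbprint }
```

A certificate revoked in step 4 should come back as revoked from the OCSP URL even though its CDP is gone; if certutil reports the OCSP fetch as failed, revisit the AIA settings of Step 5 and the revocation configuration of Step 8.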