2.18 Certificate Authority
2.18.1 Install AD CS as Standalone Root CA
1. Log on to CertRootSERVER with the Domain Administrator account.
You need local administrative credentials only, but for the purposes of this exercise, it is all right to use the domain administrator account. This server can be running Windows Server 2008 Standard Edition, Windows Server 2008 Enterprise Edition, or Windows Server 2008 Datacenter Edition.
2. Launch Server Manager from the Administrative Tools program group.
3. Right-click the Roles node in the tree pane and select Add Roles.
4. Review the Before You Begin information and click Next.
5. On the Select Server Roles page, select Active Directory Certificate Services and click Next.
6. On the Introduction to Active Directory Certificate Services page, click Next.
7. On the Select Role Services page, select Certification Authority and click Next.
Because this will be a root CA and you will take it offline as soon as you create the issuing CA, you do not assign any other role features or services.
8. On the Specify Setup Type page, select Standalone and click Next.
9. On the CA Type page, select Root CA and click Next.
10. On the Set Up Private Key page, select Create A New Private Key and click Next.
You need to create a new private key because you are creating a new root CA. However, if you were reinstalling a CA because of a system failure, you would use an existing key, one that was generated during the initial installation of the root CA. In addition, if you were creating a root CA to be chained with an external third-party CA, you would use the last option, to use the key provided by the third-party CA. You must install the key on the server before you begin the AD CS installation for the option to be available. Use the instructions provided by your third-party CA to install the certificate.
11. On the Configure Cryptography For CA page, select the suggested cryptographic service provider (CSP). Select a key character length of 2048. Select the sha1 hash algorithm for signing certificates issued by this CA. Also select Use Strong Private Key Protection Features Provided By This CSP.
There are several options on this page.
    • CSPs are the engines the Microsoft Crypto application programming interface (API) will use to generate the key pair for this root CA. CSPs can be either software or hardware based. For example, the RSA#Microsoft Software Key Storage Provider is software based, and the RSA#Microsoft Smart Card Key Storage Provider is hardware based.
    • Key character length determines the length of the keys in the pair. Four lengths are possible. Remember that the longer the key, the more processing the server will require for every operation that uses it.
    • Hash algorithms are used to produce and assign a hash value on the keys in the pair. Because they are assigned to the keys, any tampering with the key will change the hash value and invalidate the key. Hash values provide further key protection. The algorithm you select simply uses a different calculation method to generate the hash value. Note that SHA-1 is no longer considered adequate for certificate signatures; outside a lab such as this one, choose SHA-256 if your CSP and your relying parties support it.
    • The last option on the page provides further protection for the root CA because every use of the CA key will require administrative access and will work only at this level of access. You use this option to provide further protection for this root CA.
12. Click Next.
13. On the Configure CA Name page, type <Domain>-Root-CA, leave the distinguished name suffix as is, and click Next. You use this name because it will be embedded in every subordinate certificate issued by the chain.
14. On the Set Validity Period page, change the year value to 20 and click Next.
15. On the Configure Certificate Database page, specify the storage locations for the certificate database and the certificate database log. Because this is a root CA that should be taken offline and should be used only to generate certificates for the issuing CAs, you can place both on the D drive.
16. For the database location, click Browse, navigate to the D drive, click Make New Folder, and name it CertData. Click OK. For the logs, create a folder on the D drive and name it CertLogs. Click Next.
17. Review the information available on the AD CS page and click Install. When the installation completes, review the installation results and click Close.
Your root CA is installed.
Note: you will no longer be able to change the name of this server unless you uninstall AD CS first. This is one more reason for not using a server name in the CA name in step 13.
2.18.2 Install AD CS as Enterprise Issuing CA
1. Log on to CertIssueSERVER, using the domain Administrator account. This server can be running Windows Server 2008 Enterprise Edition or Windows Server 2008 Datacenter Edition.
2. Launch Server Manager from the Administrative Tools program group.
3. Right-click the Roles node and select Add Roles.
4. Review the Before You Begin information and click Next.
5. On the Select Server Roles page, select Active Directory Certificate Services and click Next.
6. On the Introduction to Active Directory Certificate Services page, review the information about the selected role and click Next.
7. On the Select Role Services page, select Certification Authority and Online Responder.
When you select Online Responder, the wizard will ask you to add the Web Server role with the required features. Click Add Required Role Services.
8. Click Next.
You do not select the CA Web Enrollment because this is an internal enterprise CA, and enterprise CAs rely on AD DS to distribute certificates to users and devices. If you were installing this CA in an external network, you might consider using Web Enrollment to enable users to request certificates from your CA.
You cannot choose the Network Device Enrollment Service (NDES) installation at this time because AD CS does not support installing a CA at the same time as you install NDES. If you want to install NDES, you must select Add Role Services from Server Manager after the CA installation has completed.
9. On the Specify Setup Type page, select Enterprise and click Next.
10. On the Specify CA Type page, select Subordinate CA and click Next.
11. On the Set Up Private Key page, select Create A New Private Key and click Next.
12. On the Configure Cryptography For CA page, accept the default values and click Next.
13. On the Configure CA Name page, type <Domain>-Issuing-CA01, leave the default distinguished name suffix as is, and click Next.
You use a valid name and a number because you should create additional issuing CAs for redundancy purposes.
14. On the Request Certificate From A Parent CA page, select Save A Certificate Request To File And Manually Send It Later To A Parent CA if the Root CA is no longer online.
15. Select Certificate Request Name from the File Name field and copy it to the clipboard, using Ctrl + C, and then click Browse and navigate to your Documents folder. Paste the name in the File Name field, using Ctrl + V; click Save, and then click Next.
16. On the Configure Certificate Database page, specify the storage locations for the certificate database and the certificate database log.
In a production environment, issuing CAs will be used heavily; this means you should place the data and the logs on different drives.
17. For the database location, click Browse, navigate to the D drive, click Make New Folder, and name it CertData. Click OK.
18. For the logs, create a folder on the E drive and name it CertLogs. Click Next when ready.
19. Review the installation of IIS. Click Next.
20. On the Web Server Role Services page, review the required services and click Next.
21. Review the information in the Confirm Installation Selections page and click Install. When the installation completes, review the installation results and click Close.
The subordinate CA setup is not usable until it has been issued a root CA certificate and this certificate has been used to complete the installation of this subordinate CA.
2.18.3 Obtain & Install Issuing CA Cert
1. On CertIssueSERVER, launch Windows Explorer and navigate to the C drive. Create a new folder and name it Temp.
2. Right-click the Temp folder and select Share.
3. In the File Sharing dialog box, select Everyone in the drop-down list, and then click Add.
4. In the Permission Level column, from the drop-down list, assign the Contributor role to Everyone and click Share.
5. Copy the certificate request you generated from your Documents folder to the Temp folder.
6. On CertRootSERVER, launch the Certification Authority console from the Administrative Tools program group.
7. In the Certification Authority console, right-click the root CA name in the tree pane, select All Tasks, and then choose Submit New Request.
8. In the Open Request File dialog box, move to the address bar and type \\CertIssueSERVER\Temp. When the folder opens, select the request, and then click Open.
9. Move to the Pending Requests node in the tree pane, right-click the pending request in the details pane to choose All Tasks, and then choose Issue.
10. Move to Issued Certificates in the tree pane, right-click the issued certificate in the details pane, and choose Open.
11. In the Certificate dialog box, choose the Details tab and click Copy To File at the bottom of the dialog box. This launches the Certificate Export Wizard.
12. Click Next.
13. Select Cryptographic Message Syntax Standard – PKCS #7 Certificates (P7B), select Include All Certificates In The Certification Path If Possible, and click Next.
There are several supported formats.
    • Distinguished Encoding Rules (DER) Encoded Binary X.509 is often used for computers that do not run the Windows operating system. This creates certificate files in the CER format.
    • Base-64 Encoded X.509 supports S/MIME, which is the format used to transfer secured e-mails over the Internet. On servers, it is usually used for non-Windows operating systems. This also creates certificate files in the CER format.
    • Cryptographic Message Syntax Standard (PKCS #7) is the format used to transfer certificates and their chained path from one computer to another. This format uses the P7B file format.
    • Personal Information Exchange (PKCS #12) is also used to transfer certificates and their chained path from one computer to another, but in addition, this format supports the transfer of the private key as well as the public key. Use this format with caution because transporting the private key can jeopardize it. This format uses the PFX file format.
    • Microsoft Serialized Certificate Store is a custom Microsoft format that should be used when you need to transfer root certificates from one computer to another. This uses the SST file format.
14. In the File To Export dialog box, click Browse and save the certificate in the \\CertIssueSERVER\Temp folder. Name it Issuing-CA01.p7b and click Save.
15. Click Next when you return to the wizard.
16. Review your settings and click Finish.
17. Click OK when the wizard tells you that the export was successful. Return to CertIssueSERVER. Remember that, normally, you would use a removable device to transport this certificate from one server to another.
18. Go to Server Manager and select <Domain>-Issuing-CA01 in the tree pane (Server Manager\Roles\Active Directory Certificate Services\<Domain>-Issuing-CA01).
19. Right-click Contoso-Issuing-CA01, select All Tasks, and then choose Install CA Certificate.
20. Move to the C:\Temp folder, select the certificate, and click Open.
21. This imports the certificate and enables the server.
22. Right-click the server name, select All Tasks, and then choose Start Service.
Your issuing CA is ready to issue certificates. At this point, you should really take CertRootSERVER offline, but because this is a test environment and you need to conserve CPU usage and disk space, keep it running.
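The same hand-off can be scripted with certreq and certutil, which is how it is usually done when the root really is offline and the files travel on removable media instead of through an Everyone-writable share. The script below is an added example, not part of the original guide: it assumes the request was saved as Issuing-CA01.req and carried to the root CA on a drive mounted as E:, that the root CA's configuration string is CertRootSERVER\Contoso-Root-CA (a placeholder following this guide's <Domain>-Root-CA naming), and that each half is run in an elevated PowerShell session on the server named in its comment.

```powershell
# Added example (not from the original guide): command-line equivalent of
# steps 5-22, split into the part run on the root CA and the part run on the
# issuing CA. Paths and the CA configuration string are assumptions.

# ---------------- On CertRootSERVER (standalone root) ----------------
$rootCA  = 'CertRootSERVER\Contoso-Root-CA'   # <host>\<CA name>
$request = 'E:\Issuing-CA01.req'               # request copied from the issuing CA

# A standalone CA holds the request in Pending Requests; certreq prints its RequestId.
# An output file is always given so that certreq never opens a Save As dialog.
$out = & certreq -submit -config $rootCA $request 'E:\Issuing-CA01.cer'
$m   = $out | Select-String 'RequestId:\s*"?(\d+)' | Select-Object -First 1
if (-not $m) { throw "certreq did not return a RequestId:`n$($out -join "`n")" }
$id  = $m.Matches[0].Groups[1].Value

# Issue the pending request (console: Pending Requests > All Tasks > Issue).
& certutil -config $rootCA -resubmit $id | Out-Null
if ($LASTEXITCODE -ne 0) { throw "issuing request $id failed (exit $LASTEXITCODE)" }

# Retrieve the certificate and, as the second file, the PKCS #7 chain
# (equivalent to the P7B export with "Include All Certificates" in step 13).
& certreq -retrieve -f -config $rootCA $id 'E:\Issuing-CA01.cer' 'E:\Issuing-CA01.p7b'

# ---------------- On CertIssueSERVER (after moving the media back) ----------------
# If this server does not yet trust the root, publish the root certificate to
# AD DS first (root.cer exported from the root CA):
#   certutil -dspublish -f E:\root.cer RootCA
& certutil -installcert 'E:\Issuing-CA01.p7b'   # step 19-21: install the CA certificate
if ($LASTEXITCODE -ne 0) { throw "certutil -installcert failed (exit $LASTEXITCODE)" }
Start-Service certsvc                            # step 22: start the service

# Confirm the CA is running and its certificate chains to the root.
Get-Service certsvc | Select-Object Name, Status
& certutil -verify 'E:\Issuing-CA01.cer' | Select-String 'Certificate is valid|Verifies against'
```

The request id is parsed from certreq's output rather than typed by hand so the script fails loudly if the submission did not land in the pending queue, for example because the root CA is configured to issue automatically.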
2.18.4 Create Revocation Config for CA
Creating a Revocation Configuration for a CA
Revocation is one of the only vehicles available to you to control certificates when they are misused or when you need to cancel deployed certificates. This is one reason your revocation configuration should be completed before you begin to issue certificates.
To create a revocation configuration, perform the following actions:
1. Specify Certificate Revocation List (CRL) distribution points.
2. Configure CRL and Delta CRL overlap periods.
3. Schedule the publication of CRLs.
1. Begin with the CRL distribution point. Revocation configurations are performed in the Certification Authority console.
    1. Log on to an issuing CA with a domain account that has local administrative rights.
    2. Launch the Certification Authority console from the Administrative Tools program group.
    3. Right-click the issuing CA name and select Properties.
    4. In the Properties dialog box, click the Extensions tab and verify that the Select Extension drop-down list is set to CRL Distribution Point (CDP). Also make sure that the Publish CRLs To This Location and the Publish Delta CRLs To This Location check boxes are selected.
    5. Click OK.
    If you made any changes to the CA's configuration, you will be prompted to stop and restart the AD CS service. Click Yes to do so.
2. Configure CRL and Delta CRL overlap periods. This is performed with the Certutil.exe command.
    1. On the issuing CA, open an elevated command prompt and execute the following commands:
    certutil -setreg ca\CRLOverlapUnits value
    certutil -setreg ca\CRLOverlapPeriod units
    certutil -setreg ca\CRLDeltaOverlapUnits value
    certutil -setreg ca\CRLDeltaOverlapPeriod units
    Value is the value you want to use to set the overlap period, and units is minutes, hours, or days. For example, you could set the CRL overlap period to 24 hours and the Delta CRL overlap period to 12 hours. For this, you would use the following commands:
    certutil -setreg ca\CRLOverlapUnits 24
    certutil -setreg ca\CRLOverlapPeriod hours
    certutil -setreg ca\CRLDeltaOverlapUnits 12
    certutil -setreg ca\CRLDeltaOverlapPeriod hours
    2. Go to the Certification Authority console and right-click the issuing CA server name to stop and restart the service.
3. Configure the publication of the CRLs.
    1. In the Certification Authority console, expand the console tree below the issuing CA server name.
    2. Right-click Revoked Certificates and select Properties.
    3. On the CRL Publishing Parameters tab, configure the CRL and Delta CRL publication periods.
    By default, both values are set to one week and one day, respectively. If you expect to have a high throughput of certificates and need to ensure high availability of the CRLs, decrease both values. If not, keep the default values. You can also view existing CRLs on the View CRLs tab.
    4. Click OK. Your revocation configuration is complete.
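Steps 2 and 3 above both end up as registry values under the CA's CertSvc\Configuration key, and the overlap and publication periods only make sense in relation to each other. The script below is an added example, not part of the original guide: it sets the section's example overlap values together with the default publication periods through certutil -setreg, checks that no overlap is longer than the period it extends, restarts AD CS, publishes fresh CRLs and dumps the resulting dates so you can see the overlap in the CRL itself. It assumes an elevated PowerShell session on the issuing CA and the default CertEnroll folder for published CRLs.

```powershell
# Added example (not from the original guide): set, verify and observe the CRL
# publication and overlap periods from this section on the issuing CA.
# certutil -setreg ca\<name> writes to
# HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>.
$cfg = @{
    CRLPeriodUnits       = 1;  CRLPeriod             = 'weeks'   # base CRL publication period (default)
    CRLDeltaPeriodUnits  = 1;  CRLDeltaPeriod        = 'days'    # delta CRL publication period (default)
    CRLOverlapUnits      = 24; CRLOverlapPeriod      = 'hours'   # base CRL overlap (this section's example)
    CRLDeltaOverlapUnits = 12; CRLDeltaOverlapPeriod = 'hours'   # delta CRL overlap (this section's example)
}

function ConvertTo-Hours([int]$Units, [string]$Period) {
    # Months and years are calendar-dependent, so they are left unchecked ($null).
    switch ($Period.ToLower()) {
        'minutes' { $Units / 60 }
        'hours'   { $Units }
        'days'    { $Units * 24 }
        'weeks'   { $Units * 24 * 7 }
        default   { $null }
    }
}

function Test-Overlap($UnitsKey, $PeriodKey, $OverlapUnitsKey, $OverlapPeriodKey) {
    # An overlap longer than the publication period it extends would mean every
    # CRL is superseded before its overlap window even begins.
    $period  = ConvertTo-Hours $cfg[$UnitsKey]        $cfg[$PeriodKey]
    $overlap = ConvertTo-Hours $cfg[$OverlapUnitsKey] $cfg[$OverlapPeriodKey]
    if ($period -and $overlap -gt $period) { throw "$OverlapUnitsKey exceeds $UnitsKey" }
}
Test-Overlap 'CRLPeriodUnits'      'CRLPeriod'      'CRLOverlapUnits'      'CRLOverlapPeriod'
Test-Overlap 'CRLDeltaPeriodUnits' 'CRLDeltaPeriod' 'CRLDeltaOverlapUnits' 'CRLDeltaOverlapPeriod'

foreach ($name in $cfg.Keys) {
    & certutil -setreg "ca\$name" $cfg[$name] | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg ca\$name failed (exit $LASTEXITCODE)" }
}

# Registry changes take effect only after the service restarts (console: stop/start).
Restart-Service certsvc

# Publish new base and delta CRLs and show what clients will see:
#   Next CRL Publish = This Update + publication period (when the CA publishes again)
#   Next Update      = Next CRL Publish + overlap (how long clients keep trusting this CRL)
# The difference is the window that covers replication of the next CRL.
& certutil -crl | Out-Null
$crlDir = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'
Get-ChildItem $crlDir -Filter *.crl | ForEach-Object {
    "--- $($_.Name)"
    & certutil -dump $_.FullName | Select-String 'This Update|Next Update|Next CRL Publish'
}
```

Reading the dates back from the published CRL is the check that matters: clients never see the registry values, only This Update, Next Update and Next CRL Publish.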
2.18.5 Prepare & Install NDES Feature
Prepare to Install the NDES Feature
Now, you will install the NDES feature. Again, this task is performed on CertIssueSERVER, but you must use CertRootSERVER to create a user account first.
1. Log on to CertRootSERVER, using the domain Administrator account.
2. Launch Active Directory Users And Computers from the Administrative Tools program group.
3. Create the following OU structure: Contoso.com\Admins\Service Identities.
4. Right-click Service Identities, choose New, and then select User.
5. Name the user NDESService and use this name for both the logon and the pre-Windows 2000 logon names. Click Next.
6. Assign a strong password. Clear User Must Change Password At Next Logon and select Password Never Expires.
7. Click Next, and then Finish to create the account.
8. Return to CertIssueSERVER and log on as the domain Administrator.
9. Launch Server Manager from the Administrative Tools program group.
10. Expand Configuration\Local Users and Groups\Groups.
11. Double-click the IIS_IUSRS group.
12. Add the NDESService account to this group and click OK.
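Steps 3 to 12 can be done from the command line with the directory service tools that ship with Windows Server 2008, which is handy when the same service account has to be created in more than one lab domain. The script below is an added example, not part of the original guide: it assumes the domain is contoso.com as in step 3, that the first part runs on a server with the AD DS tools installed (CertRootSERVER here) and the second part on CertIssueSERVER, both in elevated PowerShell sessions.

```powershell
# Added example (not from the original guide): create the NDES service account
# (steps 3-7) with dsadd and add it to IIS_IUSRS (steps 10-12) with net.
# Domain and OU names are this guide's values; adjust them for your domain.
$domainDn = 'DC=contoso,DC=com'
$ou       = "OU=Service Identities,OU=Admins,$domainDn"
$userDn   = "CN=NDESService,$ou"

# ---------------- On CertRootSERVER (has the AD DS tools) ----------------
# Create the OU path; dsadd ou fails on an existing OU, so check first
# (dsquery * <DN> -scope base prints the DN only if the object exists).
foreach ($dn in "OU=Admins,$domainDn", $ou) {
    if (-not (& dsquery * $dn -scope base 2>$null)) {
        & dsadd ou $dn | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "could not create $dn" }
    }
}

# Create the user: same logon and pre-Windows 2000 name, password prompted by
# dsadd (-pwd *), no forced change at next logon, password never expires.
& dsadd user $userDn -samid NDESService -upn "NDESService@contoso.com" `
    -display 'NDES Service' -pwd * -mustchpwd no -pwdneverexpires yes -disabled no
if ($LASTEXITCODE -ne 0) { throw 'dsadd user failed' }

# ---------------- On CertIssueSERVER ----------------
& net localgroup IIS_IUSRS CONTOSO\NDESService /add | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'adding NDESService to IIS_IUSRS failed' }
& net localgroup IIS_IUSRS          # verify the membership
```

Because dsadd prompts for the password, it never appears in the command history or in the process command line, which is the reason for `-pwd *` rather than passing the password as an argument.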
Now you're ready to install the NDES service.
Install the NDES Service
1. On CertIssueSERVER, right-click Active Directory Certificate Services in the tree pane of Server Manager and select Add Role Services.
2. On the Select Role Services page, select Network Device Enrollment Service. This will require the addition of Windows Authentication to your IIS installation.
3. Click Add Required Role Services and click Next.
4. On the Specify User Account page, click Select User, enter NDESService with its password, and click OK. Click Next.
5. On the Specify Registration Authority Information page, you need to enter the information for your registration authority, the authority that will assign and manage certificates assigned to network devices. Type <Domain>-MSCEP-RA01, select your country from the drop-down list, and fill in all other information. Click Next.
6. On the Configure Cryptography For Registration Authority page, keep the defaults and click Next.
Keep in mind that key length affects CPU usage; therefore, unless you have stringent security requirements, keep the 2048 key length.
7. Review the information about the installation of IIS. Click Next.
8. On the Web Server Role Services page, review the required services and click Next.
9. On the Confirm Installation Selections page, click Install.
10. Review the status and progress of the installation.
11. Click Close.
Your NDES service is now installed and ready to work. Your installation of the issuing server is complete.
2.18.6 Config Online Responders
To finalize the configuration of an online responder, you must:
    • configure and install an OCSP Response Signing certificate,
    • configure an Authority Information Access extension to support it,
    • assign the template to a CA, and then
    • enroll the system to obtain the certificate.
Configure the OCSP Response Signing Certificate
1. Log on to an issuing CA server, using a domain account with local administrative access rights.
2. In Server Manager, expand Roles\Active Directory Certificate Services\Certificate Templates (servername).
3. Right-click the OCSP Response Signing template and click Duplicate Template. Select a Windows Server 2008 Enterprise Edition template and click OK.
4. Type a valid name for the new template, for example, OCSP Response Signing WS08.
5. Select the Publish Certificate In Active Directory check box.
6. On the Security tab, under Group Or User Names, click Add, click Object Types to enable the Computer object type, and click OK.
7. Type the name and click Check Names or browse to find the computer that hosts the online responder. Click OK.
8. Click the computer name and then, in the Permissions section of the dialog box, select the Allow: Read, Enroll, and Autoenroll options.
9. Click OK to create the duplicate template.
Your certificate template is ready.
Now you must configure the Authority Information Access (AIA) Extension to support the OR.
1. Log on to an issuing CA, using a domain account with local administrative credentials.
2. Launch Server Manager from the Administrative Tools program group.
3. Expand Roles\Active Directory Certificate Services\Issuing CA servername.
4. In the Actions pane, select Properties.
5. Click the Extensions tab, click the Select Extension drop-down list, and then click Authority Information Access (AIA).
6. Specify the locations to obtain certificate revocation data. In this case, select the location beginning with HTTP:// (http://localhost).
7. Select the Include In The AIA Extension Of Issued Certificates and the Include In The Online Certificate Status Protocol (OCSP) Extension check boxes.
8. Click OK to apply the changes. Note that you must stop and restart the AD CS service because of the change.
9. Click Yes at the suggested dialog box.
10. Now move to the Certificate Templates node under the issuing CA name and right-click it, select New, and then choose Certificate Template To Issue.
11. In the Enable Certificate Templates dialog box, select the new OCSP Response Signing template you created earlier and click OK. The new template should appear in the details pane.
12. To assign the template to the server, reboot it.
You now need to verify that the OCSP certificate has been assigned to the server. You do so with the Certificates snap-in. By default, this snap-in is not in a console. You must create a new console to use it.
13. Open the Start menu, type mmc in the search box, and press Enter.
14. In the MMC, select Add/Remove Snap-in from the File menu to open the Add Or Remove Snap-ins dialog box.
15. Select the Certificates snap-in and click Add.
16. Select Computer Account and click Next.
17. Select Local Computer and click Finish.
18. Click OK to close the Add Or Remove Snap-ins dialog box.
19. Select Save from the File menu to save the console and place it in your Documents folder. Name the console Computer Certificates and click Save.
20. Expand Certificates\Personal\Certificates and verify that it contains the new OCSP certificate.
21. If the certificate is not there, install it manually by right-clicking Certificates under Personal, choosing All Tasks, and then selecting Request New Certificate.
22. On the Certificate Enrollment page, click Next.
23. Select the new OCSP certificate and click Enroll.
24. On the next page, click the down arrow to the right of Details, and then click View Certificate. Browse through the tabs to view the certificate details. Click OK.
25. Click Finish to complete this part of the operation.
26. Right-click the certificate, choose All Tasks, and then select Manage Private Keys.
27. On the Security tab, under Group Or User Names, click Add.
28. In the Select Users, Computers, or Groups dialog box, click Locations and select the local server name. Click OK.
29. Type Network Service and click Check Names.
30. Click OK.
31. Click Network Service, and then, in the Permissions section of the dialog box, select Allow: Full Control.
32. Click OK to close the dialog box.
Your OR is ready to provide certificate validation information.
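The two things steps 20 and 26 to 32 establish, that the signing certificate is present and that the responder's service identity can use its key, are exactly what breaks silently when the template is changed or the certificate renews. The script below is an added example, not part of the original guide: it finds OCSP Response Signing certificates in the computer's Personal store by their id-kp-OCSPSigning extended key usage (1.3.6.1.5.5.7.3.9), locates each private key file through certutil so that both legacy CSP keys and CNG (Key Storage Provider) keys are covered, and reports whether NETWORK SERVICE holds Full Control on it. It assumes an elevated PowerShell session on the online responder.

```powershell
# Added example (not from the original guide): verify the OCSP signing
# certificate and its private key permissions on the online responder.
$ocspSigningEku = '1.3.6.1.5.5.7.3.9'   # id-kp-OCSPSigning

function Get-OcspSigningCertificate {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $ext = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ext -and ($ext.EnhancedKeyUsages | Where-Object { $_.Value -eq $ocspSigningEku })
    }
}

function Get-PrivateKeyFile([string]$Thumbprint) {
    # certutil -store -v reports the key container for CSP and CNG keys alike.
    $line = & certutil -store -v My $Thumbprint |
            Select-String 'Unique container name:\s*(\S+)' | Select-Object -First 1
    if (-not $line) { return $null }
    $name = $line.Matches[0].Groups[1].Value
    # Legacy CSP keys live under RSA\MachineKeys, CNG machine keys under Crypto\Keys.
    foreach ($dir in 'Microsoft\Crypto\RSA\MachineKeys', 'Microsoft\Crypto\Keys') {
        $path = Join-Path $env:ProgramData "$dir\$name"
        if (Test-Path $path) { return $path }
    }
    $null
}

function Test-NetworkServiceKeyAccess([string]$Thumbprint) {
    # Manage Private Keys (steps 26-32) edits the ACL of this key file.
    $keyFile = Get-PrivateKeyFile $Thumbprint
    if (-not $keyFile) { return 'private key file not found' }
    $rule = (Get-Acl $keyFile).Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\NETWORK SERVICE' -and
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights.ToString() -match 'FullControl' }
    if ($rule) { 'NETWORK SERVICE: Full Control' }
    else       { "NETWORK SERVICE lacks Full Control on $keyFile" }
}

$certs = @(Get-OcspSigningCertificate)
if ($certs.Count -eq 0) {
    'No OCSP Response Signing certificate in LocalMachine\My; enroll manually (step 21) or run certutil -pulse.'
} else {
    foreach ($c in $certs) {
        '{0}  expires {1:yyyy-MM-dd}  {2}' -f $c.Thumbprint, $c.NotAfter,
            (Test-NetworkServiceKeyAccess $c.Thumbprint)
    }
}
```

The expiry column is worth keeping in the output: the signing certificate is issued from a template with a short validity, so a responder that worked at setup can stop signing when the certificate expires and autoenrollment has not replaced it.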
2.18.7 Add Revocation Config for OR
When the OR is ready, add a revocation configuration.
Because each CA that is an OR in an array includes its own certificate, each also requires a revocation configuration. The revocation configuration will serve requests for specific CA key pairs and certificates. In addition, you need to update the revocation configuration for a CA each time you renew its key pair.
To create a Revocation Configuration, perform the following steps:
1. Log on to an issuing CA, using a domain account that has local administrative rights.
2. Launch Server Manager from the Administrative Tools program group.
3. Expand Roles\Active Directory Certificate Services\Online Responder\Revocation Configuration.
4. Right-click Revocation Configuration and choose Add Revocation Configuration.
5. Click Next at the Welcome page.
6. On the Name The Revocation Configuration page, assign a valid name.
Because each revocation configuration is tied to a particular CA, it makes sense to include the CA's name in the name of the configuration, for example, RCCertIssueSERVER01.
7. Click Next.
8. On the Select CA Certificate Location page, identify where the certificate can be loaded from. You can choose from Active Directory, from a local certificate store, or from a file.
9. Choose Select A Certificate For An Existing Enterprise CA and click Next. Now, the OR must validate that the issuer of the certificate, in this case, the root CA, has a valid certificate. Two choices are possible: Active Directory or Computer Name.
10. Because your root CA is offline, choose Active Directory and click Browse.
11. Locate the certificate for the root CA and click OK. After the certificate is selected, the wizard will load the Online Responder signing templates.
12. Click Next.
On the Select A Signing Certificate page, you must select a signing method because the OR signs each response to clients before it sends it. Three choices are available:
    • Automatic selection will load a certificate from the OCSP template you created earlier.
    • Manually, you can choose the certificate to use.
    • CA Certificate uses the certificate from the CA itself.
13. Choose Automatically Select A Signing Certificate and select Auto-Enroll for an OCSP signing certificate.
14. Browse for a CA and select the issuing CA. Click OK. This should automatically select the template you prepared earlier.
15. Click Next. Now the wizard will initialize the revocation provider. If, for some reason, it cannot find it, you will need to add the provider manually.
16. Click Provider, and then click Add under Base CRLs. For example, you could use the following HTTP address: http://localhost/ca.crl.
17. Click OK. Repeat this step for the Delta CRLs and use the same HTTP address. Click OK.
However, because you are obtaining the certificate from Active Directory, the listed provider will be an address in ldap:// format and should be provided automatically by the wizard. AD CS relies on Lightweight Directory Access Protocol (LDAP) to obtain information from the AD DS directory store.
18. Click Finish to complete the revocation configuration.
You should now have a new revocation configuration listed in the details pane. Repeat this procedure for each CA that is an OR.
2.18.8 Config & Personalize Cert Templates & Setup AutoEnrollment
Configuring and Personalizing Certificate Templates
Certificate templates are used to generate the certificates you will use in your AD CS configuration. Enterprise CAs use version 2 and 3 templates. These templates are configurable and enable you to personalize them. To prepare templates for various uses:
    • you must first configure each template you intend to use and,
    • after each is configured, deploy each to your CAs.
    • After templates are deployed, you can use them to issue certificates.
Begin by identifying which templates you want to use, and then move on to the procedure.
1. Log on to an issuing CA, using domain administrative credentials.
2. Launch Server Manager from the Administrative Tools program group.
3. Expand Roles\Active Directory Certificate Services\Certificate Templates (servername).
4. Note that all the existing templates are listed in the details pane.
IMPORTANT Upgrading certificate authorities
If you are upgrading an existing CA infrastructure to Windows Server 2008, the first time you log on to a new server running AD CS, you will be prompted to update the existing certificate templates. Answer Yes to do so. This upgrades all templates to Windows Server 2008 versions.
5. Note that you are connected to a DC by default. To work with templates, you must be connected to a DC so that the templates can be published to AD DS.
6. If you are not connected, use the Connect To Another Writable Domain Controller command in the Action pane to do so. You are ready to create the templates you require.
7. Select the source template, right-click the template to select Duplicate Template, and select the version of Windows Server to support. This should always be Windows Server 2008 unless you are running in a mixed PKI hierarchy.
8. Name the new template, customize it, and save the customizations.
Customize templates according to the following guidelines:
    • To create an EFS template, select the Basic EFS template as the source, duplicate it for Windows Server 2008, and name it. Use a valid name, for example, Basic EFS WS08, and then move through the property tabs to customize its content. Pay particular attention to key archival on the Request Handling tab and make sure you select the Archive Subject Encryption Private Key check box. Also, use encryption to send the key to the CA. Archival storage of the private key enables you to protect it if the user ever loses it. You can also use the Subject Name tab to add information such as Alternate Subject Name values. Click OK.
    • If you plan to use EFS, you must also create an EFS Recovery Agent template. Duplicate it for Windows Server 2008. Name it with a valid name such as EFS Recovery Agent WS08. Publish the recovery agent certificate in Active Directory. Note that the recovery agent certificate is valid for a much longer period than the EFS certificate itself. Also, use the same settings on the other property tabs as you assigned to the Basic EFS duplicate.
    • If you plan to use wireless networks, create a Network Policy Server (NPS) template for use with your systems. Basically, you create the template and configure it for autoenrollment. Then, the next time the NPS servers in your network update their Group Policy settings, they will be assigned new certificates. Use the RAS and IAS Server template as the source for your new NPS template. Duplicate it for Windows Server 2008. Name it appropriately, for example, NPS Server WS08. Publish it in Active Directory. Move to the Security tab to select the RAS and IAS Servers group to assign the Autoenroll as well as the Enroll permissions. Review other tabs as needed and save the new template.
    • If you want to use smart card logons, create duplicates of the Smartcard Logon and Smartcard User templates. Set the duplicates for Windows Server 2008. Name them appropriately and publish them in Active Directory. You do not use Autoenrollment for these certificates because you need to use smart card enrollment stations to distribute the smart cards themselves to the users.
    • If you want to protect Web servers or DCs, create duplicates of the Web Server and Domain Controller Authentication templates. Do not use the Domain Controller template; it is designed for earlier versions of the operating system. Duplicate them for Windows Server 2008, publish them in Active Directory, and verify their other properties.
NOTE Configuring duplicate templates
The configuration of each template type often includes additional activities that are not necessarily tied to AD CS. Make sure you view the AD CS online help to review the activities associated with the publication of each certificate type.
Now that your templates are ready, you must issue the templates to enable the CA to issue certificates based on these personalized templates.
9. In Server Manager, expand Roles\Active Directory Certificate Services\Issuing CA Name\Certificate Templates.
10. To issue a template, right-click Certificate Templates, choose New, and then select Certificate Template To Issue.
11. In the Enable Certificate Templates dialog box, use Ctrl + click to select all the templates you want to issue, and then click OK.

Now you're ready to configure enrollment. This is done through Group Policy. You can choose either to create a new Group Policy for this purpose or to modify an existing Group Policy object. This policy must be assigned to all members of the domain; therefore, the Default Domain Policy might be your best choice or, if you do not want to modify this policy, create a new policy and assign it to the entire domain. You use the Group Policy Management Console (GPMC) to do so.
1. Log on to a DC, and then launch Group Policy Management from the Administrative Tools program group.
2. Locate or create the appropriate policy and right-click it to choose Edit.
3. To assign autoenrollment for Computers, expand Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
4. Double-click Certificate Services Client – Auto-Enrollment.
5. Enable the policy and select the Renew Expired Certificates, Update Pending Certificates, And Remove Revoked Certificates check box.
6. Select the Update Certificates That Use Certificate Templates check box if you have already issued some certificates manually for this purpose. Click OK to assign these settings.
7. To assign autoenrollment for Users, expand User Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
8. Enable the policy and select the same options as for computers.
9. Notice that you can enable Expiration Notification for users. Enable it and set an appropriate value. This will notify users when their certificates are about to expire.
10. Click OK to assign these settings.
IMPORTANT Computer and User Group Policy settings
Normally, you should not apply both user and computer settings in the same Group Policy object. This is done here only to illustrate the settings you need to apply to enable autoenrollment.
11. Close the GPMC.
12. Return to the issuing CA and move to Server Manager to set the default action your issuing CA will use when it receives certificate requests.
13. Right-click the issuing CA server name under AD CS and choose Properties.
14. Click the Policy Module tab and click the Properties button.
15. To have certificates issued automatically, select Follow The Settings In The Certificate Template, If Applicable. Otherwise, Automatically Issue The Certificate. Click OK. (You can use this setting to turn off autoenrollment temporarily.)
16. Click OK once again to close the Properties dialog box. Your issuing CA is now ready for production and will begin to issue certificates automatically when they are requested either by devices or by users.
2.18.9 Protecting AD CS Configuration (Backup & Restore)
To back up the CA, use the following operations.
1. Launch the Certification Authority Backup Wizard by right-clicking the CA under Server Manager \Active Directory Certificate Services and choosing Back Up CA... When the Backup Wizard appears, click Next.
2. On the Items To Back Up page, select the items you want to back up.
    • The Private Key And CA Certificate option will protect the certificate for this server.
    • The Certificate Database And Certificate Database Log option will protect the certificates this CA manages. You can also perform incremental database backups.
3. Identify the location to back up to.
For example, you could create the backup on a file share on a central server. Keep in mind, however, that you are backing up highly sensitive data and transporting it over the network, which might not be the best solution. A better choice might be to back up to a local folder and then copy the backup to removable media.
4. Identify the location and click Next. Note that the target location must be empty.
5. Assign a strong password to the backup. Click Next.
6. Review the information and click Finish. The wizard performs the backup. Protect the backup media thoroughly because it contains very sensitive information.
You can also perform automated backups through the command line with the Certutil.exe command with the appropriate switches to back up and restore the database.
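The Certutil.exe route mentioned above, as an added PowerShell example that is not part of the original procedure. It assumes it runs on the CA itself with local administrative rights; the backup root folder is an assumption, and the password is prompted for rather than stored in the script.

```powershell
# Added example (not from the procedure): back up the CA key, certificate and database with
# certutil.exe into a fresh local folder, capture the CA's registry configuration alongside,
# verify the artefacts, and restrict who can read the folder before it goes to removable media.
$BackupRoot = 'C:\CABackup'          # assumption: a local folder, not a network share (see the text)

# certutil -backup requires an empty target, so create a new timestamped folder each run.
$target = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $target -Force | Out-Null

# The password protects the exported private key (the .p12); prompt for it, never hard-code it.
$secure = Read-Host -Prompt 'Password to protect the CA key backup' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# -backup writes <CAName>.p12 (private key + CA certificate) and DataBase\ (EDB + logs).
# Use -backupDB for a database-only backup; append "Incremental" for an incremental one.
& certutil.exe -p $plain -backup $target
$plain = $null
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }

# The wizard does not capture the CA's registry settings (CDP/AIA URLs, policy module,
# validity periods); export them too so a restore can reproduce the full configuration.
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
    (Join-Path $target 'CertSvc-Configuration.reg') /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "registry export failed with exit code $LASTEXITCODE" }

# Verify what was written before trusting this backup.
$p12 = Get-ChildItem -Path $target -Filter '*.p12' -ErrorAction SilentlyContinue
$edb = Get-ChildItem -Path (Join-Path $target 'DataBase') -Filter '*.edb' -ErrorAction SilentlyContinue
if (-not $p12 -or -not $edb) { throw "Backup in $target is incomplete (missing .p12 or .edb)" }

# The folder now holds the CA's private key: restrict it to Administrators and SYSTEM only.
$acl = Get-Acl -Path $target
$acl.SetAccessRuleProtection($true, $false)      # stop inheriting and drop inherited entries
foreach ($principal in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $target -AclObject $acl

Write-Host "CA backup written to $target; copy it to removable media and protect the password."
```

The matching restore is certutil.exe -restore (or -restoreKey / -restoreDB) pointed at the same folder, run with the CA service stopped, exactly as the Restore Wizard below requires.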
To restore information, use the Certification Authority Restore Wizard.
When you request a restore operation by right-clicking the server name, selecting All Tasks, and choosing Restore CA, the wizard will immediately prompt you to stop the CA service before the restore operation can begin. Click OK. After the service is stopped, the Welcome page of the wizard appears.
1. Click Next.
2. Select the items you want to restore. You can restore the private key and the CA certificate as well as the database and log. Choose the items to restore.
3. Type the location of the backup files or click Browse to locate the backup data. Click Next.
4. Type the password to open the backup and click Next.
5. Verify your settings and click Finish. After the restore operation is complete, the wizard will offer to restart the AD CS service.
6. Click Yes. Verify the operation of your CA after the restore is complete.
2.18.10 Correct AD CS Implementation w/ Enterprise PKI
In this exercise, you will rely on Enterprise PKI to identify and then correct configuration issues with your AD CS implementation. This exercise will help you see the value of working with Enterprise PKI.
1. Make sure that DCSERVER, CertRootSERVER, and CertIssueSERVER are running.
2. Log on to CertIssueSERVER, using the domain Administrator account.
3. Launch Server Manager from the Administrative Tools program group.
4. Expand Roles \Active Directory Certificate Services \Enterprise PKI \<Domain>-Root-CA \<Domain>-Issuing-CA. Click <Domain>-Issuing-CA and note the errors.
Errors exist in your configuration. If you navigate to the Contoso-Root-CA, you will see that this CA also includes errors according to Enterprise PKI. These errors refer to the Web-based download locations for the CRL Distribution Point and for the AIA. These errors appear because they refer to locations that do not exist. These locations must be created manually in IIS. However, because you are using an AD DS-integrated AD CS deployment, you do not need to add Web-based download locations even if they are indicated by default in the configuration of AD CS. In an AD DS-integrated deployment, the directory service is responsible for AIA and CRL distribution, and, because this service is highly available, no secondary location is required. In fact, you need to add secondary locations only if you want to make them available to mobile or external users who are outside your internal network. If you do so, your URLs will need to be available externally.
5. Click <Domain>-Root-CA under the Enterprise PKI node and select Manage CA.
This launches the Certification Authority standalone console with a focus on the root CA. Remember that Server Manager can work with the local server only. Therefore, you need to use the standalone console.
6. Right-click <Domain>-Root-CA and select Properties.
7. Click the Extensions tab and verify that CRL Distribution Point (CDP) is selected in the drop-down list.
8. Select http://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl in the locations section of the dialog box and clear Include In CRLs. Clients Use This To Find Delta CRL Locations as well as Include In The CDP Extension Of Issued Certificates.
9. Select Authority Information Access (AIA) from the drop-down list.
10. Select http://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CaName><Certificate-Name>.crt and clear Include In The AIA Extension Of Issued Certificates. Click OK to apply your changes.
AD CS automatically points to a CertEnroll virtual directory under the default Web site as the Web-based CDP. However, the installation process for AD CS does not create this virtual directory by default. In addition, because this is a root CA, it does not host IIS and will be taken offline. Pointing to a nonexistent Web server as a CDP location is not good practice, and this location must be removed from the CA's configuration; otherwise, it will be embedded in the certificates it issues.
11. Because you modified the configuration of the AD CS server, the console will ask you to restart AD CS on this server. Click Yes.
12. Close the Certificate Authority console and return to Enterprise PKI in Server Manager.
13. On the toolbar, click the Refresh button to update Enterprise PKI. Note that though there are no longer location errors for the root CA, there are still errors under the issuing CA.
You are ready to correct the errors in the issuing CA.
1. Right-click <Domain>-Issuing-CA under AD CS in Server Manager and select Properties. In this case, you can use Server Manager because <Domain>-Issuing-CA is the local computer.
2. Click the Extensions tab and verify that CRL Distribution Point (CDP) is selected in the drop-down list.
3. Select http://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl in the locations section of the dialog box and clear Include In CRLs. Clients Use This To Find Delta CRL Locations as well as Include In The CDP Extension Of Issued Certificates.
4. Select Authority Information Access (AIA) from the drop-down list.
5. Select http://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CaName><Certificate-Name>.crt and clear Include In The AIA Extension Of Issued Certificates. Click OK to apply your changes.
Once again, AD CS automatically points to a CertEnroll virtual directory under the default Web site as the Web-based CDP. However, the installation process for AD CS does not create this virtual directory by default. If you need to provide Web support for CRLs, even if this is only an internal deployment, you would need to create the virtual directory in IIS. However, in this case, it is not required. Also, as a best practice, you do not remove the HTTP location. If you need to add it later, the proper format for the URL will already be there, and you will need to recheck only the appropriate options.
6. Because you modified the configuration of the AD CS server, the console will ask you to restart AD CS on this server. Click Yes.
7. Return to Enterprise PKI in Server Manager.
8. On the toolbar, click the Refresh button to update Enterprise PKI.
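The registry change behind the Extensions-tab steps above (steps 8 and 10 for the root CA, steps 3 and 5 for the issuing CA), as an added PowerShell example that is not part of the original exercise. It assumes it runs on the CA itself with local administrative rights; the bit values are the CSURL_* flags AD CS stores in front of each URL, and the before/after values in the comments are those of a default installation.

```powershell
# Added example (not from the exercise): clear the "Include in ..." bits on the HTTP CDP and
# AIA entries, which is what the Extensions tab does when you clear those check boxes.
# AD CS stores each location as "<flags>:<URL>" in a REG_MULTI_SZ; the bits are the CSURL_*
# values. CDP: 1 publish CRLs here, 2 include in the CDP extension of issued certificates,
# 4 include in CRLs (delta CRL lookup), 8 include in all CRLs, 64 publish delta CRLs here.
# AIA: 1 publish the CA certificate here, 2 include in the AIA extension of issued
# certificates, 32 include in the OCSP extension (the bit set in 2.18.16 Step 3).
$CdpIncludeInCrls  = 4    # "Include in CRLs. Clients use this to find Delta CRL locations"
$CdpIncludeInCerts = 2    # "Include in the CDP extension of issued certificates"
$AiaIncludeInCerts = 2    # "Include in the AIA extension of issued certificates"

function Clear-HttpLocationFlags {
    # Returns a copy of $Locations with the bits in $Mask cleared on http:// entries only.
    # LDAP and file entries (the AD DS-integrated locations) are returned unchanged, and the
    # HTTP URL itself is kept so the correct format is still there if Web publishing is
    # enabled later (matching the "do not remove the HTTP location" advice above).
    param([string[]]$Locations, [int]$Mask)
    foreach ($entry in $Locations) {
        $flags, $url = $entry -split ':', 2
        if ($url -like 'http://*') {
            '{0}:{1}' -f (([int]$flags) -band (-bnot $Mask)), $url
        } else {
            $entry
        }
    }
}

$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $configKey -Name Active).Active   # name of the local CA
$caKey     = Join-Path $configKey $caName

$cdp = (Get-ItemProperty -Path $caKey -Name CRLPublicationURLs).CRLPublicationURLs
$aia = (Get-ItemProperty -Path $caKey -Name CACertPublicationURLs).CACertPublicationURLs

$newCdp = Clear-HttpLocationFlags -Locations $cdp -Mask ($CdpIncludeInCrls -bor $CdpIncludeInCerts)
$newAia = Clear-HttpLocationFlags -Locations $aia -Mask $AiaIncludeInCerts

# Show what will change. On a default install the HTTP CDP entry goes from
# "6:http://%1/CertEnroll/%3%8%9.crl" to "0:http://%1/CertEnroll/%3%8%9.crl" and the HTTP
# AIA entry from "2:http://%1/CertEnroll/%1_%3%4.crt" to "0:http://%1/CertEnroll/%1_%3%4.crt".
Write-Host "CDP before: $($cdp -join ' | ')"
Write-Host "CDP after : $($newCdp -join ' | ')"
Write-Host "AIA before: $($aia -join ' | ')"
Write-Host "AIA after : $($newAia -join ' | ')"

Set-ItemProperty -Path $caKey -Name CRLPublicationURLs    -Value ([string[]]$newCdp)
Set-ItemProperty -Path $caKey -Name CACertPublicationURLs -Value ([string[]]$newAia)

# As with the console, the new values are read only when the CA service restarts; from then
# on, issued certificates no longer carry the nonexistent Web locations.
Restart-Service -Name CertSvc
```

Certificates issued before the restart still carry the old URLs, which is why the exercise refreshes Enterprise PKI afterwards to see which errors remain.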
Note that there is now only one error under the issuing CA. This error stems from the original self-signed certificate that was generated during installation of this CA. This certificate is superseded by the certificate that was issued by the root CA. Because of this, you must revoke the original certificate.
9. To finalize your configuration, move to <Domain>-Issuing-CA under AD CS and select Issued Certificates. This will list all certificates issued by this CA in the details pane.
10. Locate the first certificate. It should be of the CA Exchange type. The certificate type is listed under the Certificate Template column in the details pane.
11. Right-click this certificate, select All Tasks, and then click Revoke Certificate.
12. In the Certificate Revocation dialog box, select Superseded from the drop-down list, verify the date, and click OK.
When you revoke the certificate, it is automatically moved to the Revoked Certificates folder and is no longer valid. However, because you have newly revoked a certificate, you must update the revocation list.
13. Right-click the Revoked Certificates node, choose All Tasks, and then select Publish.
14. In the Publish CRL dialog box, select New CRL and click OK.
15. Return to Enterprise PKI and click the Refresh button. There should no longer be any errors in the Enterprise PKI view.
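Steps 11 to 14 above from the command line, as an added PowerShell example that is not part of the original exercise: revoke the superseded certificate by serial number, publish a new base CRL, and then confirm that the CRL file AD CS wrote actually lists it. It assumes it runs on the issuing CA, that the serial number was read from the Issued Certificates pane, and that the CRL is published to the default CertEnroll file location.

```powershell
# Added example (not from the exercise): revoke a superseded certificate and publish a fresh
# CRL with certutil.exe, then verify that the published CRL actually lists it.
param(
    # Serial number as shown in the Issued Certificates pane (hex; spaces are allowed).
    [Parameter(Mandatory = $true)][string]$SerialNumber
)

# CRLReason values (RFC 5280): 0 unspecified, 1 keyCompromise, 2 cACompromise,
# 3 affiliationChanged, 4 superseded, 5 cessationOfOperation, 6 certificateHold.
$Superseded = 4
$serial = $SerialNumber -replace '\s', ''

& certutil.exe -revoke $serial $Superseded
if ($LASTEXITCODE -ne 0) { throw "certutil -revoke failed with exit code $LASTEXITCODE" }

# Revocation only moves the entry to Revoked Certificates in the CA database. Relying parties
# learn of it from the CRL, so publish a new one now instead of waiting for the scheduled
# publication (this is the console's Revoked Certificates > All Tasks > Publish > New CRL).
& certutil.exe -CRL
if ($LASTEXITCODE -ne 0) { throw "certutil -CRL failed with exit code $LASTEXITCODE" }

# The base CRL is written to the file location in CRLPublicationURLs; on a default install
# that is %SystemRoot%\System32\CertSrv\CertEnroll\<CAName>.crl (assumed here).
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $configKey -Name Active).Active
$crlPath   = Join-Path $env:SystemRoot "System32\CertSrv\CertEnroll\$caName.crl"

# certutil -dump decodes the CRL; look for the serial among its revoked entries, ignoring
# the whitespace certutil may insert between byte pairs.
$dump = (& certutil.exe -dump $crlPath) -join "`n"
if (($dump -replace '\s', '') -imatch [regex]::Escape($serial)) {
    Write-Host "Serial $serial is listed in $crlPath"
} else {
    throw "Serial $serial not found in $crlPath; check the CRL publication settings"
}
```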
You will need to perform these activities in your network when you implement AD CS; otherwise, your Enterprise PKI views will always display errors.
2.18.11 Create Duplicate Certificate Template for EFS
You will create a duplicate certificate template to enable EFS and publish it so that it can use autoenrollment, and then use EFS to protect the system data.
1. Make sure DCSERVER and CertIssueSERVER are both running.
2. Log on to CertIssueSERVER, using the domain Administrator account.
3. Launch Server Manager from the Administrative Tools program group.
4. Expand Roles \Active Directory Certificate Services \Certificate Templates (servername).
Note that all the existing templates are listed in the details pane.
Note also that you are connected to a DC (DCSERVER) by default. To work with templates, you must be connected to a DC so that the templates can be published to AD DS. If you are not connected, you must use the Connect To Another Writable Domain Controller command in the action pane to do so.
5. Select the Basic EFS template in the details pane, right-click it, and select Duplicate Template.
6. Select the version of Windows Server to support (in this case, Windows Server 2008) and click OK.
7. Name the template Basic EFS WS08 and set the following options. Leave all other options as is.
    • On the Request Handling tab, select the Archive Subject's Encryption Private Key and the Use Advanced Symmetric Algorithm To Send The Key To The CA check boxes. Archival storage of the private key enables you to protect it if the user loses it.
    • On the Subject Name tab, add information to the Alternate Subject Name values. Select the E-mail Name and User Principal Name (UPN) check boxes.
8. Click OK.
9. Right-click the EFS Recovery Agent template and choose Duplicate Template.
10. Select the version of Windows Server to support (in this case, Windows Server 2008) and click OK.
11. Name the template EFS Recovery Agent WS08 and set the following options. Leave all other options as is.
    • On the General tab, select the Publish Certificate In Active Directory check box. Note that the recovery agent certificate is valid for a much longer period than is the EFS certificate itself.
    • On the Request Handling tab, make sure you select the Archive Subject's Encryption Private Key and the Use Advanced Symmetric Algorithm To Send The Key To The CA check boxes. Archival storage of the private key enables you to protect it if the user loses it.
    • On the Subject Name tab, add information to the Alternate Subject Name values. Select the E-mail Name and User Principal Name (UPN) check boxes.
12. Click OK.
13. In Server Manager, expand Roles \Active Directory Certificate Services \Issuing CA Name \Certificate Templates.
14. To issue a template, right-click Certificate Templates, choose New, and then select Certificate Template To Issue.
15. In the Enable Certificate Templates dialog box, use Ctrl + click to select both Basic EFS WS08 and EFS Recovery Agent WS08 and click OK.
Your templates are ready.
2.18.12 Configure Autoenrollment
This exercise uses the Default Domain Policy for simplicity, but in your environment, you should create a custom policy for this purpose and for all other custom settings you need to apply at the entire domain level.
1. Move to DCSERVER and log on as a domain administrator.
2. Launch Group Policy Management from the Administrative Tools program group.
3. Expand all the nodes to locate the Default Domain Policy. Right-click it and choose Edit.
4. To assign autoenrollment for computers, expand Computer Configuration \Policies \Windows Settings \Security Settings \Public Key Policies.
5. Double-click Certificate Services Client – Auto-Enrollment.
6. Enable the policy and select the Renew Expired Certificates, Update Pending Certificates, And Remove Revoked Certificates check box.
7. Enable Expiration Notification For Users and leave the value at 10%. This will notify users when their certificates are about to expire.
8. Click OK to assign these settings.
9. Close the GPMC. Your policy is ready.
2.18.13 Enable CA to Issue Certs
1. Return to CertIssueSERVER and log on, using the domain Administrator account.
2. Move to Server Manager.
3. Right-click the issuing CA server name under AD CS, <Domain>-Issuing-CA01, and choose Properties.
4. Click the Policy Module tab and click the Properties button.
5. To have certificates issued automatically, select Follow The Settings In The Certificate Template, If Applicable. Otherwise, Automatically Issue The Certificate. Click OK. Click OK once again to close the Properties dialog box.
Your issuing CA is now ready for production and will begin to issue EFS certificates automatically when they are requested either by your users or by computers.
2.18.14 PKI Design Facts
As you design a PKI solution, be aware of the following:
  • A root CA is the first CA in the hierarchy. The root CA has a self-signed certificate, and is often offline to protect the CA from compromise. The root CA typically does not issue certificates to end users or computers (unless the PKI structure is very small).
  • A subordinate CA is a CA authorized by the root CA to issue certificates to other CAs or to users or computers. The subordinate CA gets its certificate from the root CA. You add subordinate CAs to your hierarchy to distribute the workload of issuing certificates, or to designate specific CAs to issue certificates for specific uses.
  • Computers must trust the issuing CA (or the root CA in the PKI hierarchy). To configure a client computer to trust a CA, you can:
    • Import the CA certificate into the Trusted Root store.
    • Use Group Policy to automatically import the CA certificate. When you use Active Directory Certificate Services (AD CS), clients in your network are automatically configured to trust your internal CAs.
    • Use a certificate issued by a public PKI (such as VeriSign). By default, computers are already configured to trust well-known CAs.
  • You can use Active Directory Certificate Services (AD CS) to create your own PKI. Servers running AD CS issue certificates to users and computers. When you install AD CS on a server, you choose one (or more) of the following role services:

Role Service: Certification Authority
Description: Add the Certification Authority role service to configure the server as a root or subordinate CA that can issue certificates to other CAs or to users and computers.

Role Service: Certification Authority Web Enrollment
Description: Add the Certification Authority Web Enrollment role service to allow users to connect to a CA through a Web browser and perform common tasks, such as requesting certificates, requesting the CA's certificate, and retrieving the CRL.

Role Service: Online Responder
Description: The Microsoft Online Responder service makes it possible to configure and manage Online Certificate Status Protocol (OCSP) validation and revocation checking in Windows-based networks. OCSP allows a relying party (i.e., a client) to submit a certificate status request to an online responder (also called an OCSP responder). The OCSP responder returns to the client a definitive, digitally signed response indicating the certificate status. Use the Online Responder service to:
  • Create a central location for certificate revocations. The online responder can maintain revocation lists for multiple CAs, giving clients a single location to check for the status of a certificate.
  • Allow clients to check the status of a single certificate. With OCSP, clients no longer need to download the entire CRL.
  • Shorten the time that revoked certificates are known by clients. Without OCSP, clients periodically download the CRL and will not check for an updated CRL until the current one expires. With OCSP, individual certificates are validated with the online responder server.
The Online Responder can be added to a server that is a CA. However, Microsoft recommends that you add the Online Responder role to a server that is not a CA. The online responder must be running the Windows Server 2008 Enterprise or Datacenter edition.

Role Service: Network Device Enrollment Service (NDES)
Description: The Network Device Enrollment Service makes it possible for software running on network devices such as routers and switches (which cannot otherwise be authenticated on the network) to request certificates from a CA. The following process is used to obtain certificates for non-Microsoft devices:
  1. On the network device, run the device's utility to generate a certificate request.
  2. Submit the certificate request to a Windows server running the Network Device Enrollment Service. This server is called a registration authority (RA).
  3. The RA submits the certificate request to a CA.
  4. The CA issues the certificate and returns it to the RA.
  5. On the network device, import the certificate received from the RA.
The registration authority must be running the Windows Server 2008 Enterprise or Datacenter edition.
  • If you are using an enterprise CA, it is recommended to install the NDES service on a server other than the CA.
  • If you are using a standalone CA, it is recommended to install the NDES service on the CA.

  • When you configure a server as a CA, you designate the CA as a root or subordinate CA. In addition, you configure the CA type as either a standalone or enterprise CA. The following comparison lists the features of each type:

Standalone CA:
  • Certificates must be manually approved
  • Does not use Active Directory for issuing or approving certificates
  • Can be installed by a local Administrator
  • Certificates can be requested manually or through Web enrollment pages

Enterprise CA:
  • Certificates can be manually or automatically approved
  • Requires Active Directory
  • Can only be installed by an Enterprise Admin
  • Certificates can be requested manually, through Web enrollment pages, automatically, or through other wizards integrated in management tools
  • Additional features provided by an enterprise CA include:
    • Certificate templates
    • Autoenrollment

  • In addition to OCSP and NDES, installing a CA on a server running Windows Server 2008 provides support for version 3 certificates. Version 3 certificates add support for Suite B encryption. Suite B is a set of standards applying to integrity, encryption, key exchange, and digital signatures specified by the National Security Agency (NSA). Suite B protocols are FIPS-compliant, meaning they adhere to the guidelines and standards of the Federal Information Processing Standards (FIPS) body. Suite B capabilities add support for:
    • SHA-2 hashing (SHA-256 (256 bits) and SHA-384)
    • The Advanced Encryption Standard (AES) (AES-GMAC-128, 192, and 256 for data integrity; AES-GCM-128, 192, and 256 for data integrity and encryption)
    • Elliptic Curve Cryptography (ECC) (ECDSA P-256 and P-384 signing for certificates used for authentication)

Version 3 certificates can only be issued by CAs running Windows Server 2008, and can only be used by computers running Windows Vista or Windows Server 2008.
2.18.15 CA Implementation Facts
As you implement a PKI using Active Directory Certificate Services, be aware of the following:
    • Most PKI infrastructure designs use multiple CAs with varying configurations and roles. Two common designs are as follows:

Configuration: Offline standalone root CA with online enterprise subordinate CAs
Description: If you are designing your own PKI for internal use, you will typically have at least two CAs:
      • The root CA is offline to protect the CA. Because it is offline, it is configured as a standalone CA.
      • One or more online enterprise subordinate CAs are configured to support certificate templates and autoenrollment.

Configuration: Internal PKI for internal certificates and a third-party CA for external certificates
Description: Using an internal PKI for certificates is often less expensive than obtaining all certificates from a third-party CA. However, even if you have your own internal PKI, you will likely need to obtain some certificates from a third-party CA for those certificates that are used by the public.
      • Configure the internal PKI to issue certificates to users and for signing software that is only used internally.
      • Obtain third-party certificates for signing code that is made available to the public or for validating the identity of public servers (such as a public Web server).

    • With autoenrollment, certificates can be requested, issued, or renewed without user intervention. Autoenrollment requires the following:
      • An enterprise CA. Because the enterprise CA uses Active Directory, the CA must be a domain member with access to Active Directory.
      • Windows XP or higher clients.
      • Version 2 certificates. You can copy a version 1 certificate to make a version 2 certificate.
      • Grant the following permissions to the certificate template: Read, Enroll, and Autoenroll.
      • Enable autoenrollment in Group Policy. Autoenrollment can be enabled for users or computers, and applies to the users or computers based on where the GPO is linked.
    • Use key archival to save a copy of the private key. With key archival:
      • The CA encrypts and stores the key for a version 2 or 3 certificate template. After the client generates the key pair, it encrypts the private key and sends it back to the CA. The CA verifies the private key, reencrypts it, and archives it.
      • You define one or more Key Recovery Agents. These are users who are able to restore the archived keys in case they are lost.
      • You can only implement key archival if all your clients are Windows XP/2000 or later. Key archival only works with version 2 or 3 templates and with enterprise CAs to which the Windows Server 2003 schema extensions have been applied.
    • The policy module on the CA determines whether certificate requests are approved automatically or whether they must be approved manually.
      • By default, manual approval is required on standalone CAs, while automatic approval is allowed on enterprise CAs.
      • Each certificate template also has a policy module that overrides the CA policy module. Modify the certificate template policy module to specify a custom approval method for the certificate type.
    • The CRL Distribution Point (CDP) identifies locations where the CRL is published.
    • The Authority Information Access (AIA) extension list identifies locations where the CA certificate is published. Client computers use this information to retrieve the certificate for a CA if the CA is offline.
    • A CA manager has the Manage CA permission and can modify the configuration of a CA. A certificate manager has the Issue and Manage Certificates permission and can approve or revoke certificates on the CA.
    • When deploying smart cards, designate an enrollment agent. An enrollment agent is someone who can request certificates on behalf of another user.
      • The enrollment agent manages smart cards, using a special workstation, called an enrollment station, with a smart card reader to initialize the smart card and request a certificate for the user, which is then saved on the smart card.
      • You can use the Identity Lifecycle Manager tool to simplify managing certificates used by smart cards.
    • Windows Server 2008 includes the Enterprise PKI snap-in (PKIView) that lets you view the arrangement of CAs within your PKI and check the status of the CA certificate as well as the availability of AIA and CDP locations for each CA.
2.18.16 TechNet - Enterprise Root CA Steps
Windows Server Active Directory Certificate Services Step-by-Step Guide
Using the Active Directory Certificate Services option of the Add Roles Wizard, you can set up the following components of AD CS:
      • Certification authorities (CAs). Root and subordinate CAs are used to issue certificates to users, computers, and services, and to manage their validity.
      • CA Web enrollment. Web enrollment allows users to connect to a CA by means of a Web browser in order to:
        • Request certificates and review certificate requests.
        • Retrieve certificate revocation lists (CRLs).
        • Perform smart card certificate enrollment.
      • Online Responder service. The Online Responder service implements the Online Certificate Status Protocol (OCSP) by decoding revocation status requests for specific certificates, evaluating the status of these certificates, and sending back a signed response containing the requested certificate status information.
      • Network Device Enrollment Service. The Network Device Enrollment Service allows routers and other network devices to obtain certificates based on the Simple Certificate Enrollment Protocol (SCEP) from Cisco Systems Inc.
Note
SCEP was developed to support the secure, scalable issuance of certificates to network devices by using existing CAs. The protocol supports CA and registration authority public key distribution, certificate enrollment, certificate revocation, certificate queries, and certificate revocation queries.
Requirements for Using AD CS
CAs can be set up on servers running a variety of operating systems, including Windows 2000 Server, Windows Server 2003, and Windows Server 2008. However, not all operating systems support all features or design requirements, and creating an optimal design requires careful planning and lab testing before you deploy AD CS in a production environment. Although you can deploy AD CS with as little hardware as a single server for a single CA, many deployments involve multiple servers configured as root, policy, and issuing CAs, and other servers configured as Online Responders.
The following table lists the AD CS components that can be configured on different editions of Windows Server 2008.

Components                          Web   Standard   Enterprise   Datacenter
CA                                  No    Yes        Yes          Yes
Network Device Enrollment Service   No    No         Yes          Yes
Online Responder service            No    No         Yes          Yes

The following features are available on servers running Windows Server 2008 that have been configured as CAs.

AD CS features                                  Web   Standard   Enterprise   Datacenter
Version 2 and version 3 certificate templates   No    No         Yes          Yes
Key archival                                    No    No         Yes          Yes
Role separation                                 No    No         Yes          Yes
Certificate Manager restrictions                No    No         Yes          Yes
Delegated enrollment agent restrictions         No    No         Yes          Yes

    • Step 1: Setting Up an Enterprise Root CA
    • Step 2: Installing the Online Responder
    • Step 3: Configuring the CA to Issue OCSP Response Signing Certificates
    • Step 4: Creating a Revocation Configuration
    • Step 5: Verifying that the AD CS Lab Setup Functions Properly
Step 1: Setting Upan Enterprise Root CA
An enterprise root CA is the anchor oftrust for the basic lab setup. It will be used to issuecertificates to the Online Responder and  client computer, andto publish certificate information to Active Directory DomainServices (AD DS).
Note
Enterprise CAs and Online Responders canonly be installed on servers running Windows Server 2008 Enterpriseor Windows  Server 2008 Datacenter.
To set up an enterprise rootCA
1.   Log on to LH_PKI1 as adomain administrator.
2.   Click Start,point to Administrative Tools,and then click ServerManager.
3.   In the RolesSummary section, click Add roles.
4.   On the SelectServer Roles page, select the Active Directory CertificateServices check box. Click Next two times.
5.   On the Select RoleServices page, select the Certification Authority checkbox,and then click Next.
6.   On the SpecifySetup Type page, click Enterprise,and then clickNext.
7.   On the Specify CAType page, click Root CA, and then clickNext.
8.   On the Set UpPrivate Key and Configure Cryptography for CA pages, youcan configure optional configuration settings,  includingcryptographic service providers. However, for basic testingpurposes, accept the default values by clicking Next twice.
9.   In the Common namefor this CA box, type the common name of the CA,RootCA1, and then click Next.
10.  On the Set theCertificate Validity Period page, accept the default validityduration for the root CA, and then click Next.
11.  On the ConfigureCertificate Database page, accept the default values or specifyother storage locations for the certificate  database and thecertificate database log, and then click Next.
12.  After verifying the informationon the Confirm Installation Options page, clickInstall.
13.     Review theinformation on the confirmation screen to verify that theinstallation was successful.
Step 2: Installingthe Online Responder
An Online Responder can be installed on any computer running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter. The certificate revocation data can come from a CA on a computer running Windows Server 2008, a CA on a computer running Windows Server 2003, or from a non-Microsoft CA.
Note
IIS must also be installed on this computer before the Online Responder can be installed.
To install the Online Responder
1. Log on to LH_PKI1 as a domain administrator.
2. Click Start, point to Administrative Tools, and then click Server Manager.
3. Click Manage Roles. In the Active Directory Certificate Services section, click Add role services.
4. On the Select Role Services page, select the Online Responder check box.
You are prompted to install IIS and Windows Activation Service.
5. Click Add Required Role Services, and then click Next three times.
6. On the Confirm Installation Options page, click Install.
7. When the installation is complete, review the status page to verify that the installation was successful.
Step 3: Configuring the CA to Issue OCSP Response Signing Certificates
Configuring a CA to support Online Responder services involves configuring certificate templates and issuance properties for OCSP Response Signing certificates, and then completing additional steps on the CA to support the Online Responder and certificate issuance.
Note
These certificate template and autoenrollment steps can also be used to configure certificates that you want to issue to a client computer or to client computer users.
To configure certificate templates for your test environment
1. Log on to LH_PKI1 as a CA administrator.
2. Open the Certificate Templates snap-in.
3. Right-click the OCSP Response Signing template, and then click Duplicate Template.
4. Type a new name for the duplicated template, such as OCSP Response Signing_2.
5. Right-click the OCSP Response Signing_2 certificate template, and then click Properties.
6. Click the Security tab. Under Group or user name, click Add, and then type the name or browse to select the computer hosting the Online Responder service.
7. Click the computer name, LH_PKI1, and in the Permissions dialog box, select the Read and Autoenroll check boxes.
8. While you have the Certificate Templates snap-in open, you can configure certificate templates for users and computers by substituting the desired templates in step 3 and repeating steps 4 through 7 to configure permissions for LH_CLI1 and your test user accounts.
To configure the CA to support Online Responders, you need to use the Certification Authority snap-in to complete two key steps:
  • Add the location of the Online Responder to the authority information access extension of issued certificates.
  • Enable the certificate templates that you configured in the previous procedure for the CA.
To configure a CA to support the Online Responder service
1. Open the Certification Authority snap-in.
2. In the console tree, click the name of the CA.
3. On the Action menu, click Properties.
4. Click the Extensions tab. In the Select extension list, click Authority Information Access (AIA).
5. Select the Include in the AIA extension of issued certificates and Include in the online certificate status protocol (OCSP) extension check boxes.
6. Specify the locations from which users can obtain certificate revocation data; for this setup, the location is http://LH_PKI1/ocsp.
7. In the console tree of the Certification Authority snap-in, right-click Certificate Templates, and then click New Certificate Templates to Issue.
8. In Enable Certificate Templates, select the OCSP Response Signing template and any other certificate templates that you configured previously, and then click OK.
9. Open Certificate Templates, and verify that the modified certificate templates appear in the list.
Step 4: Creating a Revocation Configuration
A revocation configuration includes all of the settings that are needed to respond to status requests regarding certificates that have been issued by using a specific CA key.
These configuration settings include the CA certificate, the signing certificate for the Online Responder, and the locations to which clients are directed to send their status requests.
Important
Before you create a revocation configuration, ensure that certificate enrollment has taken place so that a signing certificate exists on the computer, and adjust the permissions on the signing certificate to allow the Online Responder to use it.
To verify that the signing certificate is properly configured
1. Start or restart LH_PKI1 to enroll for certificates.
2. Log on as a CA administrator.
3. Open the Certificates snap-in for the computer account. Open the Personal certificate store for the computer, and verify that it contains a certificate titled OCSP Response Signing.
4. Right-click this certificate, and then click Manage Private Keys.
5. Click the Security tab. In the User Group or user name dialog box, click Add, add Network Service to the Group or user name list, and then click OK.
6. Click Network Service, and in the Permissions dialog box, select the Full Control check box.
7. Click OK twice.
Creating a revocation configuration involves the following tasks:
  • Identify the CA certificate for the CA that supports the Online Responder.
  • Identify the CRL distribution point for the CA.
  • Select a signing certificate that will be used to sign revocation status responses.
  • Select a revocation provider, the component responsible for retrieving and caching the revocation information used by the Online Responder.
To create a revocation configuration
1. Open the Online Responder snap-in.
2. In the Actions pane, click Add Revocation Configuration to start the Add Revocation Configuration wizard, and then click Next.
3. On the Name the Revocation Configuration page, type a name for the revocation configuration, such as LH_RC1, and then click Next.
4. On the Select CA Certificate Location page, click Select a certificate from an existing enterprise CA, and then click Next.
5. On the following page, the name of the CA, LH_PKI1, should appear in the Browse CA certificates published in Active Directory box.
  • If it appears, click the name of the CA that you want to associate with your revocation configuration, and then click Next.
  • If it does not appear, click Browse for CA Computer and type the name of the computer hosting LH_PKI1, or click Browse to locate this computer. When you have located the computer, click Next.
Note
You might also be able to link to the CA certificate from the local certificate store, or by importing it from removable media in step 4.
6. View the certificate and copy the CRL distribution point for the parent root CA, RootCA1. To do this:
   a. Open the Certificate Services snap-in. Select an issued certificate.
   b. Double-click the certificate, and then click the Details tab.
   c. Scroll down and select the CRL Distribution Points field.
   d. Select and copy the URL for the CRL distribution point that you want to use.
   e. Click OK.
7. On the Select Signing Certificate page, accept the default option, Automatically select signing certificate, and then click Next.
8. On the Revocation Provider page, click Provider.
9. On the Revocation Provider Properties page, click Add, enter the URL of the CRL distribution point, and then click OK.
10. Click Finish.
11. Using the Online Responder snap-in, select the revocation configuration, and then examine the status information to verify that it is functioning properly. You should also be able to examine the properties of the signing certificate to verify that the Online Responder is configured properly.
Step 5: Verifying that the AD CS Lab Setup Functions Properly
You can verify the setup steps described previously as you perform them.
After the installation is complete, you should verify that your basic test setup is functioning properly by confirming that you can autoenroll certificates, revoke certificates, and make accurate revocation data available from the Online Responder.
To verify that the AD CS test setup functions properly
1. On the CA, configure several certificate templates to autoenroll certificates for LH_CLI1 and users on this computer.
2. When information about the new certificates has been published to AD DS, open a command prompt on the client computer and enter the following command to start certificate autoenrollment:
certutil -pulse
3. On LH_CLI1, use the Certificates snap-in to verify that the certificates have been issued to the user and to the computer, as appropriate.
4. On the CA, use the Certification Authority snap-in to view and revoke one or more of the issued certificates by clicking Certification Authority (Computer)/CA name/Issued Certificates and selecting the certificate you want to revoke. On the Action menu, point to All Tasks, and then click Revoke Certificate. Select the reason for revoking the certificate, and click Yes.
5. In the Certification Authority snap-in, publish a new CRL by clicking Certification Authority (Computer)/CA name/Revoked Certificates in the console tree. Then, on the Action menu, point to All Tasks, and click Publish.
6. Remove all CRL distribution point extensions from the issuing CA by opening the Certification Authority snap-in and then selecting the CA. On the Action menu, click Properties.
7. On the Extensions tab, confirm that Select extension is set to CRL Distribution Point (CDP).
8. Click any CRL distribution points that are listed, click Remove, and then click OK.
9. Stop and restart AD CS.
10. Repeat steps 1 and 2 above, and then verify that clients can still obtain revocation data. To do this, use the Certificates snap-in to export the certificate to a file (*.cer). At a command prompt, type:
certutil -url <exportedcert.cer>
11. In the Verify and Retrieve dialog box that appears, click From CDP and From OCSP and compare the results.
2.18.17 TechNet - Root/Sub CA Steps
AD CS Advanced Lab Scenario
The following sections describe how you can set up a lab to evaluate more features of AD CS than in the basic lab setup.
Steps for Setting Up an Advanced Lab
To test additional features of AD CS in a lab environment, you will need five computers running Windows Server 2008 and one client computer running Windows Vista. The computers for this guide are named as follows:
  • LH_DC1: This computer will be the domain controller for your test environment.
  • LH_CA_ROOT1: This computer will host a stand-alone root CA for the test environment.
  • LH_CA_ISSUE1: This enterprise CA will be subordinate to LH_CA_ROOT1 and issue client certificates for the Online Responder and client computers.
Note
Enterprise CAs and Online Responders can only be installed on servers running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter.
  • LH_ORS1: This server will host the Online Responder.
  • LH_NDES: This server will host the Network Device Enrollment Service, which makes it possible to issue and manage certificates for routers and other network devices.
  • LH_CLI1: This client computer running Windows Vista will autoenroll for certificates from LH_CA_ISSUE1 and verify certificate status from LH_ORS1.
To configure the advanced lab setup for AD CS, you need to complete the following prerequisite steps:
1. Set up a domain controller on LH_DC1 for contoso.com, including some OUs to contain one or more users for LH_CLI1, client computers in the domain, and the servers hosting CAs and Online Responders.
2. Install Windows Server 2008 on the other servers in the test configuration and join them to the domain.
3. Install Windows Vista on LH_CLI1, and join LH_CLI1 to contoso.com.
After you have completed these preliminary setup procedures, you can begin to complete the following steps:
  • Step 1: Setting Up the Stand-Alone Root CA
  • Step 2: Setting Up the Enterprise Subordinate Issuing CA
  • Step 3: Installing and Configuring the Online Responder
  • Step 4: Configuring the Issuing CA to Issue OCSP Response Signing Certificates
  • Step 5: Configuring the Authority Information Access Extension to Support the Online Responder
  • Step 6: Assigning the OCSP Response Signing Template to a CA
  • Step 7: Enrolling for an OCSP Response Signing Certificate
  • Step 8: Creating a Revocation Configuration
  • Step 9: Setting Up and Configuring the Network Device Enrollment Service
  • Step 10: Verifying that the Advanced AD CS Test Setup Functions Properly
Step 1: Setting Up the Stand-Alone Root CA
A stand-alone root CA is the anchor of trust for the basic lab setup. It will be used to issue certificates to the subordinate issuing CA. Because it is critical to the security of the public key infrastructure (PKI), in many PKIs this CA is online only when needed to issue certificates to subordinate CAs.
To set up a stand-alone root CA
1. Log on to LH_CA_ROOT1 as an administrator.
2. Start the Add Roles Wizard. On the Select Server Roles page, select the Active Directory Certificate Services check box, and then click Next two times.
3. On the Select Role Services page, select the Certification Authority check box, and then click Next.
4. On the Specify Setup Type page, click Standalone, and then click Next.
5. On the Specify CA Type page, click Root CA, and then click Next.
6. On the Set Up Private Key and Configure Cryptography for CA pages, you can configure optional settings, including cryptographic service providers. However, for basic testing purposes, accept the default values by clicking Next twice.
7. In the Common name for this CA box, type the common name of the CA, RootCA1, and then click Next.
8. On the Set the Certificate Validity Period page, accept the default validity duration for the root CA, and then click Next.
9. On the Configure Certificate Database page, accept the default values or specify other storage locations for the certificate database and the certificate database log, and then click Next.
10. After verifying the information on the Confirm Installation Options page, click Install.
Step 2: Setting Up the Enterprise Subordinate Issuing CA
Most organizations use at least one subordinate CA to protect the root CA from unnecessary exposure. An enterprise CA also allows you to use certificate templates and to use AD DS for enrollment and for publishing certificates.
To set up an enterprise subordinate issuing CA
1. Log on to LH_CA_ISSUE1 as a domain administrator.
2. Start the Add Roles Wizard. On the Select Server Roles page, select the Active Directory Certificate Services check box, and then click Next two times.
3. On the Select Role Services page, select the Certification Authority check box, and then click Next.
4. On the Specify Setup Type page, click Enterprise, and then click Next.
5. On the Specify CA Type page, click Subordinate CA, and then click Next.
6. On the Set Up Private Key and Configure Cryptography for CA pages, you can configure optional settings, including cryptographic service providers. However, for basic testing purposes, accept the default values by clicking Next twice.
7. On the Request Certificate page, browse to locate LH_CA_ROOT1 or, if the root CA is not connected to the network, save the certificate request to a file so that it can be processed later. Click Next.
The subordinate CA will not be usable until it has been issued a root CA certificate and this certificate has been used to complete the installation of the subordinate CA.
8. In the Common name for this CA box, type the common name of the CA, LH_CA_ISSUE1.
9. On the Set the Certificate Validity Period page, accept the default validity duration for the CA, and then click Next.
10. On the Configure Certificate Database page, accept the default values or specify other storage locations for the certificate database and the certificate database log, and then click Next.
11. After verifying the information on the Confirm Installation Options page, click Install.
Step 3: Installing and Configuring the Online Responder
An Online Responder can be installed on any computer running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter. The certificate revocation data can come from a CA on a computer running Windows Server 2008, a CA on a computer running Windows Server 2003, or from a non-Microsoft CA. An Online Responder will typically not be installed on the same computer as a CA.
Note
IIS must also be installed on this computer before the Online Responder can be installed. As part of the setup process, a virtual directory named OCSP is created in IIS and the Web proxy is registered as an Internet Server Application Programming Interface (ISAPI) extension.
To install the Online Responder service
1. Log on to LH_ORS1 as an administrator.
2. Start the Add Roles Wizard. On the Select Server Roles page, select the Active Directory Certificate Services check box, and then click Next two times.
3. On the Select Role Services page, clear the Certification Authority check box, select the Online Responder check box, and then click Next.
You are prompted to install IIS and Windows Activation Service.
4. Click Add Required Role Services, and then click Next three times.
5. On the Confirm Installation Options page, click Install.
6. When the installation is complete, review the status page to verify that the installation was successful.
Step 4: Configuring the Issuing CA to Issue OCSP Response Signing Certificates
As with any certificate template, the OCSP Response Signing template must be configured with the enrollment permissions for Read, Enroll, Autoenroll, and Write before any certificates can be issued based on the template.
To configure certificate templates for your test environment
1. Log on to LH_CA_ISSUE1 as a CA administrator.
2. Open the Certificate Templates snap-in.
3. Right-click the OCSP Response Signing template, and then click Duplicate Template.
4. Type a new name for the duplicated template, such as OCSP Response Signing_2.
5. Right-click the OCSP Response Signing_2 certificate template, and then click Properties.
6. Click the Security tab. Under Group or user name, click Add and type the name or browse to select the computer hosting the Online Responder service.
7. Click the computer name, LH_ORS1, and in the Permissions dialog box, select the Read and Autoenroll check boxes.
8. While you have the Certificate Templates snap-in open, you can configure certificate templates for users and computers by substituting the desired templates in step 3 and repeating steps 4 through 7 to configure permissions for LH_CLI1 and your test user accounts.
Step 5: Configuring the Authority Information Access Extension to Support the Online Responder
You need to configure the CAs to include the URL for the Online Responder as part of the authority information access extension of the issued certificate. This URL is used by the Online Responder client to validate the certificate status.
To configure the authority information access extension to support the Online Responder
1. Log on to LH_CA_ISSUE1 as a CA administrator.
2. Open the Certification Authority snap-in.
3. In the console tree, click the name of the CA.
4. On the Action menu, click Properties.
5. On the Extensions tab, click Select extension, and then click Authority Information Access (AIA).
6. Select the Include in the AIA extension of issued certificates and Include in the online certificate status protocol (OCSP) extension check boxes.
7. Specify the locations from which users can obtain certificate revocation data; for this setup, the location is http://LH_ORS1/ocsp.
8. In the console tree of the Certification Authority snap-in, right-click Certificate Templates, and then click New Certificate Templates to Issue.
9. In Enable Certificate Templates, select the OCSP Response Signing template and any other certificate templates that you configured previously, and then click OK.
10. Open Certificate Templates, and verify that the modified certificate templates appear in the list.
Step 6: Assigning the OCSP Response Signing Template to a CA
Once the templates are properly configured, the CA needs to be configured to issue that template.
To configure the CA to issue certificates based on the newly created OCSP Response Signing template
1. Open the Certification Authority snap-in.
2. Right-click Certificate Templates, and then click Certificate Template to Issue.
3. Select the OCSP Response Signing_2 template from the list of available templates, and then click OK.
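The same result can be reached without the snap-ins. The script below is an added example, not part of the TechNet guide: it does what Step 5 (steps 5 to 10) and Step 6 above do from an elevated PowerShell prompt on the issuing CA, then reads the settings back so you can confirm what the CA will write into issued certificates. It assumes the lab's responder URL, http://LH_ORS1/ocsp, and assumes that the duplicated template's internal name is OCSPResponseSigning_2 (the internal name is shown on the template's General tab; adjust it if yours differs).

```powershell
# Added example, not from the TechNet guide: command-line equivalent of
# configuring the AIA/OCSP location and enabling the template on the CA.
# Run in an elevated PowerShell prompt on the issuing CA (LH_CA_ISSUE1).
# Assumptions: responder URL and internal template name as in this lab.
$ResponderUrl = 'http://LH_ORS1/ocsp'
$TemplateName = 'OCSPResponseSigning_2'

# AD CS stores the AIA locations as a REG_MULTI_SZ of "<flags>:<url>" entries.
# Flag 2  = "Include in the AIA extension of issued certificates"
#           (a place to download the issuing CA's certificate).
# Flag 32 = "Include in the online certificate status protocol (OCSP) extension"
#           (the responder URL). The responder only answers status queries,
#           so it gets flag 32 only.
$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfgKey).Active   # CA this service instance runs
$caKey  = Join-Path -Path $cfgKey -ChildPath $caName

$urls = @((Get-ItemProperty -Path $caKey).CACertPublicationURLs)
# Remove any earlier OCSP entry so the responder is listed exactly once, then
# append ours. The existing LDAP/HTTP CA-certificate locations are kept.
$urls = @($urls | Where-Object { $_ -notmatch '^32:' })
$urls += "32:$ResponderUrl"
Set-ItemProperty -Path $caKey -Name 'CACertPublicationURLs' `
                 -Value ([string[]]$urls) -Type MultiString

# Same effect as "New Certificate Templates to Issue": the '+' prefix adds the
# template without removing the templates that are already enabled.
certutil -setcatemplates "+$TemplateName"

# Extension settings are read at service start, so restart AD CS.
Restart-Service -Name certsvc

# Read back what the CA will now put into issued certificates.
"AIA/OCSP locations configured on ${caName}:"
(Get-ItemProperty -Path $caKey).CACertPublicationURLs | ForEach-Object { "  $_" }
"Templates enabled on ${caName}:"
certutil -catemplates
```

Selecting both check boxes for the responder URL, as step 6 above does, writes the entry with flags 2 and 32 together (34:), which also advertises http://LH_ORS1/ocsp as a place to download the CA certificate. The responder does not serve CA certificates, so the example sets only flag 32 for it; the entry it writes is the one the Extensions tab writes when only the OCSP check box is selected.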
Step 7: Enrolling for an OCSP Response Signing Certificate
Enrollment might not take place right away. Therefore, before you proceed to the next step, confirm that certificate enrollment has taken place so that a signing certificate exists on the computer, and verify that the permissions on the signing certificate allow the Online Responder to use it.
To verify that the signing certificate is properly configured
1. Start or restart LH_ORS1 to enroll for the certificates.
2. Log on as a CA administrator.
3. Open the Certificates snap-in for the computer. Open the Personal certificate store for the computer, and then verify that it contains a certificate titled OCSP Response Signing_2.
4. Right-click this certificate, and then click Manage Private Keys.
5. Click the Security tab. In the User Group or user name dialog box, click Add to add Network Service to the Group or user name list, and then click OK.
6. Click Network Service, and in the Permissions dialog box, select the Full Control check box. Click OK twice.
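The checks in this procedure (and in the equivalent procedure of Step 4 of the basic lab) can be scripted so that the responder is not brought up against a certificate it cannot use. The script below is an added example, not part of the TechNet guide. Run elevated on the responder computer (LH_ORS1 here), it finds every certificate in the computer's Personal store that carries the OCSP Signing enhanced key usage, confirms the certificate carries the id-pkix-ocsp-nocheck extension that the OCSP Response Signing template adds, locates the private key file that Manage Private Keys edits the ACL of, and reports whether NETWORK SERVICE has an Allow entry on it. It assumes the key is stored in one of the two standard machine key folders named below (CSP keys and CNG keys) and uses the standard PKIX OIDs; nothing else is taken from the lab.

```powershell
# Added example, not from the TechNet guide. Run elevated on the Online
# Responder computer. Assumptions: standard machine key folders and PKIX OIDs.
$OcspSigningEku = '1.3.6.1.5.5.7.3.9'     # id-kp-OCSPSigning
$OcspNoCheckOid = '1.3.6.1.5.5.7.48.1.5'  # id-pkix-ocsp-nocheck
$KeyFolders = @("$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",  # CSP keys
                "$env:ProgramData\Microsoft\Crypto\Keys")             # CNG/KSP keys

function Test-OcspSigningEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -ne '2.5.29.37') { continue }      # Enhanced Key Usage
        $eku = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ext
        foreach ($oid in $eku.EnhancedKeyUsages) {
            if ($oid.Value -eq $OcspSigningEku) { return $true }
        }
    }
    return $false
}

$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { Test-OcspSigningEku $_ }
if (-not $certs) {
    Write-Warning 'No OCSP Response Signing certificate in the computer store; enrollment has not completed yet.'
    return
}

foreach ($cert in $certs) {
    "Signing certificate: $($cert.Subject)  thumbprint $($cert.Thumbprint)  expires $($cert.NotAfter)"

    # Without id-pkix-ocsp-nocheck, clients would have to check the responder's own
    # certificate for revocation, which the template avoids by adding the extension.
    $hasNoCheck = [bool]($cert.Extensions | Where-Object { $_.Oid.Value -eq $OcspNoCheckOid })
    "  id-pkix-ocsp-nocheck present: $hasNoCheck"

    # certutil reports the on-disk container name for both CSP and KSP keys.
    $storeInfo = certutil -store My $cert.Thumbprint
    $m = $storeInfo | Select-String 'Unique container name:\s*(\S+)' | Select-Object -First 1
    if (-not $m) { Write-Warning '  No private key container reported for this certificate.'; continue }
    $container = $m.Matches[0].Groups[1].Value
    $keyFile = Get-ChildItem -Path $KeyFolders -Filter $container -ErrorAction SilentlyContinue |
               Select-Object -First 1
    if (-not $keyFile) { Write-Warning "  Key file $container not found under the machine key folders."; continue }

    # Steps 5 and 6 above grant NETWORK SERVICE rights through Manage Private Keys; that
    # dialog edits the ACL of this file. Read access is enough for the responder to sign.
    $acl = Get-Acl -Path $keyFile.FullName
    $readRight = [System.Security.AccessControl.FileSystemRights]::Read
    $rules = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\NETWORK SERVICE' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $readRight) -eq $readRight)
    }
    if ($rules) { "  NETWORK SERVICE has $($rules | ForEach-Object { $_.FileSystemRights }) on the private key" }
    else        { Write-Warning '  NETWORK SERVICE cannot read the private key; the responder will not be able to sign.' }
}
```

The guide grants Full Control; the check accepts Full Control or plain Read, since using the key for signing only needs Read. A warning from the last check is the condition that makes the revocation configuration in Step 8 show a signing-certificate error in the Online Responder snap-in.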
Step 8: Creating a Revocation Configuration
Creating a revocation configuration involves the following tasks:
  • Identify the CA certificate for the CA that supports the Online Responder.
  • Identify the CRL distribution point for the CA.
  • Select a signing certificate that will be used to sign revocation status responses.
  • Select a revocation provider, the component responsible for retrieving and caching the revocation information used by the Online Responder.
To create a revocation configuration
1. Log on to LH_ORS1 as a domain administrator.
2. Open the Online Responder snap-in.
3. In the Actions pane, click Add Revocation Configuration to start the Add Revocation Configuration wizard, and then click Next.
4. On the Name the Revocation Configuration page, type a name for the revocation configuration, such as LH_RC1, and then click Next.
5. On the Select CA Certificate Location page, click Select a certificate for an existing enterprise CA, and then click Next.
6. On the following page, the name of the CA, LH_CA_ISSUE1, should appear in the Browse CA certificates published in Active Directory box.
  • If it appears, click the name of the CA that you want to associate with your revocation configuration, and then click Next.
  • If it does not appear, click Browse for CA Computer and type the name of the computer hosting LH_CA_ISSUE1, or click Browse to locate this computer. When you have located the computer, click Next.
Note
You might also be able to link to the CA certificate from the local certificate store, or by importing it from removable media in step 5.
7. View the certificate and copy the CRL distribution point for the parent root CA, RootCA1. To do this:
   a. Open the Certificate Services snap-in, and then select an issued certificate.
   b. Double-click the certificate, and then click the Details tab.
   c. Scroll down and select the CRL Distribution Points field.
   d. Select and copy the URL for the CRL distribution point that you want to use.
   e. Click OK.
8. On the Select Signing Certificate page, accept the default, Automatically select signing certificate, and then click Next.
9. On the Revocation Provider page, click Provider.
10. On the Revocation Provider Properties page, click Add, enter the URL of the CRL distribution point, and then click OK.
11. Click Finish.
12. Using the Online Responder snap-in, select the revocation configuration, and then examine the status information to verify that it is functioning properly. You should also be able to examine the properties of the signing certificate to verify that the Online Responder is configured properly.
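Step 7 above (and step 6 of Step 4 in the basic lab) has you read the CRL distribution point out of an issued certificate by hand. The script below is an added example, not part of the TechNet guide: it extracts every CDP URL from an exported certificate file, and then downloads each HTTP one and checks that what comes back starts like a DER-encoded CRL, so that the URL you paste into the revocation provider in step 10 is known to be fetchable before the responder is made to depend on it. The certificate path is a placeholder; the script assumes a .cer file (DER or Base64) exported from the Certificates snap-in.

```powershell
# Added example, not from the TechNet guide. Assumes an exported .cer file;
# the path below is a placeholder.
function Get-CdpUrl {
    param([Parameter(Mandatory = $true)][string]$Path)
    $full = (Resolve-Path -Path $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $full
    # 2.5.29.31 = CRL Distribution Points. .NET has no typed class for this
    # extension, so use its multi-line rendering and pick out the URL= lines.
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    $text = $ext.Format($true)
    [regex]::Matches($text, '(?m)^\s*URL=(.*?)\s*$') | ForEach-Object { $_.Groups[1].Value }
}

function Test-CdpReachable {
    param([string[]]$Urls)
    $web = New-Object System.Net.WebClient
    foreach ($url in $Urls) {
        if ($url -notmatch '^https?://') {
            "SKIP  $url  (not HTTP; not fetched by this check)"
            continue
        }
        try {
            $bytes = $web.DownloadData($url)
            # A DER CertificateList starts with a SEQUENCE tag (0x30); an HTML error
            # page or a PEM file does not.
            $looksLikeCrl = ($bytes.Length -gt 2) -and ($bytes[0] -eq 0x30)
            "OK    $url  ($($bytes.Length) bytes, DER CRL: $looksLikeCrl)"
        } catch {
            "FAIL  $url  $($_.Exception.Message)"
        }
    }
}

$urls = Get-CdpUrl -Path 'C:\lab\issued.cer'   # placeholder: certificate exported in step 7
"CRL distribution points found:"
$urls | ForEach-Object { "  $_" }
Test-CdpReachable -Urls $urls
```

An LDAP CDP is listed but not fetched here; the revocation provider can use either kind, but an HTTP URL is the one the verification in Step 10 exercises from a client that may not be domain-joined.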
Step 9: Setting Up and Configuring the Network Device Enrollment Service
The Network Device Enrollment Service allows software on routers and other network devices running without domain credentials to obtain certificates.
The Network Device Enrollment Service operates as an ISAPI filter on IIS that performs the following functions:
  • Generates and provides one-time enrollment passwords to administrators
  • Processes SCEP enrollment requests
  • Retrieves pending requests from the CA
SCEP was developed as an extension to existing HTTP, PKCS #10, PKCS #7, RFC 2459, and other standards to enable network device and application certificate enrollment with CAs. SCEP is identified and documented on the Internet Engineering Task Force Web site (http://go.microsoft.com/fwlink/?LinkId=71055).
Before you begin this procedure, create a user ndes_user1 and add this user to the IIS user group. Then, use the Certificate Templates snap-in to configure Read and Enroll permissions for this user on the IPSEC (Offline Request) certificate template.
To set up and configure the Network Device Enrollment Service
1. Log on to LH_NDES as an enterprise administrator.
2. Start the Add Roles Wizard. On the Select Server Roles page, select the Active Directory Certificate Services check box, and then click Next two times.
3. On the Select Role Services page, clear the Certification Authority check box, and then select Network Device Enrollment Service.
You are prompted to install IIS and Windows Activation Service.
4. Click Add Required Role Services, and then click Next three times.
5. On the Confirm Installation Options page, click Install.
6. When the installation is complete, review the status page to verify that the installation was successful.
7. Because this is a new installation and there are no pending SCEP certificate requests, click Replace existing Registration Authority (RA) certificates, and then click Next.
When the Network Device Enrollment Service is installed on a computer where a registration authority already exists, the existing registration authority and any pending certificate requests are deleted.
8. On the Specify User Account page, click Select User, and type the user name ndes_user1 and the password for this account, which the Network Device Enrollment Service will use to authorize certificate requests. Click OK, and then click Next.
9. On the Specify CA page, select either the CA name or Computer name check box, click Browse to locate the CA that will issue the Network Device Enrollment Service certificates, LH_CA_ISSUE1, and then click Next.
10. On the Specify Registration Authority Information page, type ndes_1 in the RA name box. Under Country/region, select the check box for the country/region you are in, and then click Next.
11. On the Configure Cryptography page, accept the default values for the signature and encryption keys, and then click Next.
12. Review the summary of configuration options, and then click Install.
Step 10: Verifying that the Advanced AD CS Test Setup Functions Properly
You can verify the setup steps described previously as you perform them.
After the installation is complete, you should verify that your advanced test setup is functioning properly.
To verify that the advanced AD CS test setup functions properly
1. On the CA, configure several certificate templates to autoenroll certificates for LH_CLI1 and users on this computer.
2. When information about the new certificates has been published to AD DS, open a command prompt on the client computer and enter the following command to start certificate autoenrollment:
certutil -pulse
3. On the client computer, use the Certificates snap-in to verify that the certificates have been issued to the user and to the computer, as appropriate.
4. On the CA, use the Certification Authority snap-in to view and revoke one or more of the issued certificates by clicking Certification Authority (Computer)/CA name/Issued Certificates and selecting the certificate you want to revoke. On the Action menu, point to All Tasks, and then click Revoke Certificate. Select the reason for revoking the certificate, and click Yes.
5. In the Certification Authority snap-in, publish a new CRL by clicking Certification Authority (Computer)/CA name/Revoked Certificates in the console tree. Then, on the Action menu, point to All Tasks, and click Publish.
6. Remove all CRL distribution point extensions from the issuing CA by opening the Certification Authority snap-in and then selecting the CA. On the Action menu, click Properties.
7. On the Extensions tab, confirm that Select extension is set to CRL Distribution Point (CDP).
8. Click any CRL distribution points that are listed, click Remove, and click OK.
9. Stop and restart AD CS.
10. Repeat steps 1 and 2 above, and then verify that clients can still obtain revocation data. To do this, use the Certificates snap-in to export the certificate to a file (*.cer). At a command prompt, type:
certutil -url <exportedcert.cer>
11. In the Verify and Retrieve dialog box that appears, click From CDP and From OCSP and compare the results.
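certutil -url opens the interactive URL Retrieval Tool; certutil -verify -urlfetch performs the same AIA, CDP and OCSP retrieval from the command line and prints the outcome, which makes the comparison in step 11 (and in step 11 of Step 5 of the basic lab) repeatable. The script below is an added example, not part of the TechNet guide: run on the client as the enrolled user, it triggers autoenrollment as in step 2, exports the newest certificate issued by the lab CA as in step 10, runs the fetch, and reports whether the certificate came back as revoked. It assumes the issuing CA's name appears as CN=LH_CA_ISSUE1 in the Issuer field; the export path is a placeholder.

```powershell
# Added example, not from the TechNet guide. Run on LH_CLI1 as the enrolled user.
# Assumptions: issuer name below matches the lab CA; export path is a placeholder.
$IssuerMatch = 'CN=LH_CA_ISSUE1'
$ExportPath  = Join-Path $env:TEMP 'autoenrolled.cer'

function Get-LabCertificate {
    # Newest certificate in the user's Personal store issued by the lab CA.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Issuer -match $IssuerMatch } |
        Sort-Object NotBefore -Descending |
        Select-Object -First 1
}

function Test-RevocationStatus {
    param([string]$CerPath)
    # Cached CRLs and OCSP responses would hide a revocation done a minute ago,
    # so clear the client's URL cache before fetching.
    certutil -urlcache * delete | Out-Null
    $report = certutil -verify -urlfetch $CerPath
    # Show only the lines that say which source was fetched and what it answered.
    $report | Select-String -Pattern 'Verified|Failed|AIA|CDP|OCSP|REVOKED|CRYPT_E' |
        ForEach-Object { "  $($_.Line)" }
    return [bool]($report -match 'CRYPT_E_REVOKED')
}

# Step 2: start autoenrollment now instead of waiting for the scheduled run.
certutil -pulse | Out-Null

$cert = Get-LabCertificate
if (-not $cert) {
    Write-Warning "No certificate issued by $IssuerMatch in the user store; autoenrollment has not completed."
    return
}
# Step 10: export the public certificate only (no private key) to a .cer file.
[System.IO.File]::WriteAllBytes($ExportPath, $cert.Export('Cert'))
"Testing $($cert.Subject)  serial $($cert.SerialNumber)"

$revoked = Test-RevocationStatus -CerPath $ExportPath
if ($revoked) { "Status: REVOKED (a revocation source reported the certificate)" }
else          { "Status: not reported as revoked" }
```

Run it once before step 4 to record the baseline, then again after the certificate has been revoked and a new CRL published (on the CA, certutil -revoke followed by certutil -CRL does the same as steps 4 and 5): the status must change to REVOKED. After the CDP extension has been removed from the CA and AD CS restarted (steps 6 to 9) and a fresh certificate enrolled, the CDP block disappears from the report and the REVOKED answer for a revoked certificate can only come from the responder, so the "Certificate OCSP" lines must show Verified; if they show Failed, the responder or the AIA/OCSP URL configured in Step 5 is what needs attention.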