
Saturday, November 8, 2014

Windows Server 2012 R2 Implementing a Basic PKI MVA course

There is a new Microsoft Virtual Academy course covering basic PKI on Windows Server 2012 R2. The course is hosted by Morgan Webb, Microsoft Technical Evangelist, and gives administrators the basic concepts needed to implement PKI on Windows Server 2012 R2. Morgan talks about stand-alone CAs, root CAs and enterprise CAs, and demonstrates how to install and configure the properties of each CA type. Finally, he shows how to manage and configure certificate templates. If you'd like to learn the basics of implementing and managing a PKI on Windows Server 2012 R2, don't miss this course.
 
 
This posting is provided “AS IS” with no warranties, and confers no rights!

Sunday, July 21, 2013

Delegating duplication of all certificate templates and CA management for an Enterprise CA in Windows Server

By default, Enterprise Administrators can duplicate all certificate templates. To delegate duplication of all certificate templates to another account, we need to modify the security settings of the "Certificate Templates" and "OID" containers in Active Directory.

Lab environment
Host name: DC01.adcslab.local
Roles: Domain Controller and DNS server of adcslab.local
Operating System: Windows Server 2008 R2

Host name: DC02.corp.adcslab.local
Roles: Domain Controller and DNS server of corp.adcslab.local
Operating System: Windows Server 2008 R2

Host name: CS01.corp.adcslab.local
Roles: member server of corp.adcslab.local and AD CS
Operating System: Windows Server 2008 Enterprise x64 edition

CA environment:
1 CA server, CS01.corp.adcslab.local, with ADCSLAB root CA

Goal
Assign Terry, a user in corp.adcslab.local, the right to manage all certificate templates.

Configuring Manage CA permissions
By default, Enterprise Admins, Domain Admins and the local Administrators group of the AD CS server can manage the "Certification Authority". Now, I will grant Terry, a user in corp.adcslab.local, permission to manage the CA.

1. On CS01, log in as corp.adcslab.local Administrator.
2. Launch "Certification Authority".
3. Right-click "ADCSLAB Root CA", select "Properties".


4. On "ADCSLAB Root CA Properties" window, select "Security" tab.


5. On "Security" tab, click "Add".
6. On "Select Users, Computers, or Groups" window, enter "Terry".


7. Click "OK".
8. Next to "Permissions for Terry", check "Allow - Issue and Manage Certificates" and "Allow - Manage CA".


9. Click "OK".

Remark: In a production environment, we should grant the permissions to a global or universal group that contains the users who manage the CA.

Test result
1. On CS01, log in as Terry.
2. Launch "Certification Authority".
3. Expand "ADCSLAB Root CA > Certificate Templates".


4. On right pane, right-click "Basic EFS" and then select "Delete".


5. On "Disable certificate templates" window, click "Yes".


As a result, Terry can manage ADCSLAB Root CA.


Delegate duplication of all certificate templates
1. On DC01, log in as adcslab.local Administrator.
2. Click "Start", enter "adsiedit.msc" to launch "ADSI Edit".
3. Right-click "ADSI Edit", select "Connect to".


4. On "Connection Settings" window, next to "Select a well known Naming Context", select "Configuration".


5. Click "OK".

Remark: Make sure you are connected to the "Configuration" naming context of the forest root domain.

6. Expand "Configuration > CN=Configuration,DC=adcslab,DC=local > CN=Services > CN=Public Key Services".
7. On central pane, right-click "CN=Certificate Templates", select "Properties".


8. On the "CN=Certificate Templates Properties" window, click the "Security" tab.


9. Click "Add".
10. On "Select Users, Computers, or Groups" window, click "Locations".


11. On "Locations" window, select "corp.adcslab.local".


12. Click "OK".
13. Next to "Enter the object names to select (examples)", enter "Terry".


14. Click "OK".
15. Next to "Permissions for Terry", check "Allow - Full control".


16. Click "OK".
17. On central pane, right-click "CN=OID", select "Properties".


18. On the "CN=OID Properties" window, click the "Security" tab.
19. Click "Add".
20. On "Select Users, Computers, or Groups" window, click "Locations".


21. On "Locations" window, select "corp.adcslab.local".


22. Click "OK".
23. Next to "Enter the object names to select (examples)", enter "Terry" and then click "OK".
24. Next to "Permissions for Terry", check "Allow - Full control".


25. Click "OK".
26. Close "ADSI Edit".

Remark: In a production environment, we should grant the permissions on "Certificate Templates" and "OID" to a global or universal group that contains the users who manage templates.
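The same delegation done from PowerShell, following the remark above by granting the rights to a group rather than to one user, and then listing every principal that can write to the two containers so the delegation can be verified. This is an added example, not code from the original post; it assumes the ActiveDirectory module is available, the script runs as an Enterprise Admin in the forest root domain, and "PKI Template Admins" is a placeholder group name.

```powershell
# Added example (not from the original post). Assumptions: ActiveDirectory module
# present, running as Enterprise Admin, and the group name is a placeholder.
Import-Module ActiveDirectory

# The two containers the post edits in ADSI Edit, located via the forest Configuration NC
$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiContainers = @(
    "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC",
    "CN=OID,CN=Public Key Services,CN=Services,$configNC"
)

function Grant-TemplateContainerFullControl {
    param([Parameter(Mandatory)][string]$GroupName)   # a global or universal group, per the remark
    $sid = (Get-ADGroup -Identity $GroupName).SID
    foreach ($dn in $pkiContainers) {
        $acl = Get-Acl -Path "AD:\$dn"
        $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,        # "Full control"
            [System.Security.AccessControl.AccessControlType]::Allow,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)  # container and children
        $acl.AddAccessRule($ace)
        Set-Acl -Path "AD:\$dn" -AclObject $acl
    }
}

function Get-TemplateContainerWriters {
    # Report every principal holding write-class rights on the containers, so the
    # delegation can be checked against the intended group only.
    foreach ($dn in $pkiContainers) {
        (Get-Acl -Path "AD:\$dn").Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|CreateChild'
            } |
            Select-Object @{Name = 'Container'; Expression = { $dn }},
                          IdentityReference, ActiveDirectoryRights, IsInherited
    }
}

Grant-TemplateContainerFullControl -GroupName 'PKI Template Admins'   # placeholder group
Get-TemplateContainerWriters | Format-Table -AutoSize
```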

Test result
1. On CS01, log in as corp.adcslab.local Administrator.
2. Click "Start", enter "certtmpl.msc" to launch Certificate Templates Console.
3. On "Certificate Templates" console, right-click "Computer" and then select "Duplicate Template".


4. On "Duplicate Template" window, select "Windows 2003 Server, Enterprise Edition" and then click "OK".


The corp.adcslab.local Administrator could not duplicate the certificate template because we have not granted that account permission on the "Certificate Templates" and "OID" containers.


5. Click "OK".
6. Log off corp.adcslab.local Administrator.
7. Log in as Terry.
8. Launch "Certificate Templates".
9. On "Certificate Templates" console, right-click "Computer" and then select "Duplicate Template".
10. On "Duplicate Template" window, select "Windows 2003 Server, Enterprise Edition" and then click "OK".
11. On the "General" tab of the "Properties of New Template" window, next to "Template display name", enter "ADCSLAB Computer".


12. Click "OK".

As a result, Terry can duplicate the computer certificate template.



Tuesday, May 8, 2012

How to enable Certification Authority Auditing on Windows Server

By default, auditing is not enabled on the CA server. After auditing is enabled, the selected CA events are written to the "Security" log. To enable auditing, I need to modify the following settings.

1. On the CA server, log in as Administrator.
2. Launch "Certification Authority".
3. Right-click the name of the CA, select "Properties".
4. Select "Auditing" tab.
5. Check the events which you want to audit.


6. Click "OK".
7. Launch "Local Group Policy Editor".
8. Expand "Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy".
9. Double-click "Audit object access".
10. Check "Success" and "Failure".


11. Click "OK".



12. Close "Local Group Policy Editor".

Remark: If your CA server is a member server of the domain, you can configure the same audit policy through domain Group Policy instead of the local policy.

13. Restart "Active Directory Certificate Services".

As a result, the auditing has been enabled on the CA server.
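The same configuration from an elevated PowerShell prompt on the CA, with a small query that pulls the resulting CA events back out of the Security log. This is an added example, not code from the original post; the AuditFilter bit values and event IDs are documented Windows values, and the day window is an assumed default.

```powershell
# Added example (not from the original post). Run elevated on the CA server.

# AuditFilter is the registry value behind the "Auditing" tab; 127 = all seven events
# checked (1 start/stop, 2 backup/restore, 4 issue/manage, 8 revoke/publish CRL,
#  16 change CA security, 32 archived keys, 64 change CA configuration).
certutil -setreg CA\AuditFilter 127

# The post enables the whole "Audit object access" category; this enables only the
# AD CS subcategory of it, which keeps the Security log quieter.
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# The filter is read at service start, hence the restart in step 13 of the post
Restart-Service -Name certsvc

function Get-CaAuditEvents {
    param([int]$Days = 7)   # assumed default window
    # AD CS audit events: 4886 request received, 4887 approved and issued,
    # 4888 denied, 4889 set to pending, 4898 template loaded,
    # 4899 template updated, 4900 template security updated
    $ids = 4886, 4887, 4888, 4889, 4898, 4899, 4900
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = $ids
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
                      @{Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] }}
}

# Template changes (4899/4900) are the ones to watch most closely on an enterprise CA
Get-CaAuditEvents -Days 1 | Format-Table -AutoSize
```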


Saturday, April 2, 2011

Decommission a Windows enterprise certification authority and remove all related objects from Windows Server 2003

Step 1: Revoke all active certificates that are issued by the enterprise CA
1. At the CA server, log in as Domain Administrator.
2. Click "Start > Administrative Tools > Certification Authority".
3. Expand "<CA Name> > Issued Certificates".
4. At right pane, select all certificates.
5. Right-click the selected certificates, select "All Tasks > Revoke Certificate".
6. Next to "Reason code", select "Cease of Operation".

Figure 1: Cease of Operation

7. Click "Yes".

Step 2: Delete all certificate templates
1. In the "Certification Authority" console, select "Certificate Templates".
2. At right pane, select all certificate templates.
3. Right-click the selected certificate templates, select "Delete".
4. Click "Yes".

Figure 2: Certificate Templates

This prevents users from requesting certificates from the CA server.

Step 3: Increase the CRL publication interval
1. In the "Certification Authority" console, right-click "Revoked Certificates", select "Properties".
2. Next to "CRL publication interval", type a suitably long value.

Remark: The lifetime of the Certificate Revocation List (CRL) should be longer than the remaining lifetime of the certificates that have been revoked.

3. Clear "Publish Delta CRLs" check box.

Figure 3: Revoked Certificates properties

4. Click "OK".

Step 4: Publish a new CRL
1. Still in "Certification Authority" console, right-click "Revoked Certificates", select "All Tasks > Publish".

Figure 4: Publish CRL

2. Select "New CRL", click "OK".

Remark: Make sure all clients can reach the CRL distribution point (CDP) where the CRL is published.

Step 5: Deny any pending requests (optional)
By default, an enterprise CA does not store certificate requests. However, an administrator can change this default behavior. To deny any pending certificate requests, follow these steps:

1. Still in the "Certification Authority" console, select the "Pending Requests" folder.
2. At right pane, select all pending requests.
3. Right-click the selected pending requests, select "All Tasks > Deny Request".

Step 6: Uninstall Certificate Services from the server
1. Launch "Command Prompt", enter "certutil -shutdown".

Figure 5: Stop certificate services

2. Enter "certutil -key" to list all the key stores for local computer.

Figure 6: List all the key

3. Enter "certutil -delkey <CA Name>" to delete the private keys associated with the CA.

Remark: In this example the CA name is "Windows 2003 Enterprise Root CA", so the command line is the following:

certutil -delkey "Windows 2003 Enterprise Root CA"

4. Make sure the private key for your CA has been deleted.
5. Use "Add\Remove Windows Components" to uninstall "Certificate Services".

Step 7: Remove CA objects from Active Directory
When Microsoft Certificate Services is installed on a server that is a member of a domain, several objects are created in the configuration container in Active Directory.

When the CA is uninstalled, only the pKIEnrollmentService object is removed. The other objects are left in place because there are likely still outstanding certificates issued by the CA. In order for clients to successfully process these outstanding certificates, they need to locate the AIA and CDP paths in Active Directory. Good practice is to revoke all outstanding certificates (Reason: Cease of Operation), extend the lifetime of the CRL, and publish it in Active Directory. When those outstanding certificates are processed by the various clients, validation should fail and those certificates will not be used.

1. At Domain Controller, log in as Domain Administrator.
2. Launch "Active Directory Sites and Services".
3. At left pane, select "Active Directory Sites and Services".
4. On the menu, click "View > Show Services Node".

Figure 7: Show Services Node

5. At left pane, expand "Services > Public Key Services > AIA".
6. At right pane, delete "certificateAuthority" object for your Certification Authority.

Figure 8: certificateAuthority object

7. At left pane, select "CDP".
8. Locate the Container object for the server where Certification Services is installed. Delete the container and the objects it contains.

Figure 9: Container object

9. Select "Certification Authorities", delete "certificateAuthority" object for your Certification Authority in right pane.
10. Select "Enrollment Services", verify that the pKIEnrollmentService object for your Certification Authority was removed when Certificate Services was uninstalled. If not, delete it.
11. Select "Certificate Templates", delete all the certificate templates in the right pane.
12. Select "Public Key Services", locate the "NTAuthCertificates" object.

Figure 10: NTAuthcertificates object

13. If there are no other Enterprise or Stand-alone CAs installed in the forest, delete the object.
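A scripted inventory of the objects Step 7 removes by hand, so you can see what the old CA left behind in the Configuration partition before deleting anything, plus a check of how many certificates remain in NTAuthCertificates. This is an added example, not code from the original post; it assumes the ActiveDirectory module is available, the script runs as an Enterprise Admin, the CA name is the one used in the post, and "OLDCA01" is a placeholder for the old CA server's host name.

```powershell
# Added example (not from the original post). Assumptions: ActiveDirectory module
# present, running as Enterprise Admin; host name below is a placeholder.
Import-Module ActiveDirectory

function Get-LeftoverCaObjects {
    param(
        [Parameter(Mandatory)][string]$CaName,    # e.g. "Windows 2003 Enterprise Root CA"
        [Parameter(Mandatory)][string]$HostName   # short host name of the old CA server
    )
    $pks = "CN=Public Key Services,CN=Services," + (Get-ADRootDSE).configurationNamingContext
    # One lookup per container in the manual steps: AIA, CDP (named after the server),
    # Certification Authorities and Enrollment Services (named after the CA)
    $lookups = @(
        @{ Container = "CN=AIA,$pks";                       Filter = "Name -eq '$CaName'" },
        @{ Container = "CN=CDP,$pks";                       Filter = "Name -eq '$HostName'" },
        @{ Container = "CN=Certification Authorities,$pks"; Filter = "Name -eq '$CaName'" },
        @{ Container = "CN=Enrollment Services,$pks";       Filter = "Name -eq '$CaName'" }
    )
    foreach ($l in $lookups) {
        Get-ADObject -SearchBase $l.Container -SearchScope OneLevel -Filter $l.Filter
    }
}

function Get-NTAuthCertificateCount {
    # NTAuthCertificates lists the CAs trusted to issue logon certificates; as the post
    # says, delete the object only when no other CA in the forest still depends on it.
    $pks = "CN=Public Key Services,CN=Services," + (Get-ADRootDSE).configurationNamingContext
    $obj = Get-ADObject -Identity "CN=NTAuthCertificates,$pks" -Properties cACertificate
    [pscustomobject]@{ Object = $obj.DistinguishedName; CertificateCount = @($obj.cACertificate).Count }
}

$left = Get-LeftoverCaObjects -CaName 'Windows 2003 Enterprise Root CA' -HostName 'OLDCA01'
$left | Format-Table DistinguishedName, ObjectClass -AutoSize

# The CDP entry is a container with child objects, so -Recursive is needed (step 8);
# -Confirm keeps each deletion explicit.
$left | Remove-ADObject -Recursive -Confirm:$true
Get-NTAuthCertificateCount
```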

Step 8: Delete the CA database
When Certification Services is uninstalled, the CA database is left intact so that the CA can be re-created on another server.

1. To remove the CA database, delete the "%systemroot%\system32\Certlog" folder.

Step 9: Domain Controller Cleanup
1. At domain Controller, log in as Domain Administrator.
2. Launch "Command Prompt", enter "certutil -dcinfo deleteBad".

Remark: Certutil.exe attempts to validate all certificates issued to the domain controllers. Certificates that fail validation are removed.
