Active Directory Certificate Services
Revision as of 10:34, 18 March 2016
Microsoft's PKI Product.
Technet Wiki -> http://social.technet.microsoft.com/wiki/contents/articles/987.windows-pki-documentation-reference-and-library.aspx
Windows Server Roles
Role | Description | Reference |
---|---|---|
Certificate Authority | CA role itself | |
Certificate Enrollment Policy Web Service | CEP - Enrollment to non-domain machines | http://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx |
Certificate Enrollment Web Service | CES - Enrollment to non-domain machines | http://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx |
Certificate Authority Web Enrollment | Web interface to CA | |
Network Device Enrollment Service | NDES for routers etc. | http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx |
Online Responder | OCSP responder | |
Tools
Certificate Propagation in Enterprise CA
AD Location
CN=Public Key Services, CN=Services, CN=Configuration, DC={forest root domain}
AIA
All certificates from this container are propagated to each client as a part of group policy processing to client’s Intermediate Certification Authorities container.
Certification Authorities
All certificates from this container are propagated to each client as a part of group policy processing to client’s Trusted Root Certification Authorities container.
Enrollment Services
All certificates from this container are propagated to each client as a part of group policy processing to client’s Intermediate Certification Authorities container. Also, this container is enumerated during certificate enrollment process.
NTAuthCertificates
All certificates from this container are propagated to each client as a part of group policy processing to client’s Intermediate Certification Authorities container.
Standalone
For a standalone CA, you'll need to do this manually... -> http://unixwiz.net/techtips/deploy-webcert-gp.html
Group Policy
Settings are located in Computer Configuration\Windows Settings\Security Settings\Public Key Policies.
certsvc flags
Config of ADCS sits in the registry at HKLM\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\NameOfYourCA
Some fields you'll come across
CRL Flags
Flag | Value | Notes |
---|---|---|
CRLF_DELTA_USE_OLDEST_UNEXPIRED_BASE | 0x00000001 | |
CRLF_DELETE_EXPIRED_CRLS | 0x00000002 | |
CRLF_CRLNUMBER_CRITICAL | 0x00000004 | |
CRLF_REVCHECK_IGNORE_OFFLINE | 0x00000008 | |
CRLF_IGNORE_INVALID_POLICIES | 0x00000010 | |
CRLF_REBUILD_MODIFIED_SUBJECT_ONLY | 0x00000020 | |
CRLF_SAVE_FAILED_CERTS | 0x00000040 | |
CRLF_IGNORE_UNKNOWN_CMC_ATTRIBUTES | 0x00000080 | |
CRLF_IGNORE_CROSS_CERT_TRUST_ERROR | 0x00000100 | |
CRLF_PUBLISH_EXPIRED_CERT_CRLS | 0x00000200 | |
CRLF_ENFORCE_ENROLLMENT_AGENT | 0x00000400 | |
CRLF_DISABLE_RDN_REORDER | 0x00000800 | |
CRLF_DISABLE_ROOT_CROSS_CERTS | 0x00001000 | |
CRLF_LOG_FULL_RESPONSE | 0x00002000 | |
CRLF_USE_XCHG_CERT_TEMPLATE | 0x00004000 | |
CRLF_USE_CROSS_CERT_TEMPLATE | 0x00008000 | |
CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT | 0x00010000 | To enable the parsing of request attributes for subject information (which is required for Netscape browser enrollment) |
CRLF_REVCHECK_IGNORE_NOREVCHECK | 0x00020000 | |
CRLF_PRESERVE_EXPIRED_CA_CERTS | 0x00040000 | |
CRLF_PRESERVE_REVOKED_CA_CERTS | 0x00080000 | |
Set a flag with certutil (replace CRLF_ATTRIBUTE with the flag name from the table):
certutil -setreg ca\CRLFlags +CRLF_ATTRIBUTE
Edit Flags
Flag | Value | Notes |
---|---|---|
EDITF_ENABLEREQUESTEXTENSIONS | 0x00000001 | |
EDITF_REQUESTEXTENSIONLIST | 0x00000002 | |
EDITF_DISABLEEXTENSIONLIST | 0x00000004 | |
EDITF_ADDOLDKEYUSAGE | 0x00000008 | |
EDITF_ADDOLDCERTTYPE | 0x00000010 | |
EDITF_ATTRIBUTEENDDATE | 0x00000020 | |
EDITF_BASICCONSTRAINTSCRITICAL | 0x00000040 | |
EDITF_BASICCONSTRAINTSCA | 0x00000080 | |
EDITF_ENABLEAKIKEYID | 0x00000100 | |
EDITF_ATTRIBUTECA | 0x00000200 | |
EDITF_IGNOREREQUESTERGROUP | 0x00000400 | |
EDITF_ENABLEAKIISSUERNAME | 0x00000800 | |
EDITF_ENABLEAKIISSUERSERIAL | 0x00001000 | |
EDITF_ENABLEAKICRITICAL | 0x00002000 | |
EDITF_SERVERUPGRADED | 0x00004000 | |
EDITF_ATTRIBUTEEKU | 0x00008000 | |
EDITF_ENABLEDEFAULTSMIME | 0x00010000 | |
EDITF_EMAILOPTIONAL | 0x00020000 | |
EDITF_ATTRIBUTESUBJECTALTNAME2 | 0x00040000 | |
EDITF_ENABLELDAPREFERRALS | 0x00080000 | |
EDITF_ENABLECHASECLIENTDC | 0x00100000 | |
EDITF_AUDITCERTTEMPLATELOAD | 0x00200000 | |
EDITF_DISABLEOLDOSCNUPN | 0x00400000 | |
EDITF_DISABLELDAPPACKAGELIST | 0x00800000 | |
EDITF_ENABLEUPNMAP | 0x01000000 | |
Set a flag with certutil (replace EDITF_ATTRIBUTE with the flag name from the table):
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTE
Source: Microsoft's certsrv.h
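The two tables above are bitmasks stored as REG_DWORDs, so auditing a CA means turning the raw value back into flag names. The following is an added example (not from the wiki page or from Microsoft): it decodes and re-encodes CRLFlags and EditFlags values using the certsrv.h names listed above, and singles out the two flags that let request attributes drive subject or SAN content. The sample value 0x15014E is constructed, not read from a real CA.

```python
# Added example (not from the wiki page): decode the CRLFlags and EditFlags
# REG_DWORDs under HKLM\SYSTEM\CurrentControlSet\services\CertSvc\Configuration
# into certsrv.h flag names. Both tables are consecutive single-bit flags, so
# list index i corresponds to bit i (0x00000001 << i).

CRL_FLAG_NAMES = ["CRLF_" + n for n in """
    DELTA_USE_OLDEST_UNEXPIRED_BASE DELETE_EXPIRED_CRLS CRLNUMBER_CRITICAL
    REVCHECK_IGNORE_OFFLINE IGNORE_INVALID_POLICIES REBUILD_MODIFIED_SUBJECT_ONLY
    SAVE_FAILED_CERTS IGNORE_UNKNOWN_CMC_ATTRIBUTES IGNORE_CROSS_CERT_TRUST_ERROR
    PUBLISH_EXPIRED_CERT_CRLS ENFORCE_ENROLLMENT_AGENT DISABLE_RDN_REORDER
    DISABLE_ROOT_CROSS_CERTS LOG_FULL_RESPONSE USE_XCHG_CERT_TEMPLATE
    USE_CROSS_CERT_TEMPLATE ALLOW_REQUEST_ATTRIBUTE_SUBJECT
    REVCHECK_IGNORE_NOREVCHECK PRESERVE_EXPIRED_CA_CERTS PRESERVE_REVOKED_CA_CERTS
""".split()]   # 20 names: 0x00000001 .. 0x00080000

EDIT_FLAG_NAMES = ["EDITF_" + n for n in """
    ENABLEREQUESTEXTENSIONS REQUESTEXTENSIONLIST DISABLEEXTENSIONLIST
    ADDOLDKEYUSAGE ADDOLDCERTTYPE ATTRIBUTEENDDATE BASICCONSTRAINTSCRITICAL
    BASICCONSTRAINTSCA ENABLEAKIKEYID ATTRIBUTECA IGNOREREQUESTERGROUP
    ENABLEAKIISSUERNAME ENABLEAKIISSUERSERIAL ENABLEAKICRITICAL SERVERUPGRADED
    ATTRIBUTEEKU ENABLEDEFAULTSMIME EMAILOPTIONAL ATTRIBUTESUBJECTALTNAME2
    ENABLELDAPREFERRALS ENABLECHASECLIENTDC AUDITCERTTEMPLATELOAD
    DISABLEOLDOSCNUPN DISABLELDAPPACKAGELIST ENABLEUPNMAP
""".split()]   # 25 names: 0x00000001 .. 0x01000000

# Flags that let data carried in the request attributes set identity fields
# (subject / subject alternative name) of the issued certificate: confirm against policy.
REVIEW_FLAGS = {"CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT", "EDITF_ATTRIBUTESUBJECTALTNAME2"}

def decode_flags(value: int, names: list[str]) -> list[str]:
    """Names of the bits set in a registry DWORD; bits past the table stay visible as UNKNOWN_0x..."""
    return [names[bit] if bit < len(names) else f"UNKNOWN_0x{1 << bit:08x}"
            for bit in range(value.bit_length()) if value & (1 << bit)]

def encode_flags(flags: list[str], names: list[str]) -> int:
    """Inverse of decode_flags; list.index raises ValueError for a name not in the table."""
    value = 0
    for flag in flags:
        value |= 1 << names.index(flag)
    return value

def flags_to_review(value: int, names: list[str]) -> list[str]:
    """The set flags that also appear in REVIEW_FLAGS."""
    return [f for f in decode_flags(value, names) if f in REVIEW_FLAGS]

if __name__ == "__main__":
    sample = 0x15014E   # constructed sample value, not read from a real CA
    print(decode_flags(sample, EDIT_FLAG_NAMES))
    print("review:", flags_to_review(sample, EDIT_FLAG_NAMES))
```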