Active Directory Certificate Services

Latest revision as of 16:23, 3 March 2017

Microsoft's PKI Product.

Technet Wiki -> http://social.technet.microsoft.com/wiki/contents/articles/987.windows-pki-documentation-reference-and-library.aspx

==Some good to knows==

===Windows Server Roles===

{| class="wikitable"
! Role !! Abbreviation !! Notes !! Reference
|-
| Certificate Authority || CA || The CA role itself ||
|-
| Certificate Enrollment Policy Web Service || CEP || Enrollment for non-domain machines || http://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx
|-
| Certificate Enrollment Web Service || CES || Enrollment for non-domain machines || http://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx
|-
| Certificate Authority Web Enrollment || || Web interface to the CA ||
|-
| Network Device Enrollment Service || NDES || For routers etc. || http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx
|-
| Online Responder || || OCSP responder ||
|}

===Tools===


==Certificate Propagation in Enterprise CA==

From http://www.sysadmins.lv/blog-en/understanding-active-directory-certificate-services-containers-in-active-directory.aspx

===AD Location===

CN=Public Key Services, CN=Services, CN=Configuration, DC={forest root domain}

{| class="wikitable"
! Container !! What happens with its certificates
|-
| AIA || All certificates from this container are propagated to each client as a part of group policy processing to the client's Intermediate Certification Authorities container.
|-
| Certification Authorities || All certificates from this container are propagated to each client as a part of group policy processing to the client's Trusted Root Certification Authorities container.
|-
| Enrollment Services || All certificates from this container are propagated to each client as a part of group policy processing to the client's Intermediate Certification Authorities container. Also, this container is enumerated during the certificate enrollment process.
|-
| NTAuthCertificates || All certificates from this container are propagated to each client as a part of group policy processing to the client's Intermediate Certification Authorities container.
|}

===Standalone===

For a standalone CA you'll need to do this manually... -> http://unixwiz.net/techtips/deploy-webcert-gp.html

===Group Policy===

Settings are located in Computer Configuration\Windows Settings\Security Settings\Public Key Policies.


==certsvc flags==

The configuration of AD CS sits in the registry at HKLM\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\NameOfYourCA

Some fields you'll come across:

==CRL Flags==

{| class="wikitable"
! Flag Name !! Flag value !! Comment
|-
|CRLF_DELTA_USE_OLDEST_UNEXPIRED_BASE || 0x00000001 ||
|-
|CRLF_DELETE_EXPIRED_CRLS || 0x00000002 || (default 2008R2)
|-
|CRLF_CRLNUMBER_CRITICAL || 0x00000004 ||
|-
|CRLF_REVCHECK_IGNORE_OFFLINE || 0x00000008 ||
|-
|CRLF_IGNORE_INVALID_POLICIES || 0x00000010 ||
|-
|CRLF_REBUILD_MODIFIED_SUBJECT_ONLY || 0x00000020 ||
|-
|CRLF_SAVE_FAILED_CERTS || 0x00000040 ||
|-
|CRLF_IGNORE_UNKNOWN_CMC_ATTRIBUTES || 0x00000080 ||
|-
|CRLF_IGNORE_CROSS_CERT_TRUST_ERROR || 0x00000100 ||
|-
|CRLF_PUBLISH_EXPIRED_CERT_CRLS || 0x00000200 || Include or exclude expired certificates in the CRL (https://social.technet.microsoft.com/wiki/contents/articles/16227.large-crls-what-is-added-to-a-certificate-revocation-list-crl.aspx?Sort=MostUseful&PageIndex=1)
|-
|CRLF_ENFORCE_ENROLLMENT_AGENT || 0x00000400 ||
|-
|CRLF_DISABLE_RDN_REORDER || 0x00000800 ||
|-
|CRLF_DISABLE_ROOT_CROSS_CERTS || 0x00001000 ||
|-
|CRLF_LOG_FULL_RESPONSE || 0x00002000 ||
|-
|CRLF_USE_XCHG_CERT_TEMPLATE || 0x00004000 ||
|-
|CRLF_USE_CROSS_CERT_TEMPLATE || 0x00008000 ||
|-
|CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT || 0x00010000 || Enables parsing of request attributes for subject information (required for Netscape browser enrollment)
|-
|CRLF_REVCHECK_IGNORE_NOREVCHECK || 0x00020000 ||
|-
|CRLF_PRESERVE_EXPIRED_CA_CERTS || 0x00040000 ||
|-
|CRLF_PRESERVE_REVOKED_CA_CERTS || 0x00080000 ||
|}
<syntaxhighlight language="powershell">
# show the current value and the names of the flags set in it
certutil -getreg ca\CRLFlags
# replace CRLF_ATTRIBUTE with a flag name from the table above; + sets the bit, - clears it
certutil -setreg ca\CRLFlags +CRLF_ATTRIBUTE
</syntaxhighlight>

==EDIT Flags==

{| class="wikitable"
! Flag Name !! Flag value !! Comment
|-
|EDITF_ENABLEREQUESTEXTENSIONS || 0x00000001 ||
|-
|EDITF_REQUESTEXTENSIONLIST || 0x00000002 || (default 2008R2)
|-
|EDITF_DISABLEEXTENSIONLIST || 0x00000004 || (default 2008R2)
|-
|EDITF_ADDOLDKEYUSAGE || 0x00000008 || (default 2008R2)
|-
|EDITF_ADDOLDCERTTYPE || 0x00000010 ||
|-
|EDITF_ATTRIBUTEENDDATE || 0x00000020 || Allows the certificate's validity end date to be specified in the request. On an Enterprise CA the validity is (mainly) determined by the certificate template settings; a Standalone CA determines it from the ValidityPeriod and ValidityPeriodUnits settings only. This flag allows those two settings to be overridden to set the certificate's validity.
|-
|EDITF_BASICCONSTRAINTSCRITICAL || 0x00000040 || (default 2008R2) Marks the Basic Constraints extension as critical.
|-
|EDITF_BASICCONSTRAINTSCA || 0x00000080 || Enables the Basic Constraints extension for CA certificates.
|-
|EDITF_ENABLEAKIKEYID || 0x00000100 || (default 2008R2) Enables the KeyID value (hash of the issuer's public key) to appear in the Authority Key Identifier (AKI) extension.
|-
|EDITF_ATTRIBUTECA || 0x00000200 ||
|-
|EDITF_IGNOREREQUESTERGROUP || 0x00000400 ||
|-
|EDITF_ENABLEAKIISSUERNAME || 0x00000800 || Enables the issuer name value to appear in the Authority Key Identifier (AKI) extension.
|-
|EDITF_ENABLEAKIISSUERSERIAL || 0x00001000 || Enables the issuer certificate's serial number to appear in the Authority Key Identifier (AKI) extension.
|-
|EDITF_ENABLEAKICRITICAL || 0x00002000 || Marks the Authority Key Identifier (AKI) extension as critical.
|-
|EDITF_SERVERUPGRADED || 0x00004000 ||
|-
|EDITF_ATTRIBUTEEKU || 0x00008000 || Enables Enhanced Key Usage (EKU) extensions to be passed as an unauthenticated request attribute (rather than including the EKU extension as an authenticated extension in the request).
|-
|EDITF_ENABLEDEFAULTSMIME || 0x00010000 || (default 2008R2)
|-
|EDITF_EMAILOPTIONAL || 0x00020000 ||
|-
|EDITF_ATTRIBUTESUBJECTALTNAME2 || 0x00040000 || Enables definition of the Subject Alternative Name in request attributes. (Against security best practice! DISABLE ALL NORMAL USER INTERACTION with this CA, because this setting allows every template to be used with user-defined SANs.)
|-
|EDITF_ENABLELDAPREFERRALS || 0x00080000 || Allows the Certification Authority (CA) to chase a referral for user or computer information in a trusted forest. When referrals are not chased and the user information is not available, the request will be denied if the user is enrolling from another forest. Referral chasing is not enabled by default, as unintended template enumeration and enrollment may occur in some scenarios. This flag is necessary only for cross-forest enrollment scenarios.
|-
|EDITF_ENABLECHASECLIENTDC || 0x00100000 || (default 2008R2)
|-
|EDITF_AUDITCERTTEMPLATELOAD || 0x00200000 ||
|-
|EDITF_DISABLEOLDOSCNUPN || 0x00400000 ||
|-
|EDITF_DISABLELDAPPACKAGELIST || 0x00800000 ||
|-
|EDITF_ENABLEUPNMAP || 0x01000000 ||
|}

https://www.sysadmins.lv/projects/pspki/Enable-PolicyModuleFlag.aspx

<syntaxhighlight language="powershell">
# show the current value and the names of the flags set in it
certutil -getreg policy\EditFlags
# replace EDITF_ATTRIBUTE with a flag name from the table above; + sets the bit, - clears it
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTE
</syntaxhighlight>

src: Microsoft's certsrv.h
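Both tables above describe one REG_DWORD each (CRLFlags and EditFlags), and certutil's +NAME/-NAME syntax simply sets or clears a single bit in it. The following script is an added example, not part of the wiki page and not certutil's or Microsoft's code: it decodes such a DWORD back into the flag names from the tables, reports which EditFlags differ from the ones marked "(default 2008R2)" above, singles out the flags whose table entries hand control of certificate content (SAN, EKU, validity end date) to the request, and computes what a given +NAME/-NAME change would store. The sample certutil output is constructed and only approximates the real `certutil -getreg policy\EditFlags` format; CA-NAME is a placeholder.

```python
"""Decode and audit the CRLFlags / EditFlags bitmasks of an AD CS CA offline.

Added example (not from the wiki page, not certutil's own code). Flag names and
bit values come from the two tables above (Microsoft's certsrv.h); the sample
certutil output is constructed and only approximates the real format.
"""
import re
from typing import Dict, List, Tuple

# Both tables are runs of consecutive single-bit flags, so bit i == i-th name.
CRL_FLAGS: Dict[str, int] = {name: 1 << i for i, name in enumerate([
    "CRLF_DELTA_USE_OLDEST_UNEXPIRED_BASE", "CRLF_DELETE_EXPIRED_CRLS",
    "CRLF_CRLNUMBER_CRITICAL", "CRLF_REVCHECK_IGNORE_OFFLINE",
    "CRLF_IGNORE_INVALID_POLICIES", "CRLF_REBUILD_MODIFIED_SUBJECT_ONLY",
    "CRLF_SAVE_FAILED_CERTS", "CRLF_IGNORE_UNKNOWN_CMC_ATTRIBUTES",
    "CRLF_IGNORE_CROSS_CERT_TRUST_ERROR", "CRLF_PUBLISH_EXPIRED_CERT_CRLS",
    "CRLF_ENFORCE_ENROLLMENT_AGENT", "CRLF_DISABLE_RDN_REORDER",
    "CRLF_DISABLE_ROOT_CROSS_CERTS", "CRLF_LOG_FULL_RESPONSE",
    "CRLF_USE_XCHG_CERT_TEMPLATE", "CRLF_USE_CROSS_CERT_TEMPLATE",
    "CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT", "CRLF_REVCHECK_IGNORE_NOREVCHECK",
    "CRLF_PRESERVE_EXPIRED_CA_CERTS", "CRLF_PRESERVE_REVOKED_CA_CERTS",
])}
EDIT_FLAGS: Dict[str, int] = {name: 1 << i for i, name in enumerate([
    "EDITF_ENABLEREQUESTEXTENSIONS", "EDITF_REQUESTEXTENSIONLIST",
    "EDITF_DISABLEEXTENSIONLIST", "EDITF_ADDOLDKEYUSAGE", "EDITF_ADDOLDCERTTYPE",
    "EDITF_ATTRIBUTEENDDATE", "EDITF_BASICCONSTRAINTSCRITICAL",
    "EDITF_BASICCONSTRAINTSCA", "EDITF_ENABLEAKIKEYID", "EDITF_ATTRIBUTECA",
    "EDITF_IGNOREREQUESTERGROUP", "EDITF_ENABLEAKIISSUERNAME",
    "EDITF_ENABLEAKIISSUERSERIAL", "EDITF_ENABLEAKICRITICAL",
    "EDITF_SERVERUPGRADED", "EDITF_ATTRIBUTEEKU", "EDITF_ENABLEDEFAULTSMIME",
    "EDITF_EMAILOPTIONAL", "EDITF_ATTRIBUTESUBJECTALTNAME2",
    "EDITF_ENABLELDAPREFERRALS", "EDITF_ENABLECHASECLIENTDC",
    "EDITF_AUDITCERTTEMPLATELOAD", "EDITF_DISABLEOLDOSCNUPN",
    "EDITF_DISABLELDAPPACKAGELIST", "EDITF_ENABLEUPNMAP",
])}

# Flags the tables above mark "(default 2008R2)".
DEFAULT_2008R2_EDIT_FLAGS = {
    "EDITF_REQUESTEXTENSIONLIST", "EDITF_DISABLEEXTENSIONLIST",
    "EDITF_ADDOLDKEYUSAGE", "EDITF_BASICCONSTRAINTSCRITICAL",
    "EDITF_ENABLEAKIKEYID", "EDITF_ENABLEDEFAULTSMIME", "EDITF_ENABLECHASECLIENTDC",
}
# Flags whose table entries let request attributes, not the template, decide
# certificate content (SAN, EKU, validity end date): worth a second look in any audit.
RISKY_EDIT_FLAGS = {"EDITF_ATTRIBUTESUBJECTALTNAME2", "EDITF_ATTRIBUTEEKU",
                    "EDITF_ATTRIBUTEENDDATE"}

# Constructed sample approximating `certutil -getreg policy\EditFlags` output.
# CA-NAME is a placeholder; 0x15014e is the 2008R2 default set plus SAN2.
SAMPLE_GETREG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CA-NAME\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy:

  EditFlags REG_DWORD = 15014e (1376590)
CertUtil: -getreg command completed successfully.
"""


def parse_getreg_dword(output: str) -> int:
    """Extract the DWORD certutil prints as 'REG_DWORD = <hex> (<decimal>)'."""
    m = re.search(r"REG_DWORD\s*=\s*([0-9a-f]+)\s*\((\d+)\)", output, re.I)
    if not m:
        raise ValueError("no REG_DWORD value found in certutil output")
    hex_value, dec_value = int(m.group(1), 16), int(m.group(2))
    if hex_value != dec_value:
        raise ValueError("hex and decimal forms disagree; output is garbled")
    return dec_value


def decode_flags(value: int, table: Dict[str, int]) -> Tuple[List[str], int]:
    """Return the names of the set flags (table order) and any bits not in the table."""
    names = [name for name, bit in table.items() if value & bit]
    known = 0
    for bit in table.values():
        known |= bit
    return names, value & ~known


def audit_edit_flags(value: int) -> Dict[str, object]:
    """Summarise an EditFlags value for review: set, risky, non-default, unknown bits."""
    names, unknown = decode_flags(value, EDIT_FLAGS)
    return {
        "set": names,
        "risky": sorted(n for n in names if n in RISKY_EDIT_FLAGS),
        "non_default": sorted(set(names) - DEFAULT_2008R2_EDIT_FLAGS),
        "unknown_bits": unknown,
    }


def apply_flag_change(value: int, table: Dict[str, int], change: str) -> int:
    """Compute what `certutil -setreg ... +NAME` / `-NAME` stores (set/clear one bit)."""
    sign, name = change[:1], change[1:]
    if sign not in ("+", "-") or name not in table:
        raise ValueError("expected +FLAGNAME or -FLAGNAME from the tables above")
    return value | table[name] if sign == "+" else value & ~table[name]


if __name__ == "__main__":
    current = parse_getreg_dword(SAMPLE_GETREG_OUTPUT)
    print(f"EditFlags = 0x{current:08x}")
    for key, val in audit_edit_flags(current).items():
        print(f"  {key}: {val}")
    fixed = apply_flag_change(current, EDIT_FLAGS, "-EDITF_ATTRIBUTESUBJECTALTNAME2")
    print(f"after -EDITF_ATTRIBUTESUBJECTALTNAME2: 0x{fixed:08x}")
```

In practice you would feed `parse_getreg_dword` the saved output of `certutil -getreg policy\EditFlags` (or `ca\CRLFlags` with `CRL_FLAGS`) from each CA and diff the `non_default` and `risky` lists across your CAs. `apply_flag_change` only predicts the resulting value; the actual change is still made with `certutil -setreg` as shown above, and the CA service has to be restarted (net stop certsvc / net start certsvc) before the new flags take effect.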