Active Directory Certificate Services: Difference between revisions
Latest revision as of 16:23, 3 March 2017
Microsoft's PKI Product.
Technet Wiki -> http://social.technet.microsoft.com/wiki/contents/articles/987.windows-pki-documentation-reference-and-library.aspx
Windows Server Roles
Role | Purpose | Reference |
---|---|---|
Certificate Authority | The CA role itself: issues certificates and publishes CRLs | |
Certificate Enrollment Policy Web Service | CEP: serves enrollment policy (which templates a client may enroll for) over HTTPS, so that non-domain-joined machines can enroll | http://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx |
Certificate Enrollment Web Service | CES: HTTPS endpoint that accepts enrollment requests and forwards them to the CA on the client's behalf, for non-domain-joined machines | http://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx |
Certificate Authority Web Enrollment | Web interface (certsrv) to the CA. It authenticates with NTLM by default and is a known NTLM-relay target (ESC8); require HTTPS with Extended Protection for Authentication, or disable NTLM on it | |
Network Device Enrollment Service | NDES: SCEP enrollment for routers, switches and other devices that have no domain account | http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx |
Online Responder | OCSP responder | |
Tools
Certificate Propagation in Enterprise CA
AD Location
CN=Public Key Services,CN=Services,CN=Configuration,DC={forest root domain}
The containers below are read by every domain member during Group Policy processing, so anyone who can write to them can put a trust anchor or a logon-capable CA in front of the whole forest. Audit their ACLs as carefully as the CA itself.
AIA
All certificates from this container are propagated to each client as part of group policy processing into the client's Intermediate Certification Authorities store. It is also where the LDAP AIA URL points, so chain building fetches issuer certificates from here.
Certification Authorities
All certificates from this container are propagated to each client as part of group policy processing into the client's Trusted Root Certification Authorities store, i.e. every certificate here becomes a trust anchor for the forest.
Enrollment Services
All certificates from this container are propagated to each client as part of group policy processing into the client's Intermediate Certification Authorities store. This container is also enumerated during the certificate enrollment process: one pKIEnrollmentService object per enterprise CA records the CA host (dNSHostName) and the templates it publishes (certificateTemplates).
NTAuthCertificates
This is a single object rather than a container; all certificates in its cACertificate attribute are propagated to each client as part of group policy processing into the client's Intermediate Certification Authorities store and into the machine's Enterprise NTAuth store. Only CAs listed here may issue certificates that are accepted for domain authentication (smart card / PKINIT logon, Schannel client-certificate mapping). A retired CA left in this object stays trusted for logon, so remove it when the CA is decommissioned.
Standalone
A standalone CA publishes nothing to AD, so its root certificate has to be distributed to clients by other means, e.g. Group Policy as described at http://unixwiz.net/techtips/deploy-webcert-gp.html
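The following script is an added example for this page, not code from the original page or from Microsoft. It enumerates the four Public Key Services locations described above, lists every certificate in them, and cross-checks NTAuthCertificates against Enrollment Services: a CA that may issue logon certificates but no longer has an enrollment service object is a stale logon trust worth reviewing. It assumes a domain-joined host and a user who can read the Configuration partition (Authenticated Users can, by default); it uses the built-in [ADSI] accelerator, so the ActiveDirectory module is not required.

```powershell
# Added example for this page (not code from the original page or from Microsoft):
# list every certificate in the four Public Key Services locations described above and
# cross-check NTAuthCertificates against Enrollment Services.
# Assumptions: runs on a domain-joined host as a user who can read the Configuration
# partition (Authenticated Users can, by default). Uses the built-in [ADSI] accelerator,
# so the ActiveDirectory module is not required.

$configNC = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'][0]
$pksDn    = "CN=Public Key Services,CN=Services,$configNC"

function Get-PkiContainerCertificate {
    # One record per certificate found in the named Public Key Services location.
    param([Parameter(Mandatory)][string]$Container)

    $entry = [ADSI]"LDAP://CN=$Container,$pksDn"
    # NTAuthCertificates is a single object whose multi-valued cACertificate attribute
    # holds every logon-trusted CA; the other three are containers with one child per CA.
    $objects = if ($Container -eq 'NTAuthCertificates') { @($entry) } else { @($entry.Children) }

    foreach ($obj in $objects) {
        foreach ($der in @($obj.Properties['cACertificate'])) {
            if (-not $der) { continue }
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(,[byte[]]$der)
            [pscustomobject]@{
                Container  = $Container
                Object     = $obj.Name
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
            }
        }
    }
}

# Full inventory of what every domain member will trust after the next policy refresh.
$inventory = 'Certification Authorities', 'AIA', 'Enrollment Services', 'NTAuthCertificates' |
    ForEach-Object { Get-PkiContainerCertificate -Container $_ }
$inventory | Format-Table Container, Object, Subject, Thumbprint, NotAfter -AutoSize

# Every CA allowed to issue logon certificates (NTAuthCertificates) should correspond to a
# live enterprise CA (Enrollment Services). Anything else is a stale logon trust to review.
$ntauth   = $inventory | Where-Object Container -eq 'NTAuthCertificates'
$enrolled = $inventory | Where-Object Container -eq 'Enrollment Services'
$stale    = $ntauth | Where-Object { $_.Thumbprint -notin @($enrolled.Thumbprint) }

if ($stale) {
    Write-Warning 'NTAuthCertificates entries with no matching Enrollment Services object:'
    $stale | Format-Table Subject, Thumbprint, NotAfter -AutoSize
}
```

Run it from any domain member; the inventory is what autoenrollment will push to every machine. Certificates are added to NTAuthCertificates with certutil -dspublish -f <cacert.cer> NTAuthCA, and the same store is where a decommissioned CA must be removed from, otherwise it remains able to issue logon certificates.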
Group Policy
Settings are located in Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies (older policy editors show the path without the Policies node).
certsvc flags
Config of AD CS sits in the registry at HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<NameOfYourCA>. CRLFlags is a DWORD directly under that key; EditFlags lives under PolicyModules\CertificateAuthority_MicrosoftDefault.Policy, which is why certutil addresses them as ca\CRLFlags and policy\EditFlags. Both values are bitmasks of the flags tabulated below.
Some fields you'll come across
CRL Flags
Flag Name | Flag value | Comment |
---|---|---|
CRLF_DELTA_USE_OLDEST_UNEXPIRED_BASE | 0x00000001 | |
CRLF_DELETE_EXPIRED_CRLS | 0x00000002 | (default 2008R2) |
CRLF_CRLNUMBER_CRITICAL | 0x00000004 | |
CRLF_REVCHECK_IGNORE_OFFLINE | 0x00000008 | |
CRLF_IGNORE_INVALID_POLICIES | 0x00000010 | |
CRLF_REBUILD_MODIFIED_SUBJECT_ONLY | 0x00000020 | |
CRLF_SAVE_FAILED_CERTS | 0x00000040 | |
CRLF_IGNORE_UNKNOWN_CMC_ATTRIBUTES | 0x00000080 | |
CRLF_IGNORE_CROSS_CERT_TRUST_ERROR | 0x00000100 | |
CRLF_PUBLISH_EXPIRED_CERT_CRLS | 0x00000200 | Keep revoked certificates on the CRL after they have expired; by default expired entries are dropped, which keeps CRLs small (https://social.technet.microsoft.com/wiki/contents/articles/16227.large-crls-what-is-added-to-a-certificate-revocation-list-crl.aspx?Sort=MostUseful&PageIndex=1) |
CRLF_ENFORCE_ENROLLMENT_AGENT | 0x00000400 | |
CRLF_DISABLE_RDN_REORDER | 0x00000800 | |
CRLF_DISABLE_ROOT_CROSS_CERTS | 0x00001000 | |
CRLF_LOG_FULL_RESPONSE | 0x00002000 | |
CRLF_USE_XCHG_CERT_TEMPLATE | 0x00004000 | |
CRLF_USE_CROSS_CERT_TEMPLATE | 0x00008000 | |
CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT | 0x00010000 | To enable the parsing of request attributes for subject information (which is required for Netscape browser enrollment) |
CRLF_REVCHECK_IGNORE_NOREVCHECK | 0x00020000 | |
CRLF_PRESERVE_EXPIRED_CA_CERTS | 0x00040000 | |
CRLF_PRESERVE_REVOKED_CA_CERTS | 0x00080000 | |
certutil -getreg ca\CRLFlags
certutil -setreg ca\CRLFlags +CRLF_<FLAGNAME>    (replace the placeholder with a flag name from the table; prefix with - instead of + to clear a flag)
net stop certsvc && net start certsvc             (the CA reads the value at start-up, so restart it for the change to take effect)
EDIT Flags
Flag Name | Flag value | Comment |
---|---|---|
EDITF_ENABLEREQUESTEXTENSIONS | 0x00000001 | |
EDITF_REQUESTEXTENSIONLIST | 0x00000002 | (default 2008R2) |
EDITF_DISABLEEXTENSIONLIST | 0x00000004 | (default 2008R2) |
EDITF_ADDOLDKEYUSAGE | 0x00000008 | (default 2008R2) |
EDITF_ADDOLDCERTTYPE | 0x00000010 | |
EDITF_ATTRIBUTEENDDATE | 0x00000020 | Allows the requester to specify the certificate's validity end date through a request attribute. On an Enterprise CA validity is (mainly) determined by the certificate template; a Standalone CA derives it from the ValidityPeriod and ValidityPeriodUnits settings only. With this flag a request attribute overrides ValidityPeriod/ValidityPeriodUnits, so the end date becomes requester-controlled; enable it only where every requester is trusted. |
EDITF_BASICCONSTRAINTSCRITICAL | 0x00000040 | (default 2008R2) Marks Basic Constraints extension as critical. |
EDITF_BASICCONSTRAINTSCA | 0x00000080 | Enables Basic Constraints extension for CA certificates. |
EDITF_ENABLEAKIKEYID | 0x00000100 | (default 2008R2) Enables KeyID (issuer's public key hash) value to appear in Authority Key Identifier (AKI) extension. |
EDITF_ATTRIBUTECA | 0x00000200 | |
EDITF_IGNOREREQUESTERGROUP | 0x00000400 | |
EDITF_ENABLEAKIISSUERNAME | 0x00000800 | Enables issuer name value to appear in Authority Key Identifier (AKI) extension. |
EDITF_ENABLEAKIISSUERSERIAL | 0x00001000 | Enables issuer certificate's serial number to appear in Authority Key Identifier (AKI) extension. |
EDITF_ENABLEAKICRITICAL | 0x00002000 | Marks Authority Key Identifier (AKI) extension as critical. |
EDITF_SERVERUPGRADED | 0x00004000 | |
EDITF_ATTRIBUTEEKU | 0x00008000 | Allows Enhanced Key Usage (EKU) values to be passed as an unauthenticated request attribute (rather than as an EKU extension inside the signed request). Like the SAN flag below, this puts a security-relevant field under the requester's control for every template the CA publishes. |
EDITF_ENABLEDEFAULTSMIME | 0x00010000 | (default 2008R2) |
EDITF_EMAILOPTIONAL | 0x00020000 | |
EDITF_ATTRIBUTESUBJECTALTNAME2 | 0x00040000 | Lets the requester supply Subject Alternative Name values as an unauthenticated request attribute (e.g. san:upn=...), and does so for every template the CA publishes. Against security best practice: any principal with enrollment rights on any template that allows client authentication can request a certificate for an arbitrary UPN, including a domain admin's, and log on as that account (this misconfiguration is ESC6 in the SpecterOps "Certified Pre-Owned" paper). If a CA must run with it, disable all normal user enrollment on that CA. Check with certutil -getreg policy\EditFlags; clear with certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2 and restart certsvc. Where one template genuinely needs requester-supplied SANs, enable "Supply in the request" on that single template and restrict its enrollment permissions instead. |
EDITF_ENABLELDAPREFERRALS | 0x00080000 | Allows the Certification Authority (CA) to chase a referral for user or computer information in a trusted forest. When referrals are not chased and the user information is not available, the request is denied if the user is enrolling from another forest. Referral chasing is off by default because unintended template enumeration and enrollment may occur in some scenarios. This flag is necessary only for cross-forest enrollment scenarios. |
EDITF_ENABLECHASECLIENTDC | 0x00100000 | (default 2008R2) |
EDITF_AUDITCERTTEMPLATELOAD | 0x00200000 | |
EDITF_DISABLEOLDOSCNUPN | 0x00400000 | |
EDITF_DISABLELDAPPACKAGELIST | 0x00800000 | |
EDITF_ENABLEUPNMAP | 0x01000000 | |
https://www.sysadmins.lv/projects/pspki/Enable-PolicyModuleFlag.aspx
certutil -getreg policy\EditFlags
certutil -setreg policy\EditFlags +EDITF_<FLAGNAME>    (replace the placeholder with a flag name from the table; prefix with - instead of + to clear a flag, e.g. -EDITF_ATTRIBUTESUBJECTALTNAME2)
net stop certsvc && net start certsvc                   (the policy module reads the value at start-up, so restart the CA for the change to take effect)
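The certutil output above is a raw number; the script below is an added example for this page (not code from the original page or from Microsoft) that decodes the EditFlags bitmask into the flag names tabulated above and alerts on EDITF_ATTRIBUTESUBJECTALTNAME2. It assumes it is run on the CA host as a local administrator so the CertSvc registry key is readable; on any other host it falls back to a constructed sample value (the stock defaults marked in the table sum to 0x11014E, and adding the SAN flag gives 0x15014E) so the decoder can still be exercised offline. The decoder is generic, so the CRLFlags table above can be fed to it the same way.

```powershell
# Added example for this page (not code from the original page or from Microsoft):
# decode the CA's EditFlags bitmask into the flag names tabulated above and alert on
# EDITF_ATTRIBUTESUBJECTALTNAME2. Assumptions: run on the CA host as a local administrator
# (the CertSvc registry key is readable); elsewhere it falls back to a constructed sample
# value so the decoder can still be exercised. The decoder is generic, so the CRLFlags
# table above can be passed to it in the same way.

$EditFlagNames = [ordered]@{
    EDITF_ENABLEREQUESTEXTENSIONS  = 0x00000001
    EDITF_REQUESTEXTENSIONLIST     = 0x00000002
    EDITF_DISABLEEXTENSIONLIST     = 0x00000004
    EDITF_ADDOLDKEYUSAGE           = 0x00000008
    EDITF_ADDOLDCERTTYPE           = 0x00000010
    EDITF_ATTRIBUTEENDDATE         = 0x00000020
    EDITF_BASICCONSTRAINTSCRITICAL = 0x00000040
    EDITF_BASICCONSTRAINTSCA       = 0x00000080
    EDITF_ENABLEAKIKEYID           = 0x00000100
    EDITF_ATTRIBUTECA              = 0x00000200
    EDITF_IGNOREREQUESTERGROUP     = 0x00000400
    EDITF_ENABLEAKIISSUERNAME      = 0x00000800
    EDITF_ENABLEAKIISSUERSERIAL    = 0x00001000
    EDITF_ENABLEAKICRITICAL        = 0x00002000
    EDITF_SERVERUPGRADED           = 0x00004000
    EDITF_ATTRIBUTEEKU             = 0x00008000
    EDITF_ENABLEDEFAULTSMIME       = 0x00010000
    EDITF_EMAILOPTIONAL            = 0x00020000
    EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000
    EDITF_ENABLELDAPREFERRALS      = 0x00080000
    EDITF_ENABLECHASECLIENTDC      = 0x00100000
    EDITF_AUDITCERTTEMPLATELOAD    = 0x00200000
    EDITF_DISABLEOLDOSCNUPN        = 0x00400000
    EDITF_DISABLELDAPPACKAGELIST   = 0x00800000
    EDITF_ENABLEUPNMAP             = 0x01000000
}

function ConvertFrom-BitFlags {
    # Names of every flag in $Table whose bit is set in $Value; leftover bits are reported as UNKNOWN_.
    param(
        [Parameter(Mandatory)][System.Collections.IDictionary]$Table,
        [Parameter(Mandatory)][uint32]$Value
    )
    $known = [uint32]0
    foreach ($kv in $Table.GetEnumerator()) {
        if ($Value -band $kv.Value) { $kv.Key }
        $known = $known -bor [uint32]$kv.Value
    }
    $unknown = $Value -band -bnot $known
    if ($unknown) { 'UNKNOWN_0x{0:X8}' -f $unknown }
}

function Get-CaEditFlags {
    # Reads EditFlags for the active CA and its active policy module from the registry,
    # the same value that "certutil -getreg policy\EditFlags" prints.
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg -Name Active).Active
    $polKey = Join-Path $cfg "$caName\PolicyModules"
    $module = (Get-ItemProperty -Path $polKey -Name Active).Active
    $value  = (Get-ItemProperty -Path (Join-Path $polKey $module) -Name EditFlags).EditFlags
    [pscustomobject]@{ CA = $caName; PolicyModule = $module; EditFlags = [uint32]$value }
}

if (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration') {
    $ca = Get-CaEditFlags
} else {
    # Constructed sample, not read from any system: the stock 2008R2 defaults marked in the
    # table above sum to 0x11014E; adding the SAN flag (0x40000) gives 0x15014E, the value
    # an ESC6-vulnerable CA typically shows.
    $ca = [pscustomobject]@{ CA = 'sample'; PolicyModule = 'n/a'; EditFlags = [uint32]0x15014E }
}

$flags = @(ConvertFrom-BitFlags -Table $EditFlagNames -Value $ca.EditFlags)
'{0}: EditFlags = 0x{1:X8} ({1})' -f $ca.CA, $ca.EditFlags
$flags | ForEach-Object { "  $_" }

if ($flags -contains 'EDITF_ATTRIBUTESUBJECTALTNAME2') {
    Write-Warning 'EDITF_ATTRIBUTESUBJECTALTNAME2 is set: any enrollee can supply an arbitrary SAN on any template (ESC6).'
    Write-Warning 'Fix: certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2 ; Restart-Service certsvc'
}
```

The remediation is deliberately printed rather than executed, so the script is safe to run as a read-only audit; apply the certutil command and restart certsvc only after confirming no workflow depends on requester-supplied SANs. For a remote CA, the same value can be pulled with certutil -config "host\CAName" -getreg policy\EditFlags and handed to ConvertFrom-BitFlags.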
src: Microsoft's certsrv.h