Active Directory Certificate Services
Microsoft's PKI Product.
Technet Wiki -> http://social.technet.microsoft.com/wiki/contents/articles/987.windows-pki-documentation-reference-and-library.aspx
Windows Server Roles
Role | Description | Link |
---|---|---|
Certificate Authority | CA role itself | |
Certificate Enrollment Policy Web Service | CEP - Enrollment for non-domain machines | http://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx |
Certificate Enrollment Web Service | CES - Enrollment for non-domain machines | http://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx |
Certificate Authority Web Enrollment | Web interface to the CA | |
Network Device Enrollment Service | NDES for routers etc. | http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx |
Online Responder | OCSP responder | |
Tools
Certificate Propagation in Enterprise CA
AD Location
CN=Public Key Services, CN=Services, CN=Configuration, DC={forest root domain}
AIA
All certificates from this container are propagated to each client, as part of group policy processing, into the client's Intermediate Certification Authorities store.
Certification Authorities
All certificates from this container are propagated to each client, as part of group policy processing, into the client's Trusted Root Certification Authorities store.
Enrollment Services
All certificates from this container are propagated to each client, as part of group policy processing, into the client's Intermediate Certification Authorities store. This container is also enumerated during the certificate enrollment process.
NTAuthCertificates
All certificates from this container are propagated to each client, as part of group policy processing, into the client's Intermediate Certification Authorities store.
Standalone
For a standalone CA, you'll need to do this manually... -> http://unixwiz.net/techtips/deploy-webcert-gp.html
Group Policy
Settings are located in Computer Configuration\Windows Settings\Security Settings\Public Key Policies.
certsvc flags
The ADCS configuration sits in the registry at HKLM\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\NameOfYourCA
Some fields you'll come across
CRL Flags
Flag Name | Flag value | Comment |
---|---|---|
CRLF_DELTA_USE_OLDEST_UNEXPIRED_BASE | 0x00000001 | |
CRLF_DELETE_EXPIRED_CRLS | 0x00000002 | (default 2008R2) |
CRLF_CRLNUMBER_CRITICAL | 0x00000004 | |
CRLF_REVCHECK_IGNORE_OFFLINE | 0x00000008 | |
CRLF_IGNORE_INVALID_POLICIES | 0x00000010 | |
CRLF_REBUILD_MODIFIED_SUBJECT_ONLY | 0x00000020 | |
CRLF_SAVE_FAILED_CERTS | 0x00000040 | |
CRLF_IGNORE_UNKNOWN_CMC_ATTRIBUTES | 0x00000080 | |
CRLF_IGNORE_CROSS_CERT_TRUST_ERROR | 0x00000100 | |
CRLF_PUBLISH_EXPIRED_CERT_CRLS | 0x00000200 | Include or exclude expired certificates in the CRL (https://social.technet.microsoft.com/wiki/contents/articles/16227.large-crls-what-is-added-to-a-certificate-revocation-list-crl.aspx?Sort=MostUseful&PageIndex=1) |
CRLF_ENFORCE_ENROLLMENT_AGENT | 0x00000400 | |
CRLF_DISABLE_RDN_REORDER | 0x00000800 | |
CRLF_DISABLE_ROOT_CROSS_CERTS | 0x00001000 | |
CRLF_LOG_FULL_RESPONSE | 0x00002000 | |
CRLF_USE_XCHG_CERT_TEMPLATE | 0x00004000 | |
CRLF_USE_CROSS_CERT_TEMPLATE | 0x00008000 | |
CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT | 0x00010000 | To enable the parsing of request attributes for subject information (which is required for Netscape browser enrollment) |
CRLF_REVCHECK_IGNORE_NOREVCHECK | 0x00020000 | |
CRLF_PRESERVE_EXPIRED_CA_CERTS | 0x00040000 | |
CRLF_PRESERVE_REVOKED_CA_CERTS | 0x00080000 | |
certutil -getreg ca\CRLFlags
certutil -setreg ca\CRLFlags +CRLF_ATTRIBUTE
EDIT Flags
Flag Name | Flag value | Comment |
---|---|---|
EDITF_ENABLEREQUESTEXTENSIONS | 0x00000001 | |
EDITF_REQUESTEXTENSIONLIST | 0x00000002 | (default 2008R2) |
EDITF_DISABLEEXTENSIONLIST | 0x00000004 | (default 2008R2) |
EDITF_ADDOLDKEYUSAGE | 0x00000008 | (default 2008R2) |
EDITF_ADDOLDCERTTYPE | 0x00000010 | |
EDITF_ATTRIBUTEENDDATE | 0x00000020 | |
EDITF_BASICCONSTRAINTSCRITICAL | 0x00000040 | (default 2008R2) |
EDITF_BASICCONSTRAINTSCA | 0x00000080 | |
EDITF_ENABLEAKIKEYID | 0x00000100 | (default 2008R2) |
EDITF_ATTRIBUTECA | 0x00000200 | |
EDITF_IGNOREREQUESTERGROUP | 0x00000400 | |
EDITF_ENABLEAKIISSUERNAME | 0x00000800 | |
EDITF_ENABLEAKIISSUERSERIAL | 0x00001000 | |
EDITF_ENABLEAKICRITICAL | 0x00002000 | |
EDITF_SERVERUPGRADED | 0x00004000 | |
EDITF_ATTRIBUTEEKU | 0x00008000 | |
EDITF_ENABLEDEFAULTSMIME | 0x00010000 | (default 2008R2) |
EDITF_EMAILOPTIONAL | 0x00020000 | |
EDITF_ATTRIBUTESUBJECTALTNAME2 | 0x00040000 | Enables definition of the Subject Alternative Name in request attributes (Against security best practice! DISABLE ALL NORMAL USER INTERACTION for this CA, because this setting allows all templates to be used with user-defined SANs) |
EDITF_ENABLELDAPREFERRALS | 0x00080000 | |
EDITF_ENABLECHASECLIENTDC | 0x00100000 | (default 2008R2) |
EDITF_AUDITCERTTEMPLATELOAD | 0x00200000 | |
EDITF_DISABLEOLDOSCNUPN | 0x00400000 | |
EDITF_DISABLELDAPPACKAGELIST | 0x00800000 | |
EDITF_ENABLEUPNMAP | 0x01000000 | |
certutil -getreg policy\EditFlags
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTE
src: Microsoft's certsrv.h
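An added example (not part of these notes and not Microsoft tooling): a small Python decoder for the DWORD bitmasks in the EDIT Flags and CRL Flags tables above, which parses the EditFlags line from a constructed sample of `certutil -getreg policy\EditFlags` output, lists which bits differ from the flags marked "(default 2008R2)", and reports whether EDITF_ATTRIBUTESUBJECTALTNAME2 is set. The sample value 0x15014e (defaults plus that flag) and the default set are assumptions derived from the table, not values taken from a real CA.

```python
import re

# Flag names and bit values copied from the EDIT Flags table above (certsrv.h names).
EDIT_FLAGS = {
    "EDITF_ENABLEREQUESTEXTENSIONS": 0x1, "EDITF_REQUESTEXTENSIONLIST": 0x2,
    "EDITF_DISABLEEXTENSIONLIST": 0x4, "EDITF_ADDOLDKEYUSAGE": 0x8,
    "EDITF_ADDOLDCERTTYPE": 0x10, "EDITF_ATTRIBUTEENDDATE": 0x20,
    "EDITF_BASICCONSTRAINTSCRITICAL": 0x40, "EDITF_BASICCONSTRAINTSCA": 0x80,
    "EDITF_ENABLEAKIKEYID": 0x100, "EDITF_ATTRIBUTECA": 0x200,
    "EDITF_IGNOREREQUESTERGROUP": 0x400, "EDITF_ENABLEAKIISSUERNAME": 0x800,
    "EDITF_ENABLEAKIISSUERSERIAL": 0x1000, "EDITF_ENABLEAKICRITICAL": 0x2000,
    "EDITF_SERVERUPGRADED": 0x4000, "EDITF_ATTRIBUTEEKU": 0x8000,
    "EDITF_ENABLEDEFAULTSMIME": 0x10000, "EDITF_EMAILOPTIONAL": 0x20000,
    "EDITF_ATTRIBUTESUBJECTALTNAME2": 0x40000, "EDITF_ENABLELDAPREFERRALS": 0x80000,
    "EDITF_ENABLECHASECLIENTDC": 0x100000, "EDITF_AUDITCERTTEMPLATELOAD": 0x200000,
    "EDITF_DISABLEOLDOSCNUPN": 0x400000, "EDITF_DISABLELDAPPACKAGELIST": 0x800000,
    "EDITF_ENABLEUPNMAP": 0x1000000,
}
# The flags the table marks "(default 2008R2)"; OR-ed together they are 0x11014e (assumption).
DEFAULT_2008R2 = {"EDITF_REQUESTEXTENSIONLIST", "EDITF_DISABLEEXTENSIONLIST",
                  "EDITF_ADDOLDKEYUSAGE", "EDITF_BASICCONSTRAINTSCRITICAL",
                  "EDITF_ENABLEAKIKEYID", "EDITF_ENABLEDEFAULTSMIME",
                  "EDITF_ENABLECHASECLIENTDC"}

def decode_flags(value, table=EDIT_FLAGS):
    """Names of every bit set in a DWORD; pass a CRLF_* dict to decode CRLFlags instead."""
    return sorted(name for name, bit in table.items() if value & bit)

def parse_getreg_value(text):
    """Extract the DWORD from a certutil -getreg line such as
    'EditFlags REG_DWORD = 15014e (1376590)' (hex first, decimal in parentheses)."""
    m = re.search(r"REG_DWORD\s*=\s*([0-9a-fA-F]+)\s*\((\d+)\)", text)
    if not m or int(m.group(1), 16) != int(m.group(2)):
        raise ValueError("no consistent REG_DWORD line found")
    return int(m.group(1), 16)

def audit_edit_flags(value):
    """Compare a CA's EditFlags against the 2008R2 defaults and flag the SAN-in-attributes risk."""
    names = set(decode_flags(value))
    return {
        "san_from_request_attributes": "EDITF_ATTRIBUTESUBJECTALTNAME2" in names,
        "added_vs_default": sorted(names - DEFAULT_2008R2),
        "missing_vs_default": sorted(DEFAULT_2008R2 - names),
        # What the DWORD becomes after: certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
        "value_without_san2": value & ~EDIT_FLAGS["EDITF_ATTRIBUTESUBJECTALTNAME2"],
    }

# Constructed sample of the interesting line from 'certutil -getreg policy\EditFlags'.
SAMPLE = "  EditFlags REG_DWORD = 15014e (1376590)"
```

Feed the real `certutil -getreg policy\EditFlags` output to `parse_getreg_value` and check `audit_edit_flags(...)["san_from_request_attributes"]` on each CA; a `True` there means the warning in the EDIT Flags table applies.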