Active Directory Certificate Services

From WikiWiki

Active Directory Certificate Services (AD CS) is Microsoft's PKI product: the Windows Server role that issues and manages certificates for an Active Directory forest.

Technet Wiki -> http://social.technet.microsoft.com/wiki/contents/articles/987.windows-pki-documentation-reference-and-library.aspx

Good to know

Windows Server Roles

Certificate Authority - the CA role itself (issues certificates, publishes CRLs)
Certificate Enrollment Policy Web Service (CEP) - hands out the enrollment policy (which templates a client may use) over HTTPS; together with CES it enables enrollment for non-domain-joined machines http://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx
Certificate Enrollment Web Service (CES) - accepts certificate requests over HTTPS and forwards them to the CA; together with CEP it enables enrollment for non-domain-joined machines http://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx
Certificate Authority Web Enrollment - the (legacy) /certsrv web interface to the CA
Network Device Enrollment Service (NDES) - SCEP-based enrollment for routers, switches and other devices that have no domain account http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx
Online Responder - OCSP responder

Tools


Certificate Propagation in Enterprise CA

Source: http://www.sysadmins.lv/blog-en/understanding-active-directory-certificate-services-containers-in-active-directory.aspx

AD Location

CN=Public Key Services,CN=Services,CN=Configuration,DC={forest root domain}

The containers below sit under that path. Because it is in the Configuration partition it is replicated to every domain controller in the forest, and every domain member reads it during Group Policy (autoenrollment) processing.

AIA

Holds CA certificates published for Authority Information Access. All certificates from this container are propagated to each client as part of group policy processing, into the client's Intermediate Certification Authorities store.

Certification Authorities

Holds root CA certificates. All certificates from this container are propagated to each client as part of group policy processing, into the client's Trusted Root Certification Authorities store. Whoever can write here can make the whole forest trust a new root, so write access to this container should be restricted and audited.

Enrollment Services

One pKIEnrollmentService object per enterprise CA. All certificates from this container are propagated to each client as part of group policy processing, into the client's Intermediate Certification Authorities store. This container is also enumerated during the certificate enrollment process, so clients discover the available CAs (and the templates they offer) from here.

NTAuthCertificates

All certificates from this container are propagated to each client as part of group policy processing, into the client's Intermediate Certification Authorities store. A CA certificate must be present in NTAuthCertificates before certificates it issues are accepted for authentication to Active Directory (smart card / PKINIT and Schannel logon), which makes membership of this container security critical: a rogue CA certificate placed here is enough to mint logon certificates for any principal.

Standalone

A standalone CA does not publish to these containers, so its certificates have to be distributed manually, for example through Group Policy: http://unixwiz.net/techtips/deploy-webcert-gp.html

Group Policy

Settings are located under Computer Configuration\Windows Settings\Security Settings\Public Key Policies (Trusted Root Certification Authorities, Intermediate Certification Authorities, Trusted Publishers and the Certificate Services Client - Auto-Enrollment settings).


certsvc flags

The CA configuration lives in the registry under HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CAName>. CRLFlags sits directly under that key; EditFlags belongs to the default policy module and sits under <CAName>\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy. certutil -getreg / -setreg address the two locations with the ca\ and policy\ prefixes shown below, -config "host\CAName" targets a remote CA, and a change only takes effect after the CertSvc service is restarted.

Some fields you'll come across:

CRL Flags

Flag name                              Value       Comment
CRLF_DELTA_USE_OLDEST_UNEXPIRED_BASE   0x00000001
CRLF_DELETE_EXPIRED_CRLS               0x00000002  (default 2008R2)
CRLF_CRLNUMBER_CRITICAL                0x00000004
CRLF_REVCHECK_IGNORE_OFFLINE           0x00000008
CRLF_IGNORE_INVALID_POLICIES           0x00000010
CRLF_REBUILD_MODIFIED_SUBJECT_ONLY     0x00000020
CRLF_SAVE_FAILED_CERTS                 0x00000040
CRLF_IGNORE_UNKNOWN_CMC_ATTRIBUTES     0x00000080
CRLF_IGNORE_CROSS_CERT_TRUST_ERROR     0x00000100
CRLF_PUBLISH_EXPIRED_CERT_CRLS         0x00000200  Include (set) or exclude (clear) expired certificates in the CRL (https://social.technet.microsoft.com/wiki/contents/articles/16227.large-crls-what-is-added-to-a-certificate-revocation-list-crl.aspx?Sort=MostUseful&PageIndex=1)
CRLF_ENFORCE_ENROLLMENT_AGENT          0x00000400
CRLF_DISABLE_RDN_REORDER               0x00000800
CRLF_DISABLE_ROOT_CROSS_CERTS          0x00001000
CRLF_LOG_FULL_RESPONSE                 0x00002000
CRLF_USE_XCHG_CERT_TEMPLATE            0x00004000
CRLF_USE_CROSS_CERT_TEMPLATE           0x00008000
CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT   0x00010000  Parse request attributes for subject information (required for Netscape browser enrollment). Lets the requester choose the subject, so leave it off unless you need it.
CRLF_REVCHECK_IGNORE_NOREVCHECK        0x00020000
CRLF_PRESERVE_EXPIRED_CA_CERTS         0x00040000
CRLF_PRESERVE_REVOKED_CA_CERTS         0x00080000

Read and change the value with certutil (prefix a flag name with + to set it or - to clear it, then restart the service):

certutil -getreg ca\CRLFlags
certutil -setreg ca\CRLFlags +CRLF_PUBLISH_EXPIRED_CERT_CRLS
net stop certsvc && net start certsvc

EDIT Flags

Flag name                              Value       Comment
EDITF_ENABLEREQUESTEXTENSIONS          0x00000001
EDITF_REQUESTEXTENSIONLIST             0x00000002  (default 2008R2)
EDITF_DISABLEEXTENSIONLIST             0x00000004  (default 2008R2)
EDITF_ADDOLDKEYUSAGE                   0x00000008  (default 2008R2)
EDITF_ADDOLDCERTTYPE                   0x00000010
EDITF_ATTRIBUTEENDDATE                 0x00000020
EDITF_BASICCONSTRAINTSCRITICAL         0x00000040  (default 2008R2)
EDITF_BASICCONSTRAINTSCA               0x00000080
EDITF_ENABLEAKIKEYID                   0x00000100  (default 2008R2)
EDITF_ATTRIBUTECA                      0x00000200
EDITF_IGNOREREQUESTERGROUP             0x00000400
EDITF_ENABLEAKIISSUERNAME              0x00000800
EDITF_ENABLEAKIISSUERSERIAL            0x00001000
EDITF_ENABLEAKICRITICAL                0x00002000
EDITF_SERVERUPGRADED                   0x00004000
EDITF_ATTRIBUTEEKU                     0x00008000
EDITF_ENABLEDEFAULTSMIME               0x00010000  (default 2008R2)
EDITF_EMAILOPTIONAL                    0x00020000
EDITF_ATTRIBUTESUBJECTALTNAME2         0x00040000  Lets the requester define the Subject Alternative Name through request attributes (e.g. san:upn=...). Against security best practice: the setting is CA-wide, so every template this CA issues accepts a user-defined SAN, and any principal allowed to enroll in any template can request a certificate for an arbitrary UPN. (This is the condition SpecterOps catalogued as ESC6 in "Certified Pre-Owned".) If you really need it, DISABLE ALL NORMAL USER ENROLLMENT on this CA.
EDITF_ENABLELDAPREFERRALS              0x00080000
EDITF_ENABLECHASECLIENTDC              0x00100000  (default 2008R2)
EDITF_AUDITCERTTEMPLATELOAD            0x00200000
EDITF_DISABLEOLDOSCNUPN                0x00400000
EDITF_DISABLELDAPPACKAGELIST           0x00800000
EDITF_ENABLEUPNMAP                     0x01000000

The seven flags marked (default 2008R2) add up to 0x11014e (1114446), which is the value a stock 2008 R2 CA reports. Read and change the value with certutil (prefix a flag name with + to set it or - to clear it, then restart the service):

certutil -getreg policy\EditFlags
certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc && net start certsvc

Source: Microsoft's certsrv.h (Windows SDK)
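The flag tables above are only useful once you can turn the raw DWORD certutil prints back into names. The following audit helper is an added example, not code from this page or from Microsoft: it parses the value line of `certutil -getreg` output, decodes both CRLFlags and EditFlags against the tables on this page, reports EDITF_ATTRIBUTESUBJECTALTNAME2 as a finding, and emulates what `certutil -setreg ... -FLAG` would write. The CA name CORP-CA and the sample certutil dump are constructed, and the exact layout of the dump is an assumption modelled on what certutil prints; only the `Name REG_DWORD = hex (dec)` line is relied on.

```python
"""Decode and audit AD CS CertSvc EditFlags / CRLFlags as printed by `certutil -getreg`."""
import re

# Both flag sets are dense, consecutive bits (see the tables on this page / certsrv.h),
# so each dict is built from the names in bit order: first name = 0x1, next = 0x2, ...
CRL_FLAGS = {name: 1 << i for i, name in enumerate([
    "CRLF_DELTA_USE_OLDEST_UNEXPIRED_BASE", "CRLF_DELETE_EXPIRED_CRLS",
    "CRLF_CRLNUMBER_CRITICAL", "CRLF_REVCHECK_IGNORE_OFFLINE",
    "CRLF_IGNORE_INVALID_POLICIES", "CRLF_REBUILD_MODIFIED_SUBJECT_ONLY",
    "CRLF_SAVE_FAILED_CERTS", "CRLF_IGNORE_UNKNOWN_CMC_ATTRIBUTES",
    "CRLF_IGNORE_CROSS_CERT_TRUST_ERROR", "CRLF_PUBLISH_EXPIRED_CERT_CRLS",
    "CRLF_ENFORCE_ENROLLMENT_AGENT", "CRLF_DISABLE_RDN_REORDER",
    "CRLF_DISABLE_ROOT_CROSS_CERTS", "CRLF_LOG_FULL_RESPONSE",
    "CRLF_USE_XCHG_CERT_TEMPLATE", "CRLF_USE_CROSS_CERT_TEMPLATE",
    "CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT", "CRLF_REVCHECK_IGNORE_NOREVCHECK",
    "CRLF_PRESERVE_EXPIRED_CA_CERTS", "CRLF_PRESERVE_REVOKED_CA_CERTS",
])}
EDIT_FLAGS = {name: 1 << i for i, name in enumerate([
    "EDITF_ENABLEREQUESTEXTENSIONS", "EDITF_REQUESTEXTENSIONLIST",
    "EDITF_DISABLEEXTENSIONLIST", "EDITF_ADDOLDKEYUSAGE",
    "EDITF_ADDOLDCERTTYPE", "EDITF_ATTRIBUTEENDDATE",
    "EDITF_BASICCONSTRAINTSCRITICAL", "EDITF_BASICCONSTRAINTSCA",
    "EDITF_ENABLEAKIKEYID", "EDITF_ATTRIBUTECA",
    "EDITF_IGNOREREQUESTERGROUP", "EDITF_ENABLEAKIISSUERNAME",
    "EDITF_ENABLEAKIISSUERSERIAL", "EDITF_ENABLEAKICRITICAL",
    "EDITF_SERVERUPGRADED", "EDITF_ATTRIBUTEEKU",
    "EDITF_ENABLEDEFAULTSMIME", "EDITF_EMAILOPTIONAL",
    "EDITF_ATTRIBUTESUBJECTALTNAME2", "EDITF_ENABLELDAPREFERRALS",
    "EDITF_ENABLECHASECLIENTDC", "EDITF_AUDITCERTTEMPLATELOAD",
    "EDITF_DISABLEOLDOSCNUPN", "EDITF_DISABLELDAPPACKAGELIST",
    "EDITF_ENABLEUPNMAP",
])}
TABLES = {"CRLFlags": CRL_FLAGS, "EditFlags": EDIT_FLAGS}

# Bits an auditor should report as findings, with the reason given on this page.
FINDINGS = {
    "EDITF_ATTRIBUTESUBJECTALTNAME2":
        "requesters can put an arbitrary SAN in request attributes, for every template this CA issues",
}

# The value line certutil prints, e.g. "  EditFlags REG_DWORD = 11014e (1114446)"
_VALUE_RE = re.compile(
    r"^\s*(?P<name>\w+)\s+REG_DWORD\s*=\s*(?P<hex>[0-9a-fA-F]+)\s*\((?P<dec>\d+)\)", re.M)


def parse_getreg(text):
    """Return (value_name, int_value) from `certutil -getreg` output."""
    m = _VALUE_RE.search(text)
    if not m:
        raise ValueError("no REG_DWORD line found in certutil output")
    value = int(m.group("hex"), 16)
    if value != int(m.group("dec")):          # certutil prints both forms; they must agree
        raise ValueError("hex and decimal renderings of the value disagree")
    return m.group("name"), value


def decode(value, table):
    """Split a DWORD into the named bits it contains, plus any bits the table does not name."""
    names = [n for n, bit in sorted(table.items(), key=lambda kv: kv[1]) if value & bit]
    known = 0
    for bit in table.values():
        known |= bit
    return names, (value & ~known) & 0xFFFFFFFF


def apply_setreg(value, spec, table):
    """Emulate `certutil -setreg ... +FLAG` / `-FLAG`: set or clear a single named bit."""
    op, name = spec[0], spec[1:]
    if op not in "+-" or name not in table:
        raise ValueError(f"bad flag spec {spec!r}")
    bit = table[name]
    return value | bit if op == "+" else value & ~bit


def audit(text):
    """Parse one `certutil -getreg` dump and report the decoded flags and any findings."""
    name, value = parse_getreg(text)
    flags, unknown = decode(value, TABLES[name])
    return {
        "value": name, "raw": value, "flags": flags, "unknown_bits": unknown,
        "findings": {f: FINDINGS[f] for f in flags if f in FINDINGS},
    }


# Constructed sample (not captured from a real CA): the 2008R2 defaults from the table
# above (0x11014e) with EDITF_ATTRIBUTESUBJECTALTNAME2 (0x40000) switched on.
SAMPLE_EDITFLAGS = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CORP-CA\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy:

  EditFlags REG_DWORD = 15014e (1376590)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ENABLEDEFAULTSMIME -- 10000 (65536)
    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)
    EDITF_ENABLECHASECLIENTDC -- 100000 (1048576)
CertUtil: -getreg command completed successfully.
"""

if __name__ == "__main__":
    report = audit(SAMPLE_EDITFLAGS)
    print(f"{report['value']} = 0x{report['raw']:x}: {', '.join(report['flags'])}")
    for flag, why in report["findings"].items():
        fixed = apply_setreg(report["raw"], "-" + flag, EDIT_FLAGS)
        print(f"FINDING {flag}: {why}")
        print(f"  fix: certutil -setreg policy\\EditFlags -{flag}  (new value 0x{fixed:x}), then restart certsvc")
```

In practice you feed it the output of `certutil -config "host\CAName" -getreg policy\EditFlags` (and `ca\CRLFlags`) for every CA found in the Enrollment Services container; the table lookup is deliberately strict, so a non-zero `unknown_bits` means the CA is running a newer certsrv.h than the page lists and the table needs extending, not that the bit is harmless.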