Upgrade your Internet Experience
Microsoft.com
Welcome Sign in
Windows Server TechCenter
Click to Rate and Give Feedback
TechNet
TechNet Library
Windows Server
Getting Started
 AD CS Step-by-Step Guide
Collapse All/Expand All Collapse All
Active Directory Certificate Services Step-by-Step Guide

Updated: November 7, 2008

Applies To: Windows Server 2008

noteNote
To download a copy of this document, see http://go.microsoft.com/fwlink/?LinkId=137417.

This step-by-step guide describes the steps needed to set up a basic configuration of Active Directory® Certificate Services (AD CS) in a lab environment.

AD CS starting in Windows Server® 2008 provides customizable services for creating and managing public key certificates used in software security systems that employ public key technologies.

ImportantImportant
By installing Active Directory Certificate Services (AD CS), you are either creating or extending a Public Key Infrastructure (PKI). A PKI that meets the requirements of most organizations is a multi-tier Certification Authority (CA) hierarchy that implements an Offline Root CA (http://social.technet.microsoft.com/wiki/contents/articles/2900.aspx). For more information, see PKI Design Brief Overview (http://social.technet.microsoft.com/wiki/contents/articles/pki-design-brief-overview.aspx). Additional step-by-step information is available in the TechNet Wiki article AD CS and PKI Step-by-Steps, Labs, Walkthroughs, HowTo, and Examples (http://social.technet.microsoft.com/wiki/contents/articles/4797.aspx).

This document includes:

  • A review of AD CS features

  • Requirements for using AD CS

  • Procedures for a basic lab setup to test AD CS on a minimum number of computers

  • Procedures for an advanced lab setup to test AD CS on a larger number of computers to more realistically simulate real-world configurations

 AD CS Technology Review

Using the Active Directory Certificate Services option of the Add Roles Wizard, you can set up the following components of AD CS:

  • Certification authorities (CAs). Root and subordinate CAs are used to issue certificates to users, computers, and services, and to manage their validity.

  • CA Web enrollment. Web enrollment allows users to connect to a CA by means of a Web browser in order to:

    • Request certificates and review certificate requests.

    • Retrieve certificate revocation lists (CRLs).

    • Perform smart card certificate enrollment.

  • Online Responder service. The Online Responder service implements the Online Certificate Status Protocol (OCSP) by decoding revocation status requests for specific certificates, evaluating the status of these certificates, and sending back a signed response containing the requested certificate status information.

    ImportantImportant
    Online Responders can be used as an alternative to or an extension of CRLs to provide certificate revocation data to clients. Microsoft Online Responders are based on and comply with RFC 2560 for OCSP. For more information about RFC 2560, see the Internet Engineering Task Force Web site (http://go.microsoft.com/fwlink/?LinkID=67082).

  • Network Device Enrollment Service. The Network Device Enrollment Service allows routers and other network devices to obtain certificates based on the Simple Certificate Enrollment Protocol (SCEP) from Cisco Systems Inc.

    noteNote
    SCEP was developed to support the secure, scalable issuance of certificates to network devices by using existing CAs. The protocol supports CA and registration authority public key distribution, certificate enrollment, certificate revocation, certificate queries, and certificate revocation queries.

 Requirements for Using AD CS

CAs can be set up on servers running a variety of operating systems, including Windows® 2000 Server, Windows Server® 2003, Windows Server 2008. Windows Server® 2008 R2. However, not all operating system versions support all features or design requirements, and creating an optimal design requires careful planning and lab testing before you deploy AD CS in a production environment. Although you can deploy AD CS with as little hardware as a single server for a single CA, many deployments involve multiple servers configured as root, policy, and issuing CAs, and other servers configured as Online Responders.

noteNote
A limited set of server roles is available for a Server Core installation of Windows Server 2008 and for Windows Server 2008 for Itanium-based Systems.

The following table lists the AD CS components that can be configured on different editions of Windows Server 2008.

 

Components Web Standard Enterprise Datacenter

CA

No

Yes

Yes

Yes

Network Device Enrollment Service

No

No

Yes

Yes

Online Responder service

No

No

Yes

Yes

The following features are available on servers running Windows Server 2008 that have been configured as CAs.

 

AD CS features Web Standard Enterprise Datacenter

Version 2 and version 3 certificate templates

No

No

Yes

Yes

Key archival

No

No

Yes

Yes

Role separation

No

No

Yes

Yes

Certificate Manager restrictions

No

No

Yes

Yes

Delegated enrollment agent restrictions

No

No

Yes

Yes
 AD CS Basic Lab Scenario

The following sections describe how you can set up a lab to begin evaluating AD CS.

We recommend that you first use the steps provided in this guide in a test lab environment. Step-by-step guides are not necessarily meant to be used to deploy Windows Server features without accompanying documentation and should be used with discretion as a stand-alone document.
 Steps for Setting up a Basic Lab

You can begin testing many features of AD CS in a lab environment by using as few as two servers running Windows Server 2008 and one client computer running Windows Vista®. The computers for this guide are named as follows:

  • Test_DC1: This computer will be the domain controller for your test environment.

  • TEST_PKI1: This computer will host an enterprise root CA for the test environment. This CA will issue client certificates for the Online Responder and client computers.

noteNote
Enterprise CAs and Online Responders can only be installed on servers running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter.

  • TEST_CLI1: This client computer running Windows Vista will autoenroll for certificates from TEST_PKI1 and verify certificate status from TEST_ PKI1.

To configure the basic lab setup for AD CS, you need to complete the following prerequisite steps:

  • Set up a domain controller on TEST_DC1 for contoso.com, including some organizational units (OUs) to contain one or more users for the client computer, client computers in the domain, and for the servers hosting CAs and Online Responders.

  • Install Windows Server 2008 on TEST_PKI1, and join TEST_PKI1 to the domain.

  • Install Windows Vista on TEST_CLI1, and join TEST_CLI1 to contoso.com.

After you have completed these preliminary setup procedures, you can begin to complete the following steps:

Step 1: Setting Up an Enterprise Root CA

Step 2: Installing the Online Responder

Step 3: Configuring the CA to Issue OCSP Response Signing Certificates

Step 4: Creating a Revocation Configuration

Step 5: Verifying that the AD CS Lab Setup Functions Properly

 Step 1: Setting Up an Enterprise Root CA

An enterprise root CA is the anchor of trust for the basic lab setup. It will be used to issue certificates to the Online Responder and client computer, and to publish certificate information to Active Directory Domain Services (AD DS).

noteNote
Enterprise CAs and Online Responders can only be installed on servers running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter.

 To set up an enterprise root CA

  1. Log on to TEST_PKI1 as a domain administrator.

  2. Click Start, point to Administrative Tools, and then click Server Manager.

  3. In the Roles Summary section, click Add roles.

  4. On the Select Server Roles page, select the Active Directory Certificate Services check box. Click Next two times.

  5. On the Select Role Services page, select the Certification Authority check box, and then click Next.

  6. On the Specify Setup Type page, click Enterprise, and then click Next.

  7. On the Specify CA Type page, click Root CA, and then click Next.

  8. On the Set Up Private Key and Configure Cryptography for CA pages, you can configure optional configuration settings, including cryptographic service providers. However, for basic testing purposes, accept the default values by clicking Next twice.

  9. In the Common name for this CA box, type the common name of the CA, RootCA1, and then click Next.

  10. On the Set the Certificate Validity Period page, accept the default validity duration for the root CA, and then click Next.

  11. On the Configure Certificate Database page, accept the default values or specify other storage locations for the certificate database and the certificate database log, and then click Next.

  12. After verifying the information on the Confirm Installation Options page, click Install.

  13. Review the information on the confirmation screen to verify that the installation was successful.
 Step 2: Installing the Online Responder

An Online Responder can be installed on any computer running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter. The certificate revocation data can come from a CA on a computer running Windows Server 2008, a CA on a computer running Windows Server 2003, or from a non-Microsoft CA.

noteNote
IIS must also be installed on this computer before the Online Responder can be installed.

 To install the Online Responder

  1. Log on to TEST_PKI1 as a domain administrator.

  2. Click Start, point to Administrative Tools, and then click Server Manager.

  3. Click Manage Roles. In the Active Directory Certificate Services section, click Add role services.

  4. On the Select Role Services page, select the Online Responder check box.

    You are prompted to install IIS and Windows Activation Service.

  5. Click Add Required Role Services, and then click Next three times.

  6. On the Confirm Installation Options page, click Install.

  7. When the installation is complete, review the status page to verify that the installation was successful.
 Step 3: Configuring the CA to Issue OCSP Response Signing Certificates

Configuring a CA to support Online Responder services involves configuring certificate templates and issuance properties for OCSP Response Signing certificates and then completing additional steps on the CA to support the Online Responder and certificate issuance.

noteNote
These certificate template and autoenrollment steps can also be used to configure certificates that you want to issue to a client computer or client computer users.

 To configure certificate templates for your test environment

  1. Log on to TEST_PKI1 as a CA administrator.

  2. Open the Certificate Templates snap-in.

  3. Right-click the OCSP Response Signing template, and then click Duplicate Template.

  4. Type a new name for the duplicated template, such as OCSP Response Signing 2.

  5. On the Security tab, under Group or user name, click Add to open the Select Users, Computers or Groups dialog box.

  6. Click Object Types, select the Computers check box, and then click OK.

  7. Enter the name of the computer hosting the Online Responder service, TEST_PKI1, and click OK.

  8. On the Security tab, under Group or user name, select the computer name, TEST_PKI1, and in the Permissions box, select the Read, Enroll, and Autoenroll check boxes.

  9. While you have the Certificate Templates snap-in open, you can configure certificate templates for users and computers by substituting the desired templates in step 3, and repeating steps 4 through 7 to configure permissions for TEST_CLI1 and your test user accounts.

To configure the CA to support Online Responders, you need to use the Certification Authority snap-in to complete two key steps:

  • Add the location of the Online Responder to the authority information access extension of issued certificates.

  • Enable the certificate templates that you configured in the previous procedure for the CA.

 To configure a CA to support the Online Responder service

  1. Open the Certification Authority snap-in.

  2. In the console tree, click the name of the CA.

  3. On the Action menu, click Properties.

  4. Click the Extensions tab. In the Select extension list, click Authority Information Access (AIA), and then click Add.

  5. In the Location box, type http://test_pki1/ocsp, and click OK.

  6. In the Select extension list, click the location you entered, and then select the Include in the online certificate status protocol (OCSP) extension check box. Click OK, and then click Yes to restart AD CS.

  7. After AD CS has restarted, in the console tree of the Certification Authority snap-in, right-click Certificate Templates, and then click New Certificate Templates to Issue.

  8. In the Enable Certificate Templates dialog box, select the duplicate OCSP Response Signing 2 template you created previously. Select any other certificate templates that you configured previously, and then click OK.

  9. In the console tree, click Certificate Templates, and verify that the modified certificate templates appear in the list.
 Step 4: Creating a Revocation Configuration

A revocation configuration includes all of the settings that are needed to respond to status requests regarding certificates that have been issued by using a specific CA key.

These configuration settings include the CA certificate, the signing certificate for the Online Responder, and the locations to which clients are directed to send their status requests.

 To manually force enrollment for the signing certificate (Optional)

  1. Start or restart TEST_PKI1 to enroll for certificates.

    ImportantImportant
    The Group Policy settings for the domain must have an autoenrollment policy enabled. Use the Group Policy Management Console (GPMC) to verify the Certificate Services Client – Autoenrollment setting in Computer Configuration\Policies\Software Settings\Windows Settings\Security Settings\Public Key Policies. Verify that Configuration Mode is set to Enabled and that the Renew expired certificates and Update certificates check boxes are selected. See Configure Certificate Autoenrollment for more information.

  2. Log on to the Online Responder computer as a CA administrator.

  3. Open the Certificates snap-in for the computer account. Open the Personal certificate store for the computer, and verify that it contains a certificate with the intended purpose of OCSP Signing.

  4. Right-click this certificate, and then click Manage Private Keys.

  5. Click the Security tab. In the User Group or user name dialog box, click Add, enter Network Service to the Group or user name list, and then click OK.

  6. Click Network Service, and in the Permissions dialog box, select the Full Control check box.

  7. Click OK.

Creating a revocation configuration involves the following tasks:

  • Identify the CA certificate for the CA that supports the Online Responder.

  • Identify the CRL distribution point for the CA.

  • Select a signing certificate that will be used to sign revocation status responses.

  • Select a revocation provider, the component responsible for retrieving and caching the revocation information used by the Online Responder.

 To create a revocation configuration

  1. Open the Online Responder snap-in.

  2. In the Actions pane, click Add Revocation Configuration to start the Add Revocation Configuration wizard, and then click Next.

  3. On the Name the Revocation Configuration page, type a name for the revocation configuration, such as TEST_RC1, and then click Next.

  4. On the Select CA certificate Location page, click Select a certificate from an existing enterprise CA, and then click Next.

  5. On the Choose CA certificate page, click Browse CA certificates published in Active Directory, and then click Browse. The name of the CA, TEST_PKI1, should appear in the Select Certification Authority dialog box.

    • If it appears, click the name of the CA that you want to associate with your revocation configuration, and then click OK.

    • If it does not appear, click Cancel, and on the Choose CA Certificate page, click Browse for a CA by Computer name, type TEST_PKI1 (the name of the computer hosting the Online Responder), and then click OK.

    • After choosing a CA certificate, click Next.

      noteNote
      You can also select the CA certificate from the local certificate store or import it from removable media in step 4.

  6. On the Select Signing Certificate page, accept the default option, Automatically select signing certificate, and select the Autoenroll for an OCSP signing certificate check box.

    noteNote
    With this option selected, the Online Responder will obtain the certificate automatically from the issuing CA. This is necessary if you skipped the optional step to manually force enrollment for the signing certificate.

  7. Click Browse to open the Select Certification Authority dialog box, click the CA that issues OCSP Signing certificates, and then click OK.

  8. Ensure that the Certificate Template box displays the duplicate OCSP Response Signing template that you created previously, and then click Next.

  9. On the Revocation Provider page, click Provider.

  10. In the Revocation Provider Properties dialog box, verify that all locations in the Base CRLs list are valid, and then click OK.

  11. Click Finish.

  12. Using the Online Responder snap-in, select the revocation configuration, and then examine the status information to verify that it is functioning properly. You should also be able to examine the properties of the signing certificate to verify that the Online Responder is configured properly.
 Step 5: Verifying that the AD CS Lab Setup Functions Properly

You can verify the setup steps described previously as you perform them.

After the installation is complete, you should verify that your basic test setup is functioning properly by confirming that you can autoenroll certificates, revoke certificates, and make accurate revocation data available from the Online Responder.

 To verify that the AD CS test setup functions properly

  1. On the CA, configure several certificate templates to autoenroll certificates for TEST_CLI1 and users on this computer.

  2. When information about the new certificates has been published to AD DS, open a command prompt on the client computer and enter the following command to start certificate autoenrollment:

    certutil -pulse

  3. On TEST_CLI1, use the Certificates snap-in to verify that the certificates have been issued to the user and to the computer, as appropriate.

  4. On the CA, use the Certification Authority snap-in to view and revoke one or more of the issued certificates by clicking Certification Authority (Computer)/CA name/Issued Certificates and selecting the certificate you want to revoke. On the Action menu, point to All Tasks, and then click Revoke Certificate. Select the reason for revoking the certificate, and click Yes.

  5. In the Certification Authority snap-in, publish a new CRL by clicking Certification Authority (Computer)/CA name/Revoked Certificates in the console tree. Then, on the Action menu, point to All Tasks, and click Publish.

  6. Remove all CRL distribution point extensions from the issuing CA by opening the Certification Authority snap-in and then selecting the CA. On the Action menu, click Properties.

  7. On the Extensions tab, confirm that Select extension is set to CRL Distribution Point (CDP).

  8. Click any CRL distribution points that are listed, click Remove, and then click OK.

  9. Stop and restart AD CS.

  10. Repeat steps 1 and 2 above, and then verify that clients can still obtain revocation data. To do this, use the Certificates snap-in to export the certificate to a file (*.cer). At a command prompt, type:

    certutil -url <exportedcert.cer>

  11. In the Verify and Retrieve dialog box that appears, click From CDP and From OCSP and compare the results.
 AD CS Advanced Lab Scenario

The following sections describe how you can set up a lab to evaluate more features of AD CS than in the basic lab setup.

 Steps for Setting Up an Advanced Lab

To test additional features of AD CS in a lab environment, you will need five computers running Windows Server 2008 and one client computer running Windows Vista. The computers for this guide are named as follows:

  • TEST_DC1: This computer will be the domain controller for your test environment.

  • TEST_CA_ROOT1: This computer will host a stand-alone root CA for the test environment.

  • TEST_CA_ISSUE1: This enterprise CA will be subordinate to TEST_CA_ROOT1 and issue client certificates for the Online Responder and client computers.

noteNote
Enterprise CAs and Online Responders can only be installed on servers running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter.

  • TEST_ORS1. This server will host the Online Responder.

  • TEST_NDES. This server will host the Network Device Enrollment Service that makes it possible to issue and manage certificates for routers and other network devices.

  • TEST_CLI1: This client computer running Windows Vista will autoenroll for certificates from TEST_CA_ISSUE1 and verify certificate status from TEST_ORS1.

To configure the advanced lab setup for AD CS, you need to complete the following prerequisite steps:

  1. Set up a domain controller on TEST_DC1 for contoso.com, including some OUs to contain one or more users for TEST_CLI1, client computers in the domain, and for the servers hosting CAs and Online Responders.

  2. Install Windows Server 2008 on the other servers in the test configuration and join them to the domain.

  3. Install Windows Vista on TEST_CLI1, and join TEST_CLI1 to contoso.com.

After you have completed these preliminary setup procedures, you can begin to complete the following steps:

Step 1: Setting Up the Stand-Alone Root CA

Step 2: Setting Up the Enterprise Subordinate Issuing CA

Step 3: Installing and Configuring the Online Responder

Step 4: Configuring the Issuing CA to Issue OCSP Response Signing Certificates

Step 5: Configuring the Authority Information Access Extension to Support the Online Responder

Step 6: Assigning the OCSP Response Signing Template to a CA

Step 7: Enrolling for an OCSP Response Signing Certificate

Step 8: Creating a Revocation Configuration

Step 9: Setting Up and Configuring the Network Device Enrollment Service

Step 10: Verifying that the Advanced AD CS Test Setup Functions Properly

 Step 1: Setting Up the Stand-Alone Root CA

A stand-alone root CA is the anchor of trust for the basic lab setup. It will be used to issue certificates to the subordinate issuing CA. Because it is critical to the security of the public key infrastructure (PKI), this CA is online in many PKIs only when needed to issue certificates to subordinate CAs.

 To set up a stand-alone root CA

  1. Log on to TEST_CA_ROOT1 as an administrator.

  2. Start the Add Roles Wizard. On the Select Server Roles page, select the Active Directory Certificate Services check box, and then click Next two times.

  3. On the Select Role Services page, select the Certification Authority check box, and then click Next.

  4. On the Specify Setup Type page, click Standalone, and then click Next.

  5. On the Specify CA Type page, click Root CA, and then click Next.

  6. On the Set Up Private Key and Configure Cryptography for CA pages, you can configure optional settings, including cryptographic service providers. However, for basic testing purposes, accept the default values by clicking Next twice.

  7. In the Common name for this CA box, type the common name of the CA, RootCA1, and then click Next.

  8. On the Set the Certificate Validity Period page, accept the default validity duration for the root CA, and then click Next.

  9. On the Configure Certificate Database page, accept the default values or specify other storage locations for the certificate database and the certificate database log, and then click Next.

  10. After verifying the information on the Confirm Installation Options page, click Install.

 Step 2: Setting Up the Enterprise Subordinate Issuing CA

Most organizations use at least one subordinate CA to protect the root CA from unnecessary exposure. An enterprise CA also allows you to use certificate templates and to use AD DS for enrollment and publishing certificates.

 To set up an enterprise subordinate issuing CA

  1. Log on to TEST_CA_ISSUE1 as a domain administrator.

  2. Start the Add Roles Wizard. On the Select Server Roles page, select the Active Directory Certificate Services check box, and then click Next two times.

  3. On the Select Role Services page, select the Certification Authority check box, and then click Next.

  4. On the Specify Setup Type page, click Enterprise, and then click Next.

  5. On the Specify CA Type page, click Subordinate CA, and then click Next.

  6. On the Set Up Private Key and Configure Cryptography for CA pages, you can configure optional settings, including cryptographic service providers. However, for basic testing purposes, accept the default values by clicking Next twice.

  7. On the Request Certificate page, browse to locate TEST_CA_ROOT1, or if, the root CA is not connected to the network, save the certificate request to a file so that it can be processed later. Click Next.

    The subordinate CA setup will not be usable until it has been issued a root CA certificate and this certificate has been used to complete the installation of the subordinate CA.

  8. In the Common name for this CA box, type the common name of the CA, TEST_CA_ISSUE1.

  9. On the Set the Certificate Validity Period page, accept the default validity duration for the CA, and then click Next.

  10. On the Configure Certificate Database page, accept the default values or specify other storage locations for the certificate database and the certificate database log, and then click Next.

  11. After verifying the information on the Confirm Installation Options page, click Install.

 Step 3: Installing and Configuring the Online Responder

An Online Responder can be installed on any computer running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter. The certificate revocation data can come from a CA on a computer running Windows Server 2008, a CA on a computer running Windows Server 2003, or from a non-Microsoft CA. An Online Responder will typically not be installed on the same computer as a CA.

noteNote
IIS must also be installed on this computer before the Online Responder can be installed. As part of the setup process a virtual directory named OCSP is created in IIS and the Web proxy is registered as an Internet Server Application Programming Interface (ISAPI) extension.

 To install the Online Responder service

  1. Log on to TEST_ORS1 as an administrator.

  2. Start the Add Roles Wizard. On the Select Server Roles page, select the Active Directory Certificate Services check box, and then click Next two times.

  3. On the Select Role Services page, clear the Certification Authority check box, select the Online Responder check box, and then click Next.

    You are prompted to install IIS and Windows Activation Service.

  4. Click Add Required Role Services, and then click Next three times.

  5. On the Confirm Installation Options page, click Install.

  6. When the installation is complete, review the status page to verify that the installation was successful.
 Step 4: Configuring the Issuing CA to Issue OCSP Response Signing Certificates

As with any certificate template, the OCSP Response Signing template must be configured with the enrollment permissions for Read, Enroll, Autoenroll, and Write before any certificates can be issued based on the template.

 To configure certificate templates for your test environment

  1. Log on to TEST_CA_ISSUE1 as a CA administrator.

  2. Open the Certificate Templates snap-in.

  3. Right-click the OCSP Response Signing template, and then click Duplicate Template.

  4. Type a new name for the duplicated template, such as OCSP Response Signing_2.

  5. Right-click the OCSP Response Signing_2 certificate template, and then click Properties.

  6. Click the Security tab. Under Group or user name, click Add, and type the name or browse to select the computer hosting the Online Responder service.

  7. Click the computer name, TEST_ORS1, and in the Permissions dialog box, select the Read and Autoenroll check boxes.

  8. While you have the Certificate Templates snap-in open, you can configure certificate templates for users and computers by substituting the desired templates in step 3, and repeating steps 4 through 7 to configure permissions for TEST_CLI1 and your test user accounts.
 Step 5: Configuring the Authority Information Access Extension to Support the Online Responder

You need to configure the CAs to include the URL for the Online Responder as part of the authority information access extension of the issued certificate. This URL is used by the Online Responder client to validate the certificate status.

 To configure the authority information access extension to support the Online Responder

  1. Log on to TEST_CA_ISSUE1 as a CA administrator.

  2. Open the Certification Authority snap-in.

  3. In the console tree, click the name of the CA.

  4. On the Action menu, click Properties.

  5. On the Extensions tab, click Select extension, and then click Authority Information Access (AIA).

  6. Select the Include in the online certificate status protocol (OCSP) extension check box, and click OK.

  7. Specify the locations from which users can obtain certificate revocation data; for this setup, the location is http://TEST_ORS1/ocsp.

  8. In the console tree of the Certification Authority snap-in, right-click Certificate Templates, and then click New Certificate Templates to Issue.

  9. In Enable Certificate Templates, select the OCSP Response Signing template and any other certificate templates that you configured previously, and then click OK.

  10. Open Certificate Templates, and verify that the modified certificate templates appear in the list.
 Step 6: Assigning the OCSP Response Signing Template to a CA

Once the templates are properly configured, the CA needs to be configured to issue that template.

 To configure the CA to issue certificates based on the newly created OCSP Response Signing template

  1. Open the Certification Authority snap-in.

  2. Right-click Certificate Templates, and then click Certificate Template to Issue.

  3. Select the OCSP Response Signing_2 template from the list of available templates, and then click OK.
 Step 7: Enrolling for an OCSP Response Signing Certificate

Enrollment might not take place right away. Therefore, before you proceed to the next step, confirm that certificate enrollment has taken place so that a signing certificate exists on the computer, and verify that the permissions on the signing certificate allow the Online Responder to use it.

 To verify that the signing certificate is properly configured

  1. Start or restart TEST_ORS1 to enroll for the certificates.

  2. Log on as a CA administrator.

  3. Open the Certificates snap-in for the computer. Open the Personal certificate store for the computer, and then verify that it contains a certificate titled OCSP Response Signing_2.

  4. Right-click this certificate, and then click Manage Private Keys.

  5. Click the Security tab. In the User Group or user name dialog box, click Add to type in and add Network Service to the Group or user name list, and then click OK.

  6. Click Network Service, and in the Permissions dialog box, select the Full Control check box. Click OK twice.
 Step 8: Creating a Revocation Configuration

Creating a revocation configuration involves the following tasks:

  • Identify the CA certificate for the CA that supports the Online Responder.

  • Identify the CRL distribution point for the CA.

  • Select a signing certificate that will be used to sign revocation status responses.

  • Select a revocation provider, the component responsible for retrieving and caching the revocation information used by the Online Responder.

 To create a revocation configuration

  1. Log on to TEST_ORS1 as a domain administrator.

  2. Open the Online Responder snap-in.

  3. In the Actions pane, click Add Revocation Configuration to start the Add Revocation Configuration wizard, and then click Next.

  4. On the Name the Revocation Configuration page, type a name for the revocation configuration, such as TEST_RC1, and then click Next.

  5. On the Select CA Certificate Location page, click Select a certificate for an existing enterprise CA, and then click Next.

  6. On the following page, the name of the CA, TEST_CA_ISSUE1, should appear in the Browse CA certificates published in Active Directory box.

    • If it appears, click the name of the CA that you want to associate with your revocation configuration, and then click Next.

    • If it does not appear, click Browser for a CA by Computer name and type the name of the computer hosting TEST_CA_ISSUE1 or click Browse to locate this computer. When you have located the computer, click Next.

      noteNote
      You can also select the CA certificate from the local certificate store or import it from removable media in step 5.

  7. View the certificate and copy the CRL distribution point for the parent root CA, RootCA1. To do this:

    1. Open the Certificate Services snap-in, and then select an issued certificate.

    2. Double-click the certificate, and then click the Details tab.

    3. Scroll down and select the CRL Distribution Points field.

    4. Select and copy the URL for the CRL distribution point that you want to use.

    5. Click OK.

  8. On the Select Signing Certificate page, accept the default, Automatically select signing certificate, and then click Next.

  9. On the Revocation Provider page, click Provider.

  10. On the Revocation Provider Properties page, click Add, enter the URL of the CRL distribution point, and then click OK.

  11. Click Finish.

  12. Using the Online Responder snap-in, select the revocation configuration, and then examine the status information to verify that it is functioning properly. You should also be able to examine the properties of the signing certificate to verify that the Online Responder is configured properly.
 Step 9: Setting Up and Configuring the Network Device Enrollment Service

The Network Device Enrollment Service allows software on routers and other network devices running without domain credentials to obtain certificates.

The Network Device Enrollment Service operates as an ISAPI filter on IIS that performs the following functions:

  • Generates and provides one-time enrollment passwords to administrators

  • Processes SCEP enrollment requests

  • Retrieves pending requests from the CA

SCEP was developed as an extension to existing HTTP, PKCS #10, PKCS #7, RFC 2459, and other standards to enable network device and application certificate enrollment with CAs. SCEP is identified and documented on the Internet Engineering Task Force Web site (http://go.microsoft.com/fwlink/?LinkId=71055).

Before you begin this procedure, create a user ndes_user1 and add this user to the IIS user group. Then, use the Certificate Templates snap-in to configure Read and Enroll permissions for this user on the IPSEC (Offline Request) certificate template.

 To set up and configure the Network Device Enrollment Service

  1. Log on to TEST_NDES as an enterprise administrator.

  2. Start the Add Roles Wizard. On the Select Server Roles page, select the Active Directory Certificate Services check box, and then click Next two times.

  3. On the Select Role Services page, clear the Certification Authority check box, and then select Network Device Enrollment Service.

    You are prompted to install IIS and Windows Activation Service.

  4. Click Add Required Role Services, and then click Next three times.

  5. On the Confirm Installation Options page, click Install.

  6. When the installation is complete, review the status page to verify that the installation was successful.

  7. Because this is a new installation and there are no pending SCEP certificate requests, click Replace existing Registration Authority (RA) certificates, and then click Next.

    When the Network Device Enrollment Service is installed on a computer where a registration authority already exists, the existing registration authority and any pending certificate requests are deleted.

  8. On the Specify User Account page, click Select User, and type the user name ndes_user1 and password for this account, which the Network Device Enrollment Service will use to authorize certificate requests. Click OK, and then click Next.

  9. On the Specify CA page, select either the CA name or Computer name check box, click Browse to locate the CA that will issue the Network Device Enrollment Service certificates, TEST_CA_ISSUE1, and then click Next.

  10. On the Specify Registry Authority Information page, type ndes_1 in the RA name box. Under Country/region, select the check box for the country/region you are in, and then click Next.

  11. On the Configure Cryptography page, accept the default values for the signature and encryption keys, and then click Next.

  12. Review the summary of configuration options, and then click Install.
 Step 10: Verifying that the Advanced AD CS Test Setup Functions Properly

You can verify the setup steps described previously as you perform them.

After the installation is complete, you should verify that your advanced test setup is functioning properly.

 To verify that the advanced AD CS test setup functions properly

  1. On the CA, configure several certificate templates to autoenroll certificates for TEST_CLI1 and users on this computer.

  2. When information about the new certificates has been published to AD DS, open a command prompt on the client computer and enter the following command to start certificate autoenrollment:

    certutil -pulse

  3. On the client computer, use the Certificates snap-in to verify that the certificates have been issued to the user and to the computer, as appropriate.

  4. On the CA, use the Certification Authority snap-in to view and revoke one or more of the issued certificates by clicking Certification Authority (Computer)/CA name/Issued Certificates and selecting the certificate you want to revoke. On the Action menu, point to All Tasks, and then click Revoke Certificate. Select the reason for revoking the certificate, and click Yes.

  5. In the Certification Authority snap-in, publish a new CRL by clicking Certification Authority (Computer)/CA name/Revoked Certificates in the console tree. Then, on the Action menu, point to All Tasks, and click Publish.

  6. On the client computer, use the Certificates snap-in to export one of the issued certificates and save it as an X.509 file.

  7. Open a command prompt, and enter the following command:

    certutil –url <exportedcert.cer>

  8. In the Verify and Retrieve dialog box, click OCSP (from AIA), and then click Retrieve. After the CRL is retrieved, the status will display Verified.

See Also

Tags What's this?: Add a tag
Community Content   What is Community Content?
Add new content RSS  Annotations
Stand alone root CA      method115 ... method116   |   Edit   |   Show History
The first part of this guide is great but the second part had me confused as I thought the stand alone root CA was going to be an offline CA. They should include a guide on how to install an offline root CA as to me that is much more realistic then the way it is now. Then again I have next to no real world experience with ADCS so I could be wrong.
Tags What's this?: Add a tag
Flag as ContentBug
To fix the error in the Enterprise PKI view      Jean-Benoit Paux ... lvong   |   Edit   |   Show History
When launching the Enterprise PKI mmc, the OCSP module shows an error as described by Olilvier Baier on this page.

To resolve this error, revoke the CA Exchange certificate, stop and start the CA service and go back to the enterprise view to refresh. A new CA Exchange certificate is created (with the correct AIA info including the OSCP url) so the check is OK afterthat.

-------
I also have this issue and the above method did not work. I was able to fix this with this work around.
1. From AD CS, right click on root CA, properties.
2. On extensions tab, select "Authority Information Access (AIA)
3. Select ldap://cn=<CATruncatedName>.....
4. uncheck "Include in AIA extension of issued certificates.
5. restart root CA services.
6. View Enterprise PKI and status will be "OK" including OCSP Location #1.
7. Return to step #4 and put back the check box.
Tags What's this?: error (x) ocsp (x) pki (x) view (x) Add a tag
Flag as ContentBug
OCSP Location shows an error in Enterprise-PKI, but works      olibaier ... Kurt L Hudson   |   Edit   |   Show History
Hello,

thank you for this tutorial. I did work through it several time and get always the same error message in the PKI Snapin about the OCSP Location.
Everything works find and (nearly) like expected. But I don't like the Enterprise PKI reports the OCSP Location as errornous.

The PKI SnapIn for Enterprise-PKI shows an error at OCSP-Location#1 (http://test-ocsp/ocsp)
I cannot browse the OCSP location, either. IIS reports an Internal Server error. I think this could be OK, as I did not POST any data in my request.
The OCSP SnapIn reposts the Revocation Configuaration status as OK.

The OCSP seems to work. Same with the OCSP Web Proxy.
I can revoke certificates and when I check them with certutil -URL the certificate is reported to be revoked.

So my questions are: Should the Enterprise-PKI Report the OCSP Location as OK? How I can a debog the OCASP Web Proxy? Is the 500 Internal Server error OK, when accessing the OCSP Web proxy directly?

I'm running Windows 2008R2.

If there is a better place to post such questions, please let me know.

-------------------
See http://social.technet.microsoft.com/wiki/contents/articles/1587.aspx#PKIViewOCSP. That might help. Please, post all additional AD CS related questions to the Windows Server Security Forum: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads
Server Core      Isotonic ... Kurt L Hudson   |   Edit   |   Show History
+1. I wasted much time for looking that information and didn't find one yet.

------------------------------
There is a CA on Server Core setup guide as of July 2010, at http://technet.microsoft.com/en-us/library/ff849263(WS.10).aspx.
Core      Rick Eveleigh ... Kurt L Hudson   |   Edit   |   Show History
But how do you do all this in Core? Please could all Technet articles like this for 2008 &;;amp; R2 procedures have links to 'how to do it in core'!

-----------
There is a CA on Server Core setup guide as of July 2010, at http://technet.microsoft.com/en-us/library/ff849263(WS.10).aspx.
Verification Steps      james_jones ... Kurt L Hudson   |   Edit   |   Show History

A couple steps outlined under "To verify that the AD CS test setup functions properly" are extremely vague and need to be expanded. For example:

"On the CA, configure several certificate templates to autoenroll certificates for TEST_CLI1 and users on this computer."

Which snap-in am I supposed to do this in? Certificates? Certificate Authority? Certificate Templates? Which one? Also, doesn't autoenrollment imply some action concerning group policy in AD? I'm lost.

"When information about the new certificates has been published to AD DS..."

Does this happen automatically? How can I tell when it happens? Or does it require some action on my behalf? If so, what action is required in order to get this information published?

Apart from this section, the rest of this document is very clear and helpful. Can anyone clear these steps up for me? Thanks.


-------------------

Yes, autoenrollment is enabled through Active Directory Domain Services Group Policy: http://technet.microsoft.com/en-us/library/cc731522.aspx


I am working on clearer and more step-by-step documentation. In the mean time, please, post all AD CS related questions to the Windows Server Security Forum: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads

ADCS for 2 Domain Trees in Single Forest      Imran Ijaz ... Kurt L Hudson   |   Edit   |   Show History
I have successfully configured a four (4) tear model in server 2008 r2. adds, root, issuer and responder. all system that join my first domain they get certificate. every thing is working fine. now i have created a new domain tree in same forest. i want to provide same services to my new domain memebers as of first one. i.e to isse certificate to all joined computers of new domain. how i will configure this.

-----------------
See the Certificate Enrollment Services guide for this information. Right now it is only published on the download center, but I am working on getting it published to the regular library.
http://www.microsoft.com/download/en/details.aspx?displaylang=en&;;id=1746
Error Local AIA #2 LocalDeltaCRL #2 Local CDP #2      BrunoOliveiraBastos   |   Edit   |   Show History
Hi, i install a CA Enterprise, and after this i install only the Online Responder and configure, i revoke the CA Enterprise Exchange, but in my Enterprise PKI i have a error in Local AIA #2 LocalDeltaCRL #2 Local CDP #2 with cant connect to http://server.test.com/CertEnroll/teste-SERVER-CA.crl or http://server.test.com/CertEnroll/teste-SERVER-CA.crl+. I want to know if i have to install Web Enrollment before Online Responder in same machine for resolve this error, or if exist another solution so solve this.
Tags What's this?: Add a tag
Flag as ContentBug
Windows Server 2008 R2 Update Please?      PoNeTale   |   Edit   |   Show History
It would be nice if these step-by-step guides were updated for Windows Server 2008 R2
Tags What's this?: Add a tag
Flag as ContentBug
Verification Steps - a few more details      JFL-Eum   |   Edit   |   Show History
How to "configure several certificate templates to autoenroll certificates" ?

To do this, in the "Active Directory Certificate Services" Snap-in:

1) go to "Certificate Templates" (the one that is at the same level as "Enterprise PKI" and Your CA.
Select the "Computer" template.
Right-clic and select "duplicate template".

If you have only windows 7 / windows server 2008 computers, you can select "Windows Server 2008 enterprise".
If you still have windows XP or windows server 2003 machines, you must select "Windows Server 2003" otherwise those compluter will not be able to use the template.
(Note : don't knwow if the 2008 version works for Vista or not).

Change the "template Display name" as you like, for example "Computer-AutoEnroll"
Leave all settings as is, except for the security tab.
In security tabs, select the group "Domain Computers" and check boxes Read, Enroll and Autoenroll in the "allow" column.

Now you have a new certificate template, but it's not available to computers yet.

2) Expand you CA and go to the "Certificate Templates" container.
Right-click in the central windows, choose "New" > "Certificate Template to Issue", then select the newly created template.

Now when a client computer try to autoenroll, they will find a suitable certificate.

This is required since the default "Computer" template allow "enroll" but does not allow "autoenroll" and you can't add this permission.

For autoenrollment other settings and troubleshooting, refer to the very useful page here :
http://social.technet.microsoft.com/wiki/contents/articles/troubleshooting-certificate-autoenrollment-in-active-directory-certificate-services-ad-cs.aspx

Tags What's this?: Add a tag
Flag as ContentBug
AD CS not supported on Server Core for Windows Server 2008      Brett.Bentley ... awlva kumar   |   Edit   |   Show History
This step-by-step guide is for Windows Server 2008. AD CS is not available in Server Core for Windows Server 2008. However, AD CS has been added to Server Core for Windows Server 2008 R2. Also note that only the CA is available on Server Core, not any of the other AD CS role services such as NDES or OCSP.

There is a CA on Server Core setup guide as of July 2010, at http://technet.microsoft.com/en-us/library/ff849263(WS.10).aspx.

The simplest way to manage the CA on Server Core in Windows Server 2008 R2 is to use Server Manager or the CA snap-in from a full installation of Windows Server and make a remote connection to the Server Core CA. For more information about remoting with Server Manager, see http://technet.microsoft.com/en-us/library/dd184088.aspx and http://technet.microsoft.com/en-us/library/dd759202.aspx.

HTH,
Brett
Flag as ContentBug
Thank      TM-naiman   |   Edit   |   Show History

Thank

Tags What's this?: Add a tag
Flag as ContentBug
© 2012 Microsoft. All rights reserved. Terms of Use | Trademarks | Privacy Statement
Page view tracker