Domain Controller Certificate Installation

Applies To: Windows Server 2003 with SP1

Installing a certificate on a domain controller implies that the certificate and associated private key are available to the local system (computer) account. Since the key material has been previously generated and the certificate request is still pending at the domain controller, the certificate must be accepted (installed). Acceptance refers to the operation whereby the certificate and the key material are linked, and the certificate request is deleted from the Certificate Enrollment Requests container.

When an Administrator accepts a certificate, certreq will look into the Certificate Enrollment Requests container of the local machine store first, and if no corresponding request is found, it looks into the current user’s (Administrator) Certificate Enrollment Requests container. Thus, you can accept machine certificate requests as Administrator.

Installing Domain Controller Certificates

The following procedure will install the domain controller certificate locally in the local system profile but not in Active Directory. To install the certificate on the target domain controller, perform the following steps with the Windows Server 2003 version of certreq and certutil. On a Windows 2000 domain controller, you must add a prefix to the commands. The prefix is the path you have copied the commands to. In this white paper, the %HOMEDRIVE%\W2K3AdmPak path is used.

  1. Log on to the target domain controller.

  2. Make the CER- and P7B-file from the previous section available to the domain controller.

  3. From a command-line prompt, run the following command.

    CERTREQ -ACCEPT <dcname>.p7b

    Replace <dcname> with the name of the target domain controller. The command will not report any confirmation of success.

  4. Verify that the certificate has been installed in the local system personal certificate store by running the following command at a command-line prompt:

    certutil -viewstore My

    A window will appear that displays all certificates that are available in the local computer personal store.

  5. Log off your domain controller.
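The following check is an added example and is not part of the white paper. It assumes Windows PowerShell is installed on the domain controller and that the <dcname>.cer file from the previous section is in the current directory ($cerPath is an assumption); it confirms the three things acceptance is supposed to achieve: the certificate is in the local computer Personal store, it is linked to the private key generated with the request, and the pending request has been deleted from the Certificate Enrollment Requests (REQUEST) container.

```powershell
# Added example (not from the white paper). Assumes PowerShell on the DC and <dcname>.cer
# in the current directory; adjust $cerPath if the file is elsewhere.
$cerPath = Join-Path (Get-Location) "$env:COMPUTERNAME.cer"

# The certificate that CERTREQ -ACCEPT should have installed, and its public key for matching
$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$pubKey   = [Convert]::ToBase64String($expected.PublicKey.EncodedKeyValue.RawData)

# 1. It must be in the local computer Personal store (the same store certutil -viewstore My shows)
$installed = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $expected.Thumbprint }
if (-not $installed) {
    throw "Not in LocalMachine\My: $($expected.Subject) was not installed"
}

# 2. Acceptance links the certificate to the key pair created with the request;
#    without the private key the certificate is unusable by the local system account
if (-not $installed.HasPrivateKey) {
    throw "Installed, but no private key is linked to $($expected.Subject)"
}

# 3. The pending request must be gone from the Certificate Enrollment Requests container
#    (the REQUEST store); a leftover entry with the same public key means acceptance did not complete
$leftover = Get-ChildItem Cert:\LocalMachine\REQUEST -ErrorAction SilentlyContinue |
    Where-Object { [Convert]::ToBase64String($_.PublicKey.EncodedKeyValue.RawData) -eq $pubKey }
if ($leftover) {
    throw "A pending request with the same public key is still in LocalMachine\REQUEST"
}

Write-Host "OK: $($expected.Subject) installed with private key, thumbprint $($expected.Thumbprint)"
```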

Publishing Domain Controller Certificates

As mentioned previously, a stand-alone CA is not capable of publishing certificates in Active Directory. However, SMTP replication requires the use of domain controller certificates published in Active Directory. For certificates that are enrolled asynchronously through an offline process, you must manually publish these certificates in Active Directory.

The following steps instruct you to examine the certificates that reside in the domain controller’s local machine certificate store before the new certificate is published in Active Directory. The new certificate is published and you will be able to verify that the certificate was published properly.

Publishing certificates into computer objects in Active Directory requires write permissions for the userCertificate attribute that is part of any computer object. Administrators and members of the built-in domain group “Cert Publishers” have this permission by default.

The reqdccert.bat script creates a file called <dcname>-vfy.bat that contains the correct certutil command to verify the domain controller’s certificate in Active Directory. You can use this batch file instead of typing the certutil -viewstore commands manually as described in the following steps.

Perform the following steps to manually view and publish a domain controller certificate in Active Directory.

  1. Log on as domain administrator or a member of the Cert Publishers global group for the target domain controller. Technically, the publication can be performed at any computer that is a domain member, but for convenience, the domain controller is used in this scenario.

  2. Verify that there are no certificates already published on the domain controller’s Active Directory object.

    Note

    The following steps work only with the Windows Server 2003 version of certutil.exe. Thus, if you perform the following steps from a Windows 2000 domain controller, you must add a prefix to the certutil command. The prefix is the path you have copied the certutil command to. In this white paper, %HOMEDRIVE%\W2K3AdmPak is used.

    Run the following command from a command-line prompt.

    certutil -viewstore "ldap:///cn=<dcname>,ou=domain controllers,dc=<domainname>,dc=<com>?usercertificate"

    Replace the <dcname> variable with the name of the target domain controller, and the <domainname> and <com> variables with the components of the domain’s DNS name.

    A window should appear with no certificates displayed. This is expected since no certificates have been published yet.

  3. Click Cancel to close the window.

  4. The certificate is published in Active Directory using the userCertificate attribute on the machine account object for the domain controller. Run the following command to write the certificate to the domain controller’s Active Directory object.

    certutil -f -dspublish <dcname>.cer machine

    Replace the <dcname> variable with the name of the target domain controller.

    The command determines the proper Active Directory object by the subject information in the certificate. The publication will fail if no object can be found based on the subject information.

    Note

    The machine parameter is mandatory in the previous command.

  5. To verify that the certificate was published successfully, perform the following steps from a command-line prompt.

    certutil -viewstore "ldap:///cn=<dcname>,ou=domain controllers,dc=<domainname>,dc=<com>?usercertificate"

    If the domain controller’s computer object has no certificates in the userCertificate attribute, the certutil output will display an empty list in the window. If "?userCertificate" was omitted from the command-line parameters or an invalid object class was specified, an error message such as the following will appear:

    CertUtil: -viewstore command FAILED: 0x80092009 (-2146885623)
    CertUtil: Cannot find the requested object.

Note

It is always a good practice to verify the certificates in the requestor’s Active Directory object as well. If the certificate template was configured to publish certificates in Active Directory but the templates were otherwise not configured correctly, these certificates may be published to the user account that created the certificate request. To examine certificates in the domain administrator’s Active Directory user object, run the following command.

certutil -viewstore "ldap:///cn=Administrator,cn=Users,dc=<domainname>,dc=<com>"

If computer certificates are found in this object, follow the instructions to remove them in Removing Certificates from an Active Directory Computer Object.
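The following script is an added example and is not part of the white paper; it performs the two checks described above (the publication in step 5 and the requestor check in the note) in one pass. It assumes Windows PowerShell is available on a domain member, that $dcName is the target domain controller and $requestor is the user account that created the request (both are assumptions), and it reads the userCertificate attribute through ADSI rather than through certutil.

```powershell
# Added example (not from the white paper). $dcName and $requestor are assumptions.
$dcName    = $env:COMPUTERNAME
$requestor = "Administrator"

function Get-PublishedCertificates([string]$ldapFilter) {
    # Return the userCertificate values of the single object matching $ldapFilter
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
    $searcher.Filter = $ldapFilter
    [void]$searcher.PropertiesToLoad.Add("userCertificate")
    $entry = $searcher.FindOne()
    if ($entry -eq $null) { throw "No object matches $ldapFilter" }
    # Each value is a DER-encoded certificate; wrap it to read subject and thumbprint
    foreach ($der in $entry.Properties["usercertificate"]) {
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,[byte[]]$der)
    }
}

# Thumbprints of certificates the local system holds together with a private key
$localThumbs = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } | ForEach-Object { $_.Thumbprint })

# Step 5: the DC's computer object (what the ldap:///cn=<dcname>,ou=domain controllers,... URL views)
$onDc    = @(Get-PublishedCertificates "(&(objectCategory=computer)(cn=$dcName))")
$matched = @($onDc | Where-Object { $localThumbs -contains $_.Thumbprint })
if ($matched.Count -eq 0) {
    throw "No certificate on the computer object of $dcName matches a local certificate with a private key; run certutil -f -dspublish <dcname>.cer machine"
}
$matched | ForEach-Object { Write-Host "Published on ${dcName}: $($_.Subject) $($_.Thumbprint)" }

# Note: the requestor's user object must not carry the machine certificate
$onUser = @(Get-PublishedCertificates "(&(objectCategory=person)(sAMAccountName=$requestor))")
$stray  = @($onUser | Where-Object { $localThumbs -contains $_.Thumbprint })
if ($stray.Count -gt 0) {
    $list = ($stray | ForEach-Object { $_.Thumbprint }) -join ', '
    Write-Warning "Machine certificate(s) published on user ${requestor}: $list; remove them from the user object"
} else {
    Write-Host "No machine certificate found on user $requestor"
}
```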