Configure Certification Authorities

You can use the Certification Authority console to configure CAs. This includes the following tasks:

  • Installing the CA certificate when necessary.

  • Configuring exit module settings.

  • Configuring policy module settings.

  • Scheduling certificate revocation list publication.

  • Modifying security permissions and delegating control of CAs.

  • Enabling optional Netscape-compatible Web-based revocation checking.

For more information about how to use the Certification Authority console to perform these tasks, see Certificate Services Help.

Installation of the Certification Authority Certificate

If you requested a certificate for a subordinate CA from an offline CA during the installation process, you must later obtain the CA certificate and install it to certify the CA. The CA does not run until the CA certificate is installed. You do not have to do this for root CAs or subordinate CAs that received the certificate from an enterprise CA during the installation process.

To obtain the CA certificate, use the Submit a Saved Request page of the Web Enrollment Support pages to submit the certificate request file that was created during the installation process. When the Issued Certificate page appears, click Install this certification path to install the certification path file for the CA. Then use the Certification Authority console to install the certification path file and certify the CA.

To use the Certification Authority console to install the CA certificate, right-click the CA node, click All Tasks, and then click Install CA Certificate. The CA certificate is installed from the issuing parent CA, and then the CA service starts.
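The same procedure driven from the command line, as an added example that is not part of the Resource Kit text. It assumes a stand-alone, offline parent CA that holds requests as pending until an administrator approves them (the default described under Default Action later in this section), placeholder host and CA names (ROOTCA01, SUBCA01, "Contoso Root CA", drive E: for the removable media that carries the files), and the certreq and certutil switches of Windows Server 2003 and later; on Windows 2000, check certutil -? before relying on -installCert and otherwise use the console step described above.

```powershell
# Added example, not from the Resource Kit. Placeholders: ROOTCA01 / "Contoso Root CA"
# (offline stand-alone parent), SUBCA01 (the new subordinate), drive E: (removable media).
# Assumes certreq/certutil of Windows Server 2003 or later.

$ParentConfig = 'ROOTCA01\Contoso Root CA'   # <host>\<CA common name> of the parent
$ReqFile      = 'E:\SubCA01.req'             # request written by the subordinate's setup
$CertFile     = 'E:\SubCA01.cer'
$ChainFile    = 'E:\SubCA01.p7b'             # PKCS#7 holding the whole certification path

function Complete-SubordinateRequest {
    # Run on the parent CA: submits, approves and retrieves the subordinate's request.
    $submit = certreq -submit -config $ParentConfig $ReqFile $CertFile 2>&1 | Out-String
    # A stand-alone parent answers "Certificate request is pending" plus a RequestId;
    # capture the number instead of retyping it from the console.
    if ($submit -notmatch 'RequestId:\s*"?(\d+)"?') {
        throw "certreq returned no RequestId:`n$submit"
    }
    $requestId = [int]$Matches[1]

    # The approval is the administrator decision that "Set the certificate request to
    # pending" exists to preserve; -resubmit issues the pending request.
    certutil -config $ParentConfig -resubmit $requestId | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "approval of request $requestId failed" }

    # Retrieve the certificate and the chain file the subordinate will install.
    certreq -retrieve -config $ParentConfig $requestId $CertFile $ChainFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "retrieval of request $requestId failed" }

    # Check before carrying the file back: the parent must have issued a CA certificate
    # (Basic Constraints: Subject Type=CA), or the subordinate's service will reject it.
    $dump = certutil -dump $CertFile | Out-String
    if ($dump -notmatch 'Subject Type\s*=\s*CA') {
        throw "$CertFile is not a CA certificate; check the parent's issuing policy"
    }
    return $requestId
}

function Install-SubordinateCertificate {
    # Run on SUBCA01 after E:\SubCA01.p7b has been carried over. Equivalent to
    # All Tasks > Install CA Certificate; the service stays stopped until this succeeds.
    certutil -installCert $ChainFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -installCert failed for $ChainFile" }
    Start-Service -Name certsvc
    # -ping fails if the service did not come up, for example because the chain does
    # not end in a root certificate that the subordinate trusts.
    certutil -ping | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'CA service is not answering after installation' }
}

# Typical sequence: Complete-SubordinateRequest on ROOTCA01, then carry E:\SubCA01.p7b
# to SUBCA01 and run Install-SubordinateCertificate there.
```

The chain file rather than the bare certificate is what the subordinate installs, so that the root certificate reaches the subordinate's store together with its own certificate; if the subordinate cannot build a path to a trusted root, the service will not start.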

Configuration of Policy Module Settings

If the default policy module settings described in this section meet your needs, no further configuration is necessary. To configure the policy module settings by using the Certification Authority console, right-click the CA node and then click Properties. When the CA Properties dialog box appears, click Policy Module and then click Configure. When the Properties dialog box appears, modify the following settings as necessary.

Default Action (for Stand-alone Certification Authorities)

By default, the Set the certificate request to pending check box is selected, so a stand-alone CA holds each request as pending until an administrator approves it. Click Automatically approve the certificate requests to configure a stand-alone CA to issue a certificate for every well-formed request without review. Note, however, that this is a major security risk and is not recommended: a stand-alone CA takes the subject name and requested usage from the request itself, so anyone who can reach the CA obtains a certificate with whatever contents they ask for. This option does not apply to enterprise CAs.

X.509 Extensions

You can click Add or Remove to modify the CRL distribution points that are listed in the CRL Distribution Points box. For example, to ensure that users have convenient access to CRLs, you can add a CRL distribution point for a commonly used public folder and the URL for a page on your internal Web site. The CA writes these CRL distribution points into the CRL Distribution Points extension of every certificate that it issues, so that applications such as Internet Explorer can locate the CRL when they check a certificate for revocation. Adding a distribution point does not by itself publish anything there: you must also configure an exit module for the CA to publish its CRLs to any CRL distribution points you add, and a distribution point that clients cannot reach causes revocation checking to fail or to be skipped, depending on the application. To disable a CRL distribution point that is listed in the CRL Distribution Points box, clear the check box next to it.

You can click Add or Remove to modify the certificate distribution points that are listed in Authority Information Access. For example, to ensure that users have convenient access to the certificate for a specified CA, you can add a certificate distribution point for a frequently used public folder and the URL for a page on your internal Web site. The certificate for this CA is published to these certificate distribution points. In addition, the CA writes these certificate distribution points into the Authority Information Access extension of every certificate that it issues. To disable a certificate distribution point that is listed in Authority Information Access, clear the check box next to it. When you view the Certification Path dialog box for a certificate that is issued by this CA, select the CA's certificate in the path, and click View, the system looks for the certificate in the order in which the certificate distribution points are listed in Authority Information Access.
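The CRL Distribution Points and Authority Information Access lists as a scripted change with a reachability check, added here as an example that is not part of the Resource Kit text. It assumes Windows Server 2003 and later, where the two lists live in the registry values CA\CRLPublicationURLs and CA\CACertPublicationURLs and each entry is a flag number followed by a location; the Windows 2000 policy module keeps the equivalent lists under its own registry key, so on that platform use the dialog described above. The web site pki.contoso.com and the CA name are placeholders.

```powershell
# Added example, not from the Resource Kit. Assumes Windows Server 2003 or later; the
# web site, CA name and CertEnroll folder below are placeholders.

$HttpBase = 'http://pki.contoso.com/CertEnroll'             # assumed internal web site
$Local    = "$env:SystemRoot\system32\CertSrv\CertEnroll"   # folder the CA service writes to
$CaName   = 'Contoso Issuing CA'                            # for the reachability check below

# Each entry is "<flags>:<location>". Flag bits, as certutil -getreg CA\CRLPublicationURLs
# decodes them:
#   1  publish the CRL to this location             2   put the URL in the CDP extension
#   4  put the URL in the Freshest CRL extension    8   put the URL in the CRL's own CDP
#   64 publish delta CRLs to this location          128 put the URL in the IDP extension
# %1 expands to the server DNS name, %3 to the CA name, %4 to the certificate name,
# %8 to the CRL renewal suffix and %9 to "+" for delta CRLs.
$CrlUrls = @(
    "65:$Local\%3%8%9.crl"          # written locally, never advertised in certificates
    "6:$HttpBase/%3%8%9.crl"        # advertised; the web server must serve the $Local files
)
# For the AIA list: 1 = publish the CA certificate here, 2 = put the URL in the AIA extension.
$AiaUrls = @(
    "1:$Local\%1_%3%4.crt"
    "2:$HttpBase/%1_%3%4.crt"
)

function Set-PublicationUrls {
    # certutil -setreg accepts a literal "\n" as the separator of a REG_MULTI_SZ value.
    certutil -setreg CA\CRLPublicationURLs    ($CrlUrls -join '\n') | Out-Null
    certutil -setreg CA\CACertPublicationURLs ($AiaUrls -join '\n') | Out-Null
    # The policy module reads the lists at start-up: restart, then publish a CRL so the
    # advertised URL is live before the first certificate that carries it is issued.
    Restart-Service -Name certsvc
    certutil -crl | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "CRL publication failed; check permissions on $Local" }
}

function Test-PublicationUrls {
    param([string]$IssuedCertFile)
    # 1. Is the CRL that certificates will advertise actually served? (Assumes the CA has
    #    not been renewed, so the %8 suffix is empty.)
    $resp = Invoke-WebRequest -UseBasicParsing -Uri "$HttpBase/$CaName.crl"
    if ($resp.StatusCode -ne 200) { throw "CRL not served at $HttpBase" }
    # 2. Does an issued certificate carry the URLs, and can every one be fetched?
    #    -urlfetch retrieves each CDP and AIA entry and reports each as Verified or Failed.
    $report = certutil -verify -urlfetch $IssuedCertFile | Out-String
    if ($report -match 'Failed "') { throw "unreachable URL in chain check:`n$report" }
    return $report
}

# Set-PublicationUrls
# Test-PublicationUrls -IssuedCertFile 'C:\Temp\first-issued.cer'
```

The local file entry is deliberately not advertised: a file or UNC path in a certificate is useless to clients outside the server and becomes a point of failure for revocation checking. Keep the advertised URL reachable from every network that validates certificates issued by this CA.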

Configuration of Exit Module Settings

If the default exit module settings described in this section meet your needs, no further configuration is necessary. To configure the active exit modules with the Certification Authority console, right-click the CA node, and then click Properties. When the CA Properties dialog box appears, click Exit Module, and then click Add or Remove to modify the modules that are listed in Active exit modules. If you use custom exit modules that you have developed or exit modules provided by third-party vendors, you must add them to this list; a module that is installed but not active never runs.

Install additional exit modules if you want to publish certificates and CRLs to different locations than those that are supported by the default enterprise and default stand-alone exit modules. For example, you might install a custom exit module to publish certificates to a Web page or to a third-party directory service.

Installing an exit module does not by itself cause publication: no matter what exit modules are installed, a certificate is published only if the certificate request specifies a publication location, and the exit module then writes the certificate to that location.

To configure an exit module's settings with the Certification Authority console, right-click the CA node, and then click Properties. When the CA Properties dialog box appears, click Exit Module. Select the module you want to configure, and then click Configure. When the Properties dialog box appears, modify the options that are described in Table 16.10.

Table   16.10 Certificate Publication

Option

Description

Allow certificate publication to Active Directory

By default, this option is selected for the default enterprise exit module. If you do not want to publish certificates or CRLs to Active Directory, clear the check box associated with this option. This option is not available for the default stand-alone exit module.

Allow certificate publication to the file system

By default, this option is selected for the default stand-alone exit module. If you do not want to publish certificates or CRLs to the file system, clear the check box associated with this option. By default, the check box for this option is cleared for the default enterprise exit module. If you want to enable certificates to be published to the file system, select the check box associated with this option.

For enterprise CAs, certificates are published to Active Directory as long as the default exit module is active and configured to publish certificates to Active Directory (the default setting). For stand-alone CAs, certificates are published to the local file system as long as the default exit module is active and configured to allow certificates to be published to the local file system (the default setting).

Scheduling Certificate Revocation List Publication

If the default CRL publication schedule meets your needs (a new CRL is published every week), no further configuration is necessary. The following are some examples of how you might modify the default CRL publication:

  • Schedule daily rather than weekly publication of CRLs because you expect a high rate of certificate revocations, or because the information protected by the certificates is valuable enough that a revoked certificate must stop working quickly. Relying applications cache a CRL until its next-update time, so the publication interval bounds how long a revoked certificate remains usable.

  • Schedule biweekly or monthly publication of CRLs because you expect a low rate of certificate revocations.

  • Turn off automatic CRL publication for offline CAs, such as stand-alone root CAs or stand-alone intermediate CAs, and instead publish CRLs manually. Publish the new CRL before the current one reaches its next-update time, and copy it to every CRL distribution point; an expired CRL causes revocation checking to fail for every certificate below that CA.

To change the CRL publication schedule with the Certification Authority console, right-click the Revoked Certificates node of the CA, and then click Properties. When the Revoked Certificates Properties dialog box appears, configure the CRL publication options that are described in Table 16.11.

Table   16.11 CRL Publishing Parameters

Option

Description

Publish Interval

Type the interval and select Hours, Days, Weeks, Months, or Years. For example, to schedule biweekly CRL publication, type 2 and select Weeks.

Next Publish

Displays the time that the next CRL is scheduled to be published.

Disable Scheduled Publishing

Select to turn off automatic CRL publishing for this CA.

View Current CRL

Select to view the most current CRL for this CA.
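The publication interval set from the command line, followed by a check of the window that the published CRL actually carries. This is an added example, not part of the Resource Kit text. The registry names are those of Windows Server 2003 and later (CA\CRLPeriodUnits, CA\CRLPeriod, CA\CRLOverlapUnits, CA\CRLOverlapPeriod); Windows 2000 keeps the same schedule but exposes it only through the Revoked Certificates dialog described above. The CRL path assumes the default CertEnroll folder and a CA that has not been renewed (renewal appends a "(n)" suffix to the file name); the CA name is a placeholder.

```powershell
# Added example, not from the Resource Kit. Assumes Windows Server 2003 or later registry
# names and the default CertEnroll folder; the CA name is a placeholder.

$CaName  = 'Contoso Issuing CA'
$CrlFile = "$env:SystemRoot\system32\CertSrv\CertEnroll\$CaName.crl"

function Set-CrlSchedule {
    param(
        [int]$Units,
        [ValidateSet('Hours','Days','Weeks','Months','Years')][string]$Period,
        [int]$OverlapUnits = 0,
        [ValidateSet('Hours','Days','Weeks','Months','Years')][string]$OverlapPeriod = 'Hours'
    )
    # Publish Interval from Table 16.11. The overlap is added to NextUpdate so that a
    # client whose download or clock lags a little does not see an expired CRL.
    certutil -setreg CA\CRLPeriodUnits $Units | Out-Null
    certutil -setreg CA\CRLPeriod $Period | Out-Null
    certutil -setreg CA\CRLOverlapUnits $OverlapUnits | Out-Null
    certutil -setreg CA\CRLOverlapPeriod $OverlapPeriod | Out-Null
    Restart-Service -Name certsvc
    certutil -crl | Out-Null        # publish now instead of waiting for Next Publish
    if ($LASTEXITCODE -ne 0) { throw 'CRL publication failed' }
}

function Get-CrlWindow {
    param([string]$Path = $CrlFile)
    # Reads ThisUpdate/NextUpdate from certutil's dump of the CRL. These are the times
    # relying parties honour: a revocation reaches a client only at its next download.
    $dump = certutil -dump $Path | Out-String
    if ($dump -notmatch 'ThisUpdate:\s*(.+?)\r?\n') { throw "no ThisUpdate in $Path" }
    $thisUpdate = [datetime]::Parse($Matches[1].Trim())
    if ($dump -notmatch 'NextUpdate:\s*(.+?)\r?\n') { throw "no NextUpdate in $Path" }
    $nextUpdate = [datetime]::Parse($Matches[1].Trim())
    [pscustomobject]@{
        ThisUpdate = $thisUpdate
        NextUpdate = $nextUpdate
        Lifetime   = $nextUpdate - $thisUpdate        # interval plus overlap
        Expired    = (Get-Date) -gt $nextUpdate       # expired CRL: validation below this CA fails
    }
}

# Issuing CA that expects many revocations: daily CRLs with a 12-hour overlap.
# Set-CrlSchedule -Units 1 -Period Days -OverlapUnits 12 -OverlapPeriod Hours
# Offline root published by hand: a long interval, then "certutil -crl" and a copy of the
# file to every distribution point before the window reported below closes.
# Set-CrlSchedule -Units 26 -Period Weeks
# Get-CrlWindow
```

Get-CrlWindow is the check to schedule on any CA that publishes manually: a monitor that alerts some days before NextUpdate is cheaper than the outage that follows an expired root CRL.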

Configuration of Certificates to Be Issued

When an enterprise CA is installed, the default issuing policy is configured to issue the following certificate types: Administrator, Domain Controller, Computer, Basic EFS, EFS Recovery Agent, User, Subordinate Certification Authority, and Web Server. You can configure each CA's issuing policy to meet the needs of your organization.

Before a CA can issue certificate types other than the defaults, you must use the Certification Authority console to add the certificate type to the issuing policy. You can also use the Certification Authority console to delete certificate types from an enterprise CA's issuing policy. Some examples:

  • Modify the issuing policy of a root or an intermediate CA so that it issues only Subordinate Certification Authority certificates.

  • Configure an issuing CA by adding the Trust List Signing certificate type to the default issuing policy and deleting the Subordinate Certification Authority certificate type from it.

  • Configure a CA so that it issues only the Enrollment Agent certificate.

  • Configure an issuing CA so that it issues only the Smart Card Logon and Smart Card User certificates, to support a deployment of smart cards.

To add a certificate type to the issuing policy with the Certification Authority console, right-click the Policy Settings node of the CA. Click New, and then click Certificate to Issue. When the Select Certificate Template dialog box appears, select one or more of the listed certificate templates, and then click OK. The selected certificate templates are added to the issuing policy.

When you select the Policy Settings node of a CA, the certificate types that the CA can issue are displayed in the details pane of the console. To delete a certificate template from the issuing policy, select the certificate template and press the DELETE key, or right-click the certificate template, and then click Delete.
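The same issuing-policy changes as a script that brings a CA's template list to an exact desired set, added here as an example that is not part of the Resource Kit text. It assumes the certutil -CATemplates and -SetCATemplates switches of Windows Server 2003 and later, and refers to templates by their internal names (for instance SubCA for Subordinate Certification Authority, Machine for Computer, EFSRecovery for EFS Recovery Agent, CTLSigning for Trust List Signing, EnrollmentAgent for Enrollment Agent); check certutil -? on older versions before using it.

```powershell
# Added example, not from the Resource Kit. Assumes certutil of Windows Server 2003 or
# later and the templates' internal names.

function Get-CATemplate {
    # Each output line starts with "<InternalName>: <Display name> ..."; the trailing
    # "CertUtil: ... completed successfully" status line is skipped.
    certutil -CATemplates | ForEach-Object {
        if ($_ -match '^(?<name>[^\s:]+):\s' -and $Matches.name -ne 'CertUtil') { $Matches.name }
    }
}

function Set-CATemplateList {
    # Makes the CA's issuing policy exactly $Desired: adds what is missing, removes the rest.
    # This is the CA-side gate only; who may enroll for each remaining template is still
    # decided by that template's own ACL.
    param([string[]]$Desired)
    $current = @(Get-CATemplate)
    foreach ($t in $Desired | Where-Object { $_ -notin $current }) {
        certutil -SetCATemplates "+$t" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "could not add template $t" }
    }
    foreach ($t in $current | Where-Object { $_ -notin $Desired }) {
        certutil -SetCATemplates "-$t" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "could not remove template $t" }
    }
    Get-CATemplate
}

# Root or intermediate CA: nothing but subordinate CA certificates.
# Set-CATemplateList -Desired @('SubCA')
# Issuing CA from the text: the defaults plus Trust List Signing, minus SubCA.
# Set-CATemplateList -Desired @('Administrator','DomainController','Machine','EFS',
#                               'EFSRecovery','User','WebServer','CTLSigning')
```

Removing SubCA from every issuing CA is the change worth making first: a CA that can issue subordinate CA certificates can mint a new CA for anyone its template ACL admits.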

Permission to enroll for each certificate type is controlled by the ACLs for each certificate template, as described in "Modify the Default Security Permissions for Certificate Templates (Optional)" later in this chapter. You also can use the Certification Authority console to modify security settings for a CA to prevent some users or members of some security groups from enrolling for certificates from that CA.

Modification of Security for a Certification Authority

By default, members of the local Administrators and Authenticated Users security groups and members of the global Domain Admins and Enterprise Admins security groups are granted Enroll permissions, so they can request certificates from the CA. This means that by default all users in the domain can request certificates from the CA for all certificate types that they are authorized to receive. In addition, members of the local Administrators security group and members of the global Domain Admins and Enterprise Admins security groups are granted Manage permissions for the CA. If the default security for the CA meets your needs, no further configuration is necessary.

To configure new security settings for a CA by using the Certification Authority console, right-click the CA node, and then click Properties. When the CA Properties dialog box appears, click Security, and then modify the security settings as needed. Click Add or Remove to change the user accounts or security groups that are listed. When you select a security group or a user account from the list, the corresponding permissions appear in the Permissions box.

To change basic permissions, select a security group or a user account from the list, and then select or clear the appropriate check boxes next to the basic permissions in the Permissions box. You can select permissions check boxes in either the Allow or Deny column. If you select a check box in the Allow column, the corresponding permissions are granted to the selected security group or user account. If you select a check box in the Deny column, the corresponding permissions are denied to the selected security group or user account; a Deny entry takes precedence over any Allow entry that applies to the same account through group membership.

To modify advanced permissions, click Advanced. When the Permissions dialog box appears, click Add or Remove to change the security groups or user accounts that are listed. Select a security group or a user account, and then click View/Edit to modify the advanced permissions.

Table 16.12 contains descriptions of the permissions you can configure for a CA. All of the permissions can be modified in the advanced Permissions dialog box.

Table   16.12 Permissions for Certification Authorities

Permission

Description

Manage (basic)

Determines which user accounts and security groups can manage the CA with the Certification Authority console or run command-line programs. By default, members of the local Administrators security group and members of the global Domain Admins and Enterprise Admins security groups are granted these permissions.

Enroll (basic)

Determines which user accounts and security groups can request certificates from the CA. By default, members of the local Administrators and Authenticated Users security groups and members of the global Domain Admins and Enterprise Admins security groups are granted these permissions.

Read (basic)

Determines which user accounts and security groups can read configuration information for the CA. By default, members of the local Administrators and Authenticated Users security groups and members of global Domain Admins and Enterprise Admins security groups are granted these permissions.

Write Configuration (advanced only)

Determines which user accounts and security groups can change configuration data for the CA. By default, these permissions are granted to all user accounts and security groups with Manage permissions.

Read Control (advanced only)

Determines which user accounts and security groups have read permission to view the security settings for the CA. By default, these permissions are granted to all user accounts and security groups with Read Configuration permissions.

Modify Permissions (advanced only)

Determines which user accounts and security groups can change permissions for CA security. By default, these permissions are granted to all user accounts and security groups with Manage permissions.

Modify Owner (advanced only)

Determines which user accounts and security groups can change the owner of the CA object. By default, these permissions are granted to all user accounts and security groups with Manage permissions.

Revoke Certificates (advanced only)

Determines which user accounts and security groups can revoke certificates. By default, these permissions are granted to all user accounts and security groups with Manage permissions.

Approve Certificates (advanced only)

Determines which user accounts and security groups can approve certificate requests for stand-alone CAs. By default, these permissions are granted to all user accounts and security groups with Manage permissions.

Read Database (advanced only)

Determines which user accounts and security groups can gain access to and read the information in the certificate database. By default, these permissions are granted to all user accounts and security groups with Manage permissions.
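An audit of who actually holds these permissions, added here as an example that is not part of the Resource Kit text. It reads the CA's security descriptor from the registry value that certutil -getreg CA\Security displays and decodes each entry. The right bits are those of Windows Server 2003 and later, where the permissions in Table 16.12 were regrouped (Manage CA 0x1, Issue and Manage Certificates 0x2, Auditor 0x4, Backup Operator 0x8, Read 0x100, Request Certificates 0x200); on Windows 2000 the names differ, so treat the labels as an assumption there and compare the output with the Security tab. The list of trusted administrative groups is an assumption to adjust for your forest.

```powershell
# Added example, not from the Resource Kit. Run locally on the CA with administrative rights.
# Right bits are those of Windows Server 2003 and later (assumption for Windows 2000).

$CaName = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active
$CaKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"

$CaRights = [ordered]@{
    0x001 = 'ManageCA'
    0x002 = 'IssueAndManageCertificates'   # includes approving pending requests and revoking
    0x004 = 'Auditor'
    0x008 = 'Operator'                      # backup and restore of the CA
    0x100 = 'Read'
    0x200 = 'Enroll'
}

function Get-CAAcl {
    $bytes = (Get-ItemProperty -Path $CaKey -Name Security).Security
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $who = try { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
               catch { $ace.SecurityIdentifier.Value }   # orphaned SID: a deleted account still on the ACL
        $names = foreach ($bit in $CaRights.Keys) { if ($ace.AccessMask -band $bit) { $CaRights[$bit] } }
        [pscustomobject]@{
            Principal = $who
            Type      = $ace.AceType        # AccessAllowed or AccessDenied; Deny wins over Allow
            Rights    = ($names -join ',')
            RawMask   = ('0x{0:X}' -f $ace.AccessMask)
        }
    }
}

function Find-CAAclRisk {
    # Flags what the text says to review: Manage or certificate-officer rights held by anyone
    # outside the administrative groups, and Enroll granted to broad groups.
    param([string[]]$Trusted = @('BUILTIN\Administrators', 'Domain Admins', 'Enterprise Admins'))
    foreach ($e in Get-CAAcl | Where-Object Type -eq 'AccessAllowed') {
        $isTrusted = $false
        foreach ($t in $Trusted) { if ($e.Principal -like "*$t") { $isTrusted = $true } }
        if (($e.Rights -match 'ManageCA|IssueAndManageCertificates') -and -not $isTrusted) {
            "REVIEW: $($e.Principal) holds $($e.Rights)"
        }
        if ($e.Rights -match 'Enroll' -and $e.Principal -match 'Everyone|Authenticated Users|Domain Users') {
            "NOTE: $($e.Principal) can enroll; the templates' own ACLs are the remaining gate"
        }
    }
}

Get-CAAcl | Format-Table -AutoSize
Find-CAAclRisk
```

Enroll for Authenticated Users is the documented default and is usually acceptable, because each template's ACL still decides what such a user receives; Manage or Issue and Manage Certificates held by anyone who is not a CA administrator is not, because either right lets its holder approve a pending request or revoke certificates without further review.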

Enabling Netscape-compatible Web-based Revocation Checking

Netscape-compatible Web browsers support a proprietary online certificate revocation checking method that checks for revoked certificates at a location that is listed in an extension field of the certificate. To enable Netscape-compatible, Web-based revocation check extensions to be added to every certificate, run the following Certutil command from the command prompt on the CA server:

certutil -SetReg Policy\RevocationType +AspEnable

Then stop and start the Certification Authority service. Certificates that are issued by the certification authority after it is restarted contain the extension.