How to Set Up a CA for Non-Persistent Certificate Processing

  • Article

Applies To: Windows Server 2008 R2

An enterprise certification authority (CA) running on Windows Server 2008 R2 can be configured for non-persistent certificate processing, which is processing certificate requests and issuing certificates without storing requests and certificates in the CA database. This configuration is intended to address the needs of high-volume certificate issuance scenarios including Network Access Protection (NAP) deployments with Internet Protocol security (IPsec) enforcement in which hundreds or thousands of certificates with short validity periods are issued every day.

By default, certificate processing includes storing a record of each certificate request and issued certificate in the CA database. A sustained high volume of requests increases the CA database growth rate and could consume all available disk space if not monitored.

The CA database configuration option DBFLAGS_ENABLEVOLATILEREQUESTS combined with the certificate template configuration option Do not store certificates and requests in the CA database enables non-persistent certificate processing and can help reduce the CA database growth rate and frequency of database management tasks.

When non-persistent certificate processing is enabled, certificate revocation is not possible because a copy of the certificate is not stored in the CA database. However, when certificates are valid for a short period (eight hours, for example), certificate revocation may not be practical or beneficial. The configuration described in this guide gives you the option to reduce the resources required by the CA database if certificate revocation is not required for your scenario.

In scenarios that do not require certificate revocation, certificate validation times can be reduced by enabling the certificate template option Do not include revocation information in issued certificates. If no certificate revocation information is present in a certificate, revocation status is not checked during certificate validation. This option is recommended when Do not store certificates and requests in the CA database is enabled.

Configuring a CA for non-persistent certificate processing

Complete the following steps to enable the CA database configuration option DBFLAGS_ENABLEVOLATILEREQUESTS.

Important

You must also configure certificate templates to enable the certificate template option Do not store certificates and requests in the CA database. Certificate requests based on templates that do not have this option enabled are processed normally and certificate records are stored in the CA database.

To configure a CA for non-persistent certificate processing

  1. Log on as a CA administrator.

  2. Open a command prompt window.

  3. Type certutil –setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS and press ENTER.

  4. Type sc stop certsvc and press ENTER.

  5. Type sc start certsvc and press ENTER.

Configuring certificate templates for non-persistent certificate processing

Complete the following steps to enable certificate requests based on the configured template to be processed by an enterprise CA without storing records in the CA database.

You can modify an existing certificate template or duplicate a template and configure the duplicate. You must also assign the template to a CA to make it available to domain users and computers.

Both procedures should be completed by using Server Manager running on an enterprise CA or remotely connected to an enterprise CA. You must be a member of the Enterprise Admins or Domain Admins group.

To configure certificate templates for non-persistent certificate processing

  1. Log on to an enterprise CA as a member of the Enterprise Admins group.

  2. Start Server Manager.

  3. In the console tree, expand Roles, expand Active Directory Certificate Services, and click Certificate Templates.

  4. In the details pane, right-click the certificate template you want to configure, and click Properties.

  5. Click the Server tab.

  6. Click Do not store certificates and requests in the CA database.

  7. Click Do not include revocation information in issued certificates.

  8. Click OK.

Complete the following steps to assign the certificate template to an enterprise CA.

To assign a certificate template to an enterprise CA

  1. In Server Manager, in the console tree, expand the name of your CA.

  2. Right-click Certificate Templates, click New, and then click Certificate Template to Issue.

  3. In the Enable Certificate Templates dialog box, click the certificate template you configured in the previous procedure, and then click OK.

Note

Any certificate template that is already present on the CA will not be displayed in the Enable Certificate Templates dialog box. To view the list of templates assigned to the CA, close the dialog box and click Certificate Templates. Delete any template with the same name as the template that you want to add. Repeat step 3 to assign the new template.

Verifying non-persistent certificate processing

To verify your CA is configured for non-persistent certificate processing, complete one of the procedures described below to enroll for a certificate based on a certificate template that you have configured for non-persistent certificate processing and then verify a certificate record is not stored in the CA database. You can also verify the issued certificate does not contain revocation information in the CRL distribution point extension.

To manually enroll for a certificate by using the Certificate Request wizard, complete the procedure Request a Certificate (https://go.microsoft.com/fwlink/?LinkId=179367). In step 4 of the procedure, select a certificate template that you have configured for non-persistent certificate processing.

Alternatively, you can perform autoenrollment for user certificates by completing the following procedure or by running the command certutil.exe -pulse. To use autoenrollment, you must configure autoenrollment in your environment and grant Autoenroll permissions on the certificate template.

To perform autoenrollment

  1. Log on to a domain member computer by using an account that has Autoenroll, Enroll, and Read permissions for the certificate templates that are assigned to the destination CA.

  2. Click Start, and then click Run.

  3. Type certmgr.msc, and then click OK to open the Certificates snap-in.

  4. In the console tree, right-click Certificates – Current User, click All Tasks, and then click Automatically Enroll and Retrieve Certificates to start the Certificate Enrollment wizard.

  5. On the Before You Begin page, click Next.

  6. On the Request Certificates page, a list of one or more certificate templates should be displayed. Select the check box next to each certificate template that you want to request, and then click Enroll.

Note

If the correct certificate templates are not displayed, click Show all templates to display all certificate templates that are assigned to the issuing CA. A status of Unavailable indicates the user account does not have permission to autoenroll for a certificate. Follow the steps in the "To configure certificate templates for autoenrollment" procedure earlier in this topic. For more information, see Troubleshooting Certificate Enrollment.

  1. Click Finish to complete the enrollment process.

  2. In the console tree, double-click Personal, and then click Certificates to display a list of installed user certificates and to verify that the certificate that you requested is displayed.

If you enabled the certificate template option Do not include revocation information in issued certificates you can use the following procedure to verify that revocation is not included in the issued certificate.

The procedure should be completed on the same domain member computer you used to verify certificate enrollment.

To verify revocation information is not included in certificates

  1. Start the Certificates snap-in.

  2. In the tree view, expand Personal, and click Certificates.

  3. Double-click the certificate you were issued in the previous procedure.

  4. Click the Details tab.

  5. In Fields, click CRL Distribution Points.

  6. In the lower pane, verify there is no revocation information.

After the certificate is issued, complete the following procedure to verify that a record of the certificate is not stored in the CA database.

To verify non-persistent certificate processing on your CA

  1. Log on to your CA as a CA administrator.

  2. Start Server Manager.

  3. In the console tree, expand Roles, expand Active Directory Certificate Services, expand your CA, and then click Issued Certificates.

  4. In the details pane, review the list of issued certificates to ensure the certificate you requested in the previous procedure is not stored in the CA database.