This step-by-step guide describes the steps needed to set up a basic configuration of Active Directory® Certificate Services (AD CS) in a lab environment.
AD CS in Windows Server® 2008 provides customizable services for creating and managing public key certificates used in software security systems that employ public key technologies.
This document includes:
• A review of AD CS features
• Requirements for using AD CS
• Procedures for a basic lab setup to test AD CS on a minimum number of computers
• Procedures for an advanced lab setup to test AD CS on a larger number of computers to more realistically simulate real-world configurations
AD CS Technology Review
Using the Active Directory Certificate Services option of the Add Roles Wizard, you can set up the following components of AD CS:
• Certification authorities (CAs). Root and subordinate CAs are used to issue certificates to users, computers, and services, and to manage their validity.
• CA Web enrollment. Web enrollment allows users to connect to a CA by means of a Web browser in order to:
• Online Responder service. The Online Responder service implements the Online Certificate Status Protocol (OCSP) by decoding revocation status requests for specific certificates, evaluating the status of these certificates, and sending back a signed response containing the requested certificate status information.
• Network Device Enrollment Service. The Network Device Enrollment Service allows routers and other network devices to obtain certificates based on the Simple Certificate Enrollment Protocol (SCEP) from Cisco Systems Inc.
Requirements for Using AD CS
CAs can be set up on servers running a variety of operating systems, including Windows® 2000 Server, Windows Server® 2003, and Windows Server 2008. However, not all operating systems support all features or design requirements, and creating an optimal design requires careful planning and lab testing before you deploy AD CS in a production environment. Although you can deploy AD CS with as little hardware as a single server for a single CA, many deployments involve multiple servers configured as root, policy, and issuing CAs, and other servers configured as Online Responders.
The following table lists the AD CS components that can be configured on different editions of Windows Server 2008.
| Components | Web | Standard | Enterprise | Datacenter |
The following features are available on servers running Windows Server 2008 that have been configured as CAs.
| AD CS features | Web | Standard | Enterprise | Datacenter |
AD CS Basic Lab Scenario
The following sections describe how you can set up a lab to begin evaluating AD CS.
We recommend that you first use the steps provided in this guide in a test lab environment. Step-by-step guides are not necessarily meant to be used to deploy Windows Server features without accompanying documentation and should be used with discretion as a stand-alone document.
Steps for Setting up a Basic Lab
You can begin testing many features of AD CS in a lab environment by using as few as two servers running Windows Server 2008 and one client computer running Windows Vista®. The computers for this guide are named as follows:
• LH_DC1: This computer will be the domain controller for your test environment.
• LH_PKI1: This computer will host an enterprise root CA for the test environment. This CA will issue certificates to the Online Responder and to client computers.
• LH_CLI1: This client computer running Windows Vista will autoenroll for certificates from LH_PKI1 and verify certificate status from LH_PKI1.
To configure the basic lab setup for AD CS, you need to complete the following prerequisite steps:
• Set up a domain controller on LH_DC1 for contoso.com, including some organizational units (OUs) to contain one or more users for the client computer, client computers in the domain, and the servers hosting CAs and Online Responders.
• Install Windows Server 2008 on LH_PKI1, and join LH_PKI1 to the domain.
• Install Windows Vista on LH_CLI1, and join LH_CLI1 to contoso.com.
After you have completed these preliminary setup procedures, you can begin to complete the following steps:
Step 1: Setting Up an Enterprise Root CA
Step 2: Installing the Online Responder
Step 3: Configuring the CA to Issue OCSP Response Signing Certificates
Step 4: Creating a Revocation Configuration
Step 5: Verifying that the AD CS Lab Setup Functions Properly
Step 1: Setting Up an Enterprise Root CA
An enterprise root CA is the anchor of trust for the basic lab setup. It will be used to issue certificates to the Online Responder and client computer, and to publish certificate information to Active Directory Domain Services (AD DS).
To set up an enterprise root CA
Step 2: Installing the Online Responder
An Online Responder can be installed on any computer running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter. The certificate revocation data can come from a CA on a computer running Windows Server 2008, a CA on a computer running Windows Server 2003, or from a non-Microsoft CA.
To install the Online Responder
Step 3: Configuring the CA to Issue OCSP Response Signing Certificates
Configuring a CA to support Online Responder services involves configuring certificate templates and issuance properties for OCSP Response Signing certificates and then completing additional steps on the CA to support the Online Responder and certificate issuance.
To configure certificate templates for your test environment
To configure the CA to support Online Responders, you need to use the Certification Authority snap-in to complete two key steps:
• Add the location of the Online Responder to the authority information access extension of issued certificates.
• Enable the certificate templates that you configured in the previous procedure for the CA.
To configure a CA to support the Online Responder service
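The two changes above are made in the snap-in's Extensions tab and Certificate Templates folder. The following is an added example, not part of the original guide, that makes the same two changes from an elevated prompt on LH_PKI1 with certutil and then checks that they took effect. It assumes the Online Responder will answer at http://lh_pki1.contoso.com/ocsp (the basic lab hosts it on the CA) and uses the template's common name, OCSPResponseSigning.

```powershell
# Added example (not from the original guide). Run on LH_PKI1 as an administrator.
# Assumed: OCSP URL below; template common name OCSPResponseSigning.
$OcspUrl = "http://lh_pki1.contoso.com/ocsp"

# 1. Authority information access extension.
#    CA\CACertPublicationURLs is a REG_MULTI_SZ of "<flags>:<url>" entries.
#    Flag 2  (CSURL_ADDTOCERTCDP)  = put the URL in the AIA extension as a CA cert location.
#    Flag 32 (CSURL_ADDTOCERTOCSP) = put the URL in the AIA extension as an OCSP location.
#    The leading '+' appends to the existing CRT/LDAP entries instead of replacing them.
certutil -setreg CA\CACertPublicationURLs "+32:$OcspUrl"

# 2. Enable the OCSP Response Signing template on this CA ('+' adds, '-' removes).
certutil -SetCATemplates +OCSPResponseSigning

# Both settings are read when the service starts.
Restart-Service CertSvc

# 3. Verify instead of trusting the exit codes.
function Test-CaOcspConfig($Url) {
    $urls      = certutil -getreg CA\CACertPublicationURLs | Out-String
    $templates = certutil -CATemplates | Out-String
    $result = @{
        AiaHasOcspUrl   = ($urls -match [regex]::Escape("32:$Url"))
        TemplateEnabled = ($templates -match "OCSPResponseSigning")
    }
    return $result
}

$check = Test-CaOcspConfig $OcspUrl
if (-not $check.AiaHasOcspUrl)   { throw "OCSP URL was not added to CACertPublicationURLs" }
if (-not $check.TemplateEnabled) { throw "OCSPResponseSigning template is not enabled on the CA" }
"CA configured: AIA carries the OCSP URL and the signing template is enabled."
```

Only certificates issued after the restart carry the new AIA entry; certificates enrolled earlier in the lab will still direct clients to the CRL only, so re-enroll the client (certutil -pulse on LH_CLI1) before testing OCSP.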
Step 4: Creating a Revocation Configuration
A revocation configuration includes all of the settings that are needed to respond to status requests regarding certificates that have been issued by using a specific CA key.
These configuration settings include the CA certificate, the signing certificate for the Online Responder, and the locations to which clients are directed to send their status requests.
To verify that the signing certificate is properly configured
Creating a revocation configuration involves the following tasks:
• Identify the CA certificate for the CA that supports the Online Responder.
• Identify the CRL distribution point for the CA.
• Select a signing certificate that will be used to sign revocation status responses.
• Select a revocation provider, the component responsible for retrieving and caching the revocation information used by the Online Responder.
To create a revocation configuration
• If it appears, click the name of the CA that you want to associate with your revocation configuration, and then click Next.
• If it does not appear, click Browse for a CA by Computer name and type the name of the computer hosting LH_PKI1, or click Browse to locate this computer. When you have located the computer, click Next.
Step 5: Verifying that the AD CS Lab Setup Functions Properly
You can verify the setup steps described previously as you perform them.
After the installation is complete, you should verify that your basic test setup is functioning properly by confirming that you can autoenroll certificates, revoke certificates, and make accurate revocation data available from the Online Responder.
To verify that the AD CS test setup functions properly
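The following is an added example, not part of the original guide, that exercises the revocation configuration from Step 4 and the verification in Step 5 end to end: enroll on LH_CLI1, check status through the URLs embedded in the certificate, revoke at the CA, republish, and confirm that the answer changes to revoked. The three sections run on different computers, so carry the serial number across. It assumes the CA config string LH_PKI1.contoso.com\contoso-LH_PKI1-CA, that the issuer name contains contoso-LH_PKI1-CA, and that the Online Responder runs on LH_PKI1 as in the basic lab.

```powershell
# Added example (not from the original guide). Assumed names: CA config string,
# issuer name, Online Responder co-located with the CA on LH_PKI1.
$CaConfig = "LH_PKI1.contoso.com\contoso-LH_PKI1-CA"
$CerPath  = "C:\lab\client.cer"

function Get-LabClientCert {
    # First machine certificate issued by the lab CA (autoenrolled in Step 1).
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
    $store.Open("ReadOnly")
    $cert = @($store.Certificates | Where-Object { $_.Issuer -like "*contoso-LH_PKI1-CA*" })[0]
    $store.Close()
    if (-not $cert) { throw "No certificate from the lab CA found; run 'certutil -pulse' and check Step 1" }
    return $cert
}

function Test-RevocationStatus($Path) {
    # -urlfetch makes the chain engine retrieve CRL/OCSP data from the CDP/AIA
    # URLs in the certificate instead of relying on whatever is cached locally.
    $out = certutil -verify -urlfetch $Path | Out-String
    if ($out -match "CRYPT_E_REVOKED|0x80092010") { return "revoked" }
    if ($out -match "revocation check passed")    { return "good" }
    return "unknown"   # e.g. responder unreachable: CRYPT_E_REVOCATION_OFFLINE (0x80092013)
}

# --- On LH_CLI1 ---
certutil -pulse | Out-Null                    # trigger autoenrollment now instead of waiting
$cert = Get-LabClientCert
New-Item -ItemType Directory -Force (Split-Path $CerPath) | Out-Null
[IO.File]::WriteAllBytes($CerPath, $cert.Export("Cert"))   # DER, public part only
"Serial $($cert.SerialNumber) before revocation: " + (Test-RevocationStatus $CerPath)

# --- On LH_PKI1 (any account with Certificate Manager rights on the CA) ---
$Serial = $cert.SerialNumber                  # paste the serial printed above if on another box
# Reason 1 = KeyCompromise (0 Unspecified, 4 Superseded, 6 CertificateHold, -1 Unrevoke).
certutil -config $CaConfig -revoke $Serial 1
certutil -config $CaConfig -crl               # publish a new base CRL immediately
# The revocation provider keeps the last CRL it fetched until its refresh interval;
# in the lab, restarting the Online Responder is the quickest way to pick up the new one.
Restart-Service OcspSvc

# --- Back on LH_CLI1 ---
certutil -urlcache * delete | Out-Null        # drop this user's cached OCSP responses and CRLs
"Serial $($cert.SerialNumber) after revocation:  " + (Test-RevocationStatus $CerPath)
```

Expect "good" before and "revoked" after. If the second check still says "good", the usual causes are a cached response on the client (the urlcache line above), a responder that has not refreshed its CRL, or a client certificate issued before the OCSP URL was added to the AIA extension, in which case certutil -verify will show only CDP fetches and no OCSP URL.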
AD CS Advanced Lab Scenario
The following sections describe how you can set up a lab to evaluate more features of AD CS than in the basic lab setup.
Steps for Setting Up an Advanced Lab
To test additional features of AD CS in a lab environment, you will need five computers running Windows Server 2008 and one client computer running Windows Vista. The computers for this guide are named as follows:
• LH_DC1: This computer will be the domain controller for your test environment.
• LH_CA_ROOT1: This computer will host a stand-alone root CA for the test environment.
• LH_CA_ISSUE1: This enterprise CA will be subordinate to LH_CA_ROOT1 and issue certificates to the Online Responder and to client computers.
• LH_ORS1: This server will host the Online Responder.
• LH_NDES: This server will host the Network Device Enrollment Service, which makes it possible to issue and manage certificates for routers and other network devices.
• LH_CLI1: This client computer running Windows Vista will autoenroll for certificates from LH_CA_ISSUE1 and verify certificate status from LH_ORS1.
To configure the advanced lab setup for AD CS, you need to complete the following prerequisite steps:
1. Set up a domain controller on LH_DC1 for contoso.com, including some OUs to contain one or more users for LH_CLI1, client computers in the domain, and the servers hosting CAs and Online Responders.
After you have completed these preliminary setup procedures, you can begin to complete the following steps:
Step 1: Setting Up the Stand-Alone Root CA
Step 2: Setting Up the Enterprise Subordinate Issuing CA
Step 3: Installing and Configuring the Online Responder
Step 4: Configuring the Issuing CA to Issue OCSP Response Signing Certificates
Step 5: Configuring the Authority Information Access Extension to Support the Online Responder
Step 6: Assigning the OCSP Response Signing Template to a CA
Step 7: Enrolling for an OCSP Response Signing Certificate
Step 8: Creating a Revocation Configuration
Step 9: Setting Up and Configuring the Network Device Enrollment Service
Step 10: Verifying that the Advanced AD CS Test Setup Functions Properly
Step 1: Setting Up the Stand-Alone Root CA
A stand-alone root CA is the anchor of trust for the advanced lab setup. It will be used only to issue certificates to the subordinate issuing CA. Because it is critical to the security of the public key infrastructure (PKI), in many PKIs this CA is kept offline and brought online only when it is needed to issue or renew subordinate CA certificates and to publish its CRL. The CRL it issues must still be copied to a location that clients can reach (for example, an HTTP path on the issuing CA) before the previous one expires; otherwise chains built through the subordinate CA will fail revocation checking.
To set up a stand-alone root CA
Step 2: Setting Up the Enterprise Subordinate Issuing CA
Most organizations use at least one subordinate CA to protect the root CA from unnecessary exposure. An enterprise CA also allows you to use certificate templates and to use AD DS for enrollment and publishing certificates.
To set up an enterprise subordinate issuing CA
Step 3: Installing and Configuring the Online Responder
An Online Responder can be installed on any computer running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter. The certificate revocation data can come from a CA on a computer running Windows Server 2008, a CA on a computer running Windows Server 2003, or from a non-Microsoft CA. An Online Responder will typically not be installed on the same computer as a CA.
To install the Online Responder service
Step 4: Configuring the Issuing CA to Issue OCSP Response Signing Certificates
As with any certificate template, the OCSP Response Signing template must be configured with the enrollment permissions for Read, Enroll, Autoenroll, and Write before any certificates can be issued based on the template.
To configure certificate templates for your test environment
Step 5: Configuring the Authority Information Access Extension to Support the Online Responder
You need to configure the CAs to include the URL for the Online Responder as part of the authority information access extension of the issued certificate. This URL is used by the Online Responder client to validate the certificate status.
To configure the authority information access extension to support the Online Responder
Step 6: Assigning the OCSP Response Signing Template to a CA
Once the templates are properly configured, the CA needs to be configured to issue that template.
To configure the CA to issue certificates based on the newly created OCSP Response Signing template
Step 7: Enrolling for an OCSP Response Signing Certificate
Enrollment might not take place right away. Therefore, before you proceed to the next step, confirm that certificate enrollment has taken place so that a signing certificate exists on the computer, and verify that the permissions on the signing certificate allow the Online Responder to use it.
To verify that the signing certificate is properly configured
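The snap-in procedure checks this by hand. The following is an added example, not part of the original guide, that performs the same check on LH_ORS1 in a script: it finds certificates with the OCSP Signing enhanced key usage in the machine store and tests whether the Online Responder's service account can read the corresponding private key file. It assumes the responder runs as NT AUTHORITY\NETWORK SERVICE (the default), that the issuer name contains contoso-LH_CA_ISSUE1-CA, that machine keys live under the two standard %ProgramData%\Microsoft\Crypto paths (CAPI and CNG), and that certutil -store prints the on-disk container name as "Unique container name: <name>".

```powershell
# Added example (not from the original guide). Run on LH_ORS1 as an administrator.
# Assumed: service account, issuer name, key directories and certutil output format below.
$OcspSigningEku = "1.3.6.1.5.5.7.3.9"          # id-kp-OCSPSigning
$ServiceAccount = "NT AUTHORITY\NETWORK SERVICE"
$KeyDirs = @("$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",   # CAPI machine keys
             "$env:ProgramData\Microsoft\Crypto\Keys")              # CNG machine keys

function Get-OcspSigningCerts {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
    $store.Open("ReadOnly")
    $found = @($store.Certificates | Where-Object {
        $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }   # Enhanced Key Usage
        $_.HasPrivateKey -and $eku -and
        @($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $OcspSigningEku }).Count -gt 0
    })
    $store.Close()
    return $found
}

function Get-KeyFile($Cert) {
    # certutil knows the container name for both CAPI and CNG keys.
    $line = certutil -store My $Cert.Thumbprint | Where-Object { $_ -match "Unique container name:" } | Select-Object -First 1
    if (-not ($line -match "Unique container name:\s*(\S+)")) { return $null }
    $name = $Matches[1]
    foreach ($dir in $KeyDirs) {
        $f = Get-ChildItem -Path $dir -Recurse -Force -Filter $name -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($f) { return $f.FullName }
    }
    return $null
}

function Test-KeyReadable($Path, $Account) {
    # 0x20089 = FileSystemRights::Read (ReadData|ReadAttributes|ReadExtendedAttributes|ReadPermissions)
    $acl  = Get-Acl $Path
    $rule = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq "Allow" -and
        ((([int]$_.FileSystemRights) -band 0x20089) -ne 0)
    }
    return [bool]$rule
}

$certs = Get-OcspSigningCerts
if ($certs.Count -eq 0) {
    certutil -pulse | Out-Null
    throw "No OCSP Response Signing certificate yet; autoenrollment triggered, re-run shortly (check Steps 4 to 6)"
}
foreach ($c in $certs) {
    "Signing cert $($c.Thumbprint): $($c.Subject), issued by $($c.Issuer), expires $($c.NotAfter)"
    if ($c.Issuer -notlike "*contoso-LH_CA_ISSUE1-CA*") { "  WARNING: not issued by the lab issuing CA" }
    $key = Get-KeyFile $c
    if (-not $key) { "  WARNING: could not locate the private key file"; continue }
    if (Test-KeyReadable $key $ServiceAccount) { "  OK: $ServiceAccount can read $key" }
    else { "  FAIL: grant Read to $ServiceAccount (Manage Private Keys in the Certificates console)" }
}
```

OCSP Response Signing certificates are short-lived by design (the template defaults to a two-week validity period), so autoenrollment will replace them regularly; a check like this one is worth repeating after the first renewal to confirm the new key is also readable by the service.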
Step 8: Creating a Revocation Configuration
Creating a revocation configuration involves the following tasks:
• Identify the CA certificate for the CA that supports the Online Responder.
• Identify the CRL distribution point for the CA.
• Select a signing certificate that will be used to sign revocation status responses.
• Select a revocation provider, the component responsible for retrieving and caching the revocation information used by the Online Responder.
To create a revocation configuration
• If it appears, click the name of the CA that you want to associate with your revocation configuration, and then click Next.
• If it does not appear, click Browse for a CA by Computer name and type the name of the computer hosting LH_CA_ISSUE1, or click Browse to locate this computer. When you have located the computer, click Next.
Step 9: Setting Up and Configuring the Network Device Enrollment Service
The Network Device Enrollment Service allows software on routers and other network devices, which run without domain credentials, to obtain certificates.
The Network Device Enrollment Service operates as an ISAPI filter on IIS that performs the following functions:
• Generates and provides one-time enrollment passwords to administrators
• Processes SCEP enrollment requests
• Retrieves pending requests from the CA
SCEP was developed as an extension to existing HTTP, PKCS #10, PKCS #7, RFC 2459, and other standards to enable network device and application certificate enrollment with CAs.
Before you begin this procedure, create a user ndes_user1 and add this user to the IIS_IUSRS group on the server that will host the Network Device Enrollment Service. Then, use the Certificate Templates snap-in to configure Read and Enroll permissions for this user on the IPSEC (Offline Request) certificate template.
To set up and configure the Network Device Enrollment Service
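The following is an added example, not part of the original guide, that scripts the account preparation described above and then performs the three calls a device or an administrator makes against the service once the role is installed: the unauthenticated GetCACaps and GetCACert operations, and the authenticated mscep_admin page that hands out one-time challenge passwords. It assumes the domain CONTOSO / contoso.com, the LDAP common name IPSECIntermediateOffline for the "IPSEC (Offline Request)" template, a lab-only password, and that the challenge password appears in the mscep_admin page as a 16-character hexadecimal token.

```powershell
# Added example (not from the original guide). Assumed: domain names, template
# LDAP name, lab-only password, and the token format of the mscep_admin page.
$Ndes     = "LH_NDES.contoso.com"
$Password = "Lab-0nly-P@ss"

# --- On LH_DC1: service account and template permissions ---
net user ndes_user1 $Password /add /domain
$template = "CN=IPSECIntermediateOffline,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com"
# GR = generic read; CA;Enroll = the Enroll control-access right on the template object.
dsacls $template /G "CONTOSO\ndes_user1:GR" "CONTOSO\ndes_user1:CA;Enroll"

# --- On LH_NDES: group membership required to call mscep_admin ---
net localgroup IIS_IUSRS CONTOSO\ndes_user1 /add

# --- From any lab machine, after the role is installed ---
function Get-ScepCaCaps($Server) {
    # GetCACaps is unauthenticated: the service advertises what it supports.
    $wc  = New-Object System.Net.WebClient
    $txt = $wc.DownloadString("http://$Server/certsrv/mscep/mscep.dll?operation=GetCACaps&message=ca")
    $txt.Split("`n") | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Save-ScepCaCert($Server, $Path) {
    # GetCACert returns the CA and registration-authority certificates as a certs-only PKCS #7 blob.
    $wc = New-Object System.Net.WebClient
    New-Item -ItemType Directory -Force (Split-Path $Path) | Out-Null
    $wc.DownloadFile("http://$Server/certsrv/mscep/mscep.dll?operation=GetCACert&message=ca", $Path)
    certutil -dump $Path | Select-String "Subject:|Issuer:|NotAfter:"
}

function Get-ScepChallenge($Server, $User, $Pass) {
    # mscep_admin requires Windows authentication; the caller must be in IIS_IUSRS
    # and hold Enroll on the template. Each password it returns is single-use.
    $wc = New-Object System.Net.WebClient
    $wc.Credentials = New-Object System.Net.NetworkCredential($User, $Pass, "CONTOSO")
    $html = $wc.DownloadString("http://$Server/certsrv/mscep_admin/")
    if ($html -match "([0-9A-F]{16})") { return $Matches[1] }   # token format is an assumption
    throw "No challenge password found in the mscep_admin response"
}

"CA capabilities advertised by $Ndes :"
Get-ScepCaCaps $Ndes
Save-ScepCaCert $Ndes "C:\lab\ndes-ca.p7b"
"One-time challenge for the next device: " + (Get-ScepChallenge $Ndes "ndes_user1" $Password)
```

The challenge password is the only thing standing between an anonymous SCEP client and a certificate from the template, so whoever can authenticate to mscep_admin can effectively mint device certificates; keep ndes_user1 dedicated to this purpose, keep its password out of device configuration files, and hand each challenge to exactly one device.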
Step 10: Verifying that the Advanced AD CS Test Setup Functions Properly
You can verify the setup steps described previously as you perform them.
After the installation is complete, you should verify that your advanced test setup is functioning properly.
To verify that the advanced AD CS test setup functions properly
(Microsoft.com)