Best Practices For Implementing A Microsoft Windows Server 2003 Public Key Infrastructure

Best Practices for Implementing a
Microsoft Windows Server 2003 Public

Key Infrastructure
Microsoft Corporation
Author: David B. Cross and Carsten B. Kinder
bstract
A quick start guide that provides all the information that you need to deploy a viable K!
that is based on "indo#s $erver %&&' technology.
Information in this document, including URL and other Internet Web site references, is
subject to change without notice. Unless otherwise noted, the example companies,
organizations, products, domain names, e-mail addresses, logos, people, places, and
eents depicted herein are fictitious, and no association with an! real compan!,
organization, product, domain name, e-mail address, logo, person, place, or eent is
intended or should be inferred. "ompl!ing with all applicable cop!right laws is the
responsibilit! of the user. Without limiting the rights under cop!right, no part of this
document ma! be reproduced, stored in or introduced into a retrieal s!stem, or
transmitted in an! form or b! an! means #electronic, mechanical, photocop!ing,
recording, or otherwise$, or for an! purpose, without the express written permission of
%icrosoft "orporation.
%icrosoft ma! hae patents, patent applications, trademar&s, cop!rights, or other
intellectual propert! rights coering subject matter in this document. 'xcept as expressl!
proided in an! written license agreement from %icrosoft, the furnishing of this document
does not gie !ou an! license to these patents, trademar&s, cop!rights, or other
intellectual propert!.
( )**+ %icrosoft "orporation. ,ll rights resered.
%icrosoft, ,ctie -irector!, Windows, Windows ./, and Windows 0erer are either
registered trademar&s or trademar&s of %icrosoft "orporation in the United 0tates and1or
other countries.
,ll other trademar&s are propert! of their respectie owners.
!ontents
Best ractices for !mplementing a Microsoft "indo#s $erver %&&' ublic Key
!nfrastructure.................................................................................................................. (
Abstract....................................................................................................................... (
Contents............................................................................................................................ '
About )his Document *Best ractices for !mplementing a Microsoft "indo#s $erver %&&'
ublic Key !nfrastructure+............................................................................................... ,
Document $tructure........................................................................................................ ,
$cope............................................................................................................................. ,
-elated !nformation...................................................................................................... (&
.vervie# of the K! Design rocess *Best ractices for !mplementing a Microsoft
"indo#s $erver %&&' ublic Key !nfrastructure+.........................................................(&
!ntegration !nto /0isting /nvironments *Best ractices for !mplementing a Microsoft
"indo#s $erver %&&' ublic Key !nfrastructure+..........................................................((
Determining $ecure Application -equirements.............................................................((
"indo#s $erver %&&' K! and Dependencies *Best ractices for !mplementing a
Microsoft "indo#s $erver %&&' ublic Key !nfrastructure+..........................................('
1e# 2eatures of a "indo#s $erver %&&' CA..............................................................('
3ersion % )emplates.................................................................................................. (4
Certificate /nrollment................................................................................................ (5
6ser Certificate Autoenrollment................................................................................. (7
Certificate -ene#al................................................................................................... (8
Key Archival and -ecovery....................................................................................... (,
Delta C-9s................................................................................................................ %&
:ualified $ubordination............................................................................................. %&
$imple Certificate /nrollment rotocol......................................................................%&
-ole $eparation......................................................................................................... %(
CA ermissions............................................................................................................ %'
Command;line Administration )ools..........................................................................%'
CA 2ault )olerance....................................................................................................... %'
Deployment lanning *Best ractices for !mplementing a Microsoft "indo#s $erver %&&'
ublic Key !nfrastructure+............................................................................................. %<
Designing the CA !nfrastructure.................................................................................... %4
Considerations.......................................................................................................... %5
Defining CA )ypes and -oles....................................................................................... %5
Choosing /nterprise or $tand;alone CAs..................................................................%5
Authentication and Authori=ation............................................................................... %,
Certificate -equest Approval..................................................................................... %,
.ffline and .nline CAs.............................................................................................. '&
hysical rotection.................................................................................................... '&
)echnical rotection.................................................................................................. '(
>ard#are C$s......................................................................................................... '(
$electing a )rust Model................................................................................................ '%
$pecifying CA -oles.................................................................................................. ''
-ootCA...................................................................................................................... '4
!ntermediate CAs....................................................................................................... '5
!ssuing CAs............................................................................................................... '7
6nderstanding -oot )rust......................................................................................... '7
/nterprise )rust......................................................................................................... ',
?roup olicy )rust..................................................................................................... ',
1)Auth...................................................................................................................... ',
Manual )rust on a 9ocal Computer...........................................................................<(
Manual )rust by 6ser................................................................................................ <(
"indo#s 6pdate....................................................................................................... <%
Creating an /nrollment $trategy...............................................................................<'
Creating a CA -ene#al $trategy............................................................................... <<
Determining the )otal 1umber of CAs..........................................................................<4
>ard#are -equirements............................................................................................... <5
>ard#are ?uidelines................................................................................................. <5
rocessor 1otes........................................................................................................ <8
Disk Configuration 1otes........................................................................................... <8
$calability.................................................................................................................. <8
Creating Certificate olicies and Certificate ractice $tatements....................................<8
$ecurity olicy.............................................................................................................. <,
Certificate olicy........................................................................................................... <,
Certificate ractice $tatement...................................................................................... 4&
-evocation olicy......................................................................................................... 4(
C-9 Best ractices....................................................................................................... 4%
9DA C-9 Best ractices............................................................................................ 4<
>)) C-9 Distribution oint 6-9 Best ractices........................................................45
Delta C-9s................................................................................................................... 47
.nline Certificate $tatus rotocol $upport...................................................................48
Best ractices for C-9 ublication...............................................................................48
A!A /0tensions............................................................................................................. 4,
Certificate 3alidity eriod and Key 9ength....................................................................5&
/0ample $cenario for Contoso........................................................................................ 5%
latform Decision......................................................................................................... 5'
K! Design.................................................................................................................... 5'
-oot CA........................................................................................................................ 5<
!ntermediate CAs.......................................................................................................... 5<
!ssuing CAs.................................................................................................................. 54
Contoso /nvironment $ummary................................................................................... 54
$tand;alone .ffline -oot CA........................................................................................ 54
!nstallation rerequisites............................................................................................... 55
!nstall the .ffline -oot CA............................................................................................ 55
"orkgroup Membership............................................................................................... 55
!nstalling an >$M on an .ffline -oot CA......................................................................57
repare the CAolicy.inf 2ile for the -oot CA..............................................................57
!nstalling the .ffline -oot CA $oft#are Components....................................................5,
3erify the -oot CA Configuration.................................................................................. 7'
3erify the -oot CA Certificate....................................................................................... 7'
3erify the Corporate-ootCA Configuration !nformation................................................7<
.ffline -oot CA Configuration....................................................................................... 7<
Map the 1amespace of Active Directory to an .ffline CA@s -egistry Configuration. .74
Configure Corporate-ootCA Distribution oints for C-9 and A!A.............................74
Configure Corporate-ootCA Distribution oints for C-9 and A!A by 6sing the 6ser
!nterface................................................................................................................. 75
Configure Corporate-ootCA Distribution oints for the C-9....................................77
Configure Corporate-ootCA Distribution oints for A!A............................................8&
Configure the Corporate-ootCA C-9 and A!A C-9 Distribution oint 2rom a Batch
2ile......................................................................................................................... 8%
3erify the Corporate-ootCA C-9 and A!A Configuration...........................................8'
Configure C-9 ublication !nterval By 6sing the 6ser !nterface...............................84
Configure C-9 ublication 2rom a Batch 2ile...........................................................84
$et the 3alidity eriod for !ssued Certificates at the .ffline -oot CA........................85
-epublish the Corporate-ootCA C-9.......................................................................87
-epublish the C-9 by 6sing the MMC......................................................................87
-epublish the C-9 from a Command rompt...........................................................87
3erify the ublished C-9.......................................................................................... 87
Determine the 1ame of the Most Current C-9.........................................................88
2inali=e the CA Configuration.................................................................................... 8,
$tand;alone .ffline !ntermediate CA *!ntermediateCA(+..................................................8,
!nstallation rerequisites............................................................................................... 8,
!nstall an >$M on !ntermediateCA(.............................................................................,&
repare the CAolicy.inf 2ile for !ntermediateCA(.......................................................,&
.btain the Certificate and !ts C-9 from Corporate-ootCA...........................................,(
!mport the -oot CA Certificate and C-9 to the !ntermediate CA..................................,%
!mport the -oot CA Certificate and C-9 to an !ntermediate CA 6sing the MMC..........,'
2ind a Certificate in the Certificate $tore......................................................................,4
!mport the -oot CA Certificate and C-9 into an !ntermediate CA from a Batch 2ile.....,5
3erify the -oot CA Certificate !mport rocedure 2rom a Command rompt................,7
!nstall the .ffline !ntermediate CA $oft#are Components............................................,7
3erify the Certificate -equest..................................................................................... (&%
Certificate -equest rocessing #ith the -oot CA through MMC................................(&'
3erify the !ntermediateCA( Certificate........................................................................(&<
/0port the .ffline !ntermediate Certificate at the -oot CA..........................................(&4
!nstall the Certificate on !ntermediateCA(..................................................................(&5
3erify the !ntermediateCA( Certificate )rust Chain....................................................(&5
!nstall the Certificate on !ntermediateCA(..................................................................(&7
!nstall the Certificate at !ntermediateCA(...................................................................(&8
!nstallation Cleanup.................................................................................................... (&,
Configure !ntermediateCA(........................................................................................ (&,
!nclude CA olicy in Certificate -equests...................................................................(&,
3erify the !ntermediateCA( Configuration...................................................................((&
2inali=e the CA Configuration..................................................................................... ((&
$tand;alone .ffline !ntermediate CA *Corporate$ub%CA+.............................................((&
.nline /nterprise !ssuing CAs *Corporate/nt(CA+........................................................(((
/nterprise CA !nstallation rerequisites......................................................................((%
repare the Active Directory /nvironment...............................................................((%
Domain Membership............................................................................................... ((<
-etrieve the Certificate and its C-9 from Corporate-ootCA and !ntermediateCA(.((<
Distribute a -oot CA Certificate #ith ?roup olicy..................................................((5
!mport arentCA Certificates and C-9s into Active Directory..................................((7
?et CA $aniti=ed 1ame and D1$ 1ame.................................................................((8
!mportCA Certificates and C-9s from Corporate-ootCA and Coporate$ub0CA.....((,
$et the Appropriate ermissions for Certificate and C-9 access............................(%(
ublish CA Certificates and C-9s of Corporate-ootCA and Coporate$ub(CA......(%(
3erify that the Domain Controller >as ublished the Certificates and C-9 into Active
Directory.............................................................................................................. (%%
3erify )hat the CA Certificate and C-9 Are !mported into Active Directory.............(%'
)emplate 6pgrade from "indo#s %&&&......................................................................(%4
repare the CAolicy.inf 2ile for the !ssuing CA.....................................................(%4
!nstall the .nline !ssuing /nterprise CA.....................................................................(%4
Certificate -equest rocessing #ith the .ffline arent CA *!ntermediateCA(+
)hrough "eb /nrollment $upport........................................................................('(
3erify the /nterprise$ub(CA Certificate..................................................................(''
!nstall the Certificate at the Corporate/nt(CA Computer........................................(''
3erify the Corporate/nt(CA )rust Chain.................................................................(''
K! >ealth )ool........................................................................................................ ('4
Configure the /nterprise .nline CA...........................................................................('4
3erify the /nterprise$ubCA Configuration...............................................................('5
Certification Authority Maintenance................................................................................ ('5
Best ractices for C-9 ublication.............................................................................('7
C-9 artitioning...................................................................................................... ('7
Automatic -ootCA Cross;Certificate ?eneration.....................................................('8
Certification Authority Backup and -ecovery..............................................................(',
-epair the Certificate $tore..................................................................................... (<&
Appendi0 A: Directory .bAects....................................................................................... (<&
Directory obAects that are created by an enterprise CA..............................................(<(
Directory .bAects )hat Are Created by the 2irst /nterpriseCA in the 2orest..............(<(
Contents of BB9ocalhostBCertConfig and BB9ocalhostBCert/nroll......................................(<%
-elationship of the Configuration Container and Certificate $tore.................................(<5
Default CA Certificate and C-9 $torage........................................................................(<8
Mapping Custom .bAect !dentifiers to 2riendly 1ames..................................................(<,
CAolicy.inf $ynta0........................................................................................................ (<,
$ample CAolicy.inf 2ile for Corporate-ootCA..........................................................(4&
$ample CAolicy.inf 2ile for !ntermediateCA(............................................................(4(
$ample CAolicy.inf 2ile for Corporate/nt(CA..........................................................(4(
C-9 Distribution oint -eplacement )oken...................................................................(4%
C-9 ublishing roperties............................................................................................. (4<
A!A ublishing roperties............................................................................................... (45
$ample $cript to Configure Corporate-ootCA...............................................................(45
$ample $cript to Configure !ntermediateCA..................................................................(5&
$ample $cript to Configure the /nterprise$ubCA..........................................................(5'
Appendi0 B: arameters for a )hree;)ier CA )opology..................................................(55
-ootCA Configuration arameters............................................................................. (55
!ntermediate CA Configuration arameters................................................................(75
!ssuing CA Configuration arameters.........................................................................(8<
Appendi0 C: Additional !nformation................................................................................(,&
bout "#is $ocument %Best Practices for
Implementing a Microsoft Windows
Server 2003 Public Key Infrastructure&
)his document is a quick start guide that you can use to set up a Microsoft "indo#s
$erver %&&' public key infrastructure *K!+. !t provides all the information that you need
to deploy a viable K! that is based on "indo#s $erver %&&' technology.
)he document outlines a proven K! architecture that is applicable for the maAority of
organi=ations. !t includes tips and decision best practices that have been obtained from
customer e0periences.
)o ensure that configuration steps have been implemented correctlyC this document also
includes useful verification steps. "here possibleC information regarding the configuration
and installation of a server running a member of the "indo#s %&&& $erver family is
provided for comparison.
$ocument Structure
)his document is based on Designing a ublic Key !nfrastructureC in the %icrosoft
Windows 0erer )**2 -eplo!ment 3it that is listed in the D-elated !nformationD section in
this document. $ome issues are addressed only in the %icrosoft Windows 0erer )**2
-eplo!ment 3it chapterC #hile other issues are described only in this document. )he
similar structure provides easier navigation through the planning and deployment phase if
you #ork #ith all of these documents.
Important
)his document refers to features included #ith "indo#s $erver %&&'C $tandard
/ditionC and "indo#s $erver %&&'C /nterprise /dition. )hese features are not
included on computers running "indo#s $erver %&&'C "eb /dition.
Scope
)his document provides implementation guidelines for administrators #ho are deploying
a "indo#s $erver %&&' K! in their organi=ation.
)his #hite paper is not an introduction to public key technologiesC certification authoritiesC
or certificates. !t assumes that the reader has a good understanding of K! and Active
Directory concepts.
Because this #hite paper is focused on technologyC it does not outline organi=ational
guidelines and rules that are mandatory for a successful K! implementation. Eou should
apply organi=ational requirements and best practices in conAunction #ith the
recommendations in this #hite paper to ensure a successful deployment.
A number of detailed best practices that are combined #ith real;#orld field e0perience
from Microsoft and >e#lett ackard Consulting $ervices have been incorporated into this
#hite paper.
'elated Information
)his documentation e0tends the Designing a ublic Key !nfrastructure chapter in the
%icrosoft Windows 0erer )**2 -eplo!ment 3itC #hich contains overall K! planning and
designC and the "indo#s $erver %&&' >elp topicsC #hich contains checklists and
configuration information. )he chapter in the %icrosoft Windows 0erer )**2
-eplo!ment 4uide focuses on broad deployment considerations.
(verview of t#e PKI $esign Process
%Best Practices for Implementing a
Key Infrastructure&
Designing a K! involves the follo#ing steps #hich may or may not be performed in this
order:
.utline the business scenario
Define the application certificate requirements
Create certificate policies and practices statements
Design the certification authority *CA+ infrastructure
Create a certificate rene#al strategy
Develop a CA management plan
10
Integration Into )*isting )nvironments
%Best Practices for Implementing a
Key Infrastructure&
"hen you combine client computers running Microsoft "indo#s %&&& rofessional or
Microsoft "indo#s F rofessional and computers running a member of the "indo#s
$erver %&&' familyC you have a range of K! enhancements that let you securely e0tend
your net#ork to employeesC partnersC customersC and services. !t enhances the
management and performance features of the "indo#s %&&& security infrastructure.
"indo#s F rofessional and the "indo#s $erver %&&' family offer many K!;specific
business benefits to organi=ations that require secure business processes and !)
infrastructures.
)he base set of features is provided in the "indo#s $erver %&&' familyC and enhanced
certification authority functionality is provided in "indo#s $erver %&&' $erverC /nterprise
/ditionC and "indo#s $erver %&&' $erverC Datacenter /dition. )he K! that is part of the
"indo#s $erver %&&' release is an improved version of the "indo#s %&&& K!
functionality. 1everthelessC you can combine a "indo#s $erver %&&';driven K! #ith an
e0isting "indo#s %&&& Active Directory environment and certification authority *CA+
infrastructure.
Client computers running either the "indo#s %&&& or "indo#s F operating systems #ill
benefit the most from a "indo#s $erver %&&' K! deploymentC along #ith hard#are
devices that support the "indo#s environment. 2or more information about the
capabilities of each clientC see the "indo#s $erver %&&' >elp.
$etermining Secure pplication
'e+uirements
)he "indo#s $erver %&&' $tandard and /nterprise /ditions include a full;featured K!
that delivers the business benefits of current public key cryptography. 6sersC computersC
and services benefit from encryption and signing capabilities.
)he "indo#s $erver %&&' K! supports a broad range of applicationsC including:
$ecure logon #ith smart cards
Confidential and secure e;mail
$ecure code
11
)rustedC on;demand access to net#ork resources for remote users and trustedC
permanent net#ork connectivity for remote offices #ith net#ork securityC including
remote accessC virtual private net#orks *31+ and #ireless authentication
2ile protection in the event of stolen or lost portable computers and other storage
devices
Access control and single;identity authori=ation across a range of "eb and
application servers
Digital signatures that enable tamper;proofC legally;binding transactions
$calable technology to support millions of users and high;volume digital signature
transactions
2or more information about ho# the "indo#s K! supports these applicationsC see the
follo#ing articles on the Microsoft "eb site:
>o# K! "orks on the Microsoft )ech1et "eb site
Microsoft "indo#s %&&& ublic Key !nfrastructure !ntroduction on the Microsoft
)ech1et "eb site
Applications .vervie# on the Microsoft )ech1et "eb site
)he "indo#s $erver %&&' K! solution has several advantages over commercial third;
party K!s that are not part of the operating system and must be purchased separately.
6sers and access control are managed centrally through Active DirectoryC #hich
simplifies the overall K! management burden. 2urtherC a "indo#s $erver %&&' K!
does not require either per;certificate or per;user license fees that #ould raise the total
cost of o#nership *)C.+ of the system. )he K! functionality in the "indo#s $erver %&&'
family integrates very #ell #ith many other features of the operating system.
Windows Server 2003 PKI and
$ependencies %Best Practices for
2rom a technical perspectiveC a "indo#s $erver %&&' K! has some requirements
before you can deploy it. )his section describes fundamental process information and
installation details for a successful "indo#s $erver %&&' K! implementation.
12
,ew -eatures of a Windows Server 2003 !
"indo#s F and "indo#s $erver %&&' environments can benefit the most from all of the
features of the "indo#s $erver %&&' certification authority *CA+C but mi0ed
configurations #ith earlier versions of "indo#s are also supportedC #ith a little less
functionality.
)he follo#ing table lists the features that are described later in this section. )hese
features are available through the CA if the CA is installed on a specific version of the
operating system.
"able . PKI feature support wit# a ! t#at is installed on different versions of t#e
operating system
Windows Server
2003/ )nterprise
)dition or
$atacenter )dition
Windows Server
2003/ Standard
)dition
Windows 2000
Server
3% templates /nterprise CA only 1ot supported 1ot supported
Key archival and
recovery
$upported 1ot supported 1ot supported
Auto;enrollment Both user and
computer
certificates
supported
Computer
certificates
supported
Computer
certificates
supported
Delta certificate
revocation lists
*C-9s+
$upported $upported 1ot supported
:ualified
subordination
$upported $upported 1ot supported
-ole separation $upported 1ot supported 1ot supported
,ote
"indo#s $erver %&&'C "eb /dition does not include certification authority
functionalityC but may be used as a K! client.
)he follo#ing table lists the features that can be used at the client #ith a given CA
infrastructure:
13
"able 2 PKI features t#at are available to clients
2or additional informationC see the follo#ing articles:
K! /nhancements in "indo#s F rofessional and "indo#s .1/) $erver on the
Microsoft "eb site
"hat@s 1e# in $ecurity for "indo#s F rofessional and "indo#s F >ome /dition
on the Microsoft "eb site
Data rotection and -ecovery in "indo#s F on the Microsoft "eb site
0ersion 2 "emplates
)emplates are the building plan for certificates. A template turns a certificate request into
a certificate signed #ith the CAs private key. 2or e0ampleC a template defines the validity
time of a certificate and the certificate@s subAect name.
)he most significant difference bet#een the version ( *3(+ and version % *3%+ templates
is that 3( templates are predefined and unchangeable. "ith 3% templatesC a CA
administrator is able to configure a #ide range of settings that apply during certificate
enrollmentC such as minimum key lengthC subAect name definitionC enrollment
requirements like enrollment agent signatureC and so on.
14
3% templates are available only #ith an enterprise CA that is running "indo#s $erver
%&&'C /nterprise /dition or Datacenter /dition. An enterprise CA that is running "indo#s
$erver %&&'C $tandard /dition does not support 3% templates.
?enerallyC templates are stored in the Active Directory configuration naming conte0t and
are usable #ith any CA in an Active Directory forest if they are assigned to the CA. A
single set of templates are available for use by all CAs in the forest. >o#everC 3%
templates can only be utili=ed #ith "indo#s $erver %&&'C /nterprise /dition or
Datacenter /dition CAs.
)o use 3% templatesC the Active Directory schema must be e0tended to the "indo#s
$erver %&&' schema in the forest. !f the Active Directory environment consists of
"indo#s $erver %&&' domain controllers onlyC no action is required to benefit from a
"indo#s $erver %&&' K!. !f all domain controllers of a forest that hosts the "indo#s
$erver %&&' CAs are running "indo#s %&&& $erverC you must also install Microsoft
"indo#s %&&& $ervice ack ' *$'+ or later on all domain controllersC in addition to the
ne# "indo#s $erver %&&' schema definitions. 2or more information about ho# to
upgrade the schemaC see repare the Active Directory environment in this document.
2or more detailed information about certificate templatesC their usageC and their
definition capabilitiesC see DCertificatesD in the "indo#s $erver %&&' 2amily >elp.
2or more information about certificate enrollmentC see DCertificate /nrollmentD in the
M$ "indo#s %&&& ublic Key !nfrastructure !ntroduction #hite paper on the
Microsoft )ech1et "eb site.
2or more information about e0tending the schema for 3% templatesC see the
"indo#s $erver %&&' >elp topics regarding certificate templates.
!ertificate )nrollment
Eou can enroll 3% templates #ith any computer running "indo#s F or later through the
default enrollment methodsC including the Certificates Microsoft Management Console
*MMC+C the built;in auto;enrollment mechanismC "eb enrollment supportC or command;
line tools.
A computer running "indo#s %&&& cannot use the Certificates MMC to enroll a 3%
template. >o#everC any client that is running Microsoft !nternet /0plorer 4.&( or later can
use a 3% template to enroll certificates through the "eb enrollment methods and a
do#nloaded ActiveF control. )o do#nload the ActiveF control on a client computerC it is
necessary to log on as an Administrator or o#er 6ser on the local computer. !n additionC
clients running "indo#s %&&& can enroll 3% templates through a )erminal $erver
connection running on an appropriate member of the "indo#s $erver %&&' family.
15
,ote
An enrollment agent that enrolls certificates that are based on 3% templates
requires either a "indo#s F or "indo#s $erver %&&' enrollment station. )here
is no support to enroll 3% templates #ith an enrollment agent on a "indo#s %&&&
enrollment station. 1everthelessC certificates that are based on 3% templates that
have been enrolled through an enrollment agent on either a "indo#s F or
"indo#s $erver %&&' enrollment station can be used on a "indo#s %&&& client
computer.
!f certificates have been enrolled #ith a "indo#s %&&& K! #here only 3( templates
#ere availableC there is no immediate need to re;enroll or rene# these certificates #ith 3%
templates.
)he follo#ing table lists different enrollment methods that are supported on computers
that are running "indo#s %&&&C "indo#s FC or the "indo#s $erver %&&' family. Eou
can use scripted enrollment #ith support of CA!C.M and Fenroll. *CA!C.M and
Fenroll documentationC including samplesC can be found on the Microsoft Developer
1et#ork *M$D1+ "eb site.+
"able 3 !ertificate )nrollment
!ertificates MM! Web1enrollment Scripted enrollment
$elf enrollment on a
"indo#s %&&&
#orkstation
3( template: Ees
3% template: 1o
3( template: Ees
3% template: Ees
3( template: Ees
3% template: Ees
$elf enrollment
through a "indo#s
$erver %&&'
)erminal $erver
session
3( template: Ees
3% template: Ees
3( template: Ees
3% template: Ees
3( template: Ees
3% template: Ees
/nrollment agent on
a "indo#s %&&&
#orkstation
3( template: 1o
3% template: 1o
3( template: Ees
3% template: 1o
3( template: 1o
3% template: 1o
/nrollment agent
through a "indo#s
$erver %&&'
)erminal $erver
session
3( template: 1o
3% template: 1o
3( template: Ees
3% template: Ees
3( template: 1o
3% template: 1o
16
,ote
Because a K! is a forest resourceC the Active Directory site structure is not taken
into account #hen any kind of certificate is requested and issued. An Active
DirectoryGintegrated certificate requester enumerates all registered enrollment
services in Active Directory and sends its request to a CA that can enroll the
certificate type that the user #ants. )he client does not necessarily choose the
closest CAC from a net#ork perspective. Because of thisC you should verify that
the CA deployment ensures that any client has reliable net#ork connectivity #ith
a CA.
2ser !ertificate utoenrollment
Autoenrollment provides a quick and simple #ay to issue user certificates and to benefit
from applications that can use K!. 6ser autoenrollment also minimi=es K! deployment
costs.
Certificate autoenrollment also #orks in a )erminal $erver session if you use a "indo#s
-emote Display rotocol *-D+ 4.( client.
"hen you use a computer that is running "indo#s FC you can automatically enroll
users and computers for certificatesC including smart card;based certificates. !n contrastC
the "indo#s %&&& $erver family only supports certificate autoenrollment for computer
certificates. 6ser certificate auto;enrollment builds on the standard "indo#s security
model for domain authentication and authori=ation. )his model may not be suitable for all
certificate issuance or scenarios.
6sing the ne# autoenrollment featureC organi=ations can manage the certificate lifecycle
through 3% templates for users. )his includes:
Certificate rene#al
$uperseding of certificates
Multiple signature requirements
Depending on the configuration of the template that is used for autoenrollmentC the user
can be notified #hen a certificate enrollment or rene#al is performed.
Certificate autoenrollment is based on the combination of ?roup olicy settings and 3%
certificate templates. )his combination allo#s certificate enrollment and rene#al in the
background for computers and users at any time #hen you apply ?roup olicy.
)o perform autoenrollmentC the certificate requester must be registered and authenticated
as either a user or computer in Active Directory.
17
2or more informationC see Certificate Autoenrollment in "indo#s $erver %&&' on the
!ertificate 'enewal
"hen a certificate comes to the end of its lifetimeC it must be rene#ed or replaced to
ensure that the certificate o#ner is able to continue #ith the certificates purpose.
!n certificate rene#alC the rene#al requester already o#ns a certificate. )he rene#al
takes the information of the e0isting certificate into account #hen the rene#al request is
submitted. A certificate can either be rene#ed #ith a ne# key or the e0isting key can be
used for the rene#ed certificate.
!f a certificate #as enrolled #ith a 3% templateC it cannot be rene#ed if it #as based on a
3( template. >o#everC a certificate that #as enrolled #ith a 3( template can be rene#ed
#ith a certificate that #as made from a 3% template.
"able 3 !ertificate 'enewal
!ertificates MM! Web1enrollment Scripted enrollment
$elf rene#al on
"indo#s %&&&
#orkstation
3( template: Ees
3% template: 1o
3( template: 1o
3% template: 1o
3( template: Ees
3% template: Ees
$elf rene#al on
"indo#s %&&&
#orkstation #ith
"indo#s $erver
%&&' )erminal
$erver session
3( template: Ees
3% template: Ees
3( template: 1o
3% template: 1o
3( template: Ees
3% template: Ees
-ene#al #ith
enrollment agent on
"indo#s %&&&
#orkstation
3( template: 1o
3% template: 1o
3( template: 1o
3% template: 1o
3( template: 1o
3% template: 1o
-ene#al #ith
enrollment agent on
"indo#s %&&&
#orkstation #ith
"indo#s $erver
%&&' )erminal
$erver session
3( template: 1o
3% template: 1o
3( template: 1o
3% template: 1o
3( template: 1o
3% template: 1o
18
Key rc#ival and 'ecovery
Key archival and recovery is only available for encryption certificates by 3% templatesC
because the archival option must be individually set for each template. Key archival is
most often used for encryption keys that are used to protect persisted data.
rivate keys that are associated #ith certificates that are used only for digital signature
are not archived and are blocked by the certification authority. )he archival and recovery
function that is available #ith the Microsoft /0change %&&& Key Management $erver
*KM$+ has been replaced by the enterprise CA running "indo#s $erver %&&'C /nterprise
/dition.
)he enterprise certification authority on a computer that is running "indo#s $erver %&&'C
/nterprise /ditionC supports migration of the archive database from the /0change %&&&
KM$ to ensure a smooth transition of technologies.
/ncrypting 2ile $ystem */2$+ #ill continue to support decentrali=ed data recovery
methods as #ell as key archival on clients that are running "indo#s F.
$elta !'4s
Delta certificate revocation lists *C-9s+ decrease the net#ork traffic that is caused #hen
a ne# certificate revocation list needs to be do#nloaded. "ithout delta C-9sC a client
must receive the base C-9 that contains all certificates that are revoked by a CA. )o
decrease the C-9@s si=e and make more frequent updates valuableC delta C-9s only
retain the certificates that have been revoked since the last publication of the base C-9.
$ome limitations apply to delta C-9s:
Delta C-9s are issued by "indo#s $erver %&&' stand;alone and enterprise CAs.
.nly clients that are running "indo#s F rofessional and later are able to check
the validity of certificates against delta C-9s.
2or more information about this topicC see )roubleshooting Certificate $tatus and
-evocation on the Microsoft )ech1et "eb site.
5ualified Subordination
:ualified subordination allo#s cross;certification of CA certificates #ith name constraints
and provides for more precise control of certificate trusts. "ith qualified subordinationC an
administrator can also include or e0clude certificate purposes. 2or e0ampleC qualified
subordination might reAect !nternet rotocol security *!$ec+ usage #ith a third;party
19
certificateC but allo#s secure e;mail #ith the same certificateC even if the certificates key
usage #ould allo# !$ec and secure e;mail.
:ualified subordination requires a "indo#s F or "indo#s $erver %&&' operating
system as the certificate requester and a "indo#s $erver %&&'C /nterprise /dition CA.
Simple !ertificate )nrollment Protocol
Eou can implement secure net#orking #ith the $imple Certificate /nrollment rotocol
*$C/+. )he Microsoft $C/ *M$C/+ component is an !nternet $erver Application
rogramming !nterface *!$A!+ filter that uses Microsoft !nternet !nformation $ervices
*!!$+ and is installed directly on a CA to support the $C/ enrollment protocol #ith
net#ork devices.
2or more informationC see article %<,(%4C 6sing Certificates for "indo#s %&&& and Cisco
!.$ !nteroperationC in the Microsoft Kno#ledge Base.
'ole Separation
)here are a number of tasks in the K! process that you should understand:
!ertificate enrollment. $ends a certificate request to the CAC and then the CA
issues the certificate and then deploys a certificate to the certificate holder.
!ertificate renewal. $ends a request to rene# an e0isting certificate to the CAC the
CA issues the certificateC and then the CA deploys a certificate to the certificate
holder.
!ertificate revocation. -evokes certificates and publishes the certificate revocation
list *C-9+.
'ecovery. rovides the certificate holder #ith both a certificate and a key that are
stored in the CA database.
)here are also a number of roles that are related to a "indo#s $erver %&&' CAC although
you may not need all of these roles:
)he ! manager maintains the CA and its configuration.
)he ! administrator delegates certificate;management permissions to Certificate
Managers.
)he certificate manager issues and revokes certificates.
)he enrollment agent requests and deploys certificates.
20
)he certificate #older requests self;maintained certificates and is able to use the
certificate.
)he recovery agent recovers certificates for specific applicationsC such as /2$.
)he follo#ing table sho#s #hich role can perform a particular task and #hat permissions
are required to perform that function. )he top ro# lists various rolesC and the left column
lists the tasks. )he table te0t describes the permission that is required to perform each
task.
"able 6 !ertificate 'oles and "as7s
!ertificate
8older
)nrollment
gent
'ecovery
gent
!ertificate
Manager
! Manager
Maintain 1ot applicable 1ot applicable 1ot
applicable
1ot
applicable
-equires CA
Manager
permissions
on the CA
obAect
-equest -equires
certificate
holders
membership
on the
certificates
template AC9
-equires
certificate
holders
membership
on the
certificates
template AC9
1ot
applicable
1ot
applicable
1ot applicable
-ene# -equires
certificate
holders
membership
on the
certificates
template AC9
-equires
certificate
holders
membership
on the
certificates
template AC9
1ot
applicable
1ot
applicable
1ot applicable
!ssue 1ot applicable 1ot applicable 1ot
applicable
Certificate
Manager
permission
on a
template
1ot applicable
21
!ertificate
8older
)nrollment
gent
'ecovery
gent
!ertificate
Manager
! Manager
-evoke 1ot applicable 1ot applicable 1ot
applicable
Certificate
manager
permission
1ot applicable
-ecover 1ot applicable 1ot applicable Key
recovery
agent
certificate
1ot
applicable
1ot applicable
! Permissions
2or a "indo#s $erver %&&' stand;alone CA that is installed on a server that is not a
member of an Active Directory domainC local administrator permissions are mandatory to
manage the CA functions.
.n a server that is a domain memberC the user #ho installs an enterprise CA must be a
member of the Active Directory -oot Domain Admins and /nterprise Admins security
group. Eou should ensure that the installation account is a member of both security
groups. )his set of permissions is required for any enterprise CA installationC and it
assumes that the /nterprise Admins group or Domain Admins group also is a member of
the local server Administrators group. )o install a stand;alone CAC only local administrator
privileges are required.
During setupC containers and obAects that contain enrollment and CA information are
created as part of the configuration container of Active Directory. 2or a list of obAect
default permissions that are used by a CAC see article %',7&5C DDefault ermission
$ettings for /nterprise Certificate AuthorityCD in the Microsoft Kno#ledge Base.
!t is recommended that you use only the Certification Authority MMC to change security
permissions for the CA. !f you use other mechanismsC such as the Active Directory $ites
and $ervices MMCC you may cause an unsupported environment due to a configuration
mismatch bet#een Active Directory and the local CA registry. )he Certificate )emplates
MMC ensures consistency in the AC9s. !f AC9s are changed manuallyC specific
permissions may be missing and the CA #ill not function as e0pected.
!ommand1line dministration "ools
Command;line administration tools are part of the "indo#s $erver %&&' family and may
be installed on computers running "indo#s F and later through the "indo#s $erver
22
%&&' Administration )ools ackC #hich is available on the "indo#s $erver %&&'
installation media. Command;line tools that are required for CA administration on
"indo#s %&&& operating systems are only installed #ith "indo#s %&&& Certificate
$ervices. 2or more information about !ertutil9e*e and !ertre+9e*eC including a
description and the necessary synta0C see the "indo#s $erver %&&' >elp.
! -ault "olerance
?enerallyC you should use certification authority fault tolerance because:
2or online CAsC it provides certificate issuance services.
2or both online and offline CAsC it provides certificate revocation information.
1either "indo#s %&&& nor "indo#s $erver %&&' technology supports native clustering
of the CA database or certificate services. .nly one CA instance can be installed at a
time on a server running a "indo#s $erver %&&' operating system.
An enterprise CA is designed to provide natural fault tolerance in an Active Directory
environment. !f one enterprise CA does not #ork or is not availableC client services #ill
automatically attempt enrollment #ith the ne0t available enterprise CA in the forest. 1o
errors are generated and no user interaction is required. 2or more informationC see
D.nline /nterprise !ssuing CAsD later in this document.
!f a CA is not available because of a hard#are failureC for e0ampleC it might still be
necessary to publish the C-9 on a regular basis. )he C-9 publication interval depends
on the CA configuration. !f the CA does not publish the C-9 in timeC clients cannot verify
certificates against the latest version of the C-9.
)o publish a C-9 on behalf of a CAC you must o#n the CA private key. !f the CA private
key has been e0ported to a fileC it is technically possible to resign a C-9 on behalf of the
CA and e0tend the lifetime of the C-9.
,ote
/0porting the CA private key could raise a security risk because the o#ner of the
CA@s private key is able to act on behalf of the CA. )he CA private key must be
maintained very carefully and must be stored in a secure vault that is protected
through secure and audited processes.
23
$eployment Planning %Best Practices for
Before you can deploy a K!C you should go through a #ell;defined planning phase. !f
you do not do thisC the K! can become valueless after only a short time in operation. )o
avoid this issueC make sure that the deployment planning covers the follo#ing areas.
"able : PKI Planning !onsiderations
Planning area Possible considerations
Business requirements Defining application requirement
Defining solutions goals
Choosing appropriate technology
CA requirements !nsource the CA infrastructure
.utsource the CA infrastructure
!nteroperability #ith application
requirements
K! trust model
/nrollment policy Certificate practice statements
6sers and computers
6se of certificate templates
$ervice level requirements
-evocation policy C-9sC delta C-9sC .nline Certificate $tatus
rotocol *.C$+
-eplication latency
$esigning t#e ! Infrastructure
2or more information about ho# to decide #hat services are provided by the CA typesC
see the articles on the follo#ing Microsoft "eb sites:
24
DM$ "indo#s %&&& ublic Key !nfrastructure !ntroductionD on the Microsoft )ech1et
"eb site
DAn !ntroduction to the "indo#s %&&& ublic;Key !nfrastructureD on the Microsoft
"eb site
DCryptography and Microsoft ublic Key !nfrastructureD on the Microsoft )ech1et "eb
site
Dlanning Eour ublic Key !nfrastructureD on the Microsoft )ech1et "eb site
!onsiderations
)here are some important parameters that help #hen a organi=ation starts its K!
planning. 2rom a technical vie#pointC there are a number of key factors that can give you
rough estimates:
)he number of CAs that you need can be estimated by:
)he si=e and the geographical spread of the deployment
)he required trust relationship bet#een certificate holders and the CA
-equirements for different certificate practice statements *C$+
)echnical requirements based on application demands
artner relationships and trust model requirements
$ecurity requirementsC availabilityC and service levels indicate the depth of the
hierarchy and the CA locations.
$efining ! "ypes and 'oles
)o plan your CA infrastructureC you need to understand the different types of CAs that are
available and the roles that the CAs can take.
)he follo#ing section supplies the most important planning information.
!#oosing )nterprise or Stand1alone !s
Certificate $ervices offers t#o types of CAs that have different feature sets: enterprise
CAs and stand;alone CAs. A "indo#s $erver %&&' K! may consist of both types of
CAsC #hich is often recommended for the enterprise environment. A comparison of
strengths of the stand;alone CA and the enterprise CA may help you decide #hat CA type
is required for #hich role.
25
A stand;alone CA should be used if:
!t is an offline root or offline intermediate CA.
$upport of templates that you can customi=e is not required.
A strong security and approval model is required.
2e#er certificates are enrolled and the manual #ork that you must do to issue
certificates is acceptable.
Clients are heterogeneous and cannot benefit from Active Directory.
!t is combined #ith a third party -egistration Authority solution in a multi;forest or
heterogeneous environment
!t issues certificates to routers through the $C/ protocol
An enterprise CA should be used if:
A large number of certificates should be enrolled and approved automatically.
Availability and redundancy is mandatory.
Clients need the benefits of Active Directory integration.
2eatures such as autoenrollment or modifiable 3% templates are required.
Key archival and recovery is required to escro# encryption keys
)he follo#ing table is an overvie# about the preferred roles for both CA types. Depending
on the CA topologyC these roles can be taken by a smaller or larger number of CAs.
"able ; ! "ypes and ! 'oles
! type 3 tier 2 tier . tier
.ffline root CA $tand;alone CA $tand;alone CA /nterprise CA
.ffline intermediate
CA
$tand;alone CA
!ssuing CA /nterprise CA /nterprise CA
"able < !omparison of Stand1alone and )nterprise !s
Windows Server 2003 Stand1alone ! Windows Server 2003 )nterprise !
CA configuration can be published into
Active Directory.
CA configuration is al#ays published into
Active Directory.
26
C-9 and CA certificate must be manually
published into Active Directory.
C-9C Delta C-9C CA certificateC and cross
certificates are automatically published to
the forest #here the CA configuration #as
registered.
Certificates are automatically published into
a directory service if this is specified on a
per template level. Certificate publishing
may be defined as an attribute on the
template in Active Directory.
By defaultC certificate enrollment is
available only by using "eb enrollment
support.
By defaultC certificate enrollment is possible
by using "eb enrollment or the Certificates
MMC.
Certificate request processing is done by
using >yperte0t )ransfer rotocol *>))+
or $ecure >yperte0t )ransfer rotocol
*>))$+.
Certificate request processing is done
primarily by using -CHDistributed
Component .bAect Model *DC.M+ or >))
and >))$ protocol.
Certificate is based on 3( templates #ith
custom obAect identifier *also kno#n as
.!D+.
Also issues certificates that can be modified
and duplicatedC based on 3% templates.
6ser must manually type identification
information #hen the certificate is
requested.
6ser identification information is al#ays
automatically retrieved from Active
DirectoryC regardless of #hether it is
requested through "eb enrollment or the
Certificates MMC.
/nrollment method *automatic or pending+
is valid for all templates. Eou cannot apply
a configuration to individual templates.
Eou can individually set the enrollment
method on each template.
Certificates are manually approved. Certificates are manually approved or they
are approved through Active Directory
authentication and access control.
Certificates are not published to a directory
locationC but to the client or the CA. #ithout
a custom;developed policy module.
Depending on the type of certificateC
certificate is automatically enrolled into the
requester@s certificate store and published to
Active DirectoryC based on template
definition.
27
Does not support certificate publishing and
obAect management based on Active
Directory.
$upports certificate publishing and obAect
management based on Active Directory.
Can be installed on a domain controllerC
member serverC or stand;alone server
*#orkgroup member+.
Can be installed on a domain controller or
member server. *)he CA is registered as a
forest resource.+ !t must not be installed on
a stand;alone server *#orkgroup member+.
ut#entication and ut#ori=ation
$tand;alone CAs use local authentication for certificate requestsC mainly through the "eb
enrollment interface. $tand;alone CAs provide an ideal service provider or commercial
K! provider platform for issuing certificates to users outside of an Active Directory
environment #here the user identity is separately verified and e0amined before the
request is submitted to the CA.
A CA running "indo#s $erver %&&'C /nterprise /ditionC uses DC.M and Kerberos
impersonation for authenticating requesters. !t compares the client token against an
access control list *AC9+ set on the certificate templateC as #ell as the DC.M enrollment
interface on the CA itselfC #hen a certificate is requested. A "indo#s %&&& $erver CA
uses remote procedure call *-C+ instead of DC.M to authenticate a requester. After the
user is authenticated and authori=ed to gain access to the requested templateC the CA
can immediately process the requestC as long as the user has the appropriate enrollment
permissions on the template and if the CAs configuration is set to autoenroll.
!ertificate 'e+uest pproval
"hen a certificate request reaches a CA that is running a member of the "indo#s $erver
%&&' familyC both CA types *enterprise and stand;alone+ can immediately issue the
certificate or put it into a pending state. !t is the responsibility of the CA administrator to
configure the enrollment method globally for a CA or on a per;template basis. .n a
"indo#s %&&& $erver CAC the enrollment method setting is valid only on a CA level: all
certificates that are issued take this configuration into account. 2or a "indo#s $erver
%&&'C /nterprise /dition enterprise CAC the enrollment method can be set individually for
a 3% template.
.n a "indo#s %&&& $erver enterprise CAC there is no choice for the enrollment method
because it immediately approves and issues certificates. .n a "indo#s %&&& $erver
28
stand;alone CAC the enrollment method is applied on the CA level and cannot be set on
the template level )his occurs because a "indo#s %&&& CA #orks only #ith 3(
certificatesC #hich cannot maintain enrollment permissions.
Default configurations of stand;alone CAs rely on administrative action both to verify the
requester@s identity *kno#n as authentication+ and to issue the certificate *kno#n as
authori=ation+. >ereC the "eb enrollment support acts as the registration authority *-A+
and the CA acts as the enrollment station. Because of thisC it is not recommended that
you have a standalone CA automatically issue certificates #ithout administrative
approvalC because a requester@s identity cannot be verified. 2or additional information
about certificate enrollmentC see DAllo#ing for autoenrollmentD in >elp and $upport
Center.
(ffline and (nline !s
)raditionallyC the decision of #hether to use either an online or offline CAs involves a
compromise bet#een availability and usability versus security. )he more sensitive that
the key material is and the higher the security requirements areC the less accessible the
CA should be to users.
Important
2or security reasonsC a CA should al#ays run on a separate computer. Do not
install an online CA on a domain controllerC even if it is technically possible.
)o maintain a CA offlineC different approaches may be applied through physical or
technical protection techniques as described belo#:
P#ysical Protection
-emove the hard disk drive and lock it in a secure location.
$hut do#n and po#er off the system.
Disconnect the net#ork cableC but keep the system running.
rotect the system from the net#ork by using either a fire#all or a router.
"ec#nical Protection
Keep the system onlineC but stop the CA service.
6se a hard#are security module *>$M+ #ith an >$M;operator hard#are token to
limit access to the CA private key. 2or more informationC see D>ard#are C$sCD later
in this document.
29
Maintaining a CA either online or offline is a standard functional definition of the CAs
operation mode. Eou can turn an offline stand;alone CA into an online stand;alone CA if
you connect it to the net#ork. Any stand;alone CA that runs on a server in a #orkgroup
and is connected to the net#ork can become an offline CA by using one of the
approaches that #as mentioned earlier.
)he stand;alone root CA is usually placed offline because it is the single point of trust for
an entire organi=ation or for several organi=ations. )he lifetime of trust depends on the
CAs certificate lifetimeC but should be planned for the long term. !f a CA must be trusted
for long periods of timeC you should take that CA offline to provide additional security
measures. AlsoC intermediate CAs are typically configured as offline CAs. An intermediate
CA is subordinate to a root CAC but also serves as a parent CA to one or more CAs.
)hose CAs may be issuing CAs or intermediate CAs. !n a CA #ith at least three tiersC an
intermediate CA is a mid;tier CA.
/very online CA implies availability and net#ork connectivity. .nline CAs are typically
issuing CAsC because issuing CAs respond to requests from usersC computersC servicesC
and net#ork devicesC such as routers. /very enterprise CA must be an online CAC
because it requires connectivity to Active Directory at all times to obtain configuration
informationC validate requestsC and publish certificates. An online CA provides more
surface area for security attacks.
,ote
As a best practiceC an offline CA server should be placed in a secure vault until a
subordinate CA certificate needs to be issued or a ne# C-9 needs to be
published.
8ardware !SPs
Eou might consider using one or more >$Ms in your K! topology. An >$M is a
dedicated hard#are device that is managed separately from the operating system. )hese
modules #ork #ith any "indo#s $erver %&&' CA to provide a secure hard#are store for
CA keys. 2rom an operating system vie# through the CryptoA! interfacesC the >$M is
seen as a cryptographic service provider *C$+ device.
)he >$M provides highly secure operational management that is protected by
multilayered hard#are and soft#are tokensC as #ell as a number of other key featuresC
including:
>ard#are;basedC cryptographic operationsC such as random number generationC key
generationC and digital signaturesC as #ell as key archival and recovery.
30
>ard#are protection of valuable private keys that are used to secure asymmetric
cryptographic operations.
$ecure management of private keys.
Acceleration of cryptographic operationsC #hich relieves the host server of having to
perform processor;intensiveC cryptographic calculations.
9oad balancing and failover in hard#are modules by using multiple >$Ms that are
linked together through a daisy chain.
Although >$Ms increase security by raising the level of key protectionC >$Ms increase
the comple0ity and cost of the K!.
$everal vendors offer >$Ms that #ork #ell on computers that are running either "indo#s
%&&& $erver or members of the "indo#s $erver %&&' family. 2or more information about
ho# to install >$Ms that are proven to #ork #ith "indo#s;based CAsC see the section
D!nstalling an >$M on an offline root CAD later in this document.
Selecting a "rust Model
)rust is a logical relationship established bet#een domains to allo# pass;through
authenticationC in #hich a trusting domain honors the logon authentications of a trusted
domain. 6ser accounts and global groups that are defined in a trusted domain can be
given rights and permissions in a trusting domainC even though the user accounts or
groups don@t e0ist in the trusting domain@s directory. Because a CA is a certificate holder
of a CA certificate and an end entity might be a certificate holder of a user certificateC the
trust relationship bet#een the issuing CA and the holder is al#ays the same. !n a rooted
0.4&, K! hierarchyC the trust relationship is inherited from top to bottom.
Eou can also control trust relationships through certificate trust lists and through qualified
subordination. *2or more informationC see the slide presentation DCertificate )rusts 9istsD
at the 1ational !nstitute of $tandards and )echnology *1!$)+ "eb site. )he selection of
an appropriate trust model can determine success for a K!. An organi=ation must think
about the number of tiers that the CA topology requires. )he hierarchy can be e0tended
from top to bottom and the number of CAs that are used for one level can gro#. 1ote that
deeper structures add comple0ity to the trust management of the K!.
,ote
"eb addresses can changeC so you might be unable to connect to the "eb site
or sites mentioned here.
2or more informationC see the article D)rusted -oot Certificates )hat Are -equired By
"indo#s %&&&D on the Microsoft Kno#ledge Base.
31
Specifying ! 'oles
An ideal K! hierarchy design divides the responsibility of the CAs. A topology that is
designed #ith requirements that have been carefully considered provides the most
fle0ible and scalable enterprise configuration. !n generalC CAs are organi=ed in
hierarchies. $ingle tier hierarchies might not provide adequate security
compartmentali=ationC e0tensibility and fle0ibility. >ierarchies #ith more than three tiers
might not provide additional value regarding securityC e0tensibility and fle0ibility.
)he most important consideration is protecting the highest instance of trust as much as
possible. $ingle;tier hierarchies are based on the need to compartmentali=e risk and
reduce the attack surface that is available to users #ho have malicious intent. A larger
hierarchy is much more difficult to administerC #ith little security benefit.
Depending on the organi=ation@s necessitiesC a K! should consist of t#o or three logical
levels that link several CAs in a hierarchy. Administrators #ho understand the design
requirements for a three;level topology may also be able to build a t#o;level topology.
A three;tier CA hierarchy consists of the follo#ing components:
A root CA that is configured as a stand;alone CA #ithout a net#ork connection
.ne or more intermediate CAs that are configured as stand;alone CAs #ithout a
net#ork connection
.ne or more issuing CAs that are configured as enterprise CAs that are connected to
the net#ork
-igure .> "#ree1tier ! 8ierarc#y
32
)o set up a t#o;tier topologyC apply all of the steps that are described in /0ample
scenario for Contoso CompanyC later in this document.
!f the organi=ation can fulfill its security requirements #ith a t#o;tier hierarchyC a three;tier
architecture is not required. "hen you do not have a middle tierC CA management applies
to t#o levels instead of three levels and might lo#er maintenance cost.
)o implement a t#o;tier topologyC use the steps that are outlined in both the D$tand;alone
offline root CAD and D.nline /nterprise !ssuing CAs *Corporate/nt(CA+D sections of this
paper.
2rom a technical perspectiveC a single level K! hierarchy can also provide basic K!
services. 9eaving out the root and the intermediate tier results in an all;in;one CA.
Because the single CA must issue certificatesC it cannot be taken offline. $ecurity and
fle0ibility is very limited #ith this type of implementation. )o implement a single;tier
topologyC apply the steps that are outlined in D.nline /nterprise !ssuing CAs
*Corporate/nt(CA+.D
)he decision of #hether or not to use a separate root CA to issue all certificates in an
organi=ation should be a need for security versus a need for cost mitigation and simple
administration.
)o summari=eC a t#o;tier to four;tier CA topology is the most common deployment. Any
organi=ation should be able to deploy a similar K! architecture to meet any
organi=ationalC businessC and technical requirementC as #ell as a respectable level of
security.
2or reliability and redundancyC improve the availability of the K! and deploy multiple
enterprise CAs instead of e0tending the depth of the hierarchy.
'oot!
A root CA is a self;signed CA. )echnicallyC the root CA runs the same code as an
intermediate or issuing CA. )he difference bet#een these types of CAs is in the role that
the CA takes. )he follo#ing table displays a list of the characteristics that a root CA
should haveC depending on the CA topology.
"able ? 'oot! !#aracteristics
!#aracteristic More t#an 2
tiers
2 tiers . tier
>igh level of physical
security
Ees Ees 1o
33
!#aracteristic More t#an 2
tiers
2 tiers . tier
ermanently offline Ees Ees 1o
>ighly restricted area
*vault+
Ees Ees Ees
Match the level of risk Ees Ees Ees
>igh level of
cryptographic security
Ees Ees Ees
9argest key si=e Ees Ees Ees
$oft#are C$
*2!$ (<&;( level (+
1o 1o Ees
$mart cards or
CMC!A tokens #ith
!1s
*2!$ (<&;( level %+
1o Ees EesC recommended
>ard#are security
modules #ith
operator hard#are
token
*2!$ (<&;( level ' or
<+
Ees EesC recommended EesC recommended
/ven if an offline root CA might run only #hen the CA certificate must be rene#ed or the
C-9 has to be publishedC the CA must be installed on reliable hard#are. !f you are
thinking about using a notebook computer to take the role of the root CAC note that it does
not meet the requirements for reliability at the time that this document is being published.
!n most customer environmentsC maintaining a root CA requires e0traordinary security
measures. )he level of security requires that the root CA is offline at all times andC
preferablyC protected in a secure physical environment. !n theoryC a desktop system #ith a
removable hard drive can be used to protect a root CA.
34
Intermediate !s
!ntermediate CAs are subordinate to the root CA. By definitionC if you implement an
intermediate CAC the topology consists of a minimum of three tiers. )he intermediate
layer of a K! hierarchy often provides useful policyC administrative or operational
differentiation. !ntermediate CAs are also kno#n as policy CAs because they are often
used to manage or dictate different security and operational policies bet#een different
geographical areasC business unitsC or the intranet or e0tranet for a corporation.
)o implement policies #ithout an intermediate CAC you can also assign policies to issuing
CAs on a logical basis.
An intermediate CA@s security requirements are the same as for the root CA because an
intermediate CA provides CA certificates to online issuing CAs. )he intermediate CA
should be an offlineC stand;alone CA.
,ote
!t is highly recommended that you only issue certificates from an intermediate CA
after the administrator manually approves the request. )his is the default
configuration for a "indo#s $erver %&&' stand;alone CA.
Issuing !s
Depending on the architectureC an issuing CA is a subordinate of an intermediate CA or a
subordinate of the root CA. /nterprise CAs are ideal for issuing large numbers of
certificatesC because they can automatically validate the user and certificate profile
information. )he purpose of an issuing CA is to enroll certificates to end;entities and not
to subordinate CAs.
,ote
Eou can limit the number of subordinate CA levels in a certificate hierarchy by
defining a ma0imum path length in the basic constraints e0tension of a CA
certificate. A path length of =ero #ill ensure that an issuing CA may only issue
certificates to end;enties. Eou can define the basic constraints e0tension and
path length by using a CApolicy.inf configuration file.
2nderstanding 'oot "rust
"hen a client uses a certificateC it is mandatory that the trust relationship bet#een the
certificate and the root CA can be verified. A certificate is trusted if the client that verifies
the certificate trusts the root CA certificate that is in the client certificates certificate trust
path as #ell. A client must have the related root CA certificate in its local certificate store
35
to proof a trust;relationship #ith the root CA. 2or more informationC see Dolicies to
establish trust of root certification authoritiesD on the Microsoft "eb site.
!f Active Directory is availableC it is important to understand ho# clients like users or
computers can benefit from Active Directory to establish a trust relationship #ith the root
CA
Eou can achieve the trust that is obtained from a root certification authority by deploying
the root CA certificate through one of the follo#ing si0 methods:
/nterprise trust in Active Directory
?roup policy in Active Directory
Certificate )rust 9ists *C)9s+ in ?roup olicy
Manual trust on a local computer
Manual trust by a user
"indo#s 6pdate
Depending on the permissions and the scope of the distribution mechanismC certificates
are put into different locations and require different maintenance tools. 2or more
informationC see the follo#ing table.
"able .0 !ertificate "rust Mec#anisms
$istribution
met#od
Scope 2ses
@roup
Policy
obAect
4ocation Maintained
wit#
/nterprise trust /ntire
forest
Ees $ervicesBublic Key
$ervicesBCertificationAuthorities
!ertutil9e*e
or K! >ealth
)ool
?roup policy
trust
Domain Ees Domain $ecurity ?roup olicy
obAect
?roup olicy
MMC
1)Auth *for
CAs trusted to
issue
authentication
certificates+
/ntire
forest
Ees $ervicesBublic Key
$ervicesB1)Auth obAect
!ertutil9e*e
or K! >ealth
)ool
36
$istribution
met#od
Scope 2ses
@roup
Policy
obAect
4ocation Maintained
wit#
Manual trust on
the local
computer
9ocal
computer
and all
users that
log on to
system
1o -egistry
>K/EI9.CA9IMAC>!1/
Certificates
MMC for the
local
computer
Manual trust by
user
Current
user
1o -egistry
>K/EIC6--/1)I6$/-
Certificates
MMC for the
local
computer
"indo#s
6pdate
9ocal
computer
and all
users that
log on to
system
1o -egistry
>K/EI9.CA9IMAC>!1/
?roup olicy
MMC or dd
or 'emove
Programs in
Control anel
)nterprise "rust
Eou can use the built;in autoenrollment service to automatically do#nload root CA
certificates and certificate trust lists *C)9s+ from the Active Directory enterprise trust store
on both "indo#s %&&& and "indo#s F clients.
2or additional informationC see the follo#ing articles on the Microsoft "eb site:
Certificate Autoenrollment in "indo#s $erver %&&' on the Microsoft )ech1et "eb
site
Configure ublic Key ?roup olicy on the Microsoft "eb site
@roup Policy "rust
?roup olicy trust is defined and configured by using the ?roup olicy MMC and the
Default Domain $ecurity ?roup olicy obAect. ?roup olicy trust is configured and
enforced for the domain #here the ?roup olicy obAect applies. Because of thisC different
37
users in different domains trust different root CAs. !t is highly recommended to create a
ne# domain policy and not edit the default domain policies.
,ote
.nly root CA certificates must be trusted and registered on client computers. Do
not add subordinate CA certificates to the ?roup olicy trustC because
intermediate and issuing CAs certificates may not be e0plicitly trusted. CryptoA!
automatically
,"ut#
)he 1)Auth store is deployed on all computers in the forest from the configuration
partition of the forest in the follo#ing directory path:
!,B,"ut#!ertificates/!,BPublic Key
Services/!,BServices/!,B!onfiguration/$!B
Important
1)Auth CAs are trusted to both issue authentication *logon+ certificates for any
user in the forest and enable logon for smart cardsC !nternet !nformation $ervices
*!!$+ mappingC and /0tensible Authentication rotocol;)ransport 9ayer $ecurity
*/A;)9$+.recise control of issuing CAs can be achieved through qualified
subordination #ith constraints.
Eou can verify the certificates that are currently registered in 1)Auth by typing the
follo#ing at a command prompt #here the domain component information is configured
#ith the name of the Active Directory root domain:
certutil9e*e 1store ldap>CCC!,B,"ut#!ertificates/!,BPublic Key
Services/!,BServices/!,B!onfiguration/$!Bcontoso/$!Bcom
Eou can see a more visual display of certificates by typing the follo#ing at a command
prompt:
certutil 1viewstore Dldap>CCC!,B,"ut#!ertificates/!,BPublic Key
Services/!,BServices/!,B!onfiguration/$!BD
Eou can also manually maintain the 1)Auth store by typing one of the follo#ing
commands at a command prompt:
certutil Eaddstore
certutil Edelstore
certutil Edspublis#"ertificate5ile,"ut#
38
2or more information about the 1)Auth store and smart card logonC see the follo#ing
articles on the Microsoft "eb sites:
D$tep;by;$tep ?uide to Mapping Certificates to 6ser AccountsD on the Microsoft
)ech1et "eb site
D>o# to !mport a )hird;arty Certificate into the 1)Auth $toreD on the Microsoft
Kno#ledge Base
D/nabling $mart Card 9ogon #ith )hird;arty CAsD on the Microsoft Kno#ledge Base
D-equirements for )hird;arty CA Domain Controller CertificatesD on the Microsoft
Kno#ledge Base
!n a "indo#s $erver %&&' Active Directory environment that contains only clients running
"indo#s FC the 1)Auth store is not mandatory for smart card logon and certificate
mappingC compared to a "indo#s $erver %&&' mi0ed environment #ith "indo#s %&&&
clients. Because "indo#s $erver %&&' Active Directory supports publishing cross;
certificates and because clients running "indo#s F support name and policy
constraints for 0.4&, certificatesC administrators may #aive the 1)Auth policy in
homogenous "indo#s $erver %&&' and "indo#s F environments. )his option requires
and assumes that CAs have defined name constraints instead of being listed in the
1)Auth store of the directory. )hereforeC domain controllers that process both smart card
logon and certificate mapping requests #ill e0plicitly trust all CAs that chain to trusted
root CAsC assuming that the certificate matches a valid user account in Active Directory.
!aution
Disabling 1)Auth policy verification enables domain controller trust of any CA
that issues a valid smart card logon certificate and chains to a trusted root CA in
the Active Directory environment. Any CAsC including the default third;party root
CAsC should have name constraints defined before disabling the 1)Auth policy. !f
this does not occurC unintended trust and logon access may occur. 6se this
option #ith e0treme caution and only #hen root CAs have been properly
constrained in the environment.
2or more information about qualified subordination and name constraintsC see Dlanning
and !mplementing Cross;Certification and :ualified $ubordination 6sing "indo#s $erver
%&&'D on the Microsoft )ech1et "eb site.
Manual "rust on a 4ocal !omputer
-oot CA certificates may also be manually trusted on a local computer by using the
Certificates MMC snap;in for the local computer. )he user must be a local administrator
to add root CA certificates to the machine certificate store. All root CA certificates in the
39
computer@s machine certificate store are inherited by all users #ho log on to that
computer. )he users trusted root certificate store and the machine trusted root certificate
store form a union from a user@s perspective.
2or more information about certificate storesC see Chapter ('C ublic Key )echnology on
the "indo#s %&&& -esource Kit "eb site.
Confirm that certificates are stored in the correct location. Any root CA certificate that is
stored in the local computers certificate store is visible to any user on that computer. !f a
root CA certificate is registered in the local computer store and if the CA certificate is also
manually added by a userC the root CA certificate might appear t#ice in the Certificates
MMC snap;in. !f a root certificate is not available in the local computers certificate store
but is available in the users storeC building a certificate chain also may not #ork for some
applications.
Eou can maintain the computers certificate store also #ith the !nternet /0plorer
Administration Kit *!/AK+ or CA!C.M. 2or more information about CA!C.MC see the
article DCA!C.M -eferenceD on the M$D1 "eb site.
Manual "rust by 2ser
!t is recommended that only administrators maintain certificate trust and that you store
only CA certificates in the local computers certificate store.
Windows 2pdate
By defaultC computers that are running "indo#s F and members of the "indo#s $erver
%&&' family run a service that #ill do#nload updated public root CA certificates that have
been added to the Microsoft root program. )he service is not available in the "indo#s
%&&& family.
Any organi=ation that has a CA that meets the requirements that are outlined in the
Microsoft -oot Certificate program is able to distribute the CA certificate through
"indo#s 6pdate. 2or more informationC see DMicrosoft -oot Certificate rogramD on the
Computers that are running either "indo#s F or "indo#s $erver %&&' periodically
do#nload the current list of -oot CA certificates that are added to the )hird;arty -oot
Certification Authority store on the local computer. 2or more informationC see the chapter
DCertificate support and the 6pdate -oot Certificates componentD in D6sing "indo#s F
rofessional #ith $ervice ack ( in a Managed /nvironment: Controlling Communication
#ith the !nternetCD #hich is available for do#nload on the Microsoft "eb site.
40
)o install or remove this serviceC you can use dd or 'emove Programs. )o do thisC
click StartC point to !ontrol PanelC and then click dd or 'emove Programs. !n the
toolbarC click ddC'emove Windows !omponentsC and thenC in !omponentsC select
the 2pdate 'oot !ertificates check bo0.
)his service can also be managed through ?roup olicy in Active Directory.
-igure 2> Windows !omponents Wi=ard
!reating an )nrollment Strategy
A certificate can be used to provide authentication evidence of its o#nerC encryptC or sign
data. Because of thisC the certificate issuer must ensure that certificate holders are kno#n
entities. Before certificates are enrolledC you should ans#er the follo#ing questions:
>o# #ill users obtain their certificatesJ
"hat is the process for enrollment identificationJ
41
)he most secure #ay to initially enroll user certificates is to do a face;to;face
authentication at the registration authority and store user certificates on hard#are tokens.
)his provides the highest level of assuranceC but also the highest cost of deployment.
!f certificate enrollment #ith hard#are tokens through enrollment agents is not an optionC
the CA can verify the certificate requester #ith domain credentials. )his authentication
method for certificate enrollment is usual #hen users self;enroll certificates. )his scenario
assumes that a user is the only person #ho is able to use the credentials.
!t is recommended that you use a combined enrollment strategy that implements a strong
initial identity check. $ubsequent certificate enrollment and rene#al can then be based
on the initial certificate.
!reating a ! 'enewal Strategy
Certificate lifetimes can have an impact on the security of your K! for the follo#ing
reasons:
.ver timeC encryption keys become more vulnerable to attack. !n generalC the longer
amount of time that a key pair is in useC the greater the risk that the key can be
compromised. )o mitigate this riskC you must establish the ma0imum allo#able key
lifetimes and rene# certificates #ith ne# key pairs before these limits are e0ceeded.
"hen a CA certificate e0piresC all subordinate certificates that are issued by this CA
for validation also e0pire. )his is kno#n as time nesting and is traditionally enforced
by CryptoA! in the client.
"hen a CA certificate is revokedC all certificates that have been issued by the CA
must also be re;issued.
/nd entity certificates e0pire #hen the issuing CA certificate reaches the end of its
lifetimeC unless:
)he end entity certificate is rene#ed #ith a ne# key pair that chains to a CA
certificate #ith a longer lifetime.
)he end entity certificate #as revoked before the CA certificate e0piration date is
reached.
Eou must plan the CA certificate rene#al precisely during the K! deployment phase. !f
this important planning step is missedC the entire K! might stop #orking #hen the CA
certificate e0piresC because all of the certificates that depend on the CAs certificate are
then no longer usable for both encryption and signing operations. -emember that a
certificate is capable of decrypting dataC even if it has e0pired or been revoked.
42
,ote
!t is strongly recommended that you generate ne# key material #hen you rene#
a CA@s certificate in order to partition the C-9 that is issued by the CA and also
prevent ambiguous certificate chaining errors caused by use of the same public
key.
$etermining t#e "otal ,umber of !s
)he total number of CAs depends on the organi=ations security requirements and the
organi=ation@s si=e. !t is also dependent upon the geographicalC politicalC and business
hierarchy of the organi=ation. As outlined earlier in this documentC there is a choice of
different trust levels that may be applied. After the organi=ation has decided ho# many
tiers should be implementedC it is important to plan the number of CAs that are required
at each level. 2or a K! topology that uses intermediate CAsC the number of CAs
depends on the number of different CA policies that are required to issue CAs. )he
number of issuing CAs depends on the number of certificates that should be issuedC the
net#ork connectivity bet#een the requester and the CAC and the number of intermediate
CAs.
A three;tier architecture consists of:
.ne root;CA
At least one policy CA *)his can be one or many servers.+
At least t#o issuing CAs for every policy CA to ensure fault tolerance
A t#o;tier architecture consists of:
.ne root;CA
At least t#o issuing CAs to ensure fault tolerance
A single;tier architecture consists only of a single CA.
1ote the follo#ing:
Eou cannot change the CA type at a later timeK you must uninstall the original CA and
then reinstall the CA to change it from either a stand;alone CA to an enterprise CA or
an enterprise CA to a stand;alone CA.
Eou can install only one instance of a CA on a "indo#s $erver %&&' system.
)he certificate distribution point and the C-9 publication interval is valid for all
certificates that are issued by a CA and cannot be set for individual certificates.
43
2or certificates that are used e0ternallyC the naming and information that is part of the
certificates should not reveal the internal K! or net#ork infrastructureC such as the name
of a CA or C-9 distribution point paths in the issued certificates.
8ardware 'e+uirements
)his section provides some general guidelines for hard#are requirements for a "indo#s
$erver %&&' CA. )his section should not be used as an authoritative guide for
performance characteristics. $pecific performance characteristics varyC depending on the
implementation and customer environment.
8ardware @uidelines
Microsoft performance testing in a lab environment has sho#n that the signing key length
of the CA has the most significant impact on the enrollment rate of the CA. A larger
number of certificates can be signed and enrolled in a given time if a smaller key si=e is
used. !f a larger key si=e is usedC more C6 time is required to issue certificates.
)he total number of issued certificates should not have a significant influence on either
server performance or the rate at #hich the CA issues certificatesK the performance of the
issuing CA stays nearly the sameC #hether thousands or millions of certificates have
previously been issued. )hereforeC the scalability of the CA is considered to be linearC
based on the si=e and performance of the disk arrays that are used to store both the
database and log files.
)he follo#ing table lists configuration factors that may affect performance of the CA.
"able .. 'esources "#at ffect ! Performance
'esource Performance notes
1umber of C6s Additional C6s increase the overall
performance of the CA. )his is the most
critical resource for a "indo#s $erver %&&'
CA.
Memory !n generalC additional memory does not
have a significant role in the enrollment
performance of the CA. )he CA should
meet general recommended system
requirements *4(% MB+C ho#everC the
minimum amount of memory is %45 MB.
44
'esource Performance notes
Disk si=e )he capacity of the disk volume that stores
the database and log files it the primary
limiting factor for the number of certificates
that a CA is able to maintain.
Disk performance !n generalC a short key length *4(% KB+
generates very little C6 utili=ation and a
very high disk load. 9arger key si=es
generate more C6 utili=ation and less disk
usage. A high;performance disk subsystem
can increase the rate of enrolled
certificates. A -A!D set is recommended for
both performance and fault;tolerance
purposes. CA operations are primarily disk;
#rite intensive.
1umber of volumes 6sing separate disks for the database and
log files provides basic performance
improvement. !n generalC the drive that
contains the CA database is used more
than the drive that contains the log files.
)he disk #rite capacity improves if you use
more physical drives in a -A!D set.
-A!D stripe si=e !t is recommended that you use a stripe si=e
larger than 5< KB.
Key length )he larger the signature key lengthC the
greater the C6 utili=ation. 9arger keys
degrade CA performance. )o be C6;
independentC you may #ant to use
hard#are acceleration to provide a large
number of both key generation and signing
operations.
Band#idth A (&& megabit net#ork connection is
suitable to enroll a large number of
certificates and causes no performance
bottleneckC assuming that the server is
running the CA e0clusively #ith no
additional applications or net#ork services.
45
Processor ,otes
!n generalC a computer that has a current processor and 4(% MB of memory is considered
sufficient for most organi=ational uses of a "indo#s $erver %&&' CA. )he enrollment rate
is directly related to the ability of the CA to sign requests that are based on C6
availability. Many hard#areC environmentalC net#orkC or client factors can affect the
performance of a CA.
$is7 !onfiguration ,otes
Disk space and disk speed also limit the performance and scalability of a CA. /ach
certificate that is issued uses appro0imately (5 KB of disk space in the databaseC and an
additional < KB is required if the private key is archived. )he certificate database must
contain all of the issued certificates to be able to revoke certificates and provide a record
of operations. Because none of the records are ever automatically tombstoned or
automatically deletedC the certificate database continuously increases in si=e #hen ne#
certificates are issued. 1evertheless a CA administrator can use the Certutil.e0e
command;line utility to delete e0pired records from the CA database.
Scalability
)he "indo#s %&&& CA has been tested to issue more than 7 million certificates and the
"indo#s $erver %&&' CA has been tested to issue more than '4 million certificates on a
single four;processorC 085;based computer. )he ma0imum database si=e #as not
reached in either of the test scenarios.
!reating !ertificate Policies and
!ertificate Practice Statements
)he definition of certificate policies and the certificate practice statement *C$+ is often
forgotten by technically;oriented planners. )he basis for both the certificate policy and
C$ are the organi=ations security policy.
Creating these documents is usually a Aoint responsibility of the legalC human resourcesC
and information security departments.
46
-igure 3> 'elations#ip Between !ertificate Policy and !ertificate Practice
Statements
Both the certificate policy and the C$ help the user of a K! determine the level of trust
that those departments can put in the certificates that are issued by a CA. )he e0istence
of policies is critical #hen dealing #ith a reliable K!. !f certificates are e0changed only
#ithin an organi=ationC the creation of a C$ and a security policy might not be
mandatory. "hen this is trueC some clauses regarding the use of K! and certificates in
the employee manual may be essential. 1ote that an organi=ational C$ is a C$ that
covers all CAs in a hierarchy. ?enerallyC a C$ covers only a specific CA.
A C and C$ may prove to required #hen certificate holders e0change or use
certificates #ith partners and entities that live outside of the company@s net#ork. "hen
e0ternal trust is implementedC it is often very important to align K! policies and practices
as part of the e0ternal contract terms.
Security Policy
)he security policy is a high;level document that is created by the corporate !) group. !t
defines a set of rules about the use and provision of security services in the organi=ationC
and should reflect your organi=ation@s business and !) strategy. )he security policy
should ans#er high;level K! questionsC such as:
"hat applications should be secured #ith certificatesJ
"hat kind of security services should be offered by using certificatesJ
!ertificate Policy
A certificate policy focuses on certificates and the CA@s responsibilities regarding these
certificates. !t defines certificate characteristics such as usageC enrollment and issuance
proceduresC as #ell as liability issues.
47
)he follo#ing references define a certificate policy as a set of rules that determine if a
certificate is applicable to either a community or a class of applications that have
common security requirements.
2or more information about the F.4&, standardC see the !nternational )elecommunication
6nion "eb site.
2or more information about the /uropean /lectronic $ignature $tandardi=ation !nitiative
*//$$!+ definitionC see the //$$! "eb site.
A certificate policy typically ans#ers the question about #hat purposes the certificate
servesC and under #hich policies and procedures the certificate has been issued. A
certificate policy typically addresses the follo#ing issues:
>o# users are authenticated during certificate enrollment
9egal issuesC such as liabilityC that might arise if the CA becomes compromised or is
used for something other than its intended purpose
)he intended purpose of the certificate
rivate key management requirementsC such as storage on smart cards or other
hard#are devices
"hether the private key can be e0ported or archived
-equirements for users of the certificatesC including #hat users must do if their
private keys are lost or compromised
-equirements for certificate enrollment and rene#al
Minimum length for the public key and private key pairs
)he certificate policy is typically defined by members of an organi=ation #ho are kno#n
as the polic! authorit!. )he policy authority typically consists of representatives from
different core departmentsC including managementC legalC auditC human resourcesC and
other departments. .verallC the policy authority members #ill also be members of the
group that defined the security policyC #hich ensures that the certificate policy is in
agreement #ith the security policy.
!ertificate Practice Statement
)he certificate practice statement *C$+ translates certificate policies into operational
procedures on the CA level. )he certificate policy focuses on a certificateK the C$
focuses on a CA. Both the //$$! and the American Bar Association *ABA+ define a C$
as a statement about the #ay that a CA issues certificates. 2or more information about
48
the ABAC see the ABA "eb site. 2or more information about the //$$!C see the //$$!
"eb site.
A C$ might include the follo#ing types of information:
ositive identification of the CAC including the CA nameC server nameC and Domain
1ame $ystem *D1$+ address
Certificate policies that are implemented by the CA and the certificate types that are
issued
oliciesC proceduresC and processes for issuingC rene#ingC and recovering certificates
Cryptographic algorithmsC cryptographic service providers *C$s+C and the key length
that is used for the CA certificate
hysicalC net#orkC and procedural security for the CA
)he certificate lifetime of each certificate that is issued by the CA
olicies for revoking certificatesC including conditions for certificate revocationC such
as employee termination and misuse of security privileges
olicies for certificate revocation lists *C-9s+C including #here to locate C-9
distribution points and ho# often C-9s are published
A policy for rene#ing the CA@s certificate before it e0pires
)he C$ should be defined by a team that consists of members of the !) departmentC
people #ho are operating and administering the !) infrastructureC and the people *often
attorneys+ that defined the certificate policy. )he C$ is a public document that should be
published on the !nternet. /very certificate that has been issued by a CA that follo#s a
C$ has an 6-9 pointer in the certificate that directs people to the public document.
"hen a certificate has a C$ pointer as part of the certificateC the Issuer Statement
button becomes available. "hen you click Issuer StatementC the 6-9 that has been
specified by the CA administrator is redirected.
Important
A C$ is al#ays valid for all certificates that are issued subordinate to the CA
that contains the qualifier. Make sure that all parameters that are listed in
Appendi0 B are part of the planning process.
'evocation Policy
Before certificates are enrolledC the K! management team should kno# ho# to revoke
certificates. Any F.4&, 3' certificate *e0cept the root CA certificate itself+ should have a
49
pointer to a valid C-9. )he C-9 distribution point is included in the certificate@s e0tension
and cannot be modified after a certificate is enrolled.
)he logical availability of the C-9 distribution point that is specified in the certificate
allo#s a K!;enabled application to verify the certificate@s validity against the C-9. )he
C-9 is essential to ensure the quality *status+ of certificates that are published by the CA.
!f the C-9 is available and the certificate@s serial number is part of the C-9C the certificate
is marked as invalid from a clients perspective.
A revoked certificate@s serial number is added to the C-9 as long as the original
certificate lifetime is valid. After the original lifetime of the certificate e0piresC the serial
number of the certificate is added to the C-9 for the last time.
,ote
Eou cannot use revoked certificates for signing or encryption operations
anymore. >o#everC you can use revoked certificates for decryption operationsC
because the revoked certificates are required for decryption.
!f an application is going to verify a certificate against the C-9 and no valid C-9 is
availableC the revocation check does not #ork and the certificate cannot be used for the
transaction. !f the application has properly implemented C-9 checkingC no authenticationC
encryptionC or signing is allo#ed #ith this certificate until a valid C-9 is available again.
2or immediate revocation of logon certificatesC consider disabling the account in Active
Directory instead of revoking the logon certificate. !t is more time efficient to delete or
disable user accounts if you #ant to immediately revoke a user@s ability to gain access to
the logon certificates.
2or more information about C-9sC A!AC and chain building refer to the D)roubleshooting
Certificate $tatus and -evocationD #hite paper on )ech1et.
!'4 Best Practices
"hen you consider C-9 distributionC you should kno# #here and ho# clients can gain
access to a C-9. )he C-9 distribution mechanism of enterprise and stand;alone CAs is
different by default.
!t is a common mistake to not modify the default C-9 distribution point of an isolated
stand;alone CA. Because a root or intermediate CA is typically disconnected from the
net#orkC K!;enabled clients cannot validate the issued certificates against the default
C-9 distribution point on the CA server. )o make a C-9 of an offline stand;alone CA
publicly availableC you must manually publish the C-9 or utili=e a custom e0itmodule or
script that publishes the C-9 to a predefined location. 2or more information about custom
50
e0it modulesC see the D/0it ModulesD chapter in the $ecurity latform $DK on the
Microsoft "eb site.
An online CA on a computer that is Aoined to an Active Directory domain or forest
automatically publishes the C-9 to Active Directory so that it can be accessible through
9DA. AlternativelyC the C-9 can be made available through an >)) 6-9 that points to
a location on a "eb server.
Depending on the certificate types that are issued #ith a CAC the order of the C-9
distribution points is important. 2or authentication certificatesC it is beneficial to have a
C-9 or fully;qualified 9DA C-9 distribution point as the first entry in the list of
distribution points. !f a relative 9DA C-9 distribution point is specifiedC a client contacts
the domain controller that is closestC according to the Active Directory site structureC to
get the C-9. 2ully;qualified 9DA C-9 distribution points eliminate latency issue that
may occur until the C-9 has been replicated in Active Directory. 2or non;authentication
certificatesC you may #ant to use 9DA because 9DA is more fault;tolerant in an Active
Directory environment compared to tolerance in a single;instance >)) server.
!t is also an option to set both an 9DA and >)) C-9 distribution point 6-9 to support
clients that are Active Directory;a#areC as #ell as clients that are not running "indo#s
and that are not Active Directory;a#are. !f you have a mi0ed client environment or both
internal and e0ternal clientsC it is a best practice to place the >)) location in the C-9
distribution point e0tension first to avoid net#ork timeouts. Any client that retrieves a C-9
on demand during certificate verification caches a copy of the C-9 in the !nternet
/0plorer temporary files until the C-9 e0pires.
,ote
!t is a best practice to publish a C-9 that is available e0ternally through an >))
location so that users and applications that are outside of the organi=ation may
perform certificate validation. !t is also a best practice to use paths and naming
that do not reveal the internal net#ork infrastructure to e0ternal entities.
)he C-9 maintains a list of revoked certificates that have been issued by a CA. )he C-9
does not maintain the validity of certificates that are o#ned by a subordinate CAC like the
CA certificate. )he subordinate CA certificates revocation status is maintained by the CAs
parent CAC since the parent CA has issued the subordinate CA certificate.
$ince a root CA certificate has no parent CA that could maintain the C-9C there is no
need to specify a C-9 distribution point for the root CA certificate itself. )o revoke a root
CAC all certificates that have been issued by the root CA must be revoked instead.
>ere are some additional planning notes:
A root CA certificate should have an empty C-9 distribution point because the C-9
distribution point is defined by the certificate issuer. $ince the roots certificate issuer
51
is the root CAC there is no value in including a C-9 distribution point for the root CA.
!n additionC some applications may detect an invalid certificate chain if the root
certificate has a C-9 distribution point e0tension set.
.ffline CAs must continue to publish C-9s.
!f certificates are e0changed #ith e0ternal entitiesC the C-9s must be available at a
location that is accessible for all internal and e0ternal entities. )o satisfy this
requirementC in this case the C-9 is usually published in the organi=ation@s perimeter
net#ork.
)o ensure redundancyC make the C-9 available through more than one location.
!f the C-9 is distributed by using Active DirectoryC plan for replication latency.
lan for C-9 publications that cannot be performed as usually scheduled and have
contingency operations prepared
)he C-9 should be valid for the amount of time that it takes for CA recovery if
hard#are fails or if soft#are does not #ork. 2or e0ampleC a one;hour C-9 publication
period is most likely not adequate time to perform a hard#are or soft#are restoration
because of the possibility of issues #ith either the hard#are or soft#are.
)he less frequently C-9s are publishedC the more time you #ill have for issue
resolution.
!f a CA cannot publish the C-9 on timeC the C-9 is not updated and #ill e0pire. !f a
C-9 has e0piredC clients cannot verify certificates that #ould require the C-9. )o
prevent certificate misuseC certificates are considered invalid if the C-9 has e0pired
or is unavailable.
A "indo#s $erver %&&' Certification Authority can publish to an !!$ cluster using
61C paths for the C-9 distribution point 6-9.
All "indo#s CAs follo# the C-9 3% format that is specified in -2C %<4, and -2C '%8&.
2or additional information about -2C %<4, and -2C '%8&C see the !nternet /ngineering
)ask 2orce "eb site.
4$P !'4 Best Practices
)he follo#ing best practices apply to 9DA;based C-9s:
An 9DA C-9 is replicated in Active Directory to all domain controllers in the forest.
Because of thisC it provides fault;tolerance in an environment #ith more than one
domain controller and can be designated as Dhighly available.D
52
)he Active Directory replication schedule should be taken into account. )his is an
important consideration since it may take longer than e0pected for every directory
server to receive the latest version of the C-9C depending on the si=e and replication
schedule of the Active Directory environment.
C-9s should not be published to Active Directory #hen the C-9 publication period is
shorter than the replication convergence time for the Active Directory forest.
Do not use escape characters in 9DA C-9 distribution point pathsC such as a
backslash *B+.
Do not include names that are specific to either internal or organi=ation names in the
C-9 distribution point. Certificates may be e0changed #ith e0ternal parties and those
parties should not be able to obtain information about internal name spaces. )o
eliminate internal names in the C-9 distribution pointC also allo# internal clients to
gain access to the e0ternal distribution pointC or implement a name mapping
mechanism that ensures that internal clients can resolve an e0ternal name and gain
access to an internal resource.
!f an 9DA C-9 distribution point for certificates that are e0changed #ith e0ternal
parties is usedC do not use the relative 9DA 6-9 that points to the closest domain
controller.
)he first part of the name is the hosting and distribution point is the 9DA name of the
server that is hosting the C-9 distribution pointK the second part of the name is the
complete 9DA path of the directory location #here the C-9 is stored. )he follo#ing
configuration string *or 9DA reference+:
ldap>CCC!,B/!,B
is interpreted as
ldap>CC"losest-omain"ontroller6!0iteC!,B/!,B
"hen you use this synta0C part one of the 9DA C-9 distribution point is left outC but it is
automatically inserted #hen the C-9 must be retrieved. )he ldap:HHH synta0 forces a
"indo#s %&&&C "indo#s FC or "indo#s $erver %&&' client that is Aoined to an Active
Directory domain to find the closest domain controller. AlternativelyC a fully qualified
domain name *2:D1+ or an e0act server path #ith a port valueC is also supported.
1ot only is the path of the C-9 is important #hen you plan an 9DA C-9 distribution
pointK you must also configure the correct search criteria and append that search criteria
to the 9DA path.
9DA searches support search suffi0es to specify attributesC depthC and obAect;classes.
Because the directory service may store several obAects of different data types in the
53
same locationC it is important to query for the correct data. A search suffi0 uses the
follo#ing format:
JattributeJdepthJobAectIclass
!f the attributeC depthC and obAectIclass search suffi0es are missingC the client selects the
correct obAect. Because there are different client implementationsC a C-9 verification
might not #ork #ithout this e0tended information.
)he follo#ing e0ample sho#s a relative 9DA C-9 distribution point *on one line+:
ldap:HHHC1L"orporateRoot",CC1LRoot7",CC1LCDCC1Lublic Key
$ervicesCC1L$ervicesCC1LConfigurationCDCLcontosoCDCLcomJ
certificate-evocation9istJbaseJobAectClassLc-9Distributionoint
!n the sample line aboveC Corporate-ootC CAIRoot7",C contosoC and com are
placeholders and must be replaced #ith parameters that are specific to the organi=ations
requirements.
)he follo#ing e0ample sho#s an absolute 9DA C-9 distribution point *on one line+:
ldap:HHcdp(.contoso.comHC1L"orporateRoot",CC1LRoot7",CC1LCDCC1Lublic Key
$ervicesCC1L$ervicesCC1LConfigurationCDCLcontosoCDCLcomJ
certificate-evocation9istJbaseJobAectClassLc-9Distributionoint
!n the sample line aboveC cdp8.contoso.comC "orporateRoot",C Root",C contosoC and
com are placeholders and must be replaced #ith parameters that are specific to the
organi=ation@s requirements.
8""P !'4 $istribution Point 2'4 Best
Practices
1on;"indo#s clients might not be able to retrieve C-9s #ith 9DA 6-9s based on
Active Directory. Because of thisC you may need to provide an additional >)) C-9
distribution point location for 9DA;enabled clients. Computers running "indo#s support
9DA and >)) 6-9s. )he follo#ing are some best practices for >)) C-9 distribution
point 6-9s:
!f you provide an >)) C-9 distribution point locationC provide fault tolerance by
having either a virtual server name that points to several physical "eb servers
*round;robin D1$+ or a clustered "eb server to provide redundancy in the >))
6-9.
>)) C-9 distribution point locations are ideal for providing accessible C-9
locations for clients that are not running the "indo#s operating system.
54
lace >)) C-9 distribution point 6-9s second in the list of the 6-9s in the C-9
distribution point e0tension #hen Active Directory;a#are clients are primarily used.
)his is to decrease net#ork traffic because the client #ould benefit from intra;site
communication #ith the domain controller.
lace >)) C-9 distribution point 6-9s first in the list of the 6-9s in the C-9
distribution point e0tension #hen clients cannot connect to the Active Directory to
verify certificates. /0amples include e0ternal "eb serversC 31 and remote access
serversC and -AD!6$ *!A$+ servers.
>)) 6-9s should contain only valid file name characters.
$elta !'4s
!n a production environmentC the number of certificates that are revoked is in relation to
the number of certificates that are issued. )he list of revoked certificates #ill vary in
lengthC depending on the number of certificates that are enrolled by a CA.
-evoked certificates are added to the C-9 as a collection of certificate serial numbers.
-2C %<4, and -2C '%8& define a method that you can use to reduce base C-9 si=es by
using delta C-9s. Delta C-9s maintain a list of certificates that have been revoked since
the last base C-9 publication.
Base C-9s and delta C-9s are cached by "indo#s clients. )o ensure the validity of a
certificateC the client uses the locally;cached base and delta C-9 until the C-9s validity
period e0pires. !f a base C-9 e0piresC the client retrieves a ne# base C-9 from the
distribution point that is specified in the certificate. !f the base C-9 is valid but the cached
delta C-9 is e0piredC a "indo#s client retrieves only the delta C-9. )ypicallyC a delta
C-9 is much smaller in si=e than a base C-9 because it saves only the certificates that
have been revoked after the last base C-9 update.
Delta C-9 best practices:
6se delta C-9s #ith issuing CAs #henever possible.
Do not use delta C-9s #ith offline CAsC because there are not as many certificates
that require frequent revocation. .ffline CAs usually have longer C-9 publication
cycles than issuing CAsC since it is abnormal to revoke a large number of CA
certificates.
)o provide clients #ith the most up;to;date revocation information #ith smaller net#ork
utili=ation *compared to the net#ork utili=ation that is required for a base C-9
distribution+C you can publish the delta C-9 on a daily basis and publish the base C-9 on
a #eekly basis. >o#everC if a large number of certificates is revoked and if the number of
revoked certificates e0ceeds the number of revoked certificates that are already part of
55
the base C-9C the si=e of a delta C-9 is larger than the si=e of a base C-9. 1ote that
this scenario is very unlikely to occur and is not considered to be typical.
Do not publish frequent delta C-9s to Active Directory if replication takes a longer period
than the delta C-9 is valid.
(nline !ertificate Status Protocol Support
A "indo#s CA does not provide online certificate status protocol *.C$+ functionality by
default. >o#everC you can enable .C$ if you install a revocation provider in CryptoA!
or through a third;party .C$ responder that communicates #ith the Microsoft
Certification Authority. 2or more information about CryptoA! or revocation providersC
search for CryptoA! on the M$D1 "eb site.
Best Practices for !'4 Publication
)he C-9 publication interval for CAs that issue certificates to CAs should be a longer
period than for CAs that issue certificates to end;entitiesC because revocation of a CA
certificate should be a very rare operation. A recommended creation interval for a ne#
C-9 of that type #ould be in the range of ,& to (8& days.
A C-9 for an offline CA should al#ays be published a fe# days before e0piration to allo#
for une0pected issues. )he publication interval for issuing CAs should be set according to
the type to issued certificates. Authentication certificates might require a less frequent
publication schedule than other certificate types.
2or offline CA C-9 publicationC you should also consider these points:
2or issuing CAsC a short C-9 publishing schedule ensures that the C-9 is current
and that any revocation can be made available as quickly as possible. 1ote that
"indo#s clients cache a C-9 for the validity period.
2or offline CAsC a longer C-9 publishing schedule ensures that the C-9 does not
have to be regenerated and republished through the required manual generation and
publishing processes.
I )*tensions
)he A!A e0tension allo#s the certificate user to obtain a current copy of the CAs current
certificate. CA certificates are required #hen a certificate chain is built. Chain building is
performed as part of the certificate verification process.
56
"hen you configure A!A e0tensionsC use the same attention to detail that you use #hen
you configure C-9 distribution point e0tensions. $ee the follo#ing e0ample for more
information about the A!A e0tension in a certificate.
-igure 3> I )*tensions
CA certificates are multivaluedC Base5<;encoded attributes in Active Directory that can
store more than one CA certificate. A multivalued A!A attribute is used for every CA
because a CA may have more than one valid certificate after CA rene#al.
1ote that multivalued attributes are limited in the number of values that they can store.
Eou cannot sure more than (C&&& CA certificates in the A!A obAect.
Compared to an 9DA A!A 6-9 that points to a multivalued obAect and distinguishes
certificates in the same obAect by the search suffi0C an >)) A!A 6-9 points only to a
single file. Because of thisC all >)) 6-9s must include the certificate suffi0 *M.cerC M.crtC
57
etc+ as the suffi0 for the file name to distinguish bet#een the multiple certificates that are
stored in the same directory on the >)) server
)he follo#ing table describes the structure of ho# certificates are stored. 1ote that an
>)) location must be unique and only one C-9 obAect *or file+ may e0ist at each e0plicit
6-9 path. An 9DA location is a single obAect in Active Directory that supports a
multivalued attribute.
"able .2 )*ample of Stored !ertificate Structure
I 8""P 2'4 %obAect& I 4$P 2'4 %obAect&
$everal files at
http:HH###.microsoft.comH
concorp;ca;&&I
Corporate-ootCA.crt
concorp;ca;&&I
Corporate-ootCA*(+.crt
concorp;ca;&&I
Corporate-ootCA*%+.crt
concorp;ca;&&I
Corporate-ootCA.crt
concorp;ca;&&I
concorp;ca;&&I
.ne multivalued
attribute at
C1LA!ACC1Lublic
Key $ervicesCC1L
$ervicesCN5N((
!ertificate 0alidity Period and Key 4engt#
)he validity period of certificates depends on the organi=ation@s requirements. )he
follo#ing table outlines some recommendations for the validity period for different CA
types.
"able .3 'ecommendations for 0alidity Periods
Purpose of !ertificate !ertificate 4ife Private Key 'enewal
Strategy
$tand;alone root CA.
*<&,5;bit key+
%& years -ene# at least every (&
years to ensure that policy
CA certificates can be
issued #ith lifetimes of (&
years. -ene# by using a
ne# key at least every %&
years.
58
Strategy
$tand;alone policy CAs
*%&<8;bit key+
(& years -ene# at least every 4
years to ensure that child;
issuing CAs can be issued
for 4 years. -ene# by using
a ne# key at least every (&
years.
/nterprise issuing CA s for
medium security certificates
*(%&<;bit key+
4 years -ene# at least every '
years to ensure that
certificates can be issued
for % years. -ene# by using
a ne# key at least every 4
years.
/nterprise issuing CA s for
high security certificates
*%&<8;bit key+
4 years -ene# #ith ne# key at least
every < years to ensure that
for a year..
/nterprise issuing CA for
e0ternal certificates
*(&<8;bit key+
4 years -ene# at least every <
years to ensure that
for a year. -ene# by using
a ne# key at least every 4
years.
$ecure mail and secure
bro#ser certificates
( year -ene# by using a ne# key
at least every % years.
$mart card certificates
*(&%<;bit key+
Administrator certificates
*(&%<;bit key+
$ecure "eb server
certificates
*(&%<;bit key+
% years -ene# by using a ne# key
59
Strategy
Business partners@ user
certificates for an e0tranet
*(&%<;bit key+
5 months -ene# by using a ne# key
at least every year.
,ote
All these values are suggestions and may be dictated by legalC governmentalC or
contractual rules that are specific to the organi=ation. Changes of policy and
e0tensions during rene#al and rekey of CAs may also require subsequent
changes of C$ recertificationC auditC and so on.
)*ample Scenario for !ontoso
$ince a lot of planning considerations and best practice approaches are covered in the
previous sectionC here is a real #orld e0ample of K! topology. )he e0ample describes
the best practices that are mentioned earlier in this document and also describes most of
the options of a comple0 K!. By leaving out distinct components *like the >$M or the
intermediate CA level+C you can also adAust the topology to environments for smaller
organi=ations.
)he fictitious organi=ations name is Contoso Company. Contoso is an international
company that has already deployed Active Directory and is introducing a "indo#s $erver
%&&' K!. )he planning for the proAect is already finished. Besides other preparation
#orkC the parameters as listed in Appendi0 BC #hich #ill drive the K! configuration.
6se the follo#ing installation instructions to set up a K! that is similar to the Contoso
K!.
Platform $ecision
)he Contoso Corporation has decided to deploy a "indo#s $erver %&&' K! hierarchy.
)he organi=ation recogni=es ease of deploymentC benefits of strengthened securityC
security;integrated applicationsC and the Active Directory;integrated management
infrastructure that is in their current Active Directory infrastructure.
Because Contoso #ants to benefit from all K! improvements to the "indo#s $erver
%&&' familyC they have prepared Active Directory to run in a "indo#s $erver %&&' forest
60
and in "indo#s $erver %&&' domain functional mode. 2or more information about ho# to
raise the domain functional level on a computer running a member of the "indo#s
$erver %&&' familyC see the article D>." ).: -aise the Domain 2unctional 9evel in the
"indo#s .1/) $erver 2amilyD on the Microsoft Kno#ledge Base.
)he Contoso company has a mi0 of clients that are running a member of the "indo#s
%&&& family or "indo#s F rofessional and uses a number of integrated applications
that can take advantage of the "indo#s $erver %&&' K!C including $ecureHMultipurpose
!nternet Mail /0tensions *$HM!M/+C encrypting file system */2$+C 9%) or !$ec 31
connectionsC 8&%.(0 #ireless accessC and $$9;enabled "eb servers. $mart cards are
used for user logon.
PKI $esign
Contoso has decided that a three;tier K! topology is most suitable for their organi=ation.
!f an organi=ation #ants to benefit from a t#o;tier K! topologyC the implementation
guidelines that are outlined in this documentation can also be applied.
)he Contoso K! consists of different certificate servers. /very CA #ill be implemented
#ith Certificate $ervices as implemented in "indo#s $erver %&&'C /nterprise /dition.
)he follo#ing figure illustrates the Certificate $ervices architecture for Contoso
Corporation.
61
-igure 6> ! 8ierarc#y for !ontoso !orporation
'oot !
)he Contoso stand;alone root CA is never connected to a net#ork and remains offline
and physically secured. )he root CA issues and revokes certificates for intermediate CAs
in the hierarchy. )o raise the security level of the CAs private keyC an >$M e0tends the
root CAs hard#are configuration. )he CA certificate and the C-9 are manually published
and made available through an >)) and an 9DA distribution point.
Intermediate !s
)he intermediate CAs are physically secured and operated offline. Contoso has decided
to operate t#o intermediate CAs. )he separation of intermediate CAs allo#s the
organi=ation to set different C-9 distribution points and C-9 publishing intervals. $ince
intermediate CAs are also treated as sensitive components in the organi=ation@s K!C they
are also equipped #ith >$Ms.
Issuing !s
)he issuing enterprise CAs are responsible for certificate enrollment to end;entities.
)hese CAs are distributed to different geographic locations to allo# local availability.
hysical securityC ho#everC has to take precedence over close pro0imity of the servers.
)hese CA servers are online and available to service requests at any time. Eou can
improve availability in the future by deploying more issuing CAs.
!ontoso )nvironment Summary
)he follo#ing list describes the Contoso environment:
A forest and domain environment #ith computers that run only members of the
"indo#s $erver %&&' family
Clients that are running either "indo#s %&&& or "indo#s F
)hree;tier K! hierarchy
$elf;signed stand;alone offline root "indo#s $erver %&&'C /nterprise /dition stand;
alone CA #ith >$M to support role;separation
62
!ntermediate offline stand;alone "indo#s $erver %&&'C /nterprise /dition stand;
alone CA #ith >$M to support role separation
$everal onlineC Active Directory;integrated issuing "indo#s $erver %&&'C /nterprise
/dition CAs to support auto;enrollment and 3% templates.
Stand1alone (ffline 'oot !
)he follo#ing section describes the steps that you should use to install an offline root CA
by using a computer running "indo#s $erver %&&'C $tandard /dition. )he installation
procedure for a "indo#s %&&& CA is similar to the installation procedure for a computer
running "indo#s $erver %&&'C $tandard /ditionC so you can also use the follo#ing
installation procedure on computers running "indo#s %&&&.
,ote
)he stand;alone offline root CA is also referred to as DCorporate-ootCAD in this
document.
Installation Prere+uisites
A server that is running "indo#s $erver %&&'C $tandard /dition is installed #ith the base
operating system and latest updates. 3erify that you have the follo#ing information before
you start to install Certificate $ervices:
)he C$ that has all of the parameters that are specific to the organi=ation
)he "indo#s $erver %&&' installation mediumC such as the original CD;-.M
Appropriate hard#are #ith a floppy disk drive
Both computer and CA naming conventions
Directory and file paths to be used for C-9 distribution pointC such as A!A
.ther CA configuration informationC such as C-9 publication intervals
>$MC if applicable
Install t#e (ffline 'oot !
)o set up the root CAC use the steps in this section. Before you beginC verify that the
follo#ing concepts have been revie#ed and approved by your organi=ation:
ublic key infrastructure concepts
63
-equirements that describe the purpose of certificate usage and enrollment
Details about CA configuration including the hierarchy of the K!
)he rene#al strategy that you are going to use for the root CA is planed
.perational security procedures and policies
Wor7group Members#ip
)he Corporate-ootCA must be a #orkgroup member because it is not connected to the
net#ork and has no link to a domain controller. 1everthelessC the server name must be
unique in your organi=ation because the server name is part of the information that #ill be
published in Active Directory.
3erify that the naming information is correct after you log on to the local computer by
using the net config wor7station command at a command prompt. *1ote that the values
that are in italics may be different for youC according to your configuration.+ )he follo#ing
section is an e0ample of ho# you can use the net config wor7station command to
accomplish this.
D:\>net config workstation
Computer name \\CONCORP-CA-00
Full Computer name concorp-ca-00
ser name A!ministrator
"orkstation acti#e on
Net$ios%m$ &000000000000'
Net()*)cpip*+,CD-C0C.-0/A0-12(1--0-3-0D34,,FD0AA05
&000-C,0(D2C0'
%oftware #ersion 6icrosoft "in!ows %er#er /007
"orkstation !omain "OR89ROP
:ogon !omain CONCORP-CA-00
CO6 Open )imeout &sec' 0
CO6 %en! Count &$;te' 3.
CO6 %en! )imeout &msec' /00
)<e comman! complete! successfull;=
3erify that the logon domain name is the same as your server name.
2or more informationC see the follo#ing articles on Microsoft "eb sites:
DChecklist: Creating a certification hierarchy #ith an offline root certification authorityD
on the Microsoft "eb site
D>." ).: !nstall a "indo#s %&&& Certificate $ervices .ffline -oot Certification
AuthorityD on the Microsoft Kno#ledge Base
64
Installing an 8SM on an (ffline 'oot !
$ome organi=ations may choose to protect the root private key #ith additional hard#are.
Before you install and configure Certificate $ervicesC verify that the >$M is correctly set
up according to the manufacturer@s installation instructions. 2or information about ho# to
install an >$M on computers that are running either "indo#s %&&& or "indo#s $erver
%&&'C see the follo#ing "eb sites:
"indo#s %&&& $erver and K!: 6sing the nCipher >ard#are $ecurity Module on the
Microsoft "eb site
Deploying Certificate $ervices on "indo#s %&&& and "indo#s .1/) $erver #ith the
Chrysalis;!)$ 9una CA' >ard#are $ecurity Module on the Microsoft "eb site
Prepare t#e !Policy9inf -ile for t#e 'oot !
An issued certificate typically inherits properties *for e0ampleC certificate lifetimeC the
distribution point of the C-9C and other parameters+ from a certificate template that is
provided by the issuing CA. $ince the root CA requires a certificate for itselfC the root CA
must self;sign the root CA certificate because there is no parent CA that could issue the
CA certificate.
Before the CA certificate is generatedC custom configuration of the CA that is relevant to
the CA certificate is required. )he CAolicy.inf file has all configuration information that is
required to generate the self signed CA certificate according to the organi=ations needs.
!aution
Configuring the CAolicy.inf file is a very important step that you must finish
before you set up a "indo#s $erver %&&' root CA. !f you do not use the
CAolicy.inf file for the offline root CA setup procedureC the C-9 and A!A
distribution points that become part of issued certificates are set to distribution
points on the local computer. Because an offline CA is never accessible from the
net#orkC clients cannot resolve the C-9 or A!A distribution point. )o prevent this
issueC you must e0plicitly add both the "RL-istribution9oint and
,uthorit!Information,ccess parameters to the CAolicy.inf file. As noted in the
DC-9 Best racticesD section in this documentC both the C-9 and A!A C-9
distribution point of a root CA need to be defined as empty.
)o ensure that the CAolicy.inf file is correctly processed:
)he A$C!! te0t file must be available on the local computer before the CA setup
procedure starts or before CA certificate rene#al is attempted
65
)he file is placed in the FSystemrootF folder on the local computer on #hich the
CA is installed
)he synta0 follo#s the specification that is described in the CAolicy.inf synta0D section in
the appendi0 of this document.
,ote
After you use CAolicy.inf on a CAC do not remove it from the computer because
configuration parametersC like rene#al key lengthC should be consistent during
the life cycle of the CA.
AlsoC during the installation procedureC you do not receive a #arning message if the
CAolicy.inf file is not in the correct format because there is no synta0 or error;checking
mechanism. 2or setup logging and debug informationC see the 0!stemrootBCertocm.log
file.
)o configure the CAolicy.inf file:
(. 9og on to the Corporate-ootCA computer as an administrator.
%. .pen a te0t editorC such as 1otepad.
'. Copy the sample te0t file that is in the D$ample CAolicy.inf file for the
Corporate-ootCAD section of this document as a template.
<. aste the te0t into the file and then save it to FSystemrootFBCAolicy.inf.
Installing t#e (ffline 'oot ! Software
!omponents
Important
erform any renaming operations before the CA services become part of the
configuration. Eou cannot change the 1etB!.$ computer name or the computer@s
membership in a domain or #orkgroup after certificate services is installedC
because the name is part of the Certification Authority configuration information.
)o install the offline root CA soft#are componentsC use the follo#ing procedure.
(. 9og on to the Corporate-ootCA computer as an administrator. 1ote that this account
#ill be permitted as a CA administrator during the CA installation procedure. Eou can
delegate the CA administrator role to other user accounts after the setup and
configuration procedures are finished. 2or more information about CA roles and
permissionC see "indo#s $erver %&&' $erver >elp.
%. 6se one of the follo#ing procedures to open ddC'emove Windows !omponents:
66
"o use a command prompt>
a. Click StartC click 'unC type cmdC and then click (K.
b. At the command promptC type sysocmgr Ci>sysoc9inf and then press /1)/-.
"o use !ontrol Panel>
a. Click StartC point to SettingsC and then click !ontrol Panel.
b. Click dd or 'emove Programs.
c. !n dd or 'emove ProgramsC click ddC'emove Windows !omponents.
,ote
)o run Certificate $ervicesC check for the follo#ing soft#are components:
Certificate $ervices
!nternet /0plorer
*.ptional+ Certificate $ervices "eb enrollment support
*.ptional+ !nternet !nformation $ervices for "eb enrollment support
!t is not recommended that you install any other "indo#s components on a "indo#s
$erver CA. !f you install additional componentsC reliability or security of a root CA may
be compromised if a secure configuration is required by the organi=ation.
An offline "indo#s %&&& CA requires !nternet !nformation $ervices to support offline
CA enrollment. 6nlike "indo#s %&&& $erverC a "indo#s $erver %&&' certification
authority can process offline certificate requests #ithin the Certification Authority
MMC
'. !n the "indo#s Components "i=ardC select the !ertificate Services check bo0C and
then click ,e*t.
<. !n ! "ypeC click Stand1alone root !C select the 2se custom settings to
generate t#e 7ey pair and ! certificate check bo0C and then click ,e*t.
!t is e0pected that the enterprise root CA and enterprise subordinate CA options are
not available because the computer is not a member of an Active Directory domain.
4. Do one of the follo#ing:
!f you installed an >$MC in !SPC select the C$ that you installed during the
>$M installation procedure.
!f you did not install an >$MC in !SPC click Microsoft Strong !ryptograp#ic
Provider.
5. In 8as# algorit#mC click the default hash algorithmC S81..
67
$>A;( is the most common and interoperable hash algorithm that is used by
applications and operating systems. 2or more information about C$ support on
computers that are running "indo#s %&&&C see DMicrosoft /nhanced C$ !s 1ot
$upported for Certificate $ervices !nstallationsD on the Microsoft Kno#ledge Base.
7. !n Key lengt#C click 30?:.
!f you choose a different key lengthC confirm that the key length is interoperable #ith
organi=ational applications and other K! components. )here is no verification of the
key length that you type into the bo0. !f an >$M or smart card C$ is utili=edC the
C$ #ill be required to interact #ith the desktop.
8. Confirm that both the llow t#is !SP to interact wit# t#e des7top check bo0 and
the 2se an e*isting 7ey check bo0es are clearedC and then click ,e*t.
,. .n ! Identifying InformationC in !ommon name for t#is !C type a name that
#ill identify the CA to you. !n this e0ampleC use !orporate'oot!.
As it is specified in the certificate practice statementC you must specify a common
name *C1+ for the CA. )he C1 cannot e0ceed 5< characters in lengthC ho#everC it is
recommended that you use a ma0imum length of 4( characters to prevent an
encoding length rule violation.
(&. *.ptional+ In $istinguis#ed name suffi*C type
$!Bconcorp/$!Bcontoso/$!Bcom.
!f you type a nameC confirm that you have typed it correctly so that it #orks in the
conte0t of the Active Directory domain name. !n the Contoso scenarioC the
distinguished name is $!Bconcorp/$!Bcontoso/$!Bcom. !f you install a CA on a
computer that is a domain member #ith /nterprise Administrator privilegesC the
distinguished name suffi0 is automatically configured. Eou can also set the
distinguished name suffi0 at a later time by using the Certutil.e0e command.
((. !n 0alidity periodC select .0 years.
/nter the validity time as defined in your organi=ation@s certificate practice statement.
!n this e0ampleC a validity period of (& years is set for Corporate-ootCA.
(%. !f you have uninstalled a CA on this computer alreadyC you receive a #arning
message that confirms that you #ant to over#rite the private key from the previous
CA installation. !t is recommended that you ensure that the private key is never
required again. !f you make a backup copy of the systemC it is more likely that you #ill
not lose any data. *!nstead of backing up the entire systemC you can also make a
backup copy of the private key. )o do thisC at a command promptC type certutil E
bac7up7ey 1G+ !f you are not sure if you #ant to over#rite the private keyC click ,o to
cancel the installation procedure. !f you click HesC a ne# key is generated and the
68
ne# key replaces the e0isting key. 1ote that "indo#s %&&& CAs do not support the
distinguished name suffi0 specification as part of the installation #i=ard.
)he public and private keys are then generated by the C$. !f you use the default
C$C the keys are #ritten to the local computers key store. !f you did not use an
>$MC the key is generated by CryptoA! and is stored in the profile of the system
account on the local computer. )he length of time that is required to generate the key
depends on both the si=e of the key that is generated and the C6 performance of
the local computer. !f an >$M is installed and selectedC the key is generated in the
>$M and stored according to the >$M specific architecture. $ince no certificate
templates are available on a stand;alone CA server that is a member of a #orkgroupC
the CA certificate needs to be built from configuration information in the registry. )he
follo#ing default key usage e0tension values are added to the CA certificate:
Digital signature
Certificate signing
Certificate offline C-9 signing
Certificate C-9 signing
>o#everC if a root CA is installed on a computer that is running either a member of
the "indo#s %&&& family or a member of the "indo#s $erver %&&' familyC and that
computer is a domain memberC the CA inherits the /nhanced Key 6sage e0tension
settings from the CA template in Active DirectoryC even if the CA is installed as a
stand;alone CA. !f no Active Directory is availableC the /nhanced Key 6sage settings
are also taken out of the configuration that is available in the registry.
('. !n !ertificate database and !ertificate database logC enter the locations of the
certificate database and the log files for the certificate database.
)he certificate database and the certificate database log must be saved to a local
1)2$ hard disk.
.n a stand;alone CA that is e0pected to infrequently issue CA certificatesC you can
retain both the certificate database and the certificate database log on the local
computer@s hard disk. )o ensure that the CA is reliable and availableC schedule
backup operations of the computer. Backup may be performed even if the CA service
is not running. 2or more information about CA backup and recoveryC see DCertification
Authority backup and recoveryD in this document.
(<. *.ptional+ )o install a CA in the same location as a previously installed CAC select the
Preserve e*isting certificate database check bo0.
!f you select this optionC the ne# CA #ill use the e0isting database and preserve the
certificates in the database. !f you do not select this optionC the e0isting database #ill
69
be deleted. Eou should use this option only #hen you are trying to restore a CA from
a backup or for CA migration.
Eou can move both the database and log files to a different location. 2or more
informationC see >." ).: Move the Certificate $erver Database and 9og 2iles on
the Microsoft Kno#ledge Base.
(4. $elect the Store configuration information in a s#ared folder check bo0 andC in
S#ared folderC enter a local pathname as the name for the shared folderC such as
C:BCAConfigC and then click ,e*t.
)he CA setup procedure cannot detect if the computer is supposed to run as either
an online or offline CA. 2or an offline CAC the shared folder is not necessaryC but must
still be specified. !f the CA is connected to the net#orkC clients can gain access to the
CA certificate through the shared folder.
Depending on the name of the shared folderC a ne# share is created on the CA
server computer. )he path to the shared folder can be either a universal naming
convention *61C+ path such as the defaultC BB9ocalhostBCAConfigC or a local pathC
such as C:BCAConfig. !f the server does not have net#ork cards installed or has all
net#ork interfaces disabledC you must choose a local path.
$ome information that is stored in the CAs configuration directory must be published
to the organi=ation@s Active Directory at a later stage. 2or more informationC see
D!mport parent CA certificates and C-9s into Active DirectoryD later in this document.
"hen the "indo#s Components "i=ard completes the Certificate $ervices
configurationC you may be asked for the server@s installation media to finish the
installation.
Because you do not need to install !!$ on this computerC you may receive a #arning
message that states that the Certificate $ervices "eb /nrollment $upport is
unavailable. !f you receive this messageC click (K and complete the installation
procedure.
-igure :> IIS Installation Warning
70
0erify t#e 'oot ! !onfiguration
)he ne0t procedure helps you to ensure that the root CA is correctly configured ready for
production operations.
0erify t#e 'oot ! !ertificate
Because the CA certificate is mandatory for a reliable certificate validation of all
certificates that have been issued by your K!C it is important to ensure that this certificate
has all of the necessary information before proceeding #ith the installation of a CA
hierarchy.
(. .n the local root CA computerC at a command promptC type:
certutil Eca9cert corporate'oot!9cer
%. 3ie# the CA certificate to validate the information that is in the CA certificate. )o do
thisC at a command promptC type:
certutil9e*e corporate'oot!9cer
'. 3erify that the italici=ed parameters are the same parameters that you noted in the
configuration document in the previous section. !n additionC make sure that the
certificate lifetime is set to a period of (& years.
%ignature Algorit<m:
Algorit<m O$>ect?!: 3=/=-10=337014=3=3=0 s<a3R%A
?ssuer: CN@CorporateRootCA
Not(efore: .A0A/00/ ,:1, P6
NotAfter: .A0A/03/ ,:01 P6
%u$>ect: CN@CorporateRootCA
0erify t#e !orporate'oot! !onfiguration
Information
6se the steps in this section to verify the CA configuration:
(. At a command promptC type certutil Ecainfo and verify the CA type. )he result #ill be
similar to the follo#ing:
CA t;pe: 7 -- %tan!-alone Root CA
2N6*%)ANDA:ON2*ROO)CA -- 7
%. At a command promptC type certutil Ggetreg O find H! Directory to verify the database
settings. 3erify the follo#ing italici=ed output:
71
ConfigurationDirector; R29*%B @ \\concorp-ca-00\CertConfig
D(Director; R29*%B @ C:\"?NDO"%\s;stem7/\Cert:og
D(:ogDirector; R29*%B @ C:\"?NDO"%\s;stem7/\Cert:og
D(%;stemDirector; R29*%B @ C:\"?NDO"%\s;stem7/\Cert:og
D()empDirector; R29*%B @ C:\"?NDO"%\s;stem7/\Cert:og
(ffline 'oot ! !onfiguration
After the stand;alone offline root CA is installedC you must configure the properties of the
offline root CA for certificates that are subsequently issued from the CA. )hese
e0tensions are necessary to ensure correct revocation and chain building.
Eou can perform all of the steps that are described in this section by using one batch
script. 2or more informationC see $ample script to configure Corporate-ootCA in this
document.
Map t#e ,amespace of ctive $irectory to an (ffline !Is
'egistry !onfiguration
!aution
!ncorrectly editing the registry may severely damage your computer. Before
making changes to the registryC you should back up any valued data on the
computer.
Because the offline root CA is not connected to the domain and does not automatically
publish the C-9 to Active DirectoryC you must set a key in the registry. )o do thisC at a
command promptC type the follo#ing command and then stop and start the CA service:
certutil9e*e Esetreg caJ$S!onfig$,
!,B!onfiguration/$!Bconcorp/$!Bcontoso/$!Bcom
#here -":concorp,-":contoso,-":com is the namespace of the forest root domain.
)his setting is primarily required for C-9s and CA certificates *A!A+ that are published in
Active Directory.
)his registry value sets the N5 replacement token that is required for the C-9 location
attributeC as #ell as the C-9 and A!A distribution points that are described in DConfigure
Corporate-ootCA distribution points for C-9 and A!A. 2or more information about the N5
replacement tokenC see C-9 distribution point replacement token in this document.
Important
After you use this command to change the registry keyC a ne# C-9 and any ne#
CA certificates that are issued must be republished. .nly ne# certificates that are
72
issued after you use the previous command #ill have this information available. !t
is important to note that you must reissue and republish any subordinate CA
certificate if it #as issued before you changed the registry key.
!onfigure !orporate'oot! $istribution Points for !'4
and I
)he C-9 and A!A distribution points must be set before any certificates are issued from
the ne# CA.
)his configuration step ensures that the correct information is embedded in each of the
issued certificates so that the certificate@s signature and revocation status can be verified.
2or additional information about certificate status and chain buildingC as #ell as ho# the
A!A and C-9 distribution point e0tensions are used by CryptoA!C see )roubleshooting
Certificate $tatus and -evocation on the Microsoft )ech1et "eb site.
2or all CA types *online or offlineC root or subordinateC enterprise or stand;alone+C the
configuration of the A!A e0tension and the C-9 distribution point e0tension is critical. !f
they are not configured correctly or if they contain invalid e0tensionsC there may be
une0pected problems. 2or e0ampleC smart card login attempts may not #orkC there may
be invalid e;mail digital signaturesC or there may be "eb sites that are not trusted.
!onfigure !orporate'oot! $istribution Points for !'4
and I by 2sing t#e 2ser Interface
C-9 distribution point and A!A e0tension changes take effect only after the CA is
restarted and the e0tensions appear in certificates issued only after the changes are
applied.
.n computers that run a member of the "indo#s %&&& familyC the C-9 and A!A
configuration process is different than on computers that are running a member of the
"indo#s $erver %&&' family.
Before changing the C-9 configurationC verify the default settings.
9og on to the computer #ith an account that has Certification Authority Administrator
permissions.
)ype the follo#ing at a command prompt:
certutil 1getreg caJ!'4Publication2'4s
)he follo#ing report of the default C-9 distribution points is displayed. 1ote these
settings if you need to change the C-9 configuration to its original state.
73
CR:Pu$licationR:s R29*6:)?*%B @
0: .0:C:\"?NDO"%\s;stem7/\Cert%r#\Cert2nroll\C7C-C4=crl
C%R:*%2RD2RP(:?%E -- 3
C%R:*%2RD2RP(:?%ED2:)A -- 10 &.1'

3: ,4:l!ap:AAACN@C,C-FCN@C/FCN@CDPFCN@Pu$lic 8e; %er#icesFCN@%er#icesFC.C30
C%R:*%2RD2RP(:?%E -- 3
C%R:*ADD)OC2R)CDP -- /
C%R:*ADD)OFR2%E2%)CR: -- 1
C%R:*ADD)OCR:CDP -- -
C%R:*%2RD2RP(:?%ED2:)A -- 10 &.1'

/: .:<ttp:AAC3ACert2nrollAC7C-C4=crl
C%R:*ADD)OFR2%E2%)CR: -- 1

7: 0:file:AA\\C3\Cert2nroll\C7C-C4=crl
As it is specified in the C$C you must configure the C-9 and A!A distribution point for
certificates issued by this CA. )o configure these e0tensions in a "indo#s $erver %&&'
CAC perform the follo#ing steps:
(. 9og on to the computer running certificate services #ith an account that has
Certification Authority Management permissions.
%. Click StartC point to ll ProgramsC point to dministrative "oolsC and then click
!ertification ut#ority.
'. !n the console treeC right;click the name of the CA that you #ant to #ork #ithC and
then click Properties.
<. Click the )*tensions tab.
!onfigure !orporate'oot! $istribution Points for t#e
!'4
(. 2irstC remove all of the C-9 distribution point locationsC e0cept for the local C-9
distribution point.
!aution
Do not remove the local C-9 distribution point location. )he local distribution
point #ill look similar to the follo#ing path:
C:B"indo#sB$ystem'%BCert$rvBCert/nrollB"orporateRoot",.crl )he CA must
publish the C-9 to the file system because all of the other distribution points
are not accessible for this offline CA. )he CA uses the local C-9 to validate
all certificates that are generated before the certificates are issued to users.
74
)he local path is not included in the C-9 distribution point e0tension of
issued certificates.
%. .n the )*tensions tabC in Select e*tensionC select !'4 $istribution Point %!$P&.
'. !n Specify location from w#ic# users can obtain a certificate revocation list
%!'4&C click the default 9DA locationC click 'emoveC and then click Hes.
<. -epeat $tep % for all C-9 distribution point locations e0cept for the local C-9
distribution point.
After you remove all of the appropriate locationsC the remaining list of C-9 distribution
points #ill be similar to the follo#ing figure.
-igure ;> !'4 $istribution Point 4ocations
1o#C you #ill add the desired C-9 distribution point locations to the list.
75
)o provide multiple access protocol methods for C-9 retrievalC different distribution points
are provided to facilitate heterogeneous environments. 1ote that the 9DA path that is
listed in the follo#ing table contains information about the organi=ation@s Active Directory
namespace. !f the certificate #ill be e0changed #ith e0ternal partiesC define a neutral
namespace. )he e0ample in this section uses the follo#ing C-9 distribution points in the
follo#ing order.
"able .3 4ist of !'4 $istribution Points for !orporate'oot!
ccess protocol !'4 distribution point
PlocalQ C:B"!1D."$Bsystem'%BCert$rvBCert/nrollBN'N8N,.crl
>)) http:HH###.contoso.comHpkiHN'N8N,.crl
9DA 9dap:HHHC1LN7N8CC1LN%CC1LCDCC1Lublic Key
$ervicesCC1L$ervicesCN5N(&
)he PlocalQ path should be the current "indo#s installation directory.
)he order in #hich you should choose the access protocols is based on the type of
certificates that are issued by a CA. A C-9 distribution point #ith >)) as the first
protocol in the list is recommended for environments #here C-9 distribution #ithout
latency is critical or #here most clients are not Aoined to an Active directory domain.
>)) locations generally do not replicate and do not have latency issues #hereas an
9DA distribution point might be located in a distributed directory serviceC like Active
Directory. )he C-9 distribution points that are listed in the table use the replacement
tokens that are described in C-9 distribution point -eplacement )oken in this document.
2or more information about C-9 namingC see the chapter C-9 Best ractices.
(. Click ddC and in 9ocationC type the appropriate C-9 distribution point path from the
previous tableC and then click (K.
Eou can also copy and paste the path from the table.
%. -epeat $tep ( for each type of access protocol.
1e0tC you must set the configuration parameters that dictate ho# the C-9 #ill be
published by the CA. )he properties must be set for every C-9 distribution point
path.
'. !n Specify locations from w#ic# users can obtain a certificate revocation list
%!'4&C click one of the paths.
<. "hile still on the Properties tabC select or clear the check bo0 that is listed in the
previous tableC depending on the type of pathC and then click pply.
76
4. -epeat steps ' and < for each path.
"able .6 !'4 $istribution Point Properties
!'4 distribution point
property
-ile 8""P 4$P
ublish C-9s to this
location check bo0
$elect 1HA Clear
!nclude in all C-9s
check bo0
1HA 1HA $elect
!nclude in C-9s
check bo0
1HA Clear $elect
!nclude in the CD
e0tension of issued
certificates check bo0
1HA $elect $elect
ublish delta C-9s to
this location check
bo0
Clear 1HA Clear
,ote
!n Publis# !'4s to t#is locationC since the "orporateRoot", computer is
not attached to the net#orkC the CA cannot automatically publish the C-9 to
the 9DA C-9 distribution point. By defaultC this option is chosen on an
enterprise CA to automate the C-9 publishing to the 9DA C-9 distribution
point.
!n Publis# !'4s to t#is locationC a 61C file path can be specified to publish to
clustered "eb servers using !!$ for C-9 fault tolerance.
!f the Publis# $elta !'4s to t#is location check bo0 is selectedC make sure that the
delta C-9 is also published. 2or more informationC see DConfigure C-9 publication
interval via the user interfaceD in this document.
2or a description of C-9 propertiesC see C-9 publishing properties in this document.
77
!onfigure !orporate'oot! $istribution Points for I
!aution
!n the procedure belo#C do not remove the local A!A path location. )he local path
#ill not be contained in the A!A e0tension of issued certificates.
(. !n "orporateRoot",PropertiesC on the )*tensions tabC select ut#ority
Information ccess %I&.
%. !n Specify locations from w#ic# users can obtain t#e certificate for t#is !C
click the default 9DA locationC click 'emoveC and then click Hes.
'. -epeat the previous step to remove all of the entries e0cept for the local entry.
Eou can also clear the check bo0es for all A!A publishing options instead of removing
the A!A path from the list.
<. Click ddC and in 4ocationC type one of the A!A distribution points from the follo#ing
tableC and then click (K.
4. -epeat the previous step for each A!A distribution point in the table belo#.
1ote that the 9DA path can e0pose internal namespace information if the
certificates #ill be e0changed #ith e0ternal parties. Change the 9DA C-9
distribution point to a permanent and publicly;available distribution point if certificates
are e0changed #ith e0ternal parties.
"able .: 4ist of I !'4 $istribution Points for !ontoso
ccess protocol I $istribution Point
PlocalQ D:B"!1D."$Bsystem'%BCert$rvBCert/nrollBN(IN'N<.crt
>)) http:HH###.contoso.comHpkiHN(IN'N<.crt
9DA ldap:HHHC1LN7CC1LA!ACC1Lublic Key
$ervicesCC1L$ervicesCN5N((
5. !n Specify locations from w#ic# users can obtain t#e certificate for t#is !C
click one of the locationsC and then select or clear the check bo0es according to the
follo#ing table.
)hese configuration parameters control ho# the A!A e0tension is used by the CA in
issued certificates. Eou must set the properties for every A!A path that is specified on
the )*tensions tab.
"able .; I Properties
78
I property -I4) 8""P 4$P
Include in t#e I
e*tension of issued
certificates check bo0
1HA $elect $elect
Include in t#e online
certificate status
protocol %(!SP&
e*tension check bo0
1HA Clear Clear
7. -epeat the previous step for each locationC e0cept for the file locations.
8. Click (KC and then click Hes to apply the changes you have made and restart the
computer.
!onfigure t#e !orporate'oot! !'4 and I !'4
$istribution Point -rom a Batc# -ile
)he C-9 distribution point path is stored as a multivalued attribute in the registry. Eou can
also set the appropriate value #ith the Certutil.e0e utility. )his procedure is similar to the
steps that are outlined in DConfigure Corporate-ootCA distribution points for C-9 and A!A
by using the user interfaceD earlier in this document. )o configure both the C-9
distribution point and A!A paths for a "indo#s $erver %&&' CA #ith !ertutil9e*eC follo#
the steps that are described in this section.
Important
Because percent character *N+ variables are handled differently than the
configuration 6! in batch files and at a command promptC you must use the NN
notation if you #ant to run the e0ample script in this section as a batch file. !f
Certutil is called from a command promptC replace NN #ith a single N.
Certutil.e0e interprets a multivalued attribute #hen you use Jn as part of the value string.
!f a multivalued attribute consists of only one valueC verify that Jn is appended as the last
character in the value string. .ther#iseC you create a string value that might be not
recogni=ed by the CA. 2or more informationC type certutil9e*e Esetreg 1G at a command
prompt.
(. .n a server that is running one of the appropriate members of the "indo#s $erver
%&&' familyC open a te0t editorC such as 1otepadC and then copy the follo#ing te0t as
t#o separate ro#s into the te0t editor.
certutil -setreg CA\CR:Pu$licationR:s
79
G3:C"?ND?RC\s;stem7/\Cert%r#\Cert2nroll\CC7CC-CC4=crl\n/:<ttp:AAwww=
contoso=comApkiACC7CC-CC4=crl\n30::DAP:AAACN@CC,CC-FCN@CC/FCN@CDPFCN
@Pu$lic 8e; %er#icesFCN@%er#icesFCC.CC30G
certutil -setreg CA\CACertPu$licationR:s
G3:C"?ND?RC\s;stem7/\Cert%r#\Cert2nroll\CC3*CC7CC1=crt\n/::DAP:AAACN
@CC,FCN@A?AFCN@Pu$lic 8e; %er#icesFCN@%er#icesFCC.CC33\n/:<ttp:AAwww
=contoso=comApkiACC3*CC7CC1=crtG
!f a "indo#s %&&& $erver is usedC the follo#ing commands perform the same
function as above:
certutil -setreg polic;\Re#ocationCR:R:
G<ttp:AAwww=contoso=comApkiACC7CC-=crl\nG
certutil -setreg polic;\:DAPRe#ocationCR:R:
Gl!ap:AAACN@CC,CC-FCN@CC/FCN@CDPFCN@Pu$lic 8e;
%er#icesFCN@%er#icesFCC.HcertificateRe#ocation:istH$aseHo$>ectclass@
cR:Distri$utionPoint\nG
certutil -setreg polic;\FileRe#ocationCR:R: G\nG
certutil -setreg polic;\?ssuercertR:
G<ttp:AAwww=contoso=comACC3*CC7CC1=crt\nG
certutil -setreg polic;\:DAP?ssuercertR:
Gl!ap:AAACN@CC,FCN@A?AFCN@Pu$lic 8e;
%er#icesFCN@%er#icesFCC.HcACertificateH$aseHo$>ectclass@
certificationAut<orit;\nG
certutil -setreg polic;\File?ssuercertR: G\nG
%. $ave the te0t file as FtempFJMy!'4!$P9cmd.
'. Close the te0t editor.
<. At a command promptC type FtempFJMy!'4!$P9cmd to e0ecute the commands
from the te0t file.
4. At a command promptC type net stop certsvc to stop the certificate serverC because
you must restart the computer to apply the change.
5. At a command promptC type net start certsvc to restart the certificate server.
0erify t#e !orporate'oot! !'4 and I !onfiguration
Because the configuration of C-9 and A!A distribution points is very importantC verify your
configuration:
(. Do one of the follo#ing:
80
If your ! is running $o t#is
A member of the "indo#s %&&&
$erver family
At a command promptC type the follo#ing
commandsC pressing /1)/- after each line:
certutil Egetreg
policyJ'evocation!'42'4
certutil Egetreg
policyJ4$P'evocation!'42'4
certutil Egetreg
policyJ-ile'evocation!'42'4
A member of the "indo#s %&&'
$erver family
commandC and press /1)/-:
certutil Egetreg caJ!'4Publication2'4s
%. 3erify that the output is similar to the values you have configured in the previous
section.
'. Do one of the follo#ing:
If your ! is running $o t#is
A member of the "indo#s %&&& $erver
family
commandsC pressing /1)/- after each
line:
certutil Egetreg policyJIssuer!ert2'4
certutil Egetreg
policyJ4$PIssuer!ert2'4
certutil Egetreg policyJ-ileIssuer!ert2'4
A member of the "indo#s %&&' $erver
family
commandsC pressing /1)/- after each
line:
certutil Egetreg
caJ!!ertPublication2'4s
<. 3erify that the output resembles the follo#ing output and contains the proper
organi=ational naming information.
81
CACertPu$licationR:s R29*6:)?*%B @
0: 3:D:\"?NDO"%\s;stem7/\Cert%r#\Cert2nroll\C3*C7C1=crt
C%R:*%2RD2RP(:?%E -- 3
3: /:l!ap:AAACN@C,FCN@A?AFCN@Pu$lic 8e;
%er#icesFCN@%er#icesFC.C33
/: /:<ttp:AAwww=contoso=comApkiAC3*C7C1=crt
!onfigure !'4 Publication Interval By 2sing t#e 2ser
Interface
After the C-9 distribution point is setC you must configure the C-9 publication interval. )o
configure the publication scheduleC use the follo#ing procedure.
(. Click StartC point to ProgramsC point to dministrative "oolsC and then click
)his opens the Certification Authority MMC $nap;in.
%. !n the console treeC right;click 'evo7ed !ertificatesC and then click Properties.
'. !n C-9 publication intervalC type a number for the C-9 publication interval according
to your C$.
2or planning informationC see Best practices for C-9 publication in this document.
1ote that publishing by using minute;based intervals is available only through the
registry and is not recommended for most installations.
<. 3erify that the Publis# $elta !'4s check bo0 is not selected.
)he Publis# $elta !'4s setting is not available on computers running a "indo#s
%&&& CA.
!onfigure !'4 Publication -rom a Batc# -ile
Eou can configure the C-9 publication schedule information in the registry by using the
!ertutil9e*e utility. )o configure the C-9 publication schedule information by using
!ertutil9e*eC use the steps in this section. 1ote that these steps #ork on a "indo#s
%&&& CA.
(. $tart a te0t editorC such as 1otepadC and then copy the follo#ing te0t into a te0t file:
certutil -setreg CA\CR:Perio!nits 3-0
certutil -setreg CA\CR:Perio! GDa;sG
net stop certs#c I net start certs#c
82
%. $ave the te0t file as FtempFJMy!'4Period9cmdC and then close the te0t editor.
'. At a command promptC type FtempFJ My!'4Period9cmdC and then press /1)/-.
!nsteadC use these steps on a "indo#s $erver %&&' CA.
(. $tart a te0t editorC such as 1otepadC and then copy the follo#ing te0t into a te0t file:
certutil -setreg CA\CR:DeltaPerio!nits 0
%. $ave the te0t file as NtempNBMyC-9eriod.cmdC and then close the te0t editor.
'. At a command promptC type NtempNB MyC-9eriod.cmdC and then press /1)/-.
Set t#e 0alidity Period for Issued !ertificates at t#e (ffline
'oot !
)he lifetime of certificates that are issued by a "indo#s stand;alone CA is set to one
year by default. Because these values might not match the organi=ation@s requirementsC
you must set a registry key to adAust this default value.
,ote
)he validity time of the root CA certificate is controlled at the setup and rene#al
of the CA certificate through the value that is specified in the CAolicy.inf file. )he
registry value that is described in this section does not affect the validity time of
the root certificate.
(. $tart a te0t editorC such as 1otepadC and then copy the follo#ing to a te0t file:
certutil -setreg ca\Dali!it;Perio!nits 30
certutil -setreg ca\Dali!it;Perio! GJearsG
%. $ave the te0t file as FtempFJMy0P9cmdC and then close the te0t editor.
'. At a command promptC type FtempFJMy0P9cmd.
2or more information about allo#ing certificate requests to control the certificate validity
timeC see Control certificate validity time by certificate request in this document.
2or more information about ho# to change the e0piration date of certificates that are
issued by a "indo#s %&&& CAC see >." ).: Change the /0piration Date of Certificates
!ssued by a "indo#s %&&& Certification Authority in the Microsoft Kno#ledge Base.
83
'epublis# t#e !orporate'oot! !'4
After the C-9 distribution point e0tensions are updated on the CAC ne# C-9s must be
published to ensure that all of the clients #ill be able to gain access to the most current
revocation list information. )he publishing can be done through the MMC or by using
!ertutil9e*e at a command prompt #ith the same results.
'epublis# t#e !'4 by 2sing t#e MM!
6se the steps in this section on either a "indo#s $erver %&&' CA or a "indo#s %&&& CA
to republish the C-9. !t is important to republish the C-9 because adapted configuration
parameters such as D$ConfigD1 are included as attributes in the C-9. AlsoC C-9
properties affect the publication of the C-9.
(. 9og onto the CA server #ith CA Manager permissions.
%. .pen the Certification Authority MMC. )o do thisC click StartC point to ll ProgramsC
point to dministrative "oolsC and then click !ertification ut#ority.
'. -ight;click 'evo7ed !ertificatesC point to ll "as7sC and then click Publis#.
A ne# base C-9 is published. A delta C-9 is published only if you have also set the
C-9 delta publication schedule.
<. "hen you are prompted to confirm the type of C-9 that should be published #ith this
requestC click ,ew !'4.
Because only base C-9s are published by the offline root CAC only the ,ew !'4
option is available.
'epublis# t#e !'4 from a !ommand Prompt
)o publish the C-9C at a command promptC type certutil 1!'4C and then press /1)/-.
"hen you do thisC the C-9 is published to the location that you configured.
0erify t#e Publis#ed !'4
)here are t#o attributes that you should verify after the C-9 is published: the publication
time and the Publis#ed !'4 locations attribute. "hen you verify the publication time for
the C-9C you are also verifying #hether the correct C-9 publication is set on the
configured schedule. Eou also need to verify that the $S!onfig$, registry value is set
correctly and that the $S!onfig$, registry value is in the C-9.
84
$etermine t#e ,ame of t#e Most !urrent !'4
(. At a command promptC type certutil EdynamicfilelistC and note that the C-9 path
name that is displayed.
%. At a command promptC type certutilC and use the C-9 path and file name from the
previous step as the command;line parameter. 2or e0ampleC you can type the
follo#ing:
certutil FsystemrootFJSystem32J!ertSrvJ!ert)nrollJ"orporateRoot",.crl
#here "orporateRoot",.crl is the file name of the current C-9.
'. 3erify that the )ffective date attribute has the same time as the e0pected C-9
publishing time.
<. 3erify that the Publis#ed !'4 4ocations attribute does not have a
DCL6navailableConfigD1 namespace.
)he Publis#ed !'4 4ocations attribute is used to verify the original location of the
C-9s publication. !f the namespace is set to 2navailable!onfig$,C clients #ill
report an error because the C-9s original distribution point cannot be verified.
Pu$lis<e! CR: :ocations
K3L:ocations
Distri$ution Point Name:
Full Name:
R:@l!ap:AAACN@CorporateRootCAFCN@concorp-ca-
00FCN@CDPFCN@Pu$licC/08e;C/0%er#icesFCN@%er#icesFDC@na#aila$le
ConfigDNHcertificateRe#ocation:istH$aseHo$>ectClass@cR:Distri$utionPoint
!f the output has a $!B2navailable!onfig$,C to resolve this behaviorC see Map the
namespace of Active Directory or -epublish the Corporate-ootCA C-9C earlier in this
document.
A C-9 that is correctly configured should have the follo#ing output:
Pu$lis<e! CR: :ocations
K3L:ocations
Distri$ution Point Name:
Full Name:
R:@l!ap:AAACN@CorporateRootCAFCN@concorp-ca-00FCN@CDPFCN
@Pu$licC/08e;C/0%er#icesFCN@%er#icesFCN@ConfigurationFDC@concorpF
DC@contosoFDC@c
omHcertificateRe#ocation:istH$aseHo$>ectClass@cR:Distri$utionPoint
85
!aution
3erify that the italici=ed te0t is the same as the value that is specified in
$S!onfig$, registry values. Eou should also verify that obAect!lass
component of the 9DA path is correctly defined.
-inali=e t#e ! !onfiguration
!f you use the steps in the previous sectionsC the CA is operational and ready to issue
certificates.
!f you install a "indo#s %&&& CA instead of a "indo#s $erver %&&' CAC it is
recommended that you also apply the additional configuration steps that are e0plained in
Disable issuer name and issuer serial numberC later in this document.
Stand1alone (ffline Intermediate !
%Intermediate!.&
)he stand;alone offline intermediate CA is also described as !ntermediateCA( in this
document.
An offline stand;alone intermediate CA is part of a three;tier topology and is primarily
used to add another layer of fle0ibility in an organi=ation. )he !ntermediateCA( is
required to issue certificates to enterprise CAs that enroll authentication certificates only
according to the C$.
!f you plan to implement a t#o;tier topologyC skip this section and go to D.nline /nterprise
!ssuing CAs *Corporate/nt(CA+CD later in this paper.
Installation Prere+uisites
)o correctly install and configure the offline stand;alone intermediate CAC you #ill need
the follo#ing:
)he C$ that has all of the parameters that are specific to your organi=ation. 2or
more informationC see DCertificate practice statementCD earlier in this paper.
)he "indo#s $erver %&&' $erver installation media
Appropriate hard#are #ith a floppy disk drive
)#o floppy disksC one labeled "ransfer1'oot! and the second labeled "ransfer1
Intermediate!.
86
)he !ntermediateCA( must be a #orkgroup member because it is not connected #ith the
net#ork and has no connectivity to a domain controller. !t is also important to ensure that
the computer name of this server is unique in the organi=ation@s net#orkC because the
computer name is part of the CA configuration information that is published in Active
Directory *2or more informationC see D!mport arent CA Certificates and C-9s into Active
DirectoryD later in this document.+ )o ensure that the computer is a #orkgroup memberC
log on to the computer that becomes the offline intermediate CA and type the follo#ing at
a command promptC and then press /1)/-:
net config wor7station
!f necessaryC change the domain membership to a #orkgroup membership.
Install an 8SM on Intermediate!.
Before the CA setup procedure startsC verify that the >ard#are $ecurity Module *>$M+ is
set up correctlyC according to the manufacturer@s installation guide. 2or more informationC
see D!nstalling an >$M on an offline root CAD in this document.
Prepare t#e !Policy9inf -ile for
Intermediate!.
Eou must provide a CAolicy.inf file before the CA setup procedure. )he most important
aspect of the capolicy.inf procedure is to allo# all issuance policies at the intermediate
level. A root CA al#ays issues a $ubCA certificate #ith all issuance policies allo#ed. At
the intermediate CA levelC this attribute must be set e0plicitlyC other#ise it #ould allo# all
application policies but no issuing policies. An issuing CA cannot define any issuing policy
if the CA certificate does not permit issuing of certificates. 2or more informationC see
Chapter <.%.(.4C DCertificate oliciesD at the !nternet 2A: Archives "eb site.
A stand;alone CA cannot define policies by certificate templatesC because this is a feature
of customi=able 3% templates. A stand;alone CA does not benefit from 3% templates to
issue certificates. )he CAolicy.inf file defines the policy that applies to all certificates that
are issued by the intermediate CA.
Compared #ith the Corporate-ootCA configurationC the CAolicy.inf file does not need
predefined C-9 and A!A e0tensions because these configuration attributes are inherited
from the parent CA #hich issues the subordinate CA certificate. -ememberC that there
are prerequisites that a CAolicy.inf file gets processed properly.
erform the follo#ing steps:
(. 9og on to the !ntermediateCA( computer #ith administrative privileges.
87
%. 6se a te0t editorC such as 1otepadC to prepare the CAolicy.inf file. 2or a templateC
use the sample file that is in D$ample CAolicy.inf file for the !ntermediateCA( later in
this paper.
'. $ave the file to FsystemrootFJ!Policy9inf
(btain t#e !ertificate and Its !'4 from
!orporate'oot!
Before you can set up the !ntermediateCA( computerC you must install the root CA
certificate and the most current C-9 that Corporate-ootCA providesC because
!ntermediateCA( verifies the root certificate trust during installation.
Eou may need to manually obtain the parent CAs certificate once. After the parent CA has
been rene#edC a ne# CA certificate must be imported into the !ntermediateCA(
certificate store again. Because the root CA and the intermediate CA are not normally
connected to the net#ork and are offlineC you cannot make the root CA certificate
available via the net#ork to the intermediate CA.
Compared to the CA certificate that can have a long validity timeC such as several yearsC
the importing method that you use for the offline parent CA C-9 must be performed at
regular intervals that correspond to the C-9 publication interval. *2or more informationC
see DConfigure C-9 publication interval by using the user interfaceCD earlier in this paper.+
Eou have to import the offline parent CA C-9 regularly because an offline CA cannot
retrieve C-9s automatically through the net#ork. Eou must install a copy of the latest
C-9 in the local certificate store of an offline CA.
)he C-9 and the CA certificate are transferred to the subordinate CA computer on a
floppy disk in the follo#ing configuration steps. )he certificate and the C-9 are available
in a file format on the computer that is running as Corporate-ootCA.
)o retrieve the CA certificate and C-9:
(. 9og on to the computer that is running the Corporate-ootCA as a user.
%. At a command promptC type the follo#ing command to copy the current certificate to
the )ransfer;-ootCA floppy disk:
certutil Eca9cert a>Jconcorp1ca100K"orporateRoot",9crtc L nul
,ote
!f the CA has already been rene#edC there might be more than one CA
certificate available. !n that caseC use the copy command to transfer all CA
certificates from the file system to the floppy disk. )o do thisC at a command
88
promptC type the follo#ing and press /1)/-. copy Fsystemroot
FJsystem32JcertsrvJcertenrollJM9crt a>J9
'. )o copy the C-9 to a floppy diskC at a command promptC type:
certutil 1@et!'4 a>J"orporateRoot",9crl
<. -emove the "ransfer1'oot! floppy disk from the driveC and then insert the floppy
disk into the subordinate CA computer.
,ote
!f the certificate #as already rene#edC there may be more than one C-9C so
it is safest to copy all of the available C-9s from the
0!stemrootB$ystem'%BCert$rvBCert/nroll folder to the disk. >o#everC during
initial setup of the root CAC there should be only one C-9 in the directory. !f
a .crl file has a R sign at the end of its nameC the Publis# $elta !'4s option
has not been s#itched offC as e0plained in an earlier configuration step.
Eou can also e0port a certificate through the Certification Authority MMC snap;in. 2or
more information about ho# to do thisC see D/0port the offline intermediate certificate at
the root CAD in this document.
Import t#e 'oot ! !ertificate and !'4 to t#e
Intermediate !
)he root CA certificate is required during the installation of the intermediate CA. !t must
be installed in the intermediate CAs certificate store before the intermediate CA is set up.
6se the Certutil.e0e command to import CA certificates into the certificate storeC as
described later in this section. "hen you do thisC the certificates and C-9s are imported
in the correct location.
!f the "orporateRoot", certificate has been rene#edC it is important that you import the
entire set of CA certificates and C-9s. A set can be identified by the version numberC
because the CA certificate and C-9 have the same version number.
)*ample
!f "orporateRoot", is running #ith a certificate that #as generated during installationC
then the follo#ing files must be imported into the intermediate CA.
"able .< -iles to Import Wit# a ,ew !ertificate
89
-ile name $escription
Concorp;ca;&&ICorporate-ootCA.crt CA certificate
"orporateRoot",.crl C-9
As mentioned earlierC you must import the CA certificate and C-9 from the
"orporateRoot", after the -oot CA certificate #as rene#ed. !n the e0ample belo#C note
that "indo#s adds an incremental value to the filename if there is more than one CA
certificate and C-9. 2or e0ampleC if the "orporateRoot", has been rene#ed t#iceC you
must import the follo#ing list of files into !ntermediateCA(.
"able .? -iles to Import Wit# a Previously12sed !ertificate
-ile name $escription
Concorp;ca;&&ICorporate-ootCA*%+.crt CA certificate
Corporate-ootCA*%+.crl C-9
Import t#e 'oot ! !ertificate and !'4 to an
Intermediate ! 2sing t#e MM!
)his section describes ho# you can import a certificate import by using the Certificates
MMC. )he follo#ing steps about ho# to import the root CA and C-9 to an intermediate
CA by using the MMC snap;in are primarily for illustration purposes.
!t is easier to import the CA certificates at a command prompt. )he procedure for this is
given later in this section.
(. )o use the Certificates MMC to import a certificate and C-9C first verify that the CA
certificate uses both the correct conte0t and container. 9og on to the
!ntermediateCA( computer as a local administrator. 9ocal admin permissions are
required to import certificates or C-9s into the local systems certificate store.
%. Click StartC click 'unC type mmc9e*eC and then press /1)/-.
'. Add the Certificates MMC snap;in:
a. .n the -ile menuC click ddC'emove Snap1inC and then click dd.
b. Click !ertificatesC and then click dd.
c. Click !omputer accountC and then click ,e*t.
90
d. Click 4ocal computerC and then click -inis#.
,ote
Because there are different certificate stores on a computerC you must
select the correct certificate store. )he computer account is required
because the CA runs as part of the local system security conte0t.
Because of thisC the CA can gain access to all of the information that is
stored in the local computer@s certificate store. .nly security principals
#ho have administrative permissions on the computer can #rite
certificates to the $ystem certificate store. 2or detailed description about
certificate storesC see the $ecurity chapter of the "indo#s %&&&
-esource Kit on the Microsoft "eb site.
e. Click !loseC and then click (K.
<. !mport the certificate. )o do this:
a. Click !ertificatesC and thenC on the 0iew menuC click (ptions.
b. $elect the P#ysical certificate stores check bo0.
c. !n the console treeC double;click !ertificates %4ocal !omputer&C double;click
"rusted 'oot !ertification ut#oritiesC and then double;click 'egistry.
d. -ight;click !ertificatesC point to ll "as7sC click ImportC and then click ,e*t.
e. !nsert the "ransfer1'oot! floppy disk into the floppy disk driveC and then click
Browse.
f. 1avigate to the certificate fileC and then click (pen.
g. Decide the location #here you #ant the certificate storedC click Place all
certificates in t#e following storeC and then click ,e*t.
1ote that your current certificate container is the predefined value because the
import procedure has been started from there.
h. After you vie# the report about #hich options you selected in the import #i=ardC
click -inis# to import the certificate.
i. After you click -inis#C you receive a message that confirms the status of
operations. AlsoC the certificate appears in the list of certificates.
4. !mport the C-9. )o do this:
a. Double;click !ertificates %4ocal !omputer&C and then double;click "rusted
'oot !ertification ut#orities.
b. -ight;click 'egistryC point to ll "as7sC click ImportC and then click ,e*t.
91
c. !nsert the "ransfer1'oot! floppy disk into the floppy disk driveC and then click
Browse.
d. Bro#se to your floppy disk driveC click the C-9 fileC and then click (pen.
e. Click Place all certificates in t#e following store to decide in w#ic# location
t#e certificate s#ould be storedC and then click ,e*t.
)he registry node that is under !ntermediate Certification Authorities is the
predefined value because the import procedure has started as an action on the
!ntermediate Certification Authorities container.
f. After you revie# the report that displays the options that you have selectedC click
2inish to import the certificate.
After you complete this procedureC the CA certificate and the C-9 are installed in the
local computers certificate store.
,ote
Eou must repeat the steps in this section to import more C-9s and certificates.
Eou must do this if the Corporate-ootCA certificate has been rene#ed or a ne#
version of the C-9 has been published.
-ind a !ertificate in t#e !ertificate Store
!f you imported the certificate into the incorrect certificate storeC you may #ant to use the
2ind Certificates option.
Eou can also use the -ind !ertificates option to identify duplicate certificates that e0ist in
several certificate stores. !f you correctly set up the certificateC the certificate is kept only
one time. !f the same certificate appears several timesC remove the duplicate certificates
and verify that the certificate is stored in the correct container. !t is important to kno#
#hich certificate belongs in #hich certificate store. 2or information about ho# to verify CA
certificatesC see the D-elationship of the Configuration Container and Certificate $toreD
section in this document. 2or more information regarding root certificatesC see the articles
D)rusted -oot Certificates )hat Are -equired By "indo#s %&&&D on the Microsoft "eb
site and D>o# to -emove a -oot Certificate from the )rusted -oot $toreD on the
Microsoft Kno#ledge Base.
)o find a certificate in the certificate store:
(. Click StartC click 'unC type mmc9e*eC and then press /1)/-.
%. -ight;click !ertificatesC and then click -ind !ertificates.
'. Choose your search criteriaC and then click -ind ,ow.
92
!f your search is successfulC you #ill see a list of certificates and the certificate@s
corresponding store that match your search criteria.
Import t#e 'oot ! !ertificate and !'4 into
an Intermediate ! from a Batc# -ile
)o import both the root CA certificate and the C-9 from a batch file:
(. 9og on to the !ntermediateCA( computer as a local administrator because local
administrative permissions are required to import certificates or C-9s into the local
computer@s certificate store.
%. Click StartC click 'unC in the (pen bo0C type cmd9e*eC and then press /1)/-.
'. !nsert the floppy disk labeled "ransfer1'oot! into the floppy disk drive on the
intermediate CA computer.
<. At a command promptC type the follo#ing t#o commandsC and then press /1)/-.
for F! in %5lopp!-rie>JM9crt& do certutil Eaddstore Ef 'oot F!
for F! in %5lopp!-rie>JM9crl& do certutil Eaddstore Ef 'oot F!
#here 5lopp!-rie is the drive letter of the floppy disk drive.
)his #ill install all certificates and the latest C-9 to the appropriate CryptoA! store.
*1ote that the loop around the certutil command simplifies the import procedure because
there may be more than one certificate or C-9 on the floppy disk that needs to be
imported.+ )he optional Ef parameter forces an over#rite of the certificate if the certificate
has been previously added to the store.
.nly valid certificates are imported to the certificate store.
,ote
Because it might be difficult to determine #hich CA certificate or C-9 version is
requiredC it is recommended thatC if several C-9s e0istC you import all C-9s from
the root CA. 2or more information about the CA certificate and C-9 storageC see
-elationship of the configuration container and certificate store in this #hite
paper.
93
0erify t#e 'oot ! !ertificate Import
Procedure -rom a !ommand Prompt
After both the root CA certificate and C-9 are importedC you can use the !ertutil9e*e
utility to confirm that the import procedure #as successful. !t is important to insure that
the certificates have been put into the right certificate stores.
)o see a list of certificates that are stored in the root CA certificate storeC type the
follo#ing command at a command prompt:
certutil Everifystore root
)he version number is sho#n as part of the output te0t that #ill appear. Confirm that the
version number of the CA certificate and the C-9 match.
Install t#e (ffline Intermediate ! Software
!omponents
)he installation procedure that you use for a subordinate CA is different from the
installation procedure that you use for a root CA. 6se the follo#ing steps to set up
!ntermediateCA(:
(. 9og onto !ntermediateCA( as a local administrator.
During the CA installation procedureC this account becomes a CA administratorC #hich
is a role that can also be delegated to other user accounts. 2or more information
about CA roles and permissionC see "indo#s $erver %&&' $erver >elp.
%. )o open the "indo#s Components "i=ardC do one of the follo#ing:
94
"o $o t#is
6se a command prompt (. Click StartC click 'unC and in .penC
type cmdC and then click (K.
%. At the command promptC type
sysocmgr Ci>sysoc9infC and then
press /1)/-.
6se Control anel (. Click StartC point to SettingsC point to
!ontrol PanelC and then click dd or
'emove Programs.
%. !n dd or 'emove ProgramsC click
ddC'emove Windows
!omponents.
'. $elect the !ertificate Services check bo0C and then click ,e*t.
)o correctly run Certificate $ervicesC the follo#ing list of soft#are components is
required. "eb enrollment and !!$ are optional components on an offline "indo#s
$erver %&&' CA that could be installed #ith the CA at the same time or at a later
date.
,ote
As described in D!nstalling the offline root CA soft#are componentsD in this
documentC !!$ is not required on an offline CA. >o#everC you can have !!$ on
the computer in order to enroll certificates through "eb enrollment support.
!!$ is not recommended as a security best practiceC but is sho#n in this
document only as an e0ample for the procedures.
Certificate $ervices CA
Certificate $ervices "eb enrollment support
!nternet /0plorer
Application $erver
/nable net#ork C.MR access
!nternet !nformation $ervices *!!$+
Common 2iles
!nternet !nformation $ervices Manager
95
"orld "ide "eb services
Active $erver ages
"orld "ide "eb services
A "indo#s %&&& offline CA requires !!$ in order to satisfy offline requests. A "indo#s
$erver %&&' CA is also able to process offline certificate requests as a function of the
Certification Authority MMC. AlternativelyC you can submit offline requests from a
command prompt by using !ertre+9e*e.
<. "hen you are prompted to choose the type of installation procedureC click Stand1
alone subordinate !C select the 2se custom setting to generate t#e 7ey pair
and ! certificates check bo0C and then click ,e*t.
)he )nterprise 'oot ! and )nterprise Subordinate ! options are not available
because the computer is not a member of an Active Directory domain.
!f you installed an >$MC in !SPC you must select the C$ that you installed
during the >$M installation procedure in !SP.
!f you did not install an >$MC in !SPC click Microsoft Strong !ryptograp#ic
Provider.
5. !n 8as# algorit#mC click S81..
)he default settingC $>A;(C is the most common and interoperable hash algorithm
that is used by applications and operating systems. 2or more information about C$
support on computers that are running "indo#s %&&&C see DMicrosoft /nhanced C$
!s 1ot $upported for Certificate $ervices !nstallationsD on the Microsoft Kno#ledge
Base.
7. !n Key lengt#C select 203<.
)here is no verification of the key length that you type into the bo0. Because of thisC
verify that the key length is interoperable #ith organi=ational applications and other
K! components.
8. 3erify that both the llow t#is !SP to interact wit# t#e des7top and 2se an
e*isting 7ey check bo0es are clearedC and then click ,e*t.
,. !n !ommon name for t#is !C type a common name for the CA. 2or this e0ampleC
type Intermediate!..
As it is specified in the C$C you must specify the common name *C1+ for this CA.
)he C1 cannot e0ceed 5< characters in lengthK ho#everC it is recommended that you
use a ma0imum C1 length of 4( characters to prevent encoding length rule violation.
96
(&. *.ptional+ !n $istinguis#ed name suffi*C type the distinguished name suffi0 for the
CAC and then click ,e*t.
!f you type a distinguished name suffi0 in $istinguis#ed name suffi*C confirm that
you have typed the name correctly so that it #orks in the conte0t of the Active
Directory domain name. !n the Contoso scenarioC the distinguished name is
-":concorp,-":contoso,-":com.
((. )he CA certificate@s validity period for a subordinate CA is al#ays determined by the
parent CA. 2or more informationC see D$et the validity period for issued certificates at
the offline root CACD earlier in this document.
(%. !f you have uninstalled a CA on this computer alreadyC you receive a #arning
message that confirms that you #ant to over#rite the private key from the previous
CA installation. !t is recommended that you ensure that the private key is never
required again. !f you make a backup copy of the systemC it is more likely that you #ill
not lose any data. *Eou can also make a backup copy of the private key as an
alternative to a system backup. )o do thisC at a command promptC type certutil E
bac7up7ey 1G+ !f you are not sure if you #ant to over#rite the private keyC click ,o to
cancel the installation procedure. !f you click HesC a ne# key is generated and the
ne# key replaces the e0isting key.
)he key pair is generated by the C$ and #ritten to the local computers key store.
('. .n !ertificate $atabase SettingsC confirm that !ertificate databaseC !ertificate
database logC and S#ared folder are set to the folder that you #ant to use.
(<. *.ptional+ )o install a CA in the same location as a CA that #as installed previouslyC
select the Preserve e*isting certificate database check bo0C and then click ,e*t.
(4. !n S#ared folderC confirm that the specified folder is set to a local pathC such as
C:BCAconfigC and then click ,e*t.
(5. !nsert the )ransfer;!ntermediateCA floppy disk into the disk drive.
(7. .n ! !ertificate 'e+uestC click Save t#e re+uest to a file andC in 'e+uest fileC
type a name for the request file that #ill be saved to the floppy diskC and then click
,e*t.
)he file must have a .req e0tensionC such as a:B!ntermediateCA(.req.
(8. !f you receive a message that !!$ must be stopped to continue the installationC click
Hes.
)he intermediate CA needs to submit the certificate request to its parent offline CA.
Because the Corporate-ootCA computer is running #ithout a net#ork connectionC
you must transfer the requested file on a floppy disk.
97
!aution
3erify that the floppy disk is available before you proceed. !f the storage
device is not accessibleC you receive an error messageC the CA setup
procedure stopsC and you must reinstall the CA. Before you can reinstall the
CAC you must uninstall Certificate $ervices "eb;/nrollment $upport if it #as
supposed to be installed.
(,. )he "indo#s Component "i=ard completes the certificate services configuration.
"hen the CA certificate has obtained a signed subordinate CA certificate from its
parent CAC the #i=ard displays a message #hich says that the installation has
finished. Make sure that the local storage device is available to save the request fileC
and then click (K.
%&. Click Hes to enable A$ pages that are required for "eb enrollment services.
!!$ is installed for illustration purposes as part of this configurationC but Active $erver
ages *A$+ pages are not enabled by default. Because of thisC the CA setup
procedure provides an option to automatically enable the A$ pages.
!f you click ,oC you can enable A$ by typing certutil Evroot at a command prompt
at a later time.
-igure <> )nable ctive Server Pages
%(. After the #i=ard finishes installing filesC click -inis#C and then click !lose.
%%. -emove the "ransfer1Intermediate! floppy disk from the disk driveC and then take
the floppy disk to the parent CA *Corporate-ootCA+.
0erify t#e !ertificate 'e+uest
Before the certificate request is submitted to the parent CAC verify that the policy identifier
that you set in the CA configuration through CAolicy.inf is correct. !f the synta0 of the
CAolicy.inf file is incorrectC certain configuration information may be missing from the
request file. )o verify that all configuration information is properly included in the
98
certificate requestC vie# and e0amine the request file. )o verify the request fileC at a
command promptC type certutilRe;uest5ileC #here Re;uest5ile is the request file that
you save to the floppy diskC including the correct pathC and then press /1)/-.
)he command produces output that is similar to the follo#ing output. 3erify that the
Certificate olicies section is correct as #ell as all of the other information that is
specified in the CAolicy.inf file.
!f the Certificate olicies section does not appear in your certificate requestC see repare
the CAolicy.inf file for !ntermediateCA(C in this documentC correct the synta0 in the
CAolicy.inf fileC and then repeat the subordinate CA installation procedure.
Attri$uteK/L: 3=/=-10=337014=3=4=31 &Certificate 2Mtensions'
DalueK/LK0L:
nknown Attri$ute t;pe
Certificate 2Mtensions: .
3=7=.=3=1=3=733=/3=3: Flags @ 0F :engt< @ 7
CA Dersion
D0=0
/=0=/4=31: Flags @ 0F :engt< @ 3.
%u$>ect 8e; ?!entifier
-1 $4 $f 7, a, 4$ 0! ,0 /- ./ 00 /, $f ,/ !a !0 .. a0 ,4 e-
/=0=/4=7/: Flags @ 0F :engt< @ 374
Certificate Policies
K3LCertificate Polic;:
Polic; ?!entifier@3=7=.=3=1=3=733=/3=17
K3F3LPolic; Nualifier ?nfo:
Polic; Nualifier ?!@ser Notice
Nualifier:
Notice )eMt@:egal polic; statement teMt=
K/LCertificate Polic;:
Polic; ?!entifier@3=7=.=3=1=3=733=/3=1,
K/F3LPolic; Nualifier ?nfo:
Polic; Nualifier ?!@CP%
Nualifier:
<ttp:AAwww=contoso=comApkiA:imite!sePolic;=<tm
K/F/LPolic; Nualifier ?nfo:
Polic; Nualifier ?!@CP%
Nualifier:
ftp:AAftp=contoso=comApkiA:imite!sePolic;=tMt
K/F7LPolic; Nualifier ?nfo:
Polic; Nualifier ?!@ser Notice
Nualifier:
Notice )eMt@:imite! use polic; statement teMt=
99
!ertificate 'e+uest Processing wit# t#e 'oot
! t#roug# MM!
)he subordinate CA certificate request that is saved on the "ransfer1Intermediate!
floppy disk must be signed by the parent *Corporate-ootCA+.
Eou can submit a request to an offline CA by using either the Certification Authority MMC
or the "eb /nrollment page that is on the parent "indo#s $erver %&&' CA. Eou can also
submit the request by typing certre+9e*e Esubmit at a command prompt. All methods
allo# you to submit a certificate request that you have saved to a request file *M.req+. )his
section #ill present the first methodC using the Certification Authority MMC. 2or more
information about using the "eb /nrollment pageC see DCertificate request processing
#ith the offline parent CA *!ntermediateCA(+ through "eb;/nrollment $upportCD later in
this document.
!aution
!f a previous CA setup procedure did not #ork and you repeat the setup
procedureC do not reuse the request file from the earlier CA setup procedure. !t
has an association #ith previous key material that #ill not be associated #ith the
current CA that you are installing.
!f a CA is set upC the key material is generated and the certificate request is submitted to
the parent CA. )he relationship bet#een key material and certificate is maintained by the
KI certificate attribute. )o ensure that the association of the CA key pair and certificate
request matchesC a unique request file must be used #hen a CA is set up.
(. 9og on to the Corporate-ootCA computer as a CA administrator.
Click StartC point to ll ProgramsC point to dministrative "oolsC and then click
%. Eou can also click StartC click 'unC type certsrv9mscC and then press /1)/-.
'. !n the console treeC right;click the certification authority you are #orking #ithC point to
ll "as7sC and then click Submit new re+uest.
<. !nsert the )ransfer;!ntermediateCA floppy disk into the Corporate-ootCA computer@s
floppy disk driveC bro#se to the disk driveC click the certificate request fileC and then
click (pen.
4. A stand;alone CA typically issues certificates only after a manual issuing process.
*Eou can change the request handling on the olicy Module tab of the CA@s
roperties.+ !n the default configurationC you must manually issue the certificate
request by the parent CA:
100
a. !n the Certification Authority MMC console treeC under the name of the CA you
are #orking #ithC double;click the Pending 'e+uests container.
b. !n the details paneC right;click the appropriate pending certificate request that
corresponds to the submitted subordinate CA requestC point to ll tas7sC point to
0iew ttributesC and then click )*tensions.
c. Click !ertificate PoliciesC and then verify that the information is correct.
!f the certificate policy information that is defined in the !ntermediate CA@s
CAolicy.inf file does not appear hereC deny the request and return to Drepare
the CAolicy.inf file for !ntermediateCA(CD earlier in this document.
d. !n the console treeC click Pending 'e+uestsC andC in the details paneC right;click
the pending requestC point to ll "as7sC and then click Issue.
)he request is processed and the certificate request is removed from the list.
By defaultC a stand;alone "indo#s %&&& or "indo#s $erver %&&' CA issues
certificates #ith only a t#o;year lifetime. Because the registry key that has an
impact on the validity time of the certificate #as previously setC the certificate
enrollment continues #ith the value that you specified. 2or more informationC see
D$et the validity period for issued certificates at the offline root CAD in this
document.
e. !n the console treeC click e0pand the Issued !ertificates container andC in the
details paneC right;click the certificateC and then click (pen to verify the certificate
as described in the ne0t step.
0erify t#e Intermediate!. !ertificate
)o ensure that the certificate that #as issued for !ntermediateCA( has the correct
certificate propertiesC verify the issued certificate:
(. Because a CA policy is specified for !ntermediateCA(C the issued certificate #ill allo#
all issuer and all application policies. .n the @eneral tabC click Issuer Statement
and verify that the certificate is valid for the follo#ing purposes:
All issuance policies
All application policies.
%. Click !lose to return to the certificate vie#er.
'. Click the $etails tabC and then verify that the !'4 $istribution Points and
ut#ority Information ccess values are the same as the distribution points that
are specified . 3erify other certificate attributesC as required. !f values do not matchC
101
see DConfigure Corporate-ootCA distribution points for C-9 and A!ACD earlier in this
documentC to help you correct the configuration.
,ote
Eou can also verify the certificate after it has been e0ported to a file. )o vie# the
certificate information from a KC$ S7C .derC or Base5<;encoded certificate fileC
at a command promptC type the "ert5ile name and hit /1)/-. -eplace ,"ert5ile
#ith the location and file name of the certificate file.
)*port t#e (ffline Intermediate !ertificate at
t#e 'oot !
!f the certificate that #as issued for the intermediate CA passes the verification stepsC
e0port the certificate from the root CA.
,ote
Because the Certificate /0port "i=ard can include the complete certificate path
#ith the e0ported fileC you should use this method instead of the binary e0port
method #hich only e0ports a single certificate.
(. .pen the Certification Authority MMC.
%. !n the console treeC under the CA that you #ant to #ork #ithC click Issued
!ertificates.
'. !n the details paneC double;click the subordinate CA certificate you #ant to #ork #ithC
click the $etails tabC click !opy to fileC and then click ,e*t.
<. Click Cryptographic Message $ynta0 $tandard G KC$S7 Certificates *.7B+C select
the !nclude all certificates in the certification path if possible check bo0C and then click
1e0t.
4. )ype a file name #ithout an e0tension for the e0port fileC and then save the file on the
"ransfer1Intermediate! floppy disk.
2or e0ampleC you could type >JIntermediate!.. )he file is automatically saved on
the floppy disk #ith a .p7b file name e0tension.
5. Click ,e*tC click -inis#C click (KC and then click (K again.
)he certificate contains only public informationC because the key material that is
associated #ith the certificate #as generated and is stored on the !ntermediateCA(
computer. )here is generally no need to protect the certificate information that is
102
stored on the floppy disk. )he CA certificate and the parent CA certificates are al#ays
considered to be public information.
7. !n the console treeC click Issued !ertificates.
8. -ight;click the issued certificate in the details paneC point to ll "as7sC and then click
)*port Binary $ata.
!n !olumns t#at contain binary dataC Binary !ertificate is the default choice.
,. Click Save binary data to a fileC and then click (K.
(&. !nsert the "ransfer1Intermediate! floppy disk into the driveC in -ile nameC enter a
file name #ith a .cer e0tensionC and then click Save.
2or e0ampleC you could type >JIntermediate!.9cer. )he certificate is then saved
in the D/-;encoded file format.
((. .n the -ile menuC click )*itC and then log off of the Corporate-ootCA computer.
Install t#e !ertificate on Intermediate!.
Eou have no# processed the request that #as sent to the root CA and saved it on the
"ransfer1Intermediate! floppy disk. Eou must no# install the signed subordinate CA
certificate that belongs to !ntermediateCA(. Eou can install the CA certificate either by
running a command at a command prompt or by using the Certification Authority MMC.
)he subordinate CA certificate request #ill only be accepted by the parent CA if it carries
the requesting CAs signature on the request.
0erify t#e Intermediate!. !ertificate "rust
!#ain
)o prevent une0plained or unintentional behaviorsC verify the certificate trust chain. Eou
must complete the trust chain verification procedure from a command prompt because
the trust path that is displayed in the Certification Authority MMC $nap;in uses a different
implementation for chain;building.
(. 9og on to the !ntermediateCA( computer as a local administrator
%. At a command promptC type
certutil Everifya<=","ert5ile9crt
#here a:B","ert5ile is the path and name of the file.
'. ress /1)/- to vie# the full certificate verification results.
103
)his command may generate a lot of output. "hen dw)rrorStatus is not equal to =eroC a
certificate verification error has occurredC so you should verify that dw)rrorStatus is
equal to =ero *&+ on each line that is produced.
Eou can also use the follo#ing command
certutil Everifya<=","ert5ile9crt N findstr Cc>dw)rrorStatus
#here a:B","ert5ile is the path and name of the file.
.utput that has completed the CA certificate verification #ithout errors looks like the
follo#ing sample output:
CertConteMtK0LK0L: !w?nfo%tatus@30/ !w2rror%tatus@0
CertConteMtK0LK3L: !w?nfo%tatus@30c !w2rror%tatus@0
)he certificate verification process retrieves any C-9 that is necessary to verify the
certificates. After the verification processC cached copies of the C-9s are available in the
temporary !nternet /0plorer folder on the client.
Install t#e !ertificate on Intermediate!.
After you have verified that the certificate trust chain can be properly builtC install the CA
certificate.
(. 9og on to the !ntermediateCA( computer as either a CA administrator or local
administrator.
%. Click StartC point to dministrative "oolsC and then click !ertification ut#ority to
start the Certification Authority MMC $nap;in.
'. !n the console treeC right;click Intermediate!.C point to ll "as7sC and then click
Install ! !ertificate.
<. !nsert the "ransfer1Intermediate! floppy disk into the floppy disk drive.
4. Bro#se to the floppy driveC click Intermediate!.9p;bC and then click (pen.
5. *.ptional+ !f the parent CA certificate has not been previously trustedC you may
receive a message that says that the root certificate is not trusted. Click (KC and then
install the root CA certificate to the trusted root CA certificate store on the local
computer.
)he root CA of the certificate chain must be locally trusted so that the CA service can
start. 2or more informationC see D!mport the root CA certificate and C-9 to the
intermediate CACD earlier in this document.
104
7. !n the console treeC right;click the name of the stand;alone offline intermediate CAC
point to ll "as7sC and then click Start Service.
)his brings the stand;alone offline intermediate CA into an operational state by
starting the CA service. Eou can also type net start certsvc at a command prompt.
1ote thatC after the CA has been started successfullyC the icon that displays the CAs
operational state turns into a green check mark.
8. .n the -ile menuC click )*it to close the Certification Authority MMC.
,. 9og off of the !ntermediateCA( computer.
Continue the installation procedure by follo#ing the steps in the !nstallation cleanup
section in this document.
Install t#e !ertificate at Intermediate!.
)o install the certificate at a command prompt:
(. 9og on to the computer as a local administrator #ith CA Management permissions.
%. At a command promptC type
certutil9e*e Einstallcert >JIntermediate!.9p;b
,ote
!f you used a .cer file instead of a p7b file and you receive a #arning
message at the end of the output such as DA certificate chain #as processedC
but terminated in a root certificate #hich is not trusted by the trust provider.
&08&&b&(&, *;%(<575%<87+CD it is possible that the parent CA certificate has
not been imported into the local computer certificate store or that the parent
CA certificate has been saved to the #rong store. )o correct this errorC see
D!mport the root CA certificate and C-9 into an intermediate CA from a batch
fileCD later in this document. )o resolve this behaviorC you can also use a
KC$S7 file *a .p7b file+ that includes the entire certificate chain instead of a
binary certificate file.
'. )o start the CA serviceC at a command promptC type net start certsvc.
Installation !leanup
2or security reasonsC it is recommended that you delete the certificate request file on the
"ransfer1Intermediate! floppy disk that you used to generate the CA certificate.
105
!onfigure Intermediate!.
After you complete the steps in the previous sections to configure the offline CAC you can
complete the remaining steps for !ntermediateCA( #ith a batch file script. )he difference
bet#een the root CA configuration and the subordinate CA configuration is the validity
period for issued certificates. )o configure the subordinate CA:
(. 9og on to the !ntermediateCA( computer as local or CA administrator.
%. $tart a te0t editorC such as 1otepad.
'. !n this documentC copy the sample te0t in $ample script to configure
!ntermediateCA$ample to a ne# document in the te0t editor.
<. $ave the te0t file as FtempFJsubcacfg9cmd.
4. Close the te0t editor.
5. At a command promptC type FtempFJsubcacfg9cmdC and then press /1)/-.
Include ! Policy in !ertificate 'e+uests
)he option around the CA issuer and application policies is a choice at #hich CA level the
policy is applied. !f you plan to configure a issuer statement at a CAC you must configure
the parent CA to add information about the CA policy to its issued certificates. $ee
D$ample CAolicy.inf file for the !ntermediateCA( later in this paper.
!f this configuration step is skippedC an intermediate CA #ill not accept or allo# CA
certificate policies from its subordinate CAs. !f requiredC you can apply this configuration
step at the time #hen a issuer or application policy needs to be included in a certificate
request from a subordinate CA.
)o include a policy in issued certificatesC enter the follo#ing commands at a command
prompt:
certutil 1v 1setreg policyJ)nable'e+uest)*tensionlist DO29692?932D
certutil Es#udown
net start certsvc
Eou can disable the setting #ith certutil 1v 1setreg policyJ)nable'e+uest)*tensionlist
D129692?932D
certutil Es#udown
net start certsvc
106
0erify t#e Intermediate!. !onfiguration
After you use the steps in the previous sectionsC ensure that the CA is configured
properly and ready for production operations. Eou should apply the verification steps as
described in the follo#ing sections in this document because they apply to the
intermediate CA the same #ay as for a root CA:
3erify the root CA configuration
3erify the Corporate-ootCA C-9 and A!A configuration
3erify the published C-9
-inali=e t#e ! !onfiguration
After you apply the steps from the previous sections in this documentC the intermediate
CA is operational and ready to issue certificates.
!f you installed a "indo#s %&&& CA instead of a "indo#s $erver %&&' CAC you should
apply the additional configuration steps that are e0plained in the Disable issuer name and
issuer serial number section in this document.
Stand1alone (ffline Intermediate !
%!orporateSub2!&
)he sample K! topology design has e0emplified t#o separate offline intermediate stand;
alone CAs that provide organi=ational and security fle0ibility. )he Corporate$ub%CA
setup is similar to the steps that are outlined for !ntermediateCA(. )he only differences
#ill be some of the configuration parametersC depending on the guidelines that are
specified in the organi=ational C$.
)o apply the sample designC install !ntermediateCA% using the identical steps for installing
!ntermediateCA(.
107
(nline )nterprise Issuing !s
%!orporate)nt.!&
)he online enterprise issuing CA is also referred to as DCorporate/nt(CAD in this
document. )he purpose of an enterprise CA is to automate certificate enrollment #ithout
making compromises in the security and authentication of issued certificates.
Depending on the K! topology that you implementC this CA might have at least one
parent CA orC in a single tier topologyC it might be a self;signed CA.
"hen you set up either a "indo#s $erver %&&' $erver enterprise CA or "indo#s %&&&
$erver enterprise CAC it is important to note that domain controllers in an Active Directory
environment automatically request certificates #hen an enterprise CA+ becomes
available in the forest.
)he automatic certificate request behavior is different bet#een computers that are
running "indo#s %&&& or "indo#s $erver %&&' domain controllers. "indo#s %&&&
domain controllers immediately start requesting certificates #hen the enrollment service
is availableK ho#everC a "indo#s $erver %&&' domain controller requests certificates
according to the Autoenrollment configuration in ?roup olicy settings. Computers that
are running "indo#s $erver %&&' domain controllers and computers that are running
"indo#s F request certificatesC according to the configuration of the ?roup olicy
obAect *?.+. Eou must enable the request processing manuallyC by using the
appropriate domain ?roup olicy. 1ote that domain controllers have their o#n ?.
settings #hich are separate from the rest of the computers in the domain. )o add an
automatic request setting for "indo#s %&&& domain controllersC create a ne# request
obAect in the follo#ing ?. path using the follo#ing procedure.
(. Click StartC click 'unC type mmcC and then press /1)/-
%. !n the console treeC double;click the domain controller policy that you #ant to #ork
#ithC double;click !omputer !onfigurationC double;click Windows SettingsC
double;click Security SettingsC double;click Public Key PoliciesC and then click
utomatic !ertificate 'e+uest Settings.
'. !n the details paneC right;click a blank areaC point to ,ewC and then click utomatic
!ertificate 'e+uest.
<. 2ollo# the instructions in the Automatic Certificate -equest $etup "i=ard.
2or more information about configuring auto;enrollment for "indo#s $erver %&&' domain
controllersC see Certificate Autoenrollment in "indo#s F on the Microsoft "eb site.
108
)nterprise ! Installation Prere+uisites
)he follo#ing items are required to correctly install and configure the online enterprise
CA:
)he C$ that has all of the parameters that are specific to your organi=ation. 2or
more informationC see DCertificate practice statementCD earlier in this paper.
)he "indo#s $erver %&&'C /nterprise /dition media
Appropriate hard#are and a floppy disk drive
A floppy disk that is labelled "ransfer1)nterprise!
)he computer must be Aoined to a domain in the appropriate Active Directory forest
9ocal administratorC /nterprise Administrator and -oot Domain Administrator
permissions
2ile and print sharing is enabled on the CA. )his is required to run the certification
authority MMC snap;in on the CA.
!f you are using a "indo#s %&&& Active Directory forestC the domain controllers must
have $ervice ack ' *$'+ applied for computers that are running "indo#s %&&&. !t
is also required to upgrade the schema to "indo#s $erver %&&' functionality as
previously described. 2or more informationC see D>." ).: -aise the Domain
2unctional 9evel in "indo#s $erver %&&'D on the Microsoft "eb site.
Eou should also ensure that the follo#ing tasks have been completed:
A server running "indo#s $erver %&&'C /nterprise /dition should be set up and
available to be used as the enterprise CA.
)he server should have the latest service packs available and installedC if
appropriate.
)he server that is hosting the CA service must be Aoined to a domain in the Active
Directory forest.
!t is possible to install a CA as a multiservice server or as a domain controllerC but this is
not recommended for security reasons. A CA has high security requirements and should
be accessed and maintained only as separate resource.
Prepare t#e ctive $irectory )nvironment
Eou can operate an "indo#s $erver %&&' enterprise CA in a "indo#s %&&& environment
if all domain controllers in the Active Directory are running "indo#s %&&& $' or later.
109
"indo#s %&&& $' domain controllers are the minimum version required to support the
schema upgrade for version % templatesC as described in the previous chapter.
)he schema upgradeC #hich does not cause a full replication in a "indo#s $erver %&&'
domain environmentC is required to add additional template informationC key archival
informationC cross;certificate obAectsC and obAect identifier *also kno#n as .!D+ obAects in
the directory.
!t is assumed that the schema upgrade is part of the organi=ation change and
management process as it can have an overall effect on the production environment.
)o upgrade the schema:
(. 9og on to the schema master domain controller as the $chema Administrator.
2or more information regarding schema administrator rolesC see D>." ).: 2ind
$ervers )hat >old 2le0ible $ingle Master .perations -olesD in the Microsoft
Kno#ledge Base.
%. Make the "indo#s $erver %&&'C /nterprise /ditionC installation media available to
the server andC at a command promptC type the follo#ing commandC and then press
/1)/-.
adprep Cforestprep
)he Adprep.e0e file is available from the Bi'85 directory on the original "indo#s
$erver %&&'C /nterprise /ditionC installation media: After you use this commandC you
receive an output that contains logging information about the schema;upgrade
process. )he output ends #ith the message DAdprep successfully updated the forest;
#ide information.D
)o enable the domain to benefit from the "indo#s $erver %&&' schema e0tensionsC you
must perform the follo#ing procedure on each domain in the forest.
(. 9og on to the domain as Domain Administrator.
%. At a command promptC type:
adprep Cdomainprep
'. -epeat the previous t#o steps for each domain in the forest.
Depending on the replication scheduleC the time required to apply the schema changes at
each domain controller in the forest #ill vary.
$omain Members#ip
An enterprise CA can enroll any user or machine in the forest. )o enable the CA to issue
certificates to users and computers that are members of other domains than the domain
110
#here the CA is installedC see the "indo#s $erver %&&' $erver >elp files or the follo#ing
articles in the Microsoft Kno#ledge Base:
"indo#s %&&& Certification Authority Configuration to ublish Certificates in Active
Directory of )rusted Domain on the Microsoft Kno#ledge Base
/nterprise CA May 1ot ublish Certificates from Child Domain or )rusted Domain on
the Microsoft Kno#ledge Base
!f the organi=ation@s Active Directory consists of several domainsC you should plan #here
to put the enterprise CAs. )here are three different approaches that you can take. 1ote
that you must evaluate these approaches according to the requirements and the Active
Directory design. /nterprise CAs can be:
!nstalled into each production domain.
Maintained in a separate K! domain.
Maintained as members of the forest root domain.
"hen you run enterprise CAs as members of the forest root domainC isolation and logical
grouping is ensured but might not be accepted by the forest root administrator group
because of security considerations. All approaches are validC but must be carefully
considered for your environment.
'etrieve t#e !ertificate and its !'4 from !orporate'oot!
and Intermediate!.
,ote
!f you implement a single;tier topologyC the steps in this section do not apply to
your environment.
Both the certificate and C-9 for all nodes in the K! hierarchy are required during
certificate validation.
Because all parent CAs of an issuing enterprise CA might be disconnected from the
net#ork *as in this sample scenario+C you cannot automatically retrieve the CA certificates
and the latest C-9s through the net#ork #hen required. Because of thisC you must make
the CA certificates and the most current C-9 available from all parent CAs before you
can set up Corporate/nt(CA.
!f the certificate of Corporate-ootCA is not available on the "ransfer1'oot! floppy diskC
perform the steps that are outlined in D.btain the certificate and its C-9 from
Corporate-ootCACD earlier in this document.
111
Eou can retrieve the certificate and C-9 for illustration purposes from !ntermediateCA(
through "eb enrollment support on the CA. !nternet !nformation $ervices is not required
to retrieve the CA certificate and C-9 from the root CA as they may copied from the
NsystemrootNBsystem'%BcertsrvBcert/nrollB path on the local system. )o retrieve the CA
certificate and C-9 through the #eb pagesC perform the follo#ing steps:
(. 9og on to the !ntermediateCA( computer.
!f the CA is accessible from the net#orkC you can use any other computer to
do#nload the CA certificate and the C-9K ho#everC these tasks require an interactive
local logon because the CA is disconnected form the net#ork.
%. Click StartC and then click Internet )*plorer.
'. !n ddressC type #ttp>CClocal#ostCcertsrv.
9ocalhost is an alias name for your current server. )he "elcome page from
!ntermediateCA( "eb enrollment support is displayed.
<. Click $ownload a ! certificate/ certificate c#ain or !'4
4. !nsert the "ransfer1Intermediate! floppy disk into the disk drive.
1e0tC do#nload the CA certificate chain.
5. Click $ownload ! certificate c#ainC and then click Save.
7. !n Save sC type a file name *for e0ampleC type a:B!ntermediateCA(.p7b+C and then
click Save.
1e0tC do#nload the latest base C-9:
8. Click $ownload latest base !'4 and then click Save.
,. !n Save sC type a file name *for e0ampleC type a:B!ntermediateCA(.crl+C and then
click Save.
!f applicable to your environmentC do#nload the latest delta C-9:
(&. !f applicableC click $ownload latest delta !'4C and then click Save.
((. !n Save sC type a file name *for e0ampleC type a:B!ntermediateCA(R.crl+C and then
click Save.
(%. -emove the "ransfer1Intermediate! disk from the disk drive.
112
$istribute a 'oot ! !ertificate wit# @roup Policy
,ote
!f you implement a single;tier topologyC the steps in this section do not apply to
your environmentC because an enterprise CA that is configured as the root CA
automatically publishes certificates to Active Directory.
!f a single tier topology is implementedC the steps in this section do not apply because an
enterprise CA that is configured as the root CA #ould publish its certificate automatically
into Active Directory.
)he validation of certificates requires the availability and e0plicit trust of the root CA
certificate that has issued certificates #ithin the certificate trust path. )he root CA
certificate provides the trust anchor from #hich K! hierarchies are derived.
)he easiest #ay to provide clients #ith the root CA certificate is through group policies.
)rust of root certification authorities should be managed and controlled through ?roup
olicy #henever possible. "hen a root CA certificate has been added to the )rusted
-oot certification authority@s container that is part of the domain security settingsC clients
that are member of the domain #ill receive the root certificate automatically.
!aution
Eou must not publish subordinate *or intermediate+ CA certificates through either
the trusted root certification authorities in ?roup olicy or an enterprise trust. !f a
subordinate CA certificate is part of this list of certificates that is published #ith
?roup oliciesC a "indo#s client #ill not build a certificate chain correctly.
)he security portion of a domain ?roup olicy setting distributes the list of trusted root
certificates to all computers that are Active Directory;a#are and members of a domain.
Because the root certificate becomes part of the computer policyC all domain;users inherit
the root certificate trust from the computers to #hich they logon.
,ote
!t is recommended that you make a copy of the default domain policy and use a
ne# policy specific to K! to administer K! policy in the domain. Modification of
any of the default values requires more in;depth planning regarding certificate
trusts and name constraints. ?roup olicy displays a slightly different vie# in a
"indo#s %&&& environment. but it provides the same functionality.
)o add the root CA certificate of Corporate-ootCA through ?roup olicy to the list of
trusted root CA certificates on all computers in the domainC use the follo#ing procedure.
(. 9og on as the domain administrator to the domain #here you #ant to deploy the root
CA certificate.
113
%. Click StartC point to ll ProgramsC point to dministrative "oolsC and then click
$omain Security Policy
Eou can also type $ompol9msc at a command prompt and then press /1)/-.
'. !n the console treeC double;click $efault $omain PolicyC double;click !omputer
!onfigurationC double;click Windows SettingsC double;click Security SettingsC and
then click Public Key Policies.
<. -ight;click )rusted -oot Certification AuthoritiesC click !mportC and then click 1e0t.
4. !nsert the "ransfer1'oot! floppy diskC and then click Browse.
5. Click (pen to select the certificate file.
7. Click lace all certificates in the follo#ing store. After the certificate is placed in the
)rusted -oot Certification Authorities containerC click 1e0t.
8. After a report displays the options that you have selected in the #i=ardC click -inis#
to import the certificate.
Eou can configure additional K! trust properties by using the )rusted -oot Certification
Authorities roperties page. )o set these propertiesC right;click "rusted 'oot
!ertification ut#oritiesC and then click Properties.
!f you disable the default third;party root CAs and enterprise root CAs optionC there may
be unintended effects #hen you try to gain access to applications such as $$9 secured
"eb sites on the !nternetC and so on.
"hen only enterprise root certificates are trustedC only CA certificates that are installed in
the follo#ing container in the configuration partition of Active Directory or through ?roup
olicy are trusted: Domain 1ameBConfigurationB$ervicesBublic Key
$ervicesBCertification Authorities.
$ee the $ites and $ervices MMC to verify the certificates. Eou must make the services
node visible to see the $ervices container.
Import Parent! !ertificates and !'4s into ctive
$irectory
)he follo#ing section outlines the procedures for publishing the CA certificates and C-9s
of offline CAs *Corporate-ootCAC !ntermediateCA(C and Corporate$ub%CA+ into Active
Directory.
114
Important
Do not use the information in this section if you are implementing a single;tier CA
because a single tier enterprise root CA publishes its root Certificate
automatically into Active Directory.
Eou must import offline CA certificates and their C-9s. 1ote that this import procedure for
the publication of CA certificates must be repeated every time that the offline CA@s
certificate is rene#ed.
Also the C-9 must be imported according to the C-9 publication strategy. /very time that
a ne# C-9 is published by the parent CAC you must repeat the publication procedure. )o
prepare the environment for the enterprise CA installationC you must register the parent
CA certificates and C-9s in Active Directory. 2or information about ho# to do thisC see
the follo#ing section in this document.
@et ! Saniti=ed ,ame and $,S ,ame
)he configuration information that is part of the C-9 in "indo#s $erver %&&' is different
from the configuration information that #as included #ith versions of the "indo#s %&&&
family. A C-9 that #as published by a "indo#s %&&& CA does not contain information
about the publication location of the C-9. *2or more informationC see 3erify the published
C-9 in this document.+ >o#everC you must kno# #here you #ant to save the C-9 during
the import process into Active Directory.
A "indo#s $erver %&&' CA stores this information in the optional Publis#ed !'4
4ocations attribute of a C-9 if the corresponding C-9 property #as set. "hen you
perform a C-9 import procedure on a computer that is running a "indo#s %&&&
operating systemC you must manually set the path of the C-9 publication location.
)o display the CAs computer name and the CAs saniti=ed nameC at a command promptC
type the follo#ing and then press /1)/-.
certutil Ecainfo
Eou can also use this command on a "indo#s %&&& CA that should be published to
Active Directory. !t is important that you note both the saniti=ed CA short name *D$
name+ and D1$ name for each "indo#s %&&& CA. A sample output from the command
is similar to the follo#ing outputC #here the items in bold are placeholders:
2Mit mo!ule count: 3
CA name: ?nterme!iateCA3
%anitiOe! CA s<ort name &D% name': ?nterme!iateCA3
CA t;pe: 1 -- %tan!-alone %u$or!inate CA
2N6*%)ANDA:ON2*%(CA -- 1
CA cert count: 3
8RA cert count: 0
115
8RA cert use! count: 0
CA certK0L: 7 -- Dali!
CA cert #ersionK0L: 0 -- D0=0
CA cert #erif; statusK0L: 0
CR:K0L: 7 -- Dali!
CR: Pu$lis< %tatusK0L: 0
CPF*(A%2 -- 3
CPF*CO6P:2)2 -- 1
Delta CR: Pu$lis< %tatusK0L: 0Me &31'
CPF*D2:)A -- /
CPF*CO6P:2)2 -- 1
CPF*%EADO" -- -
DN% Name: connoam-ca-00
A!#ance! %er#er: 3
Certtil: -CA?nfo comman! complete! successfull;=
!f either the C-9 path that is specified in the C-9 or the path #here the C-9 is physically
published is not the sameC an issuer distribution point *!D+ intersection error might
appear #hen the C-9 is verified by a client.
Import! !ertificates and !'4s from !orporate'oot!
and !oporateSub*!
!n order to continue the installation procedureC you must import CA certificates and C-9s
from parent offline CAs into Active Directory. !n generalC this procedure is a common
operation #hen the CA environment is set up. C-9 publication and distribution #ith Active
Directory is critical for a successful K! in your organi=ation. !mporting root CA
certificates into the Active Directory directly is preferred over using ?roup olicy to
distribute root CA certificatesC as this method provides for root CA trust throughout the
entire forest instead of individual domains.
BothC the CA certificate and C-9 are #ritten by the !ertutil9e*e utility into Active
Directory. 1ote that !ertutil9e*e replaces the $sstore9e*e utility that is available in the
"indo#s %&&& -esource Kit. 2or more informationC see D>." ).: 6se the Directory
$ervices $tore )ool to Add a 1on;"indo#s %&&& Certification Authority *CA+ to the K! in
"indo#s %&&&D on the Microsoft Kno#ledge Base and D)he Dsstore )ool May 1ot "ork
!f the 1etB!.$ 1ame and the D1$ Domain 1ame Are DifferentD on the Microsoft
Kno#ledge Base.
!aution
Do not use the $sstore9e*e utility that is included #ith the "indo#s %&&&
-esource Kit to import CA certificates and C-9s to a "indo#s $erver %&&'
environment.
116
)o import CA certificates and C-9s from parent offline CAs into Active DirectoryC use the
follo#ing procedure:
(. 9og on to the Corporate/nt(CA computer as dministrator of the 'oot1$omain
and also a member of the )nterprise dministrators group.
%. At a command promptC use the follo#ing sample script to import CA certificates and
C-9s from Corporate-ootCA and Coporate$ub0CA to Active Directory. 1ote that you
must change the script so that both the CA certificates and C-9s correspond to your
file names and CA names:
:
: Root CA certificates
:
certutil -!spu$lis< -f concorp-ca-00*CorporateRootCA=crt RootCA
:
: %u$ CA certificate
:
certutil -!spu$lis< -f connoam-ca-00*?nterme!iateCA3=crt %u$CA
:
: Root CA CR:s
: %ince t<ese are =N2) CA CR:% t<at <a#e t<e pu$lication location as
: part of t<e CR:F t<e pu$lication location is optional
:
: P-- pu$lication
location ---P
:
certutil -!spu$lis< -f CorporateRootCA=crl concorp-ca-00
CorporateRootCA
:
: %u$ CA CR:s
:
certutil -!spu$lis< -f ?nterme!iateCA3=crl connoam-ca-00
?nterme!iateCA3
,ote
)he Ef parameter is required because the container structure that is required to
store the certificates and C-9s and might not e0ist. )he Ef parameter is not
required if the container structure already e0ists.
Deploying the root CA certificate #ith ?roup olicy or Active Directory is not the only #ay
that you can provide clients #ith certificates of trusted root CA certificates. Eou can also
deploy root CA certificates by using the follo#ing methods:
)he !nternet /0plorer Administration Kit *!/AK+
A CA!C.M script *2or more informationC see DCA!C.M -eferenceD on the
Microsoft )ech1et "eb site.+
117
Set t#e ppropriate Permissions for !ertificate and !'4
access
)he CA administrator must ensure that any client in the K! can gain access to both the
C-9 distribution points and CA certificate.
2or >)) 6-9sC it is recommended that !nternet !nformation $ervices *!!$+ be set up and
configured to allo# anonymous access to the 6-9s that are set as C-9 distribution
points in issued certificates. "hen you do thisC clientsC regardless of their primary
authentication mechanismC can retrieve the C-9.
2or 6-9s that point to a C-9 obAect in Active DirectoryC the /veryone group has read
access by default. )o allo# clients that are not Active Directory members to gain access
to C-9 obAects in Active DirectoryC you must add the /veryone group #ith read
permissions to the domain obAects AC9. A more restrictive method that you can use to
configure anonymous access is to replace the /veryone built;in account #ith the
Anonymous built;in account.
2or more information about ho# to add -ead access permissions to clients that are
outside of the forestC see the follo#ing Microsoft "eb sites:
DAnonymous :ueriesD in the "indo#s %&&& -esource Kit
D>o# to 6se the -estrictAnonymous -egistry 3alue in "indo#s %&&&D in the
Microsoft Kno#ledge Base
Publis# ! !ertificates and !'4s of !orporate'oot! and
!oporateSub.!
ublishing the C-9s using >)) requires a "eb serverC such as !!$. )o set up !!$ to
provide the C-9 publishing point using >))C use the follo#ing procedure:
(. 9og on as a local administrator to the computer that has !!$ installed.
%. Click StartC click ll ProgramsC point to dministrative "oolsC and then click
Internet Information Services %IIS&.
'. Double;click the !!$ server nodeC and then double;click Web Sites.
)he organi=ational "eb site that #ill host the C-9 is displayed.
<. -ight;click your "eb siteC point to ,ewC click 0irtual $irectoryC and then click ,e*t.
)he 3irtual Directory Creation "i=ard starts.
4. )ype an alias name for your "eb site *for e0ampleC type PKI+C and then click ,e*t.
118
5. Choose a path #here the certificates and C-9 #ill be stored on the a local storage
deviceC and then click ,e*t.
!n this e0ampleC the CA certificates and C-9s are stored in !>JPKI.
7. $elect the 'ead check bo0C clear all of the other check bo0esC and then click -inis#.
1o other permissions are required.
8. Copy the CA certificate and C-9s from the "ransfer1'oot! floppy disk into the
C:BK! folder. -epeat this step #ith the CA certificate and C-9s stored on the
"ransfer1Intermediate! floppy disk.
,ote
Make sure that the file names that are published #ith >)) e0actly match the CA
certificate and C-9 distribution point as defined as part of the CA configuration. !f
the file names do not matchC clients #ill fail to retrieve the C-9 #ith the 6-9 that
#as specified as the C-9 distribution point.
0erify t#at t#e $omain !ontroller 8as Publis#ed t#e
!ertificates and !'4 into ctive $irectory
After you import the list of CA certificates and C-9s into Active DirectoryC verify that the
data is published to the correct location.
,ote
!n a distributed environmentC a delay occurs before any domain controller has
received the certificates and C-9s through Active Directory replication. )he delay
#ill vary depending on the Active Directory environment configuration.
Eou can verify that the CA certificates and C-9s are published to the correct location
through the Active Directory $ites and $ervices MMC $nap;in.
(. 9og on to the Corporate/nt0CA computer as the administrator of the root domain and
as a member of the /nterprise Administrators group.
%. .pen the Active Directory $ites and $ervices MMCC by doing one of the follo#ing
)o use the "indo#s interfaceC click StartC click ll ProgramsC point to
dministrative "oolsC and then click ctive $irectory Sites and Services.
)o use a command promptC at a command promptC type dssite9msc.
'. Click ctive $irectory Sites and Services.
<. .n the 0iew menuC click S#ow Services ,ode.
119
4. Click ServicesC and then click Public Key Services.
5. 3erify that the A!A container has all parent CA certificatesC and then verify that the
C-9 container has the C-9 obAects for each CA.
)he A!A container has a flat obAect structure but the C-9 distribution point container
stores C-9s in a separate container for each CA.
!f the A!A or C-9 container do not have the proper obAectsC it may be necessary to
manually republish the obAects as described above.
)o delete certificates or C-9s that are e0piredC revokedC or no longer required through the
Active Directory $ites and $ervices MMCC click the certificate or C-9 and then press
D/9/)/. Keep in mind that clients #ill need CA certificates to verify end;entity
certificates. /ven a revoked or e0pired CA certificate can be required to verify a certificate
chainT
0erify "#at t#e ! !ertificate and !'4 re Imported into
ctive $irectory
)o ensure that the correct C-9 and A!A information is published to Active DirectoryC verify
the certificate of !ntermediateCA(. !f clients cannot retrieve a C-9 from the C-9s
distribution point or do not do#nload a certain CA certificate from Active DirectoryC the
client applications #ill generate an error #hen verifying a certificates status.
,ote
!f the verification procedure in this section does not #orkC it is important to
investigate the cause of the failure. !f the publication location in Active Directory
is incorrectC correct the location by using the steps in the ublish CA certificates
and C-9s of Corporate-ootCA and Coporate$ub(CA to a "eb site section in
this article.
)o verify that the CA certificate and C-9 #ere imported correctly into Active Directory:
(. 9og on to a computer that is member of the organi=ation@s Active Directory. )he user
account that you use can be a domain user account because any user should have
read permissions to both the CA certificate and C-9 in Active Directory.
%. !nsert the "ransfer1Intermediate! floppy disk into the floppy drive
'. At a command promptC type the follo#ingC and then click 'etrieve:
certutil9e*e 1url a>JIntermediate!.9cer
)he certutil9e*e Eurl command #orks #ith any F.4&,3' certificate. Eou can also use
this command to verify user certificates. Eou can perform C-9 and A!A distribution
120
point verification by using the Certutil.e0e utility only on certificate files that are
Distinguished /ncoding -ules *D/-+ encoded *M.cer file+. !f you discover that the
C-9 distribution point is incorrectly configuredC you must correct the issue in the CA
configuration to #hich the C-9 belongs. )he C-9 distribution point is stored as an
attribute in every issued certificate. AlsoC there may be an impact on certificates that
are already enrolled if the C-9 is not correctly configured.
"hen you click 'etrieveC "indo#s performs a C-9 or A!A do#nload based on the
certificate file that has been specified. )he certificates name is displayed in
!ertificate SubAect.
"indo#s lists the certificate@s C-9 distribution points that are specified in the C-9
distribution point e0tension of the certificate and displays the verification status. )he
follo#ing figure is an e0ample of a successful verification procedure.
-igure <> 2'4 'etrieval "ool
!f the C-9 verification procedure does not #orkC the C-9 distribution point e0tensions
may not be validC or the locations of the C-9s have permissions set that do not allo#
the current user to retrieve the obAect.
<. !n the 'etrieve bo0C click !erts %from I&C and then click 'etrieve.
121
$ince the root CA certificate has no C-9 defined in this scenarioC you receive a C-9
status message saying 1o C-9. )he missing C-9 status is e0pected in this e0ampleC
since the C-9 distribution point #as set to /mpty in the root CAs CAolicy.inf file.
"emplate 2pgrade from Windows 2000
"hen you upgrade from "indo#s %&&& to a member of the "indo#s $erver %&&' familyC
you must upgrade both the properties and security settings on e0isting version ( *3(+
templates.
)o perform the upgrade to a "indo#s $erver %&&'C /nterprise /ditionC CA environmentC
open the Certificate )emplates MMC that is included #ith "indo#s $erver %&&'C
/nterprise /ditionC so that you can install and upgrade the template obAects. !t detects
that templates are available from a previous "indo#s %&&& CA installation and
automatically upgrades the templates.
)he upgrade procedure also changes the permissions that are required for template
administration. !n "indo#s %&&&C you must be a member of both the /nterprise Admins
group and -oot Domain Admins group to perform this operation. 2or more information
about certificate templatesC see D!mplementing and Administering Certificate )emplates in
"indo#s $erver %&&'D on the Microsoft )ech1et "eb site
Prepare t#e !Policy9inf -ile for t#e Issuing !
!f you apply an application or issuance policy at the level #here end entity certificates are
issuedC you have precise control over policies. !f more than one issuing CA e0ists in the
K! hierarchyC different policies can be applied to each CA to issue different certificate
types. 1everthelessC policies can be applied at a parent CA level as #ell. )ypicallyC in
most deploymentsC policies are applied at an intermediate CA level than at the leaf node
CA. "hen you define policies at a parent CA levelC the policy applies to all of the
subordinate CAs. )his could have an impact on the CA topology design.
2or an e0ample of a CAolicy.inf file #ith issuer policyC see D$ample CAolicy.inf file for
the !ntermediateCA(D later in this paper.
Install t#e (nline Issuing )nterprise !
!f you upgrade a "indo#s %&&& enterprise CA to a "indo#s $erver %&&' CAC you must
log on to the computer #ith an account that is member of both the root domain
administrators group and the enterprise administrators group.
122
"hen you perform a clean installation of the first "indo#s $erver %&&'C /nterprise
/dition CA in a ne# "indo#s $erver %&&' forestC the installation account requires that
you are a member of the /nterprise Admins group and the *root domain+ Domain Admins
group. After the first CA installationC *root domain+ Domain Admins permissions are no
longer required.
)he installation procedure for an online enterprise CA is different form the installation
procedure for the offline parent CAs. 6se the follo#ing steps to set up Corporate/nt(CA:
(. 9og on to the Corporate/nt(CA computer #ith 9ocal AdminC /nterprise AdminC and
*root domain+ Domain Admin permissions.
)he installation of an enterprise CA requires that you be able to gain access to the
Active Directory configuration container. During the CA installation procedureC the
account used to install the CA also becomes a CA administrator account #hich is a
role that can be delegated to other user accountsC as appropriate.
%. Do one of the follo#ing:
)o use the "indo#s interfaceC click StartC point to SettingsC click !ontrol PanelC
double;click dd or 'emove ProgramsC and then click ddC'emove Windows
!omponents.
)o use a command promptC click StartC click 'unC type cmdC press /1)/-C type
sysocmgr Ci>sysoc9infC and then press /1)/-.
'. $elect the !ertificate Services check bo0.
)o run Certificate $ervicesC the follo#ing soft#are components are required:
!nternet /0plorer
*.ptional+ Certificate $ervices "eb enrollment support
*.ptional+ !nternet !nformation $ervices for "eb enrollment support
!t is not recommended that you install any other "indo#s components on a "indo#s
$erver CA. !f you install additional componentsC reliability or security of a root CA may
be compromised if a secure configuration is required by the organi=ation.
<. After you select the !ertificate Services check bo0C you receive a #arning that
states that you cannot change the 1etB!.$ computer name after you install
Certificate $ervices. *1ote also that you cannot change the computer@s membership
to a domain or #orkgroup.+ Click Hes to continue #ith the installation procedureC and
then click ,e*t.
123
,ote
!!$ is not a required component on an enterprise CAC but it might be
necessary to have !!$ available for certificate "eb enrollmentC depending on
the enrollment method that is used for clients. "indo#s %&&& and "indo#s
F clients typically request certificates by using distributed C.M *DC.M+ or
auto;enrollment instead of >)). 2or more informationC see DAuthentication
and authori=ationD in this document.
4. "hen you are prompted to choose the type of installationC do one of the follo#ing:
!f you #ant this installation to be in a multi;tier K! topologyC click )nterprise
subordinate !.
!f you #ant this installation to be an enterprise CA in a single;tier topologyC click
)nterprise 'oot !. AlsoC verify that the 2se custom settings check bo0 is
selected.
!n this scenarioC the enterprise CA is installed as a subordinate CA. $elect
)nterprise subordinate !.
1ote thatC if the computer that is supposed to be an enterprise CA is a domain
memberC both the )nterprise 'oot ! and )nterprise Subordinate ! options
may be unavailable. )o find out #hy the options are unavailableC see the follo#ing
table.
"able 20 Wor7arounds for )nterprise 'oot and Subordinate ! 2navailability
124
'eason Wor7around
1o access to domain controller )he CA cannot gain access to the domain
controller through the net#ork. )he
nltest9e*e Cdsgetdc command might be
helpful to ensure connectivity #ith your
domain controller. )o use 1ltest.e0eC
install the support tools that are available
on the "indo#s $erver %&&' CD;-.M.
2or more information about nltest see
Active Directory support tools in the
"indo#s $erver %&&' online help or on
the Microsoft "eb site.
Domain controller has not replicated $ee D3erify that the domain controller has
published the certificates and C-9 in
Active DirectoryD earlier in this article.
Configuration container does not e0ist $ee D3erify that the domain controller has
published the certificates and C-9 in
Active DirectoryD earlier in this article.
After you are doneC click ,e*t.
!f an >$M #as not installedC click Microsoft Strong !ryptograp#ic Provider.
!f an >$M #as installedC you must click the C$ that #as installed during the
>$M setup procedure.
7. $elect the S81. hash algorithm.
$>A;( is the most common and interoperable hashing algorithm that is used by
programs and operating systems.
8. !n Key 4engt#C select the appropriate setting.
!n this e0ampleC set a key length of 203< for Corporate/nt(CA.
,. Confirm that the llow t#is !SP to interact wit# t#e des7top and the 2se an
e*isting 7ey check bo0es are clearedC and then click ,e*t.
!f a CA is already installed on this serverC the list of e0isting keys is created from the
system certificates that are stored in the follo#ing registry key:
125
8K)HK4(!4KM!8I,)JS(-"W')JMicrosoftJSystem!ertificatesJMyJ!ertific
ates
(&. $et the common name for this CA as specified in the C$C and then click ,e*t.
Because this CA is an enterprise CAC the distinguished name suffi0 is predefined to
use the namespace of the e0isting Active Directory@s *forest+ namespace. !t is
recommended that this value not be changed.
)he key pair is generated by the C$ and #ritten to the local computers key store. !f
an >$M has been installed and selectedC the key is generated in the >$M and stored
accordingly. !f you do not use an >$MC the key is generated by CryptoA! and stored
in the profile of the system account on the local computer. )he length of time that is
required to generate the key depends on both the si=e of key that is being generated
and the C6 performance of the local computer.
((. $pecify the location of the certificate database and the certificate database@s log filesC
and then click ,e*t.
,ote
!t is a good practice to place both the certificate database and certificate
database log on a separate volume from the partition on #hich "indo#s is
installed for issuing enterprise CAs. )his provides increased disk input and
output performance and provides sufficient storage space for the database
as it becomes larger.
Because this in an online enterprise CAC the shared folder that stores configuration
information is optional. )he purpose of the shared folder is to serve clients that do not
receive the CAs certificates through the ?roup olicy obAect *?.+ or that are not
able to retrieve the CA certificates from Active Directory or through "eb enrollment
support. Any client that has access to the shared folder can import the CA certificates
into its certificate store. Depending on the shared folders nameC a ne# share #ill be
created on the CA server computer. )he default name for the shared folder is
BB9ocalhostBCAConfig. !f you do not need to publish the CAs certificate and
configuration #ith a shared directoryC do not create a shared folder.
!f you are installing a CA in the same location as a previously installed CAC the
Preserve e*isting certificate database option is enabled. Click this option if you
#ant the ne# CA to use this database and preserve the certificates that are in the
databaseK other#iseC the database #ill be deleted. 6se this option only #hen you
#ant to restore a CA from backup or for CA migration.
(%. Click Save t#e re+uest to a fileC type a name for the request fileC click ,e*tC and
then click (K.
126
2or e0ampleC you can type a>J!orporate)nt.!9re+.
A subordinate enterprise CA needs to send the certificate request to its parent offline
CA. Because the !ntermediateCA( computer is running #ithout a net#ork connectionC
the request file must be transferred on a floppy disk.
Important
Make sure that the "ransfer1!orporate)nt. floppy disk is available before
you proceed to the ne0t step. !f "indo#s cannot access the floppy diskC you
receive an error message appears and the CA setup process stops. Before
you can reinstall the CAC you must uninstall the !ertificate Services Web1
)nrollment Support component if you selected it during setup.
)he "indo#s Component "i=ard continues the certificate services configuration.
"hen the "indo#s Component "i=ard completes the certificate services
configurationC you may need to provide the installation media to finish the installation
procedure.
('. "hen the CA certificate has obtained a signed subordinate CA certificate from its
parent CAC the installation #i=ard displays a final message that indicates that the
installation procedure is finished. Before you click (KC verify that the "ransfer1
!orporate)nt. floppy disk is available to save the request file.
Click (K to continue the installation.
(<. *.ptional+ !f !!$ is installed as part of this configuration but A$ pages are not
enabled by defaultC the CA setup procedure asks #hether you #ant to automatically
enable the A$ pages. Click Hes to enable A$ pagesC because they are required
for "eb enrollment services.
!f you click ,o because you do not #ant to enable A$ pagesC you can enable A$
pages by using the certutil Evroot command at a later time
(4. Click -inis# to complete the installation procedureC and then click !lose to close
dd or 'emove Programs.
(5. -emove the "ransfer;Corporate/nt( floppy disk from the floppy disk driveC and then
take the floppy disk to the parent CA computer *!ntermediateCA(+.
!f this installation procedure is for an enterprise root CAC continue to DConfigure the
enterprise online CAD in this document.
127
!ertificate 'e+uest Processing wit# t#e (ffline Parent !
%Intermediate!.& "#roug# Web )nrollment Support
)he follo#ing procedures are provided as an e0ample and not necessarily as a security
best practice.
Eou do not need !!$ on a CA unless you need client support for enrollment on "indo#s
clients earlier than "indo#s %&&& or non;"indo#s clients.
!n a three;tier topologyC the enterprise CA certificate request that is stored on the floppy
disk must be issued by the !ntermediateCA( computer. !n a t#o;tier topologyC the
certificate request must be issued by the root CA.
"o 'e+uest a ! !ertificate "#roug# Web )nrollment Support
(. 9og on to the CA computer that #ill issue the enterprise CA certificate #ith an
account that has certificate enrollment permissions.
%. .n the offline subordinate CA computerC open !nternet /0plorer.
'. !n ddressC type #ttp>CClocal#ostCcertsrv and then press /1)/-.
<. .n the Welcome pageC click 'e+uest a certificate.
4. .n the 'e+uest a !ertificate pageC click dvanced certificate re+uest.
5. .n the dvanced !ertificate 'e+uest pageC click Submit a certificate re+uest by
using a base1:31encoded !M! or PK!S P.0 file or Submit a renewal re+uest by
using a base1:31encoded PK!S P; file.
7. .pen a te0t editorC such as 1otepadC and open the Corporate/nt(CA request file.
8. .n the )dit menuC click Select llC and thenC on the )dit menuC click !opy.
,. !n !nternet /0plorerC on the Submit a !ertificate 'e+uest or 'enewal 'e+uest
pageC in the Saved 'e+uest bo0C right;click a blank spaceC click PasteC and then
click Submit.
)he request is submitted to the CA and remains in the ending -equests folder. 1ote
the request !D number and the time that are supplied by the "eb page. )his
information is helpful #hen you use the procedure to approve the request *by request
number+ and retrieve the certificate *by request time+.
(&. Click 8ome.
,ote
A request must be retrieved by the same user account on the same computer
from #hich it #as submitted. )he "eb page uses a bro#ser cookie to identify the
pending request. !f bro#ser cookies are blocked or if you use a different
128
computerC retrieve the certificate directly from the CA by using the Certification
Authority MMC snap;in. 2or more informationC see D/0port the offline
intermediate certificate at the root CAD in this document.
"o Issue t#e Pending 'e+uest Wit# t#e !ertification ut#ority MM!
(. .pen the Certification Authority MMC.
%. !n the console paneC double;click !ertification ut#ority %Location>f",&C double;
click the CAC and then click Pending 'e+uests.
'. !n the details paneC right;click the requestC and then click Issue.
"o Issue t#e Pending 'e+uest "#roug# Web )nrollment Support
(. .pen !nternet /0plorer.
%. !n ddressC type #ttp>CClocal#ostCcertsrv and then press /1)/-.
'. .n the Welcome pageC click 0iew t#e status of a pending certificate re+uest.
<. .n the 0iew t#e Status of a Pending !ertificate 'e+uest pageC click the request
you #ant to issue.
!f there is more than one certificate availableC click the certificate that corresponds to
the time that you sent the request to the CA.
4. .n the ne0t pageC choose a format for the ne#ly issued certificate.
!n a homogenous "indo#s environmentC it is recommended that you use the D/-;
encoded format.
6nless the root CA has been previously installed on the computer account #here the
enterprise CA is installed *?roup olicyC and so on+C the root CA certificate must be
trusted before the enterprise subordinate CA can start.
5. Click $ownload certificate c#ainC save the output to a .p7b fileC and then save the
file on a floppy disk.
2or e0ampleC you can save the file as Corporate/ntCA.p7b.
,ote
)here is no sensitive data on the floppy disk. A CA certificate is public
informationC ho#everC the associated CA private key has been generated in the
CA *or >$M+. )he private key does not leave the computer on #hich the
certificate request #as created.
129
0erify t#e )nterpriseSub.! !ertificate
)o ensure that the certificate that you issued for the Corporate/nt(CA computer has the
correct certificate propertiesC you should verify the certificate. .pen the certificate and
e0amine its certificate properties. )o vie# the certificateC double;click the certificate file in
"indo#s /0plorer or use the Certificate Manager MMC. Make sure that the validity timeC
the key lengthC and certificate policies are sho#n correctly.
Install t#e !ertificate at t#e !orporate)nt.! !omputer
)he installation procedure for the enterprise CA certificate is very similar to the
installation procedure for the !ntermediateCA( computer.
!nsert the floppy disk that has the certificate file for the parent CA certificates into the
floppy disk driveC and thenC at a command promptC type the follo#ing commandC and
then press /1)/-:
certutil9e*e Einstallcert ","ert5ile9p;b
2or more informationC see D!nstall the certificate at !ntermediateCA( at a command
promptCD later in this paper.
0erify t#e !orporate)nt.! "rust !#ain
.nly a valid trust chain ensures that the CA #ill operate as e0pected. !f the trust chain is
not correct or if the issuing CA cannot build the chain and check revocation status of
parent certificatesC the issuing CA #ill report and error #hen attempting to start. !f the CA
certificate verification failsC the follo#ing error message appears: )he revocation function
#as unable to check revocation because the revocation server #as offline *&08&&,%&('+.
)o verify the trust chain of the Corporate/nt(CA computer in advanceC at a command
promptC type run certutil Everify "ertificate.ame9crtC and then press /1)/-.
!t is also recommended that you validate the CA certificate@s C-9 distribution points. )o
do thisC at a command promptC type the follo#ing commandC and then press /1)/-:
certutil E2'4 certificate1name9crt
)he output of the script looks similar to the follo#ing figure:
130
-igure ?> 0alidated !'4 $istribution Points
)o vie# the C-9C in the 2rl columnC double;click the C-9 6-9.
,ote
Eou can verify a C-9 or A!A according to the 6-9 that is specified in a certificate.
!f a certificate and a 6-9 are both providedC the C-9s and A!As for all 6-9s that
are specified in the certificate are requested andC additionallyC the information
from the location that is specified in 2'4 to download is received.
2or troubleshooting purposesC you may also be required to do#nload the C-9 to the local
computer to e0amine the C-9. )his procedure is easy for C-9s that you can gain access
to by using >))C but this procedure is more difficult for C-9s that do have only an 9DA
C-9 distribution point.
Eou can do#nload a binary copy of a C-9 from an 9DA C-9 distribution point by using
the !ertutil9e*e command. )o do thisC type the follo#ing at a command prompt: 1ote that
you should replace the items that are in italic te0t #ith your C-9 destination and that you
should verify that the correct search filter is added after the question mark.
certutil Estore Esplit ldap>CCC!,B"orporateRoot",/!,BRoot",/!,B!$P/!,BPublic
Key Services/!,BServices/!,B!onfiguration/$!Bcontoso/$!BcomG
"ertificateReocationListGbaseGobAect!lassBc'4$istributionPoint
131
After you run the commandC a ne# C-9 file is available in the directory you used #hen
you ran the !ertutil9e*e command. )he file is named Blob&I&.crl. Eou can open the .crl
file through "indo#s /0plorer and display it as you #ould any other .crl file.
PKI 8ealt# "ool
Eou can also use the K! >ealth tool *kivie#.msc+ to verify the C-9 and A!A location.
)his tool is available from the Microsoft "indo#s Deployment and -esource Kits "eb
site.
)he K! >ealth tool is of value to CA administrators #ho maintain the enterprise. )he tool
enumerates all certification authorities *CAs+ that are associated #ith the current forestC
and then the tool displays status properties that are associated #ith those CAs.
!onfigure t#e )nterprise (nline !
)he Corporate/nt(CA computer configuration is similar to the parent subordinate CA
configurationC and you can quickly create this configuration #ith a batch script. )he
difference bet#een the parent CA configuration and the Corporate/nt(CA computer
configuration is the validity period for issued certificatesUthey are controlled by
templates in the enterprise CA instead of by the registry. 2urtherC delta C-9s are enabled
for the enterprise CA. Delta C-9 publishing is enabled by default #ith "indo#s %&&'
$erver. )o configure the enterprise CA:
(. .pen 1otepad.
%. !n this paperC go to $ample script to configure the /nterprise$ubCA and copy the
script to the clipboard.
'. !n 1otepadC paste the script into a ne# file.
<. $ave the file as FtempFJentcacfg9cmdC and then close 1otepad.
4. At a command promptC type FtempFJentcacfg9cmd and press /1)/-.
Important
!f you study the script that configures the enterprise CAC you may notice that the
4$P !'4 publication property is different than the properties for the offline
CAs. )his behavior occurs because an online CA has the capability to publish its
CA certificate and the C-9 automatically to Active Directory. )hereforeC it is
recommended that you allo# the CA to update the information that is stored at
the C-9 and A!A distribution point. An offline CA cannot use this settingC because
it cannot reach a domain controller by using the net#ork. Because of thisC no
132
publication is configured for either C-9 or A!A C-9 distribution points that are
configured #ith offline CAs.
0erify t#e )nterpriseSub! !onfiguration
)he ne0t sections help you ensure that the CA is correctly configured and is ready for
production operations. !t is recommended that you apply the verification steps that are
described in the previous sections in this document:
3erify the root CA configuration
3erify the Corporate-ootCA C-9 and A!A configuration
3erify the published C-9
An enterprise CA automatically publishes the CA certificate and C-9 into Active Directory.
Because of thisC you should also verify the C-9@s availability in Active Directory. !t is
recommended that you use the certutil E2'4 command or the K! >ealth tool that is
described in the previous section.
,ote
)he output samples that are mentioned in the previous sections in this document
are not the same as the !ntermediateCA( configuration. 3erify the appropriate
parameters according to the /nterprise$ub0CA configuration.
!ertification ut#ority Maintenance
CA maintenance and monitoring is an ongoing task after you set up the CA environment.
$ome of the most important procedures for CA maintenance are:
Correct configuration of the CAs
C-9 publication of offline CAs
C-9s that are not manually published
-ene#al of CA certificates assigned to CA operations
Backup and recovery
Eou can maintain the CA that is connected to the net#ork locally or you can maintain the
CA that is connected to the net#ork through a remote connectionK ho#everC CA
maintenance and administration tools are designed to #ork best for local operations
133
because the CA administration is a sensitive operation and should be kept as secure as
possible.
!f you #ant to use the Certificate $ervices MMC for remote administrationC for the
appropriate steps to make the CA remotely accessibleC see D6sers Allo#ed to Manage
the CA Cannot Access !t -emotelyD in the Microsoft Kno#ledge Base.
2or more information about CA operations and custom configurationC refer to the
"indo#s $erver %&&' K! .perations ?uide on the Microsoft "eb site.
Best Practices for !'4 Publication
)he follo#ing section provides information and best practices for managing and
publishing certificate revocation lists.
!'4 Partitioning
Administrators may rene# an issuing CA #ith a ne# key to partition the C-9. "hen a
ne# key and certificate are generatedC the CA uses the ne# key as #ell as any une0pired
previous keys that correspond to previous certificates #hen generating revocation
information. )hereforeC a CA may be using multiple keys at the same time and therefore
publishes multiple C-9s that correspond to those keys. Eou can see multiple valid
certificates that are assigned to the CA in the Certification Authority MMC if you click the
?eneral tab of the CA properties.
Eou can also determine the rene#al status of the CA if you e0amine the CA certificate.
)he CA version e0tension identifies ho# many times a CA has been rene#ed and ho#
many times it has been rene#ed #ith a ne# key. )he follo#ing figure displays a CA
certificate that has been rene#ed three times. 1ote that a ne# key #as issued #ith each
rene#alC #hich is #hy ! 0ersion is '.'.
134
-igure .0> 'enewed ! !ertificate
After a CA is rene#ed #ith a ne# keyC only the ne# key is used #hen signing ne#
certificates. )he une0pired previous keys continue to be used to sign C-9s for certificates
that #ere signed #ith the previous keys. )hereforeC a CA may publish multiple C-9s at
the same timeC each using a different key. )his method of CA rene#al may be an ideal
method for C-9 si=e control and effective C-9 partitioning #ith the CA.
utomatic 'oot! !ross1!ertificate @eneration
.n computers that are running a member of the "indo#s $erver %&&' familyC Microsoft
root CAs can automatically issue and publish cross certificates for a root CA that has
been rene#ed. 2or e0ampleC #hen a "indo#s $erver %&&' root CA is rene#ed #ith a
ne# keyC the root CA cross;certifies the rene#ed root CA certificate and it is considered a
135
qualified subordinate to the earlier root CA certificate. )his functionality is important if you
have an operational root CA that is trusted by other organi=ations clientsC bridge CAsC or
if it is cross;certified by other organi=ations.
)o force the root CA to use the CrossCA certificate templateC at a command promptC type
the follo#ing commandC and then press /1)/-. !f you do not use this command #ithout
this setting configuredC the CA does not use the CrossCA certificate template *even if it is
available+. !nsteadC it generates a certificate using predefined e0tensions in the registry:
certutil 1setreg caJ!'4-lags O!'4-K2S)K!'(SSK!)'"K")MP4")
)o disable automatic cross CA certificate generationC at a command promptC type the
follo#ing commandC and then press /1)/-:
certutil 1setreg caJ!'4-lags O!'4-K$ISB4)K'(("K!'(SSK!)'"S
)o force the root CA to use the CA/0change certificate template #hen generating CA
encryption certificates on demandC use the follo#ing command. "ithout this flagC the CA
uses the CA/0change certificate templateC #hen availableC and generates a certificate
#ithout the template by using pre;defined e0tensions.
certutil 1setreg caJ!'4-lags O!'4-K2S)KQ!8@K!)'"K")MP4")
!ertification ut#ority Bac7up and 'ecovery
)he CA stores information about certificates in its database and the log files that are
bound to the database. )he CA has to be able to gain access to its certificates and keys
that are stored in the local computer@s certificate store or on a hard#are device. CA
configuration information is stored in the registry.
Eou can back up the database and the log files only by using the certutil Ebac7up
command. Eou can individually back up the CA certificate and the keys by using the
certutil Ebac7up7ey command. Eou can archive the database by using the certutil E
bac7updb command. )hese backup procedures are appropriate for a restore operation
that repairs a damaged CAC assuming that the CA is correctly configured. >o#everC
neither of these commands #ill back up any of the CA configuration or role separation
information in the registry. )o back up the CAC including its configurationC use the
ntbac7up bac7up systemstate command.
,ote
Backing up a CA includes the private key that is o#ned by the CA. )he private
key is the most sensitive CA information option. !t becomes part of your backup
data if you run certutil 1bac7up7ey or if you perform a system state backup.
>andle the backup data #ith caution at all times. $tore it securely if the private
136
CA key is part of your backup. )he organi=ation@s certificate policy and security
policy must cover the handling of backup media.
A backup procedure may not #ork as e0pectedC so it is recommended that regularly
scheduled tests of restore operations be performed. 2or more information about CA
backupC see the follo#ing Microsoft Kno#ledge Base articles:
D>o# to 6se Key and Certificate BackupH-estore 6tilityD on the Microsoft Kno#ledge
Base.
DCertificate $erver Does 1ot Create Backups of !nstalled KeysD on the Microsoft
Kno#ledge Base. *)his article applies only to "indo#s %&&& $erver.+
'epair t#e !ertificate Store
"hen you restore a CA that maintains its CA certificate #ith a soft#are C$ on a
different computerC you must repair the CA configuration to allo# the CA to gain access to
the original CA certificate. "hen the CA soft#areC the databaseC and CA configuration are
restoredC you need to install the CA certificate to the local computer@s certificate store.
Eou can also use the follo#ing command to share an >$M across multiple computers:
certutil 1addstore my !0.9!ontoso9comK!'oot9crt
After you use this commandC use the follo#ing command to determine the certificate
hash:
cerutil !0.9!ontoso9comK!'oot9crt N findstr Cc> Key Id 8as#%s#a.&
"hen you use this commandC it displays the CACert$>A;(>ash value. )ake the
he0adecimal string representing the $>A;( hash *kno#n as the thumbprint propert! of a
certificate+ and use it as a parameter in the ne0t command. 2or e0ampleC you might type
the follo#ing command:
certutil 1repairstore my Dea c; ;d ;e e< cd <3 ?b e< aa ;. :d f3 b; e6 0? d? b: 32
.bD
ppendi* > $irectory (bAects
)he various K!;related containers such as CAsC enrollment servicesC templatesC obAect
identifiers *also kno#n as .!Ds+C A!AC and C-9 distribution points are created #hen you
set up the forest for the first time #ith the first enterprise CA. )he permissions on the
obAects are also set at that time.
137
$irectory obAects t#at are created by an
enterprise !
!nstalling an enterprise CA creates the follo#ing obAects:
/nrollment $ervices obAect *includes CA certificate+ G under C1L/nrollment
$ervicesCC1Lublic Key $ervicesCC1L$ervicesCC1LConfigurationCDCL
)rusted root CA obAect *includes CA certificate+ G C1LCertification
AuthoritiesCC1Lublic Key $ervicesCC1L$ervicesCC1LConfigurationCDCL
A!A obAect *includes CA certificate+ G under C1LA!ACC1Lublic Key
$ervicesCC1L$ervicesCC1LConfigurationCDCL
K-A obAect *no significantly si=ed attributes+ *"indo#s $erver %&&' only+ G under
C1LK-ACC1Lublic Key $ervicesCC1L$ervicesCC1LConfigurationCDCL
C-9 distribution point container *no significantly si=ed attributes+ G under
C1LCDCC1Lublic Key $ervicesCC1L$ervicesCC1LConfigurationCDCL
C-9 distribution point obAect *includes C-9+ G under L
C1LComputerCC1LCDCC1Lublic Key
$ervicesCC1L$ervicesCC1LConfigurationCDCLJ
)he installation procedure also adds the CA certificate to the follo#ing e0isting obAect to
provide trust for logon and authentication certificates:
)rusted /nterprise CA certificates G C1L1)AuthCertificatesCC1Lublic Key
$ervicesCC1L$ervicesCC1LConfigurationCDCL
$irectory (bAects "#at re !reated by t#e
-irst )nterprise! in t#e -orest
!nstalling the first enterprise CA in the forest also installs %, template obAects #hen
running a member of the "indo#s $erver %&&' family or %< template obAects #hen
running "indo#s %&&& in Active Directory under the follo#ing container:
C1LCertificate )emplatesCC1Lublic Key $ervicesCC1L$ervicesCC1LConfigurationCDCL
)he "indo#s $erver %&&' family adds some additional obAect identifier containers *also
kno#n as .!D+ to the configuration container. Because obAect identifiers are not
hardcoded in version % *3%+ templatesC obAect identifier containers are required to #ork
#ith 3% templates. .nly clients running "indo#s F and later may resolve obAect
identifiers in Active Directory to friendly names.
C1L.!DCC1Lublic Key $ervicesCC1L$ervicesCC1LConfigurationCDCL
138
2or more informationC see article %874<7C D.bAect !Ds Associated #ith Microsoft
CryptographyD in the Microsoft Kno#ledge Base.
!ontents of JJ4ocal#ostJ!ert!onfig
and JJ4ocal#ostJ!ert)nroll
Because more than one certificate file e0ists in the BCertConfig and BCert/nroll share
after a period of timeC the follo#ing table e0plains the certificate file name e0tensions and
their purpose. !f the CA name is used as part of a file nameC the saniti=ed CA name adds
additional escape characters in order to accommodate any e0tended A$C!! characters in
the file name. )he escape characters appear in the file name as N%&.
"able 2. !ertificate Pat#s and -ile ,ame )*tensions
)*ample of t#e file name $escription
JJ4ocal#ostJ!ert!onfigJ!ertsrv9t*t CA configuration file
JJ4ocal#ostJ!ert!onfigJ!ertsrv9ba7 revious CA configuration file if the CA
has been reinstalled
JJ4ocal#ostJ!ert!onfigJ",name9re+
JJ4ocal#ostJ!ert!onfigJ",name%.&9re+
-equest file that is used to generate the
CA certificate. -equest files are used
only for subordinate CAs. -equest files
are generated #ith the same base file
name suffi0 as certificates.
139
)*ample of t#e file name $escription
0!stem-rie,nd0!stemroot==",name9re+
0!stem-rie,nd0!stemroot==",name%.&9re+
!f no shared folder #as created during
the CA setup procedure and Active
Directory is used to publish the CAs
configuration informationC request files
are #ritten to the $ystemroot drive
instead of to the BB9ocalhostBCertConfig
file.
)o verify #here the configuration
information is publishedC at a command
promptC type certutil Egetreg
!J2se$S. !f the value is set to &C the
configuration information is #ritten to the
shared folder. !f the value is set to (C the
configuration is maintained in Active
Directory.+
JJ4ocal#ostJ!ert!onfigJ",name9crt
JJ4ocal#ostJ!ert)nrollJ",name9crt
.riginal root CA certificate *3&.&+
JJ4ocal#ostJ!ert!onfigJ",name%.&9crt
JJ4ocal#ostJ!ert)nrollJ",name%.&9crt
-ene#ed root CA certificate *3(.&+
JJ4ocal#ostJ!ert!onfigJ",name%01.&9crt
JJ4ocal#ostJ!ert)nrollJ",name%01.&9crt
Cross certificate for CA certificate 3&.&
to 3(.&
JJ4ocal#ostJ!ert!onfigJ",name%.10&9crt
JJ4ocal#ostJ!ert)nrollJ",name%.10&9crt
Cross certificate for CA certificate 3(.&
to 3&.&
JJ4ocal#ostJ!ert!onfigJ",name%2&9crt
JJ4ocal#ostJ!ert)nrollJ",name%2&9crt
rene#ed root CA cert *3%.&+
JJ4ocal#ostJ!ert)nrollJ",name9crl CA base revocation list
JJ4ocal#ostJ!ert)nrollJ",name%.&9crl CA base revocation list *first instance+
JJ4ocal#ostJ!ert)nrollJ"anameO9crl Delta C-9
JJ4ocal#ostJ!ert)nrollJ"aname%.&O9crl Delta C-9 *first instance+
140
)he cross;certificates are automatically generated #hen the Certificates service starts
after rene#ing a root CA certificate #ith a ne# key. Cross;certificates are not created for
subordinate CAsC and it does not occur #hen a root certificate is rene#ed #ith the same
key. !f you upgrade from "indo#s %&&& $erver after rene#ing a root CA certificate #ith a
ne# keyC the cross certificate is generated the first time that the certificate server service
starts after you upgrade to "indo#s $erver %&&'.
)he follo#ing sample is an e0ample of BB9ocalhostBCertenroll after a clean root CA
installation.
C:\>!ir \\:ocal<ost\certenroll
Dolume in !ri#e \\:ocal<ost\certenroll <as no la$el=
Dolume %erial Num$er is CC02-CAC(
Director; of \\:ocal<ost\certenroll
0.A3/A/00/ 33:0, A6 QD?R> =
0.A3/A/00/ 33:0, A6 QD?R> ==
0.A3/A/00/ 33:7/ A6 3F/44 concorp-
ca-00*CorporateRootCA=crt
0.A3/A/00/ 33:7/ A6 4/0 CorporateRootCA=crl
0.A3/A/00/ 33:7/ A6 7/3 nsre#*CorporateRootCA=asp
7 File&s' /F010 $;tes
/ Dir&s' 1F1,-F040F7.0 $;tes free
)he follo#ing sample is an e0ample of BB9ocalhostBCertconfig after a clean root CA
installation.
C:\>!ir \\local<ost\certconfig
Dolume in !ri#e \\local<ost\certconfig <as no la$el=
Director; of \\local<ost\certconfig
0.A3/A/00/ 3/:/- P6 QD?R> =
0.A3/A/00/ 3/:/- P6 QD?R> ==
0.A3/A/00/ 33:7/ A6 300 certsr#=$ak
0.A3/A/00/ 33:7/ A6 /3. certsr#=tMt
0.A3/A/00/ 33:7/ A6 3F/44 concorp-
7 File&s' 3F./0 $;tes
/ Dir&s' 1F1,-F040F7.0 $;tes free
)he follo#ing sample is an e0ample of BB9ocalhostBCertenroll after the t#o key rene#als
on a CA.
C:\>!ir \\local<ost\certenroll
Dolume in !ri#e \\local<ost\certenroll <as no la$el=
Director; of \\local<ost\certenroll
0.A33A/00/ 0,:1- P6 QD?R> =
0.A33A/00/ 0,:1- P6 QD?R> ==
0.A33A/00/ 00:73 P6 3F77- concorp-
141
ca-00*CorporateRootCA&3'=crt
0.A33A/00/ 00:73 P6 3F4/- concorp-ca-00*CorporateRootCA
&0-3'=crt
0.A33A/00/ 00:73 P6 3F410 concorp-ca-00*CorporateRootCA
&3-0'=crt
0.A33A/00/ 0,:1- P6 3F77- concorp-
ca-00*CorporateRootCA&/'=crt
0.A33A/00/ 33:0, A6 3F/44 concorp-
0.A33A/00/ 00:73 P6 417 CorporateRootCA&3'=crl
0.A33A/00/ 00:7/ P6 47- CorporateRootCA=crl
0.A33A/00/ 33:0, A6 7/3 nsre#*CorporateRootCA=asp
- File&s' 30F010 $;tes
/ Dir&s' 1F1-3F3,3F10. $;tes free
)he follo#ing sample is an e0ample of BB9ocalhostBCertconfig after t#o key rene#als on a
CA.
C:\>!ir \\local<ost\certconfig
Dolume in !ri#e \\local<ost\certconfig <as no la$el=
Director; of \\local<ost\certconfig
0.A33A/00/ 0,:1- P6 QD?R> =
0.A33A/00/ 0,:1- P6 QD?R> ==
0.A33A/00/ 33:/, A6 300 certsr#=$ak
0.A33A/00/ 33:0, A6 /3. certsr#=tMt
0.A33A/00/ 00:73 P6 3F4/- concorp-ca-00*CorporateRootCA
&0-3'=crt
0.A33A/00/ 00:73 P6 3F77- concorp-
ca-00*CorporateRootCA&3'=crt
0.A33A/00/ 00:73 P6 3F410 concorp-ca-00*CorporateRootCA
&3-0'=crt
0.A33A/00/ 0,:1- P6 3F77- concorp-
ca-00*CorporateRootCA&/'=crt
0.A33A/00/ 33:0, A6 3F/44 concorp-
01A/1A/00/ 30:07 A6 3F41/ connoam-ca-00*CONNOA6-CA-00=reR
- File&s' 30F30. $;tes
/ Dir&s' 1F1-3F3,3F10. $;tes free
142
'elations#ip of t#e !onfiguration
!ontainer and !ertificate Store
)he table in this section describes the relationship bet#een the information that is stored
in the configuration container of Active Directory and the certificate store. )ypicallyC parts
of the configuration information are replicated to the client@s certificate store.
)he default vie# of the Certificates MMC does not display the physical structure of the
certificate store. )o vie# the physical structure of the certificate storeC follo# this
procedure:
(. .pen Certificates.
)o do thisC click StartC click 'unC in the (pen bo0C type certmgr9mscC and then press
/1)/-.
%. 3erify that the local computer@s certificates and the current user@s certificate are
displayed in the console tree.
'. !n the console treeC click !ertificate %4ocal !omputer&.
<. .n the 0iew menuC click (ptionsC and select the P#ysical certificates store check
bo0.
,ote
Any information that is stored in a registry container has an impact on only the
local client. -egistry containers never receive information from the Active
Directory configuration conte0t. )he Intermediate !ertificate ut#orities E
@roup Policy container is not used in the client certificate store.
Certificates that are stored in the Active Directory Configuration container *$ites and
$ervices+ are deployed to all clients across the forest. Certificates that are deployed
through domain security are deployed only in the domain. !f a certificate is registered in
the Configuration container and the Domain $ecurity ?roup olicy obAect *?.+C a
certificate may occur t#ice on the client. )o prevent confusion #ith e0pired or invalid
certificatesC you must ensure that certificates are correctly published.
Eou can vie# the Active Directory configuration conte0t through the Active Directory $ites
and $ervices MMC.
"able 22 !ertificate !ontainers and !ertificate Stores
143
ctive $irectory !onfiguration container !lient certificates store
ctive $irectory Sites and Services MM!
!n the console treeC navigate to Certification
Authorities:
-omain.ameBConfiguration $ervicesBublic
Key $ervicesBCertification Authorities
/nterprise CAs are installed and
automatically published to this location. CA
certificates may also be added manually
through the certutil Edspublis# command.
4ocal !omputer
!n the console treeC navigate to
Certificates:
)rusted -oot Certificate
AuthoritiesB/nterpriseBCertificates
Sites and Services MM!
!n the console treeC navigate to A!A:
-omain.ameBConfigurationB$ervicesBublic
Key $ervicesBA!A
)his container also contains qualified
subordination certificates *cross;certificates+
that are controlled by the template that is
used to generate CA certificates.
4ocal !omputer
Certificates:
!ntermediate Certificate
AuthoritiesB/nterpriseBCertificates
"indo#s %&&&C "indo#s FC or "indo#s
$erver %&&' clients automatically
do#nload the content from the
configuration containerK "indo#s %&&&
clients do not support cross;certificates
$omain Security Settings MM!
!n the console treeC navigate to )rusted -oot
Certification Authorities:
Computer ConfigurationB"indo#s
settingsB$ecurity $ettingsBublic Key
oliciesB)rusted -oot Certification Authorities
4ocal !omputer
Certificates:
)rusted -oot Certificate
AuthoritiesB?roup olicyBCertificates
$omain Security Settings MM!
!n the console treeC navigate to /nterprise
)rust:
Computer ConfigurationB"indo#s
$ettingsB$ecurity $ettingsBublic Key
oliciesB/nterprise )rust
4ocal !omputer
!n the console treeC navigate to ?roup
olicy:
/nterprise )rustB?roup olicy
144
$efault ! !ertificate and !'4 Storage
During the installation of the root CAC the root certificate is saved to the follo#ing
locations:
BB9ocalhostBCertenroll
BB9ocahostBCertconfig
)he Certificates ME store of the local computer
)he )rusted -oot Certification Authorities container in the local computer registry
)he initial C-9 is published in the follo#ing locations:
)he !ntermediate Certification Authorities container in the registry of the local
computer
)he CA certificate of the stand;alone CA is stored in the follo#ing locations:
BB9ocahostBCertconfig
Certificates store of the local computer. )o look at the storeC do one of the follo#ing:
!n the Certificates MMCC in the console treeC double;click !ertificates %4ocal
!omputer&C double;click 'egistryC and then click !ertificates.
!omputer&C double;click Intermediate !ertification ut#oritiesC double;click
'egistryC and then click !ertificates.
)he C-9 of the root CA should be stored in the follo#ing locations:
Certificates store of the local computer. )o look at the storeC do the follo#ing:
'egistryC and then click !ertificate 'evocation 4ist
)he C-9 of the stand;alone CA is stored in the follo#ing locations:
2ile share BB9ocalhostBCertenroll
Certificates store of the local computer. )o look at the storeC do the follo#ing:
145
'egistryC and then click !ertificate 'evocation 4ist
Mapping !ustom (bAect Identifiers to
-riendly ,ames
"hen a certificate is enrolled and that certificate carries a custom obAect identifier and the
policy informationC an enrolled certificate@s purpose may display an obAect identifier
instead of a friendly description.
)his occurs because the template that is used for certificate enrollment cannot translate
the obAect identifier into a friendly name. Because of thisC custom obAect identifiers are
mapped to friendly names through the obAect identifier *also kno#n as .!D+ container in
the Active Directory. )he mapping must be done in the 3% template that #ill use the
custom obAect identifier. )o translate the obAect identifier into a friendly name:
(. .pen the Certificate )emplates MMC.
)o do thisC click StartC click 'unC in the (pen bo0C type certtmpl9mscC press /1)/-C
and then open any 3% template.
%. Click the )*tensions tab.
'. Click the pplication Policies e0tension.
<. Click )ditC click ddC and then click ,ew.
4. )ype both the friendly name and related obAect identifier numberC and then click (K.
!Policy9inf Synta*
)he purpose of the CAolicy.inf configuration file and its synta0 is described in "indo#s
$erver %&&' $erver >elp.
!f a CAolicy.inf file e0istsC it supersedes the default configuration that is used to install a
CA or rene# its CA certificate.
146
Sample !Policy9inf -ile for
!orporate'oot!
Eou can use the samples in this section for the root CAs CAolicy.inf file. 3erify that the
parameters in the PCertsrvI$erverQ section are the same as your requirementsC according
to the C$.
,ote
)he parameters specified in the PCertsrvI$erverQ section must be greater or must
match the key length and validity period used during CA setup other#ise the
value specified in the capolicy.inf #ill be ignored.
6nfortunately the keynames are different for "indo#s %&&& and "indo#s $erver %&&'.
>o#everC the "indo#s $erver %&&' Certification $erver is able to interpret the old
"indo#s %&&& synta0.
A CApolicy.inf file for a "indo#s %&&& root CA #ould look like this:
KDersionL
%ignature@ GS"in!ows N)SG
KCertsr#*%er#erL
Renewal8e;:engt<@104.
RenewalDali!it;Perio!nits@Jears
RenewalDali!it;Perio!@/0
KCR:Distri$utionPointL
KAut<orit;?nformationAccessL
A CApolicy.inf file for a "indo#s %&&' $erver root CA #ould look like this:
KDersionL
KCertsr#*%er#erL
Renewal8e;:engt<@104.
RenewalDali!it;Perio!@Jears
RenewalDali!it;Perio!nits@/0
KCR:Distri$utionPointL
KAut<orit;?nformationAccessL
As you can seeC the -ene#al3alidityeriod and -ene#al3alidityeriod6nits parameters
are s#itched in "indo#s $erver %&&' to make them more consistent.
!f you are using a "indo#s %&&& CAC see article %,74%8C DC-9 Distribution oint
/0tension !s 1ot $uppressed by the Capolicy.inf 2ileCD in the Microsoft Kno#ledge Base.
147
Sample !Policy9inf -ile for Intermediate!.
)his section contains a sample for the subordinate CAs CAolicy.inf file.
)he obAect identifiers and the 6-9s are provided only as an e0ample. Eou should replace
the obAect identifier values #ith obAect identifiers that belong to your organi=ation and
verify that the 6-9s are pointing to a location that is accessible.
)he CAolicy.inf file synta0 in "indo#s %&&& and "indo#s $erver %&&' are basically the
sameC e0cept that the PCApolicyQ sectionC #hich #as valid in "indo#s %&&&C is no#
Policy$tatement/0tensionQ.
.n a "indo#s %&&& CAC the CAolicy.inf file should look like the follo#ing sampleC
e0cept that the italici=ed items are placeholders. )he placeholders should be replaced
#ith the information for your specific situation.
KDersionL
%ignature@ GS"in!ows N)SG KCApolic;L
Policies @ All?ssuancePolic;
Critical @ FA:%2
KAll?ssuancePolic;L
O?D @ /=0=/4=7/=0
2or a "indo#s $erver %&&' CAC the CAolicy.inf file should look like the follo#ing
sampleC #here the italici=ed items are placeholders.
KDersionL
K Polic;%tatement2Mtension L
Policies @ All?ssuancePolic;
Critical @ FA:%2
KAll?ssuancePolic;L
O?D @ /=0=/4=7/=0
Sample !Policy9inf -ile for !orporate)nt.!
-or t#e Windows 2000 -amily
KDersionL
KCApolic;L
Policies @ :egalPolic;F :imite!sePolic;
K:egalPolic;L
O?D @ 3=3=3=3=3=3=3=3=3
R: @ G<ttp:AAwww=contoso=comApkiAPolic;A%:egalPolic;=aspG
R: @ Gftp:AAftp=contoso=comApkiAPolic;A%:egalPolic;=tMtG
K:imite!sePolic;L
O?D @ /=/=/=/=/=/=/=/=/
148
R: @ G<ttp:AAwww=contoso=comApkiAPolic;A%:imite!sePolic;=aspG
R: @ Gftp:AAftp=contoso=comApkiAPolic;A%:imite!sePolic;=tMtG
-or t#e Windows Server 2003 -amily
KDersionL
KPolic;%tatement2MtensionL
Policies @ :egalPolic;F :imite!sePolic;
K:egalPolic;L
O?D @ 3=3=3=3=3=3=3=3=3
R: @ G<ttp:AAwww=contoso=comApkiAPolic;A%:egalPolic;=aspG
R: @ Gftp:AAftp=contoso=comApkiAPolic;A%:egalPolic;=tMtG
K:imite!sePolic;L
O?D @ /=/=/=/=/=/=/=/=/
R: @ G<ttp:AAwww=contoso=comApkiAPolic;A%:imite!sePolic;=aspG
R: @ Gftp:AAftp=contoso=comApkiAPolic;A%:imite!sePolic;=tMtG
!'4 $istribution Point 'eplacement
"o7en
-eplacement tokens are used to retain the configuration of distribution points fle0ible.
Eou can use replacement tokens in the CAolicy.inf file and in the Certification Authority
MMC in ! )*tensions.
A replacement token consists of the percent sign and a number. )his behavior occurs if
you use replacement tokens in the Certificate $ervices MMC or if you use them in a
certutil command. !f replacement tokens are used in a batch fileC and you use the
percent sign *N+C you must use another escape sign #hen neededC because the
"indo#s shell typically interprets a percent sign as a command;line parameter.
)he mapping of replacement tokens is different in versions of "indo#s later than
"indo#s %&&& $erver. 2or more information and a list of replacement tokens that are
valid on computers that are running "indo#s %&&&C see Article %8'((,C /rror Message: A
-eplacement )oken /ntered Does 1ot Match Any -ecogni=ed )oken in the Microsoft
Kno#ledge Base.
Eou can use the follo#ing tokens for !'4$istributionPointC
ut#orityInformationccessC and !ross!ertificate$istributionPoints)*tension
6-9s.
"able 23 !'4 $istribution Point 'eplacement "o7ens
149
"o7en name $escription Windows 2000
map value
Windows Server
2003 map value
$erverD1$1ame )he D1$ name of
the CA server
N( N(
$erver$hort1ame )he 1etB!.$ name
of the CA server
N% N%
Ca1ame )he name of the CA N' N'
CertI$uffi0 )he rene#al
e0tension of the CA
N< 1HA
Certificate1ame 1HA N<
DomainI1ame )he location of the
domain root in
Active Directory
N4 1HA
*1ot used+ 1HA N4
ConfigurationContainer )he location of the
configuration
container in Active
Directory
N5 N5
CA)runcated1ame )he Dsaniti=edD
name of the CAC '%
characters #ith a
hash on the end
N7 N7
C-91ame$uffi0 )he rene#al
e0tension for the
C-9
N8 N8
DeltaC-9Allo#ed N,
CD.bAectClass N(&
CA.bAectClass N((
)he Certification $erver setup process replaces all FnumberF sequences #ith the
appropriate value.
150
!'4 Publis#ing Properties
)he Publis# !'4s to t#is location flag is used to identify the locations to #hich the CA
should publish *or place+ the physical C-9s #hen the CA publishes a C-9 either
automatically or manually. )his flag specifies only #here C-9s are published. !t is also
used by the certutil9e*e Edspublis# command #hen you manually publish C-9s to
Active Directory. Both the Publis# !'4 and Publis# $elta !'4 flags on the -evoked
Certificates roperties page are responsible for turning the publishing activity on and off.
)he Publis# !'4s to t#is location flag indicates the locations that the CA should
attempt to use to publish the C-9. )his flag does not configure the server to conduct the
publishing activityC but only sets it up so that the CA can determine the appropriate
locations to #hich to publish #hen publishing occurs. 1ote that actual publishing activity
is governed by the 'evo7ed !ertificates properties.
)he Include in all !'4s flag specifies that the Active Directory publication location
should be included in the C-9 itself. )his information is useful for publishing offline C-9s
to Active Directory by using the Certutil.e0e tool. )o use thisC at a command promptC type
certutil Edspublis#C and then press /1)/-.
)he Include in !$P e*tension of issued certificates flag is used by clients to find the
C-9 distribution point location for the C-9. Eou should al#ays specify this flag unless you
do not #ant to use client;side checking or application revocation checking for issued
certificates.
)he Include in !'4s9 !lients use t#is to find $elta !'4s flag is used by clients to
determine if a delta C-9 e0ists and #here it is located. )he location may or may not be
the same as the C-9 location. )he delta C-9 location is identified in the C-9 by use of
the fres#est!'4 e0tension in the C-9 obAect itself.
Eou may #ant to have a base C-9 in an 9DA location in Active Directory and a delta
C-9 at an alternate >)) location because of the differences in replication. !f the delta
C-9 #ill be issued at an interval that is shorter than the replication convergence time for
your forestC the delta C-9 should not be published to Active Directory. !n many Active
Directory net#orksC it may take hours for Active Directory obAects to fully replicate
throughout the net#ork. 2or delta C-9s that may have a lifetime only of a fe# hoursC the
replication latency often means that Active Directory clients receive a delta C-9 obAect
that has already e0pired by the time it reaches the client. Eou can avoid this latency by
publishing the delta C-9 to an >)) location that is serviced by fault;tolerant "eb
serversC #here all clients can immediately retrieve a fresh delta C-9.
"able 23 !'4 Publis#ing Properties
151
$isplay name $escription $ecimal value 8e*adecimal value
ublish C-9s to
this location
6sed by the CA to
determine #hether to
publish base C-9s to
this 6-9
( &0&&&&&&&(
!nclude in the C-9
distribution point
e0tension of issued
certificates
6sed by clients during
revocation checking to
find base C-9 locations
% &0&&&&&&&%
!nclude in PbaseQ
C-9s
6sed by clients during
revocation checking to
find delta C-9 locations
from base C-9s
< &0&&&&&&&<
!nclude in all C-9s 1ot used during
revocation checking.
$pecifies #here to
publish in Active
Directory #hen
publishing manually
using certutil
1dspublis#. Can be
used by an offline CA to
specify the 9DA 6-9
for manually publishing
C-9s. Must also set the
e0plicit configuration
container in the 6-9 or
set the $S!onfig$,
value in the registry:
certutil Esetreg
caJ$S!onfig$, !,B
8 &0&&&&&&&8
(5 &0&&&&&&(&
'% &0&&&&&&%&
ublish delta C-9s
to this location
6sed by the CA to
determine #hether to
publish delta C-9s to
this 6-9
5< &0&&&&&&<&
152
I Publis#ing Properties
)he table sho#s the publishing properties for the Authority !nformation Access *A!A+.
"able 26 I Publis#ing Properties
$isplay name $ecimal value 8e*adecimal value
!nclude in the A!A e0tension
of issued certificates
( &0&&&&&&&(
!nclude in the online
certificate status protocol
*.C$+ e0tension
% &0&&&&&&&%
Sample Script to !onfigure
!orporate'oot!
)he script in this section applies the most important configuration changes to a "indo#s
$erver %&&' CA for the Corporate-ootCA computer.
Important
Because percent *N+ variables are handled differently in batch files and at a
command promptC you must use t#o percent signs *NN+ if you run this sample
script from a batch fileC as described. !f certutil is called from a command prompt
and not from a batch fileC only use only one percent sign *N+C not t#o percent
signs *NN+.
R26
R26 CA configuration script for a "in!ows %er#er /007 CA
R26
R26 )<e naming conteMt applies to t<e in!i#i!ual organiOations Acti#e
Director;
R26 configuration
R26
%2) m;ADnamingconteMt@DC@concorpFDC@contosoFDC@com
R26
R26 )<is #aria$le !irects to t<e E))P pu$lication location t<at is use!
153
for
R26 t<e CR: an! A?A pu$lication
R26
%2) m;<ttpP8?#root@<ttp:AAwww=contoso=comApki
R26
R26 (ecause CR:s an! CA certificates are pu$lis<e! in t<e
organiOations Acti#e
R26 Director;F no specific :DAP ser#er name is pro#i!e!=
R26 %et an !e!icate! ser#er-name instea!
R26 if a known ser#er s<oul! pro#i!e t<e CR:s an! A?As
R26
%2) m;:DAPser#er@
R26
R26 6ap t<e namespace of Acti#e Director;
R26
certutil=eMe -setreg ca\D%ConfigDN
GCN@ConfigurationFCm;ADnamingconteMtCG
R26
R26 Configure CR: an! A?A CDP
R26
R26 (; !efaultF Certutil creates a registr; #alue of t;pe R29*%B if a
string is
R26 specifie! as a parameter= %ome registr; #alues are eMpecte! as
R29*6:)?*%B= )o
R26 create a R29*6:)?*%B instea! of a R29*%BF a!! a \n to t<e en! of
an; #alue t<at
R26 $ecomes part of t<e R29*6:)?*%B
R26
G3:C"?ND?RC\s;stem7/\Cert%r#\Cert2nroll\CC7CC-CC4=crl\n/:Cm;<ttp
P8?#rootCACC7CC-CC4=crl\n30:l!ap:AACm;:DAPser#erCACN@CC,CC-FCN@CC/F
CN@CDPFCN@Pu$lic 8e; %er#icesFCN@%er#icesFCC.CC30G
G3:C"?ND?RC\s;stem7/\Cert%r#\Cert2nroll\CC3*CC7CC1=crt\n/:Cm;<ttp
P8?#rootCACC3*CC7CC1=crt\n/:l!ap:AACm;:DAPser#erCACN@CC,FCN@A?AF
CN@Pu$lic 8e; %er#icesFCN@%er#icesFCC.CC33G
R26
R26 Configure CR: pu$lication
R26
R26
R26 Disa$le Delta CR: pu$lication
R26
R26
R26 %et t<e #ali!it; perio! for issue! certificates
R26
R26
154
R26 Restart t<e CA ser#er ser#ice
R26
R26
R26 Repair CA file s;stem s<ares an! ??% #irtual roots
R26
certutil -#root
R26
R26 Repu$lis< t<e CR:
R26 )<e CR: pu$lis<ing ma; imme!iatel; not work
R26 after ;ou restart t<e CA ser#er ser#ice= ?f t<is $e<a#ior
R26 occursF tr; t<e certutil TCR: comman! at a comman!
R26 prompt again=
R26
certutil -CR:
R26
R26 )est if CAPolic;=inf file eMists
R26
?F 2U?%) C%J%)26ROO)C\capolic;=inf 9O)O 2NDCF9
2CEO "arningF no capolic;=inf file use!
:2NDCF9
)he follo#ing script applies the same configuration as the previous scriptC but it
configures a "indo#s %&&& CA. -emember that the delta C-9 configuration parameter is
not supported in a "indo#s %&&& CA environment. )o perform the certutil E2'4 and
certutil Evroot commandsC you must run the version of certutil that is included #ith
"indo#s $erver %&&' on the "indo#s %&&& CA computer.
R26
R26 CA configuration script for a "in!ows /000 CA
R26
for
R26
R26
R26 Director;F no specific :DAP ser#er name is pro#i!e!= %et a
!e!icate! ser#er
R26 name instea!F if a known ser#er s<oul! pro#i!e t<e CR:s an! A?As=
R26
%2) m;:DAPser#er@
R26
R26
certutil -setreg polic;\FileRe#ocationCR:R: G\n
Cm;<ttpP8?#rootCACC7CC-=crl\n
155
l!ap:AACm;:DAPser#erCACN@CC,CC-FCN@CC/FCN@CDPFCN@Pu$lic 8e; %er#icesF
CN@%er#icesFCC.HcertificateRe#ocation:istH$aseHo$>ectclass@
certutil -setreg polic;\File?ssuercertR: G\n
certutil -setreg polic;\?ssuercertR: Cm;<ttpP8?#rootCACC3*CC7CC1=crtG
l!ap:AACm;:DAPser#erCACN@CC,FCN@A?AFCN@Pu$lic 8e;
certificationAut<orit;
R26
R26
R26
R26
R26
R26 Disa$le issuer name an! issuer serial num$er
R26
certutil -setreg polic;\2!itFlags -2D?)F*2NA(:2A8??%%2RNA62
certutil -setreg polic;\2!itFlags -2D?)F*2NA(:2A8??%%2R%2R?A:
R26
R26
R26
R26 Repair CA files-s;stem s<ares an! ??% #irtual roots
R26
certutil -#root
R26
R26 Pu$lis< t<e CR: wit< t<e up!ate! CDP an! naming information=
R26 ?t mig<t <appen t<at CR: pu$lis<ing fails imme!iatel;
R26 after t<e CA ser#er ser#ice <as $een restarte!= ?f t<is
R26 is t<e caseF tr; certutil TCR: at a comman! prompt again=
R26
certutil -CR:
Sample Script to !onfigure
Intermediate!
)he follo#ing script applies the most important configuration changes to a "indo#s
$erver %&&' CA for the !ntermediateCA computer.
156
R26
R26
R26 )<e naming conteMt applies to t<e in!i#i!ual organiOations Acti#e
Director;
R26 configuration
R26
%2) m;ADnamingconteMt@DC@concorpFDC@contosoFDC@com
R26
for
R26
R26
R26 Director;F no specific :DAP ser#er name is pro#i!e!= %et an
!e!icate! ser#er
R26 name instea!F if a known ser#er s<oul! pro#i!e t<e CR:s an! A?As=
R26
%2) m;:DAPser#er@
R26
R26 6ap t<e namespace of Acti#e Director;
R26
certutil=eMe -setreg ca\D%ConfigDN
GCN@ConfigurationFCm;ADnamingconteMtCG
R26
R26
R26 (; !efaultF Certutil creates a registr; #alue of t;pe R29*%B if a
string is
R29*6:)?*%B=
R26 )o create a R29*6:)?*%B instea! of a R29*%BF a!! a \n to t<e en!
of an; #alue
R26 t<at $ecomes part of t<e R29*6:)?*%B
R26
G3:C"?ND?RC\s;stem7/\Cert%r#\Cert2nroll\CC7CC-CC4=crl\n/:Cm;<ttp
P8?#rootCACC7CC-CC4=crl\n30:l!ap:AACm;:DAPser#erCACN@CC,CC-FCN@CC/F
G3:C"?ND?RC\s;stem7/\Cert%r#\Cert2nroll\CC3*CC7CC1=crt\n/:Cm;<ttp
P8?#rootCACC3*CC7CC1=crt\n/:l!ap:AACm;:DAPser#erCACN@CC,FCN@A?AF
CN@Pu$lic 8e; %er#icesFCN@%er#icesFCC.CC33G
R26
R26
certutil -setreg CA\CR:Perio!nits 70
157
R26
R26 Disa$le Delta CR: pu$lication
R26
R26
R26
R26
R26 ?nclu!e certificate policies in certificate reRuest
R26
certutil -# -setreg polic;\2na$leReRuest2Mtensionlist GV/=0=/4=7/G
R26
R26
R26
R26
R26
R26
R26
certutil -#root
R26
R26 is t<e caseF tr; certutil TCR: at a comman! prompt again=
R26
certutil -CR:
)he follo#ing script applies the same configuration as the previous script but the
follo#ing script configures a "indo#s %&&& CA. -emember that the delta C-9
configuration parameter is not supported in a "indo#s %&&& CA environment. )o use the
certutil E2'4 and certutil Evroot commandC you must run the "indo#s $erver %&&'
version of the certutil utility on the "indo#s %&&& CA computer.
R26
R26
for
R26
R26
158
!e!icate! ser#er
R26 name instea! if a known ser#er s<oul! pro#i!e t<e CR:s an! A?As=
R26
%2) m;:DAPser#er@
R26
R26
R26 (; !efaultF certutil creates a registr; #alue of t;pe R29*%B if a
string is
R29*6:)?*%B= )o
R26 create a R29*6:)?*%B #alue instea! of a R29*%B #alueF a!! \n to
t<e en! of an;
R26 #alue t<at $ecomes part of R29*6:)?*%B=
R26
certutil -setreg polic;\FileRe#ocationCR:R: \n
certutil -setreg polic;\File?ssuercertR:
GC"?ND?RC\s;stem7/\Cert%r#\Cert2nroll\CC3*CC7CC1=crt\n
l!ap:AACm;:DAPser#erCACN@CC,FCN@A?AFCN@Pu$lic
8e; %er#icesFCN@%er#icesFCC.HcACertificateH$aseHo$>ectclass@
R26
R26
R26
R26
R26
R26 ?nclu!e certificate policies in certificate reRuest
R26
certutil -# -setreg polic;\2na$leReRuest2Mtensionlist GV/=0=/4=7/G
R26
R26
R26
159
R26
R26
R26
R26
certutil -#root
R26
R26 Repu$lis< t<e CR:=
R26 is t<e case tr; certutil TCR: at a comman! prompt again=
R26
certutil -CR:
Sample Script to !onfigure t#e
)nterpriseSub!
)he follo#ing script applies the most important configuration changes to a "indo#s
$erver %&&' CA for the /nterprise$ubCA computer.
Important
Because percent *N+ variables are handled differently in batch files and at a
command promptC you must use t#o percent signs *NN+ if you run this sample
script from a batch fileC as described. !f certutil is called from a command prompt
and not from a batch fileC only use one percent sign *N+C not t#o *NN+.
R26
R26
for
R26 CR: an! A?A pu$lication
R26
R26
organiOationWs Acti#e
R26 Director;F no specific :DAP ser#er name is pro#i!e!=
R26
%2) m;:DAPser#er@
R26
160
R26
certutil -setreg CA\CR:Pu$licationR:s G.0:
C"?ND?RC\s;stem7/\Cert%r#\Cert2nroll\CC7CC-CC4=crl\n.:Cm;<ttp
P8?#rootCACC7CC-CC4=crl\n,4:l!ap:AACm;:DAPser#erCACN@CC,CC-FCN@CC/F
certutil -setreg CA\CACertPu$licationR:s G3:
C"?ND?RC\s;stem7/\Cert%r#\Cert2nroll\CC3*CC7CC1=crt
n/:Cm;<ttpP8?#rootCACC3*CC7CC1=crt\n/:l!ap:AACm;:DAPser#erCACN@CC,F
CN@A?AFCN@Pu$lic 8e; %er#icesFCN@%er#icesFCC.CC33\G
R26
R26
R26
R26
R26
R26
R26
R26 Create "e$ #irtual roots an! file s<ares
R26
certutil=eMe -#root
R26
R26
certutil -CR:
)he follo#ing script applies the same configuration as the previous scriptC but it
configures a "indo#s %&&& CA. -emember that the delta C-9 configuration parameter is
not supported in a "indo#s %&&& CA environment. )o use the certutil E2'4 and certutil
Evroot commandsC you must run the version of the !ertutil9e*e utility that is included
#ith the "indo#s $erver %&&' operating system on the computer serving as the
"indo#s %&&& CA.
R26
R26
for
R26
R26
organiOationWs Acti#e
161
!e!icate! ser#er
R26 name instea! if a known ser#er s<oul! pro#i!e t<e CR:s an! A?As=
R26
%2) m;:DAPser#er@
R26
R26
certutil -setreg polic;\FileRe#ocationCR:R: G\n
certutil -setreg polic;\File?ssuercertR:
GC"?ND?RC\s;stem7/\Cert%r#\Cert2nroll\CC3*CC7CC1=crt\n
l!ap:AACm;:DAPser#erCACN@CC,FCN@A?AFCN@Pu$lic 8e;
R26
R26
R26
R26 Disa$le !elta CR: pu$lication
R26
R26
R26
R26
R26
R26
R26 Create "e$ #irtual roots an! file s<ares
R26
certutil=eMe -#root
R26
R26
certutil -CR:
162
ppendi* B> Parameters for a "#ree1"ier
! "opology
)his section describes all of the parameters that are required to set up a three;tier CA
topology. !t is recommended that the values are agreed bet#een the departments in the
organi=ation *!) departmentC legal departmentC and so on+.
)he parameters in this section are in the sequence in #hich they are used during the
setup. )he heading describes the parameter@s name and the table contains detailed
information about the parameter.
Important
Make sure that you have predefined all of the parameters in this sectionC
because every value is mandatory.
'oot! !onfiguration Parameters
)his section provides a list of parameters that must be defined during the setup
procedure for a stand;alone offline root CA. )he sample values are related to the sample
configuration that is e0plained in the previous section.
-egistry references follo# the synta0 that is used by the certutil command. )o get more
information about the registry valuesC at a command promptC type certutil Egetreg 1G and
press /1)/-.
'enewal Key 4engt# %! !ertificate&
Description !t is recommended that the key length does
not e0ceed <&,5 bits because this is the
ma0imum interoperable key length #ith
most programs and K! providers. )he
rene#al key length must not be shorter than
the key length that you chose during the CA
installation procedure.
$ample value <&,5
Defined at CAolicy.inf
$tored at -ene#ed CA certificate
!mpacts )he root CA key material
163
'enewal 0alidity Period %! !ertificate&
Description Describes the lifetime of a CA certificate
that is a rene#al of a previous CA
certificate. !t is recommended that root CAs
be configured #ith a longer lifetime than any
other CA in the hierarchy because this
configuration reduces the administrative
burden that is caused by rene#ing all
certificates that are singed by the CA@s
certificate.
$ample value (&%&
$tored at CA certificate that is related to the date and
time #hen the certificate #as enrolled
!mpacts )he CA root certificate and all certificates
that #ill be signed by the root
'enewal 0alidity Period 2nits %! !ertificate&
Description Defines the measurement related to the
validity time. 3alid values are yearsC
monthsC or days. 2or a CA certificate
lifetime the usual unit is years.
$ample value Eears
$tored at CA certificate related to the date and time
#hen the certificate has been enrolled
!mpacts )he CA root certificate and all certificates
that #ill be signed by the root
!ertificate 'evocation 4ist %!'4& $istribution Point %! certificate&
164
Description A C-9 distribution point must not be
configured to be contained in the self;signed
root CA certificate. Most applications do not
check revocation on root CA certificatesK
thereforeC C-9 distribution point e0tensions
are not necessary or recommended. !t is
also senseless to set a C-9 distribution
point for a root certificate because there is
no higher instance that could revoke the
root certificate.
$ample value 1one
$tored at CA certificate
!mpacts )he attribute setting in the CA root
certificate and all applications that verify the
root CA@s validity
ut#ority Information ccess %I& %! certificate&
Description An A!A must not be specified for a root CA
certificate. )his is because the A!A points to
the location of the certificate that #as used
for signing this certificate. $ince a root CA is
self;signedC you do not need to specify an
A!A.
$ample value 1one
!mpacts All applications that verify the root CA@s
validity
!SP %! !ertificate&
165
Description )he C$ is responsible for generating the certificates key material
and the certificate generation.
$ample value Microsoft $trong Cryptographic rovider
Defined at CA !nstallation "i=ard
$tored at 2or the "indo#s %&&& $erver family and the "indo#s $erver %&&'
family:
CA -egistry:
8K4MJSystemJ!urrent!ontrolSetJServicesJ!ertSvcJ!onfiguration
J",.ameJ!SPJProvider
!mpacts CA certificate
8as# lgorit#m
Description Defines the hash algorithm that is used for hashing and signing certificate
contents.
$ample
value
$>A;(
Defined at CA installation #i=ard
$tored at CA registry:
8K4MJSystemJ!urrent!ontrolSetJServicesJ!ertSvcJ!onfigurationJJ",.ame
J!SPJ8as#lgorit#m
Key 4engt# %! !ertificate&
Description Defines the comple0ity of the key material
assigned to the CA certificate. !t is
recommended that the key length does not
e0ceed <&,5 bits because this is the
ma0imum interoperable key length today
#ith most applications and K! providers.
$ample value <&,5
166
$tored at Certificate request and is only used
temporarily
!mpacts )he -oot CA key material that could be
stored #ithin a >$M or encrypted on the
CAs hard drive
!ommon ,ame
Description )he common name must not e0ceed 5< characters in length. !t is
important to remember that each space in the name #ill actually use
three characters in the total length because of ho# escape characters
are #ritten *N%&+.
$ample value Corporate-ootCA
$tored at -egistry:
J",.ameJ!ommon,ame
!mpacts )he common name becomes part of the certificate issuer name and is
also part of the C-9 and A!A if replacement tokens are used. )he
common name is used by several variables that are used to set the
C-9 and A!A.
$istinguis#ed ,ame Suffi*
Description )he name maps to the namespace that is used by the
domain #here the CA belongs to. $ince the -oot;CA is
configured as a stand;alone CAC the distinguished
name should be mapped to the same namespace that
#ill be used for the enterprise CA.
$ample value DCLconcorpCDCLcontosoCDCLcom
Defined at CA configuration that takes place after the installation
167
$tored at "indo#s %&&& and "indo#s %&&'
-egistry:
8K4MJSystemJ!urrent!ontrolSetJServicesJ!ertSvc
J!onfiguration J",.ameJ$S!onfig$,
!mpacts )he distinguished name becomes part of the certificate
issuer name and is also part of the C-9 and A!A if
replacement tokens are used. !t is also used by
several variables that are used to set the C-9 and A!A.
0alidity Period %! !ertificate&
Description )he parameter defines ho# long from no#
the CA certificate #ill be validC depending
on the validity period units
$ample value %
$tored at CA certificate related to the date and time
#hen the certificate has been enrolled
!mpacts )he CA certificate and the validity time of all
certificates that are signed by the -oot CA
certificate.
! $atabase Pat#
Description Defines #here the CA@s database is located in the root
CA@s file system.
$ample value C:BCertlog
$tored at "indo#s %&&& and "indo#s %&&'
-egistry:
J!onfiguration J",.ameJ$B$irectory
168
!mpacts )he CA must be able to get the appropriate path name
from the registry #hen the CA starts up.
! 4og -ile Pat#
Description Defines #here the CA@s transaction log;files are
located in the CA@s file system.
$tored at "indo#s %&&& and "indo#s %&&' $erver families:
-egistry:
J!onfiguration J",.ameJ$B4og$irectory
!mpacts )he CA must be able to get the appropriate path name
from the registry #hen the CA starts up.
S#ared -older
Description Defines #here the CA@s transaction log;files are
located in the root CA@s file system.
$ample value BBPVlocalhostQWBCertConfig
$tored at "indo#s %&&& and the "indo#s %&&' $erver family
-egistry:
J!onfiguration J",.ameJ!onfiguration$irectory
!mpacts ClientsC those are not able to receive the CA certificate
through group policies and need to import the
certificate manually.
!ertificate 'evocation 4ist %!'4& $istribution Point
169
Description Defines the 6-9s #here the client #ill find the certificate revocation
list that is related to the certificate. )he C-9 distribution point of a root
CA should be empty.
$ample value PemptyQ
Defined at Certification Authority MMC
$tored at "indo#s %&&& $erver family:
-egistry:
8K4MJSystemJ!urrent!ontrolSetJServicesJ!ertSvcJPolicy
J-ile'evocation!'42'4
-egistry:
JPolicyJ4$P'evocation!'42'4
-egistry:
JPolicyJ'evocation!'42'4
"indo#s $erver %&&':
-egistry: 8K4MJSystemJ!urrent!ontrolSetJServicesJ!ertSvc
J!onfiguration J",.ameJ!'4Publication2'4s
!mpacts Any userC computerC serviceC or program that verifies the root
certificate
ut#ority Information ccess %I&
Description Defines the 6-9s #here the client can locate the
certificate@s issuer certificate. Because a root CA
issues the CA certificate to itselfC you do not need to
specify an issuer. )he A!A of a root CA should be
empty.
$ample value PemptyQ
170
$tored at "indo#s%&&& $erver family:
-egistry:
J!onfigurationJPolicy J-ileIssuer!ert2'4
-egistry:
J!onfigurationJPolicy J4$P-ileIssuer!ert2'4
-egistry:
J!onfigurationJPolicyJIssuer!ert2'4
-egistry:
J!onfiguration J",.ameJ!!ertPublication2'4s
!mpacts Any userC computerC serviceC or program that verifies
the root certificate
!'4 Publication Interval
Description )he value controls the C-9 validity time and the C-9
publication cycle. According to the valueC the C-9 is
published on a regular basis. !ts validity time is set to
the publication time and date and the defined value.
$ample value (8& days
$tored at -egistry:
J!onfigurationJ",.ameJ!'4period
-egistry:
J!onfigurationJ",.ameJ!'4period2nits
!mpacts CA C-9 publication algorithm and any userC computerC
serviceC or program that verifies the C-9.
171
$elta !'4 Publication Interval
Description Defines similar to the C-9 publication interval and the publication
interval of the delta C-9. 2or an offline CAC it is recommended that
you disable delta C-9 publication.
$ample value & *#hich is equal to disabled delta C-9 publication+
$tored at "indo#s %&&&:
1ot available
"indo#s $erver %&&'
-egistry:
J",.ameJ!'4$eltaPeriod
-egistry:
J",.ameJ!'4$eltaPeriod2nits
!mpacts Any client that can verify the certificate validity through delta C-9s
0alidity period
Description Defines the period of time that a certificate that #as issued by the CA is
valid. )he validity period cannot e0tend the certificate validity beyond the
certificate of the issuing CA.
$ample value 4 years
$tored at -egistry:
8K4MJSystemJ!urrent!ontrolSetJServicesJ!ertSvcJ!onfigurationJ",
.ameJ0alidityPeriod2nits
-egistry:
8K4MJSystemJ!urrent!ontrolSetJServicesJ!ertSvcJ!onfigurationJ",
.ameJ0alidityPeriod
172
!mpacts )he validity time of any certificate that #ill be issued from that stand;alone
CA.
Intermediate ! !onfiguration Parameters
)his section provides a list of parameters that must be defined during the setup
procedure for a stand;alone offline root CA. )he sample values are related to the sample
configuration that is e0plained in the previous section.
! Policy
Description Defines the 6-9 or the te0t that applies to the CA@s
policy. )he policy describes different types of rulesC
such as ho# the CA is operatedC #hich legal policies
are validC and so on.
$ample value .!D L (.(.(.(.(.(.(.(.(
6-9 L
http:HH###.contoso.comHpkiHolicyH6$9egalolicy.asp
6-9 L
Dftp:HHftp.contoso.comHpkiHolicyH6$9egalolicy.t0tD
!mpacts All certificates that are directly or indirectly signed by
this CA certificate
!SP %! !ertificate&
Description ?enerates the certificate@s key material and the certificate generation.
$tored at CA -egistry:
173
8as# lgorit#m
Description Defines the hash algorithm that is used for
hashing and signing certificate contents.
$ample value $>A;(
$tored at CA registry: ",.ameJ!SPJ8as#lgorit#m
that is assigned to the CA certificate. !t is
e0ceed <&,5 bitsC because this is the
most applications and K! providers. )he
key length of a subordinate CA is typically
shorter than the key length of its parent CA.
$ample value %&<8
$tored at Certificate request and is only temporarily
used
!mpacts )he root CA key material that could be
stored in an >$M or encrypted on the CAs
hard disk
!ommon ,ame
174
important to remember that each space in the name uses three
characters in the total of the overall length because of the escape
character sequence *N%&+.
$ample value !ntermediateCA
$tored at -egistry:
J",.ameJ!ommon,ame
C-9 and A!A.
! $atabase Pat#
Description Defines #here the CA@s database is located in the CA@s file system.
$tored at -egistry:
J$B$irectory
!mpacts )he CA must be able to obtain the appropriate path name from the
registry #hen the CA starts.
! 4og -ile Pat#
Description Defines #here the CA@s transaction log files are located in the CA@s file
system.
$ample value D:BCertlog
175
$tored at -egistry:
J$B4og$irectory
S#ared -older
Description Defines #here the CA@s transaction log files are located in the root
CA@s file system.
$ample value BBV9ocalhostWBCertConfig
$tored at -egistry:
J!onfiguration$irectory
!mpacts Clients that cannot receive the CA certificate through group policies
and need to manually import the certificate.
Description )he name maps to the name space that is used by the domain to
#hich the CA belongs. Because the intermediate CA is configured as
a stand;alone CAC the distinguished name should be mapped to the
same name space that #ill be used for the enterprise CA.
$ample value Domain ControllerDCLconcorpCDCLcontosoCDCLcom
Defined at CA configuration that occurs after the installation procedure
$tored at -egistry:
J",.ameJ$S!onfig$,
!mpacts )he distinguished name becomes part of the certificate issuer name
and is also part of the C-9 and A!A if replacement tokens are used. !t
is also used by several variables that are used to set the C-9 and
A!A.
176
!'4 $istribution Point
Description Defines the 6-9s #here the client can locate the certificate
revocation list *C-9+ that is related to the certificate.
$ample value http:HH###.contoso.comHpkiHN'N8N,.crl
ldap:HHHC1LN7N8CC1LN%CC1LCDCC1Lublic Key
Defined at CA MMC
$tored at !n "indo#s %&&&:
-egistry:
-egistry:
J4$P'evocation!'42'4
-egistry:
J'evocation!'42'4
!n "indo#s $erver %&&':
-egistry: CA1ameJ!'4Publication2'4s
certificate
Description Defines the 6-9s #here the client can locate the certificate@s
issuer certificate. Because a root CA issues the CA certificate
to itselfC no issuer needs to be specified.
$ample value http:HH###.contoso.comHpkiHN(IN'N<.crt
ldap:HHHC1LN7CC1LA!ACC1Lublic Key
177
-egistry:
J-ileIssuer!ert2'4
-egistry:
J4$P-ileIssuer!ert2'4
-egistry:
JIssuer!ert2'4
-egistry: ",.ameJ!!ertPublication2'4s
certificate
Description Also controls also the C-9 validity time
$ample value (8& days
$tored at -egistry:
J",.ameJ!'4period
-egistry:
J",.ameJ!'4period2nits
!mpacts CA C-9 publication algorithm and any userC computerC serviceC or
program that verifies the C-9.
$elta !'4 Publication Interval
178
$ample value & *#hich is equal to disabled delta C-9 publication+
1ot available.
"indo#s $erver %&&'
-egistry:
-egistry:
0alidity Period
Description Defines the period of time that a certificate that #as issued by the CA
is valid. )he validity period cannot e0tend the certificate validity
beyond the certificate of the issuing CA.
$ample value % years
$tored at "indo#s %&&& and "indo#s $erver %&&'
-egistry:
J",.ameJ0alidityPeriod2nits
-egistry:
J",.ameJ0alidityPeriod
179
!mpacts )he validity time of any certificate that #ill be issued from that stand;
alone CA.
Issuing ! !onfiguration Parameters
!SP %! !ertificate&
Description )he C$ is responsible for generating the certificate@s key material
and certificate generation.
$tored at -egistry:
8as# lgorit#m
Description Defines the hash algorithm that is used for hashing and signing
certificate contents.
$ample value $>A;(
$tored at CA registry:
J",.ameJ!SPJ8as#lgorit#m
180
that is assigned to the CA certificate. !t is
e0ceed <&,5 bits because this is the
most applications and K! providers. )he
key length of a subordinate CA is typically
shorter than the key length of its parent CA.
$ample value %&<8
$tored at Certificate request and is only used
temporarily
!mpacts CA key material
!ommon ,ame
important to remember that each space in the name uses three
characters in the total of the overall length because of the escape
character sequence *N%&+.
$ample value Corporate/ntCA
$tored at "indo#s %&&& and "indo#s $erver %&&':
-egistry:
J",.ameJ!ommon,ame
C-9 and A!A.
! $atabase Pat#
Description Defines #here the CA@s database is located in the CA@s file system.
181
$tored at -egistry:
J$B$irectory
! 4og -ile Pat#
Description Defines #here the CA@s transaction log files are located in the root
CA@s file system.
$tored at -egistry:
J$B4og$irectory
S#ared folder
Description Defines #here the CA@s transaction log files
are located in the root CA@s file system. )he
shared folder is not required for an
enterprise CA.
$ample value BB9ocalhostBCertConfig
$tored at 6ser;defined location during installation
!mpacts Clients that cannot receive the CA certificate
through group policies and need to manually
import the certificate.
182
Description )he name space is automatically mapped to the Active Directory
namespace. )he value is predefined because of the domain
membership of the CA.
$ample value C1LConfigurationCDCLconcorpCDCLcontosoCDCLcom
Defined at Automatically defined
$tored at -egistry:
J",.ameJ$S!onfig$,
!mpacts )he distinguished name becomes part of the certificate issuer name
and is also part of the C-9 and A!A if replacement tokens are used. !t
is also used by several variables that are used to set the C-9 and
A!A.
!'4 $istribution Point
Description Defines the 6-9s #here the client can locate the certificate revocation
list that is related to the certificate.
$ample value http:HH###.contoso.comHpkiHN'N8N,.crl
ldap:HHHC1LN7N8CC1LN%CC1LCDCC1Lublic Key
183
$tored at "indo#s %&&&:
-egistry:
-egistry:
J4$P'evocation!'42'4
-egistry:
J'evocation!'42'4
-egistry:
J",.ameJ!'4Publication2'4s
certificate
Description Defines the 6-9s #here the client can find the
certificate@s issuer certificate.
$ample value http:HH###.contoso.comHpkiHN(IN'N<.crt
ldap:HHHC1LN7CC1LA!ACC1Lublic Key
184
-egistry:
J!onfigurationJPolicyJ-ileIssuer!ert2'4
-egistry:
J!onfigurationJPolicyJ4$P-ileIssuer!ert2'4
-egistry:
J!onfigurationJPolicyJIssuer!ert2'4
-egistry:
J!onfigurationJ",.ameJ!!ertPublication2'4s
!mpacts Any userC computerC serviceC or program that verifies
the root certificate
Description Also controls the C-9 validity time
$ample value 7 days
$tored at -egistry:
J",.ameJ!'4Period
-egistry:
J",.ameJ!'4Period2nits
!mpacts CA C-9 publication algorithm and any userC computerC serviceC or
computer that verifies the C-9.
$elta !'4 publication interval
185
$ample value ( day
$tored at -egistry:
-egistry:
ppendi* !> dditional Information
2or additional informationC see the follo#ing articles.
%,'8(, >o# to -emove a -oot Certificate from the )rusted -oot $tore on the Microsoft
Kno#ledge Base
"indo#s F >ome age on the Microsoft "eb site
K! /nhancements in "indo#s F rofessional and "indo#s $erver %&&' on the
Microsoft "eb site
"indo#s F )echnical -esources on the Microsoft "eb site
-2C %7,7: Certificate Management Messages over CM$ on the !nternet /ngineering
)ask 2orce "eb site
"hite aper: D)roubleshooting Certificate $tatus and -evocationD on the Microsoft
)ech1et "eb site
"hite aper: lanning and !mplementing Cross;Certification and :ualified $ubordination
6sing "indo#s $erver %&&' on the Microsoft )ech1et "eb site
"hite aper: !mplementing and Administering Certificate )emplates in "indo#s $erver
%&&' on the Microsoft )ech1et "eb site
186
"hite aper: Key Archival and Management in "indo#s $erver %&&' on the Microsoft
"eb site
"hite aper: "indo#s $erver %&&' K! .perations ?uide on the Microsoft )ech1et "eb
site
Certificate Autoenrollment in "indo#s $erver %&&' on the Microsoft )ech1et "eb site
187

Best Practices For Implementing A Microsoft Windows Server 2003 Public Key Infrastructure

Enviado por

Dados do documento

Título original

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

Best Practices For Implementing A Microsoft Windows Server 2003 Public Key Infrastructure

Enviado por

Direitos autorais:

Formatos disponíveis

Best Practices for Implementing a

Microsoft Windows Server 2003 Public

Você também pode gostar