Friday, 14 March 2014

Active Directory Certificate Service (ADCS)


Topics Covered
Introduction to Certificate Service
Introduction to PKI
Installation of AD CS
Creating Certificate Templates
Installing a web server certificate for SSL

Introduction to Certificate service
Windows Server 2008 Certificate Services provides customizable services for creating and
managing public key certificates used in software security systems employing public key
technologies. Organizations use certificates to enhance security by binding the identity of a
person, device, or service to a corresponding private key. However, in order to realize the
enhanced security made possible by certificates, organizations need a cost-effective, efficient,
secure way to manage the distribution and use of certificates. Certificate Services is the
Windows Server 2008 service that provides the core functionality for Windows Server 2008
CAs. Certificate Services provides customizable services for managing certificates for a
particular CA and for the enterprise.
Certificate Services in Windows Server 2008 is based on Active Directory and is therefore called
Active Directory Certificate Services (AD CS). Prior to Windows Server 2008, i.e. in Windows
Server 2003, it was simply called Certificate Services.
AD CS includes various new features, such as:
• Web Enrollment
• Auto Enrollment
• Online Responder Service
• New templates
• Network Device Enrollment, etc.
What is the use of Certificate Services (CS)
Certificate Services is used to:
• Encrypt data files
• Encrypt remote communication
• Secure emails
• Secure logons using smart card
• Protect data from tampering, etc.
What is a Certificate
A certificate is a file that contains
• A public key for encryption
• A digital signature for identity verification
• A name, which can refer to a person, a computer or organisation
• A validity period

• The location of a revocation center
• The name of the issuer, a server called a Certificate Authority (CA)
What is a Certificate Authority (CA)
A CA is a trusted party which is responsible for issuing certificates and for validating the
identity they assert. A certificate is generated by the CA using the CA's private key, which is
part of the wider Public Key Infrastructure (PKI).
Common Certificate Services Scenarios
Managing certificates and CAs involves the following processes:
Issuing certificates to users and computers: The issuance process includes obtaining and
validating information about the intended recipient of the certificate, placing policy restrictions
designated by the organization in certificates that are issued, and publishing the certificates to a
directory.
Managing certificate lifetimes: Because all certificates have a limited life, certificates need to
be renewed or allowed to expire. The renewal process is similar to the issuance process, but
typically involves fewer security checks. Thus, when an organization develops its renewal
strategy, it should balance security concerns against potential disruptions to users.
Revoking certificates and verifying revocation status: Some certificates need to be
invalidated before their expiration date. Effective certificate revocation and revocation
verification processes are critical to the security of an organization’s public key infrastructure
(PKI).
Certificate Services and its application compatibility
Certificate Services can be used in a wide variety of applications, such as:
• Wireless Networking: Certificates are used by wireless clients and access points to
identify and reject unauthorized users
• VPN: Certificates are used for client authentication in a VPN and also for securing the
communication
• Digital Signing: Certificates are used to verify the identity of users in applications such as
email, etc.
• Data security: Certificates are used for data security, such as encryption of data and driver
signing, etc.

• Authentication: Certificates are used for the authentication of users.
Introduction to PKI
Public Key Infrastructure (PKI) is an architecture or technology which allows secure
communication using two keys (a public key and a private key). The keys are distributed with
the help of digital certificates: a certificate carries the public key, while the private key stays
with its owner. Digital certificates are issued by a server called a Certificate Authority (CA).
PKI is the most secure method of communication, authentication, etc.
To understand PKI we first need to understand three terms:
1) Cryptography: The science of making the cost of acquiring or altering data greater than the
potential value gained.
2) Cryptosystem: A system that provides techniques for mangling a message into an apparently
unintelligible form and then recovering it from the mangled form.
3) Ciphertext: Data encrypted by cryptography is called ciphertext.
All cryptosystems are based on three kinds of cryptographic algorithm:
1) Message Digest (MD2, MD4, MD5, SHA, SHA-1, …)
• Maps variable-length plaintext into a fixed-length digest
• No key is used, and it is computationally infeasible to recover the plaintext from the digest
2) Secret Key (Blowfish, DES, IDEA, RC2, RC4, RC5, Triple-DES, …)
• Encrypts and decrypts messages using the same secret key
3) Public Key (DSA, RSA, …)
• Encrypts and decrypts messages using two different keys, a public key and a private
key, which are coupled together

Let us see how Public Key Infrastructure works
The magic of PKI occurs through the use of extremely large numbers built from prime numbers,
called keys. There are two keys: a private key, which only you have access to, and a public
key, which can be accessed by anyone. The two keys work together, so a message encrypted
with the private key can only be decrypted with the public key and vice versa. The more digits
in these keys, the more secure the process.
Let's look at how all this works together in a simple transaction. Bob wants to send Alice a
confidential e-mail. Bob uses Alice's public key, stored in her certificate, to encrypt the
message. When Alice receives the message, she uses her private key to decrypt it. Because no
one else possesses Alice's private key, only she can decrypt the message.
The process is similar in complex transactions. Let's say Bob wants to let Alice order products
from his Web site. When Alice is ready to buy, Bob requests that she prove her identity. Alice
signs the order with her private key, which was issued by a certificate authority we'll call
TrustCo. She then sends the package consisting of the order and the digital signature to Bob.
Bob needs to get Alice's and TrustCo's digital certificate to verify the signature. He validates
Alice's certificate by verifying TrustCo's signature (remember TrustCo signs Alice's public key,
thus forming the certificate), and then uses Alice's certificate to validate the signature on the
order. If all those tests pass, Alice is actually Alice.
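To make the Bob, Alice and TrustCo exchange concrete, here is an added example that is not part of the original post: textbook RSA built from two fixed Mersenne primes per party, with TrustCo signing Alice's public key to form her certificate, Alice signing an order, and Bob checking first TrustCo's signature on the certificate and then Alice's signature on the order. The key sizes, the order text, the certificate layout and the names are all constructed for illustration; the scheme has no padding and is a reading aid, not a usable implementation.

```python
# Added example: toy model of the Bob / Alice / TrustCo flow. Textbook RSA,
# constructed primes, no padding, no real certificate encoding.
import hashlib


def make_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)): the public key and the private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, plaintext: bytes) -> int:
    """Bob encrypts with Alice's PUBLIC key; only her private key can undo it."""
    n, e = public_key
    m = int.from_bytes(plaintext, "big")
    if not 0 < m < n:
        raise ValueError("toy scheme: message must be shorter than the modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    """Alice decrypts with her PRIVATE key."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(private_key, data: bytes) -> int:
    """Hash-then-sign with the signer's PRIVATE key."""
    n, d = private_key
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(h, d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    """Anyone can check a signature with the signer's PUBLIC key."""
    n, e = public_key
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(signature, e, n) == h


def cert_tbs(subject: str, public_key, issuer: str) -> bytes:
    """The 'to be signed' part of a toy certificate: name, key and issuer."""
    n, e = public_key
    return f"{subject}|{n}|{e}|{issuer}".encode()


def issue_certificate(issuer_name, issuer_private, subject, subject_public):
    """The CA signs the subject's public key; that signed bundle is the certificate."""
    tbs = cert_tbs(subject, subject_public, issuer_name)
    return {"subject": subject, "public_key": subject_public,
            "issuer": issuer_name, "signature": sign(issuer_private, tbs)}


def verify_certificate(cert, issuer_public) -> bool:
    """Check the CA's signature over the certificate contents."""
    tbs = cert_tbs(cert["subject"], cert["public_key"], cert["issuer"])
    return verify(issuer_public, tbs, cert["signature"])


def verify_signed_order(order: bytes, order_sig: int, alice_cert, trustco_public) -> bool:
    """Bob's two checks: TrustCo vouches for Alice's key, then that key vouches for the order."""
    if not verify_certificate(alice_cert, trustco_public):
        return False
    return verify(alice_cert["public_key"], order, order_sig)


# Constructed key material: Mersenne primes 2^107-1, 2^127-1 (TrustCo) and
# 2^61-1, 2^89-1 (Alice). Far too small for real use; fine for reading along.
trustco_public, trustco_private = make_keypair(2 ** 107 - 1, 2 ** 127 - 1)
alice_public, alice_private = make_keypair(2 ** 61 - 1, 2 ** 89 - 1)
alice_cert = issue_certificate("TrustCo", trustco_private, "Alice", alice_public)

ORDER = b"order#42:1x widget"            # constructed sample order
order_sig = alice_order_signature = sign(alice_private, ORDER)

if __name__ == "__main__":
    print("confidential mail:", decrypt(alice_private, encrypt(alice_public, b"Hi Alice")))
    print("order accepted:", verify_signed_order(ORDER, order_sig, alice_cert, trustco_public))
    print("altered order accepted:",
          verify_signed_order(b"order#42:9x widget", order_sig, alice_cert, trustco_public))
```

The point to notice is the order of Bob's checks: the order signature is only meaningful after the certificate that carries Alice's key has itself been validated against the trusted root, which is why a certificate whose subject or key has been altered fails before the order is even looked at.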
Types of certification authorities
A certification authority (CA) accepts a certificate request, verifies the requester's information
according to the policy of the CA, and then uses its private key to apply its digital signature to
the certificate. The CA then issues the certificate to the subject of the certificate for use as a
security credential within a public key infrastructure (PKI). A CA is also responsible for
revoking certificates and publishing a certificate revocation list (CRL).

A CA can be an outside entity, such as VeriSign, or it can be a CA that you create for use by
your organization by installing AD CS. Each CA can have distinct proof-of-identity
requirements for certificate requesters, such as a Windows Server 2008 family domain account,
employee badge, driver's license, notarized request, or physical address. Identification checks
such as this often warrant an onsite CA, so that organizations can validate their own employees
or members.
Microsoft enterprise CAs use a person's user account credentials as proof of identity. In other
words, if you are logged on to a Windows Server 2008 family domain and request a certificate
from an enterprise CA, the CA knows that you are who the Active Directory service says you
are.
AD CS supports two types of CA
Standalone CA: A CA that is not necessarily integrated with AD DS. A standalone CA runs on a
member server or a standalone server in the network. Standalone CAs are often used as
internal root CAs and are taken offline for security purposes after they have been used to issue
certificates to the subordinate CAs.
Enterprise CA: A CA that is integrated with AD DS. Enterprise CAs usually run on member servers
and are used to issue certificates to domain users, computers and subordinate CAs.

Installation of Active Directory Certificate Service
To set up an enterprise root CA
1. Log on to SRV-CA server as a domain administrator.
2. Click Start, point to Administrative Tools, and then click Server Manager.
3. In the Roles Summary section, click Add roles.
4. On the Select Server Roles page, select the Active Directory Certificate Services check
box. Click Next two times.
5. On the Select Role Services page, select the Certification Authority check box, and
then click Next.

6. On the Specify Setup Type page, click Enterprise or Standalone as per your
requirement, and then click Next.
7. On the Specify CA Type page, click Root CA, and then click Next.

8. On the Set Up Private Key and Configure Cryptography for CA pages, you can adjust
optional settings, including the cryptographic service provider. However, for basic testing
purposes, accept the default values by clicking Next twice.
9. In the Common name for this CA box, type the common name of the CA, RootCA1,
and then click Next.

10. On the Set the Certificate Validity Period page, accept the default validity duration for
the root CA, and then click Next.
11. On the Configure Certificate Database page, accept the default values or specify other
storage locations for the certificate database and the certificate database log, and then
click Next.
12. After verifying the information on the Confirm Installation Options page, click Install.
13. Review the information on the confirmation screen to verify that the installation was
successful.

Certificate Authority Console
Creating Certificate Templates
Windows Server 2008 Certificate Services includes a number of certificate templates, such as
the Web Server template, User template, Computer template, Domain Controller template, EFS
template, Smart Card Logon template, etc. We can use these templates to distribute certificates,
or we can create a new template based on an existing one. In our case we will create a
duplicate of the Web Server template and use it to assign a certificate to a web site.
Steps to create a new duplicate template
1. Open the Certificate Authority snap-in.
2. Right-click Certificate Templates and select “Certificate Template”.
3. The Certificate Templates snap-in window now appears on screen.
4. In the details pane, right-click the existing template (i.e. the Web Server template) that will
serve as the starting point for the new template, and then click Duplicate Template.
5. Choose whether to duplicate the template as a Windows Server 2003-based template or a
Windows Server 2008-based template.
6. On the General tab, enter the Template display name and the Template name, and then
click OK.

7. Define any additional attributes for the newly created certificate template.
8. Go to the Security tab and grant the “Enroll” permission to “Authenticated Users” (or, to
limit who can request certificates from this template, to a narrower group such as the
computer accounts of the web servers that need them).
Certificate Revocation List (CRL)
A Certificate Revocation List (CRL) is a list of certificates that have been revoked and therefore
should not be relied upon. There are a number of reasons for a certificate to be revoked, such as:
• Unspecified
• Key compromise
• Tampering of certificate
• Superseded
• Certificate hold
• Privilege withdrawn, etc.
A CRL is generated and published periodically. A CRL is always issued by the CA which issued
the corresponding certificates. All CRLs have a lifetime during which they are valid. This
timeframe is generally 24 hours or less.
If you are using Active Directory Certificate Services, you must configure the CA that issues the
certificates to the server with additional certificate revocation list (CRL) distribution settings.
The location at which the CA publishes the CRL is called the CRL Distribution Point (CDP). A
CDP is an online and publicly accessible point where certificate revocation lists are kept. It
holds either the entire list or only a subset of the revoked certificates.
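The check a relying party performs with a CRL, as an added example that is not part of the original post: a minimal CRL model with the issuer, the validity window (thisUpdate to nextUpdate) and the revoked serials with their reason codes, plus a lookup that refuses to give an answer from a CRL that is past its lifetime or that belongs to a different CA. The clock, the serial numbers and the revocation entries are constructed; the CA name RootCA1 is reused from the installation steps above, and the reason numbering follows RFC 5280 (the text's "tampering" has no code of its own there).

```python
# Added example: toy CRL and revocation lookup. Constructed data, no DER parsing.
from datetime import datetime, timedelta, timezone
from enum import IntEnum


class CRLReason(IntEnum):
    """Reason codes for the revocation reasons named in the text (RFC 5280 numbering)."""
    UNSPECIFIED = 0
    KEY_COMPROMISE = 1
    SUPERSEDED = 4
    CERTIFICATE_HOLD = 6
    PRIVILEGE_WITHDRAWN = 9


class CRL:
    """A CRL as the text describes it: issued by one CA, lists revoked serial
    numbers, and is only valid between thisUpdate and nextUpdate."""

    def __init__(self, issuer, this_update, next_update, revoked):
        self.issuer = issuer
        self.this_update = this_update
        self.next_update = next_update
        self.revoked = dict(revoked)       # serial -> (revoked_at, CRLReason)

    def is_current(self, now):
        return self.this_update <= now <= self.next_update


def check_revocation(crl, issuer, serial, now):
    """Return (status, reason). 'unknown' means this CRL gives no usable answer
    (wrong issuer, or past its lifetime); the right response is to fetch a fresh
    CRL, not to treat the certificate as good."""
    if crl.issuer != issuer:               # a CRL only covers its own issuer's certificates
        return "unknown", None
    if not crl.is_current(now):            # stale CRL: do not rely on it
        return "unknown", None
    entry = crl.revoked.get(serial)
    if entry is not None:
        return "revoked", entry[1]         # includes 'certificate hold', which is reversible
    return "good", None


# Constructed clock and sample CRL with a 24-hour lifetime, as in the text.
NOW = datetime(2014, 3, 14, 9, 0, tzinfo=timezone.utc)
SAMPLE_CRL = CRL(
    issuer="CN=RootCA1",
    this_update=NOW - timedelta(hours=2),
    next_update=NOW + timedelta(hours=22),
    revoked={
        0x1001: (NOW - timedelta(days=3), CRLReason.KEY_COMPROMISE),
        0x1002: (NOW - timedelta(hours=1), CRLReason.CERTIFICATE_HOLD),
    },
)

if __name__ == "__main__":
    for serial in (0x1001, 0x1002, 0x2000):
        print(hex(serial), check_revocation(SAMPLE_CRL, "CN=RootCA1", serial, NOW))
    print("two days later:", check_revocation(SAMPLE_CRL, "CN=RootCA1", 0x2000, NOW + timedelta(days=2)))
```

The "unknown" result is the part worth keeping in mind when configuring CDP settings: a client that cannot obtain a current CRL for the issuing CA has no basis for trusting the certificate, so the CRL must stay reachable and must be republished before nextUpdate passes.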
Online Responder
An Online Responder (OR) is a trusted server that receives and responds to individual client
requests for information about the status of a certificate. OR is a new feature introduced in
Windows Server 2008. It is an advancement over the CRL Distribution Point (CDP), from which a
client has to download the entire CRL.
The use of an OR is one of the two common methods for checking the validity of certificates. An
OR receives and responds only to individual requests from clients for information about the
status of a certificate. An OR can process certificate status requests more efficiently than CRLs
can, for example when:
• Clients that connect to the network remotely would need a high-speed connection to
download CRLs
• A network needs to handle large peaks of revocation checking, such as a large number of
users sending signed mails.

Components of Online Responder
OR Service: The OR service decodes a revocation status request and sends the reply to the client.
OR: A CA on which the OR service is installed.
OR Web Proxy: The service interface for the OR is implemented in IIS. The web proxy receives
and decodes the request and caches the response for a period of time.
OR Array: A group of multiple ORs that provides redundancy and load balancing.
OCSP: Online Certificate Status Protocol, a protocol which allows a client to submit a
certificate status request to the OR over HTTP. It is the communication protocol between
client and server.
How Online Responder works
• When a client attempts to verify a certificate, it first checks its local memory and
cache for the revocation data.
• If nothing is found, a request is sent to the OR over HTTP.
• The OR web proxy decodes and verifies the request. If the request is valid, it forwards the
request to the OR service.
• The OR service takes the request, checks its local CRL and replies with the answer to
the web proxy.
• The web proxy then encodes the answer and sends it back to the client.
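The five steps above as an added example that is neither the original post's code nor Microsoft's implementation: a toy Python model in which the client, the web proxy and the responder service are plain classes, the "local CRL" is a constructed dict of revoked serials, and the HTTP round trip is a function call. It shows the two cache layers (client and web proxy) absorbing repeat lookups, and the proxy rejecting a malformed request before it reaches the service. The CA name RootCA1 is reused from this post; the serial numbers and cache lifetimes are constructed.

```python
# Added example: toy walk-through of the Online Responder flow. Constructed
# classes and data; "HTTP" is a direct call and "now" is an integer in seconds.


class OnlineResponderService:
    """Step 4: the OR service answers from its local copy of the CA's CRL."""

    def __init__(self, issuer, revoked_serials):
        self.issuer = issuer
        self.revoked = dict(revoked_serials)       # serial -> reason string

    def status(self, serial):
        if serial in self.revoked:
            return {"status": "revoked", "reason": self.revoked[serial]}
        return {"status": "good", "reason": None}


class OnlineResponderWebProxy:
    """Steps 3 and 5: the IIS web proxy validates a request, forwards it to the
    service, and caches the answer for cache_ttl seconds."""

    def __init__(self, service, cache_ttl):
        self.service = service
        self.cache_ttl = cache_ttl
        self.cache = {}              # serial -> (expires_at, answer)
        self.forwarded = 0           # requests that actually reached the service

    def handle(self, request, now):
        # Validation: only well-formed requests for this CA go any further.
        if (request.get("issuer") != self.service.issuer
                or not isinstance(request.get("serial"), int)):
            return {"status": "malformed", "reason": None}
        serial = request["serial"]
        cached = self.cache.get(serial)
        if cached is not None and cached[0] > now:
            return cached[1]                       # proxy cache hit
        answer = self.service.status(serial)
        self.forwarded += 1
        self.cache[serial] = (now + self.cache_ttl, answer)
        return answer


class Client:
    """Steps 1 and 2: check the local cache first, only then ask the responder."""

    def __init__(self, responder, cache_ttl):
        self.responder = responder   # stands in for the responder's HTTP URL
        self.cache_ttl = cache_ttl
        self.cache = {}              # serial -> (expires_at, answer)
        self.requests_sent = 0

    def verify(self, issuer, serial, now):
        cached = self.cache.get(serial)
        if cached is not None and cached[0] > now:
            return cached[1]                       # client cache hit
        self.requests_sent += 1
        answer = self.responder.handle({"issuer": issuer, "serial": serial}, now)
        if answer["status"] != "malformed":
            self.cache[serial] = (now + self.cache_ttl, answer)
        return answer


def demo():
    """Two clients checking the same revoked certificate: only the first lookup
    reaches the service; later ones are served from the client or proxy cache."""
    service = OnlineResponderService("RootCA1", {0x1001: "keyCompromise"})
    proxy = OnlineResponderWebProxy(service, cache_ttl=600)
    first_client = Client(proxy, cache_ttl=300)
    second_client = Client(proxy, cache_ttl=300)
    a1 = first_client.verify("RootCA1", 0x1001, now=0)      # miss everywhere -> service
    a2 = first_client.verify("RootCA1", 0x1001, now=60)     # client cache hit
    a3 = second_client.verify("RootCA1", 0x1001, now=120)   # proxy cache hit
    a4 = second_client.verify("RootCA1", 0x2000, now=130)   # not revoked -> service
    return {
        "answers": (a1["status"], a2["status"], a3["status"], a4["status"]),
        "client_requests": (first_client.requests_sent, second_client.requests_sent),
        "forwarded_to_service": proxy.forwarded,
    }


if __name__ == "__main__":
    print(demo())
```

The cache lifetimes are what make an OR cheaper than shipping whole CRLs, but they also bound how quickly a fresh revocation becomes visible to clients, so the proxy and client cache periods should be chosen against the CA's CRL publication interval.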
