Active Directory Certificate Services [Part1]

In this post, I will tell you the information to prepare for the installation of a future two-tier PKI infrastructure.

What is it AD CS Services

Active Directory Certificate Services (AD CS) provide customizable services for issuing and managing certificates that are used in software security systems that use public key technologies.

Features of AD CS services

• Certification authorities: Root and secondary certification authorities are used to issue certificates to users, computers, and services, as well as to manage the validity of certificates.
• Registration of certification authority via the Web: registration via the Web allows users to connect to a certification authority using a Web browser to request certificates and retrieve revocation lists from Certificates.
• Online Responder: The Online Responder service accepts revocation status requests for specific certificates, evaluates the status of these certificates, and returns a signed response containing the requested information about the certificate status.

The applications supported by the AD CS services include the S/MIME (Secure/Multipurpose Internet Mail Extensions) extensions, secure wireless networks, virtual private networks (VPNs), Internet Protocol security (IPSEC), the EFS files, smart card logon, SSL/TLS (Secure Socket layer/Transport layer Security), and digital signatures.

Standards PKC

Availability of infrastructure

The PKI infrastructure is separated into different components, each with its own service-level agreement (SLA).

• Enrolment: This feature is considered non-critical within the infrastructure in terms of the use of certificates. A failed enrolment can always be postponed.
• Revocation: This feature is critical. A compromise certificate must be revoked as quickly as possible. The SLA for this feature also depends on the status check feature due to the fact that the revocation information is given by the CRL (or the token of an OCSP responder if available).
• Status check: Checking the status of a certificate depends on the availability of a valid CRL. This means that at minima a CRL file must be available and valid. For this, the CRL will be generated each day for a period of validity of 7 days.

What you need before start installation ?

Before start installation you need to take more informations to set your CA environnement. These settings are needed to prepare correctly your documents and your installation.

Define attributs for CA Root

First, define correctly the differents attributs of the CA Root :

Define Path CRL and AIA

Define attributs for Enterprise Subordinate CA

Define Path CRL and AIA

How to define the DN of certificates

You can help you with this array to define correctly your certificates DN :

Firewall rules

This array define the rules to activate on security firewall of your compagny.

To avoid opening all dynamic RPC ports, you can set the certificate authority’s DCOM port.

Fixed DCOM port :

If you want to set the CA server to use a static DCOM port, follow these steps :

• Connect to the CA server with an account with local Administrator privileges
• Open the “Component Services” MMC (DCOMCNFG)
• In the left panel, unwind Component Services, Computers, My computer, and click DCOM Config
• In the right pane, select “CertSrv Request” and right click and select “Properties”
• In the “Endpoints” tab, click the “ADD” button
• Select “Use Statistic endpoint” and add the port you want, example “49152” and, double-click OK
• Restart the service of the Certificate Authority :
  • net stop certSvc
  • net start certsvc
• To check the listening port, run the command “netstat-anob”, check the port linked to the “certsrv” process

Now that we have defined all of the prerequisites, you still have to define the infrastructure of your PKI two levels. The Root CA is not resource consuming and can be turned off at the end of the installation. It is autonomous and should not have an IP address in practice.
The point of attention comes to the intermediate CA. You must define in relation to the number of users, devices, the size of the CRL file. Whether you want to install all of your components on the same server or, if you want to separate the roles and for example install one or more IIS servers separately from the PKI.
I did not mention an element that simplifies the query of the CRL, the OCSP service. If you want to integrate this feature, you will need to set the service access URL.
We are ready to move on to the installation of our 2 tier PKI infrastructure. I would detail the installation of the components in a next post.