Active Directory Certificate Services [Part1]

  • April 17, 2017
  • Rodolphe Herpeux
In this post I cover the information you need to gather before installing a two-tier PKI infrastructure.

What are AD CS services?

Active Directory Certificate Services (AD CS) provides customizable services for issuing and managing the certificates used by software security systems that rely on public key technology.

Features of AD CS

  • Certification authorities: root and subordinate certification authorities issue certificates to users, computers and services, and manage the validity of those certificates (renewal and revocation).
  • Certification Authority Web Enrollment: lets users connect to a certification authority with a web browser to request certificates and retrieve certificate revocation lists (CRLs).
  • Online Responder: the Online Responder (OCSP) service accepts revocation status requests for specific certificates, evaluates their status, and returns a signed response containing the requested status information.

Applications supported by AD CS include S/MIME (Secure/Multipurpose Internet Mail Extensions), secure wireless networks, virtual private networks (VPNs), Internet Protocol security (IPsec), Encrypting File System (EFS), smart card logon, SSL/TLS (Secure Sockets Layer/Transport Layer Security) and digital signatures.

Standards PKC

Infrastructure availability

The PKI infrastructure is split into several components, each with its own service-level agreement (SLA).

  • Enrolment: this function is considered non-critical as far as the use of certificates is concerned. A failed enrolment can always be retried later.
  • Revocation: this function is critical. A compromised certificate must be revoked as quickly as possible. The SLA for this function also depends on the status check function, because the revocation information is delivered by the CRL (or by the signed response of an OCSP responder, if one is available).
  • Status check: checking the status of a certificate depends on the availability of a valid CRL. This means that, at a minimum, a CRL file must be reachable and still valid. For this, the CRL is generated every day with a validity period of 7 days, so a single missed publication does not break certificate validation.
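The publication schedule described above, as an added example that is not part of the original post: it sets the base CRL lifetime on the issuing CA, schedules a daily republication so the file is refreshed every day even though it stays valid for a week, and then checks the published CRL against that SLA. The CDP URL, the CRL file name and the 2-day warning threshold are placeholders, and the script assumes a local administrator session on the CA server.

```powershell
# Added example, not from the original post. Assumes it runs on the issuing CA
# as a local administrator; the CDP URL and file name are placeholders.
$CrlUrl = 'http://pki.example.com/CertEnroll/Contoso-Issuing-CA.crl'   # placeholder CDP

# 1. Base CRL valid 7 days, 1-day overlap so the previous CRL is still valid while
#    the new one propagates (NextUpdate = ThisUpdate + CRLPeriod + CRLOverlapPeriod).
#    Delta CRLs disabled (units = 0): a daily base CRL makes them unnecessary.
certutil -setreg CA\CRLPeriodUnits 7
certutil -setreg CA\CRLPeriod 'Days'
certutil -setreg CA\CRLOverlapUnits 1
certutil -setreg CA\CRLOverlapPeriod 'Days'
certutil -setreg CA\CRLDeltaPeriodUnits 0
Restart-Service -Name CertSvc      # registry changes are read at service start

# 2. Force a fresh CRL every day at 02:00, independent of the 7-day timer, so a
#    revocation never waits more than a day before it reaches the CDP.
$action  = New-ScheduledTaskAction -Execute 'certutil.exe' -Argument '-crl'
$trigger = New-ScheduledTaskTrigger -Daily -At 02:00
Register-ScheduledTask -TaskName 'PKI - Publish CRL' -Action $action -Trigger $trigger `
    -User 'SYSTEM' -RunLevel Highest -Force | Out-Null

# 3. Health check against the SLA: download the published CRL and flag it when its
#    Next Update is closer than the threshold (a CRL about to expire = outage ahead).
function Test-CrlFreshness {
    param([string]$Url, [int]$MinDaysLeft = 2)
    $tmp = Join-Path $env:TEMP 'check.crl'
    Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing
    # certutil -dump prints a "Next Update: <date>" line in the current culture.
    $line = (certutil -dump $tmp | Select-String 'Next Update:' | Select-Object -First 1).Line
    $next = [datetime]::Parse(($line -replace '.*Next Update:\s*', '').Trim())
    $left = ($next - (Get-Date)).TotalDays
    [pscustomobject]@{
        Url        = $Url
        NextUpdate = $next
        DaysLeft   = [math]::Round($left, 1)
        Ok         = ($left -ge $MinDaysLeft)
    }
}

Test-CrlFreshness -Url $CrlUrl
```

Run the health check from a client outside the CA (for example from the monitoring host), not from the CA itself, so it also proves that the CDP web server and the firewall path work. With a 7-day validity and a daily refresh, a result with fewer than 6 days left means the scheduled task has already missed at least one run.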

What do you need before starting the installation?

Before starting the installation, gather the information below to define your CA environment. These settings are needed to prepare your documentation and your installation correctly.

Define the attributes of the Root CA

First, define the attributes of the Root CA correctly:

Define the CRL and AIA paths

Define the attributes of the Enterprise Subordinate CA

Define the CRL and AIA paths
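The two definition steps above (Root CA attributes, then CRL and AIA paths for the root and for the enterprise subordinate), as an added example that is not part of the original post: the root attributes that must be fixed before setup go into CAPolicy.inf, while the CDP and AIA locations are set after installation with certutil. The host names pki.example.com and ocsp.example.com, the local CertEnroll path and the validity values are placeholders; the script assumes a local administrator session on the CA being configured.

```powershell
# Added example, not from the original post. Placeholders: pki.example.com (HTTP
# CDP/AIA web server), ocsp.example.com (Online Responder) and the validity values.

# --- Root CA attributes: CAPolicy.inf, read by setup when the CA role is installed ---
# Must exist in %SystemRoot% before Install-AdcsCertificationAuthority is run.
$rootPolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
; Offline root: long CRL period (26 weeks), no delta CRL
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
; A root issues only CA certificates: do not load the end-entity templates
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=0
'@
Set-Content -Path "$env:SystemRoot\CAPolicy.inf" -Value $rootPolicy -Encoding ASCII

# --- CDP / AIA paths, set after installation on each CA ---
# Flag values (sum them): 1 = publish the CRL/cert to this location,
# 2 = include in the CDP/AIA extension of issued certificates,
# 8 = include in all CRLs (manual AD publication), 32 = OCSP URL in AIA.
# Variables: %1 server DNS name, %2 server short name, %3 CA name, %4 cert index,
# %6 configuration container, %7 truncated CA name, %8 CRL suffix, %9 delta
# marker, %10 CDP object class, %11 CA object class.
function Set-CaPublicationUrls {
    param(
        [Parameter(Mandatory)][ValidateSet('Root', 'Subordinate')][string]$Role,
        [string]$HttpBase = 'http://pki.example.com/CertEnroll',   # placeholder
        [string]$OcspUrl  = 'http://ocsp.example.com/ocsp'         # placeholder
    )
    $local = "$env:SystemRoot\system32\CertSrv\CertEnroll"
    # Both roles: publish locally, point issued certificates at the HTTP location.
    $cdp = @("1:$local\%3%8%9.crl", "2:$HttpBase/%3%8%9.crl")
    $aia = @("1:$local\%1_%3%4.crt", "2:$HttpBase/%1_%3%4.crt")
    if ($Role -eq 'Subordinate') {
        # Enterprise CA: add the LDAP locations (domain-joined clients) and OCSP.
        # The offline root is not domain joined, so it gets no LDAP entry.
        $cdp += '11:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10'
        $aia += '2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11'
        $aia += "32:$OcspUrl"
    }
    certutil -setreg CA\CRLPublicationURLs ($cdp -join "`n") | Out-Null
    certutil -setreg CA\CACertPublicationURLs ($aia -join "`n") | Out-Null
    certutil -setreg CA\CRLDeltaPeriodUnits 0 | Out-Null   # no delta CRLs in this design
    Restart-Service -Name CertSvc
    certutil -crl | Out-Null        # publish a CRL carrying the new locations
    certutil -getreg CA\CRLPublicationURLs
}

# On the root:        Set-CaPublicationUrls -Role Root
# On the issuing CA:  Set-CaPublicationUrls -Role Subordinate
```

Keep the HTTP location first in the subordinate's list: clients try CDP entries in order, and an HTTP URL works for non-domain devices (VPN, wireless, mobile) that cannot reach LDAP. For the offline root, the files written to the local CertEnroll folder have to be copied to the web server by hand each time the root CRL is renewed, which is why its CRL period is long.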

How to define the DN of the certificates

You can use this table to define your certificate DNs correctly:

Firewall rules

This table defines the rules to enable on your company's firewall.

To avoid opening the whole dynamic RPC port range, you can pin the certification authority's DCOM port to a fixed value.

Fixed DCOM port:

If you want the CA server to use a static DCOM port, follow these steps:

  • Connect to the CA server with an account that has local Administrator privileges
  • Open the "Component Services" MMC (DCOMCNFG)
  • In the left pane, expand Component Services, Computers, My Computer, and click DCOM Config
  • In the right pane, right-click "CertSrv Request" and select "Properties"
  • On the "Endpoints" tab, click the "Add" button
  • Select "Use static endpoint", enter the port you want (for example 49152), and click OK twice
  • Restart the Certificate Authority service:
    • net stop certsvc
    • net start certsvc
  • To check the listening port, run "netstat -anob" and look for the port bound to the "certsrv" process; the RPC endpoint mapper (TCP 135) must still be reachable in addition to the fixed port
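The same procedure as a script, added here as an example that is not part of the original post. It writes the registry value that the Endpoints tab of DCOMCNFG sets, locates the "CertSrv Request" AppID by its display name instead of hard-coding its GUID, opens only the two ports the CA needs, and verifies the result with Get-NetTCPConnection (the equivalent of the netstat check). The port 49152 and the firewall rule names are placeholders; it assumes a local administrator session on the CA.

```powershell
# Added example, not from the original post. Assumes a local administrator session
# on the CA; 49152 is the example port from the steps above (placeholder).
$Port = 49152

# 1. Find the "CertSrv Request" AppID by name (default value of the AppID key).
$appId = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\AppID' |
    Where-Object { $_.GetValue('') -eq 'CertSrv Request' } |
    Select-Object -First 1
if (-not $appId) { throw 'CertSrv Request AppID not found; is the CA role installed?' }

# 2. Same value the Endpoints tab writes: "protocol,flags,endpoint" with flags 0 =
#    static endpoint. REG_MULTI_SZ, one entry.
Set-ItemProperty -Path $appId.PSPath -Name 'Endpoints' -Type MultiString `
    -Value @("ncacn_ip_tcp,0,$Port")

# 3. Restart the CA so it re-registers the fixed endpoint with the endpoint mapper.
Restart-Service -Name CertSvc

# 4. Firewall: endpoint mapper (135) plus the fixed port; nothing from the
#    dynamic 49152-65535 range needs to be opened any more.
New-NetFirewallRule -DisplayName 'AD CS - RPC Endpoint Mapper' -Direction Inbound `
    -Protocol TCP -LocalPort 135 -Action Allow | Out-Null
New-NetFirewallRule -DisplayName "AD CS - CertSrv DCOM $Port" -Direction Inbound `
    -Protocol TCP -LocalPort $Port -Action Allow | Out-Null

# 5. Verify: certsrv.exe must be listening on the fixed port (netstat -anob check).
function Test-CertSrvPort {
    param([Parameter(Mandatory)][int]$ExpectedPort)
    $caPid = (Get-Process -Name certsrv).Id
    $listening = Get-NetTCPConnection -State Listen -OwningProcess $caPid |
        Select-Object -ExpandProperty LocalPort
    [pscustomobject]@{
        Process        = 'certsrv'
        ListeningPorts = ($listening | Sort-Object -Unique) -join ','
        Ok             = ($listening -contains $ExpectedPort)
    }
}

Test-CertSrvPort -ExpectedPort $Port
```

If the check reports Ok = False after the restart, the value was most likely written under a different AppID (several "CertSrv" entries exist); confirm in DCOMCNFG that the Endpoints tab of "CertSrv Request" shows the static port before touching the firewall.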

 

Now that the prerequisites are defined, you still have to design the two-tier PKI infrastructure itself. The Root CA consumes few resources and can be powered off once the installation is complete. It is standalone (not domain joined) and, in practice, should not have an IP address at all.
The point that needs attention is the intermediate (issuing) CA. Size it according to the number of users and devices, and to the resulting size of the CRL file. Decide whether you want to install all of the components on the same server or to separate the roles, for example by installing one or more IIS servers for CRL and AIA distribution apart from the CA.
I have not yet mentioned the component that simplifies revocation checking: the OCSP service. If you want to integrate this feature, you will need to define the URL at which the service is reached.
We are now ready to move on to the installation of our two-tier PKI infrastructure. I will detail the installation of the components in a following post.