Server 2008 R2 Certificate Services
-
Friday, 8 February 2013 01:18
We currently have a Windows Server 2003 domain, but I am looking to install a Server 2008 R2 2-tier PKI infrastructure. Our forest root domain is empty and the cert servers will be installed in a child domain. Are there any issues I need to address to do this? We want to get our certs working on 2008 R2 before we upgrade our domain to 2008. I am also looking for some articles so I get it done right. Any help or suggestions would be greatly appreciated.
Thanks.
Russ
- Moved by pbbergsMVP, Tuesday, 12 February 2013 18:57
All replies
-
Friday, 8 February 2013 01:34
Hi Russ, this link should guide you through the installation: http://technet.microsoft.com/en-us/library/cc772393(v=ws.10).aspx If you are on a 2003 schema you can only install the certificate services and the web enrollment. The domain functional level or forest functional level can stay on 2003. Regards, Lutz
- Marked as answer by K_evin Zhu, Microsoft Contingent Staff, Moderator, Monday, 4 March 2013 06:44
-
Friday, 8 February 2013 01:47
I am assuming I can still set up a 2-tier structure? But during the setup I specify Server 2003 and not Server 2008?
Russ
- Edited by Russmcintire, Friday, 8 February 2013 02:19
-
Friday, 8 February 2013 03:57
Hi Russ,
A 2-tier architecture is recommended over a single root and issuing CA.
I would also recommend doing the install with 2008 R2 and not 2003, because support for 2003 is ending soon and 2008 R2 gives you a few nice add-ons, e.g. certificate autoenrollment with the Windows Standard edition instead of the Enterprise edition.
Regards,
Lutz
- Marked as answer by K_evin Zhu, Microsoft Contingent Staff, Moderator, Monday, 4 March 2013 06:44
-
Friday, 8 February 2013 20:31
And although Standard edition supports certificate templates, you can only use the default templates in AD and you cannot add your custom templates.
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
Jorge de Almeida Pinto | MVP Identity & Access - Directory Services
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: http://jorgequestforknowledge.wordpress.com/disclaimer/
Jorge's Quest For Knowledge
BLOG URL: http://JorgeQuestForKnowledge.wordpress.com/
RSS Feed URL: http://jorgequestforknowledge.wordpress.com/feed/
-
Friday, 8 February 2013 22:17
Thanks for all the info, I really appreciate it. Is there a reference for building a 2-tier 2008 R2 CS structure in 2003? I know some things in the 2003 schema are not supported, but I am looking for the gotchas.
Russ
-
Friday, 8 February 2013 22:31
With a 2003 schema you cannot install the web enrollment services and the web enrollment policy. Web enrollment and the CA service will work.
GPO settings and autoenrollment are also independent of the schema version.
- Marked as answer by Russmcintire, Monday, 4 March 2013 22:28
-
Saturday, 9 February 2013 04:03
Is there an issue with putting the CDP and AIA on the Enterprise CA?
Russ
-
Saturday, 9 February 2013 04:08
No, that is something you should have on an issuing CA.
- Proposed as answer by LutzMH, Saturday, 9 February 2013 21:57
- Unproposed as answer by pbbergsMVP, Tuesday, 12 February 2013 18:57
-
Saturday, 9 February 2013 21:57
Hi Jorge,
that is not correct for a Windows 2008 R2 PKI. Even the Windows Server 2008 R2 Standard edition can use custom certificate templates for (auto)-enrollment. That was not the case with Windows Server 2003 Standard but it is for Windows Server 2008 R2 Standard. I have just double-checked it in my lab.
Regards,
Lutz
-
Monday, 11 February 2013 21:49
Thank you for all the information. I am currently setting this up according to the Step by Step guide. I will follow up later today.
Russ
-
Monday, 11 February 2013 22:52
Even though my schema is 2003 and my cert servers are 2008, can I use the Online Responder service? In addition, I need to install the Network Policy Access Server. Should these roles be installed on the issuing CA, since the root CA will be off the network?
Russ
- Edited by Russmcintire, Monday, 11 February 2013 23:03
-
Tuesday, 12 February 2013 18:27
Yes, that is working. Just a side note: OCSP is not available in the Windows Standard server, you need the Enterprise or Datacenter edition. Regards, Lutz
-
Friday, 15 February 2013 19:05
Sorry about the long time to follow up. I have my root and subordinate CA set up and all seems to be good except for one thing. I originally had a web server set up for the AIA and CDP. I moved the AIA and CDP to the subordinate CA, and now in the Enterprise PKI I see the AIA and CDP locations for the issuing CA are correct, and I have "unable to download" for AIA and CDP location 2 for the root CA. How can I go about correcting this?
- Edited by Russmcintire, Friday, 15 February 2013 19:16
-
Friday, 15 February 2013 23:40
OK, I figured it out but I am not sure it is right. Here is what I did to fix it:
I looked at the paths for both the erroring AIA and CDP and I copied the appropriate certificates to the
"C:\Windows\System32\certsrv\CertEnroll" folder. I refreshed the Enterprise PKI and the error disappeared.
My concern is that when I do a new CRL it publishes to the correct place. Any ideas?
Russ
-
Saturday, 16 February 2013 04:56
Hi, so if you publish the CRL from the Enterprise CA where the web server for the CDP is running as well, then make sure that the option in the Certification Authority console, in the properties for your CA on the Extensions tab, is correct. Check that "Publish CRLs to this location" is enabled for the entry c:\windows\system32\certsrv\certenroll\.......
Per recommendation the Root CA is offline, so you need to copy the CRL file manually to the folder with the correct name. The Root CA CRL is usually 3-6 months valid, so it is not a daily task, but put a reminder in your calendar. :-)
Sorry for the delay in my answer, but not all planes have an Internet connection yet.
- Lutz
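The steps Lutz describes (check the CDP/AIA entries, republish the CRL, copy the offline root CA's CRL into CertEnroll by hand) can be scripted on the issuing CA. The following is an added example and not code from this thread or from Microsoft; it uses only stock certutil commands, and the transfer path of the root CRL (D:\transfer\RootCA.crl) and the output file name are assumptions.

```powershell
# Added example (not from the thread). Run on the issuing (Enterprise) CA as a CA administrator.

# 1. Show the CRL and CA-certificate publication URLs exactly as the Extensions tab stores them.
#    Each entry is "<flags>:<url>"; the flag bits that matter here are
#      1  = "Publish CRLs to this location"
#      2  = "Include in the CDP extension of issued certificates"
#      64 = "Publish Delta CRLs to this location"
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

# 2. Force a fresh base CRL and confirm it was written into the local CertEnroll folder
#    (the folder the HTTP CDP on this server serves from).
certutil -crl
Get-ChildItem "$env:windir\System32\CertSrv\CertEnroll\*.crl" | Select-Object Name, LastWriteTime

# 3. Offline root: its CRL never reaches this server by itself. Copy the file exported
#    from the root CA into CertEnroll (for the HTTP CDP) and publish it into AD (for the LDAP CDP).
#    Assumption: the root CRL was carried over to D:\transfer\RootCA.crl.
$rootCrl = 'D:\transfer\RootCA.crl'
Copy-Item -Path $rootCrl -Destination "$env:windir\System32\CertSrv\CertEnroll\"
certutil -dspublish -f $rootCrl

# 4. Verify that every AIA/CDP URL in the issuing CA's own certificate can be fetched.
#    This is the same check the Enterprise PKI console performs when it reports "unable to download".
$issuingCert = Join-Path $env:TEMP 'issuing-ca.cer'   # assumption: scratch output file
certutil -ca.cert $issuingCert
certutil -verify -urlfetch $issuingCert
```

Run step 4 before and after the manual copy in step 3: the "unable to download" error Russ saw shows up in the `-urlfetch` output as a failed CDP or AIA fetch for the root CA, and disappears once the root CRL is reachable under the path the extension points at.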
-
Monday, 18 February 2013 23:07
Ok, Here is what I have each publishing:
Enterprise CA:
Delta CRL Allowed
c:\windows\system32\CertSrv\CertEnroll\<CaName>\<CRLNameSuffix><DeltaCRLAllowed>.crl
ldap://CN=<CATruncatedName><CRLNameSuffix>,etc...<CDPObjectClass>
file://\\servername.domain\CertEnroll\<CaName>\<CRLNameSuffix><DeltaCRLAllowed>.crl
RootCA
Delta CRL Allowed
c:\windows\system32\CertSrv\CertEnroll\<CaName>\<CRLNameSuffix><DeltaCRLAllowed>.crl
ldap://CN=<CATruncatedName><CRLNameSuffix>,etc...<CDPObjectClass>
http://servername.domain/CertEnroll/<CaName>/<CRLNameSuffix><DeltaCRLAllowed>.crl
My AIA info is much the same.
Looking at this it seems my CDP is in Active Directory. Is this correct?
Russ
-
Tuesday, 19 February 2013 01:01
Hi Russ,
you made excellent progress. The LDAP CDP is in Active Directory, the HTTP CDP is on a web server.
I usually disable delta CRLs because they do not help you that much, especially if you do not revoke a lot (really a lot) of certificates. In your case, make sure that you update the delta CRL file as well, not just the base CRL file.
Hope that helps,
Lutz
- Marked as answer by Russmcintire, Monday, 4 March 2013 22:28
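Lutz's two points above (turn delta CRLs off when you rarely revoke, and keep every published CRL file current, the manually copied root CRL included) can be handled with a short script on the issuing CA. This is an added example, not code from the thread or from Microsoft. It disables delta CRLs through the CA registry value rather than the Extensions tab, because unticking "Publish Delta CRLs to this location" only stops publishing while the CA keeps generating them; the two-week warning threshold is an assumption.

```powershell
# Added example (not from the thread). Run on the issuing CA as a CA administrator.

# 1. Disable delta CRLs: a delta period of 0 stops the CA from generating them at all.
#    The CA service must be restarted for the change to take effect, and a new base CRL
#    is generated so that it no longer advertises a delta CRL.
certutil -setreg CA\CRLDeltaPeriodUnits 0
Restart-Service -Name certsvc
certutil -crl

# 2. Freshness check for every CRL file served from CertEnroll. The offline root CA's CRL
#    is only replaced by hand, so this is the "reminder in your calendar" as a script.
function Get-CrlNextUpdate {
    param([Parameter(Mandatory)][string]$Path)
    # certutil -dump prints a "NextUpdate: <date>" line for a CRL; parse it out.
    $line = certutil -dump $Path | Where-Object { $_ -match '^\s*NextUpdate:\s*\S' } | Select-Object -First 1
    if (-not $line) { throw "No NextUpdate found in $Path (not a CRL?)" }
    [datetime]::Parse(($line -replace '^\s*NextUpdate:\s*', '').Trim())
}

$warnDays = 14   # assumption: warn two weeks before a CRL expires
Get-ChildItem "$env:windir\System32\CertSrv\CertEnroll\*.crl" | ForEach-Object {
    $next  = Get-CrlNextUpdate -Path $_.FullName
    $left  = ($next - (Get-Date)).Days
    $state = if ($left -lt 0) { 'EXPIRED' } elseif ($left -lt $warnDays) { 'RENEW SOON' } else { 'ok' }
    '{0,-45} NextUpdate {1:yyyy-MM-dd} ({2,4} days left) {3}' -f $_.Name, $next, $left, $state
}
```

Once deltas are disabled, any leftover `*+.crl` delta files in CertEnroll are no longer referenced by the new base CRL and can be removed; the freshness loop is worth scheduling as a task, since an expired root CRL takes down validation for every certificate chained under it, not just for the CA.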
-
Tuesday, 19 February 2013 22:41
We really won't be revoking a lot. To disable delta CRLs, do I just uncheck "Publish Delta CRLs to this location" for all CDPs?
Russ
-
Monday, 4 March 2013 22:30
Thank you for all the help with this. Sorry it took so long to get back. I marked your answers as correct as they were super helpful.
Russ

