Important Wiki Administrator Note
(24/jun/2014)

With explicit permission of the content owners, this article is republishing information.

This article is collecting and republishing updated information on Active Directory Certificate Services (AD CS) that has been published on Technet Library before.

For various reasons the product owners and/or documentation team have transferred (part of) the content to Technet Wiki, to ease content update.

Credits: Markus Vilcinskas, Kurt Hudson, Carol Baily, Rashmi Jha

For every section that refers to Microsoft Technet Library content, the source reference has been added explicitly.

The complete list of source reference material has been added to the end of the article.

  


Introduction

Source: [TechNet], [TechNet]

Active Directory Certificate Services (AD CS) provides customizable services for issuing and managing public key infrastructure (PKI) certificates used in software security systems that employ public key technologies. The digital certificates that AD CS provides can be used to encrypt and digitally sign electronic documents and messages. Further, these digital certificates can be used for authentication of computer, user, or device accounts on a network. Digital certificates are used to provide:

  • Confidentiality - through encryption
  • Integrity - through digital signatures
  • Authentication - by associating certificate keys with computer, user, or device accounts on a computer network.

These certificate services were available starting in Windows 2000 and continue to be available as a server role in Windows Server 2008 R2.

Important: By installing AD CS, you are either creating or extending a Public Key Infrastructure (PKI). A PKI structure that meets the requirements of most organizations is a multi-tier Certification Authority (CA) hierarchy that implements an Offline Root CA. For more information, see the PKI Design Brief Overview and the Windows PKI documentation and reference library.

The sections in this overview of AD CS are:

 

↑ Back to top


Features of AD CS in Different OS Versions

Source: [TechNet]

AD CS provides the following features:

  • Certification authorities (CAs). Root and subordinate CAs are used to issue certificates to users, computers, and services, and to manage certificate validity.
  • Web enrollment. Web enrollment allows users to connect to a CA by means of a Web browser in order to request certificates and retrieve certificate revocation lists (CRLs).
  • Online Responder. The Online Responder service decodes revocation status requests for specific certificates, evaluates the status of these certificates, and sends back a signed response containing the requested certificate status information.
  • Network Device Enrollment Service. The Network Device Enrollment Service allows routers and other network devices that do not have domain accounts to obtain certificates. 

The following table describes features available to enterprise (not standalone) certification authorities:

Windows Server version and SKU

Role Services Available

Certificate Templates available

Auto-enrollment & Key Archival (comes with V2 Templates)

CA Features: SMTP Exit Module & Role Separation

Cross-forest Enrollment

(over DCOM protocol)   

Windows Web Server 2008 R2

None

NA

NA

NA

NA

Windows Server 2008 R2 Standard or Foundation

-Certification Authority (CA)

-CA Web Enrollment

-Certificate Enrollment Web Services* (policy service and enrollment service)

V1, V2*, and V3* templates

Yes*

No

No

Windows Server 2008 R2 Standard, Foundation, or Server Core ** installations

-Certification Authority (CA)*

V1, V2*, and V3* templates

Yes*

No

No

Windows Server 2008 R2 Enterprise or Datacenter

-Certification Authority (CA)

-CA Web Enrollment

-Certificate Enrollment Web Services* (policy service and enrollment service)

-Online Responder (OCSP)

-Network Device Enrollment Service (NDES)

V1, V2, and V3 templates

Yes

Yes

Yes

Windows Server 2008 R2 Enterprise, Datacenter, or Server Core ** installations

-Certification Authority (CA)*

V1, V2, and V3 templates

Yes

Yes

Yes

Windows Server 2008 Standard Edition

-Certification Authority (CA)

-CA Web Enrollment

V1 only

No

No

No

Windows Server 2008 Enterprise or Datacenter Edition

-Certification Authority (CA)

-CA Web Enrollment

-Online Responder (OCSP)

-Network Device Enrollment Service (NDES)

V1, V2, and V3 templates

Yes

Yes

No

Windows Server 2003 Standard Edition

-Certification Authority (CA)

-CA Web Enrollment

V1 only

No

No

No

Windows Server 2003 Enterprise or Datacenter Edition

-Certification Authority (CA)

-CA Web Enrollment

(NDES available as “MSCEP” via resource kit)

V1 and V2 templates

Yes

Yes

No

 Windows Server 2012 Datacenter and standard (including Server Core and Minimal Server Interface)  -Certification Authority (CA)

-CA Web Enrollment

- Certificate Enrollment Web Services (both policy and enrollment service)

-Online Responder (OCSP)

-Network Device Enrollment Service

V1, V2, V3, V4 Yes Yes Yes; also new for Windows Server 2012 and Windows 8 certificate clients is the ability to automatically renew certificates using Certificate Enrollment Web Services when not joined to the same domain using key-based renewal.

* new for Windows Server 2008 R2

** the SMTP Exit Module is not supported on Server Core installations

 

↑ Back to top


Benefits of AD CS

You can use AD CS to enhance security by binding the identity of a person, device, or service to a corresponding private key. AD CS gives you a cost-effective, efficient, and secure way to manage the distribution and use of certificates.

Applications supported by AD CS include Secure/Multipurpose Internet Mail Extensions (S/MIME), secure wireless networks, virtual private network (VPN), Internet Protocol security (IPsec), Encrypting File System (EFS), smart card logon, Secure Socket Layer/Transport Layer Security (SSL/TLS), and digital signatures.

  

↑ Back to top


Active Directory Certificate Services Role

The AD CS server role in the Windows Server 2008 and Windows 2008 R2 operating systems provides customizable services for creating and managing public key certificates used in software security systems employing public key technologies. In addition to binding the identity of a person, device, or service to a corresponding private key, AD CS also includes features that allow you to manage certificate enrollment and revocation in a variety of scalable environments.

  

↑ Back to top


Plan Before Installing

Anyone considering installing AD CS, should be aware of PKI hierarchies first. For a quick introduction, see PKI Design Brief Overview and  basic PKI planning. You can learn more about planning a PKI Hierarchy or CA Hierarchy from various places on the Internet or in the Windows Server 2008 PKI and Certificate Security book by Brian Komar.

   

Cryptography Next Generation

Source: [TechNet], [TechNet]

Cryptography Next Generation (CNG) in the Windows Server® 2008 operating system provides a flexible cryptographic development platform that allows IT professionals to create, update, and use custom cryptography algorithms in cryptography-related applications such as Active Directory® Certificate Services (AD CS), Secure Sockets Layer (SSL), and Internet Protocol security (IPsec). CNG implements the U.S. government's Suite B cryptographic algorithms, which include algorithms for encryption, digital signatures, key exchange, and hashing.

CNG provides a set of APIs that are used to:
  • Perform basic cryptographic operations, such as creating hashes and encrypting and decrypting data.
  • Create, store, and retrieve cryptographic keys.
  • Install and use additional cryptographic providers.

CNG has the following capabilities:

  • CNG allows customers to use their own cryptographic algorithms or implementations of standard cryptographic algorithms. They can also add new algorithms.
  • CNG supports cryptography in kernel mode. The same API is used in both kernel mode and user mode to fully support cryptography features. Secure Sockets Layer/Transport Layer Security (SSL/TLS) and IPsec, in addition to startup processes that use CNG, operate in kernel mode.
  • The plan for CNG includes acquiring Federal Information Processing Standards (FIPS) 140-2 level 2 certification together with Common Criteria evaluations.
  • CNG complies with Common Criteria requirements by using and storing long-lived keys in a secure process.
  • CNG supports the current set of CryptoAPI 1.0 algorithms.
  • CNG provides support for elliptic curve cryptography (ECC) algorithms. A number of ECC algorithms are required by the United States government's Suite B effort.

  

Online Certificate Status Protocol Support: Online Responder

Source: [TechNet]

Certificate revocation is a necessary part of the process of managing certificates issued by certification authorities (CAs). The most common means of communicating certificate status is by distributing certificate revocation lists (CRLs). In the Windows Server® 2008 operating system, public key infrastructures (PKIs) where the use of conventional CRLs is not an optimal solution, an Online Responder based on the Online Certificate Status Protocol (OCSP) can be used to manage and distribute revocation status information.

The use of Online Responders that distribute OCSP responses, along with the use of CRLs, is one of two common methods for conveying information about the validity of certificates. Unlike CRLs, which are distributed periodically and contain information about all certificates that have been revoked or suspended, an Online Responder receives and responds only to requests from clients for information about the status of a single certificate. The amount of data retrieved per request remains constant no matter how many revoked certificates there might be.

In many circumstances, Online Responders can process certificate status requests more efficiently than by using CRLs. For example:

  • Clients connect to the network remotely and either do not need nor have the high-speed connections required to download large CRLs.
  • A network needs to handle large peaks in revocation checking activity, such as when large numbers of users log on or send signed e-mail simultaneously.
  • An organization needs an efficient means to distribute revocation data for certificates issued from a non-Microsoft CA.
  • An organization wants to provide only the revocation checking data needed to verify individual certificate status requests, rather than make available information about all revoked or suspended certificates.

Network Device Enrollment Service

Source:  [Technet, Changes in Functionality from Windows Server 2003 with SP1 to Windows Server2008], for download at: http://www.microsoft.com/en-us/download/details.aspx?id=11534

The Network Device Enrollment Service (NDES) is the Microsoft implementation of the Simple Certificate Enrollment Protocol (SCEP), a communication protocol that makes it possible for software running on network devices such as routers and switches, which cannot otherwise be authenticated on the network, to enroll for X.509 certificates from a certification authority (CA).

NDES operates as an Internet Server Application Programming Interface (ISAPI) filter on Internet Information Services (IIS) that performs the following functions:

  • Generates and provides one-time enrollment passwords to administrators.
  • Receives and processes SCEP enrollment requests on behalf of software running on network devices.
  • Retrieves pending requests from the CA.

 

Web Enrollment

Source: [TechNet]

Certificate Web enrollment has been available since its inclusion in Windows® 2000 operating systems. It is designed to provide an enrollment mechanism for organizations that need to issue and renew certificates for users and computers that are not joined to the domain or not connected directly to the network, and for users of non-Microsoft operating systems. Instead of relying on the autoenrollment mechanism of a certification authority (CA) or using the Certificate Request Wizard, the Web enrollment support provided by a Windows-based CA allows these users to request and obtain new and renewed certificates over an Internet or intranet connection.

For more information, see Web Enrollment and Setup Certification Authority Web Enrollment Support on TechNet.

 

Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service

Source: [TechNet]

The certificate enrollment Web services are available starting with Windows Server 2008 R2 AD CS role services. These enable policy-based certificate enrollment over HTTP by using existing methods such as autoenrollment. The Web services act as a proxy between a client computer and a CA, which makes direct communication between the client computer and CA unnecessary, and allows certificate enrollment over the Internet and across forests.

For more information see Certificate Enrollment Web Services on the askds blog or Certificate Enrollment Web Services in Windows Server 2008 R2 (download).

  

Policy Settings

Source: [Technet]

Certificate settings in Group Policy enable administrators to manage the certificate settings on all the computers in the domain from a central location. Configuring the settings by using Group Policy can effect changes throughout the entire domain. The following are a few examples where administrators can use the new certificate-related settings to:

  • Deploy intermediate certification authority (CA) certificates to client computers.
  • Ensure that users never install applications that have been signed with an unapproved publisher certificate.
  • Configure network timeouts to better control the chain-building timeouts for large certification revocation lists (CRLs).
  • Extend CRL expiration times if a delay in publishing a new CRL is affecting applications. 

  

Restricted Enrollment Agent

Source: [TechNet]

The restricted enrollment agent is a new functionality in the Windows Server 2008 Enterprise operating system that allows limiting the permissions that users designated as enrollment agents have for enrolling smart card certificates on behalf of other users. The following sections describe this change and its implications.

Enrollment agents are one or more authorized individuals within an organization. The enrollment agent needs to be issued an enrollment agent certificate, which enables the agent to enroll for smart card certificates on behalf of users. Enrollment agents are typically members of the corporate security, Information Technology (IT) security, or help desk teams because these individuals have already been trusted with safeguarding valuable resources. In some organizations, such as banks that have many branches, help desk and security workers might not be conveniently located to perform this task. In this case, designating a branch manager or other trusted employee to act as an enrollment agent is required to enable smart card credentials to be issued from multiple locations.

On a Windows Server 2008 Enterprise-based certification authority (CA), the restricted enrollment agent features allow an enrollment agent to be used for one or many certificate templates. For each certificate template, you can choose which users or security groups the enrollment agent can enroll on behalf of. You cannot constrain an enrollment agent based on a certain Active Directory® organizational unit (OU) or container; you must use security groups instead. The restricted enrollment agent is not available on a Windows Server® 2008 Standard-based CA.

  

Enterprise PKI (PKIView)

Source: [TechNet

Monitoring and troubleshooting the health of all certification authorities (CAs) in a public key infrastructure (PKI) are essential administrative tasks facilitated by the Enterprise PKI snap-in. Originally part of the Microsoft® Windows Server® 2003 Resource Kit and called the PKI Health tool, Enterprise PKI is a Microsoft Management Console (MMC) snap-in for the Windows Server 2008 and Windows Server 2008 R2 operating systems. Because it is part of the core operating system, you can use Enterprise PKI after server installation by simply adding it to an MMC console. It then becomes available to analyze the health state of CAs installed on computers running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003.

Enterprise PKI provides a view of the status of your network's PKI environment. Having a view of multiple CAs and their current health states enables administrators to manage CA hierarchies and troubleshoot possible CA errors easily and effectively. Specifically, Enterprise PKI indicates the validity or accessibility of authority information access (AIA) locations and certificate revocation list (CRL) distribution points.

For each CA selected, Enterprise PKI indicates one of the CA health states listed in the following table.

Indicator CA state
Question mark CA health state evaluation
Green indicator

CA has no problems

Yellow indicator CA has a non-critical problem
Red indicator CA has a critical problem
Red cross over CA icon CA is offline

Once you add the Enterprise PKI snap-in to the MMC, three panes appear:

  • Tree. This pane displays a tree representation of your enterprise PKI hierarchy. Each node under the Enterprise PKI node represents a CA with subordinate CAs as child nodes.
  • Results. For the CA selected in the tree, this pane displays a list of subordinate CAs, CA certificates, CRL distribution points, and AIA locations. If the console root is selected in the tree, the results pane displays all root CAs. There are three columns in the results pane:
    • Name. If the Enterprise PKI node is selected, the names of the root CAs under the Enterprise PKI node are displayed. If a CA or child CA is selected in the tree, then the names of CA certificates, AIA locations, and CRL distribution points are displayed.
    • Status. A brief description of CA status (also indicated in the tree by the icon associated with the selected CA) or the status of CA certificates, AIA locations, or CRL distribution points (indicated by status text descriptions, examples of which are OK and Unable to Download) is displayed.
    • Location. AIA locations and CRL distribution points (protocol and path) for each certificate are displayed. Examples are file://, HTTP://, and LDAP://.
  • Actions. This pane provides the same functionality found on the Actions, View, and Help menus.

    Depending on the item selected in either the tree or results pane, you can view more details about CAs and CA certificates including AIA and CRL information in the actions pane. You can also manage the enterprise PKI structure and make corrections or changes to CA certificates or CRLs.

 

↑ Back to top


Hardware and software considerations

AD CS requires Windows Server 2008 or Windows Server 2008 R2 and for enterprise roles Active Directory Domain Services (AD DS) is also required. While AD CS can be deployed on a single server, many deployments will involve multiple servers configured as CAs, which is recommended. Other servers could be configured as Online Responders, and still other servers acting as Web enrollment portals. CAs can be set up on servers running a variety of operating systems, including Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, and Windows 2000 Server (although Windows 2000 is no longer supported by Microsoft). Not all operating systems support all features or design requirements (as discussed previously), and creating an optimal design will require careful planning and testing before you deploy AD CS in a production environment.

 

↑ Back to top


See also

 

↑ Back to top


Source references

 

↑ Back to top


Additional Resources