{"id":2805,"date":"2014-10-20T08:15:19","date_gmt":"2014-10-20T13:15:19","guid":{"rendered":"http:\/\/www.poweradmin.com\/blog\/?p=2805"},"modified":"2015-04-24T14:58:18","modified_gmt":"2015-04-24T19:58:18","slug":"deploying-active-directory-certificate-services-and-online-responder","status":"publish","type":"post","link":"https:\/\/www.poweradmin.com\/blog\/deploying-active-directory-certificate-services-and-online-responder\/","title":{"rendered":"Deploying Active Directory Certificate Services and Online Responder"},"content":{"rendered":"

\"deploying<\/span>Certificate Services has become one of the core components of any Active Directory infrastructure<\/a>. A certification authority (CA) issues digital certificates to testify the authenticity of <\/span>applications, users and computers. Digital certificates can be issued, revoked and renewed based on the necessities of the company. When deciding to deploy AD CS within your organization, you will need <\/span>to take into consideration several factors:<\/span><\/p>\n

What kind of CA are you going to deploy? \u2013 There are two CAs that can be deployed on a Windows Server: Enterprise CA or Stand-Alone CA. You should always opt for the Enterprise CA whenever possible because it offers increased capabilities. It integrates into AD and uses Group Policy to replicate certificate trust list to users and computers. Revocation lists are also published to AD, Auto-enrollment feature is supported, certificates are generated based on the information stored in AD and security checks are made when users send certificate requests. Most of these features are not supported by the Stand-Alone CA and all of these operations must be done manually by System Administrators.<\/span><\/p>\n

There may be times in which you\u2019d want to revoke certain certificates so that they are not trusted anymore. Information that a certificate has been revoked is published in so called certificate revocation list (CRL). The location of any CRL is included in the digital certificate so any entity can verify the validity of a digital certificate. You can specify a custom location for your CRL that is accessible by users and computers.<\/span><\/p>\n

When publishing huge CRLs to a certain location, delays may occur when there is an increased usage of network resources. These problems may arise when numerous users try to login using smart cards or use digital certificates. To overcome this problem Microsoft created Online Responders which are used to validate request sent by network users. Instead of downloading huge CRLs, a user will send a request to the local OCSP service to verify the authenticity of an entity. You can deploy one Online Responder to verify the revocation status for one or multiple CAs.<\/span><\/p>\n

In this article we will learn how to install and configure an Active Directory Certificate Services<\/i> and configure an Online Responder Server<\/i>. For this demonstration I will be using a Windows Server 2012<\/a> Virtual Machine hosted in my VMware testing environment. Let\u2019s start by installing the Certification Authority and Online Responder services. Log in on the server with Administrator credentials, open the Server Manager<\/i> console and click on Add Roles and Features<\/i> button. From the available roles list select Active Directory Certificate Services<\/i> and click on the Next<\/i> button:<\/span><\/p>\n

\"Active<\/span><\/p>\n

Make sure that Certification Authority<\/i> and Online Responder<\/i> services are checked:<\/span><\/p>\n

\"Certification<\/span><\/p>\n

Check out the confirmation page to ensure everything will be installed as desired and press the Install<\/i> button. Once the install operations is completed you will need to start the post configuration Wizard<\/i> from the Server Manager<\/i> console. We will start by configuring the Certification Authority<\/i> service. From the setup type of the CA, select the Enterprise CA<\/i> and the Root CA<\/i> since this is the first CA deployed in our PKI (Public Key Infrastructure)<\/i>.<\/span><\/p>\n

In the following section we will need to create a new private key, make sure that the RSA#Microsoft Software Key Storage Provider cryptographic provider<\/i> is selected, that the key<\/i> is set to 2048<\/i> and the hash<\/i> algorithm<\/i> for signing certificates is set to SHA1<\/i>:<\/span><\/p>\n

\"Cryptography<\/span><\/p>\n

In the following section we have to specify the name for our Certification Authority. You can configure the common name<\/i> and the distinguished name suffix<\/i>:<\/span><\/p>\n

\"Certification<\/span><\/p>\n

Set the validity period<\/i> of the Certification Authority (CA) to five years or whatever period you desire:<\/span><\/p>\n

\"CA<\/span><\/p>\n

In the last section of the AD CS Configuration Wizard you\u2019ll need to type in the certificate database location and certificate database log location:<\/span><\/p>\n

\"AD<\/span><\/p>\n

The configuration Wizard for the Online Responder is instant, you just need to start it and click on Configure:<\/i><\/span><\/p>\n

\"Onlnie<\/span><\/p>\n

Once the OCSP service is configured, we need to configure our OCSP Response Signing template<\/i>. Open Certification Authority<\/i> console, navigate to the Certificate Templates section<\/i>, right click<\/i> it and select Manage<\/i> from the menu:<\/span><\/p>\n

\"Configure<\/p>\n

Now right click<\/i> the OCSP Response Signing<\/i> certificate and click on Properties<\/i>. Navigate to the Security<\/i> tab, add the Server hosting the OCSP service and set the permissions to Read<\/i>, Enroll<\/i> and Autoenroll<\/i>.<\/span><\/p>\n

\"OCSP<\/span><\/p>\n

Return to the Certification Authority console, right click the CA name<\/i> and click on Properties<\/i>. Navigate to the Extensions<\/i> tab<\/i>, select Authority Information Access (AIA)<\/i> extension<\/i> and click on the Add<\/i> button:<\/span><\/p>\n

\"CA<\/p>\n

Type http:\/\/srv2.ppscu.com\/ocsp<\/span>, where srv2.ppscu.com<\/span> is the FQDN of my OCSP server. Make sure to check Include in the online certificate status protocol (OCSP) extension<\/i>:<\/span><\/p>\n

\"SRV2-CA<\/span><\/p>\n

The CA will be restarted once the AIA extension is added. Return to the Certification Authority console, right click<\/i> Certificate Templates and select New -> Certificate Template to Issue<\/i>. From the available templates select the OCSP Response Signing<\/i> template:<\/span><\/p>\n

\"OCSP<\/span><\/p>\n

Our configuration is almost completed, we just need to enable Autoenrollment feature<\/i> from the Group Policy<\/a> Management Console<\/i>. Edit<\/i> the Default Domain Policy<\/i> or create a new<\/i> GPO<\/i> and expand Computer Configuration\/Policies\/Windows Settings\/Security Settings\/Public Key Policies<\/i> and enable the Certificate Services Client \u2013 Auto-Enrollment <\/i>policy:<\/span><\/p>\n

\"Certificate<\/span><\/p>\n

Once the policy is enabled, close GPM console and force a group policy update by typing gpupdate \/force<\/i> from command prompt. Your CA is now configured with an Online Responder<\/i> enabled to service certificate requests. That\u2019s about it for this article folks. Make sure you follow all steps precisely to be sure that your infrastructure will be configured accordingly. Please share your thoughts about this article and don\u2019t forget to enjoy your day!<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

Certificate Services has become one of the core components of any Active Directory infrastructure. A certification authority (CA) issues digital certificates to testify the authenticity of applications, users and computers. Digital certificates can be issued, revoked and renewed based on the necessities of the company. When deciding to deploy AD CS within your organization, you […]<\/p>\n","protected":false},"author":4,"featured_media":2824,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,5,9,8],"tags":[],"class_list":["post-2805","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general-it","category-how-to","category-technical","category-windows"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/2805","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/comments?post=2805"}],"version-history":[{"count":5,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/2805\/revisions"}],"predecessor-version":[{"id":3450,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/2805\/revisions\/3450"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/media\/2824"}],"wp:attachment":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/media?parent=2805"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/categories?post=2805"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/tags?post=2805"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}