Hi guys,
Following on from my last post about Active Directory Domain Services, let's move on to Windows Server 2008's other Active Directory based services.
Active Directory Certificate Services
Active Directory Certificate Services (AD CS) provides customisable services for creating and managing public key certificates used in software security systems that employ public key technologies. AD CS comprises the following feature components, all configurable through Server Manager (I will run through the install procedure later on):
Certification authorities (CAs). Root and subordinate CAs are used to issue certificates to users, computers, and services, and to manage certificate validity.
Web enrollment. Web enrollment allows users to connect to a CA by means of a Web browser in order to request certificates, retrieve certificate revocation lists (CRLs), and perform smart card certificate enrollment.
Online Responder service. The Online Responder service decodes revocation status requests for specific certificates, evaluates the status of these certificates, and sends back a signed response containing the requested certificate status information.
Network Device Enrollment Service (NDES). NDES allows routers and other network devices that do not have network accounts to obtain certificates.
Benefits of AD CS
Organisations can use AD CS to enhance security by binding the identity of a person, device, or service to a corresponding private key. AD CS gives organizations a cost-effective, efficient, and secure way to manage the distribution and use of certificates.
Applications supported by AD CS include Secure/Multipurpose Internet Mail Extensions (S/MIME), secure wireless networks, virtual private network (VPN), Internet Protocol security (IPsec), Encrypting File System (EFS), smart card logon, Secure Socket Layer/Transport Layer Security (SSL/TLS), and digital signatures.
Among the new features of AD CS in Microsoft Windows Server 2008 are:
• Improved enrollment capabilities that enable delegated enrollment agents to be assigned on a per-template basis.
• Integrated Simple Certificate Enrollment Protocol (SCEP) enrollment services for issuing certificates to network devices such as routers.
• Scalable, high-speed revocation status response services combining both CRLs and integrated Online Responder services.
Hardware and software considerations
AD CS requires Windows Server 2008 and Active Directory Domain Services (AD DS). Although AD CS can be deployed on a single server, many deployments will involve multiple servers configured as CAs, other servers configured as Online Responders, and others serving as Web enrollment portals.
CAs can be set up on servers running a variety of operating systems, including Windows Server 2008, Windows Server 2003, and Windows 2000 Server. However, not all operating systems support all features or design requirements, and creating an optimal design will require careful planning and lab testing before you deploy AD CS in a production environment.
OK, let's go through the install procedure.
As usual you use Server Manager to install the role: select Add Roles, then select Active Directory Certificate Services.
The Welcome page is below.
I'm going to add our primary role and the feature Certificate Authority Web Enrollment (see above for a description of the features).
Please note that when you add CAWE you will be prompted to install the required IIS services.

If you plan to install Network Device Enrollment Service, note that you need to complete Certification Authority setup before you can install and set up this service.
The next step involves selecting whether you use AD DS to simplify issuing of certificates (Enterprise mode) or select standalone mode, which entails a bunch of extra configuration steps. Enterprise configuration is the recommended way of deploying certificates. Choose Next.

The next step involves configuring your CA. You can select Root CA if this is your only certificate authority, or if you have another CA (whether internal or external) you can select Subordinate CA. In this example I will be setting this server up as a Root CA.

The next step involves setting up your private key. If you don't configure a private key or select an existing key, certificates will NOT be issued to clients. As I do not have an existing key from another CA, I will choose to create a new one.

Before you can issue certificates, your private key needs to be encrypted. This Cryptography section of the wizard involves selecting a CSP and a hash algorithm; there are a massive number of different CSPs, so choose what is appropriate for your organisation's security policy.

I will be using Microsoft Base Cryptographic Provider 1.0 with the SHA-1 algorithm for this example.
The next step involves configuring your CA name. Generally you would leave all options as they are, as it registers the CA against the server FQDN, but changing the common name is OK too. Choose Next.
Now you need to set the certificate expiry, i.e. how long the client/device has before needing to get a certificate reissued. The default is 5 years, which is what I have left mine at. However, best practice is to make it considerably less, though this depends on your internal organisation policies.
Next you need to specify the install location of the database and logs. I am going to leave it as default; however, for performance or policy reasons you may choose to change this.
Remember earlier on it asked if you wanted to install the required IIS services? Here is where you configure the individual IIS components; choose Next on the welcome page.
Generally you can leave all the default selections; however, I am installing the additional IIS 6.0 components for my Exchange install later on (blog will follow!). Then choose Next.
Finally we are at the confirmation page. Confirm everything is OK and hit Next.
Installation starts.

Once completed you will see a screen like the one below.
Now you will see the role under Server Manager (no restart is required for this role); however, in my experience I have found it will not function correctly until a restart. Additionally, if you plan to install any other features of AD CS you will need to restart first.
Now you will see you have access to the new Certificate Server snap-in under Admin Tools. From here you can view issued certificates, revoked certificates, pending requests, failed requests and templates.
Now, templates... In Windows Server 2003 R3 you had the previous facilities but NOT templates. I think this is a fantastic feature that they have added, and it's dead easy. For example, I would like to set up a certificate template for smart card authenticated users... EASY! Select Certificate Templates and you will see the preinstalled templates.
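The wizard pages above (CSP and hash algorithm, CA name, validity period) leave their settings in the CA's certificate and in the CertSvc registry keys. The script below, which is an added example and not part of the original post, reads those settings back so they can be checked against your organisation's policy once the role is installed. It assumes a single active CA on the server, the standard AD CS registry layout under HKLM\SYSTEM\CurrentControlSet\Services\CertSvc, and PowerShell 2.0 or later in an elevated prompt on the CA. The wizard's validity page sets the lifetime of the CA's own certificate; the default lifetime of certificates the CA issues is held in the ValidityPeriod and ValidityPeriodUnits registry values, which the script also reports.

```powershell
# Added example, not from the original post: read back the AD CS wizard
# choices (CA name, CA certificate hash and key size, validity periods) and
# flag the ones worth a second look. Run elevated on the CA server.
# Assumptions: one active CA on this server; standard CertSvc registry layout.

$regBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $regBase).Active          # name of the active CA
$conf    = Get-ItemProperty -Path (Join-Path $regBase $caName)

# The CA's own certificate sits in the machine Personal store with its private
# key. Its signature algorithm and key size reflect the CSP / hash chosen on
# the Cryptography page of the wizard.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=$($conf.CommonName)*" } |
    Select-Object -First 1

if (-not $caCert) {
    throw "No CA certificate with a private key found for '$($conf.CommonName)'"
}

$sigAlg  = $caCert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA or sha256RSA
$keyBits = $caCert.PublicKey.Key.KeySize

$findings = @()
if ($sigAlg -match 'sha1') {
    $findings += "CA certificate is signed with $sigAlg; modern clients reject SHA-1 signatures, prefer SHA-256."
}
if ($keyBits -lt 2048) {
    $findings += "CA key is $keyBits bits; 2048 bits or more is the usual minimum."
}

# Lifetime of certificates this CA issues (registry), as opposed to the
# lifetime of the CA certificate itself (set on the wizard's validity page).
$issuedLifetime = "$($conf.ValidityPeriodUnits) $($conf.ValidityPeriod)"
if ($conf.ValidityPeriod -eq 'Years' -and $conf.ValidityPeriodUnits -gt 2) {
    $findings += "Issued certificates are valid for $issuedLifetime; consider a shorter period per policy."
}

New-Object PSObject -Property @{
    CAName             = $caName
    CACertExpires      = $caCert.NotAfter
    SignatureAlgorithm = $sigAlg
    KeyBits            = $keyBits
    IssuedCertLifetime = $issuedLifetime
    CRLPeriod          = "$($conf.CRLPeriodUnits) $($conf.CRLPeriod)"
    Findings           = $findings
} | Format-List
```

Run it once after the restart the post recommends; the Findings list is empty on a CA whose hash, key size and issued-certificate lifetime are within the thresholds coded above, and those thresholds are the place to encode your own policy.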

Right-click on Certificate Templates and choose New Template, and add your required certificate for clients.
As you can see there are heaps of templates available. What I like best is that once you add them they are all preconfigured; there is no additional work required!
Now clients can connect to the server's IIS web site and request new certificates if required.

All they select is 'Request a certificate', and the below is displayed.

If any additional information is required it will prompt you here, but in this case I have left everything default, so the user chooses Submit, sending a request to the AD CS server for a new certificate. It will then appear under pending and/or issued certificates in the certserv tool.

The user gets a warning message; select Yes.

The certificate has been issued; select Install this certificate.
Another prompt; select Yes.
Certificate issuing complete.
COOL!
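The request just submitted through web enrollment ends up in the CA database, in the pending, issued, revoked or failed view of the snap-in described above. The script below is an added example, not part of the original post, that pulls those same views from the command line with certutil.exe (which ships with Windows) and lists the templates the CA is set to issue, so an unexpected request or an enabled-but-unused template is easy to spot. It assumes an elevated prompt on the CA server, PowerShell 2.0 or later for ConvertFrom-Csv, and the Disposition codes AD CS stores in its database (9 pending, 20 issued, 21 revoked, 30 failed/denied).

```powershell
# Added example, not from the original post: list requests in the CA database
# by outcome, then the templates this CA will issue. Run elevated on the CA.
# Assumptions: certutil.exe in PATH (part of Windows), PowerShell 2.0+.

# Disposition values as stored in the AD CS request database.
$dispositions = @{ 9 = 'Pending'; 20 = 'Issued'; 21 = 'Revoked'; 30 = 'Failed/Denied' }

# Columns to pull from the database; empty for requests that have no certificate.
$columns = 'RequestID,RequesterName,CertificateTemplate,NotBefore,NotAfter'

foreach ($code in ($dispositions.Keys | Sort-Object)) {
    $label = $dispositions[$code]

    # The trailing "csv" keyword makes certutil emit a header row plus one row
    # per request. Drop certutil's own status line and blank lines before parsing.
    $rows = certutil -view -restrict "Disposition=$code" -out $columns csv |
        Where-Object { $_ -ne '' -and $_ -notmatch '^CertUtil:' } |
        ConvertFrom-Csv

    Write-Host ("{0}: {1} request(s)" -f $label, @($rows).Count)
    $rows | Format-Table -AutoSize
}

# Templates this CA is configured to issue (the list behind "Certificate
# Templates" in the snap-in). Anything enabled that nobody should be
# requesting is a candidate for removal from this list.
certutil -CATemplates
```

The Pending view is the one to watch on a CA whose templates require manager approval; the Failed/Denied view shows requests the CA rejected, and the requester names there are worth reviewing alongside the IIS logs of the web enrollment site.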