Today I happened to read about Active Directory Certificate Services while setting up certificate-based authentication between SCOM agents in the DMZ and the management servers. I felt I should jot down the stuff I’ve read about AD CS in layman’s terms so that it helps a newbie (like me) to quickly get started with Certificate Services.
What is Active Directory Certificate Services?
Active Directory Certificate Services (AD CS) provides the services to issue and manage digital certificates. A certificate binds a public key to the identity of a software application, computer or user, so that two communicating parties can prove who they are to each other (and, with TLS, protect the traffic between them).
It involves a Certification Authority (CA) which receives certificate requests, verifies the information in the request and the identity of the requestor, and issues the certificates. It can also revoke issued certificates if needed. Revoked certificates are listed in a Certificate Revocation List (CRL) that the CA publishes to one or more CRL Distribution Points (CDPs); the CDP URLs are embedded in every certificate the CA issues. Clients are not pushed updates: a client validating a certificate downloads the CRL from the CDP and caches it until the CRL’s next-update time, so a revocation only becomes visible to a client once its cached CRL expires or a fresh one is fetched.
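To see the CDP/CRL mechanism described above in action, here is an added example (not from the original post) that reads the CDP extension out of a certificate, builds its chain with online revocation checking the way a relying party would, and shows the CA-side commands that control CRL publication. The file path C:\pki\agent.cer and the revoked serial number are assumptions.

```powershell
# Added example, not part of the original post. Assumed path: the certificate
# under examination has been exported to C:\pki\agent.cer.
$path = 'C:\pki\agent.cer'
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path

# 1. Where does this certificate say its CRL lives? (CRL Distribution Points, OID 2.5.29.31)
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if ($cdp) {
    "CDP URLs for $($cert.Subject):"
    $cdp.Format($true)
} else {
    'No CDP extension: relying parties cannot check revocation for this certificate'
}

# 2. Build the chain with online revocation checking, as a relying party does.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$ok = $chain.Build($cert)
"Chain valid: $ok"
$chain.ChainStatus | ForEach-Object { '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }
# A CRL the client cannot fetch shows up here as RevocationStatusUnknown / OfflineRevocation,
# not as Revoked; a CRL that is cached but stale hides a fresh revocation until it expires.

# 3. The same check through certutil, which also prints every CDP and AIA URL it fetched.
certutil -verify -urlfetch $path

# 4. On the CA itself: how often the CRL is republished, and how to force a new one
#    after revoking a certificate (serial number below is assumed, not from the post).
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod
# certutil -revoke 1a2b3c4d5e6f 1    # reason 1 = KeyCompromise
certutil -CRL                        # publish a new base CRL to the configured CDPs now
```

The practical caveat this demonstrates: after `certutil -revoke`, clients keep honouring the certificate until `certutil -CRL` (or the scheduled publication) has run and their cached CRL has expired, so a short CRL validity period is what bounds the exposure window.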
How do I install Certificate Authorities?
Public Certification Authorities are run by third parties like VeriSign, GoDaddy, Comodo, etc. For internal use, however, firms can install their own CAs within their domain or forest. Internal CAs are cheaper to set up and, unlike certificates issued by an external CA, there is no per-certificate fee; the trade-off is that the organization then carries the cost of running and protecting the CA, and its certificates are trusted only by machines that trust its root certificate.
In Windows Server 2003 the CA is a Windows component installed through Add/Remove Windows Components in the Add or Remove Programs wizard. In Windows Server 2008 it is a server role (Active Directory Certificate Services) installed through Server Manager.
Are there any types of CAs?
Yes, Windows CAs are of two types, Enterprise CA and StandAlone CA (either type can be a root CA or a subordinate CA).
- An Enterprise CA issues certificates based on certificate templates, which can be customized; a StandAlone CA does not use templates, so every property of the certificate has to be specified in the request itself.
- An Enterprise CA lets you leverage AD services (e.g., Kerberos authentication and Group Policy) to automate many of the tasks associated with a PKI.
- Computers that are part of the domain automatically trust certificates issued by the Enterprise CA, because its certificate is published to AD and distributed to domain members. With a StandAlone CA you must explicitly add the CA’s self-signed certificate (root certificate) to the Trusted Root Certification Authorities store on each computer, either by hand, through Group Policy, or by publishing it to AD with certutil -dspublish.
- An Enterprise CA can approve certificate requests automatically, based on the permissions set on the template; on a StandAlone CA requests are set to pending by default and a CA administrator has to approve each one manually before a certificate is issued.
- An Enterprise CA stores its configuration and published certificates in AD and must be installed on a member server of the domain. It does not have to be a domain controller, and for security reasons it should not be: anyone who administers the CA server can sign certificates, so the CA should not share a host with the directory itself.
- A StandAlone CA does not depend on AD. Both CA types keep their database of issued certificates locally on the CA server; a StandAlone CA is typically used where requesters are not domain members (workgroup or DMZ hosts), and its CA certificate and CRLs are published to a shared folder, web location or LDAP path of your choosing. The Web Enrollment pages (default: http://<CAServerName>/CertSrv) are an optional role service that can front either type of CA.
- Enterprise CAs have also been tested for clustered installations (failover clustering of the CA role is supported on the Enterprise and Datacenter editions of Windows Server 2008).
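The trust difference between the two CA types is the one that bites in a DMZ scenario, so here is an added example (not from the original post) of distributing a StandAlone root CA’s certificate to a single non-domain machine and, separately, to the whole domain via AD, followed by a check that the root is actually trusted. The CA name DMZ-Root-CA and the path C:\pki\DMZ-Root-CA.cer are assumptions.

```powershell
# Added example, not part of the original post. Assumed: a StandAlone root CA
# named 'DMZ-Root-CA' whose certificate has been exported to C:\pki\DMZ-Root-CA.cer.
$rootCer = 'C:\pki\DMZ-Root-CA.cer'

# Sanity check before installing any CA role: DomainRole 4 or 5 means this box is a
# domain controller, which is where a CA should not live.
$role = (Get-WmiObject Win32_ComputerSystem).DomainRole
if ($role -ge 4) { Write-Warning 'This machine is a domain controller; put the CA on a member server instead.' }

# Single machine (e.g. a workgroup SCOM agent in the DMZ): add the root to LocalMachine\Root.
certutil -addstore -f Root $rootCer

# Domain-wide, run once as an Enterprise Admin: publish the root into the AD Configuration
# partition so every domain member picks it up at its next Group Policy refresh.
certutil -dspublish -f $rootCer RootCA
# Only if this CA will also issue certificates used for Windows logon (smart cards etc.):
# certutil -dspublish -f $rootCer NTAuthCA

# Verify on a client: is the root now present in the trusted store?
$thumb   = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $rootCer).Thumbprint
$trusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $thumb }
if ($trusted) { "Trusted: $($trusted.Subject)" } else { "Root $thumb is NOT trusted on this machine" }

# For comparison, an Enterprise CA needs none of the above: it is already registered in AD.
certutil -ADCA
```

Note that `certutil -dspublish` only helps domain members; hosts in a DMZ that are not joined to the domain still need the root delivered out of band, which is exactly the situation the `certutil -addstore` line covers.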
What are the methods available to request a certificate?
A certificate can be requested from a Certification Authority in several ways:
- Using the Web Server Certificate Wizard in IIS 6.0, or the Server Certificates feature in IIS 7
- Using the CA’s Web Enrollment pages (default: http://<CAServerName>/CertSrv)
- Creating an INF file with the certificate properties and submitting the request with the CertReq.exe command-line tool; this is the usual choice for scripted requests and for hosts that are not domain members, such as DMZ servers
- Using the Certificates MMC snap-in (Request New Certificate) or Group Policy autoenrollment, both of which require an Enterprise CA
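The INF plus CertReq.exe route is the one that works for a DMZ host, so here is an added example (not from the original post) of the full round trip: an INF file for a machine certificate, the request, the pending-approval step a StandAlone CA imposes, retrieval and installation. The CA config string ca01.corp.example.com\Corp-Issuing-CA, the host name scomgw01.dmz.example.com and the RequestId 42 are assumptions; the EKU pair is what mutual TLS authentication needs in general.

```powershell
# Added example, not part of the original post. Assumed names: CA config string
# 'ca01.corp.example.com\Corp-Issuing-CA' and requesting host scomgw01.dmz.example.com.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=scomgw01.dmz.example.com"
KeyLength = 2048
KeySpec = 1                      ; AT_KEYEXCHANGE, required for TLS
KeyUsage = 0xA0                  ; digitalSignature + keyEncipherment
MachineKeySet = TRUE             ; key lives in the computer store, not the user's
Exportable = FALSE               ; private key cannot be copied off this host
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1          ; Server Authentication
OID = 1.3.6.1.5.5.7.3.2          ; Client Authentication (mutual auth needs both)

[RequestAttributes]
CertificateTemplate = WebServer  ; honoured by an Enterprise CA, ignored by a StandAlone CA
'@
Set-Content -Path C:\pki\request.inf -Value $inf
$ca = 'ca01.corp.example.com\Corp-Issuing-CA'

# 1. Generate the key pair and a PKCS#10 request on the requesting host.
certreq -new C:\pki\request.inf C:\pki\request.req

# 2. Submit it. An Enterprise CA with template permissions returns the certificate
#    immediately; a StandAlone CA leaves the request pending and prints a RequestId.
certreq -submit -config $ca C:\pki\request.req C:\pki\cert.cer

# 3. (StandAlone CA) a CA administrator reviews and issues the pending request.
#    The RequestId below is assumed; read yours from the output of step 2.
$requestId = 42
certutil -config $ca -resubmit $requestId

# 4. (StandAlone CA) the requester retrieves the issued certificate.
certreq -retrieve -config $ca $requestId C:\pki\cert.cer

# 5. Bind the issued certificate to the private key generated in step 1.
certreq -accept C:\pki\cert.cer

# 6. Check the result: the certificate must be in LocalMachine\My with its private key.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=scomgw01.dmz.example.com' } |
    Select-Object Subject, NotAfter, HasPrivateKey
```

If step 6 shows HasPrivateKey as False, step 5 was run on a different machine (or under a different key store) than step 1; the private key never leaves the host where `certreq -new` ran, so `certreq -accept` must be run there.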
What are the consoles available for managing Certificate Servers and Clients?
Certification Authority console: an MMC snap-in used to configure CA properties, issue and manage certificates, approve or deny pending requests, publish CRLs, etc.
Certificates console: an MMC snap-in that lets you browse the certificate stores (Personal, Trusted Root Certification Authorities, Third-Party Root Certification Authorities, etc.) of a user, a service or a computer, request new certificates from an Enterprise CA, and import, export or delete certificates.
Certificate Templates console: The MMC snap-in allows you to create and manage certificate templates.