Certificates in a Microsoft Windows Environment

Before you start, you have to plan your CA hierarchy. The following is only an example and may not fit for your organization.

For more information see:

• http://social.technet.microsoft.com/wiki/contents/articles/pki-design-brief-overview.aspx: new window
• http://technet.microsoft.com/en-us/library/cc772393(v=ws.10).aspx: new window
• http://technet.microsoft.com/en-us/library/cc731522.aspx: new window

To carry out the following steps, you need a running Active Directory, all necessary licenses and an external web server.

Certificate Authority (CA)

In the following example, only a single root is chosen. The CA uses a SHA-512 hash algorithm, a 4096 character key and a 5-year validation time. Set the parameters according to your company guidelines.

The CRL in this example is available here (you may adapt it for your organization):
http://localhost/certenroll/<CA common name>.crl

For information about how to use your Public Key Infrastructure (PKI) with the Fabasoft Cloud, see chapter “Configure the Certificate Log-in for a Fabasoft Cloud Organization”.

The Active Directory is used for the automatic user certificate enrollment.

Install Active Directory Certificate Services

To add the “Active Directory Certificate Services” role, proceed as follows:

1. Start the “Add Roles and Features Wizard” (“Server Manager” > “Manage” > “Add Roles and Features”).
2. Carry out a Role-based or feature-based installation on the desired server.
3. Select “Active Directory Certificate Services” and follow the wizard.
   
4. As Role services select “Certification Authority” and “Certification Authority Web Enrollment” and follow the wizard.
   Note: The web enrollment is needed to provide the CRL.
   
5. Click “Install”.

Configure Active Directory Certificate Services

To configure Active Directory Certificate Services, proceed as follows:

1. Start the “AD CS Configuration Wizard” (“Server Manager” > “Notifications” > “Configure Active Directory Certificate Services”).
2. Specify the credentials to configure role services.
   
3. Select the “Certification Authority” and “Certification Authority Web Enrollment” role services.
   
4. Select Enterprise CA.
   
5. Select Root CA.
   
6. Define your desired private key settings.
   
7. Define the cryptographic options according to your company guidelines.
   
8. Enter a common name for the CA.
   
9. Define the validity period.
   
10. Define the database location.
    
11. Check the settings and click “Configure”.
    

Define an Automatic Rollout of User Certificates

To enable an automatic rollout of user certificates via group policies check the corresponding properties in the default domain policy.

Make sure that the every domain user can auto-enroll the specific certificate template.

Export Root and Issuing Certificates

Start certmgr.msc and export the root certificate (“Trusted Root Certification Authority” > “Certificates” > certificate’s context menu > “All Tasks” > “Export” > “DER encoded binary X.509”). If you have intermediate CAs, repeat the export for all these certificates.

The usage of these files is described in the next chapter.