Customizing Windows PKI – Some Tipps and Tricks

Installing a PKI infrastructure is a good idea as more and more servers and applications need certificates. Most of these certificates need not to be issued by a public certificate authority as only used by internal clients or clients under control of the corporate IT.

The base architecture of setting up a corporate PKI is described here:

While the setup of a certificate authority is just to add the corresponding server roles on the server, this article will show some small but essential custom settings, which should be made on the certificate authority server, which finally issues the certificates to the clients.  

Certificate templates can be used to easily create standard certificates for all kind of usage. Most common and most used certificates are user, computer and webserver certificates. Each client, which has permissions on a template can easily request a certificate based on such a template for his own use.

Although windows certification services have a lot of predefined templates, it makes sense to customize some of them to keep the things better under control. As far as a certificate is issued, it can be used for everything what is allowed by the template, and the default settings makes it difficult to decide, for what they are finally used and if it is easily possible to revoke them if needed.

Every template has a preset of common settings, the most important settings are:
The subject name
Additional alternative subject names (for SAN certificates )
A lifetime
Information for what the certificate can be used
Encryption methods and keys

While default templates cover most of the needs, they have some essential lacks as they can not be changed. Therefore customized templates have the following advantages:
Every property in the template can be changed
Usage can be limited to the intended purpose
Allows single name or SAN certificates
They have additional properties
They have extended permissions

NOTE: You need an Enterprise Server Edition to customize templates.

To create a customized template,
open the MMC
add the Certificate Templates snap in
select an existing template, which fits your basic needs
right click - "Duplicate Template"
provide a new name and change the properties

I usually create:

A customized "Computer" certificate template
Permissions: Auto-Enroll for Domain-Computer (or dedicated computer group)
Request Handling: "Build from this Active Directory information":
"Subject Name Format" set to "Common name"
Include in alternative subject name:  “DNS name”
Superseded Templates: Computer

A customized "User" certificate template
Permissions: Auto-Enroll for Domain-User (or dedicated user group)
Extensions - Application Policy Setting: "Encrypted File System" is removed
Superseded Templates: User

For Encrypted File System (EFS) I use a dedicated template to keep control over the user, who can encrypt hard disc and files.

A customized "Web-Server" template
Permissions: Enroll for Web-Servers (or dedicated computer group)
Subject Name: "Suply in the request"  and "Use subject information ... for renewal requests"
Superseded Templates:  Webserver

This setting allows the request of SAN certificates, were all needed names can be suplied in the request itself. Once applied, they renew automatically.

All templates in the Certificate Templates MMC snap in are stored in Active Directory and can be seen from any server with the certificate management features installed. For editing and publishing, you need a Windows Enterprise server with installed Certificate Role Services installed:
open the MMC
add the Certificate Authority snap in
expand the folder and select "Certificate Templates"
right click - "New - Certificate Template to Issue"
select the template, you want to publish

Also you may remove all templates from the Certificate Authority snap in, which should not be issued.

Another change you should make is to change the revocation list settings for the CA itself.
The default setting is to make a LDAP request to find the revocation list. This works for internal clients, but it is not the worst idea to use HTTP instead, because this can be easily  published also to external clients and services.

Go to your Certificate Authority snap in, right click on the name of your CA and select properties and select "Extensions". There you find the extensions:
CRL Distribution point (CDP)
Authority Information Access (AIA)

The default settings are:

ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public Key Services,CN=Services,<ConfigurationContainer><CAObjectClass>

ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>

Each line has settings, i.e if the information should be put into the certificate.

If you want to use HTTP instead of LDAP:
Select the LDAP line, right click properties
disable "Include in CRLs.
disable "Include in the CDP extension
disable "Include in the IDP extension..." (if enabled)
Select the HTTP line, right click properties
enable "Include in CRLs.."
enable "Include in the CDP extension..."
enable "Include in the IDP extension..." (if it was enabled above)

If you want to use HTTP beside LDAP, where LDAP should be tried first:
Enable the settings as described above for LDAP

If you want to use HTTP beside LDAP, where HTTP should be tried first:
Remove the LDAP and HTTP lines
Readd HTTP line (as defined above)
Readd LDAP line (as defined above)
Enable the settings as described above for HTTP
Enable the settings as described above for LDAP

In the default settings for AIA and CDP, you see that each line starts with <ServerDNSName> what is a placeholder for the server name of the certificate authority server. If the certificate authority is later moved to a different server, all issued certificates still have the old server name as source for the revocation list in it. You can neutralize the name by using a CNAME DNS record, which points to your certification authority server and use this CNAME instead of the placeholder.

The line looks then like:
instead of

If the certification authority is later moved, you just need to change the CNAME DNS record to keep them valid.  
To verify that everything is ok, you can use a MMC and add the Enterprise PKI snap in.
There you can see all settings and if they are resolvable.

If your templates are now, how they should be, you can activate auto enrollment. Best way is to create a dedicated policy, because some of the settings can never be deleted again.
Also you should create separate policies for Win 7 / Win2008 and WinXP / Win2003 machines. Also it can make sense to create dedicated policies for computers and users.

To create a new policy
Open Group Policy MMC on a DC
Create a new policy
Goto Computer or Users (dependend what you want to create)
Goto policies – windows settings – security settings – public key policies

There you find a lot of settings, but we need only a few ones.

For Windows 7 and Windows 2008 Server and later (Users and Computers):
Select "Auto-Enrollment policy"
enable "enable auto enrollment"
enable "auto renewal"
enable "auto update"

The auto enrollment is driven by the permission settings in the templates. So no additional settings are needed.
Root certificates are distributed automatically

For Windows XP and Windows 2003 (Users and Computers):
Select "Auto-Enrollment policy"
enable "enable auto enrollment"
enable "auto renewal"
enable "auto update"

Additionally you need (only needed for Computers):
Select "Trusted Root Certificate Authorities"
Add your Root Certificate here, what you created during installing the CA

Additionally you need (for Computers):
Select "Automatic Certificate Request Settings"
Add "Computer" and "Enrollment Agent"

Comments (0)

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.