Browse All Articles > Customizing Windows PKI – Some Tipps and Tricks
Installing a PKI infrastructure is a good idea as more and more servers and applications need certificates. Most of these certificates need not to be issued by a public certificate authority as only used by internal clients or clients under control of the corporate IT.
The base architecture of setting up a corporate PKI is described here:
Quick-Steps-How-to-implement-your-own-Windows-PKI
While the setup of a certificate authority is just to add the corresponding server roles on the server, this article will show some small but essential custom settings, which should be made on the certificate authority server, which finally issues the certificates to the clients.
A.) CERTIFICATE TEMPLATES
Certificate templates can be used to easily create standard certificates for all kind of usage. Most common and most used certificates are user, computer and webserver certificates. Each client, which has permissions on a template can easily request a certificate based on such a template for his own use.
Although windows certification services have a lot of predefined templates, it makes sense to customize some of them to keep the things better under control. As far as a certificate is issued, it can be used for everything what is allowed by the template, and the default settings makes it difficult to decide, for what they are finally used and if it is easily possible to revoke them if needed.
Every template has a preset of common settings, the most important settings are:
While default templates cover most of the needs, they have some essential lacks as they can not be changed. Therefore customized templates have the following advantages:
NOTE: You need an Enterprise Server Edition to customize templates.
To create a customized template,
I usually create:
A customized "Computer" certificate template
A customized "User" certificate template
For Encrypted File System (EFS) I use a dedicated template to keep control over the user, who can encrypt hard disc and files.
A customized "Web-Server" template
This setting allows the request of SAN certificates, were all needed names can be suplied in the request itself. Once applied, they renew automatically.
B.) PUBLISHING TEMPLATES
All templates in the Certificate Templates MMC snap in are stored in Active Directory and can be seen from any server with the certificate management features installed. For editing and publishing, you need a Windows Enterprise server with installed Certificate Role Services installed:
Also you may remove all templates from the Certificate Authority snap in, which should not be issued.
C.) REVOCATION SETTINGS
Another change you should make is to change the revocation list settings for the CA itself.
The default setting is to make a LDAP request to find the revocation list. This works for internal clients, but it is not the worst idea to use HTTP instead, because this can be easily published also to external clients and services.
Go to your Certificate Authority snap in, right click on the name of your CA and select properties and select "Extensions". There you find the extensions:
The default settings are:
For AIA
C:\Windows\System32\certsrv\CertEnroll\<ServerDNSName>_<CaName><CertificateName>.crt
ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public Key Services,CN=Services,<ConfigurationContainer><CAObjectClass>
http://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt
file://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt
For CDP
C:\Windows\System32\certsrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>
http://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
file://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
Each line has settings, i.e if the information should be put into the certificate.
If you want to use HTTP instead of LDAP:
If you want to use HTTP beside LDAP, where LDAP should be tried first:
If you want to use HTTP beside LDAP, where HTTP should be tried first:
D.) NEUTRALIZE REVOCATION URL
In the default settings for AIA and CDP, you see that each line starts with <ServerDNSName> what is a placeholder for the server name of the certificate authority server. If the certificate authority is later moved to a different server, all issued certificates still have the old server name as source for the revocation list in it. You can neutralize the name by using a CNAME DNS record, which points to your certification authority server and use this CNAME instead of the placeholder.
The line looks then like:
http:///MyCertServer.domain.com/CertEnroll/...
instead of
http:///<ServerDNSName>/CertEnroll/...
If the certification authority is later moved, you just need to change the CNAME DNS record to keep them valid.
To verify that everything is ok, you can use a MMC and add the Enterprise PKI snap in.
There you can see all settings and if they are resolvable.
E.) AUTOENROLLMENT
If your templates are now, how they should be, you can activate auto enrollment. Best way is to create a dedicated policy, because some of the settings can never be deleted again.
Also you should create separate policies for Win 7 / Win2008 and WinXP / Win2003 machines. Also it can make sense to create dedicated policies for computers and users.
To create a new policy
There you find a lot of settings, but we need only a few ones.
For Windows 7 and Windows 2008 Server and later (Users and Computers):
The auto enrollment is driven by the permission settings in the templates. So no additional settings are needed.
Root certificates are distributed automatically
For Windows XP and Windows 2003 (Users and Computers):
Additionally you need (only needed for Computers):
Additionally you need (for Computers):
The base architecture of setting up a corporate PKI is described here:
Quick-Steps-How-to-implement-your-own-Windows-PKI
While the setup of a certificate authority is just to add the corresponding server roles on the server, this article will show some small but essential custom settings, which should be made on the certificate authority server, which finally issues the certificates to the clients.
A.) CERTIFICATE TEMPLATES
Certificate templates can be used to easily create standard certificates for all kind of usage. Most common and most used certificates are user, computer and webserver certificates. Each client, which has permissions on a template can easily request a certificate based on such a template for his own use.
Although windows certification services have a lot of predefined templates, it makes sense to customize some of them to keep the things better under control. As far as a certificate is issued, it can be used for everything what is allowed by the template, and the default settings makes it difficult to decide, for what they are finally used and if it is easily possible to revoke them if needed.
Every template has a preset of common settings, the most important settings are:
The subject name
Additional alternative subject names (for SAN certificates )
A lifetime
Information for what the certificate can be used
Encryption methods and keys
While default templates cover most of the needs, they have some essential lacks as they can not be changed. Therefore customized templates have the following advantages:
Every property in the template can be changed
Usage can be limited to the intended purpose
Allows single name or SAN certificates
They have additional properties
They have extended permissions
NOTE: You need an Enterprise Server Edition to customize templates.
To create a customized template,
open the MMC
add the Certificate Templates snap in
select an existing template, which fits your basic needs
right click - "Duplicate Template"
provide a new name and change the properties
I usually create:
A customized "Computer" certificate template
Permissions: Auto-Enroll for Domain-Computer (or dedicated computer group)
Request Handling: "Build from this Active Directory information":
"Subject Name Format" set to "Common name"
Include in alternative subject name: “DNS name”
"Subject Name Format" set to "Common name"
Include in alternative subject name: “DNS name”
Superseded Templates: Computer
A customized "User" certificate template
Permissions: Auto-Enroll for Domain-User (or dedicated user group)
Extensions - Application Policy Setting: "Encrypted File System" is removed
Superseded Templates: User
For Encrypted File System (EFS) I use a dedicated template to keep control over the user, who can encrypt hard disc and files.
A customized "Web-Server" template
Permissions: Enroll for Web-Servers (or dedicated computer group)
Subject Name: "Suply in the request" and "Use subject information ... for renewal requests"
Superseded Templates: Webserver
This setting allows the request of SAN certificates, were all needed names can be suplied in the request itself. Once applied, they renew automatically.
B.) PUBLISHING TEMPLATES
All templates in the Certificate Templates MMC snap in are stored in Active Directory and can be seen from any server with the certificate management features installed. For editing and publishing, you need a Windows Enterprise server with installed Certificate Role Services installed:
open the MMC
add the Certificate Authority snap in
expand the folder and select "Certificate Templates"
right click - "New - Certificate Template to Issue"
select the template, you want to publish
Also you may remove all templates from the Certificate Authority snap in, which should not be issued.
C.) REVOCATION SETTINGS
Another change you should make is to change the revocation list settings for the CA itself.
The default setting is to make a LDAP request to find the revocation list. This works for internal clients, but it is not the worst idea to use HTTP instead, because this can be easily published also to external clients and services.
Go to your Certificate Authority snap in, right click on the name of your CA and select properties and select "Extensions". There you find the extensions:
CRL Distribution point (CDP)
Authority Information Access (AIA)
The default settings are:
For AIA
C:\Windows\System32\certsrv\CertEnroll\<ServerDNSName>_<CaName><CertificateName>.crt
ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public Key Services,CN=Services,<ConfigurationContainer><CAObjectClass>
http://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt
file://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt
For CDP
C:\Windows\System32\certsrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>
http://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
file://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
Each line has settings, i.e if the information should be put into the certificate.
If you want to use HTTP instead of LDAP:
Select the LDAP line, right click properties
disable "Include in CRLs.
disable "Include in the CDP extension
disable "Include in the IDP extension..." (if enabled)
disable "Include in CRLs.
disable "Include in the CDP extension
disable "Include in the IDP extension..." (if enabled)
Select the HTTP line, right click properties
enable "Include in CRLs.."
enable "Include in the CDP extension..."
enable "Include in the IDP extension..." (if it was enabled above)
enable "Include in CRLs.."
enable "Include in the CDP extension..."
enable "Include in the IDP extension..." (if it was enabled above)
If you want to use HTTP beside LDAP, where LDAP should be tried first:
Enable the settings as described above for LDAP
If you want to use HTTP beside LDAP, where HTTP should be tried first:
Remove the LDAP and HTTP lines
Readd HTTP line (as defined above)
Readd LDAP line (as defined above)
Enable the settings as described above for HTTP
Enable the settings as described above for LDAP
D.) NEUTRALIZE REVOCATION URL
In the default settings for AIA and CDP, you see that each line starts with <ServerDNSName> what is a placeholder for the server name of the certificate authority server. If the certificate authority is later moved to a different server, all issued certificates still have the old server name as source for the revocation list in it. You can neutralize the name by using a CNAME DNS record, which points to your certification authority server and use this CNAME instead of the placeholder.
The line looks then like:
http:///MyCertServer.domain.com/CertEnroll/...
instead of
http:///<ServerDNSName>/CertEnroll/...
If the certification authority is later moved, you just need to change the CNAME DNS record to keep them valid.
To verify that everything is ok, you can use a MMC and add the Enterprise PKI snap in.
There you can see all settings and if they are resolvable.
E.) AUTOENROLLMENT
If your templates are now, how they should be, you can activate auto enrollment. Best way is to create a dedicated policy, because some of the settings can never be deleted again.
Also you should create separate policies for Win 7 / Win2008 and WinXP / Win2003 machines. Also it can make sense to create dedicated policies for computers and users.
To create a new policy
Open Group Policy MMC on a DC
Create a new policy
Goto Computer or Users (dependend what you want to create)
Goto policies – windows settings – security settings – public key policies
There you find a lot of settings, but we need only a few ones.
For Windows 7 and Windows 2008 Server and later (Users and Computers):
Select "Auto-Enrollment policy"
enable "enable auto enrollment"
enable "auto renewal"
enable "auto update"
The auto enrollment is driven by the permission settings in the templates. So no additional settings are needed.
Root certificates are distributed automatically
For Windows XP and Windows 2003 (Users and Computers):
Select "Auto-Enrollment policy"
enable "enable auto enrollment"
enable "auto renewal"
enable "auto update"
Additionally you need (only needed for Computers):
Select "Trusted Root Certificate Authorities"
Add your Root Certificate here, what you created during installing the CA
Additionally you need (for Computers):
Select "Automatic Certificate Request Settings"
Add "Computer" and "Enrollment Agent"
Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.
Comments (0)