Solved

Designing for a simple Cert Management using Windows 2008

Posted on 2009-07-02
6
557 Views
Last Modified: 2013-11-29
Hi Guys,

We have a Single Domain, Single Forest environment..Hmm..well basically two domain for the top level domain is empty (domain.local) and all objects exists into the single child domain (my.domain.local). The current domain level is Windows 2003 R2 native.

I need to install OCS 2007 and RMS services for which I was planning to use Windows 2008 inbuilt certificate services and emulate an internal PKI.

What's involved? I have three maor site locations / offices and each office has a copy of  root and domain controllers. All site locations have their set of objects represented within an OU structure within the AD.

I have read a bit of setting up a PKI structure. A root CA and underlying CA's but I need to get a bit more clarity on that design within my current AD structure.

Would someone who has been there and done that. Throw some more light into this aspect and pass me over some helpful links, even if they be borne of 'google' search'. :)

Thanks!!
0
Comment
Question by:fahim
  • 4
  • 2
6 Comments
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24765388
Most of the 'google search' documents are what I try to combat.  they usually show you the quick n dirty way to get it running that you'll probably regret 2 years later for one reason or another.

A very basic walkthrough for all the various components:
http://technet.microsoft.com/en-us/library/cc772393(WS.10).aspx
http://download.microsoft.com/download/b/1/0/b106fc39-936c-4857-a6ea-3fb9d1f37063/Windows%20Server%202008%20Active%20Directory%20Certificate%20Services%20Step-By-Step%20Guide.doc

This is a decent walkthrough for a basic 2008 setup:
http://itbloggen.se/cs/blogs/kristoferohman/archive/2009/02/18/setting-up-a-tier-2-pki-structure.aspx

More info re: 2008 ADCS:
http://download.microsoft.com/download/4/7/f/47f81ee5-8593-4b39-871d-2f55eb731ad6/Certificate%20Services%20Enhancements%20in%20Longhorn%20Server.doc#_Ref132787111

Okay, so this is written against 2003, but the concepts still apply for best practices for securing, just doesn't include new stuff in 2008 which mainly means nothing about OCSP - if you are interested in that then we can discuss that too.
http://technet.microsoft.com/en-us/library/cc772670(WS.10).aspx
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24765707
I often recommend using virtual machines (VM) to keep hardware costs down.  CA stuff is not very resource intensive in general, and if your company is only 3 sites you should be fine with your standard server hardware config.  VMs make backups a snap since you can just copy the image to another drive and you're set for offsite disaster recovery.  You can use a non-routed VM network to easily transfer CRLs from the root to the online subordinate, then you can script copying the CRL to the CDP locations from there in a batch file run as a scheduled task.

When you set up your CDP & AIA locations, remember to have at least one location accessible internally and another publicly.  Even if you only issue to your employees, this will enable users working from home, laptop users, etc. to import your root cert and then you can use your own certs for internet accessible employee and partner resources, like VPN for example.  However, do not connect your CA so that it is accessible from the internet - it should be in a DMZ of some kind.  If you need a web accessible front end for some reason, 2008 provides a web server page feature that can do that while you still protect the actual CA in the DMZ.

Some useful commands:
certutil -crl     ; creates a new .crl in system32\certsrv\certenroll
certutil -crl delate    ; creates new delta crl - delta will look like filename+.crl
certutil -backupdb   ; backs up the CA database
certutil -backupkey   ; backs up the CA private key
0
 

Author Comment

by:fahim
ID: 24779683
Thanks for the replies. One minor queru remains. As I wrote earlier that our current domain level is Windows 2003 R2 native.

If this is going to be the first server on Windows 2008, what's required? Would this me a simple member server or do I have to do some extra steps for my AD preparation before I can use 2008 for my PKI implementation?
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 31

Expert Comment

by:Paranormastic
ID: 24818425
You can use it just fine in your 2003R2 AD as you would a 2003 CA.  Pushing to upgrade to 2008 for the CA is not as big of a deal as it was for 2003 from 2000.  You may have difficulty using the version 3 templates, however you can make a '2003 compatible' template for v2.  Both v2 and v3 templates make v3 certs, v1 templates make v1 certs (v2 was pretty much skipped over).

The biggest thing in v3 certs is support for the newer CNG algorithms like ECDSA, ECDH, and the SHA-2 suite.  However, unless you are running a purely vista/2008 and newer environment you will need to deploy a number of hotfixes for that stuff to even work and 2048 RSA is still just fine.

Here is a good base link for more information:
http://technet.microsoft.com/en-us/library/cc534992.aspx
0
 

Author Comment

by:fahim
ID: 24999043
Panoramastic,

I am facing conceptual issues and haven't been able to resolve them despite some reading, I'm sure you can help.

The needs of this Cert management infrastructure were two: namely: OCS 2007 which needs TLS certificates for both server to server and client to server communications AND Office 2007 information Rights management implmentation.

If I take one thing at a time and make things easier for me: I'll take Office communications server (OCS).

First I need to generate certificate for the OCS servers that maybe the easy part.

There is a client aspect, called as , Microsoft Office Communicator R2 client and is just like Instant Messenger. When I deploy this client on my workstation XP machines, I need to automatically initiate a certificate request to the PKI to create a public key cert for the associated OCS server's private key.

How would I automate this process?
0
 
LVL 31

Accepted Solution

by:
Paranormastic earned 500 total points
ID: 25283894
Sorry, been a little busy lately...  Hopefully you have already found what you were looking for

Use a certificate template and you can use the Autoenroll permission for the appropriate groups (in addition to read and enroll).  this will automate the process.  You may wish to have certificate manager approval on the template for the first issuance and not require that on renewals - or not, depending on the level of security you are looking for.

Here's an article that discusses more - hopefully that helps with that.
http://social.microsoft.com/Forums/en-US/communicationsservercertificates/thread/43e2d677-edac-4a20-a106-6f1831863616

Some stuff on RFS as related to certs, etc.:
http://technet.microsoft.com/en-us/library/cc747725(WS.10).aspx
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html) provided 218 attendees with a step-by-step guide for identifying Acti…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

785 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question