Solved

Help with understanding Certificates in Active Directory Certificate Services

Posted on 2013-12-01
1
301 Views
Last Modified: 2013-12-02
http://blogs.technet.com/b/meamcs/archive/2010/12/01/auto-enrollment-avoid-the-challenges-of-making-end-users-manage-their-certificates.aspx

The articles aboves says

"When a GPO with auto-enrollment configured is applied to a client, the client downloads all published certificate templates in the forest and stores them in the local registry in the following key HKEY_CURRENT_USER/Software/Microsoft/Cryptography/Certificate TemplateCache, each Template having its own registry key
The client checks the template for Read and Autoenroll permission, if these permissions are granted the client, it generates a key pair locally
If input is required from the user a balloon appears in the system tray asking the user for input
The Client creates a Certificate request and sends this request along with its public key to the Issuing CA. The request is based on the certificate template on which the user is granted Read and Autoenroll
the Issuing CA creates a certificate that has the Clients public key, stores it and issues it to the client
If the Publish Certificate in Active Directoryoptions is chosen, the certificate is also published in Active Directory and made available for other clients in the domain
The user now has a certificate associated with its private key and can now use it."

I need the following clarification:
"the Issuing CA creates a certificate that has the Clients public key, stores it and issues it to the client"

My understanding is:
The Issuing CA creates a new Private/Public Key pair, stores it, and then issues the entire new Private/Public Key pair to the Client (using the Client's other Public Key pair received earlier to encrypt and prevent repudiation).

The Client now has a new Private/Public key pair.
All AD Domain Members automatically Trust the Root CA, and therefore that new Private/Public key pair becomes useable/valid on the Domain.
The Client can now give out the Public Key to whatever host or service application wants it to encrypt information, as well as to identify the Client.

Multiple copies of both the Private Key and its associated Public are stored on various computers.

A copy of the Private is stored on the Issuing CA server, the Client, as well as AD if the "Publish to AD" option is chosen.

Is this correct?
0
Comment
Question by:JCTDD
1 Comment
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 500 total points
ID: 39689684
The above is correct. I would also ensure that "Enroll" is enabled as well. There are some MS documentation which state Read and AutoEnroll are only needed but I have come across others as well which state Read, AutoEnroll and Enroll, which works for me.

I would also recommend that you create a "Key archival and recovery Agent" which is needed to recover and restore damaged or missing Private Keys.

Key archival and recovery - http://technet.microsoft.com/en-us/library/cc781351(WS.10).aspx

Will.
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Compromised PC? 17 168
Change AD password via MS Access DB 2 17
Flashplayer.hta Download 1 28
Is my window10 Safe? after a malware removed by AV? 5 20
If you need to start windows update installation remotely or as a scheduled task you will find this very helpful.
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

937 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

7 Experts available now in Live!

Get 1:1 Help Now