Microsoft Press: Transitioning Your MCSA/MCSE to Windows Server 2008 (2009), part 5 (PDF)

Bạn đang xem bản rút gọn của tài liệu. Xem và tải ngay bản đầy đủ của tài liệu tại đây (1.99 MB, 97 trang )

360 CHAPTER 7 Active Directory Certificate Services
FIGURE 7-9 Backing up the CA.
You can restore a private key and CA certificate by using the CA console or the certutil command. To restore using the CA console, right-click the CA, select All Tasks, and then select Restore CA. This starts the Certification Authority Restore Wizard. You can choose to restore the private key and CA certificate and the certificate database and database log. During the restoration process, you are asked for the password that was supplied when the original backup of the private key and CA certificate was taken. AD CS is stopped while you are performing the restoration process and restarts automatically after the restoration is successful. If the restoration process is unsuccessful, you must restart AD CS manually. To restore AD CS from the command line, issue the certutil -restore BackupDirectory command.
If you are restoring Certificate Services from scratch on a new computer with the same name as the original CA, first import the CA certificate and private key to the local machine store and verify that CAPolicy.inf is imported to the %Windir% folder. Add the AD CS role, selecting Use Existing Private Key and the original CA’s certificate.
MORE INFO MORE ON CA BACKUP AND RECOVERY
For more on archiving encryption keys, consult Chapter 14, “Planning and Implementing Disaster Recovery,” in Windows Server 2008 PKI and Security, by Brian Komar (Microsoft Press, 2008).
Lesson 1: Managing and Maintaining Certificate Servers CHAPTER 7 361
EXAM TIP
Remember which steps you must perform before you take a standalone root CA offline.
PRACTICE Installing a CA and Assigning Administrative Roles
In this practice, you install an enterprise root CA in the contoso.internal domain and then configure a key recovery agent.
EXERCISE 1 Install an Enterprise Root CA
In this exercise, you install Active Directory Certificate Services on server Glasgow. Glasgow then functions as an enterprise root CA.
1. Log on to server Glasgow, using the Kim_Akers user account.
2. Open the Server Manager console. Right-click the Roles node, and then select Add Roles. This launches the Add Roles Wizard.
3. On the Before You Begin page, click Next.
4. On the Select Server Roles page, select the Active Directory Certificate Services check box, and then click Next. Review the information on the Introduction To Active Directory Certificate Services page, and then click Next.
5. On the Role Services page, select the Certification Authority and Certification Authority Web Enrollment check boxes.
6. When you select the Certification Authority Web Enrollment items, you are prompted by the Add Role Services dialog box. Click Add Required Role Services, and then click Next.
7. On the Specify Setup Type page, verify that Enterprise is selected, and then click Next.
8. On the Specify CA Type page, select Root CA, and then click Next.
9. On the Set Up Private Key page, select Create A New Private Key, and then click Next.
10. On the Configure Cryptography For CA page, change the character length to 4096 and select the Use Strong Private Key Protection Features Provided By The CSP check box, as shown in Figure 7-10, and click Next.
FIGURE 7-10 Configuring cryptography settings.
11. On the Configure CA Name page, verify that the common name is set to Contoso-GLASGOW-CA and the distinguished name suffix is set to DC=Contoso,DC=internal, and then click Next.
12. Verify that the validity period is set to 5 years, and then click Next.
13. Verify the certificate database location, and then click Next.
14. Review the information on the Confirm Installation Selections page, and then click Next twice. Click Install to install Active Directory Certificate Services and support role services from the Web Server (IIS) role. Click Close to dismiss the Add Roles Wizard when the installation completes.
EXERCISE 2 Configure Enterprise Root CA Settings
In this exercise, you configure key archival settings and assign administrative roles.
1. Log on to Glasgow, using the Kim_Akers user account.
2. Open the Certification Authority console from the Administrative Tools menu. Click Continue to dismiss the User Account Control dialog box.
3. Expand the Contoso-Glasgow-CA node, and then right-click the Certificate Templates node. Select New, and then select Certificate Template To Issue.
4. From the list of available certificate templates, select Key Recovery Agent, as shown in Figure 7-11, and then click OK.
FIGURE 7-11 Enabling the KRA template.
5. From the Start menu, click Run, type mmc, and then click OK. Dismiss the UAC dialog box and add the Certificates snap-in for your user account.
6. Expand the Certificates – Current User node.
7. Right-click the Personal store, select All Tasks, and then select Request New Certificate. In the Certificate Enrollment Wizard, select the Key Recovery Agent check box and click Enroll. Click Finish when the certificate installation completes.
8. Return to the Certificate Authority console and select the Pending Requests node. In the details pane, right-click the pending certificate request, select All Tasks, and then select Issue.
9. In the Certification Authority console, right-click Contoso-GLASGOW-CA, and then select Properties.
10. On the Recovery Agents tab, select Archive The Key, and then click Add. Select the certificate issued to Kim Akers, and then click OK. Click Apply. In the dialog box asking whether you want to restart Active Directory Certificate Services, click Yes.
11. Open Active Directory Users And Computers. Create a new global security group called KRA_CertManagers in the Users container. Close Active Directory Users And Computers.
12. In the Certificate Authority console, right-click Contoso-GLASGOW-CA, and then select Properties.
13. On the Security tab, click Add. Add the KRA_CertManagers group, as shown in Figure 7-12, and assign the group the Allow Issue And Manage Certificates permission. Click Apply.
FIGURE 7-12 Assigning the Cert Manager role.
14. On the Certificate Managers tab, select Restrict Certificate Managers. Verify that the CONTOSO\KRA_CertManagers group is listed and, in the Certificate Templates area, click Add.
15. In the Enable Certificate Templates dialog box, select the Key Recovery Agent template, and then click OK.
16. In the Certificate Templates list, select <All>, and then click Remove. Verify that the CA Properties dialog box matches Figure 7-13, and then click OK.
FIGURE 7-13 Certificate Managers configuration.
Lesson Summary
- Enterprise CAs are tightly integrated into AD DS. They can use custom certificate templates, and you can configure them to auto-enroll certificates. Standalone CAs cannot use custom certificate templates, and certificate request data must be entered manually rather than automatically extracted from AD DS.
- You can take a standalone root CA offline and physically secure it. You cannot take an enterprise root CA offline. An enterprise CA can be a subordinate of a standalone root CA.
- You must configure key archiving on the CA and from within a certificate template. You can configure a key recovery agent (KRA) by issuing a user a key recovery agent certificate.
- You can back up certificate services by using a normal system state backup, by using the Certification Authority Console, or by using the certutil.exe command-line utility.
- The Certificate Manager role allows users granted the role the ability to issue and manage certificates. The CA Administrator role allows users to start and stop Certificate Services, configure extensions, assign roles, and define key recovery agents.
Lesson Review
You can use the following questions to test your knowledge of the information in Lesson 1, “Managing and Maintaining Certificate Servers.” The questions are also available on the companion DVD if you prefer to review them in electronic form.
NOTE ANSWERS
Answers to these questions and explanations of why each answer choice is right or wrong are located in the “Answers” section at the end of the book.
1. You are planning the deployment of Active Directory Certificate Services in your Windows Server 2008 functional level forest. You want to be able to take the root CA offline but also integrate Certificate Services fully with AD DS. Which of the following deployments should you recommend for the first CA in your organization?
A. Enterprise root CA
B. Enterprise subordinate CA
C. Standalone root CA
D. Standalone subordinate CA
2. On which of the following versions of Windows Server 2008 can you install an enterprise subordinate CA?
A. Windows Web Server 2008
B. Windows Server 2008 Standard
C. Windows Server 2008 Enterprise
D. Windows Server 2008 Datacenter
3. You want to implement key archiving in your organization. Two users will have the responsibility for restoring private keys from the certificate server’s database. Which step must you take to ensure that these users will be able to restore archived keys?
A. Ensure that you issue the users a certificate with the Key Recovery Agent OID.
B. Ensure that you issue the users a certificate with the Enrollment Agent OID.
C. Ensure that you issue the users a certificate with the Subordinate Certification Authority OID.
D. Ensure that you issue the users a certificate with the EFS Recovery Agent OID.
E. Ensure that you issue the users a certificate with the OCSP Response Signing OID.
4. Your CA hierarchy will involve an offline standalone root CA with three enterprise subordinate CAs. You have just installed AD CS on the standalone root CA. Which of the following steps must you take prior to issuing signing certificates to the enterprise subordinate CAs? (Choose four. Each correct answer presents part of a complete solution.)
A. Change the CRL distribution point URL.
B. Change the AIA distribution point URL.
C. Add the standalone root CA certificate to the enterprise root store in AD DS.
D. Set the standalone root CA to offline mode.
E. Configure the AIA points in AD DS, using certutil.exe.
5. You want to ensure that the SSLCertManagers group is the only group able to issue certificates based on the Web Server template from a specific issuing CA. When you navigate to the Certificate Managers tab on the CA in question, the SSLCertManagers group is not present in the Certificate Managers list. Which step should you take to resolve this problem?
A. Assign the SSLCertManagers group the Request Certificates permission on the Security tab of CA properties.
B. Assign the SSLCertManagers group the Manage CA permission on the Security tab of CA properties.
C. Assign the SSLCertManagers group the Issue and Manage Certificates permission on the Security tab of CA properties.
D. Edit the Web Server certificate template properties. Assign the SSLCertManagers group the Read permission to this template.
E. Edit the Web Server certificate template properties. Assign the SSLCertManagers group the Write permission to this template.
Lesson 2: Managing and Maintaining Certificates and Templates
This lesson discusses managing certificate revocations, including publishing certificate revocation lists and configuring online responders, and the different methods of enrollment, such as Web and automatic enrollment. The lesson also covers certificate templates, which enable you to create advanced digital certificates that might be a better fit for your organization than the default certificate templates that ship with Windows Server 2008.
After this lesson, you will be able to:
- Manage certificate revocations and configure online responders.
- Manage certificate templates.
- Manage and automate certificate enrollments.
Estimated lesson time: 40 minutes
Managing and Maintaining Certificate Revocation Lists
Certificate revocation lists are just what they sound like: lists of revoked certificates. You trust a certificate issued by a CA because you trust the policies under which the CA issues certificates. If you did not trust the CA, you would not trust any certificates issued by that CA. A certificate revocation list shows you which certificates issued by the CA are no longer trustworthy. There are many reasons a certificate might be placed on a CRL list, such as a signing certificate issued to a subordinate CA being revoked because the subordinate CA has been compromised, but the primary statement made by a certificate being placed on a CRL list is “This certificate is no longer trustworthy.”
Each time a new certificate is encountered, or an existing certificate is used, a check is made to see whether that certificate is listed on the issuing CA’s CRL list. If the CA is part of a hierarchy, another check occurs to see whether the upstream CA that issued the signing certificate still trusts the CA that issued the certificate against which the check is occurring. This is because you should not trust a certificate issued by an untrustworthy CA! The location of the CRL is included with the certificate so that the software performing the CRL check knows where to access this information. The name for the location of the CRL is the CRL distribution point. It is possible for you to designate multiple CRL distribution points for a single CA.
CRL Distribution Points
You can confi gure the CRL distribution point for a specifi c certifi cate server by modifying
the properties listed on the Extensions tab of the issuing CA’s properties. To edit CRL distri-
bution point information, you must assign the user the CA Administrator role as described
in Lesson 1. As shown in Figure 7-14, you can specify CRL distribution points as HTTP, FTP, or
Lightweight Directory Access Protocol (LDAP) addresses or by file and folder location. Note that any changes to a certificate server’s CRL distribution points do not apply retroactively. This information is included in the certificate at the time of issue. If you change the CRL distribution point, clients checking previously issued certificates will be unable to locate the new distribution point. If it becomes necessary to change a distribution point, develop a transition strategy that either keeps the old distribution point available over the lifetime of already issued certificates or renews all existing certificates with the updated CRL distribution point information.
FIGURE 7-14 Editing the CRL distribution point.
CRLs are a single file that, over time, can become very large. This size is important because each time a client performs a check, it has to download the full CRL if it does not already have a copy in its cache. If you frequently update your CRL, clients must always download the entire CRL because it will not already be present in their cache. As a way of dealing with this problem, it is possible for you to publish a smaller CRL, known as a delta CRL. The delta CRL includes information only about certificates revoked since the publication of the CRL. The client downloads the delta CRL and appends it to the CRL in its cache. Because delta CRLs are smaller, you can publish them more often with less of an impact on the certificate server than would occur if you published the full CRL by using a similar schedule.
To configure the CRL and delta CRL publication interval, open the Certificate Authority console, right-click the Revoked Certificates node, and then select Properties. This displays the Revoked Certificate Properties dialog box shown in Figure 7-15. The default CRL publication interval is one week, and the default delta CRL publication interval is one day. Use the certutil -CRL command to force the publication of a new CRL or delta CRL.
FIGURE 7-15 Revoking a certificate.
Overlap periods describe the amount of time after the end of a published CRL’s lifetime that the CRL is still considered valid. Consider increasing the overlap period if you are using multiple CRL distribution points (CDPs) and replication of CRL data does not occur immediately, such as if you use a distributed file system (DFS) share as a CDP and it takes a significant amount of time for replication to complete. You can configure overlap periods for both CRLs and delta CRLs by using the certutil -setreg ca\CRLOverlapUnits command.
MORE INFO CONFIGURING CERTIFICATE REVOCATION
For more information on configuring certificate revocation, see the following TechNet article: />-8606-c0a4fdca9a251033.mspx?mfr=true.
Authority Information Access
The authority information access (AIA) extension contains the URLs at which the issuing CA’s certificate is published. The client uses these URLs when building a certificate chain to retrieve the CA certificate if it does not already have a copy of that certificate in its cache. Modify the AIA extension to an alternate location if you want to take the CA offline. You must also export the CA certificate and place it in this alternate location to support certificate chain requests. The AIA also contains the URL of any online responders that you have configured to support revocation checks. You learn more about online responders later in this lesson.
Revoking a Certificate
A user must hold the Certificate Manager role to be able to revoke certificates. Just as you should not issue certificates in an arbitrary manner, you should not revoke certificates in an arbitrary manner. If possible, your organization should develop a certificate revocation policy
that clearly details the reasons and situations for which issued certificates are revoked. These policies are a necessity for organizations that might be legally liable for the consequences of certificate revocation. For example, if a CA issues an SSL certificate to an e-commerce site, revoking that certificate will have an impact on the function of that business. If the revocation cannot be justified, your organization can be legally liable for loss of income. To revoke a certificate, right-click it in the list of issued certificates in the Certification Authority console and, from All Tasks, select Revoke Certificate. As Figure 7-16 shows, a dialog box asks you to provide a reason when you revoke a certificate. You can provide the following reasons:
- Key Compromise: Select this reason if you suspect that the private key associated with the certificate has been compromised. Use this reason to revoke all keys related to a laptop that had been lost or stolen, for instance.
- CA Compromise: Select this reason if you suspect that a subordinate CA has been compromised and want to revoke that CA’s signing certificate. This invalidates all certificates issued by that CA, including the certificates of any CA below it in the hierarchy.
- Change of Affiliation: Select this reason when the person to whom you issued the certificate leaves or changes his or her role within your organization.
- Superseded: Select this reason when an updated certificate has been issued, perhaps with improvements to the certificate template, and you want to invalidate any previously issued certificates used for the same purpose.
- Cease of Operation: Select this reason when revoking a computer certificate assigned to a computer that is being decommissioned. For example, your organization is decommissioning an e-commerce Web site because of a brand-name change, and you want to revoke the SSL certificate assigned to that site.
- Certificate Hold: Select this reason to place certificates on hold status. This means that the certificate is not validated, but it also has not been fully revoked. It is possible to undo this status by assigning the RemoveFromCRL status, which can be assigned only to certificates placed on hold.
- Unspecified: This reason is assigned when a specific revocation code is not applicable. The drawback of this category is that it does not allow auditors to determine why a particular certificate has been revoked if that decision is queried later.
FIGURE 7-16 Certificate Revocation Wizard.
Remember that a revocation does not take effect until you publish the CRL or delta CRL. This does not mean that you should automatically force the publication of a new CRL every time you revoke a certificate, but you should make the people responsible for revoking certificates aware that there is a delay before the revocation will propagate out to the CRL.
Managing and Maintaining Online Responders
When a CRL check occurs, and the CRL does not exist in the client’s cache, the entire CRL must be downloaded as well as the most recent delta CRL. The longer a CA has been active, the larger the CRL will be. During peak activity, for example, when a large number of users are logging on using smart cards, significant delays can occur due to bandwidth limitations. By implementing the Online Certificate Status Protocol (OCSP), you can deal with this problem.
A traditional revocation check involves accessing the entire CRL. An online responder check responds directly to requests about the status of specific certificates. Rather than transmitting all the data in the CRL across the network, only data about a specific certificate is transmitted. A single CA’s revocation data can be distributed across multiple online responders in a responder array. Similarly, a single online responder or array can provide revocation status data for certificates issued by multiple CAs. Implementing Online Responders significantly reduces delays that occur due to CRL checks.
You can install the Online Responder role service only on computers running Windows Server 2008. Microsoft recommends that you not deploy the Online Responder role service on the computer that hosts the CA, although it is possible to do so; this is the likely configuration in small AD CS deployments. Deploy the Online Responder role service after you have deployed your initial CA infrastructure but prior to issuing any certificates. This ensures that an online responder, rather than traditional CDPs, handles all revocation checks.
To deploy an online responder, ensure that you have configured and enabled an OCSP response signing certificate template on the CA online responder servers. You must also use auto-enrollment to issue OCSP response signing certificates to all computers that host the Online Responder role service. An online responder that services multiple CAs needs OCSP response signing certificates for each CA it services. You must also modify the CA’s AIA extension by adding the URL for the online responder.
You use the Online Responder management console, shown in Figure 7-17, to manage the Online Responder role service. You can use this console to create revocation configurations for every CA and CA certificate serviced by the responder. A revocation configuration includes all information necessary to reply to requests from clients about certificates issued from a specific CA. It is necessary to ensure that an online responder has a key and signing certificate for each CA it supports.
FIGURE 7-17 Online Responder management console.
MORE INFO MORE ON CERTIFICATE REVOCATION AND ONLINE RESPONDERS
For a more detailed look at revoking certificates and the Online Responder role service, consult Chapter 10, “Certificate Revocation,” in Windows Server 2008 PKI and Security, by Brian Komar (Microsoft Press, 2008).
Quick Check
1. What is the difference between a CRL and a delta CRL?
2. Which types of addresses can you use to specify CDPs?
Quick Check Answers
1. A CRL contains a list of all revoked certificates. A delta CRL contains a list of certificates revoked since the publication of the last full CRL.
2. CDPs can be specified using HTTP, FTP, and LDAP addresses or by file and folder location.
Managing Certificate Templates
Certificate templates define the format and content of certificates issued by enterprise certificate authorities. A template determines which user or computer accounts can enroll for a certificate, and it defines the enrollment process (automatic, manual, or enrollment with authorized certificates). A discretionary access control list (DACL) is associated with each certificate template, which governs which users and groups have permission to access and
configure the template. Certificate templates are stored within AD DS. A modification to a template will replicate through the directory to all enterprise CAs in the forest. Only the Enterprise and Datacenter editions of Microsoft Windows Server 2003 and Windows Server 2008 support customizable certificate templates.
Although Windows Server 2008 ships with a number of certificate templates that you can deploy to meet a general set of needs, the settings on the default set of certificates might not precisely suit your needs for digital certificates in your own environment. By creating your own certificate templates, you can address your organization’s needs more directly.
There are three versions of the certificate template, two of which you can create for use with Windows Server 2008 Enterprise. Version 1 templates are compatible with Windows 2000 Server, Windows Server 2003, and Windows Server 2008 CAs. You cannot modify or remove a version 1 template. When you create a duplicate of a version 1 template, the duplicate becomes a version 2 or 3 template to which you can make modifications. You can customize version 2 templates, and they are compatible with Windows Server 2003 and Windows Server 2008 Enterprise and Datacenter CAs. Version 3 certificate templates support Windows Server 2008 features such as Cryptography Next Generation (CNG) and Suite B cryptographic algorithms such as elliptic curve cryptography. You can use only version 3 certificate templates with enterprise CAs installed on Windows Server 2008.
You create a new template by creating a duplicate of an existing template that best matches the function of what you want to achieve with the new digital certificate type. For example, if you want to create a more advanced type of EFS certificate, you duplicate the EFS certificate template. When you duplicate the template, you are asked whether you want to set the minimum supported CA as Windows Server 2003 Enterprise or Windows Server 2008 Enterprise, as shown in Figure 7-18.
FIGURE 7-18 Selecting template compatibility.
After you have selected the minimum supported CA, enter a name for the template. After you have set this name, you will be unable to change it. The General tab of a certificate template’s properties enables you to specify the certificate’s validity period, renewal period, whether to publish certificates in AD DS, whether automatic reenrollment should occur if a valid certificate exists in AD DS, and whether to use the existing key for smart card certificate renewal if a new key cannot be created. Figure 7-19 shows these settings.
FIGURE 7-19 General tab of a certificate template’s properties.
On the Request Handling tab, shown in Figure 7-20, you can define the purpose of the certificate. The available purposes are Signature and Encryption, Encryption, Signature, and Signature and Smart Card Logon. If you want to use Key Recovery in your environment for this certificate type, enable the Archive Subject’s Encryption Private Key option. This enables designated key recovery agents to recover the private key if necessary. You learned about key recovery agents in Lesson 1. You can also use the options on this tab to determine the level of user input when the private key is used and whether the private key can be exported.
FIGURE 7-20 Certificate template request handling.
On the Cryptography tab, you can specify the algorithm and key size. You can also specify whether any cryptographic provider on the subject’s computer, or a specific provider, is used
for the certificate request. On the Subject Name tab, you can specify whether the CA extracts the certificate’s subject name from Active Directory information or whether the subject supplies this information in the certificate request. On the Issuance Requirements tab, you can specify whether a user who holds the Certificate Manager role must approve the certificate. You can also configure whether more than one digital signature is required before enrollment can occur. If more than one signature is required, auto-enrollment is not possible for this template. Use this setting when multiple people must authorize the issuing of a certificate.
On the Superseded Templates tab, you can specify existing templates that the new template replaces. You must ensure that any templates specified perform the same function as the new template. The Extensions tab, shown in Figure 7-21, enables you to configure the application policies, certificate template information, issuance policies, and key usage. Application policies define the purposes for which the certificate can be used, certificate template information provides data on the OID of the certificate, issuance policies describe the rules implemented when issuing the certificate, and key usage is a restriction method that determines what a certificate can be used for.
FIGURE 7-21 Certificate template extensions.
The Security tab, shown in Figure 7-22, enables you to specify the accounts and groups that can enroll and auto-enroll certificates issued from the template. You can also use this dialog box to block specific accounts and groups from enrolling or auto-enrolling. Finally, you can use this dialog box to specify which accounts and groups are able to make modifications or view the certificate template itself.
To configure a CA to issue a custom template or a template that it does not already issue
that is stored within AD DS, open the Certificate Authority console, right-click the Certificate
Templates node, select New, and then select Certificate Template To Issue. From the Enable
Certificate Templates dialog box, shown in Figure 7-23, select the templates you want the
CA to issue, and then click OK. You can also use the Templates node of the Certificate
Authority console to remove templates from a CA, stopping that CA from issuing certificates
of that type.
FIGURE 7-22 Certificate template security.
FIGURE 7-23 Select templates to issue.
MORE INFO MORE ON CERTIFICATE TEMPLATES
For more information on implementing and administering certificate templates, see
the following TechNet link: /library/9354c9b0-f4da-440c-8b2c-fb84c534e0351033.mspx?mfr=true.
Managing Enrollment
Enrollment is the process through which users or computers acquire certificates. Traditionally,
there have been two certificate enrollment methods: the Certificates console and Web enroll-
ment. Through the Certificates console, you can run the Certificate Enrollment Wizard. The
wizard provides a list of all certificates for which the security principal is eligible, as shown in
Figure 7-24. You can run the Certificates console for your user account, a service account, or a
computer account with the list of available certificates reflecting the context in which you run
the wizard. You learn about Web enrollment later in this lesson.
FIGURE 7-24 Certificate Enrollment Wizard.
Auto-enrollment
Although you can implement enrollment by using the Certificates console, the enrollment
process is cumbersome to nontechnical users. Auto-enrollment enables you to deploy
certificates automatically to users, computers, and service accounts in your organization.
It minimizes the necessity for user interaction, greatly simplifying the process of certificate
deployment.
You must configure a certificate template to support auto-enrollment. Only level 2 and
level 3 certificate templates support auto-enrollment. Configure a template to support auto-
enrollment by modifying the permissions on the certificate template’s Security tab, giving
the desired user or group accounts the Autoenroll permission. Figure 7-25 shows that the
Accountants group has the Autoenroll permission to the Advanced User certificate template.
After configuring a certificate template’s permissions to support autoenrollment, you
must configure the Default Domain policy for all domains in your forest to support auto-
enrollment. Do this by configuring the Certificate Services Client – Autoenrollment policy, as
shown in Figure 7-26. This policy setting is available in both the Computer Configuration and
User Configuration sections of a GPO and whether you enable the policy in either section
depends on the types of certificates you are attempting to deploy automatically. You can also
use the auto-enrollment policy to configure automatic renewal of expired certificates, updat-
ing certificates that use superseded templates. It is also possible, when configuring the policy
for User certificates, to display expiration notifications.
FIGURE 7-25 Configuring auto-enrollment in the template.
FIGURE 7-26 Auto-enrollment Group Policy.
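The following PowerShell snippet is an added example and is not part of the book. It checks what the Certificate Services Client – Autoenrollment policy actually wrote to the computer and user policy registry keys, triggers an auto-enrollment pass, and lists which templates the issued certificates in the computer's Personal store came from. It assumes the standard policy registry location used by the auto-enrollment client and that 0x8000 in AEPolicy marks the policy as Disabled (values 1 through 7 enable it with the renewal and update check boxes); the certificate listing uses the Certificate Template Information extension OID 1.3.6.1.4.1.311.21.7 that version 2 and 3 templates stamp into issued certificates.

```powershell
# Added example (not from the book): verify auto-enrollment policy, trigger it, and
# see which templates the resulting certificates came from.
$paths = @{
    Computer = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    User     = 'HKCU:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
}
foreach ($scope in $paths.Keys) {
    $p = Get-ItemProperty -Path $paths[$scope] -Name AEPolicy -ErrorAction SilentlyContinue
    $state = if (-not $p)                    { 'Not configured (policy not applied yet)' }
             elseif ($p.AEPolicy -band 0x8000) { 'Disabled' }
             else { 'Enabled (AEPolicy=0x{0:X}; 7 = renew/update options on)' -f $p.AEPolicy }
    '{0,-8} auto-enrollment: {1}' -f $scope, $state
}

# Ask the auto-enrollment client to run now instead of waiting for the next
# Group Policy refresh or logon (computer context needs an elevated shell).
certutil -pulse

# Certificates in the computer store that carry the template information extension;
# Format() renders it as "Template=<name>(<OID>), Major Version Number=..., ...".
$tmplOid = '1.3.6.1.4.1.311.21.7'
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq $tmplOid }
    if ($ext) {
        [pscustomobject]@{
            Subject  = $_.Subject
            Expires  = $_.NotAfter
            Template = $ext.Format($false)
        }
    }
} | Format-Table -AutoSize
```

If the first loop reports "Not configured" on a machine that should have the policy, run gpupdate and gpresult before looking at the template; the Autoenroll permission on the template does nothing until the policy is in place, which is why the text has you set both.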
MORE INFO MORE ON CONFIGURING AUTO-ENROLLMENT
For more information on configuring autoenrollment, see the following TechNet docu-
ment:
Web Enrollment
You can configure Web enrollment to enable users of Microsoft Internet Explorer 6.x or later
to use a Web application to submit certificate requests. Web enrollment enables users to
request certificates and review the status of existing requests, gain access to the CRL and
delta CRL, and perform smart card enrollment. Web enrollment enables you to provide a
certificate enrollment mechanism for users and computers that are not part of an Active
Directory environment. Web enrollment also provides certificate enrollment functionality
to users of non-Microsoft operating systems. Users of alternative browsers must first create
a PKCS #10 certificate request and then submit that request through the Web enrollment
application. After a request has been processed, a user can reconnect to the Web enrollment
application and download and install the issued certificates.
You can configure a server to support Web enrollment by installing the Certification
Authority Web Enrollment role service. You can install this role service on the same com-
puter as the CA or on a separate host. When you collocate Web enrollment with the CA, the
wizard automatically configures the role service to support the local CA. When installed on
a separate host, you must provide additional details to pair the Web application with a CA.
Although you can install Web enrollment on enterprise CAs, you cannot use it with version 3
certificate templates. Also, you cannot request computer certificates through Web enrollment
against a Windows Server 2008 CA.
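The PKCS #10 path described above, shown as an added example rather than anything from the book: a request is generated ahead of time, inspected, submitted through the Web enrollment page as a pasted base-64 request, and the issued certificate is then bound to the waiting private key. The example uses certreq on a Windows host so that the whole flow stays in one toolset; a client on another operating system would build the same PKCS #10 with its own tools. The host name, file names and the use of the built-in Web Server template are placeholders for this example.

```powershell
# Added example (not from the book): create a PKCS #10 request offline, review it,
# and install the certificate once the Web enrollment request has been issued.
# The request parameters are a .inf file in the format certreq expects.
$inf = @"
[NewRequest]
Subject = "CN=app01.contoso.internal"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = WebServer
"@
Set-Content -Path .\app01.inf -Value $inf -Encoding ASCII

# Generates the key pair in the machine store and writes the base-64 PKCS #10.
certreq -new .\app01.inf .\app01.req

# Review subject, key size and the template attribute before anything is submitted;
# a request that asks for the wrong template is cheaper to catch here than at the CA.
certutil -dump .\app01.req

# Paste the contents of app01.req into the Web enrollment "advanced" request form,
# then download the issued certificate as app01.cer after the CA has processed it.
# -accept matches the certificate to the pending private key and installs it.
certreq -accept .\app01.cer
```

KeyUsage 0xA0 requests digital signature and key encipherment, which is what a TLS server certificate needs; Exportable = FALSE keeps the private key from being copied out of the machine store later.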
MORE INFO MORE ON CONFIGURING WEB ENROLLMENT
To learn more about configuring Web enrollment support for Windows Server 2008 CAs,
see the following TechNet link:
Enrollment Agents
Restricted enrollment agents are users who are able to enroll for a certificate on behalf of
another client. Restricted enrollment agents often enroll smart card certificates for other
users. For example, staff in the HR department might be designated enrollment agents
because they need to issue smart cards as part of the process of preparing all the resources
a new employee needs to start work. Enrollment agents can perform only enrollment
tasks; they cannot approve pending requests or revoke existing certificates. This means an
enrollment agent can be a normal user account, and you do not have to assign one of the
Certificate Services roles.
To prepare a user to function as a restricted enrollment agent, issue that user an enroll-
ment agent certificate. Two types of enrollment agent template are available on Windows
Server 2008 CAs, one for computer certificates and one for user certificates. Configure
enrollment agents for specific certificate templates on the Enrollment Agents tab of the CA
properties. Figure 7-27 shows that the Sam Abolrous user account is an enrollment agent for
the Smartcard User certificate template.
FIGURE 7-27 Configuring enrollment agents.
MORE INFO MORE ON ENROLLMENT AGENTS
To learn more about enrollment agents, see the following link on TechNet:
http://technet2.microsoft.com/windowsserver2008/en/library/56d66319-2e49-447b-92a3-1ca2a674fb8d1033.mspx?mfr=true.
MORE INFO MORE ON SMART CARD ENROLLMENT
For a more detailed look at smart card enrollment, see Chapter 21, “Deploying Smart
Cards,” in Windows Server 2008 PKI and Security, by Brian Komar (Microsoft Press, 2008).
Network Device Enrollment Service
The Network Device Enrollment Service enables you to deploy and manage certificates to
routers, switches, and wireless access points that would otherwise not have Active Directory
accounts. The Network Device Enrollment Service sends Simple Certificate Enrollment
Protocol (SCEP) requests on behalf of each device to a Windows Server 2008 CA, retrieves
issued certificates, and then forwards them to the network device. The number of network
devices that can participate in the enrollment process at any one time is five.
MORE INFO NETWORK DEVICE ENROLLMENT SERVICE
For more information about the Network Device Enrollment Service, see the following
TechNet link: -ab45-494d-a07e-d0b9696a651e1033.mspx?mfr=true.
EXAM TIP
Understand the benefits of using Online Responder as opposed to using a CRL.
Practice Certificate Templates and Auto-enrollment
In this practice, you configure a custom certificate template and configure the certificate
revocation infrastructure.
Exercise 1 Creating a Certificate Template for System Health Certificates
In this exercise, you create a certificate template for system health certificates. You deploy
these certificates when implementing NAP with IPsec enforcement. NAP issues these cer-
tificates to compliant computers, and they authenticate connection security policies. You
manually enroll NAP-exempt clients with these certificates.
1. Log on to server Glasgow, using the Kim_Akers user account.
2. Use Active Directory Users And Computers to create a new security group called
Non_NAP_Secure_Computers.
3. From the Start menu, click Run, type mmc, and then click OK.
After dismissing the User Account Control dialog box, Microsoft Management Console
opens.
4. From Add/Remove Snap-in, add the Certificate Templates snap-in to the console.
5. Select the Certificate Templates node. Right-click the Workstation Authentication tem-
plate, and then select Duplicate Template.
6. In the Duplicate Template dialog box, select Windows Server 2008, Enterprise Edition,
and then click OK.
7. On the General tab, enter System Health Authentication in the Template Display
Name text box. Select the Publish Certificate In Active Directory check box. Verify that
the dialog box matches what you see in Figure 7-28, and then click Apply.
FIGURE 7-28 Creating a system health authentication template.
8. Click the Extensions tab. Select Application Policies, and then click Edit. In the Edit
Application Policies Extension dialog box, click Add.
9. From the list of application policies, select System Health Authentication, and then
click OK. Verify that the Edit Application Policies Extension dialog box matches Figure
7-29, and then click OK. Click OK again to return to the Properties Of New Template
dialog box.
FIGURE 7-29 Configure the Application Policies extension.
10. On the Security tab, click Add. In the Select Users, Computers, Or Groups dialog box, in
the Enter The Object Names To Select text box, type Non_NAP_Secure_Computers,
and then click OK. Assign this group the Allow Enroll permission, and then click OK.
11. Open the Certification Authority console from the Administrative Tools menu. Click
Continue to dismiss the User Account Control dialog box.
12. Expand the contoso-GLASGOW-CA node. Right-click the Certificate Templates node,
select New, and then select Certificate Template To Issue.
13. In the Enable Certificate Templates dialog box, select the System Health Authentication
template, and then click OK.
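The following PowerShell script is an added example and is not part of the book's exercise. It reads back, from the template object in AD DS, the settings the lesson describes on the Extensions, Issuance Requirements and Security tabs (application policies, number of required signatures, who holds Enroll and Autoenroll, who can modify the template) and then lists what the CA is actually configured to issue, which is how you would verify Exercise 1 without clicking through the dialog boxes. It assumes the Active Directory PowerShell module is available on the server, that the template from step 7 was saved under the default template name SystemHealthAuthentication (the display name with spaces removed), and that the Enroll and Autoenroll permissions are the Certificate-Enrollment and Certificate-AutoEnrollment extended rights with the GUIDs given in the code.

```powershell
# Added example (not from the book): report a template's enrollment-relevant settings
# straight from the Configuration partition, then list the templates the local CA issues.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$tmplBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Extended-right GUIDs behind the Enroll and Autoenroll check boxes on the Security tab
$enrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$autoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

function Get-TemplateReport {
    param([Parameter(Mandatory)][string]$Name)   # template name, e.g. SystemHealthAuthentication

    $t = Get-ADObject -SearchBase $tmplBase `
            -LDAPFilter "(&(objectClass=pKICertificateTemplate)(cn=$Name))" `
            -Properties 'msPKI-Template-Schema-Version', 'msPKI-RA-Signature',
                        'pKIExtendedKeyUsage', 'msPKI-Certificate-Application-Policy',
                        'nTSecurityDescriptor'
    if (-not $t) { throw "Template '$Name' was not found in $tmplBase" }

    $allow = $t.nTSecurityDescriptor.Access | Where-Object { $_.AccessControlType -eq 'Allow' }
    $modify = $allow | Where-Object { $_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner|WriteProperty' }

    [pscustomobject]@{
        Name                = $t.Name
        SchemaVersion       = $t.'msPKI-Template-Schema-Version'      # 1, 2 or 3: the "level" in the lesson
        RequiredSignatures  = $t.'msPKI-RA-Signature'                 # > 0 rules out auto-enrollment
        ApplicationPolicies = ($t.'msPKI-Certificate-Application-Policy') -join ', '
        ExtendedKeyUsage    = ($t.pKIExtendedKeyUsage) -join ', '
        Enroll              = ($allow | Where-Object { $_.ObjectType -eq $enrollGuid }).IdentityReference -join ', '
        Autoenroll          = ($allow | Where-Object { $_.ObjectType -eq $autoEnrollGuid }).IdentityReference -join ', '
        CanModifyTemplate   = ($modify.IdentityReference | Select-Object -Unique) -join ', '
    }
}

# Expected after Exercise 1: schema version 3, System Health Authentication
# (1.3.6.1.4.1.311.47.1.1) among the application policies, and Non_NAP_Secure_Computers
# listed under Enroll.
Get-TemplateReport -Name 'SystemHealthAuthentication' | Format-List

# Templates the CA is configured to issue (the Certificate Templates node in the console)
certutil -CATemplates
```

Reviewing CanModifyTemplate is worth making a habit: anyone who can write a published template can change its extensions or its enrollment permissions, so that list should be as short as the list of people you would trust with the CA itself.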
Exercise 2 Configure CRL Settings and Online Responder
In this exercise, you configure CRL settings and set up an online responder.
1. Log on to server Glasgow with the Kim_Akers user account.
2. Open the Server Manager console. Right-click Active Directory Certificate Services
under the Roles node, and then select Add Role Services.
3. On the Select Role Services page, select the Online Responder role service check box,
and then click Next. Click Install to install the Online Responder role service and click
Close when the role service installation process completes.
4. Add the Certificate Templates snap-in to a custom MMC. Edit the properties of the
OCSP Response Signing Template. On the Security tab, click Add. Click Object Types,
select the Computers check box, and click OK. Enter Glasgow as the object name and
click OK. Give the Glasgow Computer account the Allow Enroll permission, and then
click OK.
5. Open the Certificate Authority console from the Administrative Tools menu. Right-click
the Certificate Templates node, and then select New and Certificate Template To Issue.
Select the OCSP Response Signing template, and then click OK.
6. Add the Certificates console, set to the local Computer Account, to a custom MMC.
Right-click the Personal store, select All Tasks, and then select Request New Certificate.
7. From the list of certificates, select the OCSP Response Signing certificate check box,
and then click Enroll. Click Finish to dismiss the Certificate Enrollment Wizard.
8. In the Certificate Authority console, right-click Contoso-GLASGOW-CA, and then select
Properties. On the Extensions tab, select Authority Information Access (AIA) from the
Select Extension drop-down list.
9. Click Add. In the Add Location dialog box, type ernal
/ocsp, and then click OK.
10. Select the Include In The AIA Extension Of Issued Certificates and Include In The Online
Certificate Status Protocol (OCSP) Extension check boxes, as shown in Figure 7-30, and
then click OK.

FIGURE 7-30 Configuring extensions.
11. Click Yes in the Certification Authority dialog box that asks whether you want to restart
Active Directory Certificate Services.
12. In the Certification Authority console, right-click the Revoked Certificates node and
then select Properties. Change the CRL publication interval to 2 weeks and the Delta
CRL publication interval to 2 days, and then click OK.
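The same CA settings as steps 8 through 12 of Exercise 2, expressed with certutil so that they can be scripted and read back afterwards. This is an added example, not part of the book's exercise; the OCSP URL is a placeholder standing in for the location typed in step 9, and the registry value names are the ones certutil -setreg uses for the CA's CRL periods and certificate publication URLs.

```powershell
# Added example (not from the book): certutil equivalents of Exercise 2, steps 8-12.
$ocspUrl = 'http://glasgow.contoso.internal/ocsp'   # placeholder for the step 9 location

# AIA publication flags are additive: 2 = Include In The AIA Extension Of Issued
# Certificates, 32 = Include In The OCSP Extension, so 34 sets both check boxes
# from step 10. The leading "+" appends to the existing multi-string value.
certutil -setreg CA\CACertPublicationURLs "+34:$ocspUrl"

# Step 12: base CRL every 2 weeks, delta CRL every 2 days
certutil -setreg CA\CRLPeriodUnits 2
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 2
certutil -setreg CA\CRLDeltaPeriod "Days"

# Registry changes apply when the service restarts (the prompt in step 11)
Restart-Service CertSvc

# Publish a CRL and delta CRL now rather than waiting for the next scheduled run
certutil -CRL

# Read the settings back to confirm what the CA will stamp into new certificates
certutil -getreg CA\CACertPublicationURLs
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod
certutil -getreg CA\CRLDeltaPeriodUnits
certutil -getreg CA\CRLDeltaPeriod
```

Because these values only affect certificates issued after the restart, a certificate issued before step 10 still has no OCSP pointer in its AIA extension; check a freshly issued certificate with certutil -dump to confirm the responder URL is present before relying on the Online Responder.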
Lesson Summary
• You cannot customize Level 1 certificate templates, but you can use them on Windows
2000 Server, Windows Server 2003, and Windows Server 2008 CAs. You can use level 2
certificate templates on Windows Server 2003 and Windows Server 2008 CAs and you
can customize them. You can use level 3 certificate templates only on Windows Server
2008 CAs, and you can use advanced cryptographic methods such as elliptic curve
cryptography.
• By configuring template permissions, you can specify which security principals can
enroll or auto-enroll a particular certificate. You can also specify which security princi-
pals can modify a particular template.
• Auto-enrollment is a process by which you can deploy certificates automatically to
security principals without intervention on the part of the user or an administrator.
• You can install Web enrollment on a CA or on a separate host. It enables clients using
Microsoft and non-Microsoft operating systems to submit certificate requests as well
as retrieve certificates generated by approved requests.
• Restricted enrollment agents can create certificate enrollments on behalf of other
users. This is most often used by users who are responsible for enrolling other users
with smart card certificates.
