Enterprise Certificate Authority question

Thread starter: T0GGLe

T0GGLe

Hi,

sorry to put a dumbass question up here but I have had a good look around
(imo) and I can't find information explaining
certificates/certification authorities in Active Directory.
My questions are thus:

What is a certification authority - what purpose does it serve?

Do you need one in AD?

What is the basic structure?

All the info I can find is regarding troubleshooting it, but I cannot
find info relating to a top-down explanation of it as per my
questions, and would really appreciate some help on this one, even if
it's just redirection to useful info out there on the web.
Or if some clever bugger wants to flex their intellect and has a bit
of time I'd find it really handy please...
Thx.

PS the reason why I need to find out is because when I "view
containers" under the Enterprise PKI snap-in that comes with the 2k3
res kit and look at the CDP container tab my base CRL certificate has
failed and expired, which could explain a few event log errors we've
been getting.
 
Hi,

A Certificate Authority (CA) is a service that comes with Windows 2000 or
Windows 2003 (and with Windows NT it was an add-on from the Option Pack)... It
is a service that provides certificates to users, computers and services.
A company usually decides to set up its own CA when it needs to protect
its resources (network communication, access to files, ...), but doesn't
want to use 3rd party commercial CA agencies (using commercial CA
agencies is usually related to high cost if the company has a high number of
employees that would require such certificates). Still, there is nothing
stopping you from using your own CA set up on a Windows server to securely
share resources with the outside world (e.g. business partners)...

You have a few installation options. One option (standalone CA setup) doesn't
require a domain. The other option (enterprise CA setup) requires a domain
(Active Directory). You can then combine a standalone CA (usually not
connected to the network) and a subordinate enterprise CA that is connected to
the network (it needs to access AD)... On this subordinate CA server all
user (and other) certificates are issued...

Here are some white papers on Microsoft PKI based on Windows 2003 Server...

New features:
http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
Operations guide:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
Managing PKI:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
Best practices:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
Auto-enrollment:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx
Certificate templates:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
Key archival:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/kyacws03.mspx
Advanced certificate enrollment:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
Web enrollment:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx
EFS:
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
CRLs:
http://www.microsoft.com/technet/security/topics/crypto/tshtcrl.mspx

Mike
 
Just to add that certificates are commonly used for EFS file encryption
(though a CA does NOT have to be available), smart cards, VPN using L2TP for
machine authentication, software signing, and email encryption and signing.
Though you commonly hear the term certificates, there are actually two types
of keys used in PKI - public and private. When a CA generates a certificate
that pair of keys is generated. The certificate as commonly referred to is
the "public" key, which can be distributed freely to anyone, while the private
key is sensitive and must be secured. The keypair is generated such that data
can be encrypted by the public key and ONLY the private key can decrypt the
data, or the private key can be used for digital signatures and only the public
key can decrypt the signature. This can be used to encrypt data including
SSL for websites, decrypt data, make sure that the source of an email is
authentic, verify the publisher of a software package, computer
and user authentication, etc. Another important element of certificates is
trust, in that a certificate from a CA will not be trusted unless the
certificate of the CA is in the trusted root store of the user's computer, to
prevent a computer/user from accepting any old certificate issued. For
example you can open Internet Explorer and go to Tools/Internet
Options/Content/Certificates/Trusted Root to see the CAs that your computer
trusts. The link below may help you understand this a bit more. --- Steve

http://www.oreillynet.com/pub/a/security/2004/09/23/vpns_and_pki.html?page=2
-- PKI brief example of use.
 
Thanks very much to the pair of you.

I am trawling through that info to try to find answers, but do you
know if Active Directory actually REQUIRES the issuing of
certificates? It's just that someone else set up our AD and the more
and more I look into it the more problems and diversions from best
practice I keep finding. Not that in this case the person in question
was doing something wrong, perhaps they were looking for extra
security, but when the KDC starts complaining that its certificate is
now invalid it's got us wondering what on earth is going on and what
ramifications that has.

Cheers again.
 
Sorry, one other thing - if I think I might have a CA server, what's the
best way to find it when you've got over 100 servers and at least half
of those are domain controllers?

Thx.

:)
 
Hi,

Active Directory does not require the CA service. It can function very well
without it.

If you set up an enterprise CA (a CA service that integrates with Active
Directory), domain controllers will request a certificate to secure
communication (this is done automatically).

If such certificates were issued to domain controllers, you should be able
to delete them without any problems... To do this, or to check if domain
controllers were issued certificates, open the Certificates MMC and select
the computer account on the domain controller... Expand the Personal container and
Certificates... Are there any listed? If so, and if you want to remove them,
mark them and click delete. You will have to do this on each domain
controller in your domain or forest.

Mike
 
To check if you have a certificate server, check if a domain controller has a
certificate. If it does, open it, click on Details and look for the field
called CRL Distribution Point. Look for a URL (e.g. http://server.domain.com/).
This should tell you the name of the server.

http://freeweb.siol.net/mpihler/crl.jpg

Another option is to open the Sites and Services MMC (e.g. on a domain
controller). Make sure that you have enabled "View Services Node". To enable
it, click on the Active Directory Sites and Services text, click on View and
then "Show Services Node".

Now drill down under Services -> Public Key Services -> Certification
Authorities. See if anything is listed in the right pane...

This will only show you if the enterprise version of the CA was set up...

Mike
 
microsoft.public.win2000.security news group, Miha Pihler <mihap-
(e-mail address removed)> says...
To check if you have a certificate server. Check if domain controller has a
certificate. If it does open it and click on Details and look for field
called CRL Distribution Point. Look for URL (e.g. http://server.domain.com/)
This should tell you the name of the server.

Actually no, this is not a reliable way to determine which server is
functioning as a CA since the CDP and AIA paths in issued certificates
can be set to any location you desire. There is no requirement that
these be hosted on the actual CA.
 
Actually no, this is not a reliable way to determine which server is
functioning as a CA since the CDP and AIA paths in issued certificates
can be set to any location you desire. There is no requirement that
these be hosted on the actual CA.

I know Paul.

That is why I provided the second option. I guess I should add under first
option "If nothing was changed -- default installation"...

Mike

<snip>
 
Active Directory does not require the use of a Certificate Authority. Mike
already gave some ways to find CA and you also might want to look in AD
Users and Computers for membership of the Cert publishers group which may
not be 100 percent correct if someone added or removed servers from it but
still a place to check. However problems with certificates can cause
problems if their use is required. I would look in the mmc certificates
snapin for computers on the server giving you the error messages to see what
certificates the dc has been issued and the purposes in their properties. It
will of course have a domain controller certificate. Check the valid from
date on the certificates to see if any have expired. If they have you can
request a new certificate or renew it by right clicking the certificate and
selecting all tasks. Domain controllers will use their certificate for ssl
ldap if valid. Another possibility is that someone set the domain
controllers up to use ipsec with certificate machine authentication for
communications among themselves. You could use the support tool netdiag as
in " netdiag /test:ipsec " to see if there is an ipsec policy assigned to
the domain controller. If there is, as long as it is not a "require" policy,
communications among computers in that ipsec policy will still work. If
everything functions correctly you can ignore the errors or delete the
certificates if you no longer want to use them. I would however run the
support tool dcdiag on the domain controller in question to make sure that
it is functioning correctly as a domain controller and
communicating/replicating with other domain controllers. Support tools are
on the install disk in the support/tools folder where you will need to run
the setup program to install them as a set. Note that you can use the mmc
certificates snapin to manage/view computer certificates of remote computers
as long as you have admin rights on the target computer. -- Steve
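Steve's check above (which certificates the DC holds, their purposes, and whether any have expired) can be done from the command line instead of clicking through the Certificates snap-in. This is an added example, not code from the thread; it assumes Windows PowerShell 3 or later on the domain controller, and the function name Get-MachineCertReport is mine.

```powershell
# Added example, not from the thread. Lists the certificates in this
# computer's Personal (LocalMachine\My) store, flags expired ones, and
# shows their purposes and CRL Distribution Point URLs. Run in an
# elevated PowerShell on the domain controller that logs the errors.
function Get-MachineCertReport {
    param([datetime]$Now = (Get-Date))
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        # 2.5.29.31 is the CRL Distribution Points extension. Format($false)
        # renders it as one line of text, from which the URLs are pulled.
        $cdp  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        $urls = @()
        if ($cdp) {
            $urls = [regex]::Matches($cdp.Format($false), '(?:http|ldap)://\S+') |
                ForEach-Object { $_.Value.TrimEnd(',') }
        }
        # 2.5.29.37 is Enhanced Key Usage: the purposes the issuer allowed.
        # No EKU extension means the certificate is not restricted by purpose.
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $purposes = 'unrestricted'
        if ($eku) {
            $purposes = ($eku.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ', '
        }
        # 1.3.6.1.4.1.311.20.2 is the Microsoft V1 certificate template name
        # (an auto-enrolled DC certificate usually shows "DomainController").
        $tmpl = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' }
        $template = ''
        if ($tmpl) { $template = $tmpl.Format($false) }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Template   = $template
            NotBefore  = $cert.NotBefore
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt $Now)
            Purposes   = $purposes
            CDP        = ($urls -join ' ')
            Thumbprint = $cert.Thumbprint
        }
    }
}

# Expired entries are the ones to renew (right-click, All Tasks) or delete
# if no longer wanted; the CDP column shows where the issuer published its
# CRL, which, as Paul notes later in the thread, need not be the CA itself.
Get-MachineCertReport | Sort-Object NotAfter | Format-List
```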
 
inline...
mihap- said:
I know Paul.

That is why I provided the second option. I guess I should add under first
option "If nothing was changed -- default installation"...
 
Ewwww.. Default installation.... Translation= Destined for failure said:

:-) Agree.

Unfortunately the majority of Microsoft CA servers that I have seen around here
were set up as default ... :-\

Mike
 
Thanks once again everyone for your help. I know it must be a bit
frustrating talking to a CA noob and you didn't have to post, so
thanks.

I'm working my way through all the info you have provided and comments
you have made to make sense of the setup on our network.

It appears that there is no CA server on our network as every server
that I go on does not have the CA authority service installed. In
terms of the "http path" in the Details tab of the certificate details
described in an earlier post, all the servers that have certificates
point to one particular server...but this server does not have CA
installed. Also, when I go into Sites and Services, enable "Services
Node" (thx, didn't even know about this!) and drill down this is what I
see:

NAME     TYPE
namedCA  certification authority

and that's all.

Now this would be great if "namedCA" ["named" is actually our company
name but I've removed it for the post] was actually a server but it's
not. What it is though is the same name that all the certificates that
these domain controllers have (could just be chance - ie same naming
convention). I was kinda expecting to see the name of the server that
was being used as the CA server or nothing
at all so was surprised to see this there.
Properties of this object give no details at all.

Any suggestions?

Ta.
 
Check Active Directory Users and Computers to find the membership of the Cert
Publishers group, which would show the actual server names of computers that
may be a CA. If you do not have any server in the domain with the
Certificate Services service running, as shown in services.msc, then you don't
have an active CA on your network for some reason. You could try to install
a new Enterprise Root CA if you want, but the process may balk if Active
Directory thinks there is still an Enterprise CA in the domain. If that
happens I am not sure what the best way to clean up the metadata is, but see the
link below for advice if that happens and for additional info that may be
helpful. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;555151
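Mike's "Services node" check and Steve's Cert Publishers check above can both be scripted, which helps when there are 100+ servers to look through. This is an added example, not code from the thread; it assumes a domain-joined Windows machine with PowerShell and read access to the Configuration partition, and the function name Find-EnterpriseCA is mine. Objects under Certification Authorities are named after the CA, not after the server that hosts it; the Enrollment Services container next to it is where an enterprise CA records its host name (dNSHostName).

```powershell
# Added example, not from the thread. Queries the same Configuration
# partition containers that the Sites and Services "Services node" displays,
# plus the Cert Publishers group, and reports what each source says about
# the CA. Uses ADSI and [adsisearcher], so no ActiveDirectory module needed.
function Find-EnterpriseCA {
    $rootDse   = [adsi]'LDAP://RootDSE'
    $configNc  = $rootDse.configurationNamingContext.Value
    $defaultNc = $rootDse.defaultNamingContext.Value
    $pks = "CN=Public Key Services,CN=Services,$configNc"

    # Certification Authorities: one object per published CA certificate,
    # named after the CA itself (not the host), holding the CA certificate.
    try {
        foreach ($ca in ([adsi]"LDAP://CN=Certification Authorities,$pks").Children) {
            [pscustomobject]@{ Source = 'Certification Authorities'; Name = $ca.cn.Value; Host = '' }
        }
    } catch { Write-Warning "Certification Authorities container not readable: $_" }

    # Enrollment Services: one pKIEnrollmentService object per enterprise CA
    # that registered itself; dNSHostName is the server that should be running
    # Certificate Services. An entry whose host no longer runs the service is
    # stale metadata, which is what blocks installing a new Enterprise CA.
    try {
        foreach ($es in ([adsi]"LDAP://CN=Enrollment Services,$pks").Children) {
            [pscustomobject]@{ Source = 'Enrollment Services'; Name = $es.cn.Value; Host = $es.dNSHostName.Value }
        }
    } catch { Write-Warning "Enrollment Services container not readable: $_" }

    # Cert Publishers membership: normally the CA computer accounts, but only
    # as accurate as whoever last edited the group, as Steve notes.
    $searcher = [adsisearcher]'(&(objectClass=group)(cn=Cert Publishers))'
    $searcher.SearchRoot = [adsi]"LDAP://$defaultNc"
    $group = $searcher.FindOne()
    if ($group) {
        foreach ($dn in $group.Properties['member']) {
            [pscustomobject]@{ Source = 'Cert Publishers'; Name = $dn; Host = '' }
        }
    }
}

Find-EnterpriseCA | Format-Table -AutoSize
```

A CA name listed under Certification Authorities with no matching Enrollment Services entry, and an empty Cert Publishers group, is consistent with a CA that was published to AD at some point but is no longer running anywhere.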
 
Hi,

there are no members of the Cert Publishers group - it's completely
blank.

I think that I am going to strip out certificates from all servers as
per the link you supplied below.

Thanks very much for all the advice again people and I'll let you know
how it goes. I'm just worried about breaking AD, you know - breaking
the servers' ability to chat to each other - but if I follow that
doc to the letter then hopefully it'll go ok. It's not difficult to
follow and if it does what it says on the tin then I should be ok.
You've confirmed to me that AD does not actually require a certificate
server in order to work, it's just an extra layer of security that you
can use, so I'm going to do it.

Cheers

Togs.


 
Sounds good.

I am very confident you will not have a problem. However best practice would
be to try removing the certificates on one domain controller first - not the
pdc fsmo or such, exporting them to a .pfx file [if the private keys are
exportable], back up the System State also and waiting a day or so and then
looking in Event Viewer to see if any problems are recorded. Then make a
change in Active Directory such as creating a new user on a different domain
controller and see if it replicates to the domain controller you removed the
certificates from. Even though I am confident I have learned in the past to
have a backup plan just in case. Usually such a plan takes little time, but
can save a ton of grief just in case things don't go according to plan. Good
luck. --- Steve


 