In the first part of the article, we explained the purposes of certificate services and the new improvements that come with the Windows Server 2008 R2 operating system. In addition, we installed the certificate authority server and the Online Responder service. In this part, we will associate the two services with each other and create certificate templates. We will also generate certificates for computers/users and revoke them as well.
Now that the CA and Online Responder service installations are finished, the first thing we have to do is configure the CA to support the Online Responder. This includes configuring certificate templates and issuance properties for OCSP Response Signing certificates and then completing additional steps on the CA to support the Online Responder and certificate issuance. Before that, however, we have to activate the auto-enrollment feature in Active Directory. Auto-enrollment lets computers, users or services receive a certificate automatically without any interaction. If we don’t activate this feature for an Enterprise CA server, certificate generation and renewal may not work as expected in the future.
For this purpose we log on to an Active Directory Domain Controller as a Domain or Enterprise Administrator and open the Group Policy Management console (Start -> Administrative Tools -> Group Policy Management). On the left side, we open the Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies container and double-click Certificate Services Client – Auto Enrollment on the right side. We select Enabled from the list and tick the two checkboxes under it.
After this domain policy configuration, we can get on with the real job. To configure the templates, we open the Certificate Templates snap-in (Start -> Administrative Tools -> Server Manager -> Roles -> Active Directory Certificate Services -> Certificate Templates). We right-click the OCSP Response Signing template and choose Duplicate Template (Figure 1). We give the new template a descriptive name (Figure 2) and click the Security tab. We press the Add… button and find the computer account of the Online Responder server (mstipca01). After adding it to the list, we give this computer account the Read, Enroll and Autoenroll rights (Figure 3). With this setup, the Online Responder server can enroll for this certificate automatically.

Figure 1: Creating a new template

Figure 2: Naming the new template

Figure 3: Giving the Read, Enroll and Autoenroll rights to the server
For Certificate Services to support the Online Responder, we have to make two key changes in the Certification Authority snap-in: add the location of the Online Responder to the Authority Information Access extension of issued certificates, and enable for the CA the certificate template that we configured in the previous procedure.
For this purpose we open the Certification Authority snap-in (Start -> Administrative Tools -> Certification Authority) and right-click the name of the CA (MstipRootCA01) on the left side. We click Properties on the Action menu. On the Properties page, we click the Extensions tab and select Authority Information Access (AIA) in the Select extension list. By pressing the Add… button, we enter the location from which clients will retrieve revocation data. This location is http://mstipca01/ocsp in our scenario (Figure 4). When we press the OK button, we return to the previous window, where we tick the “Include in the online certificate status protocol (OCSP) extension” checkbox (Figure 5). We press Yes on the warning message box that appears.

Figure 4: OCSP location URL

Figure 5: Identifying the OCSP location
After this configuration, we right-click Certificate Templates in the Certification Authority snap-in and select New -> Certificate Template to Issue. We choose OCSP Response Signing Mstip in the Enable Certificate Templates window and press OK (Figure 6). To verify the addition, we open Certificate Templates and check whether our template is listed.

Figure 6: Addition of templates for new certificates that will be published
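As an added example (not part of the original article), the following PowerShell function, run on the CA server, reads the CA's AIA publication URLs from the CertSvc registry and reports which of them carry flag 32 (CSURL_ADDTOCERTOCSP), the flag set by the "Include in the online certificate status protocol (OCSP) extension" checkbox. The expected URL defaults to the one used in this scenario and is a parameter you can change.

```powershell
# Added example, not from the article: verify the OCSP location configured
# in the CA's Authority Information Access extension settings.
function Get-CaOcspPublicationUrls {
    param(
        # URL configured in the article; adjust to your own Online Responder location
        [string]$ExpectedUrl = 'http://mstipca01/ocsp'
    )
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    # The "Active" value holds the common name of the CA hosted on this server
    $caName = (Get-ItemProperty -Path $base -Name Active).Active
    $urls   = (Get-ItemProperty -Path "$base\$caName" -Name CACertPublicationURLs).CACertPublicationURLs

    # Each entry is "<flags>:<url>"; keep only entries flagged for the OCSP extension
    $ocspUrls = foreach ($entry in $urls) {
        $flags, $url = $entry -split ':', 2
        if ([int]$flags -band 32) { $url }   # 32 = CSURL_ADDTOCERTOCSP
    }

    [pscustomobject]@{
        CA         = $caName
        OcspUrls   = @($ocspUrls)
        Configured = @($ocspUrls) -contains $ExpectedUrl
    }
}

Get-CaOcspPublicationUrls
```

The new AIA value only appears in certificates issued after the AD CS service has been restarted, which is what the warning box in the previous step asks for.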
After finishing the two key changes, we have two additional steps left to complete the PKI infrastructure. The first is creating a revocation configuration and the second is verifying that the AD CS setup functions properly. A revocation configuration includes all of the settings that are needed to respond to status requests regarding certificates that have been issued by using a specific CA key. These configuration settings include the CA certificate, the signing certificate for the Online Responder, and the locations to which clients are directed to send their status requests.
Before creating a revocation configuration, let’s verify whether the signing certificate is configured correctly. For this purpose, we first restart our CA server (mstipca01). After logging on to the server as an administrator, we open the Certificates snap-in for the local computer account (Start -> Run -> mmc -> File -> Add/Remove Snap-in… -> Certificates -> Computer Account -> Local Computer). Under Personal Certificates we check whether a certificate with the OCSP Signing purpose is present (Figure 7). We right-click the certificate and select All Tasks -> Manage Private Keys. In the window that opens, we add Network Service under the Group or user names field of the Security tab. After that we give this account Full Control permission (Figure 8) and press OK twice.

Figure 7: Checking the template under personal certificates

Figure 8: Giving Full Control permissions to Network Services account
After this check, we can start creating the revocation configuration. For this purpose we have to finish four sub-steps: identify the CA certificate for the CA that supports the Online Responder, identify the CRL distribution point for the CA, select a signing certificate that will be used to sign revocation status responses, and select a revocation provider, the component responsible for retrieving and caching the revocation information used by the Online Responder.
First, we open the Online Responder snap-in (Start -> Administrative Tools -> Online Responder Management), right-click Revocation Configuration and select Add Revocation Configuration (Figure 9). On the Name the Revocation Configuration page, we enter a descriptive name for the revocation configuration (e.g. mstipca01RevocationConf) and press Next. We choose Select a certificate from an existing enterprise CA on the Select CA Certificate Location page and press Next. On the next page, the name of the CA must be shown as mstipca01.mstip.com in the Browse CA certificates published in Active Directory field. If it is not, we press the Browse button, find the name of our CA server and press Next (Figure 10).

Figure 9: Addition of revocation configuration

Figure 10: Addition of CA
On the Select Signing Certificate page, we leave the default Automatically select signing certificate value untouched. In addition, Auto-Enroll for an OCSP signing certificate must be selected. After we verify that our CA server is in the Certification Authority field and our newly created template (OCSPResponseSigningMstip) is in the Certificate Template list, we press Next (Figure 11). We press the Provider button on the Revocation Provider page. After verifying the values on the Revocation Provider Properties page, we press OK (Figure 12). On the next page, we finalize the configuration by pressing Finish. It is also good practice to check the status information of the revocation configuration.

Figure 11: Signing certificate selection

Figure 12: Revocation provider properties
Finally it is time to check whether our new AD CS infrastructure is working correctly :) . For this purpose, we create certificate templates for domain computers and users on our CA server (Figure 13) and give them the necessary permissions (Read, Enroll and Autoenroll). These templates will be issued to the computers and users automatically. For testing, we run the certutil -pulse command on a client machine after the templates are published in AD (Figure 14). (Note: for Windows XP machines, certutil.exe can be obtained from the Windows Server 2003 AdminPack.) After running the command, we open the Certificates snap-in on the client machine and check whether the certificate has been issued to the user (Figure 15).

Figure 13: Selecting the certificate template to issue and permission configuration

Figure 14: certutil -pulse command run on a client machine

Figure 15: The issued certificate under personal certificates container
For testing the revocation process, we open the Certification Authority snap-in on the CA server and select a certificate to revoke under Certification Authority (Computer)/CA name/Issued Certificates. In the Action menu, we choose All Tasks -> Revoke Certificate (Figure 16). We select a reason for revocation and press Yes.

Figure 16: Certificate revocation
We go to Certification Authority (Computer)/CA name/Revoked Certificates and from the Action menu we select All Tasks -> Publish (Figure 17).

Figure 17: Publishing new CRL
We select our CA in the Certification Authority snap-in and open Properties from the Action menu. On the Extensions tab, we verify that CRL Distribution Point (CDP) is selected in the Select extension list (Figure 18). We remove the CRL distribution points by selecting them and pressing the Remove button. Then we press Yes and restart the AD CS service (Figure 19).

Figure 18: Removing CRL distribution points

Figure 19: Confirmation of removal
After the removal of the CRL distribution points, we repeat the first two actions, which are creating the certificate template and running the certutil -pulse command on the client computer. Then we check whether the client computer gets the revocation configuration information correctly. For this purpose, we export the certificate from the Certificates snap-in. I export the certificate to c:\after_CRL_chenge.cer. Then it is sufficient to run certutil -url c:\after_CRL_chenge.cer at the command prompt. The URL Retrieval Tool window opens and we press the Retrieve button while CRLs (From CDP) is selected. Then we check the status of the URL as seen in Figures 20 and 21 (Figure 20 was retrieved from the certificate issued before the removal). As expected, there is no CRL URL in Figure 21 (because we removed them all).

Figure 20: Before CRL distribution points removal

Figure 21: After CRL distribution points removal
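As an added example (not code from the original article), the following PowerShell function reads the Authority Information Access and CRL Distribution Points extensions of an exported certificate, so the state shown in Figures 20 and 21 can be checked from a script instead of the URL Retrieval Tool. The default file path is the one exported above and the expected OCSP URL is the one configured on the CA in this scenario; both are parameters.

```powershell
# Added example, not from the article: list the OCSP and CRL locations
# embedded in an issued certificate and compare them with the expected state.
function Get-CertRevocationEndpoints {
    param(
        [string]$CertPath     = 'C:\after_CRL_chenge.cer',   # file exported in the article
        [string]$ExpectedOcsp = 'http://mstipca01/ocsp'       # AIA URL configured on the CA
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $ocsp = @()
    $cdp  = @()

    foreach ($ext in $cert.Extensions) {
        # Format($true) decodes the extension into the same multi-line text certutil shows
        $text = $ext.Format($true)
        switch ($ext.Oid.Value) {
            '1.3.6.1.5.5.7.1.1' {
                # AIA: keep only access entries whose method is OCSP (1.3.6.1.5.5.7.48.1)
                foreach ($entry in ($text -split '\[\d+\]Authority Info Access')) {
                    if ($entry -match '1\.3\.6\.1\.5\.5\.7\.48\.1' -and $entry -match 'URL=(\S+)') {
                        $ocsp += $Matches[1]
                    }
                }
            }
            '2.5.29.31' {
                # CDP: every URL in this extension is a CRL location
                $cdp += [regex]::Matches($text, 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
            }
        }
    }

    [pscustomobject]@{
        Subject        = $cert.Subject
        OcspUrls       = $ocsp
        CrlUrls        = $cdp
        OcspConfigured = $ocsp -contains $ExpectedOcsp
        CdpRemoved     = ($cdp.Count -eq 0)   # expected after the CDP removal step
    }
}

Get-CertRevocationEndpoints
```

A certificate issued before the CDP removal (Figure 20) reports CdpRemoved as False; one issued afterwards (Figure 21) reports True while still carrying the OCSP URL.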
This is the end of this article. Throughout this two-part series we installed, configured and tested a certificate services infrastructure from scratch. I hope it will be helpful. Bye for now.