Enterprise PKI with Windows Server 2012 R2 Active Directory Certificate Services (Part 2 of 2)

[Part 1 for Steps 1 to 4]

5. Set certificate revocation policies

Revocation is an important part of PKI to ensure the validity of certificates. There are two components to make the process work. A list, or more specifically Certified Revocation List (CRL), as the criteria to identify an invalid certificate needs to be published and distributed. And an Online Responder to make revocation checking data available to client.

For configuring the distribution of CRL, the properties of Revoked Certificates folder of CA console is where the CRL parameters are. On the subordinate CA, the CRL settings are shown as the following.

clip_image002

The CRL is published to designated Certificate Revocation Location (CRL) when setting up the root CA server earlier. And in this case, it is place in a folder under wwwroot at https://subCA.yc.corp/certdata/ as shown below. The directory browsing is here turned on for listing out the content in the certdata folder.

clip_image004

Next, the Online Responder service is a role service to the AD CS role and makes certificate revocation checking data accessible to clients. On the subordinate CA server, one can use Server Manager to add the service as shown below.

clip_image005

Once Online Responder is configured, use the CA console to examine the subordinate CA’s properties. Click the Extensions tab and add a new AIA distribution location to https://subCA.yc.corp/ocsp.

clip_image007

Next configure the OCSP Response singing certificate template and enable Authenticated Users to enroll by following the process below.

clip_image009

Then publish/enable the template as illustrated below.

clip_image011

clip_image012 Open the Online Responder console, add revocation configuration of the subordinate CA, and enroll for an OCSP Response certificate as depicted by the following screen flow.

   

clip_image014

clip_image016

clip_image018

clip_image020

clip_image022

clip_image024

clip_image026

clip_image028

clip_image030

 

At this time, certificate revocation settings are in place.

6. Configure and verify private key archive and recovery

Recovering a private key is a process that needs to be well tested and documented accordingly. The process includes assigning a certificate for a recover agent, i.e. a certificate administrator, and enable specific certificate template to allow archiving a private key. These are the main tasks:

  • (a) Configure CA to issue Key Recovery Agent (KRA) certificate
  • (b) Request KRA certificate
  • (c) Configure CA to allow key recovery
  • (d) Configure a template for archiving key

 

(a) Configure CA to issue Key Recovery Agent (KRA) certificate

On the subordinate CA, configure and enable Key Recovery Agent, and allow only domain administrators and enterprise administrators can enroll. The process and settings are as the following.

clip_image032

clip_image034

Now the KRA template is enabled.

(b) Request KRA certificate

While logging in as a domain administrator, use the Certificate snap-in on personal store in mmc to request a KRA certificate as shown below.

clip_image036

(c) Configure CA to allow key recovery

This is set in the properties of the CA using CA console as shown below. Notice the CA needs a restart to validate the KRA certificate.

clip_image038

(d) Configure a template for archiving key

This requires defining and enabling a template with Certificate Template console. Use CA console and go to Certificate Template folder to bring up Certificate Template console. Duplicate and rename the User template and set the settings as shown below. This option, Archive subject’s encryption private key, once enabled allows the KRA to retrieve the private key from a certificate store.

clip_image040

The verification of archiving a private key is left for the reader to carry out. :) Or I may publish it in a future blog post.

Closing Thoughts

Implementing PKI is very process-heavy and it does require effort and much concentration. The key is to keep good documentation and standardize as much as possible to minimize overhead. Once PKI is in place, Virtual Smart Card which is one of my favorite features in Windows Server 2012 R2 is just around the corner.

[Part 1 for Steps 1 to 4]