Category: Certification Authority


The Certificate Expiration Alerter helps IT departments monitor the expiration status of all certificates issued by an internal Windows Server Certificate Authority (CA). When a certificate is about to expire, the Certificate Expiration Alerter sends an email notification with information about the certificate.

This allows the IT administrator to proactively take action and renew the certificates before they expire and prevent possible service downtimes. This article explains how to use this tool:

http://blogs.technet.com/b/nexthop/archive/2011/11/18/certificate-expiration-alerting.aspx

The tool can be downloaded from my shared box folder on the right side. called CertExpAlerter.zip

Advertisements

While it is supported to do that, its against best practices to install the CA role on a domain controller for the following reasons:

1- If you are to decommission that Domain Controller, you will have to go through the procedure of moving the CA from it first before decommissioning.

2- If you are to upgrade the version of the CA , this will require the upgrade of the OS of that domain controller, and that will require a decommission for this to take place.

3- In an Event of failure on that specific DC for any reason, restoration of the full functionality of DC and CA will be lengthy, Which could affect certification validity due to downtime.

4- Administration of certain CA functions require local administrator, and this becomes an issue on a Domain Controller.

5- If you have to publish your CRLs externally, that DC will be internet facing and this poses a very big security risk.

 

You might wanna take a look at these posts below that discusses the same:

1- This link to verify local admin privileges needed. Refer to Roles and Activities http://technet.microsoft.com/en-us/library/cc732590.aspx

2- Please go through these posts for additional reasons on why not to have it on a dc, please see Sander’s reply

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/ce9df65f-cf58-4c84-a969-3cd67d1c0042

http://www.networksteve.com/forum/topic.php/Remove_Certification_Authority_from_old_(in_use)_domain_controll/?TopicId=1969&Posts=9

To enable SAN certificate issuing on the CA you can follow below steps:

1. Open command prompt with elevated privilleges or an user credentials that have permissions to manage CAs.

2. Run the command certutil -setreg policyEditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

3. This command changes the values of EditFlags and adds SubjectAltName in registry located at SYSTEMCurrentControlSetServicesCertSvcConfiguration<Server Name>PolicyModulesC
ertificateAuthority_MicrosoftDefault.Policy

and the output looks like below: (Please note that the values on your CA may be different than what they look like in following example)

C:>certutil -setreg policyEditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
SYSTEMCurrentControlSetServicesCertSvcConfiguration<Server Name>PolicyModulesC
ertificateAuthority_MicrosoftDefault.PolicyEditFlags:

Old Value:
EditFlags REG_DWORD = 11014e (1114446)
EDITF_REQUESTEXTENSIONLIST — 2
EDITF_DISABLEEXTENSIONLIST — 4
EDITF_ADDOLDKEYUSAGE — 8
EDITF_BASICCONSTRAINTSCRITICAL — 40 (64)
EDITF_ENABLEAKIKEYID — 100 (256)
EDITF_ENABLEDEFAULTSMIME — 10000 (65536)
EDITF_ENABLECHASECLIENTDC — 100000 (1048576)

New Value:
EditFlags REG_DWORD = 15014e (1376590)
EDITF_REQUESTEXTENSIONLIST — 2
EDITF_DISABLEEXTENSIONLIST — 4
EDITF_ADDOLDKEYUSAGE — 8
EDITF_BASICCONSTRAINTSCRITICAL — 40 (64)
EDITF_ENABLEAKIKEYID — 100 (256)
EDITF_ENABLEDEFAULTSMIME — 10000 (65536)
EDITF_ATTRIBUTESUBJECTALTNAME2 — 40000 (262144)
EDITF_ENABLECHASECLIENTDC — 100000 (1048576)
CertUtil: -setreg command completed successfully.
The CertSvc service may need to be restarted for changes to take effect.

4. Restart certification services using services manager snap in or command prompt.

5. Once the service is restarted you can request a certificate with SAN extension using web enrollment application.

The Extended Validation is this feature that gives you the green bar on Internet Explorer as further identification of the web site.

There is a cool way to enable that for your internal servers. If you already have a CA in place you will need to create a new template and renew the certificate for any internal website with this new template.

So without Further adue, here is how to do it

Enabling this feature is a two step process to configure:

Create a new “Issuance Policy” on a certificate template to support EV certificates:

The below steps require you to be logged in as an Enterprise Admin unless you have modified the permissions on your certificate templates.

1. Open the Certificate Templates MMC (CertTmpl.msc).

2. Create a new Version 2 or Version 3 template (or modify an existing v2/v3 template).

3. Click on the Extensions tab.

4. Select Issuance Policies, and click on the Edit button.

5. Click the Add… button.

6. Click New… button.

7. Type in a name for the new Extended Validation Policy. The name for the policy can be anything you like. In my example I used “Contoso Extended Validation (EV)” as the name.

8. Type in the URL to the Certificate Practice Statement (CPS) for your extended validation policy.

NOTE: When you create a certificate policy you should have a practice statement defining how the certificate type is to be used, how the certificate type is approved to be issued, and what the requirements are to be fulfilled before issuance. CPS’s are beyond the scope of this blog however and you should do your due diligence in crafting a CPS.

9. The Object Identifier field will be filled out. You can of course replace this with an custom OID (that you obtained) from an internet authority that manages OIDs. Be sure to document and copy this OID for later use.

clip_image001

10. Click OK

11. Highlight the Issuance Policy you just created and click OK.

12. Do not check “Make this extension critical” and click OK.

13. Click “OK” to close the certificate template dialog box.

Create / modify a Group Policy to support the feature:

It’s actually pretty easy to setup, you will need either a Windows Server 2008R2 / Windows 7 client with RSAT tools (GPMC) installed, or a 2008R2 server with the Group Policy Management feature added .

clip_image002

It is important to note, that it is not required that you have a Windows Server 2008 R2 domain controller, you only need the ability to manage group policies from the newer operating system.

1. Launch Group Policy Management (GPMC.MSC).

2. Edit an existing policy / create a new policy.

3. Navigate to the following location: Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities

4. Right click on Trusted Root Certification Authorities and select Import

5. You need to import your internal Root Certification Authority certificate using the import wizard.

6. Once the Root Certification Authority certificate has been imported, right click on the certificate and select “Properties”

7. Click on the Extended Validation tab.

8. Paste in the OID from Issuance Policy you created above.

9. Click the Add OID button.

10. Click OK.

clip_image003

Have fun with Extended Validation and enjoy your green validated address bar in Internet Explorer.

 

Thanks to Rob from the AD team for this Smile.

Original Link

http://blogs.technet.com/b/askds/archive/2009/08/14/extended-validation-support-for-websites-using-internal-certificates.aspx