- Public Key Infrastructure Part 1 – introduction to encryption and signature
- Public Key Infrastructure Part 2 – main components
- Public Key Infrastructure Part 3 – implement a PKI with Active Directory Certificate Services
- Public Key Infrastructure Part 4 – Configure CRL
- Public Key Infrastructure Part 5 – Registry key, certutil and Active Directory
- Public Key Infrastructure Part 6 – Manage certificate templates
- Public Key Infrastructure Part 7 – Enrollment and Autoenrollment
- Public Key Infrastructure Part 8 – OCSP responder
- Public Key Infrastructure Part 9 – Management accounts
- Public Key Infrastructure Part 10 – Best practices about PKI
In the previous parts of this series, I talked about encryption and signature algorithms and why a Public Key Infrastructure exists. Next I showed you step by step how to install a simple Public Key Infrastructure with a basic configuration. Finally I talked about the CRL. Now it is time to see how Active Directory Certificate Services (ADCS) works behind the graphical shell. There is a lot of fun stuff, such as registry keys, the certutil tool and Active Directory objects. To make things more fun, I have taken a screenshot of everything (or almost).
Active Directory objects
To view objects related to ADCS in Active Directory, open ADSIEdit.msc and create a new connection as below.
Navigate to CN=Public Key Services,CN=Services,CN=Configuration,DC=Your,DC=Domain
The first object, called NTAuthCertificates, contains the CA certificates that are allowed to issue certificates used for authentication, such as Smart Card Logon. This object can contain multiple CA certificates.
Next there is the AIA container. This container stores the CA certificate of each CA. You can also add a certificate manually with the certutil command, for an offline Root CA for example.
If you edit an object, you should see information similar to the screenshot below. The cACertificate attribute contains the CA certificate in binary format. In my example I have three certificates, because when I wrote the how-to on installing Active Directory Certificate Services, I renewed the CA certificate three times (some mistakes :p).
Next you have the CDP container, which contains the CRLs and Delta CRLs.
If you edit an object, you can see that the CRL is also stored in binary format.
Next, the Certificate Templates container stores the template definitions used to issue certificates. For more information about certificate templates, see the next parts of this series.
The Certification Authorities container stores Root CA certificates. A certificate can be published there manually, for an offline Root CA for example.
The Enrollment Services container stores the enterprise CA certificates. Clients use this information to find an enterprise CA when they enroll and to know which CA hosts the certificate template they need.
The KRA (Key Recovery Agent) container stores the certificates of the recovery agents. When a CA issues a certificate based on the Key Recovery Agent template, that certificate is added to the KRA container.
Finally, the OID container stores object identifier definitions describing custom policies and certificate templates.
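As an added example (not from the original article), here is a PowerShell inventory of the CA certificates published in the containers just described. It assumes a domain-joined Windows host and uses only the .NET DirectoryServices classes, so the RSAT ActiveDirectory module is not required:

```powershell
# Added example, not from the original article: inventory every CA certificate
# published under CN=Public Key Services and flag expired entries.
function Get-AdcsPublishedCaCertificate {
    $configNc = [string]([ADSI]"LDAP://RootDSE").configurationNamingContext
    $pkiRoot  = [ADSI]"LDAP://CN=Public Key Services,CN=Services,$configNc"

    # cACertificate is present on the NTAuthCertificates object itself and on the
    # children of AIA, Certification Authorities and Enrollment Services. CDP objects
    # carry certificateRevocationList instead, so the filter does not match them.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $pkiRoot
    $searcher.Filter      = "(cACertificate=*)"
    $searcher.SearchScope = "Subtree"
    $searcher.PageSize    = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@("distinguishedName", "cACertificate", "dNSHostName"))

    foreach ($result in $searcher.FindAll()) {
        $dn   = [string]$result.Properties["distinguishedname"][0]
        $rdns = $dn -split ",", 3
        # The container tells you what the certificate is trusted for (an entry in
        # NTAuthCertificates may issue logon certificates such as Smart Card Logon).
        $container  = if ($rdns[1] -eq "CN=Public Key Services") { $rdns[0] } else { $rdns[1] }
        $hostValues = $result.Properties["dnshostname"]     # set on Enrollment Services objects only
        $caServer   = if ($hostValues.Count -gt 0) { [string]$hostValues[0] } else { "" }
        foreach ($raw in $result.Properties["cacertificate"]) {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
            [pscustomobject]@{
                Container  = $container -replace "^CN="
                ObjectDN   = $dn
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Expired    = $cert.NotAfter -lt (Get-Date)
                CAServer   = $caServer
            }
        }
    }
}

# Review the NTAuthCertificates rows first: a CA you did not publish there deserves a look.
Get-AdcsPublishedCaCertificate | Sort-Object Container, Subject | Format-Table -AutoSize
```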
Now let's look at the important registry keys that configure your CA. For that, open HKLM\System\CurrentControlSet\Services\Certsvc\Configuration\<YourCAName>. If you back up your CA, I recommend that you protect this key as well. It contains a lot of CA settings.
The first ones are the common CA configuration values:
- CACertHash: hash of your CA Certificate
- CACertPublicationURLs: AIA extension configuration
- CAServerName: FQDN of your CA
- CAType: Root CA (0) or Sub CA (1)
- CommonName: CN of your CA.
Next you have the CRL parameters, such as the CRL validity period, the CRL overlap, etc. Here are some of them:
- CRLPeriod: time unit used by CRLPeriodUnits
- CRLPeriodUnits: value of the CRL validity period
- CRLPublicationURLs: CRL Distribution Point extension setting
Next you have information about Active Directory:
- DSConfigDN: Distinguished Name (DN) of the configuration partition
- DSDomainDN: DN of the CA's domain.
Next, you have information about the Key Recovery Agent. You can see that my CA has no recovery agent.
Finally, there are the default values of the validity period for the issued certificates:
- ValidityPeriod: time unit used by ValidityPeriodUnits
- ValidityPeriodUnits: value of the certificate validity period
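As an added example that is not part of the original article, the following PowerShell reads these registry values on the CA server and checks that every certificate listed in CACertHash is present in the local machine store with its private key. The value names are the ones shown above; CRLOverlap* and CRLDelta* are the matching overlap and Delta CRL settings:

```powershell
# Added example, not from the original article: present the CA configuration
# from the registry in human terms. The "Active" value under
# ...\CertSvc\Configuration names the CA key on this server.
$configKey = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration"

function Get-AdcsRegistryConfig {
    $caName = (Get-ItemProperty -Path $configKey -Name Active).Active
    $ca     = Get-ItemProperty -Path (Join-Path $configKey $caName)

    # CACertHash is a multi-string: one SHA-1 thumbprint per CA certificate (a
    # renewal adds an entry). Each one should be in LocalMachine\My with its
    # private key, otherwise the CA cannot sign with that certificate.
    $hashes = @($ca.CACertHash) | ForEach-Object { ($_ -replace "\s", "").ToUpper() }
    $store  = Get-ChildItem Cert:\LocalMachine\My
    $missingKey = $hashes | Where-Object {
        $h = $_
        -not ($store | Where-Object { $_.Thumbprint -eq $h -and $_.HasPrivateKey })
    }

    $caType = switch ($ca.CAType) {
        0       { "Enterprise Root CA" }
        1       { "Enterprise Sub CA" }
        3       { "Standalone Root CA" }
        4       { "Standalone Sub CA" }
        default { "Unknown ($_)" }
    }

    # Values changed with certutil -setreg only take effect after CertSvc is restarted.
    [pscustomobject]@{
        CAName                = $caName
        CommonName            = $ca.CommonName
        CAServerName          = $ca.CAServerName
        CAType                = $caType
        CRLValidity           = "$($ca.CRLPeriodUnits) $($ca.CRLPeriod)"
        CRLOverlap            = "$($ca.CRLOverlapUnits) $($ca.CRLOverlapPeriod)"
        DeltaCRLValidity      = "$($ca.CRLDeltaPeriodUnits) $($ca.CRLDeltaPeriod)"
        IssuedCertValidity    = "$($ca.ValidityPeriodUnits) $($ca.ValidityPeriod)"
        CRLPublicationURLs    = @($ca.CRLPublicationURLs)
        CACertPublicationURLs = @($ca.CACertPublicationURLs)
        DSConfigDN            = $ca.DSConfigDN
        DSDomainDN            = $ca.DSDomainDN
        CACertHashes          = $hashes
        CACertsWithoutKey     = @($missingKey)   # an empty list is the healthy state
    }
}

Get-AdcsRegistryConfig | Format-List
```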
The objective of this part is not to show you all the possibilities of the certutil command but to make you understand that this tool is the best friend of the CA administrator. Many of the settings presented above can be set with this command. For example, registry settings can be set like this:
Certutil -setreg CA\<ValueName> <Data>
Certutil -setreg CA\CRLPeriodUnits 5
Certification Authorities must be protected by a backup. Certutil lets you back up the private key and the database and restore them. Useful after a disaster:
Certutil -backupDB C:\MyBackupFolder
Certutil -backupKey C:\MyBackupFolder
Certutil -restoreDB C:\MyBackupFolder
Certutil -restoreKey C:\MyBackupFolder\CAName.p12
You can also manually publish the CA certificate and the CRL using certutil -dspublish.
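The following PowerShell, added here and not from the original article, wraps the backup commands above into one script that also exports the CertSvc registry key I recommended protecting earlier. The backup root D:\CABackup is an assumption; run it as a CA administrator on the CA server:

```powershell
# Added example, not from the original article: one-step CA backup (database,
# private key and registry configuration) with a SHA-256 manifest.
param(
    [string]$BackupRoot = "D:\CABackup",                # assumed location, adjust it
    [Parameter(Mandatory)][securestring]$KeyPassword    # protects the exported <CAName>.p12
)
$ErrorActionPreference = "Stop"
$target = Join-Path $BackupRoot (Get-Date -Format "yyyyMMdd-HHmm")
$dbDir  = Join-Path $target "Database"
$keyDir = Join-Path $target "Key"
New-Item -ItemType Directory -Path $dbDir, $keyDir -Force | Out-Null

# Lock the folder down before anything sensitive lands in it: the .p12 is the CA key.
& icacls.exe $target /inheritance:r /grant:r "BUILTIN\Administrators:(OI)(CI)F" "NT AUTHORITY\SYSTEM:(OI)(CI)F" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "could not restrict the ACL on $target" }

# certutil -backupKey prompts for the PFX password unless -p supplies it. The
# password is then visible on the certutil command line while it runs, so use
# this interactively, not from a scheduler shared with other administrators.
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($KeyPassword)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

$steps = @(
    @{ Name = "database";    Args = @("-backupDB", $dbDir) },
    @{ Name = "private key"; Args = @("-p", $plain, "-backupKey", $keyDir) }
)
foreach ($step in $steps) {
    $certutilArgs = $step.Args
    & certutil.exe @certutilArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil backup of the $($step.Name) failed (exit code $LASTEXITCODE)" }
}

# The registry key that holds the CA settings, exported next to the data.
$regKey = "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration"
& reg.exe export $regKey (Join-Path $target "CertSvc-Configuration.reg") /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "registry export failed (exit code $LASTEXITCODE)" }

# Manifest with file hashes so a restore can verify the backup was not altered.
Get-ChildItem -Path $target -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash |
    Export-Csv -Path (Join-Path $target "manifest.csv") -NoTypeInformation
Write-Host "CA backup written to $target"
```

Restore uses the same folders with certutil -restoreDB on the Database directory and certutil -restoreKey on the .p12 in the Key directory, after checking the manifest hashes.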
If you have to manage a PKI, I recommend that you look deeper into this tool, which can save your life.