Hello again, this is Greg Blaum. I am a Program Manager on the Windows Server and System Center CAT team. This is part 1 in a four-part series on utilizing Windows PowerShell to automate key functionality in Active Directory Certificate Services (AD CS).
The focus of the series will be on utilizing Active Directory Certificate Services (AD CS) as an Enterprise Certificate Authority, which is tightly integrated with Active Directory Domain Services (AD DS).
This post will begin the series by providing some background on the key concepts of using AD CS. Here is a table of contents for the full series.
Table of Contents
· Part 1: Introduction
· Part 2: Automating Installation of AD CS with Windows PowerShell
· Part 3: Creating Custom Certificate Templates
· Part 4: Automating Certificate Requests with Windows PowerShell
Importance of an Enterprise Certificate Authority
An Enterprise CA is a specific type of certification authority that is tightly integrated with Active Directory Domain Services (AD DS). Because of the tight integration with AD DS, Enterprise CAs can utilize a person’s user account credentials as proof of the user’s identity. For example, when I’m authenticated on our corporate domain and request a user certificate from our Enterprise CA, the CA infrastructure will authenticate my identity in AD DS and utilize that information to determine which type of certificate I may request as well as use my identity as part of the certificate request itself. An Enterprise CA may also leverage AD Security Groups for approving or denying certificate requests.
As a service that is integrated with AD DS, Enterprise CAs also publish certificates and Certificate Revocation Lists (CRLs) to Active Directory. AD CS utilizes Group Policy to propagate its certificate to the Trusted Root Certification Authorities certificate store for all computers and users that participate in the Active Directory domain. For issuance of certificates, an Enterprise CA will leverage certificate templates. A typical installation of AD CS as an Enterprise CA will install a number of common certificate templates (such as Web Server, IPSec, Exchange User, & Exchange Signature Only), and an AD CS administrator may customize certificate templates or create new ones. Creation of custom certificate templates will be one of the topics in this blog series.
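As an added example (not code from the original post), the following Windows PowerShell checks the two things this section describes from the point of view of a domain member: whether the Enterprise CA's certificate has actually reached the local Trusted Root (or Intermediate) store, and which Enterprise CAs are registered in AD DS along with the certificate templates each one is configured to issue. The CA common name "Contoso-Issuing-CA" is a placeholder, and the script assumes the ActiveDirectory and PKI modules are available and the session can read the Configuration partition.

```powershell
# Added example, not from the original post. Verify Enterprise CA trust
# distribution and template publication from a domain-joined machine.
# Placeholder: replace with the common name of your Enterprise CA.
$caCommonName = 'Contoso-Issuing-CA'

# 1. Has the CA certificate been propagated to this machine?
#    Enterprise root CAs land in Trusted Root (Cert:\LocalMachine\Root);
#    Enterprise subordinate CAs land in Intermediate CAs (Cert:\LocalMachine\CA).
$caCert = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -like "CN=$caCommonName*" }

if (-not $caCert) {
    Write-Warning "No certificate for '$caCommonName' in the Root or CA store. " +
                  "Run 'gpupdate /force' and check the CA's publishing settings."
} else {
    $caCert | Select-Object PSParentPath, Subject, Thumbprint, NotAfter
}

# 2. Which Enterprise CAs are registered in AD DS, and which templates
#    does each one issue? Enrollment Services objects live in the
#    Configuration partition; 'certificateTemplates' lists issuable templates.
$configNC    = (Get-ADRootDSE).configurationNamingContext
$caContainer = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

Get-ADObject -SearchBase $caContainer `
             -Filter 'objectClass -eq "pKIEnrollmentService"' `
             -Properties dNSHostName, certificateTemplates |
    Select-Object Name, dNSHostName,
        @{ Name = 'Templates'; Expression = { $_.certificateTemplates -join ', ' } }
```

A CA that appears in step 2 but whose certificate is missing in step 1 is the usual sign that Group Policy has not yet applied on the client, so run this check before troubleshooting any individual certificate request.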
Utilizing certificate templates with an Enterprise CA will provide the following key functionality:
Functionality that leverages Active Directory Certificate Services
Many features and roles in Windows Server, System Center, and other Microsoft products may utilize Active Directory Certificate Services in some manner. AD CS may be used to enhance security for services, devices, or user accounts. The following is a non-exhaustive list of some services that can take advantage of Active Directory Certificate Services. Many of these services can utilize Secure Sockets Layer/Transport Layer Security (SSL/TLS).
Need for Automating Installation and Consumption of Active Directory Certificate Services
Due to the need for enhanced security services and the wide range of features and roles that may utilize Active Directory Certificate Services (AD CS), it is extremely beneficial to have the means to automate both the installation of AD CS and the consumption of AD CS services. Given the broad range of potential types of certificates that may be needed by Windows Server features and roles, examples of how to leverage Windows PowerShell to request and install the appropriate certificates as part of some role installations will be provided in this blog series. Stay tuned for Part 2 in this series coming soon.
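To show what "consumption of AD CS services" looks like when automated, here is an added example (not code from the original post, and not the method the later parts of the series present) that requests a certificate from the Enterprise CA through a certificate template and then verifies the result. The template name "ContosoWebServer", the host name web01.contoso.com, and the requirement that the machine account hold Enroll permission on that template are all assumptions; the Get-Certificate cmdlet comes from the PKI module shipped with Windows Server 2012 and later.

```powershell
# Added example, not from the original post. Request a certificate via
# an Enterprise CA template and verify the issued certificate chains.
$template = 'ContosoWebServer'      # placeholder: name of a template the CA issues
$dnsName  = 'web01.contoso.com'     # placeholder: subject / SAN for this host

# Get-Certificate locates an Enterprise CA through AD DS enrollment policy;
# the CA authenticates the caller and applies the template's settings.
# Run elevated so the key and certificate land in the machine store.
$result = Get-Certificate -Template $template -DnsName $dnsName `
                          -CertStoreLocation Cert:\LocalMachine\My

switch ($result.Status) {
    'Issued' {
        $cert = $result.Certificate
        "Issued: $($cert.Subject) thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"

        # Confirm the chain builds to a trusted root and that revocation
        # information (CRL/OCSP) is reachable from this machine.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        if ($chain.Build($cert)) {
            'Chain verified, revocation status checked.'
        } else {
            $chain.ChainStatus | ForEach-Object {
                Write-Warning "$($_.Status): $($_.StatusInformation)"
            }
        }
    }
    'Pending' {
        # The template requires CA manager approval. The pending request is
        # kept in the REQUEST store; retrieve it once approved with:
        #   Get-Certificate -Request $result.Request
        'Request pending CA manager approval.'
    }
    default {
        Write-Warning "Enrollment did not succeed: $($result.Status)"
    }
}
```

The chain check is the part most scripts omit: a certificate can be issued correctly and still fail in production because the client cannot reach the CRL distribution point, so failing the script here surfaces that problem at deployment time.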
Links for more information on Active Directory Certificate Services
Hi Greg, do you guys have any ETA on when you plan on publishing the remainder of the posts in this series? Thank you for choosing to write more about certificates, since while not much of it has changed since Server 2003, I've found that it's still a bit tricky to get running correctly in a two-tier setup.
Personally, I thought that after following the TechNet guides I had a decent understanding, but it didn't turn out that way. My issuing servers needed their certs renewed, the CRLs needed to be refreshed from the root, and somehow when trying to do these things and extend the expiration date of the certs, I can't recall what the error was, but I seem to remember it being something about losing synchronization with the order of the certs.
Needless to say, I need to yank everything out and redo it all, so a new guide would be wonderful!
Waiting patiently for Part 4! Looking for methods to populate an offline request custom template with custom data.