Enterprise Certificate Authority question

Archived from groups: microsoft.public.win2000.security

Hi,

sorry to put a dumbass question up here but I have had a good look around
(imo) and I can't find information explaining
certificates/certification authority in active directory.
My questions are thus :-

What is a certification authority - what purpose does it serve?

Do you need one in AD?

What is the basic structure?

All the info I can find is regarding troubleshooting it but I cannot
find info relating to a top-down explanation of it as per my
questions, and would really appreciate some help on this one, even if
it's just redirection to useful info out there on the web.
Or if some clever bugger wants to flex their intellect and has a bit
of time I'd find it really handy please...
Thx.

ps the reason why I need to find out is because when I "view
containers" under the enterprisePKI snap-in that comes with the 2k3
res kit and look at the CDP container tab my base crl certificate has
failed and expired, which could explain a few event log errors we've
been getting.
  1.

    Just to add that certificates are commonly used for EFS file encryption,
    though a CA does NOT have to be available, smart cards, VPN using l2tp for
    machine authentication, software signing, and email encryption and signing.
    Though you commonly hear the term certificates, there are actually two types
    of keys used in PKI - public and private. When a CA generates a certificate
    that pair of keys is generated. The certificate as commonly referred to is
    the "public" key which can be distributed freely to anyone while the private
    key is sensitive and must be secured. The keypair is generated such that data
    can be encrypted by the public key and ONLY the private key can decrypt the
    data, or the private key can be used for digital signatures and only the public
    key can decrypt the signature. This can be used to encrypt data including
    ssl for websites, decrypt data, make sure that the source of an email is
    authentic, verify the publisher of a software package, used for computer
    and user authentication, etc. Another important element of certificates is
    trust in that a certificate from a CA will not be trusted unless the
    certificate of the CA is in the trusted root store of the users computer to
    prevent a computer/user from accepting any old certificate issued. For
    example you can open Internet Explorer and go to tools/internet
    options/content/certificates/trusted root to see the CAs that your computer
    trusts. The link below may help you understand this a bit more. --- Steve

    http://www.oreillynet.com/pub/a/security/2004/09/23/vpns_and_pki.html?page=2
    -- PKI brief example of use.

    "T0GGLe" <jehova1@dsl.pipex.com> wrote in message
    news:5a657c10.0410120807.d0e5c87@posting.google.com...
    > Hi,
    >
    > sorry to put a dumbass question up here but I have had a good look around
    > (imo) and I can't find information explaining
    > certificates/certification authority in active directory.
    > My questions are thus :-
    >
    > What is a certification authority - what purpose does it serve?
    >
    > Do you need one in AD?
    >
    > What is the basic structure?
    >
    > All the info I can find is regarding troubleshooting it but I cannot
    > find info relating to a top-down explanation of it as per my
    > questions, and would really appreciate some help on this one, even if
    > it's just redirection to useful info out there on the web.
    > Or if some clever bugger wants to flex their intellect and has a bit
    > of time I'd find it really handy please...
    > Thx.
    >
    > ps the reason why I need to find out is because when I "view
    > containers" under the enterprisePKI snap-in that comes with the 2k3
    > res kit and look at the CDP container tab my base crl certificate has
    > failed and expired, which could explain a few event log errors we've
    > been getting.
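    The two points Steve makes above (encrypt with the public key, decrypt only with the private key; sign with the private key, verify with the public key; and a certificate is only trusted when its CA sits in a trusted root store) can be watched happening from a PowerShell prompt. The script below is an added example, not code from the thread or from Microsoft; it assumes PowerShell 7 (.NET 6 or later) and builds everything in memory, so nothing is written to the machine's certificate stores. The key pair, the CA and server names and the sample message are all constructed for the demonstration.

```powershell
# Added example (not from the original thread): the public/private key roles and the
# root-trust rule, using .NET classes from PowerShell 7 (.NET 6 or later assumed).
# Subject names and the sample message are made up for the demonstration.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates
using namespace System.Text

function Show-KeyPairRoles {
    # One key pair, plus a second RSA object holding only the public half,
    # which is what a certificate hands out to the world.
    $private = [RSA]::Create(2048)
    $public  = [RSA]::Create()
    $public.ImportParameters($private.ExportParameters($false))   # $false: public parameters only

    $message = [Encoding]::UTF8.GetBytes('constructed sample: budget figures for Q4')

    # Encryption: anyone holding the public key can encrypt; only the private key decrypts.
    $cipher = $public.Encrypt($message, [RSAEncryptionPadding]::OaepSHA256)
    $plain  = [Encoding]::UTF8.GetString($private.Decrypt($cipher, [RSAEncryptionPadding]::OaepSHA256))
    "decrypted with private key   : $plain"
    try {
        $null = $public.Decrypt($cipher, [RSAEncryptionPadding]::OaepSHA256)
    } catch {
        "decrypt with public key only : failed as expected ($($_.Exception.Message))"
    }

    # Signing: only the private key produces a signature; the public key verifies it,
    # and any change to the signed data makes verification fail.
    $signature = $private.SignData($message, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $tampered  = [Encoding]::UTF8.GetBytes('constructed sample: budget figures for Q3')
    "signature verifies (original): $($public.VerifyData($message,  $signature, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1))"
    "signature verifies (tampered): $($public.VerifyData($tampered, $signature, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1))"
}

function Show-RootTrust {
    # A two-level hierarchy built in memory: a root CA and one server certificate it issued.
    $notBefore = [DateTimeOffset]::UtcNow.AddDays(-1)

    $caKey = [RSA]::Create(2048)
    $caReq = [CertificateRequest]::new('CN=Constructed Example Root CA', $caKey, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $caReq.CertificateExtensions.Add([X509BasicConstraintsExtension]::new($true, $false, 0, $true))   # CA = true
    $caReq.CertificateExtensions.Add([X509SubjectKeyIdentifierExtension]::new($caReq.PublicKey, $false))
    $caCert = $caReq.CreateSelfSigned($notBefore, $notBefore.AddYears(5))

    $leafKey = [RSA]::Create(2048)
    $leafReq = [CertificateRequest]::new('CN=dc01.example.invalid', $leafKey, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $leafReq.CertificateExtensions.Add([X509BasicConstraintsExtension]::new($false, $false, 0, $false))
    $serial   = [RandomNumberGenerator]::GetBytes(8)
    $leafCert = $leafReq.Create($caCert, $notBefore, $notBefore.AddYears(1), $serial)   # signed by the CA's private key

    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck   # this toy CA publishes no CRL
    $null = $chain.ChainPolicy.ExtraStore.Add($caCert)                  # lets the chain locate the issuer

    # First attempt: the CA is in no trusted root store, so the chain is rejected (UntrustedRoot).
    $ok = $chain.Build($leafCert)
    "chain valid before trusting the CA: $ok ($(($chain.ChainStatus | ForEach-Object Status) -join ', '))"

    # Trust the CA explicitly: an in-memory equivalent of placing it in Trusted Root.
    $chain.ChainPolicy.TrustMode = [X509ChainTrustMode]::CustomRootTrust
    $null = $chain.ChainPolicy.CustomTrustStore.Add($caCert)
    $ok = $chain.Build($leafCert)
    "chain valid after trusting the CA : $ok"
}

Show-KeyPairRoles
Show-RootTrust
```

    CustomRootTrust is used rather than importing the constructed CA into Cert:\LocalMachine\Root, so the run leaves no trust decision behind on the machine; on a production box the equivalent of that second Build is exactly what putting a CA certificate into the Trusted Root store does for every certificate it has ever issued.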
  2.

    Hi,

    A Certificate Authority (CA) is a service that comes with Windows 2000 or
    Windows 2003 (with Windows NT it was an add-on from the Option Pack)... It
    is a service that provides certificates to users, computers and services.
    A company usually decides to set up its own CA when it needs to protect
    its resources (network communication, access to files, ...) but doesn't
    want to use third-party commercial CA agencies (using commercial CA
    agencies usually involves high cost if the company has a high number of
    employees that would require such certificates). Still, there is nothing
    stopping you from using your own CA set up on a Windows server to securely
    share resources with the outside world (e.g. business partners)...

    You have a few installation options. One option (standalone CA setup) doesn't
    require a domain. The other option (enterprise CA setup) requires a domain
    (Active Directory). You can then combine a standalone CA (usually not
    connected to the network) and a subordinate enterprise CA that is connected to
    the network (it needs to access AD)... On this subordinate CA server all
    user (and other) certificates are issued...

    Here are some white papers on Microsoft PKI based on Windows 2003 server...

    New features:
    http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
    Operations guide:
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
    Managing PKI:
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
    Best Practices:
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
    Auto-Enrollment:
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx
    Certificate templates -
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
    Key archival -
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/kyacws03.mspx
    Advanced certificate enrollment:
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
    web enrollment:
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx
    EFS:
    http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
    CRLS: http://www.microsoft.com/technet/security/topics/crypto/tshtcrl.mspx

    Mike

    "T0GGLe" <jehova1@dsl.pipex.com> wrote in message
    news:5a657c10.0410120807.d0e5c87@posting.google.com...
    > Hi,
    >
    > sorry to put a dumbass question up here but I have had a good look around
    > (imo) and I can't find information explaining
    > certificates/certification authority in active directory.
    > My questions are thus :-
    >
    > What is a certification authority - what purpose does it serve?
    >
    > Do you need one in AD?
    >
    > What is the basic structure?
    >
    > All the info I can find is regarding troubleshooting it but I cannot
    > find info relating to a top-down explanation of it as per my
    > questions, and would really appreciate some help on this one, even if
    > it's just redirection to useful info out there on the web.
    > Or if some clever bugger wants to flex their intellect and has a bit
    > of time I'd find it really handy please...
    > Thx.
    >
    > ps the reason why I need to find out is because when I "view
    > containers" under the enterprisePKI snap-in that comes with the 2k3
    > res kit and look at the CDP container tab my base crl certificate has
    > failed and expired, which could explain a few event log errors we've
    > been getting.
  3.

    Thanks very much to the pair of you.

    I am trawling through that info to try to find answers, but do you
    know if active directory actually REQUIRES the issuing of
    certificates? It's just that someone else set up our AD and the more
    and more I look into it the more problems and diversions from best
    practice I keep finding. Not that in this case the person in question
    was doing something wrong, perhaps they were looking for extra
    security, but when the KDC starts complaining that its certificate is
    now invalid it's got us wondering what on earth is going on and what
    ramifications that has.

    Cheers again.
  4.

    Sorry, one other thing - if I think I might have a CA server, what's the
    best way to find it when you've got over 100 servers and at least half
    of those are domain controllers?

    Thx.


    :)
  5.

    Hi,

    Active Directory does not require a CA service. It can function very well
    without it.

    If you set up an enterprise CA (a CA service that integrates with Active
    Directory), domain controllers will request a certificate to secure
    communication (this is done automatically).

    If such certificates were issued to domain controllers, you should be able
    to delete them without any problems... To do this, or to check whether domain
    controllers were issued certificates, open the Certificate MMC and select
    the computer account on the domain controller... Expand the Personal container and
    Certificates... Are there any listed? If so, and if you want to remove them,
    select them and click Delete. You will have to do this on each domain
    controller in your domain or forest.

    Mike

    "T0GGLe" <jehova1@dsl.pipex.com> wrote in message
    news:5a657c10.0410130100.10ffe890@posting.google.com...
    > Thanks very much to the pair of you.
    >
    > I am trawling through that info to try to find answers, but do you
    > know if active directory actually REQUIRES the issuing of
    > certificates? It's just that someone else set up our AD and the more
    > and more I look into it the more problems and diversions from best
    > practice I keep finding. Not that in this case the person in question
    > was doing something wrong, perhaps they were looking for extra
    > security, but when the KDC starts complaining that its certificate is
    > now invalid it's got us wondering what on earth is going on and what
    > ramifications that has.
    >
    > Cheers again.
  6.

    To check whether you have a certificate server, check whether a domain controller has a
    certificate. If it does, open it, click on Details and look for the field
    called CRL Distribution Point. Look for a URL (e.g. http://server.domain.com/).
    This should tell you the name of the server.

    http://freeweb.siol.net/mpihler/crl.jpg

    Another option is to open the Sites and Services MMC (e.g. on a domain
    controller). Make sure that you have enabled "View Services Node". To enable
    it, click on the Active Directory Sites and Services text, click on View and
    then "Show Services Node".

    Now drill down under Services -> Public Key Services -> Certification
    Authorities. See if anything is listed in the right pane...

    This will only show you whether the enterprise version of the CA was set up...

    Mike

    "T0GGLe" <jehova1@dsl.pipex.com> wrote in message
    news:5a657c10.0410130124.38e07841@posting.google.com...
    > Sorry, one other thing - if I think I might have a CA server, what's the
    > best way to find it when you've got over 100 servers and at least half
    > of those are domain controllers?
    >
    > Thx.
    >
    >
    > :)
  7.

    In article <#NRhQ7QsEHA.160@TK2MSFTNGP11.phx.gbl>, in the
    microsoft.public.win2000.security news group, Miha Pihler <mihap-
    news@atlantis.si> says...

    > To check if you have a certificate server. Check if domain controller has a
    > certificate. If it does open it and click on Details and look for field
    > called CRL Distribution Point. Look for URL (e.g. http://server.domain.com/)
    > This should tell you the name of the server.
    >

    Actually no, this is not a reliable way to determine which server is
    functioning as a CA since the CDP and AIA paths in issued certificates
    can be set to any location you desire. There is no requirement that
    these be hosted on the actual CA.

    --
    Paul Adare
    This posting is provided "AS IS" with no warranties, and confers no
    rights.
  8.

    <snip>

    > > To check if you have a certificate server. Check if domain controller has a
    > > certificate. If it does open it and click on Details and look for field
    > > called CRL Distribution Point. Look for URL (e.g. http://server.domain.com/)
    > > This should tell you the name of the server.
    > >
    >
    > Actually no, this is not a reliable way to determine which server is
    > functioning as a CA since the CDP and AIA paths in issued certificates
    > can be set to any location you desire. There is no requirement that
    > these be hosted on the actual CA.

    I know Paul.

    That is why I provided the second option. I guess I should add under first
    option "If nothing was changed -- default installation"...

    Mike

    <snip>
  9.

    Active Directory does not require the use of a Certificate Authority. Mike
    already gave some ways to find the CA, and you also might want to look in AD
    Users and Computers for membership of the Cert Publishers group, which may
    not be 100 percent correct if someone added or removed servers from it but
    is still a place to check. However, problems with certificates can cause
    problems if their use is required.

    I would look in the MMC certificates snap-in for computers on the server
    giving you the error messages to see what certificates the DC has been
    issued and the purposes in their properties. It will of course have a domain
    controller certificate. Check the valid from date on the certificates to see
    if any have expired. If they have, you can request a new certificate or renew
    it by right-clicking the certificate and selecting All Tasks. Domain
    controllers will use their certificate for SSL LDAP if valid.

    Another possibility is that someone set the domain controllers up to use
    IPsec with certificate machine authentication for communications among
    themselves. You could use the support tool netdiag as in " netdiag
    /test:ipsec " to see if there is an IPsec policy assigned to the domain
    controller. If there is, as long as it is not a "require" policy,
    communications among computers in that IPsec policy will still work. If
    everything functions correctly you can ignore the errors or delete the
    certificates if you no longer want to use them.

    I would however run the support tool dcdiag on the domain controller in
    question to make sure that it is functioning correctly as a domain
    controller and communicating/replicating with other domain controllers.
    Support tools are on the install disk in the support/tools folder, where you
    will need to run the setup program to install them as a set. Note that you
    can use the MMC certificates snap-in to manage/view computer certificates of
    remote computers as long as you have admin rights on the target computer. -- Steve


    "T0GGLe" <jehova1@dsl.pipex.com> wrote in message
    news:5a657c10.0410130100.10ffe890@posting.google.com...
    > Thanks very much to the pair of you.
    >
    > I am trawling through that info to try to find answers, but do you
    > know if active directory actually REQUIRES the issuing of
    > certificates? It's just that someone else set up our AD and the more
    > and more I look into it the more problems and diversions from best
    > practice I keep finding. Not that in this case the person in question
    > was doing something wrong, perhaps they were looking for extra
    > security, but when the KDC starts complaining that its certificate is
    > now invalid it's got us wondering what on earth is going on and what
    > ramifications that has.
    >
    > Cheers again.
  10.

    inline...
    In article <ufp9pRRsEHA.2688@TK2MSFTNGP14.phx.gbl>, mihap-
    news@atlantis.si says...
    > <snip>
    >
    > > > To check if you have a certificate server. Check if domain controller has a
    > > > certificate. If it does open it and click on Details and look for field
    > > > called CRL Distribution Point. Look for URL (e.g. http://server.domain.com/)
    > > > This should tell you the name of the server.
    > > >
    > >
    > > Actually no, this is not a reliable way to determine which server is
    > > functioning as a CA since the CDP and AIA paths in issued certificates
    > > can be set to any location you desire. There is no requirement that
    > > these be hosted on the actual CA.
    >
    > I know Paul.
    >
    > That is why I provided the second option. I guess I should add under first
    > option "If nothing was changed -- default installation"...
    Ewwww.. Default installation.... Translation= Destined for failure <G>
    Bri
    >
    > Mike
    >
    > <snip>
  11.

    > Ewwww.. Default installation.... Translation= Destined for failure <G>
    > Bri

    :-) Agree.

    Unfortunately the majority of Microsoft CA servers that I have seen around here
    were set up as default ... :-\

    Mike
  12.

    Thanks once again everyone for your help. I know it must be a bit
    frustrating talking to a CA noob and you didn't have to post so
    thanks.

    I'm working my way through all the info you have provided and comments
    you have made to make sense of the setup on our network.

    It appears that there is no CA server on our network as every server
    that I go on does not have the CA authority service installed. In
    terms of the "http path" in the details tab of the certificate details
    described in an earlier post, all the servers that have certificates
    point to one particular server...but this server does not have CA
    installed. Also, when I go into Sites and Services, enable "services
    node" (thx, didn't even know about this!) and drill down this is what I
    see:-

    NAME TYPE
    namedCA certification authority

    and that's all

    Now this would be great if "namedCA" ["named" is actually our company
    name but I've removed it for the post] was actually a server but it's
    not. What it is though is the same name that all the certificates that
    these domain controllers have (could just be chance - ie same naming
    convention). I was kinda expecting to see the name of the server that
    was being used as the CA server or nothing
    at all so was surprised to see this there.
    Properties of this object give no details at all.

    Any suggestions?

    Ta.
  13.

    Check Active Directory Users and Groups to find the membership of the Cert
    Publishers group which would show the actual server names of computers that
    may be a CA. If you do not have any server in the domain with the
    Certificate Services service running as shown in services.msc then you don't
    have an active CA on your network for some reason. You could try to install
    a new Enterprise Root CA if you want but the process may balk if Active
    Directory thinks there is still an Enterprise CA in the domain. If that
    happens I am not sure what the best way to clean up the metadata but see the
    link below for advice if that happens and for additional info that may be
    helpful. --- Steve

    http://support.microsoft.com/default.aspx?scid=kb;en-us;555151

    "T0GGLe" <jehova1@dsl.pipex.com> wrote in message
    news:5a657c10.0410150249.2e05880d@posting.google.com...
    > Thanks once again everyone for your help. I know it must be a bit
    > frustrating talking to a CA noob and you didn't have to post so
    > thanks.
    >
    > I'm working my way through all the info you have provided and comments
    > you have made to make sense of the setup on our network.
    >
    > It appears that there is no CA server on our network as every server
    > that I go on does not have the CA authority service installed. In
    > terms of the "http path" in the details tab of the certificate details
    > described in an earlier post, all the servers that have certificates
    > point to one particular server...but this server does not have CA
    > installed. Also, when I go into Sites and Services, enable "services
    > node" (thx, didn't even know about this!) and drill down this is what I
    > see:-
    >
    > NAME TYPE
    > namedCA certification authority
    >
    > and that's all
    >
    > Now this would be great if "namedCA" ["named" is actually our company
    > name but I've removed it for the post] was actually a server but it's
    > not. What it is though is the same name that all the certificates that
    > these domain controllers have (could just be chance - ie same naming
    > convention). I was kinda expecting to see the name of the server that
    > was being used as the CA server or nothing
    > at all so was surprised to see this there.
    > Properties of this object give no details at all.
    >
    > Any suggestions?
    >
    > Ta.
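    The checks suggested in this thread for locating a CA (the CDP URL in a domain controller's certificate, the Public Key Services container in AD Sites and Services, the Cert Publishers group, and whether Certificate Services is actually running anywhere) can be scripted so that they are run once against the whole domain instead of server by server. The script below is an added example, not from the thread or from Microsoft; it assumes Windows PowerShell 5.1 on a domain-joined machine whose account can read the Configuration partition and query services on remote hosts. It goes one step further than Mike's walkthrough: the Enrollment Services container next to Certification Authorities records the host name of each enterprise CA, which is the detail T0GGLe could not see in the Certification Authorities container. All function names are mine; the server names it prints are whatever your directory returns.

```powershell
# Added example (not from the original thread): script the CA-discovery checks
# discussed above. Assumes Windows PowerShell 5.1 on a domain-joined machine.
# All function names are invented for this example.

function Get-AdCertificationAuthority {
    # AD Sites and Services -> Services -> Public Key Services -> Certification
    # Authorities lists only the CA *name*. The sibling Enrollment Services
    # container holds one pKIEnrollmentService object per enterprise CA, and that
    # object carries the DNS host name of the server the CA was installed on.
    $cfg = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $searcher = New-Object DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfg"
    $searcher.Filter = '(objectClass=pKIEnrollmentService)'
    try {
        foreach ($r in $searcher.FindAll()) {
            [pscustomobject]@{
                CAName = [string]$r.Properties['cn'][0]
                Host   = [string]$r.Properties['dnshostname'][0]
            }
        }
    } catch {
        Write-Warning "Enrollment Services container not readable or absent: no enterprise CA is registered in AD ($($_.Exception.Message))"
    }
}

function Get-CertPublishersMember {
    # Members of the caller's domain Cert Publishers group (distinguished names).
    # Membership is maintained by CA setup, so it is a hint, not proof, as Steve notes.
    $searcher = New-Object DirectoryServices.DirectorySearcher '(&(objectClass=group)(cn=Cert Publishers))'
    $group = $searcher.FindOne()
    if ($null -eq $group) { return }
    foreach ($dn in $group.Properties['member']) { [string]$dn }
}

function Test-CertSvc {
    param([string[]]$ComputerName)
    # Certificate Services appears in services.msc under the service name CertSvc.
    # A server that is not reachable is reported as unknown rather than as "not a CA".
    foreach ($c in $ComputerName) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='CertSvc'" -ComputerName $c -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer         = $c
            CertSvcInstalled = [bool]$svc
            State            = $(if ($svc) { $svc.State } elseif ($?) { 'not installed' } else { 'unknown (query failed)' })
        }
    }
}

function Get-MachineCertificateStatus {
    # Run on the domain controller itself (or through Invoke-Command): every certificate
    # in the computer's Personal store, with expiry and the CRL Distribution Point URLs
    # that the thread's first method reads off the Details tab by hand.
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $cdp  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }   # CRL Distribution Points
        $urls = if ($cdp) { [regex]::Matches($cdp.Format($true), '(?:http|ldap|file)://\S+') | ForEach-Object Value } else { @() }
        [pscustomobject]@{
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
            Expired  = $cert.NotAfter -lt (Get-Date)
            CDP      = $urls -join ' ; '
        }
    }
}

# Usage: run from any domain member; the last call only makes sense on a DC.
$cas = @(Get-AdCertificationAuthority)
'--- Enterprise CAs registered in AD ---'; $cas | Format-Table -AutoSize
'--- Cert Publishers members ---';        Get-CertPublishersMember
if ($cas.Count -gt 0) {
    '--- CertSvc on the registered CA hosts ---'
    Test-CertSvc -ComputerName $cas.Host | Format-Table -AutoSize
}
'--- Certificates in this computer''s Personal store ---'
Get-MachineCertificateStatus | Format-Table -AutoSize
```

    If Get-AdCertificationAuthority returns a CA name with a host that no longer exists, or Test-CertSvc shows CertSvc absent on every listed host while Get-MachineCertificateStatus still shows certificates issued by that CA, the domain is in the state described in this thread: AD remembers a CA that is gone, and the certificates it issued will keep expiring with no way to renew them. Those registrations are the "metadata" Steve's KB link addresses; deciding what to delete is a separate step from finding it.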
  14.

    Hi,

    there are no members of the cert publishers group - it's completely
    blank.

    I think that I am going to strip out certificates from all servers as
    per the link you supplied below.

    Thanks very much for all the advice again people and I'll let you know
    how it goes. I'm just worried about breaking AD, you know - breaking
    the servers' ability to chat to each other - but if I follow that
    doc to the letter then hopefully it'll go ok. It's not difficult to
    follow and if it does what it says on the tin then I should be ok.
    You've confirmed to me that AD does not actually require a certificate
    server in order to work, it's just an extra layer of security that you
    can use so I'm going to do it.

    Cheers

    Togs.


    "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message news:<xSYbd.133833$He1.35560@attbi_s01>...
    > Check Active Directory Users and Groups to find the membership of the Cert
    > Publishers group which would show the actual server names of computers that
    > may be a CA. If you do not have any server in the domain with the
    > Certificate Services service running as shown in services.msc then you don't
    > have an active CA on your network for some reason. You could try to install
    > a new Enterprise Root CA if you want but the process may balk if Active
    > Directory thinks there is still an Enterprise CA in the domain. If that
    > happens I am not sure what the best way to clean up the metadata but see the
    > link below for advice if that happens and for additional info that may be
    > helpful. --- Steve
    >
    > http://support.microsoft.com/default.aspx?scid=kb;en-us;555151
    >
    > "T0GGLe" <jehova1@dsl.pipex.com> wrote in message
    > news:5a657c10.0410150249.2e05880d@posting.google.com...
    > > Thanks once again everyone for your help. I know it must be a bit
    > > frustrating talking to a CA noob and you didn't have to post so
    > > thanks.
    > >
    > > I'm working my way through all the info you have provided and comments
    > > you have made to make sense of the setup on our network.
    > >
    > > It appears that there is no CA server on our network as every server
    > > that I go on does not have the CA authority service installed. In
    > > terms of the "http path" in the details tab of the certificate details
    > > described in an earlier post, all the servers that have certificates
    > > point to one particular server...but this server does not have CA
    > > installed. Also, when I go into Sites and Services, enable "services
    > > node" (thx, didn't even know about this!) and drill down this is what I
    > > see:-
    > >
    > > NAME TYPE
    > > namedCA certification authority
    > >
    > > and that's all
    > >
    > > Now this would be great if "namedCA" ["named" is actually our company
    > > name but I've removed it for the post] was actually a server but it's
    > > not. What it is though is the same name that all the certificates that
    > > these domain controllers have (could just be chance - ie same naming
    > > convention). I was kinda expecting to see the name of the server that
    > > was being used as the CA server or nothing
    > > at all so was surprised to see this there.
    > > Properties of this object give no details at all.
    > >
    > > Any suggestions?
    > >
    > > Ta.
  15.

    Sounds good.

    I am very confident you will not have a problem. However best practice would
    be to try removing the certificates on one domain controller first - not the
    pdc fsmo or such, exporting them to a .pfx file [if the private keys are
    exportable], back up the System State also and waiting a day or so and then
    looking in Event Viewer to see if any problems are recorded. Then make a
    change in Active Directory such as creating a new user on a different domain
    controller and see if it replicates to the domain controller you removed the
    certificates from. Even though I am confident I have learned in the past to
    have a backup plan just in case. Usually such a plan takes little time, but
    can save a ton of grief just in case things don't go according to plan. Good
    luck. --- Steve


    "T0GGLe" <erectmember@gmail.com> wrote in message
    news:dc6e2dd4.0411050411.4ef939f3@posting.google.com...
    > Hi,
    >
    > there are no members of the cert publishers group - it's completely
    > blank.
    >
    > I think that I am going to strip out certificates from all servers as
    > per the link you supplied below.
    >
    > Thanks very much for all the advice again people and I'll let you know
    > how it goes. I'm just worried about breaking AD, you know - breaking
    > the servers' ability to chat to each other - but if I follow that
    > doc to the letter then hopefully it'll go ok. It's not difficult to
    > follow and if it does what it says on the tin then I should be ok.
    > You've confirmed to me that AD does not actually require a certificate
    > server in order to work, it's just an extra layer of security that you
    > can use so I'm going to do it.
    >
    > Cheers
    >
    > Togs.
    >
    >
    > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    > news:<xSYbd.133833$He1.35560@attbi_s01>...
    >> Check Active Directory Users and Groups to find the membership of the
    >> Cert
    >> Publishers group which would show the actual server names of computers
    >> that
    >> may be a CA. If you do not have any server in the domain with the
    >> Certificate Services service running as shown in services.msc then you
    >> don't
    >> have an active CA on your network for some reason. You could try to
    >> install
    >> a new Enterprise Root CA if you want but the process may balk if Active
    >> Directory thinks there is still an Enterprise CA in the domain. If that
    >> happens I am not sure what the best way to clean up the metadata but see
    >> the
    >> link below for advice if that happens and for additional info that may be
    >> helpful. --- Steve
    >>
    >> http://support.microsoft.com/default.aspx?scid=kb;en-us;555151
    >>
    >> "T0GGLe" <jehova1@dsl.pipex.com> wrote in message
    >> news:5a657c10.0410150249.2e05880d@posting.google.com...
    >> > Thanks once again everyone for your help. I know it must be a bit
    >> > frustrating talking to a CA noob and you didn't have to post so
    >> > thanks.
    >> >
    >> > I'm working my way through all the info you have provided and comments
    >> > you have made to make sense of the setup on our network.
    >> >
    >> > It appears that there is no CA server on our network as every server
    >> > that I go on does not have the CA authority service installed. In
    >> > terms of the "http path" in the details tab of the certificate details
    >> > described in an earlier post, all the servers that have certificates
    >> > point to one particular server...but this server does not have CA
    >> > installed. Also, when I go into Sites and Services, enable "services
    >> > node" (thx, didn't even know about this!) and drill down this is what I
    >> > see:-
    >> >
    >> > NAME TYPE
    >> > namedCA certification authority
    >> >
    >> > and that's all
    >> >
    >> > Now this would be great if "namedCA" ["named" is actually our company
    >> > name but I've removed it for the post] was actually a server but it's
    >> > not. What it is though is the same name that all the certificates that
    >> > these domain controllers have (could just be chance - ie same naming
    >> > convention). I was kinda expecting to see the name of the server that
    >> > was being used as the CA server or nothing
    >> > at all so was surprised to see this there.
    >> > Properties of this object give no details at all.
    >> >
    >> > Any suggestions?
    >> >
    >> > Ta.