Windows AD Certificate Services Family---Deployment and Management certificate templates (1)

Source: Internet
Author: User
Tags: cas

A certificate is a small block of data that carries information about its own subject. This data can include the subject's email address and name, the certificate's usage type, its expiration date, and the AIA and CDP location URLs. A certificate is also associated with a key pair; the private and public keys of the pair are used for authentication, digital signing, and encryption. A key pair used with a certificate has the following properties:

    1. Content encrypted with the public key can only be decrypted with the private key

    2. Content encrypted with the private key can only be decrypted with the public key

    3. Each key pair is unique; no other key has the same relationship with either key of the pair

    4. Within a reasonable time, the private key cannot be derived from the public key, and vice versa

During enrollment, the key pair is generated on the client, and the public key is sent to the CA in a certificate signing request. The CA validates the request, signs a certificate containing the submitted public key with the CA's private key, and returns the signed certificate to the requester. This process ensures that the private key never leaves the system (or smart card) on which it was generated, and because the certificate is signed by the CA, anyone who trusts the CA can trust the certificate. A certificate therefore provides a mechanism for binding a public key to the identity of the entity that holds the corresponding private key.

We can think of a certificate as a driver's license. Many companies accept a driver's license as a form of identification because the issuer of the license is trustworthy: the company understands the process a person must go through to obtain a license, so it trusts that the identity printed on the license belongs to the person presenting it. The license is therefore accepted as valid identification, and certificate trust is built in the same way.


Certificate Templates

Certificate templates allow administrators to customize the way certificates are issued, define certificate purposes, and control who may use each template through the permissions assigned to it. Administrators can create templates and then quickly deploy them across the enterprise with the built-in GUI or command-line management tools.

The DACL (Discretionary Access Control List) attached to each template defines which security principals have permission to read and configure the template, and which security principals can enroll or autoenroll for certificates based on it. Certificate templates and their permissions are defined in the AD domain and take effect throughout the forest. If there are multiple enterprise CAs in the AD forest, a change to template permissions affects all of the CA servers.

When you define a certificate template, its definition must be available to all CAs in the forest. This is achieved by storing the certificate template information in the configuration partition of the AD domain, which is replicated according to the AD replication schedule; the certificate template may therefore not take effect on all CAs until replication is complete. The storage and replication of templates is automatic and requires no manual intervention.

Note: Before Windows Server 2008 R2, only Enterprise Edition server systems supported certificate template management; from Windows Server 2008 R2 onward, certificate templates can also be managed on Standard Edition.

The Windows Server 2012 CA supports four versions of certificate templates: the three versions used by earlier server systems, plus the new version 4 template introduced with Windows Server 2012. The template version corresponds to the server system version: versions 1, 2, 3 and 4 correspond to Windows 2000, 2003, 2008 and 2012 respectively.

Beyond the server system version, the certificate template versions differ in functionality:

    1. Windows 2000 Advanced Server supports version 1 certificate templates. The only modification allowed on a version 1 template is changing the permissions that allow or deny enrollment; the version 1 templates are created by default when an enterprise CA is installed. Microsoft ended support for the Windows 2000 Server operating system on July 13, 2010.

    2. Windows Server 2003 Enterprise Edition supports version 1 and version 2 certificate templates. Version 2 templates let us define several settings ourselves, and a default installation includes a few default version 2 templates. You can add version 2 templates according to the needs of the enterprise, or copy a version 1 template to create a new version 2 template and then modify its settings and permissions; new templates added to a Windows Server 2003 enterprise CA use version 2 by default.

    3. Windows Server 2008 Enterprise Edition supports version 3 certificate templates in addition to version 1 and version 2. Version 3 templates on a Windows Server 2008 enterprise CA support several new features, such as CNG. CNG supports the Suite B algorithms, such as elliptic curve cryptography. In Windows Server 2008 Enterprise Edition you can copy the default version 1 and version 2 templates and upgrade them to version 3.

    4. Windows Server 2008 provides two new certificate templates by default: Kerberos Authentication and OCSP Response Signing. Windows Server 2008 R2 also supports these templates, and with version 3 templates you can use CNG encryption and hashing algorithms for certificate requests and certificate issuance.

    5. Windows Server 2012 supports all certificate template versions from 1 to 4. Version 4 templates are available only to Windows Server 2012 and Windows 8, and to help administrators distinguish the features supported by each operating system version, a new Compatibility tab is added to the certificate template properties. It marks options as unavailable in the template properties depending on the certificate client and CA operating system versions selected. Version 4 templates also support both CSPs and key storage providers, and can be configured to renew a certificate with the same key.

Certificate templates are only upgraded in an environment where the CA itself has been upgraded, for example a CA upgraded from Windows Server 2008 R2 to Windows Server 2012. After the CA upgrade is complete, open the Certification Authority console and click Yes in the upgrade prompt to upgrade the certificate templates.


Configure Certificate Template Permissions

To configure certificate template permissions, you define a DACL on the Security tab of each certificate template. The permissions assigned to the template define which users or groups may read, modify, enroll for, or autoenroll for certificates based on that template.

We can assign the following permissions to a certificate template:

    1. Full Control. Full Control allows a security principal to modify all properties of the template, including the permissions of the certificate template itself and its security descriptor.

    2. Read. Read allows a user or computer to view the certificate template when enrolling for a certificate; the certificate server also needs Read permission to find the certificate template in the AD domain.

    3. Write. Write allows a user or computer to modify the properties of the template, including the permissions assigned to the template itself.

    4. Enroll. Enroll allows a user or computer to enroll for a certificate based on the certificate template; to enroll, the principal must also have Read permission on the certificate template.

    5. Autoenroll. Autoenroll allows users or computers to receive certificates through autoenrollment, which requires that the user or computer also has Read and Enroll permission on the certificate template.

The best practice for assigning certificate template permissions is to grant them only to global or universal groups, because certificate template objects are stored in the configuration naming context of the AD forest; avoid assigning permissions to individual users or computers.

In addition, it is best to give the Authenticated Users group Read permission on the certificate template so that users and computers in the AD domain can view it. This also lets the template be read by a CA running in the system context of its computer account when it issues certificates. Do not give this group Enroll permission, so that the broad Read access does not become a security problem.
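The following script is an added example, not part of the original article: it audits the DACL of every certificate template in the forest's configuration partition and flags templates where a broad group (Authenticated Users, Domain Users, Domain Computers, Everyone; this list is an assumption, adjust it to your policy) holds Enroll or Autoenroll, or where a principal holds write-level rights. It assumes the ActiveDirectory PowerShell module (RSAT) and a domain-joined session; the Enroll and Autoenroll extended-right GUIDs are the well-known AD CS values.

```powershell
# Added example (not from the original article). Audits certificate template DACLs.
# Requires the ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

$enrollRight     = [guid]'0e10c968-78fb-11d1-a9c7-0000f80367c1'   # Certificate-Enrollment
$autoenrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

# Assumption: groups that should never hold Enroll/Autoenroll on a template.
$broadPrincipals = @('Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone')

# Helper: true when every bit of $flag is set in the ACE's rights mask.
function Test-Right($mask, $flag) { ($mask -band $flag) -eq $flag }

$configNC    = (Get-ADRootDSE).configurationNamingContext
$templatesDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$templates = Get-ADObject -SearchBase $templatesDN -SearchScope OneLevel `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties nTSecurityDescriptor

$findings = foreach ($tpl in $templates) {
    foreach ($ace in $tpl.nTSecurityDescriptor.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # only Allow ACEs grant access
        $r = $ace.ActiveDirectoryRights
        $rights = @()
        if (Test-Right $r ([System.DirectoryServices.ActiveDirectoryRights]::GenericAll))     { $rights += 'FullControl' }
        if (Test-Right $r ([System.DirectoryServices.ActiveDirectoryRights]::WriteDacl))      { $rights += 'WriteDacl' }
        if (Test-Right $r ([System.DirectoryServices.ActiveDirectoryRights]::WriteOwner))     { $rights += 'WriteOwner' }
        if (Test-Right $r ([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty))  { $rights += 'Write' }
        if (Test-Right $r ([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) {
            # An empty ObjectType means "all extended rights", which includes both enrollment rights.
            $allExt = ($ace.ObjectType -eq [guid]::Empty)
            if ($allExt -or $ace.ObjectType -eq $enrollRight)     { $rights += 'Enroll' }
            if ($allExt -or $ace.ObjectType -eq $autoenrollRight) { $rights += 'Autoenroll' }
        }
        if (-not $rights) { continue }

        $principal = $ace.IdentityReference.Value            # e.g. NT AUTHORITY\Authenticated Users
        $isBroad   = [bool]($broadPrincipals | Where-Object { $principal -eq $_ -or $principal -like "*\$_" })
        $canEnroll = ($rights -contains 'Enroll') -or ($rights -contains 'Autoenroll')
        $flag = if ($isBroad -and $canEnroll) { 'BROAD-ENROLL' }
                elseif ($rights -match 'FullControl|WriteDacl|WriteOwner|Write') { 'WRITE' }
                else { '' }

        [pscustomobject]@{ Template = $tpl.Name; Principal = $principal; Rights = ($rights -join ','); Flag = $flag }
    }
}

# BROAD-ENROLL rows violate the "Read but never Enroll for Authenticated Users" guidance above;
# WRITE rows show who can change a template's settings or its own permissions.
$findings | Sort-Object Template, Principal | Format-Table -AutoSize
```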


Configure settings for certificate templates

In addition to the security settings, you can configure several other settings on each certificate template. Note, however, that the number of configurable options depends on the template version: a version 1 template allows no changes other than security settings, whereas later template versions offer more configurable options.

Windows Server 2012 ships with several default certificate templates, mainly for these purposes: code signing (digitally signing software), EFS (encrypting data), and enabling users to log on with smart cards. If you want to customize a template for the enterprise, you copy the template and then configure the copy. For example, you can configure the following settings:

    1. The format and content of the certificate, based on its purpose. Note: the purpose of a certificate may apply to users or computers, depending on the type of security deployment the PKI is required to support

    2. The process for creating and submitting a valid certificate request

    3. CSP support

    4. Key length

    5. Validity period

    6. Enrollment process and enrollment requirements

You can also define the certificate purpose in the template settings. Certificate templates can have one of two kinds of purpose:

    1. Single purpose. A single-purpose certificate is used for one purpose only, such as allowing users to log on with smart cards. Enterprises use single-purpose certificates when the configuration of one deployed certificate must differ from the others. For example, if all users receive a certificate for smart card logon but only some groups receive a certificate for EFS, the enterprise typically keeps the certificates and templates separate to ensure that each user receives only the certificates they need.

    2. Multi-purpose. A multi-purpose certificate can be used for several purposes at the same time, and these purposes are usually unrelated. Some templates are multi-purpose by default, such as the User template, and enterprises often modify a template to add a new purpose. For example, if the enterprise intends to issue certificates for three purposes, they can be combined into a single certificate template, which simplifies management and maintenance.


Choosing how to update certificate templates

In most enterprise CA deployments, each function has its own certificate template, such as one template for file encryption and another for code signing. There may also be templates that cover multiple functions for the most common groups of objects.

As IT administrators, we may need to modify an existing certificate template because it was not configured correctly, or because problems were found after certificates were first issued from it. Sometimes we may also need to merge several existing templates into a single template.

We can update a certificate template either by modifying it or by replacing it:

    1. Modify the original certificate template. For version 2, version 3 and version 4 templates, we make the changes and apply them to the template; once processing is complete, all certificates the CA subsequently issues from that template contain the modified configuration.

    2. Replace an existing certificate template. The enterprise CA may have several certificate templates that provide the same or similar functionality. In that case we can supersede those templates with a single new template: in the Certificate Templates console, we specify that the new template supersedes the existing ones. A further benefit of superseding a template is that the new certificate is issued when the existing certificate expires.


This article is from the "Dry Sea Sponge" blog, please be sure to keep this source http://thefallenheaven.blog.51cto.com/450907/1616360
