Windows AD Certificate Services Family---deployment CA (2)



Role-based management in AD CS lets administrators assign users and groups to built-in CA roles that carry pre-set permissions. Each role can perform one or more defined tasks. The following table lists the roles and groups used in role-based management:

Role/group            Purpose
CA administrator      Administer the CA
Certificate manager   Issue and manage certificates
Auditor               Manage auditing and the security event log (an operating system role)
Enrollee              Read and enroll

Role-based management combines operating system roles with AD CS roles to give a complete, segmented management model for the CA. You no longer have to grant local administrator rights to several IT staff so that they can administer the CA; you assign only the role that carries the minimum permissions the task requires, which improves the security of the enterprise.

Role-based management also reduces the work an administrator has to do when granting rights to other managers, because every authorization amounts to adding a user to the corresponding group or role.


Managing CA Security

To configure role-based management for CAs and manage CA security, open the Certification Authority console (certsrv.msc), open the properties of the CA, and use the Security tab. The following permissions can be set at the CA object level:

    1. Read. A security principal with this permission can locate the CA in the AD domain; on a stand-alone CA it lets the principal reach the CA through the web enrollment pages or the service.

    2. Issue and Manage Certificates. Security principals with this permission can approve or deny pending certificate requests, issue and revoke certificates, specify a revocation reason, remove a certificate from hold (undo a revocation made with the reason Certificate Hold), and read all issued certificates and export them to a file.

    3. Manage CA. Security principals with this permission can configure CA-level options, but they cannot manage certificates; they administer only the CA itself.

    4. Request Certificates. Security principals with this permission can submit certificate requests to this CA. This does not by itself allow them to enroll: the ability to enroll for a given certificate is granted at the certificate template level.

The permission types can be seen on the Security tab of the CA properties:

[Screenshot: CA Properties, Security tab]

You can see that the Administrators group holds both Issue and Manage Certificates and Manage CA.

In combination with the security permissions in the ACL of the CA object, you can use the Certificate Managers tab of the CA Properties window (Restrict certificate managers) to limit a security principal that holds Issue and Manage Certificates to specific certificate templates. For example, to let user Bob issue and manage only user certificates, add Bob to the ACL with Issue and Manage Certificates, and then restrict Bob to the User certificate template on the Certificate Managers tab; otherwise Bob would be able to issue and manage all certificates, as shown in the screenshots:

[Screenshots: CA Properties, Certificate Managers tab with Restrict certificate managers enabled and Bob limited to the User template]
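The following PowerShell script is an added example and not code from the original post. It records the CA-level ACL described above as a baseline file, flags principals that hold both Manage CA and Issue and Manage Certificates, and then enforces role separation so that one account cannot exercise both roles. It assumes it runs on the CA server as a local administrator; the parsing of certutil's decoded ACL output is a constructed heuristic, so compare its result with the saved baseline file.

```powershell
# Added example (not from the original post). Run on the CA server as a
# member of the local Administrators group.

$baseline = '.\ca-security-baseline.txt'

# 1. Dump the CA object's security descriptor. With -v certutil decodes the
#    binary ACL into readable ACEs carrying the same rights the Security tab
#    shows (Read, Request Certificates, Issue and Manage Certificates, Manage CA).
$aclText = certutil -v -getreg CA\Security
$aclText | Out-File -FilePath $baseline -Encoding utf8

# 2. Heuristic check for principals that hold both management rights.
#    Assumption: each decoded ACE is one line of the form
#    "Allow  <right>  <principal>", so we match on the right's wording and
#    take the trailing token as the principal. Verify against $baseline.
$caAdmins = @()
$certMgrs = @()
foreach ($line in $aclText) {
    if ($line -notmatch '^\s*Allow\b') { continue }
    $principal = ($line -split '\s{2,}|\t')[-1].Trim()
    if ($line -match 'Full Control|CA Administrator|Manage CA')          { $caAdmins += $principal }
    if ($line -match 'Full Control|Certificate Manager|Issue and Manage') { $certMgrs += $principal }
}
$both = $caAdmins | Where-Object { $certMgrs -contains $_ } | Sort-Object -Unique
if ($both) {
    Write-Warning 'Principals holding both Manage CA and Issue and Manage Certificates:'
    $both | ForEach-Object { Write-Warning "  $_" }
}

# 3. Enforce role separation. With CA\RoleSeparationEnabled set to 1 the CA
#    refuses management operations from any account that is a member of more
#    than one CA role, so fix the memberships reported above first (the
#    built-in Administrators group normally holds both and is blocked too).
certutil -setreg CA\RoleSeparationEnabled 1
Restart-Service -Name certsvc

# 4. Confirm the setting took effect.
certutil -getreg CA\RoleSeparationEnabled
```

Keep the baseline file under change control; rerunning step 1 after every CA change and diffing against it is the cheapest way to notice an unexpected Manage CA or Issue and Manage Certificates grant.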


Configuring CA Policy and Exit Modules

A more advanced CA deployment integrates the CA with other PKI-related services, which requires configuring and managing the policy and exit modules on the CA. Every CA, stand-alone or enterprise, has a policy module and an exit module; each CA uses the default modules, and usually they need no configuration. The policy and exit modules can be managed from the Certification Authority console, but the more complex settings still have to be made with the certutil command.


What is a policy module?

The policy module determines what the CA does when it receives a certificate request. The default policy module can be configured so that every request is held pending until an administrator approves or denies it, or, if the certificate template allows the policy module to issue, it issues the certificate immediately. You can also install a custom policy module that performs other tasks when a request arrives. For example, if Microsoft Forefront Identity Manager Certificate Management (FIM CM 2010) is deployed in an internal PKI, the FIM CM 2010 policy module forwards each request to FIM CM; after the FIM workflow has processed it, the certificate is issued or the request is denied. The FIM CM 2010 policy module can also be given the thumbprint of a signing certificate: requests that have gone through the FIM CM process are signed with that certificate before they reach the CA, and the module uses the thumbprint to verify them. This is just one example of a custom policy module; other third-party applications may use policy modules of their own.


What is an exit module?

Unlike the policy module, the exit module runs after a certificate has been issued and determines the actions taken at that point. The most common actions are sending an e-mail notification or publishing the certificate to the file system; both can be performed by the default exit module that every CA uses.

You can also write an exit module yourself. Returning to the FIM example: if you deploy FIM CM 2010 and a custom exit module on the CA, the exit module can forward the data of every issued certificate to the computer running the SQL Server role. With that information written to the database, FIM CM can view and monitor issued certificates without having to read the CA database directly.

A CA can use several exit modules at the same time. This is not true of policy modules: a CA can have only one active policy module at a time.

If you want an e-mail sent to a specific address every time a certificate is issued, you must configure these settings with certutil, because they are not exposed in the CA management console. First specify the SMTP server used to send the mail:

certutil -setreg exit\smtp\SMTPServer <SMTP server name>

The SMTP server name must be an FQDN. Next, specify the e-mail address to be notified for the event (here, CRL issuance):

certutil -setreg exit\smtp\CRLIssued\To <e-mail string>

Note: by default the exit module sends mail without SMTP authentication. If your SMTP server requires authentication, run the following commands on the CA server:

certutil -setreg exit\smtp\SMTPAuthenticate 1

certutil -setsmtpinfo <user name>

The user name is an account that can authenticate to the SMTP server; the command prompts for that account's password.

In addition to sending a notification when a certificate is issued, an exit module can be set up to send notifications when the following events occur:

The certificate request is in a pending state

The certificate request was denied

Certificate is revoked

CRL is issued

CA Service Started

CA Service stopped
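The following PowerShell script is an added example and not part of the original post. It applies the certutil settings described above for every event in the list, selects which events actually generate mail, and stores credentials for an authenticating relay. The host names, addresses and service account are placeholders. The per-event subkey names (Issued, Pending, Denied, Revoked, CRLIssued, Startup, Shutdown) and the EXITEVENT_* flag names are the ones documented for the Microsoft default exit module; treat them as an assumption to confirm with certutil -getreg exit\smtp on your own CA.

```powershell
# Added example (not from the original post). Run on the CA server as a
# CA administrator. Names, addresses and the account below are placeholders.

$SmtpServer = 'smtp.corp.example.com'        # must be an FQDN
$NotifyTo   = 'pki-ops@corp.example.com'
$NotifyFrom = 'ca-noreply@corp.example.com'
$SmtpUser   = 'CORP\svc-ca-mail'             # only needed for an authenticating relay

# SMTP server used by the exit module. Paths given to -setreg are relative
# to the CA's CertSvc\Configuration registry key.
certutil -setreg exit\smtp\SMTPServer $SmtpServer

# Recipient and sender for each event that can trigger a notification.
# Assumption: these subkey names match the exit module's documented event
# keys; check the result with: certutil -getreg exit\smtp
$events = 'Issued', 'Pending', 'Denied', 'Revoked', 'CRLIssued', 'Startup', 'Shutdown'
foreach ($event in $events) {
    certutil -setreg "exit\smtp\$event\To"   $NotifyTo
    certutil -setreg "exit\smtp\$event\From" $NotifyFrom
}

# Choose which events are actually mailed. The "+FLAG" form adds one flag
# to the existing EventFilter value instead of replacing it.
$flags = 'EXITEVENT_CERTISSUED', 'EXITEVENT_CERTPENDING', 'EXITEVENT_CERTDENIED',
         'EXITEVENT_CERTREVOKED', 'EXITEVENT_CRLISSUED',
         'EXITEVENT_STARTUP', 'EXITEVENT_SHUTDOWN'
foreach ($flag in $flags) {
    certutil -setreg exit\smtp\EventFilter "+$flag"
}

# The exit module sends unauthenticated SMTP by default. For a relay that
# requires authentication, enable it and store the account; -setsmtpinfo
# prompts for the password so it never appears on the command line.
certutil -setreg exit\smtp\SMTPAuthenticate 1
certutil -setsmtpinfo $SmtpUser

# Exit module settings are read when the service starts.
Restart-Service -Name certsvc

# Review the stored configuration before relying on it.
certutil -getreg exit\smtp
```

Route the notifications to a monitored mailbox rather than a person: the revoked, denied and service-stopped events are the ones a SOC wants to see, and a CA that starts mailing pending requests it never did before is itself a signal worth investigating.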

To configure the exit module to publish certificates to the file system, open the properties of the exit module in the CA management console, enable the option "Allow certificates to be published to the file system", and restart the CA, as shown:

[Screenshot: Exit Module properties with "Allow certificates to be published to the file system" enabled]

Certificates issued by the CA are then written to the C:\Windows\System32\CertEnroll folder on the CA server as .cer files. This only happens for requests whose requester included the attribute CertFile:True in the request.


Backup and restore of CAs

A CA server may run for many years, and at some point you will want to upgrade its hardware or operating system. Because the CA is critical to the whole enterprise IT environment, you must define a backup and restore process. Migrating the CA role also requires an up-to-date backup of the CA.

Note: Unlike other services, which can simply be installed on a new computer and continue working, a CA must keep its identity when it is moved from one server to another, so that the new hardware or operating system runs under the same CA identity.


CA Backup

Even if you do not plan to migrate the CA, you should still back it up. A CA backup differs from an ordinary backup and is done as follows:

    1. If you are backing up an enterprise CA, click Certificate Templates in the CA console and record the names of the templates listed there. The templates themselves are stored in the AD domain, so they do not need to be backed up, but you must know which templates the CA publishes, because you have to add them to the CA manually after the migration.

    2. In the CA console, right-click the CA name, select All Tasks, and click Back up CA to open the CA Backup Wizard. In the wizard select the CA's private key and CA certificate, and the certificate database and certificate database log. Choose a suitable location for the backup and, for security, set a password to protect the CA private key.

    3. After the backup completes, open Registry Editor, locate the following subkey and export it:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration

Note: save the exported registry file in the same folder as the CA backup.

    4. Once you are ready to migrate the CA to another computer, uninstall the CA role from the old server, and then rename the old server or disconnect it from the network.
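The backup steps above, scripted with certutil as an added example that is not from the original post. It records the published templates, backs up the CA certificate, private key, database and logs with a password-protected key, exports the registry subkey into the same folder, and writes a SHA-256 manifest so that a later restore can detect a tampered or truncated backup. It assumes it runs on the CA as a CA administrator and that D:\CABackup (a placeholder) is a location only backup operators can read.

```powershell
# Added example (not from the original post). Run on the CA server as a
# CA administrator. D:\CABackup is a placeholder; restrict its ACL.

$BackupRoot = 'D:\CABackup'
$Dir = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmm')
New-Item -ItemType Directory -Path $Dir | Out-Null

# Step 1: record which templates this (enterprise) CA publishes. The
# templates live in AD; only this list has to be re-applied after a move.
certutil -catemplates | Out-File -FilePath (Join-Path $Dir 'templates.txt') -Encoding utf8

# Step 2: back up CA certificate + private key (<CAName>.p12) and the
# database + logs (DataBase\). -p is the wizard's key-protection password;
# read it interactively so it never lands in shell history.
$secure = Read-Host -Prompt 'Password to protect the CA private key' -AsSecureString
$ptr    = [Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocUnicode($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringUni($ptr)
try {
    certutil -p $plain -backup $Dir
    if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }

    # Prove the key file really opens with that password before trusting the backup.
    $p12 = Get-ChildItem -Path $Dir -Filter '*.p12' | Select-Object -First 1
    if (-not $p12) { throw 'certutil -backup produced no .p12 file' }
    certutil -p $plain -dump $p12.FullName | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'CA key backup does not open with the supplied password' }
}
finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeGlobalAllocUnicode($ptr)
    Remove-Variable plain
}

# Step 3: export the CA configuration subkey into the backup folder.
reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration `
    (Join-Path $Dir 'CertSvc-Configuration.reg') /y

# Integrity manifest: hash every file (paths relative to the backup folder)
# so the restore side can verify the copy it received.
Get-ChildItem -Path $Dir -Recurse -File |
    Where-Object { $_.Name -ne 'manifest.csv' } |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, @{ Name = 'RelativePath'; Expression = { $_.Path.Substring($Dir.Length + 1) } } |
    Export-Csv -Path (Join-Path $Dir 'manifest.csv') -NoTypeInformation

# Step 4 happens later, on the OLD server only, after the new CA is verified:
#   Uninstall-AdcsCertificationAuthority -Force
#   Remove-WindowsFeature ADCS-Cert-Authority
# then rename the server or take it off the network.
```

The .p12 contains the CA's signing key, so the backup folder deserves the same handling as the CA itself: an offline copy, a restrictive ACL, and a password that is stored separately from the folder.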


CA Restore

A CA restore is typically needed when the current CA has to be repaired or migrated to another server.

To restore a CA, follow these steps:

    1. Install the AD CS role on the target computer, choosing a stand-alone or enterprise CA to match the CA being migrated. On the Private Key page, click Use existing private key and select Select a certificate and use its associated private key, so that the new CA server continues to use the old server's CA certificate.

    2. On the Existing Certificate page, click Import, enter the path of the .p12 file created by the CA backup and the password set at backup time, and click OK. When prompted about the public and private key pair, make sure the existing key is selected; if you want to keep using the same CA certificate, this step is critical.

    3. On the Certificate Database page, specify the same locations for the certificate database and its log as on the old server. Then click Configure and wait for the wizard to complete.

    4. After the installation completes, open the Services snap-in (services.msc) and stop the Active Directory Certificate Services service so that the old server's settings can be restored in the following steps.

    5. Locate the registry file exported during the backup and double-click it to import it into the registry.

    6. After restoring the registry settings, open the CA management console, right-click the CA name, click All Tasks, and then click Restore CA. In the CA Restore Wizard select Private key and CA certificate and Certificate database and certificate database log to specify what to restore, enter the location of the backup folder, and confirm the restore settings. The Issued Log and Pending Requests entries in the restore summary should read "Show".

    7. When the restore completes, choose to restart the AD CS service.

    8. If you are restoring an enterprise CA, confirm that the certificate templates you recorded earlier are visible and available on the new CA.
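The restore steps above, as an added PowerShell example that is not part of the original post. It assumes the backup folder produced on the old CA (including templates.txt, the exported .reg file and a manifest.csv with relative paths and SHA-256 hashes) has been copied to the new server, that the AD CS role has not yet been configured there, and that the account is an enterprise administrator (for an enterprise CA). The CA type, folder paths and backup name are placeholders; the database and log directories must match the old server. The parsing of certutil -catemplates output is a constructed heuristic.

```powershell
# Added example (not from the original post). Run on the NEW server.
$Backup = 'D:\CABackup\20150206-1048'          # copied from the old CA; placeholder
$DbDir  = 'C:\Windows\System32\CertLog'         # same locations as on the old server
$LogDir = 'C:\Windows\System32\CertLog'

# Refuse a backup whose files no longer match the manifest written at backup time.
Import-Csv -Path (Join-Path $Backup 'manifest.csv') | ForEach-Object {
    $file = Join-Path $Backup $_.RelativePath
    $now  = (Get-FileHash -Path $file -Algorithm SHA256).Hash
    if ($now -ne $_.Hash) { throw "Backup file modified or truncated: $file" }
}

$P12 = (Get-ChildItem -Path $Backup -Filter '*.p12' | Select-Object -First 1).FullName
$pw  = Read-Host -Prompt 'Password set when the CA was backed up' -AsSecureString

# Steps 1-3: install the role and configure it with the OLD CA certificate and
# key so the CA keeps its identity, and with the old database/log locations.
# Use -CAType EnterpriseRootCA (or the stand-alone types) to match the old CA.
Add-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools | Out-Null
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CertFile $P12 -CertFilePassword $pw `
    -DatabaseDirectory $DbDir -LogDirectory $LogDir -Force

# Steps 4-5: stop the service and import the saved configuration subkey.
Stop-Service -Name certsvc
reg import (Join-Path $Backup 'CertSvc-Configuration.reg')

# Step 6: restore the certificate database and logs (the key is already in
# place from the install step). -f overwrites the empty database just created.
certutil -f -restoredb $Backup
if ($LASTEXITCODE -ne 0) { throw "certutil -restoredb failed with exit code $LASTEXITCODE" }

# Step 7: start the CA and check that it answers.
Start-Service -Name certsvc
certutil -ping

# Step 8 (enterprise CA): compare the templates recorded at backup time with
# what the new CA publishes and re-add any that are missing.
# Assumption: each 'certutil -catemplates' line starts with "<TemplateName>:".
$wanted = Get-Content -Path (Join-Path $Backup 'templates.txt') |
          ForEach-Object { if ($_ -match '^(\S+):') { $Matches[1] } }
$have   = certutil -catemplates |
          ForEach-Object { if ($_ -match '^(\S+):') { $Matches[1] } }
foreach ($t in $wanted) {
    if ($have -notcontains $t) { certutil -setcatemplates "+$t" }
}
```

Before the old server is decommissioned, issue one test certificate from the new CA and check that its issuer matches the old CA certificate and that the CRL distribution points in the imported configuration still resolve; a restored CA that signs correctly but publishes CRLs to a path that no longer exists will break revocation checking for every relying party.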


This article is from the "Dry Sea Sponge" blog; please keep this source: http://thefallenheaven.blog.51cto.com/450907/1612368
