Configuring and Using Active Directory Certificate Services

After you have deployed your servers, you still need to complete several configurations to begin using them to issue and manage certificates to users and devices. Several activities are required:


  • To issue and maintain certificates, you must finalize the configuration of your issuing CAs.
  • For your online responder to issue responses to requests, you must finalize the configuration of the online responder.
  • To support network device enrollments, you must finish the configuration of the NDES on an issuing CA.
  • After all of these configurations are completed, you must test your CA operations to ensure that everything is working correctly.

Finalizing the configuration of an issuing CA includes the following actions:

  • Creating a certificate revocation configuration
  • Configuring and personalizing certificate templates, with specific attention to the following factors:
      • If you want to use EFS to protect data, you must configure certificates for use with EFS. This also involves planning for the recovery agent, that is, the agent that will be able to recover data if a user's EFS key is lost.
      • If you want to protect your wireless networks with certificates, you must configure wireless network certificates. This enforces strong authentication and encrypts all communications between wireless devices.
  • Configuring enrollment and issuance options

You perform each of these actions on the issuing CA itself or remotely from a workstation, using the Remote Server Administration Tools (RSAT).

Creating a Revocation Configuration for a CA

Revocation is one of the few mechanisms available to you to control certificates when they are misused or when you need to cancel certificates that have already been deployed. This is one reason your revocation configuration should be completed before you begin to issue certificates. To create a revocation configuration, perform the following actions:

  • Specify Certificate Revocation List (CRL) distribution points.
  • Configure CRL and Delta CRL overlap periods.
  • Schedule the publication of CRLs.

On the issuing CA (SRV2), open the Certification Authority console. Right-click the issuing CA name and select Properties. On the Extensions tab, ensure that CRL Distribution Point (CDP) is the selected extension, then select both Publish CRLs to this location and Publish Delta CRLs to this location. Click OK.


Now move on to configuring the CRL and Delta CRL overlap periods. This is performed with the certutil.exe command.

1. On the issuing CA, open an elevated command prompt and execute the following commands:

certutil -setreg ca\CRLOverlapUnits value
certutil -setreg ca\CRLOverlapPeriod units
certutil -setreg ca\CRLDeltaOverlapUnits value
certutil -setreg ca\CRLDeltaOverlapPeriod units

Here, value is the number of units you want to use for the overlap period, and units is minutes, hours, or days. For example, you could set the CRL overlap period to 24 hours and the Delta CRL overlap period to 12 hours. For this, you would use the following commands:
certutil -setreg ca\CRLOverlapUnits 24
certutil -setreg ca\CRLOverlapPeriod hours
certutil -setreg ca\CRLDeltaOverlapUnits 12
certutil -setreg ca\CRLDeltaOverlapPeriod hours

In the lab, type each of the following commands and press Enter after each one:

certutil -setreg ca\CRLOverlapUnits 24
certutil -setreg ca\CRLDeltaOverlapUnits 12
certutil -setreg ca\CRLOverlapPeriod hours

Close the command prompt and return to the Certification Authority console on the issuing CA (SRV2). First stop the CA service, then start it again, so that the CA reads the new registry values. Right-click the CA name and select Properties. On the CRL Publishing Parameters tab, configure the CRL and Delta CRL publication periods. By default, these values are set to one week and one day, respectively. If you expect a high throughput of certificates and need to ensure high availability of the CRLs, decrease both values; if not, keep the defaults. Click OK. The revocation configuration is complete.
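As an added example (not part of the lesson), the same overlap settings applied and then verified from PowerShell: it runs the lesson's certutil -setreg commands, restarts the CA service so the values take effect, and reads the resulting CRL schedule back from the CA's registry configuration. It assumes it is run elevated on the issuing CA; the function names Set-CrlOverlap and Get-CrlSchedule are this example's own.

```powershell
# Added example, not the lesson's own code. Assumes an elevated session on the
# issuing CA (SRV2 in the lesson) with the Certification Authority role installed.

function Set-CrlOverlap {
    param(
        [int]$CrlOverlapUnits = 24,     [string]$CrlOverlapPeriod = 'hours',
        [int]$DeltaOverlapUnits = 12,   [string]$DeltaOverlapPeriod = 'hours'
    )
    # Same four certutil -setreg calls as the lesson. The running CA does not
    # pick these up until certsvc is restarted, hence the Restart-Service below.
    certutil -setreg ca\CRLOverlapUnits       $CrlOverlapUnits     | Out-Null
    certutil -setreg ca\CRLOverlapPeriod      $CrlOverlapPeriod    | Out-Null
    certutil -setreg ca\CRLDeltaOverlapUnits  $DeltaOverlapUnits   | Out-Null
    certutil -setreg ca\CRLDeltaOverlapPeriod $DeltaOverlapPeriod  | Out-Null
    Restart-Service -Name certsvc
}

function Get-CrlSchedule {
    # certutil -setreg ca\... writes under the active CA's configuration key;
    # the 'Active' value of the parent key names that CA instance.
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $base).Active
    $cfg    = Get-ItemProperty -Path (Join-Path $base $caName)

    # A CRL is valid for publication period + overlap, so clients keep a valid
    # CRL for the overlap window even if the next publication is late.
    [pscustomobject]@{
        CA               = $caName
        CRLPeriod        = "$($cfg.CRLPeriodUnits) $($cfg.CRLPeriod)"
        CRLOverlap       = "$($cfg.CRLOverlapUnits) $($cfg.CRLOverlapPeriod)"
        DeltaCRLPeriod   = "$($cfg.CRLDeltaPeriodUnits) $($cfg.CRLDeltaPeriod)"
        DeltaCRLOverlap  = "$($cfg.CRLDeltaOverlapUnits) $($cfg.CRLDeltaOverlapPeriod)"
        OverlapConfigured = ($cfg.CRLOverlapUnits -gt 0 -and $cfg.CRLDeltaOverlapUnits -gt 0)
    }
}

Set-CrlOverlap                      # 24 hours / 12 hours, as in the lesson
Get-CrlSchedule | Format-List

# Cross-check with what the CA itself reports for one of the values.
certutil -getreg ca\CRLOverlapUnits
```

OverlapConfigured reports $false when either overlap is still 0, which means the CA is publishing with no explicitly configured overlap window for that CRL type.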