Install and Configure a Subordinate CAAfter the root CA is prepared, the subordinate CA must be installed. The following example installs and configures an enterprise subordinate CA. A standalone subordinate CA could also be installed but would not have the flexibility that an Enterprise CA has. In this example, the subordinate CA of the root CA will be the issuing CA for chicago.local. However, best practices indicate that a middle layer of intermediary subordinate CAs, which may or may not be kept offline, should be created. This layer provides flexibility, especially when organizations are large, when organizations anticipate cross-certification with partner CA hierarchies, or when the certificate usage will be large. However, it is not necessary, especially for smaller organizations, and providing instructions for the configuration of this layer would add little to this chapter. If you require a broader CA hierarchy, extensive information is available in the "Best Practices for Implementing a Windows Server 2003 Public Key Infrastructure" paper previously mentioned in this chapter. Installing the Subordinate CATo install the enterprise subordinate CA, a certificate request file must be generated on the subordinate CA computer. This request is used to manually obtain a certificate from the root CA. The certificate must then be installed on the subordinate CA. If the subordinate CA will also perform the Registration Authority role, IIS must also be installed. Enable the Use of ASP on IISWindows Server 2003 IIS installs in a locked down configuration. You must enable the use of ASP pages for the CA Web Enrollment pages to work:
Start the InstallationThe first step of the subordinate CA installation adds the files and registry keys and creates the certificate request file. If the CA that will provide the certificate is online, the CA certificate can be requested online, but that is not the case with the root CA. To start the installation and obtain a certificate request file, follow these steps:
Obtain a Root CA Certificate from the Root CAThe certificate request file must be transported manually to the root CA and used to request a CA certificate. The certificate will be added to the Pending folder of the CA:
Inspect the Subordinate CA Certificate and Obtain the Request IDThe new subordinate CA certificate should be inspected to ensure the correct CDP and AIA locations are present:
Use certreq to Retrieve a Copy of the CertificateThe CA certificate is issued to the root CA database. To complete the installation of the subordinate CA, the certificate must be placed in a file and installed on the subordinate CA. To obtain a copy of the CA certificate for the regalinn CA, use the certreq command. The root CA computer, CA name, Request ID, and a file path must be listed:
Install the CA CertificateThe CA certificate file is then used to install the CA certificate at the CA console:
NOTE: CA Certificate Automatic Publishing Because the subordinate Enterprise CA is integrated with Active Directory, the CA certificate will be automatically published to the Active Directory. Configure a Subordinate CAAfter the enterprise subordinate CA is installed, but before it issues certificates, the following tasks should be completed:
Steps 1 and 2 can be done in the same manner as they were done for the root CA. Setting auditing in Active Directory is similar to setting auditing in the Local Security Policy. It should be done in the OU in which the CA member server resides. The CRL and delta CRL publishing schedule is set by default, but you need to modify it to fit. Restrict Certificate Usage by Setting PermissionsCertificate templates are stored in the Active Directory and are managed outside of the CA. Even if some templates will not be used, permissions should be set for all templates. Many certificates can be autoenrolled and others can be requested and obtained without any need to validate the request. If a user or computer can authenticate, and the certificate is not restricted, the certificate will be issued. Restrict certificates by setting the Enroll permission on the template, by removing certificate templates from the CA console, and for V2 templates, by requiring approval before the requested certificate is issued. Information on configuring V2 templates is provided in the section, "Use Custom Templates to Configure Key Archival for EFS." Set Template PermissionsTo set permissions on certificate templates, follow these steps:
Restrict Certificate Usage by Limiting the Certificates the CA Can IssueJust as the root CA and any intermediary CAs should issue only CA certificates, the issuing CA should issue only those certificates they are authorized to issue. The certificates each CA should issue are a matter of security policy and CA hierarchy design, but no issuing CA should issue CA certificates. Removing the certificates listed in the Certificates Template node of the CA can prevent the CA from issuing them. However, any administrator with the proper privileges can add them back in. Removing the certificates, however, will prevent accidental issuance of these certificates. Audit the Enterprise CA to confirm compliance. Limit the Certificates the CA Can Issue
TIP: Templates Are Persistent Removing templates from the Certificate Templates node does not remove the certificate templates; it simply prevents the CA from issuing certificates of this type. Establish Role Separation for the Subordinate CARole separation is the process of dividing the CA administration duties among several people. To delegate administrative responsibilities, assign permissions on the CA to different custom Windows groups. To prevent an individual account from becoming a member of both groups and thus hinder role separation, enforce role separation. Role separation can be configured and enforced for all CAs. For the offline root, use local computer groups. For an Enterprise CA, use global computer groups. In an environment where a large number of certificates will be issued, you may want to further divide the role of Certificate Manager. To do so, create multiple Certificate Manager groups. Then, use the Restrict Certificate Manager CA property page to assign each group the responsibility of managing groups of users and computers. Separating Administrative Roles
Enforce Role SeparationIf role separation is not enforced, an individual account could be a member of both groups and therefore have full control of the CA. To enforce role separation, follow these steps:
TIP: Remove Role Separation If you have incorrectly enabled role separation and need to remove it, enter the following command: certutil -delreg ca\RoleSeparationEnabled Restrict Certificate ManagersTo limit certificate managers by Windows group, follow these steps:
Configure AutoenrollmentThe process by which a user or computer certificate is issued can be broken into three parts: Request A certificate is requested by some manual action, such as by using the web enrollment pages or the certificates snap-in. A certificate request may also be automatically issued when a user or computer authenticates to Active Directory. Issue A certificate request is approved, and the certificate is created. Distribution The certificate is installed in the certificate stores of the computer.
Autoenrollment, which is the performance of these activities without user intervention can be configured in many cases. In other cases, user intervention is required. Autoenrollment is configured in three places: On the Policy property page of the CA, as shown in the configuration sections of both the offline root CA and the enterprise subordinate CA. There are two choices: certificates may require a Certificate Manager approval, or they may be issued automatically. If the CA is a Windows Server 2003 Enterprise Edition Enterprise CA, certificates may be issued according to configuration of the V2 certificate. In the certificate template. In Group Policy.
For more information on capabilities for certutil, check http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_cs_certutil2.asp. Configure Autoenrollment Using Certificate TemplatesThe Certificate Templates console displays the certificates and basic information about them. A column is provided for autoenrollment status. Each certificate, as shown in Figure 13-26, is marked as either autoenrollment Allowed or autoenrollment Not Allowed. In the figure, the Key Recovery Agent certificate is marked as Allowed. This does not mean the certificate is automatically issued; in this case, it just means that the certificate can be installed without user intervention. Double-click the certificate to view it, and on the Issuance Requirements page, note that the box CA Certificate Manager Approval is checked (see Figure 13-27). If an authorized individual requests the certificate, and the CA Certificate Manager issues the certificate, the certificate is automatically installed in the user's Personal certificate store. Figure 13-26. Certificate templates are marked autoenrollment Allowed or Not Allowed.Figure 13-27. The Key Recovery certificate issuance requires CA Certificate Manager approval.Template configuration sections on several template property pages can have an impact on autoenrollment. Select these settings, as described in Table 13-2, to configure templates for autoenrollment. While only a Windows Server 2003 Enterprise Edition CA or a Windows Server 2003 Datacenter Edition CA can be used to configure the properties of the certificates, autoenrollment is possible based on template defaults and Group Policy configuration no matter which Windows CA is used. Certificate Template Permissions can also impact autoenrollment. The permissions are as follows: Read Discover the template in Active Directory. Enroll Request and receive the certificate. Full Control All actions. Autoenroll Automatically enroll. This new permission is only present on v2 templates. Templates customized by duplicating v2 templates will also have the permission. A user must have the Enroll and Autoenroll permission. Write Modify templates. TIP: Check Permissions The Enterprise CA must also have Enroll permission on the template. Typically, the Enterprise CA gets this permission because it is a member of the Authenticated Users group. If you remove the Enroll permission for the Authenticate Users group, be sure and add the Enterprise CA and provide it permissions if you want autoenrollment to occur. Configure Autoenrollment in Group PolicyGroup Policy PKI settings are configured in the Computer Configuration, Windows Settings, Security Settings, Public Key Policy and in the User Configuration path. Policies that can be configured are as follows: Encrypting File System Automatic Certificate Request Setting Trusted Root Certification Authority Enterprise Trust
At the root of the Public Key Policy folder, in the details pane, there is also an Autoenrollment policy. This policy turns on or turns off autoenrollment, as shown in Figure 13-28, for this GPO. To enable autoenrollment for users and computers, you must enable enrollment in both User Configuration and Computer Configuration paths. Figure 13-28. Turn autoenrollment on or off for a GPO.The Automatic Certificate Request Setting policies configure autoenrollment of computer certificates. Right-clicking the policy and selecting New allows the selection of a computer certificate from a wizard page, as shown in Figure 13-29, to automatically enroll authorized computers. Each policy can include only one certificate type. Figure 13-29. Configure autoenrollment of computer certificates. |