Tuesday, July 6, 2010

Active Directory Certificate Services: Issuing Common Certificate Types on Standalone CAs (Part 1)

Background

Active Directory Certificate Services can be used to generate a number of certificates with different purposes. Active Directory Certificate Services gives four options for installation: Standalone CA or Enterprise CA and Root or Subordinate. Enterprise CAs are only possible within an Active Directory Domain Services infrastructure. A full discussion of an enterprise PKI infrastructure is not given here, but can be found in any of the books on PKI or on Microsoft Technet.
Enterprise CAs allow multiple types of certificates to be issued automatically through a process known as autoenrollment. Users can also submit requests through a web enrollment interface or send a request to a CA administrator. Autoenrollment requires the creation and maintenance of one or more certificate templates that the issuing CAs (typically subordinate CAs) issue based on the requests that they receive. Many templates come with ADCS and correspond to different purposes, such as securing connections between clients and servers (e.g. IPsec and SSL), authenticating individuals and computers (e.g. smart card certificates and client certificates), and encrypting data (e.g. Encrypting File System certificates).
Standalone CAs can issue the same types of certificates that enterprise certification authorities can, but they do so without autoenrollment and certificate templates. Users send requests to a CA administrator or submit them through web enrollment. All of the information that specifies the certificate's purpose, in particular its extensions, must therefore be included in the request itself. A search of Google and Bing suggests that an organization without an enterprise CA has no handy reference for determining which extensions a manually created request needs. This post provides the extensions that the certificate templates installed with ADCS specify, so that equivalent requests can be built by hand.
The following table lists most of the certificate templates installed with a Windows Server 2008 R2 Enterprise Edition Enterprise Certification Authority and their extensions.
| Name | Template Name | Subject Type | Purpose (if applicable) | Basic Constraints | Key Usage | Enhanced Key Usage |
|---|---|---|---|---|---|---|
| Administrator | Administrator | User | Signature and Encryption | The subject is an end-entity. | Digital signature; Allow key exchange only with key encryption (critical extension) | Microsoft Trust List Signing; Encrypting File System; Secure Email; Client Authentication |
| Authenticated Session | ClientAuth | User | Signature | The subject is an end-entity. | Digital signature (critical extension) | Client Authentication |
| Basic EFS | EFS | User | Encryption | The subject is an end-entity. | Allow key exchange only with key encryption (critical extension) | Encrypting File System |
| CEP Encryption | CEPEncryption | Computer | Encryption | The subject is an end-entity. | Allow key exchange only with key encryption (critical extension) | Certificate Request Agent |
| Code Signing | CodeSigning | User | Signature | The subject is an end-entity. | Digital signature (critical extension) | Code Signing |
| Computer | Machine | Computer | Signature and Encryption | The subject is an end-entity. | Digital signature; Allow key exchange only with key encryption (critical extension) | Client Authentication; Server Authentication |
| Domain Controller | DomainController | Directory e-mail replication | Signature and Encryption | The subject is an end-entity. | Digital signature; Allow key exchange only with key encryption (critical extension) | Client Authentication; Server Authentication |
| EFS Recovery Agent | EFSRecovery | User | Encryption | The subject is an end-entity. | Allow key exchange only with key encryption (critical extension) | File Recovery |
| Enrollment Agent | EnrollmentAgent | User | Signature | The subject is an end-entity. | Digital signature (critical extension) | Certificate Request Agent |
| Enrollment Agent (Computer) | MachineEnrollmentAgent | Computer | Signature | The subject is an end-entity. | Digital signature (critical extension) | Certificate Request Agent |
| Exchange Enrollment Agent (Offline Request) | EnrollmentAgentOffline | User | Signature | The subject is an end-entity. | Digital signature (critical extension) | Certificate Request Agent |
| Exchange Signature Only | ExchangeUserSignature | User | Signature | The subject is an end-entity. | Digital signature (critical extension) | Secure Email |
| Exchange User | ExchangeUser | User | Encryption | The subject is an end-entity. | Allow key exchange only with key encryption (critical extension) | Secure Email |
| IPSec | IPSECIntermediateOnline | Computer | Signature and Encryption | The subject is an end-entity. | Digital signature; Allow key exchange only with key encryption (critical extension) | IP security IKE intermediate |
| IPSec (Offline Request) | IPSECIntermediateOffline | Computer | Signature and Encryption | The subject is an end-entity. | Digital signature; Allow key exchange only with key encryption (critical extension) | IP security IKE intermediate |
| Root Certification Authority | CA | Certification authority (CA) | n/a | The subject is a certification authority (CA) (critical extension). | Digital signature; Certificate signing; CRL signing (critical extension) | None |
| Router (Offline request) | OfflineRouter | Computer | Signature and Encryption | The subject is an end-entity. | Digital signature; Allow key exchange only with key encryption (critical extension) | Client Authentication |
| Smartcard Logon | SmartcardLogon | User | Signature and Encryption | The subject is an end-entity. | Digital signature; Allow key exchange only with key encryption (critical extension) | Client Authentication; Smart Card Logon |
| Smartcard User | SmartcardUser | User | Signature and Encryption | The subject is an end-entity. | Digital signature; Allow key exchange only with key encryption (critical extension) | Secure Email; Client Authentication; Smart Card Logon |
| Subordinate Certification Authority | SubCA | Certification authority (CA) | n/a | The subject is a certification authority (CA) (critical extension). | Digital signature; Certificate signing; CRL signing (critical extension) | None |
| Trust List Signing | CTLSigning | User | Signature | The subject is an end-entity. | Digital signature (critical extension) | Microsoft Trust List Signing |
| User | User | User | Signature and Encryption | The subject is an end-entity. | Digital signature; Allow key exchange only with key encryption (critical extension) | Encrypting File System; Secure Email; Client Authentication |
| User Signature Only | UserSignature | User | Signature | The subject is an end-entity. | Digital signature (critical extension) | Secure Email; Client Authentication |
| Web Server | WebServer | Computer | Signature and Encryption | The subject is an end-entity. | Digital signature; Allow key exchange only with key encryption (critical extension) | Server Authentication |
There are several templates that have additional extensions. These will be covered in a different article.
  • CA Exchange
  • Cross Certification Authority
  • Directory Email Replication
  • Domain Controller Authentication
  • Kerberos Authentication
  • Key Recovery Agent
  • OCSP Response Signing
  • RAS and IAS Server
  • Workstation Authentication
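As an added example (not from the original post), the following PowerShell builds a certreq INF that states the Web Server template's extensions from the table explicitly, which is what a standalone CA needs since it applies no template, and then checks that the issued certificate actually carries them. The subject and SAN names, the CA configuration string and the file paths are placeholders.

```powershell
# Added example: a Web Server request for a standalone CA. Key Usage and Enhanced Key Usage
# are taken from the Web Server row of the table above and written into the INF directly.
# Placeholders: subject/SAN names, the CA config string 'CAHOST\Standalone Root CA', file paths.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=web01.example.local"     ; placeholder subject name
KeyLength = 2048
KeySpec = 1                             ; AT_KEYEXCHANGE: the key may both sign and decrypt
KeyUsage = 0xA0                         ; Digital signature (0x80) + Key encipherment (0x20)
MachineKeySet = TRUE                    ; subject type Computer: key lives in the machine store
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1                 ; Server Authentication

[Extensions]
2.5.29.17 = "{text}"                    ; Subject Alternative Name (placeholder host names)
_continue_ = "dns=web01.example.local&"
_continue_ = "dns=web01&"
'@
Set-Content -Path .\webserver.inf -Value $inf -Encoding ASCII

# Build the PKCS#10 request and submit it. A standalone CA holds it as pending until an
# administrator issues it (Certification Authority console, or: certutil -resubmit <RequestId>).
certreq -new .\webserver.inf .\webserver.req
certreq -submit -config 'CAHOST\Standalone Root CA' .\webserver.req .\webserver.cer

# After issuance: certreq -retrieve <RequestId> .\webserver.cer ; certreq -accept .\webserver.cer
# Then confirm the CA did not strip or alter the requested extensions.
function Test-WebServerExtensions {
    param([string]$CerPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $ku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }   # Key Usage
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Enhanced Key Usage
    $want = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'
    [bool]$ku -and $ku.Critical -and (($ku.KeyUsages -band $want) -eq $want) -and
    [bool]$eku -and [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
}
Test-WebServerExtensions -CerPath .\webserver.cer
```

The same pattern applies to the other rows: change KeyUsage to 0x80 for signature-only templates or 0x20 for encryption-only ones, set MachineKeySet to FALSE for User subjects, and list each Enhanced Key Usage OID on its own line under [EnhancedKeyUsageExtension].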

2 comments:

  1. Thanks for sharing such a detailed and informative blog on digital certificates. Also, it's good to keep the categorization as you mentioned above, i.e. four options for installation: Standalone CA or Enterprise CA and Root or Subordinate, if they serve different purposes.