Active Directory Certificate Services and Rights Management

Active Directory Certificate Services and Rights Management
ADCS (Active Directory Certificate Services) 

When you install the Active Directory Certificate Services, you create an additional name for the Zertifierungsstelle. The name cannot be changed  after the installation  (LORPKI) 

Add Role – Active Directory Certificate Services
Four types of roles 

  • Zertifierungsstelle
  • Here is acting the most important role service, which is the basis of certificate services. It is repsonsible for the build and the management of certificates
  • Zertifierungsstellen – Web enrollment
  • When installed, this service can procure certificates with the the Web address http:// <server> / certsrv
  • Online responder
  • Registrierungsdient for network devices 

the ADCS can be installed as  "Standalone" or "entrerprise"  modus

If entrerprise is selected, Certificate Services are integrated into Active Directory.

Select this option if the cA is a memeber of a doamin nd can use Directory Service to issue and manage certificates
To create certificates correctly for the server without issue  , the server  needs to be a member of the Cert Publishers group. This group is located in the Builtin OU. (runs automatically)
The Certificate Templates are managed with the snap-in certificate templates. This starts when you choose in the context menu certificate templates in the admin console Zertifierungsstelle . 
Each Zertifierungsstelle has its own security administration, which is accessed from the context menu in the properties on the Security tab. Certificates are created on the basis of the certificate templates to Certificate Services, the data and the name of the applicant are read out automatically from Active Directory. 
Standalone CA
Select this option if this CA does not use Directory service data to issue or manage certificates. A standalone CA can be a memeber of a domain 
is used to issue  S / MIME or SSL Certificates if no admin directory assistance is needed . It runs completely independent from the Active Directory
Configuring the Online Certificate Status Protocol
If a Certificate Authority, CA is used in the company, it’s worth to configure the Online Certificate Status Protocol (OCSP). detailed information about the current status of the certification request are available for the client.

Online Responder management can be started from the Administrative Tools program group.
When you install the responder role of the online service, you should manage the OCSP response signing in the certificate template console ..
The next step must be the configuration of the Certificate Authority yet.
You opening the snap-in to manage Zertifierungsstelle and go to the properties of Zertifierungsstelle in the console.
Select the Extensions tab.
In the Select Option field extensions from the access point information.
Click Add
Would like to place the address of the OCSP server is the default http://lorSrv001/ocsp
Confirm the location Dilaogfeld Add OK

Creating a restricted configuration in the administrative console of the Online Responder
Open the Online Responder snap in (Start / Run / oscp.msc
Click in the console tree, lock configuration
Click the Actions pane lock configuration, add, and enter the necessary data. In the third window, click Select Certificate for an existing enterprise CA.

Security for certification bodies to manage.

Sign on the animal card certificate management to control the rights of groups (rights should not be assigned to individual users.

Installing the Entreprise Root CA

Cet article a été publié dans Microsoft - Admin Directory. Ajoutez ce permalien à vos favoris.

Laisser un commentaire

Entrez vos coordonnées ci-dessous ou cliquez sur une icône pour vous connecter:


Vous commentez à l'aide de votre compte Déconnexion /  Changer )

Photo Google+

Vous commentez à l'aide de votre compte Google+. Déconnexion /  Changer )

Image Twitter

Vous commentez à l'aide de votre compte Twitter. Déconnexion /  Changer )

Photo Facebook

Vous commentez à l'aide de votre compte Facebook. Déconnexion /  Changer )


Connexion à %s