AD CS Procedures
Install and configure AD CS with Windows Server Enterprise
| If you are using Windows Server Core, see Install and configure AD CS with Windows Server Core. |
| To create an AD-integrated CA, that is, an Enterprise CA, an account with Enterprise Administrator level privileges is required for the role configuration. |
1. Join the domain.
2. Select Start > Server Manager to open Server Manager.
3. Select Manage, then select Add Roles & Features. The Before you begin window opens. Select Next.
4. On the Select installation type window, make sure the default Role or Feature Based Installation is selected. Select Next.
5. On Server selection, select a server from the server pool. Select Next.
6. On the Select server roles window, select the Active Directory Certificate Services role.
7. When prompted to install Remote Server Administration Tools, select Add Features. Select Next.
8. On the Select features window, select Next.
9. On the Active Directory Certificate Services window, select Next.
10. On the Select role services window, the Certification Authority role is selected by default. Select Next.
11. On the Confirm installation selections window, verify the information, then select Install.
12. When the installation is complete, select the Configure Active Directory Certificate Services on the destination server link.
13. On the Credentials window, make sure that the Administrator's credentials are displayed in the Credentials box. If not, select Change and specify the appropriate credentials. Select Next.
14. On the Role Services window, select Certification Authority. This is the only available selection when the certification authority role is installed on the server. Select Next.
15. On the Setup Type window, select the appropriate CA setup type for your requirements. Select Next.
16. On the CA Type window, Root CA is selected by default. Select Next.
17. On the Private Key window, leave the default selection, Create a new private key, selected. Select Next.
18. On the Cryptography for CA window, select the appropriate nShield cryptographic provider along with the key type, key length and a suitable hash algorithm:
   - RSA#nCipher Security World Key Storage Provider
   - ECDSA_P256#nCipher Security World Key Storage Provider
   - ECDSA_P384#nCipher Security World Key Storage Provider
   - ECDSA_P521#nCipher Security World Key Storage Provider
   If OCS or Softcard protection is used, select the Allow administrator interaction when the private key is accessed by the CA option.
19. Select Next.
20. On the CA Name window, give the appropriate CA name. Select Next.
21. On the Validity Period window, enter the number of years for the certificate to be valid. Select Next.
22. On the CA Database window, leave the default locations for the database and database log files. Select Next.
23. On the Confirmation window, select Configure.
24. If you selected an nCipher cryptographic service provider on the Cryptography for CA window, the nCipher Key Storage Provider - Create a key wizard prompts you to create a new key. Select Next and OK. Select a way to protect the new key. Select Next.
   If either Softcard or OCS (token) protection was chosen when the CSP/CNG providers were installed using the wizards, you will be prompted to either enter the Softcard passphrase / PIN or present the OCS and its credential. There will be no prompt if Module protection was chosen. If you are using a FIPS 140-2 Level 3 Security World, you will need to present either a card from the ACS or an OCS for FIPS authorization before the AD CS key can be generated, irrespective of your chosen protection method.
   When the passphrase(s) have been successfully presented, close the wizard.
25. The Progress window opens during the configuration processing, then the Results window opens. Select Close. If the Installation progress window is still open, select Close on that window also.
26. Register nFast Server as a dependency of AD CS with the ncsvcdep tool in the nfast/bin directory. This is needed because the nShield service must have started before the CA; otherwise the nShield CNG providers will fail. Run the command:
   > ncsvcdep -a certsvc
27. Verify that the CA service has started successfully by running the following command on the command line. Use Windows key + R to open the Run dialog, and type cmd to open the command prompt. Run the command:
   > sc query certsvc
   Output:
   SERVICE_NAME : certsvc
   TYPE : 110 WIN32_OWN_PROCESS (interactive)
   STATE : 4 RUNNING
   (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
   WIN32_EXIT_CODE : 0 (0x0)
   SERVICE_EXIT_CODE : 0 (0x0)
   CHECKPOINT : 0x0
   WAIT_HINT : 0x0
Install and configure AD CS with Windows Server Core
| If you are using Windows Server Enterprise, see Install and configure AD CS with Windows Server Enterprise. |
1. Join the domain by running the command:
   > netdom join $(hostname) /domain:<full_DNS_domain_name> /userd:<user_name> /passwordd:<password>
2. Restart the machine after joining the domain by running the command:
   > shutdown /r /t 0
3. Enable WOW64 if you are working with 32-bit applications.
4. Run PowerShell as an admin user.
5. Install the CA binaries via PowerShell by running the command:
   > Add-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
6. Configure the CA via PowerShell by running the command:
   > Install-AdcsCertificationAuthority -AllowAdministratorInteraction -CAType EnterpriseRootCA -CryptoProviderName ECDSA_P256#HSM_KSP_NAME -KeyLength 256 -HashAlgorithmName SHA256
   Example:
   > Install-AdcsCertificationAuthority -AllowAdministratorInteraction -CACommonName "Fips-128-Module-CA-1" -CAType EnterpriseRootCA -CryptoProviderName "RSA#nCipher Security World Key Storage Provider" -KeyLength 2048 -HashAlgorithmName SHA256
7. When the confirmation message appears, type A and press Enter.
Verify that the CA service has started successfully
To verify that the CA service has started, open a command prompt and run the command:
> sc query certsvc
The expected output is:
SERVICE_NAME : certsvc
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
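The script below is an added example, not part of this guide, that turns the post-installation checks from both procedures above (certsvc running, the nFast Server dependency added by ncsvcdep, the CA registered against the nCipher KSP, and certutil -verifykeys) into a single PowerShell health report. The service name 'nFast Server' and the line format of certutil -getreg output are assumptions; the provider name is the one used in this guide.

```powershell
# Added verification script (not from the Entrust guide). Assumes the CA was
# configured with the nCipher KSP and that 'ncsvcdep -a certsvc' has been run.
$ExpectedProvider = 'nCipher Security World Key Storage Provider'
$NfastServiceName = 'nFast Server'   # assumption: service name matches display name

function Test-CertSvcRunning {
    # Same check as 'sc query certsvc': STATE must be 4 RUNNING.
    $svc = Get-Service -Name certsvc -ErrorAction Stop
    return ($svc.Status -eq 'Running')
}

function Test-NfastDependency {
    # ncsvcdep makes certsvc depend on the nFast Server service so the
    # hardserver is up before the CA loads its CNG provider.
    $svc = Get-Service -Name certsvc -ErrorAction Stop
    $dep = $svc.ServicesDependedOn | Where-Object {
        $_.Name -eq $NfastServiceName -or $_.DisplayName -eq $NfastServiceName
    }
    return [bool]$dep
}

function Get-CaProviderName {
    # certutil -getreg reads the CA's registered provider name from
    # HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA>\CSP.
    # Expected line format (assumption): "  Provider REG_SZ = <name>".
    $out = & certutil.exe -getreg 'ca\csp\Provider' 2>&1 | Out-String
    if ($out -match '(?m)^\s*Provider\s+REG_SZ\s*=\s*(.+?)\s*$') {
        return $Matches[1]
    }
    return $null
}

function Test-CaKeys {
    # certutil -verifykeys checks the CA certificate against the key held in
    # the KSP; a non-zero exit code means the key could not be verified.
    & certutil.exe -verifykeys | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Get-CaHealthReport {
    $provider = Get-CaProviderName
    [pscustomobject]@{
        CertSvcRunning    = Test-CertSvcRunning
        NfastDependency   = Test-NfastDependency
        Provider          = $provider
        ProviderIsNShield = ($null -ne $provider -and $provider -like "*$ExpectedProvider*")
        KeysVerified      = Test-CaKeys
    }
}

# Run from an elevated PowerShell on the CA; every field should be True
# (Provider should name the nCipher KSP) before you continue to the
# auto-enrollment and template procedures.
Get-CaHealthReport | Format-List
```

A False in NfastDependency means ncsvcdep was not run (or was run against a different service name), which is the usual cause of the CNG providers failing after a reboot; a False in KeysVerified usually means the CA key is not reachable through the Security World (no module, or the OCS/Softcard credential was not presented).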
Configure auto-enrollment group policy for a domain
To complete the integration procedures, you must configure auto-enrollment as a group policy:
1. On the domain controller, select Start > Administrative Tools > Group Policy Management.
2. Select Forest, then select your Domain and expand it.
3. Double-click Group Policy Objects in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.
4. Right-click the Default Domain Policy GPO, then select Edit.
5. In the Group Policy Management Editor, select Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
6. Double-click Certificate Services Client - Auto-Enrollment.
7. In Configuration Model, select Enabled to enable auto-enrollment. Select the following options:
   - Renew expired certificates, update pending certificates, and remove revoked certificates.
   - Update certificates that use certificate templates.
8. Select Apply and OK to accept your changes and close the Editor.
Configure the HSM with Certificate Services
Configure Certificate Services with a new key
To install the Certificate Server using the nShield HSM Key Storage Provider (KSP):
1. Install and configure the HSM hardware and software as described in Install Security World.
2. Install Microsoft Active Directory Certificate Services as described in Install and configure AD CS with Windows Server Enterprise, with the following settings:
   - In the Private Key window, select Create a new private key. Select Next.
3. Continue the CA setup as described in the section Install and configure AD CS with Windows Server Enterprise.
Configure Certificate Services using an existing private key
To install the Certificate Server using the nShield HSM KSP with an existing HSM private key:
1. Install and configure the HSM hardware and software as described in .
2. Install Microsoft Active Directory Certificate Services as described in Install and configure AD CS with Windows Server Enterprise.
3. In the Private Key window, select Use existing private key, then Select an existing private key on this computer. Select Next.
4. In the Select Existing Key window, select Change.
5. In the Change Cryptographic Provider window, select the CSP that contains the created key. Delete the contents of the CA common name field, then select Search. The search finds the existing private key. Select the key, then select Allow administrator interaction when the private key is accessed by the CA. Select Next.
6. In the Cryptography for CA window, select the appropriate hash algorithm. Select Next.
7. In the CA Name window, select Next.
8. In the Validity Period window, specify the validity period. Select Next.
9. In the CA Database window, specify the certificate database locations and certificate database log locations. Select Next.
10. In the Confirmation window, select Configure.
11. Wait for the configuration to complete. After successful completion, close the AD CS configuration window.
12. Verify that the CA service has successfully started by running the command:
   > sc query certsvc
13. Verify the CA key by running the command:
   > certutil -verifykeys
Configure Certificate Enrollment to use CA templates on the AD CS Server
This section describes how to create certificate templates when the private key is managed using an HSM. All subscribers who enroll for a certificate based on such a template must have a client connection to the HSM.
| If a CA installed on Windows Server Core is managed remotely, the snap-ins in this section must be run on a separate machine with GUI capabilities. |
To integrate the CA certificate enrollment functionality with a CA private key generated by an nShield HSM:
1. Create a CA template that uses the nShield HSM KSP:
   a. Run certtmpl.msc.
   b. Right-click the Administrator template, then select Duplicate Template. The Properties window opens, showing the Compatibility tab.
   c. Select Windows Server 2016 in both the Certification Authority and Certificate Recipient drop-down boxes.
   d. Select the General tab. In Template Display Name, type a name for the template.
   e. Select the Request Handling tab, and in Purpose, select Signature and deselect Allow private key to be exported.
   f. Select the Cryptography tab and in the Provider category select Key storage provider.
   g. In Algorithm Name, select the algorithm from the list.
   h. Select Requests must use one of the following providers and in Providers, select nCipher Security World Key Storage Provider only.
      If the CA is on Windows Server Core and you are managing it remotely using certtmpl.msc on a different PC, you need to install the nShield Key Storage Provider on the PC that is running certtmpl.msc. Otherwise, the nShield provider will not appear.
   i. In Request Hash, select a hash type.
   j. Select the Subject Name tab and deselect Include e-mail name in subject name and deselect E-mail name.
   k. Select Apply and OK to save the template settings and close the Certificate Templates console.
2. Make sure the RpcLocator service is running, then run certsrv.msc.
   Windows Server Core:
   - If a CA is configured on Windows Server Core and is managed via the Microsoft Management Console (MMC) from a different machine, you might get an error which states: Cannot manage Active Directory Certificate Services. To fix this, select OK, then in the certsrv.msc console that appears, select Action > Retarget Certification Authority. In the window that appears, select Another Computer, then select Browse to find the CA you want to manage.
   - Sometimes an error appears indicating that the RPC server is unavailable. To fix this, sign in to the Windows Server Core machine and minimize the command prompt. A window prompts you to load a key. Complete the steps in the window and attempt to select the CA again from certsrv.msc.
3. In the left-hand pane, double-click the CA name.
4. Right-click the Certificate Templates node, then select New > Certificate Template to Issue.
5. Select the template you just created, then select OK.
6. Request a certificate based on the template:
   a. Run certmgr.msc.
   b. In the left-hand pane, right-click the Personal node, then select All Tasks > Request New Certificate.
   c. Select Next in the first two windows.
   d. Select the template that you created, then select Enroll.
      If a CA installed on Windows Server Core is managed remotely, steps e-h may not take place. A new key is still created to be associated with the certificate. If the STATUS: Succeeded message appears, the procedure is complete.
   e. The Key Storage Provider window appears. Select Next.
   f. Insert the Administrator card(s), and enter the passphrase or PIN when prompted.
   g. Proceed to create the new key to be associated with the certificate.
   h. Select the type of protection you want to use. Select Next.
   i. Depending on the key protection method, enter the required credentials. The Certificate Installation Results window should show STATUS: Succeeded. Select Finish.
      If passphrase authentication is enabled, a prompt for the passphrase appears.
7. Verify that the certificate is enrolled successfully. If the certificate fails to enroll because the CA is not started or the RPC ports are blocked, the following error appears:
   Error: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
   The enrollment wizard shows whether the certificate enrollment was successful or failed. Use Details to check the main information.
Set up key use counter
Key use counter overview
Setting up key use counter is optional. If you require key use counter, follow the procedures described in this section. The procedures described in this section do not apply to most setups.
| If you do not follow the procedures described in this section, key use counter is not installed. You cannot add key use counter to a key retrospectively. |
The key use counter audits usage of the CA signing key. It maintains a count of how many times the key has been used. The key use counter should only be used with a root CA that has a low volume of signings where the count can be logged immediately before servicing a signature request and after the signature request has been serviced. This ensures that any illicit use of the CA is revealed through discrepancies in the counter log.
| Note the following information about the key use counter: |
- The counter is in the NVRAM of the HSM. To access the key count value in NVRAM, users must present the ACS to the HSM.
- The counter is a 64-bit integer counter associated with a single private key.
- The counter is started at zero.
- If the maximum count is reached, the counter restarts at zero.
- The counter can exist only on one HSM. If more than one HSM is attached to the server, you must select which HSM stores the counter.
- If the module firmware is upgraded, the counter value is lost.
- The key counter can only be set at HSM initialization. It cannot be activated after deployment.
Install Certificate Services with key use counter
To install Certificate Services with key use counter:
1. If it is not already on your system installation, create the %SystemRoot%\capolicy.inf file, where %SystemRoot% is the system environment variable for the Windows installation folder (by default C:\WINDOWS\capolicy.inf), with the following content:
   [Version]
   Signature="$Windows NT$"
   [certsrv_server]
   EnableKeyCounting=True
   You must create the capolicy.inf file before Certificate Services is installed.
2. Install the CA using the HSM KSP.
3. Enable auditing for the CA service by running the command:
   > certutil -setreg ca\auditfilter 1
4. Stop the certsvc service. Run:
   > net stop certsvc
5. Select Start > Administrative Tools > Certification Authority, right-click the CA, then select Properties.
6. Select the Auditing tab and check the box for Start and Stop Active Directory Certificate Services.
7. Select Start > Administrative Tools > Local Security Policy.
   Windows Server Core:
   - You need to follow steps 7-10 on the machine that is remotely managing the Windows Server Core, export the local security policy, then import it to the Windows Server Core machine.
8. Select Local Policy, expand it, then select Audit Policy.
9. In the right pane, double-click Audit Object Access, then select Success and Failure.
10. Select Apply, select OK, then close the window.
   Windows Server Core:
   - After step 10, run secpol.msc. Select Security Settings > Export Policy. Give the .inf file a name, then select Save. Transfer the file from this machine to Windows Server Core, then run the following command:
     secedit.exe /configure /db Windows\security\local.sdb /cfg C:\securitypolicy.inf
     When this command has completed successfully, continue with step 11.
11. Update the local security policies by opening a command prompt and running the command:
   > gpupdate.exe /force
12. Restart the CA service to pick up the changes by running the command:
   > net start certsvc
   You will be prompted to enter the CA certificate credentials upon CA restart.
13. Run Eventvwr.exe.
   Windows Server Core:
   Launch the Microsoft Management Console. Select File > Add/Remove Snap-in > Event Viewer > Add. In the window that appears, select Another computer, then select Browse. Enter the name of the machine, then select OK several more times. Event Viewer should now be managing the Windows Server Core machine remotely.
14. Select Windows Logs > Security.
15. Filter for event ID 4881 (CA startup event) or event ID 4880.
16. Verify that the CA startup event shows the PrivateKeyUsageCount property with a corresponding value.
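The PowerShell below is an added example, not part of this guide, covering the two scripted parts of this procedure: writing capolicy.inf before the CA role is configured (step 1), and reading the PrivateKeyUsageCount property from the CA start/stop events (steps 15-16) so that the count logged before and after each signing session can be compared, which is the discrepancy check the overview describes. It assumes the auditing steps above are complete and that the CA is stopped and started around each signing session; the baseline file path is an assumption.

```powershell
# Added example (not from the Entrust guide). Assumes certutil -setreg
# ca\auditfilter 1 and Audit Object Access are in place so that events
# 4880/4881 in the Security log carry PrivateKeyUsageCount.
$BaselineFile = 'C:\ProgramData\CA-KeyCounter\baseline.json'   # assumed path

function New-CaPolicyFile {
    param([string]$Path = "$env:SystemRoot\capolicy.inf")
    # Must exist before the CA is installed; the counter cannot be added later.
    $content = @'
[Version]
Signature="$Windows NT$"
[certsrv_server]
EnableKeyCounting=True
'@
    Set-Content -Path $Path -Value $content -Encoding ASCII
    return $Path
}

function Get-KeyUsageCountEvents {
    param([int]$MaxEvents = 50)
    # 4880 and 4881 are the Certificate Services start/stop audit events; the
    # PrivateKeyUsageCount field is read from each event's XML payload.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4880, 4881 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $field = $xml.Event.EventData.Data | Where-Object { $_.Name -eq 'PrivateKeyUsageCount' }
        [pscustomobject]@{
            Time  = $_.TimeCreated
            Id    = $_.Id
            Count = if ($field -and $field.'#text') { [int64]$field.'#text' } else { $null }
        }
    }
}

function Test-KeyUsageCount {
    # Compare the count recorded after the previous session with the latest
    # count; any increase not explained by $ExpectedSignings is a discrepancy.
    param([int64]$ExpectedSignings = 0)
    $latest = Get-KeyUsageCountEvents | Where-Object { $null -ne $_.Count } | Select-Object -First 1
    if (-not $latest) {
        throw 'No CA start/stop event with PrivateKeyUsageCount found; check the auditing steps.'
    }
    $baseline = $null
    if (Test-Path $BaselineFile) {
        $baseline = [int64](Get-Content $BaselineFile -Raw | ConvertFrom-Json).Count
    }
    $wrapped = ($null -ne $baseline) -and ($latest.Count -lt $baseline)   # counter restarts at zero
    $delta   = if ($null -eq $baseline -or $wrapped) { $null } else { $latest.Count - $baseline }
    $result  = [pscustomobject]@{
        Previous    = $baseline
        Current     = $latest.Count
        EventId     = $latest.Id
        EventTime   = $latest.Time
        Expected    = $ExpectedSignings
        Delta       = $delta
        Wrapped     = $wrapped
        Discrepancy = ($null -ne $delta) -and ($delta -ne $ExpectedSignings)
    }
    # Record the current count as the baseline for the next session.
    New-Item -ItemType Directory -Path (Split-Path $BaselineFile) -Force | Out-Null
    @{ Count = $latest.Count; Time = $latest.Time } | ConvertTo-Json | Set-Content $BaselineFile
    return $result
}

# Usage: run New-CaPolicyFile before step 2 of this procedure, then after each
# controlled signing session (net stop / net start certsvc) run, for example:
#   Test-KeyUsageCount -ExpectedSignings 1
# and treat Discrepancy = True (or an unexplained Wrapped = True) as illicit use.
```

The first run has no baseline and reports Discrepancy = False; from the second run on, Delta is the number of signatures the HSM made with the CA key between two recorded counts, and the check fails whenever that differs from the number of requests the operator actually serviced. The baseline file should be protected like any other audit record, since an attacker who can edit it can hide a discrepancy.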