Transcript
Page 1

Cross-Forest Certificate Enrollment using Certificate Enrollment Web Services

Overview

This session will discuss services originally added in Windows Server® 2008 R2 and then improved upon in Windows Server® 2012 and Windows® 8 that allow for cross-forest certificate enrollment and renewal. You will learn how to deploy certificates between Active Directory Domain Services (AD DS) forests using Certificate Enrollment Web Services.

By Kurt Hudson, Senior Technical Writer, Microsoft

Page 2

Example Configuration

(Diagram; only its labels survive in the transcript.) The certificate templates are published with the CES URI. The client receives the CEP URI (CEP1) from a GPO, talks to the Certificate Enrollment Policy Web Service over HTTPS, and then to the Certificate Enrollment Web Service over HTTPS. CES submits requests to the CA over RPC/DCOM, and CEP reads the templates from AD DS over LDAP.

DNS name resolution between forests is required.

Page 3

Cross-Forest Requirements

- HTTPS access between the forests
- DNS name resolution between the forests
- Certificate clients must trust the root certification authority (CA). This is typically part of the setup in the home forest, but not in the foreign forest.
- Enterprise CA
- Appropriately configured and issued certificate templates
- CES user account needs Read permission on the CA
- CES user account needs to be a member of IIS_IUSRS
- User credentials to obtain a certificate
- A certificate could be manually transferred to the other forest and used for authentication between forests
- Certificate Enrollment Web Service, which also requires an SSL certificate
- Certificate Enrollment Policy Web Service, which also requires an SSL certificate
- URI of the Certificate Enrollment Policy Web Service application, distributed in a Group Policy Object (GPO), added to local policy, or manually entered
- If using renewal-only mode, then you need to run the following command on the CA. The flag lets the CES account submit renewal requests on behalf of other principals, so treat that account as a privileged one:

  Certutil -config "APP1.corp.contoso.com\IssuingCA-APP1" -setreg policy\EditFlags +EDITF_ENABLERENEWONBEHALFOF

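The script below is an added example, not part of the slide deck, that walks through the requirements above from a certificate client in the foreign forest and finishes with the renewal-only flag on the CA. The CEP URI, the host names, the root CA thumbprint and the CES service account name are assumptions; the CA configuration string is the one used on the slide. Read permission on the CA is not checked here (verify it on the Security tab of the CA in the Certification Authority console).

```powershell
# Added example, not from the slide deck. Pre-flight checks for the cross-forest
# requirements above. Values marked "assumed" are placeholders for this example.
$cepUri      = 'https://app1.corp.contoso.com/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP'  # assumed CEP URI
$caConfig    = 'APP1.corp.contoso.com\IssuingCA-APP1'        # CA config string from the slide
$rootCaThumb = '0123456789ABCDEF0123456789ABCDEF01234567'    # assumed root CA thumbprint
$cesAccount  = 'CORP\svc-ces'                                 # assumed CES service account

$cepHost = ([uri]$cepUri).Host

# 1. DNS name resolution between the forests (conditional forwarder or stub zone)
$dns = Resolve-DnsName -Name $cepHost -Type A -ErrorAction SilentlyContinue
if ($dns) { "DNS:   $cepHost -> $(($dns | Where-Object IPAddress | Select-Object -First 1).IPAddress)" }
else      { Write-Warning "DNS:   cannot resolve $cepHost from this forest" }

# 2. HTTPS reachability: is TCP 443 open at all before we look at certificates?
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($cepHost, 443); "HTTPS: TCP 443 open on $cepHost" }
catch   { Write-Warning "HTTPS: cannot reach ${cepHost}:443 - $($_.Exception.Message)" }
finally { $tcp.Dispose() }

# 3. Root CA trust: nothing in the foreign forest publishes the home forest's root,
#    so it has to be present in the machine's Trusted Root store by other means.
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $rootCaThumb
if ($root) { "Trust: root CA '$($root.Subject)' is in the Trusted Root store" }
else       { Write-Warning "Trust: root CA $rootCaThumb missing; import it with: certutil -addstore Root <root.cer>" }

# 4. TLS chain of the CEP server as this client sees it. Any HTTP-level error (401, 400, 405)
#    means the handshake succeeded; TrustFailure means the SSL certificate chain is not trusted here.
try {
    $req = [System.Net.HttpWebRequest]::Create($cepUri)
    $req.Timeout = 5000
    $null = $req.GetResponse()
    "TLS:   certificate chain for $cepHost validated"
} catch [System.Net.WebException] {
    if ($_.Exception.Status -eq [System.Net.WebExceptionStatus]::TrustFailure) {
        Write-Warning "TLS:   server certificate for $cepHost is not trusted by this client"
    } else {
        "TLS:   handshake OK (HTTP-level status: $($_.Exception.Status))"
    }
}

# 5. On the CES server: the service account must be a member of IIS_IUSRS
$members = & net localgroup IIS_IUSRS
if ($members -match [regex]::Escape($cesAccount)) { "IIS:   $cesAccount is in IIS_IUSRS" }
else { Write-Warning "IIS:   add it with: net localgroup IIS_IUSRS $cesAccount /add" }

# 6. On the CA (or remotely through -config): renewal-only mode needs EDITF_ENABLERENEWONBEHALFOF.
#    certutil -getreg prints the EditFlags bits that are set by name, so a text match is enough.
$flags = & certutil -config $caConfig -getreg policy\EditFlags
if ($flags -match 'EDITF_ENABLERENEWONBEHALFOF') { "CA:    EDITF_ENABLERENEWONBEHALFOF already set" }
else {
    & certutil -config $caConfig -setreg policy\EditFlags +EDITF_ENABLERENEWONBEHALFOF
    # EditFlags are read when the CA service starts, so restart it (run this on the CA itself)
    & net stop certsvc; & net start certsvc
}
```

Steps 1 to 4 run on the client, step 5 on the CES server and step 6 on the CA; the TLS check in step 4 is the one that catches the common cross-forest failure, a CEP/CES SSL certificate issued by the home forest's CA that the foreign-forest client has never been told to trust.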
Page 4

Key-based Renewal Additional Requirements

- Windows Server 2012
  - Certification authority
  - Certificate Enrollment Policy Web Service
  - Certificate Enrollment Web Service
- Windows 8 or Windows Server 2012 certificate clients
- Certificate Enrollment Policy Web Service configured for key-based renewal
- Certificate templates issued that are configured to allow key-based renewal

Page 5

Key-Based Renewal

- Specific Certificate Template Requirements

Page 6

Certificate Enrollment Policy Web Service Installation

Install-AdcsEnrollmentPolicyWebService -AuthenticationType <type> -KeyBasedRenewal -SSLCertThumbprint <thumbprint>

The thumbprint can be read from the server's certificate store, for example from within Cert:\LocalMachine\My:

(dir -dnsname <dnscomputername>).Thumbprint

In key-based renewal mode, the policy server URIs will show only the key-based renewal enabled templates. Key-based renewal mode goes with the Username or Certificate authentication type, not with Kerberos.

AD CS Deployment Cmdlets in Windows PowerShell

The Windows PowerShell cmdlet must be used when you want to deploy multiple enrollment policy virtual applications on the same server.

Page 7

Certificate Enrollment Web Service Installation

Install-AdcsEnrollmentWebService -CAConfig "<config>" -SSLCertThumbprint <thumbprint> -AuthenticationType <type> [-RenewalOnly] [-AllowKeyBasedRenewal]

- -CAConfig "<config>": the CA configuration string, <CA host FQDN>\<CA name>
- -SSLCertThumbprint <thumbprint>: for example (dir -dnsname <dnscomputername>).Thumbprint from within Cert:\LocalMachine\My
- -AuthenticationType <type>: Username, Certificate, or Kerberos
- -RenewalOnly: only for renewal-only mode
- -AllowKeyBasedRenewal: only for key-based renewal, together with -RenewalOnly

As with the policy service, the Windows PowerShell cmdlet must be used when you want to deploy multiple virtual applications on the same server.

AD CS Deployment Cmdlets in Windows PowerShell
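The following script is an added example, not from the slide deck, that puts the two installation commands from this slide and the previous one together: a CEP instance in key-based renewal mode, the matching renewal-only CES, and a second CEP instance for ordinary Kerberos enrollment on the same server (the multi-instance case the slides say needs the cmdlets). The host name, the CA configuration string and the service account are assumed placeholders; the cmdlets and parameters are the AD CS deployment cmdlets the slides refer to.

```powershell
# Added example, not from the slide deck. Host name, CA config string and service
# account are assumed placeholders for this example.
$serverDns  = 'app1.corp.contoso.com'                  # assumed DNS name in the SSL certificate
$caConfig   = 'APP1.corp.contoso.com\IssuingCA-APP1'   # CA config string used on the slides
$svcAccount = 'CORP\svc-ces'                           # assumed CES service account (Read on the CA, member of IIS_IUSRS)
$svcCred    = Get-Credential -UserName $svcAccount -Message 'CES service account password'

# The slide's (dir -dnsname <dnscomputername>).Thumbprint made explicit: the certificate
# issued for this host name that has a private key and the latest expiry.
$sslCert = Get-ChildItem Cert:\LocalMachine\My -DnsName $serverDns |
           Where-Object HasPrivateKey |
           Sort-Object NotAfter -Descending |
           Select-Object -First 1
if (-not $sslCert) { throw "No certificate for $serverDns with a private key in Cert:\LocalMachine\My" }
$thumb = $sslCert.Thumbprint

# Role services for both web services
Import-Module ServerManager
Install-WindowsFeature ADCS-Enroll-Web-Pol, ADCS-Enroll-Web-Svc -IncludeManagementTools | Out-Null

# 1. Policy service in key-based renewal mode: it lists only templates that allow
#    key-based renewal. Certificate authentication, so the client's existing certificate
#    is what authenticates it (Username is the other option for this mode).
Install-AdcsEnrollmentPolicyWebService -AuthenticationType Certificate -KeyBasedRenewal `
    -SSLCertThumbprint $thumb -Force

# 2. Enrollment service in renewal-only mode that accepts key-based renewal. The CA must
#    have EDITF_ENABLERENEWONBEHALFOF set (requirements slide) for renewal-only mode.
Install-AdcsEnrollmentWebService -CAConfig $caConfig -SSLCertThumbprint $thumb `
    -AuthenticationType Certificate -ServiceAccountName $svcAccount `
    -ServiceAccountPassword $svcCred.Password -RenewalOnly -AllowKeyBasedRenewal -Force

# 3. A second policy instance on the same server for normal Kerberos enrollment.
#    Each instance becomes its own IIS virtual application with its own ID.
Install-AdcsEnrollmentPolicyWebService -AuthenticationType Kerberos -SSLCertThumbprint $thumb -Force

iisreset | Out-Null

# What IIS now hosts; the CEP/CES application paths are what goes into the client URIs
Import-Module WebAdministration
Get-WebApplication -Site 'Default Web Site' | Select-Object path, applicationPool
```

Run it elevated on the server that will host the web services. The service account is the one that needs Read on the CA and membership in IIS_IUSRS; giving it only those rights, and nothing else in the home forest, keeps the blast radius small if the CES host is compromised.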

Page 8

Testing Key-Based Renewal

From the certificate client, run these commands from Windows PowerShell:

- Cd Cert:\LocalMachine\My
- Dir | format-list
- certutil -f -policyserver * -policycache delete
- certreq -machine -q -enroll -cert <thumbprint> renew
- Dir | format-list
- Is there a new thumbprint? If yes, success!
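Below is an added example, not from the slide deck, that runs the same test as a function: it snapshots the machine store, flushes the policy cache, calls certreq, and then returns the old and new certificates instead of leaving you to compare two directory listings by eye. The thumbprint in the final call is an assumed placeholder.

```powershell
# Added example, not from the slide deck. Key-based renewal test as a function with a
# return value. The thumbprint passed in at the bottom is an assumed placeholder.
function Test-KeyBasedRenewal {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)

    $store = 'Cert:\LocalMachine\My'
    $old   = Get-Item "$store\$Thumbprint" -ErrorAction Stop
    if (-not $old.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key; key-based renewal cannot sign with it"
    }
    $before = @(Get-ChildItem $store | Select-Object -ExpandProperty Thumbprint)

    # Forget cached enrollment policy so the client re-reads it from the CEP server
    & certutil -f -policyserver * -policycache delete | Out-Null

    # Renew in the machine context, quietly, authenticating with the existing key
    $output = & certreq -machine -q -enroll -cert $Thumbprint renew 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certreq failed (exit $LASTEXITCODE): $($output -join ' ')" }

    # The renewed certificate has the same subject and a thumbprint we had not seen before
    $new = Get-ChildItem $store |
           Where-Object { $_.Subject -eq $old.Subject -and $before -notcontains $_.Thumbprint } |
           Sort-Object NotBefore -Descending |
           Select-Object -First 1
    if (-not $new) { throw "certreq returned 0 but no new certificate for '$($old.Subject)' appeared" }

    # Whether the template kept the existing key or generated a fresh one; both are valid outcomes
    $oldKey = [Convert]::ToBase64String($old.PublicKey.EncodedKeyValue.RawData)
    $newKey = [Convert]::ToBase64String($new.PublicKey.EncodedKeyValue.RawData)

    [pscustomobject]@{
        Subject       = $old.Subject
        OldThumbprint = $old.Thumbprint
        OldNotAfter   = $old.NotAfter
        NewThumbprint = $new.Thumbprint
        NewNotAfter   = $new.NotAfter
        SameKey       = ($oldKey -eq $newKey)
    }
}

# Assumed placeholder thumbprint of the certificate to renew
Test-KeyBasedRenewal -Thumbprint '0123456789ABCDEF0123456789ABCDEF01234567' | Format-List
```

Run it from an elevated PowerShell on the client. A non-zero certreq exit with the policy cache freshly deleted usually means the client is hitting a policy server URI that does not list the certificate's template for key-based renewal, which is the check on Troubleshooting 2/6.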

Page 9

Registry Locations for Policy Servers on the Client

- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\PolicyServers for enrollment policies shown as "Configured by your administrator"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\PolicyServers for enrollment policies listed as "Configured by you"
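The script below is an added example, not from the slide deck, that lists the policy servers a client knows about from the two registry locations on this slide and can remove a stale "Configured by you" entry, which is the "clear registry locations on the client" step from Troubleshooting 6/6. It also reads the per-user equivalent under HKCU, which the slide does not mention. The value names read from each policy-server subkey (URL, PolicyID, FriendlyName, Flags, AuthFlags) are assumptions drawn from inspecting clients, not from the slide; the script tolerates any of them being absent.

```powershell
# Added example, not from the slide deck. Value names under each policy-server subkey
# (URL, PolicyID, FriendlyName, Flags, AuthFlags) are assumptions; missing ones come back empty.
$PolicyServerLocations = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\PolicyServers'; Source = 'Configured by your administrator' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Cryptography\PolicyServers';          Source = 'Configured by you (machine)' }
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Cryptography\PolicyServers';          Source = 'Configured by you (user)' }   # addition beyond the slide
)

function Get-EnrollmentPolicyServer {
    foreach ($loc in $PolicyServerLocations) {
        if (-not (Test-Path $loc.Path)) { continue }
        foreach ($key in Get-ChildItem $loc.Path) {
            $p = Get-ItemProperty $key.PSPath
            [pscustomobject]@{
                Source       = $loc.Source
                Path         = $key.PSPath
                URL          = $p.URL
                PolicyID     = $p.PolicyID
                FriendlyName = $p.FriendlyName
                Flags        = $p.Flags
                AuthFlags    = $p.AuthFlags
            }
        }
    }
}

# Remove a stale or wrong entry the client itself created. Admin-configured entries come
# back from Group Policy on the next refresh, so those are fixed in the GPO, not here.
function Remove-EnrollmentPolicyServer {
    param([Parameter(Mandatory = $true)][string]$Url)
    $removed = @()
    Get-EnrollmentPolicyServer |
        Where-Object { $_.URL -eq $Url -and $_.Source -like 'Configured by you*' } |
        ForEach-Object {
            Remove-Item -LiteralPath $_.Path -Recurse
            $removed += $_.Path
        }
    # The client also caches the policy it downloaded; flush that too
    & certutil -f -policyserver * -policycache delete | Out-Null
    $removed
}

Get-EnrollmentPolicyServer | Format-Table Source, FriendlyName, URL, PolicyID -AutoSize
```

Seeing the same URL under both the administrator and the "Configured by you" location is the usual sign of a manual test entry that later collided with the GPO-delivered one; remove the manual copy and let the GPO entry win.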

Page 10

Troubleshooting 1/6

- CA invalid or incorrect
  - Add root CA to Trusted Roots

Page 11

Troubleshooting 2/6

Cannot see certificate templates from the client. Things to check:

- Template is issued
- Connectivity
  - HTTPS
  - DNS can resolve the URI
- Certificate type: are you requesting the right type?
  - User
  - Service
  - Computer
- Template settings
  - Read permissions
  - Enroll permissions
  - Ensure that you are not using a key-based renewal URI while expecting a template that is not configured for key-based renewal
- Compatibility tab (more later)

Page 12

Troubleshooting 3/6

- Validate Server
  - Error: This ID conflicts with an existing ID
  - Resolution: Change the Application Settings ID of one of the conflicting virtual applications. The ID identifies a policy server to clients and must be unique per CEP virtual application on the server.

Page 14

Troubleshooting 5/6

- The Compatibility tab is supposed to make life easier for the administrator: it disables settings that don't work for the specified CAs or clients.
- One issue is that when Windows Server 2012 is selected as the Certification Authority, Windows 7 and Windows Server 2008 R2 clients don't see the template (it becomes a version 4 template, which those clients do not support). Resolution: set the Certification Authority compatibility setting to Windows Server 2008 R2 in order to service those clients.

Page 15

Troubleshooting 6/6

- When you make changes to your configuration
  - Restart IIS (iisreset) on the Certificate Enrollment Web Service server and on the Certificate Enrollment Policy Web Service server
  - Delete the client policy enrollment server cache: Certutil -f -policyserver * -policycache delete
  - You may have to clear the registry locations on the client
  - You may have to update the URIs in Group Policy
- Ensure that your CRL is up to date: certutil -crl (run on the CA; it publishes a new CRL)

Page 16

Additional Information Links

- Certificate Enrollment Web Services in Active Directory Certificate Services
- AskDS Blog: Certificate Enrollment Web Services
- Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy
- Test Lab Guide: Demonstrating Certificate Key-Based Renewal
- Test Lab Guide Mini-Module: Cross-Forest Certificate Enrollment using Certificate Enrollment Web Services

