Guide to AD Certificate Services certs on Server 2008 Enterprise?
I've been experimenting with the Active Directory Certificate Services on Server 2008 Enterprise, along with the Network Device Enrollment Service, and just noticed a buildup of certificates when using the Certificates snap-in for mmc.exe. I'm speaking of certs in Personal -> Certificates, Trusted Root Certification Authority -> Certificates, Intermediate Certification Authority -> Certificate Revocation Authorities, and Intermediate Certification Authority -> Certificates. There are a number of certs that either include the machine name, include a name that obviously references my company, or both. This is strictly a test server and no clients rely on it for anything. I'd like to strip out all the certificates that don't need to be here, but can't find a guide that explains what is what. For example, I see several certs with names containing my company's name, followed by "Enterprise". I'm thinking I should keep these? Or were they installed with AD CS, and would be reinstalled if I removed and re-added this service? I see some with MSCEP in the name, and am fairly certain these are tied to the Network Device Enrollment Service. I see others that appear in pairs, and with the same date/time stamp. The only difference is that one has a key as part of its icon. Private key and root certificate pairs? And what about the other certs?

If someone can point me to a guide that explains what everything is, that's really all I need. (The built-in help wasn't so helpful, and I haven't been able to find any useful docs online.) Or if you can give a brief explanation here, I'd be very appreciative. In general then, assuming I'm reinstalling the AD CS components, which certs can be deleted?
Thanks!
Todd
August 7th, 2010 1:03am
I read this a year and a half or so ago and it helped a bit, but it is not free...

http://www.amazon.com/Windows-Server-Certificate-Security-PRO-Other/dp/0735625166/ref=sr_1_1?ie=UTF8&s=books&qid=1281149205&sr=8-1

What have you read so far? We might be able to point you to some other stuff.

The certificates that have your company name in them will be regenerated if you reinstall ADCS (these are the steps involving creation of the private key, specifying the length and cryptographic service provider, and creating the root/subordinate CA certificate).

The ones with the key indicate that you have a private key for the certificate. If you open the properties you will see "You have a private key that corresponds to this certificate." For me (I have a standalone CA installed right now), the certificate with the private key attached is for the server and has the "Server Authentication" EKU. The CA cert does not have the private key attached to the certificate, but it is present on the machine for signing purposes (see http://msdn.microsoft.com/en-us/library/aa375596%28VS.85%29.aspx ).

The other certificates in the "Trusted Root Certification Authorities" store are issued by Microsoft or as part of their Microsoft Root Certificate Program, http://technet.microsoft.com/en-us/library/cc751157.aspx

You can remove these, but you will potentially run into issues accessing websites secured by SSL, installing updates and authenticating signed software. These are all signed with a certificate whose chain ends at one of the trusted CAs (oddly enough, not necessarily Microsoft; the certificate for obtaining System Center Operations Manager Management Packs ends at GTE CyberTrust Global Root).

-- Mike Burr
August 7th, 2010 6:04am
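Since Mike's reply distinguishes entries by whether a private key is present and by their EKU, here is an added PowerShell example (not from this thread, and not Microsoft's tooling) that inventories the three stores Todd named and reports exactly those attributes, so each entry can be classified before anything is removed. The function name, the store list and the output columns are my own choices; it assumes Windows PowerShell 2.0 or later with the Cert: provider.

```powershell
# Added example, not from the thread: inventory the local machine's certificate
# stores so each entry can be classified before anything is deleted.
# Assumes Windows PowerShell 2.0+ with the Cert: provider. Store names are the
# Cert: drive names for the MMC folders: My = Personal, Root = Trusted Root
# Certification Authorities, CA = Intermediate Certification Authorities.
function Get-CertInventory {
    param([string[]]$Stores = @('My', 'Root', 'CA'))

    foreach ($store in $Stores) {
        foreach ($cert in (Get-ChildItem -Path "Cert:\LocalMachine\$store")) {
            # Enhanced Key Usage says what the cert is for (e.g. Server Authentication);
            # a cert with no EKU extension is usable for any purpose.
            $ekuExt = $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
            $eku = if ($ekuExt) {
                ($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ', '
            } else { '(any)' }

            New-Object PSObject -Property @{
                Store         = $store
                Subject       = $cert.Subject
                Issuer        = $cert.Issuer
                SelfSigned    = ($cert.Subject -eq $cert.Issuer)  # a root or a root CA's own cert
                HasPrivateKey = $cert.HasPrivateKey               # what the key icon in the snap-in means
                NotAfter      = $cert.NotAfter
                Thumbprint    = $cert.Thumbprint
                EKU           = $eku
            }
        }
    }
}

# Usage: list everything, then narrow to entries that mention this host or
# a company name (replace the placeholder pattern with your own).
$inventory = Get-CertInventory
$inventory | Sort-Object Store, Subject |
    Format-Table Store, Subject, SelfSigned, HasPrivateKey, EKU -AutoSize

$pattern = "$env:COMPUTERNAME|CompanyNamePlaceholder"
$inventory | Where-Object { $_.Subject -match $pattern } |
    Format-List Store, Subject, Issuer, SelfSigned, HasPrivateKey, Thumbprint, NotAfter
```

Entries that show HasPrivateKey = True are the ones the snap-in draws with the key icon; checking the Issuer column against the Subject of a self-signed entry in the Root store shows which CA cert each issued certificate chains to.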
Thanks for the tips, Mike. It's late right now, and I'll re-read your reply and perhaps post more tomorrow. I use OpenSSL a lot and feel like I have a good, general understanding of PKCS...but not from a Windows Server perspective. My biggest issue is making sure that if I delete any certs that either reference the computer name or reference my company's name, I won't be killing the server. The "Enterprise" certs, in particular. The rest I can probably figure out if I pay closer attention (hopefully).

Thanks again,
Todd
August 7th, 2010 8:05am
I've just started re-examining this. I uninstalled all parts of Active Directory Certificate Services (and IIS) and then deleted all certificates on the server that contained the machine name or any reference to my company. Then I reinstalled just the Certificate Authority portion of ADCS. Reinstalling created one Personal Certificate entry, two entries in Trusted Root Certificate Authority, two entries in Intermediate Certificate Authorities -> CRL, and one entry in Intermediate Certificate Authorities -> Certificates. The "Enterprise" certs were not remade...but either a number of reboots or a certain amount of time later, they returned, along with two more Root Certificates and two more Intermediate Certificates. (I suppose the Root and Intermediate areas always mirror each other?) The Enterprise certs, too. The Enterprise certs seem important (still not sure what they do), but automated processes like this frustrate me.

I've noted the PKI and Certificate Authority book on Amazon, but if anyone can point me to a free web tutorial somewhere, I'm just trying to figure out what these certificate and certificate-related entries are used for.

Case in point: the two root certificates that appeared after reinstalling ADCS. One has a key icon and the other doesn't, but viewing each certificate's properties, neither ever contains the text "You have a private key that corresponds to this certificate" on the General tab. Exporting each, the certificate with the key icon randomly gives me an option to export the private key. Other times it is treated as a simple X509 cert, with no PKCS12 export option. I'm assuming it isn't supposed to work this way?

Any clarifications would be most appreciated!

(If this reply doesn't bump my thread to the top, I shall start a new one... :)
August 16th, 2010 7:40pm