Manage Certificate Revocations

Certificate revocation allows you to control which certificates remain trusted. Certificates may become invalid either because they expire or because they are compromised, and a compromised certificate is revoked. The certificate server maintains a list of revoked certificates and publishes it at specified intervals in a CRL (Certificate Revocation List). Clients check this list to ensure that a presented certificate, and each certificate in its chain, has not been revoked. A certificate manager can revoke a certificate through the CA console.

The high-level steps to create a revocation configuration for a CA are: specify the CRL distribution points, configure the CRL and Delta CRL overlap periods, and schedule the publication of CRLs.

To specify the CRL Distribution points, you need to:
  1. Click Start->Settings->Administrative Tools->Certification Authority
  2. Right-click the Root CA and select Properties from the menu that appears. The properties window of the Root CA appears.
  3. Click the Extensions tab and verify that the Select extension dropdown list contains a set of CRL distribution points, as shown in Figure 7-17.
  4. Ensure that the options Publish CRLs to this location and Publish Delta CRLs to this location are enabled.
  5. Click OK. If you have made any changes, you must stop and restart the AD CS service.
    Figure 7-17

    Now you should configure the CRL and Delta CRL overlap periods. To configure them you need to use the certutil command.

  6. Type the following commands on the issuing CA at an elevated command prompt (the period value is one of Minutes, Hours, Days, Weeks, Months or Years; the units value is a number):
    • certutil -setreg CA\CRLOverlapPeriod <Minutes|Hours|Days|Weeks|Months|Years>
    • certutil -setreg CA\CRLOverlapUnits <number>
    • certutil -setreg CA\CRLDeltaOverlapPeriod <Minutes|Hours|Days|Weeks|Months|Years>
    • certutil -setreg CA\CRLDeltaOverlapUnits <number>

    For example, to set a CRL overlap of 24 hours and a Delta CRL overlap of 12 months:
    • certutil -setreg CA\CRLOverlapPeriod "Hours"
    • certutil -setreg CA\CRLOverlapUnits 24
    • certutil -setreg CA\CRLDeltaOverlapPeriod "Months"
    • certutil -setreg CA\CRLDeltaOverlapUnits 12
  7. Stop and then restart the certification service by typing the commands:
    • net stop certsvc
    • net start certsvc

    You should now configure the publication of the CRLs. To configure the publication of CRLs, you need to go to the Certification Authority console again.

  8. Click Start->Settings->Administrative Tools->Certification Authority
  9. Expand the Root CA, right-click the Revoked Certificates node and then select Properties from the menu that appears. The Revoked Certificates Properties window appears, as shown in the figure.
  10. Configure the CRL publication interval and the Publish Delta CRLs interval as desired, or accept the default values, as shown in Figure 7-18. Before configuring the intervals, note that shorter intervals ensure higher availability of current CRLs, because clients receive revocation information more quickly:
    Figure 7-18
  11. Click OK. The revocation configuration is complete.
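The overlap procedure above, scripted and verified end to end, as an added example that is not part of the original page. It assumes it runs elevated on the issuing CA itself, that the Active value under the CertSvc\Configuration registry key names that CA, and that the period, overlap and propagation-delay figures are illustrative choices rather than the page's 24-hour and 12-month values; ConvertTo-TimeSpan is a helper written for this example, not a built-in cmdlet.

```powershell
#Requires -RunAsAdministrator
# Added example: configure base and delta CRL overlap on an issuing CA, restart
# the service, read the effective values back, and show the resulting
# NextUpdate window. Values are illustrative, not the page's example.

$settings = @{
    'CA\CRLPeriod'             = 'Weeks'   # base CRL lifetime: 1 week
    'CA\CRLPeriodUnits'        = 1
    'CA\CRLOverlapPeriod'      = 'Hours'   # base CRL overlap: 12 hours
    'CA\CRLOverlapUnits'       = 12
    'CA\CRLDeltaPeriod'        = 'Days'    # delta CRL lifetime: 1 day
    'CA\CRLDeltaPeriodUnits'   = 1
    'CA\CRLDeltaOverlapPeriod' = 'Hours'   # delta CRL overlap: 4 hours
    'CA\CRLDeltaOverlapUnits'  = 4
}
foreach ($name in $settings.Keys) {
    & certutil.exe -setreg $name $settings[$name] | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg $name failed" }
}

# Registry changes are read only when the service starts.
Restart-Service -Name CertSvc

# Read the effective values back from the CA's own registry hive rather than
# trusting what was written; 'Active' holds the name of the configured CA.
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot).Active
$cfg     = Get-ItemProperty -Path (Join-Path $cfgRoot $caName)

function ConvertTo-TimeSpan([string]$Period, [int]$Units) {
    # Helper written for this example: map certutil's period names to a
    # TimeSpan (months and years are approximated).
    switch ($Period) {
        'Minutes' { New-TimeSpan -Minutes $Units }
        'Hours'   { New-TimeSpan -Hours   $Units }
        'Days'    { New-TimeSpan -Days    $Units }
        'Weeks'   { New-TimeSpan -Days    (7   * $Units) }
        'Months'  { New-TimeSpan -Days    (30  * $Units) }
        'Years'   { New-TimeSpan -Days    (365 * $Units) }
        default   { throw "Unknown period '$Period'" }
    }
}

$period  = ConvertTo-TimeSpan $cfg.CRLPeriod        $cfg.CRLPeriodUnits
$overlap = ConvertTo-TimeSpan $cfg.CRLOverlapPeriod $cfg.CRLOverlapUnits
$publish = Get-Date   # stand-in for the instant the next base CRL is published

# A CRL published at $publish carries NextUpdate = $publish + period + overlap,
# while the CA already publishes its successor at $publish + period. The overlap
# is the grace window in which clients still holding the old CRL remain valid
# while the new one propagates to the distribution points.
[pscustomobject]@{
    CA             = $caName
    CRLPeriod      = $period
    Overlap        = $overlap
    SuccessorDueAt = $publish + $period
    NextUpdate     = $publish + $period + $overlap
}

# Defender's check: if the overlap is shorter than the time a new CRL needs to
# reach every CDP, clients can be left with an expired CRL and fail validation.
$propagationDelay = New-TimeSpan -Hours 2   # assumed worst case for your CDPs
if ($overlap -lt $propagationDelay) {
    Write-Warning "CRL overlap ($overlap) is shorter than the assumed CDP propagation delay ($propagationDelay)."
}

# Publish a fresh base CRL now so the new schedule takes effect immediately.
& certutil.exe -crl
```

Reading the values back through Get-ItemProperty is deliberate: certutil -setreg accepts any value name, so a misspelled name such as CRLOverlapUnit is written silently and never used by the CA.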

If you are using classic CRLs, you may face a number of problems related to CRL growth. As the number of issued certificates grows, the number of revoked certificates also increases; the CRL file becomes large and clients spend a long time downloading it.

Setting up additional CAs spreads the load but does not actually solve the problem. To solve it, consider implementing OCSP (Online Certificate Status Protocol), which AD CS provides through the Online Responder service.

Certificate templates define the certificates that you want to use with your applications. AD CS offers a number of certificate templates; they are configurable and can be customized. To use templates, you must be connected to a DC so that the templates can be published to AD DS. If you are not connected to a DC, connect to one through Server Manager before continuing to configure templates.

To configure certificate templates, you need to:
  1. Click Start->Settings->Control Panel->Administrative Tools->Server Manager->Roles->Active Directory Certificate Services->Certificate Templates, <server name>, as shown in Figure 7-7. A list of templates appears in the details pane.
    Figure 7-7
  2. Right-click the template that you want to use and select Duplicate Template from the menu that appears, as shown in Figure 7-8:
    Figure 7-8

    The Duplicate Template window appears, as shown in Figure 7-9.

  3. Select the version of Windows Server to support. Select Windows Server 2008 unless you are working in a mixed PKI hierarchy, and then click OK.
    Figure 7-9

    The Properties of New Template window appears, as shown in Figure 7-10. The General tab displays a default name for the duplicate template.

  4. Provide a meaningful name to the template in the Template display name field.
    Figure 7-10
  5. Click the Request Handling tab and select the Include symmetric algorithms allowed by the subject, Archive subject's encryption private key, and Use advanced Symmetric algorithm to send the key to the CA options, as shown in Figure 7-11:
    Figure 7-11

    You can configure the other tabs as per your requirements.

  6. Click OK. Configuring a template often requires other activities or other templates to be configured as well. For example, if you are configuring the Basic EFS template, you should also configure the EFS Recovery Agent template. For complete help on the template that you want to configure, view the online help for AD CS.

    Once your template is ready, you must issue the template to enable CA to issue certificates based on it.

  7. Go to Server Manager->Roles->Active Directory Certificate Services->Certificate Templates
  8. Right-click Certificate Templates and then select New->Certificate Template to Issue. The Enable Certificate Templates dialog box appears.
  9. Select the templates that you want to issue by using CTRL+Click and then click OK.
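Steps 7 to 9 can also be done from the command line. The following is an added example, not from the original page, that publishes a duplicated template to the CA with certutil -SetCATemplates and verifies the result with certutil -CATemplates. The template name CorpBasicEFS is an assumption; use the name of the template you duplicated.

```powershell
#Requires -RunAsAdministrator
# Added example: publish a duplicated template to the CA from the command line
# (the equivalent of New -> Certificate Template to Issue) and verify it.
# 'CorpBasicEFS' is an assumed template name; use the one you created.

$templateName = 'CorpBasicEFS'

# Templates must exist in AD DS before a CA can issue them; -dsTemplate reads
# them from the directory, so a failure here usually means you are not
# connected to a DC or the duplicate was never saved.
& certutil.exe -dsTemplate $templateName | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Template '$templateName' was not found in AD DS"
}

# Templates this CA can currently issue, one 'Name: Display name -- ...' line each.
$before = & certutil.exe -CATemplates
if ($before -match "^${templateName}:") {
    Write-Host "'$templateName' is already enabled on this CA."
    return
}

# '+Name' appends a template to the CA's issue list ('-Name' would remove it).
& certutil.exe -SetCATemplates "+$templateName" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -SetCATemplates failed for '$templateName'" }

# Verify, rather than assume, that the CA now lists the template.
$after = & certutil.exe -CATemplates
if (-not ($after -match "^${templateName}:")) {
    throw "'$templateName' is still missing from the CA's template list"
}
Write-Host "'$templateName' is now available for enrollment on this CA."
```

Note that certutil -CATemplates uses the template name (no spaces), not the display name you typed into the Template display name field.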

Active Directory Certificate Services (AD CS) provides a number of customizable services related to public key infrastructure and the certificates used in software security systems. It comprises components such as certification authorities, CA Web Enrollment, the Online Responder, and the Network Device Enrollment Service.

It allows you to encrypt data files, encrypt remote communications, secure email messages, secure logons, secure servers, secure wireless communications, and protect data from tampering. AD CS can run both inside and outside the corporate network. It can be integrated with AD DS to provide automated certificate enrollment.

AD CS deployments are hierarchical in nature and form a chain of trust from the lowest point to the top-most point of the hierarchy. AD CS supports two CA types:

Install AD CS as a Standalone Root CA

  1. Click Start-> Administrative Tools->Server Manager-> Roles Summary-> Add Roles
  2. Click Next on the first page of the Add Roles Wizard that appears.
  3. Select Active Directory Certificate Services and then click Next on the Select Server Roles page that appears.
  4. Select Certification Authority on the Select Role Services page and click Next. Because this is a root CA you need not assign other services and roles to it, as shown in Figure 7-1:
    Figure 7-1
  5. Select Standalone on the Specify Setup Type page that appears and click Next.
  6. Select Root CA on the Specify CA Type page that appears and click Next.
  7. Select the Create a new private key radio button on the Set Up Private Key page and then click Next. You need to create a new private key because you are creating a new root CA. If you are reinstalling a CA for some reason, you can select the existing key option instead. The Configure Cryptography for CA page appears with a number of cryptography options to configure.

    CSPs are the engines that the Microsoft crypto API uses to generate the key pair for the root CA. A CSP can be software or hardware based. For example, the RSA#Microsoft Software Key Storage Provider CSP is software based and the RSA#Microsoft Smart Card Key Storage Provider CSP is hardware based.

  8. Select the suggested cryptographic service provider from the Select the cryptographic service provider (CSP) dropdown. The Key character length field lets you select the length of the keys in the pair. Before selecting a key length, be aware that the longer the key, the more processing time the server needs.
  9. Select the appropriate key length from the Key character length field. The hash algorithm is used to produce and assign a hash value to the key pair; this hash value ensures that no tampering has been done with the data in transit.
  10. Select the SHA1 hash algorithm from the Select the hash algorithm for signing certificates issued by this CA dropdown to ensure backward compatibility with old versions. The Use strong private key protection features provided by the CSP option further protects the root CA: if it is selected, the CA requires administrator interaction before it can use its private key, as shown in Figure 7-2.
  11. Keep the Use strong private key protection features provided by the CSP option deselected for this example and click Next.
    Figure 7-2
  12. Modify the common name of the CA in the Common name for this CA field and leave the Distinguished name suffix field as is. For this example, change the name to Inscription-Root-CA, as shown in Figure 7-3. The common name that you specify here will be embedded in each subordinate certificate issued by this CA.
  13. Click Next.
    Figure 7-3
  14. Modify the validity period of the CA in the Select validity period for the certificate generated for this CA fields if required on the Set Validity Period page, as shown in Figure 7-4 and then click Next.
    Figure 7-4
  15. Accept the default values for the certification database or modify them if required on the Configure Certificate Database page, as shown in Figure 7-5 and click Next.
    Figure 7-5
  16. Click Install on the Confirm Installation Selections page. The installation process starts, and from now on you will not be able to change the name of the server unless you uninstall AD CS first.
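The same standalone root CA build, scripted with the ADCS deployment cmdlets that ship with Windows Server 2012 and later, as an added example that is not part of the original page (which walks through the 2008 Add Roles Wizard). It assumes it runs elevated on the future root CA; the database and log paths, key size and validity are illustrative choices, and the CA name is the page's Inscription-Root-CA. Unlike the wizard walkthrough it selects SHA256, because SHA-1 certificate signatures are deprecated and rejected by current browsers.

```powershell
#Requires -RunAsAdministrator
# Added example: install a standalone root CA with the ADCS deployment cmdlets
# (Windows Server 2012+). Paths, key size and validity are illustrative.

$caName  = 'Inscription-Root-CA'   # the page's example name; change as needed
$dbPath  = 'C:\CertDB'             # assumed database location
$logPath = 'C:\CertLog'            # assumed log location

# A CA host cannot be renamed after install, and a standalone root is normally
# kept off the domain (and offline) so its private key is unreachable from AD.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    throw "Host is joined to domain '$($cs.Domain)'; a standalone root CA should not be."
}
Write-Host "Installing root CA '$caName' on host '$($cs.Name)'; the host name is now permanent."

# Role binaries first (equivalent of Add Roles -> Active Directory Certificate Services).
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools | Out-Null

# Then the CA configuration: standalone root, new software-backed RSA key,
# SHA256 signatures, 10-year validity, custom database and log directories.
Install-AdcsCertificationAuthority `
    -CAType              StandaloneRootCA `
    -CACommonName        $caName `
    -CryptoProviderName  'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength           4096 `
    -HashAlgorithmName   SHA256 `
    -ValidityPeriod      Years `
    -ValidityPeriodUnits 10 `
    -DatabaseDirectory   $dbPath `
    -LogDirectory        $logPath `
    -Force

# Verify what was actually installed rather than assuming: CA name, type,
# and the signing algorithm recorded in the CA's CSP configuration.
& certutil.exe -cainfo
& certutil.exe -getreg CA\CSP\CNGHashAlgorithm
```

The PartOfDomain check is the one step the wizard does not do for you; a standalone root that is domain-joined gains nothing from the standalone type and exposes the trust anchor's key to every domain administrator.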