Processing Domain Controller Certificates
Applies To: Windows Server 2003 with SP1
Due to differences in the Certificate Services components in Windows 2000 and Windows Server 2003, the issuing process for domain controller certificates depends on the certificate template version and the specific certificate template. Since the processes and steps required are different, both types are outlined separately in the following sections.
Certificate Templates
The Windows 2000 Server and Windows Server 2003 enterprise certification authority (CA) supports the concept of certificate templates. Certificate templates define how an enterprise CA should process a certificate request and generate a specific certificate type when issued. A difference exists between the Domain Controller certificate templates in a Windows 2000 and a Windows Server 2003 Active Directory environment. It is necessary to understand the differences before you submit the certificate request to a CA. For a broader discussion on certificate templates, see the following references.
Implementing and Administering Certificate Templates in Windows Server 2003 at https://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
Selecting Certificate Templates at https://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/depkit/C71D2CD3-82EF-4E3C-8746-1340D0EF4E9A.mspx
Windows 2000 Certificate Templates
A Windows 2000 CA provides only one certificate template for domain controller certificates: Domain Controller. It may be manually or automatically enrolled through Automatic Certificate Request Service (ACRS) settings in Group Policy. The certificate template name is hard-coded in the operating system and it must be used to enroll Windows 2000 domain controllers. In Windows 2000, you cannot modify certificate templates and thus, only the Domain Controller template may be used.
With a domain controller certificate that was issued by a Windows 2000 CA, a domain controller can use the certificate for any of the following purposes.
Provide mutual authentication for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) or smart card logon.
Encrypt Active Directory replication traffic if SMTP replication is enabled.
Enable Lightweight Directory Access Protocol (LDAP) over Secure Sockets Layer (SSL) connections to Active Directory.
Authenticate using SSL client authentication for an application that requires this functionality.
If Windows 2000 style auto-enrollment (ACRS in Group Policy) is enabled in a connected environment, a Windows 2000 domain controller will auto-enroll certificates based on the Domain Controller template.
Windows Server 2003 Certificate Templates
In contrast to a Windows 2000 enterprise CA, a Windows Server 2003 enterprise CA provides three templates for domain controller certificates. In Windows Server 2003, the Domain Controller certificate template is known as a V1 certificate template and exists to support auto-enrollment for Windows 2000 domain controllers. The two other certificate templates are Directory E-mail Replication and Domain Controller Authentication. Both certificate templates are V2 templates, which implies they can be modified, duplicated, and used for the new style certificate auto-enrollment.
Windows XP and Windows Server 2003 systems that are joined to an Active Directory domain support a more advanced auto-enrollment mechanism than previously available in Windows 2000. To support a Windows 2000 computer in a mixed environment with Windows XP and Windows Server 2003 systems, both methods are supported by a Windows Server 2003 CA. For more information about the new style auto-enrollment, see the white paper at https://www.microsoft.com/technet/prodtechnol/windowsserver2003/plan/autoenro.mspx
The capabilities of the Windows 2000 V1 Domain Controller certificate template have been divided into two V2 certificate templates to provide more specific functionality. Instead of having one multi-purpose domain controller certificate that can be used for almost everything, the Domain Controller Authentication certificate template is tailored for smart card logon support; the Directory Email Replication certificate is made for supporting SMTP e-mail replication. Thus, if you do not require Active Directory replication via SMTP, you do not have to deploy Directory Email Replication certificates.
Note
Both certificate templates are configured by default to supersede the former Domain Controller certificate template, which will be performed when both a Windows 2000 enterprise CA and domain controller are upgraded to Windows Server 2003. For more information about superseding templates, see the Implementing and Administering Certificate Templates in Windows Server 2003 white paper at https://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
To summarize the previous points, the following table provides an overview of the certificate templates that are used by default in Windows 2000 and Windows Server 2003.
Domain Controller Operating System | Windows 2000 Stand-alone CA | Windows 2000 Enterprise CA | Windows Server 2003 Stand-alone CA | Windows Server 2003 Enterprise CA
---|---|---|---|---
Windows 2000 | Domain Controller | Domain Controller | Domain Controller | Domain Controller
Windows Server 2003 | Domain Controller | Domain Controller | Domain Controller | Domain Controller Authentication and Directory E-mail Replication
These same templates can also be used for domain controller offline certificate enrollment. In the case of a Windows Server 2003 enterprise CA, it will also be required to customize the Domain Controller certificate template. For more information about this process and requirements, see Certificate Template Configuration.
Using Version 2 Templates with Windows 2000 Computers
In a mixed environment where you may support or have multiple operating system versions installed, your choice of template version may be limited by the client operating system. Only Windows XP client systems are able to enroll for version 2 templates through the Certificates MMC Snap-In. Windows 2000 clients are not able to display or enroll for version 2 templates through the Certificates MMC Snap-In or automatic certificate request settings in Group Policy. Nevertheless, a Windows 2000 computer can be used to enroll for user certificates that are based on version 2 templates through the Windows Server 2003 Web enrollment pages. As an alternative, you could install certreq.exe on a Windows 2000 computer and request certificates based on version 2 templates manually using that method.
Domain Controller Certificate Details
Since many of the offline domain controller enrollment processes involve complex, manual procedures, the following section is provided to assist in understanding the most important characteristics of a domain controller certificate as a reference.
Certificate Purpose | Domain Controller | Domain Controller Authentication | Directory E-mail Replication
---|---|---|---
Domain controller authentication – A domain controller can prove its identity to another party, such as a client computer, during smart card logon. | Yes | Yes | No
SSL – If a Web server is installed on the domain controller, the Web server can leverage the domain controller certificate to establish SSL connections with clients. This also supports LDAP over SSL connections to the domain controller. | Yes | Yes | No
Client authentication (SSL) – This would be used if the computer acts as an SSL client to another application on a separate server. | Yes | Yes | No
E-mail encryption – SMTP e-mail can be encrypted and signed with this certificate. | Yes | No | Yes
A certificate that was issued by a CA based on the Domain Controller certificate template has the following characteristics.
The subject contains the domain controller’s FQDN, prefixed with the “CN=” relative distinguished name element.
The certificate purposes (also known as extended key usage) are set to “Client Authentication (1.3.6.1.5.5.7.3.2)” and “Server Authentication (1.3.6.1.5.5.7.3.1)”. The numbers in parentheses are the corresponding standard object identifier for each certificate purpose.
The common name of the template is set to “DomainController”.
The Subject Alternative Name contains the domain controller’s GUID in object identifier 1.3.6.1.4.1.311.25.1 and the FQDN of the domain controller.
A certificate that was issued based on the Domain Controller Authentication certificate template has the following characteristics.
The subject of the certificate is empty.
The certificate purposes (also known as extended key-usage) are set to “Client Authentication (1.3.6.1.5.5.7.3.2)”, “Server Authentication (1.3.6.1.5.5.7.3.1)”, and “Smart Card Logon (1.3.6.1.4.1.311.20.2.2)”. The numbers in parentheses are the corresponding object identifier for each certificate purpose.
The common name of the template is set to “Domain Controller Authentication” or the name of the template that was specified in the certificate request for this certificate type.
The Subject Alternative Name extension contains the fully qualified DNS name of the domain controller.
A certificate that was issued based on the Directory Email Replication certificate template has the following characteristics.
The subject of the certificate is empty.
The certificate purpose (also known as extended key-usage) is set to “Directory Service Email Replication (1.3.6.1.4.1.311.21.19)”. The number in parentheses is the corresponding object identifier for this certificate purpose.
The common name of the template is set to “DirectoryEmailReplication” or the name of the template that was specified in the certificate request for this certificate type.
The Subject Alternative Name extension contains the domain controller’s GUID in object identifier 1.3.6.1.4.1.311.25.1 and the FQDN of the domain controller.
Windows Server 2003 Certificates and Publishing in Active Directory
Certificates that are enrolled from an enterprise CA with the Domain Controller or the Directory Email Replication certificate template are published by default into the requestor’s object in Active Directory. When a certificate is auto-enrolled, the requestor is naturally a domain controller. These certificate templates publish certificates in Active Directory primarily to facilitate encrypted replication of Active Directory content with SMTP; both replication partners must have access to the public key (certificate) of their replication partner.
Only enterprise certification authorities publish certificates in Active Directory as an automatic process. If you enroll a Domain Controller certificate manually from a stand-alone CA, you must publish the certificate manually in Active Directory. Remember that stand-alone CAs do not offer the Domain Controller Authentication and Directory Email Replication certificate template format(s), so regardless of the CA version, you can only issue Domain Controller certificates from a stand-alone CA.
By default, certificates that have been built with the Domain Controller Authentication certificate template are not published in Active Directory because smart card logon does not require the domain controller’s certificate to be in Active Directory. Therefore, it is not recommended that Domain Controller Authentication certificates be published in Active Directory by manipulating the default Domain Controller Authentication certificate template.
Windows 2000 Server CA Configuration
By default, a Windows 2000 Server CA does not permit subject alternative names that are specified in a certificate request to be accepted and inserted in the issued certificate. This applies for both stand-alone and enterprise CAs. This functionality is required to submit and process offline domain controller certificate requests. To permit this functionality, the CA configuration must be modified.
Important
Changing the CA configuration to permit subject alternative names in certificate requests is a global setting and is not limited to a single template. Once this setting is enabled, the CA will accept attributes for subject alternative names in all certificate requests.
To change the CA configuration to accept subject alternative names in requests, perform the following steps.
Log on to the CA as Administrator.
At a command-line prompt, type
CERTUTIL -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
This enables the CA to accept the "Subject Alternative Name" to be submitted in the request. If you submit more offline domain controller requests to this CA, you do not have to set the parameter again. It persists until it is manually reset to the default setting by an administrator. To reset the CA to the default setting, type the following at a command-line prompt.
CERTUTIL -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
Note
This setting will affect all certificate requests that are submitted to your CA. Any certificate request that provides a SubjectAltName2 will be recognized and processed by the CA.
The following command displays the configuration parameters (EditFlags) that are currently set. Run it before and after the change to verify the parameters explicitly.
CERTUTIL -getreg policy\EditFlags
To enable the changes in all subsequently issued certificates, restart the certification authority service. To restart the CA, type the following at a command prompt, and then press Enter.
NET STOP certsvc & NET START certsvc
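Because the EditFlags change is CA-wide and persists until an administrator resets it, it pays to read the flag back from the CA rather than rely on memory. The following added example (not part of the original article) decodes the EditFlags DWORD that `certutil -getreg policy\EditFlags` prints and reports whether EDITF_ATTRIBUTESUBJECTALTNAME2 is set; the sample output text and its layout are constructed assumptions, and the flag values are the policy-module constants from certsrv.h.

```python
"""Decode the EditFlags DWORD printed by `certutil -getreg policy\\EditFlags` and
report whether the CA accepts subject alternative names from any request.
Standard library only."""
import re

# Policy-module flag values as defined in certsrv.h; the page toggles SUBJECTALTNAME2.
EDITF_FLAGS = {
    "EDITF_REQUESTEXTENSIONLIST": 0x2,
    "EDITF_DISABLEEXTENSIONLIST": 0x4,
    "EDITF_ADDOLDKEYUSAGE": 0x8,
    "EDITF_ADDOLDCERTTYPE": 0x10,
    "EDITF_ATTRIBUTEENDDATE": 0x20,
    "EDITF_BASICCONSTRAINTSCRITICAL": 0x40,
    "EDITF_BASICCONSTRAINTSCA": 0x80,
    "EDITF_ENABLEAKIKEYID": 0x100,
    "EDITF_ATTRIBUTECA": 0x200,
    "EDITF_IGNOREREQUESTERGROUP": 0x400,
    "EDITF_ENABLEAKIISSUERNAME": 0x800,
    "EDITF_ENABLEAKIISSUERSERIAL": 0x1000,
    "EDITF_ENABLEAKICRITICAL": 0x2000,
    "EDITF_SERVERUPGRADED": 0x4000,
    "EDITF_ATTRIBUTEEKU": 0x8000,
    "EDITF_ENABLEDEFAULTSMIME": 0x10000,
    "EDITF_EMAILOPTIONAL": 0x20000,
    "EDITF_ATTRIBUTESUBJECTALTNAME2": 0x40000,
    "EDITF_ENABLECHASECLIENTDC": 0x100000,
}

# Constructed sample of `certutil -getreg policy\EditFlags` output: CA name and value
# are made up, and the line layout is an assumption about certutil's display format.
SAMPLE_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CORP-CA\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy:

  EditFlags REG_DWORD = 15014e (1376590)
CertUtil: -getreg command completed successfully.
"""

_EDITFLAGS_RE = re.compile(r"EditFlags\s+REG_DWORD\s*=\s*([0-9A-Fa-f]+)", re.IGNORECASE)


def parse_editflags(output: str) -> int:
    """Extract the EditFlags value (printed in hex) from -getreg output."""
    match = _EDITFLAGS_RE.search(output)
    if not match:
        raise ValueError("EditFlags value not found in certutil output")
    return int(match.group(1), 16)


def decode_editflags(value: int) -> list:
    """Names of the flags set in value, plus a marker for bits this table does not know."""
    names = [name for name, bit in EDITF_FLAGS.items() if value & bit]
    unknown = value & ~sum(EDITF_FLAGS.values())
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:x}")
    return names


def apply_editflag(value: int, change: str) -> int:
    """Mirror `certutil -setreg policy\\EditFlags +FLAG` or `-FLAG` on the DWORD."""
    sign, name = change[0], change[1:]
    if sign not in "+-" or name not in EDITF_FLAGS:
        raise ValueError(f"unsupported change {change!r}")
    bit = EDITF_FLAGS[name]
    return value | bit if sign == "+" else value & ~bit


def san_in_request_allowed(output: str) -> bool:
    """True when the CA accepts a subject alternative name supplied in any request,
    which is the CA-wide condition the Important note above describes."""
    return bool(parse_editflags(output) & EDITF_FLAGS["EDITF_ATTRIBUTESUBJECTALTNAME2"])


if __name__ == "__main__":
    flags = parse_editflags(SAMPLE_OUTPUT)
    print(f"EditFlags = 0x{flags:x}: {decode_editflags(flags)}")
    print("SAN attributes accepted from requests:", san_in_request_allowed(SAMPLE_OUTPUT))
    reset = apply_editflag(flags, "-EDITF_ATTRIBUTESUBJECTALTNAME2")
    print(f"value after the reset command would be 0x{reset:x}")
```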
Issuing Domain Controller Certificates with a Windows 2000 CA
A CA that is installed on a Windows 2000 computer can process domain controller certificate requests and issue domain controller certificates for both Windows 2000 and Windows Server 2003 domain controllers.
With a Windows 2000 CA, no option is available to customize the Domain Controller certificate template. However, as a limited option, you may set the validity time of a domain controller certificate on a specific CA. For information about how to change the validity time, see the Microsoft Knowledge Base article HOW TO: Change the Expiration Date of Certificates That Are Issued by a Windows Server 2003 or a Windows 2000 Server Certification Authority at https://support.microsoft.com/default.aspx?id=254632
Windows 2000 Stand-alone CA
To issue domain controller certificates, it does not matter if the stand-alone CA is a domain member or a member of a workgroup. With both configurations, domain controller certificates can be issued. A stand-alone CA does not support certificate templates; therefore, no choice is required in this regard. A stand-alone CA will process a certificate request according to the information supplied in the request.
To issue a certificate for domain controllers from a Windows 2000 CA, you can use one of two approaches.
Prepare a certificate request with the Windows Server 2003 version of certreq.exe that includes the domain controller’s GUID and its DNS name in the subject alternative name.
Use a generic certificate request and add the certificate extensions to the certificate request while it is pending at the CA.
In the first case where you have included the subject alternative name in the certificate request, it is not required to set the certificate request status to pending before issuing the certificate.
Since this white paper illustrates how to include the subject alternative name in the certificate request in Certificate Template Configuration, the following section explains how to manipulate a pending request. You may use the following procedure with a different set of command-line parameters for other certificate types as well.
Note
From a technical viewpoint, both methods result in the same certificate being issued. However, it is more convenient to include extensions in the certificate request because no additional manipulation of a pending request is required. This method, however, does require the Windows Server 2003 version of certreq.exe to be used.
Windows 2000 CA Configuration
Once you have set the EditFlag (see Windows 2000 Server CA Configuration), you should verify that the policy module will put all certificates into a pending mode before they are issued. To confirm the request handling of the CA, perform the following steps.
Log on to the computer where the Windows 2000 Server stand-alone CA is installed.
Open the Certification Authority MMC Snap-In.
In the left pane, select the CA object and select Properties on the Action menu.
In the Policy Module tab, click Properties.
Verify that the policy module of the stand-alone CA is set to the following value.
Set the certificate request status to pending.
Note
A stand-alone CA sets the certificate request status to pending by default.
Click OK twice to confirm the setting and close the Properties page.
Close the Certification Authority MMC Snap-In.
Issuing a Domain Controller Certificate
Compared to a Windows Server 2003 CA, it is more complicated to issue certificates that require a given set of subject alternative names in the certificate. Unfortunately, unlike a Windows Server 2003 CA, you cannot specify certificate extensions such as the subject alternative name when you submit the certificate request. The Windows 2000 CA does not support such functionality. To work around this limitation, you must include the certificate extensions in the certificate request or perform the certificate enrollment process in three distinct steps, with an optional fourth step.
The certificate request is submitted.
Certificate extensions are set in the pending certificate request.
The certificate is approved and issued.
The certificate can be manually verified for accuracy.
The following steps show how to submit the request, process the request, verify the request, and issue the certificate. In this case, the certificate request does not include the certificate extensions.
Submit the Certificate Request
Log on to the computer where the Windows 2000 Server stand-alone CA is installed.
Copy the certificate request (<dcname>.req) and the batch script (<dcname>-req.bat) that were previously created on the domain controller (see Creating an Offline Certificate Request) into a working file folder on the CA.
At a command-line prompt, use the <dcname>-req.bat script to run the required certreq command. The batch file will simply submit the certificate request to the CA with the following command.
certreq -attrib "CertificateTemplate:DomainController" <dcname>.req
A window will appear where you can select the CA that will issue the certificate. Select the Windows 2000 issuing CA and click OK.
Note the RequestID that is shown after the command has finished.
Process the Certificate Request
The next step is to set the certificate extensions in the pending certificate request using either the Windows 2000 or the Windows Server 2003 version of certutil.
Important
The following command will override any existing information in the certificate request that matches the given object identifier. If you have specified, for example, a subject alternative name as part of the certificate request, the subject alternative name will be overridden with this command.
Copy the <dcname>.asn file from the domain controller to the CA computer.
At a command-line prompt, run the following command.
certutil -setextension <RequestID> 2.5.29.17 1 @<dcname>.asn
The subject alternative name, which is identified by the object identifier 2.5.29.17, is set with the attributes that are defined in the <dcname>.asn file. The fourth parameter that is set to “1” marks the extension as critical. For a description of the file structure of the ASN file, see Appendix 5: ASN.1 File Structure.
Verify the Pending Certificate Request
You may verify the pending certificate request to validate that the extensions are properly inserted in the certificate request. If something is not correct or if the certificate request does not meet your requirements, you can validate the information at this point to ensure accuracy. Unfortunately, the Windows 2000 CA does not support viewing the properties of a pending certificate request in the Certification Authority MMC Snap-In. To verify that the certificate will be issued with the correct certificate template, you can use either the Windows 2000 or Windows Server 2003 version of certutil.
From a command-line prompt, run the following command.
certutil -view -restrict RequestID=<RequestID> -out RequestAttributes
Replace the <RequestID> with the RequestID that was recorded previously.
The command output should look similar to the following:
Row 1: Request Attributes: "CertificateTemplate:DomainController"
To view the request attributes of all pending certificate requests, run the following command.
certutil -view -restrict disposition=9 -out RequestID,RequestAttributes
Verify that the certificate extensions have been set correctly. Type the following command at a command-line prompt.
certutil -view -restrict RequestID=<RequestID> -out ext:2.5.29.17
Replace the <RequestID> with the RequestID that was recorded previously. The “2.5.29.17” value represents the object identifier of the certificate extension that you are referencing. If you do not know the exact object identifier of your extension, use “all” instead of the specific object identifier. For example:
certutil -view -restrict RequestID=<RequestID> -out ext:all
Ensure that the extension you have configured in the previous section appears in the pending certificate request.
Note
All of the certutil -view commands may be used to query the certification authority database on a Windows 2000 or Windows Server 2003 CA. Once you understand the schema, you can query the database providing the appropriate field names. You can also use certutil -view -? for more samples to query the database.
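The subject alternative name that the Domain Controller Certificate Details section describes (the GUID otherName under 1.3.6.1.4.1.311.25.1 plus the FQDN as a dNSName) is exactly what the `<dcname>.asn` file supplies to `certutil -setextension` and what `certutil -view ... -out ext:2.5.29.17` should show afterwards. The following added example (standard-library Python, not part of the original article) builds that extension value as DER and parses one back to check its shape before the request is issued. Assumptions: the `.asn` file holds the raw DER extension value (the page's Appendix 5 is not reproduced here), the GUID is carried in Windows little-endian byte order, and the host name and GUID are constructed sample values.

```python
"""Build and check the DER-encoded Subject Alternative Name (OID 2.5.29.17) of a
domain controller certificate.  Standard library only.

Shape, as described on this page:
  SubjectAltName ::= SEQUENCE OF GeneralName
    otherName [0] { type-id 1.3.6.1.4.1.311.25.1, value [0] EXPLICIT OCTET STRING <16-byte GUID> }
    dNSName   [2] IA5String <FQDN>
The Domain Controller Authentication template carries only the dNSName.
"""
import uuid
from typing import Optional

NTDS_REPLICATION_OID = "1.3.6.1.4.1.311.25.1"   # DC GUID otherName type-id (from the page)


# --- minimal DER helpers ---------------------------------------------------

def _der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(value)) + value


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:                                 # base-128, high bit on all but the last byte
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


# --- SAN build / parse / check ---------------------------------------------

def build_dc_san(fqdn: str, dc_guid: Optional[str] = None) -> bytes:
    """DER value of the SAN extension.  Pass dc_guid for the Domain Controller and
    Directory Email Replication shapes; omit it for Domain Controller Authentication."""
    names = b""
    if dc_guid is not None:
        # bytes_le is the Windows GUID byte order (assumption about the on-wire form)
        guid_octets = _tlv(0x04, uuid.UUID(dc_guid).bytes_le)
        names += _tlv(0xA0, encode_oid(NTDS_REPLICATION_OID) + _tlv(0xA0, guid_octets))
    names += _tlv(0x82, fqdn.encode("ascii"))
    return _tlv(0x30, names)


def parse_dc_san(der: bytes) -> dict:
    """Return {'guid': str or None, 'dns': [names]} from a SAN extension value."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SAN extension value must be a SEQUENCE")
    found, pos = {"guid": None, "dns": []}, 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0x82:                                  # dNSName
            found["dns"].append(val.decode("ascii"))
        elif tag == 0xA0:                                # otherName
            oid_tag, oid_body, p = _read_tlv(val, 0)
            if oid_tag == 0x06 and decode_oid(oid_body) == NTDS_REPLICATION_OID:
                _, explicit, _ = _read_tlv(val, p)       # [0] EXPLICIT wrapper
                _, guid_bytes, _ = _read_tlv(explicit, 0)  # OCTET STRING
                found["guid"] = str(uuid.UUID(bytes_le=guid_bytes))
    return found


def check_dc_san(der: bytes, expected_fqdn: str, require_guid: bool) -> list:
    """Problems with a request's SAN; an empty list means it matches the template shape."""
    san, problems = parse_dc_san(der), []
    if expected_fqdn.lower() not in (d.lower() for d in san["dns"]):
        problems.append(f"FQDN {expected_fqdn!r} missing from dNSName entries {san['dns']}")
    if require_guid and san["guid"] is None:
        problems.append(f"DC GUID otherName ({NTDS_REPLICATION_OID}) missing")
    return problems


if __name__ == "__main__":
    # Constructed sample values; not taken from any real forest.
    der = build_dc_san("dc1.corp.example", "12345678-9abc-def0-1234-56789abcdef0")
    with open("dc1.asn", "wb") as f:                     # raw DER, assumed <dcname>.asn content
        f.write(der)
    print(der.hex())
    print(parse_dc_san(der), check_dc_san(der, "dc1.corp.example", require_guid=True))
```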
Issue and Retrieve the Certificate
Next, you must issue the pending certificate. For this section, you can use either the Windows 2000 or Windows Server 2003 version of certutil.
To issue the pending request, open the MMC snap-in. Run certsrv.msc at a command-line prompt, and then press Enter.
In the left pane, click the Pending Certificates container.
In the right pane, select the certificate that corresponds to the RequestID recorded previously.
On the Action menu, select All Tasks – Issue.
Alternatively, you can issue certificates from the command line with the following command.
certutil -resubmit <RequestID>
Replace <RequestID> with the RequestID value that was recorded previously by the certreq command.
Once the certificate has been issued, you must store the certificate as a file to transfer it to the domain controller. The following command will create two certificate files. The CER file contains only the domain controller certificate; the P7B file contains the domain controller certificate and all of its parent certificates. At a command-line prompt, run the following command.
CERTREQ -retrieve <RequestID> <dcname>.cer <dcname>.p7b
Replace <RequestID> with the RequestID that was used in the previous commands.
A window appears where you can select the CA that has issued the certificate.
Select the issuing CA and click OK.
Store the retrieved certificates on a diskette or other medium to transfer to the domain controller.
Log off the CA.
To install the certificate on the domain controller, see Domain Controller Certificate Installation.
Windows 2000 Enterprise CA
Unfortunately, domain controller certificates cannot be issued manually from a Windows 2000 enterprise CA for the following reasons.
A Windows 2000 CA supports only hard-coded certificate templates so that you cannot duplicate and customize the default certificate template. If the original domain controller certificate was manipulated, it would affect all other domain controllers that are able to connect to the CA and use auto-enrollment to request certificates.
A Windows 2000 enterprise CA issues certificates immediately without placing them in a pending state. Since the submission interface on the CA has limited functionality in Windows 2000 and, therefore, certificate manipulation is required in a pending state, support for offline domain controllers is particularly problematic.
Therefore, if support for offline certificate request processing is required, it is recommended that you install a Windows 2000 stand-alone CA or a Windows Server 2003 CA.
Issuing Domain Controller Certificates with a Windows Server 2003 CA
A Windows Server 2003 enterprise CA supports V2 templates and pending requests on a per-template basis, and both Windows Server 2003 enterprise and stand-alone CAs support request attributes that are submitted in the enrollment request. Therefore, the following sections document the unique procedures for each CA type. V2 templates are only available if the CA was installed on Windows Server 2003, Enterprise Edition.
Windows Server 2003 Stand-alone CA
A stand-alone CA issues certificates based on fixed rules similar to those in templates. As described previously, a stand-alone CA issues certificates similar to the Domain Controller certificate template; thus, you cannot enroll Directory Email Replication or Domain Controller Authentication certificates with this CA type.
When issuing certificates manually, it does not matter if the stand-alone CA is a member of a domain or a workgroup. Both configurations are supported, and since the subject alternative name information was included in the certificate request when reqdccert.vbs was run, it is not required to place the certificate requests in a pending state to process them correctly.
To issue a domain controller certificate from a stand-alone Windows Server 2003 CA, perform the following steps.
1. Log on to the CA computer.
2. Copy the certificate request and the batch script (<dcname>-req.bat) that was created on the domain controller previously into a working folder on the CA.
3. From a command-line prompt, run the <dcname>-req.bat script to perform the certreq command. The script will request a certificate based on the DomainController certificate template because no other template exists for this purpose.
The bat-file contains the following command.
CERTREQ -attrib "CertificateTemplate:DomainController" <requestfile>
4. A window will appear where you can select the CA that will issue the certificate. Select the issuing CA and click OK.
5. Make a note of the RequestID that is shown after the command has finished. This value will be needed later.
6. If the enrollment handling is set to the default configuration on a stand-alone CA, you will have to approve and issue the pending certificate. If the CA is configured to issue certificates automatically, continue to step 15.
7. To verify and issue the pending request, open the MMC snap-in.
8. In the left pane, click the Pending Certificates container.
9. In the right pane, select the certificate that corresponds to the RequestID noted in step 5.
10. On the Action menu, select All Tasks - View Attributes/Extensions.
11. A window opens that displays the request properties. Click the Extensions tab.
12. Verify the value of the Subject Alternative Name tag. It should display the hexadecimal encoded GUID and the FQDN of the domain controller.
13. Click OK to close the window.
14. With the certificate request still selected in the right pane, choose All Tasks - Issue on the Action menu.
Alternatively, you can issue certificates from the command-line prompt with the following command.
certutil -resubmit <RequestID>
Replace the <RequestID> variable with the RequestID that was noted in step 5.
15. Once the certificate has been issued, you will have to store the certificate as a file to transfer it to the domain controller. The following command will create two certificate files. The CER file contains only the domain controller certificate; the P7B file contains the domain controller certificate and all of its parent certificates. At a command-line prompt, run the following command.
CERTREQ -retrieve <RequestID> <dcname>.cer <dcname>.p7b
Replace the <RequestID> variable with the RequestID that was used in the previous commands.
16. A window will appear where you can select the CA that has issued the certificate. Select the issuing CA and click OK.
17. Store the retrieved certificates on a diskette or other medium to transfer to the domain controller.
18. Log off the CA.
Next, continue to Domain Controller Certificate Installation.
Windows Server 2003 Enterprise CA
An enterprise CA maintains and uses certificate templates in Active Directory for all certificate request processing and issuance. Therefore, domain controller certificates are formatted and issued based on the templates that are available and assigned to a CA. In the case of offline domain controller certificates, modification of the default certificate templates in Active Directory is necessary to support the enrollment processing.
Since the following section requires V2 templates, it is assumed that the enterprise CA was installed on a server with Windows Server 2003, Enterprise Edition.
Certificate Template Creation
In the following steps, duplicates of the existing Domain Controller certificate templates are created to support offline request processing. The following are the two primary reasons for modifications.
By default, the offline Directory Email Replication certificate template publishes certificates in Active Directory. Normally, this would be satisfactory; however, the CA publishes an issued certificate into the certificate requestor’s Active Directory object and not into the certificate subject’s Active Directory object. When a certificate request is submitted manually, the requestor is always the account of the user who created the certificate request. Thus, the CA would publish a domain controller certificate in the administrator’s Active Directory user object. To work around this issue, a new certificate template is created that does not require the CA to publish the domain controller certificate in Active Directory. For information about manual certificate publication, see Publishing Domain Controller Certificates.
Both Directory Email Replication and Domain Controller Authentication certificate templates require a special template flag to enable offline request processing. To leave the existing templates intact for all normal domain controller certificates processing, duplicates are made of both templates with the special settings.
Note
It is recommended that you do not manipulate the Directory Email Replication and Domain Controller Authentication default templates. They are used for auto-enrollment by Windows Server 2003 domain controllers that can connect to the enterprise CA. Modification of these templates may cause an interruption of service for auto-enrollment of connected domain controllers.
Perform the following steps to duplicate the default Domain Controller certificate templates.
Log on with Enterprise Admin permissions to a domain computer that has Windows Server 2003 Administration Tools (AdminPak.msi) installed and is a member of the forest where the enterprise CA is installed. Any computer joined to the Active Directory forest can be used to maintain certificate templates since they are stored in Active Directory. Connectivity to a CA is not required at this point. By default, only members of the Enterprise Administrators group have permission to change certificate templates.
Click the Start button, and then point to Run. Type certtmpl.msc and press Enter.
The Certificate Templates MMC Snap-In opens. In the right pane, select the Directory Email Replication template.
On the Action menu, select Duplicate template.
The Properties window of the new template appears. On the General tab, type Offline Directory Email Replication as Template display name. Click to clear the Publish certificate in Active Directory check box.
Technically, any template name may be used; however, a meaningful label is recommended.
Click the Subject Name tab. Click to select the Supply in the request option and click OK.
In the right pane, select the Domain Controller Authentication template.
On the Action menu, select Duplicate template.
The Properties window of the new template appears. On the General tab, type Offline Domain Controller Authentication as Template display name. The Publish certificate in Active Directory check box is already clear because, by default, authentication certificates are not published in Active Directory.
Click the Subject Name tab. Click to select the Supply in the request option and click OK.
Close the Certificate Templates MMC snap-in.
Certificate Template Configuration
Note that the template change is not required for CAs running Windows Server 2003 Service Pack 1 or later. If you have installed Windows Server 2003 Service Pack 1 or a later version on your CA, continue to Issuing a Domain Controller Certificate.
Typically, an enterprise CA reads the information stored in several certificate attributes from the requestor's object in Active Directory. For example, the domain controller's common name or its GUID is derived from the domain controller's computer object and inserted into the certificate when a new domain controller certificate is manually or automatically enrolled through the normal process. If a domain controller certificate is requested manually through an offline or asynchronous process, all information that is required in the certificate must be explicitly specified in the certificate request.
When the certificate request is submitted to the CA, the request contains a field with the certificate template’s common name, which is subsequently used by the CA to determine the enrollment and issuance policies. One such policy is whether the request may define the subject and the subject alternative name. By default, these attributes must not be set in a certificate request, and the CA will ignore such information in a request. It is important to note that auto-enrollment requires that the request not contain the subject information to process requests properly.
To configure the CA to allow the subject alternative name to be specified in certificate requests, the certificate templates that were created in the previous section must be modified. Fortunately, this is a one-time operation, and it is not necessary to undo the change after a domain controller certificate has been enrolled. The template change replicates normally, like any other attribute value change in your Active Directory environment, and does not generate any schema changes.
To configure and apply the template modification before issuing an offline domain controller certificate, perform the following steps.
Log on as the Enterprise Administrator to a computer that is a member of the forest where the enterprise CA was installed.
Make the script available to your local computer as shown in FixDCtemplate.vbs.
Run the following script with the specified parameters.
fixdctemplate.vbs <Templatename>
Replace <Templatename> with the template’s common name OfflineDirectoryEmailReplication. (Do not use blank spaces.)
For more information about all the steps performed by the script, see FixDCtemplate.vbs.
Run the following script again with the specified parameters.
fixdctemplate.vbs <Templatename>
In this case, replace <Templatename> with the template’s common name OfflineDomainControllerAuthentication. (Do not use blank spaces.)
Log off the computer.
Windows Server 2003 CA Configuration
In the previous section, the certificate templates have been created and configured. Once the changes in Active Directory have been replicated throughout the forest, the CA will be able to access and use these templates. However, in order for the CA to use and issue certificates based on the templates, the templates must be manually published on each CA before they will be available.
Perform the following steps to publish a template in an enterprise CA.
Log on to the computer where the CA was installed as a local computer administrator.
Open the Certification Authority MMC snap-in.
Expand the CA object in the right pane and select Certificate Templates.
On the Action menu, select New - Certificate Template to Issue.
The template selection window appears. Press and hold the <CTRL> key and select the templates Offline Directory Email Replication and Offline Domain Controller Authentication.
Click OK to add the templates to the CA.
Both templates will appear in the right pane of the MMC snap-in.
Close the MMC snap-in.
Issuing a Domain Controller Certificate with a Windows Server 2003 CA
The steps to issue a domain controller certificate from a Windows Server 2003 enterprise CA are similar to the Windows Server 2003 stand-alone CA procedures. However, since the Windows Server 2003 enterprise CA supports the new Directory Email Replication and Domain Controller Authentication certificate templates, these templates are used instead of the Domain Controller template.
Depending on the specific certificate template that is used, different attributes are specified as the subject alternative name. The Directory Email Replication template requires both the domain controller's GUID and its fully qualified DNS name (FQDN) in this extension. The Domain Controller Authentication template requires only the FQDN in the subject alternative name extension. Therefore, the INF file and the certificate request look different for the two certificate types.
Important
For offline domain controller certificate requests, never use the Domain Controller certificate template because a Windows Server 2003 CA supersedes that template with the Directory Email Replication and Domain Controller Authentication certificate templates. You will receive error 0x80094803 if you use the Domain Controller certificate template.
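As an added example that is not part of this article, the following Python helper writes the certreq INF for each offline template, refusing an incomplete subject alternative name, and emits the matching <dcname>-req.bat line shown in the steps below. It assumes the certreq {text} syntax for the subject alternative name extension (2.5.29.17), including the guid= keyword for the domain controller GUID, and uses the template common names defined earlier in this section.

```python
import re
import uuid

# Template common names (no spaces) as created earlier in this section.
DER_TEMPLATE = "OfflineDirectoryEmailReplication"
DCA_TEMPLATE = "OfflineDomainControllerAuthentication"

# A fully qualified DNS name: at least one dot, labels of 1..63 characters.
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}$", re.I)


def build_request_inf(template, fqdn, guid=None):
    """Return certreq INF text for an offline domain controller request.

    Directory Email Replication needs the DC's FQDN and its object GUID in the
    subject alternative name; Domain Controller Authentication needs the FQDN
    only. Nothing is looked up in Active Directory for an offline request, so
    an incomplete SAN is rejected here rather than discovered at the CA.
    """
    if not FQDN_RE.match(fqdn):
        raise ValueError(f"not a fully qualified DNS name: {fqdn!r}")
    san = [f"dns={fqdn}"]
    if template == DER_TEMPLATE:
        if guid is None:
            raise ValueError("Directory Email Replication requires the DC GUID")
        san.append(f"guid={uuid.UUID(str(guid))}")  # validates and normalises
    elif template == DCA_TEMPLATE:
        if guid is not None:
            raise ValueError("Domain Controller Authentication takes the FQDN only")
    else:
        raise ValueError(f"unknown offline DC template: {template!r}")
    lines = [
        "[NewRequest]",
        f'Subject = "CN={fqdn}"',
        "KeyLength = 2048",
        "Exportable = FALSE",
        "MachineKeySet = TRUE",
        "RequestType = PKCS10",
        "[Extensions]",
        '2.5.29.17 = "{text}"',
    ]
    # Each SAN entry on its own continuation line; '&' separates entries.
    lines += [f'_continue_ = "{e}&"' for e in san[:-1]] + [f'_continue_ = "{san[-1]}"']
    return "\n".join(lines) + "\n"


def build_submit_bat(template, dcname):
    """Return the <dcname>-req.bat command that submits <dcname>.req to the CA."""
    return f'CERTREQ -attrib "CertificateTemplate:{template}" {dcname}.req\n'


if __name__ == "__main__":  # constructed sample values, not a real forest
    print(build_request_inf(DER_TEMPLATE, "dc1.corp.example.com",
                            "f7c3ac41-b8ce-4fb4-aa58-3d1dc0e36b39"))
    print(build_submit_bat(DER_TEMPLATE, "dc1"))
```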
To issue a domain controller certificate from a Windows Server 2003 enterprise CA, perform the following steps.
Log on to the CA computer.
Copy the certificate request and the batch script (<dcname>-req.bat) that was created on the domain controller in a previous step into a working folder on the CA.
From a command-line prompt, use the <dcname>-req.bat script to run the certreq command. The script will request a certificate based on the given certificate template.
The bat file contains the following command if the Directory Email Replication certificate template is used.
CERTREQ -attrib "CertificateTemplate:<TemplateName>" <requestfile>
A window will appear where you can select the CA that will issue the certificate.
Select the issuing CA and click OK.
If you have changed the default enrollment handling in one of the Domain Controller certificate templates or in the CA policy module configuration, the request is pended: make a note of the RequestID that is shown after the previous command has finished, because it is needed to issue the pended certificate. Otherwise, a Save window appears where you can set the name of the certificate file. Type the name of the certificate and click OK. Continue to step 9.
If the certificate request was pended, run the following command at a command-line prompt. Otherwise, continue to step 7.
certutil -resubmit <RequestID>
Replace <RequestID> with the RequestID that was recorded previously.
Once the certificate is issued, you have to store it as a file to transfer it to the domain controller. The following command creates two certificate files. The CER file contains only the domain controller certificate; the P7B file contains the domain controller certificate and all of its parent certificates. At a command-line prompt, run the following command.
CERTREQ -retrieve <RequestID> <dcname>.cer <dcname>.p7b
Replace <RequestID> with the RequestID that was used in the previous commands.
A window will appear where you can select the CA that has issued the certificate. Select the issuing CA and click OK.
Store the retrieved certificates on a diskette or other medium to transfer to the domain controller.
Log off the CA.