If you would like to read the other parts in this article series please go to:
- Use Windows Command Line Tools and PowerShell Cmdlets to Manage Security in Windows Server 2012 (Part 2)
- Use Windows Command Line Tools and PowerShell Cmdlets to Manage Security in Windows Server 2012 (Part 3)
Once upon a time, Windows was all about the graphical interface. For administrators, a big advantage of Windows over UNIX was not having to memorize a slew of text commands. Instead, you could click your way to the configuration you wanted. Over the years, however, more and more features were added to the operating system. This growing complexity resulted in an increasingly complex configuration process with dialog boxes hidden inside other dialog boxes, long lists of checkboxes, and management consoles that have become more and more difficult to navigate as the “tree” has grown.
Microsoft made a valiant attempt to remedy the situation with “wizards” that can walk you through the steps of a particular task process, but their magic powers extend only so far. Often we find that the wizards, in trying to cover all possible settings, prolong the process and take us through numerous pages that are irrelevant to our particular purposes. There has to be a better way.
Ironically, that better way sometimes lies in ditching the “easy” graphical UI and getting back to the basics of the command line. Many Windows Server admins have, for a long time, been turning to the underlying command line tools when they want to get something done quickly. Does anybody click through dialog boxes to find basic network adapter info when you can go to a command prompt and type ipconfig /all ?
With recent versions of Windows, Microsoft has recognized the power of the command line and toward that end, has provided more traditional command line tools as well as developing PowerShell, with its scripting language designed specifically for tasks associated with system administration. In Windows Server 2012 and 2012 R2, you have a plethora of command line tools and PowerShell cmdlets at your disposal for managing all aspects of security. In this article, we’ll begin to look at how to use those tools for managing Certificate Services and certificates.
Non-graphical ways to configure and manage Windows CAs
Active Directory Certificate Services (AD CS) provides an easy and cost-effective way for organizations to create and manage a Public Key Infrastructure to issue and use digital certificates for authentication, encryption and digital signing of documents and email. Certificate Services have been built into Windows Server since Windows 2000.
There are many new and changed functionalities for Certificate Services in Windows Server 2012. One of these is integration with Server Manager. Through Server Manager, you can launch the AD CS installation wizard and manage AD CS as a server role through the Server Manager interface. But for those who prefer the command line,
Windows Server 2012 also adds deployment and management capabilities to Windows PowerShell. You can both deploy and manage AD CS with PowerShell.
There are a number of steps involved in configuring a Windows Server to function as a CA. When you use a wizard, it will take you through each of the steps. When you use command line tools, you need to have an understanding of the steps that are involved and the proper sequence for those steps. You can find information on the process on the Windows Server 2012 web site on TechNet, in this article titled Certification Authority Guidance. It applies to both Windows Server 2012 and Windows Server 2012 R2 Preview.
Using Certutil to configure and manage Windows CAs
Certutil is a command line tool included with Windows Server that is installed when you install the Certificates Services role. It can be used to view the current configuration information for the CA, which is what it does when you run it without adding any parameters.
By using available parameters, you can use Certutil to configure Certificate Services, verify certificates and key pairs and even to back up and restore the components of the certification authority. Certutil has been around since Certificate Services was first introduced in Windows 2000 and Microsoft has increased its scope and functionality over the different versions. Some of the more commonly used parameters include the following:
- -dump Append this to dump the configuration information or files. This is the default action when you run Certutil on a server that does not have the Certificate Services role installed.
- -deny Append this to deny a pending certificate request
- -resubmit Append this to submit a pending certificate request again
- -revoke Append this to revoke a certificate
- GetCRL Append this to get a certificate revocation list (CRL)
- -CRL Append this to publish a new CRL
- -shutdown Append this to shut down the AC CS
- -backup Append this to back up the AD CS
- -restore Append this to restore the AD CS from backup
- -importPFX Append this to import a certificate and private key
- -addstore, -delstore Append these to add a certificate to or delete a certificate from the certificate store
- -CATemplates Append this to display the templates for the CA
- -verify Append this to verify a certificate, CRL or certificate chain
- -verifykeys Append this to verify a public or private key
There are many more parameters available to perform various aspects of managing the Certificate Services. For a complete list, syntax information and examples, see the TechNet library.
The TechNet Wiki contains a good blog post on using Certutil that was posted by Kurt Hudson.
Using AD CS PowerShell cmdlets to configure and manage Windows CAs
There are a number of AD CS Deployment cmdlets for installing and uninstalling the CA role service and other AD CS related services.
The CA Role Service
To configure the CA role service on the server via PowerShell, use the following cmdlet:
There are a number of parameters available, including –CACommonName<String> which specifies the certification authority common name and –CADistinguishedNameSuffix<String> which specifies the certification authority distinguished name suffix.
Use the –CAType<CAType> parameter to specify the type of certification authority you want to install. Available values include EnterpriseRootCA, EnterpriseSubordinateCA, StandaloneRootCA or StandaloneSubordinateCA.
Note that the server must be a member of an Active Directory domain in order to install the CA as an enterprise certification authority (you can install the standalone types on servers that are members of workgroups as well as on domain member servers). You must use the correct credentials to complete the installation:
- If you’re installing an enterprise CA, you must use the account credentials of a member of the Enterprise Admin group.
- If you’re installing a standalone CA in a domain, you must use the account credentials of a member of the Domain Admins group.
- When installing a standalone CA on a server that does not belong to a domain, you must use the account credentials of a member of the Administrators group.
To enter the credentials, use the following parameter:
When you’re unsure about what you’re doing, it can be a good idea to add the –Whatif parameter, which shows you what would happen if the cmdlet runs, without actually running the cmdlet, and/or the –Confirm parameter, which prompts you for confirmation before running the cmdlet.
There are a number of other parameters for this cmdlet that may apply to your situation, so before you deploy a CA using this PowerShell cmdlet, be sure to check them all out here.
Other deployment cmdlets include the following:
- Install-AdcsEnrollmentWebService This cmdlet configures the Certification Enrollment Web service, which works together with the Enrollment Policy Web service to accept certificate requests and issue certificates over HTTPS and use HTTPS to allow for certificate enrollment across forests or over the extranet to mobile users.
- Install-AdcsEnrollmentPolicyWebService This cmdlet performs configuration of the Certificate Enrollment Policy Web service. It’s installed along with the Certificate Enrollment Web Service to provide policy-based certificate enrollment without connection to the domain.
- Install-AdcsWebEnrollment This cmdlet configures the CA Web Enrollment service, which enables users and computers that aren’t domain members (and domain members that aren’t connected to the network) to enroll for certificates with the CA over the Internet or intranet using a web interface.
- Install-AdcsNetworkDeviceEnrollmentService This cmdlet configures the NDES service, which uses the Simple Certificate Enrollment Protocol (SCEP)for communication between network devices and the Registration Authority in the certificate enrollment process. SCEP allows devices that don’t have domain credentials to enroll for certificates. You can learn more about NDES here.
- Install-AdcsOnlineResponder This cmdlet configures the Online Responder service, which is used to configure and manage online certificate status protocol validation and revocation checking on the Windows network.
In addition to these cmdlets for installing the various services related to the AD CS role, there are also corresponding PowerShell cmdlets for uninstalling each. Simply substitute “Uninstall” for “Install” in each of the cmdlet names to remove the configuration information for that service.
AD CS administration
Once you have the Certificate Services role and additional role services installed and configured, you can use the AD CS administration cmdlets to perform varous administrative tasks such as adding certificate templates or CRL URIs, configuring Authority Information Access and more. These cmdlets and their specific functions are listed here.
In Part 1 of this series of articles on managing security in Windows Server 2012 using command line utilities and PowerShell, we provided an overview of how to use Certutil.exe and PowerShell cmdlets to install and manage the Certificate Services role. Next time, in Part 2, we’ll continue the discussion with additional command line tools and PowerShell cmdlets that you can use to simplify and speed up security management tasks.
If you would like to read the other parts in this article series please go to: