Tuesday, May 09, 2006

Setting up auto enrollment for email certificates using Active Directory

You need a Windows Server 2003 Enterprise Edition CA for auto enrollment: the version 2 (editable) certificate templates that support autoenrollment and key archival can only be issued by an Enterprise or Datacenter Edition CA, so a Standard Edition CA is not enough. First install Certificate Services (since we already had a CA, I made a subordinate CA).
Now you want to create your KRAs (key recovery agents).

First, we need to enable a Key Recovery Agent. A Key Recovery Agent is a highly trusted person who is responsible for recovering archived private keys for users whose own copy of the key has been lost or damaged (a re-imaged workstation, a deleted profile). Anyone holding a KRA private key can decrypt every key the CA archived with that KRA certificate, so treat it like a CA signing key: few holders, protected storage, and a record of who has it.

We must issue a Key Recovery Agent certificate to this user. To do this:

Start the Windows 2003 CA console (the Certification Authority MMC snap-in)

Publish the Key Recovery Agent template at the CA (Certificate Templates, New, Certificate Template to Issue, pick Key Recovery Agent)

Request this certificate as the user who will become the Key Recovery Agent (for example from the Certificates MMC, Personal, Request New Certificate)

Manually issue the Key Recovery Agent certificate at the CA

Figure 1 shows the issued Key Recovery Agent Certificate for the user Administrator.

Figure 1: Issued Key Recovery Agent certificate


The Windows 2003 CA will not automatically issue this certificate to the user who requests it, because the Key Recovery Agent template is set to require CA certificate manager approval. The CA administrator must manually issue the certificate in the Microsoft CA MMC under Pending Requests (right-click the request, All Tasks, Issue). Before doing so, confirm that the requester really is the person you intend to trust with key recovery.

Enable the CA for key archiving (in the Certification Authority snap-in, right-click your CA and choose Properties).

Now it is time to enable the CA for key archiving. In the CA properties go to the Recovery Agents tab and choose Archive the key. Because key recovery is a security-sensitive process, you can specify how many recovery agents are used ("Number of recovery agents to use"): each archived key is encrypted to that many KRA certificates, and if you load more KRA certificates than that number, the CA rotates through them. Click Add to import the Key Recovery Agent certificate you just issued (it is published in Active Directory, so it shows up in the picker). Click OK and restart the CA service. After the restart the KRA certificate should show a status of Valid on the Recovery Agents tab; if it shows as not loaded, the CA cannot archive keys and enrollment against an archiving template will fail.
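The following is an added example, not part of the original post: a PowerShell script to run on the CA as a CA administrator that lists the pending KRA request, issues it with certutil instead of the MMC, and after you have added the KRA certificate on the Recovery Agents tab shows what the CA actually loaded. The CA config string and the request ID are placeholders (assumptions); the registry value names KRACertCount and KRACertHash are the ones the CA uses to record the "number of recovery agents to use" setting and the KRA certificate hashes.

```powershell
# Added example (not from the original post). Run on the Windows Server 2003 CA.
$CaConfig = 'ca01.contoso.local\Contoso Issuing CA'   # assumption: "host\CA common name"

function Invoke-CertUtil {
    # Run certutil against our CA and stop on a non-zero exit code, so a typo in the
    # config string or a missing permission does not pass silently.
    param([Parameter(ValueFromRemainingArguments = $true)][string[]]$CertUtilArgs)
    $out = & certutil.exe -config $CaConfig @CertUtilArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certutil $($CertUtilArgs -join ' ') failed with $LASTEXITCODE:`n$($out -join "`n")"
    }
    $out
}

# 1. The Key Recovery Agent template requires CA certificate manager approval, so the
#    request waits in the queue. Disposition 9 = pending; list what is waiting.
Invoke-CertUtil -view -restrict 'Disposition=9' -out 'RequestID,RequesterName,CertificateTemplate'

# 2. Issue the KRA request once you have confirmed the requester is the intended
#    person. A KRA holder can decrypt every key archived to that certificate.
$RequestId = 5                                         # assumption: taken from the listing above
Invoke-CertUtil -resubmit $RequestId

# 3. After adding the KRA certificate on the Recovery Agents tab, restart the service
#    and check what the CA loaded. The KRA store holds the certificates the CA will
#    encrypt archived keys to; the two registry values hold the count and the hashes.
Restart-Service certsvc
certutil -store KRA                  # local KRA certificate store on the CA
certutil -getreg ca\KRACertCount     # "Number of recovery agents to use"
certutil -getreg ca\KRACertHash      # SHA-1 hashes of the KRA certificates in use
```

If the KRA store is empty after the restart, or KRACertCount is 0, key archival is not enabled regardless of what the properties dialog appeared to accept; fix that before moving on to the template, because an archiving template cannot be enrolled against a CA that has no usable KRA certificate.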

Now it is time to duplicate an e-mail certificate template at the Windows 2003 CA. The question is why? The default Exchange User template is a version 1 template: version 1 templates cannot be edited, and this one does not archive the subject's private key. Start the Microsoft CA MMC, navigate to Certificate Templates, right-click and choose Manage, select the Exchange User template, click Duplicate Template and give the new template a name.

Now you have to configure the following settings for this template. (I also checked "do not automatically reenroll if a duplicate certificate exists in Active Directory"; this will keep someone from logging on at a different computer, receiving a new cert and getting their mail all messed up, because they would have incompatible keys and their email would possibly get encrypted with the wrong ones.)

Publishing all certificates in Active Directory is required, because the Global Address List of Exchange Server 2003 is based on AD. With this option checked, the CA writes each issued certificate to the user's userCertificate attribute, which is where Outlook looks when it encrypts a message to a GAL recipient. Without it, other users cannot find the recipient's encryption certificate and encrypted mail simply does not work.

On the Request Handling tab choose "Signature and encryption" as the purpose and check "Archive subject's encryption private key" so the CA can provide key recovery. For the enrollment behaviour choose "Enroll subject without requiring any user input"; the other two options prompt the user, which defeats the point of autoenrollment.

On the Subject Name tab keep "Build from this Active Directory information" and check "Include e-mail name in subject name" and "E-mail name" under the subject alternative name. This is required and absolutely necessary: Outlook matches the certificate to the sender by the e-mail address in it. One caveat: once the template requires the e-mail name, enrollment fails for any user whose AD account has no e-mail address (mail attribute) set, so make sure every member of the group you are going to enroll has one.

To make sure that the old Exchange User template is never used again, add it on the Superseded Templates tab of the new template so that the new template supersedes the old one; autoenrollment will then replace existing Exchange User certificates with certificates from the new template.

To configure automatic enrollment for this new template you have to make sure that the user group has the Read, Enroll and Autoenroll permissions on the template (Security tab). After this you just have to publish the template at the certification authority: in the CA snap-in right-click Certificate Templates, choose New, Certificate Template to Issue, and pick the new template.

I created a group called email encryption and then added members to it to provide them with certs.
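The following is an added example, not part of the original post: a PowerShell check, run from a domain-joined machine, that reads the duplicated template out of Active Directory and verifies the settings described above (key archival, publish to AD, do-not-reenroll, e-mail name in subject and SAN, superseded template, and the group's Enroll and Autoenroll rights) before publishing it at the CA with certutil. The template name, group name and CA config string are placeholders (assumptions). The flag bits are the documented msPKI-* template flags and the two GUIDs are the well-known Enroll and Autoenroll control-access rights.

```powershell
# Added example (not from the original post). Run as a user who can read the Configuration partition.
$TemplateName = 'ContosoEmailUser'                      # assumption: CN of the duplicated template
$GroupName    = 'CONTOSO\Email Encryption'              # assumption: group that must Read/Enroll/Autoenroll
$CaConfig     = 'ca01.contoso.local\Contoso Issuing CA' # assumption: "host\CA common name"

# Template flag bits (certificate template schema).
$PKF_REQUIRE_PRIVATE_KEY_ARCHIVAL = 0x00000001   # msPKI-Private-Key-Flag
$EF_PUBLISH_TO_DS                 = 0x00000008   # msPKI-Enrollment-Flag
$EF_AUTO_ENROLLMENT_CHECK_USER_DS = 0x00000010   # "do not re-enroll if a duplicate exists in AD"
$EF_AUTO_ENROLLMENT               = 0x00000020
$NF_SUBJECT_REQUIRE_EMAIL         = 0x20000000   # msPKI-Certificate-Name-Flag
$NF_SUBJECT_ALT_REQUIRE_EMAIL     = 0x04000000
# Control-access-right GUIDs for the Enroll and Autoenroll permissions on the template object.
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

$configNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$tmpl = [ADSI]("LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC")

function Get-Flag([string]$attr) { [int]$tmpl.Properties[$attr].Value }
$pkf = Get-Flag 'msPKI-Private-Key-Flag'
$ef  = Get-Flag 'msPKI-Enrollment-Flag'
$nf  = Get-Flag 'msPKI-Certificate-Name-Flag'

$checks = @{
    "Archive subject's encryption private key" = ($pkf -band $PKF_REQUIRE_PRIVATE_KEY_ARCHIVAL) -ne 0
    'Publish certificate in Active Directory'  = ($ef -band $EF_PUBLISH_TO_DS) -ne 0
    'Autoenrollment allowed on template'       = ($ef -band $EF_AUTO_ENROLLMENT) -ne 0
    'Do not re-enroll if duplicate exists'     = ($ef -band $EF_AUTO_ENROLLMENT_CHECK_USER_DS) -ne 0
    'E-mail name in subject name'              = ($nf -band $NF_SUBJECT_REQUIRE_EMAIL) -ne 0
    'E-mail name in subject alternative name'  = ($nf -band $NF_SUBJECT_ALT_REQUIRE_EMAIL) -ne 0
    'Supersedes the v1 Exchange User template' = ($tmpl.Properties['msPKI-Supersede-Templates'] -contains 'ExchangeUser')
}

# The group needs Read plus the two extended rights; the MMC's "Read" is normally GenericRead.
$rules = $tmpl.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
$groupRules = @($rules | Where-Object { $_.IdentityReference.Value -eq $GroupName -and $_.AccessControlType -eq 'Allow' })
$checks["$GroupName has Read"]       = @($groupRules | Where-Object { $_.ActiveDirectoryRights -match 'GenericRead|ReadProperty' }).Count -gt 0
$checks["$GroupName has Enroll"]     = @($groupRules | Where-Object { $_.ObjectType -eq $EnrollGuid }).Count -gt 0
$checks["$GroupName has Autoenroll"] = @($groupRules | Where-Object { $_.ObjectType -eq $AutoEnrollGuid }).Count -gt 0

$checks.GetEnumerator() | Sort-Object Name | ForEach-Object {
    '{0,-4} {1}' -f $(if ($_.Value) { 'OK' } else { 'FAIL' }), $_.Name
}
if ($checks.Values -contains $false) {
    throw 'Template is not configured as described; fix it in the Certificate Templates MMC before publishing.'
}

# Publish the template at the CA (same as New, Certificate Template to Issue) and confirm it is listed.
certutil -config $CaConfig -SetCATemplates "+$TemplateName"
certutil -config $CaConfig -CATemplates
```

Run the check before publishing rather than after: once the template is on the CA's issue list, autoenrollment will start handing out certificates at the next policy refresh, and a template that was published without key archival leaves you with issued certificates whose keys can never be recovered.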

Next you want to set up group policy to allow auto-enrollment

Configuring Certificate Services for Autoenrollment

Autoenrollment is a feature of the certificate services client in Windows XP and Windows Server 2003; the CA that issues the version 2 templates it relies on must, as noted above, be Enterprise or Datacenter Edition. Autoenrollment allows the administrator to configure subjects to automatically enroll for certificates, retrieve issued certificates, and renew expiring certificates without requiring subject interaction. The subject does not need to be aware of any certificate operations, unless you configure the certificate template to interact with the subject. It is switched on through Group Policy: in a GPO that applies to the users in your group, open User Configuration, Windows Settings, Security Settings, Public Key Policies, Autoenrollment Settings, select "Enroll certificates automatically" and check both "Renew expired certificates, update pending certificates, and remove revoked certificates" and "Update certificates that use certificate templates". Users pick the policy up at the next logon or policy refresh, so for a quick test run gpupdate /force on a client and then certutil -pulse to trigger the autoenrollment task immediately; the result (or the failure reason) is logged under the AutoEnrollment source in the client's Application event log.
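The following is an added example, not part of the original post, that tests the whole chain end to end: the first function runs as a member of the group on an XP or 2003 client and confirms that autoenrollment delivered a certificate carrying the user's e-mail address; the second runs on the CA as the KRA holder and proves that the key was really archived by pulling the recovery blob with certutil -getkey and decrypting it with certutil -recoverkey. The user name, CA config string, paths and PFX password are placeholders (assumptions).

```powershell
# Added example (not from the original post). Two functions for two machines; see the comments.
$UserEmail   = 'jdoe@contoso.local'                       # assumption: the test user's e-mail address
$Requester   = 'CONTOSO\jdoe'                             # assumption: RequesterName as the CA records it
$CaConfig    = 'ca01.contoso.local\Contoso Issuing CA'    # assumption: "host\CA common name"
$BlobPath    = 'C:\kra\jdoe.blob'                         # assumption: scratch paths on the CA
$PfxPath     = 'C:\kra\jdoe.pfx'
$PfxPassword = 'one-time-Recovery-Passw0rd'               # assumption: protects the recovered PFX in transit

function Test-ClientEnrollment {
    # Run on the client as the user. Refresh user policy, kick autoenrollment instead of waiting
    # for the next refresh, then look for the user's e-mail address in the personal store.
    gpupdate /target:user /force | Out-Null
    certutil -pulse | Out-Null
    Start-Sleep -Seconds 30                               # give the autoenrollment task time to finish
    $store = certutil -user -store My
    if (-not ($store | Select-String -SimpleMatch $UserEmail)) {
        throw "No certificate for $UserEmail in the user's store; check the AutoEnrollment events in the Application log"
    }
    "Enrolled: certificate with $UserEmail present in the user's personal store"
}

function Restore-ArchivedKey {
    # Run on the CA as the KRA holder (the KRA private key must be in that user's profile).
    # Disposition 20 = issued. Take the newest issued certificate for the requester.
    $rows = certutil -config $CaConfig -view -restrict "RequesterName=$Requester,Disposition=20" `
        -out 'RequestID,SerialNumber,NotAfter'
    $serials = @($rows | Select-String 'Serial Number:\s*"?([0-9a-fA-F]+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value })
    if ($serials.Count -eq 0) { throw "No issued certificate found for $Requester" }
    $serial = $serials[-1]

    # -getkey fails if the CA holds no archived key for this certificate: that is the real test
    # of "Archive subject's encryption private key" on the template.
    certutil -config $CaConfig -getkey $serial $BlobPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "No archived key for serial $serial; the template did not archive the private key" }

    # Decrypt the blob with the KRA private key and write a password-protected PFX for the user.
    certutil -p $PfxPassword -recoverkey $BlobPath $PfxPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Recovery failed for serial $serial; is the KRA private key available to this account?" }
    Remove-Item $BlobPath                                 # the blob is only needed for the recovery step
    "Recovered key for serial $serial to $PfxPath"
}

# Test-ClientEnrollment      # on the client, as the enrolled user
# Restore-ArchivedKey        # on the CA, as the KRA holder
```

The recovered PFX contains the user's encryption private key, so treat it as you would the user's mailbox: hand it over out of band with the password sent separately, have the user import it into their personal store, and delete the file afterwards. Doing this round trip once with a test account before rolling the template out is the only way to be sure that the archival and recovery configuration above actually works.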
