Friday, 19 February 2021

AD CS Installation – CA Installation

This post covers the installation and configuration of the Windows PKI service, Active Directory Certificate Services (AD CS), and its Certification Authority (CA).

 

Certificates for user accounts, computer accounts and service accounts are used widely in Windows environments, and they are also used for network devices.

 

AD CS offers two kinds of CA: Standalone and Enterprise. A Standalone CA does not require a domain; certificate requests for users are submitted manually, there is no certificate template mechanism and no autoenrollment. An Enterprise CA requires AD DS: certificates can be distributed through Group Policy, revocation information is published in AD DS, and certificate templates and autoenrollment are supported.

 

The installation steps for an AD CS CA, which is used by many services such as 802.1X, EFS, smart card authentication (2FA) and web servers, are as follows.

 

The installation is performed in the domain with an account that has Enterprise Admin rights. In this lab the CA is installed on the domain controller DC01; in production it belongs on a dedicated member server, because the host cannot be renamed or demoted once the CA is installed, and a compromise of the CA host would then also be a compromise of the domain controller.

 

[Screenshot: Add Roles and Features Wizard, Select installation type: "Role-based or feature-based installation" is selected.]

 

[Screenshot: Select destination server: DC01.semih.local (Windows Server Standard) is selected from the server pool.]

 

[Screenshot: Select server roles: Active Directory Certificate Services is checked. Description: AD CS is used to create certification authorities and related role services that allow you to issue and manage certificates used in a variety of applications.]

 

[Screenshot: Active Directory Certificate Services introduction. Things to note: the name and domain settings of this computer cannot be changed after a CA has been installed; rename the computer, join the domain or promote the server to a domain controller before installing the CA.]

 

Select the role services the CA will use. I select all of them; depending on need, only the required services can be installed. IIS is installed together with AD CS, since the web enrollment pages and the enrollment web services run on it.

 

[Screenshot: Select role services: Certification Authority, Certificate Enrollment Policy Web Service, Certificate Enrollment Web Service, Certification Authority Web Enrollment, Network Device Enrollment Service. Description: the Certificate Enrollment Policy Web Service lets users and computers obtain enrollment policy information even when the computer is not domain-joined or is temporarily outside the corporate network, and works with the Certificate Enrollment Web Service to provide policy-based automatic enrollment.]

 

After installation, the post-deployment configuration is run from Server Manager.

[Screenshot: Installation progress: "Configuration required. Installation succeeded on DC01.semih.local." Role services still to be configured: Certification Authority, Online Responder, Certification Authority Web Enrollment, Network Device Enrollment Service, Certificate Enrollment Policy Web Service, Certificate Enrollment Web Service; .NET Framework 4.7 Features installed.]

 

[Screenshot: AD CS Configuration, Credentials: a Standalone CA, Certification Authority Web Enrollment and the Online Responder require membership in the local Administrators group; an Enterprise CA, the Certificate Enrollment Policy Web Service, the Certificate Enrollment Web Service and NDES require membership in Enterprise Admins. Credentials: SEMIH\administrator.]

 

Each AD CS role service can be configured separately, one at a time.

 

The Network Device Enrollment Service and the Certificate Enrollment Web Service cannot be configured until a CA has been configured, which is why they are greyed out below.

 

[Screenshot: AD CS Configuration, Role Services: Certification Authority, Certification Authority Web Enrollment, Online Responder and Certificate Enrollment Policy Web Service are selected; Network Device Enrollment Service and Certificate Enrollment Web Service are not yet available.]

 

As noted at the beginning, the CA type for the intended deployment, Enterprise or Standalone, is selected and the configuration is started.

 

[Screenshot: Setup Type: Enterprise CA selected. Enterprise CAs can use AD DS to simplify certificate management, must be domain members and are typically online; Standalone CAs do not use AD DS and can be used without a network connection (offline).]

 

The Root CA is the first CA installed; a Subordinate CA can be thought of as a child CA that is certified by the CA above it. A single enterprise root CA, as configured here, is fine for a lab. In production the usual design is a two-tier hierarchy: an offline standalone root that only signs subordinate CA certificates and CRLs, and an online enterprise subordinate (issuing) CA, so that a compromise of the issuing CA does not force the trust anchor to be replaced everywhere.

 

[Screenshot: CA Type: Root CA selected. A root CA is at the top of the PKI hierarchy and issues its own self-signed certificate; a subordinate CA receives its certificate from the CA above it in the hierarchy.]

 

On a first installation a new private key is generated for the CA. The other options are for a backup/restore or an upgrade: they reuse an existing certificate and key so that previously issued certificates remain valid under the same CA.

 

[Screenshot: Private Key: "Create a new private key" selected. Alternatives: use an existing private key, either by selecting a certificate and its associated private key or by selecting an existing private key on this computer, for continuity with previously issued certificates when reinstalling a CA.]

 

The cryptographic provider, key length and signing hash for the CA are selected. Use SHA256 or stronger; CA certificates signed with SHA1 are rejected by current clients. A 2048-bit RSA key is the minimum and 4096 bits is common for a root CA. The software Key Storage Provider used here keeps the CA key on disk under DPAPI protection; for a production CA a hardware security module (HSM) provider should hold the key, since whoever obtains the CA private key can issue certificates for any identity in the domain. "Allow administrator interaction" adds an operator prompt every time the key is used, which is only practical on an offline root.

 

[Screenshot: Cryptography for CA: provider RSA#Microsoft Software Key Storage Provider, key length, hash algorithm choices SHA256, SHA384, SHA512 and SHA1, and the option "Allow administrator interaction when the private key is accessed by the CA".]

 

[Screenshot: CA Name: common name for this CA, distinguished name suffix (generated automatically, editable) and a preview of the distinguished name. The common name is added to all certificates issued by the CA.]

 

This page sets the validity period of the CA's own certificate; the default is 5 years, which is what the confirmation page later shows (expiring 1/19/2026). The CA will not issue a certificate that outlives its own certificate, so the CA certificate's validity must exceed the lifetime of the certificates it issues. The lifetime of end-entity certificates is set separately, in the certificate template and the CA's ValidityPeriod registry settings; one to a few years is typical there.

[Screenshot: Validity Period for the certificate generated for this CA (days, months or years); the validity period of the CA certificate should exceed the validity period of the certificates it issues.]

 

[Screenshot: CA Database: certificate database location and certificate database log location.]

 

Since the CA is in a domain environment, the Certificate Enrollment Policy Web Service is set to Windows integrated authentication, i.e. Kerberos for domain accounts.

 

[Screenshot: Authentication Type for CEP: Windows integrated authentication selected; the alternatives are client certificate authentication and user name and password.]

 

I select "Choose and assign a certificate for SSL later" because I will configure a server certificate for the AD CS web services afterwards. Until a valid server authentication certificate is bound in IIS, these web services do not work.

 

[Screenshot: Server Certificate: "Choose and assign a certificate for SSL later" selected. An existing certificate issued to DC01.semih.local by semih-DC01-CA (expires 10/13/2021) is offered under "Choose an existing certificate for SSL encryption (recommended)"; the role service will not function until a valid certificate is configured.]

 

[Screenshot: Confirmation: CA Type Enterprise Root; cryptographic provider RSA#Microsoft Software Key Storage Provider; hash algorithm SHA256; administrator interaction disabled; CA certificate valid until 1/19/2026; distinguished name and database locations as entered; also Certification Authority Web Enrollment and Online Responder.]

 

[Screenshot: Progress: configuring Certification Authority, Certification Authority Web Enrollment, Online Responder and Certificate Enrollment Policy Web Service.]

 

The initial configuration is complete.

 

[Screenshot: Results: Certification Authority, Certification Authority Web Enrollment, Online Responder and Certificate Enrollment Policy Web Service all report "Configuration succeeded". Two warnings: before clients can use the web service, a server authentication certificate must be configured in IIS to encrypt communication between clients and the service; and before clients can use the Certificate Enrollment Policy Web Service, Group Policy settings must be applied to direct their enrollment requests to it.]

 

[Screenshot: certsrv console: semih-DC01-CA-1 with Revoked Certificates (empty), Issued Certificates, Pending Requests, Failed Requests and Certificate Templates.]
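The same deployment done from PowerShell, as an added example that is not part of the original post. It reproduces the wizard choices above (enterprise root CA, software KSP, SHA256, five-year CA certificate, Kerberos for the Certificate Enrollment Policy Web Service) and ends with the checks a practitioner would run before handing the CA over. The CA name, domain and database path are the ones from the screenshots; the 4096-bit key length is an assumption, since the value chosen in the wizard is not visible.

```powershell
#Requires -RunAsAdministrator
# Added example, not the post's own script. Run on the target server as an
# Enterprise Admin. Names and paths below are assumptions taken from the screenshots.

$caName = 'semih-DC01-CA-1'
$dbDir  = 'C:\Windows\System32\CertLog'      # wizard default for database and log

# 1. Role services. IIS and the management tools come in as dependencies.
$features = 'ADCS-Cert-Authority',           # Certification Authority
            'ADCS-Web-Enrollment',           # /certsrv pages
            'ADCS-Online-Cert',              # Online Responder (OCSP)
            'ADCS-Enroll-Web-Pol'            # Certificate Enrollment Policy Web Service
Install-WindowsFeature -Name $features -IncludeManagementTools

# 2. Post-deployment configuration of the CA itself (the Setup Type, CA Type,
#    Private Key, Cryptography, CA Name, Validity Period and CA Database pages).
#    4096 is an assumption (2048 is the minimum); SHA256, never SHA1, for a new CA.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName $caName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 `
    -DatabaseDirectory $dbDir -LogDirectory $dbDir `
    -Force

# 3. Web enrollment and the Online Responder.
Install-AdcsWebEnrollment -Force
Install-AdcsOnlineResponder -Force

# 4. CEP with Windows integrated (Kerberos) authentication. Pass
#    -SSLCertThumbprint here if a server certificate already exists; otherwise
#    bind one in IIS afterwards, as the post does, or clients cannot use it.
Install-AdcsEnrollmentPolicyWebService -AuthenticationType Kerberos -Force

# 5. Checks before handing over.
certutil -ping                                  # certsvc answers requests
certutil -cainfo                                # CA name, type and certificate
certutil -getreg CA\CSP\CNGHashAlgorithm        # expect SHA256
certutil -getreg CA\ValidityPeriodUnits         # cap on issued certificate lifetime
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object Subject -like "CN=$caName*" |
    Format-List Subject, NotAfter, Thumbprint    # the self-signed root, five years out
```

The cmdlets are idempotent only with -Force; rerunning Install-AdcsCertificationAuthority on a configured CA fails rather than reconfiguring it, which is the behaviour you want on a production box.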

 

If I encrypt a folder as below (folder Properties, Advanced, "Encrypt contents to secure data"), my domain account automatically obtains an EFS certificate from AD CS, and the certificate can then be seen in Internet Explorer's certificate store view, as below.

 

[Screenshot: folder Properties, Advanced Attributes: "Encrypt contents to secure data" is checked.]

 

[Screenshot: Internet Options, Content, Certificates, Personal tab: two certificates issued to "administrator", one self-signed (issued by administrator, expires 9/18/2120) and one issued by semih-DC01-CA-1 (expires 1/19/2022); certificate intended purpose: Encrypting File System.]

The certificate also appears under Issued Certificates, as below. It was issued to the client from the Basic EFS certificate template.

 

[Screenshot: certsrv, Issued Certificates: requester name SEMIH\administrator, certificate template Basic EFS (EFS), binary certificate, serial number, certificate effective date 1/19/2021.]

 

If certificates such as EFS should not be issued automatically but instead wait in Pending Requests until an administrator issues them, change the option below (CA Properties, Policy Module, Properties, Request Handling). With the default, the template's own setting decides: templates that do not require CA certificate manager approval are issued immediately.

 

[Screenshot: CA Properties, Policy Module (Windows default), Properties, Request Handling: "Set the certificate request status to pending. The administrator must explicitly issue the certificate" versus the default "Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate".]
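The issuance check and the pending-request handling described above, done from the command line as an added example that is not part of the original post. The first part runs on a domain client as the user, the second on the CA (or on any machine with the AD CS management tools, via -config). The folder path, the CA config string and the request ID are assumptions.

```powershell
# Added example, not the post's own script. Paths and names are assumptions.

# --- Client side: trigger and confirm EFS autoenrollment -------------------
# The first EFS operation makes the user enroll for an EFS certificate. On a
# domain with an enterprise CA that means the Basic EFS template; with no CA
# reachable, Windows silently creates a self-signed EFS certificate instead.
New-Item -ItemType Directory -Path C:\Test -Force | Out-Null
cipher /e /s:C:\Test

# EKU 1.3.6.1.4.1.311.10.3.4 is "Encrypting File System". A certificate whose
# Issuer equals its Subject and that expires about 100 years out is the
# self-signed fallback, i.e. the request never reached the CA (check template
# permissions and the autoenrollment GPO in that case).
$efsEku = '1.3.6.1.4.1.311.10.3.4'
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsEku } |
    Select-Object Subject, Issuer, NotAfter, Thumbprint |
    Format-Table -AutoSize

# --- CA side: the same request in the CA database --------------------------
$caConfig = 'DC01.semih.local\semih-DC01-CA-1'

# Issued certificates (Disposition 20) from the Basic EFS template, whose
# internal name is "EFS".
certutil -config $caConfig -view -restrict "CertificateTemplate=EFS,Disposition=20" `
    -out "RequestID,RequesterName,NotBefore,NotAfter,SerialNumber"

# When the policy module or the template requires manager approval, requests
# wait at Disposition 9 (pending): the Pending Requests folder in the console.
# List them, then approve (resubmit) or deny by request ID.
certutil -config $caConfig -view -restrict "Disposition=9" `
    -out "RequestID,RequesterName,CertificateTemplate,SubmittedWhen"
$requestId = Read-Host 'Request ID to approve'     # taken from the list above
certutil -config $caConfig -resubmit $requestId    # approve and issue
# certutil -config $caConfig -deny $requestId      # or reject it instead
```

Issuing a pending request with -resubmit is logged as a separate audit event from the original submission, so an approval trail exists once CA auditing is enabled.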

 

Depending on the PKI design, the permissions granted to users and groups are set on the Security tab of the CA properties. "Manage CA" (CA administrator) and "Issue and Manage Certificates" (certificate manager) give control over the CA itself, including which templates it publishes and which pending requests are issued; keep them to a small dedicated group and audit changes to them. "Request Certificates" for Authenticated Users is the default and is what allows autoenrollment to work.

 

[Screenshot: CA Properties, Security tab: Authenticated Users, Domain Admins (SEMIH\Domain Admins), Enterprise Admins (SEMIH\Enterprise Admins), Administrators (SEMIH\Administrators); permissions for Administrators: Issue and Manage Certificates, Manage CA, Request Certificates, each with Allow/Deny.]

 

Permissions can also be delegated per certificate template, for example 802.1X certificates managed by one IT team and another template by a different team; that is done on each template's Security tab. The Enrollment Agents tab below is where enrollment-agent delegation is restricted: which agents may enroll on behalf of which users, for which templates. The default "Do not restrict enrollment agents" means that any holder of an enrollment agent certificate can request certificates on behalf of any user, so if an Enrollment Agent template is published on the CA this should be switched to "Restrict enrollment agents".

 

[Screenshot: CA Properties, Enrollment Agents tab: "Do not restrict enrollment agents" (selected) or "Restrict enrollment agents", with lists of enrollment agents, certificate templates and permissions.]

 

To keep a log of who did what on the CA, select the relevant options under Events to audit (CA Properties, Auditing). As the tab notes, the events reach the Security log only if "Audit object access" (on current systems, its "Certification Services" subcategory) is enabled through Group Policy or auditpol.

 

[Screenshot: CA Properties, Auditing tab: "To start logging events to the security log, you must enable the 'Audit object access' setting in Group Policy." Events to audit: back up and restore the CA database; change CA configuration; change CA security settings; issue and manage certificate requests; revoke certificates and publish CRLs; store and retrieve archived keys; start and stop Active Directory Certificate Services.]
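The Auditing and Security tabs above, driven from the command line and read back, as an added example that is not part of the original post. It runs on the CA as a CA administrator; the event IDs are the standard Certification Services audit events.

```powershell
# Added example, not the post's own script. Run on the CA as a CA administrator.

# 1. Events to audit. AuditFilter is a bitmask of the seven checkboxes:
#    1 backup/restore, 2 change CA configuration, 4 change CA security,
#    8 issue and manage requests, 16 revoke/publish CRLs, 32 archived keys,
#    64 start/stop the service. 127 enables all of them.
certutil -setreg CA\AuditFilter 127

# 2. The CA only writes to the Security log when the Certification Services
#    subcategory of Object Access auditing is on (the "Audit object access"
#    note on the Auditing tab). Set it here or through Group Policy.
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# 3. The new AuditFilter is read at service start.
Restart-Service certsvc

# 4. Verify, then read back what the CA has logged.
certutil -getreg CA\AuditFilter
$ids = 4870, 4872, 4882, 4885, 4886, 4887, 4888, 4889, 4891, 4892
#      4870 certificate revoked          4872 CRL published
#      4882 CA security changed          4885 audit filter changed
#      4886 request received             4887 request approved, certificate issued
#      4888 request denied               4889 request set to pending
#      4891 configuration entry changed  4892 CA property changed
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids } -MaxEvents 50 |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# 5. The Security tab as data: who holds Manage CA / Issue and Manage
#    Certificates. Any change here shows up as event 4882 once auditing is on.
certutil -getreg CA\Security
```

Forward 4882, 4885, 4891 and 4892 to the SIEM: a change to the CA's ACL, audit filter or configuration is rare in normal operation and is exactly what an attacker who has reached the CA does first.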

 

An issued certificate can be revoked when needed, as below (Issued Certificates, right-click, All Tasks, Revoke Certificate). Give a specific reason code rather than Unspecified; "Certificate Hold" is the only reason that can later be undone, all the others are permanent.

 

[Screenshot: certsrv, Issued Certificates, right-click on the Basic EFS certificate, All Tasks: View Attributes/Extensions, Export Binary Data, Revoke Certificate.]

 

[Screenshot: Certificate Revocation dialog: "Are you sure you want to revoke the selected certificate(s)?", reason code (Unspecified), date and time.]

 

[Screenshot: Revoked Certificates: revocation date 1/19/2021 1:03 AM, effective revocation date 1/19/2021 1:02 AM, revocation reason Unspecified, requester name SEMIH\administrator.]

 

[Screenshot: Internet Options, Advanced, Security settings, including "Check for publisher's certificate revocation" and "Check for server certificate revocation".]

 

Every CA has a CRL distribution point (CDP) URL, recorded in each certificate it issues. Clients fetch the CRL from there to check whether a previously issued certificate has been revoked.

 

 

Revoked certificates are published by AD CS in the CRL (Revoked Certificates, All Tasks, Publish). Note the warning in the dialog: a client that has already cached a valid CRL keeps using it until it expires, so a revocation is not seen immediately unless the CRL lifetime is short or the Online Responder (OCSP) is used.

 

[Screenshot: certsrv, Revoked Certificates, right-click, All Tasks, Publish.]

 

[Screenshot: Publish CRL dialog: "The latest published Certificate Revocation List (CRL) is still valid. Clients may not receive a new CRL until after their current one expires." Type of CRL to publish: New CRL (a complete CRL with up-to-date revocation information) or Delta CRL only (only the updates made since the last publication).]
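The revoke-and-publish procedure above from the command line, followed by the client-side check, as an added example that is not part of the original post. It runs on the CA as a certificate manager; the CA config string and the certificate file path are assumptions, and the serial number is read in rather than guessed.

```powershell
# Added example, not the post's own script. Run on the CA as a certificate
# manager. The CA config string and file paths are assumptions.

$caConfig = 'DC01.semih.local\semih-DC01-CA-1'

# 1. Find the certificate to revoke. Disposition 20 = issued.
certutil -config $caConfig -view `
    -restrict "RequesterName=SEMIH\administrator,Disposition=20" `
    -out "RequestID,SerialNumber,CertificateTemplate,NotAfter"

# 2. Revoke by serial number with a CRLReason code:
#    0 Unspecified, 1 Key Compromise, 2 CA Compromise, 3 Affiliation Changed,
#    4 Superseded, 5 Cessation of Operation, 6 Certificate Hold.
#    Only Certificate Hold is reversible (reason -1 unrevokes); prefer a real
#    reason over Unspecified so the CRL says why the key is no longer trusted.
$serial = Read-Host 'Serial number from step 1'
certutil -config $caConfig -revoke $serial 1

# 3. Publish a complete CRL (the "New CRL" choice in the Publish CRL dialog).
#    Clients that cached the previous CRL keep honouring the certificate until
#    that CRL expires, so this is not an instant kill.
certutil -config $caConfig -crl

# 4. How long that window is, and where clients fetch the CRL from.
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod
certutil -getreg CA\CRLPublicationURLs

# 5. Confirm on the CA (Disposition 21 = revoked) ...
certutil -config $caConfig -view -restrict "Disposition=21" `
    -out "RequestID,SerialNumber,Revocation.Reason,Revocation.EffectiveWhen"

# ... and from the client's point of view: fetch the CRL over the CDP URL in a
#    copy of the certificate and report its revocation status.
certutil -verify -urlfetch 'C:\Temp\revoked.cer'    # path assumed
```

For a key compromise, shorten the window by lowering CRLPeriodUnits (or enabling delta CRLs) before the incident rather than after it: a new CRL period only applies to CRLs published from then on.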

 

AD CS web enrollment is reached from a browser at http://<AD CS host name or IP>/certsrv. A certificate request can be submitted there and the CA certificate can be downloaded. Because this endpoint accepts Windows (NTLM) authentication, it should be published only over HTTPS with Extended Protection for Authentication enabled, and NTLM disabled on it where possible; over plain HTTP it is a well-known target for NTLM relay attacks that obtain certificates in another account's name.

 

Besides requesting a user certificate, the CA certificate and the published CRL can also be downloaded from the web enrollment pages.

 

 

 

 

 

A certificate request is created from Microsoft IIS with the steps below (Server Certificates, Create Certificate Request). The request is submitted to the CA, and the issued certificate is then installed in IIS with Complete Certificate Request. Choose a bit length of at least 2048 in the wizard; its default is 1024.

The same request-and-import procedure applies to certificates obtained from a public certification authority.

 

[Screenshot: IIS Manager, Server Certificates (semih-DC01-CA-1 and DC01.semih.local listed), Create Certificate Request, Distinguished Name Properties: common name WEB1.semih.local, organization, organizational unit, city/locality, state/province, country/region. State/province and city/locality must be official names without abbreviations.]

 

[Screenshot: Request Certificate, Cryptographic Service Provider Properties: Microsoft RSA SChannel Cryptographic Provider and bit length.]

 

[Screenshot: Request Certificate, File Name: file name for the certificate request (.txt), to be sent to a certification authority for signing.]

 

 

[Screenshot: AD CS web enrollment (semih-DC01-CA-1), Submit a Certificate Request or Renewal Request: the base-64-encoded PKCS #10 request is pasted into Saved Request and a certificate template is chosen from Administrator, Basic EFS, EFS Recovery Agent, User, Subordinate Certification Authority, Web Server.]

 

 

[Screenshot: IIS Manager, Server Certificates, before the request is completed: only semih-DC01-CA-1 and DC01.semih.local are listed.]

 

[Screenshot: Complete Certificate Request: file containing the certification authority's response, friendly name WEB1, certificate store Web Hosting.]

 

[Screenshot: IIS Manager, Server Certificates now also lists WEB1.semih.local, issued by semih-DC01-CA-1, expiring 1/19/2023. Certificate details: "Ensures the identity of a remote computer", valid from 1/19/2021 to 1/19/2023, "You have a private key that corresponds to this certificate".]
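The IIS request, submission and completion steps above done with certreq, which is what the IIS wizard wraps, as an added example that is not part of the original post. It runs on the web server as an administrator; the host name WEB1.semih.local and the CA name come from the screenshots, the working directory is an assumption, and the subject fields other than CN are left out because their values are not visible in the post.

```powershell
# Added example, not the post's own script. Run on the web server (WEB1) as an
# administrator. Host name, CA config string and paths are assumptions.

$fqdn     = 'WEB1.semih.local'
$caConfig = 'DC01.semih.local\semih-DC01-CA-1'
$work     = 'C:\Temp\web1'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Request parameters (what the IIS wizard asks for). The wizard defaults to a
#    1024-bit key; 2048 is the floor. Browsers ignore the subject CN and require
#    the host name in a Subject Alternative Name, so one is added explicitly.
@"
[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = true
Exportable = false
RequestType = PKCS10
[Extensions]
2.5.29.17 = "{text}dns=$fqdn"
[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path "$work\web1.inf" -Encoding ASCII

# 2. Generate the key pair in the machine store and the base-64 CSR
#    (equivalent to "Create Certificate Request").
certreq -new "$work\web1.inf" "$work\web1.req"

# 3. Submit to the enterprise CA. The Web Server template issues immediately by
#    default; if it required approval the request would wait in Pending Requests
#    and no certificate would be returned until an administrator issued it.
certreq -submit -config $caConfig "$work\web1.req" "$work\web1.cer"

# 4. Install the certificate next to its private key
#    (equivalent to "Complete Certificate Request").
certreq -accept "$work\web1.cer"

# 5. Bind it to the default site on 443 and verify chain and revocation.
Import-Module WebAdministration
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object Subject -eq "CN=$fqdn" |
    Sort-Object NotBefore -Descending | Select-Object -First 1
New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null
certutil -verify -urlfetch "$work\web1.cer"
```

Exportable = false keeps the private key from leaving the machine store, which is the right default for a server certificate; set it to true only when the same certificate has to be moved to a load balancer or a second node.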

 
