Basic Administrative Tasks
Applies To: Windows Server 2003 with SP1
For day to day tasks, it is usually preferable to create a standard procedure. A procedure is usually organization-dependent as the processes and people differ from organization to organization. There are usually common practices employed by most organizations when doing the common day to day administrative tasks.
Adding Certificate Templates to a CA
A certificate template profiles certificates based on their intended use. When requesting a certificate from a Microsoft certification authority (CA), depending on their access rights, the certificate requester will be able to select from a variety of certificate types that are based on certificate templates, such as User and Basic EFS. The certificate template saves users from low-level, technical decisions about the type of certificate that they need. Instead, they can rely on the judgment of their administrators and use the template name that indicates the purpose of the certificate. If none of the preset certificate templates meets your needs, you can create new certificate templates and customize them for a variety of different uses.
Note
In addition to assigning the correct permissions for enrollment on a certificate template in Active Directory; you also need to add the template to the list of certificate templates a CA can issue if you want your users to start enrolling for this template.
Note
Only Windows Server 2003 and Windows 2000 Enterprise CAs can issue certificates based on certificate templates; stand-alone CAs cannot use certificate templates.
Note
You need to be part of the Enterprise Admins or the Domain Admins, or you need to have enough permissions to write to the Certificate Templates container in Active Directory.
To change the permissions on a certificate template for user enrollment
Right-click the Certificate Templates node in the Certification Authority snap-in and select Manage.
Double-click a certificate template.
On the Security tab, check the Allow boxes for the Read and Enroll permissions.
To add a certificate template to a CA
Right-click the Certificate Templates node in the Certification Authority snap-in, and on the New submenu, select Certificate Template to Issue.
Select the appropriate template and click OK.
Note
You need to be a CA Administrator to add templates to the CA.
Delegating Administration of Certificate Templates
Although most of the CA-related tasks are achieved through the administration of the CA itself, certain tasks are controlled through Active Directory, such as administration of Certificate Templates.
To delegate the administration of Certificate Templates
Right-click the Certificate Templates node in the Certification Authority snap-in and select Manage.
Double-click a certificate template.
On the Security tab, check the Allow boxes for the Read and Write permissions.
Issuing Certificates
There are some questions you need to answer and document before issuing a certain certificate. These questions are more relevant to how the certificate is issued from an operational side rather than a technical side.
Does my organization currently employ a Certificate Practice Statement (CPS) for this CA? If it does, did the requester meet all the requirements for enrollment?
Are there special requirements that the person issuing the certificate (such as being an Officer) that I must fulfill as an administrator?
Are there any documented operational procedures for my organization that I must follow when issuing certificates (such as backup)?
Are there any special attributes that must be included in the certificate that are not included in the request (such as Certificate Policy)?
When these questions are answered, and all the requirements are fulfilled, issue the certificate by logging on as a user with Certificate Manager (CA Officer) permissions:
Left-click the Pending Requests node in the Certification Authority snap-in.
Right-click the request, then select Issue on the All Tasks submenu.
If one of the requirements is not met, you can either ensure that requirements are met (such as making the user supply more authentication information) then issuing the certificate, or you can deny the request.
To deny the request
Left-click the Pending Requests node in the Certification Authority snap-in.
Right-click the request, then select Deny on the All Tasks submenu.
In either case, make sure you document your actions and the answers to all four questions.
Important
The policy module will always re-process requests that are pended and if template, configuration, or user group information has changed after the request was originally submitted, the policy module will re-evaluate the request on the new information only.
Note
To re-submit a failed request and issue the failed request, a user must have both the CA Officer and CA Admin permissions on the CA. Obviously, this capability will not be possible when role separation is enabled on the CA.
Revoking Certificates
Although certificates are usually used to enhance the trust in an organization, removing the trust from a certain certificate is sometimes required. Before you revoke a certificate, make sure you answer and document the following questions:
What is the reason for revoking this certificate?
Who requested the revocation of this certificate?
Will I ever need this certificate again (such as verification of signatures or decryption of messages)? If yes, what is the need (that is, verification of signatures, decryption of messages, normal usage)?
Are there special requirements for the person revoking the certificate (such as being an Officer) that I must fulfill as an administrator?
Are there any documented operational procedures for my organization that I must follow when revoking certificates (such as backup)?
When all of these questions are answered, and all the requirements are fulfilled, revoke the certificate.
To revoke the certificate
Left-click the Issued Certificates node in the Certification Authority snap-in.
Right-click the certificate and select Revoke Certificate on the All Tasks submenu.
Choose the correct reason for revocation and click Yes.
Make sure you document your actions and the answers to all five questions.
Note
If you answered yes to question 3, and the need will be full or normal usage, make sure you choose Certificate Hold as the reason. This is the only reason that could allow a revoked certificate to be unrevoked.
If you revoke a certificate and the reason is Certificate Hold, and you decide later that you want to unrevoke the certificate, you need to answer and document the following questions:
Why am I revoking this certificate?
Who requested this task?
Are there special requirements from the person unrevoking the certificate (such as being an Officer) that I must fulfill as an administrator?
Are there any documented operational procedures for my organization that I must follow when revoking certificates (such as backup)?
Does my organization currently employ a Certificate Practice Statement (CPS) for this CA, and if it does, did the requester meet all the requirements for unrevoking the certificate?
When all of these questions are answered, and all the requirements are fulfilled, unrevoke the certificate.
To unrevoke the certificate
Left-click the Revoked Certificates node in the Certification Authority snap-in.
Right-click the revoked certificate, and select Unrevoke Certificate on the All Tasks submenu.
Make sure you document your actions and the answers to all four questions.
Note
Unrevoking a certificate is considered dangerous if misused. Ensure proper operations and documentation when you unrevoke a certificate.