Managing Certificates

AD Certificate Services and CA Web Enrollment

Active Directory Certificate Services equips a server with the ability to establish and manage a certificate authority (CA) and its certificates. Depending on which role services are installed on a server, AD Certificate Services also provides enrollment services that mediate the interaction between clients and the CA regarding certificates. One of them is CA Web Enrollment.

CA Web Enrollment acts as a proxy through which client computers obtain certificates. Normally, a user has to be inside the domain to receive a certificate. With this feature, a client can access the web service through a web browser and manually request a certificate from the CA. After the request is sent, the CA can issue a certificate for the request and place it on the web enrollment page for the client to download.

A server that runs CA Web Enrollment does not have to be a CA. The benefit of separating the service is to balance the web traffic across servers. Clients also do not need to contact the CA directly, as the HTTPS request is processed by the web enrollment pages first and then passed on to AD and the CA.

Key Archival and Key Recovery Agent

One of the features AD Certificate Services offers is key archival. Its purpose is to archive users' private keys in the CA database in case a user loses their encryption certificate. Losing the private key means you can no longer access files that have already been encrypted with that specific private key. Key archival keeps those keys safely in the CA database and can recover them for clients who have lost their encryption certificate.

Basically, after the CA exchanges certificates with the client, the public and private keys are generated on the client machine. The client then sends its private key encrypted with the CA's exchange certificate, so that only the CA can decrypt it. The CA then validates that the received private key matches the signature on the request. Once that is done, the key recovery agent comes into play.

A key recovery agent (KRA) is a certificate assigned only to specific users, as it has an essential function in the key archival process. The received private key is encrypted with the 3DES algorithm, with the KRA's public key used as an additional layer of encryption. A minimum of one KRA is needed for key archival to be enabled.
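As an added illustration (not from the original post), the layering described in the two paragraphs above modelled with Python's `cryptography` library: the archived private key is encrypted with 3DES, and that 3DES key is wrapped with the KRA's public key, so recovery requires the KRA's private key. The RSA-OAEP wrapping and the blob layout are assumptions for this example, not the Windows CA database format.

```python
import os
from cryptography.hazmat.primitives import hashes, serialization, padding as sym_padding
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.hazmat.primitives.ciphers import Cipher, modes
try:  # cryptography >= 43 moved 3DES into the "decrepit" namespace
    from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
except ImportError:
    from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES

# Assumption: RSA-OAEP wraps the 3DES key. The real CA blob format differs; the
# layering (private key under 3DES, 3DES key under the KRA public key) is the point.
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)

def archive_private_key(client_key, kra_public_key):
    """Client side: encrypt the private key under a fresh 3DES key and wrap
    that 3DES key with the KRA's public key, so only a KRA holder can unwrap it."""
    key_pem = client_key.private_bytes(serialization.Encoding.PEM,
                                       serialization.PrivateFormat.PKCS8,
                                       serialization.NoEncryption())
    des_key, iv = os.urandom(24), os.urandom(8)  # 192-bit 3DES key, 64-bit IV
    padder = sym_padding.PKCS7(64).padder()
    enc = Cipher(TripleDES(des_key), modes.CBC(iv)).encryptor()
    encrypted = enc.update(padder.update(key_pem) + padder.finalize()) + enc.finalize()
    return {"iv": iv, "encrypted_key": encrypted,
            "wrapped_3des_key": kra_public_key.encrypt(des_key, OAEP)}

def recover_private_key(blob, kra_private_key):
    """KRA side: unwrap the 3DES key, then decrypt and parse the archived key."""
    des_key = kra_private_key.decrypt(blob["wrapped_3des_key"], OAEP)
    dec = Cipher(TripleDES(des_key), modes.CBC(blob["iv"])).decryptor()
    unpadder = sym_padding.PKCS7(64).unpadder()
    padded = dec.update(blob["encrypted_key"]) + dec.finalize()
    pem = unpadder.update(padded) + unpadder.finalize()
    return serialization.load_pem_private_key(pem, password=None)

def demo():
    """Constructed run: archive a client key, recover it as the KRA, and show
    that a private key other than the KRA's cannot unwrap the 3DES key."""
    client, kra, outsider = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    blob = archive_private_key(client, kra.public_key())
    recovered = recover_private_key(blob, kra)
    try:
        recover_private_key(blob, outsider)
        outsider_can_recover = True
    except ValueError:  # OAEP unwrap fails for any key other than the KRA's
        outsider_can_recover = False
    return {"kra_recovers_matching_key":
                recovered.public_key().public_numbers() == client.public_key().public_numbers(),
            "outsider_can_recover": outsider_can_recover}
```

The matching-key check at the end mirrors the CA's validation step: a recovered private key is only useful if it pairs with the public key in the original request.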

User Certificates

User certificates comprise the various kinds of certificates that systems on a network need in order to gain access to a certain feature. Basically, they ensure that the computer communicating with AD is the correct one, as assigned by the certificate services. These user certificates sign and encrypt public keys in the communication to prove their validity.

There are also several templates for user certificates that can be set up. These templates help the administrator categorize which users receive which roles and authorizations. They are also highly customizable to the needs of the network.

The certificates a user has enrolled for are the key to identifying that user's roles and purposes. Some roles are simple, such as a normal user or basic EFS, and some carry important roles, like the key recovery agent, which is crucial for an archival system. Each of these has a different level of authorization to AD systems. For example, a smart card logon certificate allows access for people who have a smart card and provides its assigned authentication and encryption.
