Configure Windows based Certification Authority to issue SAN certificates

Exchange Server 2007 and Exchange Server 2010 rely heavily on certificates to secure communication between servers and clients. Most of the Exchange deployments I have seen so far use SAN certificates for their Client Access (CAS) and Hub Transport (HT) servers.

When you go with a third-party CA you pay for every certificate, usually per year or according to your subscription.

To avoid paying third-party CAs while still keeping communications secure, many companies deploy their own internal CA. Once the internal CA is in place, one problem you typically run into is issuing certificates that carry multiple subject names (a Subject Alternative Name, or SAN, extension). Neither Windows Server 2003 nor Windows Server 2008/R2 accept a SAN supplied as a request attribute by default: the default policy module configured during CA installation leaves that behaviour disabled.

To allow the CA to issue certificates for requests that pass the Subject Alternative Name as a request attribute, you must enable the EDITF_ATTRIBUTESUBJECTALTNAME2 flag with the CERTUTIL.EXE tool on the CA.

To enable SAN issuance from request attributes on the CA, follow the steps below:

1. Open an elevated command prompt, or one running as a user who has permission to manage the CA.

2. Run the command certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

3. This command adds the EDITF_ATTRIBUTESUBJECTALTNAME2 bit to the EditFlags value of the default policy module, stored in the registry at HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<Server Name>\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy

The output looks like the following (the values on your CA may differ from this example):

C:\>certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<Server Name>\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\EditFlags:

Old Value:
  EditFlags REG_DWORD = 11014e (1114446)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ENABLEDEFAULTSMIME -- 10000 (65536)
    EDITF_ENABLECHASECLIENTDC -- 100000 (1048576)

New Value:
  EditFlags REG_DWORD = 15014e (1376590)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ENABLEDEFAULTSMIME -- 10000 (65536)
    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)
    EDITF_ENABLECHASECLIENTDC -- 100000 (1048576)
CertUtil: -setreg command completed successfully.
The CertSvc service may need to be restarted for changes to take effect.

4. Restart Active Directory Certificate Services (the CertSvc service) from the Services snap-in or from the command prompt; the new EditFlags value is only read when the policy module loads.

5. Once the service is back up, you can request a certificate with a SAN through the CA web enrollment pages by supplying the names as a request attribute.

Warning! Do not enable this flag on an Enterprise CA whose certificates are trusted for domain logon. With EDITF_ATTRIBUTESUBJECTALTNAME2 set, the SAN comes from a request attribute that any enrollee can type, for any template the CA offers, so a low-privileged user can request a certificate carrying the UPN of a domain administrator and authenticate as that account. If you must enable it, do so only on a standalone CA dedicated to issuing SAN certificates. The safer alternative on an Enterprise CA is a certificate template whose subject name is set to "Supply in the request", with enrollment permissions limited to the administrators who request server certificates and CA certificate manager approval turned on.
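The check and the request a practitioner wants next, as an added example that is not part of the original post. The first half reads the same EditFlags value the certutil output above shows and reports whether the risky bit is set; the second half builds a SAN request with certreq in which the names travel inside the PKCS#10 extension, so it is honoured by a template set to "Supply in the request" (the built-in WebServer template is) without the flag. The CA name is read from the registry; the host names, the WebServer template and the file names are assumed placeholders.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the CA. Host names, template and file names are assumptions.

# --- 1. Audit: is EDITF_ATTRIBUTESUBJECTALTNAME2 set on this CA? ---
$caRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $caRoot).Active        # name of the active CA
$policyKey = "$caRoot\$caName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"

$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000                    # 262144, as certutil prints it
$editFlags = (Get-ItemProperty -Path $policyKey).EditFlags

if ($editFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) {
    Write-Warning ("{0}: EditFlags=0x{1:x}; SAN is taken from request attributes, so any enrollee can name any principal. Revert with: certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2 (then Restart-Service certsvc)" -f $caName, $editFlags)
} else {
    Write-Host ("{0}: EditFlags=0x{1:x}; SAN request attributes are ignored (default)." -f $caName, $editFlags)
}

# --- 2. A SAN request that does not depend on the flag ---
# The SAN (OID 2.5.29.17) is embedded in the request itself. The CA keeps it
# when the template's subject name is "Supply in the request".
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=mail.contoso.example"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=mail.contoso.example&"
_continue_ = "dns=autodiscover.contoso.example"

[RequestAttributes]
CertificateTemplate = WebServer
'@
Set-Content -Path .\san.inf -Value $inf -Encoding ASCII

certreq -new .\san.inf .\san.req
certreq -submit -config "$env:COMPUTERNAME\$caName" .\san.req .\san.cer
# With manager approval on the template, -submit reports the request as pending
# and prints a RequestId; after a CA manager issues it, fetch it with:
#   certreq -retrieve <RequestId> .\san.cer
certreq -accept .\san.cer                                    # bind the cert to its private key

# For comparison, this is what the flag in the post enables: the same names
# passed as a request attribute, which is exactly what the web enrollment
# "Additional Attributes" box sends. Not needed when the SAN is in the request.
#   certreq -submit -attrib "SAN:dns=mail.contoso.example&dns=autodiscover.contoso.example" .\san.req .\san.cer
```

An Exchange 2010 request produced by New-ExchangeCertificate -GenerateRequest with -DomainName already carries the SAN in the PKCS#10, so the same -submit command issues it against a "Supply in the request" template; that is the route to prefer over enabling the flag on an Enterprise CA.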

References:

Security best practices for allowing SANs in certificates

 

Installing Windows 2008 R2 ADRMS and Configuring for Exchange 2010 IRM – Part 4

In the previous three posts of this series I showed how to install AD RMS and do the initial configuration of AD RMS and Exchange 2010. In this part I will show how to grant the permissions you want to each set of users with AD RMS rights policy templates. As mentioned in part three, the rights granted by the default policy templates are sometimes not enough, or you may need to grant additional rights to some users. The AD RMS feature that addresses this is called Rights Policy Templates, and we will see how to configure them.

32. To create a new policy template: select Rights Policy Templates in the left-hand pane, then click Create Distributed Rights Policy Template.

image

33. Create a folder named RMS_Templates at a location of your choice and share it. Grant Authenticated Users read access to the folder (clients only need to read the exported templates) and grant the AD RMS service account Full Control (it writes them). Then right-click the Rights Policy Templates node shown in the figure above, select Properties, and point the template distribution location at this share. Read more at Creating an AD RMS Rights Policy Template.

image

34. This opens the Create Distributed Rights Policy Template wizard. Click Add.

image

35. Provide a meaningful name and description for the new template and click Add.

image

36. Click Next on the wizard page shown in step 34.

37. Suppose you have a group of people who should only be able to view certain e-mails and must not be able to forward, reply to or print them. Create a distribution group for them in the EMC and add them as members. Then specify that group in the open AD RMS wizard and select only the View right in the rights list. You can configure expiration, revocation or extended policy on the following wizard pages, or simply click Finish.

image

38. On the next page you can set the expiration policy. Expiration settings depend entirely on your company's requirements.

image

39. On the next page you can specify the extended policies shown in the figure below. If you have OWA users it is recommended that you select the setting shown. Click Finish to complete the wizard.

image

40. After you complete the wizard, the new template appears in the AD RMS management snap-in. To review the rights configured in it, right-click the template and select View Rights Summary.

image

41. The next, and important, step is to deploy this template to the clients. A few more settings have to be configured; they are explained well in the TechNet article Configuring the AD RMS client.

42. Once the templates are configured, follow Configuring the AD RMS client to configure the clients. You can use Group Policy or System Center Configuration Manager to deploy the settings across the whole organization.

43. If you have followed the article Configuring the AD RMS client correctly, the newly created templates will show up in your AD RMS-aware applications, for instance Outlook.

image

44. You will also find the XML templates downloaded to the %LocalAppData%\Microsoft\DRM\Templates folder of the currently logged-on user.

  • If this folder, or its contents, does not exist, create the folder hierarchy manually.
  • Likewise, if the registry key HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\DRM does not exist, create it manually and add the expandable string value AdminTemplatePath pointing at that folder.
  • For Office 2010 the key is HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\DRM instead.

Again, you must follow the article Configuring the AD RMS client.
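The two pieces of configuration from steps 33 and 44, as an added PowerShell example that is not part of the original post or of the TechNet article: the template distribution share with read-only access for clients and write access for the service account, and the per-user folder and AdminTemplatePath value on the client. The folder path, share name, server name and service account are assumed placeholders.

```powershell
# Added example (not from the original post). Two functions: run the first
# elevated on the server that will host the template share (step 33), the
# second as the end user on a client (step 44). All names are assumptions.

function Initialize-RmsTemplateShare {
    param(
        [string]$Path           = 'C:\RMS_Templates',
        [string]$ShareName      = 'RMS_Templates',
        [string]$RmsServiceAcct = 'CONTOSO\svc_adrms'   # assumed AD RMS service account
    )
    New-Item -Path $Path -ItemType Directory -Force | Out-Null

    # NTFS: clients only read the exported XML; only the service account writes it.
    icacls $Path /grant "Authenticated Users:(OI)(CI)RX" `
                 /grant "${RmsServiceAcct}:(OI)(CI)F" | Out-Null

    # Share permissions mirror the NTFS ACL (least privilege on both layers).
    # net share is used because New-SmbShare does not exist on 2008 R2.
    $netShare = "net share $ShareName=`"$Path`" /GRANT:`"Authenticated Users`",READ /GRANT:$RmsServiceAcct,FULL"
    cmd /c $netShare | Out-Null
}

function Initialize-RmsClientTemplates {
    param(
        [string]$TemplateShare = '\\adrms01\RMS_Templates',   # assumed UNC of the share above
        [string]$OfficeVersion = '12.0'                      # 12.0 = Office 2007, 14.0 = Office 2010
    )
    # Per-user folder the templates are copied into.
    $localTemplates = Join-Path $env:LOCALAPPDATA 'Microsoft\DRM\Templates'
    New-Item -Path $localTemplates -ItemType Directory -Force | Out-Null

    # AdminTemplatePath is an expandable string, so keep the %LocalAppData%
    # form rather than the resolved path.
    $drmKey = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Common\DRM"
    if (-not (Test-Path $drmKey)) { New-Item -Path $drmKey -Force | Out-Null }
    New-ItemProperty -Path $drmKey -Name 'AdminTemplatePath' -PropertyType ExpandString `
        -Value '%LocalAppData%\Microsoft\DRM\Templates' -Force | Out-Null

    # Pull the XML files the AD RMS server exported to the share.
    Copy-Item -Path (Join-Path $TemplateShare '*.xml') -Destination $localTemplates -Force
}

# Usage (each on its own machine):
#   Initialize-RmsTemplateShare
#   Initialize-RmsClientTemplates -OfficeVersion '14.0'
```

After the client function runs, Outlook lists the new template under Permission on the next start; if it does not, check that the share actually contains the exported XML (the Rights Policy Templates properties dialog from step 33 must have export enabled) before touching the registry again.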

image

In the next part I will show how to use Exchange 2010 transport rules to apply these templates and automatically protect e-mail messages and Office attachments.

 

Related Posts:

Installing Windows 2008 R2 ADRMS and Configuring for Exchange 2010 IRM – Part 1
Installing Windows 2008 R2 ADRMS and Configuring for Exchange 2010 IRM – Part 2

Installing Windows 2008 R2 ADRMS and Configuring for Exchange 2010 IRM – Part 3