Configuring a Secure Socket Layer (SSL) Certificate Template for Web Server

Author Uwe GradeneggerPosted on Categories Certificate usageTags , , , , , ,

Below is a guide to configuring a web server template with recommended settings.

This step requires Enterprise Administrator or appropriately delegated rights to create and edit certificate templates.

Certificate template configuration

The certificate template is configured via the Certificate Template Management Console (certtmpl.msc).

The default certificate template "Web Server" is used as a starting point and a copy of it is created.

Compatibility" tab

We intend, Key Storage Provider (KSP) to be used. For this, it is necessary to set the compatibility settings for the certificate authority and certificate recipient to "Windows Vista" or "Windows Server 2008".

General" tab

A meaningful name is used in the "General" tab. The certificate validity should not be higher than two years.

Apple meanwhile enforcesthat web server certificates are not valid for more than two years (825 days).

Chrome and Safari the certificate validity meanwhile even to only one year. (398 days), but internal Certification Authorities are explicitly excluded from this restriction.

The "Renewal Period" is not relevant, since automatic renewal is not possible with this form of certificate submission.

Request Handling" tab

In the "Request Handling" tab, the Purpose must be adapted to the key algorithm to be used. The background to this is that different requirements are placed on the "Key Usage" extension of the certificate depending on the key type (See RFC 5246 and RFC 4492).

Key algorithmValue
RSASignature and Encryption
ECDSASignature
ECDHSignature and Encryption

Cryptography" index card

In the "Cryptography" tab, the "Key Storage Provider" category must now be selected and the respective key algorithm.

The Microsoft Software Key Storage Provider should be selected as the provider if it is not intended to store the keys, for example, with a Trusted Platform Module (TPM) to protect

If a Cryptographic Service Provider (CSP) is to be used, the "Microsoft RSA SChannel Cryptographic Provider"must be used. This only supports AT_KEYEXCHANGE, so the Purpose must be set to "Signature and Encryption" in the "Request Handling" tab. In principle, a key storage provider should be preferred if possible.

The choice of provider only affects certificate requests that read the certificate template during the request (i.e., manual or automatic certificate requests via autoenrollment).

Subject Name" tab

In the "Subject Name" tab, make sure that the "Supply in the request" option is selected (default setting). This causes that the applicant can determine the identity in the certificate. This is necessary because websites often use an alias that cannot be mapped as a Kerberos identity. Accordingly, the identity of the requester and that of the website differ from each other.

Since the previous setting involves a security risk (the requester could request certificates for any subject names), it is mandatory that the "CA certificae manager approval" option be set in the "Issuance Requirements" tab. This ensures that the certificate request is not issued directly, but instead ends up in the "Pending Requests" folder, where a certificate manager can check them.

If you uncheck the box for "CA certificate manager approval", a warning message will also appear.

Security" tab

In the "Security" tab, the desired person or user group can now be granted the "Enroll" right.

Since the certificate template is configured so that incoming certificate requests end up in the "Pending Requests" folder and must first be reviewed and approved by a certificate manager, granting the "Enroll" right as in this example is not a security risk.

Further safety hardening

Restricting the requestable certificate content (for example, which domain names can be requested) and ensuring that the correct key algorithm is used can be done with the TameMyCerts Policy Module for the Certification Authority be ensured.

Apply for a web server certificate

The procedure for applying is described in the article "Manually requesting a web server certificate" described.

Related links:

External sources

14 thoughts on “Konfigurieren einer Secure Socket Layer (SSL) Zertifikatvorlage für Web Server”

  1. Pingback: Installation of a Certificate Enrollment Web Service (CES) | Uwe Gradenegger
  2. Pingback: Installation of a Certificate Enrollment Policy Web Service (CEP) - Uwe Gradenegger
  3. Pingback: Inspect a certificate request (CSR) - Uwe Gradenegger
  4. Pingback: Enabling Secure Sockets Layer (SSL) for the Network Device Enrollment Service (NDES) - Uwe Gradenegger
  5. Pingback: Using Microsoft Network Load Balancing (NLB) for Certificate Enrollment Web Services (CEP, CES) - Uwe Gradenegger
  6. Pingback: Installing the Certification Authority Web Registration (CAWE) - Uwe Gradenegger
  7. Pingback: Manual application for a web server certificate - Uwe Gradenegger
  8. Pingback: The role configuration for the Certificate Enrollment Policy Web Service (CEP) fails with error message "Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)" - Uwe Gradenegger
  9. Pingback: Basics: Cryptographic Service Provider (CSP) and Key Storage Provider (KSP) - Uwe Gradenegger
  10. Pingback: Basics: The Key Usage Certificate Extension - Uwe Gradenegger
  11. Pingback: Basics: Name Constraints - Uwe Gradenegger
  12. Pingback: Issue certificates with shortened validity period - Uwe Gradenegger
  13. Pingback: A policy module to tame them: Presentation of the TameMyCerts Policy Module for the Microsoft Certification Authority - Uwe Gradenegger
  14. Pingback: Chrome and Safari limit SSL certificates to one year validity - Uwe Gradenegger

Comments are closed.

en_USEnglish
de_DEDeutsch en_USEnglish