Perform functional test for a Certification Authority

After installing a certification authority, after migrating to a new server, or after more extensive maintenance work, an extensive functional test should be performed to ensure that all components of the certification authority are working as desired.

Performing the functional test

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functions of the certification authority and enables the application of rules to realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can be downloaded via GitHub and used free of charge. Professional maintenance is also offered.

A functional test of the Certification Authority includes the following steps:

  • Verification of the connection to the private key
  • Ensure start of the certification authority service
  • Checking the Event Viewer of the certification authority
  • Test the connection to the enrollment interface of the certification authority
  • Generate and verify Certification Authority exchange certificate
  • Publish a certificate template on certification authority
  • Request a certificate from the Certification Authority
  • Revoke a certificate
  • Publish a certificate revocation list
  • Recheck the certificate

Details: Verification of the connection to the private key

In particular, if a hardware security module is used, the first thing to check is whether the connection to it works and the private key material can be used by the certification authority. The procedure for this is described in the article "Checking the connection to the private key of a certificate (e.g. when using a hardware security module)".

Details: Ensure the start of the certification authority service

Next, check that the Certificate Authority service starts correctly.

If you encounter problems with this step, the following articles may be helpful:

Details: Checking the Event Viewer of the certification authority

For information on the individual events, see the article "Overview of Windows events generated by the certification authority".

First, the Windows Event Viewer on the certification authority should be checked for any certification authority events that could indicate an error. For this purpose, there is a predefined view in the Event Viewer under "Custom Views" - "Server Roles" - "Active Directory Certificate Services", which already defines the required filters.

If you encounter problems with this step, the following articles may be helpful:

Details: Testing the connection to the enrollment interface of the certification authority

First, a simple test should be performed to see if clients can connect to the certificate authority. This can be achieved with the following command line command:

certutil -config {ConfigString} -ping

The ConfigString denotes the connection information to the certification authority in the format "{Servername}\{Common-Name}".

If you encounter problems with this step, the following articles may be helpful:

Details: Generate and verify certification authority exchange certificate

To ensure that the certification authority writes the CRL Distribution Point (CDP) and Authority Information Access (AIA) information and the certificate policies into the issued certificates, a sample certificate is required, the contents of which are subsequently verified.

The subsequent check can in principle be performed with any certificate issued by the certification authority. However, the certification authority exchange certificate is a good choice because it is automatically generated by the certification authority and can be requested by any user in Active Directory. Thus, at this point, the potentially cumbersome creation of a certificate request is not yet needed.

The certificate for the certificate authority exchange can be generated with the following command line command:

certutil -cainfo xchg > test.cer

The command can be executed directly on the certificate authority as listed above. For an Active Directory integrated certificate authority, it can also be executed by another domain member if the -config switch is included with the config string (Servername\Common-Name) as an argument.

If you encounter problems with this step, the following articles may be helpful:

The certificate created with the command can now be inspected by double-clicking on it.

The following contents of the certificate must be verified:

  • CRL Distribution Points (CDP)
  • Authority Information Access (AIA)
  • Certificate Policies

The CRL Distribution Point (CDP), Authority Information Access (AIA) addresses specified in the certificate can then be checked using the following command line command:

certutil -verify -urlfetch (unknown).cer

The -urlfetch switch bypasses local caching and results in command line output instead of a graphical interface. For more information, see the article "View and clear the revocation list address cache (CRL URL Cache)".

Due to the extensive output, it is recommended to redirect the command line output to a text file.

The command line output contains the respective check result for all addresses of all certificates in the chain. These should all have been checked successfully. Errors are output with a detailed error code describing the cause.

At the end of the command line output are the check results for certificate policy, revocation status and trust status (only in case of error).

Details: Publish a certificate template on the certification authority

In order to check the certificate authority's permissions on its pKIEnrollmentService object, and then to be able to apply for a certificate, a certificate template should now be published on the certificate authority.

If you encounter problems with this step, the following articles may be helpful:

Details: Request a certificate from the certification authority

To verify that the certificate enrollment policies are configured correctly and that the certificate authority can sign certificate requests, a certificate should now be requested from the previously published certificate template.

If the certification authority is in maintenance mode as described in the article "Putting an Active Directory integrated certification authority (Enterprise Certification Authority) into maintenance mode", the requesting user or computer object must temporarily be granted the "Request Certificates" right explicitly in the certification authority's security settings until maintenance mode is exited again.

If you encounter problems with this step, the following articles may be helpful:

Details: Revoke a certificate

In order to verify that the revocation of a certificate is correctly recognized by all participants in the network, the previously requested certificate should now be revoked. The procedure for revoking a certificate is described in the article "Revoking an issued certificate".

Details: Issue a certificate revocation list

After the certificate has been revoked, the creation of a certificate revocation list can now be tested. The procedure for issuing a certificate revocation list is described in the article "Create and publish a certificate revocation list".

The certificate revocation list should now be created, and the serial number of the revoked certificate should be found on it.

If you encounter problems with this step, the following articles may be helpful:

Details: Recheck the certificate

The revoked certificate should now be on the revocation list and should be recognized as revoked by the participants. Therefore, the steps described in the section "Generate and verify certification authority exchange certificate" should now be performed again to verify the addresses within the certificate.

To be on the safe side, the local cache for the revocation information should be cleared beforehand, as described in the article "View and clear the revocation list address cache (CRL URL Cache)".

The revocation of the certificate should now be correctly detected and reported.

If an online responder is used, it has a server-side cache so that it does not reflect the revocation of the certificate until the previous certificate revocation list has expired.
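The checks above, combined into one re-runnable script (an added example, not from the original article or from Microsoft). It assumes it runs on the certification authority itself (for the service and event checks), takes the config string and the path of the certificate under test (the exchange certificate saved with certutil -cainfo xchg, or the test certificate you later revoke) as parameters, and is run once before revocation and once with -ExpectRevoked after the CRL has been published.

```powershell
# Added functional-test script; the config string value and cert path are placeholders.
param(
    [Parameter(Mandatory)] [string] $ConfigString,  # "Servername\Common-Name", e.g. "ca01.corp.example\Corp Issuing CA"
    [Parameter(Mandatory)] [string] $CertPath,      # certificate under test (.cer)
    [switch] $ExpectRevoked,                        # set after revoking the cert and publishing the CRL
    [int] $EventLookbackHours = 24
)
$results = [System.Collections.Generic.List[object]]::new()
function Add-Result([string]$Step, [bool]$Passed, [string]$Detail) {
    $results.Add([pscustomobject]@{ Step = $Step; Passed = $Passed; Detail = $Detail })
}

# 1) Service state of the certification authority
$svc = Get-Service -Name CertSvc -ErrorAction SilentlyContinue
Add-Result 'CertSvc running' ([bool]$svc -and $svc.Status -eq 'Running') "$($svc.Status)"

# 2) Recent errors/warnings from the CA in the Application log (Level 2 = Error, 3 = Warning)
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'Microsoft-Windows-CertificationAuthority'
    Level = 2, 3; StartTime = (Get-Date).AddHours(-$EventLookbackHours) } -ErrorAction SilentlyContinue
$firstMsg = if ($events) { ($events | Select-Object -First 1).Message } else { '' }
Add-Result 'No CA errors/warnings' (-not $events) "$(@($events).Count) event(s) $firstMsg"

# 3) Enrollment interface reachable (certutil -ping, as in the article)
$ping = certutil -config $ConfigString -ping 2>&1 | Out-String
Add-Result 'certutil -ping' ($LASTEXITCODE -eq 0) $ping.Trim()

# 4) CDP/AIA reachability and revocation status of the certificate under test.
#    The CRL URL cache is cleared first so stale revocation data is not reused.
certutil -urlcache * delete | Out-Null
$verify = certutil -verify -urlfetch $CertPath 2>&1 | Out-String
# certutil prints one 'Verified "..."' or 'Failed "..."' line per fetched URL and reports
# CRYPT_E_REVOKED (0x80092010) for a revoked leaf; this is the wording observed on current
# Windows builds (an assumption of this script), so adjust the patterns if yours differs.
$failedUrls = @([regex]::Matches($verify, 'Failed "[^"]+"') | ForEach-Object { $_.Value })
Add-Result 'All CDP/AIA URLs fetched' ($failedUrls.Count -eq 0) ($failedUrls -join '; ')
$revoked = [bool]($verify -match 'CRYPT_E_REVOKED|is REVOKED')
$expected = if ($ExpectRevoked) { 'revoked' } else { 'not revoked' }
Add-Result "Revocation status is '$expected'" ($revoked -eq [bool]$ExpectRevoked) `
    $(if ($revoked) { 'reported as revoked' } else { 'reported as not revoked' })

$results | Format-Table -AutoSize -Wrap
if ($results.Passed -contains $false) { exit 1 }   # non-zero exit for use in automation
```

Run it from an elevated PowerShell session on the CA; a non-zero exit code means at least one step of the functional test failed and the Detail column shows the certutil output for that step.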
