Configure NAP Certification Authority

Applies To: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Health Registration Authority (HRA) must be configured with at least one certification authority (CA) from which to request health certificates on behalf of client computers. Certificates are requested when new clients connect to the network or when the health certificate validity period is about to expire on a compliant client computer. Certificates can also be removed and reissued to client computers if their health state changes while they are connected to the network. HRA will only request health certificates from the CA configured first in the order, unless that server is unavailable or has been identified as unresponsive.

Configure CAs

Use this procedure to configure CAs in HRA. CAs can be added or deleted, and their order can be modified. You can also specify the number of minutes to wait between requests before identifying a CA as unavailable. If you are using an enterprise CA, you can select the authenticated and anonymous certificate templates to use. If you are using a standalone CA with Network Access Control, you can enable client extended state information by enabling policy OIDs.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at https://go.microsoft.com/fwlink/?LinkId=83477.

Add a new CA

For optimal performance, a dedicated standalone subordinate CA should be used to issue health certificates. Fault tolerance is provided when you configure more than one CA in the HRA snap-in. Load balancing can be achieved by configuring an additional HRA with a different CA processing order. You can use the following procedure to configure CAs for use with HRA.

To add a new certification authority using the Windows interface

  1. Open the HRA console.

  2. In the console tree, right-click Certification Authority, and then click Add Certification Authority. The Add Certification Authority dialog box opens.

  3. Click Browse. The Select Certification Authority dialog box opens.

  4. Under CA, click the name of the CA that will be used to issue NAP health certificates, and then click OK twice.

  5. In the HRA console tree, click Certification Authority, and verify the name and order of configured CAs.

Note

You cannot browse to a CA from a workgroup environment.

Configure CA wait time

HRA will only attempt to obtain health certificates from the CA that is configured first in the processing order, unless that CA has been marked as unavailable. You can use the following procedure to change the number of minutes to wait before identifying a CA as unavailable.

To configure certification authority wait time using the Windows interface

  1. Open the HRA console.

  2. In the console tree, right-click Certification Authority, and then click Properties. The Certification Authorities Properties dialog box opens.

  3. Enter the number of minutes to wait between requests before identifying a CA as unavailable, and then click OK.

Configure health certificate validity period

The default validity period for health certificates is 4 hours. Clients will attempt to renew a health certificate 15 minutes prior to expiration or when a change in client health status occurs. You can use the following procedure to configure a custom validity period for health certificates.

To configure the validity time for health certificates approved by HRA using the Windows interface

  1. Open the HRA console.

  2. In the console tree, right-click Certification Authority, and then click Properties. The Certification Authorities Properties dialog box opens.

  3. Select the unit of time using the drop-down list. You can select Minutes, Hours, Days, or Weeks.

  4. After choosing a unit of time, enter the number of units desired, and then click OK.

  5. If you are using an enterprise CA, you must perform the following steps in order to override the validity period that is configured in your certificate templates.

    1. Click Start, right-click Command Prompt, and then click Run as administrator.

    2. In the command window, type Certutil.exe -setreg policy\EditFlags +EDITF_ATTRIBUTEENDDATE, and then press ENTER.

    3. In the command window, type net stop certsvc && net start certsvc, and then press ENTER.

    4. Verify that Active Directory® Certificate Services (AD CS) stops and starts successfully.

Important

The maximum health certificate validity period is determined by the CA validity period, which is set by default to 52 weeks. Use caution when configuring a validity period of less than 1 hour due to potential performance issues with the CA server. Do not use a validity period of 15 minutes or less.
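The enterprise-CA steps above can be audited and applied in one script. The following is an added example, not code from the original page or from Microsoft; it assumes it runs in an elevated session on the CA server, that certutil prints its English output format ("EditFlags REG_DWORD = ..."), and that the EDITF_ATTRIBUTEENDDATE bit has the value 0x20.

```powershell
# Added example (not from the original page): check whether the CA policy
# module already honours request-supplied end dates, enable the flag only
# if it is missing, restart AD CS and verify the result.
# Assumptions: elevated session on the CA server; English certutil output;
# EDITF_ATTRIBUTEENDDATE = 0x20 in policy\EditFlags.
#Requires -RunAsAdministrator

$flag = 0x20   # EDITF_ATTRIBUTEENDDATE bit (assumed value)

function Get-EditFlags {
    # certutil -getreg prints a line such as "  EditFlags REG_DWORD = 11014e (1114446)"
    $out = certutil -getreg policy\EditFlags 2>&1 | Out-String
    if ($out -match 'EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)') {
        return [Convert]::ToInt32($Matches[1], 16)
    }
    throw "Could not read policy\EditFlags from certutil output:`n$out"
}

$before = Get-EditFlags
if (($before -band $flag) -ne 0) {
    Write-Host ("EDITF_ATTRIBUTEENDDATE already set (EditFlags = 0x{0:x}); no restart needed" -f $before)
} else {
    Write-Host ("Setting EDITF_ATTRIBUTEENDDATE (current EditFlags = 0x{0:x})" -f $before)
    certutil -setreg policy\EditFlags +EDITF_ATTRIBUTEENDDATE | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed with exit code $LASTEXITCODE" }

    # The policy module re-reads EditFlags only when AD CS restarts.
    Restart-Service -Name certsvc -ErrorAction Stop
    $svc = Get-Service -Name certsvc
    if ($svc.Status -ne 'Running') { throw "certsvc is $($svc.Status) after restart" }

    $after = Get-EditFlags
    if (($after -band $flag) -eq 0) { throw "EditFlags still lacks EDITF_ATTRIBUTEENDDATE" }
    Write-Host ("Done: EditFlags = 0x{0:x}, certsvc is Running" -f $after)
}
```

Because the script skips the restart when the flag is already present, it is safe to re-run as a periodic configuration check on the CA.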

Choose CA type

Use the following procedure to configure the NAP certification authority type. It is important to choose a CA type that corresponds to the CA that you configured in the preceding procedure. If you are using an enterprise CA, you must configure templates before you perform this procedure.

To choose the certification authority type using the Windows interface

  1. Open the HRA console.

  2. In the console tree, right-click Certification Authority, and then click Properties. The Certification Authorities Properties dialog box opens.

  3. If you are using a standalone CA, choose Use standalone certification authority.

  4. Do not select the check box next to Enable PolicyOIDs unless you are using client extended state information for Network Access Control.

  5. If you are using an Active Directory-integrated enterprise CA, or you are using both enterprise and standalone CAs, choose Use enterprise certification authority, and then use the drop-down list to select an Authenticated compliant certificate template and Anonymous compliant certificate template from the list of available templates. If you did not choose to allow anonymous requests for health certificates during the installation of HRA, then configuring an anonymous template in this procedure does not enable anonymous certificate requests.

Configure order or delete CAs

Use the following procedure to modify the priority of CAs used by HRA, or to remove CAs from the HRA configuration. HRA will only request certificates from the first CA configured in the list, unless that CA has been marked as unavailable.

To configure the order or to delete certification authorities using the Windows interface

  1. Open the HRA console.

  2. In the console tree, click Certification Authorities .

  3. Right-click a CA name in the list of servers. Click Move Up to increase preference for this server in the order. Alternatively, click Move Down to decrease preference for this server in the order.

  4. To delete a CA from the list, right-click the CA name, and then click Delete.
