

Certificate Authority (Root and Issuing CA): Steps for Private Key usage Count


Key use counter increments

How far the key use counter increments depends on the type of CA (for example an offline root or an online issuing CA) and on the cryptographic operations the CA performs to service a certificate signature request (CSR). Each operation increments the key counter by a value between 0 and 3. The CA audit logs record the key use count whenever the CA is started or stopped.

Install Certificate Services with key use counting

To install Certificate Services with key use counting:

1. CAPolicy

If it is not already present in your system installation, create the file %SystemRoot%\capolicy.inf (where %SystemRoot% is the system environment variable for the Windows installation folder, by default C:\WINDOWS, so the file is C:\WINDOWS\capolicy.inf) with the following content:

[Version]
Signature="$Windows NT$"

[certsrv_server]
EnableKeyCounting=True

Note: You must create the capolicy.inf file before Certificate Services is installed, because the CA reads it only during installation.

2. Install the CA using the KSP

3. Enable auditing for the CA service

Run the command:

certutil -setreg ca\auditfilter 1

Then right-click the CA and click Properties. Click the Auditing tab and check the box for Start and Stop Active Directory Certificate Services.

4. Audit policy

Select Start > Administrative Tools > Local Security Policy.

Expand Local Policies and select Audit Policy.

In the right pane, double-click Audit Object Access and select Success and Failure.

Click Apply, then OK, and close the window.

5. Update the local security policies

Open a command prompt and run the command:

gpupdate.exe /force

6. Restart the CA service to pick up the changes

Run the commands:

net stop certsvc
net start certsvc

7. Run Eventvwr.exe

Select Windows Logs > Security.

Filter for event ID 4881 (CA startup event) or event ID 4880.

Verify that the CA startup event shows the PrivateKeyUsageCount property with a corresponding value, and make a note of this value.

8. Restart the Certificate Server

Run the commands:

net stop certsvc
net start certsvc

9. Verify that the event viewer contains a new CA startup event (event ID 4881).

Verify that the PrivateKeyUsageCount property value has not changed.
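The comparison in steps 7 and 9 can be scripted instead of read off the Event Viewer filter. The following is an added example, not part of the original article: it pulls the recent 4880/4881 Security events, extracts PrivateKeyUsageCount from each, and checks that the two most recent values match. It assumes it runs as an administrator on the CA host with auditing enabled as in steps 3 to 6, and that the property appears in the event message text in the form "PrivateKeyUsageCount ... <number>" (the regular expression is an assumption about that formatting).

```powershell
# Added example (not from the original article). Reads the CA start/stop audit
# events and extracts PrivateKeyUsageCount so the step 7 and step 9 values can be
# compared without reading them off the Event Viewer by hand.
# Assumptions: run elevated on the CA host; auditing enabled per steps 3-6;
# the property is present in the event's message text (regex below is an assumption).

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4880, 4881 } -MaxEvents 20 |
    Sort-Object TimeCreated

$rows = foreach ($e in $events) {
    $count = $null
    if ($e.Message -match 'PrivateKeyUsageCount[^\d]*(\d+)') {
        $count = [int]$Matches[1]
    }
    [pscustomobject]@{
        Time                 = $e.TimeCreated
        Id                   = $e.Id
        PrivateKeyUsageCount = $count
    }
}

# Show every start/stop event with its recorded counter value.
$rows | Format-Table -AutoSize

# After a plain stop/start (step 8) the two most recent values should be identical;
# a difference means the private key was used between those two events.
$values = @($rows | Where-Object { $null -ne $_.PrivateKeyUsageCount } | Select-Object -Last 2)
if ($values.Count -lt 2) {
    Write-Warning 'Fewer than two events carry PrivateKeyUsageCount; check that key counting and auditing are enabled.'
} elseif ($values[0].PrivateKeyUsageCount -eq $values[1].PrivateKeyUsageCount) {
    Write-Output ("OK: PrivateKeyUsageCount unchanged across restart ({0})." -f $values[1].PrivateKeyUsageCount)
} else {
    Write-Warning ("PrivateKeyUsageCount changed from {0} to {1}; the CA key was used between these events." -f
        $values[0].PrivateKeyUsageCount, $values[1].PrivateKeyUsageCount)
}
```

If the property is not found in the message text, inspect the event's Properties collection in Event Viewer's Details view to see where your CA version records it and adjust the regular expression.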