Set Up Active Directory Certificate Services

If you want to use Endpoint Cloud's Data Loss Prevention features, you must first set up Active Directory Certificate Services. These services allow:

  • Encryption certificates to be issued to devices
  • Encryption certificate information to be published to Active Directory Domain Services (AD DS)
  • A copy of the security certificates to be stored on the Certificate Authority (CA).

The Active Directory Domain Services should be set up and configured by a certified AD administrator.

To set up AD DS, follow the instructions in these two steps:

  1. Step 1: Set Up an Enterprise Root CA.
  2. Step 2: Set up Certificate Services to issue EFS.


Step 1: Set Up an Enterprise Root CA

An enterprise root CA is the anchor of trust for the basic lab setup. It will be used to issue certificates to the Online Responder and client computer, and to publish certificate information to Active Directory Domain Services (AD DS).


Enterprise CAs and Online Responders can only be installed on servers running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter.

To set up an enterprise root CA:

  1. Log on to your domain controller as a domain administrator.
  2. Click Start > Administrative Tools > Server Manager.
  3. In the Roles Summary section, click Add roles.
  4. On the Select Server Roles page, select the Active Directory Certificate Services check box.
  5. Click Next two times.
  6. On the Select Role Services page, select the Certification Authority check box, and then click Next.
  7. On the Specify Setup Type page, click Enterprise, and then click Next.
  8. On the Specify CA Type page, click Root CA, and then click Next.
  9. On the Set Up Private Key and Configure Cryptography for CA pages, you can configure optional configuration settings, including cryptographic service providers. However, for basic testing purposes, accept the default values by clicking Next twice.
  10. In the Common name for this CA box, type the common name of the CA, RootCA1, and then click Next.
  11. On the Set the Certificate Validity Period page, accept the default validity duration for the root CA, and then click Next.
  12. On the Configure Certificate Database page, accept the default values or specify other storage locations for the certificate database and the certificate database log, and then click Next.
  13. After verifying the information on the Confirm Installation Options page, click Install.
  14. Review the information on the confirmation screen to verify that the installation was successful.

Step 2: Set up Certificate Services to issue EFS

If you are going to use Endpoint Cloud's Data Loss Prevention feature, it is important that your Certificate Authority (CA) is set up to issue EFS certificates. If this is not setup properly, the certificates will be self-signed and will only exist on the user's computer and the Endpoint Cloud server. It is important that the certificates also exist on the CA for retrieval in an emergency.

  1. Make sure that there are no self-signed certificates on the user’s computer. (Start > Run > certmgr.msc).
  2. Go to your CA server, open Group Policy Management and edit the policy that applies to your domain.
  3. Browse to Public Key Policies.
  4. Right-click Encrypting File System and select Properties.
  5. Select Allow under File encryption using EFS.
  6. Select the Certificates tab.
  7. Deselect the option to Allow self-signed certificates.
  8. Do a ‘gpupdate /force’.
  9. Reboot the user computer.
  10. Now when you encrypt files on the user’s computer and go back to the Personal Certificates, you should see an EFS certificate that has been issued by your CA.