Archive for August, 2014
Windows 2012 R2 Certification Authority installation guide
This step-by-step guide explains how to install and configure a public key infrastructure based on:
- Windows 2012 R2 Server core – offline Root CA
- Windows 2012 R2 domain controller
- Windows 2012 R2 standard edition – Subordinate Enterprise CA server
Offline Root CA – OS installation phase
- Boot the server using Windows 2012 R2 bootable DVD.
- From the installation option, choose “Windows Server 2012 R2 Standard (Server Core Installation)” -> click Next.
- Accept the license agreement -> click Next.
- Choose “Custom: Install Windows Only (Advanced)” installation type -> specify the hard drive to install the operating system -> click Next.
- Allow the installation phase to continue and restart the server automatically.
- To log in to the server for the first time, press CTRL+ALT+DELETE.
- Choose “Administrator” account -> click OK to replace the account password -> specify a complex password and confirm it -> press Enter -> press OK.
- From the command prompt window, run the command below:
sconfig.cmd
- Press “2” to replace the computer name -> specify the new computer name -> click “Yes” to restart the server.
- To log in to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
- From the command prompt window, run the command below:
sconfig.cmd
- Press “5” to configure “Windows Update Settings” -> select “A” for automatic -> click OK.
- Press “6” to download and install Windows Updates -> choose “A” to search for all updates -> choose “A” to download and install all updates -> click “Yes” to restart the server.
- To log in to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
- From the command prompt window, run the command below:
sconfig.cmd
- In case you need to use RDP to access and manage the server, press “7” to enable “Remote Desktop” -> choose “E” to enable -> choose either “1” or “2” according to your client settings -> press OK.
- Press “8” to configure “Network settings” -> select the network adapter by its index number -> press “1” to configure the IP settings -> choose “S” for static IP address -> specify the IP address, subnet mask and default gateway -> press “2” to configure the DNS servers -> click OK -> press “4” to return to the main menu.
- Press “9” to configure “Date and Time” -> choose the correct “date/time” and “time zone” -> click OK.
- Press “11” to restart the server to make sure all settings take effect -> click “Yes” to restart the server.
- To log in to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
- From the command prompt window, run the command below:
powershell
- Run the commands below to enable remote management of the Root CA:
Enable-NetFirewallRule -DisplayGroup "Remote Service Management"
Note: The above command should be written in single line.
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
Offline Root CA – Certificate Authority server installation phase
- To log in to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
- From the command prompt window, run the command below:
powershell
- Run the command below to create the CA policy file:
notepad c:\windows\capolicy.inf
- Specify the following data inside the capolicy.inf file:
[Version]
Signature="$Windows NT$"
[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=1
[PolicyStatementExtension]
Policies=LegalPolicy
[LegalPolicy]
OID=1.2.3.4.1455.67.89.5
Notice="Legal Policy Statement"
URL=http://www/CertEnroll/cps.asp
- Run the commands below to install Certification Authority using PowerShell:
Import-Module ServerManager
Add-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Note: The above command should be written in single line.
- Run the command below to install the Root CA:
Install-AdcsCertificationAuthority -CAType StandaloneRootCA -KeyLength 4096 -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 20 -CACommonName <CA_Server_Name> -CryptoProviderName "RSA#Microsoft Software Key Storage Provider"
Note 1: The above command should be written in single line.
Note 2: Replace “CA_Server_Name” with the Root CA NetBIOS name.
- Run the command below to remove all default CRL Distribution Points (CDP):
$crllist = Get-CACrlDistributionPoint; foreach ($crl in $crllist) {Remove-CACrlDistributionPoint $crl.uri -Force};
Note: The above command should be written in single line.
- Run the commands below to configure the new CRL Distribution Points (CDP):
Add-CACRLDistributionPoint -Uri C:\Windows\System32\CertSrv\CertEnroll\%3%8.crl -PublishToServer -Force
Note: The above command should be written in single line.
Add-CACRLDistributionPoint -Uri http://www/CertEnroll/%3%8.crl -AddToCertificateCDP -Force
Note: The above command should be written in single line.
- Run the command below to remove all default Authority Information Access (AIA) entries:
$aialist = Get-CAAuthorityInformationAccess; foreach ($aia in $aialist) {Remove-CAAuthorityInformationAccess $aia.uri -Force};
Note: The above command should be written in single line.
- Run the command below to configure the new Authority Information Access (AIA) entry:
Add-CAAuthorityInformationAccess -AddToCertificateAia -uri http://www/CertEnroll/%1_%3.crt
Note: The above command should be written in single line.
- Run the commands below to configure the Root CA settings:
certutil.exe -setreg CA\CRLPeriodUnits 26
certutil.exe -setreg CA\CRLPeriod "Weeks"
certutil.exe -setreg CA\CRLDeltaPeriodUnits 0
certutil.exe -setreg CA\CRLDeltaPeriod "Days"
certutil.exe -setreg CA\CRLOverlapPeriodUnits 12
certutil.exe -setreg CA\CRLOverlapPeriod "Hours"
certutil.exe -setreg CA\ValidityPeriodUnits 20
certutil.exe -setreg CA\ValidityPeriod "Years"
certutil.exe -setreg CA\KeySize 4096
certutil.exe -setreg CA\AuditFilter 127
- Run the commands below from the command line to configure the Offline Root CA to publish to Active Directory:
certutil.exe -setreg ca\DSConfigDN "CN=Configuration, DC=mycompany,DC=com"
Note 1: The above command should be written in single line.
Note 2: Replace “DC=mycompany,DC=com” according to your domain name.
certutil.exe -setreg ca\DSDomainDN "DC=mycompany,DC=com"
Note: Replace “DC=mycompany,DC=com” according to your domain name.
- Run the command below to restart the CertSvc service:
Restart-Service certsvc
- Run the command below to publish new CRLs:
certutil.exe -CRL
Enterprise Subordinate CA – OS installation phase
Prerequisites:
- Active Directory (Forest functional level – Windows 2012 R2)
- Add an “A” record for the Root CA to the Active Directory DNS.
- Boot the server using Windows 2012 R2 bootable DVD.
- From the installation option, choose “Windows Server 2012 R2 Standard (Server with a GUI)” -> click Next.
- Accept the license agreement -> click Next.
- Choose “Custom: Install Windows Only (Advanced)” installation type -> specify the hard drive to install the operating system -> click Next.
- Allow the installation phase to continue and restart the server automatically.
- To log in to the server for the first time, press CTRL+ALT+DELETE.
- Choose “Administrator” account -> click OK to replace the account password -> specify a complex password and confirm it -> press Enter -> press OK.
- From the “Welcome to Server Manager”, click on “Configure this local server” -> replace the “Computer name” -> restart the server.
- From the “Welcome to Server Manager”, click on “Configure this local server” -> click on Ethernet -> right click on the network interface -> Properties -> configure a static IP address.
- Enable “Remote Desktop”.
- From the command prompt window, run the command below:
powershell
- Run the command below to enable remote management of the Subordinate CA:
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
Enterprise Subordinate CA – Certificate Authority server installation phase
Prerequisites:
- DNS CNAME record named “www” for the Enterprise Subordinate CA.
- Make sure the clocks of the Offline Root CA and the Subordinate CA are synced.
- To log in to the server, press CTRL+ALT+DELETE -> specify the credentials of an account that is a member of “Schema Admins”, “Enterprise Admins” and “Domain Admins”.
- Copy the files below from the Offline Root CA server to a temporary folder on the Subordinate CA:
C:\Windows\System32\CertSrv\CertEnroll\*.crt
C:\Windows\System32\CertSrv\CertEnroll\*.crl
- Run the command below to publish the Root CA in the Active Directory:
certutil.exe -dspublish -f "<CACertFileName.crt>" RootCA
Note: Replace “CACertFileName” with the actual CRT file.
- Run the commands below to add the Root CA certificate and CRL to the Subordinate CA certificate store:
certutil.exe -addstore -f root "<CACertFileName.crt>"
Note: Replace “CACertFileName” with the actual CRT and CRL files.
certutil.exe -addstore -f root "<CACertFileName.crl>"
- From the command prompt window, run the command below:
powershell
- Run the command below to create the CA policy file:
notepad c:\windows\capolicy.inf
- Specify the following data inside the capolicy.inf file:
[Version]
Signature="$Windows NT$"
[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=1
- Run the commands below to install Certification Authority using PowerShell:
Import-Module ServerManager
Add-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Note: The above command should be written in single line.
Add-WindowsFeature Web-Mgmt-Console
Add-WindowsFeature Adcs-Web-Enrollment
- Open Server Manager -> from the “Welcome to Server Manager”, click on the notification icon -> click on “Configure Active Directory Certificate Services on the destination server”.
- Specify credentials and click on Next.
- Select both “Certification Authority” and “Certification Authority Web Enrollment” roles and click on Next.
- Select “Enterprise CA” -> click on Next.
- Select “Subordinate CA” -> click on Next.
- Select “Create a new private key” -> click on Next.
- Cryptography:
Cryptographic service provider (CSP): RSA#Microsoft Software Key Storage Provider
Key length: 2048
Hash algorithm: SHA256
- CA Name:
Common name: specify here the subordinate server NetBIOS name
Distinguished name suffix: leave the default domain settings
- Select “Save a certificate request to file on the target machine” -> click Next.
- Specify the database location and click Next.
- Click on Configure -> wait until the process completes and click on Close.
Note: If asked, choose not to configure additional role services.
- Copy the request file (*.req) to the Offline Root CA.
- Log in to the Offline Root CA using an administrative account.
- Run the command below to submit the subordinate CA certificate request:
certreq -submit "<CACertFileName>.req"
Note: Replace “CACertFileName” with the actual request file.
- Run the command below to approve the subordinate CA request:
certutil -resubmit 2
Note: Replace “2” with the request ID.
- Run the command below to download the new certificate:
certreq -retrieve 2 "C:\<CACertFileName>.cer"
Note 1: Replace “CACertFileName” with the actual CER file.
Note 2: Replace “2” with the request ID.
- Log off the Root CA and power it off for up to 179 days (for CRL update).
- Return to the Subordinate CA.
- Copy the file “c:\<CACertFileName>.cer” from the Offline Root CA to the Subordinate CA.
Note: Replace “CACertFileName” with the actual CER file.
- Run the commands below to complete the Subordinate CA installation process:
powershell
Note: Replace “CACertFileName” with the actual CER file.
Certutil -installcert "<CACertFileName>.cer"
- Run the command below to start the CA service:
start-service certsvc
- Run the command below to remove all default CRL Distribution Points (CDP):
$crllist = Get-CACrlDistributionPoint; foreach ($crl in $crllist) {Remove-CACrlDistributionPoint $crl.uri -Force};
Note: The above command should be written in single line.
- Run the commands below to configure the new CRL Distribution Points (CDP):
Add-CACRLDistributionPoint -Uri C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl -PublishToServer -PublishDeltaToServer -Force
Note: The above command should be written in single line.
Add-CACRLDistributionPoint -Uri http://www/CertEnroll/%3%8%9.crl -AddToCertificateCDP -Force
Note: The above command should be written in single line.
Add-CACRLDistributionPoint -Uri file://\\<SubordinateCA_DNS_Name>\CertEnroll\%3%8%9.crl -PublishToServer -PublishDeltaToServer -Force
Note 1: The above command should be written in single line.
Note 2: Replace “<SubordinateCA_DNS_Name>” with the actual Subordinate CA DNS name.
- Run the command below to remove all default Authority Information Access (AIA) entries:
$aialist = Get-CAAuthorityInformationAccess; foreach ($aia in $aialist) {Remove-CAAuthorityInformationAccess $aia.uri -Force};
Note: The above command should be written in single line.
- Run the commands below to configure the new Authority Information Access (AIA) entries:
Add-CAAuthorityInformationAccess -AddToCertificateAia http://www/CertEnroll/%1_%3%4.crt -Force
Note: The above command should be written in single line.
Add-CAAuthorityInformationAccess -AddToCertificateAia "ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11"
Note: The above command should be written in single line.
Add-CAAuthorityInformationAccess -AddToCertificateOcsp http://www/ocsp -Force
Note: The above command should be written in single line.
- Run the commands below to configure the Subordinate CA settings:
Certutil -setreg CA\CRLPeriodUnits 2
Certutil -setreg CA\CRLPeriod "Weeks"
Certutil -setreg CA\CRLDeltaPeriodUnits 1
Certutil -setreg CA\CRLDeltaPeriod "Days"
Certutil -setreg CA\CRLOverlapPeriodUnits 12
Certutil -setreg CA\CRLOverlapPeriod "Hours"
Certutil -setreg CA\ValidityPeriodUnits 5
Certutil -setreg CA\ValidityPeriod "Years"
certutil -setreg CA\AuditFilter 127
certutil -setreg CA\EncryptionCSP\CNGEncryptionAlgorithm AES
certutil -setreg CA\EncryptionCSP\SymmetricKeySize 256
certutil -setreg CA\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
Note: The above command should be written in single line.
- Run the command below to restart the CertSvc service:
Restart-Service certsvc
- Run the command below to publish new CRLs:
certutil.exe -CRL
- Copy the files below from the Root CA to the Subordinate CA (same location):
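As an added check that is not part of the original guide, the PowerShell script below reads back what the certutil -setreg and Add-CA* commands configured (it applies equally to the Root CA settings earlier and to the Subordinate CA settings just applied) and flags the EDITF_ATTRIBUTESUBJECTALTNAME2 flag. It assumes it runs locally on the CA, in an elevated PowerShell session, with the ADCSAdministration module that the ADCS role installs.

```powershell
# Added post-configuration audit (not part of the original guide). Assumes it runs
# locally on the CA, elevated, with the ADCSAdministration module available.
# It only reads settings and changes nothing.
Import-Module ADCSAdministration

$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot -Name Active).Active   # name of the active CA
$caKey   = Join-Path $cfgRoot $caName
$ca      = Get-ItemProperty -Path $caKey

# Values written by "certutil -setreg CA\..." in the guide.
$rows = @(
    @{ Name = 'Base CRL period';      Value = "$($ca.CRLPeriodUnits) $($ca.CRLPeriod)" },
    @{ Name = 'Delta CRL period';     Value = "$($ca.CRLDeltaPeriodUnits) $($ca.CRLDeltaPeriod)" },
    @{ Name = 'CRL overlap';          Value = "$($ca.CRLOverlapPeriodUnits) $($ca.CRLOverlapPeriod)" },
    @{ Name = 'Issued cert validity'; Value = "$($ca.ValidityPeriodUnits) $($ca.ValidityPeriod)" },
    @{ Name = 'AuditFilter';          Value = $ca.AuditFilter }   # 127 = all seven CA audit categories
)
Write-Output "CA: $caName"
foreach ($r in $rows) { Write-Output ('{0,-22} {1}' -f $r.Name, $r.Value) }

# Where CRLs are published and which URLs end up inside issued certificates.
Write-Output '--- CRL Distribution Points ---'
Get-CACrlDistributionPoint | ForEach-Object {
    '{0}  publish={1} delta={2} inCert={3}' -f $_.Uri, $_.PublishToServer, $_.PublishDeltaToServer, $_.AddToCertificateCdp
}
Write-Output '--- Authority Information Access ---'
Get-CAAuthorityInformationAccess | ForEach-Object {
    '{0}  inCert={1} ocsp={2}' -f $_.Uri, $_.AddToCertificateAia, $_.AddToCertificateOcsp
}

# Policy-module flags set with "certutil -setreg policy\EditFlags ...".
# EDITF_ATTRIBUTESUBJECTALTNAME2 (0x40000) makes the CA honour a Subject Alternative
# Name passed as a request attribute on every template, so any enrollee could obtain a
# certificate naming a different principal. Report it so the decision is deliberate.
$policyKey = Join-Path $caKey 'PolicyModules\CertificateAuthority_MicrosoftDefault.Policy'
$editFlags = (Get-ItemProperty -Path $policyKey -Name EditFlags).EditFlags
$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000
Write-Output ('EditFlags: 0x{0:X}' -f $editFlags)
if ($editFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) {
    $msg = 'EDITF_ATTRIBUTESUBJECTALTNAME2 is set on {0}: requester-supplied SANs are accepted on all ' +
           'templates. Keep it only if a workflow requires it; otherwise clear it with ' +
           '"certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2" and restart certsvc.'
    Write-Warning ($msg -f $caName)
}
# certutil decodes every set flag by name, which avoids hard-coding the other constants.
certutil -v -getreg policy\EditFlags
```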
C:\Windows\System32\CertSrv\CertEnroll\*.crl
C:\Windows\System32\CertSrv\CertEnroll\*.crt
- Create a CPS (Certificate Practice Statement) and save it as “cps.asp” inside the Subordinate CA under the folder below:
C:\Windows\System32\CertSrv\CertEnroll
Note: For more information about the Certificate Practice Statement, see:
http://technet.microsoft.com/en-us/library/cc780454(v=ws.10).aspx
- Log in to a domain controller in the forest root domain with an account that is a member of Domain Admins and Enterprise Admins.
- Open Server Manager -> Tools -> Active Directory Users and Computers.
- From the left pane, expand the domain name -> choose an OU and create the following groups:
Group name: CA Admins
Group description/purpose: Manage CA server
Group name: CA Issuers
Group description/purpose: Issue certificates
- Log off the domain controller.
- Log in to the Subordinate CA using an administrative account that is also a member of the “CA Admins” group.
- Open Server Manager -> Tools -> Certification Authority.
- From the left pane, right click on the CA server name -> Properties -> Security tab -> Add -> add the “CA Admins” group -> grant the permissions “Issue and Manage Certificates” and “Manage CA” and remove all other permissions -> click on OK.
Note: As a best practice, it is recommended to remove the default permissions of “Domain Admins” and “Enterprise Admins”.
- From the left pane, expand the CA server name -> right click on Certificate Templates -> Manage -> from the main pane, right click on the “User” certificate template -> Duplicate Template -> General tab -> rename the template to “Custom User Certificate” -> Security tab -> click on Add -> add the “CA Issuers” group -> grant the permissions “Read”, “Enroll” and “Autoenroll” -> click on OK.
- From the main pane, right click on “Web Server” certificate -> Duplicate Template -> General tab -> rename the template to “Custom Web Server Certificate” -> Request Handling tab -> select “Allow private key to be exported” -> Security tab -> click on Add -> add the “CA Issuers” group -> grant the permission “Read” and “Enroll” -> remove the permissions for the built-in Administrator account -> click on OK.
Note: All computer accounts requesting the “Custom Web Server Certificate” certificate must be members of the “CA Issuers” group.
- From the main pane, right click on the “OCSP Response Signing” certificate template -> Duplicate Template -> General tab -> rename the template to “Custom OCSP Response Signing” -> Security tab -> add the Subordinate CA computer account -> grant “Read”, “Enroll” and “Autoenroll” -> click OK.
- From the main pane, right click on the “Web Server” certificate template -> Properties -> Security tab -> click on Add -> add the “CA Issuers” group -> grant the permissions “Read” and “Enroll” -> click OK.
- Close the Certificate Templates Console.
- From the Certification Authority console left pane, right click on Certificate Templates -> New -> Certificate Template to issue -> select the following certificate templates:
“Web Server”
“Custom User Certificate”
“Custom Web Server Certificate”
“Custom OCSP Response Signing”
- Click OK.
- Close the Certification Authority console.
- Open Server Manager -> Manage -> Add Roles and Features -> click Next 3 times -> expand “Active Directory Certificate Services” -> select “Online Responder” -> click on Add Features -> click Next twice -> click on Install -> click on Close.
- From the upper pane, click on the notification icon -> click on “Configure Active Directory Certificate Services on the destination server”.
- Specify credentials and click on Next.
- Select “Online Responder” -> click Next -> click on Configure -> click Close.
- From the left pane, right click on “Online Responder” -> Responder Properties -> Audit tab -> select “Changes to the Online Responder configuration”, “Changes to the Online Responder security settings” and “Requests submitted to the Online Responder” -> click OK -> close the “Online Responder Configuration” console.
- Open Server Manager -> Tools -> Local Security Policy -> from the left pane, expand “Advanced Audit Policies” -> expand “System Audit Policies – Local Group Policy Object” -> click on Object Access -> from the main pane, double click on “Audit Certification Services” -> select “Configure the following audit events” -> select both Success and Failure -> click OK -> close the Local Security policy console.
- Run from command line:
certutil -CRL
- Run from command line:
certutil -v -setreg policy\editflags +EDITF_ENABLEOCSPREVNOCHECK
Note: The above command should be written in single line.
- Run the commands below to restart the CertSvc service:
powershell
Restart-Service certsvc
- Open Server Manager -> Tools -> Online Responder Management.
- From the left pane, right click on “Revocation Configuration” -> Add revocation configuration -> click Next -> in the name field, specify “Custom Revocation Configuration” -> click Next -> select “Select a certificate for an Existing enterprise CA” -> click Next -> click Browse -> select the Subordinate CA -> click OK -> Automatically select a signing certificate -> click Next -> click Finish.
- Close the Online Responder Management console.
- Log in to a domain controller in the forest root domain with an account that is a member of Domain Admins and Enterprise Admins.
- Copy the files below from the Subordinate CA server to a temporary folder on the domain controller:
C:\Windows\System32\CertSrv\CertEnroll\*.crt
Note: Copy the newest files.
- Open Server Manager -> Tools -> Group Policy Management.
- From the left pane, expand the forest name -> expand Domains -> expand the relevant domain name -> right click on “Default domain policy” -> Edit.
- From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> expand “Public Key Policies” -> right click on “Trusted Root Certification Authorities” -> Import -> click Next -> click Browse to locate the CRT file from the Root CA server -> click Open -> click Next twice -> click Finish -> click OK.
- From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> expand “Public Key Policies” -> right click on “Intermediate Certification Authorities” -> Import -> click Next -> click Browse to locate the CRT file from the Subordinate CA server -> click Open -> click Next twice -> click Finish -> click OK.
- From the main pane, right click on the certificate name -> Properties -> OCSP tab -> inside the empty “Add URL” field, specify:
http://www/ocsp
Click on Add URL -> click OK.
- From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> click on “Public Key Policies” -> from the main pane, right click on “Certificate Services Client – Certificate Enrollment Policy” -> Properties -> change the “Configuration Model” to “Enabled” and click OK.
- From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> click on “Public Key Policies” -> from the main pane, right click on “Certificate Services Client – Auto-Enrollment” -> Properties -> change the “Configuration Model” to “Enabled” -> select “Renew expired certificates, update pending certificates, and remove revoked certificates” and “Update certificates that use certificate templates” -> click OK.
- From the left pane, under “Computer Configuration” -> expand Policies -> expand “Administrative Templates” -> expand “Windows Components” -> expand “Internet Explorer” -> expand “Internet Control Panel” -> expand “Security Page” -> double click on “Site to zone assignment list” -> click on “Enabled” -> under Options, click on “Show” -> inside “Value name”, specify the Subordinate CA DNS name -> inside “Value”, specify 2 -> click OK twice.
- Close the “Group Policy Management”.
- Log off the domain controller.
- Log in to the Subordinate CA using an administrative account.
- Open Server Manager -> Tools -> Internet Information Services (IIS) Manager.
- From the left pane, expand the server name -> expand Sites -> click on “Default Web Site” -> from the right pane, click on “Bindings” -> click on Add -> from the Type, select HTTPS -> under “SSL Certificate”, select the Subordinate CA certificate -> click OK -> click on Close.
- From the left pane, expand “Default Web Site” -> click on “CertSrv” -> from the main pane, double click on “Request Filtering” -> click Edit Feature Settings -> select “Allow Double Escaping” -> click OK.
- From the main pane, double click on “SSL Settings” -> select “Require SSL” -> click on Apply.
- Close the Internet Information Services (IIS) Manager console.
- Run PKIVIEW.msc to make sure the entire PKI structure is fully functional.
- Log off the Subordinate CA.