Windows 2012 R2 Certification Authority installation guide
This step-by-step guide explains how to install and configure a public key infrastructure based on:
- Windows 2012 R2 Server core – offline Root CA
- Windows 2012 R2 domain controller
- Windows 2012 R2 standard edition – Subordinate Enterprise CA server
Offline Root CA – OS installation phase
- Boot the server using Windows 2012 R2 bootable DVD.
- From the installation option, choose “Windows Server 2012 R2 Standard (Server Core Installation)” -> click Next.
- Accept the license agreement -> click Next.
- Choose “Custom: Install Windows Only (Advanced)” installation type -> specify the hard drive to install the operating system -> click Next.
- Allow the installation phase to continue and restart the server automatically.
- To login to the server for the first time, press CTRL+ALT+DELETE
- Choose “Administrator” account -> click OK to replace the account password -> specify complex password and confirm it -> press Enter -> Press OK.
- From the command prompt window, run the command below:
sconfig.cmd
- Press “2” to replace the computer name -> specify new computer name -> click “Yes” to restart the server.
- To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
- From the command prompt window, run the command below:
sconfig.cmd
- Press “5” to configure “Windows Update Settings” -> select “A” for automatic -> click OK.
- Press “6” to download and install Windows Updates -> choose “A” to search for all updates -> Choose “A” to download and install all updates -> click “Yes” to restart the server.
- To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
- From the command prompt window, run the command below:
sconfig.cmd
- In case you need to use RDP to access and manage the server, press “7” to enable “Remote Desktop” -> choose “E” to enable -> choose either “1” or “2” according to your client settings -> Press OK.
- Press “8” to configure “Network settings” -> select the network adapter by its Index number -> press “1” to configure the IP settings -> choose “S” for static IP address -> specify the IP address, subnet mask and default gateway -> press “2” to configure the DNS servers -> click OK -> press “4” to return to the main menu.
- Press “9” to configure “Date and Time” -> choose the correct “date/time” and “time zone” -> click OK
- Press “11” to restart the server to make sure all settings take effect -> click “Yes” to restart the server.
- To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
- From the command prompt window, run the command below:
powershell
- Run the commands below to allow remote management of the Root CA through the firewall:
Enable-NetFirewallRule -DisplayGroup "Remote Service Management"
Note: The above command should be written on a single line.
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
Offline Root CA – Certificate Authority server installation phase
- To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
- From the command prompt window, run the command below:
powershell
- Run the command below to create CA policy file:
notepad c:\windows\capolicy.inf
- Specify the following data inside the capolicy.inf file:
[Version]
Signature="$Windows NT$"
[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=1
[PolicyStatementExtension]
Policies=LegalPolicy
[LegalPolicy]
OID=1.2.3.4.1455.67.89.5
Notice="Legal Policy Statement"
URL=http://www/CertEnroll/cps.asp
- Run the commands below to install the Certification Authority role using PowerShell:
Import-Module ServerManager
Add-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Note: The above command should be written on a single line.
- Run the command below to install the Root CA:
Install-AdcsCertificationAuthority -CAType StandaloneRootCA -KeyLength 4096 -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 20 -CACommonName <CA_Server_Name> -CryptoProviderName "RSA#Microsoft Software Key Storage Provider"
Note 1: The above command should be written on a single line.
Note 2: Replace “CA_Server_Name” with the Root CA NetBIOS name.
- Run the command below to remove all default CRL Distribution Points (CDP):
$crllist = Get-CACrlDistributionPoint; foreach ($crl in $crllist) {Remove-CACrlDistributionPoint $crl.uri -Force};
Note: The above command should be written on a single line.
- Run the commands below to configure the new CRL Distribution Points (CDP):
Add-CACRLDistributionPoint -Uri C:\Windows\System32\CertSrv\CertEnroll\%3%8.crl -PublishToServer -Force
Note: The above command should be written on a single line.
Add-CACRLDistributionPoint -Uri http://www/CertEnroll/%3%8.crl -AddToCertificateCDP -Force
Note: The above command should be written on a single line.
- Run the command below to remove all default Authority Information Access (AIA) locations:
$aialist = Get-CAAuthorityInformationAccess; foreach ($aia in $aialist) {Remove-CAAuthorityInformationAccess $aia.uri -Force};
Note: The above command should be written on a single line.
- Run the command below to configure the new Authority Information Access (AIA) location:
Add-CAAuthorityInformationAccess -AddToCertificateAia -uri http://www/CertEnroll/%1_%3.crt
Note: The above command should be written on a single line.
- Run the commands below to configure the Root CA settings:
certutil.exe -setreg CA\CRLPeriodUnits 26
certutil.exe -setreg CA\CRLPeriod "Weeks"
certutil.exe -setreg CA\CRLDeltaPeriodUnits 0
certutil.exe -setreg CA\CRLDeltaPeriod "Days"
certutil.exe -setreg CA\CRLOverlapPeriodUnits 12
certutil.exe -setreg CA\CRLOverlapPeriod "Hours"
certutil.exe -setreg CA\ValidityPeriodUnits 20
certutil.exe -setreg CA\ValidityPeriod "Years"
certutil.exe -setreg CA\KeySize 4096
certutil.exe -setreg CA\AuditFilter 127
- Run the commands below from the command line to configure the Offline Root CA with the Active Directory naming contexts it will publish to:
certutil.exe -setreg ca\DSConfigDN "CN=Configuration,DC=mycompany,DC=com"
Note 1: The above command should be written on a single line.
Note 2: Replace “DC=mycompany,DC=com” according to your domain name.
certutil.exe -setreg ca\DSDomainDN "DC=mycompany,DC=com"
Note: Replace “DC=mycompany,DC=com” according to your domain name.
- Run the command below to restart the CertSvc service so the new settings take effect:
Restart-Service certsvc
- Run the command below to publish a new CRL:
certutil.exe -CRL
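The Root CA is about to be powered off, and the only thing that forces it back online is the CRL it has just published: once that CRL's NextUpdate passes, every client that validates a certificate issued by the Subordinate CA fails revocation checking. The script below is an added example (it is not part of the original guide) that reads the CRL settings written with certutil -setreg above and the ThisUpdate/NextUpdate of the published CRL, and reports how many days remain before a new CRL must be published. It assumes the CRL sits in the default CertEnroll folder under the CA's name, as the CDP configured above produces; run it in PowerShell on the Root CA before shutting it down, and again whenever it is powered on.

```powershell
# Added example, not from the original guide: report when the Offline Root CA must be
# powered on again to publish a new CRL. Run as Administrator on the Root CA.
$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfgKey -Name Active).Active
$ca     = Get-ItemProperty -Path (Join-Path $cfgKey $caName)

# Effective CRL lifetime = CRLPeriod + CRLOverlapPeriod (the overlap extends NextUpdate).
function Convert-ToTimeSpan([string]$Period, [int]$Units) {
    switch ($Period) {
        'Hours'  { New-TimeSpan -Hours $Units }
        'Days'   { New-TimeSpan -Days  $Units }
        'Weeks'  { New-TimeSpan -Days  (7 * $Units) }
        'Months' { New-TimeSpan -Days  (30 * $Units) }   # approximation, for reporting only
        'Years'  { New-TimeSpan -Days  (365 * $Units) }  # approximation, for reporting only
        default  { throw "Unknown period unit '$Period'" }
    }
}
$crlLife = (Convert-ToTimeSpan $ca.CRLPeriod $ca.CRLPeriodUnits) +
           (Convert-ToTimeSpan $ca.CRLOverlapPeriod $ca.CRLOverlapPeriodUnits)

# Read ThisUpdate / NextUpdate from the published base CRL via certutil -dump
# (no .NET CRL class exists on this platform). Assumption: file name = <CA name>.crl,
# which is what the %3%8.crl CDP above produces for a CA with no delta CRLs.
$crlFile = Join-Path $env:windir "System32\CertSrv\CertEnroll\$caName.crl"
if (-not (Test-Path $crlFile)) { throw "CRL not found at $crlFile; run certutil -CRL first" }
$dump = certutil.exe -dump $crlFile

function Get-CrlField([string[]]$DumpLines, [string]$Field) {
    $m = $DumpLines | Select-String -Pattern "^\s*$Field\s*:\s*(.+)$" | Select-Object -First 1
    if (-not $m) { throw "Field '$Field' not found in certutil -dump output" }
    Get-Date $m.Matches[0].Groups[1].Value   # same machine, same locale as certutil
}
$thisUpdate = Get-CrlField $dump 'ThisUpdate'
$nextUpdate = Get-CrlField $dump 'NextUpdate'
$remaining  = $nextUpdate - (Get-Date)

"CA name             : $caName"
"Configured lifetime : $($crlLife.Days) days (CRLPeriod + CRLOverlapPeriod)"
"CRL ThisUpdate      : $thisUpdate"
"CRL NextUpdate      : $nextUpdate"
"Days until expiry   : $([math]::Floor($remaining.TotalDays))"
if ($remaining.TotalDays -lt 7) {
    Write-Warning "Publish a new CRL now (certutil -CRL) and copy it to the web server; revocation checks fail after $nextUpdate."
}
```

With the settings above (26 weeks plus a 12-hour overlap) the script reports roughly 182 days; the guide's 179-day offline limit leaves a few days to power the server on, publish and copy the new CRL to the web server before the old one expires.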
Enterprise Subordinate CA – OS installation phase
Pre-requirements:
- Active Directory (Forest functional level – Windows 2012 R2)
- Add “A” record for the Root CA to the Active Directory DNS.
- Boot the server using Windows 2012 R2 bootable DVD.
- From the installation option, choose “Windows Server 2012 R2 Standard (Server with a GUI)” -> click Next.
- Accept the license agreement -> click Next.
- Choose “Custom: Install Windows Only (Advanced)” installation type -> specify the hard drive to install the operating system -> click Next.
- Allow the installation phase to continue and restart the server automatically.
- To login to the server for the first time, press CTRL+ALT+DELETE
- Choose “Administrator” account -> click OK to replace the account password -> specify complex password and confirm it -> press Enter -> Press OK.
- From the “Welcome to Server Manager”, click on “Configure this local server” -> replace the “Computer name” -> restart the server.
- From the “Welcome to Server Manager”, click on “Configure this local server” -> click on Ethernet -> right click on the network interface -> properties -> configure static IP address.
- Enable “Remote Desktop”
- From the command prompt window, run the command below:
powershell
- Run the command below to allow Remote Desktop through the firewall of the Subordinate CA:
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
Enterprise Subordinate CA – Certificate Authority server installation phase
Pre-requirements:
- DNS CNAME record named “www” for the Enterprise Subordinate CA.
- Make sure the clocks of the Offline Root CA and the Subordinate CA are synchronized.
- To login to the server, press CTRL+ALT+DELETE -> specify the credentials of account member of “Schema Admins”, “Enterprise Admins” and “Domain Admins”.
- Copy the files below from the Offline Root CA server to a temporary folder on the Subordinate CA:
C:\Windows\System32\CertSrv\CertEnroll\*.crt
C:\Windows\System32\CertSrv\CertEnroll\*.crl
- Run the command below to publish the Root CA certificate in Active Directory:
certutil.exe -dspublish -f "<CACertFileName.crt>" RootCA
Note: Replace “CACertFileName” with the actual CRT file.
- Run the commands below to add the Root CA certificate and its CRL to the Subordinate CA's trusted root store:
certutil.exe -addstore -f root "<CACertFileName.crt>"
certutil.exe -addstore -f root "<CACertFileName.crl>"
Note: Replace “CACertFileName” with the actual CRT and CRL file names.
- From the command prompt window, run the command below:
powershell
- Run the command below to create CA policy file:
notepad c:\windows\capolicy.inf
- Specify the following data inside the capolicy.inf file:
[Version]
Signature="$Windows NT$"
[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=1
- Run the commands below to install the Certification Authority role using PowerShell:
Import-Module ServerManager
Add-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Note: The above command should be written on a single line.
Add-WindowsFeature Web-Mgmt-Console
Add-WindowsFeature Adcs-Web-Enrollment
- Open Server Manager -> from the “Welcome to Server Manager” page, click on the notification icon -> click on “Configure Active Directory Certificate Services on the destination server”
- Specify credentials and click on Next.
- Select both “Certification Authority” and “Certification Authority Web Enrollment” roles and click on Next.
- Select “Enterprise CA” -> click on Next.
- Select “Subordinate CA” -> click on Next.
- Select “Create a new private key” -> click on Next.
- Cryptography:
Cryptographic service provider (CSP): RSA#Microsoft Software Key Storage Provider
Key length: 2048
Hash algorithm: SHA256
- CA Name:
Common name: specify here the subordinate server NetBIOS name
Distinguished name suffix: leave the default domain settings
- Select “Save a certificate request to file on the target machine” -> click Next.
- Specify the database location and click Next.
- Click on Configure -> wait until the process completes and click on Close.
Note: If asked, choose not to configure additional role services.
- Copy the request file (*.req) to the Offline Root CA.
- Login to the Offline Root CA using administrative account.
- Run the command below to submit the subordinate CA certificate request to the Root CA:
certreq -submit "<CACertFileName>.req"
Note: Replace “CACertFileName” with the actual request file. The command prints the request ID; on a standalone CA the request stays pending until it is approved.
- Run the command below to approve the pending request:
certutil -resubmit 2
Note: Replace “2” with the request ID.
- Run the command below to retrieve the issued certificate:
certreq -retrieve 2 "C:\<CACertFileName>.cer"
Note 1: Replace “CACertFileName” with the name of the CER file to create.
Note 2: Replace “2” with the request ID.
- Logoff the Root CA and power it off. Keep it offline for no more than 179 days: the Root CA CRL configured above is valid for 26 weeks, and the Root CA must be powered on again to publish a new CRL (certutil.exe -CRL) before the current one expires, otherwise revocation checking of the Subordinate CA certificate fails.
- Return to the Subordinate CA.
- Copy the file “c:\<CACertFileName>.cer” from the Offline Root CA to the Subordinate CA.
Note: Replace “CACertFileName” with the actual CER file.
- Run the commands below to complete the Subordinate CA installation process:
powershell
Certutil -installcert "<CACertFileName>.cer"
Note: Replace “CACertFileName” with the actual CER file.
- Run the command below to start the CA service:
start-service certsvc
- Run the command below to remove all default CRL Distribution Point (CDP):
$crllist = Get-CACrlDistributionPoint; foreach ($crl in $crllist) {Remove-CACrlDistributionPoint $crl.uri -Force};
Note: The above command should be written on a single line.
- Run the commands below to configure the new CRL Distribution Points (CDP):
Add-CACRLDistributionPoint -Uri C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl -PublishToServer -PublishDeltaToServer -Force
Note: The above command should be written in single line.
Add-CACRLDistributionPoint -Uri http://www/CertEnroll/%3%8%9.crl -AddToCertificateCDP -Force
Note: The above command should be written in single line.
Add-CACRLDistributionPoint -Uri file://\\<SubordinateCA_DNS_Name>\CertEnroll\%3%8%9.crl -PublishToServer -PublishDeltaToServer -Force
Note 1: The above command should be written in single line.
Note 2: Replace “<SubordinateCA_DNS_Name>” with the actual Subordinate CA DNS name.
- Run the command below to remove all default Authority Information Access (AIA) locations:
$aialist = Get-CAAuthorityInformationAccess; foreach ($aia in $aialist) {Remove-CAAuthorityInformationAccess $aia.uri -Force};
Note: The above command should be written on a single line.
- Run the commands below to configure the new Authority Information Access (AIA) locations:
Add-CAAuthorityInformationAccess -AddToCertificateAia http://www/CertEnroll/%1_%3%4.crt -Force
Note: The above command should be written in single line.
Add-CAAuthorityInformationAccess -AddToCertificateAia "ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11"
Note: The above command should be written in single line.
Add-CAAuthorityInformationAccess -AddToCertificateOcsp http://www/ocsp -Force
Note: The above command should be written on a single line.
- Run the commands below to configure the Subordinate CA settings:
Certutil -setreg CA\CRLPeriodUnits 2
Certutil -setreg CA\CRLPeriod "Weeks"
Certutil -setreg CA\CRLDeltaPeriodUnits 1
Certutil -setreg CA\CRLDeltaPeriod "Days"
Certutil -setreg CA\CRLOverlapPeriodUnits 12
Certutil -setreg CA\CRLOverlapPeriod "Hours"
Certutil -setreg CA\ValidityPeriodUnits 5
Certutil -setreg CA\ValidityPeriod "Years"
certutil -setreg CA\AuditFilter 127
certutil -setreg CA\EncryptionCSP\CNGEncryptionAlgorithm AES
certutil -setreg CA\EncryptionCSP\SymmetricKeySize 256
certutil -setreg CA\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
Note 1: The two commands above are separate commands; each should be written on a single line.
Note 2: EDITF_ATTRIBUTESUBJECTALTNAME2 makes the CA honour a Subject Alternative Name passed as a request attribute on every template it issues, so any enrollee can request a certificate that carries another account's name. Set it only if you need the SAN to come from the request, and keep the enrollment permissions on the published templates tight; otherwise leave the flag unset.
- Run the command below to restart the CertSvc service so the new settings take effect:
Restart-Service certsvc
- Run the command below to publish new CRLs:
certutil.exe -CRL
- Copy the files below from the Root CA to the Subordinate CA (same location):
C:\Windows\System32\CertSrv\CertEnroll\*.crl
C:\Windows\System32\CertSrv\CertEnroll\*.crt
- Create a CPS (Certificate Practice Statement) and save it as “cps.asp” on the Subordinate CA under the folder below:
C:\Windows\System32\CertSrv\CertEnroll
Note: For more information about Certificate Practice Statements, see:
http://technet.microsoft.com/en-us/library/cc780454(v=ws.10).aspx
- Login to a domain controller in the forest root domain, with an account that is a member of Domain Admins and Enterprise Admins.
- Open Server Manager -> Tools -> Active Directory Users and Computers.
- From the left pane, expand the domain name -> choose an OU and create the following groups:
Group name: CA Admins
Group description/purpose: Manage CA server
Group name: CA Issuers
Group description/purpose: Issue certificates
- Logoff the domain controller.
- Login to the Subordinate CA using administrative account, who is also member of the “CA Admins” group.
- Open Server Manager -> Tools -> Certification Authority.
- From the left pane, right click on the CA server name -> Properties -> Security tab -> Add -> add the “CA Admins” group -> grant the permissions “Issue and Manage Certificates” and “Manage CA” and remove all other permissions -> click on OK.
Note: As a best practice, it is recommended to remove the default permissions of “Domain Admins” and “Enterprise Admins”.
- From the left pane, expand the CA server name -> right click on Certificate Templates -> Manage -> from the main pane, right click on the “User” certificate template -> Duplicate Template -> General tab -> rename the template to “Custom User Certificate” -> Security tab -> click on Add -> add the “CA Issuers” group -> grant the permissions “Read”, “Enroll” and “Autoenroll” -> click on OK.
- From the main pane, right click on “Web Server” certificate -> Duplicate Template -> General tab -> rename the template to “Custom Web Server Certificate” -> Request Handling tab -> select “Allow private key to be exported” -> Security tab -> click on Add -> add the “CA Issuers” group -> grant the permission “Read” and “Enroll” -> remove the permissions for the built-in Administrator account -> click on OK.
Note: All computer accounts requesting the “Custom Web Server Certificate” certificate must be members of the “CA Issuers” group.
- From the main pane, right click on the “OCSP Response Signing” certificate template -> Duplicate Template -> General tab -> rename the template to “Custom OCSP Response Signing” -> Security tab -> add the subordinate CA computer account -> grant “Read”, “Enroll” and “Autoenroll” -> click OK.
- From the main pane, right click on “Web Server” certificate -> Properties -> Security tab -> click on Add -> add the “CA Issuers” group -> grant the permission “Read” and “Enroll” -> click OK
- Close the Certificate Templates Console.
- From the Certification Authority console left pane, right click on Certificate Templates -> New -> Certificate Template to issue -> select the following certificate templates:
“Web Server”
“Custom User Certificate”
“Custom Web Server Certificate”
“Custom OCSP Response Signing“
- Click OK.
- Close the Certification Authority console.
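The templates just published are what an enrollee can actually ask this CA for, so a practitioner wants a quick way to review them without clicking through every template. The script below is an added example (not part of the original guide) that lists the templates published on each enterprise CA in the forest together with the two settings that matter most in a review: whether the enrollee may supply the subject name in the request, and whether the private key is exportable (which the guide enables on “Custom Web Server Certificate”). It reads the Configuration partition through ADSI, so it runs on any domain member without the Active Directory PowerShell module; the flag values are the documented msPKI-Certificate-Name-Flag and msPKI-Private-Key-Flag bits.

```powershell
# Added example, not from the original guide: review the templates published on the
# enterprise CAs. Run as a domain user on any domain-joined machine.
$rootDse = [ADSI]'LDAP://RootDSE'
$configNC = $rootDse.configurationNamingContext

# Documented flag bits
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
$CT_FLAG_EXPORTABLE_KEY            = 0x00000010   # msPKI-Private-Key-Flag

function Get-PublishedTemplates {
    # Every pKIEnrollmentService object is a CA; certificateTemplates is its published list.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
    $searcher.Filter = '(objectClass=pKIEnrollmentService)'
    $null = $searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'certificateTemplates'))
    foreach ($ca in $searcher.FindAll()) {
        foreach ($t in $ca.Properties['certificatetemplates']) {
            [pscustomobject]@{ CA = $ca.Properties['cn'][0]; Template = $t }
        }
    }
}

function Get-TemplateInfo([string]$Name) {
    # Template objects are named by their (non-display) template name, e.g. WebServer.
    $tpl = [ADSI]"LDAP://CN=$Name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $nameFlag = [int]$tpl.Properties['msPKI-Certificate-Name-Flag'].Value
    $keyFlag  = [int]$tpl.Properties['msPKI-Private-Key-Flag'].Value
    [pscustomobject]@{
        Template           = $Name
        DisplayName        = [string]$tpl.Properties['displayName'].Value
        SubjectFromRequest = [bool]($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
        ExportableKey      = [bool]($keyFlag  -band $CT_FLAG_EXPORTABLE_KEY)
        EKUs               = (@($tpl.Properties['pKIExtendedKeyUsage']) -join ', ')
    }
}

$report = foreach ($p in Get-PublishedTemplates) {
    Get-TemplateInfo $p.Template | Add-Member -NotePropertyName CA -NotePropertyValue $p.CA -PassThru
}
$report | Format-Table CA, Template, DisplayName, SubjectFromRequest, ExportableKey, EKUs -AutoSize

# A template that lets the requester choose the subject and carries the Client
# Authentication EKU (1.3.6.1.5.5.7.3.2) can be used to enroll as another account,
# so its Enroll permission must be limited to the accounts that really need it.
$report | Where-Object { $_.SubjectFromRequest -and $_.EKUs -match '1\.3\.6\.1\.5\.5\.7\.3\.2' } |
    ForEach-Object { Write-Warning "Review the Enroll permission on '$($_.Template)' (subject supplied in request + Client Authentication EKU)" }
```

“Web Server” and the “Custom Web Server Certificate” duplicate are expected to show SubjectFromRequest as True (the requester types the server name), which is exactly why the guide restricts their Enroll permission to the “CA Issuers” group; the user and OCSP templates build the subject from Active Directory and should show False.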
- Open Server Manager -> Manage -> Add Roles and Features -> click Next 3 times -> expand “Active Directory Certificate Services” -> select “Online Responder” -> click on Add Features -> click Next twice -> click on Install -> click on Close
- From the upper pane, click on notification icon -> click on “Configure Active Directory Certificate Services on the destination server”
- Specify credentials and click on Next.
- Select “Online Responder” -> click Next -> click on Configure -> click Close.
- From the left pane, right click on “Online Responder” -> Responder Properties -> Audit tab -> select “Changes to the Online Responder configuration”, “Changes to the Online Responder security settings” and “Requests submitted to the Online Responder” -> click OK -> close the “Online Responder Configuration” console.
- Open Server Manager -> Tools -> Local Security Policy -> from the left pane, expand “Advanced Audit Policies” -> expand “System Audit Policies – Local Group Policy Object” -> click on Object Access -> from the main pane, double click on “Audit Certification Services” -> select “Configure the following audit events” -> select both Success and Failure -> click OK -> close the Local Security policy console.
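Setting AuditFilter to 127 and enabling the “Audit Certification Services” subcategory are two separate switches, and the CA writes nothing to the Security log unless both are on. The script below is an added example (not part of the original guide) that decodes the AuditFilter bitmask of the local CA, checks the audit policy with auditpol, and summarises the AD CS audit events of the last 24 hours by event ID. The bit meanings and event IDs are the documented ones for Certificate Services; run it as an administrator on the Subordinate CA after issuing a test certificate.

```powershell
# Added example, not from the original guide: verify that CA auditing is effective.
# Run as Administrator on the Subordinate CA.
$auditBits = [ordered]@{
    1  = 'Start and stop Certificate Services'
    2  = 'Back up and restore the CA database'
    4  = 'Issue and manage certificate requests'
    8  = 'Revoke certificates and publish CRLs'
    16 = 'Change CA configuration'
    32 = 'Change CA security settings'
    64 = 'Store and retrieve archived keys'
}
$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfgKey -Name Active).Active
$filter = (Get-ItemProperty -Path (Join-Path $cfgKey $caName) -Name AuditFilter).AuditFilter
"AuditFilter = $filter on $caName"
foreach ($bit in $auditBits.Keys) {
    $state = if ($filter -band $bit) { 'enabled ' } else { 'DISABLED' }
    "  [$state] $($auditBits[$bit])"
}

# The subcategory must be audited too; /r gives CSV output that ConvertFrom-Csv can read.
$pol = auditpol.exe /get /subcategory:"Certification Services" /r | Where-Object { $_ } | ConvertFrom-Csv
"Audit policy for 'Certification Services': $($pol.'Inclusion Setting')"
if ($pol.'Inclusion Setting' -notmatch 'Success and Failure') {
    Write-Warning 'Enable Success and Failure auditing for Certification Services, otherwise no CA events are logged.'
}

# Documented AD CS audit events in the Security log.
$ids = @{
    4882 = 'CA security permissions changed'
    4885 = 'Audit filter changed'
    4886 = 'Certificate request received'
    4887 = 'Certificate request approved and certificate issued'
    4888 = 'Certificate request denied'
    4889 = 'Certificate request set to pending'
    4890 = 'Certificate manager settings changed'
    4892 = 'CA property changed'
    4898 = 'Certificate template loaded'
}
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = [int[]]$ids.Keys; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning 'No CA audit events in the last 24 hours; issue a test certificate and run this again.'
}
$events | Group-Object Id | Sort-Object Name |
    ForEach-Object { [pscustomobject]@{ Id = $_.Name; Count = $_.Count; Meaning = $ids[[int]$_.Name] } } |
    Format-Table -AutoSize

# Issued and denied requests are the ones to read in detail; the first message line names the requester.
$events | Where-Object { $_.Id -in 4887, 4888 } |
    Select-Object -First 10 TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0].Trim() } }
```

Events 4882, 4885, 4890 and 4892 (permission, audit filter, certificate manager and property changes) are the ones worth forwarding to a SIEM with an alert: on a CA that is configured once and then left alone, each of them marks either an administrator's deliberate change or an attacker reconfiguring the CA.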
- Run from command line:
certutil -CRL
- Run from command line:
certutil -v -setreg policy\editflags +EDITF_ENABLEOCSPREVNOCHECK
Note: The above command should be written on a single line.
- Run the commands below to restart the CertSvc service:
powershell
Restart-Service certsvc
- Open Server Manager -> Tools -> Online Responder Management
- From the left pane, right click on “Revocation Configuration” -> Add revocation configuration -> click Next -> on the name field, specify “Custom Revocation Configuration” -> click Next -> select “Select a certificate for an Existing enterprise CA” -> click Next -> click Browse -> select the subordinate CA -> click OK -> Automatically select a signing certificate -> click Next -> click Finish
- Close the Online Responder Management console
- Login to a domain controller in the forest root domain, with account member of Domain Admins and Enterprise Admins.
- Copy the files below from the Subordinate CA server to a temporary folder on the domain controller:
C:\Windows\System32\CertSrv\CertEnroll\*.crt
Note: Copy the newest files.
- Open Server Manager -> Tools -> Group Policy Management.
- From the left pane, expand the forest name -> expand Domains -> expand the relevant domain name -> right click on “Default domain policy” -> Edit.
- From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> expand “Public Key Policies” -> right click on “Trusted Root Certification Authorities” -> Import -> click Next -> click Browse to locate the CRT file from the Root CA server -> click Open -> click Next twice -> click Finish -> click OK.
- From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> expand “Public Key Policies” -> right click on “Intermediate Certification Authorities” -> Import -> click Next -> click Browse to locate the CRT file from the Subordinate CA server -> click Open -> click Next twice -> click Finish -> click OK.
- From the main pane, right click on the certificate name -> Properties -> OCSP tab -> inside the empty “Add URL” field, specify:
http://www/ocsp
Click on Add URL -> Click OK.
- From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> click on “Public Key Policies” -> from the main pane, right click on “Certificate Services Client – Certificate Enrollment Policy” -> Properties -> change the “Configuration Model” to “Enabled” and click OK.
- From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> click on “Public Key Policies” -> from the main pane, right click on “Certificate Services Client – Auto-Enrollment” -> Properties -> change the “Configuration Model” to “Enabled” -> select “Renew expired certificates, update pending certificates, and remove revoked certificates” and “Update certificates that use certificate templates” -> click OK.
- From the left pane, under “Computer Configuration” -> expand Policies -> expand “Administrative Templates” -> expand “Windows Components” -> expand “Internet Explorer” -> expand “Internet Control Panel” -> expand “Security Page” -> double click on “Site to zone assignment list” -> click on “Enabled” -> under Options, click on “Show” -> inside “Value name”, specify the Subordinate CA DNS name -> inside “Value”, specify 2 -> click OK twice.
- Close the “Group Policy Management”.
- Logoff the domain controller.
- Login to the Subordinate CA using administrative account.
- Open Server Manager -> Tools -> Internet Information Services (IIS) Manager.
- From the left pane, expand the server name -> expand Sites -> click on “Default Web Site” -> from the right pane, click on “Bindings” -> click on Add -> from the Type, select HTTPS -> under “SSL Certificate”, select the Subordinate CA certificate -> click OK -> click on Close.
- From the left pane, expand “Default Web Site” -> click on “CertSrv” -> from the main pane, double click on “Request Filtering” -> click Edit Feature Settings -> select “Allow Double Escaping” -> click OK
- From the main pane, double click on “SSL Settings” -> select “Require SSL” -> click on Apply.
- Close the Internet Information Services (IIS) Manager console.
- Run PKIVIEW.msc to make sure the entire PKI structure is fully functional.
- Logoff the Subordinate CA.
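PKIView shows, per CA, whether every CDP, AIA and OCSP location it advertises is reachable and serves a valid object. The script below is an added example (not part of the original guide) that performs the same check from PowerShell so it can be scheduled or run from a client: it takes the Subordinate CA certificate from the local machine store, extracts the URLs from its CRL Distribution Points and Authority Information Access extensions, fetches every HTTP location and confirms the downloaded body parses as a CRL or certificate, and finally builds the chain with online revocation checking through certutil -verify -urlfetch. It assumes it runs on the Subordinate CA (where the CA certificate is in Cert:\LocalMachine\My) and that http://www resolves, as configured in the steps above.

```powershell
# Added example, not from the original guide: PKIView-style reachability check of the
# CDP/AIA/OCSP URLs in the Subordinate CA certificate. Run on the Subordinate CA.
function Get-CertUrls([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    foreach ($ext in $Cert.Extensions) {
        $text = $ext.Format($true)
        switch ($ext.Oid.Value) {
            '2.5.29.31' {            # CRL Distribution Points
                foreach ($m in [regex]::Matches($text, 'URL=(\S+)')) {
                    [pscustomobject]@{ Kind = 'CDP'; Url = $m.Groups[1].Value }
                }
            }
            '1.3.6.1.5.5.7.1.1' {    # Authority Information Access: CA Issuers and OCSP entries
                foreach ($seg in ($text -split 'Access Method=' | Select-Object -Skip 1)) {
                    $kind = if ($seg -match '1\.3\.6\.1\.5\.5\.7\.48\.1') { 'OCSP' } else { 'AIA' }
                    foreach ($m in [regex]::Matches($seg, 'URL=(\S+)')) {
                        [pscustomobject]@{ Kind = $kind; Url = $m.Groups[1].Value }
                    }
                }
            }
        }
    }
}

# The CA's own certificate: the newest one in the machine store with the CA basic constraint set.
$caCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] -and $_.CertificateAuthority }
} | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $caCert) { throw 'No CA certificate found in Cert:\LocalMachine\My' }
"Checking $($caCert.Subject)"

$results = foreach ($entry in Get-CertUrls $caCert) {
    if ($entry.Url -notmatch '^https?://') {
        [pscustomobject]@{ Kind = $entry.Kind; Url = $entry.Url; Status = 'skipped (not HTTP)' }
        continue
    }
    $status = try {
        if ($entry.Kind -eq 'OCSP') {
            # A responder expects a signed OCSP request; a plain request only proves the URL is served.
            $r = Invoke-WebRequest -UseBasicParsing -Uri $entry.Url -TimeoutSec 10
            "reachable (HTTP $($r.StatusCode))"
        } else {
            $tmp = [System.IO.Path]::GetTempFileName()
            Invoke-WebRequest -UseBasicParsing -Uri $entry.Url -OutFile $tmp -TimeoutSec 10
            $null = certutil.exe -dump $tmp        # non-zero exit: body is not a CRL/certificate
            Remove-Item $tmp -ErrorAction SilentlyContinue
            if ($LASTEXITCODE -eq 0) { 'OK' } else { 'downloaded, but not a valid CRL/certificate' }
        }
    } catch {
        # An HTTP error still means the server answered; a missing Response means it did not.
        if ($_.Exception.Response) { "reachable (HTTP $([int]$_.Exception.Response.StatusCode))" }
        else { "FAILED: $($_.Exception.Message)" }
    }
    [pscustomobject]@{ Kind = $entry.Kind; Url = $entry.Url; Status = $status }
}
$results | Format-Table -AutoSize

# Full chain build with online revocation checking, the same test PKIView performs.
$cerFile = Join-Path $env:TEMP 'subca-check.cer'
[System.IO.File]::WriteAllBytes($cerFile, $caCert.RawData)
$verify = certutil.exe -verify -urlfetch $cerFile
Remove-Item $cerFile -ErrorAction SilentlyContinue
if ($verify -match 'revocation check passed') { 'Chain and revocation check: OK' }
else { Write-Warning 'Chain or revocation check failed; inspect the certutil -verify -urlfetch output:'; $verify }
```

Run it once after the Root CA CRL has been copied to the web server and again after each Root CA CRL renewal; a FAILED CDP entry for the Root CA CRL is the symptom of leaving the Root CA offline past its CRL validity.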
Windows 2008 R2 Certification Authority installation guide
This step-by-step guide explains how to install and configure a public key infrastructure based on:
- Windows 2008 R2 Server core – offline Root CA
- Windows 2008 R2 domain controller
- Windows 2008 R2 enterprise edition – Subordinate Enterprise CA server
Offline Root CA – OS installation phase
- Boot the server using Windows 2008 R2 bootable DVD.
- Specify the product ID -> click Next.
- From the installation option, choose “Windows Server 2008 R2 (Server Core Installation)” -> click Next.
- Accept the license agreement -> click Next.
- Choose “Custom (Advanced)” installation type -> specify the hard drive to install the operating system -> click Next.
- Allow the installation phase to continue and restart the server automatically.
- To login to the server for the first time, press CTRL+ALT+DELETE
- Choose “Administrator” account -> click OK to replace the account password -> specify complex password and confirm it -> press Enter -> Press OK.
- From the command prompt window, run the command below:
sconfig.cmd
- Press “2” to replace the computer name -> specify new computer name -> click “Yes” to restart the server.
- To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
- From the command prompt window, run the command below:
sconfig.cmd
- Press “5” to configure “Windows Update Settings” -> select “A” for automatic -> click OK.
- Press “6” to download and install Windows Updates -> choose “A” to search for all updates -> Choose “A” to download and install all updates -> click “Yes” to restart the server.
- To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
- From the command prompt window, run the command below:
sconfig.cmd
- In case you need to use RDP to access and manage the server, press “7” to enable “Remote Desktop” -> choose “E” to enable -> choose either “1” or “2” according to your client settings -> Press OK.
- Press “8” to configure “Network settings” -> select the network adapter by its Index number -> press “1” to configure the IP settings -> choose “S” for static IP address -> specify the IP address, subnet mask and default gateway -> press “2” to configure the DNS servers -> click OK -> press “4” to return to the main menu.
- Press “9” to configure “Date and Time” -> choose the correct “date/time” and “time zone” -> click OK
- Press “11” to restart the server to make sure all settings take effect -> click “Yes” to restart the server.
Offline Root CA – Certificate Authority server installation phase
- To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
- Install Certificate services:
start /w ocsetup.exe CertificateServices /norestart /quiet
- To check that the installation completed, run the command:
oclist | find /i "CertificateServices"
- Download the file “setupca.vbs” from:
http://blogs.technet.com/b/pki/archive/2009/09/18/automated-ca-installs-using-vb-script-on-windows-server-2008-and-2008r2.aspx
To:
C:\Windows\system32
- Run the command below to configure the Root CA:
Cscript /nologo C:\Windows\System32\setupca.vbs /is /sn <ca_server_name> /sk 4096 /sp "RSA#Microsoft Software Key Storage Provider" /sa SHA256
Note: The above command should be written on a single line; replace “<ca_server_name>” with the Root CA NetBIOS name.
- To verify that the installation completed successfully, open the file “_SetupCA.log” in the current working directory with Notepad, and make sure the last line is:
Install complete! Passed
- Run the command below to enable remote management of the Root CA:
netsh advfirewall firewall set rule group="Remote Service Management" new enable=yes
- Run the command below to stop the CertSvc service:
Net stop CertSvc
- Run the command below to change the validity period of newly issued certificates:
reg add HKLM\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\<rootca_netbios_name> /v ValidityPeriodUnits /t REG_DWORD /d 5 /f
Note: The command above should be written on a single line; replace “<rootca_netbios_name>” with the Root CA name.
- Run the command below to start the CertSvc service:
Net start CertSvc
Enterprise Subordinate CA – OS installation phase
Pre-requirements:
- Active Directory (Forest functional level – Windows 2008 R2)
- Add “A” record for the Root CA to the Active Directory DNS.
- Boot the server using Windows 2008 R2 Enterprise Edition bootable DVD.
- Specify the product ID -> click Next.
- From the installation option, choose “Windows Server 2008 R2 Enterprise Edition Full installation” -> click Next.
- Accept the license agreement -> click Next.
- Choose “Custom (Advanced)” installation type -> specify the hard drive to install the operating system -> click Next.
- Allow the installation phase to continue and restart the server automatically.
- To login to the server for the first time, press CTRL+ALT+DELETE
- Choose “Administrator” account -> click OK to replace the account password -> specify complex password and confirm it -> press Enter -> Press OK.
- From the “Initial Configuration Tasks” window, configure the following settings:
- Set time zone
- Configure networking – specify static IP address, netmask, gateway, DNS
- Provide computer name and domain – add the server to the domain
- Enable Remote Desktop
- In order to be able to remotely manage the Root CA, run the command below to store its administrator credentials:
cmdkey /add:<RootCA_Hostname> /user:Administrator /pass:<RootCA_Admin_Password>
Enterprise Subordinate CA – Certificate Authority server installation phase
Pre-requirements:
- DNS CNAME record named “wwwca” for the Enterprise Subordinate CA.
- To login to the server, press CTRL+ALT+DELETE -> specify the credentials of account member of “Schema Admins”, “Enterprise Admins” and “Domain Admins”.
- Start -> Administrative Tools -> Server Manager.
- From the left pane, right click on Roles -> Add Roles -> Next -> select “Web Server (IIS)” -> click Next twice -> select the following role services:
- Web Server
- Common HTTP Features
- Static Content
- Default Document
- Directory Browsing
- HTTP Errors
- HTTP Redirection
- Application Development
- .NET Extensibility
- ASP
- ISAPI Extensions
- Health and Diagnostics
- HTTP Logging
- Logging Tools
- Tracing
- Request Monitor
- Security
- Windows Authentication
- Client Certificate Mapping Authentication
- IIS Client Certificate Mapping Authentication
- Request Filtering
- Performance
- Static Content Compression
- Management Tools
- IIS Management Console
- IIS Management Scripts and Tools
- IIS 6 Management Compatibility
- IIS 6 Metabase Compatibility
- Click Next -> click Install -> click Close.
- From the left pane, right click on Features -> Add Features -> Next -> expand “Windows Process Activation Service” -> select “.NET Environment” and “Configuration APIs” -> select the feature “.NET Framework 3.5.1 Features” -> click Next -> click Install -> click Close.
- From the left pane, right click on Roles -> Add Roles -> Next -> select “Active Directory Certificate Services” -> click Next twice -> select the following role services:
- Certification Authority
- Certification Authority Web Enrollment
- Certificate Enrollment Policy Web Service
- Click Next.
- Configure the following settings:
- Specify Setup Type: Enterprise
- CA Type: Subordinate CA
- Private Key: Create a new private key
- Cryptography:
Cryptographic service provider (CSP): RSA#Microsoft Software Key Storage Provider
Key length: 2048
Hash algorithm: SHA256
- CA Name:
Common name: specify here the subordinate server NetBIOS name
Distinguished name suffix: leave the default domain settings
- Certificate Request: Save a certificate request to file and manually send it later
- Certificate Database: leave the default settings
- Authentication Type: Windows Integrated Authentication
- Server Authentication Certificate: Choose and assign a certificate for SSL later
- Click Next twice -> click Install -> click Close.
- Close the Server Manager.
- Start -> Administrative Tools -> Certification Authority
- From the left pane, right click on “Certification Authority (Local)” -> “Retarget Certification Authority” -> choose “Another computer” -> specify the RootCA hostname -> click Finish.
- Right click on the RootCA server name -> Properties -> -> Extensions tab -> extension type: CRL Distribution Point (CDP):
- Uncheck “Publish Delta CRLs to this location”.
- Mark the line begins with “LDAP”, and click remove.
- Mark the line begins with “HTTP”, and click remove.
- Mark the line begins with “file”, and click remove.
- Click on Add -> on the location, put:
http://wwwca/CertEnroll/<RootCA_Server_Name>.crl
- Click on the line that begins with “HTTP”, and make sure the only option checked is: “Include in CDP extension of issued certificates”.
- Click on the line that begins with “C:\Windows”, and make sure the only option checked is: “Publish CRLs to this location”
- Extensions tab -> extension type: Authority Information Access (AIA):
- Mark the line that begins with “LDAP”, and click Remove.
- Mark the line that begins with “HTTP”, and click Remove.
- Mark the line that begins with “file”, and click Remove.
- Click on Add -> in the location field, put:
http://wwwca/CertEnroll/<RootCA_Server_Name>.crt
- Click OK and allow the CA server to restart its services.
- From the “Certification Authority” left pane, right click on “Revoked certificates” -> Properties:
- CRL publication interval: 180 days
- Make sure “Publish Delta CRLs” is not checked
- Click OK
- Right click on the CA name -> All tasks -> Stop service
- Right click on the CA name -> All tasks -> Start service
- Run the commands below from the command line to configure the Offline Root CA to publish to Active Directory:
certutil.exe -setreg ca\DSConfigDN "CN=Configuration,DC=mycompany,DC=com"
certutil.exe -setreg ca\DSDomainDN "DC=mycompany,DC=com"
Note: Replace “DC=mycompany,DC=com” according to your domain name.
- From the “Certification Authority” left pane, right click on “Revoked certificates” -> All tasks -> Publish -> click OK.
- Close the “Certification Authority” snap-in and logoff the subordinate CA server.
- Login to a domain controller in the forest root domain, with an account that is a member of Domain Admins and Enterprise Admins.
- Copy the file below from the Offline Root CA server to a temporary folder on the domain controller:
C:\Windows\System32\CertSrv\CertEnroll\*.crt
- Start -> Administrative Tools -> Group Policy Management.
- From the left pane, expand the forest name -> expand Domains -> expand the relevant domain name -> right click on “Default domain policy” -> Edit.
- From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> expand “Public Key Policies” -> right click on “Trusted Root Certification Authorities” -> Import -> click Next -> click Browse to locate the CRT file from the Root CA -> click Open -> click Next twice -> click Finish -> click OK.
- Logoff the domain controller.
- Return to the subordinate enterprise CA server.
- Start -> Administrative Tools -> Certification Authority.
- From the left pane, right click on “Certification Authority (Local)” -> “Retarget Certification Authority” -> choose “Another computer” -> specify the RootCA hostname -> click Finish.
- Right click on the RootCA server name -> All Tasks -> Submit new request -> locate the subordinate CA request file (.req) -> Open.
- Expand the RootCA server name -> right click on “Pending Requests” -> locate the subordinate CA request ID according to the date -> right click on the request -> All Tasks -> Issue.
- From the left pane, click on “Issued Certificates” -> locate the subordinate CA request ID -> right click on the request -> All Tasks -> “Export Binary Data” -> choose “Binary Certificate” -> click “Save binary data to a file” -> click OK -> specify the location and the file name:
<subordinate_ca_server_name_signed_certificate>.p7b -> click Save.
- Run the command below from the command line to avoid offline CRL errors:
Certutil.exe -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
- From the left pane, right click on “Certification Authority” -> “Retarget Certification Authority” -> choose “Local computer” -> click Finish.
- Right click on the subordinate CA server name -> All Tasks -> “Install CA Certificate” -> locate the file
<Subordinate_CA_Server_Name_Signed_Certificate>.p7b -> click Open.
- Right click on the subordinate CA server name -> All Tasks -> Start Service.
- Right click on the subordinate CA server name -> Properties -> Extensions tab -> extension type: CRL Distribution Point (CDP):
- Mark the line that begins with “HTTP” -> click Remove -> click Yes.
- Mark the line that begins with “file” -> click Remove -> click Yes.
- Click on Add -> in the location field, put:
http://wwwca/CertEnroll/<subordinate_CA_Server_Name>.crl
- Click on the line that begins with “HTTP”, and make sure the following options are checked: “Include in CRLs” and “Include in the CDP extension of issued certificates”.
- Extensions tab -> extension type: Authority Information Access (AIA):
- Mark the line that begins with “HTTP” -> click Remove -> click Yes.
- Mark the line that begins with “file” -> click Remove -> click Yes.
- Click on Add -> in the location field, put:
http://wwwca/CertEnroll/<SubordinateCA_FQDN>_<Subordinate_NetBIOS_Name>.crt
- Click on the line that begins with “HTTP”, and make sure the following option is checked: “Include in the AIA extension of issued certificates”.
Example: http://wwwca/CertEnroll/MyCA.mydomain.com_MyCA.crt
- Click OK and allow the CA server to restart its services.
- From the “Certification Authority” left pane, right click on “Revoked certificates” -> All tasks -> Publish -> click OK.
- Close the “Certification Authority” snap-in.
- Copy the files below from the Root CA to the subordinate CA (same location):
C:\Windows\System32\CertSrv\CertEnroll\*.crl
C:\Windows\System32\CertSrv\CertEnroll\*.crt
- Logoff the subordinate CA server.
- Login to a domain controller in the forest root domain, with an account that is a member of Domain Admins and Enterprise Admins.
- Copy the file below from the subordinate CA server to a temporary folder on the domain controller (copy the newest file):
C:\Windows\System32\CertSrv\CertEnroll\*.crt
- Start -> Administrative Tools -> Group Policy Management.
- From the left pane, expand the forest name -> expand Domains -> expand the relevant domain name -> right click on “Default domain policy” -> Edit.
- From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> expand “Public Key Policies” -> right click on “Intermediate Certification Authorities” -> Import -> click Next -> click Browse to locate the CRT file from the subordinate CA server -> click Open -> click Next twice -> click Finish -> click OK.
- Logoff the domain controller.
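The CDP/AIA extension, CRL period and publishing settings above (for the offline Root CA as well as the subordinate CA) can also be applied from the command line. The script below is an added example, not part of the original guide; it assumes the HTTP host name wwwca and the default CertEnroll folder used in the guide, and it is run locally on the CA being configured rather than through the retargeted snap-in.

```powershell
# Added example (not from the original guide): applies the CDP/AIA, CRL-period
# and publishing settings that the snap-in steps set, via certutil -setreg.
# Assumed: HTTP host "wwwca" and the default CertEnroll folder as in the guide;
# run from an elevated PowerShell prompt on the CA being configured.
param(
    [ValidateSet("Root", "Subordinate")] [string]$Role = "Subordinate",
    [string]$HttpHost = "wwwca",
    [string]$DomainDN = "DC=mycompany,DC=com"   # root only: replace with your domain
)

function Invoke-CertUtil {
    # run certutil and stop on the first error so no half-applied policy is left behind
    param([string[]]$Arguments)
    & certutil.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil $($Arguments -join ' ') failed ($LASTEXITCODE)" }
}

# certutil tokens: %1 server DNS name, %3 CA name, %4 cert renewal suffix,
# %8 CRL name suffix, %9 "+" for delta CRLs. Location flags: 1 = publish to this
# location, 2 = include in the CDP/AIA extension of issued certs, 4 = include in CRLs.
$local = "C:\Windows\System32\CertSrv\CertEnroll"
$httpFlags = if ($Role -eq "Root") { 2 } else { 6 }   # root: CDP only; subordinate: CDP + CRLs
$cdp = "1:$local\%3%8%9.crl\n${httpFlags}:http://$HttpHost/CertEnroll/%3%8%9.crl"
$aia = "1:$local\%1_%3%4.crt\n2:http://$HttpHost/CertEnroll/%1_%3%4.crt"
Invoke-CertUtil @("-setreg", "CA\CRLPublicationURLs", $cdp)     # \n separates the entries
Invoke-CertUtil @("-setreg", "CA\CACertPublicationURLs", $aia)

if ($Role -eq "Root") {
    # 180-day base CRL and no delta CRLs: an offline root publishes rarely
    Invoke-CertUtil @("-setreg", "CA\CRLPeriodUnits", "180")
    Invoke-CertUtil @("-setreg", "CA\CRLPeriod", "Days")
    Invoke-CertUtil @("-setreg", "CA\CRLDeltaPeriodUnits", "0")
    # let the non-domain-joined root write AD-style DNs into what it publishes
    Invoke-CertUtil @("-setreg", "CA\DSConfigDN", "CN=Configuration,$DomainDN")
    Invoke-CertUtil @("-setreg", "CA\DSDomainDN", $DomainDN)
} else {
    # keep the subordinate usable while the root's CRL is temporarily unreachable
    Invoke-CertUtil @("-setreg", "CA\CRLFlags", "+CRLF_REVCHECK_IGNORE_OFFLINE")
}

Restart-Service -Name CertSvc      # the CA reads these registry values at service start
Invoke-CertUtil @("-CRL")          # publish a fresh CRL to every location with flag 1
certutil.exe -getreg CA\CRLPublicationURLs   # show what is in effect for review
```

The HTTP entries carry no "publish" flag, so the CRL and CA certificate still have to be copied to the web server by hand, exactly as the guide's copy steps describe.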
Hardening guide for IIS 7.5 on Windows 2008 R2 server core platform
OS installation phase
- Boot the server using Windows 2008 R2 bootable DVD.
- Specify the product ID -> click Next.
- From the installation option, choose “Windows Server 2008 R2 (Server Core Installation)” -> click Next.
- Accept the license agreement -> click Next.
- Choose “Custom (Advanced)” installation type -> specify the hard drive to install the operating system -> click Next.
- Allow the installation phase to continue and restart the server automatically.
- To login to the server for the first time, press CTRL+ALT+DELETE
- Choose “Administrator” account -> click OK to replace the account password -> specify complex password and confirm it -> press Enter -> Press OK.
- From the command prompt window, run the command below:
sconfig.cmd
- Press “2” to replace the computer name -> specify new computer name -> click “Yes” to restart the server.
- To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
- From the command prompt window, run the command below:
sconfig.cmd
- Press “5” to configure “Windows Update Settings” -> select “A” for automatic -> click OK.
- Press “6” to download and install Windows Updates -> choose “A” to search for all updates -> Choose “A” to download and install all updates -> click “Yes” to restart the server.
- To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
- From the command prompt window, run the command below:
sconfig.cmd
- In case you need to use RDP to access and manage the server, press “7” to enable “Remote Desktop” -> choose “E” to enable -> choose either “1” or “2” according to your client settings -> Press OK.
- Press “8” to configure “Network settings” -> select the network adapter by its Index number -> press “1” to configure the IP settings -> choose “S” for static IP address -> specify the IP address, subnet mask and default gateway -> press “2” to configure the DNS servers -> click OK -> press “4” to return to the main menu.
- Press “9” to configure “Date and Time” -> choose the correct “date/time” and “time zone” -> click OK
- Press “11” to restart the server to make sure all settings take effect -> click “Yes” to restart the server.
Web server installation phase
- To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
- For a minimal installation of IIS 7.5 features, run the command below from the command prompt:
start /w pkgmgr /l:log.etw /iu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI
- For a full installation of IIS 7.5 (not recommended on production environments), run the command below from the command prompt:
start /w PKGMGR.EXE /l:log.etw /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASP;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-CustomLogging;IIS-ODBCLogging;IIS-Security;IIS-BasicAuthentication;IIS-WindowsAuthentication;IIS-DigestAuthentication;IIS-ClientCertificateMappingAuthentication;IIS-IISCertificateMappingAuthentication;IIS-URLAuthorization;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementScriptingTools;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;WAS-WindowsActivationService;WAS-ProcessModel;IIS-FTPServer;IIS-FTPSvc;IIS-FTPExtensibility;IIS-WebDAV;IIS-ASPNET;IIS-NetFxExtensibility;WAS-NetFxEnvironment;WAS-ConfigurationAPI;IIS-ManagementService;MicrosoftWindowsPowerShell
- For a full installation of IIS 7.5, including the .NET Framework (not recommended on production environments), run the command below from the command prompt:
start /w PKGMGR.EXE /l:log.etw /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASP;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-CustomLogging;IIS-ODBCLogging;IIS-Security;IIS-BasicAuthentication;IIS-WindowsAuthentication;IIS-DigestAuthentication;IIS-ClientCertificateMappingAuthentication;IIS-IISCertificateMappingAuthentication;IIS-URLAuthorization;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementScriptingTools;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;WAS-WindowsActivationService;WAS-ProcessModel;IIS-FTPServer;IIS-FTPSvc;IIS-FTPExtensibility;IIS-WebDAV;IIS-ASPNET;IIS-NetFxExtensibility;WAS-NetFxEnvironment;WAS-ConfigurationAPI;IIS-ManagementService;MicrosoftWindowsPowerShell;NetFx2-ServerCore;NetFx2-ServerCore-WOW64
- Create a new folder for the WWW content, on a different partition than the operating system, for example:
md D:\WWW
- Copy the content of the web site to the newly created folder.
- Use the Cacls.exe command to configure the required NTFS permissions for the new WWW folder (according to the principle of least privilege).
- Run the command below to configure the IIS metadata to use the new folder:
%windir%\system32\inetsrv\appcmd set vdir "Default Web Site/" -physicalPath:D:\WWW
- Create a new folder for the LogFiles content, on a different partition than the operating system, for example:
md D:\LogFiles
- Use the Cacls.exe command to configure the required NTFS permissions for the new LogFiles folder (according to the principle of least privilege).
- Run the commands below to configure the IIS metadata to use the new folder:
%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/sites -siteDefaults.logfile.directory:"D:\LogFiles"
%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/log -centralBinaryLogFile.directory:"D:\LogFiles"
%windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/log -centralW3CLogFile.directory:"D:\LogFiles"
- Run the command below to configure the newly created WWW folder for service packs and other installers:
reg add HKLM\Software\Microsoft\inetstp /v PathWWWRoot /t REG_SZ /d D:\WWW
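The folder relocation, NTFS permission and appcmd steps above can be carried out as one script, which also makes the least-privilege ACL the guide asks for explicit and verifies the outcome. This is an added example, not part of the original guide; it uses icacls in place of the guide's Cacls.exe and assumes a D: data partition, the IIS packages installed as above, and PowerShell enabled on the Server Core host (the MicrosoftWindowsPowerShell package).

```powershell
# Added example (not from the original guide): relocates the web content and log
# folders, applies least-privilege NTFS ACLs with icacls (used here in place of the
# guide's Cacls.exe), points IIS at the new folders and verifies the result.
# Assumed: a D: data partition, the IIS packages above installed, and PowerShell
# enabled on the Server Core host (the MicrosoftWindowsPowerShell package).
param([string]$WwwRoot = "D:\WWW", [string]$LogRoot = "D:\LogFiles")

$appcmd = "$env:windir\system32\inetsrv\appcmd.exe"

function Invoke-Checked {
    # run an external tool and fail fast instead of continuing with a half-configured server
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($Arguments -join ' ') failed ($LASTEXITCODE)" }
}

foreach ($dir in @($WwwRoot, $LogRoot)) {
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
}

# WWW: drop inherited ACEs, then grant only read/execute to the worker-process group;
# admins and SYSTEM keep full control for deployment and servicing ((OI)(CI) = inherit).
# Add IUSR:(OI)(CI)RX as well if anonymous authentication does not use the pool identity.
Invoke-Checked icacls.exe @($WwwRoot, "/inheritance:r", "/grant:r",
    "BUILTIN\Administrators:(OI)(CI)F", "NT AUTHORITY\SYSTEM:(OI)(CI)F",
    "BUILTIN\IIS_IUSRS:(OI)(CI)RX")
# LogFiles: written by the logging service as SYSTEM; application pools need no access
Invoke-Checked icacls.exe @($LogRoot, "/inheritance:r", "/grant:r",
    "BUILTIN\Administrators:(OI)(CI)F", "NT AUTHORITY\SYSTEM:(OI)(CI)F")

# Same appcmd settings as the guide, now parameterised
Invoke-Checked $appcmd @("set", "vdir", "Default Web Site/", "-physicalPath:$WwwRoot")
Invoke-Checked $appcmd @("set", "config", "-section:system.applicationHost/sites",
    "-siteDefaults.logfile.directory:$LogRoot")
Invoke-Checked $appcmd @("set", "config", "-section:system.applicationHost/log",
    "-centralBinaryLogFile.directory:$LogRoot")
Invoke-Checked $appcmd @("set", "config", "-section:system.applicationHost/log",
    "-centralW3CLogFile.directory:$LogRoot")
# Service packs and installers look up the web root here
Set-ItemProperty -Path "HKLM:\Software\Microsoft\inetstp" -Name PathWWWRoot -Value $WwwRoot

# Verify: the site must resolve to the data partition and no broad ACE may remain on it
$physical = (& $appcmd list vdir "Default Web Site/" /text:physicalPath | Out-String).Trim()
if ($physical -ne $WwwRoot) { throw "Default Web Site still points at '$physical'" }
$acl = (& icacls.exe $WwwRoot | Out-String)
if ($acl -match "BUILTIN\\Users|Everyone") { throw "Broad ACE remains on $WwwRoot" }
"OK: content in $WwwRoot, logs in $LogRoot"
```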