RebelAdmin.com - The Tech Blog You Need
Step-by-Step Guide to Setup Two-Tier PKI Environment

June 2, 2018 No Comments

In the previous posts of this PKI blog series we covered the theory behind PKI. If you haven't read them yet, please go through them before starting on the deployment part.

How PKI Works? – http://www.rebeladmin.com/2018/05/how-pki-works/ 

Active directory certificate service components – http://www.rebeladmin.com/2018/05/active-directory-certificate-service-components/

PKI Deployment Models – http://www.rebeladmin.com/2018/05/pki-deployment-models/

In this post I am going to demonstrate how to set up a PKI using the two-tier model. I chose this model because it is the recommended one for mid-size and large organizations.

[Figure: capki1]
The figure above shows the setup I am going to build. It has one domain controller, one standalone root CA and one issuing CA, all running Windows Server 2016 at the latest patch level.
 
Setup Standalone Root CA
 
The first step is to set up the standalone root CA. This is not a domain member server; it operates at workgroup level. Placing it on a separate VLAN adds further protection to the root CA, because the root CA and the domain will not be able to talk to each other directly even while the root CA is online.
Once the server is ready, log in as a member of the local Administrators group. The first task is to install the AD CS role service, which can be done using:
 
Add-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
 
Once the role service is installed, the next step is to configure the role and bring the CA up:
 
Install-AdcsCertificationAuthority -CACommonName "REBELAdmin Root CA" -CAType StandaloneRootCA -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -HashAlgorithmName SHA256 -KeyLength 2048 -ValidityPeriod Years -ValidityPeriodUnits 20
 
The above command configures the CA. In the command, CACommonName defines the common name for the CA. CAType defines the CA operation type; in our case it is a StandaloneRootCA, and the other options are EnterpriseRootCA, EnterpriseSubordinateCA and StandaloneSubordinateCA. CryptoProviderName specifies the cryptographic service provider; in the demo I am using the Microsoft default provider. HashAlgorithmName defines the hashing algorithm used by the CA, and the options available change based on the CSP chosen. SHA1 is no longer considered a secure algorithm, so it is recommended to use SHA256 or above. KeyLength specifies the key size for the algorithm; in this demo I am using a 2048-bit key. ValidityPeriod defines the validity period of the CA certificate and can be hours, days, weeks, months or years. ValidityPeriodUnits follows ValidityPeriod and specifies how many hours, days, weeks, months or years it will be valid. In our demo we are using 20 years.
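As an added check (example code, not from the original post), the following PowerShell reads the newly created root CA certificate from the local machine store and confirms it reflects the parameters passed above: SHA256 signature, 2048-bit RSA key, self-signed, CA basic constraint and a 20-year lifetime. It assumes the CA common name "REBELAdmin Root CA" used in the command.

```powershell
# Added example (not from the original post): sanity-check the root CA
# certificate created by Install-AdcsCertificationAuthority.
# Assumes the CA common name used in this post.
$CaName = 'REBELAdmin Root CA'

function Test-RootCaCertificate {
    param([string]$CommonName)

    # The CA certificate is placed in the local machine stores at install time;
    # look in Personal and Trusted Root and take the newest match on the subject.
    $cert = Get-ChildItem Cert:\LocalMachine\My, Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq "CN=$CommonName" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with subject CN=$CommonName found in the machine stores" }

    $years = ($cert.NotAfter - $cert.NotBefore).TotalDays / 365.25
    $bc = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)       # expected True for a root CA
        SignatureAlg  = $cert.SignatureAlgorithm.FriendlyName   # expected sha256RSA
        KeySize       = $cert.PublicKey.Key.KeySize             # expected 2048
        IsCa          = [bool]($bc -and $bc.CertificateAuthority)  # expected True
        ValidityYears = [math]::Round($years, 1)                # expected about 20
    }
}

$result = Test-RootCaCertificate -CommonName $CaName
$result | Format-List

# Flag anything that departs from what the install command asked for.
if ($result.SignatureAlg -ne 'sha256RSA' -or $result.KeySize -lt 2048 -or
    -not $result.SelfSigned -or -not $result.IsCa) {
    Write-Warning 'Root CA certificate does not match the intended configuration.'
}
```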
 
[Figure: capki2]
 
Now we have the root CA up and running, but before we use it we need to make a few configuration changes.
 
DSConfigDN
 
As mentioned earlier, this is a standalone root CA and it is not part of the domain. However, the CDP (Certificate Revocation List Distribution Point) and AIA (Authority Information Access) locations required by the CA will be stored in Active Directory on the DC. Since those use distinguished names that include the domain, the root CA needs to know the domain information in order to publish them properly. It retrieves this information from a registry key:
 
certutil.exe -setreg ca\DSConfigDN CN=Configuration,DC=rebeladmin,DC=com
 
CDP Location
 
CDP stands for Certificate Revocation List Distribution Point; it defines the location from which the CRL can be retrieved. This is a web-based location and should be accessible over HTTP. The list is used by the certificate validator to verify that a given certificate is not on the revocation list.
Before we do this, we need to prepare the web server for that task. In this demo the same server built for the online issuing CA is used.
The web server can be installed using:
 
Install-WindowsFeature Web-WebServer -IncludeManagementTools
 
The next step is to create a folder and share it so that it can be used as the virtual directory:
 
mkdir C:\CertEnroll 

New-SmbShare -Name CertEnroll -Path C:\CertEnroll -FullAccess SYSTEM,"rebeladmin\Domain Admins" -ChangeAccess "rebeladmin\Cert Publishers"
 
This sets share permissions for rebeladmin\Domain Admins (Full Access) and rebeladmin\Cert Publishers (Change Access).
After that, open IIS Manager and add a virtual directory named CertEnroll pointing at the above path.
 
[Figure: capki3]
 
Last but not least, we need to create a DNS record so the publication point can be reached by FQDN. In this demo I am using crt.rebeladmin.com, which allows the new distribution point to be accessed as http://crt.rebeladmin.com/CertEnroll
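The web server steps above (virtual directory, share permissions, DNS name) as a scripted equivalent with checks, added here as example code rather than the post's own. It assumes IIS, the C:\CertEnroll folder and the CertEnroll share already exist as shown, the site is "Default Web Site", and the NetBIOS domain name is REBELADMIN.

```powershell
# Added example (not from the original post): scripted equivalent of the
# IIS Manager step plus checks on the CDP/AIA publication point.
# Assumes IIS, C:\CertEnroll and the CertEnroll share already exist.
Import-Module WebAdministration

$SiteName     = 'Default Web Site'
$VdirName     = 'CertEnroll'
$PhysicalPath = 'C:\CertEnroll'
$CdpHost      = 'crt.rebeladmin.com'

# 1. Virtual directory CertEnroll -> C:\CertEnroll (what the GUI step does)
$vdir = Get-WebVirtualDirectory -Site $SiteName -Name $VdirName -ErrorAction SilentlyContinue
if (-not $vdir) {
    $vdir = New-WebVirtualDirectory -Site $SiteName -Name $VdirName -PhysicalPath $PhysicalPath
}

# 2. Delta CRL file names contain '+', which IIS request filtering rejects
#    unless double escaping is allowed on the site (matters for option 64 / %9).
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
    -Filter 'system.webServer/security/requestFiltering' `
    -Name allowDoubleEscaping -Value $true

# 3. Only the accounts named in the New-SmbShare command should be able to
#    write into the publication folder; report anything else that can.
$access  = Get-SmbShareAccess -Name $VdirName
$writers = $access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccessRight -in 'Full', 'Change' } |
    Select-Object -ExpandProperty AccountName
$expectedWriters = 'NT AUTHORITY\SYSTEM', 'REBELADMIN\Domain Admins', 'REBELADMIN\Cert Publishers'  # assumed NetBIOS name
$unexpected = $writers | Where-Object { $_ -notin $expectedWriters }

# 4. Name resolution and HTTP reachability of the publication point
$dns  = Resolve-DnsName -Name $CdpHost -Type A -ErrorAction SilentlyContinue
$http = Test-NetConnection -ComputerName $CdpHost -Port 80 -WarningAction SilentlyContinue

[pscustomobject]@{
    VirtualDirectory  = $vdir.PhysicalPath
    UnexpectedWriters = ($unexpected -join ', ')   # expected: empty
    DnsResolves       = [bool]$dns
    HttpPort80Open    = $http.TcpTestSucceeded
    Url               = "http://$CdpHost/$VdirName/"
}
```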
Now everything is ready and we can publish the CDP settings using:
 
certutil -setreg CA\CRLPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n2:http://crt.rebeladmin.com/CertEnroll/%3%8%9.crl"
 
The plain numbers in the command refer to the options (they are added together when more than one applies) and the numbers prefixed with % refer to variables.

 

Option  Details
0       No changes
1       Publish CRL to the given location
2       Attach CDP extension to issued certificates
4       Include in CRLs so clients can find the delta CRL location
8       Publish all CRL info to AD when publishing manually
64      Delta CRL location
128     Include IDP extension in issued CRLs

All these settings can also be specified via the GUI. To access it, go to Server Manager > Tools > Certification Authority, right-click the server, select Properties and go to the Extensions tab.

There you can add all of the above using the GUI.

Variable  GUI Reference             Details
%1        <ServerDNSName>           DNS name of the CA server
%2        <ServerShortName>         NetBIOS name of the CA server
%3        <CAName>                  Given name of the CA
%4        <CertificateName>         Renewal extension of the CA
%6        <ConfigurationContainer>  DN of the Configuration container in AD
%7        <CATruncatedName>         Truncated name of the CA (32 characters)
%8        <CRLNameSuffix>           Inserts a name suffix at the end of the file name before publishing a CRL
%9        <DeltaCRLAllowed>         When used, replaces the CRLNameSuffix with a separate suffix for the delta CRL
%10       <CDPObjectClass>          Object class identifier for CDP
%11       <CAObjectClass>           Object class identifier for a CA

AIA Location 

AIA (Authority Information Access) is an extension in a certificate that defines the location from which an application or service can retrieve the issuing CA's certificate. This is also a web-based path, and we can use the same location we used for the CDP.

This can be set using,

certutil -setreg CA\CACertPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n2:http://crt.rebeladmin.com/CertEnroll/%1_%3%4.crt"

The options are very similar to those for the CDP, with a few small differences.

Option  Details
0       No changes
1       Publish CA certificate to the given location
2       Attach AIA extension to issued certificates
32      Attach Online Certificate Status Protocol (OCSP) extension
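The following added example (not from the original post) decodes the CDP and AIA publication strings used above: it splits each entry, expands the numeric prefix into the option names from the two tables, and substitutes the %n variables so the resulting file paths and URLs can be reviewed before the values are set. The root CA host name and the %n substitution values are constructed for this demo; the %10 and %11 LDAP suffixes are the ones AD CS appends.

```powershell
# Added example (not from the original post): decode the CDP and AIA
# publication strings from this post into option names and expanded targets.
$CrlPublicationUrls    = '1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n2:http://crt.rebeladmin.com/CertEnroll/%3%8%9.crl'
$CaCertPublicationUrls = '1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n2:http://crt.rebeladmin.com/CertEnroll/%1_%3%4.crt'

# Option bitmasks, named as in the two tables above.
$CdpFlags = @{ 1 = 'Publish CRL to this location'; 2 = 'Attach CDP extension to issued certificates'
               4 = 'Include in CRLs to find delta CRL'; 8 = 'Publish to AD when publishing manually'
               64 = 'Delta CRL location'; 128 = 'Include IDP extension in issued CRLs' }
$AiaFlags = @{ 1 = 'Publish CA certificate to this location'; 2 = 'Attach AIA extension to issued certificates'
               32 = 'Attach OCSP extension' }

# Constructed demo values for the %n variables (host name REBEL-ROOTCA is assumed).
# %4 and %8 are empty for the first CA certificate / base CRL; %9 becomes '+' for a delta CRL.
# %7 equals %3 here because the CA name is shorter than 32 characters.
$Vars = @{ '%1' = 'REBEL-ROOTCA'; '%2' = 'REBEL-ROOTCA'; '%3' = 'REBELAdmin Root CA'; '%4' = ''
           '%6' = 'CN=Configuration,DC=rebeladmin,DC=com'; '%7' = 'REBELAdmin Root CA'; '%8' = ''; '%9' = ''
           '%10' = '?certificateRevocationList?base?objectClass=cRLDistributionPoint'
           '%11' = '?cACertificate?base?objectClass=certificationAuthority' }

function Expand-PublicationUrls {
    param([string]$Setting, [hashtable]$Flags, [hashtable]$Variables)
    foreach ($entry in ($Setting -split '\\n')) {        # certutil separates entries with a literal \n
        $number, $target = $entry -split ':', 2           # split only at the first colon (ldap:/// follows)
        $number = [int]$number
        $options = foreach ($bit in ($Flags.Keys | Sort-Object)) { if ($number -band $bit) { $Flags[$bit] } }
        $expanded = $target
        foreach ($k in ($Variables.Keys | Sort-Object Length -Descending)) {   # %10 before %1
            $expanded = $expanded.Replace($k, $Variables[$k])
        }
        [pscustomobject]@{ Number = $number; Options = ($options -join '; '); Expanded = $expanded }
    }
}

Expand-PublicationUrls $CrlPublicationUrls    $CdpFlags $Vars | Format-List
Expand-PublicationUrls $CaCertPublicationUrls $AiaFlags $Vars | Format-List
# To compare against the live CA: certutil -getreg CA\CRLPublicationURLs
```

The entry prefixed 10 decodes to options 2 and 8, which is why the LDAP location is both attached to issued certificates and used as the AD target when the root CA's CRL is published manually.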

CA Time Limits

When we set up the CA we defined the CA validity period as 20 years, but that doesn't mean every certificate it issues will be valid for 20 years. The root CA issues certificates only to issuing CAs. Certificate request, approval and renewal processes are manual, and therefore these certificates typically have longer validity periods. In the demo, I will set it to 10 years.

certutil -setreg ca\ValidityPeriod "Years"

certutil -setreg ca\ValidityPeriodUnits 10

Written by: Dishan M. Francis