June 2, 2018 | RebelAdmin.com

Active Directory MICROSOFT

Step-by-Step Guide to Setup Two-Tier PKI Environment

June 2, 2018 1 Comment

In previous posts on PKI blog series we learned about theory part of PKI. If you didn’t read those yet, please go ahead and read those before start on deployment part.

How PKI Works? – http://www.rebeladmin.com/2018/05/how-pki-works/

Active directory certificate service components – http://www.rebeladmin.com/2018/05/active-directory-certificate-service-components/

PKI Deployment Models – http://www.rebeladmin.com/2018/05/pki-deployment-models/

In this post I am going to demonstrate how we can setup PKI using Two-Tier model. I have use this model as it is the recommended model for mid and large organizations.

The above figure explains the setup I am going to do. In there I have one domain controller, one standalone root CA and one Issuing CA. all are running with windows server 2016 with latest patch level.

Setup Standalone Root CA

First step is to setup the standalone root CA. This is not a domain member server and it is operating in workgroup level. By configuring it on separate VLAN will add additional security to the root CA as it will not be able to talk to each other directly even its online.

Once server is ready log in to the server as member of local administrator group. First task is to install the AD CS role service. It can be done using,

Add-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

Once role service is installed, next step is to configure the role and get the CA up and running.

Install-ADcsCertificationAuthority -CACommonName “REBELAdmin Root CA” -CAType StandaloneRootCA -CryptoProviderName “RSA#Microsoft Software Key Storage Provider” -HashAlgorithmName SHA256 -KeyLength 2048 -ValidityPeriod Years -ValidityPeriodUnits 20

The above command will configure the CA. in the command CACommonName defines the common name for the CA. CAType defines the CA operation type. In our case, it is a StandaloneRootCA. The option for it will be EnterpriseRootCA, EnterpriseSubordinateCA or StandaloneSubordinateCA. CryptoProviderName specify the cryptographic service provider and in the demo, I am using the Microsoft default service provider. HashAlgorithmName defines the hashing algorithm use by the CA. The option for it will be change based on the CSP we choose. SHA1 is no longer counted as secure algorithm as recommended to use SHA256 or above. KeyLength specify the key size for the algorithm. In this demo, I am using 2048 key. ValidityPeriod defines the validity period of CA certificates. It can be hours, days, weeks, months or years. ValidityPeriodUnits is followed by the ValidityPeriod and specify how many hours, days, weeks, months or years it will valid. In our demo, we are using 20 years.

Now we have the root CA up and running. But before we use it we need to do certain configuration changes.

DSConfigDN

As I mentioned early this is a standalone root CA and it is not part of the domain. However, CDP (Certificate Revocation List Distribution Points) and AIA (Authority Information Access) locations which required by CA will be storing in DC. Since those use DN names with domain, root CA need to be aware of the domain information to publish it properly. It will retrieve this information via registry key.

certutil.exe –setreg ca\DSConfigDN CN=Configuration,DC=rebeladmin,DC=com

CDP Location

CDP is stands for Certificate Revocation List Distribution Points and it is defined the location where CRL can retrieve. This is web based location and should be able to access via HTTP. This list will be used by the certificate validator to verify the given certificate is not in revocation list.

Before we do this, we need to prepare the web server for that task. This task will use the same server built for online issuing CA.

The web server can be install using,

Install-WindowsFeature Web-WebServer -IncludeManagementTools

Next step is to create a folder and create share so that can be use as the virtual directory.

mkdir C:\CertEnroll

New-smbshare -name CertEnroll C:\CertEnroll -FullAccess SYSTEM,"rebeladmin\Domain Admins" -ChangeAccess "rebeladmin\Cert Publishers"

As part of the exercise it will set share permissions to rebeladmin\Domain Admins (Full Access) and rebeladmin\Cert Publishers (Change Access).

After that load the IIS manager and add a Virtual Directory CertEnroll with the above path.

Last but not least we need to create a DNS record to use this publication point using FQDN. In this demo, I am using crt.rebeladmin.com. This will allow to access the new distribution point using http://crt.rebeladmin.com/CertEnroll

Now everything ready and we can publish the CDP settings using,

certutil -setreg CA\CRLPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl \n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n2:http://crt.rebeladmin.com/CertEnroll/%3%8%9.crl"

The single numbers in the command refers to the options and numbers with % refers to the variables.

Option

Details

No Changes

Publish CRL to the given location

Attach CDP extensions of issued certificates

Include in CRL to find the delta CRL locations

Specify if need to publish all CRL info to AD when publishing manually

Delta CRL location

128

Include IDP extension of issued CRL

All these settings also can specify using GUI. In order to access it, got to Server Manager > Tools > Certificate Authority > Right click and select properties of the server > Go to the Extension Tab

There you can add all the above using GUI.

Variable

GUI Reference

Details

DNS Name of the CA server

NetBIOS name of the CA server

Given Name for the CA

Renewal Extension of the CA

DN of the Configuration Container in AD

Truncated Name of the CA ( 32 Characters )

Inserts a name suffix at the end of the file name before publishing a CRL

When this called, this will replace the CRLNameSuffix with a separate suffix to use the delta CRL

%10

Object Class identifier for CDP

%11

Object Class identifier for a CA

AIA Location

AIA (Authority Information Access) is an extension which is in certificate and it defines the location where application or service can retrieve issuing CA’s certificate. This is also a web based path and we can use the same location we used for the CDP.

This can be set using,

certutil -setreg CA\CACertPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n2:http://crt.rebeladmin.com/CertEnroll/%1_%3%4.crt"

The Options are very much similar to the CDP with few smaller changes.

Option

Details

No Changes

Publish CA certificate to given location

Attach AIA extensions of issued certificates

Attach Online Certificate Status Protocol (OCSP) Extensions

CA Time Limits

When we setup the CA we have defined CA validity period as 20 years. but it doesn’t mean every certificate it issue will have 20 years’ valid period. Root CA will issue certificates only to Issuing CAs. Certificate request, approval and renewal processes are manual. There for typically these certificates will have longer validity periods. In demo, I will set it for 10 years.

certutil -setreg ca\ValidityPeriod "Years"

certutil -setreg ca\ValidityPeriodUnits 10

Written by: Dishan M. Francis

Step-by-Step Guide to Setup Two-Tier PKI Environment

Search

Microsoft MVP

MVP for Last 5 Years!

Book Release

Mastering Active Directory, Second Edition Released!

Follow Us