Tag Archives: ADCS

How PKI Works?

When I talk to customers and engineers, most of them know that SSL is “more secure” and works over TCP port 443. But most of them do not really know what a certificate is or how the encryption and decryption actually work. It is very important to understand exactly how it works, because then deployment and management become easy. Most of the PKI-related issues I have worked on were caused by misunderstandings of the core technologies, components and concepts behind it, rather than by service-level problems.

Symmetric-key vs Asymmetric-key

There are two types of cryptographic methods used to encrypt data in the computer world. The symmetric method works exactly the way your door lock works: you have one key to both lock and open the door. This key is also called a shared secret or private key. VPN connections and backup software are some examples that still use symmetric keys to encrypt data.

The asymmetric-key method, on the other hand, uses a key pair for encryption and decryption. It includes two keys: a public key and a private key. The public key is distributed publicly and anyone can have it. The private key is unique to the object and is never distributed to others. Any message encrypted with the public key can only be decrypted with its private key, and any message encrypted with the private key can only be decrypted with the public key. PKI uses the asymmetric-key method for digital encryption and digital signatures.

Digital Encryption

Digital encryption means that the data transferred between two parties is encrypted, and the sender ensures that only the expected receiver can open it. Even if an unauthorized party gains access to the encrypted data, they will not be able to decrypt it. The best way to explain it is with the following example.

pki1

We have an employee in the organization called Sean. In the PKI environment he owns two keys, a public key and a private key, which can be used for the encryption and signature processes. Now he needs to receive a set of confidential data from the company account manager, Chris. He doesn’t want anyone else to have this confidential data. The best way to achieve this is to encrypt the data that is going to be sent from Chris to Sean.

pki2

In order to encrypt the data, Sean sends his public key to Chris. There is no issue with providing the public key to any party. Chris then uses this public key to encrypt the data he is sending to Sean. The encrypted data can only be opened with Sean’s private key, and he is the only one who has it. This verifies the receiver and his authority over the data.

Digital Signature

A digital signature verifies the authenticity of a service or of data. It is similar to signing a document to prove its authenticity. As an example, before purchasing anything from Amazon we can check its digital certificate, which verifies the authenticity of the website and proves it is not a phishing site. Let’s look into it further with a use case. In the previous scenario Sean successfully decrypted the data he received from Chris. Now Sean wants to send some confidential data back to Chris. It could be encrypted the same way using Chris’s public key, but the issue is that Chris is not part of the PKI setup and does not have a key pair. The only thing Chris needs is to verify that the sender is legitimate and is the same user he claims to be. If Sean can certify it with a digital signature and Chris can verify it, the problem is solved.

pki3

Now Sean encrypts the data using his private key. The only key that can decrypt it is Sean’s public key. Chris already has this key, and even if he didn’t, it could be distributed to him. When Chris receives the data he decrypts it using Sean’s public key, and that confirms the sender is definitely Sean.

Signing and Encryption

In the previous two scenarios I explained how digital encryption and digital signatures work with PKI. Both scenarios can be combined to provide encryption and signing at the same time. To do that, the system uses two additional techniques.

Symmetric-Key – A one-time symmetric key is used for the message encryption, as it is faster than asymmetric-key encryption algorithms. This key needs to be available to the receiver, but to improve security it is itself encrypted using the receiver’s public key.

Hashing – During the signing process the system generates a one-way hash value that represents the original data. Even if someone manages to get that hash value, it is not possible to reverse it to obtain the original data. If any modification is made to the data, the hash value changes and the receiver knows straight away. Hashing algorithms are faster than encryption algorithms, and the hash is smaller than the actual data.

Let’s look at this in a scenario. We have two employees, Simran and Brian, both using the PKI setup. Both have their private and public keys assigned.

pki4

Simran wants to send an encrypted and signed data segment to Brian. The process can be divided into two stages: data signing and data encryption. The data goes through both stages before it is sent to Brian.

pki5

The first stage is to sign the data segment. The system receives the data from Simran, and the first step is to generate a message digest using a hashing algorithm. This ensures data integrity: if the data is altered after it leaves the sender’s system, the receiver can easily identify it during the verification process. Hashing is a one-way process. Once the message digest is generated, the next step is to encrypt the digest using Simran’s private key, which is the digital signature. Simran’s public key is also included so that Brian can decrypt the digest and verify the authenticity of the message. Once the encryption finishes, the signature is attached to the original data. This process ensures the data was not altered and was sent by the exact expected (genuine) sender.

pki6

The next stage is to encrypt the data. The first step is to generate a one-time symmetric key to encrypt the data; asymmetric algorithms are less efficient than symmetric algorithms for long data segments. Once the symmetric key is generated, the data (including the message digest and signature) is encrypted with it. Brian will use this symmetric key to decrypt the message, so we need to ensure it is available only to Brian. The best way to do that is to encrypt the symmetric key using Brian’s public key, so that once he receives it he can decrypt it using his private key. This step encrypts only the symmetric key itself; the rest of the message stays the same. Once it is completed, the data can be sent to Brian.

The next step is to see how the decryption process happens on Brian’s side.

pki7

The message decryption process starts with decrypting the symmetric key. Brian needs the symmetric key to go further with decryption, and it can only be decrypted using Brian’s private key. Once it is decrypted, the symmetric key is used to decrypt the data, message digest and signature. Once decryption is done, the same key cannot be used to decrypt other messages, as it is a one-time key.

pki8

Now we have the decrypted data and the next step is to verify the signature. At this point we have the message digest encrypted using Simran’s private key. It can be decrypted using Simran’s public key, which is attached to the message. Once it is decrypted we retrieve the message digest. This digest value is one-way; we cannot reverse it. Therefore the digest of the retrieved original data is recalculated using exactly the same algorithm the sender used. This newly generated digest value is then compared with the digest value attached to the message. If the values are equal, it confirms the data wasn’t modified during transmission, the signature is verified, and the original data is released to Brian. If the digest values are different, the message is discarded, as it was either altered or not signed by Simran.
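The whole flow described above (the signing stage, the one-time symmetric key wrapped with the receiver’s public key, and Brian’s unwrap, decrypt, digest-recalculate and compare steps) can be run end to end with the .NET cryptography classes available from PowerShell. The script below is an added example, not part of the original post; it assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later (or PowerShell 7 on Windows), and the key pair names and sample message are constructed for illustration. It also covers the simpler encrypt-only and sign-only scenarios from the earlier sections, since they are the two halves of this one.

```powershell
# Added example (not from the original post): sign-then-encrypt with a one-time AES key,
# then unwrap, decrypt and verify on the receiver's side. Names and data are constructed.
Add-Type -AssemblyName System.Security

# Each employee owns an RSA key pair; the private half never leaves its owner.
$simran = [System.Security.Cryptography.RSACng]::new(2048)
$brian  = [System.Security.Cryptography.RSACng]::new(2048)

# Public halves are what gets distributed (ExportParameters($false) omits the private part).
$simranPublic = [System.Security.Cryptography.RSACng]::new()
$simranPublic.ImportParameters($simran.ExportParameters($false))
$brianPublic  = [System.Security.Cryptography.RSACng]::new()
$brianPublic.ImportParameters($brian.ExportParameters($false))

$data = [System.Text.Encoding]::UTF8.GetBytes('Quarterly figures (constructed sample message)')

# ---- Sender, stage 1: sign. SignData hashes the data (the message digest) and applies
# Simran's private key to the digest, which is the "encrypt the digest with the private key"
# step described above.
$hashAlg = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$sigPad  = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
$signature = $simran.SignData($data, $hashAlg, $sigPad)

# ---- Sender, stage 2: encrypt data + signature with a one-time AES-256 key.
$aes = [System.Security.Cryptography.Aes]::Create()
$aes.KeySize = 256
$aes.GenerateKey(); $aes.GenerateIV()
# Body layout: 4-byte length of data, then data, then signature, so the receiver can split it.
$body = [byte[]]([System.BitConverter]::GetBytes([int]$data.Length) + $data + $signature)
$cipherText = $aes.CreateEncryptor().TransformFinalBlock($body, 0, $body.Length)
# Only the AES key is wrapped with Brian's public key; the rest of the message stays as is.
$oaep = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256
$wrappedKey = $brianPublic.Encrypt($aes.Key, $oaep)
# What travels to Brian: $wrappedKey, $aes.IV, $cipherText (Simran's public key is already known).

# ---- Receiver, step 1: unwrap the one-time key with Brian's private key.
$sessionKey = $brian.Decrypt($wrappedKey, $oaep)
$aesRecv = [System.Security.Cryptography.Aes]::Create()
$aesRecv.Key = $sessionKey
$aesRecv.IV  = $aes.IV
$plainBody = $aesRecv.CreateDecryptor().TransformFinalBlock($cipherText, 0, $cipherText.Length)

# ---- Receiver, step 2: split data and signature, recompute the digest, compare.
# VerifyData recalculates SHA-256 over the received data and checks it against the digest
# recovered from the signature with Simran's public key.
$len      = [System.BitConverter]::ToInt32($plainBody, 0)
$recvData = [byte[]]($plainBody[4..(3 + $len)])
$recvSig  = [byte[]]($plainBody[(4 + $len)..($plainBody.Length - 1)])
$valid = $simranPublic.VerifyData($recvData, $recvSig, $hashAlg, $sigPad)
"Message: " + [System.Text.Encoding]::UTF8.GetString($recvData)
"Signature valid: $valid"

# A single altered byte changes the digest, so the comparison fails and the message is discarded.
$recvData[0] = $recvData[0] -bxor 1
"Signature valid after tampering: " + $simranPublic.VerifyData($recvData, $recvSig, $hashAlg, $sigPad)
```

Running the script prints the recovered message, `Signature valid: True`, and `Signature valid after tampering: False`. Note that in a real deployment the IV is sent alongside the ciphertext rather than shared through a variable, and the sender’s public key would be delivered inside a certificate issued by the CA, which is what lets the receiver trust that the key really belongs to Simran.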

This explains how a PKI environment handles the encryption/decryption process as well as the digital signing/verification process.

If you have any questions, feel free to contact me at rebeladm@live.com, and follow me on Twitter @rebeladm to get updates about new blog posts.

STEP-BY-STEP GUIDE TO MIGRATE ACTIVE DIRECTORY CERTIFICATE SERVICE FROM WINDOWS SERVER 2003 TO WINDOWS SERVER 2012 R2

Microsoft has already announced that support for Windows Server 2003 / Windows Server 2003 R2 ends on 14th July 2015 (http://support2.microsoft.com/lifecycle/search/default.aspx?sort=PN&alpha=Microsoft+Windows+Server+2003&Filter=FilterNO). It’s no wonder that some organizations still use Windows Server 2003 versions in production environments.

If you still have not planned your migration from legacy Windows Server versions, well, the time has come!

This guide explains how to migrate AD CS from Windows Server 2003 to Windows Server 2012 R2.

In this demonstration I am using the following setup.

Server Name                      Operating System                       Server Roles
canitpro-casrv.canitpro.local    Windows Server 2003 R2 Enterprise x86  AD CS (Enterprise Certificate Authority)
CANITPRO-DC2K12.canitpro.local   Windows Server 2012 R2 x64

Back up the Windows Server 2003 certificate authority database and its configuration

•    Log in to the Windows Server 2003 server as a member of the local Administrators group
•    Go to Start > Administrative Tools > Certification Authority

adcs1

•    Right-click on the server node > All Tasks > Backup CA

adcs2

•    It will then open the “Certification Authority Backup Wizard”; click “Next” to continue

adcs3

•    In the next window tick the check boxes to select the options as highlighted, and click “Browse” to provide the location where the backup file will be saved. Then click “Next” to continue

adcs4

•    It will then ask for a password to protect the private key and CA certificate file. Once you have provided the password, click Next to continue

adcs5

•    The next window shows the confirmation; click “Finish” to complete the process

Back up the CA Registry Settings

•    Click Start > Run, type regedit and click “OK”

adcs6

•    Then expand the key at the following path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc

•    Right-click on the “Configuration” key and click “Export”

adcs7

•    In the next window select the path where you want to save the backup file and provide a name for it. Then click Save to complete the backup

adcs8

Now we have the backup of the CA; move these files to the new Windows Server 2012 R2 server.

adcs9

 

Uninstall the CA Service from Windows Server 2003

Now that the backup files are ready, and before configuring certificate services on the new Windows Server 2012 R2 server, we can uninstall the CA service from the Windows Server 2003 server. To do that, follow these steps.

•    Click Start > Control Panel > Add or Remove Programs

adcs10

•    Then click the “Add/Remove Windows Components” button

adcs11

•    In the next window clear the tick next to “Certificate Services” and click Next to continue

adcs12

•    Once the process is complete it will give a confirmation; click “Finish”

adcs13

With that we are done with the Windows Server 2003 CA service, and the next step is to install and configure the Windows Server 2012 R2 CA service.

Install Windows Server 2012 R2 Certificate Services

•    Log in to the Windows Server 2012 R2 server as Domain Administrator or as a member of the local Administrators group

•    Go to Server Manager > Add roles and features

adcs14

•    It will open the “Add Roles and Features” wizard; click Next to continue

adcs15

•    In the next window select “Role-based or feature-based installation” and click Next to continue

adcs16

•    In the server selection, keep the default selection and click Next to continue

adcs17

•    In the next window tick the box to select “Active Directory Certificate Services”. A window will pop up asking you to acknowledge the required features that need to be added; click “Add Features” to add them

adcs18

adcs19

•    In the Features section, leave the defaults. Click Next to continue

adcs20

•    In the next window it gives a brief description of AD CS. Click Next to continue

adcs21

•    Then it gives the option to select role services. I have selected Certification Authority and Certification Authority Web Enrollment. Click Next to continue

adcs22

•    Since Certification Authority Web Enrollment is selected, IIS is required, so the next window gives a brief description of IIS

adcs23

•    The next window gives the option to add IIS role services. I will leave it at the defaults and click Next to continue

adcs24

•    The next window asks for confirmation of the services to install; click “Install” to start the installation process

adcs25

•    Once the installation completes you can close the wizard.

Configure AD CS

In this step we will look at the configuration and at restoring the backup we created.

•    Log in to the server as Enterprise Administrator
•    Go to Server Manager > AD CS

adcs26

•    In the right-hand panel it will show a message like the following screenshot; click “More”

adcs27

•    It will open a window; click “Configure Active Directory Certificate Services …”

adcs28

•    It will open the role configuration wizard, which gives the option to change the credentials. Here I am already logged in as Enterprise Administrator, so I will leave the default and click Next to continue

adcs29

•    In the next window it asks which services you would like to configure. Select the “Certification Authority” and “Certification Authority Web Enrollment” options and click Next to continue

adcs30

•    It will be an Enterprise CA, so in the next window select Enterprise CA as the setup type and click Next to continue

adcs31

•    In the next window select “Root CA” as the CA type and click Next to continue

adcs32

•    The next option is very important for the configuration. For a new installation we would only need to create a new private key, but since this is a migration we already have a backup of the private key. So here select the options as highlighted in the screenshot, then click Next to continue

adcs33

•    In the next window click the “Import” button

adcs34

•    Here it gives the option to select the key we backed up from the Windows Server 2003 server. Browse and select the key from the backup we made and provide the password we used to protect it. Then click OK

adcs35

•    It will then import the key successfully; in the window select the imported certificate and click Next to continue

adcs36

•    In the next window we can define the certificate database path. Here I will leave it at the default and click Next to continue

adcs37

•    In the next window it provides the configuration confirmation; click Configure to proceed

adcs38

•    Once it has completed, click Close to exit the configuration wizard

Restore CA Backup

Now comes the most important part of the process, which is to restore the CA backup we made on Windows Server 2003.

•    Go to Server Manager > Tools > Certification Authority

adcs39

•    Then right-click on the server node > All Tasks > Restore CA

adcs40

•    It will then ask if it is okay to stop the certificate service in order to proceed. Click OK

adcs41

•    It will open the Certification Authority Restore Wizard; click Next to continue

adcs42

•    In the next window browse to the folder where we stored the backup and select it. Also select the options as I did below. Then click Next to continue

adcs43

•    The next window gives the option to enter the password we used to protect the private key during the backup process. Once entered, click Next to continue

adcs44

•    In the next window click “Finish” to complete the import process

adcs45

•    Once it has completed, the system will ask if it is okay to start the certificate service again. Proceed with it to bring the service back online

Restore Registry Information

During the CA backup process we also backed up the registry key, and now it is time to restore it. Open the folder that contains the backed-up registry file and double-click it.
Then click Yes to proceed with the registry key restore.

adcs46

Once completed, it will give a confirmation of the restore.

adcs47

Reissue Certificate Templates

We are done with the migration process and now it is time to reissue the certificate templates. I had a template set up in the Windows Server 2003 environment called “PC Certificate”, which issues certificates to the domain computers. Let’s see how I can reissue it.

•    Open the Certification Authority snap-in
•    Right-click on the Certificate Templates folder > New > Certificate Template to Issue

adcs48

•    From the certificate template list, click the appropriate certificate template and click OK

adcs49

Test the CA

Here I already had a certificate template set up for PCs and configured for auto-enrollment. For testing purposes I set up a Windows 8 PC called demo1 and added it to the canitpro.local domain. Once it had loaded for the first time, I opened the Certification Authority snap-in on the server, and when I expanded the “Issued Certificates” section I could clearly see the new certificate issued for the PC.

adcs50

So this confirms the migration was successful.
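The same migration can be driven from the command line, which is easier to repeat and to review than a sequence of wizard screenshots. The script below is an added example and is not part of the original post: it uses certutil.exe and reg.exe on the Windows Server 2003 CA, and the ServerManager, ADCSDeployment and ADCSAdministration cmdlets on Windows Server 2012 R2. The backup folder C:\CABackup and the template name PCCertificate are assumptions, and the backup password is a placeholder read at the prompt. It adds one check the GUI walkthrough leaves implicit: after importing the registry backup, the CA’s configuration values that embed a host name (CAServerName and the CRL/AIA publication URLs) should be reviewed, because they were exported from canitpro-casrv.

```powershell
# Added example (not from the original post): scripted version of the backup, install,
# restore and re-publish steps. C:\CABackup and 'PCCertificate' are assumed values.
# Run each section on the server named in its comment, in an elevated session.

### Section 1 - on the Windows Server 2003 CA (cmd.exe; certutil.exe and reg.exe ship with the OS)
# Back up the CA database plus the CA certificate and private key into C:\CABackup.
# -p sets the password that protects the exported .p12 file (use a strong one).
certutil -backup C:\CABackup -p "<backup-password>"
# Export the CertSvc Configuration key, the same key the GUI steps export with regedit.
reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration C:\CABackup\CertSvc-Configuration.reg
# Copy C:\CABackup to the new server before removing Certificate Services from this one.

### Section 2 - on Windows Server 2012 R2 (PowerShell, logged in as Enterprise Admin)
# Role services matching the wizard choices: Certification Authority + Web Enrollment.
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# Configure the enterprise root CA from the exported certificate and key; this is the
# wizard's "use existing private key / Import" path. The .p12 is found by extension so
# its exact file name does not have to be assumed.
$p12 = (Get-ChildItem 'C:\CABackup\*.p12' | Select-Object -First 1).FullName
$backupPassword = Read-Host 'Password used when backing up the 2003 CA' -AsSecureString
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CertFile $p12 -CertFilePassword $backupPassword -Force
Install-AdcsWebEnrollment -Force

# Restore the database backup. The service is stopped first, as the restore wizard asks.
Stop-Service certsvc
Restore-CARoleService -Path 'C:\CABackup' -Password $backupPassword -Force

# Restore the registry configuration, then review the values that can still carry the old
# host name before the service starts. Correct any that point at canitpro-casrv.
reg import C:\CABackup\CertSvc-Configuration.reg
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg).Active
Get-ItemProperty -Path "$cfg\$caName" |
    Select-Object CAServerName, CRLPublicationURLs, CACertPublicationURLs | Format-List
Start-Service certsvc

# Re-publish the template the old CA issued. Add-CATemplate takes the template's name,
# not its display name, so 'PCCertificate' stands in for the "PC Certificate" template.
Add-CATemplate -Name 'PCCertificate' -Force

# Checks: the CA answers, the template is published, and the restored database still lists
# the certificates issued by the old server (Disposition 20 = issued).
certutil -ping
Get-CATemplate
certutil -view -restrict "Disposition=20" -out "RequestID,RequesterName,NotAfter" | Select-Object -First 40
```

Section 1 is typed into cmd.exe on the old server (the two commands run unchanged from PowerShell as well); Section 2 is run once the backup folder has been copied over. If the CAServerName or publication URL values still show the old server after the import, fix them before clients start enrolling, otherwise the CRL distribution points embedded in newly issued certificates will point at a host that no longer exists.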