So, now that we have walked through configuring our Windows 2012 based PKI, let’s discuss securing this new environment. 

Security Considerations for a Root CA

So, we setup a Root CA.  A best practice for a PKI is to have the Root CA Offline.  In other words the Root CA should never be connected to a network.  Back when I started supporting PKI, the use of Virtual Machines was very limited.  When an organization would setup an Offline Root it would typically be on a server in the Datacenter, that was not connected to a network.  Sometimes, organizations would take the additional step of removing the Hard Drives from the servers and storing them in a locked cabinet or safe. 

Today, the landscape has drastically change.  Organizations virtualize every system they can.  Virtualization has allowed organizations control cost, by in many cases reducing the amount of hardware that needs to be purchased and maintained.  As such we see customer’s increasingly virtualizing Certification Authorities, including Root CAs. 

So, what steps can be done to secure virtualized Root CAs?  Well, disconnecting the virtual adapter would be the first step in securing the CA.  If your virtualization allows you to remove or not connect an adapter, that would be a good strategy as well. The nice thing about Virtualization Software in this type of situation is although the network adapter is disconnected you can still connect to the console via the Virtualization Software.  The downside is to copy updated files such as a CRL is a very manual process.  In other words you have to take several steps such as mounting a virtual floppy, copying the new CRL file on to the Virtual floppy, and then mounting that Virtual Floppy to a system where you can publish the CRL to the CDP repositories.

Also, if you are going to use a Hardware Security Module (HSM) with a virtual CA, then you will need a network based HSM.  It is generally recommended that use an HSM with any type of CA as it protects the Private Key of the CA.  However, as with any security measure you will need to perform risk analysis to determine if the purchase of an HSM is justified.  In some cases, where you are using certificates with a 3rd party or subordinating your CA to a 3rd Party CA, the use of an HSM may be required.

Additionally, to secure your CA there are some basic security configuration that is recommended.  This included ensuring that Auditing is enabled on the CA.  In the previous blogs articles I configured CA Auditing using the command: certutil –setreg CA\AuditFilter 127.  However, Audit Object Access also has to be enabled.  Since the Root CA is not connected to a network, it obviously does not participate in Active Directory.  Therefore configurations such as Password Policies that are normally configured via Group Policy have to be done manually.  We also recommend configuring the CA so that the last logged on user is not displayed and that AutoPlay is disabled. 

• In the following steps I will:
• Disable the network adapter
• Enable auditing for Object Access
• Set the Password Policy
• Disabling displaying the last logged on user
• Renaming the Administrator Account
• Disabling AutoPlay

Disable the network adapter

To disable the network adapter open the Network and Sharing Center, click on Change Adapter Settings.  Then right click on the adapter and select Disable. 

In Hyper-V you can choose to use a Private adapter or Remove the adapter altogether.

Enable auditing for Object Access

Open GPEDIT.MSC.  Expand Computer Configuration > Windows Settings > Security Settings > Local Policies.  Double-click on Audit Object Access, on the Properties page, select Success and Failure, and click OK.

Set the Password Policy

Again, since the Root CA is Offline it is not a domain member and hence will not receive Group Policy.  Therefore, you need to manually configure the password policy.  To configure the password policy open the Local Group Policy Editor (GPEDIT.MSC) on the Root CA.  Expand Computer Configuration > Windows Settings > Security Settings > Password Policy.  I configured the Microsoft recommend configuration which is:

• Enforce password History: 24 passwords remembered
• Maximum password age: 60 days
• Minimum password length: 14 characters
• Password must meet complexity requirements: Enabled
• Store passwords using reversible encryption: Disabled

Disabling displaying the last logged on user

Another recommended security configuration that is recommend is to suppress displaying the last logged on user at login. If you are going to configure this setting, you should also rename the Administrator account, as the default name if trivial to guess.  To disable displaying the last user name, open GPEDIT.MSC, and expand Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.  Next set Interactive logon: Do not display last user name to Enabled.

Renaming the Administrator Account

Open GPEDIT.MSC, and expand Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.

Double-click on Accounts: Rename administrator account, enter the desired name of the Administrator account on the Properties page, and click OK.  In my example I used the name CertAdmin.  Regardless, of what name you will choose, you will want to note it, so you don’t lock yourself out by forgetting the account name you need to log in with.

Disabling AutoPlay

Disabling AutoPlay is to protect against someone mounting a USB stick or CD-ROM and using Autoplay to launch malicious code.  To Disable Autoplay, open GPEDIT.MSC, and expand Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.  Then double-click on Turn Off Autoplay.  Although it may seem counterintuitive, choose Enabled and click OK.  

Although it may seem counterintuitive, choose Enabled and click OK

Security Considerations for an Issuing CA

The security considerations for a online CA are slightly different than for an offline CA.  For one on an Offline Root CA the best practice is to install Service Packs to maintain supportability.  However for an Offline Root CA, we don’t expect security updates to be regularly applied.  This is because the CA is offline and therefore not exposed to network based attacks.  An Issuing CA has to be online by the nature of it’s role of issuing end-entity certificates.  So, for an Issuing CA, security updates should be applied on a regular basis. 

An Issuing CA that uses Certificate Templates is called an Enterprise CA, in Microsoft terminology.  Enterprise CAs must be joined to a domain.  Therefore there are going to be a lot of user potentially (think Domain Admins) that will have administrator privileges on the CA.  So, you may definitely want to consider reducing the number of Administrators. 

Also, for Domain Joined CAs, they get Group Policy applied so most of the configuration for these CAs are going to come from GP.  So, although we are going to configure settings similar to what is configured on the Root CA, we would do this through Group Policy and not through Local Group Policy. 

OU Structure

To be able to better manage your Enterprise CAs, it is a good idea to place them in their own OU.  In my example below, I placed my Issuing CA in a PKI Servers OU, that is underneath my Servers OU.

Group Policy

Now, if I want to apply specific settings to my CAs I can right click on the OU in GPMC.MSC and select Create a GPO in this domain, and Link it here…

Next I give the Group Policy a name and click OK.

Now that the GPO has been created, I right click on the GPO and select Edit.

In that GPO I would run the same steps I ran in the previous section for these settings:

• Enable auditing for Object Access
• Disabling displaying the last logged on user
• Renaming the Administrator Account
• Disabling AutoPlay

So, please refer to the previous section on steps on how to deploy these settings.  Keep in mind that some of these settings may already be deployed through some of your existing GPOs. 

Management Permissions

As I stated previously it would be a good idea to restrict who has Administrator privileges on the CA.  Additionally, you will want to limit what users have Manage CA permissions to the CA.  To restrict Manage CA permission, you would follow the following steps.

In the Certification Authority console (certsrv.msc), right-click on the CA Name.  Select Properties form the context menu.

At this point you have a number of default groups listed.  By default, Domain Admins, Enterprise Admins, and Local Administrators all have Manage CA permissions to the CA.

Regardless of how you configure this, you will want to leave Authenticated Users and leave them with Request Certificates permission.  There are a few exceptions to this, but these exceptions are very rare.  In my example I am leaving Authenticated Users with their default permission, removing all other groups, and adding my own group PKIADMINS.  I have give the PKIADMINS group Issue and Manage Certificates and Mange CA permissions.  I will then only add the appropriate individuals to the PKIADMINS group

Windows Firewall

It is recommended that the Windows Firewall is enabled on Certification Authorities to reduce the attack surface. 

If you enable the Windows Firewall on the CA it will create the necessary exceptions for the Certification Authority as seen below.

Conclusion

So. I covered some basic security configuration you would want to preform on your Certification Authorities.  There still are some outstanding issues I didn’t cover here.  Some of those outstanding items would be configuring Role Separation as well as Monitoring.  These two topics however, are worthy of their own blog posts, so I will cover these in the future.  In the next section I will configuring High Availability for the HTTP AIA and CDP Repositories. 

-Chris

https://twitter.com/chdelay

In this installment of this blog series, I will cover enabling SSL on the Web Enrollment website.  If you are new to Active Directory Certificate Services this blog will also give you an idea of what’s involved in issuing certificates. 

Duplicating the Web Server Certificate Template

A best practice is to duplicate Certificate Templates instead of using the Out-of-box templates.  This allows you to retain the original templates, without modification.  So, the first step for me to perform is to duplicate the Web Server Certificate Template.  In order to do this I open up the Certificate Templates Console.  Then I right-click on the Web Server template and select Duplicate Template from the context menu.

In Windows Server 2012 you will first be presented with the Compatibility tab.  The idea is that you select the OS Version of your Certification Authority and the OS Version of clients that will be enrolling for certificates based on this template.  This will then only allow you to select options in the Certificate Template that are supported by both the CA and the client/enrollee.  In my example, I am going to leave the defaults.

Next I am going to name the Certificate Template FourthCoffee Web Server.

Next, I have to give the CA the proper permissions for the template, so that it can enroll for a certificate.  On the Security tab, click on Add…

I then ensure that Computers is selected under Object Types…, type the CA name, click Check Names, and then click OK.

Finally, I click OK.

Enabling the Certificate Template on the CA

So, now the CA has proper permission to the Certificate Template.  Next, I have to make the Certificate Template available on the CA.  So, I open up the Certification Authority Console (certsrv.msc).  I then right-click on Certificate Templates, select New, then Certificate Template to Issue.

Then I select FourthCoffee Web Server, and click OK.

Enrolling for the Certificate

I could enroll for the Certificate through IIS.  However, I prefer to use the Certificates MMC as that gives me more control over the configuration of my request.  So, I type MMC.exe and press Enter.  Then on the MMC Console, I select File then Add/Remove Snap-in…

From the Add or Remove Snap-ins selection tool, I select Certificates, and click Add.

I then select Computer account, and click Next.

Then on the Select Computer page of the wizard, I select Local Computer, and click Finish

I then click OK to complete this task.

Next, I expand Certificates (Local Computer), right click on Personal, select All Tasks, and then Request New Certificate…

Now, the Certificate Enrollment wizard opens, and I click Next.

On the Certificate Enrollment page of the wizard, I click Next.

On the Request Certificate page of the Wizard, I select the Check Box to choose FourthCoffee Web Server.  I then, click on Details, and then the Properties button.

Under Alternative Name, on the Subject Tab, I change the Type to DNS. 

Next I type the short name of the CAs machine name, under Value, and click Add.  I then perform the same step for the FQDN of the CAs machine name.  I click Apply, and then click on the General tab.

I type SSL Cert under friendly name.  I will later use this name to identify the appropriate certificate.  Then I click OK.

Next on the Request Certificates page of the wizard, I click Enroll.

After I successfully enroll for the certificate, I click Finish.

Installing IIS Administration Console

At this point I realized that did not have the IIS Administration tools installed (Oops!).  To install the IIS Administration tools I ran the following PowerShell command: Add-WindowsFeature Web-Mgmt-Console.

Configuring IIS

Now that I have the IIS Administration Console installed, I open the console.  I expand the Server Name node, then expand the Sites node and click on Default Web Site.  In the Actions pane I click on Bindings…

In the Site Bindings windows, I click Add…

In the Add Site Binding window, I select https from the Type drop-down.  Then under SSL certificate I chose SSL Cert, and finally click OK.  Then I click Close to close the Site Bindings window.

I then expand the Default Web Site, and click on the CertSrv virtual directory. Next, I double-click on SSL Settings.

Under SSL Settings, I select Require SSL, then I click the Apply link in the Actions pane.

Now the Web Enrollment site is configured with SSL.

Conclusion

I have now configured SSL on the Web Enrollment website.  The next step for me to take is to perform some security configuration on both CAs to reduce the attack surface, and secure my shiny new PKI.

In the last episode of this blog series I installed an Enterprise Subordinate CA. In this episode I am going to perform post configuration of this CA.

So, let’s first sum up where I am with my setup. I have installed my Root and Subordinate CA. I have configured the Root CA. I am using LDAP (Active Directory) and HTTP Repositories to host the CA Certificates and CRLs. From a best practices standpoint the one major issue I have with this setup is I am using the Issuing CA to host the HTTP AIA and CDP Repositories. This is a problem, because it means I have a single point of failure for the HTTP AIA and CDP Repositories. I will be addressing how to fix this in a future blog posting. However, the one good thing I have going for me in terms of the HTTP repositories is that I chose a DNS Name (pki.fourthcoffee.com) that is not a machine name. This configuration allows me to later move the HTTP Repositories without having to reconfigure the AIA and CDP extensions in any of my certificates.

The steps I am going to perform in this blog post are:

• Run post-configuration script to configure the CA
• Configuring the DNS Alias for the HTTP repository
• Publish Root CA Certificate and CRL to HTTP Repository

Post-Configuration Script

The 1st line in my configuration script is the following:

certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:http://pki.fourthcoffee.com/certenroll/%%3%%8%%9.crl\n3:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"

This line configures where the CRL is published and what is defined in the CDP extension of issued certificates. If you are interested in better understanding the Variables and Numbers used in this line you can reference a blog I wrote a couple of years back: http://blogs.technet.com/b/askds/archive/2009/10/13/designing-and-implementing-a-pki-part-ii.aspx

The 2nd line in my configuration script is the following:

certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://pki.fourthcoffee.com/certenroll/%%1_%%3%%4.crt\n3:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"

This line configures where the CA Certificate is published and what is defined in the AIA extension of issued certificates. If you are interested in better understanding the Variables and Numbers used in this line you can reference a blog I wrote a couple of years back: http://blogs.technet.com/b/askds/archive/2009/10/13/designing-and-implementing-a-pki-part-ii.aspx

Lines 3-7 of my configurations script are:

certutil -setreg CA\CRLPeriodUnits 3

certutil -setreg CA\CRLPeriod "Days"

certutil -setreg CA\CRLOverlapUnits 3

certutil -setreg CA\CRLOverlapPeriod "Days"

certutil -setreg CA\CRLDeltaPeriodUnits 0

These lines Configure a CRL Period of 3 Days and a CRL Overlap Period of 3 Days. Delta CRLs are disabled. These lines will effectively configure a CRL that is valid for 6 days, and configure the CA to publish a new CRL every 3 days. For additional information, please see a recent blog post on this subject: http://blogs.technet.com/b/xdot509/archive/2012/11/26/pki-design-considerations-certificate-revocation-and-crl-publishing-strategies.aspx

Lines 8-9 of the script are:

certutil -setreg ca\ValidityPeriodUnits 5

certutil -setreg ca\ValidityPeriod "Years"

These two registry keys combine to set the longest maximum validity that a CA can issue a certificate for. In other words with this setting configured as 5 Years, my CA can issue certificates that are valid for up to 5 years. The default for an Enterprise CA is 2 Years. This does not mean, however, that all certs I issue will be valid for up to 2 years. First, the CA cannot issue certificates that are valid for longer than it’s own certificate. So, if I were to forget to renew my CA certificate, I would eventually reach a point in time when it would not be capable of issuing a 5 year certificate. So, the CAs lifetime is one constraint. However, how long you actually issue certificates is set configured on a Certificate Template, and on a Certificate Template basis. In other words I could configure some templates to allow issuance of 1 year certificates, some for 2 year certificates, some for 5 year certificates, and so on.

Line 9 of my configuration script is the following:

certutil -setreg CA\AuditFilter 127

This line enables auditing on the CA itself. In order for Auditing to be completely enabled, Auditing for Object Access, Success and Failure must be enabled in the Security Policy as well. I will cover securing the CA in an upcoming blog post.

Line 10 is:

net stop certsvc & net start certsvc

This line restarts the CA service (Active Directory Certificate Services). The restart is needed for the CA to pickup the configuration changes that I made in the previous lines.

Line 11 of the script is:

certutil –CRL

This line publishes a new CRL, this is necessary because I have altered the CRL Publishing intervals.

Running the Post-Configuration Script

Now that we have discussed the configuration script, I need to run the following script as Administrator.

certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:http://pki.fourthcoffee.com/certenroll/%%3%%8%%9.crl\n3:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"

certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://pki.fourthcoffee.com/certenroll/%%1_%%3%%4.crt\n3:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"

certutil -setreg CA\CRLPeriodUnits 3

certutil -setreg CA\CRLPeriod "Days"

certutil -setreg CA\CRLOverlapPeriodUnits 3

certutil -setreg CA\CRLOverlapPeriod "Days"

certutil -setreg CA\CRLDeltaPeriodUnits 0

certutil -setreg ca\ValidityPeriodUnits 5

certutil -setreg ca\ValidityPeriod "Years"

certutil -setreg CA\AuditFilter 127

net stop certsvc & net start certsvc

certutil –CRL

Configuring the DNS Alias for the HTTP repository

The HTTP repository I am using for the AIA and CDP repositories is: http://pki.fourthcoffee.com. So, I need to either create an A record that points to my CA with this name or create a CNAME record for this name that aliases the CA. I need to point it the DNS record to my CA, since my CA is hosting the AIA and CDP repositories. For simplicities sake, I am including instructions for creating a CNAME below:

Open DNS Manager (dnsmgmt.msc), navigate to the appropriate DNS zone, right click and select New Alias (CNAME…) from the context menu.

Type in the name of the Alias (in my case this is “pki”). Then click Browse…

Select the name of the machine you are aliasing, in my case this is FCCA01, which is hosting the AIA and CDP repositories, and click OK. Then click OK again.

Publish Root CA Certificate and CRL to HTTP Repository

Previously I copied the Root CA Certificate and CRL off of the Root CA so that I could publish them to AD. Since I am hosting the AIA and CDP repositories from the \CertEnroll directory on the CA, I now need to copy these two files to C:\Windows\System32\CertSrv\CertEnroll\ directory on my Issuing CA, since it is hosting the AIA and CDP repositories.

Health Check

Finally, I run PKIView.msc to spot check the health of my PKI. Everything comes back OK.

Conclusion

In this blog posting I performed post-configuration of the CA, which included:

• Run post-configuration script to configure the CA
• Configuring the DNS Alias for the HTTP repository
• Publish Root CA Certificate and CRL to HTTP Repository

So, what am I missing at this point. Well, I am missing a couple of configuration steps. The first is securing the Web Enrollment website with SSL. The second is locking down the CA from a security perspective. I will be covering these steps in upcoming blog posts.

In the previous blog postings for this series I covered installing the Root Certification Authority, configuring the Root Certification Authority, and publishing the Root CA Certificate and CRL to Active Directory.  In this installment I am going to cover installing an Enterprise Subordinate CA with PowerShell. 

In this example I am going to install a Certification Authority with the following base configuration:

CA Type: Enterprise Subordinate CA

Common Name: FourthCoffee Issuing Certification Authority 01

Key Storage Provider: RSA#Microsoft Software Key Storage Provider

Public Key Algorithm: RSA

Hashing Algorithm: SHA1

Key Length: 2048

Validity Period: 10 years

Additional Role Services: Web Enrollment

I will be installing the ADCS Role with PowerShell.  Additional documentation for these steps can found http://technet.microsoft.com/en-us/library/hh848390 and http://technet.microsoft.com/en-us/library/hh848389.

Configuring CAPolicy.inf

The CAPolicy.inf is an optional file that is read during the installation of Certificate Services.  Typically for an Enterprise CA, the LoadDefaultTemplate=0 option is used to suppress the loading of the default Certificate Templates.  This allows the CA to be installed with no certificate templates available, and in that way the administrator can later add just the certificate templates that are needed.

I will copy the following text to a text file named CAPolicy.inf, and then copy that file to the C:\Windows directory:

[Version]
Signature= "$Windows NT$"
[Certsrv_Server]
LoadDefaultTemplates=0

Launching PowerShell

The first step of course is to launch PowerShell.  This can be accomplished by starting a command prompt and typing powershell and pressing the Enter key or by clicking on the PowerShell icon on the taskbar.

Import Server Manager Module

The first step is to import the Server Manager Module for PowerShell which will then allow you to add the ADCS feature.  To import the Server Manager Module for Powershell type: Import-Module ServerManager and press Enter.

Installing ADCS Binaries

The next step is to install the ADCS binaries so that we can install ADCS.  To install the ADCS binaries type: Add-WindowsFeature Adcs-Cert-Authority and press Enter.

Installing ADCS Web Enrollment Binaries

Since, I will be installing the Web Enrollment Role Services, I need to load the binaries for ADCS Web Enrollment as well.  To install the ADCS Web Enrollment binaries type: Add-WindowsFeature Adcs-Web-Enrollment

Install Certification Authority Role

To install the Certification Authority Role you will need to use the Install-AdcsCertificationAuthority cmdlets.  The options for the Install-AdcsCertificationAuthority cmdlets is available here: http://technet.microsoft.com/en-us/library/hh848390.aspx. 

Below is the entire command that I will be using to install Active Directory Certificate Services in my environment:

Install-ADcsCertificationAuthority -CACommonName "FourthCoffee Issuing Certification Authority 01" -CAType EnterpriseSubordinateCA -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -HashAlgorithmName SHA1 -KeyLength 2048

I am using the CACommonName option to specify a Common Name of “FourthCoffee Issuing Certification Authority 01”.  Then I am specifying the CAType option to set the CA Type to a Enterprise Subordinate CA.  Next I am selecting my Key Storage Provider of “RSA#Microsoft Software Key Storage Provider” with the CryptoProviderName option.  I have decided to use SHA1 as the hashing algorithm and therefore am using SHA1 with the HashAlgorithmName option.  Then I am setting the RSA Key Length to 2048-bit with the KeyLength  option.

After you run the Install-AdcsCertificationAuthority cmdlet you will be prompted to accept the changes as seen in the screenshot below:

Also, you will notice a Warning and Error ID of 398.  This is just informing me that installation of the CA is incomplete.  Installation is incomplete because I have to have to submit the request to the Root CA, receive the resulting certificate, and load the certificate on the Issuing (Subordinate) CA.

Installing the Certification Authority Management Tools

To Install the Certification Authority Management Tools type the following command in PowerShell and hit enter: Install-WindowsFeature RSAT-ADCS-Mgmt.

Submitting the Request

Next you will need to submit the request to the Root CA.  So, first copy the request file from the C:\ directory on the Issuing CA to a file location on the Root CA.

On the Root CA, start the Certification Authority MMC (Certsrv.msc).  Right click on the CA Name node, select All Tasks, then Submit new request…

Next, select the Request File that you copied from the Subordinate CA and click Open

If you would like to review the request before approving the request, go to the Pending Requests container.  Then right-click on the request, select View Attributes/Extensions…

You will then be prompted for the type of binary data, select Binary Request, make sure View formatted text version of data is selected, and click OK

You can then review the request file.

To approve the request, right-click on the request, select All Tasks, then Issue

You can then review the resulting certificate, by going to the Issued Certificates view, and double-clicking on the certificate

You can then review the certificate to ensure it is configured as desired.  I usually at least spot check the CRL Distribution Points and Authority Information Access extensions.

You then need to copy the certificate to a file.  So, on the Details tab, click on Copy to File…  This will open the Certificate Export Wizard.  On the Export File Format page of the wizard, you can select any format, I chose P7B.  After selecting the file format, click Next.  Now, on the File to Export page of the wizard you will need to click Browse…, select a location, typed the desired name of the file (I chose “CACert”), and then click the Save button.  To complete the File to Export task, click on the Next button. Finally, click the Finish button on the Completing the Certificate Export Wizard page of the wizard, click OK when prompted that The export was successful.

Completing Installation of Certificate Services

First copy the Certificate that was issued from the Root CA to the Subordinate CA. To complete the installation of Certificate Services, open the Certification Authority MMC (certsrv.msc).  Then right-click on the CA Name, select All Tasks, and then Start Service.

You will then be prompted to install the certificate, select Yes.

Browse to the certificate file

The CA Service will no start.

Installing Web Enrollment

To install Web Enrollment, run the following powershell command: Install-AdcsWebEnrollment.  An error ID of 0 indicates that the Role Service was installed successfully.

Conclusion

During this blog posting, I installed my Subordinate CA and installed Web Enrollment.  I have not configured the Subordinate CA.  So, stay tuned, in an upcoming blog posting, I will cover the steps necessary to configure the Subordinate CA.

In parts I-III of this series I covered installing a Root Certification Authority as well as some post configuration steps for the Root CA.  In this blog posting I am going to cover Root CA Certificate and Certificate Revocation List (CRL) Publishing to Active Directory.

In Part III of this series I ran a Post-Configuration script to configure the Root CA.  Here is the entire script:

certutil.exe -setreg ca\DSConfigDN "CN=Configuration,DC=fourthcoffee,DC=com"

certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:http://pki.fourthcoffee.com/certenroll/%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"

certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://pki.fourthcoffee.com/certenroll/%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"

certutil -setreg CA\CRLPeriodUnits 6

certutil -setreg CA\CRLPeriod "Months"

certutil -setreg CA\CRLDeltaPeriodUnits 0

certutil -setreg ca\ValidityPeriodUnits 10

certutil -setreg ca\ValidityPeriod "Years"

certutil -setreg CA\AuditFilter 127

net stop certsvc & net start certsvc

certutil –CRL

The first line of the script relevant to today’s discussion is:

certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://pki.fourthcoffee.com/certenroll/%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"

With this command I configured:

The Root CA to publish the CA Certificate locally to the C:\Windows\System32\CertSrv\CertEnroll directory

“Stamp” an HTTP location in the Authoritative Information Access (AIA) extension of issued certificates (repository where clients can download the Root CA Certificate)

“Stamp” an LDAP location in the Authoritative Information Access (AIA) extension of issued certificates (repository where clients can download the Root CA Certificate)

The second line of the script relevant to today’s discussion is:

certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:http://pki.fourthcoffee.com/certenroll/%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"

With this command I configured:

• The Root CA to publish a CRL locally to the C:\Windows\System32\CertSrv\CertEnroll directory
• “Stamp” an HTTP location in the CRL Distribution Points (CDP) extension of issued certificates (repository where clients can download CRLs)
• “Stamp” an LDAP location in the CDP extension of issued certificates (repository where clients can download CRLs)

So, later on when I install my Issuing CA, it’s certificate will point to the HTTP and LDAP locations that I specified.  So, the next step is to Publish my Root CA Certificate and CRL to these locations, so they are accessible.

AD Publishing

CA Certificate Publishing

The first step I want to take is to publish my Root CA Certificate to AD.  AD is my LDAP repository, so I need to publish the Root CA certificate there.  Also, I need to publish my Root CA Certificate to Active Directory so that it can be trusted by Windows clients.

In order to Publish my Root CA Certificate to Active Directory, I need to be logged into a Domain joined machine as an Enterprise Admin. Once logged in I need to have a copy of the Root CA Certificate which can be copied from the C:\Windows\System32\Certsrv\CertEnroll directory on the Root CA. Once logged in, I run the following command to publish the CA Certificate to Active Directory:

certutil –f –dspublish <CACertFileName> RootCA

This is illustrated in the screenshot below:

And as you can see from the following screenshots (of ADSIEDIT.msc), the CA certificate is now published to the AIA Container

and the Certification Authorities container.

CRL Publishing

Since my CRL will also be accessible via LDAP, I need to publish my Root CA’s CRL to AD as well.  The Root CA’s CRL first needs to be copied from the C:\Windows\System32\Certsrv\CertEnroll directory on the Root CA to the machine where I am performing the publishing.  I then run the following command to publish the CRL to Active Directory:

certutil –f –dspublish <CRLFileName>

This is illustrated in the Screenshot below:

And as you can see from the following screenshot (of ADSIEDIT.msc), the CRL is now published to the CDP Container.

Wrap-up

So, now I have my Root CA Certificate and CRL published to Active Directory.  I will have to manually update the CA Certificate every time it is renewed.  I will also need to update the CRL before it expires.

I still have not published the Root CA Certificate and CRL to the HTTP repository.  I will be performing this later on, as I am hosting my HTTP repositories on my Issuing CA (not best practice).

Troubleshooting

When publishing the CRL you may receive the following error:  A referral was returned from the server

This is illustrated in the screenshot below:

Typically this is due to:

• Mis-configured DSConfigDN registry key on the Root CA
• The service was not restarted after configuring the DSConfigDN registry key
• The CRL was published right after the service was restarted and a timing issue cause the updated DSConfigDN to be updated in the CRL (timing issue)

-Chris