Jump to content


Sign in to follow this  
anyweb

How can I configure PKI in a lab on Windows Server 2016 - Part 3

Recommended Posts

This series is comprised of different parts, listed below.

In part 1 of this series, you configured your LAB for a 2 tier PKI hierarchy running on Windows Server 2016. You used PowerShell to create some virtual machines, and then installed Windows Server 2016,  Windows 10 Enterprise version 1803 and optionally Smoothwall 3.1 before configuring the IP address scheme and Computer Names on the virtual machines. Finally you configured ADDS on DC01 so that you have a working Domain Controller for the rest of this LAB. In part 2 you installed and did the initial configuration on the Standalone Offline Root CA. In this part you will prepare the HTTP Web Server for CDP and AIA Publication. But before you get started with that, please have a read below of what a CDP and AIA actually are.

    What is a CDP ?

    A CDP (CRL Distribution Point) is an extension that contains links to the CRL of the issuer of the certificate which is being verified (1).

    Quote

    The certificate revocation list distribution point (CDP) is a path represented as one or more attributes on every certificate issued by a PKI. This path, literal, share, lightweight directory access protocol (LDAP), and HTTP is clearly defined and uses variables to simplify the configuration. After definition, the PKI publishes CRLs and delta CRLs (if you choose to publish delta CRLs) for the computers that hold certificates that it has issued (2).

    What is an AIA ?

    An AIA (Authority Information Access) is an extension that contains links to the certificate of the issuer of the certificate which is being verified.

    Step 1. Join the web server computer to the domain

    When you installed the web server virtual machine (#11_Webserver) in part 1, it was workgroup joined. To join the domain do as follows. Logon to the web server virtual machine as Administrator. In Windows File Explorer, right click on This PC and choose Properties. Click on Change Settings beside Computer name, domain and workgroup settings.

    join domain.png

    In the System Properties screen, click on Change.

    system properties.png

    In the Member of field select Domain and enter the domain name you configured in part 1.

    member of domain.png

    enter credentials required for Domain join membership (eg: windowsnoob\administrator)

    windows noob credentials.png

    click OK and click OK again when prompted with the welcome

    welcome to the.png

    click OK

    restart now.png

    Click OK, click Close then click Restart Now.

    restart computer now.png

    After the reboot login to the domain as windowsnoob\administrator

    login as administrator.png

    Alternatively, to join the domain automatically, use the joindomain.ps1 PowerShell script which you can download from here.

    JoinDomain.ps1

    1. Copy the script to C:\Scripts on the webserver.

    2. Edit the variables (lines 16-18) as desired before running.

    3. Start Windows PowerShell ISE as Administrator and run the script by clicking on the green triangle.

    Step 2. Install the Web Server (IIS) Role

    Logon to the web server as windowsnoob\administrator and open Server Manager, select Add Roles and Features. In the wizard that appears click Next.

    add server roles.png

    Click Next and select Role-based or feature-based installation.

    role based or feature based.png

    Click Next and Select Select a server from the server pool, ensure that webserver.windowsnoob.lab.local is selected.

    select a server from the pool.png

    Click Next and select Web Server(IIS) from the choices available on the Select server roles page, if prompted to Add features that are required for Active Directory Certificate Services, click Add features.

    add features for iis.png

    Here you can see the Web Server (IIS) role selected.

    web server iis selected.png

    On Select features click Next.

    select features.png

    In the introduction to Web Server (IIS) screen, select Next.

    intro to IIS.png

    Accept the defaults and click Next.

    iis defaults.png

    on the Confirm Installation Selections screen click Install.

    confirm installation selections.png

    Click Close when the installation succeeds.

    iis installed.png

    Step 3. Create a CertEnroll Folder and grant Share & NTFS Permissions to the Cert Publishers group

    Create the CertEnroll Folder

    Now you need to create a shared folder where certificates and delta certificates can be stored from the PKI infrastructure. Open Windows File Explorer and then browse to the C:\ drive, Create a folder called CertEnroll at the root of the drive.

    CertEnroll folder.png

    Share the CertEnroll folder

    Right-click on the CertEnroll folder and select Properties. On the CertEnroll Properties page select the Sharing tab to configure share permissions.

    sharing tab.png
    Click on the Advanced Sharing option and then select Share this folder.

    share this folder.png

    Click on Permissions and then click Add, on the Select Users or Groups page, in the Enter the object names to select, type windowsnoob\Cert Publishers and then click OK.

    cert publishers.png

     

    On Permissions for CertEnroll dialog box, select the Cert Publishers group and then in the Allow column select Change permission.

    change.png

    Click OK twice to go back to the CertEnroll Properties page.    

    Edit NTFS permissions on the CertEnroll folder

    Select the Security tab and click Edit to configure NTFS permissions. On Permissions for CertEnroll page click Add. On the Select Users or Groups page, under the Enter the object names to select, enter windowsnoob\Cert Publishers and then click OK.

    cert publishers ntfs permissions.png

    On the Permissions for CertEnroll page highlight the Cert Publishers group and then under the Allow column select the Modify permission and then click OK.

    modify added.png

    On the Permissions for CertEnroll page, click OK to close the window and click OK again to close CertEnrolls properties page.

    Step 4. Create a Virtual Directory in IIS

    Ensure you are logged on to webserver as windowsnoob\Administrator. Click Start, select Administrative Tools and then select Internet Information Services (IIS) Manager. In the Connections pane, expand WEBSERVER and then expand Sites. Right-click on Default Web Site and select Add Virtual Directory.

    add virtual directory.png

    On the Add Virtual Directory page, in Alias, type CertEnroll and for Physical path, type C:\Certenroll, and then click OK.

    adding virtual directory.png

    In the Connections pane, under the Default Web Site, ensure the CertEnroll virtual directory is selected then in the CertEnroll Home pane, double-click on Directory Browsing.
    In the Actions pane click Enable.

    Enable directory browsing.png

    Step 4. Enable Double Escaping on the IIS Server

    Allowing double escaping makes it possible for the web server to host Delta CRLs. For more information about this see KB Article 942076 (3).

    Ensure you are logged on to the webserver as windowsnoob\Administrator. Open an Administrative Command Prompt. Then enter the following

    cd %windir%\system32\inetsrv\ 

    and press ENTER. Type following command and press Enter.

    Appcmd set config "Default Web Site" /section:system.webServer/Security/requestFiltering -allowDoubleEscaping:True


     Type the following to restart IIS.

    iisreset

    and press ENTER.

    enable double escaping.png

    Step 5. Create a DNS record for externally accessible website address

    To answer requests for OCSP and CRL, AIA via a publicly available URL, login to your DNS provider and create a new DNS record for your chosen public URL, eg: http://pki.windows-noob.com

    Note: http://pki.windows-noob.com is a website address that I own and use, and I'm using it in this guide to show you what you need to do, obviously you need to use your own website address, for example http://pki.yourdomain.com.

    This should point to the IP address of your internet connection that is being shared via the smoothwall.

    add DNS record.png

    Once it's setup, you can verify pinging the URL

    ping URL.png

    Lastly, you need to configure your Smoothwall (or use another method) to port forward port 80 (http) internet requests to the webserver. To do that, login to https://192.168.11.199:441 (the Smoothwall IP address) via the Internet Explorer Web browser on the WebServer. Note that you may have to disable IE enhanced security information temporarily to allow access. Once connected, login as Admin/password, which you defined when you installed the Smoothwall. Below you can see the Port Forward I've configured for port 80 requests.

    port forward configured.png

    After doing so, anyone can browse to http://pki.windows-noob.com using a web browser which means they'll be able to retrieve CRL's when they are published to http://pki.windows-noob.com/certenroll

    public url.png

    Join me in part 4 to further configure the Standalone Offline Root CA.

    Recommended reading

    (1) - https://www.sysadmins.lv/blog-en/root-certification-authority-ca-cdp-and-aia-extension-question.aspx

    (2) - https://blogs.technet.microsoft.com/nexthop/2012/12/17/updated-creating-a-certificate-revocation-list-distribution-point-for-your-internal-certification-authority/

    (3) - http://support.microsoft.com/kb/942076

     

     

    Share this post


    Link to post
    Share on other sites

    Hello Naill, Hope you are doing good. I have added the DNS entry but i am not able to browse it. i am getting the error

    Share this post


    Link to post
    Share on other sites

    Hi Muyar,

    thanks,

    so you configured the DNS cname in your DNS provider but it's not redirecting to your webserver, is that correct ? did you also configure smoothwall ?

    Share this post


    Link to post
    Share on other sites

    Hello Naill,

    I am using Vyos as a virtual appliance for connecting my SCCM servers to internet.

    Vyos has internal DHCP as 192.168.3.X and External IP is 192.168.1.X

    I have assigned pki.mydomain.xxx IP as 192.168.1.XXX at Godaddy.com

    i can ping  pki.mydomain.xxx and getting the IP address 192.168.1.XXX as configured in GoDaddy.com

    Kindly can you help me what exact i am missing or need to change?

     

    For Refrence,

    I have configured Vyos as :

     

    set nat destination rule 10 description 'Port Forward: HTTP to 192.168.1.XXX'
    set nat destination rule 10 destination port '80'
    set nat destination rule 10 inbound-interface 'eth0'
    set nat destination rule 10 protocol 'tcp'
    set nat destination rule 10 translation address '192.168.1.XXX'

     

    Thanks

    Edited by Mayur

    Share this post


    Link to post
    Share on other sites

    hi Muyar,

    the 192.168.x.x address at godaddy will never work, as that's a local lab ip range, it must instead point to the actual internet ip address you have in your lab (use www.whatismyipaddress.com to find out)

    Share this post


    Link to post
    Share on other sites

    Hello Naill, Thanks for the fast response.

    I have changed the IP as per your suggestion. kindly can you verify in the enclosed screenshot if this is right ?

    Capture.PNG

    Share this post


    Link to post
    Share on other sites

    hi Muray,

    this does not look like my setup, but then again DNS providers have different views of the same thing, obviously you need to use your own domain name (eg: pki.mydomain.com) and your own internet ip address

    image.png

     

    once you've made the change in your DNS provider, you can test if it works by pinging the url and see what ip address it returns, or try and browse the url from your phone (external network)

     

    for example you can ping or browse http://pki.windows-noob.com it should respond as the lab is online now.

    Share this post


    Link to post
    Share on other sites

    Hello Naill,

    I have added the IP as you mentioned.

    I am not able to ping nor browse from mobile/laptop/desktop.

     

    Any help ?

    Share this post


    Link to post
    Share on other sites
    I am not able to ping nor browse from mobile/laptop/desktop. 

    what do you mean you are not able to ping ? what ip address does it resolve to ?

    Share this post


    Link to post
    Share on other sites

    well it could be your firewall solution that's blocking it, i don't know, I use smoothwall and it works just fine.

    when you ping the url, it should return the correct ip address, does it ?

     

    Share this post


    Link to post
    Share on other sites

    after you ping the url pki.whatever.com it should list the correct INTERNET based ip address which you are sharing internet from in your pki lab, does it ?

     

    Share this post


    Link to post
    Share on other sites

    you are not answering my question, if you ping your pki.yourdomain.com it should return the IP address you configured in godaddy, does it ? and does that ip address also correspond to the internet ip address which www.whatismyipaddress.com revealed on the webserver ?

     

    Share this post


    Link to post
    Share on other sites

    you are not answering my question, if you ping your pki.yourdomain.com it should return the IP address you configured in godaddy, does it ?

     

    NO ITS NOT  RETURNING THE IP. ITS RETURNING "REQUEST TIME OUT"

     

     and does that ip address also correspond to the internet ip address which www.whatismyipaddress.com revealed on the webserver ?

    NO

    Share this post


    Link to post
    Share on other sites

    so are you saying the you don't see any ip address like I have higlighted in yellow below ?

     

    image.png

    Share this post


    Link to post
    Share on other sites

    then you may have issues with godaddy, because the ip address (in yellow) is returned from the DNS provider, if it returns no ip address then it is not resolving the url to an ip.

    use https://dnschecker.org/

    to verify what your configured url is telling you

    Share this post


    Link to post
    Share on other sites

    Hello Naill,

     

    Its like this as in picture when i ping. It has IP address in the first line " Pinging pki.mydomain.com [27.XX.XX.XX] with 32 bytes of data:"

    Capture1.PNG

    Share this post


    Link to post
    Share on other sites

    Hi @Mayur

    ok then you are contradicting what you said earlier, oh well, if it is indeed returning the correct ip address then that means godaddy is working, the 'request timed out' could be because of your firewall solution blocking ping or windows firewall itself, and it's not the end of the world,

    you now need to verify that you can browse the IIS welcome page on your url by browsing on a phone (not connected to wifi, use 3g instead..) to the http://pki.windows-noob.com

    obviously use your own url for this testing.

    if that doesn't work, then your vyos firewall is not routing port 80 correctly to the local ip address of the webserver

    cheers

    Niall.

    Share this post


    Link to post
    Share on other sites

    Hello Naill, Not working from me. So i have to drop this LAb creation and search for some alternative.Thanks 

    Share this post


    Link to post
    Share on other sites

    what is not working exactly ? be specific, I've gone through this lab multiple times and it works every single time.

    Share this post


    Link to post
    Share on other sites

    Hello Naill,

     

    I have set my public IP in GoDaddy.

    I have port forwarded in the Vyos router.

     

    When i ping pki.mydomain.com i get "request timed out"

     

    i am not able to browse thorugh my personal mobile to the pki.mydomain.com

     

    I have also tried firewall disabling.

    Share this post


    Link to post
    Share on other sites

    whether it responds to ping or not doesn't really matter, what does matter is whether you can reach your pki.mydomain.com though, and clearly if it's not working for you, then your port forwarding via Vyos must be configured incorrectly, double check the settings and verify that it's forwarding port 80 to the local ip address of your webserver hosting the crl

    you can test this by using https://canyouseeme.org/ to verify if your port 80 is indeed open

    when testing browsing to the webserver url, you must disable WIFI on your phone and use your 3g connection

    Share this post


    Link to post
    Share on other sites

    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.

    Guest
    Reply to this topic...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.

    Loading...
    Sign in to follow this  

    ×
    ×
    • Create New...