anyweb

How can I configure PKI in a lab on Windows Server 2016 - Part 4

Question

This series is comprised of different parts, listed below.

In part 1 of this series, you configured your LAB for a 2 tier PKI hierarchy running on Windows Server 2016. You used PowerShell to create some virtual machines, and then installed Windows Server 2016,  Windows 10 Enterprise version 1803 and optionally Smoothwall 3.1 before configuring the IP address scheme and Computer Names on the virtual machines. Finally you configured ADDS on DC01 so that you have a working Domain Controller for the rest of this LAB. In part 2 you installed and did the initial configuration on the Standalone Offline Root CA. In part 3 you prepared the HTTP Web Server for CDP and AIA Publication and you created a DNS record for the publicly available web server.

Now you will perform the post-configuration of the Standalone Offline Root CA: set the certificate revocation list (CRL) period registry settings using CertUtil, enable object access auditing and, finally, configure the Authority Information Access (AIA) and CRL Distribution Point (CDP) locations, again using CertUtil.

Step 1. Configure CRL period registry settings using CertUtil

Quote

Certutil.exe is a command-line program that is installed as part of Active Directory Certificate Services. You can use Certutil.exe to set or get certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains (1).

In this step, you'll use CertUtil to set the registry values that control the Certificate Revocation List periods on the Standalone Offline Root CA. Log on to the Standalone Offline Root CA as RootCA\Administrator. Right-click on Start, and choose Command Prompt (Admin).

command prompt admin.png

I'll show screenshots of the output of each command separately so that you can compare it to your environment. To start off, you need to define the Active Directory Configuration Partition Distinguished Name. The Root CA is a workgroup machine and cannot discover this value itself, yet it is substituted for the %6 token in the LDAP AIA and CDP paths you set in Steps 3 and 4, so it has to be entered by hand. To do that using certutil enter the following command:

Certutil -setreg CA\DSConfigDN "CN=Configuration,DC=windowsnoob,DC=lab,DC=local"

Note: You can determine what the configuration path should be (for your LAB) for the command above by logging on to the Domain Controller (DC01) and opening ADSI Edit. Click Action, then Connect to. In the window that appears, change Select a well known naming context to Configuration. In the ADSI Edit pane, right-click on CN=Configuration,DC=windowsnoob,DC=lab,DC=local and choose Properties, scroll down and double-click Distinguished Name, then copy the Value listed in the String Attribute Editor.

string attribute editor.png

The results of the certutil -setreg command on the Standalone Offline Root CA are shown below. Be sure that it states CertUtil: -setreg command completed successfully.

certutil setreg.png

Next you will define the Certificate Revocation List (CRL) Period Units, CRL Period and CRL Delta Period Units. The first two together give a base CRL that is valid for 52 weeks, which suits an offline root whose CRL is only republished about once a year; setting CRLDeltaPeriodUnits to 0 disables delta CRLs, which an offline CA could not publish on a short schedule anyway. To do so run the following commands from an administrative command prompt:

Certutil -setreg CA\CRLPeriodUnits 52

Press Enter. The output of the above command is shown below.

crlperiodunits.png

Certutil -setreg CA\CRLPeriod "Weeks"

Press Enter. The output of the above command is shown below.

crlperiod weeks.png

Certutil -setreg CA\CRLDeltaPeriodUnits 0 

Press Enter. The output of the above command is shown below.

crldeltaperiodunits.png

The overlap period extends the Next Update time of each CRL past the next scheduled publication, so clients keep accepting the old CRL for a while after a new one is due and you have a window in which to get the new CRL copied out. To define the CRL Overlap Period Units and the CRL Overlap Period, run the following commands from an administrative command prompt:

Certutil -setreg CA\CRLOverlapPeriodUnits 12

Press Enter. The output of the above command is shown below.

crloverlap period units.png

Certutil -setreg CA\CRLOverlapPeriod "Hours"

Press Enter. The output of the above command is shown below.

crloverlap period hours.png

Next you define the Validity Period for certificates issued by this CA. In this lab the Root CA issues only one certificate, the CA certificate of the Enterprise Issuing CA, and that should receive a 10 year lifetime. (A CA never issues a certificate that outlives its own certificate, so the value is also capped by the remaining lifetime of the Root CA certificate.) To configure this, run the following commands from an administrative command prompt:

Certutil -setreg CA\ValidityPeriodUnits 10

Press Enter. The output of the above command is shown below.

validity period units.png

Certutil -setreg CA\ValidityPeriod "Years" 

Press Enter. The output of the above command is shown below.

validity period years.png

Note: You can confirm all eight settings that you have just set on the Standalone Offline Root CA by using CertUtil -getreg and querying each setting (for example Certutil -getreg CA\CRLPeriod), or simply by browsing in RegEdit to the following key:

HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\windows noob Root CA

You can see those values highlighted in the screenshot below.

registry settings set.png

Can all of the above be done with PowerShell? Yes, and I'll add the commands later, check back for that.
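In the meantime, here is an added example (my script, not the author's promised commands) that sets the same eight values with certutil in one pass and then reads them back from the registry key shown above, reporting any mismatch. It assumes this lab's CA name and configuration DN; change both for your environment, run it in an elevated PowerShell on the Root CA, and remember that the CA only reads these values when certsvc starts (Step 5).

```powershell
# Added example (not from the original post): set and verify the eight Root CA registry
# values from Step 1. Assumptions: CA name and configuration DN as used in this lab.
$CaName     = 'windows noob Root CA'
$DSConfigDN = 'CN=Configuration,DC=windowsnoob,DC=lab,DC=local'

# Desired settings, identical to the certutil -setreg commands above.
$Settings = [ordered]@{
    'CA\DSConfigDN'            = $DSConfigDN
    'CA\CRLPeriodUnits'        = 52
    'CA\CRLPeriod'             = 'Weeks'
    'CA\CRLDeltaPeriodUnits'   = 0        # 0 disables delta CRLs
    'CA\CRLOverlapPeriodUnits' = 12
    'CA\CRLOverlapPeriod'      = 'Hours'
    'CA\ValidityPeriodUnits'   = 10
    'CA\ValidityPeriod'        = 'Years'
}

foreach ($entry in $Settings.GetEnumerator()) {
    # certutil returns a non-zero exit code on failure; stop rather than leave the CA half-configured.
    & certutil.exe -setreg $entry.Key $entry.Value | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -setreg $($entry.Key) failed with exit code $LASTEXITCODE"
    }
}

# Verify by reading the registry directly (the same key the post shows in RegEdit).
$RegPath = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
$Actual  = Get-ItemProperty -Path $RegPath

$Mismatch = @()
foreach ($entry in $Settings.GetEnumerator()) {
    $name = $entry.Key -replace '^CA\\', ''      # registry value name is the part after "CA\"
    if ("$($Actual.$name)" -ne "$($entry.Value)") {
        $Mismatch += "$name expected '$($entry.Value)' but found '$($Actual.$name)'"
    }
}

if ($Mismatch) {
    $Mismatch | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "All 8 CA settings verified in $RegPath. Restart certsvc for them to take effect."
}
```

If a value is reported as empty, the most likely cause is a typo in the CA name in $CaName: the registry key is named exactly as the CA was named when ADCS was installed, spaces included.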

Step 2. Enable Auditing on the Standalone Offline Root CA

Note: You cannot configure these settings via Group Policy, because the Standalone Offline Root CA is not joined to any domain and is offline (disconnected from the network); they are set in the local security policy instead.

Auditing logs successful or failed attempts to perform certain actions, and since the Standalone Offline Root CA is the trust anchor for the whole hierarchy you want a record of who touched it. To enable auditing on the Standalone Offline Root CA click Start, select Administrative Tools, and then select Local Security Policy. Expand Local Policies and then select Audit Policy. Double-click Audit Object Access, select Success and Failure, then click OK (2).

After configuring this, you'll see the following.

local security policy audit object access.png

The CA itself then decides which groups of CA events to audit. You can select them on the Auditing tab of the CA's properties in the Certification Authority console, or set the AuditFilter registry value, which is a bitmask with one bit per group (seven in total, so 127 enables them all). To audit all CA related events, run the following command from an administrative command prompt:

Certutil -setreg CA\AuditFilter 127 

Press Enter. The output of the above command is shown below.

enable auditing on all ca events.png
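As an added example (mine, not from the original post), the following PowerShell does the same as Step 2 from the command line and then decodes the AuditFilter value so you can confirm every category is on. It assumes the lab's CA name and an elevated PowerShell on the Root CA. auditpol sets the Certification Services subcategory, which is the part of Audit Object Access that the CA uses, and works on a workgroup machine with no Group Policy; the seven category names are listed in the order the Certification Authority console shows them on the Auditing tab, with bit values as I understand the documented AuditFilter layout.

```powershell
# Added example (not from the original post): enable CA auditing without Group Policy and
# decode the AuditFilter bitmask. Assumption: CA name as used in this lab.
$CaName = 'windows noob Root CA'

# 1. Windows audit policy. Without the Certification Services subcategory enabled the CA
#    writes no audit events at all, whatever AuditFilter says.
& auditpol.exe /set /subcategory:"Certification Services" /success:enable /failure:enable | Out-Null
if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed with exit code $LASTEXITCODE" }
& auditpol.exe /get /subcategory:"Certification Services"

# 2. CA audit filter: 127 = all seven bits set.
& certutil.exe -setreg 'CA\AuditFilter' 127 | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -setreg AuditFilter failed with exit code $LASTEXITCODE" }

# Bit values of the seven CA audit categories (order as on the Auditing tab).
$AuditBits = [ordered]@{
    1  = 'Back up and restore the CA database'
    2  = 'Change CA configuration'
    4  = 'Change CA security settings'
    8  = 'Issue and manage certificate requests'
    16 = 'Revoke certificates and publish CRLs'
    32 = 'Store and retrieve archived keys'
    64 = 'Start and stop Active Directory Certificate Services'
}

function Get-CaAuditFilter {
    # Read the AuditFilter value straight from the CA's registry key.
    param([string]$Name)
    $reg = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$Name"
    [int](Get-ItemProperty -Path $reg -Name AuditFilter).AuditFilter
}

$filter = Get-CaAuditFilter -Name $CaName
"AuditFilter = $filter"
foreach ($bit in $AuditBits.Keys) {
    $state = if ($filter -band $bit) { 'ON ' } else { 'OFF' }
    "  [$state] {0,2}  {1}" -f $bit, $AuditBits[$bit]
}
if ($filter -ne 127) { Write-Warning 'Not all CA audit categories are enabled.' }
# The new AuditFilter is read when certsvc starts, so restart the service (Step 5) afterwards.
```

Once the service is restarted, CA audit events appear in the Security log under Event IDs in the 4868 to 4900 range; the very first one you should see is the service start/stop event, which confirms the audit policy and filter are both in effect.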

Step 3. Configure the AIA

There are several ways to configure the Authority Information Access (AIA) and certificate revocation list distribution point (CDP) locations: the Extensions tab in the Properties of the CA object in the Certification Authority console, the certutil command, or editing the registry directly. The AIA extension of an issued certificate tells a client where it can download the issuing CA's certificate, which it needs in order to build and validate the chain up to the root.

Use certutil to set the following three AIA locations on the Standalone Offline Root CA:

  • Static file system
  • LDAP (Lightweight Directory Access Protocol)
  • HTTP

Note: Edit the command below to use your public facing HTTP web server address, I'm using http://pki.windows-noob.com, you should use your own address.

Open an administrative command prompt and run the following. Each location is prefixed with a number that tells the CA what to do with it: 1 means write the CA certificate to this location (the local CertEnroll folder) when the service starts, 2 means include the location in the AIA extension of every certificate this CA issues. The LDAP and HTTP locations carry only 2 because the offline Root CA can reach neither Active Directory nor the web server; you copy its certificate to those locations yourself. The %n tokens are expanded by the CA: %1 is the server DNS name, %2 the server short name, %3 the CA name, %4 the certificate renewal suffix (empty for the first CA certificate), %6 the configuration container DN you set in Step 1, %7 the CA name truncated for LDAP, %8 the CRL name suffix, %9 the delta CRL marker, %10 the CDP object class and %11 the CA object class.

certutil -setreg CA\CACertPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n2:http://pki.windows-noob.com/CertEnroll/%1_%3%4.crt"

Press Enter. The output of the above command is shown below.

set the aia locations.png

To confirm the output you can issue the following command:

certutil -getreg CA\CACertPublicationURLs

Press Enter. The output of the above command is shown below.

confirm command using certutil getreg.png

If you look in the registry, under the following path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\windows noob Root CA, you can confirm the CACertPublicationURLs by opening that REG_MULTI_SZ value. You should see the following:

1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt
2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11
2:http://pki.windows-noob.com/CertEnroll/%1_%3%4.crt

as shown in the screenshot below.

cacertpublicationURLs.png

You can also see this in the Certification Authority console (certsrv.msc). To open the console, click Start, click Administrative Tools, and then click Certification Authority. In the navigation pane, expand Certification Authority (Local).

windows noob root ca.png

Right-click windows noob Root CA and then click Properties. On the Extensions tab, under Select extension, click Authority Information Access (AIA) and you will see the graphical representation of the AIA settings that you've just configured using certutil.

windows noob root ca AIA settings.png

In the above step, you have used the following three different methods to confirm the specified settings.

  • certutil
  • registry
  • certsrv.msc

Step 4. Configure the CDP

The CDP extension of an issued certificate tells clients where to download the CRL, which is how they determine whether the certificate has been revoked. The four CDP locations for the Standalone Offline Root CA are:

  • Static file system
  • LDAP (Lightweight Directory Access Protocol)
  • HTTP
  • File system (a share on the web server)

The command below sets the first three. The prefixes work as for the AIA: 1 publishes the CRL to the local CertEnroll folder, 2 includes the location in the CDP extension of issued certificates, and the 10 on the LDAP entry is 2 + 8, where 8 additionally records the location in every CRL so that certutil -dspublish knows where in Active Directory to publish it. The fourth location, a file system path to the CertEnroll share on the web server (webserver), is what lets a CA copy its CRL over the network, which is why we earlier allowed the Cert Publishers group access to the share and folder. Enterprise CAs are automatically members of the domain's Cert Publishers group; this Root CA is a workgroup machine that stays disconnected, so it cannot publish to that share, the entry is left out of the command, and you copy its CRL to the web server yourself. You may wish to grant a specific group rights to the share instead of Cert Publishers; it's up to you.

Note: Edit the command below to use your public facing HTTP web server address, I'm using http://pki.windows-noob.com, you should use your own address.

certutil -setreg CA\CRLPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n2:http://pki.windows-noob.com/CertEnroll/%3%8%9.crl"

Press Enter. The output of the above command is shown below.

set crlpublicationURLs.png

After you run that command, run the following certutil command to verify your settings:

certutil -getreg CA\CRLPublicationURLs

Press Enter. The output of the above command is shown below.

verify crlpublicationURLs.png

You can also verify it in the following registry location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\windows noob Root CA

crlPublicationURLs in registry.png

and in CertSrv.msc

crlPublicationURLs in certsrv.png
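As an added example covering Steps 3 and 4 together (my script, not the author's), the following PowerShell sets both publication URL values with certutil, then reads them back from the registry and decodes the numeric prefix of every entry. It also warns about two things worth checking on an offline root: a non-printable or non-ASCII character that has crept into an entry (the cause of the ERROR_DIRECTORY failure reported in the replies at the end of this post), and a local publish path whose directory does not exist or an ldap/http location that carries the publish flag, which the disconnected CA could never write to. It assumes the lab's CA name, HTTP host and default CertEnroll path; the flag names are the CertUtil publication flags as I understand them from the documentation.

```powershell
# Added example (not from the original post): set, read back and decode the AIA and CDP
# publication URLs. Assumptions: CA name, HTTP host and CertEnroll path as used in this lab.
$CaName   = 'windows noob Root CA'
$HttpHost = 'pki.windows-noob.com'
$Local    = 'C:\Windows\system32\CertSrv\CertEnroll'

# Same entries as in Steps 3 and 4; each is "<flags>:<location>" and certutil takes a literal \n
# as the separator between entries (PowerShell does not expand \n, so it is passed through as-is).
$Aia = @(
    "1:$Local\%1_%3%4.crt",
    '2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11',
    "2:http://$HttpHost/CertEnroll/%1_%3%4.crt"
) -join '\n'
$Cdp = @(
    "1:$Local\%3%8%9.crl",
    '10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10',
    "2:http://$HttpHost/CertEnroll/%3%8%9.crl"
) -join '\n'

& certutil.exe -setreg 'CA\CACertPublicationURLs' $Aia | Out-Null
if ($LASTEXITCODE -ne 0) { throw "setting CACertPublicationURLs failed with exit code $LASTEXITCODE" }
& certutil.exe -setreg 'CA\CRLPublicationURLs' $Cdp | Out-Null
if ($LASTEXITCODE -ne 0) { throw "setting CRLPublicationURLs failed with exit code $LASTEXITCODE" }

# Meaning of the flag bits (CACertPublicationURLs on the left, CRLPublicationURLs on the right).
$AiaFlags = @{ 1 = 'publish CA certificate here'; 2 = 'include in AIA extension of issued certs';
               32 = 'include in OCSP (AIA) extension of issued certs' }
$CdpFlags = @{ 1 = 'publish CRL here'; 2 = 'include in CDP extension of issued certs';
               4 = 'include in CRLs as delta CRL location'; 8 = 'include in all CRLs (AD publish location)';
               64 = 'publish delta CRL here'; 128 = 'include in IDP extension of CRLs' }

function Show-PublicationUrls {
    # Read a REG_MULTI_SZ publication list from the CA key and decode every entry.
    param([string]$ValueName, [hashtable]$FlagNames)
    $reg = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
    $entries = (Get-ItemProperty -Path $reg -Name $ValueName).$ValueName   # string[]
    "== $ValueName =="
    foreach ($e in $entries) {
        if (-not ($e -match '^(\d+):(.+)$')) { Write-Warning "unparseable entry: '$e'"; continue }
        $flags = [int]$Matches[1]; $url = $Matches[2]
        $named = $FlagNames.Keys | Sort-Object | Where-Object { $flags -band $_ } | ForEach-Object { $FlagNames[$_] }
        "{0,4}  {1}" -f $flags, $url
        "      -> $($named -join '; ')"
        # A stray non-printable or non-ASCII character in a path makes certutil -crl fail (ERROR_DIRECTORY).
        if ($url -match '[^\x20-\x7E]') { Write-Warning "entry contains a non-printable or non-ASCII character: '$url'" }
        # A local path with the publish flag must point at an existing directory.
        if (($flags -band 1) -and $url -match '^[A-Za-z]:\\') {
            $dir = Split-Path -Path ($url -replace '%\d+', 'x') -Parent
            if (-not (Test-Path -Path $dir -PathType Container)) { Write-Warning "publish directory does not exist: $dir" }
        }
        # An offline root cannot publish to AD or a web server; only the extension flags belong there.
        if (($flags -band 1) -and $url -match '^(ldap|https?):') { Write-Warning "offline root cannot publish to $url; drop flag 1" }
    }
}

Show-PublicationUrls -ValueName 'CACertPublicationURLs' -FlagNames $AiaFlags
Show-PublicationUrls -ValueName 'CRLPublicationURLs'    -FlagNames $CdpFlags
```

Run it after both setreg commands and compare the decoded output with the Extensions tab in certsrv.msc; the two should agree line for line, and any warning means the value is worth re-entering before you restart the service.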

Step 5. Restart the CertSvc service

The CA reads the registry values you set in Steps 1 to 4 when the service starts, so none of them take effect until you restart it. On the Standalone Offline Root CA, open an Administrative command prompt and type PowerShell. In the PowerShell command prompt issue the following command:

Restart-Service certsvc

Press Enter. The output of the above command is shown below.

restart service using PowerShell.png

Step 6. Publish the CRL

certutil -crl makes the CA generate a new base CRL and write it to every CRLPublicationURLs location that carries the publish flag (1), here the local CertEnroll folder. On the Standalone Offline Root CA, open an Administrative command prompt and type PowerShell. In the PowerShell command prompt issue the following command:

certutil -crl

Press Enter. The output of the above command is shown below.

certutil crl command completed successfully.png
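As an added example (my script, not from the original post), this PowerShell runs the same certutil -crl, then locates the CRL it wrote and reads its ThisUpdate and NextUpdate with certutil -dump, so you can confirm that the 52 week period and 12 hour overlap from Step 1 actually took effect; if they did not, the usual cause is that certsvc was not restarted. It assumes the default local CertEnroll path. certutil prints the dates in the local culture, and the CA adjusts the window by its clock-skew allowance (ClockSkewMinutes, 10 minutes by default), so the comparison uses a tolerance rather than exact equality.

```powershell
# Added example (not from the original post): publish the Root CA CRL and check that its
# validity window matches CRLPeriod + CRLOverlapPeriod from Step 1 (52 weeks + 12 hours).
# Assumption: the default local CertEnroll path used throughout this lab.
$CertEnroll       = 'C:\Windows\system32\CertSrv\CertEnroll'
$ExpectedValidity = New-TimeSpan -Days (52 * 7) -Hours 12

& certutil.exe -crl | Out-Null
if ($LASTEXITCODE -ne 0) {
    # 0x8007010b ERROR_DIRECTORY here points at a bad file path in CRLPublicationURLs.
    throw "certutil -crl failed with exit code $LASTEXITCODE; check CRLPublicationURLs"
}

# Delta CRLs are disabled (CRLDeltaPeriodUnits 0), so the newest .crl in CertEnroll is the base CRL.
$crl = Get-ChildItem -Path $CertEnroll -Filter '*.crl' |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $crl) { throw "no .crl file found in $CertEnroll" }

function Get-CrlDate {
    # Pull a "<Field>: <date>" line out of certutil -dump output; dates are in the local culture.
    param([string[]]$DumpLines, [string]$Field)
    $hit = $DumpLines | Select-String -Pattern "^\s*$($Field):\s*(.+)$" | Select-Object -First 1
    if (-not $hit) { throw "$Field not found in certutil -dump output" }
    [datetime]::Parse($hit.Matches[0].Groups[1].Value.Trim())
}

$dump       = & certutil.exe -dump $crl.FullName
$thisUpdate = Get-CrlDate -DumpLines $dump -Field 'ThisUpdate'
$nextUpdate = Get-CrlDate -DumpLines $dump -Field 'NextUpdate'
$validity   = $nextUpdate - $thisUpdate

"CRL:        $($crl.Name)"
"ThisUpdate: $thisUpdate"
"NextUpdate: $nextUpdate"
"Validity:   $([int]$validity.TotalDays) days (expected about $([int]$ExpectedValidity.TotalDays))"

# The CA pads the window by its clock-skew allowance, so compare with a tolerance; a CRL still
# on the default one-week period would stand out by hundreds of days.
if ([math]::Abs(($validity - $ExpectedValidity).TotalHours) -gt 24) {
    Write-Warning 'CRL validity does not match CRLPeriod + CRLOverlapPeriod; was certsvc restarted after Step 1?'
}
```

The .crt and .crl files now sitting in CertEnroll are what you copy to the web server and publish to Active Directory in the next part; if the validity printed here is wrong, fix it before distributing anything, since clients will cache this CRL until its NextUpdate.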

That's it for this part, please continue to Part 5 where you will Install the Enterprise Issuing CA.

Recommended reading

(1) - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil

(2) - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc776774(v=ws.10)

 

10 answers to this question

Hi Thomas,

I guess you missed the start of the blog post? Here it is again. I've also added a hard link to part 5 at the end of this blog post, thanks.

This series is comprised of different parts, listed below.


Hi,

I'm trying to follow this guide and am failing on Step 6. Certutil -crl is generating an error for me.

CertUtil: -CRL command FAILED: 0x8007010b (WIN32/HTTP: 267 ERROR_DIRECTORY)
CertUtil: The directory name is invalid.

I've double/triple checked for typos. Everything looks exactly as you outlined except editing in my specific http address. Trying to research the error seems to point to an issue with the CDP configuration but I see no errors there. In Step 4 you mention configuring 4 locations but in the setup there are only 3. The 4th was mentioned as the share we created on the webserver but not a part of the instructions. Is this part of the problem or did I miss a step where the rootCA needs to be on the network during the configuration so that it can access the locations configured in the CDP?


Can you paste a screenshot of your failure please? Also, are you running it on the Standalone Offline Root CA?


I found that article and thought I reviewed my configurations thoroughly but I didn't. I just now noticed this little guy, ▯, showing up in the publish path. Not sure how it got there but fixing that and rebooting allowed me to run the CRL command.

Thanks! I probably would have kept overlooking that character without you pointing me back in that direction.
