anyweb Posted June 19, 2018

This series is comprised of different parts, listed below.

Part 1 - Introduction and server setup
Part 2 - Install and do initial configuration on the Standalone Offline Root CA
Part 3 - Prepare the HTTP Web server for CDP and AIA Publication
Part 4 - Post configuration on the Standalone Offline Root CA
Part 5 - Installing the Enterprise Issuing CA (this part)
Part 6 - Perform post installation tasks on the Issuing CA
Part 7 - Install and configure the OCSP Responder role service
Part 8 - Configure AutoEnroll and Verify PKI health

In part 1 of this series, you configured your LAB for a 2 tier PKI hierarchy running on Windows Server 2016. You used PowerShell to create some virtual machines, and then installed Windows Server 2016, Windows 10 Enterprise version 1803 and optionally Smoothwall 3.1 before configuring the IP address scheme and computer names on the virtual machines. Finally you configured ADDS on DC01 so that you have a working Domain Controller for the rest of this LAB.

In part 2 you installed and did the initial configuration on the Standalone Offline Root CA.

In part 3 you prepared the HTTP Web Server for CDP and AIA Publication and you created a DNS record for the publicly available web server.

In part 4 you performed post configuration on the Standalone Offline Root CA to set certificate revocation list (CRL) period registry settings using CertUtil, and then enabled object access auditing. Finally, you configured three locations for the Authority Information Access (AIA) and four locations for the Certificate Revocation List Distribution Point (CDP), again using CertUtil.

In this part you will install and do the initial configuration on the Enterprise Issuing CA. This is a long blog post, so make sure you've got lots of coffee or beer handy (depending on your preference).

Step 1. Add EntAdmin user to groups

We'll be using a special user called EntAdmin (an Enterprise Admin and a member of Cert Publishers) for some tasks on the IssuingCA computer, but before doing so, we need to add that user as a member of the Enterprise Admins group and the Cert Publishers group on the domain controller. You can do so by issuing the following in Windows PowerShell ISE on DC01.

Import-Module ActiveDirectory
Add-ADGroupMember -Identity "Enterprise Admins" -Members "EntAdmin"
Add-ADGroupMember -Identity "Cert Publishers" -Members "EntAdmin"

Alternatively you can run this script in Windows PowerShell ISE as windowsnoob\Administrator on DC01: Create Users Usergroups and OUs in AD.ps1

Step 2. Join IssuingCA to the domain

When you installed the Issuing CA virtual machine (#11_IssuingCA) in part 1, it was workgroup joined. To join the domain do as follows. Logon to the web server virtual machine as Administrator. In Windows File Explorer, right click on This PC and choose Properties. Click on Change Settings beside Computer name, domain and workgroup settings. You can follow the instructions in Part 3, Step 1 for how to join a domain manually, or use the JoinDomain.ps1 PowerShell script here: JoinDomain.ps1

1. Copy the script to C:\Scripts on the IssuingCA server.
2. Edit the variables (lines 16-18) as desired before running.
3. Start Windows PowerShell ISE as Administrator and run the script by clicking on the green triangle.

Note: After running the script, the computer will restart automatically.

Step 3. Add EntAdmin as a local admin on IssuingCA

Next, logon to the IssuingCA domain joined computer as windowsnoob\administrator. Once logged in, start compmgmt.msc and add EntAdmin to the Local Administrators group by expanding System Tools, Local Users and Groups, Administrators, Members tab, clicking Add and entering EntAdmin as the user.

Alternatively use this PowerShell command to do it for you on the IssuingCA computer while logged in as windowsnoob\administrator.

Add-LocalGroupMember -Group Administrators -Member windowsnoob\EntAdmin

Press Enter. The output of the above command is shown below. The user is now listed as a member of the Local Administrators group on IssuingCA. After doing the above, log off (Sign out) from IssuingCA.

Step 4. Create an OID

Before creating the CAPolicy.inf file in the next step, we should use our own OID rather than the default Microsoft one (OID=1.2.3.4.1455.67.89.5). I'm using a PowerShell script found here for that purpose (1): createOID.ps1

Step 5. Create a CAPolicy.inf file for the Enterprise Issuing CA

Before installing the Issuing CA, you should create a CAPolicy.inf to define 'default' settings for CA templates; some of these settings cannot be changed later, and you want them in place before creating any certificates on the Issuing CA. On the #11_IssuingCA virtual machine (IssuingCA), login as windowsnoob\EntAdmin using the password specified. Open an administrative command prompt and type the following:

notepad C:\Windows\CAPolicy.inf

and press ENTER; when prompted to create a new file, click Yes. Paste the following text into the new CAPolicy.inf file.

[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies=InternalPolicy

[InternalPolicy]
OID=1.2.3.4.1455.67.89.5
URL=http://pki.windows-noob.com/cps.txt

[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=0

Once done, paste in the OID created in Step 4 (it replaces the value on the OID= line) and then save the file as C:\Windows\CAPolicy.inf.

Note: The OID in the CAPolicy.inf pasted above uses Microsoft's own OID; you should use the one generated in Step 4 or obtain one from here (2).

Step 6. Publish the Root CA Certificate and CRL

In this step, you will copy the CER and CRL files from the Standalone Offline Root CA virtual machine to the IssuingCA virtual machine before publishing the Root CA Certificate and CRL. I'm showing you a few methods of copying the files (PowerShell or manually), but in every case you are doing so using a 1GB VHDX disk. The reason for this is that you should not connect the StandAlone Offline Root CA to the network.

On your Hyper-V host (the computer that you use to host this LAB), run the following PowerShell script (after adjusting the variables as necessary) to create a 1GB VHDX disk which we will use to copy the CER and CRL files between the StandAlone Offline Root CA (RootCA) and the IssuingCA virtual machines.

Note: The first time you run this script it will automatically attach the VHDX to the #11_RootCA virtual machine. You may need to open Disk Management on that virtual machine and change the disk to Online before use.

Download the PowerShell script - create_PKI_vhdx.ps1

Note: Before taking any new snapshots (checkpoints) of your virtual machines, please ensure that you have first taken the PKI disk offline and then removed it from the respective VMs.

Logon to the StandAlone Offline Root CA (RootCA) as Administrator, and if necessary, change the just attached VHDX disk to Online using Disk Management. Using a command prompt, copy the StandAlone Offline Root CA Certificate (ROOTCA_windows noob Root CA.crt) and Root CA CRL (windows noob Root CA.crl) files from the C:\Windows\System32\CertSrv\CertEnroll directory on the RootCA server to the VHDX removable media (probably E:\).

copy C:\Windows\System32\CertSrv\CertEnroll\*.cr* E:\

Now, using Disk Management, set the PKI disk to Offline. Using the virtual machine settings GUI for #11_RootCA (RootCA), remove the previously attached PKI disk, or alternatively, use the following PowerShell (on the Hyper-V host), where $TargetVM="#11_RootCA":

Remove-VMHardDiskDrive -VMName $TargetVM -ControllerType SCSI -ControllerNumber 1 -ControllerLocation 1

On the #11_IssuingCA virtual machine, use the Virtual Machine GUI settings to attach the PKI disk, or use PowerShell where $TargetVM="#11_IssuingCA" and $path is the path to the VHDX file:

Add-VMHardDiskDrive -VMName $TargetVM -ControllerType SCSI -ControllerNumber 1 -ControllerLocation 1 -Path $path

On the #11_IssuingCA virtual machine, login as windowsnoob\EntAdmin and, using Disk Management, change the PKI disk to Online. Issue the following command as windowsnoob\EntAdmin, where E:\ is the path to the CER and CRL files and where RootCA is the host name of your offline root CA.

Note: Pay close attention when doing this step; getting it wrong will cause problems with PKIView and other areas. The host name of the offline Root CA, in this case 'RootCA', must correspond to whatever the host name of your offline Root CA actually is.

certutil -f -dspublish "E:\ROOTCA_windows noob Root CA.crt" RootCA

Press Enter. The output of the above command is shown below. You should see "Certificate added to DS store".

Next, issue the following command as windowsnoob\EntAdmin, where E:\ is the path to the CER and CRL files.

certutil -f -dspublish "E:\windows noob Root CA.crl" RootCA

Press Enter. The output of the above command is shown below. You should see "Base CRL added to DS store".

Using Windows File Explorer on IssuingCA as windowsnoob\EntAdmin, copy the CR* files on E:\ (or whatever drive letter the PKI disk is mounted as) to \\webserver.windowsnoob.lab.local\CertEnroll

On the IssuingCA, to add the windows noob Root CA Certificate and CRL to the IssuingCA local store, run the following command from an administrative command prompt as windowsnoob\EntAdmin. Ensure that you substitute the correct drive letter of your removable media (for E:) in the command below:

certutil -addstore -f root "E:\ROOTCA_windows noob Root CA.crt"

Press Enter. The output of the above command is shown below. You should see "CertUtil: -addstore command completed successfully".

Next, run the following command from an administrative command prompt as windowsnoob\EntAdmin. Ensure that you substitute the correct drive letter of your removable media (for E:) in the command below:

certutil -addstore -f root "E:\windows noob Root CA.crl"

Press Enter. The output of the above command is shown below. You should see "CertUtil: -addstore command completed successfully".

Step 7. Install the Subordinate Issuing CA

Now that you've created the CAPolicy.inf file and published the CRT and CRL files (from the StandAlone Offline Root CA) to Active Directory, copied them to the Webserver CertEnroll folder and to the local store on the Issuing CA, you are ready to install Active Directory Certificate Services (on the Issuing CA).

To do so, open Server Manager and select Add Roles and Features; on the Before You Begin page select Next. On the Select Server Roles page select Active Directory Certificate Services and then click Next; if prompted to Add features that are required for Active Directory Certificate Services, click Add features. On the Introduction to Active Directory Certificate Services page, click Next. On the Select Role Services page (shown below), select Certification Authority and Certification Authority Web Enrollment. If you see the Add Roles Wizard, click Add Required Role Services. Click Next. Continue through the wizard and click on Install. Leave the wizard open until the feature installation completes successfully, then click Close.

In Server Manager, click on Configure Active Directory Certificate Services (yellow exclamation mark). Ensure that your credentials are windowsnoob\EntAdmin and click Next. On the Select roles to configure page, ensure that both Certification Authority and Certification Authority Web Enrollment are selected. On the Specify the setup type of the CA page, ensure that Enterprise is selected, and then click Next.

Note: The Enterprise option will be greyed out if you are not logged on as an Enterprise Admin (windowsnoob\EntAdmin) or do not have local administrator permission.

On the Specify the type of CA page, select Subordinate CA, and then click Next. On the Set Up Private Key page, ensure that Create a new private key is selected, and then click Next. Ensure that SHA256 is selected on the Specify the cryptographic options page, then click Next.

Note: When installing in a production environment, the CSP, hash algorithm and key length selected must support the application compatibility requirements of your organization.

On the Specify the name of the CA page, clear the existing entry in the Common name for this CA box, enter windows noob Issuing CA, then click Next. On the Request certificate from a parent CA page, select the Save a certificate request to file and manually send it later to a parent CA option, then click Next. Continue through the wizard and finally click on Configure on the Confirm Installation Selections page; finally, click on Close at the Configuration Succeeded screen. Take note of the warning; it is expected.

Step 8. Copy the certificate request file to the StandAlone Offline Root CA

Run the following command from an administrative command prompt as windowsnoob\EntAdmin on the IssuingCA computer. Ensure that you substitute the correct drive letter of your removable media (for E:) in the command below:

copy c:\IssuingCA.windowsnoob.lab.local_windowsnoob-ISSUINGCA-CA.req E:\

Next, take the PKI disk offline in Disk Management on the IssuingCA. Next, remove the PKI disk from the IssuingCA virtual machine using the GUI settings or use the PowerShell commands shown earlier to do it. Then insert the PKI disk into the StandAlone Offline Root CA virtual machine and make it Online in Disk Management (on RootCA).

Step 9. Submit the Request and Issue the windows noob Issuing CA Certificate

On the StandAlone Offline Root CA, login as Administrator and use the following command in an administrative command prompt, where E:\ is the PKI disk:

certreq -submit E:\IssuingCA.windowsnoob.lab.local_windowsnoob-ISSUINGCA-CA.req

When prompted which CA to use, select the windows noob Root CA and click OK. Take note of the certificate RequestID.

On the StandAlone Offline Root CA, start CertSrv.msc and click on Pending Requests, right click the matching RequestID, choose All Tasks then select Issue.

Return to the administrative command prompt to accept the issued certificate by running the following command. Make sure you are using the correct drive letter for your removable media (for E:) as well as the correct RequestID (for 2):

Note: Notice the .crt in the command line below; you must make sure it's typed correctly.

certreq -retrieve 2 E:\IssuingCA.windowsnoob.lab.local_windowsnoob-ISSUINGCA-CA.crt

When prompted which CA to use, select the windows noob Root CA and click OK. If everything went ok you'll see output like the below. If you now do a DIR on the PKI disk you'll see new files have been generated.

Next, take the PKI disk offline in Disk Management on the StandAlone Offline Root CA. Finally, remove the PKI disk from the StandAlone Offline Root CA virtual machine using the GUI settings or use the PowerShell commands shown earlier to do it.

Step 10. Install the windows noob Issuing CA Certificate on IssuingCA

Once again, add the PKI disk to the IssuingCA virtual machine, and take it Online in Disk Management. Ensure you are logged on to IssuingCA as windowsnoob\EntAdmin. Next, open the Certification Authority console (CertSrv.msc) and in the Certification Authority console tree, right-click windows noob Issuing CA, and then click Install CA Certificate. In the Select file to complete CA installation dialog, navigate to your removable media (PKI disk). Ensure that you are displaying All Files (*.*), click the IssuingCA.windowsnoob.lab.local_windowsnoob-ISSUINGCA-CA.rsp (response file), and click Open. The CertSrv console will reload itself.

Next, in the console tree, right-click windows noob Issuing CA, click All Tasks, and then click Start Service. In the console tree, expand windows noob Issuing CA and then click Certificate Templates. Notice there are no certificates shown in the details pane. This is because the CAPolicy.inf specified not to install the default templates in the line LoadDefaultTemplates=0.

Next, take the PKI disk offline in Disk Management on the IssuingCA and finally, remove the PKI disk from the IssuingCA virtual machine using the GUI settings or use the PowerShell commands shown earlier to do it.

That's all for this Part, phew... Please join me in Part 6 when you will perform post installation tasks on the Subordinate Issuing CA.

Recommended reading
(1) https://gallery.technet.microsoft.com/scriptcenter/56b78004-40d0-41cf-b95e-6e795b2e8a06#content
(2) http://msdn.microsoft.com/library/windows/desktop/ms677621.aspx
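Step 6 warns that getting the dspublish command wrong breaks PKIView later, and the post only checks the two "added to DS store" messages. The following is an added PowerShell example (my own code, not part of the post or of the series' download scripts) that checks every target Step 6 writes to: the Certification Authorities and AIA containers in Active Directory, the CN=<host name> CDP container, the local machine Root store, and the web server's CertEnroll share. Two points it relies on, from certutil's documented syntax: in the certificate command the trailing RootCA is the publication type keyword (NTAuthCA | RootCA | SubCA | ...), while in the CRL command the trailing argument is the CDP container name, which is why it must equal the offline root's host name. The function and parameter names and the Find-AdPkiObject helper are mine; the sample values (host name RootCA, CA name windows noob Root CA, the CertEnroll share) are the post's.

```powershell
# Added example; not code from the original post or the series' scripts.
# Run on IssuingCA (domain joined) as windowsnoob\EntAdmin after Step 6 to confirm
# that each publication target actually received the root CA certificate and CRL.
Import-Module ActiveDirectory

function Find-AdPkiObject {
    param([string]$SearchBase, [string]$Filter, [string[]]$Properties = @('cn'))
    # A missing container makes Get-ADObject throw; treat that as "nothing published here".
    try { Get-ADObject -SearchBase $SearchBase -LDAPFilter $Filter -Properties $Properties -ErrorAction Stop }
    catch { $null }
}

function Test-RootCAPublication {
    param(
        [Parameter(Mandatory)][string]$RootCAHostName,   # short host name of the offline root, e.g. RootCA
        [Parameter(Mandatory)][string]$RootCAName,       # CA common name, e.g. 'windows noob Root CA'
        [string]$CertEnrollShare                         # e.g. \\webserver.windowsnoob.lab.local\CertEnroll
    )
    $pks = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"

    # certutil -f -dspublish <cert> RootCA  -> CN=<CA name> under Certification Authorities and AIA
    $trusted = Find-AdPkiObject "CN=Certification Authorities,$pks" "(cn=$RootCAName)" @('cACertificate')
    $aia     = Find-AdPkiObject "CN=AIA,$pks" "(cn=$RootCAName)" @('cACertificate')

    # certutil -f -dspublish <crl> <host>   -> CN=<CA name>,CN=<host>,CN=CDP
    # The CN=<host> container is what the ldap:/// CDP URL from Part 4 points at,
    # so the host name given to certutil has to match the offline root's host name.
    $crl = Find-AdPkiObject "CN=$RootCAHostName,CN=CDP,$pks" "(objectClass=cRLDistributionPoint)" @('certificateRevocationList')

    # certutil -addstore -f root <cert>     -> LocalMachine\Root on this machine
    $local = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "CN=$RootCAName*" }

    $result = [ordered]@{
        TrustedRootInAD  = [bool]$trusted
        AIAInAD          = [bool]$aia
        CDPContainerInAD = [bool]$crl
        CRLBlobInAD      = [bool]($crl.certificateRevocationList)
        LocalRootStore   = [bool]$local
        LocalRootThumb   = $local.Thumbprint
    }
    if ($CertEnrollShare) {
        # the CR* files copied with File Explorer to the web server's CertEnroll share
        $result.CrtOnWebShare = Test-Path (Join-Path $CertEnrollShare "*$RootCAName.crt")
        $result.CrlOnWebShare = Test-Path (Join-Path $CertEnrollShare "$RootCAName.crl")
    }
    [pscustomobject]$result
}

# Sample values from the post; substitute your own host name, CA name and share.
Test-RootCAPublication -RootCAHostName 'RootCA' -RootCAName 'windows noob Root CA' `
    -CertEnrollShare '\\webserver.windowsnoob.lab.local\CertEnroll'
```

Every field should come back True before you move on to Step 7. A False CDPContainerInAD with a True TrustedRootInAD is the signature of the mistake the note in Step 6 describes: the certificate was published, but the CRL went into a container whose name does not match the host name embedded in the CDP URL, so PKIView will later report that LDAP CDP location as unreachable.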
Dietmar Posted October 5, 2018

Hi! Great work! However, I have two questions:

The OID thing: why or for what reason is this necessary? I never heard of it before. What if I use the standard OID?

> URL=http://pki.windows-noob.com/cps.txt

What is the cps.txt file for? What's the content of this file? I read all of your instructions twice but this file only appears here. Can you explain this in a little more detail, please! Thank you very much! ...Dietmar
Dietmar Posted October 8, 2018

I hope it's ok if I answer my question on my own for all who read this post. On Friday I registered on IANA a private enterprise number (PEN). You can do this here: https://pen.iana.org/pen/PenApplication.page It's absolutely free. I received my number for "Einfaches Netzwerk" a few hours later via e-mail. After a day or so you can find your number on a really huge list here: https://www.iana.org/assignments/enterprise-numbers/enterprise-numbers. Mine looks like this:

Now I am able to build my own OID with the prefix iso.org.dod.internet.private.enterprise (1.3.6.1.4.1) > 1.3.6.1.4.1.52765 (the prefix is listed on the site above at the top). Behind this OID you can add additional numbers according to your certification policy statement (cps.txt). For example:

1.3.6.1.4.1.52765.1.1 > Client certificates
1.3.6.1.4.1.52765.1.2 > Server certificates
1.3.6.1.4.1.52765.1.3 > EFS

and so on. You can find a CPS template here: https://www.globalsign.com/en/repository/TrustedRoot Template CPS.pdf

You only need a public OID if your organization plans to use PKI-enabled applications with other organizations. In this case you need an OID which is unique on the internet. ...Dietmar
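Step 4 and Step 5 of the post, and Dietmar's PEN explanation above, both come down to the same two tasks: obtain an OID that is yours, and put it on the OID= line of CAPolicy.inf before the ADCS role is configured. Here is an added PowerShell example (my own code, not the post's createOID.ps1 and not a script from the series) that does both. New-PkiOid returns either a PEN-based OID (1.3.6.1.4.1.<PEN>.<sub-arc>, as in Dietmar's list) or, when no PEN is given, an OID derived from a fresh GUID under the 1.2.840.113556.1.8000.2554 arc that appears in a later comment; that the GUID-to-OID mapping matches what the linked script does is an assumption on my part. New-CAPolicyInf writes the file with the post's settings, refusing the sample OID from the post. The function and parameter names are mine; the sample PEN is Dietmar's and the CPS URL is the post's.

```powershell
# Added example; not code from the original post or from the linked createOID.ps1.
# Builds an organisation-specific OID and writes C:\Windows\CAPolicy.inf with it.

function New-PkiOid {
    param(
        [int]$Pen,                 # registered IANA Private Enterprise Number (optional)
        [string]$SubArc = '1.1'    # sub-arc under the PEN, e.g. 1.1 for one certificate policy
    )
    if ($Pen) {
        # iso.org.dod.internet.private.enterprise = 1.3.6.1.4.1, then the PEN, then your own arc
        return "1.3.6.1.4.1.$Pen.$SubArc"
    }
    # No PEN: derive a unique OID from a new GUID under Microsoft's 1.2.840.113556.1.8000.2554 arc.
    # Assumed (not verified against the post's script) to be the scheme createOID.ps1 uses.
    $g = [guid]::NewGuid().ToString('N')            # 32 hex characters, no dashes
    $parts = 0, 4, 8, 12, 16, 20, 26 | ForEach-Object {
        $len = if ($_ -lt 20) { 4 } else { 6 }       # five 4-hex groups, then two 6-hex groups
        [uint64]::Parse($g.Substring($_, $len), [System.Globalization.NumberStyles]::HexNumber)
    }
    return "1.2.840.113556.1.8000.2554.$($parts -join '.')"
}

function New-CAPolicyInf {
    param(
        [Parameter(Mandatory)][string]$Oid,
        [Parameter(Mandatory)][string]$CpsUrl,
        [string]$Path = 'C:\Windows\CAPolicy.inf',
        [int]$RenewalKeyLength = 2048,
        [int]$RenewalValidityYears = 10
    )
    $sampleOid = '1.2.3.4.1455.67.89.5'   # the placeholder value shown in Step 5 of the post
    if ($Oid -notmatch '^\d+(\.\d+)+$') { throw "'$Oid' is not a dotted-decimal OID" }
    if ($Oid -eq $sampleOid)             { throw 'Use your own OID from Step 4, not the sample one' }
    if ($CpsUrl -notmatch '^https?://\S+$') { throw 'The CPS URL must be an http(s) URL' }

    # Same sections and values as the post's CAPolicy.inf; only OID= and URL= are yours.
    $content = @"
[Version]
Signature="`$Windows NT`$"

[PolicyStatementExtension]
Policies=InternalPolicy

[InternalPolicy]
OID=$Oid
URL=$CpsUrl

[Certsrv_Server]
RenewalKeyLength=$RenewalKeyLength
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=$RenewalValidityYears
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=0
"@
    # Plain ASCII; the file must be in place before the ADCS role is configured (Step 7).
    Set-Content -Path $Path -Value $content -Encoding ASCII
    Get-Content -Path $Path
}

# Usage with sample values: Dietmar's PEN from the comment above (replace with your own),
# or call New-PkiOid with no -Pen to get a GUID-derived OID instead.
$oid = New-PkiOid -Pen 52765 -SubArc '1.1'
New-CAPolicyInf -Oid $oid -CpsUrl 'http://pki.windows-noob.com/cps.txt'
```

Whichever branch produced the OID, paste the whole value on the OID= line; a PEN-based OID is short, a GUID-derived one is long, and both are meant to be used in full. The CPS URL should point at a document you actually publish, since it is what relying parties are told to read when they see the policy OID in an issued certificate.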
anyweb Posted October 8, 2018

thanks for sharing that info Dietmar !
Dietmar Posted October 8, 2018

You are welcome. 😊
BThomas123 Posted March 13, 2019

Thanks for the guide. One question. If the IIS is already configured on the webserver on Part 3 for publishing AIA & CDP, then why are you installing webenrollment again on the issuing CA server ? Does it make more sense to use the webserver for webenrollment ?

Edited March 22, 2019 by BThomas123 (fixing typos)
eljub Posted July 23, 2019

> On 3/13/2019 at 8:22 PM, BThomas123 said:
> Thanks for the guide. One question. If the IIS is already configured on the webserver on Part 3 for publishing AIA & CDP, then why are you installing webenrollment again on the issuing CA server ? Does it make more sense to use the webserver for webenrollment ?

Yes if you are like me and you install the Web Server on the Issuing Server

So I noticed that with the PART5, the network share "CertEnroll" has been reset to its default value "c:\system32\certsrv\certenroll"

So you need to
- remove the share on this folder
- recreate a share on the c:\certenroll (with "modify" share permissions for AD group "Cert Publisher")
- change the IIS target folder for the "CertEnroll" virtual directory to "c:\certenroll"

Edited July 23, 2019 by eljub
anyweb Posted July 23, 2019

> 6 hours ago, eljub said:
> Yes if you are like me and you install the Web Server on the Issuing Server
> So I noticed that with the PART5, the network share "CertEnroll" has been reset to its default value "c:\system32\certsrv\certenroll"
> So you need to
> - remove the share on this folder
> - recreate a share on the c:\certenroll (with "modify" share permissions for AD group "Cert Publisher")
> - change the IIS target folder for the "CertEnroll" virtual directory to "c:\certenroll"

where exactly are you seeing that it is being reset to its default value, please explain. Are you following my guide 100% or are you doing your own thing ? if you are doing your own thing then I cannot guarantee your results. I've done this series 6 times using both Windows Server 2016 and Windows Server 2019 and have had zero issues with it.
eljub Posted July 24, 2019

> 12 hours ago, anyweb said:
> where exactly are you seeing that it is being reset to its default value, please explain. Are you following my guide 100% or are you doing your own thing ? if you are doing your own thing then I cannot guarantee your results. I've done this series 6 times using both Windows Server 2016 and Windows Server 2019 and have had zero issues with it.

I followed your guide but like I said I do not use a separate server as Web Server

Yesterday after completing PART5 I noticed that the "CertEnroll" share was on "c:\system32\certsrv\certenroll" and not on "C:\CertEnroll" anymore

I had a doubt I missed something but
- when I went to the security of the folder "C:\CertEnroll", the AD Group "Cert Publisher" was there as done in PART3
- the IIS virtual directory "CertEnroll" was pointing on "c:\system32\certsrv\certenroll" and not on "C:\CertEnroll" anymore

I think it's because I selected to install Web Enrollment feature in PART5

SO for me in case of installation of the Web Server Enrollment on the Issuing CA Server, it would be better to do the PART3 after the PART5 and change the thing I wrote above

Edited July 24, 2019 by eljub
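The disagreement in the last few posts is about where the CertEnroll share and the IIS CertEnroll virtual directory actually point after the role install. Rather than change anything, the following added PowerShell example (my own code, not from the post or from eljub) reports the current state on the machine it runs on: the SMB share path and the Cert Publishers entry in its ACL, the IIS virtual directory's physical path, and the CRL publication paths the active CA writes to (read from the CertSvc registry configuration). It assumes IIS with the WebAdministration module is installed on that machine (eljub's single-server layout) and that the virtual directory lives under Default Web Site; the function name, parameter names and the C:\CertEnroll expected path are mine, the last taken from the comments.

```powershell
# Added example; not code from the original post or from eljub. Read-only: it reports where
# the CertEnroll share, the IIS virtual directory and the CA's own CRL publication paths
# point, so a mismatch like the one described above can be seen before anything is changed.
Import-Module WebAdministration -ErrorAction SilentlyContinue

function Get-CertEnrollLayout {
    param(
        [string]$ShareName    = 'CertEnroll',
        [string]$Site         = 'Default Web Site',
        [string]$ExpectedPath = 'C:\CertEnroll'     # where the comments say Part 3 put the folder
    )
    # 1. The SMB share and the share-level rights granted to Cert Publishers
    $share  = Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue
    $access = if ($share) {
        Get-SmbShareAccess -Name $ShareName | Where-Object { $_.AccountName -like '*\Cert Publishers' }
    }

    # 2. The IIS virtual directory (only if the WebAdministration cmdlets are available)
    $vdir = if (Get-Command Get-WebVirtualDirectory -ErrorAction SilentlyContinue) {
        Get-WebVirtualDirectory -Site $Site -Name $ShareName
    }

    # 3. Where the local CA publishes CRLs: entries of CRLPublicationURLs; a leading 65
    #    means base (1) + delta (64) CRLs are written to that file path.
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $active = (Get-ItemProperty -Path $cfg -ErrorAction SilentlyContinue).Active
    $crlUrls = if ($active) {
        (Get-ItemProperty -Path "$cfg\$active" -ErrorAction SilentlyContinue).CRLPublicationURLs
    }

    [pscustomobject]@{
        SharePath            = $share.Path
        ShareMatchesExpected = ($share.Path -eq $ExpectedPath)
        CertPublishersAccess = ($access | ForEach-Object { "$($_.AccessControlType):$($_.AccessRight)" }) -join ','
        IisVirtualDirPath    = $vdir.physicalPath
        IisMatchesExpected   = ($vdir.physicalPath -eq $ExpectedPath)
        ActiveCA             = $active
        CrlPublicationUrls   = $crlUrls
    }
}

Get-CertEnrollLayout
```

Read the output together: the share, the virtual directory and the 65: file entry in CrlPublicationUrls should all name the same folder, and Cert Publishers should show Allow:Change on the share. If they disagree, the CRL the CA writes is not the one the HTTP CDP URL serves, which is exactly the kind of drift PKIView flags in Part 8.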
anyweb Posted July 24, 2019

ok well if you are not following my guide exactly then you may have issues, but at least you figured it out. I hope you understand that it's hard to support people when they don't follow my guide 100%.
mniceguy81 Posted August 5, 2019

Thank you Sir, very very much for your lovely Tutorial that is easy to follow but i just have one problem as i'm confused on this part where i'm supposed to enter OID. Should i copy this and enter it in my line

[InternalPolicy]
OID=1.2.840.113556.1.8000.2554
URL=http://pki.XXXXX.XXXXX/cps.txt

> On 6/19/2018 at 2:14 PM, anyweb said:
> Step 5. Create a CAPolicy.inf file for the Enterprise Issuing CA. Before installing the Issuing CA, you should create a CAPolicy.inf to define 'default' settings for CA templates, some of these settings cannot be changed later and you want them in place before creating any certificates on the Issuing CA. On the #11_IssuingCA virtual machine (IssuingCA), login as windowsnoob\Entadmin using the password specified. Open an administrative command prompt and type the following: notepad C:\Windows\CAPolicy.inf and press ENTER, when prompted to create new file, click Yes. Paste in the following text into the new CAPolicy.inf file.
> [Version]
> Signature="$Windows NT$"
> [PolicyStatementExtension]
> Policies=InternalPolicy
> [InternalPolicy]
> OID=1.2.3.4.1455.67.89.5
> URL=http://pki.windows-noob.com/cps.txt
> [Certsrv_Server]
> RenewalKeyLength=2048
> RenewalValidityPeriod=Years
> RenewalValidityPeriodUnits=10
> LoadDefaultTemplates=0
> AlternateSignatureAlgorithm=0
> Once done, paste in the OID created in Step 4 and then save the file as C:\Windows\CAPolicy.inf.

Much appreciated for your help and wish you a lovely evening
anyweb Posted August 5, 2019

thanks the important bit is... "Once done, paste in the OID created in Step 4 and then save the file as C:\Windows\CAPolicy.inf."
mniceguy81 Posted August 5, 2019

Thank you for your feedback but I'm stuck at that exact comment, should I paste only the OID Line or the whole information inside that file?
mniceguy81 Posted August 6, 2019

Dear Sir, hope this finds you well, I'm contacting you as I'm lost from Step 4. Should i run the script and copy the code given to the line

[InternalPolicy]
OID=1.2.3.4.1455.67.89.5

and also my code is very long. I hope you can help me understand.

> 11 hours ago, anyweb said:
> "Once done, paste in the OID created in Step 4 and then save the file as C:\Windows\CAPolicy.inf."

Thank you for your help and as always much appreciated. Wish you a lovely day
anyweb Posted August 6, 2019

you need to paste in YOUR OID which you created in step 4 into the file, so that it looks pretty much like what I've shown you, other than it will have YOUR OID and not MINE. you might want to change the pki cps url also to point to your url

cheers
niall
mniceguy81 Posted August 6, 2019

Thank you for your feedback and appreciate getting back to me. I did change the url and was just waiting for the OID as i was not sure. After running the script it generated a lot of numbers 1.2.840.113556.1.8000.2554.xxxxx.xxx.xxxxx.xxxxx.xxxxxxxx.xxxxxxxx, Should i copy the whole numbers or just some of it?
anyweb Posted August 6, 2019

all of it
mniceguy81 Posted August 6, 2019

Thank you very much and thank you again for the tutorials you make as they're very very helpful. Wish you a lovely day and a great week.
BryanC Posted September 4, 2019

> On 8/6/2019 at 5:25 AM, mniceguy81 said:
> Thank you for your feedback and appreciate getting back to me. I did change the url and was just waiting for the OID as i was not sure. After running the script it generated a lot of numbers 1.2.840.113556.1.8000.2554.xxxxx.xxx.xxxxx.xxxxx.xxxxxxxx.xxxxxxxx, Should i copy the whole numbers or just some of it?
BryanC Posted September 4, 2019

I have been following your articles very closely.. I use an offline server, an issuing server, a web server... I have done all the steps thru step 5 and when I use PKIView.msc the display shows me that my root has an error. the error is the cdp location #1 is unable to download. I can't figure out why... below is the errored line. (HELP) I am going a bit crazy trying to figure out why?

ldap:///CN=DC2K16ENTCAROOT,CN=dc2k16EntCA,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=egmc,DC=org?certificateRevocationList?base?objectClass=cRLDistributionPoint
BryanC Posted September 11, 2019

Please disregard my previous post.. BUT in chapter 8 you show the way to verify all is well. I am having no issues with auto enrollment.. but when I do the certutil -url c:\windows.cer, the OCSP shows verified; when I do the retrieve certs from AIA and CDP .. I get no urls… I can't seem to find anything to correct this that isn't very confusing??

Also maybe I am doing something wrong when requesting a cert thru the web browser.. https://dc2k16entsubca/certsrv and fill out the form.. I go thru the steps and finally it tells me to install cert.. I do.. but when I look at mmc w/cert I don't see the cert .. but it is in the Cert Auth on the issuing Server.. Am I doing something wrong, or should I be doing something else.. (this server is not in autoenrollment) ..
BryanC Posted September 11, 2019

Hello again, I do have one more question that I was never really sure about when I followed your guide.

certutil -f -dspublish "E:\dc2k16EntCA_DC2K16ENTCAROOT.crt" RootCA

(ROOTCA; were we supposed to change that to the server name: dc2k16entCA (if so should it be FQDN) or leave it as ROOTCA)

certutil -f -dspublish "E:\DC2K16ENTCAROOT.crl" RootCA

(ROOTCA; same here: were we supposed to change that to the server name: dc2k16entSUBCA (if so should it be FQDN) or leave it as ROOTCA)

your input would be most appreciated!!!!
anyweb Posted September 11, 2019

have a look at the comments at the end of Part 8 here
anyweb Posted September 11, 2019

> 2 hours ago, BryanC said:
> Please disregard my previous post.. BUT in chapter 8 you show the way to verify all is well. I am having no issues with auto enrollment.. but when I do the certutil -url c:\windows.cer, the OCSP shows verified; when I do the retrieve certs from AIA and CDP .. I get no urls… I can't seem to find anything to correct this that isn't very confusing?? Also maybe I am doing something wrong when requesting a cert thru the web browser.. https://dc2k16entsubca/certsrv and fill out the form.. I go thru the steps and finally it tells me to install cert.. I do.. but when I look at mmc w/cert I don't see the cert .. but it is in the Cert Auth on the issuing Server.. Am I doing something wrong, or should I be doing something else.. (this server is not in autoenrollment) ..

I did this 8 part series several times in separate labs to be 100% sure of the result and it always worked, so i know it works. You might have done something incorrectly or missed a step. as regards requesting a certificate via a webbrowser, i didn't cover this in my guide but if you try it you'll see the following text, i've bolded the interesting bit...

> Use this Web site to request a certificate for your Web browser, e-mail client, or other program. By using a certificate, you can verify your identity to people you communicate with over the Web, sign and encrypt messages, and, depending upon the type of certificate you request, perform other security tasks.

does that explain things ?
BryanC Posted September 11, 2019

I understand how to request the cert and why.. my question was after requesting it.. it was there in cert auth under issued certificates but it wasn't installed on the server I requested from. I know I can install the cert manually.. I was just wondering why it says it installed but it really didn't..

BY THE WAY>>>> Can you tell me HOW TO CHANGE THE DELTACRL LOCATION #2 from http://dc2k16entsubca.egmc.org/CertEnroll/DC2K16ENTSUBCA-CA+.crl to http://pki.egmc.org/certentroll/DC2K16ENTSUBCA-CA+.crl like yours... I have been trying for hours to change... all my other issues I have worked out … this is the only one I just can't find or figure out.. I have gone back over your pub's and nothing...……...HELP