anyweb

How can I configure PKI in a lab on Windows Server 2016 - Part 5

On your Extensions tab, what does your CRL Distribution Point (CDP) list? Attach it here...


Thank you for the lab (up to part 6 it's all working fine).

Just a short question: how can I add templates? My Palo Alto FW needs the Subordinate Certification Authority template for inspecting network traffic. Is it only with "New - Certificate Template to Issue"? (This sounds too easy 🙂)

And what is the reason for using the template = 0 in the CAPolicy.inf file?

Best from Singapore

Lutz

Edited by Lutz Rahe

"Thank you for the lab (up to part 6 it's all working fine)"

Great to hear it!

"Just a short question: how can I add templates? My Palo Alto FW needs the Subordinate Certification Authority template for inspecting network traffic. Is it only with "New - Certificate Template to Issue"? (This sounds too easy 🙂)"

In certsrv.msc on the IssuingCA, right-click Certificate Templates and choose Manage. You can then select a known certificate template (for example Workstation Authentication) that matches what is required for your FW; check the documentation of the FW to see exactly what type of certificate it requires, and duplicate it by choosing Duplicate Template.

Then rename it to your needs and adjust it to suit the FW requirements.

And as for your other question, see this answer from Technet:

According to https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/prepare-the-capolicy-inf-file the LoadDefaultTemplates flag only applies to an enterprise CA.

My assumption is that if you set up a standalone, the templates will be loaded nevertheless.

LoadDefaultTemplates only applies during the install of an Enterprise CA. This setting, either True or False (or 1 or 0), dictates if the CA is configured with any of the default templates.

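The same "Certificate Template to Issue" step done from PowerShell on the issuing CA, as an added example that is not part of the original guide or the reply above. It assumes the duplicated template already exists in Active Directory under the hypothetical template name "Firewall Sub CA", that the ADCSAdministration and ActiveDirectory modules are installed, and that it runs elevated on the issuing CA. Because a template cloned from Subordinate Certification Authority lets whoever enrolls issue certificates that chain to your root, the last part lists who holds the Enroll right on it before it goes live.

```powershell
# Added example (not from the original guide): publish a duplicated template on the issuing CA
# from PowerShell instead of the certsrv.msc "Certificate Template to Issue" dialog, then
# review who can enroll for it.
Import-Module ADCSAdministration
Import-Module ActiveDirectory

$TemplateName = 'Firewall Sub CA'   # hypothetical; this is the template Name, not its Display name

# Get-CATemplate returns every template this CA currently issues (same list as certutil -CATemplates)
$issued = Get-CATemplate | Select-Object -ExpandProperty Name

if ($issued -contains $TemplateName) {
    Write-Host "Template '$TemplateName' is already issued by this CA."
} else {
    # Equivalent of right-click Certificate Templates > New > Certificate Template to Issue
    Add-CATemplate -Name $TemplateName -Force
    Write-Host "Added '$TemplateName' to the templates this CA issues."
}

# Templates live in the Configuration partition; read the ACL through the AD: drive
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$acl        = Get-Acl -Path "AD:\$templateDN"

# 0e10c968-78fb-11d2-90d4-00c04f79dc55 is the Certificate-Enrollment extended right ("Enroll")
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

Write-Host "Principals allowed to enroll for '$TemplateName':"
$acl.Access |
    Where-Object { $_.ObjectType -eq $enrollRight -and $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, ActiveDirectoryRights |
    Format-Table -AutoSize

# Anything broader than the firewall's own computer account or a dedicated group here means
# other principals could obtain a CA certificate chaining to your root.
```

Note that Add-CATemplate takes the template Name (the value before the colon in certutil -CATemplates output), not the Display Name you typed in certtmpl.msc; the two differ once the display name contains spaces.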


Thanks for your guidance, it is very helpful!

I did all the steps on my test infrastructure, though I had a reduced set of virtual machines.
It seems to me that there is an error in section 5 (maybe my comment will help other people).

You suggest executing the command:
certutil -f -dspublish "E:\ROOTCA_windows noob Root CA.crt" RootCA
where RootCA, as you write, is the host name of the offline Root CA. However, certutil's help tells us:

CertUtil [Options] -dsPublish CertFile [NTAuthCA | RootCA | SubCA | CrossCA | KRA | User | Machine]
...
    CertFile - certificate file to publish
    NTAuthCA - Publish cert to DS Enterprise store
    RootCA - Publish cert to DS Trusted Root store
    SubCA - Publish CA cert to DS CA object
    CrossCA - Publish cross cert to DS CA object
...

So RootCA in this case is not the host name, but the store name.

Your host name matches the store name, so your command executed.
My Root CA name was different, and when I tried to execute the command
certutil -f -dspublish "C:\from_RCA\RCA01_My-CA.crt" RCA01
I got an error:
CertUtil: -dsPublish command FAILED: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
CertUtil: The parameter is incorrect.

However, the command
certutil -f -dspublish "C:\from_RCA\RCA01_My-CA.crt" RootCA
ran correctly.

The next command in your manual,
certutil -f -dspublish "E:\windows noob Root CA.crl" RootCA
is correct, because to publish a CRL you must specify the host name:

  CertUtil [Options] -dsPublish CRLFile [DSCDPContainer [DSCDPCN]]
  ....
    CRLFile - CRL file to publish
    DSCDPContainer - DS CDP container CN, usually the CA machine name

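The two -dspublish calls discussed above, with the difference in the trailing argument made explicit and a check that the objects actually landed in AD, as an added example that is not part of the original guide or the post above. It assumes the hypothetical file paths and root CA host name (RCA01) from the post, and that it runs elevated as an Enterprise Admin on a domain-joined machine such as the issuing CA.

```powershell
# Added example (not from the original guide): publish the offline root CA's certificate and
# CRL into Active Directory. The second argument means a DS *store* for a certificate but a
# CDP *container CN* (normally the CA machine name) for a CRL.
$CertFile   = 'C:\from_RCA\RCA01_My-CA.crt'   # hypothetical, from the post above
$CrlFile    = 'C:\from_RCA\My-CA.crl'         # hypothetical
$RootCaHost = 'RCA01'                         # hypothetical root CA machine name

function Invoke-Certutil {
    # Runs certutil and turns a non-zero exit code into a terminating error with the output attached
    param([string[]]$Arguments)
    $out = & certutil.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certutil $($Arguments -join ' ') failed ($LASTEXITCODE):`n$($out -join "`n")"
    }
    $out
}

# 1. Certificate: 'RootCA' selects the Trusted Root Certification Authorities store in AD
#    (NTAuthCA and SubCA are the other common targets). Passing the host name here is what
#    produces 0x80070057 ERROR_INVALID_PARAMETER.
Invoke-Certutil @('-f', '-dspublish', $CertFile, 'RootCA') | Out-Null

# 2. CRL: here the argument is the CDP container CN. It has to match the LDAP CDP the root CA
#    writes into issued certificates (CN=<CRL suffix>,CN=<ServerShortName>,CN=CDP,...) or
#    clients doing LDAP revocation checks will look in the wrong container.
Invoke-Certutil @('-f', '-dspublish', $CrlFile, $RootCaHost) | Out-Null

# 3. Pull the published root into this machine's stores now instead of waiting for Group Policy,
#    then list what the enterprise Root store contains.
Invoke-Certutil @('-pulse') | Out-Null
Write-Host 'Root CAs published in AD (enterprise Root store):'
Invoke-Certutil @('-enterprise', '-store', 'Root') | Select-String -Pattern '^\s*Subject:'

# 4. Confirm the CRL object exists under the expected CDP container for this host.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$cdp      = [ADSI]"LDAP://CN=$RootCaHost,CN=CDP,CN=Public Key Services,CN=Services,$configNC"
Write-Host "CRL objects under CN=$RootCaHost,CN=CDP:"
$cdp.Children | ForEach-Object { $_.Path }
```

If step 4 lists nothing, the CRL went into a container whose name does not match the CA's configured LDAP CDP; re-run step 2 with the exact server short name shown in the root CA's Extensions tab.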


EDIT - I found the root cause. After adding the AIA and CDP paths to the RootCA, I had forgotten to restart the certsvc and then requested the SubCA certificates. These did not include the proper AIA and CDP paths because the RootCA simply didn't know them yet. PKIView reads the SubCA certificates issued by the RootCA to get the proper AIA and CDP paths for the RootCA, hence the wrong paths and a bad status. To remediate the issue, I renewed the SubCA certificates, which this time included the proper AIA and CDP paths as I had restarted the service in the meantime. I then revoked the old SubCA certificates and any certificate issued by the SubCAs, requested and issued new certificates and published and distributed the RootCA and SubCA CRLs. Now PKIView is showing all paths as ok and the overall status is good. All services are working as intended.

Hi Niall,

You mention that the RootCA part of the command "certutil -f -dspublish myRootCACert.crt RootCA" needs to be changed to the hostname of my offline RootCA. However, when I do this on Server 2019, I get the following error:

certutil -f -dspublish myRootCACert.crt RootCAHostName
CertUtil: -dsPublish command FAILED: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
CertUtil: The parameter is incorrect.

The command is successful if I leave it at "RootCA". However, despite having added the http AIA and CDP locations as described in your series, the pkiview for the root only shows a file path like "file:////RootCAHostName/CertEnroll/myRootCACert.crt" and "file:////RootCAHostName/CertEnroll/myRootCACRL.crl" and both show the status "unable to download". There is no http AIA and CDP entry for the root CA in pkiview. I've checked the root CA itself and the properties clearly show AIA and CDP http location entries and the correct boxes ticked as per your guide (see screenshots).

Running "certutil -f -dspublish myRootCACRL.crl RootCAHostName" works, but does not change anything in the pkiview for the root CA, even after restarting the service.

Certificate Services themselves are working fine, both issuing CAs, the OCSP (as an array) and the http CRL locations work fine. Certificates issued by both CAs are valid and the certificate chain checks out as OK. So everything seems fine, except for pkiview 😕

Any idea what could have gone wrong and what I could further try to remediate?

Thanks,

Fred

[Screenshots: PKIViewError001.png, PKIViewError002.png, PKIViewError003.png]

Edited by BaronVonSuff
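A way to check the root cause Fred describes without waiting for PKIView, as an added example that is not part of the original guide or his post: on the root CA, what AIA/CDP URLs certsvc currently has loaded, and for any issued sub CA certificate, which URLs it really carries. PKIView builds the root's AIA/CDP rows from the sub CA certificate it finds, so a certificate issued before the Extensions change took effect keeps showing stale file:// paths. The certificate path is a hypothetical placeholder.

```powershell
# Added example (not from the original guide): compare the AIA/CDP URLs configured on the root CA
# with the URLs present in an already-issued sub CA certificate.

# --- On the root CA: the registry values certsvc reads at start (the Extensions tab edits these) ---
certutil -getreg CA\CACertPublicationURLs   # AIA locations
certutil -getreg CA\CRLPublicationURLs      # CDP locations
# Edits only reach newly issued certificates after the service restarts:
Restart-Service certsvc

# --- Anywhere: read the CDP and AIA extensions straight out of a certificate file ---
function Get-CertUrlExtensions {
    param([Parameter(Mandatory)][string]$Path)
    $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $wanted = @{
        '2.5.29.31'         = 'CDP'   # CRL Distribution Points
        '1.3.6.1.5.5.7.1.1' = 'AIA'   # Authority Information Access
    }
    foreach ($ext in $cert.Extensions) {
        if ($wanted.ContainsKey($ext.Oid.Value)) {
            # Format($true) renders the extension the way certutil -dump does; extract the URLs
            $urls = [regex]::Matches($ext.Format($true), '(?i)(?:http|ldap|file)://[^\s\]]+') |
                    ForEach-Object { $_.Value }
            [pscustomobject]@{ Extension = $wanted[$ext.Oid.Value]; Urls = $urls }
        }
    }
}

$SubCaCert = 'C:\Temp\IssuingCA1.crt'   # hypothetical: a sub CA certificate issued by the root
Get-CertUrlExtensions -Path $SubCaCert | Format-List

# No http:// entry in either extension means the certificate predates the change: renew the
# sub CA certificate (certsrv.msc > All Tasks > Renew CA Certificate) rather than debugging
# PKIView. -urlfetch then tries every URL the chain advertises and reports which ones fail.
certutil -verify -urlfetch $SubCaCert
```

The regex also picks up the ldap:/// locations, so the output doubles as a check that the LDAP CDP container name matches what was used with certutil -dspublish for the CRL.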


Hi there,

Firstly, thanks for your tutorial.

I'm in step 9 of Part 5. When I issue the request on the RootCA server, the request fails:

Request status code: The certificate has invalid policy. 0x800b0113 (-2146762477 CERT_E_INVALID_POLICY)

Request disposition message: Error constructing or publishing certificate. Invalid issuance policies: 1.3.6.1.4.1.52765.1.2 Resubmitted by RootCA\Administrator

Could you help me to fix it please?

Hopefully.

[Screenshot: fail when issue SubCA.png]

Edited by phuongtd91@gmail.com


Did you follow the guide 100%? It works every time I've tried it, and I've implemented multiple labs successfully with this.

I'd double-check what you've entered and take a look at this blog post to see if it gives you some ideas of where you may have gone wrong.

