anyweb

How can I configure PKI in a lab on Windows Server 2016 - Part 5


Thank you for the lab (up to part 6 it's all working fine).

Just a short question: how can I add templates? My PaloAlto FW needs the Subordinate Certification Authority template for inspecting network traffic. Is it done only with "New - Certificate Template to Issue"? (This sounds too easy 🙂 )

 

And what is the reason for using the template = 0 in the CAPolicy.inf file?

Best from Singapore

Lutz

Edited by Lutz Rahe

Thank you for the lab (up to part 6 it's all working fine).

Great to hear it !

Just a short question: how can I add templates? My PaloAlto FW needs the Subordinate Certification Authority template for inspecting network traffic. Is it done only with "New - Certificate Template to Issue"? (This sounds too easy 🙂 )

In Certsrv.msc on the IssuingCA, right click on Certificate Templates and choose Manage. You can then select a known Certificate Template (for example Workstation Authentication) that matches what is required for your FW; check the documentation of the FW to see exactly what type of certificate it requires, and duplicate it by choosing Duplicate Template.

Then rename it to your needs and adjust it to suit the FW requirements.

And as for your other question, see this answer from TechNet:

According to https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/prepare-the-capolicy-inf-file the LoadDefaultTemplate flag only applies to an enterprise CA.

My assumption is that if you set up a standalone, the templates will be loaded nevertheless.

LoadDefaultTemplates only applies during the install of an Enterprise CA. This setting, either True or False (or 1 or 0), dictates if the CA is configured with any of the default templates.


Thanks for your guidance, it is very helpful!


I did all the steps on my test infrastructure, though I had a reduced set of virtual machines.
It seems to me that there is an error in section 5 (maybe my comment will help other people).


You suggest executing the command:
certutil -f -dspublish "E:\ROOTCA_windows noob Root CA.crt" RootCA
where RootCA, as you write, is the host name of the offline Root CA; however, certutil's help tells us:

CertUtil [Options] -dsPublish CertFile [NTAuthCA | RootCA | SubCA | CrossCA | KRA | User | Machine]
...
    CertFile - certificate file to publish
    NTAuthCA - Publish cert to DS Enterprise store
    RootCA - Publish cert to DS Trusted Root store
    SubCA - Publish CA cert to DS CA object
    CrossCA - Publish cross cert to DS CA object
...

So RootCA in this case is not the host name, but the store name.

Your host name matches the store name, so your command executed.
My Root CA name was different, and when I tried to execute the command
certutil -f -dspublish "C:\from_RCA\RCA01_My-CA.crt" RCA01
I got an error:
CertUtil: -dsPublish command FAILED: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
CertUtil: The parameter is incorrect.

However, the command
certutil -f -dspublish "C:\from_RCA\RCA01_My-CA.crt" RootCA
performed correctly.

The next command in your manual
certutil -f -dspublish "E:\windows noob Root CA.crl" RootCA
is correct, because to publish a CRL you must specify the host name:

  CertUtil [Options] -dsPublish CRLFile [DSCDPContainer [DSCDPCN]]
  ....
    CRLFile - CRL file to publish
    DSCDPContainer - DS CDP container CN, usually the CA machine name

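As an added PowerShell example (not from the guide or from Alex's post), the two publish commands with the argument meanings the certutil help above gives, followed by a check that the objects actually landed in Active Directory. It assumes a domain-joined machine, Enterprise Admin rights, the ActiveDirectory module, and the hypothetical paths and host name in the parameters.

```powershell
# Added example: publish an offline Root CA's certificate and CRL to AD, then verify.
# Paths and host name below are hypothetical placeholders; substitute your own.
param(
    [string]$CertFile   = 'C:\from_RCA\RCA01_My-CA.crt',   # exported Root CA certificate
    [string]$CrlFile    = 'C:\from_RCA\RCA01_My-CA.crl',   # exported Root CA CRL
    [string]$RootCaHost = 'RCA01'                          # host name of the offline Root CA
)

function Invoke-CertUtil {
    param([string[]]$Arguments)
    $output = & certutil.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        # certutil returns the HRESULT, e.g. 0x80070057 when the second argument is wrong
        throw ("certutil {0} failed with 0x{1:X8}:`n{2}" -f ($Arguments -join ' '), $LASTEXITCODE, ($output -join "`n"))
    }
    return $output
}

# Certificate: the second argument is the DS store name ('RootCA' = Trusted Root store),
# not the CA host name; passing the host name here is what produces ERROR_INVALID_PARAMETER.
Invoke-CertUtil -Arguments @('-f', '-dspublish', $CertFile, 'RootCA') | Out-Null

# CRL: the second argument is the CDP container CN, which normally is the CA host name.
Invoke-CertUtil -Arguments @('-f', '-dspublish', $CrlFile, $RootCaHost) | Out-Null

# Verify in the Configuration partition, where certutil -dspublish writes its objects.
Import-Module ActiveDirectory
$pks = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"

$roots = Get-ADObject -SearchBase "CN=Certification Authorities,$pks" -SearchScope OneLevel `
                      -LDAPFilter '(objectClass=certificationAuthority)'
$crls  = Get-ADObject -SearchBase "CN=$RootCaHost,CN=CDP,$pks" -SearchScope OneLevel `
                      -LDAPFilter '(objectClass=cRLDistributionPoint)'

"Trusted root CA objects in AD: $(@($roots).Name -join ', ')"
"CRL objects under CDP/${RootCaHost}: $(@($crls).Name -join ', ')"
```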

EDIT - I found the root cause. After adding the AIA and CDP paths to the RootCA, I had forgotten to restart the certsvc and then requested the SubCA certificates. These did not include the proper AIA and CDP paths because the RootCA simply didn't know them yet. PKIView reads the SubCA certificates issued by the RootCA to get the proper AIA and CDP paths for the RootCA, hence the wrong paths and a bad status. To remediate the issue, I renewed the SubCA certificates, which this time included the proper AIA and CDP paths as I had restarted the service in the meantime. I then revoked the old SubCA certificates and any certificate issued by the SubCAs, requested and issued new certificates and published and distributed the RootCA and SubCA CRLs. Now PKIView is showing all paths as ok and the overall status is good. All services are working as intended.

Hi Niall,

You mention that the RootCA part of the command "certutil -f -dspublish myRootCACert.crt RootCA" needs to be changed to the hostname of my offline RootCA. However, when I do this on Server 2019, I get the following error:

certutil -f -dspublish myRootCACert.crt RootCAHostName
CertUtil: -dsPublish command FAILED: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
CertUtil: The parameter is incorrect.

The command is successful if I leave it at "RootCA". However, despite having added the http AIA and CDP locations as described in your series, the pkiview for the root only shows a file path like "file:////RootCAHostName/CertEnroll/myRootCACert.crt" and "file:////RootCAHostName/CertEnroll/myRootCACRL.crl" and both show the status "unable to download". There is no http AIA and CDP entry for the root CA in pkiview. I've checked the root CA itself and the properties clearly show AIA and CDP http location entries and the correct boxes ticked as per your guide (see screenshots).

Running "certutil -f -dspublish myRootCACRL.crl RootCAHostName" works, but does not change anything in the pkiview for the root CA, even after restarting the service.

Certificate Services themselves are working fine: both issuing CAs, the OCSP (as an array) and the http CRL locations work fine. Certificates issued by both CAs are valid and the certificate chain checks out as ok. So everything seems fine, except for pkiview 😕

Any idea what could have gone wrong and what I could further try to remediate?

Thanks,

Fred

[Attached screenshots: PKIViewError001.png, PKIViewError002.png, PKIViewError003.png]

Edited by BaronVonSuff

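Fred's root cause above (SubCA certificates issued before the Root CA had its AIA/CDP URLs, so PKIView found only file:// paths) can be caught before revoking anything. This is an added PowerShell check, not part of the guide, that reads the AIA and CDP extensions of an issued CA certificate and warns when no http:// URL is present; the certificate path is a hypothetical placeholder.

```powershell
# Added example: report the AIA and CDP URLs carried in a CA certificate.
# PKIView derives the issuer's AIA/CDP locations from these extensions, so a SubCA
# certificate without http:// entries here explains "unable to download" in PKIView.
param([string]$CertPath = 'C:\from_RCA\SubCA01.crt')   # hypothetical path to an issued SubCA cert

function Get-AccessUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $result = @{ AIA = @(); CDP = @() }
    foreach ($ext in $Cert.Extensions) {
        $key = $null
        if ($ext.Oid.Value -eq '1.3.6.1.5.5.7.1.1') { $key = 'AIA' }   # Authority Information Access
        elseif ($ext.Oid.Value -eq '2.5.29.31')     { $key = 'CDP' }   # CRL Distribution Points
        if (-not $key) { continue }
        # Format($true) renders the extension as text with one "URL=..." per location.
        foreach ($m in [regex]::Matches($ext.Format($true), 'URL=([^\r\n]+)')) {
            $result[$key] += $m.Groups[1].Value.Trim()
        }
    }
    return $result
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$urls = Get-AccessUrls -Cert $cert

foreach ($kind in 'AIA', 'CDP') {
    $http = @($urls[$kind] | Where-Object { $_ -like 'http://*' })
    if ($http.Count -eq 0) {
        Write-Warning ("{0} has no http:// URL (found: {1}). Fix the issuing CA's CDP/AIA settings, " +
                       "restart certsvc, then renew this certificate.") -f $kind, ($urls[$kind] -join '; ')
    } else {
        "{0} http URLs: {1}" -f $kind, ($http -join '; ')
    }
}
```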

Hi there, 

Firstly, thanks for your tutorial.

I'm in step 9 of Part 5. When I issue the request on the RootCA server, the request has failed:

Request status code: The Certificate has invalid Policy. 0x800b0113 (-2146762477 CERT-E-INVALID-POLICY)

Request disposition Message: Error constructing or Publish Certificate Invalid Issuance policies: 1.3.6.1.4.1.52765.1.2 Resubmitted by RootCA\Administrator

Could you help me to fix it please?

Hopefully.

[Attached screenshot: fail when issue SubCA.png]

Edited by phuongtd91@gmail.com


Did you follow the guide 100%? It works every time I've tried it, and I've implemented multiple labs successfully with this.

I'd double check what you've entered and take a look at this blog post to see if it gives you some ideas of where you may have gone wrong.

On 8/6/2019 at 7:17 PM, anyweb said:

you need to paste in YOUR OID which you created in step 4 into the file, so that it looks pretty much like what I've shown you, other than it will have YOUR OID and not MINE.

you might want to change the pki cps url also to point to your url

cheers

niall

I would love to know how and where I'd get this "OID". I saw someone talking about an IANA registration earlier, but surely!!!! surely!! PKIs are not THIS convoluted? I just normally see a root CA hanging off a DC...

On 8/6/2019 at 7:26 AM, anyweb said:

thanks

the important bit is...

 

" Once done, paste in the OID created in Step 4 and then save the file as C:\Windows\CAPolicy.inf. "

Hi Niall, how exactly do I do step 4: run that script as is, or modify it? If I modify it, what do I modify? I don't want to assume. I also have no idea how (of course I'm missing something) anyone understands what you said to do there..... reminds me that I might not be in the right industry? Do I just modify that script? Or run it on the issuing CA? Also, now that I'm in part 5, I am getting more confused how this will work in our prod, as our prod is nothing like this lab at all.....

On 8/6/2019 at 7:26 AM, anyweb said:

thanks

the important bit is...

 

" Once done, paste in the OID created in Step 4 and then save the file as C:\Windows\CAPolicy.inf. "

I see this website https://freeoid.pythonanywhere.com/getoid. I wonder if I could just create it here and update the CAPolicy file, because I have no idea what that script does. I will run that script on a machine anyway to see what it does. I will be too scared to do any OID stuff on our prod environment... I cannot see me doing this. This lab is informative, but no way can this PKI setup be on our prod. I also only wanted to know how to just use IIS for BitLocker recovery keys; now I'm building 20 servers in a lab haha

8 minutes ago, Imraz said:

I see this website https://freeoid.pythonanywhere.com/getoid. I wonder if I could just create it here and update the CAPolicy file, because I have no idea what that script does. I will run that script on a machine anyway to see what it does. I will be too scared to do any OID stuff on our prod environment... I cannot see me doing this. This lab is informative, but no way can this PKI setup be on our prod. I also only wanted to know how to just use IIS for BitLocker recovery keys; now I'm building 20 servers in a lab haha

I have run the OID script on an unrelated machine and I have been given this: 1.2.840.113556.1.8000.2554.4056.31062.24957.18466.39108.9288047.13760481. I don't know if this is an OID? Do you know what this means, Niall? Thank you again.


hi Imraz,

the scripts available on the internet allow you to create an OID for use in your lab for free, if you want one for production then as explained in the note in step 5

[screenshot of the note in step 5]

and I quote:

the preferred way to obtain a root object identifier (OID) is to request one from an International Standards Organization (ISO) Name Registration Authority. This is a one-time action; when you have obtained a root OID, the OID space it defines is yours and you can administer it yourself.

There is usually a fee associated with registering an organization name and receiving a root OID. Fees and registration policies vary by country/region. In the United States, the ISO NRA is the American National Standards Institute (ANSI). For more information about the ANSI registration procedure and fee schedule, see https://web.ansi.org. The ISO maintains a list of member organizations at https://www.iso.ch. If you are outside the United States, you should contact the ISO member organization for your country/region for name registration information.

Regardless of the source used to get the OID, if you intend to extend the Active Directory schema and wish to apply for the Certified for Windows logo, you must register your OID with Microsoft. For more information about how to register your OID with Microsoft, see Obtaining an Object Identifier from Microsoft.

 

I hope that clears it up

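Where the OID goes once you have one: an added PowerShell example (not the guide's step 4 script, nor anything from the thread's authors) that checks an OID looks like one the free generator scripts hand out, using the value Imraz posted above, and writes a CAPolicy.inf carrying it in [InternalPolicy] with LoadDefaultTemplates=0 as the series does. The CPS URL and the [Certsrv_Server] lifetimes are assumed values, not the guide's.

```powershell
# Added example: validate a lab OID and write C:\Windows\CAPolicy.inf with it.
# The OID default is the value posted in this thread; CPS URL and lifetimes are assumptions.
param(
    [string]$Oid    = '1.2.840.113556.1.8000.2554.4056.31062.24957.18466.39108.9288047.13760481',
    [string]$CpsUrl = 'http://pki.example.com/pki/cps.txt',   # placeholder CPS location
    [string]$Path   = 'C:\Windows\CAPolicy.inf'
)

function Test-LabOid {
    param([string]$Oid)
    # Dotted-decimal arcs only: first arc 0, 1 or 2; no leading zeros; no trailing dot.
    if ($Oid -notmatch '^[012](\.(0|[1-9][0-9]*))+$') { return $false }
    # The free OID generator scripts return values under Microsoft's 1.2.840.113556.1.8000.2554 arc;
    # a registered production OID from an ISO NRA would not start with it.
    return $Oid.StartsWith('1.2.840.113556.1.8000.2554.')
}

if (-not (Test-LabOid $Oid)) { throw "'$Oid' does not look like a generated lab OID" }

# Double-quoted here-string so $Oid and $CpsUrl expand; the literal $ in the signature is escaped.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[PolicyStatementExtension]
Policies=InternalPolicy

[InternalPolicy]
OID=$Oid
Notice="Legal Policy Statement"
URL=$CpsUrl

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0
"@

# CAPolicy.inf is read only during CA installation or renewal, so write it before ADCS setup.
Set-Content -Path $Path -Value $inf -Encoding ASCII
"Wrote $Path with issuance policy OID $Oid"
```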
On 6/19/2018 at 10:14 PM, anyweb said:

certutil -f -dspublish

For Step 6, also I'm not using an offline Root CA; in fact I'm using the Root CA on the DC in my lab. When I run the CRL component, I see it is successful; I can confirm the new entry in ADSI Edit. But with the CRT, it does not work. I get this error: CertUtil: -dsPublish command FAILED: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER) Certutil: Parameter is incorrect. Looking about, I don't have the registry entry that's meant to be there as per this good article: https://social.technet.microsoft.com/wiki/contents/articles/12035.ad-certification-authority-web-enrollment-configuration-failed-0x80070057-win32-87.aspx

 

Anyway I think this PKI is too much of an undertaking that will never be replicated in our Prod. Surely there is a much simpler way to just get some encryption for https traffic on SCCM. Will look at other sources for deploying BitLocker via SCCM.


I don't understand why you are saying things are not working in your lab when you are not following the guide exactly as I've explained it, I've done this guide multiple times, and it works every time. Do it right in your lab so that you get a better understanding of how it all fits together, then once it's working in your lab, try and implement something similar in production with the help of professional consultants in the PKI and/or SCCM area.


I can definitely confirm that this guide works. In truth, there aren't many alternative ways to install this, just a few. But it would be practically the same with hopefully the same result.
Do not install the PKI on a DC, and for simple deployments forget the OID and use the standard one.


Anyway I went to the doctor about a headache and got taken in to be treated for open heart surgery and a colonoscopy. This video from Patch My PC references this detailed undertaking but it has exactly what I needed to get a POC started in my LAB; this is all I needed for now:

 

9 hours ago, anyweb said:

I don't understand why you are saying things are not working in your lab when you are not following the guide exactly as I've explained it, I've done this guide multiple times, and it works every time. Do it right in your lab so that you get a better understanding of how it all fits together, then once it's working in your lab, try and implement something similar in production with the help of professional consultants in the PKI and/or SCCM area.

Yeah, that error can have many different causes not necessarily related to your exact setup. Anyway Justin from PatchMyPC has exactly what I need for now for some POCs. I will revisit this nice thread afterwards.

12 hours ago, anyweb said:

hi Imraz,

the scripts available on the internet allow you to create an OID for use in your lab for free, if you want one for production then as explained in the note in step 5

[screenshot of the note in step 5]

and I quote:

I hope that clears it up

I will look into this further, but is this required for the internet clients? I have to do some proper digging into PKI before making these kinds of mods if needed in production.


These guides explain how to set up PKI in a 2-tier setup; after you've completed these 8 detailed guides you are then ready to configure SCCM in HTTPS/PKI mode as explained here.

And after that, you are ready to configure BitLocker Management in PKI mode.

If you choose to set it up using other guides, then please understand that problems you may face may be directly a result of that choice.

On 2/25/2020 at 9:04 PM, Alex Shumilin said:

(quoting in full Alex Shumilin's post above about RootCA being the store name, not the host name, in certutil -dspublish)

Thanks a lot for clearing that up @Alex Shumilin, I've modified step 6, part 5 with a link to your comments, much appreciated!


It's available to logged-on members of windows-noob.com, which you now are, so try again and you'll see it's available.
