anyweb

How can I configure PKI in a lab on Windows Server 2016 - Part 6




This series consists of several parts, listed below.

In part 1 of this series, you configured your LAB for a 2 tier PKI hierarchy running on Windows Server 2016. You used PowerShell to create some virtual machines, and then installed Windows Server 2016, Windows 10 Enterprise version 1803 and optionally Smoothwall 3.1 before configuring the IP address scheme and computer names on the virtual machines. Finally you configured Active Directory Domain Services (AD DS) on DC01 so that you have a working Domain Controller for the rest of this LAB. In part 2 you installed and did the initial configuration of the Standalone Offline Root CA. In part 3 you prepared the HTTP web server for CDP and AIA publication and you created a DNS record for the publicly available web server.

In part 4 you performed post configuration on the Standalone Offline Root CA to set certificate revocation list (CRL) period registry settings using CertUtil, then enabled object access auditing and finally configured three locations for the Authority Information Access (AIA) and four locations for the CRL Distribution Point (CDP), again using CertUtil. In part 5 you joined the IssuingCA computer to the windowsnoob domain before creating a new CAPolicy.inf file customized for the Issuing CA role. Next, you published the Root CA certificate and CRL (both to Active Directory and the HTTP web server) and installed the Enterprise Issuing CA before submitting a request to the Standalone Offline Root CA. Finally you installed the Issuing CA certificate using the response files brought back from the Standalone Offline Root CA on removable media.

In this part, you will perform post installation and configuration of the IssuingCA server.

Step 1. Configure Certificate Revocation and CA Certificate Validity Periods

To configure certificate revocation and CA certificate validity periods ensure that you are logged on to the IssuingCA server as windowsnoob\EntAdmin (you can use whoami in the command prompt to verify which user is logged on).

Configure the CRL and Delta CRL settings

These four values control how often the CA publishes a base CRL (CRLPeriodUnits and CRLPeriod, here every week) and a delta CRL (CRLDeltaPeriodUnits and CRLDeltaPeriod, here every day). Registry values set with certutil -setreg are only read when the service starts, so they take effect after the restart at the end of Step 4. Enter the following commands, one at a time, from an administrative command prompt:

Certutil -setreg CA\CRLPeriodUnits 1

Certutil -setreg CA\CRLPeriod "Weeks"

Certutil -setreg CA\CRLDeltaPeriodUnits 1

Certutil -setreg CA\CRLDeltaPeriod "Days"

The output of the above commands is shown below.

Configure the CRL and Delta CRL settings.png

Define CRL overlap settings

The overlap period is added to the validity of each published CRL, so the previous CRL stays usable for 12 hours after its successor is due. That covers a late publication or a slow copy to the CDP locations without clients seeing an expired CRL. Enter the following commands, one at a time, from an administrative command prompt:

Certutil -setreg CA\CRLOverlapPeriodUnits 12

Certutil -setreg CA\CRLOverlapPeriod "Hours"

The output of the above commands is shown below.

define crl overlap settings.png

Configure the certificate validity period

The default validity period for certificates issued from the IssuingCA server is 2 years (ValidityPeriodUnits = 2, ValidityPeriod = Years), stored in the registry under HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\windows noob Issuing CA as shown here.

the default validity period.png

You can adjust this setting to define the maximum lifetime of certificates issued from the IssuingCA server. It is a ceiling: a certificate template can request a shorter lifetime but never a longer one, and no issued certificate outlives the CA certificate itself. It is recommended that you don't configure validity periods longer than half the total lifetime of the windows noob Issuing CA certificate, which was issued to be valid for 10 years. Note that the lifetime of a subordinate CA certificate is decided by the ValidityPeriod settings of the CA that signed the request, the Standalone Offline Root CA in this lab; the following line from the CAPolicy.inf you created on the IssuingCA in part 5 looks as if it sets it, but RenewalValidityPeriodUnits only applies to a root CA renewing its own certificate.

RenewalValidityPeriodUnits=10

To limit issued certificates to 5 years, enter the following commands, one at a time, from an administrative command prompt:

Certutil -setreg CA\ValidityPeriodUnits 5

Certutil -setreg CA\ValidityPeriod "Years"

The output of the above commands is shown below.

crlvalidityperiodunits.png
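As an added example (not part of the original post), the following PowerShell script reads the values just set back out of the CA's registry key and checks them against the rules described above: the delta CRL and overlap periods must be shorter than the base CRL period, and the issued validity should be at most half the CA certificate's lifetime and must fit inside its remaining life. It assumes an elevated PowerShell session on the IssuingCA server; the CA name is discovered from the registry rather than hard-coded.

```powershell
# Added example (not from the original post): read the Issuing CA's registry
# configuration and check the CRL and validity settings against the rules above.
# Assumes an elevated PowerShell session on the IssuingCA server; the CA name is
# taken from the 'Active' registry value instead of being hard-coded.
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot -Name Active).Active
$ca      = Get-ItemProperty -Path (Join-Path $cfgRoot $caName)

# Turn a (units, period name) pair, as stored by certutil -setreg, into a TimeSpan.
# Months and years are approximated as 30 and 365 days, close enough for the
# "half the CA certificate lifetime" comparison.
function ConvertTo-CaTimeSpan {
    param([int]$Units, [string]$Period)
    switch ($Period.ToLower()) {
        'hours'  { return New-TimeSpan -Hours $Units }
        'days'   { return New-TimeSpan -Days  $Units }
        'weeks'  { return New-TimeSpan -Days  ($Units * 7) }
        'months' { return New-TimeSpan -Days  ($Units * 30) }
        'years'  { return New-TimeSpan -Days  ($Units * 365) }
        default  { throw "Unknown period unit '$Period'" }
    }
}

$baseCrl  = ConvertTo-CaTimeSpan $ca.CRLPeriodUnits        $ca.CRLPeriod
$deltaCrl = ConvertTo-CaTimeSpan $ca.CRLDeltaPeriodUnits   $ca.CRLDeltaPeriod
$overlap  = ConvertTo-CaTimeSpan $ca.CRLOverlapPeriodUnits $ca.CRLOverlapPeriod
$issued   = ConvertTo-CaTimeSpan $ca.ValidityPeriodUnits   $ca.ValidityPeriod

# The CA's own certificate sits in the local machine Personal store; its lifetime is
# the figure the "no longer than half the CA certificate lifetime" rule refers to.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
          Where-Object { $_.Subject -like "CN=$caName,*" -or $_.Subject -eq "CN=$caName" } |
          Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $caCert) { throw "CA certificate for '$caName' not found in Cert:\LocalMachine\My" }
$caLife = $caCert.NotAfter - $caCert.NotBefore

$checks = @(
    @{ Name = 'Delta CRL period is shorter than the base CRL period';   Ok = ($deltaCrl -lt $baseCrl) }
    @{ Name = 'Overlap period is shorter than the base CRL period';     Ok = ($overlap  -lt $baseCrl) }
    @{ Name = 'Issued validity is at most half the CA cert lifetime';   Ok = (($issued.TotalDays * 2) -le $caLife.TotalDays) }
    @{ Name = 'Issued validity fits inside the CA cert remaining life'; Ok = ((Get-Date).Add($issued) -le $caCert.NotAfter) }
)

"CA: $caName"
$summary = "Base CRL {0} days, delta CRL {1} hours, overlap {2} hours, issued validity {3} days, CA certificate lifetime {4} days" -f $baseCrl.TotalDays, $deltaCrl.TotalHours, $overlap.TotalHours, $issued.TotalDays, [int]$caLife.TotalDays
$summary
foreach ($c in $checks) {
    "{0} {1}" -f ($(if ($c.Ok) { 'PASS' } else { 'FAIL' }), $c.Name)
}
```

With the values from this part you should see three or four PASS lines; a FAIL on the last check means the CA certificate itself is closer to expiry than the validity you are handing out, and issued certificates will be silently truncated to the CA's NotAfter date.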

Step 2. Enable Auditing on the Issuing CA
CA auditing only produces events if object access auditing is enabled on the server (the Certification Services subcategory of the Object Access category). To enable it with Local Security Policy, click Start, click Administrative Tools, and then select Local Security Policy. Expand Local Policies and then select Audit Policy. Double-click Audit Object Access, select Success and Failure, and then click OK. If a Group Policy Object applied to this server also defines audit policy, it overrides the local setting, so confirm the effective policy with auditpol /get /category:"Object Access" from an administrative command prompt.

audit object access.png

Close Local Security Policy editor.

Configure Auditing for all CA related events
Enable auditing for the CA by selecting which groups of events to audit on the Auditing tab of the Certification Authority MMC snap-in, or by setting the AuditFilter registry value. The value is a bit mask with one bit for each of the seven event groups on that tab, and 127 sets them all. To configure auditing for all CA related events, run the following command from an administrative command prompt (the new value is used once the service is restarted, which you do at the end of Step 4):

Certutil -setreg CA\AuditFilter 127

The results of that command are shown below.

audit all CA events.png
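As an added example (not part of the original post), here is the same auditing setup done from PowerShell, together with a decode of the AuditFilter mask so you can see which of the seven event groups are enabled on a CA you did not configure yourself. It assumes an elevated session on the IssuingCA server; the bit-to-event mapping is stated from the CA's Auditing tab and is labelled an assumption in the code, so confirm it on your own CA.

```powershell
# Added example (not from the original post): enable the auditing from Step 2 on the
# command line and decode the CA\AuditFilter mask back into the checkboxes it stands for.
# Assumes an elevated PowerShell session on the IssuingCA server.

# auditpol enables only the 'Certification Services' subcategory of Object Access,
# which is the one the CA writes to; the Local Security Policy step above enables
# every Object Access subcategory. If a domain GPO also sets audit policy for this
# server the GPO wins, so the effective setting is read back at the end.
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# 127 = bits 1..64 set = every CA event group. The service must be restarted before
# a new AuditFilter value is used.
certutil -setreg CA\AuditFilter 127

# Bit-to-event mapping of CA\AuditFilter. Assumption: this is the mapping as read off
# the Auditing tab of the CA properties; confirm it on your own CA by toggling one
# checkbox and re-reading the value.
$auditBits = [ordered]@{
    1  = 'Start and stop Active Directory Certificate Services'
    2  = 'Back up and restore the CA database'
    4  = 'Issue and manage certificate requests'
    8  = 'Revoke certificates and publish CRLs'
    16 = 'Change CA security settings'
    32 = 'Store and retrieve archived keys'
    64 = 'Change CA configuration'
}

function Get-CaAuditFilter {
    $cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName  = (Get-ItemProperty -Path $cfgRoot -Name Active).Active
    $mask    = (Get-ItemProperty -Path (Join-Path $cfgRoot $caName) -Name AuditFilter).AuditFilter
    foreach ($bit in $auditBits.Keys) {
        [pscustomobject]@{
            Bit     = $bit
            Enabled = (($mask -band $bit) -ne 0)
            Event   = $auditBits[$bit]
        }
    }
}

Get-CaAuditFilter | Format-Table -AutoSize
auditpol /get /subcategory:"Certification Services"
```

If the auditpol output shows "No Auditing" after the set, a GPO is overriding the local policy and the CA events will not be written whatever AuditFilter says.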

Step 3. Configure the AIA
The Authority Information Access (AIA) extension in each issued certificate tells a client where to download the certificate of the CA that issued it (and so the CA's public key) when it builds a chain. You can configure the AIA in the CA console, in the registry, or with certutil; certutil is the quick and common method. The number in front of each location is a flag: 1 means the CA publishes its certificate to that location, 2 means the location is written into the AIA extension of issued certificates. When you run the following certutil command, you'll configure:

  • a local file system location (flag 1, publish only)
  • a Lightweight Directory Access Protocol (LDAP) location (flag 2)
  • an HTTP location (flag 2)

Clients try the AIA locations in the order listed, so if many non-domain-joined clients will chain to this CA, listing the HTTP location before the LDAP one saves them a timeout on an ldap:/// URL they cannot reach. To configure the AIA using certutil, open an administrative command prompt and enter the following command. Pay close attention to the HTTP address: it's currently pointing to my HTTP web server, so change it to yours.

certutil -setreg CA\CACertPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n2:http://pki.windows-noob.com/CertEnroll/%1_%3%4.crt"

The output of that command is shown below:

certutil output.png

After you have run that command, run the following command to confirm your settings:

certutil -getreg CA\CACertPublicationURLs

The result of that command is shown below:

confirm the certutil settings.png

You can also confirm these settings in the registry by using regedit and browsing to the following path:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\windows noob Issuing CA

and opening the CACertPublicationURLs REG_MULTI_SZ value. You should see the following:

1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt
2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11
2:http://pki.windows-noob.com/CertEnroll/%1_%3%4.crt

as shown below:

confrim certutil CACertPublicationURLS in registry.png

You can also see this in the CA console (certsrv.msc). Click Start, select Administrative Tools, and then click Certification Authority. In the navigation pane, expand Certification Authority (Local). Right-click windows noob Issuing CA and then click Properties. On the Extensions tab, under Select extension, click Authority Information Access (AIA) and you will see the graphical representation of the AIA settings, with the flag numbers represented by the check boxes below the list.

aia properties in certserv.png

Copy the windows noob Issuing CA certificate to the http AIA location

To copy the windows noob Issuing CA certificate (the .crt file, which follows the %1_%3%4 pattern, that is server FQDN, underscore, CA name) to the HTTP AIA location, run the following command on the IssuingCA server while logged on as windowsnoob\EntAdmin. Your CRT file will more than likely be named differently, so change the command accordingly, and the account you run it as needs write access to the share.

copy "c:\Windows\System32\certsrv\certenroll\IssuingCA.windowsnoob.lab.local_windows noob Issuing CA.crt" \\webserver.windowsnoob.lab.local\certenroll\

as shown below:

copying from the command prompt.png

Step 4. Configure the CDP

Clients use the CDP extension to locate the CRL and delta CRLs for certificates issued by the CA, so they can check that a certificate has not been revoked. As with the AIA, you can configure the CDP in the CA console (certsrv.msc), with certutil, or directly in the registry; certutil is the quick and common method. The number in front of each location is a bit mask: 1 publishes the base CRL there, 64 publishes the delta CRL there, 2 writes the location into the CDP extension of issued certificates, 4 writes it into base CRLs as the place to find the delta CRL, and 8 marks it as the location to use when publishing to Active Directory manually. When you run the following certutil command, you'll configure:

  • a local file system location (65 = publish base and delta CRLs)
  • an LDAP location (79 = publish both, and reference it from certificates and CRLs)
  • an HTTP location (6 = referenced from certificates and CRLs, nothing is published there by the CA itself)
  • a UNC file system location on the web server (65 = publish base and delta CRLs)

Note: the UNC location is what copies the CRL over the network to the web server (webserver.windowsnoob.lab.local) into the folder IIS serves at the HTTP location, which is why we earlier gave the Cert Publishers group access to the share and folder. The computer account of every enterprise CA is added to Cert Publishers when the CA role is installed, so we effectively allowed every enterprise CA in the domain to write to the CertEnroll folder on the web server (the offline Root CA is not domain joined and is not a member). Some administrators prefer a separate group containing only the specific CA computers, or grant the permission to each CA individually.

Adjust this command so that the HTTP and UNC locations point to your own web server, then open a command prompt as Administrator and enter the following:

certutil -setreg CA\CRLPublicationURLs "65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n6:http://pki.windows-noob.com/CertEnroll/%3%8%9.crl\n65:\\webserver.windowsnoob.lab.local\CertEnroll\%3%8%9.crl"

as shown below:

configuring the cdp via certutil.png

After you run that command, run the following certutil command to verify your settings:

certutil -getreg CA\CRLPublicationURLs

as shown below:

certutil crlpublicationurls confirmation.png

You can also verify it in the registry by browsing to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\windows noob Issuing CA

using regedit, where the CRLPublicationURLs value should contain the following:


65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl
79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
6:http://pki.windows-noob.com/CertEnroll/%3%8%9.crl
65:\\webserver.windowsnoob.lab.local\CertEnroll\%3%8%9.crl

as shown below:

crlpublicationurls in registry.png

Registry values changed with certutil -setreg are only read when the service starts, so restart Active Directory Certificate Services and then publish a fresh CRL. Using an administrative command prompt, start PowerShell, then run the following commands:

Restart-Service certsvc

followed by:

certutil -crl

certutil -crl writes a new base CRL and delta CRL to every location flagged for publishing (1 or 64) in CRLPublicationURLs. If it reports an error, one of those locations could not be written, most often the UNC path on the web server when the share or folder permissions are wrong. The output is shown below:

restart services.png
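As an added example (not part of the original post) covering Steps 3 and 4 together, this PowerShell script decodes the flag numbers in CACertPublicationURLs and CRLPublicationURLs, checks that every file the CA wrote to its local CertEnroll folder is also present, byte for byte, on the web server share and at the HTTP URL, and then has certutil fetch every AIA and CDP URL in the chain the way a client would. It assumes an elevated session on the IssuingCA server, run as an account that can read the web server share, and that the HTTP host name resolves from the CA; all paths and URLs are read from the CA's registry rather than hard-coded.

```powershell
# Added example (not from the original post): after 'certutil -crl', confirm that the
# CRLs and the CA certificate reached every location configured in Steps 3 and 4, and
# decode the numeric flags in front of each URL. Assumes an elevated PowerShell session
# on the IssuingCA server, run as an account that can read the web server share, with
# the HTTP CDP/AIA host name resolvable from this machine.
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot -Name Active).Active
$ca      = Get-ItemProperty -Path (Join-Path $cfgRoot $caName)
$local   = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'

# Meaning of the flag bits certutil prefixes to each URL ("65:", "79:", "6:", "1:", "2:").
$flagNames = [ordered]@{
    1   = 'PublishToHere'         # CA writes the CRL / CA certificate to this location
    2   = 'IncludeInCertCDPorAIA' # URL goes into the CDP or AIA extension of issued certs
    4   = 'IncludeInFreshestCRL'  # delta CRL location, placed in base CRLs
    8   = 'IncludeInAllCRLs'      # location used when publishing to AD manually
    32  = 'IncludeInCertOCSP'     # AIA only: advertise as an OCSP responder URL
    64  = 'PublishDeltaToHere'    # CA writes delta CRLs here as well
    128 = 'IncludeInCrlIDP'       # issuing distribution point extension of CRLs
}
function Expand-Flags([int]$Mask) {
    ($flagNames.Keys | Where-Object { $Mask -band $_ } | ForEach-Object { $flagNames[$_] }) -join ','
}
function ConvertFrom-PublicationUrl([string[]]$Entries) {
    foreach ($e in $Entries) {
        $flags, $url = $e -split ':', 2
        [pscustomobject]@{ Flags = [int]$flags; Meaning = Expand-Flags ([int]$flags); Url = $url }
    }
}
$cdp = ConvertFrom-PublicationUrl $ca.CRLPublicationURLs
$aia = ConvertFrom-PublicationUrl $ca.CACertPublicationURLs
'CDP (CRLPublicationURLs):';    $cdp | Format-Table -AutoSize | Out-String
'AIA (CACertPublicationURLs):'; $aia | Format-Table -AutoSize | Out-String

# The local CertEnroll folder is the source of truth: everything the CA wrote there must
# also be at the HTTP and UNC bases. The base is the configured entry with the file-name
# pattern (%3%8%9.crl) stripped off, so file names are compared as the CA names them.
$httpBase = ($cdp | Where-Object { $_.Url -like 'http://*' } | Select-Object -First 1).Url -replace '[^/]+$', ''
$uncBase  = ($cdp | Where-Object { $_.Url -like '\\*' }     | Select-Object -First 1).Url -replace '[^\\]+$', ''

$results = foreach ($f in Get-ChildItem "$local\*" -Include *.crl, *.crt) {
    $localHash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    $uncPath   = Join-Path $uncBase $f.Name
    $uncOk     = (Test-Path $uncPath) -and ((Get-FileHash -Path $uncPath -Algorithm SHA256).Hash -eq $localHash)
    $tmp       = Join-Path $env:TEMP $f.Name
    try {
        Invoke-WebRequest -Uri ($httpBase + $f.Name) -UseBasicParsing -OutFile $tmp
        $httpOk = (Get-FileHash -Path $tmp -Algorithm SHA256).Hash -eq $localHash
    } catch { $httpOk = $false }
    Remove-Item $tmp -ErrorAction SilentlyContinue
    [pscustomobject]@{ File = $f.Name; OnShare = $uncOk; OverHttp = $httpOk }
}
$results | Format-Table -AutoSize | Out-String

# Finally let Windows chase the AIA and CDP itself: certutil -verify -urlfetch builds the
# chain for the CA certificate and downloads every URL in it, including the Root CA's.
# A non-zero exit code or an ERROR line means a location is wrong or unreachable.
$caCrt = Get-ChildItem "$local\*.crt" | Sort-Object LastWriteTime -Descending | Select-Object -First 1
certutil -verify -urlfetch $caCrt.FullName | Select-String -Pattern 'Verified|ERROR|Failed'
"certutil exit code: $LASTEXITCODE"
```

A stale HTTP copy (OnShare True, OverHttp False) usually means IIS is caching or serving a different folder than the share; a False in both columns for the delta CRL (the file with + in its name) means the UNC entry is missing the 64 flag. Running the certutil -verify -urlfetch line from a non-domain-joined client is a good final test, since that is the path an external client will take.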

That's it for this part, join me in Part 7 where you will Install and configure the OCSP Responder role service.
