Jump to content


  • 0
anyweb

How can I configure PKI in a lab on Windows Server 2016 - Part 7

Question

This series is comprised of different parts, listed below.

In part 1 of this series, you configured your LAB for a 2 tier PKI hierarchy running on Windows Server 2016. You used PowerShell to create some virtual machines, and then installed Windows Server 2016,  Windows 10 Enterprise version 1803 and optionally Smoothwall 3.1 before configuring the IP address scheme and Computer Names on the virtual machines. Finally you configured ADDS on DC01 so that you have a working Domain Controller for the rest of this LAB. In part 2 you installed and did the initial configuration on the Standalone Offline Root CA. In part 3 you prepared the HTTP Web Server for CDP and AIA Publication and you created a DNS record for the publicly available web server.

In part 4 you performed post configuration on the Standalone Offline Root CA to set certificate revocation list (CRL) period registry settings using CertUtil, and then enabled object access Auditing and finally, you configured three locations for the Authority Information Access (AIA) and four locations for the Certificate revocation list Distribution Point (CDP), again using CertUtil. In part 5 you joined the IssuingCA computer to the windowsnoob domain before creating a new CAPolicy.inf file which was customized for the Issuing CA role. Next, you published the Root CA Certificate and CRL (both to Active Directory and the HTTP web server) and you installed the Enterprise Issuing CA before submitting a request to the StandAlone Offline Root CA. Next you installed the Issuing CA Certificate using the response files from the StandAlone Offline Root CA on the removable media.

In part 6, you performed post installation and configuration of the IssuingCA server by configuring Certificate Revocation and CA Certificate Validity Periods, you then enabled auditing on the CA server, and configured the AIA and CDP. In this part you will install and configure the OCSP responder role service on the web server. The use of Online Responders that distribute OCSP responses (1) along with the use of CRLs, is one of two common methods for conveying information about the validity of certificates. Unlike CRLs, which are distributed periodically and contain information about all certificates that have been revoked or suspended, an Online Responder receives and responds only to requests from clients for information about the status of a single certificate. The amount of data retrieved per request remains constant regardless of the number of revoked certificate. For more information about why having an OCSP is a good thing in your PKI environment read here (2).

Step 1. Install the Online Responder Role Service on the web server
Ensure that you are logged on to webserver.windowsnoob.lab.local as windowsnoob\Administrator. Open Server Manager. Right click on Roles, click Add Roles. On the Before You Begin page, then select Next. On the Select Server Roles page, select Active Directory Certificate Services

active directory certificate services.png

and then click Next. If you are prompted to add features, click Add features.

add features that are required for active directory certificate services.png

On the Features page, click Next, on the introduction to Active Directory Certificate Services page, click Next.

adcs intro.png

On the Select Role Services page, clear the Certification Authority option, and then select Online Responder as shown below:

Note: You do not want to install a Certification Authority on the web server, so make sure you clear that checkbox.

online responder.png

if you are prompted to add features required for the online responder, click Add features.

add features for ocsp role.png

On the confirmation screen, click Install and wait for the installation to complete successfully. When you see it has completed successfully, click close.

close the wizard.png

Note: You must complete the post-deployment configuration.

Click on the yellow exclamation mark in Server manager to start the post deployment configuration.

post deployment configuration.png

On the specify credentials page, ensure you are logged on with a user account that has local administrator permissions before clicking next.

specify credentials.png

on the Specify role services to configure, select Online Responder and click Next.

online responder.png

On the Confirmation screen click Configure. That's it.

configure.png

On the configuration succeeded screen, click Close.

configuration succeeded.png

Step 2. Add the OCSP URL to the windowsnoob Issuing CA
To add the OCSP URL to the windowsnoob Issuing CA ensure that you are logged on to the IssuingCA server as windowsnoob\EntAdmin.

whoami.png

In the Certification Authority console (certsrv.msc),

CERTSRV.png

in the console tree, right-click windowsnoob Issuing CA, and then click Properties. On the Extensions tab, under Select extension, select Authority Information Access (AIA), and then click Add. In Location, type http://webserver.windowsnoob.lab.local/ocsp and then click OK.

add aia ocsp.png

Place a check mark in Include in the online certificate status protocol (OCSP) extension. Do not select the other option.

add aia ocsp.png

Click Apply, when prompted by the Certification Authority dialog box to restart Active Directory Certificate Services, click Yes.

restart acds.png

Note: The windowsnoob Issuing CA will now include the http://webserver.windowsnoob.lab.local/ocsp URL as part of Authority Information Access (AIA) extension in all newly issued certificates issued or renewed or re-enrolled certificates, however, certificates enrolled from the windowsnoob Issuing CA prior to this change will not have this URL.

Step 3. Configure and Publish the OCSP Response Signing Certificate on the Issuing CA
To configure the OCSP response signing certificate on the windowsnoob Issuing CA server, do as follows. Ensure that you are logged on as windowsnoob\Entadmin.  In the Certification Authority console, ensure that the windowsnoob Issuing CA is expanded in the console tree. Right-click on Certificate Templates and then click Manage.

manage certificate templates.png

Note: If you do not use the EntAdmin account you'll see the following error: "windows could not create the object identifier list. the specified domain either does not exist or could not be contacted. certificate templates are not available".

The Certificate Templates window should open and display the certificate templates stored in Active Directory.

certificate templates.png

In the details pane (middle pane), scroll down and right-click on the OCSP Response Signing certificate template and then click Properties. On the Security tab click Add. Click Object Types. In the Object Types dialog box, select Computers and then click OK.In Enter the object names to select, type webserver and then click Check Names. Click OK

webserver added.png

Ensure that webserver is selected and in the Allow column, ensure that both the Read and Enroll permissions are selected before clicking Apply.

enroll.png

Close the Certificate Templates MMC console. In the certsrv.msc console, right-click Certificate Templates, then select New and then select Certificate Template to Issue.

new certificate template to issue.png

In the Enable Certificate Templates dialog box, click OCSP Response Signing and then click OK

ocsp response signing certificate template.png

Step 4. Configure Revocation Configuration on the Online Responder

Logon to the web server as windowsnoob\administrator. Open Server Manager. In the console tree, click on Tools, expand Active Directory Certificate Services, and then expand Online Responder management.

online responder management.png

Right-click Revocation Configuration and then click Add Revocation Configuration.

add revocation configuration.png

On the Getting Started with Adding a Revocation Configuration page click Next.

getting started with adding a revocation configuration.png

In Name, enter windowsnoob Issuing CA, and then click Next.

windowsnoob issuing ca name.png

On the Select a CA Certificate Location page ensure that Select a certificate for an Existing enterprise CA is selected, then click Next.

select a certificate for an existing enterprise CA.png

On the Choose CA Certificates page, ensure that Browse CA certificates published in Active Directory is selected, and then click Browse.

browse CA certificates published in Active Directory.png

On the Select Certification Authority dialog box, ensure that the windowsnoob Issuing CA is selected, and then click OK.

select certificate authority.png
    
Click Next.

windowsnoob issuing ca selected.png

Leave the defaults on the Select Signing Certificate page, and then click Next.

select signing certificate defaults.png
On the Revocation Provider page, click Provider. You can review the choices listed for the OCSP Responder in terms of where to download CRLs in the form of LDAP and HTTP locations, do not change the base CRL's.

revocation provider properties.png

Clear the Refresh CRLs based on their validity periods check box. In the Update CRLs at this refresh interval (min) box, type 15, and then click OK. Click Finish.

update crls at this refresh interval.png

Note: Modifying this setting to download CRLs at a faster rate than the CRLs normal expiration makes it possible for the OCSP responder to rapidly download new CRLs rather than use the last downloaded CRLs normal expiration date. If you are setting up PKI in Production, consult with a PKI expert to determine if you should change the value chosen here.

In the Certification Authority console, expand Array Configuration and then click the webserver.windowsnoob.lab.local computer.  Verify that the Revocation Configuration Status in the middle pane is OK to ensure that there is a signing certificate present and that the status reports as OK. It should state:

Type: Microsoft CRL-based revocation status provider
The revocation provider is successfully using the current configuration

array configuration.png

Step 5. Configure Group Policy to Provide the OCSP URL for the windowsnoob Issuing CA on DC01

This configuration should only be needed to allow existing certificate holders to take advantage of a new OCSP responder without having to re-enroll new certificates with the required OCSP URL added in them. To do this configuration ensure you are logged on to DC01.windowsnoob.lab.local as windowsnoob\Administrator. Open an administrative command prompt and run the following commands:

cd \

press Enter then,

certutil -config "IssuingCA.windowsnoob.lab.local\windows noob Issuing CA" -ca.cert windowsnoobissuingca.cer

the output should be something like this

certutil ca cert command completed successfully.png

Tip: If you get an error from the above command line, you can verify the correct certutil syntax for your lab by simply typing certutil and make note of the Config line as shown below.

config.png

Click Start, click Run, and then type gpmc.msc and press enter. Expand Forest, expand Domains, expand windowsnoob.lab.local, and then expand Group Policy Objects. Right click Default Domain Policy, then click Edit. Under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then expand Public Key Policies.

gpmc.png

Right-click Intermediate Certification Authorities, and then click Import. On the Welcome to Certificate Import Wizard page, click Next.

import.png

In File name, type C:\windowsnoobissuingca.cer, and then click Next.

import CER file.png

On the Certificate Store page, click Next.

certificate store.png

On the Completing the Certificate Import Wizard, click Finish, and then click OK.

completing the certificate import wizard.png

You should see "The import was successful".

the import was successful.png

In the console tree, select Intermediate Certification Authorities. In the details pane, right-click the windowsnoob Issuing CA, then click Properties.

properties of the intermediate certificate authorities.png

On the OCSP tab, in the Add URL box enter http://webserver.windowsnoob.lab.local/ocsp, and then click Add URL. Click OK.

add ocsp url.png

You can now close the Group Policy Management Editor and then close the Group Policy Management console.

That's all for this part, please join me in Part 8 where you will Configure AutoEnroll and verify PKI health.

Recommended reading

(1) - OCSP responses https://www.ietf.org/rfc/rfc2560.txt

(2) - Introducing OCSP - https://blogs.technet.microsoft.com/askds/2009/06/24/implementing-an-ocsp-responder-part-i-introducing-ocsp/

Share this post


Link to post
Share on other sites

Recommended Posts

  • 0

Hi

 

I think in this: 

certutil -config "IssuingCA.windowsnoob.lab.local\windows noob Issuing CA" -ca.cert windowsnoobissuingca.cer

the path where to store the .cer is missing. 

When I'm using 

certutil -config "IssuingCA.windowsnoob.lab.local\windows noob Issuing CA" -ca.cert c
:\temp\windowsnoobissuingca.cer

then I can find and import the certificate

Share this post


Link to post
Share on other sites

  • 0

thanks for the feedback, but no it's not missing,  that is why we do cd \ in step 5, it moves us from c:\windows\system32 to c:\ before running the command, which in turn, creates the cert in that location, if you want to specify the location of it go ahead and it's possible, but it's not 'missing' if you follow the steps above exactly, it will work 100%

this command retrieves the CA certificate from the issuingca and places (recreates it) using the name you specify in the folder you are currently in

see docs: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil

 

 

-ca.cert

CertUtil [Options] -ca.cert OutCACertFile [Index]

Retrieve the CA's certificate

OutCACertFile: output file

Index: CA certificate renewal index (defaults to most recent)

[-f] [-split] [-config Machine\CAName]

 

cheers

niall

Share this post


Link to post
Share on other sites

  • 0

If you're using powershell to run the following command:

certutil -config "IssuingCA.windowsnoob.lab.local\windows noob Issuing CA" -ca.cert windowsnoobissuingca.cer


You'll get an error for too many arguments.  I believe due escaping from the '\' symbol.  You may want to update the tutorial to clarify that it needs to be a command prompt and that using powershell will not work.  I wasted a good hour on this trying to figure out why the command was giving me the 'too many arguments' error.

  • Like 1

Share this post


Link to post
Share on other sites

  • 0

thanks for the feedback, i will amend the guide to point this out, however the guide does not show a powershell cmd prompt for that cmd, fyi and i'm sure you've noticed that by now...

Share this post


Link to post
Share on other sites

  • 0

probably to add an additional layer of security to the CA, as the OCSP and CRL's are on an internet facing server whereas the CA is not

Share this post


Link to post
Share on other sites

  • 0
On 3/13/2020 at 3:52 PM, The Dark Lord Sauron said:

If you're using powershell to run the following command:

certutil -config "IssuingCA.windowsnoob.lab.local\windows noob Issuing CA" -ca.cert windowsnoobissuingca.cer


You'll get an error for too many arguments.  I believe due escaping from the '\' symbol.  You may want to update the tutorial to clarify that it needs to be a command prompt and that using powershell will not work.  I wasted a good hour on this trying to figure out why the command was giving me the 'too many arguments' error.

Hello,

Awsesome tutorials!

@The Dark Lord Sauron, You can easilly pipe to cmd if you want to execute the command in powershell:

'certutil -config "IssuingCA.windowsnoob.lab.local\windows noob Issuing CA" -ca.cert windowsnoobissuingca.cer' | cmd

Greetings!!

  • Like 1

Share this post


Link to post
Share on other sites

  • 0
On 7/3/2018 at 1:39 PM, anyweb said:

This series is comprised of different parts, listed below.

In part 1 of this series, you configured your LAB for a 2 tier PKI hierarchy running on Windows Server 2016. You used PowerShell to create some virtual machines, and then installed Windows Server 2016,  Windows 10 Enterprise version 1803 and optionally Smoothwall 3.1 before configuring the IP address scheme and Computer Names on the virtual machines. Finally you configured ADDS on DC01 so that you have a working Domain Controller for the rest of this LAB. In part 2 you installed and did the initial configuration on the Standalone Offline Root CA. In part 3 you prepared the HTTP Web Server for CDP and AIA Publication and you created a DNS record for the publicly available web server.

In part 4 you performed post configuration on the Standalone Offline Root CA to set certificate revocation list (CRL) period registry settings using CertUtil, and then enabled object access Auditing and finally, you configured three locations for the Authority Information Access (AIA) and four locations for the Certificate revocation list Distribution Point (CDP), again using CertUtil. In part 5 you joined the IssuingCA computer to the windowsnoob domain before creating a new CAPolicy.inf file which was customized for the Issuing CA role. Next, you published the Root CA Certificate and CRL (both to Active Directory and the HTTP web server) and you installed the Enterprise Issuing CA before submitting a request to the StandAlone Offline Root CA. Next you installed the Issuing CA Certificate using the response files from the StandAlone Offline Root CA on the removable media.

In part 6, you performed post installation and configuration of the IssuingCA server by configuring Certificate Revocation and CA Certificate Validity Periods, you then enabled auditing on the CA server, and configured the AIA and CDP. In this part you will install and configure the OCSP responder role service on the web server. The use of Online Responders that distribute OCSP responses (1) along with the use of CRLs, is one of two common methods for conveying information about the validity of certificates. Unlike CRLs, which are distributed periodically and contain information about all certificates that have been revoked or suspended, an Online Responder receives and responds only to requests from clients for information about the status of a single certificate. The amount of data retrieved per request remains constant regardless of the number of revoked certificate. For more information about why having an OCSP is a good thing in your PKI environment read here (2).

Step 1. Install the Online Responder Role Service on the web server
Ensure that you are logged on to webserver.windowsnoob.lab.local as windowsnoob\Administrator. Open Server Manager. Right click on Roles, click Add Roles. On the Before You Begin page, then select Next. On the Select Server Roles page, select Active Directory Certificate Services

active directory certificate services.png

and then click Next. If you are prompted to add features, click Add features.

add features that are required for active directory certificate services.png

On the Features page, click Next, on the introduction to Active Directory Certificate Services page, click Next.

adcs intro.png

On the Select Role Services page, clear the Certification Authority option, and then select Online Responder as shown below:

Note: You do not want to install a Certification Authority on the web server, so make sure you clear that checkbox.

online responder.png

if you are prompted to add features required for the online responder, click Add features.

add features for ocsp role.png

On the confirmation screen, click Install and wait for the installation to complete successfully. When you see it has completed successfully, click close.

close the wizard.png

Note: You must complete the post-deployment configuration.

Click on the yellow exclamation mark in Server manager to start the post deployment configuration.

post deployment configuration.png

On the specify credentials page, ensure you are logged on with a user account that has local administrator permissions before clicking next.

specify credentials.png

on the Specify role services to configure, select Online Responder and click Next.

online responder.png

On the Confirmation screen click Configure. That's it.

configure.png

On the configuration succeeded screen, click Close.

configuration succeeded.png

Step 2. Add the OCSP URL to the windowsnoob Issuing CA
To add the OCSP URL to the windowsnoob Issuing CA ensure that you are logged on to the IssuingCA server as windowsnoob\EntAdmin.

whoami.png

In the Certification Authority console (certsrv.msc),

CERTSRV.png

in the console tree, right-click windowsnoob Issuing CA, and then click Properties. On the Extensions tab, under Select extension, select Authority Information Access (AIA), and then click Add. In Location, type http://webserver.windowsnoob.lab.local/ocsp and then click OK.

add aia ocsp.png

Place a check mark in Include in the online certificate status protocol (OCSP) extension. Do not select the other option.

add aia ocsp.png

Click Apply, when prompted by the Certification Authority dialog box to restart Active Directory Certificate Services, click Yes.

restart acds.png

Note: The windowsnoob Issuing CA will now include the http://webserver.windowsnoob.lab.local/ocsp URL as part of Authority Information Access (AIA) extension in all newly issued certificates issued or renewed or re-enrolled certificates, however, certificates enrolled from the windowsnoob Issuing CA prior to this change will not have this URL.

Step 3. Configure and Publish the OCSP Response Signing Certificate on the Issuing CA
To configure the OCSP response signing certificate on the windowsnoob Issuing CA server, do as follows. Ensure that you are logged on as windowsnoob\Entadmin.  In the Certification Authority console, ensure that the windowsnoob Issuing CA is expanded in the console tree. Right-click on Certificate Templates and then click Manage.

manage certificate templates.png

Note: If you do not use the EntAdmin account you'll see the following error: "windows could not create the object identifier list. the specified domain either does not exist or could not be contacted. certificate templates are not available".

The Certificate Templates window should open and display the certificate templates stored in Active Directory.

certificate templates.png

In the details pane (middle pane), scroll down and right-click on the OCSP Response Signing certificate template and then click Properties. On the Security tab click Add. Click Object Types. In the Object Types dialog box, select Computers and then click OK.In Enter the object names to select, type webserver and then click Check Names. Click OK

webserver added.png

Ensure that webserver is selected and in the Allow column, ensure that both the Read and Enroll permissions are selected before clicking Apply.

enroll.png

Close the Certificate Templates MMC console. In the certsrv.msc console, right-click Certificate Templates, then select New and then select Certificate Template to Issue.

new certificate template to issue.png

In the Enable Certificate Templates dialog box, click OCSP Response Signing and then click OK

ocsp response signing certificate template.png

Step 4. Configure Revocation Configuration on the Online Responder

Logon to the web server as windowsnoob\administrator. Open Server Manager. In the console tree, click on Tools, expand Active Directory Certificate Services, and then expand Online Responder management.

online responder management.png

Right-click Revocation Configuration and then click Add Revocation Configuration.

add revocation configuration.png

On the Getting Started with Adding a Revocation Configuration page click Next.

getting started with adding a revocation configuration.png

In Name, enter windowsnoob Issuing CA, and then click Next.

windowsnoob issuing ca name.png

On the Select a CA Certificate Location page ensure that Select a certificate for an Existing enterprise CA is selected, then click Next.

select a certificate for an existing enterprise CA.png

On the Choose CA Certificates page, ensure that Browse CA certificates published in Active Directory is selected, and then click Browse.

browse CA certificates published in Active Directory.png

On the Select Certification Authority dialog box, ensure that the windowsnoob Issuing CA is selected, and then click OK.

select certificate authority.png
    
Click Next.

windowsnoob issuing ca selected.png

Leave the defaults on the Select Signing Certificate page, and then click Next.

select signing certificate defaults.png
On the Revocation Provider page, click Provider. You can review the choices listed for the OCSP Responder in terms of where to download CRLs in the form of LDAP and HTTP locations, do not change the base CRL's.

revocation provider properties.png

Clear the Refresh CRLs based on their validity periods check box. In the Update CRLs at this refresh interval (min) box, type 15, and then click OK. Click Finish.

update crls at this refresh interval.png

Note: Modifying this setting to download CRLs at a faster rate than the CRLs normal expiration makes it possible for the OCSP responder to rapidly download new CRLs rather than use the last downloaded CRLs normal expiration date. If you are setting up PKI in Production, consult with a PKI expert to determine if you should change the value chosen here.

In the Certification Authority console, expand Array Configuration and then click the webserver.windowsnoob.lab.local computer.  Verify that the Revocation Configuration Status in the middle pane is OK to ensure that there is a signing certificate present and that the status reports as OK. It should state:

Type: Microsoft CRL-based revocation status provider
The revocation provider is successfully using the current configuration

array configuration.png

Step 5. Configure Group Policy to Provide the OCSP URL for the windowsnoob Issuing CA on DC01

This configuration should only be needed to allow existing certificate holders to take advantage of a new OCSP responder without having to re-enroll new certificates with the required OCSP URL added in them. To do this configuration ensure you are logged on to DC01.windowsnoob.lab.local as windowsnoob\Administrator. Open an administrative command prompt and run the following commands:

cd \

press Enter then,

certutil -config "IssuingCA.windowsnoob.lab.local\windows noob Issuing CA" -ca.cert windowsnoobissuingca.cer

the output should be something like this

certutil ca cert command completed successfully.png

Tip: If you get an error from the above command line, you can verify the correct certutil syntax for your lab by simply typing certutil and make note of the Config line as shown below.

config.png

Click Start, click Run, and then type gpmc.msc and press enter. Expand Forest, expand Domains, expand windowsnoob.lab.local, and then expand Group Policy Objects. Right click Default Domain Policy, then click Edit. Under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then expand Public Key Policies.

gpmc.png

Right-click Intermediate Certification Authorities, and then click Import. On the Welcome to Certificate Import Wizard page, click Next.

import.png

In File name, type C:\windowsnoobissuingca.cer, and then click Next.

import CER file.png

On the Certificate Store page, click Next.

certificate store.png

On the Completing the Certificate Import Wizard, click Finish, and then click OK.

completing the certificate import wizard.png

You should see "The import was successful".

the import was successful.png

In the console tree, select Intermediate Certification Authorities. In the details pane, right-click the windowsnoob Issuing CA, then click Properties.

properties of the intermediate certificate authorities.png

On the OCSP tab, in the Add URL box enter http://webserver.windowsnoob.lab.local/ocsp, and then click Add URL. Click OK.

add ocsp url.png

You can now close the Group Policy Management Editor and then close the Group Policy Management console.

That's all for this part, please join me in Part 8 where you will Configure AutoEnroll and verify PKI health.

Recommended reading

(1) - OCSP responses https://www.ietf.org/rfc/rfc2560.txt

(2) - Introducing OCSP - https://blogs.technet.microsoft.com/askds/2009/06/24/implementing-an-ocsp-responder-part-i-introducing-ocsp/

How to add a second OSCP for load balancing?

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Answer this question...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...


×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.