How can I configure PKI in a lab on Windows Server 2016 - Part 8

[anyweb 478]

This series is comprised of different parts, listed below.

• Part 1 - Introduction and server setup
• Part 2 - Install and do initial configuration on the Standalone Offline Root CA
• Part 3 - Prepare the HTTP Web server for CDP and AIA Publication
• Part 4 - Post configuration on the Standalone Offline Root CA
• Part 5 - Installing the Enterprise Issuing CA
• Part 6 - Perform post installation tasks on the Issuing CA
• Part 7 - Install and configure the OCSP Responder role service
• Part 8 - Configure AutoEnroll and Verify PKI health (this part)

In part 1 of this series, you configured your LAB for a 2 tier PKI hierarchy running on Windows Server 2016. You used PowerShell to create some virtual machines, and then installed Windows Server 2016,  Windows 10 Enterprise version 1803 and optionally Smoothwall 3.1 before configuring the IP address scheme and Computer Names on the virtual machines. Finally you configured ADDS on DC01 so that you have a working Domain Controller for the rest of this LAB. In part 2 you installed and did the initial configuration on the Standalone Offline Root CA. In part 3 you prepared the HTTP Web Server for CDP and AIA Publication and you created a DNS record for the publicly available web server.

In part 4 you performed post configuration on the Standalone Offline Root CA to set certificate revocation list (CRL) period registry settings using CertUtil, and then enabled object access Auditing and finally, you configured three locations for the Authority Information Access (AIA) and four locations for the Certificate revocation list Distribution Point (CDP), again using CertUtil. In part 5 you joined the IssuingCA computer to the windowsnoob domain before creating a new CAPolicy.inf file which was customized for the Issuing CA role. Next, you published the Root CA Certificate and CRL (both to Active Directory and the HTTP web server) and you installed the Enterprise Issuing CA before submitting a request to the StandAlone Offline Root CA. Next you installed the Issuing CA Certificate using the response files from the StandAlone Offline Root CA on the removable media.

In part 6, you performed post installation and configuration of the IssuingCA server by configuring Certificate Revocation and CA Certificate Validity Periods, you then enabled auditing on the CA server, and configured the AIA and CDP. In part 7 you installed and configured the OCSP responder role service on the web server. Now you will configure Auto Enrollment and Verify PKI health.

Step 1.Configure a GPO for Auto Enrollment

Logon to to the Domain Controller (DC01) as windowsnoob\Administrator. Click Start, click Run, and then type gpmc.msc and press enter. Expand Forest, expand Domains, expand windowsnoob.lab.local, and then expand Group Policy Objects. Right click Default Domain Policy, then click Edit. Under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then expand Public Key Policies. Select Certificate Services Client - Auto-Enrollment, right click and choose Properties. Change it from Not Configured to Enabled and enable the following 2 options.

• Renew expired certificates, update pending certificates, and remove revoked certificates
• Update certificate that use certificate templates

As shown here.

Click Apply when done, and close the Group Policy Management Editor and then close the Group Policy Management Console.

Step 2. Configure AutoEnrollment for Workstation Authentication on the Issuing CA

Ensure that you are logged on as windowsnoob\EntAdmin on the Issuing CA server (IssuingCA), start the Certification Authority console by entering certsrv.msc, ensure that windowsnoob Issuing CA is expanded. Right-click on Certificate Templates, then select Manage.

In the Certificate Templates that appear, select Workstation Authentication.

Right click it, and select Properties, click on the Security tab, select Domain Computers and ensure that AutoEnroll is selected, click Apply.

Step 3. Join the Windows 10 computer to the domain

Logon to Windows 10 version 1803 computer (Win101803) as Administrator, and copy the JoinDomain.ps1 script below to a folder called C:\Scripts. Open the script in PowerShell ISE as Administrator, then run Set-ExecutionPolicy to unrestricted before running the JoinDomain.ps1 PowerShell script by clicking on the Green Arrow in Windows PowerShell ISE.

JoinDomain.ps1

Note: The computer will reboot by itself after joining the windowsnoob.lab.local domain.

Step 4. Check PKI Health with Enterprise PKI
To use the Enterprise PKI console to check PKI health, on the IssuingCA server, ensure that you are logged on as windowsnoob\entadmin. Run PKIView.msc from an administrative command prompt.

Right click Enterprise PKI and then click Manage AD Containers. On the NTAuthCertificates tab, verify the windows noob Issuing CA certificate appears with a status of OK as shown below:

On the AIA Container tab, verify both the windows noob Root CA and the windows noob Issuing CA certificates are present with a status of OK.

On the CDP Container tab, verify that the windows noob Issuing CA has both Delta CRL and Base CRL, and that the windows noob Root CA has a Base CRL present and with a status of OK.

 On the Certification Authorities Container, verify that the windows noob Root CA certificate is present and with a status of OK.

and finally on the Enrollment Services Container tab, verify that the windows noob Issuing CA certificate is present with a status of OK.

Step 5. Configure Certificate Distribution on the Issuing CA
To publish a certificate for computers in the enterprise do as follows. Logon to the IssuingCA computer as windowsnoob\EntAdmin. In the Certification Authority console (certsrv.msc), ensure that windows noob Issuing CA is expanded. Right-click Certificate Templates, select New and select Certificate Template to Issue.

On the Enable Certificate Templates dialog box, select Workstation Authentication and then click OK.

Step 6. verify certificate autoenrollment on the Windows 10 client
To verify that autoenrollment of certificates on the Windows 10 compute do as follows. Log on to win101803.windowsnoob.lab.local as windowsnoob\Administrator. (Ensure that you switch user to log on as windowsnoob\Administrator)

Click Start, type mmc and then press ENTER. Click File, and then click Add/Remove Snap-in. Click Certificates, then click Add, Select Computer Account, and then click Finish. Click OK.

Expand Personal and select Certificates, if you do not see Certificates, in an Administrative Command prompt issue the following command

gpupdate /force

then refresh the view in the Certificates MMC. You should now see a Certificates folder and a certificate listed. This certificate was issued using AutoEnrollment which was configured above.

Step 7. Verify PKI health on the issued certificate

While logged on to W101803.windowsnoob.local.local as windowsnoob\Administrator, In the certificates console tree, expand Personal, click Certificates. In the details pane, right click the W101803.windowsnoob.lab.local certificate, click All Tasks, and then click Export.

the Welcome to the certificate export wizard appears, click Next.

Click Next at the No do not export the private key screen

On the Export File Format page, click Next. [DER encoded binary X.509 (.CER) is the default selection].

in the File to Export, call it C:\Windows10

at the completing the certificate export wizard screen click Finish.

you should be notified of the success of the export.

Open an administrative command prompt and run the following commands:

cd\

then
 

certutil -URL C:\Windows10.cer

The URL retrieval tool should appear.

In the URL Retrieval Tool, select the OCSP (from AIA) option and then click Retrieve. Confirm that it shows status as Verified.

In the URL Retrieval Tool, select the CRLs (from CDP) option and then click Retrieve. Confirm that it shows status as Verified.

 In the URL Retrieval Tool, select the Certs (from AIA) option and then click Retrieve. Confirm that it shows status as Verified.

Click Exit to close URL Retrieval Tool. From the administrative command prompt run following command to thoroughly verify the certificate chain retrieval and revocation status.
 

certutil -verify -urlfetch C:\Windows10.cer

you'll see a lot of output similar to the following
 

PS C:\> certutil -verify -urlfetch C:\Windows10.cer
Issuer:
    CN=windows noob Issuing CA
    DC=windowsnoob
    DC=lab
    DC=local
  Name Hash(sha1): b500ca9b33a216fcc44492f25bb6e6b8bd6a5a78
  Name Hash(md5): b0c8a9c15f77c9e2b7af24718ab3f3ec
Subject:
    EMPTY (DNS Name=W101803.windowsnoob.lab.local)
  Name Hash(sha1): f944dcd635f9801f7ac90a407fbc479964dec024
  Name Hash(md5): a46c3b54f2c9871cd81daf7a932499c0
Cert Serial Number: 1e000000057a5838e2727d5162000000000005

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 3 Weeks, 1 Hours, 35 Minutes, 37 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 3 Weeks, 1 Hours, 35 Minutes, 37 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=windows noob Issuing CA, DC=windowsnoob, DC=lab, DC=local
  NotBefore: 7/6/2018 4:04 AM
  NotAfter: 7/6/2019 4:04 AM
  Subject:
  Serial: 1e000000057a5838e2727d5162000000000005
  SubjectAltName: DNS Name=W101803.windowsnoob.lab.local
  Template: Workstation Authentication
  Cert: 9eae120ea27c064e609df51cacda77e286a223d6
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0 33daad0a6923fdbd02300d703264d13d70eedf42
    [0.0] ldap:///CN=windows%20noob%20Issuing%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=windowsnoob,DC=lab,DC=local?cACertificate?base?objectClass=certificationAuthority

  Verified "Certificate (0)" Time: 0 33daad0a6923fdbd02300d703264d13d70eedf42
    [1.0] http://pki.windows-noob.com/CertEnroll/IssuingCA.windowsnoob.lab.local_windows%20noob%20Issuing%20CA.crt

  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (05)" Time: 0 7cf12cea65a271e322dcd148dafca9890381d68c
    [0.0] ldap:///CN=windows%20noob%20Issuing%20CA,CN=IssuingCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=windowsnoob,DC=lab,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint

  Verified "Delta CRL (05)" Time: 0 b27c6e817abccb07e6d18c37c808013cc1377c1d
    [0.0.0] ldap:///CN=windows%20noob%20Issuing%20CA,CN=IssuingCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=windowsnoob,DC=lab,DC=local?deltaRevocationList?base?objectClass=cRLDistributionPoint

  Verified "Delta CRL (05)" Time: 0 b27c6e817abccb07e6d18c37c808013cc1377c1d
    [0.0.1] http://pki.windows-noob.com/CertEnroll/windows%20noob%20Issuing%20CA+.crl

  Verified "Base CRL (05)" Time: 0 7cf12cea65a271e322dcd148dafca9890381d68c
    [1.0] http://pki.windows-noob.com/CertEnroll/windows%20noob%20Issuing%20CA.crl

  Verified "Delta CRL (05)" Time: 0 b27c6e817abccb07e6d18c37c808013cc1377c1d
    [1.0.0] ldap:///CN=windows%20noob%20Issuing%20CA,CN=IssuingCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=windowsnoob,DC=lab,DC=local?deltaRevocationList?base?objectClass=cRLDistributionPoint

  Verified "Delta CRL (05)" Time: 0 b27c6e817abccb07e6d18c37c808013cc1377c1d
    [1.0.1] http://pki.windows-noob.com/CertEnroll/windows%20noob%20Issuing%20CA+.crl

  ----------------  Base CRL CDP  ----------------
  OK "Delta CRL (07)" Time: 0 b27c6e817abccb07e6d18c37c808013cc1377c1d
    [0.0] ldap:///CN=windows%20noob%20Issuing%20CA,CN=IssuingCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=windowsnoob,DC=lab,DC=local?deltaRevocationList?base?objectClass=cRLDistributionPoint

  OK "Delta CRL (07)" Time: 0 b27c6e817abccb07e6d18c37c808013cc1377c1d
    [1.0] http://pki.windows-noob.com/CertEnroll/windows%20noob%20Issuing%20CA+.crl

  ----------------  Certificate OCSP  ----------------
  Verified "OCSP" Time: 0 f7d32928b44de5b419a11bac19cc56fad7d4f9ee
    [0.0] http://webserver.windowsnoob.lab.local/ocsp

  --------------------------------
    CRL 05:
    Issuer: CN=windows noob Issuing CA, DC=windowsnoob, DC=lab, DC=local
    ThisUpdate: 7/3/2018 7:02 AM
    NextUpdate: 7/10/2018 7:22 PM
    CRL: 7cf12cea65a271e322dcd148dafca9890381d68c
    Delta CRL 07:
    Issuer: CN=windows noob Issuing CA, DC=windowsnoob, DC=lab, DC=local
    ThisUpdate: 7/5/2018 7:02 AM
    NextUpdate: 7/6/2018 7:22 PM
    CRL: b27c6e817abccb07e6d18c37c808013cc1377c1d
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=windows noob Root CA
  NotBefore: 6/19/2018 4:34 AM
  NotAfter: 6/19/2028 4:44 AM
  Subject: CN=windows noob Issuing CA, DC=windowsnoob, DC=lab, DC=local
  Serial: 5600000002ff2362e624faf00a000000000002
  Template: SubCA
  Cert: 33daad0a6923fdbd02300d703264d13d70eedf42
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0 1c2e0479a69623ffddcec692d01af64996b2b6e9
    [0.0] ldap:///CN=windows%20noob%20Root%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=windowsnoob,DC=lab,DC=local?cACertificate?base?objectClass=certificationAuthority

  Verified "Certificate (0)" Time: 0 1c2e0479a69623ffddcec692d01af64996b2b6e9
    [1.0] http://pki.windows-noob.com/CertEnroll/ROOTCA_windows%20noob%20Root%20CA.crt

  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (02)" Time: 0 22cafd2ae550e12401696bac4a424652050c55a2
    [0.0] ldap:///CN=windows%20noob%20Root%20CA,CN=ROOTCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=windowsnoob,DC=lab,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint

  Verified "Base CRL (02)" Time: 0 22cafd2ae550e12401696bac4a424652050c55a2
    [1.0] http://pki.windows-noob.com/CertEnroll/windows%20noob%20Root%20CA.crl

  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0 (null)
  --------------------------------
    CRL 02:
    Issuer: CN=windows noob Root CA
    ThisUpdate: 6/15/2018 3:12 AM
    NextUpdate: 6/14/2019 3:32 PM
    CRL: 22cafd2ae550e12401696bac4a424652050c55a2

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=windows noob Root CA
  NotBefore: 6/14/2018 11:03 AM
  NotAfter: 6/14/2038 11:13 AM
  Subject: CN=windows noob Root CA
  Serial: 3d0d623b5abd19b34640212c87d45269
  Cert: 1c2e0479a69623ffddcec692d01af64996b2b6e9
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0 (null)
  --------------------------------

Exclude leaf cert:
  Chain: d5f425d64a9d41434507a599da1260fdced44873
Full chain:
  Chain: 0c69840fda437706dd390c3d120ab496038c2564
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
    1.3.6.1.5.5.7.3.2 Client Authentication
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
PS C:\>

Review the output and make sure all the chain retrieval and revocation status are successfully verified.

Job done !

That's it for this mini-series about setting up PKI in a lab, thanks for joining me, I hope you completed everything successfully and have a better understanding of how PKI works and how to set it up in a lab.

Next steps

If you'd like to see how SCCM works with HTTPS, see below:-

• How can I configure System Center Configuration Manager in HTTPS mode (PKI) - Part 1
• How can I configure System Center Configuration Manager in HTTPS mode (PKI) - Part 2

cheers

niall.

 

 

[kevlar01 2]

Thanks for making this.

This made PKI a less tough cookie to crack for me

[anyweb 478]

you are welcome, it was one of the more difficult thing I've gotten around to blogging, and I did it to understand the process better myself and to teach others, I've done the lab 3 times already and I know it works :-), if you follow the next in the series you can also configure SCCM with HTTPS, links below

 

How can I configure System Center Configuration Manager in HTTPS mode (PKI) - Part 1

How can I configure System Center Configuration Manager in HTTPS mode (PKI) - Part 2

[kevlar01 2]

Yeah it's pretty complicated stuff. I was planning to follow the next blogs, as we are planning to setup HTTPS in our own environment, so I'm curious  thanks again.

[Seigoa 0]

I have a weird issue.
In my PKIView it lists one of the CDP location as unavailable, it is looking at the Root CA computer name which is correct.

 

However when I look in Adsi Edit it shows Root CA instead of cvp-rootca01, how can I fix this or would that mean starting from scratch?

[anyweb 478]

first things first, i hope you snap shotted your labs after each part like i suggested at the start of these guides,

secondly, if you look at step 4 part 4 here have you missed anything ?

my CDP locations looks quite different to yours and don't point to the root ca at all, but instead it's on the IssuingCA, so how did you cdp end up on the rootca (if you followed my guides...)

[Thomas Capacci 0]

Hi there,

Unfortunately for me I didn't snapshot the environment and I have the exact same issue as Seigoa reported, I have made it through part 8 and all the check s are OK except for the CDP location on the Root CA.

Please note the error is not on the Issuing ca but on the root ca

The only difference in my lab is that I have used the name RootCA01 (instead of RootCA)

The command to set the CDP location in chapter 4 is:

certutil -setreg CA\CRLPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n2:http://pki.windows-noob.com/CertEnroll/%3%8%9.crl"

 

I am trying to figure out how to fix the issue for that string: ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10

I was assuming the part CN=%2 will resolve automatically to my RootCA01 name but for som ereason it doesnt.

As you can see below in ADSIEdit, the CN is RootCA while my RootCA CN should be RootCA01, when I click the error in pkiview the URL it is trying to reach is:

ldap:///CN=xxxxx%20Root%20CA,CN=ROOTCA01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=xxxxxxx,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint

 

I am really tempted to edit manually adisedit and change RootCA with RootCA01

Edited July 3, 2019 by Thomas Capacci

[Thomas Capacci 0]

replying to myself, I think I managed to fix the issue by rerunning that command on my CA:

certutil -f -dspublish "E:\xxxx Root CA.crl" RootCA01

Now pkiview reports no errors

[eljub 0]

On 7/3/2019 at 11:04 AM, Thomas Capacci said:

replying to myself, I think I managed to fix the issue by rerunning that command on my CA:

certutil -f -dspublish "E:\xxxx Root CA.crl" RootCA01

Now pkiview reports no errors

You are right it's because for this command, the name at the end has to be the computer name of the RootCA Server from your environment

[Goochi 1]

Great guide as always!  Love this site..   

For what its worth..If you don't follow the documented setup its really beneficial to document which servers will host which roles prior to setting them up.    

Look forward to more guides in the future! 

[Lutz Rahe 0]

Thank you for this lab. 

(and yes...it will help a lot, when you will document different server names etc....)

One question I have: After 1 year, when the RootCA is  always offline and the published .crl is outdated.......what is to do? Just publish a new crl list from the RootCA and copy this to AD and the webserver?

[KtDann 0]

Thank you and I really appreciate how much effort you put in into making this great blog.

Just want to let you know that all the PowerShell script links are broken.

Mostly okay because there are plenty of information in the description to do with it without PS script but there is one section where this is impossible.

It's the section which talks about creating OID and not using Microsoft default. I've never had to create OID before so I'm not all that sure how to go about doing this without more information and without PS script.

I know this section is not criticial to get the whole thing done but would be great to have those links working again.

Anyway let me point out once again that "You've done a GREAT job".

Cheers,

[anyweb 478]

thanks for the thanks ! I appreciate it

however the links are not broken, you can only download scripts if you are a logged on member of windows-noob.com

please retry the download now that you are a logged on member

cheers

niall

[Stephen McGuire 0]

Thomas's CLI for the certutil -f -dspublish fixed my problems as well, thanks!

[Tony124 0]

Thanks so much for putting this together.  It was very well done and saved me a lot of time.  Got my PKI working!

[anyweb 478]

8 hours ago, Tony124 said:

Thanks so much for putting this together.  It was very well done and saved me a lot of time.  Got my PKI working!

awesome to hear it ! spread the word 🙂

[nocrusltd 0]

On 1/8/2020 at 5:10 AM, Lutz Rahe said:

Thank you for this lab. 

(and yes...it will help a lot, when you will document different server names etc....)

One question I have: After 1 year, when the RootCA is  always offline and the published .crl is outdated.......what is to do? Just publish a new crl list from the RootCA and copy this to AD and the webserver?

Your Root CA's CRL should not change often. As far as I'm aware, if you are only issuing subordinate CA's from it (which you should only be doing), The root CA's CRL will only show revoked Subordinate CA's and therefore should rarely need updating. Your Issuing CA (subordinate) should be the CRL that gets updated more often, but this should be automatically published if you've followed this guide correctly.

[Ndaedzo 0]

Good tutorial indeed, perhaps you can add one more series on the actual Active Directory Certificate-Based Authentication. I have followed the series and everything works fine, now I am stuck with authenticating to MS AD using two factor which is (Pass and username together with Certificate). Your reply is highly appreciated.