
PKI Lab Setup

Resource Forest

- Active Directory Domain Service – DC01

- Root Certificate Authority (Offline) – RCA01

- Issuing Certificate Authority – ICA01

- Client Server – WS01

Account Forest

- ADC01

- AWS01

------------------------------------------------------------------------------------------------------------------------------------------------------

Step 1 – Installing the Domain Controller

Step 2 – Installing the Root Certificate Authority

- Install the AD CS Role on the server (RCA01)

- Configure the AD CS Role

  - Click Configure Active Directory Certificate Services on the destination server

  - Click Next – if you are logged in with an administrator account, or choose the account that will be responsible for the CA

  - Select the role service to configure – in my case I am selecting only Certification Authority

  - Select Standalone CA – as this will be an offline CA on a workgroup machine

  - Select Root CA – as this will be the Root CA server

  - Create a new private key – mandatory for a new environment

  - Click Next – in my case I keep all defaults; change them according to your requirements

  - Choose a common name for the Root CA – in my case it’s HOMELAB-RCA

  - Click Next – choose according to your requirement

  - Specify the database location – in my case it is the default

  - Click Next and click Configure

Step 3 – Configuring the web server on the Issuing Certificate Authority

- Log in as a Domain Admin on the Issuing CA

- Install the Web Server (IIS) role with default settings (ICA01)

  - Create a folder “CertData” in C:\inetpub\www

  - Log back in to the Root CA for further configuration

  - Tools > Certification Authority

  - Right Click on Root CA (HOMELAB-RCA) > Properties > Extensions

We have two extensions here, “CRL Distribution Point (CDP)” and “Authority Information Access (AIA)”. We need to add a location for both extensions. Let’s configure them one by one.

Configure CRL Distribution Point – CDP

  - Select CRL Distribution Point – CDP > Add

  - Enter the location – http://ica01.home.local/CertData/

  - Select Variable <CaName> – Click Insert

  - Select Variable <CRLNameSuffix> – Click Insert

  - Select Variable <DeltaCRLAllowed> – Click Insert

  - Add .crl

  - So the URL will look like: http://ica01.home.net/CertData/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

  - Click OK

  - Select “Include in CRLs. Clients use this to find Delta CRL locations”

  - Select “Include in the CDP extension of issued certificates”

Configure Authority Information Access – AIA

  - Select Authority Information Access – AIA > Add

  - Enter the location – http://ica01.home.local/CertData/

  - Select Variable <ServerDNSName> – Click Insert

  - Add _ to the URL

  - Select Variable <CaName> – Click Insert

  - Select Variable <CertificateName> – Click Insert

  - Add .crt

  - So the URL will look like: http://ica01.home.net/CertData/<ServerDNSName>_<CaName><CertificateName>.crt

  - Click OK

  - Select “Include in the AIA extension of issued certificates”

  - Click Apply – it will restart the service

  - Click OK

Now we would like to publish the CRL:

  - Right Click on Revoked Certificates > All Tasks > Publish > New CRL > OK

  - Navigate to C:\Windows\System32\CertSrv\CertEnroll

Get a Server Certificate

  - Right Click on Root CA (RCA01) > Properties > View Certificate > Details tab > Copy to File > Next > DER encoded binary X.509 (.CER) > Next > Browse to the location “C:\Windows\System32\CertSrv\CertEnroll” > Name it “rootca_certificate” > Save > Next > Finish

These files need to be provided to the issuing CA. So we now have the CRL, the AIA file and the Root CA certificate in C:\Windows\System32\CertSrv\CertEnroll

  - Copy these files

  - Create a shared folder on the issuing CA (ICA01) > \\ICA01.home.local\Cert > grant permission to Authenticated Users > paste the certificates
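The root-side work of Steps 2 and 3 (stand-alone root install, CDP/AIA extensions, CRL publish, certificate export and the copy to the ICA01 share) as one PowerShell script. This is an added example, not code from the original post; it uses the post's names (HOMELAB-RCA, http://ica01.home.local/CertData/, \\ICA01.home.local\Cert) and the key size, hash, validity and CRL periods are my assumptions, since the post keeps the wizard defaults.

```powershell
# Added example, not part of the original post: the scripted equivalent of
# Steps 2 and 3 on the offline root RCA01. Names are the post's (HOMELAB-RCA,
# http://ica01.home.local/CertData/, share \\ICA01.home.local\Cert). Key size,
# hash, validity and CRL periods are assumptions; the post keeps wizard defaults.
$ErrorActionPreference = 'Stop'

# Step 2: stand-alone root CA on a workgroup machine, new private key.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools | Out-Null
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName 'HOMELAB-RCA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 -Force

# An offline root cannot republish a CRL every week, so give the base CRL a
# long life and disable delta CRLs (assumed values; the post says "choose
# according to your requirement").
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod 'Weeks'
certutil -setreg CA\CRLDeltaPeriodUnits 0

# Step 3: CDP and AIA locations served by IIS on ICA01. The <...> tokens are
# the same substitution variables the post inserts in the GUI.
$base = 'http://ica01.home.local/CertData/'
Add-CACrlDistributionPoint -Uri "$base<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl" `
    -AddToCertificateCdp -AddToFreshestCrl -Force
Add-CAAuthorityInformationAccess -Uri "$base<ServerDNSName>_<CaName><CertificateName>.crt" `
    -AddToCertificateAia -Force
Restart-Service certsvc      # the post's "Click Apply – it will restart the service"

# Publish a fresh CRL and export the root certificate (DER) into CertEnroll,
# next to the <ServerDNSName>_<CaName>.crt file the CA wrote at install time.
$enroll = 'C:\Windows\System32\CertSrv\CertEnroll'
certutil -crl
certutil -f -ca.cert (Join-Path $enroll 'rootca_certificate.cer')

# Check what will be stamped into issued certificates before moving the files.
Get-CACrlDistributionPoint | Where-Object { $_.Uri -like "$base*" } |
    Format-List Uri, AddToCertificateCdp, AddToFreshestCrl
Get-CAAuthorityInformationAccess | Where-Object { $_.Uri -like "$base*" } |
    Format-List Uri, AddToCertificateAia
Get-ChildItem $enroll -Include *.crl, *.crt, *.cer -Recurse | Select-Object Name, LastWriteTime

# Hand the CRL, AIA file and root certificate to the issuing CA's share. On a
# genuinely offline root this copy is done by removable media instead.
Copy-Item (Join-Path $enroll '*') -Include *.crl, *.crt, *.cer `
    -Destination '\\ICA01.home.local\Cert\' -Force
```

The two Add-CA* cmdlets are additive: Get-CACrlDistributionPoint will still list the wizard's default local, ldap:// and file:// entries, which can be dropped with Remove-CACrlDistributionPoint if only the HTTP location should appear in certificates.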

Step 3 – Create a GPO to publish the Root CA as part of the Trusted Root CAs on the domain

- Create a Domain Policy

  - GPMC > Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities > Right Click > Import > Next > Browse > Issuing CA share folder \\ICA01.home.local\Cert > Select the Root CA certificate > Next > Default “Place all certificates in the following store – Trusted Root Certification Authorities” > Next > Finish > run gpupdate

  - Run > certmgr.msc > Navigate to Trusted Root Certification Authorities > Certificates > Ensure the Root CA certificate is available
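An added example (not from the original post) of the alternative to the GPO import above, publishing the root into Active Directory with certutil, followed by the same check the post does in certmgr.msc. It assumes rootca_certificate.cer is on the \\ICA01.home.local\Cert share from Step 3.

```powershell
# Added example, not part of the original post: an alternative to the GPO import
# in Step 3 that publishes the root into Active Directory, and the verification
# the post does in certmgr.msc. Assumes rootca_certificate.cer was copied to
# \\ICA01.home.local\Cert as in Step 3. Run as a Domain Admin on a domain member.
$ErrorActionPreference = 'Stop'
$rootCer = '\\ICA01.home.local\Cert\rootca_certificate.cer'

# Publish into CN=Certification Authorities / CN=AIA of the Configuration
# partition; domain members pick it up into Trusted Root CAs through the
# autoenrollment / policy refresh cycle. Note the target is RootCA, not NTAuthCA:
# an offline root must not be trusted for domain logon, only the enterprise
# issuing CA belongs in NTAuth.
certutil -dspublish -f $rootCer RootCA

# On any domain member (the post checks WS01): refresh policy and make sure the
# root is in the machine's Trusted Root store. For a workgroup client the
# Import-Certificate branch does what the post's "or Import it" step does.
gpupdate /target:computer /force | Out-Null
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like 'CN=HOMELAB-RCA*' }
if (-not $root) {
    if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
        throw 'HOMELAB-RCA is not in Trusted Root CAs: check GPO scope or the dspublish above'
    }
    $root = Import-Certificate -FilePath $rootCer -CertStoreLocation Cert:\LocalMachine\Root
}
$root | Format-List Subject, Thumbprint, NotAfter
```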

Step 4 – Installing the CA role on the issuing certificate server (ICA01) and configuring it

- Install the Certification Authority and Certification Authority Web Enrollment role services on the server (ICA01)

- Configure the AD CS Role

  - Click Configure Active Directory Certificate Services on the destination server

  - Click Next – if you are logged in with an administrator account, or choose the account that will be responsible for the CA

  - Select the role services to configure – in my case I am selecting only Certification Authority and Certification Authority Web Enrollment

  - Select Enterprise CA – as this CA is domain-joined and will stay online

  - Select Subordinate CA – as this will be the issuing CA under the root

  - Create a new private key – mandatory for a new environment

  - Click Next – in my case I keep all defaults; change them according to your requirements

  - Choose a common name for the issuing CA – in my case it’s HOMELAB_IssuingCA

  - Select Save a certificate request to file on the target machine

  - Specify the database location – in my case it is the default

  - Click Next and click Configure

You will get the request file on C:\. Log into the Root CA server and issue a certificate:

  - Right Click on Root CA (HOMELAB_CA) > All Tasks > Submit New Request > Browse to the request file

  - Navigate to Pending Requests > Right Click on the certificate request > All Tasks > Issue

  - Navigate to Issued Certificates > Double Click on the certificate > Details > Copy to File > Next > Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B) > Select “Include all certificates in the certification path if possible” > Next > Browse to the location “C:\Windows\System32\CertSrv\CertEnroll” > Name it “issuingca_certificate” > Save > Next > Finish

  - Copy the file to the issuing certificate share folder \\ICA01.home.local\Cert

  - Copy the CRL and AIA files to C:\inetpub\www

  - Log into the issuing certificate server > Tools > Certification Authority > Right Click on the issuing CA (ICA01) > All Tasks > Install CA Certificate > Browse to the issuing certificate “issuingca_certificate.p7b”

  - Right Click on the issuing CA (ICA01) > All Tasks > Start Service

  - Run > certmgr.msc > Navigate to Intermediate Certification Authorities > Certificates > Ensure the Issuing CA certificate is available
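Step 4 as a script, added here as an example that is not part of the original post. It follows the post's flow (subordinate install on ICA01, submit/issue/retrieve on RCA01, install and start on ICA01) and adds the check that matters most at this point: certsvc will not start if the issuing CA cannot validate its own certificate against the CDP/AIA URLs from Step 3. Names are the post's; the IIS folder C:\inetpub\wwwroot\CertData is my assumption for what sits behind http://ica01.home.local/CertData/ (the post writes C:\inetpub\www).

```powershell
# Added example, not part of the original post: the scripted equivalent of Step 4
# plus the checks that decide whether certsvc will start on ICA01. Names are the
# post's (ICA01, HOMELAB_IssuingCA, RCA01\HOMELAB-RCA, \\ICA01.home.local\Cert).
# Assumption: C:\inetpub\wwwroot\CertData is the IIS folder behind
# http://ica01.home.local/CertData/ (the post writes C:\inetpub\www). File moves
# between RCA01 and the share stand in for removable media on a real offline root.
$ErrorActionPreference = 'Stop'
$share   = '\\ICA01.home.local\Cert'
$rootCfg = 'RCA01\HOMELAB-RCA'

# ---- On ICA01 (Domain Admin): enterprise subordinate CA. Because the parent is
# offline, setup stops after writing a request file. ----
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools | Out-Null
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CACommonName 'HOMELAB_IssuingCA' -KeyLength 4096 -HashAlgorithmName SHA256 `
    -OutputCertRequestFile 'C:\HOMELAB_IssuingCA.req' -Force
Copy-Item 'C:\HOMELAB_IssuingCA.req' -Destination $share -Force

# ---- On RCA01: submit, issue and retrieve. A stand-alone root parks every
# request as pending until an administrator issues it. ----
$out = certreq -submit -config $rootCfg (Join-Path $share 'HOMELAB_IssuingCA.req')
$requestId = ($out | Select-String 'RequestId:\s*(\d+)' | Select-Object -First 1).Matches[0].Groups[1].Value
certutil -resubmit $requestId                     # the post's "Pending Requests > All Tasks > Issue"
certreq -retrieve -config $rootCfg $requestId `
    (Join-Path $share 'issuingca_certificate.cer') `
    (Join-Path $share 'issuingca_certificate.p7b') # second file = PKCS #7 with the chain

# ---- Back on ICA01: stage the root's CRL and AIA file where the CDP/AIA URLs
# point, then install the CA certificate and start the service. ----
$certData = 'C:\inetpub\wwwroot\CertData'
New-Item -ItemType Directory -Path $certData -Force | Out-Null
Copy-Item (Join-Path $share '*') -Include *.crl, *.crt -Destination $certData -Force

# Delta CRL file names contain '+', which IIS request filtering rejects unless
# double escaping is allowed; the issuing CA's own delta CRLs will need this.
Import-Module WebAdministration
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location 'Default Web Site' `
    -Filter 'system.webServer/security/requestFiltering' -Name allowDoubleEscaping -Value $true

# certsvc refuses to start when it cannot validate its own certificate, so walk
# the chain and fetch the CDP/AIA URLs from ICA01 before installing it.
certutil -verify -urlfetch (Join-Path $share 'issuingca_certificate.cer')
if ($LASTEXITCODE -ne 0) { throw 'Chain or revocation check failed: fix trust, the CertData files or the URLs first' }

certutil -installcert (Join-Path $share 'issuingca_certificate.p7b')
Start-Service certsvc
certutil -ping                                    # the CA's request interface answers
Install-AdcsWebEnrollment -Force                  # Certification Authority Web Enrollment
```

The verify step is the one to keep around: the same certutil -verify -urlfetch run against any later issued certificate shows exactly which CRL and AIA URLs a client will try and which of them fail.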

Step 5 – Installing the other Certificate Authority roles

- Install the additional Certificate Authority role services on the server (ICA01)

  - Certificate Enrollment Policy Web Service

  - Certificate Enrollment Web Service

  - Network Device Enrollment Service

  - Online Responder

- Configure the AD CS Role

  - Click Configure Active Directory Certificate Services on the destination server

  - Click Next – if you are logged in with an administrator account, or choose the account that will be responsible for the CA

  - Select the role services to configure – in my case I am selecting Online Responder, NDES, CES and CEP

  - NDES needs a service account; specify it. The service account must be a member of IIS_IUSRS

  - Provide the Common Name

  - Keep the default cryptography for NDES and click Next

  - Keep the default CA for CES

  - Select User Name and Password for the Authentication Type (CES)

  - Select the service account for CES

  - Select User Name and Password for the Authentication Type (CEP)

  - Select Enable Key-Based Renewal

  - Select Existing Certificate and click Next

  - Click Configure

Step 6 – Setting up Certificate Enrollment Web Service (CES) and Certificate Enrollment Policy Web Service (CEP)

- Before going any further, let’s configure a certificate for the web server on the issuing certificate server so that we can bind HTTPS

  - Open IIS Manager on the issuing certificate server (ICA01)

  - Select the server by clicking on the server name > Open Server Certificates

  - Click Create Domain Certificate > Common Name as the FQDN (ica01.home.local) > the rest of the information is optional, so choose anything > Next

  - Specify online Certificate Authority > Click Select > Select the Certificate Authority > OK > Provide the friendly name “HomeLab Certificate Authority” > Finish

  - Select Default Web Site > Bindings > Select https > Edit > Select certificate “HomeLab Certificate Authority” > OK

  - Select KeyBasedRenwal_ADPolicyProvider_CEP_UserNamePassword > Application Settings > Friendly Name “Home CA CEP” > OK > Browse KeyBasedRenwal_ADPolicyProvider_CEP_UserNamePassword to get the URL. Copy the CEP URL somewhere; it looks like:

https://ica01.home.net/KeyBasedRenwal_ADPolicyProvider_CEP_UserNamePassword/Service.SVC/CEP

  - Log into the client server > certmgr.msc > Navigate to Trusted Root Certification Authorities > Ensure the Root CA certificate is available, or import it

  - Right Click on Personal > All Tasks > Advanced Operations > Manage Enrollment Policies > Add > Put in the CEP URL > Select Authentication Type – Username/Password > Validate Server > Admin credentials > Add > OK

  - Right Click on Personal > All Tasks > Request New Certificate > Next

It will prompt that certificate types are not available. References:

https://www.petenetlive.com/KB/Article/0001250

https://channel9.msdn.com/Events/TechEd/NorthAmerica/2011/SIM329

Register the HTTP SPN for the service account:

setspn -s http/rca01.home.local Home\sa_cert
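An added example, not from the original post, that puts the SPN registration above and the client-side part of Step 6 into a script with two checks that narrow down an empty template list. The post's setspn line names rca01; this example uses ica01, the host where Step 5 installed CES/CEP, which is my assumption. home\sa_cert and the CEP URL are the post's lab values.

```powershell
# Added example, not part of the original post: the HTTP SPN registration the post
# gives after its "certificate types are not available" note, the client-side
# registration of the CEP URL from Step 6, and two checks that narrow down an empty
# template list. The post's setspn line names rca01; this example uses ica01, the
# host where Step 5 installed CES/CEP, as an assumption. home\sa_cert and the CEP
# URL are the post's lab values.
$ErrorActionPreference = 'Stop'
$svcAccount = 'home\sa_cert'
$cesHost    = 'ica01.home.local'
$cepUrl     = "https://$cesHost/KeyBasedRenwal_ADPolicyProvider_CEP_UserNamePassword/Service.svc/CEP"

# ---- On a domain controller or any box with the AD RSAT tools (Domain Admin):
# the CES/CEP application pools run as the service account, so Kerberos needs the
# HTTP SPN on that account, not on the computer. -S fails instead of creating a
# duplicate SPN, which is what you want. ----
setspn -S "HTTP/$cesHost" $svcAccount
setspn -S "HTTP/$($cesHost.Split('.')[0])" $svcAccount
setspn -L $svcAccount

# ---- On ICA01: templates the CA actually publishes. A template that is missing
# here, or whose Enroll permission excludes the requesting user, is what the client
# sees as "no certificate types available". ----
Get-CATemplate | Format-Table Name, Oid

# ---- On the client (WS01): register the policy server for the machine context.
# -RequireStrongValidation is the wizard's "Validate server": the CEP endpoint must
# present a certificate that chains to the trusted root from Step 3, so a
# mis-issued or self-signed policy server certificate is rejected, not silently
# accepted. ----
$cred = Get-Credential -Message 'Account for username/password authentication to CEP'
Add-CertificateEnrollmentPolicyServer -Url $cepUrl -Context Machine `
    -Credential $cred -RequireStrongValidation
Get-CertificateEnrollmentPolicyServer -Scope All -Context Machine | Format-List *
```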

Step 7 – Issuing a Certificate

  - Log into the issuing certificate server > certmgr.msc > Navigate to Certificate Templates > Manage > Select a template (Web Server or any other) > Right Click and Duplicate > Change the Template Display Name > Make your changes > OK

  - Certificate Templates > New > Certificate Template to Issue > Select the template > OK

The certificate template is now ready to issue certificates to client machines. All we have to do is request a certificate from the client machine.

  - Log into the client machine > certmgr.msc > Navigate to Personal > All Tasks > Request New Certificate > Next > Next > Select the certificate template for your purpose > Click “More information is required to enroll for this certificate. Click here to configure settings” (or use the Details drop-down and Properties) >

  - Add values in Properties

    - Subject Name

      Common Name: WS01

    - Alternative Name

      DNS: ws01.home.net (FQDN)

      IP Address: X.X.X.X

  - Select the certificate and Enroll
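Step 7 from the command line, added here as an example that is not part of the original post. It assumes the duplicated Web Server template is named HomeLabWebServer and lets the requester supply the subject (which is what typing the names into Properties relies on), that the CA is ICA01.home.local\HOMELAB_IssuingCA, and it substitutes the constructed address 192.0.2.10 for the post's X.X.X.X.

```powershell
# Added example, not part of the original post: Step 7 done with certreq.
# Assumed: the duplicated Web Server template is named HomeLabWebServer and is
# configured to let the requester supply the subject (as the post does by typing
# the names into Properties); the CA is ICA01.home.local\HOMELAB_IssuingCA.
# 192.0.2.10 is a constructed placeholder for the post's X.X.X.X.
$ErrorActionPreference = 'Stop'
$template = 'HomeLabWebServer'
$caConfig = 'ICA01.home.local\HOMELAB_IssuingCA'
$work     = 'C:\Temp'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# ---- On ICA01: the post's "Certificate Templates > New > Certificate Template
# to Issue", then list it back so a typo in the name shows up here. ----
Add-CATemplate -Name $template -Force
Get-CATemplate | Where-Object Name -eq $template

# ---- On WS01: request with the subject and SANs from the post. Single-quoted
# here-string so the $Windows NT$ signature is not interpolated. ----
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=WS01"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
ProviderName = "Microsoft Software Key Storage Provider"
MachineKeySet = true
Exportable = false
KeyUsage = 0xA0
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=ws01.home.net&"
_continue_ = "ipaddress=192.0.2.10&"

[RequestAttributes]
CertificateTemplate = __TEMPLATE__
'@
$inf = $inf.Replace('__TEMPLATE__', $template)
Set-Content -Path "$work\ws01.inf" -Value $inf -Encoding ASCII
certreq -new "$work\ws01.inf" "$work\ws01.req"
certreq -submit -config $caConfig "$work\ws01.req" "$work\ws01.cer"
certreq -accept "$work\ws01.cer"          # binds the issued cert to the machine key

# ---- Check the result: SAN contents, then a full chain and revocation check
# that fetches the CDP/AIA URLs set up in Step 3. ----
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=WS01' } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$san.Format($true)
certutil -verify -urlfetch "$work\ws01.cer"
```

The script makes the trade-off of this template visible: because the subject and SAN come from the request, the CA signs whatever names the requester puts in the INF. Keep the Enroll permission on such a template limited to the accounts that need it, leave Client Authentication out of its EKUs, and review the CA's Issued Certificates log for names that do not belong to the requester.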

Step 8 – Configure the Online Responder

  - We need to issue a certificate to the Online Responder

  - certmgr.msc > Certificate Templates > Manage > Select OCSP Response Signing > Duplicate the template > Change the settings > Make sure Enroll and Autoenroll are selected

  - Certificate Templates > New > Certificate Template to Issue > Select the template > OK

  - Tools > Online Responder Management

  - Right Click on Revocation Configuration > Add Revocation Configuration > Next > Name > Select a certificate for an existing enterprise CA > Browse CA certificates published in Active Directory > Browse > Select the CA > OK

  - Automatically select a signing certificate (the certificate should be issued automatically) > Next > Finish
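The CA-side part of Step 8 in PowerShell, plus the relying-party check, as an added example that is not part of the original post. It assumes the duplicated template is named HomeLabOCSPSigning, that the responder runs on ICA01 at http://ica01.home.local/ocsp (the post does not give the responder URL; /ocsp is the role's default virtual directory), and that C:\Temp\ws01.cer is a certificate issued after the AIA change.

```powershell
# Added example, not part of the original post: the CA-side part of Step 8 in
# PowerShell plus a relying-party check. Assumed: the duplicated template is named
# HomeLabOCSPSigning, the responder runs on ICA01 at http://ica01.home.local/ocsp
# (the post does not state the responder URL; /ocsp is the role's default virtual
# directory), and C:\Temp\ws01.cer is a certificate issued after this change.
$ErrorActionPreference = 'Stop'
$ocspUrl = 'http://ica01.home.local/ocsp'

# Publish the signing template so the responder's computer account can
# auto-enrol for its OCSP Response Signing certificate (the template's Enroll and
# Autoenroll permissions must include that computer account).
Add-CATemplate -Name 'HomeLabOCSPSigning' -Force

# The responder is useless until certificates point at it: add the OCSP URL to
# the AIA extension, which the post's Step 3 AIA entry (the .crt location) does
# not cover. Only certificates issued after the restart carry it.
Add-CAAuthorityInformationAccess -Uri $ocspUrl -AddToCertificateOcsp -Force
Restart-Service certsvc
Get-CAAuthorityInformationAccess | Format-List Uri, AddToCertificateAia, AddToCertificateOcsp

# Relying-party view: -urlfetch walks the AIA/CDP URLs of a certificate and reports
# every OCSP and CRL location it tried and the revocation result, which is the
# quickest way to see whether clients will actually reach the responder.
certutil -verify -urlfetch 'C:\Temp\ws01.cer'
```

Note that the responder answers from the CRL it last fetched, so a freshly revoked certificate shows as revoked in OCSP only after the CA publishes a new CRL and the responder's refresh interval has passed.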



Active Directory (AD)   is a  directory  service that Microsoft developed for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Active Directory is a database that keeps track of all the user accounts and passwords in your organization. It allows you to store your user accounts and passwords in one protected location, improving your organization's security. Active Directory is subdivided into one or more domains By simple meaning,  Active Directory   is a centralize repository of  O bjects . Everything like User, Group, Service, Resources etc, is an object for Active Directory.  Active Directory  is simply a collection of all these resources. When we put all these object together under a logical grouping or boundary including network resources to construct  Active Directory  is know as  Domain . A single/ multiple  Domains  in contiguous namespace together construct a  Tree   and  single/ multiple  Trees  with a t