
PKI Lab Setup

Resource Forest

Active Directory Domain Service – DC01

Root Certificate Authority (Offline) – RCA01

Issuing Certificate Authority – ICA01

Client Server – WS01

Account Forest

ADC01

AWS01

------------------------------------------------------------------------------------------------------------------------------------------------------

Step 1 – Installing the Domain Controller

Step 2 – Installing the Root Certificate Authority

- Install the AD CS role on the server (RCA01)

- Configure the AD CS role

  - Click "Configure Active Directory Certificate Services on the destination server"

  - Click Next if you are logged in with an administrator account, or choose the account that will be responsible for the CA

  - Select the role service to configure. In my case I am selecting only Certification Authority

  - Select Standalone CA, as this will be an offline CA on a workgroup machine that is never joined to the domain

  - Select Root CA, as this will be the root CA server

  - Create a new private key (mandatory for a new environment)

  - Click Next. In my case I keep the defaults for the cryptographic provider, key length and hash algorithm (SHA256); change them according to your requirements

  - Choose a common name for the root CA. In my case it is HOMELAB-RCA

  - Click Next and set the validity period of the root CA certificate according to your requirements

  - Specify the database location. In my case it is the default

  - Click Next and click Configure

Step 3 – Configuring the web server on the issuing CA and the CDP/AIA extensions on the root CA

- Log in as a Domain Admin on the issuing CA (ICA01)

- Install the Web Server (IIS) role with default settings on ICA01

  - Create a folder "CertData" in C:\inetpub\wwwroot (the physical path of the Default Web Site), so that http://ica01.home.local/CertData/ serves it

  - Log back in to the root CA (RCA01) for further configuration

  - Tools > Certification Authority

  - Right-click the root CA (HOMELAB-RCA) > Properties > Extensions

There are two extensions to set here: "CRL Distribution Point (CDP)" and "Authority Information Access (AIA)". Both need a location that domain clients can reach, which is why they point at the web server on ICA01 rather than at the offline root. Let's configure them one by one.

Configure CRL Distribution Point - CDP

  - Select CRL Distribution Point (CDP) > Add

  - Location: http://ica01.home.local/CertData/

  - Select the variable <CaName> and click Insert

  - Select the variable <CRLNameSuffix> and click Insert

  - Select the variable <DeltaCRLAllowed> and click Insert

  - Add .crl

  - So the URL will look like: http://ica01.home.local/CertData/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

  - Click OK

  - With the new HTTP location selected, tick "Include in CRLs. Clients use this to find Delta CRL locations"

  - Tick "Include in the CDP extension of issued certificates"

 

Configure Authority Information Access – AIA

  - Select Authority Information Access (AIA) > Add

  - Location: http://ica01.home.local/CertData/

  - Select the variable <ServerDNSName> and click Insert

  - Add _ to the URL

  - Select the variable <CaName> and click Insert

  - Select the variable <CertificateName> and click Insert

  - Add .crt

  - So the URL will look like: http://ica01.home.local/CertData/<ServerDNSName>_<CaName><CertificateName>.crt

  - Click OK

  - Tick "Include in the AIA extension of issued certificates"

  - Click Apply. You are prompted to restart Active Directory Certificate Services; the new locations only take effect after the restart

  - Click OK

Now publish a CRL so that the file the CDP points to actually exists:

  - Right-click Revoked Certificates > All Tasks > Publish > New CRL > OK

  - Navigate to C:\Windows\System32\CertSrv\CertEnroll. The CRL (HOMELAB-RCA.crl) and the root CA certificate (<ServerDNSName>_HOMELAB-RCA.crt) are written here
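The same root CA setup and CDP/AIA configuration as commands, added here as an example (this is not code from the original post). It runs in an elevated PowerShell prompt on RCA01 and uses the lab's names (HOMELAB-RCA, ica01.home.local, the CertData folder). The key size, hash algorithm, CRL periods and validity periods are my assumptions for an offline root, not the wizard defaults.

```powershell
# Added example (not from the original post): Step 2 plus the CDP/AIA extension
# settings, applied with the ADCSDeployment module and certutil on RCA01.
# Assumptions: 4096-bit RSA, SHA256, 20-year root, 10-year max for issued certs,
# base CRL every 26 weeks with a 2-week overlap, no delta CRLs.

Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# Standalone root CA: the box is a workgroup member. -Force skips the confirmation.
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName 'HOMELAB-RCA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 20 -Force

# certutil substitution tokens, the same as the <...> variables in the GUI:
#   %1 ServerDNSName  %3 CaName  %4 CertificateName  %8 CRLNameSuffix  %9 DeltaCRLAllowed
# Flag bits in front of each URL: 1 = publish the file to this location,
# 2 = include in the CDP (or AIA) extension of issued certificates,
# 4 = include in CRLs so clients find the delta CRL (the GUI steps tick this;
# it is omitted here because delta CRLs are disabled below).
# Entries are separated by a literal "\n", which certutil expands itself.
$Http  = 'http://ica01.home.local/CertData'
$Local = "$env:windir\system32\CertSrv\CertEnroll"

certutil -setreg CA\CRLPublicationURLs    "1:${Local}\%3%8%9.crl\n2:${Http}/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:${Local}\%1_%3%4.crt\n2:${Http}/%1_%3%4.crt"

# An offline root is powered on rarely: long-lived base CRLs and no delta CRLs.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod 'Weeks'
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\CRLOverlapPeriodUnits 2
certutil -setreg CA\CRLOverlapPeriod 'Weeks'

# Upper bound on the lifetime of anything this root signs (i.e. the issuing CA cert).
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod 'Years'

# The CA reads these values at start; then publish a base CRL into CertEnroll.
Restart-Service certsvc
certutil -crl

# Confirm the configuration and list the files that have to travel to ICA01.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
Get-ChildItem "$Local\*" -Include *.crl, *.crt
```

The two certutil -getreg calls are the check worth keeping: the URL the CRL and CA certificate end up at must match, character for character, what later goes into C:\inetpub\wwwroot\CertData on ICA01, otherwise every certificate chained to this root fails revocation checking.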

Export the root CA certificate

  - Right-click the root CA (HOMELAB-RCA) > Properties > View Certificate > Details tab > Copy to File > Next > DER encoded binary X.509 (.CER) > Next > Browse to "C:\Windows\System32\CertSrv\CertEnroll" > name it "rootca_certificate" > Save > Next > Finish

These files have to be handed to the issuing CA. C:\Windows\System32\CertSrv\CertEnroll now holds the CRL (the CDP target), the root CA certificate in .crt form (the AIA target) and the exported rootca_certificate.cer. The root CA is offline, so it cannot reach the share itself; move the files with removable media.

  - Copy these files

  - Create a shared folder on the issuing CA (ICA01), \\ICA01.home.local\Cert, give Authenticated Users read access (administrators only need write), and paste the files there

Step 3 - Create a GPO to publish the root CA certificate to Trusted Root Certification Authorities on the domain

- Create a domain policy

  - GPMC > Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities > right-click > Import > Next > Browse to the issuing CA share \\ICA01.home.local\Cert > select rootca_certificate.cer > Next > keep the default "Place all certificates in the following store: Trusted Root Certification Authorities" > Next > Finish > run gpupdate /force on a domain member

  - Run certlm.msc (the local computer store) > Trusted Root Certification Authorities > Certificates > make sure the root CA certificate (HOMELAB-RCA) is present

Step 4 – Installing the CA role on the issuing CA (ICA01) and configuring it

- Install the Certification Authority and Certification Authority Web Enrollment role services on ICA01

- Configure the AD CS role

  - Click "Configure Active Directory Certificate Services on the destination server"

  - Click Next if you are logged in with an account that is a member of Enterprise Admins (required to create an enterprise CA), or choose such an account

  - Select the role services to configure. In my case: Certification Authority and Certification Authority Web Enrollment

  - Select Enterprise CA, as this CA is domain joined and will publish its templates and certificates through Active Directory

  - Select Subordinate CA, as this CA is signed by the offline root rather than by itself

  - Create a new private key (mandatory for a new environment)

  - Click Next. In my case I keep the cryptography defaults; change them according to your requirements

  - Choose a common name for the issuing CA. In my case it is HOMELAB_IssuingCA

  - Select "Save a certificate request to file on the target machine"; the parent CA is offline, so the request cannot be sent to it directly

  - Specify the database location. In my case it is the default

  - Click Next and click Configure

The request file is written to C:\. Carry it to the root CA server and issue a certificate for it:

  - Right-click the root CA (HOMELAB-RCA) > All Tasks > Submit new request > browse to the request file

  - Navigate to Pending Requests > right-click the request > All Tasks > Issue (a standalone CA holds every request as pending until an administrator issues it)

  - Navigate to Issued Certificates > double-click the certificate > Details > Copy to File > Next > Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B) > tick "Include all certificates in the certification path if possible" > Next > Browse to "C:\Windows\System32\CertSrv\CertEnroll" > name it "issuingca_certificate" > Save > Next > Finish

  - Copy the file to the issuing CA share \\ICA01.home.local\Cert

  - Copy the root CA's CRL and .crt files from the share into C:\inetpub\wwwroot\CertData on ICA01, so that the CDP and AIA URLs embedded in the issuing CA certificate resolve. If they do not, the issuing CA service fails to start with a "revocation server was offline" error, and clients cannot build the chain

  - Log in to the issuing CA > Tools > Certification Authority > right-click the issuing CA (HOMELAB_IssuingCA) > All Tasks > Install CA Certificate > browse to issuingca_certificate.p7b

  - Right-click the issuing CA > All Tasks > Start Service

  - Run certlm.msc > Intermediate Certification Authorities > Certificates > make sure the issuing CA certificate is present
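Step 4 as commands, added as an example (not code from the original post). The parts run on different machines and are marked as such. Names follow the lab (HOMELAB-RCA on RCA01, HOMELAB_IssuingCA on ICA01, the \\ICA01.home.local\Cert share, C:\inetpub\wwwroot\CertData); the request id 2, the C:\Cert working folder and the file names are my assumptions. It also publishes the root into Active Directory with certutil -dspublish, which the GUI steps above do not do.

```powershell
# Added example (not from the original post): issuing CA installation, signing of
# its request on the offline root, and a chain check with live CDP/AIA fetching.
# Assumed: request id 2, working folder C:\Cert, file names ICA01.req / ICA01.cer.

# ---- on ICA01, as a member of Enterprise Admins ----
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# Enterprise subordinate CA. The parent is offline, so the request goes to a file.
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CACommonName 'HOMELAB_IssuingCA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -OutputCertRequestFile 'C:\Cert\ICA01.req' -Force

# Put the root's CRL and certificate where its CDP/AIA URLs point. The files were
# copied into the share from RCA01's CertEnroll folder in the earlier step.
New-Item -ItemType Directory -Path 'C:\inetpub\wwwroot\CertData' -Force | Out-Null
Copy-Item 'C:\Cert\*.crl', 'C:\Cert\*.crt' -Destination 'C:\inetpub\wwwroot\CertData'

# Publish the root into Active Directory as well (needs Enterprise Admins). Domain
# members then trust it through autoenrollment even where the Step 3 GPO is not applied.
certutil -dspublish -f 'C:\Cert\rootca_certificate.cer' RootCA
certutil -dspublish -f 'C:\Cert\HOMELAB-RCA.crl' RCA01

# ---- on RCA01 (ICA01.req carried over on removable media) ----
# A standalone CA parks every request as pending; issue it by request id.
certreq -submit -config 'RCA01\HOMELAB-RCA' 'C:\ICA01.req'   # prints the RequestId
certutil -resubmit 2                                          # issue pending request 2
certreq -retrieve -config 'RCA01\HOMELAB-RCA' 2 'C:\ICA01.cer'

# ---- back on ICA01 (ICA01.cer copied into C:\Cert) ----
# Install the signed CA certificate (the .p7b exported in the GUI steps works here
# too), start the service, then configure Web Enrollment.
certutil -installcert 'C:\Cert\ICA01.cer'
Start-Service certsvc
Install-AdcsWebEnrollment -Force

# Chain check that fetches every CDP/AIA URL. Any "Error retrieving URL" line means
# the HTTP locations on ICA01 (or the copied files) are wrong; in that state the CA
# service itself fails to start with CRYPT_E_REVOCATION_OFFLINE.
certutil -verify -urlfetch 'C:\Cert\ICA01.cer' |
    Select-String -Pattern 'Error|Verified|Revocation|Leaf|Chain'
```

Run the last command again from WS01 against a copy of ICA01.cer: a client with no access to the CertEnroll share exercises exactly the HTTP paths that production clients will use.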

Step 5 – Installing the other Certificate Authority role services

- Install the additional AD CS role services on ICA01

    - Certificate Enrollment Policy Web Service (CEP)

    - Certificate Enrollment Web Service (CES)

    - Network Device Enrollment Service (NDES)

    - Online Responder

- Configure the AD CS role

  - Click "Configure Active Directory Certificate Services on the destination server"

  - Click Next if you are logged in with an administrator account, or choose the account that will be responsible for the CA

  - Select the role services to configure. In my case: Online Responder, NDES, CES and CEP

  - NDES needs a service account. Specify it; the account must be a member of the local IIS_IUSRS group on ICA01

  - Provide the registration authority information (the RA name is the common name)

  - Keep the default cryptography for NDES and click Next

  - CES: keep the default CA

  - CES: select User name and password as the authentication type

  - CES: select the service account

  - CEP: select User name and password as the authentication type

  - Select Enable Key-Based Renewal (this is what creates the KeyBasedRenewal_... CEP application used in Step 6)

  - Select an existing certificate for the SSL binding of the web services and click Next

  - Click Configure

Step 6 – Setting up Certificate Enrollment Web Service (CES) and Certificate Enrollment Policy Web Service (CEP)

- Before going further, configure a certificate for the web server on the issuing CA so that the web services can be bound to HTTPS

  - Open IIS Manager on the issuing CA (ICA01)

  - Select the server node > open Server Certificates

  - Click Create Domain Certificate > Common name = the FQDN (ica01.home.local); the rest of the information is optional > Next

  - Specify Online Certification Authority > Select > pick the issuing CA > OK > friendly name "HomeLab Certificate Authority" > Finish

  - Select Default Web Site > Bindings > select https > Edit > select the certificate "HomeLab Certificate Authority" > OK

  - Select the KeyBasedRenewal_ADPolicyProvider_CEP_UsernamePassword application > Application Settings > set FriendlyName to "Home CA CEP" > OK. Browse the application to get its URL and note the CEP URL, which looks like:

https://ica01.home.local/KeyBasedRenewal_ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP

  - Log in to the client server (WS01) > certlm.msc > Trusted Root Certification Authorities > make sure the root CA certificate is present, or import it

  - Right-click Personal > All Tasks > Advanced Operations > Manage Enrollment Policies > Add > enter the CEP URL > Authentication type: Username/password > Validate Server (enter the credentials) > Add > OK

  - Right-click Personal > All Tasks > Request New Certificate > Next

In my lab the wizard then reported that no certificate types are available. The two references below deal with this:

https://www.petenetlive.com/KB/Article/0001250

https://channel9.msdn.com/Events/TechEd/NorthAmerica/2011/SIM329

One fix is registering the HTTP service principal name for the CES/CEP service account. The SPN must name the server that hosts the web services (ICA01, not the offline root), with the service class and host separated by a single slash:

setspn -S HTTP/ica01.home.local Home\sa_cert

A further likely cause (not verified in this lab): a policy server created with key-based renewal enabled only returns templates that themselves allow key-based renewal, so a freshly duplicated template does not show up until that option is set on it, or until a second CEP instance without key-based renewal is configured.
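An added example (not from the original post) that registers the SPN and then tests enrolment through the CEP URL from WS01 with the Get-Certificate cmdlet, so the "no certificate types" symptom can be reproduced and diagnosed without the MMC. The service account Home\sa_cert and the CEP URL are the lab's; the template name HomeLabWebServer is an assumption.

```powershell
# Added example (not from the original post): SPN registration for the CES/CEP
# service account and a command-line enrolment test against the policy server.
# Assumed: the template is named HomeLabWebServer and the account used has Enroll on it.

# ---- on DC01 or any domain-joined admin workstation ----
# -S checks the forest for a duplicate before adding; duplicates break Kerberos.
setspn -S HTTP/ica01.home.local Home\sa_cert
setspn -L Home\sa_cert          # list the SPNs the account now holds

# ---- on WS01, elevated (the certificate goes into the machine store) ----
$CepUrl = 'https://ica01.home.local/KeyBasedRenewal_ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP'
$Cred   = Get-Credential -Message 'Account allowed to enrol on the template'

# The policy server must present a certificate WS01 trusts; if the root is missing
# from the machine's Trusted Root store this fails before authentication happens.
# If CEP returns no templates, Get-Certificate errors that the template was not found,
# which is the command-line form of "no certificate types are available".
$r = Get-Certificate -Url $CepUrl -Credential $Cred -Template 'HomeLabWebServer' `
        -SubjectName 'CN=WS01' -DnsName 'ws01.home.local' `
        -CertStoreLocation Cert:\LocalMachine\My

$r.Status                      # Issued, Pending, or Denied
$r.Certificate | Format-List Subject, Issuer, NotAfter, Thumbprint
```

A request that comes back Pending means the template requires CA manager approval; one that fails on the TLS handshake means the root trust or the IIS binding from the start of this step is wrong, not CES/CEP itself.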

Step 7 – Issuing a Certificate

  - Log in to the issuing CA > certsrv.msc (the Certification Authority console) > right-click Certificate Templates > Manage > select a template (Web Server, or whichever fits your purpose) > right-click > Duplicate Template > change the Template display name > make your changes > OK

  - Back in the Certification Authority console: Certificate Templates > New > Certificate Template to Issue > select the new template > OK

The template is now available for issuing certificates to client machines. All that is left is to request a certificate from the client.

  - Log in to the client machine > certlm.msc > Personal > All Tasks > Request New Certificate > Next > Next > select the template for your purpose > click "More information is required to enroll for this certificate. Click here to configure settings" (or expand Details and click Properties)

  - Add values under Properties

    - Subject name

      Common name: WS01

    - Alternative name

      DNS: ws01.home.local (the FQDN)

      IP address: X.X.X.X

  - Select the certificate and click Enroll

A caveat before anyone else gets Enroll on this template: the subject and SAN above can be typed in only because the template is set to "Supply in the request". A template with that setting must not also carry an authentication purpose (Client Authentication, Smart Card Logon, Any Purpose) while Domain Users or Domain Computers can enroll, otherwise any domain principal can obtain a logon certificate for an arbitrary account (the ESC1 misconfiguration). Web Server carries Server Authentication only by default; keep it that way and restrict Enroll to the machines that need it.
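An added example (not from the original post) that first audits the duplicated template in Active Directory for the "requester controls the subject" combination described above, then enrols WS01 with a certreq INF whose subject and SAN are supplied by the requester, which is what the MMC steps do. The template name HomeLabWebServer, the CA config string and the IP address 10.0.0.50 are assumptions that follow the lab.

```powershell
# Added example (not from the original post): template audit plus a certreq
# enrolment with requester-supplied subject and SAN. Assumptions: template name
# HomeLabWebServer, CA config string ICA01.home.local\HOMELAB_IssuingCA, IP 10.0.0.50.

Import-Module ActiveDirectory

function Test-CertTemplateSubjectRisk {
    param([Parameter(Mandatory)][string]$TemplateName)

    $base = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
            (Get-ADRootDSE).configurationNamingContext
    $t = Get-ADObject -SearchBase $base -LDAPFilter "(cn=$TemplateName)" -Properties 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature', 'pKIExtendedKeyUsage'
    if (-not $t) { throw "template $TemplateName not found in AD" }

    # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (0x1): subject and SAN are taken from the request.
    $suppliesSubject = ($t.'msPKI-Certificate-Name-Flag' -band 0x1) -ne 0
    # CT_FLAG_PEND_ALL_REQUESTS (0x2): CA manager approval required before issuance.
    $needsApproval   = ($t.'msPKI-Enrollment-Flag' -band 0x2) -ne 0
    # Number of authorized signatures a request must carry.
    $needsSignature  = [int]$t.'msPKI-RA-Signature' -gt 0

    # EKUs that let the holder authenticate as the subject named in the certificate.
    $authEku = @(
        '1.3.6.1.5.5.7.3.2'        # Client Authentication
        '1.3.6.1.5.2.3.4'          # PKINIT Client Authentication
        '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon
        '2.5.29.37.0'              # Any Purpose
    )
    $eku = @($t.pKIExtendedKeyUsage | Where-Object { $_ })
    # No EKU at all also means the certificate is good for any purpose.
    $authUsable = ($eku.Count -eq 0) -or [bool]($eku | Where-Object { $authEku -contains $_ })

    [pscustomobject]@{
        Template                = $TemplateName
        EnrolleeSuppliesSubject = $suppliesSubject
        AuthenticationEku       = $authUsable
        ManagerApproval         = $needsApproval
        SignaturesRequired      = $needsSignature
        # ESC1 shape: whoever holds Enroll can mint a logon certificate for any principal.
        Esc1Shape               = $suppliesSubject -and $authUsable -and
                                  -not $needsApproval -and -not $needsSignature
    }
}

Test-CertTemplateSubjectRisk -TemplateName 'HomeLabWebServer' | Format-List

# ---- on WS01, elevated: the request with requester-supplied subject and SAN ----
@'
[NewRequest]
Subject = "CN=WS01"
KeyLength = 2048
KeySpec = 1
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = HomeLabWebServer
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=ws01.home.local&"
_continue_ = "ipaddress=10.0.0.50"
'@ | Set-Content -Path C:\Cert\ws01.inf -Encoding ASCII

certreq -new    C:\Cert\ws01.inf C:\Cert\ws01.req
certreq -submit -config 'ICA01.home.local\HOMELAB_IssuingCA' C:\Cert\ws01.req C:\Cert\ws01.cer
certreq -accept C:\Cert\ws01.cer     # binds the issued cert to its key in LocalMachine\My
```

The audit only looks at the template itself; a complete check also reads the Enroll ACEs on the template (Security tab) and the CA's own request-handling settings, since ESC1 needs a low-privileged principal with Enroll as well as the template shape reported here.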

Step 8 – Configure the Online Responder

  - The Online Responder needs its own signing certificate from the issuing CA

  - certsrv.msc > Certificate Templates > Manage > select OCSP Response Signing > Duplicate Template > adjust the settings > on the Security tab make sure the responder's computer account (ICA01) has Read, Enroll and Autoenroll

  - Certificate Templates > New > Certificate Template to Issue > select the template > OK

  - Tools > Online Responder Management

  - Right-click Revocation Configuration > Add Revocation Configuration > Next > enter a name > "Select a certificate for an existing enterprise CA" > "Browse CA certificates published in Active Directory" > Browse > select the issuing CA > OK

  - "Automatically select a signing certificate" (the responder then autoenrolls for it using the template above) > Next > Finish
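A step the GUI walkthrough above does not include, added as an example (not code from the original post): issued certificates only send clients to the responder if the issuing CA writes its URL into their AIA extension (the "Include in the online certificate status protocol (OCSP) extension" option, flag 32 in certutil terms). This runs on ICA01 after the revocation configuration exists. The URL is the default /ocsp application the Online Responder role creates on ICA01; the path of the test certificate is an assumption.

```powershell
# Added example (not from the original post): add the OCSP URL to the issuing CA's
# AIA list and check a freshly issued certificate against the responder.
# Assumed: responder at http://ica01.home.local/ocsp, test leaf at C:\Cert\ws01.cer.

$OcspUrl = 'http://ica01.home.local/ocsp'

# The CA's AIA list lives under CertSvc\Configuration\<active CA name>. Append
# rather than overwrite so the existing file and HTTP entries survive.
$cfg  = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$key  = Join-Path $cfg (Get-ItemProperty -Path $cfg).Active
$urls = @((Get-ItemProperty -Path $key).CACertPublicationURLs)

if ($urls -notcontains "32:$OcspUrl") {
    Set-ItemProperty -Path $key -Name CACertPublicationURLs -Type MultiString `
        -Value ($urls + "32:$OcspUrl")
    Restart-Service certsvc     # extension settings are read at service start
}
certutil -getreg CA\CACertPublicationURLs

# Certificates issued before this change carry no OCSP pointer, so request a new
# one (Step 7) and check that one. Lines mentioning OCSP show whether the
# responder was contacted and what it answered.
certutil -verify -urlfetch 'C:\Cert\ws01.cer' | Select-String -Pattern 'OCSP|Verified|Revocation'
```

To see revocation actually propagate, revoke the test certificate at the CA (certutil -revoke <serial>), publish a new CRL (certutil -crl) and repeat the check; the responder picks up the new CRL on its own refresh schedule, so a stale "good" answer immediately after revocation is expected rather than a fault.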


