In part 1 of this series, you configured your LAB for a 2 tier PKI hierarchy running on Windows Server 2016. You used PowerShell to create some virtual machines, and then installed Windows Server 2016, Windows 10 Enterprise version 1803 and optionally Smoothwall 3.1 before configuring the IP address scheme and Computer Names on the virtual machines. Finally you configured ADDS on DC01 so that you have a working Domain Controller for the rest of this LAB.
In this part you'll install and do initial configuration on the Standalone Offline Root CA.
What is a Standalone Offline Root CA?
If you've never dealt with PKI before, you are probably wondering what a Standalone Offline Root CA is and why you need it. I'll quote the following paragraphs from an excellently written article about the Standalone Offline Root CA. If you don't read the article itself, at least read the quote below.
Quote
A root certification authority (CA) is the top of a public key infrastructure (PKI) and generates a self-signed certificate. This means that the root CA is validating itself (self-validating). This root CA could then have subordinate CAs that effectively trust it. The subordinate CAs receive a certificate signed by the root CA, so the subordinate CAs can issue certificates that are validated by the root CA. This establishes a CA hierarchy and trust path.
CA Compromise
If a root CA is in some way compromised (broken into, hacked, stolen, or accessed by an unauthorized or malicious person), then all of the certificates that were issued by that CA are also compromised. Since certificates are used for data protection, identification, and authorization, the compromise of a CA could compromise the security of an entire organizational network. For that reason, many organizations that run internal PKIs install their root CA offline. That is, the CA is never connected to the company network, which makes the root CA an offline root CA. Make sure that you keep all CAs in secure areas with limited access.
To ensure the reliability of your CA infrastructure, specify that any root and non-issuing intermediate CAs must be offline. A non-issuing CA is one that is not expected to provide certificates to client computers, network devices, and so on. This minimizes the risk of the CA private keys becoming compromised, which would in turn compromise all the certificates that were issued by the CA (1).
To cut a long story short, you should use a Standalone Offline Root CA because it lowers the possibility of compromise and ensures reliability of your Certificate Authority infrastructure.
Step 1. Create a CAPolicy.inf file
Before installing the Standalone Offline Root CA, you should create a CAPolicy.inf to define 'default' settings for CA templates. Some of these settings cannot be changed later, so you want them in place before creating any certificates on the Standalone Offline Root CA.
Quote
The CAPolicy.inf is a configuration file that defines the extensions, constraints, and other configuration settings that are applied to a root CA certificate and all certificates issued by the root CA. The CAPolicy.inf file must be installed on a host server before the setup routine for the root CA begins. When the security restrictions on a root CA are to be modified, the root certificate must be renewed and an updated CAPolicy.inf file must be installed on the server before the renewal process begins (2).
So now that you know you should create the file as a first step, let's go and do that. On the #11_RootCA virtual machine (RootCA), log in as Administrator using the password specified.
Open an administrative command prompt and type the following:
notepad C:\Windows\CAPolicy.inf
and press ENTER. When prompted to create a new file, click Yes. Paste the following text into the new CAPolicy.inf file.
Once done, save the file.
Note: Any misspelled or malformed entry is silently ignored rather than reported, so please copy/paste carefully. To understand what these values are and why you are using them, please see the following link. In a nutshell, you are telling the CA that, by default, the Root CA should issue certificates that are valid for 20 years. Feel free to adjust this if you think it appropriate, but be aware of the consequences (having to re-issue certificates, etc.).
I'd recommend you verify that the file is indeed correctly named and in the C:\Windows folder. You don't want .TXT appended to it or it will be ignored. To verify, do the following:
dir C:\Windows\Capolicy.*
The file has the right name and is in the right location.
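As an added example (not the author's file, whose contents are not shown here), the same step done from an elevated PowerShell session: the here-string holds a CAPolicy.inf for a 20-year offline root, and the check at the end catches the CAPolicy.inf.txt mistake mentioned above. The key names are documented CAPolicy.inf settings; the values (renewal length, CRL period) are assumptions chosen to fit this LAB.

```powershell
# Added example, not the author's CAPolicy.inf. Run in an elevated PowerShell on ROOTCA.
# Single-quoted here-string: nothing inside is expanded, so "$Windows NT$" stays literal.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
; Applied when the root CA certificate itself is renewed (assumed values)
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20

; An offline root publishes a base CRL only; delta CRLs are disabled
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0

; A root CA should not load the default certificate templates
LoadDefaultTemplates=0
; Keep PKCS#1 v1.5 signatures for compatibility with older clients
AlternateSignatureAlgorithm=0
'@

$path = 'C:\Windows\CAPolicy.inf'

# ASCII keeps the file free of a byte-order mark; setup reads it as plain text.
Set-Content -LiteralPath $path -Value $caPolicy -Encoding ASCII

# The setup routine only looks for this exact name; CAPolicy.inf.txt is ignored.
$file = Get-Item -LiteralPath $path
if ($file.Name -ne 'CAPolicy.inf') {
    throw "Unexpected file name '$($file.Name)'; CA setup will not read it"
}

# Show what was written, mirroring the author's 'dir C:\Windows\Capolicy.*' check
Get-ChildItem -Path 'C:\Windows\CAPolicy.*'
Get-Content -LiteralPath $path
```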
Step 2. Install Active Directory Certificate Services
Now that you've created the CAPolicy.inf file you are ready to install Active Directory Certificate Services on the Standalone Offline Root CA. To do so, open Server Manager and select Add Roles and Features.
Click Next and select Role-based or feature-based installation.
Click Next and select Select a server from the server pool; ensure that ROOTCA is selected.
Click Next and select Active Directory Certificate Services from the choices available on the Select server roles page. If prompted to Add features that are required for Active Directory Certificate Services, click Add features.
And here you see the Active Directory Certificate Services role is selected. Click Next to continue.
On the Select features screen, click Next.
Click Next. On the Active Directory Certificate Services introduction page, read the Things to note before clicking Next.
Ensure that Certificate Authority is selected.
On the Confirmation screen, click Install.
Wait for the installation progress to finish successfully before clicking on Close.
Click Close to close the wizard.
Step 3. Configure Active Directory Certificate Services
After the installation succeeded in the previous step, click on Configure Active Directory Certificate Services on the destination server in Server Manager.
On the Specify credentials to configure role services screen, ensure your credentials are ROOTCA\Administrator and then click Next.
Select the Certificate Authority role to configure; by default it is not selected.
Click Next and select Standalone CA.
Click Next, and on the Specify the type of the CA page select Root CA.
Click Next. On the Specify the type of private key select Create a new private key and click Next.
On the Specify the cryptographic options screen, pay attention to the settings before clicking Next. For example, ensure that SHA-256 is selected, as SHA-1 is dead (3). The key length defaults to 2048; only change it to 4096 if you are sure that doesn't break communication with your switches and legacy applications.
On the Specify the name for this CA page, change the Common Name for this CA to suit your needs; for example, enter the following:
windows noob Root CA
but do not change the other values.
For more info about the CA Name, see here (4).
Click Next. On the Specify the validity period page, select 20 years instead of the default of 5.
Quote
Every certificate has a validity period. After the end of the validity period, the certificate is no longer considered an acceptable or usable credential. CAs cannot issue certificates that are valid beyond their own validity period. A best practice is to renew the CA certificate when half of its validity period is expired. When installing a CA, you should plan this date and ensure that it is recorded as a future task.
Click Next. On the Specify the database locations page, click Next.
On the Confirmation screen, review the details and change them if necessary; if you are satisfied, click Configure.
You should see Configuration Succeeded. Click Close when done.
Configuring the above with PowerShell
To configure the above using PowerShell, use the following commands.
First, install the ADCS role:
Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
Edit the following as necessary before running it (this configures the ADCS role):
Install-AdcsCertificationAuthority -CAType StandaloneRootCA -CACommonName "windows noob Root CA" -KeyLength 2048 -HashAlgorithm SHA256 -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -ValidityPeriod Years -ValidityPeriodUnits 20 -Force
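Once Install-AdcsCertificationAuthority has finished, it is worth confirming that what was built matches what you chose in the wizard, because the hash algorithm and key length of the root certificate cannot be changed without re-issuing the root. This added check is not part of the original post; it assumes the CA name used above and runs in an elevated PowerShell on ROOTCA.

```powershell
# Added example, not from the original post. Verifies the new root CA on ROOTCA.
$caName = 'windows noob Root CA'   # change if you used a different Common Name

# A root CA certificate is self-signed, so Issuer and Subject are the same DN.
$rootCert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$caName" -and $_.Issuer -eq $_.Subject } |
    Select-Object -First 1
if (-not $rootCert) {
    throw "No self-signed certificate for CN=$caName found in LocalMachine\My"
}

# Public key size and certificate lifetime as actually issued
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($rootCert)
$keySize = $rsa.KeySize
$lifetimeYears = [math]::Round(($rootCert.NotAfter - $rootCert.NotBefore).TotalDays / 365.25, 1)

[pscustomobject]@{
    Subject            = $rootCert.Subject
    SignatureAlgorithm = $rootCert.SignatureAlgorithm.FriendlyName   # expect sha256RSA
    KeySize            = $keySize                                    # expect 2048
    LifetimeYears      = $lifetimeYears                              # expect about 20
    NotAfter           = $rootCert.NotAfter
    Thumbprint         = $rootCert.Thumbprint
}

# Fail loudly on the two properties that cannot be corrected in place
if ($rootCert.SignatureAlgorithm.FriendlyName -ne 'sha256RSA') {
    throw 'Root CA certificate is not SHA-256 signed; reinstall with -HashAlgorithm SHA256'
}
if ($keySize -lt 2048) {
    throw "Root CA key is only $keySize bits"
}

# Lifetime and CRL settings the CA will apply to the certificates it issues
# (read from the CA's registry configuration; adjusted later with certutil -setreg)
certutil -getreg CA\ValidityPeriod
certutil -getreg CA\ValidityPeriodUnits
certutil -getreg CA\CRLPeriod
certutil -getreg CA\CRLPeriodUnits
```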
That's it for this part. In Part 3 you'll configure the Web server for CDP and AIA Publication.
Recommended reading
(1) - https://social.technet.microsoft.com/wiki/contents/articles/2900.offline-root-certification-authority-ca.aspx
(2) - https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/prepare-the-capolicy-inf-file
(3) - https://blogs.technet.microsoft.com/askpfeplat/2015/03/15/sha-1-deprecation-and-changing-the-root-cas-hash-algorithm/
(4) - http://go.microsoft.com/fwlink/?LinkId=218063