In part 1 of this series, you configured your lab for a two-tier PKI hierarchy running on Windows Server 2016. You used PowerShell to create some virtual machines, and then installed Windows Server 2016, Windows 10 Enterprise version 1803 and optionally Smoothwall 3.1 before configuring the IP address scheme and computer names on the virtual machines. Finally, you configured AD DS on DC01 so that you have a working Domain Controller for the rest of this lab. In part 2 you installed and did the initial configuration of the Standalone Offline Root CA. In part 3 you prepared the HTTP web server for CDP and AIA publication and created a DNS record for the publicly available web server.
In part 4 you performed post-configuration on the Standalone Offline Root CA: you set the certificate revocation list (CRL) period registry settings using certutil, enabled object access auditing and, finally, configured three locations for the Authority Information Access (AIA) and four locations for the CRL Distribution Point (CDP), again using certutil. In part 5 you joined the IssuingCA computer to the windowsnoob domain before creating a new CAPolicy.inf file customized for the Issuing CA role. Next, you published the Root CA certificate and CRL (both to Active Directory and to the HTTP web server) and installed the Enterprise Issuing CA before submitting a request to the Standalone Offline Root CA. Finally, you installed the Issuing CA certificate using the response files from the Standalone Offline Root CA on the removable media.
In this part, you will perform post installation and configuration of the IssuingCA server.
Step 1. Configure Certificate Revocation and CA Certificate Validity Periods
To configure certificate revocation and CA certificate validity periods ensure that you are logged on to the IssuingCA server as windowsnoob\EntAdmin (you can use whoami in the command prompt to verify which user is logged on).
Configure the CRL and Delta CRL settings
Enter the following commands from an administrative command prompt:
Certutil -setreg CA\CRLPeriodUnits 1
Press enter when done, then enter the following:
Certutil -setreg CA\CRLPeriod "Weeks"
Press enter when done, then enter the following:
Certutil -setreg CA\CRLDeltaPeriodUnits 1
Press enter when done, then enter the following:
Certutil -setreg CA\CRLDeltaPeriod "Days"
The output of the above commands is shown below.
Define CRL overlap settings
Enter the following commands from an administrative command prompt:
Certutil -setreg CA\CRLOverlapPeriodUnits 12
Press enter when done, then enter the following:
Certutil -setreg CA\CRLOverlapPeriod "Hours"
The overlap is added to the NextUpdate of each CRL so that a CRL already cached by clients stays valid while the next one is being generated and copied to the CDP locations; keep it well below the CRL period itself. These two values apply to the base CRL only. The delta CRL has its own pair, CRLDeltaOverlapPeriodUnits and CRLDeltaOverlapPeriod, which this post leaves at the default of 0 (meaning 10 percent of the delta CRL period, up to a maximum of 12 hours). Also note that certutil -setreg only writes the registry; the CA service reads the new values when it is restarted, which you do at the end of this part.
The output of the above commands is shown below.
Configure the certificate validity period
The default ValidityPeriodUnits for certificates issued from the IssuingCA server is 2 (with ValidityPeriod set to Years) in the registry, as shown here (HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\windows noob Issuing CA).
You can adjust this setting depending on your needs to define the maximum lifetime of certificates issued from the IssuingCA server. The registry value is a ceiling: a certificate template can specify a shorter validity period but never a longer one, and the CA will also never issue a certificate that outlives its own CA certificate (the end date is truncated to the CA certificate's expiry). It is recommended that you don't configure validity periods that are longer than half the total lifetime of the windows noob Issuing CA certificate. In this lab that certificate is valid for 10 years, matching this line in the CAPolicy.inf you created on the IssuingCA in part 5:
RenewalValidityPeriodUnits=10
Bear in mind that the lifetime of a subordinate CA certificate is ultimately decided by the parent CA when it signs the request, so check the actual expiry of the installed Issuing CA certificate (in the Certification Authority console, CA Properties, General tab, View Certificate) rather than relying on CAPolicy.inf alone.
To limit issued certificates to 5 years, enter the following commands from an administrative command prompt:
Certutil -setreg CA\ValidityPeriodUnits 5
Press enter when done, then enter the following:
Certutil -setreg CA\ValidityPeriod "Years"
Press enter. The output of the above commands is shown below.
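The following PowerShell script is an added example and is not part of the original post. It reads the CRL, delta CRL, overlap and validity settings you just configured straight from the CA's registry configuration, expresses them as time spans, and checks them against the installed CA certificate (overlap shorter than period, delta period shorter than base period, issued validity no more than half the CA certificate's lifetime, and whether issued certificates would be truncated to the CA's expiry). It assumes it runs in an elevated PowerShell on the CA; the CA name is read from the registry's Active value rather than hard-coded, and the 10-percent/12-hour default for an unset overlap is taken from the documented certutil behaviour.

```powershell
# Added example, not from the original post: read back the CRL, delta CRL, overlap and
# validity settings from the Issuing CA's registry configuration and sanity-check them
# against the CA's own certificate. Run on the CA as a local administrator; the CA name
# is taken from the "Active" value, so nothing is hard-coded for this lab.
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $configKey -Name Active).Active
$ca        = Get-ItemProperty -Path (Join-Path $configKey $caName)

# Turn a <Units, Period> registry pair into a TimeSpan. certutil accepts Minutes, Hours,
# Days, Weeks, Months and Years; months and years are approximated here, which is
# good enough for a sanity check.
function ConvertTo-Span([int]$Units, [string]$Period) {
    switch ($Period) {
        'Minutes' { return New-TimeSpan -Minutes $Units }
        'Hours'   { return New-TimeSpan -Hours   $Units }
        'Days'    { return New-TimeSpan -Days    $Units }
        'Weeks'   { return New-TimeSpan -Days    (7 * $Units) }
        'Months'  { return New-TimeSpan -Days    (30 * $Units) }
        'Years'   { return New-TimeSpan -Days    (365 * $Units) }
        default   { throw "Unknown period unit '$Period'" }
    }
}

# An overlap of 0 units means "use the default": 10 percent of the period, capped at 12 hours.
function Get-Overlap([int]$Units, [string]$Period, [TimeSpan]$Base) {
    if ($Units -gt 0) { return ConvertTo-Span $Units $Period }
    return [TimeSpan]::FromMinutes([Math]::Min($Base.TotalMinutes * 0.1, 12 * 60))
}

$crlPeriod    = ConvertTo-Span $ca.CRLPeriodUnits      $ca.CRLPeriod
$deltaPeriod  = ConvertTo-Span $ca.CRLDeltaPeriodUnits $ca.CRLDeltaPeriod
$validity     = ConvertTo-Span $ca.ValidityPeriodUnits $ca.ValidityPeriod
$crlOverlap   = Get-Overlap $ca.CRLOverlapPeriodUnits      $ca.CRLOverlapPeriod      $crlPeriod
$deltaOverlap = Get-Overlap $ca.CRLDeltaOverlapPeriodUnits $ca.CRLDeltaOverlapPeriod $deltaPeriod

# The CA's own certificate (with its private key) sits in the machine Personal store.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match ('^CN=' + [regex]::Escape($caName) + '(,|$)') } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $caCert) { throw "CA certificate for '$caName' not found in LocalMachine\My" }

$caLifetime = $caCert.NotAfter - $caCert.NotBefore
$remaining  = $caCert.NotAfter - (Get-Date)

[pscustomobject]@{
    CA                 = $caName
    BaseCRLPeriod      = $crlPeriod
    BaseCRLOverlap     = $crlOverlap
    DeltaCRLPeriod     = $deltaPeriod
    DeltaCRLOverlap    = $deltaOverlap
    MaxIssuedValidity  = $validity
    CACertExpires      = $caCert.NotAfter
    CACertHalfLifetime = [TimeSpan]::FromTicks([long]($caLifetime.Ticks / 2))
} | Format-List

# The checks a practitioner actually cares about:
if ($crlOverlap -ge $crlPeriod)     { Write-Warning 'Base CRL overlap is not shorter than the base CRL period.' }
if ($deltaOverlap -ge $deltaPeriod) { Write-Warning 'Delta CRL overlap is not shorter than the delta CRL period.' }
if ($deltaPeriod -ge $crlPeriod)    { Write-Warning 'Delta CRL period should be shorter than the base CRL period.' }
if ($validity.Ticks -gt ($caLifetime.Ticks / 2)) {
    Write-Warning 'Issued-certificate validity exceeds half the lifetime of the CA certificate.'
}
if ($remaining -lt $validity) {
    Write-Warning ('The CA certificate expires in {0:N0} days; certificates issued now will be truncated to that date.' -f $remaining.TotalDays)
}
```

With the values from this part you should see a 7-day base CRL with a 12-hour overlap, a 1-day delta CRL with a default overlap of about 2.4 hours, and a 5-year ceiling for issued certificates, with no warnings. Run it again after the service restart at the end of this part, since the CA only applies registry changes on restart.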
Step 2. Enable Auditing on the Issuing CA
CA auditing requires system Audit Object Access to be enabled. To use Local Security Policy to enable object access auditing do as follows. Click Start, click Administrative Tools, and then select Local Security Policy. Expand Local Policies and then select Audit Policy. Double click Audit Object Access, select Success and Failure and then click OK. Note that if Advanced Audit Policy Configuration is in effect on this server (typically applied through Group Policy), the legacy Audit Object Access setting is ignored; in that case enable the Certification Services subcategory under Object Access instead (under Advanced Audit Policy Configuration in Local Security Policy, or with auditpol).
Close Local Security Policy editor.
Configure Auditing for all CA related events
Enable auditing for the CA by selecting which groups of events to audit on the Auditing tab of the CA properties in the Certification Authority MMC snap-in, or by configuring the AuditFilter registry value directly. The value is a bitmask with one bit per group (start and stop the service, back up and restore the database, issue and manage requests, change CA configuration, change CA security settings, store and retrieve archived keys, revoke certificates and publish CRLs), so 127 turns on all seven. To configure auditing for all CA related events, run the following command from an administrative command prompt:
Certutil -setreg CA\AuditFilter 127
The results of that command are shown below.
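As an added example (not from the original post), the script below decodes the AuditFilter bitmask set above, verifies that the audit subcategory which actually produces CA events is enabled (which is the check that matters when advanced audit policy overrides the legacy setting), and lists recent Certification Services events from the Security log. It assumes an elevated PowerShell on the CA; the bit meanings match the check boxes on the CA's Auditing tab, and the event ID range 4868 to 4900 is the range Windows reserves for Certification Services audit events.

```powershell
# Added example, not from the original post: decode the AuditFilter bitmask, confirm the
# audit subcategory that actually produces CA events is enabled, and list recent CA audit
# events. Run on the CA as a local administrator after the settings above are applied.

# Bit values of CA\AuditFilter, as used by the Auditing tab of the CA properties.
$auditBits = @{
    1  = 'Start and stop Active Directory Certificate Services'
    2  = 'Back up and restore the CA database'
    4  = 'Issue and manage certificate requests'
    8  = 'Change CA configuration'
    16 = 'Change CA security settings'
    32 = 'Store and retrieve archived keys'
    64 = 'Revoke certificates and publish CRLs'
}

function Get-CaAuditFilter {
    $configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName    = (Get-ItemProperty -Path $configKey -Name Active).Active
    # A missing value reads as $null, which [int] turns into 0 (nothing audited).
    $filter    = [int](Get-ItemProperty -Path (Join-Path $configKey $caName)).AuditFilter
    foreach ($bit in ($auditBits.Keys | Sort-Object)) {
        [pscustomobject]@{
            Bit     = $bit
            Enabled = (($filter -band $bit) -ne 0)
            Events  = $auditBits[$bit]
        }
    }
}

# AuditFilter alone produces nothing: the events are written through the "Certification
# Services" subcategory of Object Access. When Advanced Audit Policy Configuration is in
# force (usually via Group Policy) the legacy "Audit object access" setting is ignored,
# so check the subcategory itself. auditpol /r prints CSV, which ConvertFrom-Csv parses.
function Get-CaAuditSubcategory {
    $csv = auditpol /get /subcategory:"Certification Services" /r | Where-Object { $_ -match ',' }
    ($csv | ConvertFrom-Csv) | Select-Object Subcategory, 'Inclusion Setting'
}

# Same effect as the Local Security Policy change above, but unambiguous under
# advanced audit policy. Call it if the subcategory is not "Success and Failure".
function Enable-CaAuditSubcategory {
    auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable | Out-Null
}

# Security-log event IDs 4868-4900 are the Certification Services audit events
# (for example 4872 "published the CRL", 4885 "audit filter changed",
# 4887 "approved a request and issued a certificate", 4891 "configuration entry changed").
function Get-CaAuditEvents([int]$Hours = 24) {
    $ms = [long]$Hours * 3600 * 1000
    $xpath = "*[System[(EventID >= 4868 and EventID <= 4900) and TimeCreated[timediff(@SystemTime) <= $ms]]]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0].Trim() } }
}

Get-CaAuditFilter | Format-Table -AutoSize
Get-CaAuditSubcategory
Get-CaAuditEvents | Format-Table -AutoSize
```

Right after this part you should see all seven bits enabled, "Success and Failure" for the subcategory, and, once the service has been restarted and the CRL published, events such as 4885 (audit filter changed), 4891 (configuration entry changed) and 4872 (CRL published). If the subcategory shows "No Auditing" despite the Local Security Policy change, advanced audit policy is in control and Enable-CaAuditSubcategory (or the matching GPO setting) is the fix.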
Step 3. Configure the AIA
The AIA extension in an issued certificate tells clients where they can download the certificate of the CA that issued it, so that they can build and validate the chain. Using a certutil command is a quick and common method for configuring the AIA. When you run the following certutil command, you'll configure the following:
a static file system location (where the CA writes its own certificate)
a Lightweight Directory Access Protocol (LDAP) location
an HTTP location for the AIA.
To configure the AIA using certutil, open an administrative command prompt and enter the following command. Pay close attention to the http address: it currently points to my http web server (pki.windows-noob.com), so replace it with yours.
certutil -setreg CA\CACertPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n2:http://pki.windows-noob.com/CertEnroll/%1_%3%4.crt"
The output of that command is shown below:
After you have run that command, run the following command to confirm your settings:
certutil -getreg CA\CACertPublicationURLs
The result of that command is shown below:
You can also confirm these settings in the registry by using regedit and browsing to the following path:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\windows noob Issuing CA
You can confirm the CACertPublicationURLs by opening that REG_MULTI_SZ value. You should see the following:
1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt
2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11
2:http://pki.windows-noob.com/CertEnroll/%1_%3%4.crt
as shown below:
You can also see this in the CA (certsrv.msc) console. Click Start, select Administrative Tools, and then click Certification Authority. In the navigation pane, expand the Certificate Authority (Local). Right-click windows noob Issuing CA and then click Properties. On the Extensions tab, under Select extension, click Authority Information Access (AIA) and you will see the graphical representation of the AIA settings.
Copy the windows noob Issuing CA certificate to the http AIA location
To copy the windows noob Issuing CA certificate (crt file) to the http AIA location, use the following command on the IssuingCA server while logged in as windowsnoob\EntAdmin. Your CRT file will more than likely be named differently (the name follows the pattern ServerDNSName_CAName.crt), so change the command below accordingly. Unlike the CRL, which the CA service publishes to the web server itself (see Step 4), the CA certificate is copied over once by hand, so remember to repeat this step whenever the Issuing CA certificate is renewed.
copy "c:\Windows\System32\certsrv\certenroll\IssuingCA.windowsnoob.lab.local_windows noob Issuing CA.crt" \\webserver.windowsnoob.lab.local\certenroll\
as shown below:
Step 4. Configure the CDP
Clients will use the CDP to locate the CRL and delta CRLs for certificates issued by the CA. This allows clients to ensure that the certificates have not been revoked. You can configure the CDP using the user interface (certsrv.msc), certutil, or the registry. Using a certutil command is a quick and common method for configuring the CDP. When you run the following certutil command, you'll configure:
a static file system location (the CA's local CertEnroll folder, where the base and delta CRLs are written)
an LDAP location (published to, and included in the CDP extension of issued certificates and in CRLs)
an HTTP location (included in the CDP extension of issued certificates and in CRLs, but not published to directly)
a file system location (the UNC path of the web server's CertEnroll share, which is what actually puts the CRL behind the HTTP URL)
Note: The file system location that you set will allow the CRL to be copied over the network to the web server (webserver.windowsnoob.lab.local), which is why we earlier allowed the Cert Publishers group access to the share and folder. The computer account of every Enterprise CA in the domain is added to the Cert Publishers group automatically when the CA is installed, so we effectively allowed all CAs to copy to the CertEnroll folder on the webserver. Some administrators decide to configure a separate group of specific computers for that purpose or even grant permissions to the CAs individually. The copy runs in the context of the CA service (the IssuingCA computer account), so that account, not your logged-on user, is the one that needs write access to the share.
Adjust this command so that it points to your public web server's http and file location addresses, then open a command prompt as Administrator and enter the following:
certutil -setreg CA\CRLPublicationURLs "65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n6:http://pki.windows-noob.com/CertEnroll/%3%8%9.crl\n65:\\webserver.windowsnoob.lab.local\CertEnroll\%3%8%9.crl"
as shown below:
After you run that command, run the following certutil command to verify your settings:
certutil -getreg CA\CRLPublicationURLs
as shown below:
and of course, you can also verify it in the registry by browsing to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\windows noob Issuing CA
using regedit, where the CRLPublicationURLs value should contain the following:
65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl
79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
6:http://pki.windows-noob.com/CertEnroll/%3%8%9.crl
65:\\webserver.windowsnoob.lab.local\CertEnroll\%3%8%9.crl
as shown below:
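The numeric prefixes (1, 2, 65, 79, 6) in the two certutil -setreg commands of Steps 3 and 4 are bitmasks, and the %n tokens are placeholders the CA fills in at publication time. The PowerShell below is an added example, not code from the original post: it decodes both value strings exactly as used above and expands the tokens, so you can see which locations the CA writes to, which ones it merely references in issued certificates and CRLs, and what file and LDAP names it will produce. The two value strings are copied from this post; the CA properties used for token expansion (server name, configuration naming context and so on) are this lab's assumed values and exist only to make the output concrete.

```powershell
# Added example, not part of the original post: decode the numeric prefix on each
# CACertPublicationURLs / CRLPublicationURLs entry and expand the %n tokens, so you can
# read back what the two certutil -setreg commands in Steps 3 and 4 told the CA to do.
# The two value strings are the ones used in this post; the CA properties used for
# token expansion are the lab's assumed names and only exist to make the output concrete.

$aiaValue = '1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n2:http://pki.windows-noob.com/CertEnroll/%1_%3%4.crt'
$cdpValue = '65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n6:http://pki.windows-noob.com/CertEnroll/%3%8%9.crl\n65:\\webserver.windowsnoob.lab.local\CertEnroll\%3%8%9.crl'

# Flag bits, as exposed by the check boxes on the Extensions tab of the CA properties.
$aiaFlags = @{
    1  = 'Publish the CA certificate to this location'
    2  = 'Include in the AIA extension of issued certificates'
    32 = 'Include in the OCSP extension of issued certificates'
}
$cdpFlags = @{
    1   = 'Publish CRLs to this location'
    2   = 'Include in the CDP extension of issued certificates'
    4   = 'Include in CRLs (clients use this to find delta CRL locations)'
    8   = 'Include in all CRLs (where to publish in AD when publishing manually)'
    64  = 'Publish delta CRLs to this location'
    128 = 'Include in the IDP extension of issued CRLs'
}

# certutil's %n replacement tokens, with assumed values for this lab.
$tokens = @{
    '%1'  = 'IssuingCA.windowsnoob.lab.local'                  # ServerDNSName
    '%2'  = 'IssuingCA'                                        # ServerShortName
    '%3'  = 'windows noob Issuing CA'                          # CaName
    '%4'  = ''                                                 # CertificateName: "" for the first CA cert, "(1)" after a renewal
    '%6'  = 'CN=Configuration,DC=windowsnoob,DC=lab,DC=local'  # ConfigurationContainer
    '%7'  = 'windows noob Issuing CA'                          # CATruncatedName (differs from %3 only for very long CA names)
    '%8'  = ''                                                 # CRLNameSuffix: "" for the first key, "(1)" after renewal with a new key
    '%10' = '?certificateRevocationList?base?objectClass=cRLDistributionPoint' # CDPObjectClass
    '%11' = '?cACertificate?base?objectClass=certificationAuthority'           # CAObjectClass
}

function Expand-CaUrl([string]$Template, [hashtable]$Values) {
    $out = $Template
    # Replace longer tokens first so %10 and %11 are not mangled by %1.
    foreach ($k in ($Values.Keys | Sort-Object Length -Descending)) { $out = $out.Replace($k, $Values[$k]) }
    return $out
}

# Split a "\n"-separated certutil -setreg string (the same shape the commands above use;
# the registry stores it as a REG_MULTI_SZ) into decoded entries.
function ConvertFrom-PublicationUrls([string]$Value, [hashtable]$FlagNames, [switch]$Crl) {
    foreach ($entry in ($Value -split '\\n')) {
        $prefix, $template = $entry -split ':', 2
        $flags = [int]$prefix
        $set   = $FlagNames.Keys | Sort-Object | Where-Object { ($flags -band $_) -ne 0 }
        $o = [ordered]@{
            Flags   = $flags
            Meaning = ($set | ForEach-Object { $FlagNames[$_] }) -join '; '
        }
        if ($Crl) {
            # %9 is "" in base CRL names and "+" in delta CRL names.
            $o.BaseCRL  = Expand-CaUrl $template ($tokens + @{ '%9' = ''  })
            $o.DeltaCRL = Expand-CaUrl $template ($tokens + @{ '%9' = '+' })
        } else {
            $o.Location = Expand-CaUrl $template $tokens
        }
        [pscustomobject]$o
    }
}

'--- AIA (CACertPublicationURLs) ---'
ConvertFrom-PublicationUrls $aiaValue $aiaFlags | Format-List
'--- CDP (CRLPublicationURLs) ---'
ConvertFrom-PublicationUrls $cdpValue $cdpFlags -Crl | Format-List
```

Two things the decoded output makes obvious: the HTTP CDP entry (6 = 2 + 4) is only referenced in certificates and CRLs, never written to, so it is the UNC entry (65 = 1 + 64) that actually lands the base CRL (windows noob Issuing CA.crl) and the delta CRL (windows noob Issuing CA+.crl) behind that URL; and the LDAP entry (79) is the only one with all of publish, include-in-certificates and include-in-CRLs set. To decode your live configuration instead of the strings from this post, pass `(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>').CRLPublicationURLs -join '\n'` as the value.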
Using an administrative command prompt, start PowerShell, then run the following commands to restart Active Directory Certificate Services (so that the registry changes made in this part take effect) and to publish a new base CRL and delta CRL.
Restart-Service certsvc
followed by:
certutil -crl
as shown below:
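Publishing only proves something if the files actually arrive where the AIA and CDP URLs say they are. The script below is an added example (not from the original post) that checks this after the restart and certutil -crl: it compares the CA certificate, base CRL and delta CRL on the CA against the copies on the web server share, reads each CRL's ThisUpdate and NextUpdate from certutil -dump, and then runs certutil -verify -urlfetch on the CA certificate, which fetches from the published AIA and CDP locations exactly as a client would. It assumes an elevated PowerShell on the CA and uses this lab's share and folder names.

```powershell
# Added example, not from the original post: after Restart-Service certsvc and
# certutil -crl, confirm that the CA certificate and the base and delta CRLs are really on
# the web server, read the CRLs' validity window, and walk the CA certificate through AIA
# and CDP retrieval the way a client would. Host names and paths are this lab's values.
$localDir = 'C:\Windows\System32\CertSrv\CertEnroll'
$webShare = '\\webserver.windowsnoob.lab.local\CertEnroll'
$caName   = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' -Name Active).Active

# Pull a "Label: value" line (for example "NextUpdate: ...") out of certutil -dump output.
function Get-DumpField([string[]]$Dump, [string]$Label) {
    $m = $Dump | Select-String -Pattern "^\s*${Label}:\s*(.+)$" | Select-Object -First 1
    if (-not $m) { throw "'$Label' not found in certutil -dump output" }
    return $m.Matches[0].Groups[1].Value.Trim()
}

function Get-CrlWindow([string]$Path) {
    $dump = certutil -dump $Path
    [pscustomobject]@{
        File       = Split-Path $Path -Leaf
        ThisUpdate = [datetime]::Parse((Get-DumpField $dump 'ThisUpdate'))
        NextUpdate = [datetime]::Parse((Get-DumpField $dump 'NextUpdate'))
    }
}

# 1. The CA certificate copied in Step 3 and the CRLs published in Step 4 must exist on
#    the web server and be byte-identical to the CA's local copies.
$caCrt = Get-ChildItem $localDir -Filter '*.crt' | Where-Object { $_.Name -like "*_$caName*.crt" } |
         Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $caCrt) { throw "No CA certificate file for '$caName' found in $localDir" }
foreach ($name in @($caCrt.Name, "$caName.crl", "$caName+.crl")) {
    $local  = Join-Path $localDir $name
    $remote = Join-Path $webShare $name
    $status = if (-not (Test-Path $local))      { 'MISSING LOCALLY' }
              elseif (-not (Test-Path $remote)) { 'NOT ON WEB SERVER' }
              elseif ((Get-FileHash $local).Hash -ne (Get-FileHash $remote).Hash) { 'STALE COPY ON WEB SERVER' }
              else { 'OK' }
    '{0,-60} {1}' -f $name, $status
}

# 2. Validity window of the published CRLs (NextUpdate = ThisUpdate + period + overlap).
foreach ($name in "$caName.crl", "$caName+.crl") {
    $w    = Get-CrlWindow (Join-Path $localDir $name)
    $left = $w.NextUpdate - (Get-Date)
    '{0}: valid {1:g} -> {2:g} ({3:N1} hours left)' -f $w.File, $w.ThisUpdate, $w.NextUpdate, $left.TotalHours
    if ($left.TotalHours -le 0) { Write-Warning "$name has already expired; clients will fail revocation checks." }
}

# 3. Chain and revocation check that fetches from the AIA/CDP URLs, as a client would.
#    Any "Failed" line names a location (for example the HTTP CDP) that is unreachable
#    or serving a stale object.
$verify = certutil -verify -urlfetch $caCrt.FullName
$failed = $verify | Select-String -Pattern '^\s*Failed\s+"'
if ($failed) {
    $failed | ForEach-Object { Write-Warning $_.Line.Trim() }
} elseif ($LASTEXITCODE -eq 0) {
    'certutil -verify -urlfetch: chain built and revocation status checked with no failed URL fetches.'
} else {
    Write-Warning "certutil -verify -urlfetch exited with $LASTEXITCODE; review the output in `$verify."
}
```

A typical failure pattern to look for here is the base CRL verifying over HTTP while the delta CRL fails: the delta file name contains a plus sign, which IIS rejects unless double escaping is allowed in request filtering on the CertEnroll site. A "NOT ON WEB SERVER" status for the CRLs, with the local copies present, points at the share permissions for the CA's computer account (the Cert Publishers membership discussed in Step 4).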
That's it for this part, join me in Part 7 where you will install and configure the OCSP Responder role service.