  • 0
anyweb

How can I configure PKI in a lab on Windows Server 2016 - Part 6

Question

This series is comprised of different parts, listed below.

In part 1 of this series, you configured your LAB for a 2 tier PKI hierarchy running on Windows Server 2016. You used PowerShell to create some virtual machines, and then installed Windows Server 2016, Windows 10 Enterprise version 1803 and optionally Smoothwall 3.1 before configuring the IP address scheme and Computer Names on the virtual machines. Finally you configured ADDS on DC01 so that you have a working Domain Controller for the rest of this LAB. In part 2 you installed and did the initial configuration on the Standalone Offline Root CA. In part 3 you prepared the HTTP Web Server for CDP and AIA Publication and you created a DNS record for the publicly available web server.

In part 4 you performed post configuration on the Standalone Offline Root CA to set certificate revocation list (CRL) period registry settings using CertUtil, and then enabled object access Auditing and finally, you configured three locations for the Authority Information Access (AIA) and four locations for the Certificate revocation list Distribution Point (CDP), again using CertUtil. In part 5 you joined the IssuingCA computer to the windowsnoob domain before creating a new CAPolicy.inf file which was customized for the Issuing CA role. Next, you published the Root CA Certificate and CRL (both to Active Directory and the HTTP webserver) and you installed the Enterprise Issuing CA before submitting a request to the StandAlone Offline Root CA. Next you installed the Issuing CA Certificate using the response files from the StandAlone Offline Root CA on the removable media.

In this part, you will perform post installation and configuration of the IssuingCA server.

Step 1. Configure Certificate Revocation and CA Certificate Validity Periods

To configure certificate revocation and CA certificate validity periods ensure that you are logged on to the IssuingCA server as windowsnoob\EntAdmin (you can use whoami in the command prompt to verify which user is logged on).

Configure the CRL and Delta CRL settings

Enter the following commands from an administrative command prompt:

Certutil -setreg CA\CRLPeriodUnits 1

Press enter when done, then enter the following:

Certutil -setreg CA\CRLPeriod "Weeks"

Press enter when done, then enter the following:

Certutil -setreg CA\CRLDeltaPeriodUnits 1

Press enter when done, then enter the following:

Certutil -setreg CA\CRLDeltaPeriod "Days"

The output of the above commands is shown below.

Configure the CRL and Delta CRL settings.png

Define CRL overlap settings

Enter the following commands from an administrative command prompt:

Certutil -setreg CA\CRLOverlapPeriodUnits 12

Press enter when done, then enter the following:

Certutil -setreg CA\CRLOverlapPeriod "Hours"

The output of the above commands is shown below.

define crl overlap settings.png

Configure the certificate validity period

The default ValidityPeriodUnits setting for certificates issued from the IssuingCA server is 2 (years); it is stored in the registry under HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\windows noob Issuing CA, as shown here.

the default validity period.png

You can adjust this setting to define the lifetime of certificates issued from the IssuingCA server. It is recommended that you don't configure validity periods longer than half the total lifetime of the windows noob Issuing CA certificate. That certificate was issued to be valid for 10 years, based on the CAPolicy.inf you created on the IssuingCA in part 5, in particular this line:

RenewalValidityPeriodUnits=10

To limit issued certificates to 5 years, enter the following commands from an administrative command prompt:

Certutil -setreg CA\ValidityPeriodUnits 5

Press enter when done, then enter the following:

Certutil -setreg CA\ValidityPeriod "Years"

Press enter. The output of the above commands is shown below.

crlvalidityperiodunits.png
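The four certutil settings above are plain registry values, so they can be read back and sanity-checked together. The script below is an added example, not part of the guide: it reads the CRL, delta CRL, overlap and validity settings of the active CA, converts them to time spans, and checks the relationships a PKI reviewer looks for, including the guide's recommendation that issued certificates not outlive half of the CA certificate. It assumes it runs on the IssuingCA as an administrator and that the "Active" value under CertSvc\Configuration names the running CA (here "windows noob Issuing CA").

```powershell
# Added example, not from the guide: read the Issuing CA's CRL, delta CRL, overlap and
# issued-certificate validity settings from the registry and sanity-check them.
# Assumptions: runs on the Issuing CA with admin rights; the "Active" value under
# CertSvc\Configuration names the running CA (here "windows noob Issuing CA").

$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $base -Name Active).Active
$cfg    = Get-ItemProperty -Path (Join-Path $base $caName)

# Turn a (units, period) pair such as (1, "Weeks") into a TimeSpan so the periods compare.
function ConvertTo-PeriodTimeSpan {
    param([int]$Units, [string]$Period)
    switch ($Period) {
        'Hours'  { New-TimeSpan -Hours $Units }
        'Days'   { New-TimeSpan -Days  $Units }
        'Weeks'  { New-TimeSpan -Days  ($Units * 7) }
        'Months' { New-TimeSpan -Days  ($Units * 30) }   # approximate; good enough for a sanity check
        'Years'  { New-TimeSpan -Days  ($Units * 365) }
        default  { throw "Unknown period unit '$Period'" }
    }
}

$crl     = ConvertTo-PeriodTimeSpan $cfg.CRLPeriodUnits        $cfg.CRLPeriod
$delta   = ConvertTo-PeriodTimeSpan $cfg.CRLDeltaPeriodUnits   $cfg.CRLDeltaPeriod
$overlap = ConvertTo-PeriodTimeSpan $cfg.CRLOverlapPeriodUnits $cfg.CRLOverlapPeriod
$issued  = ConvertTo-PeriodTimeSpan $cfg.ValidityPeriodUnits   $cfg.ValidityPeriod

# The CA's own certificate lives in the machine Personal store; take the newest one for this CA name.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
          Where-Object { $_.Subject -like "CN=$caName*" } |
          Sort-Object NotAfter -Descending | Select-Object -First 1
$caLife = $caCert.NotAfter - $caCert.NotBefore

"CA:               $caName"
"Base CRL period:  $crl (overlap $overlap)"
"Delta CRL period: $delta"
"Issued cert max:  $issued"
"CA cert lifetime: $caLife (expires $($caCert.NotAfter))"

# Checks a reviewer would apply: deltas must be more frequent than the base CRL, the
# overlap must fit inside the CRL period, and issued certificates should not outlive
# half of the CA certificate (the guide's recommendation).
if ($cfg.CRLDeltaPeriodUnits -gt 0 -and $delta -ge $crl) {
    Write-Warning 'Delta CRL period is not shorter than the base CRL period.'
}
if ($overlap -ge $crl) {
    Write-Warning 'CRL overlap period is not shorter than the base CRL period.'
}
if ($issued.Ticks -gt ($caLife.Ticks / 2)) {
    Write-Warning 'Issued-certificate validity exceeds half the CA certificate lifetime.'
}
```

With the values this guide sets (1 week base CRL, 1 day delta, 12 hour overlap, 5 year issued validity against a 10 year CA certificate) the script prints the summary and no warnings; change ValidityPeriodUnits to 6 and the last warning fires.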

Step 2. Enable Auditing on the Issuing CA
CA auditing requires system Audit Object Access to be enabled. To use Local Security Policy to enable object access auditing do as follows. Click Start, click Administrative Tools, and then select Local Security Policy. Expand Local Policies and then select Audit Policy. Double click Audit Object Access and then select Success and Failure then click OK.

audit object access.png

Close Local Security Policy editor.

Configure Auditing for all CA related events
Enable auditing for the CA either by selecting which groups of events to audit in the Certification Authority MMC snap-in, or by setting the AuditFilter registry value. To configure auditing for all CA related events, run the following command from an administrative command prompt:

Certutil -setreg CA\AuditFilter 127

The results of that command are shown below.

audit all CA events.png
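AuditFilter 127 is a bitmask covering all seven CA event groups, and it only takes effect if Windows is also auditing the Certification Services subcategory that the Audit Object Access policy enables. The script below is an added example, not part of the guide: it decodes the mask, shows the effective audit policy with auditpol, and lists the most recent Certificate Services events from the Security log. Bit meanings are the AuditFilter definitions certutil uses; the event IDs are the Certificate Services events of Microsoft-Windows-Security-Auditing. It assumes it runs on the IssuingCA as an administrator.

```powershell
# Added example, not from the guide: decode the CA AuditFilter bitmask, confirm that the
# "Certification Services" audit subcategory is actually collecting, and list the most
# recent CA audit events from the Security log. Assumes it runs on the Issuing CA as
# an administrator.

$auditBits = [ordered]@{
    1  = 'Start and stop Active Directory Certificate Services'
    2  = 'Back up and restore the CA database'
    4  = 'Issue and manage certificate requests'
    8  = 'Revoke certificates and publish CRLs'
    16 = 'Change CA security settings'
    32 = 'Store and retrieve archived keys'
    64 = 'Change CA configuration'
}

$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $base -Name Active).Active
$filter = (Get-ItemProperty -Path (Join-Path $base $caName) -Name AuditFilter).AuditFilter

"AuditFilter for '$caName' = $filter"
foreach ($bit in $auditBits.Keys) {
    $state = if ($filter -band $bit) { 'ON ' } else { 'off' }
    "  [$state] $($auditBits[$bit])"
}
if ($filter -ne 127) { Write-Warning 'Not every CA event group is audited (the guide sets 127).' }

# AuditFilter only selects which CA events the service writes; Windows also has to audit
# the "Certification Services" object-access subcategory, which is what the Audit Object
# Access policy (or an advanced audit policy) turns on. auditpol shows the effective setting.
auditpol /get /subcategory:"Certification Services"

# Recent CA events: 4886 request received, 4887 request approved and certificate issued,
# 4888 request denied, 4890 certificate manager settings changed, 4891 configuration entry
# changed, 4892 property changed. The last three are the ones worth alerting on.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4886, 4887, 4888, 4890, 4891, 4892 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

Running it immediately after the certutil command above should show all seven groups ON and, because setting AuditFilter is itself a configuration change, at least one 4891 event.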

Step 3. Configure the AIA
The AIA extension points clients to the certificate (public key) of the certification authority (CA). Using a certutil command is a quick and common method for configuring the AIA. When you run the following certutil command, you'll configure the following:

  • a static file system location
  • a Lightweight Directory Access Protocol (LDAP) location
  • an HTTP location for the AIA.

To configure the AIA using certutil, open an administrative command prompt and enter the following command. Pay close attention to the HTTP address: it currently points to my HTTP web server, so change it to yours.

certutil -setreg CA\CACertPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n2:http://pki.windows-noob.com/CertEnroll/%1_%3%4.crt"

The output of that command is shown below:

certutil output.png

After you have run that command, run the following command to confirm your settings:

certutil -getreg CA\CACertPublicationURLs

The result of that command is shown below:

confirm the certutil settings.png

You can also confirm these settings in the registry by using regedit and browsing to the following path:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\windows noob Issuing CA

You can confirm the CACertPublicationURLs by opening that REG_MULTI_SZ value. You should see the following:

1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt
2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11
2:http://pki.windows-noob.com/CertEnroll/%1_%3%4.crt

as shown below:

confrim certutil CACertPublicationURLS in registry.png

You can also see this in the CA (certsrv.msc) console. Click Start, select Administrative Tools, and then click Certification Authority. In the navigation pane, expand Certification Authority (Local). Right-click windows noob Issuing CA and then click Properties. On the Extensions tab, under Select extension, click Authority Information Access (AIA) and you will see the graphical representation of the AIA settings.

aia properties in certserv.png

Copy the windows noob Issuing CA certificate to the http AIA location

To copy the windows noob Issuing CA certificate (crt file) to the HTTP AIA location, use the following command on the IssuingCA server while logged in as windowsnoob\EntAdmin. Your CRT file will more than likely be named differently, so change the command below accordingly.

copy "c:\Windows\System32\certsrv\certenroll\IssuingCA.windowsnoob.lab.local_windows noob Issuing CA.crt" \\webserver.windowsnoob.lab.local\certenroll\

as shown below:

copying from the command prompt.png

Step 4. Configure the CDP

Clients will use the CDP to locate the CRL and delta CRLs for certificates issued by the CA. This allows clients to check that a certificate has not been revoked. You can configure the CDP using the user interface (certsrv.msc), certutil, or the registry. Using a certutil command is a quick and common method for configuring the CDP. When you run the following certutil command, you'll configure:

  • a static file system location
  • an LDAP location
  • an HTTP location
  • a UNC file system location (the web server's share)

Note: The file system location that you set will allow the CRL to be copied over the network to the web server (webserver.windowsnoob.lab.local), which is why we earlier allowed the Cert Publishers group access to the share and folder. All CAs are members of the Cert Publishers group, so we effectively allowed all CAs to copy to the CertEnroll folder on the webserver. Some administrators decide to configure a separate group of specific computers for that purpose or even grant permissions to the CAs individually.

Adjust this command so that it points to your public web server http and file location address, then open a command prompt as Administrator and enter the following:

certutil -setreg CA\CRLPublicationURLs "65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n6:http://pki.windows-noob.com/CertEnroll/%3%8%9.crl\n65:\\webserver.windowsnoob.lab.local\CertEnroll\%3%8%9.crl"

as shown below:

configuring the cdp via certutil.png

After you run that command, run the following certutil command to verify your settings:

certutil -getreg CA\CRLPublicationURLs

as shown below:

certutil crlpublicationurls confirmation.png

and of course, you can also verify it in the registry by using regedit and browsing to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\windows noob Issuing CA

where you should see the following values:

65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl
79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
6:http://pki.windows-noob.com/CertEnroll/%3%8%9.crl
65:\\webserver.windowsnoob.lab.local\CertEnroll\%3%8%9.crl

as shown below:

crlpublicationurls in registry.png
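Each AIA and CDP entry in the two certutil commands above starts with a number such as 1, 2, 65, 79 or 6. Those are bitmasks of the CSURL_* flags behind the checkboxes on the CA's Extensions tab, and getting them wrong is a common way to end up with UNC paths inside issued certificates or with no HTTP location that clients outside the domain can reach. The script below is an added example, not part of the guide, covering both Step 3 and Step 4: it decodes the flags of each entry and runs the checks a reviewer applies. The sample entries are the ones this guide sets; the commented lines at the end show how to feed it a live CA's registry values instead.

```powershell
# Added example, not from the guide: decode the flag prefix of each AIA (CACertPublicationURLs)
# and CDP (CRLPublicationURLs) entry and run reviewer checks on them. Bit values are the
# CSURL_* constants behind the checkboxes on the CA's Extensions tab.

$urlFlags = [ordered]@{
    1   = 'Publish to this location'
    2   = 'Include in the AIA/CDP extension of issued certificates'
    4   = 'Include in CRLs (clients use this to find delta CRLs)'
    8   = 'Include in all CRLs (AD location used when publishing manually)'
    32  = 'Include in the OCSP extension of issued certificates'
    64  = 'Publish delta CRLs to this location'
    128 = 'Include in the IDP extension of issued CRLs'
}

function ConvertFrom-PublicationUrl {
    param([string[]]$Entry)
    foreach ($e in $Entry) {
        $flagText, $url = $e -split ':', 2          # "<flags>:<url template>"
        $flags = [int]$flagText
        $kind = switch -Regex ($url) {
            '^ldap:'   { 'ldap' }
            '^https?:' { 'http' }
            '^\\\\'    { 'unc' }
            default    { 'file' }
        }
        [pscustomobject]@{
            Flags   = $flags
            Kind    = $kind
            Url     = $url
            Meaning = @($urlFlags.Keys | Where-Object { $flags -band $_ } | ForEach-Object { $urlFlags[$_] })
        }
    }
}

function Test-PublicationUrl {
    param([string]$Name, [object[]]$Decoded)
    foreach ($d in $Decoded) {
        # Local paths and UNC shares are publish targets only: embedding them in issued
        # certificates exposes internal names and gives relying parties a URL they cannot use.
        if (($d.Kind -in 'file', 'unc') -and ($d.Flags -band 2)) {
            Write-Warning "$Name entry $($d.Url) is embedded in issued certificates; remove flag 2 from file/UNC entries."
        }
    }
    if (-not ($Decoded | Where-Object { $_.Kind -eq 'http' -and ($_.Flags -band 2) })) {
        Write-Warning "$Name has no HTTP location in the extension; clients outside the domain cannot use LDAP."
    }
    if (-not ($Decoded | Where-Object { $_.Flags -band 1 })) {
        Write-Warning "$Name has no location with the publish flag; nothing will be written."
    }
}

# Constructed sample input: the AIA and CDP entries this guide configures.
$aia = ConvertFrom-PublicationUrl @(
    '1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt'
    '2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11'
    '2:http://pki.windows-noob.com/CertEnroll/%1_%3%4.crt'
)
$cdp = ConvertFrom-PublicationUrl @(
    '65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl'
    '79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10'
    '6:http://pki.windows-noob.com/CertEnroll/%3%8%9.crl'
    '65:\\webserver.windowsnoob.lab.local\CertEnroll\%3%8%9.crl'
)

$aia | Format-Table Flags, Kind, Url -AutoSize
$cdp | Format-Table Flags, Kind, Url -AutoSize
Test-PublicationUrl -Name 'AIA' -Decoded $aia
Test-PublicationUrl -Name 'CDP' -Decoded $cdp

# Live CA instead of the sample: both values are REG_MULTI_SZ, one entry per line.
# $cfg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\windows noob Issuing CA'
# $aia = ConvertFrom-PublicationUrl $cfg.CACertPublicationURLs
# $cdp = ConvertFrom-PublicationUrl $cfg.CRLPublicationURLs
```

For the guide's values the checks pass: 65 on the local and UNC paths is publish (1) plus publish delta (64) with no extension bit, 79 on the LDAP entry adds the extension and CRL bits, and 6 on the HTTP entry is extension (2) plus delta-CRL discovery (4) without publishing, which is correct because the web server receives the files over the UNC path rather than over HTTP.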

Using an administrative command prompt, start PowerShell, then run the following commands to restart Active Directory Certificate Services and to publish the CRL.

Restart-Service certsvc

followed by:

certutil -crl

as shown below:

restart services.png

That's it for this part, join me in Part 7 where you will Install and configure the OCSP Responder role service.


8 answers to this question


  • 0
On 3/22/2019 at 8:36 PM, BThomas123 said:

If anyone gets an access denied error at the last step (certutil -crl), then please reboot your Issuing CA server once and then issue the command again. I had this issue and apparently several other users had this too per various forums. 

Thanks for the heads up, I had the Access Denied error too and a reboot fixed it.


  • 0

I also have this issue but I can't resolve it right now, even after a lot of reboots.

I start the command from an elevated command prompt but I always get an access denied.

I found this is related to my CDP file location and I suspect UAC.

How am I sure this is the problem?

=> Because if I run CRLPublicationURLs again without adding the file location, then the "certutil -CRL" command works without issues.

I checked the rights many times and everything is right:

  • I'm logged on with my Enterprise Administrator account
  • This account is in the "Cert Publishers" AD group and also in the local Administrators group of the server
  • The "Cert Publishers" AD group has Modify NTFS rights on the folder "c:\certenroll"
  • The "Cert Publishers" AD group has "Change" rights on the "CertEnroll" share

So everything seems fine but I always receive an access denied.

Why do I think it's UAC causing the problem?

Because when I try to create a file in "c:\CertEnroll", I'm not able to do it.

The owner of the "c:\CertEnroll" folder is the server's local Administrators group and, like I already said, my account is a member of this group.

And when I do the check on permissions, I should have the needed rights.

So I will continue to find what's wrong in my configuration.


  • 0

You must be doing something different to my guide, as I've done the guide from start to finish over 6 times and every time it works 100% on both Server 2016 and Server 2019.


  • 0

Yes, maybe, but I do not see what.

I just did another test:

If the share "CertEnroll" is on c:\CertEnroll => the command "Certutil -CRL" fails.

If the share "CertEnroll" is on C:\Windows\System32\certsrv\CertEnroll => the command "Certutil -CRL" passes.


  • 0

Ok, I found the issue, which I think is still related to UAC.

If on the share "c:\certenroll" I allow "Change" permissions for Everyone, it works.

I also tried to add the Enterprise user I used directly with Change permission, but it failed.

I suspect it is published by another user.


  • 0

I just found, when I looked at "Sessions" in the Computer Management MMC, that it is published under the server account.

I added the computer account directly on the share with Change permissions and on the Security tab with Modify permissions, but still an access denied.
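The thread above circles around one fact: the CA service runs as LocalSystem, so when certutil -crl publishes to the UNC path it authenticates to the web server as the CA's computer account, not as the logged-on administrator. The guide relies on that account being in Cert Publishers, which is granted Change on the share and Modify on the folder in part 3. The script below is an added example, not from the guide or any of the replies, that checks those three things from the CA's point of view. It assumes the RSAT ActiveDirectory module, the SmbShare module (Server 2012 and later), an account allowed to query the web server remotely, and the guide's names for the CA computer and share.

```powershell
# Added example, not from the guide: confirm that the CA's computer account, which is the
# identity certutil -crl uses over the network, can publish to the web server's share.
# Assumptions: RSAT ActiveDirectory and SmbShare modules are available; the caller may
# query the web server; names are the guide's (IssuingCA, webserver.windowsnoob.lab.local).

$caComputer = 'IssuingCA'
$webServer  = 'webserver.windowsnoob.lab.local'
$shareName  = 'CertEnroll'

Import-Module ActiveDirectory

# 1. Is the CA computer account a member of Cert Publishers (directly or through nesting)?
$members = Get-ADGroupMember -Identity 'Cert Publishers' -Recursive |
           Select-Object -ExpandProperty SamAccountName
$inGroup = "$caComputer`$" -in $members
"Cert Publishers contains ${caComputer}`$ : $inGroup"

# 2. Does the share grant Change or Full to Cert Publishers or to the computer account?
$shareAcl = Get-SmbShareAccess -CimSession $webServer -Name $shareName
$shareOk  = $shareAcl | Where-Object {
    $_.AccessControlType -eq 'Allow' -and ($_.AccessRight -in 'Change', 'Full') -and
    ($_.AccountName -like '*\Cert Publishers' -or $_.AccountName -like "*\$caComputer`$")
}
"Share grants Change/Full to Cert Publishers or ${caComputer}`$ : $([bool]$shareOk)"

# 3. Does the NTFS ACL on the shared folder grant at least Modify to one of them?
$modify = [System.Security.AccessControl.FileSystemRights]::Modify
$ntfs   = Get-Acl -Path "\\$webServer\$shareName"
$ntfsOk = $ntfs.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $modify) -eq $modify) -and
    ($_.IdentityReference -like '*\Cert Publishers' -or $_.IdentityReference -like "*\$caComputer`$")
}
"NTFS grants Modify to Cert Publishers or ${caComputer}`$ : $([bool]$ntfsOk)"

if (-not ($inGroup -and $shareOk -and $ntfsOk)) {
    Write-Warning 'certutil -crl will be denied on the UNC location until the CA computer account has share Change and NTFS Modify.'
}
```

One detail the script cannot see is worth remembering when all three lines say True and publishing still fails: a computer account's group memberships are placed in its Kerberos ticket when the machine logs on, so a CA added to Cert Publishers (or to a custom publishing group) only carries that membership after it re-authenticates, which is why a reboot of the Issuing CA is the usual fix.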
