Export (0) Print
Expand All
8 out of 14 rated this helpful - Rate this topic

Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy

Published: February 8, 2012

Updated: June 24, 2013

Applies To: Windows Server 2012, Windows Server 2012 R2



The purpose of this Test Lab Guide (TLG) is to enable you to create a two-tier public key infrastructure (PKI) hierarchy using Windows Server® 2012 and Active Directory Certificate Services (AD CS).

noteNote
To comment on this content or ask questions about the information presented here, please use our Feedback guidance.

This document contains instructions for extending the Windows Server 2012 Base Configuration Test Lab Guide (TLG) to include an offline root certification authority and install an online enterprise subordinate certification authority on the computer APP1 from the Base Configuration TLG. In this guide you will deploy a two-tier PKI hierarchy, configure a certificate revocation list (CRL) distribution point (CDP), automatically deploy certificates to the domain, and utilize a certificate to enable Secure Sockets Layer (SSL) communication with the APP1 web site.

ImportantImportant
The configuration of the computers and network in this guide was designed to give you hands-on practice in creating a two-tier certification authority PKI hierarchy. The design decisions made in this guide were geared toward increasing your hands-on experience and do not reflect a best practices configuration. For best practice information, see Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure (http://technet.microsoft.com/library/cc772670.aspx) and PKI Design Brief Overview (http://social.technet.microsoft.com/wiki/contents/articles/pki-design-brief-overview.aspx).

The test lab configuration demonstrated in this guide extends the Windows Server 2012 or Windows Server 2012 R2 Base Configuration TLG by one server computer. The additional computer will serve as an offline root CA and be named ORCA1. There are six major steps in this test lab guide to complete that include multiple subordinate procedures.

  1. Complete the Base TLG Configuration

  2. Configure ORCA1

  3. Configure APP1 to distribute certificates and CRLs

  4. Configure APP1 as an enterprise subordinate CA

  5. Enable certificate auto-enrollment

  6. Configure SSL for APP1

PKI Base Configuration Network Layout
ImportantImportant
Although EDGE1 and INET1 are pictured in the figure, they are not utilized in the lab.

The following are the minimum required components of the test lab:

  1. The product disc or files for Windows Server 2012 or Windows Server 2012 R2.

  2. Three computers that meet the minimum hardware requirements for Windows Server 2012 or Windows Server 2012 R2.

    noteNote
    You will need only the DC1, APP1, and CLIENT1 computers from the Base Test Lab configuration to complete this lab. You will also build the ORCA1 computer during this lab. As previously mentioned, INET1 and EDGE1 are not utilized in this lab.

  3. The product disc or files for Windows® 8 or Windows® 8.1.

  4. One computer that meets the minimum hardware requirements for Windows 8 or Windows 8.1.

  5. One removable media with enough free space to hold a few certificates and certificate revocation lists (about 10 kilobytes). This can be either physical or virtual removable media depending on whether your lab is using physical or virtual computers.

    noteNote
    For instructions on transferring files using a virtual floppy disk using Microsoft Windows Server™ Hyper-V, see Creating, Using, and Transferring Files using Virtual Floppy Disks (http://social.technet.microsoft.com/wiki/contents/articles/4272.aspx).

  6. If you wish to deploy the Base Configuration test lab in a virtualized environment, your virtualization solution must support Windows Server 2012 or Windows Server 2012 R2 64-bit virtual machines. The server hardware must support the amount of RAM required to run the virtual operating systems included in the Base Configuration test lab and any other virtual machines that may be required by additional TLGs.

ImportantImportant
Run Windows Update on all computers or virtual machines either during the installation or immediately after installing the operating systems. After running Windows Update, you can isolate your physical or virtual test lab from your production network.

The Windows Server 2012 Base Configuration Test Lab Guide (TLG) is located at http://go.microsoft.com/fwlink/p/?LinkId=236358.

TipTip
See Test Lab Guides for information on the location of other test lab guide files.

The procedures to complete the configuration of the offline root CA, named ORCA1, include:

  • Install the Operating system

  • Rename the computer

  • Prepare the CAPolicy.inf for the standalone root CA

  • Install the standalone root CA

  • Configure the root CA settings

  • Copy the root CA certificate and CRL to removable media

  • Distribute the root CA via GPO

  • Create an internal contoso.com DNS zone and www host record

  1. Do not connect this computer to a network.

  2. Start the installation of Windows Server 2012 or Windows Server 2012 R2.

  3. Follow the instructions to complete the installation, specifying Windows Server 2012 or Windows Server 2012 R2 (full installation) and a strong password for the local Administrator account. Sign in using the local Administrator account.

  1. Open Windows PowerShell®.

  2. Type rename-computer orca1 and then press ENTER.

  3. Type restart-computer and then press ENTER.

    After the computer restarts, sign in using the local Administrator account.

  1. Open Windows PowerShell, type notepad c:\Windows\CAPolicy.inf and press ENTER.

  2. When prompted to create a new file, click Yes.

  3. Enter the following as the contents of the file:

    [Version]
    Signature="$Windows NT$"
    [PolicyStatementExtension]
    Policies=InternalPolicy
    [InternalPolicy]
    OID= 1.2.3.4.1455.67.89.5
    Notice="Legal Policy Statement"
    URL=http://www.contoso.com/pki/cps.txt
    [Certsrv_Server]
    RenewalKeyLength=2048
    RenewalValidityPeriod=Years
    RenewalValidityPeriodUnits=20
    CRLPeriod=weeks
    CRLPeriodUnits=26
    CRLDeltaPeriod=Days
    CRLDeltaPeriodUnits=0
    LoadDefaultTemplates=0
    AlternateSignatureAlgorithm=1
    
    
    CautionCaution
    Windows XP and Windows Server 2003 certificate clients do not support the Alternate Signature Algorithm. If you want these clients to be able to enroll for certificates, do not add the line AlternateSignatureAlgorithm=1 to the CAPolicy.inf. For more information, see Guidelines for Using Alternate Signature Formats.

    noteNote
    The OID shown in the example is the Microsoft OID. Individual organizations should obtain their own OIDs. For more information about OIDs, see Obtaining a Root OID from an ISO Name Registration Authority.

    TipTip
    Setting the CRLDeltaPeriodUnits=0 in the CAPolicy.inf disables Delta CRL publishing, which is the appropriate setting for an offline Root CA.

  4. Click Save As. Ensure the following:

    • File name is set to CAPolicy.inf

    • Save as type is set to All Files

    • Encoding is ANSI

  5. When you are prompted to overwrite the file, click Yes.

    Configuring root CAPolicy.inf
    CautionCaution
    Be sure to save the CAPolicy.inf with the inf extension. If you do not specifically type .inf at the end of the file name and select the options as described, the file will be saved as a text file and will not be used during CA installation.

  6. Close Notepad.

ImportantImportant
In the CAPolicy.inf, you can see there is a line specifying the URL http://www.contoso.com/pki/cps.txt. The Internal Policy section of the CAPolicy.inf is just shown as an example of how you would specify the location of a certificate practice statement (CPS). To learn more about policy statements including CPS, see Creating Certificate Policies and Certificate Practice Statements (http://technet.microsoft.com/library/cc780454.aspx) and RFC 2527 (http://www.ietf.org/rfc/rfc2527.txt). For more information about CAPolicy.inf file syntax and purposes, see CA Policy.inf Syntax (http://technet.microsoft.com/library/cc728279.aspx).

  1. In Server Manager, click Manage, and then click Add Roles and Features.

  2. On the Before you begin screen, click Next.

  3. On the Select installation type screen, ensure the default selection of Role-based or feature-based installation is selected. Click Next.

  4. On the Select destination server screen, ensure that orca1 is selected and then click Next.

  5. On the Select server roles screen, select the Active Directory Certificate Services role.

  6. When prompted to install Remote Server Administration Tools click Add Features. Click Next.

  7. On the Select features screen, click Next.

  8. On the Active Directory Certificate Services screen, click Next.

  9. On the Select role services screen, the Certification Authority role is selected by default. Click Next.

  10. On the Confirm installation selections screen, verify the information and then click Install.

  11. Wait for the installation to complete. The installation progress screen is displayed while the binary files for the CA are installed. When the binary file installation is complete, click the Configure Active Directory Certificate Services on the destination server link.

    Configure AD CS on destination server
    TipTip
    If you were to click Close before the installation completed, you could complete the configuration of the role service by through a link to complete the configuration in the notifications icon of Server Manager.

  12. On the Credentials screen, you should see that the ORCA1\Administrator is displayed in the Credentials box. Click Next.

    noteNote
    When installing a Standalone CA, you must use an account that is a member of the local Administrators group.

  13. On the Role Services screen, select Certification Authority. This is the only available selection when only the binary files for the certification authority role are installed on the server. Click Next.

  14. The only selection available on the Setup Type screen is Standalone CA. This is because the account used to install is a member of the local Administrators group and the server is not a member of an Active Directory Domain Services (AD DS) domain. Click Next.

  15. On the CA Type screen, Root CA is selected by default. Click Next.

  16. On the Private Key screen, leave the default selection to Create a new private key selected. Click Next.

  17. On the Cryptography for CA screen, ensure that the cryptographic provider is RSA#Microsoft Software Key Storage Provider, the key length is set to 2048 and the hash algorithm is set to SHA1 then click Next.

    noteNote
    Do not select the Allow administrator interaction when the private key is accessed by the CA checkbox. This setting is typically used with Hardware Security Modules (HSMs) and similar key protection devices prompt for additional information when the private key is accessed.

  18. On the CA Name screen, in the Common name for this CA text box, type ContosoRootCA and then click Next.

  19. On the Validity Period screen, enter 20 for the number of years for the certificate to be valid.

  20. On the CA Database screen, leave the default locations for the database and database log files. Click Next.

  21. On the Confirmation screen, click Configure.

  22. The Progress screen is displayed during the configuration processing, then the Results screen appears. Click Close. If the Installation progress screen is still open, click Close on that screen as well.

TipTip
The following Windows PowerShell commands would perform the same action as shown above

Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools

Install-AdcsCertificationAuthority –CAType StandaloneRootCA –CACommonName "ContosoRootCA" –KeyLength 2048 –HashAlgorithm SHA1 –CryptoProviderName "RSA#Microsoft Software Key Storage Provider"

  1. In Server Manager, click Tools and then click Certification Authority.

  2. In the Certification Authority console tree, expand ORCA1-ContosoRootCA. Right-click Revoked Certificates and then click Properties.

  3. On the CRL Publishing Parameters tab, ensure that Publish Delta CRLs is cleared (not selected). Click OK.

  4. In the Certification Authority console tree, right-click ORCA1-ContosoRootCA and then click Properties.

  5. Click the Extensions tab. Ensure that Select extensions is set to CRL Distribution Point (CDP) and in the Specify locations from which users can obtain a certificate revocation list (CRL), review the default settings.

  6. Change Select extension to Authority Information Access (AIA) and review the default settings. Click OK. If you are prompted to restart Active Directory Certificate Services, click No. You will restart the service after modifying the default paths in the next step.

  7. From Windows PowerShell run the following commands:

    certutil -setreg CA\CRLPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%3%8.crl\n2:http://www.contoso.com/pki/%3%8.crl"

    certutil –setreg CA\CACertPublicationURLs "2:http://www.contoso.com/pki/%1_%3%4.crt"

    Certutil -setreg CA\CRLOverlapPeriodUnits 12

    Certutil -setreg CA\CRLOverlapPeriod "Hours"

    Certutil -setreg CA\ValidityPeriodUnits 10

    Certutil -setreg CA\ValidityPeriod "Years"

    certutil -setreg CA\DSConfigDN CN=Configuration,DC=corp,DC=contoso,DC=com

    restart-service certsvc

    certutil -crl

noteNote
The certutil commands above set the CDP and AIA paths respectively for the Root CA. The overlap period for CRLs is the amount of time at the end of a published CRLs lifetime that a client can use to obtain a new CRL before the old CRL is considered unusable, which is set for 12 hours. The default setting for this value is 10% of the CRL lifetime. The validity period settings are to define the number of days, weeks, months, or years that a certificate issued by the CA will be valid, which is set for 10 years in the commands above. The validity period for a certificate cannot be greater than the validity period of the CA that issued the certificate. The default value depends on the type of certificate. The default location of the CDP in also established for eventual use with Active Directory. The same configuration can be accomplished by using the following Windows PowerShell® and certutil commands:

$crllist = Get-CACrlDistributionPoint; foreach ($crl in $crllist) {Remove-CACrlDistributionPoint $crl.uri -Force};

Add-CACRLDistributionPoint -Uri C:\Windows\System32\CertSrv\CertEnroll\%3%8.crl -PublishToServer -Force

Add-CACRLDistributionPoint -Uri http://www.contoso.com/pki/%3%8.crl -AddToCertificateCDP -Force

$aialist = Get-CAAuthorityInformationAccess; foreach ($aia in $aialist) {Remove-CAAuthorityInformationAccess $aia.uri -Force};

Certutil -setreg CA\CRLOverlapPeriodUnits 12

Certutil -setreg CA\CRLOverlapPeriod "Hours"

Certutil -setreg CA\ValidityPeriodUnits 10

Certutil -setreg CA\ValidityPeriod "Years"

restart-service certsvc

certutil -crl

To view the AIA and CDP, you can run the following commands: Get-CAAuthorityInformationAccess | format-list and Get-CACRLDistributionPoint | format-list. You can also return to the Extensions tab in certification authority properties dialog box and see the changes made to the AIA and CDP.

  1. From Windows PowerShell, run the command dir C:\Windows\system32\certsrv\certenroll\*.cr*, which displays the certificates and CRLs in the default certificate store.

  2. Copy the CA certificate file and CRL to removable media. For example, if you were running commands to copy the certificate and CRL to a floppy disk drive (A:), you would run the following commands:

    1. copy C:\Windows\system32\certsrv\certenroll\*.cr* A:\

    2. dir A:\

    TipTip
    Substitute the drive letter of your removable media for A: in the commands shown above. The removable media can be either physical or virtual, as discussed in Hardware and software requirements. Also, if you see an error that reads “The volume does not contain a recognized file system.” You may need to format the media. For example, if it is a floppy disk, you might need to type format a: and then press ENTER.

  1. On APP1, sign in using the User1 account, which is a member of both Domain Admins and Enterprise Admins. Open Windows PowerShell as administrator. To do so, right-click the Windows PowerShell icon and then click Run as administrator. When prompted by User Account Control, click Yes.

  2. Insert the removable media containing the offline root CA certificate into APP1.

  3. From Windows PowerShell change to the removable media drive using the cd command (as in run cd a:\ to change to the root of drive A).

  4. From the Windows PowerShell on the removable media drive, run the following commands:
    certutil –dspublish –f orca1_ContosoRootCA.crt RootCA

    certutil –addstore –f root orca1_ContosoRootCA.crt

    certutil –addstore –f root ContosoRootCA.crl

noteNote
The first command places the root CA public certificate into the Configuration container of Active Directory. Doing so allows domain client computers to automatically trust the root CA certificate and there is no additional need to distribute that certificate in Group Policy. The second and third commands place the root CA certificate and CRL into the local store of APP1. This provides APP1 immediate trust of root CA public certificate and knowledge of the root CA CRL. APP1 could obtain the certificate from Group Policy and the CRL from the CDP location, but publishing these two items to the local store on APP1 is helpful to speed the configuration of APP1 as a subordinate CA.

The public certificates, certificate revocation lists, and certificate practices statement are all to be placed in the location http://www.contoso.com/pki. Internal client computers will not be able to resolve this computer name to the internal web site (APP1) unless an appropriate DNS entry is placed on the DNS server.

  1. On DC1, open the DNS console. In Server Manager, click Tools, then click DNS.

  2. In the DNS console, expand the following in the console tree: DC1, Forward Lookup Zones.

  3. Right-click the Forward Lookup Zones and then click New Zone.

  4. On the Welcome to the New Zone Wizard screen, click Next.

  5. By default you will see that Primary zone is selected and that the zone will be stored in Active Directory. To accept these defaults, click Next.

  6. Leave the default setting and then click Next.

  7. On Zone name screen, type contoso.com and then click Next.

  8. On the Dynamic Update screen, leave the default setting and then click Next.

  9. On the Completing the New Zone Wizard, click Finish.

  10. In the console tree of the DNS console, right-click the contoso.com zone and then click New Host (A or AAAA).

    TipTip
    You may have to click the corp.contoso.com zone one time before you are able to access the right-click options.

  11. In Name (uses parent domain if left blank), type www.

  12. In IP Address, type 10.0.0.3. This zone and record will direct communications from internal clients for www.contoso.com to the address of APP1. Click Add Host.

  13. Click OK to confirm that the record was created. Click Done.

  14. Close the DNS console

In the extensions of the root CA, it was stated that the CRL from the root CA would be available via http://www.contoso.com/pki. Currently, there is not a PKI virtual directory on APP1, so one must be created. In a production environment, you would typically separate the issuing CA role from the role of hosting the AIA and CDP. However, this lab combines both in order to reduce the number of resources needed to complete the lab.

TipTip
If a CA cannot find the CRLs of its parent CA, the AD DS service (certsvc) will fail to start on the subordinate CA. This can only be remedied by resolving the CRL distribution issue (recommended) or by changing the CA log level from the default of 3 to level 2. For more information on CA log levels, see Microsoft Knowledge Base article 305018 http://support.microsoft.com/kb/305018.

  1. Ensure that you sign in using the User1 account. Run Windows PowerShell as Administrator and then run the following commands:

    New-item -path c:\pki –type directory

    write-output "Example CPS statement" | out-file c:\pki\cps.txt

    new-smbshare -name pki c:\pki -FullAccess SYSTEM,"CORP\Domain Admins" -ChangeAccess "CORP\Cert Publishers"

  2. Open the IIS console. In Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.

  3. In the Internet Information Services (IIS) Manager console tree, expand APP1. If you are invited to get started with Microsoft Web Platform, click Cancel.

  4. Expand Sites and then right-click the Default Web Site and then click Add Virtual Directory.

  5. In Alias, type pki and then in physical path type C:\pki, then click OK.

  6. Enable Anonymous access to the pki virtual directory. To do so:

    1. In the Connections pane, expand Default Web Site, ensure that pki is selected.

    2. On pki Home click Authentication.

    3. In the Actions pane, click Edit Permissions.

    4. On the Security tab, click Edit

    5. On the Permissions for pki dialog box, click Add.

    6. On Select Users, Computers, Service Accounts, or Groups, type Cert Publishers and then click Check Names.

    7. On Select Users, Computers, Service Accounts, or Groups, click Object Types.

    8. On Object Types, select Service Accounts and then click OK.

    9. On Select Users, Computers, Service Accounts, or Groups, click Locations.

    10. On Locations, click APP1 and then click OK.

    11. On Select Users, Computers, Service Accounts, or Groups after Cert Publishers, type ;IIS AppPool\DefaultAppPool and then click Check Names. Click OK.

      noteNote
      These steps have granted the IIS default application pool Read & execute, List folder contents, and Read permissions. IIS uses the default application pool to allow anonymous access. This will allow users to check the AIA and CDP hosted on IIS.

    12. On Permissions for pki select Cert Publishers (CORP\Cert Publishers). Under Permissions for Cert Publishers, select the Modify checkbox in the Allow column and then click OK twice.

      noteNote
      Granting modify permissions to the pki folder to Cert Publishers allows for the publishing of certificates and CRLs by CAs in the enterprise to the folder.

  7. In the pki Home pane, double-click Request Filtering.

  8. The File Name Extensions tab is selected by default in the Request Filtering pane. In the Actions pane, click Edit Feature Settings.

  9. In Edit Request Filtering Settings, select Allow double escaping and then click OK. Close Internet Information Services (IIS) Manager.

    noteNote
    Allowing double escaping is needed if you are publishing Delta CRLs to IIS because the Delta CRL file contains a + symbol. For more information, see Microsoft Knowledge Base article 942076 (http://support.microsoft.com/kb/942076).

  10. Run Windows PowerShell as an administrator. From Windows PowerShell, run the command iisreset

The steps to configure APP1 as an Enterprise Subordinate CA include the following procedures:

  1. Configure the CAPolicy.inf

  2. Install the enterprise subordinate CA role

  3. To configure the AIA and CDP

  1. On APP1, as User1, open Windows PowerShell as Administrator and then type notepad c:\Windows\CAPolicy.inf and press ENTER.

  2. When asked if you want to create the file. Click Yes.

  3. Use the following information for the enterprise subordinate CA CAPolicy.inf file.

    [Version]
    Signature="$Windows NT$"
    [PolicyStatementExtension]
    Policies=InternalPolicy
    [InternalPolicy]
    OID= 1.2.3.4.1455.67.89.5
    Notice="Legal Policy Statement"
    URL=http://www.contoso.com/pki/cps.txt
    [Certsrv_Server]
    RenewalKeyLength=2048
    RenewalValidityPeriod=Years
    RenewalValidityPeriodUnits=5
    LoadDefaultTemplates=0
    AlternateSignatureAlgorithm=1
    
    
    CautionCaution
    Windows XP and Windows Server 2003 certificate clients do not support the Alternate Signature Algorithm. If you want these clients to be able to enroll for certificates, do not add the line AlternateSignatureAlgorithm=1 to the CAPolicy.inf. For more information, see Guidelines for Using Alternate Signature Formats.

  4. Click File, Save As and ensure that you are saving an ANSI file named CAPolicy.inf in the C:\Windows folder. You will have to switch the Save as type to All Files in order to get the inf extension instead of txt extension. When prompted to replace CAPolicy.inf, click Yes.

  5. Close Notepad.

  1. On APP1, as User1, run Windows PowerShell as Administrator, and then run the following command gpupdate /force. This action ensures that the GPO for the trusted root certification authority is applied to APP1.

  2. In Server Manager, click Manage, and then click Add Roles and Features.

  3. On the Before you begin, click Next.

  4. On the Select installation type screen, ensure the default selection of Role or Feature Based Install is selected. Click Next.

  5. On the Select destination server screen, ensure that APP1 is selected and then click Next.

  6. On the Select server roles screen, select the Active Directory Certificate Services role.

  7. When prompted to install Remote Server Administration Tools click Add Features. Click Next.

  8. On the Select features screen, click Next.

  9. On the Active Directory Certificate Services screen, click Next.

  10. On the Select role services screen, ensure Certification Authority is selected and then click Next.

  11. On the Confirm installation selections screen, verify the information and then click Install.

  12. Wait for the installation to complete. The installation progress screen is displayed while the binary files for the CA are installed. When the binary file installation is complete, click the Configure Active Directory Certificate Services on the destination server link.

    TipTip
    If you clicked Close before the installation completed, you could complete the configuration of the role service by through a link to complete the configuration in the notifications icon of Server Manager.

  13. On the Credentials screen, the credentials for User1 appear. Click Next.

  14. On the Role Services screen, select Certification Authority.

  15. On the Setup Type screen, ensure that Enterprise CA is selected and then click Next.

    noteNote
    If the computer is a domain member and the credentials supplied previously were for an account that is a member of the Enterprise Admins group, you can select Enterprise CA or Standalone CA. If the computer is not a domain member or credentials were entered for an account that is not a member of Enterprise Admins, then only the Standalone CA selection is available.

  16. On the CA Type screen, select Subordinate CA to install an Enterprise Subordinate CA. Click Next.

  17. On the Private Key screen, ensure the Create a new private key option is selected and then click Next.

  18. The Cryptography for CA screen, ensure that the cryptographic provider is RSA#Microsoft Software Key Storage Provider, key length is 2048, and the hash algorithm is set to SHA1. Click Next.

  19. On the CA Name screen, in Common name for this CA, type IssuingCA-APP1. You will see that the distinguished name changes to CN=IssuingCA-APP1,DC=corp,DC=contoso,DC=com. Click Next.

  20. On the Certificate Request screen, notice that Save a certificate request to file on the target machine is selected. This is the correct option because we are using an offline parent CA (the root CA) in this configuration. Leave the default and click Next.

  21. On the CA Database screen, leave the default database and log locations and then click Next.

  22. On the Confirmation screen, click Configure.

  23. On the Results screen, you see that you must take the certificate request to the ContosoRootCA in order to complete the configuration. Click Close

    noteNote
    The Windows PowerShell commands to perform the installation of the Enterprise Subordinate CA as shown in this section are:

    Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools

    Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA -CACommonName "IssuingCA-APP1" -KeyLength 2048 -HashAlgorithm SHA1 -CryptoProviderName "RSA#Microsoft Software Key Storage Provider"

  24. Copy the certificate request to removable media to take to the ORCA1. For example, if you wanted to copy the file from the C:\ drive to a floppy drive with drive letter A:\, then you could run the following command from Windows PowerShell: copy C:\*.req A:\

  25. Take the removable media with the certificate request file to the ORCA1. Sign on to the root CA using an account that is a member of local Administrators.

  26. On ORCA1, from Windows PowerShell, submit the request using the following command (assuming that A:\ is your removable media drive letter):
    certreq -submit A:\APP1.corp.contoso.com_IssuingCA-APP1.req

    noteNote
    If the removable media has a different drive letter, then substitute that letter for A:\.

  27. On Certification Authority List, ensure that ContosoRootCA (Kerberos) CA is selected and then click OK. You see that the certificate request is pending and the request identification number. Ensure that you note the request ID number.

  28. On ORCA1, you must approve the request. You can do this using Server Manager or by using certutil from the command line.

    • To use Server Manager, click Tools, and then click Certification Authority. Expand the ContosoRootCA object and then click Pending Requests.

      Right-click the Request ID that corresponds with the one you saw when you submitted the request in the previous step. Click All Tasks and then click Issue.

      Click Issued Certificates and see the issued certificate in the Details pane.

    • To use certutil, enter Certutil resubmit <RequestId>, replace the actual request number for <RequestId>. For example, if the Request ID is 2, you would enter Certutil resubmit 2

  29. From the command prompt on ORCA1, retrieve the issued certificate by running the command
    certreq –retrieve <RequestId> <drive>:\APP1.corp.contoso.com_corp-APP1-CA.crt.
    Substitute the actual number of the request when it was submitted for <RequestId> and the actual drive letter of the removable media for <drive>. For example, if the request ID where 2 and the removable media was drive A, then the request would be: certreq –retrieve 2 a:\APP1.corp.contoso.com_IssuingCA-APP1.crt. When prompted to select the CA, ensure that ORCA1-ContosoRootCA is selected and then click OK.

  30. On ORCA1, run the command dir A:\ (assuming that A is the removable media drive letter, if not substitute the correct drive letter for A). You see that ContosoRootCA.crl, orca1_ORCA1-ContosoRootCA.crt, and APP1.corp.contoso.com_corp-APP1-CA.crt are now saved to the removable media. Move the removable media to APP1.

  31. On APP1, in Windows PowerShell, run the following commands to copy the root CA certificate and CRL to the PKI folder (assuming that A: is the removable media drive, if not substitute the correct drive letter), install the subordinate CA certificate, start the certificate service, and copy the subordinate CA certificate and CRLs to the PKI folder:

    • copy a:\*.cr* c:\pki\

    • certutil –installcert a:\APP1.corp.contoso.com_corp-APP1-CA.crt

    • start-service certsvc

    • copy c:\Windows\system32\certsrv\certenroll\*.cr* c:\pki\

TipTip
ORCA1 is no longer needed for this lab, so you can turn it off. To turn off a computer from Windows PowerShell, you can run the command stop-computer.

  1. On APP1, as User1, right-click Windows PowerShell, click Run as Administrator. Click Yes to confirm that you want to run Windows PowerShell as an Administrator.

  2. From Windows PowerShell run the following commands:

    certutil -setreg CA\CRLPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%3%8.crl\n2:http://www.contoso.com/pki/%3%8.crl"

    certutil -setreg CA\CACertPublicationURLs "2:http://www.contoso.com/pki/%1_%3%4.crt\n1:file://\\App1.corp.contoso.com\pki\%1_%3%4.crt"

    Certutil -setreg CA\CRLPeriodUnits 2

    Certutil -setreg CA\CRLPeriod "Weeks"

    Certutil -setreg CA\CRLDeltaPeriodUnits 1

    Certutil -setreg CA\CRLDeltaPeriod "Days"

    Certutil -setreg CA\CRLOverlapPeriodUnits 12

    Certutil -setreg CA\CRLOverlapPeriod "Hours"

    Certutil -setreg CA\ValidityPeriodUnits 5

    Certutil -setreg CA\ValidityPeriod "Years"

    restart-service certsvc

    certutil -crl

noteNote
The same configuration can be accomplished using the following Windows PowerShell and certutil commands:

$crllist = Get-CACrlDistributionPoint; foreach ($crl in $crllist) {Remove-CACrlDistributionPoint $crl.uri -Force};

Add-CACRLDistributionPoint -Uri C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl -PublishToServer -PublishDeltaToServer -Force

Add-CACRLDistributionPoint -Uri http://www.contoso.com/pki/%3%8%9.crl -AddToCertificateCDP -Force

Add-CACRLDistributionPoint -Uri file://\\App1.corp.contoso.com\pki\%3%8%9.crl -PublishToServer -PublishDeltaToServer -Force

$aialist = Get-CAAuthorityInformationAccess; foreach ($aia in $aialist) {Remove-CAAuthorityInformationAccess $aia.uri -Force};

Add-CAAuthorityInformationAccess -AddToCertificateAia http://www.contoso.com/pki/%1_%3%4.crt -Force

Certutil -setreg CA\CRLPeriodUnits 2

Certutil -setreg CA\CRLPeriod "Weeks"

Certutil -setreg CA\CRLDeltaPeriodUnits 1

Certutil -setreg CA\CRLDeltaPeriod "Days"

Certutil -setreg CA\CRLOverlapPeriodUnits 12

Certutil -setreg CA\CRLOverlapPeriod "Hours"

Certutil -setreg CA\ValidityPeriodUnits 5

Certutil -setreg CA\ValidityPeriod "Years"

restart-service certsvc

certutil -crl

By sharing the pki folder and including the file path file://\\App1.corp.contoso.com\pki\%3%8%9.crl as a CDP extension, the CRLs and Delta CRLs will be copied to the share when you run the command certutil –crl. If you want to further restrict access to the share, you could create a separate group and include only the CAs that you want to authorize to publish to the share in that group. Then, share the pki folder only to that specific group and the SYSTEM account.

ImportantImportant
A configuration item that is typically performed on production CAs that is not part of this lab is to enable Audit Object Access (http://technet.microsoft.com/library/cc776774.aspx) and then to enable all auditing events by running the following command: certutil -setreg CA\AuditFilter 127. After doing so, ensure that you regularly archive the Security Event Log and follow the Auditing Security Events Best Practices (http://technet.microsoft.com/library/cc778162.aspx).

There are two procedures in order to configure computer certificate autoenrollment:

  1. Enable certificate autoenrollment through Group Policy

  2. Configure a client and server authentication certificate template for autoenrollment

  1. On DC1, sign in as User1. In Server Manager, click Tools, and then click Group Policy Management.

  2. On the console tree, expand the following objects: Forest: corp.contoso.com, Domains, corp.contoso.com.

    noteNote
    You might see a warning that any policies linked to the domain will affect all computers to which the policy is linked. If so, read it and then click OK.

  3. In the console tree, right-click Default Domain Policy, and then click Edit.

  4. In the console tree of the Group Policy Management Editor, under Computer Configuration, expand the following objects: Policies, Windows Settings, Security Settings, and then click Public Key Policies.

  5. In the details pane, double-click Certificate Services Client - Auto-Enrollment. In Configuration Model, select Enabled.

  6. Select Renew expired certificates, update pending certificates, and remove revoked certificates and Update certificates that use certificate templates. Click OK.

  7. Close Group Policy Management Editor and Group Policy Management Console.

  1. On APP1, in the Certification Authority console pane, ensure that IssuingCA-APP1 is expanded.

  2. Right-click Certificate Templates and then click Manage.

  3. In the details pane, right-click Workstation Authentication and then click Duplicate Template.

  4. Click the General tab, in Template display name, type Client-Server Authentication.

  5. Click the Extensions tab, ensure Application Policies is selected, and then click Edit.

  6. Click Add then click Server Authentication. Click OK twice.

  7. On the Properties of New Template dialog, click the Security tab.

  8. In Group or user names, click Domain Computers (CORP\Domain Computers).

  9. In the Autoenroll row, select the Allow checkbox. This will cause all domain computers to automatically enroll for certificates using this template.

    noteNote
    • You would typically not assign a template both the Client Authentication and the Server Authentication enhanced key usage (EKU). Also, Server Authentication EKU are typically not configured for autoenrollment. This is done in this lab only for convenience and compatibility with other labs.

    • The computers also need Read permission for the template in order to enroll. However, this permission is already granted to the Authenticated Users group. All computer accounts in the domain are members of Authenticated Users, so they already have the permission to Read the template.

  10. Click OK. Close the Certificate Templates Console.

  11. Right-click Certificate Templates, click New, click Certificate Template to Issue.

  12. In the Enable Certificate Templates dialog box, click Client-Server Authentication and then click OK. Close the Certification Authority console.

To demonstrate how the certificates deployed through AD DS and AD CS can be used, you will secure the APP1 Web site using SSL and then connect to that secure site with CLIENT1.

noteNote
This part of the lab is done to demonstrate using a certificate to secure a Web site.

There are two procedures in this step:

  1. Secure the APP1 Default Web Site

  2. Connect to the secure web site

  1. On APP1, as User1, run Windows PowerShell as Administrator. Then, run the following commands:

    Gpupdate /force. Wait for the update of Group Policy to complete and then close the Command Prompt. This ensures that the autoenrollment certificate distributed through Group Policy is issued to APP1.

    cd cert:\LocalMachine\My

    dir | format-list

    You should see that you have two certificates. One was issued by ContosoRootCA, which is the APP1 CA certificate. The other certificate was issued by IssuingCA-APP1 and it can be used to secure the APP1 default web site.

  2. Open the Internet Information Services (IIS) Manager console. To do so, in Server Manager, click Tools and then click Internet Information Services (IIS) Manager. In the contents pane, expand the following path APP1, Sites, and Default Web Site.

    noteNote
    If you see an Internet Information Services (IIS) Manager prompt asking if you want to get started with Microsoft Web Platform, click Cancel.

  3. Click Default Web Site. In the Actions pane click Bindings.

  4. In the Site Bindings dialog box, click Add.

  5. In the Add Site Binding dialog box, in Type, select https.

  6. Under SSL certificate, click Select.

  7. In Select Certificate use the selection box to select the certificate that was issued by the IssuingCA-APP1 through the Group Policy. This will be a certificate with a long alphanumeric, as opposed one that reads IssuingCA-APP1. To verify you have the correct certificate, click View. Ensure the certificate you select shows that it was issued to APP1.corp.contoso.com and issued by IssuingCA-APP1. Once you have the correct certificate, click OK on the Certificate dialog box.

  8. On Add Site Binding dialog box, click OK.

  9. In the Site Bindings dialog box, click Close.

  1. Connect CLIENT1 to the Corporate network.

  2. Log on to CLIENT1 as User1.

  3. Open Internet Explorer on CLIENT1.

  4. In Internet Explorer, enter the address https://app1.corp.contoso.com and press ENTER. When you see the default IIS 8 web page, you are confirming that https and the SSL binding are working for the Default Web Site on APP1.

    TipTip
    If instead you see that there is a problem with the certificate, then you probably selected an incorrect certificate in the previous procedure. You must select the certificate that was issued for the name APP1.corp.contoso.com. Also, it could be that Group Policy has not yet updated the Trusted Root Certification authorities. To ensure that the Group Policy updates are in place, open Explorer, then type cmd in the Explorer address bar. Then type gpupdate /force and press ENTER.

ImportantImportant
The ORCA1 certificate revocation list (CRL) is valid for 26 weeks, which was configured using the CAPolicy.inf. The APP1 CRL must be updated weekly by default. To update the CRL, use the command:

Certutil –crl, which publishes the CRL to the locations that you specified in the CA Properties Extensions tab.

noteNote
To comment on this content or ask questions about the information presented here, please use our Feedback guidance.

See Also

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft. All rights reserved.