Wednesday, April 27, 2016

HOWTO - Setup a Windows 2012 R2 AD CS Two Tier PKI hierarchy deployment - Part 1 - The RootCA

This lab guide is a consolidated description on how to set up a two tier PKI infrastructure on Windows 2012 R2 with  Active Directory Certificate services.

This guide contains instructions for installing a standalone offline root CA, and an enterprise issuing CA (two-tier PKI hierarchy).

In this guide you will deploy a two-tier PKI hierarchy, configure a certificate revocation list (CRL) distribution point (CDP), automatically deploy certificates to the domain, and utilize a certificate.

This lab tutorial requires that you have 2 servers, installed with Windows 2012 R2.

A Windows 2012 R2 Stand Alone server, not domain-joined.
This server will be used to deploy our offline Root CA.

A Windows 2012 R2 Server, promoted to domain controller in a new forest.

Installing the standalone offline root CA:

To complete this installation we will be performing below steps:

  • Prepare the CAPolicy.inf for the standalone root CA
  • Install the standalone root CA
  • Configure the Root CA Authority Information Access and Certificate Distribution Point settings
  • Copy the root CA certificate and CRL to removable media
  • Distribute the root CA via GPO
  • Create an internal DNS zone and www host record
  • To prepare the CAPolicy.inf for the standalone root CA

Open Windows PowerShell

Type: notepad c:\Windows\CAPolicy.inf and press ENTER.

When prompted to create a new file, click Yes.Enter the following as the contents of the file:

Signature="$Windows NT$"
Notice="Legal Policy Statement"


Windows XP and Windows Server 2003 certificate clients do not support the Alternate Signature Algorithm. If you want these clients to be able to enroll for certificates, do not add the line AlternateSignatureAlgorithm=1 to the CAPolicy.inf.


In the above example there is an OID (object identifier) noted from Microsoft.
Individual organizations should obtain their own OIDs.
The preferred way to obtain a root object identifier (OID) is to request one from an International Standards Organization (ISO) Name Registration Authority. This is a one-time action; when you have obtained a root OID, the OID space it defines is yours and you can administer it yourself.
For this tutorial, we will be using Microsoft's OID.


Setting the CRLDeltaPeriodUnits=0 in the CAPolicy.inf disables Delta CRL publishing, which is the appropriate setting for an offline Root CA.

For more information about about CAPolicy.inf file syntax and purposes, check out:

Save the file as C:\Windows\CAPolicy.inf, make sure to save it in the ANSI encoding format.

To install the standalone Root CA Role:

1. In Server Manager, click Manage, and then click Add Roles and Features.

2. On the Before you begin screen, click Next.

3. On the Select installation type screen, ensure the default selection of Role-based or feature-based installation is selected. Click Next.

4. On the Select destination server screen, ensure that ROOTCA is selected and then click Next.

5. On the Select server roles screen, select the Active Directory Certificate Services role.

6. When prompted to install Remote Server Administration Tools click Add Features. Click Next.

7. On the Select features screen, click Next.

8. On the Active Directory Certificate Services screen, click Next.

9. On the Select role services screen, the Certification Authority role is selected by default. Click Next.

10. On the Confirm installation selections screen, verify the information and then click Install.

11. Wait for the installation to complete. The installation progress screen is displayed while the binary files for the CA are installed. 

The necessary files have now been installed for our Certificate Services Role.

Configuring Active Directory Certificates Services on the destination server.

1. When the binary file installation is complete, click the Configure Active Directory Certificate Services on the destination server link.

2 On the Credentials screen, you should see that the ROOTCA\Administrator is displayed in the Credentialsbox. Click Next.

3. On the Role Services screen, select Certification Authority. This is the only available selection when only the binary files for the certification authority role are installed on the server. Click Next.

4 The only selection available on the Setup Type screen is Standalone CA. This is because the account used to install is a member of the local Administrators group and the server is not a member of an Active Directory Domain Services (AD DS) domain. Click Next.

5. In the CA Type screen, Root CA is selected by default. Click Next.

6. On the Private Key screen, leave the default selection to Create a new private key selected. Click Next.

7. On the Cryptography for CA screen, ensure that the cryptographic provider is RSA#Microsoft Software Key Storage Provider, the key length is set to 2048 and the hash algorithm is set to SHA1 then click Next.

Do not select the Allow administrator interaction when the private key is accessed by the CAcheckbox. This setting is typically used with Hardware Security Modules (HSMs) and similar key protection devices prompt for additional information when the private key is accessed.

8. On the CA Name screen, in the Common name for this CA text box, type MyRootCA and then clickNext.

9. On the Validity Period screen, enter 20 for the number of years for the certificate to be valid.

10. On the CA Database screen, leave the default locations for the database and database log files. Click Next.

11. On the Confirmation screen, click Configure.

12. The Progress screen is displayed during the configuration processing, then the Results screen appears. Click Close. If the Installation progress screen is still open, click Close on that screen as well.

Configuring Certificate Revocation Lists and Authority Information Access

In Server Manager, click Tools and then click Certification Authority.

In the Certification Authority console tree, expand MyRootCA. Right-click Revoked Certificates and then click Properties.

On the CRL Publishing Parameters tab, ensure that Publish Delta CRLs is cleared (not selected). Click OK.

In the Certification Authority console tree, right-click MyRootCA and then click Properties.

Click the Extensions tab. Ensure that Select extensions is set to CRL Distribution Point (CDP) and in theSpecify locations from which users can obtain a certificate revocation list (CRL), review the default settings.

Change Select extension to Authority Information Access (AIA) and review the default settings. Click OK. If you are prompted to restart Active Directory Certificate Services, click No. You will restart the service after modifying the default paths in the next step.

Now configure our AIA and CDP url's and additional expiry information.
This should be done in powershell.
Lines starting with a hashtag are comments.

# Remove the current CAAuthorityInformationAccess locations

  • $aialist = Get-CAAuthorityInformationAccess; foreach ($aia in $aialist) {Remove-CAAuthorityInformationAccess $aia.uri -Force};

# Add an url to CAAuthorityInformationAccess

  • Add-CAAuthorityInformationAccess –AddToCertificateAia -uri

# Remove the current CrlDistributionPoint information locations

  • $crllist = Get-CACrlDistributionPoint; foreach ($crl in $crllist) {Remove-CACrlDistributionPoint $crl.uri -Force};

# Add an url to CrlDistributionPoint

  • Add-CACRLDistributionPoint -Uri C:\Windows\System32\CertSrv\CertEnroll\%3%8.crl -PublishToServer -Force

# Add an url to CrlDistributionPoint

  • Add-CACRLDistributionPoint -Uri -AddToCertificateCDP -Force

# Set grace time for replacing your revocation lists, this is the time u have to create a new revocation list and transfer it to an accessible location.

  • Certutil -setreg CA\CRLOverlapPeriodUnits 24
  • Certutil -setreg CA\CRLOverlapPeriod "Hours"

# Set how long issues certificates will be valid.

  • Certutil -setreg CA\ValidityPeriodUnits 5
  • Certutil -setreg CA\ValidityPeriod "Years"

# Restart certificate services to activate this configuration.

  • restart-service certsvc

# Trigger a manual publish of a certificate revocation list

  • certutil -crl
# Copy the root CA certificate and CRL to removable media (usb stick) and paste in the CDP and / or AIA location
# From Windows PowerShell, run the command dir C:\Windows\system32\certsrv\certenroll\*.cr*, which displays the certificates and CRLs in the default certificate store.
# Copy the CA certificate file and CRL to removable media. For example, if you were running commands to copy the certificate and CRL to a floppy disk drive (A:), you would run the following commands: 
  • copy C:\Windows\system32\certsrv\certenroll\*.cr* A:\

# Now log in to your domain server that will become your subordinate certificate authority and insert your removable media

# Publish the "ROOTCA_RonnyVdB Trusted Root.crt" certificate into the configuration container of AD, this will make all machines on the domain trust this certificate without need for group policy distribution. 
ldap:///CN=RonnyVdB Trusted Root,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=my,DC=domain,DC=net?c
  • certutil –dspublish –f "ROOTCA_RonnyVdB Trusted Root.crt" RootCA
# Add the "ROOTCA_RonnyVdB Trusted Root.crt" certificate to the local certificate store, normally this happens at next group policy update, but this speeds up the process
  • certutil –addstore –f root orca1_ContosoRootCA.crt
  • certutil –addstore –f root ContosoRootCA.crl

# Don't forget to create dns records and check if the CDP and AIA urls are reacheable.

This concludes part 1, the set-up of the Enterprise RootCA of our tutorial.

Go to part 2, the set-up of the Enterprise Subordinate Authority.

No comments:

Post a Comment