2013: Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy : http://technet.microsoft.com/en-us/library/hh831348.aspx

Certificate Services Concepts: http://technet.microsoft.com/en-us/library/cc778992(WS.10).aspx

Certificate Services Best practices: http://technet.microsoft.com/en-us/library/cc738786(WS.10).aspx

This step-by-step guide explains how to install and configure a public key infrastructure (PKI) based on:

  • Windows 2008 R2 Server core – offline Root CA
  • Windows 2008 R2 domain controller
  • Windows 2008 R2 enterprise edition – Subordinate Enterprise CA server

Offline Root CA – OS installation phase

  1. Boot the server using Windows 2008 R2 bootable DVD.
  2. Specify the product ID -> click Next.
  3. From the installation option, choose “Windows Server 2008 R2 (Server Core
    Installation)” -> click Next.
  4. Accept the license agreement -> click Next.
  5. Choose “Custom (Advanced)” installation type -> specify the hard drive to
    install the operating system -> click Next.
  6. Allow the installation phase to continue and restart the server
    automatically.
  7. To login to the server for the first time, press CTRL+ALT+DELETE
  8. Choose “Administrator” account -> click OK to replace the account
    password -> specify complex password and confirm it -> press Enter ->
    Press OK.
  9. From the command prompt window, run the command below:
    sconfig.cmd
  10. Press “2″ to replace the computer name -> specify new computer name ->
    click “Yes” to restart the server.
  11. To login to the server, press CTRL+ALT+DELETE -> specify the
    “Administrator” account credentials.
  12. From the command prompt window, run the command below:
    sconfig.cmd
  13. Press “5″ to configure “Windows Update Settings” -> select “A” for
    automatic -> click OK.
  14. Press “6″ to download and install Windows Updates -> choose “A” to search
    for all updates -> Choose “A” to download and install all updates -> click
    “Yes” to restart the server.
  15. To login to the server, press CTRL+ALT+DELETE -> specify the
    “Administrator” account credentials.
  16. From the command prompt window, run the command below:
    sconfig.cmd
  17. In case you need to use RDP to access and manage the server, press “7″ to
    enable “Remote Desktop” -> choose “E” to enable -> choose either “1″ or
    “2″ according to your client settings -> Press OK.
  18. Press “8″ to configure “Network settings” -> select the network adapter
    by its Index number -> press “1″ to configure the IP settings -> choose
    “S” for static IP address -> specify the IP address, subnet mask and default
    gateway -> press “2″ to configure the DNS servers -> click OK -> press
    “4″ to return to the main menu.
  19. Press “9″ to configure “Date and Time” -> choose the correct “date/time”
    and “time zone” -> click OK
  20. Press “11″ to restart the server to make sure all settings take effect ->
    click “Yes” to restart the server.

Offline Root CA – Certificate Authority server installation phase

  1. To login to the server, press CTRL+ALT+DELETE -> specify the
    “Administrator” account credentials.
  2. Install Certificate services:
    start /w ocsetup.exe CertificateServices /norestart /quiet
  3. To check that the installation completed, run the command:
    oclist | find /i "CertificateServices"
  4. Download the file “setupca.vbs”
    from:
    http://blogs.technet.com/b/pki/archive/2009/09/18/automated-ca-installs-using-vb-script-on-windows-server-2008-and-2008r2.aspx
    To:
    C:\Windows\system32
  5. Run the command below to configure the Root CA:
    Cscript /nologo C:\Windows\System32\setupca.vbs /is /sn <ca_server_name> /sk 4096 /sp "RSA#Microsoft Software Key Storage Provider" /sa SHA256
  6. In order to verify that the installation completed successfully, open the
    file “_SetupCA.log” located in the current working directory with Notepad,
    and make sure the last line is:
    Install complete! Passed
  7. Run the command below to enable remote management of the Root CA:
    netsh advfirewall firewall set rule group="Remote Service Management" new enable=yes
  8. Run the command below to stop the CertSvc service:
    Net stop CertSvc
  9. Run the command below to change the validity period of newly issued
    certificates:
    reg add HKLM\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\<rootca_netbios_name> /v ValidityPeriodUnits /t REG_DWORD /d 5 /f
    Note: The command above should be written in one line.
  10. Run the command below to start the CertSvc service:
    Net start CertSvc

Enterprise Subordinate CA – OS installation phase

Pre-requirements:

  • Active Directory (Forest functional level – Windows 2008 R2)
  • Add an “A” record for the Root CA to the Active Directory DNS.

  1. Boot the server using the Windows 2008 R2 Enterprise Edition bootable DVD.
  2. Specify the product ID -> click Next.
  3. From the installation option, choose “Windows Server 2008 R2 Enterprise
    Edition (Full Installation)” -> click Next.
  4. Accept the license agreement -> click Next.
  5. Choose “Custom (Advanced)” installation type -> specify the hard drive to
    install the operating system -> click Next.
  6. Allow the installation phase to continue and restart the server
    automatically.
  7. To login to the server for the first time, press CTRL+ALT+DELETE
  8. Choose “Administrator” account -> click OK to replace the account
    password -> specify complex password and confirm it -> press Enter ->
    Press OK.
  9. From the “Initial Configuration Tasks” window, configure the following
    settings:

    • Set time zone
    • Configure networking – specify static IP address, netmask, gateway, DNS
    • Provide computer name and domain – add the server to the domain
    • Enable Remote Desktop
  10. In order to be able to remotely manage the Root CA, run the command
    below:
    cmdkey /add:<RootCA_Hostname> /user:Administrator /pass:<RootCA_Admin_Password>

Enterprise Subordinate CA – Certificate Authority server installation phase

Pre-requirements:

  • DNS CNAME record named “wwwca” for the Enterprise Subordinate CA.

  1. To login to the server, press CTRL+ALT+DELETE -> specify the credentials
    of an account that is a member of “Schema Admins”, “Enterprise Admins” and
    “Domain Admins”.
  2. Start -> Administrative Tools -> Server Manager.
  3. From the left pane, right click on Roles -> Add Roles -> Next ->
    select “Web Server (IIS)” -> click Next twice -> select the following
    role services:

    • Web Server
    • Common HTTP Features
    • Static Content
    • Default Document
    • Directory Browsing
    • HTTP Errors
    • HTTP Redirection
    • Application Development
    • .NET Extensibility
    • ASP
    • ISAPI Extensions
    • Health and Diagnostics
    • HTTP Logging
    • Logging Tools
    • Tracing
    • Request Monitor
    • Security
    • Windows Authentication
    • Client Certificate Mapping Authentication
    • IIS Client Certificate Mapping Authentication
    • Request Filtering
    • Performance
    • Static Content Compression
    • Management Tools
    • IIS Management Console
    • IIS Management Scripts and Tools
    • IIS 6 Management Compatibility
    • IIS 6 Metabase Compatibility
  4. Click Next -> click Install -> click Close.
  5. From the left pane, right click on Features -> Add Features -> Next
    -> expand “Windows Process Activation Service” -> select “.NET
    Environment” and “Configuration APIs” -> select the feature “.NET Framework
    3.5.1 Features” -> click Next -> click Install -> click Close.
  6. From the left pane, right click on Roles -> Add Roles -> Next ->
    select “Active Directory Certificate Services” -> click Next twice ->
    select the following role services:

    • Certification Authority
    • Certification Authority Web Enrollment
    • Certificate Enrollment Policy Web Service
  7. Click Next.
  8. Configure the following settings:

    • Specify Setup Type: Enterprise
    • CA Type: Subordinate CA
    • Private Key: Create a new private key
    • Cryptography:
      Cryptographic service provider (CSP): RSA#Microsoft Software Key Storage Provider
      Key length: 2048
      Hash algorithm: SHA256
    • CA Name:
      Common name: specify here the subordinate server NetBIOS name
      Distinguished name suffix: leave the default domain settings
    • Certificate Request: Save a certificate request to file and manually send it later
    • Certificate Database: leave the default settings
    • Authentication Type: Windows Integrated Authentication
    • Server Authentication Certificate: Choose and assign a certificate for SSL
      later
  9. Click Next twice -> click Install -> click Close.
  10. Close the Server Manager.
  11. Start -> Administrative Tools -> Certification Authority
  12. From the left pane, right click on “Certification Authority (Local)” ->
    “Retarget Certification Authority” -> choose “Another computer” -> specify
    the RootCA hostname -> click Finish.
  13. Right click on the RootCA server name -> Properties ->
    Extensions tab -> extension type: CRL Distribution Point (CDP):

    • Uncheck “Publish Delta CRLs to this location”.
    • Select the line that begins with “LDAP”, and click Remove.
    • Select the line that begins with “HTTP”, and click Remove.
    • Select the line that begins with “file”, and click Remove.
    • Click on Add -> as the location, put:
      http://wwwca/CertEnroll/<RootCA_Server_Name>.crl
    • Click on the line that begins with “HTTP”, and make sure the only option
      checked is: “Include in the CDP extension of issued certificates”.
    • Click on the line that begins with “C:\Windows”, and make sure the only
      option checked is: “Publish CRLs to this location”.
  14. Extensions tab -> extension type: Authority Information Access (AIA):

    • Select the line that begins with “LDAP”, and click Remove.
    • Select the line that begins with “HTTP”, and click Remove.
    • Select the line that begins with “file”, and click Remove.
    • Click on Add -> as the location, put:
      http://wwwca/CertEnroll/<RootCA_Server_Name>.crt
  15. Click OK and allow the CA server to restart its services.
  16. From the “Certification Authority” left pane, right click on “Revoked
    certificates”-> Properties:

    • CRL publication interval: 180 days
    • Make sure “Publish Delta CRLs” is not checked
    • Click OK
  17. Right click on the CA name -> All tasks -> Stop service
  18. Right click on the CA name -> All tasks -> Start service
  19. Run the commands below from the command line, to configure the Offline
    Root CA to publish to Active Directory:
    certutil.exe -setreg ca\DSConfigDN "CN=Configuration,DC=mycompany,DC=com"
    certutil.exe -setreg ca\DSDomainDN "DC=mycompany,DC=com"
    Note: Replace DC=mycompany,DC=com according to your domain name.
  20. From the “Certification Authority” left pane, right click on “Revoked
    certificates”-> All tasks -> Publish -> click OK.
  21. Close the “Certification Authority” snap-in and logoff the subordinate CA
    server.
  22. Login to a domain controller in the forest root domain, with an account
    that is a member of Domain Admins and Enterprise Admins.
  23. Copy the file below from the Offline Root CA server to a temporary folder
    on the domain controller:
    C:\Windows\System32\CertSrv\CertEnroll\*.crt
  24. Start -> Administrative Tools -> Group Policy Management.
  25. From the left pane, expand the forest name -> expand Domains -> expand
    the relevant domain name -> right click on “Default domain policy” ->
    Edit.
  26. From the left pane, under “Computer Configuration” -> expand Policies
    -> expand “Windows Settings” -> expand “Security Settings” -> expand
    “Public Key Policies” -> right click on “Trusted Root Certification
    Authorities” -> Import -> click Next -> click Browse to locate the CRT
    file from the Root CA -> click Open -> click Next twice -> click Finish
    -> click OK.
  27. Logoff the domain controller.
  28. Return to the subordinate enterprise CA server.
  29. Start -> Administrative Tools -> Certification Authority.
  30. From the left pane, right click on “Certification Authority (Local)” ->
    “Retarget Certification Authority” -> choose “Another computer” -> specify
    the RootCA hostname -> click Finish.
  31. Right click on the RootCA server name -> All Tasks -> Submit new
    request -> locate the subordinate CA request file (.req) -> Open.
  32. Expand the RootCA server name -> right click on “Pending Requests” ->
    locate the subordinate CA request ID according to the date -> right click on
    the request -> All Tasks -> Issue.
  33. From the left pane, click on “Issued Certificates” -> locate the
    subordinate CA request ID -> right click on the request -> All Tasks ->
    “Export Binary Data” -> choose “Binary Certificate” -> click “Save binary
    data to a file” -> click OK -> specify the location and the file name
    <subordinate_ca_server_name_signed_certificate>.p7b -> click Save.
  34. Run the command below from the command line to avoid offline CRL
    errors:
    Certutil.exe -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
  35. From the left pane, right click on “Certification Authority” -> “Retarget
    Certification Authority” -> choose “Local computer” -> click Finish.
  36. Right click on the subordinate CA server name -> All Tasks -> “Install
    CA Certificate” -> locate the file
    <Subordinate_CA_Server_Name_Signed_Certificate>.p7b -> click Open.
  37. Right click on the subordinate CA server name -> All Tasks -> Start
    Service.
  38. Right click on the subordinate CA server name -> Properties ->
    Extensions tab -> extension type: CRL Distribution Point (CDP):

    • Select the line that begins with “HTTP” -> click Remove -> click Yes.
    • Select the line that begins with “file” -> click Remove -> click Yes.
    • Click on Add -> as the location, put:
      http://wwwca/CertEnroll/<subordinate_CA_Server_Name>.crl
    • Click on the line that begins with “HTTP”, and make sure the following
      options are checked: “Include in CRLs” and “Include in the CDP”.
  39. Extensions tab -> extension type: Authority Information Access (AIA):
  40. Click OK and allow the CA server to restart its services.
  41. From the “Certification Authority” left pane, right click on “Revoked
    certificates”-> All tasks -> Publish -> click OK.
  42. Close the “Certification Authority” snap-in
  43. Copy the files below from the Root CA to the subordinate CA (same
    location):
    C:\Windows\System32\CertSrv\CertEnroll\*.crl
    C:\Windows\System32\CertSrv\CertEnroll\*.crt
  44. Logoff the subordinate CA server.
  45. Login to a domain controller in the forest root domain, with an account
    that is a member of Domain Admins and Enterprise Admins.
  46. Copy the file below from the subordinate CA server to a temporary folder
    on the domain controller (copy the newest file):
    C:\Windows\System32\CertSrv\CertEnroll\*.crt
  47. Start -> Administrative Tools -> Group Policy Management.
  48. From the left pane, expand the forest name -> expand Domains -> expand
    the relevant domain name -> right click on “Default domain policy” ->
    Edit.
  49. From the left pane, under “Computer Configuration” -> expand Policies
    -> expand “Windows Settings” -> expand “Security Settings” -> expand
    “Public Key Policies” -> right click on “Intermediate Certification
    Authorities” -> Import -> click Next -> click Browse to locate the CRT
    file from the subordinate CA server -> click Open -> click Next twice
    -> click Finish -> click OK.
  50. Logoff the domain controller.
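The following PowerShell script is an added verification check, not part of the original guide, to run from a domain-joined machine once the hierarchy is in place: it fetches the CDP/AIA files published under http://wwwca/CertEnroll (steps 13, 14 and 38), reports how long the manually published Root CRL (step 16) remains valid, and builds the subordinate CA's chain with online revocation checking, the way every client will. The file names are placeholders for the files in your CertEnroll folder, and the use of WebClient instead of Invoke-WebRequest assumes the PowerShell 2.0 that ships with 2008 R2.

```powershell
# Added verification script (not from the original guide). Replace the
# placeholder file names with <RootCA_Server_Name>.crt / .crl and the
# newest subordinate CA .crt from CertEnroll (assumptions, see lead-in).
$Base    = "http://wwwca/CertEnroll"
$RootCrt = "ROOTCA-PLACEHOLDER.crt"
$RootCrl = "ROOTCA-PLACEHOLDER.crl"
$SubCrt  = "SUBCA-PLACEHOLDER.crt"
$Work    = Join-Path $env:TEMP "pki-check"
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Every CDP/AIA location from steps 13, 14 and 38 must answer over plain
#    HTTP; an unreachable location makes chain building fail on all clients.
$wc = New-Object System.Net.WebClient   # also available on PowerShell 2.0
foreach ($name in @($RootCrt, $RootCrl, $SubCrt)) {
    $target = Join-Path $Work $name
    $wc.DownloadFile("$Base/$name", $target)
    "{0,-50} {1,8} bytes" -f "$Base/$name", (Get-Item $target).Length
}

# 2. The root CRL is republished by hand every 180 days (step 16). Warn well
#    before NextUpdate, because an expired root CRL breaks every chain.
$crlText = certutil -dump (Join-Path $Work $RootCrl) | Out-String
if ($crlText -match 'NextUpdate:\s*(.+)') {
    $next = [DateTime]::Parse($matches[1].Trim())
    $days = [int]($next - (Get-Date)).TotalDays
    if ($days -lt 30) {
        Write-Warning "Root CRL expires in $days day(s): boot the offline root and publish a new CRL (step 20)"
    } else {
        "Root CRL valid for another $days day(s), until $next"
    }
}

# 3. Build the subordinate CA's chain with online revocation checking. This
#    exercises the AIA (root .crt) and CDP (root .crl) URLs exactly as clients do.
$sub   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Join-Path $Work $SubCrt)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
if ($chain.Build($sub)) {
    "Chain OK:"
    $chain.ChainElements | ForEach-Object { "  " + $_.Certificate.Subject }
} else {
    Write-Warning "Chain build failed for $($sub.Subject):"
    $chain.ChainStatus | ForEach-Object { Write-Warning ("  {0}: {1}" -f $_.Status, $_.StatusInformation.Trim()) }
    # certutil shows which individual CDP/AIA fetch failed
    certutil -verify -urlfetch (Join-Path $Work $SubCrt)
}
```

A chain failure here, with the Root CA certificate already in "Trusted Root Certification Authorities" via Group Policy (step 26), almost always means a CDP/AIA URL from steps 13, 14 or 38 is wrong or the copied files in step 43 are stale.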