Tag Archive: ADCS


Here are resources and comments about ADCS migration to 2012 R2:

https://windorks.wordpress.com/2014/08/12/migrating-a-microsoft-pki/

http://blog.datacenterfromhell.net/2014/12/migrating-two-tier-microsoft-pki-from.html

Can an old PKI hierarchy and a new one coexist in the same forest?

“Yes, you can have multiple root CAs and even multiple PKIs in a single Active Directory forest. Because of the way the objects representing those CAs are named and stored, you couldn’t possibly experience a conflict unless you tried to give more than one CA the same CA name.”

http://blogs.technet.com/b/askds/archive/2010/08/23/moving-your-organization-from-a-single-microsoft-ca-to-a-microsoft-recommended-pki.aspx

Why this matters: the use case here is keeping the old 2008 R2 AD CS SHA1 hierarchy running alongside the new SHA256 hierarchy on AD CS 2012 R2 while certificates are migrated.

Multiple PKI Hierarchies in the Same Environment:

http://www.postseek.com/meta/fe2eee95f5a00bd80ab13f9627e2813b
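
As an added example (not from the original post or from the linked articles), the following PowerShell snippet shows the two hierarchies side by side: it walks the AD CS containers in the forest Configuration partition, lists every CA object, and flags CA certificates that are still signed with SHA-1. It assumes a domain-joined host with the RSAT ActiveDirectory module and read access to the Configuration partition; the container names are the standard ones AD CS uses, and the CA names in the output are whatever your forest holds.

```powershell
# Added example, not code from the original post. Inventory every CA that
# AD CS has registered in this forest and flag SHA-1 signed CA certificates.
# Assumes: RSAT ActiveDirectory module, read access to the Configuration NC.
Import-Module ActiveDirectory

function Get-ForestCAInventory {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

    # "Enrollment Services" holds one pKIEnrollmentService object per enterprise
    # CA; "Certification Authorities" holds roots published with
    # certutil -dspublish. Both store the CA certificate in cACertificate and
    # both are keyed on the CA common name, which is why two hierarchies only
    # collide if a CA name is reused.
    $containers = @{
        'EnterpriseCA' = "CN=Enrollment Services,$pkiBase"
        'RootCA'       = "CN=Certification Authorities,$pkiBase"
    }
    foreach ($kind in $containers.Keys) {
        Get-ADObject -SearchBase $containers[$kind] -SearchScope OneLevel `
                     -Filter * -Properties cACertificate, dNSHostName |
        ForEach-Object {
            $obj = $_
            foreach ($raw in $obj.cACertificate) {
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                                   -ArgumentList (,[byte[]]$raw)
                $sigAlg = $cert.SignatureAlgorithm.FriendlyName
                [pscustomobject]@{
                    Kind       = $kind
                    CAName     = $obj.Name
                    Host       = $obj.dNSHostName
                    Subject    = $cert.Subject
                    SigAlg     = $sigAlg
                    KeyBits    = $(try { $cert.PublicKey.Key.KeySize } catch { $null })
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                    # SHA-1 signed CA certificates belong to the legacy hierarchy.
                    LegacySHA1 = [bool]($sigAlg -match 'sha1')
                }
            }
        }
    }
}

Get-ForestCAInventory | Sort-Object Kind, CAName | Format-Table -AutoSize
```

A SHA-1 self-signature on a root certificate is not what breaks clients, since Windows does not validate the signature on a trusted self-signed root; a SHA-1 signature on a subordinate CA certificate is, so the `LegacySHA1` column is most useful on the `EnterpriseCA` rows. Running this before and after the migration confirms that the old and new CA objects sit next to each other under their own names rather than overwriting one another.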


Step by Step AD CS 2012 R2 two-tier PKI build:

http://www.flexecom.com/deploying-enterprise-pki-on-windows-server-2012-r2/

CAPolicy.inf syntax: http://blogs.technet.com/b/askds/archive/2009/10/15/windows-server-2008-r2-capolicy-inf-syntax.aspx

http://blogs.technet.com/b/askds/archive/2009/09/01/designing-and-implementing-a-pki-part-i-design-and-planning.aspx

http://davidmtechblog.blogspot.fr/2015/02/pki-public-key-infrastructure-with.html

http://kazmierczak.eu/itblog/2012/08/22/the-dos-and-donts-of-pki-microsoft-adcs/


http://pleasework.robbievance.net/howto-install-a-2-tier-windows-2012-r2-ad-integrated-pki-infrastructure/


http://www.derekseaman.com/2014/01/windows-server-2012-r2-two-tier-pki-ca-pt-1.html

http://www.derekseaman.com/2014/01/windows-server-2012-r2-two-tier-pki-ca-pt-2.html

http://www.derekseaman.com/2014/01/windows-server-2012-r2-two-tier-pki-ca-pt-3.html


http://hanygeorge.com/blog/2-tier-pki-on-windows-server-2012step-by-step-guide/


Here is a list of other web resources about AD CS:

2013: Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy : http://technet.microsoft.com/en-us/library/hh831348.aspx

AD CS 2008 R2 Installation Getting Started Guide: http://technet.microsoft.com/en-us/library/cc753802(WS.10).aspx

Downloadable, printable job aids which include the most commonly used commands and procedures for administering Server Core installations are available at http://go.microsoft.com/fwlink/?LinkId=151984.

Steps for installing a server role on a Server Core installation of Windows Server 2008 R2:

Unlike Windows Server 2008, Server Core installations of Windows Server 2008 R2 use Dism.exe to install and uninstall most server roles. For more information about Dism.exe, see http://technet.microsoft.com/en-us/library/dd772580(WS.10).aspx.

Installing Windows Features on a server running a Server Core installation of Windows Server 2008 R2: http://technet.microsoft.com/en-us/library/ee441253(WS.10).aspx

Installing AD CS on a Server Core installation of Windows Server 2008 R2 with a PowerShell script: Setup Certification Authority with PowerShell

How to request and install a certificate on a server core: http://social.technet.microsoft.com/Forums/en-US/winservercore/thread/97d388e8-eb88-4744-b47a-938065849deb/

AD CS and PKI Step-by-Steps, Labs, Walkthroughs, HowTo, and Examples:

http://www.microsoft.com/download/en/details.aspx?id=22838

AD CS 2008 step by step: http://technet.microsoft.com/en-us/library/cc772393(WS.10).aspx

http://social.technet.microsoft.com/wiki/contents/articles/4797.aspx

AD PKI 2003 step by step: http://technet.microsoft.com/en-us/library/cc772670(WS.10).aspx

How to configure Certificate based authentication for OWA: http://msexchangeteam.com/archive/2008/10/07/449942.aspx

=> Example Step by Step: http://www.corelan.be/index.php/2008/07/14/windows-2008-pki-certificate-authority-ad-cs-basics/

Checklist: Configuring certificate Auto-Enrollment:

=> http://technet.microsoft.com/en-us/library/cc773385(WS.10).aspx

Checklist: Decommissioning a certification authority

=> http://technet.microsoft.com/en-us/library/cc786938(WS.10).aspx

Troubleshooting: http://technet.microsoft.com/en-us/library/cc758774(WS.10).aspx

ADCS Certificate Templates, how to, best practices and troubleshooting:

http://www.microsoft.com/download/en/details.aspx?id=7429

http://technet.microsoft.com/en-us/library/cc758496(WS.10).aspx

Certificate Services How To… http://technet.microsoft.com/en-us/library/cc737760(WS.10).aspx

French technet articles: http://technet.microsoft.com/fr-fr/library/cc770357(WS.10).aspx

Checklist: Creating a certification hierarchy with an offline root certification authority:

=> http://technet.microsoft.com/en-us/library/cc737834(WS.10).aspx (superseded by: http://social.technet.microsoft.com/wiki/contents/articles/2900.aspx )

ADCS and firewall ports: http://blogs.technet.com/b/pki/archive/2010/06/25/firewall-roles-for-active-directory-certificate-services.aspx

ADCS FAQ: http://social.technet.microsoft.com/wiki/contents/articles/1587.active-directory-certificate-services-ad-cs-public-key-infrastructure-pki-frequently-asked-questions-faq.aspx

ADCS: cleaning up the CA database

http://blogs.technet.com/b/askds/archive/2010/08/31/the-case-of-the-enormous-ca-database.aspx

ADCS: hotfix for the CA private key missing from system state backups:

http://support.microsoft.com/kb/2603469

AD CS – Permissions and delegation model:

http://technet.microsoft.com/en-us/library/cc732590.aspx

https://social.technet.microsoft.com/wiki/contents/articles/10942.ad-cs-security-guidance.aspx

AD CS add-on to install: PKI SMTP exit module

http://social.technet.microsoft.com/wiki/contents/articles/active-directory-certificate-services-smtp-exit-module-for-windows-server-2008-r2-example.aspx

ADCS NDES/SCEP:  http://www.microsoft.com/download/en/details.aspx?id=1607

http://www.windowsitpro.com/article/security/setting-up-network-device-enrollment-service-

ADCS CEP/CES: http://www.microsoft.com/download/en/details.aspx?id=1746

http://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx

http://channel9.msdn.com/Events/TechEd/NorthAmerica/2011/SIM329

AD CS Online Responder Services (OCSP) in a Network: http://www.microsoft.com/download/en/details.aspx?id=17877

http://technet.microsoft.com/en-us/library/cc753468(WS.10).aspx

http://blogs.technet.com/b/askds/archive/2009/06/24/implementing-an-ocsp-responder-part-i-introducing-ocsp.aspx

AD CS Online Responder Services (OCSP) in high availability mode with NLB:

http://blogs.technet.com/b/askds/archive/2009/08/20/implementing-an-ocsp-responder-part-v-high-availability.aspx


ADCS deploying cross-forest certificate enrollment:

http://www.microsoft.com/download/en/details.aspx?id=17877

http://technet.microsoft.com/en-us/library/ff955845(WS.10).aspx

ADCS operations tasks: http://technet.microsoft.com/en-us/library/cc771702(WS.10).aspx

ADCS and Powershell: http://blog.powershell.no/2011/01/09/working-with-active-directory-certificate-services-from-windows-powershell/

Codeplex: PKI Powershell module: http://pspki.codeplex.com/



Certificate Services Concepts: http://technet.microsoft.com/en-us/library/cc778992(WS.10).aspx

Certificate Services Best practices: http://technet.microsoft.com/en-us/library/cc738786(WS.10).aspx

This step-by-step guide explains how to install and configure a public key infrastructure based on:

  • Windows 2008 R2 Server core – offline Root CA
  • Windows 2008 R2 domain controller
  • Windows 2008 R2 enterprise edition – Subordinate Enterprise CA server

Offline Root CA – OS installation phase

  1. Boot the server from the Windows 2008 R2 installation DVD.
  2. Specify the product ID -> click Next.
  3. From the installation options, choose “Windows Server 2008 R2 (Server Core Installation)” -> click Next.
  4. Accept the license agreement -> click Next.
  5. Choose the “Custom (Advanced)” installation type -> specify the hard drive to install the operating system on -> click Next.
  6. Allow the installation phase to continue and restart the server automatically.
  7. To log in to the server for the first time, press CTRL+ALT+DELETE.
  8. Choose the “Administrator” account -> click OK to replace the account password -> specify a complex password and confirm it -> press Enter -> press OK.
  9. From the command prompt window, run the command below:
    sconfig.cmd
  10. Press “2” to replace the computer name -> specify the new computer name -> click “Yes” to restart the server.
  11. To log in to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
  12. From the command prompt window, run the command below:
    sconfig.cmd
  13. Press “5” to configure “Windows Update Settings” -> select “A” for automatic -> click OK.
  14. Press “6” to download and install Windows Updates -> choose “A” to search for all updates -> choose “A” to download and install all updates -> click “Yes” to restart the server.
    Note: once the Root CA is taken off the network at the end of the build, automatic updates no longer reach it; patch it by hand each time it is powered on to publish a new CRL.
  15. To log in to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
  16. From the command prompt window, run the command below:
    sconfig.cmd
  17. In case you need RDP to access and manage the server, press “7” to enable “Remote Desktop” -> choose “E” to enable -> choose either “1” or “2” according to your client settings -> press OK.
  18. Press “8” to configure “Network settings” -> select the network adapter by its index number -> press “1” to configure the IP settings -> choose “S” for a static IP address -> specify the IP address, subnet mask and default gateway -> press “2” to configure the DNS servers -> click OK -> press “4” to return to the main menu.
  19. Press “9” to configure “Date and Time” -> choose the correct date/time and time zone -> click OK.
  20. Press “11” to restart the server so that all settings take effect -> click “Yes” to restart the server.

Offline Root CA – Certificate Authority server installation phase

  1. To log in to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
  2. Install Certificate Services:
    start /w ocsetup.exe CertificateServices /norestart /quiet
  3. To check that the installation completed, run the command:
    oclist | find /i "CertificateServices"
  4. Download the file “setupca.vbs” from:
    http://blogs.technet.com/b/pki/archive/2009/09/18/automated-ca-installs-using-vb-script-on-windows-server-2008-and-2008r2.aspx
    to:
    C:\Windows\system32
  5. Run the command below to configure the Root CA (4096-bit RSA key in the Microsoft Software Key Storage Provider, SHA256 signatures):
    cscript /nologo C:\Windows\System32\setupca.vbs /is /sn <ca_server_name> /sk 4096 /sp "RSA#Microsoft Software Key Storage Provider" /sa SHA256
  6. To verify that the installation completed successfully, open the file “_SetupCA.log” in the current working directory with Notepad and make sure the last line is:
    Install complete! Passed
  7. Run the command below to enable remote management of the Root CA:
    netsh advfirewall firewall set rule group="Remote Service Management" new enable=yes
  8. Run the command below to stop the CertSvc service:
    net stop CertSvc
  9. Run the command below to change the validity period of the certificates the Root CA issues:
    reg add HKLM\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\<ca_common_name> /v ValidityPeriodUnits /t REG_DWORD /d 5 /f
    Note: the command above must be written on one line. The key under Configuration is named after the CA common name given with /sn in step 5, which this guide sets to the server name. With the default ValidityPeriod of Years this caps what the Root CA issues, i.e. the subordinate CA certificate, at 5 years; the equivalent is certutil -setreg ca\ValidityPeriodUnits 5.
  10. Run the command below to start the CertSvc service:
    net start CertSvc

Enterprise Subordinate CA – OS installation phase

Prerequisites:

  • Active Directory (forest functional level: Windows 2008 R2)
  • An “A” record for the Root CA in the Active Directory DNS.
  1. Boot the server from the Windows 2008 R2 Enterprise Edition installation DVD.
  2. Specify the product ID -> click Next.
  3. From the installation options, choose “Windows Server 2008 R2 Enterprise Edition (Full Installation)” -> click Next.
  4. Accept the license agreement -> click Next.
  5. Choose the “Custom (Advanced)” installation type -> specify the hard drive to install the operating system on -> click Next.
  6. Allow the installation phase to continue and restart the server automatically.
  7. To log in to the server for the first time, press CTRL+ALT+DELETE.
  8. Choose the “Administrator” account -> click OK to replace the account password -> specify a complex password and confirm it -> press Enter -> press OK.
  9. From the “Initial Configuration Tasks” window, configure the following settings:

    • Set time zone
    • Configure networking – specify static IP address, netmask, gateway, DNS
    • Provide computer name and domain – add the server to the domain
    • Enable Remote Desktop
  10. To be able to manage the Root CA remotely, run the command below:
    cmdkey /add:<RootCA_Hostname> /user:Administrator /pass:<RootCA_Admin_Password>
    Note: this caches the Root CA’s local Administrator password on the online subordinate CA for as long as the entry exists (check with cmdkey /list). Remove it with cmdkey /delete:<RootCA_Hostname> once the subordinate CA certificate has been issued and the Root CA has been taken off the network; a root that stays reachable over RDP and remote management from the online CA is not an offline root.

Enterprise Subordinate CA – Certificate Authority server installation phase

Prerequisites:

  • A DNS CNAME record named “wwwca” pointing at the Enterprise Subordinate CA. This name is written into the CDP and AIA URLs of every certificate issued below, so it must stay valid for the life of the hierarchy.
  1. To log in to the server, press CTRL+ALT+DELETE -> specify the credentials of an account that is a member of “Schema Admins”, “Enterprise Admins” and “Domain Admins”.
  2. Start -> Administrative Tools -> Server Manager.
  3. From the left pane, right click on Roles -> Add Roles -> Next -> select “Web Server (IIS)” -> click Next twice -> select the following role services:

    • Web Server
    • Common HTTP Features
    • Static Content
    • Default Document
    • Directory Browsing
    • HTTP Errors
    • HTTP Redirection
    • Application Development
    • .NET Extensibility
    • ASP
    • ISAPI Extensions
    • Health and Diagnostics
    • HTTP Logging
    • Logging Tools
    • Tracing
    • Request Monitor
    • Security
    • Windows Authentication
    • Client Certificate Mapping Authentication
    • IIS Client Certificate Mapping Authentication
    • Request Filtering
    • Performance
    • Static Content Compression
    • Management Tools
    • IIS Management Console
    • IIS Management Scripts and Tools
    • IIS 6 Management Compatibility
    • IIS 6 Metabase Compatibility
  4. Click Next -> click Install -> click Close.
  5. From the left pane, right click on Features -> Add Features -> Next
    -> expand “Windows Process Activation Service” -> select “.NET
    Environment” and “Configuration APIs” -> select the feature “.NET Framework
    3.5.1 Features” -> click Next -> click Install -> click Close.
  6. From the left pane, right click on Roles -> Add Roles -> Next -> select “Active Directory Certificate Services” -> click Next twice -> select the following role services:

    • Certification Authority
    • Certification Authority Web Enrollment
    • Certificate Enrollment Policy Web Service
  7. Click Next.
  8. Configure the following settings:
    • Specify Setup Type: Enterprise
    • CA Type: Subordinate CA
    • Private Key: Create a new private key
    • Cryptography:
      Cryptographic service provider (CSP): RSA#Microsoft Software Key Storage Provider
      Key length: 2048
      Hash algorithm: SHA256
    • CA Name:
      Common name: the subordinate server NetBIOS name
      Distinguished name suffix: leave the default domain settings
    • Certificate Request: Save a certificate request to file and manually send it later
    • Certificate Database: leave the default settings
    • Authentication Type: Windows Integrated Authentication
    • Server Authentication Certificate: Choose and assign a certificate for SSL later
  9. Click Next twice -> click Install -> click Close.
  10. Close the Server Manager.
  11. Start -> Administrative Tools -> Certification Authority.
  12. From the left pane, right click on “Certification Authority (Local)” -> “Retarget Certification Authority” -> choose “Another computer” -> specify the RootCA hostname -> click Finish.
  13. Right click on the RootCA server name -> Properties -> Extensions tab -> extension type: CRL Distribution Point (CDP):

    • Uncheck “Publish Delta CRLs to this location”.
    • Mark the line that begins with “LDAP”, and click Remove.
    • Mark the line that begins with “HTTP”, and click Remove.
    • Mark the line that begins with “file”, and click Remove.
    • Click on Add -> as the location, put:
      http://wwwca/CertEnroll/<RootCA_Server_Name>.crl
    • Click on the line that begins with “HTTP”, and make sure the only option checked is “Include in the CDP extension of issued certificates”.
    • Click on the line that begins with “C:\Windows”, and make sure the only option checked is “Publish CRLs to this location”.
  14. Extensions tab -> extension type: Authority Information Access (AIA):
    • Mark the line that begins with “LDAP”, and click Remove.
    • Mark the line that begins with “HTTP”, and click Remove.
    • Mark the line that begins with “file”, and click Remove.
    • Click on Add -> as the location, put:
      http://wwwca/CertEnroll/<RootCA_Server_Name>.crt
    • Click on the line that begins with “HTTP”, and make sure “Include in the AIA extension of issued certificates” is checked; otherwise the URL is stored but never written into the subordinate CA certificate.
  15. Click OK and allow the CA server to restart its services.
  16. From the “Certification Authority” left pane, right click on “Revoked Certificates” -> Properties:

    • CRL publication interval: 180 days
    • Make sure “Publish Delta CRLs” is not checked
    • Click OK
  17. Right click on the CA name -> All tasks -> Stop service
  18. Right click on the CA name -> All tasks -> Start service
  19. Run the commands below from a command line on the Root CA, or add -config <RootCA_Hostname>\<RootCA_CA_Name> to each of them, to let the Offline Root CA publish into Active Directory. Without -config, certutil -setreg acts on the local CA, which at this point is the subordinate:
    certutil.exe -setreg ca\DSConfigDN "CN=Configuration,DC=mycompany,DC=com"
    certutil.exe -setreg ca\DSDomainDN "DC=mycompany,DC=com"
    Note: replace DC=mycompany,DC=com according to your domain name.
  20. From the “Certification Authority” left pane, right click on “Revoked Certificates” -> All Tasks -> Publish -> click OK.
  21. Close the “Certification Authority” snap-in and log off the subordinate CA server.
  22. Log in to a domain controller in the forest root domain with an account that is a member of Domain Admins and Enterprise Admins.
  23. Copy the file below from the Offline Root CA server to a temporary folder on the domain controller:
    C:\Windows\System32\CertSrv\CertEnroll\*.crt
  24. Start -> Administrative Tools -> Group Policy Management.
  25. From the left pane, expand the forest name -> expand Domains -> expand
    the relevant domain name -> right click on “Default domain policy” ->
    Edit.
  26. From the left pane, under “Computer Configuration” -> expand Policies
    -> expand “Windows Settings” -> expand “Security Settings” -> expand
    “Public Key Policies” -> right click on “Trusted Root Certification
    Authorities” -> Import -> click Next -> click Browse to locate the CRT
    file from the Root CA -> click Open -> click Next twice -> click Finish
    -> click OK.
  27. Log off the domain controller.
  28. Return to the subordinate enterprise CA server.
  29. Start -> Administrative Tools -> Certification Authority.
  30. From the left pane, right click on “Certification Authority (Local)” ->
    “Retarget Certification Authority” -> choose “Another computer” -> specify
    the RootCA hostname -> click Finish.
  31. Right click on the RootCA server name -> All Tasks -> Submit new
    request -> locate the subordinate CA request file (.req) -> Open.
  32. Expand the RootCA server name -> right click on “Pending Requests” ->
    locate the subordinate CA request ID according to the date -> right click on
    the request -> All Tasks -> Issue.
  33. From the left pane, click on “Issued Certificates” -> locate the
    subordinate CA request ID -> right click on the request -> All Tasks ->
    “Export Binary Data” -> choose “Binary Certificate” -> click “Save binary
    data to a file” -> click OK -> specify location and the file name –
    <subordinate_ca_server_name_signed_certificate>.p7b
    -> click Save.
  34. Run the command below from a command line to avoid offline CRL errors when the subordinate CA service starts before the Root CA CRL is reachable over HTTP:
    certutil.exe -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
    Note: without -config this applies to the local CA, i.e. the subordinate. The flag makes the CA ignore revocation failures on its own certificate chain, so treat it as a build-time workaround and clear it (certutil.exe -setreg ca\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE) once the Root CA CRL is published under http://wwwca/CertEnroll/.
  35. From the left pane, right click on “Certificate Authority” -> “Retarget
    Certification Authority” -> choose “Local computer” -> click Finish.
  36. Right click on the subordinate CA server name -> All Tasks -> “Install
    CA Certificate” -> locate the file <Subordinate_CA_Server_Name_Signed_Certificate>.p7b
    -> click Open.
  37. Right click on the subordinate CA server name -> All Tasks -> Start
    Service.
  38. Right click on the subordinate CA server name -> Properties -> Extensions tab -> extension type: CRL Distribution Point (CDP):

    • Mark the line that begins with “HTTP” -> click Remove -> click Yes.
    • Mark the line that begins with “file” -> click Remove -> click Yes.
    • Click on Add -> as the location, put:
      http://wwwca/CertEnroll/<subordinate_CA_Server_Name>.crl
    • Click on the line that begins with “HTTP”, and make sure the following options are checked: “Include in CRLs” and “Include in the CDP extension of issued certificates”.
  39. Extensions tab -> extension type: Authority Information Access (AIA):
  40. Click OK and allow the CA server to restart its services.
  41. From the “Certification Authority” left pane, right click on “Revoked Certificates” -> All Tasks -> Publish -> click OK.
  42. Close the “Certification Authority” snap-in.
  43. Copy the files below from the Root CA to the subordinate CA (same location), so that the web server behind http://wwwca/CertEnroll/ serves the Root CA certificate and CRL referenced by the AIA and CDP extensions:
    C:\Windows\System32\CertSrv\CertEnroll\*.crl
    C:\Windows\System32\CertSrv\CertEnroll\*.crt
  44. Log off the subordinate CA server.
  45. Log in to a domain controller in the forest root domain with an account that is a member of Domain Admins and Enterprise Admins.
  46. Copy the file below from the subordinate CA server to a temporary folder on the domain controller (copy the newest file):
    C:\Windows\System32\CertSrv\CertEnroll\*.crt
  47. Start -> Administrative Tools -> Group Policy Management.
  48. From the left pane, expand the forest name -> expand Domains -> expand
    the relevant domain name -> right click on “Default domain policy” ->
    Edit.
  49. From the left pane, under “Computer Configuration” -> expand Policies
    -> expand “Windows Settings” -> expand “Security Settings” -> expand
    “Public Key Policies” -> right click on “Intermediate Certification
    Authorities” -> Import -> click Next -> click Browse to locate the CRT
    file from the subordinate CA server -> click Open -> click Next twice
    -> click Finish -> click OK.
  50. Log off the domain controller.
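
The same two-tier build, as an added example that is not part of the original guide: on Windows Server 2012 R2 the ADCS deployment cmdlets replace ocsetup, setupca.vbs, the registry edit and the Default Domain Policy import, and the sneakernet hand-off of the request file replaces the cached root credential from the OS installation phase. Every name is an assumption: the root host ROOTCA (workgroup, off the network once built), the domain-joined issuing CA ISSCA01 in mycompany.com, and the alias pki.mycompany.com for the HTTP CDP/AIA, which must outlive both servers because it is written into every certificate they issue. It also assumes IIS on ISSCA01 serves the CA's CertEnroll folder as the CertEnroll virtual directory, which the CA role sets up when IIS is already present.

```powershell
# Added example, not code from the original post. Assumed names: ROOTCA,
# ISSCA01, mycompany.com, pki.mycompany.com (see the lead-in above).
$HttpBase   = 'http://pki.mycompany.com/CertEnroll'
$RootCAName = 'MyCompany Root CA'
$SubCAName  = 'MyCompany Issuing CA 01'
$DnSuffix   = 'O=MyCompany,C=US'
$LocalCrl   = '%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl'
$LocalCrt   = '%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt'

# Phase 1, on ROOTCA: standalone root, SHA-256, 4096-bit key, HTTP-only CDP/AIA
# so the root never needs AD. Flag 1 = publish to this location, 2 = include
# the URL in issued certificates (the same checkboxes as in the GUI steps).
function Install-OfflineRootCA {
    Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools | Out-Null
    Install-AdcsCertificationAuthority -CAType StandaloneRootCA -Force `
        -CACommonName $RootCAName -CADistinguishedNameSuffix $DnSuffix `
        -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
        -KeyLength 4096 -HashAlgorithmName SHA256 `
        -ValidityPeriod Years -ValidityPeriodUnits 20
    certutil -setreg CA\CRLPublicationURLs "1:$LocalCrl\n2:$HttpBase/%3%8%9.crl"
    certutil -setreg CA\CACertPublicationURLs "1:$LocalCrt\n2:$HttpBase/%1_%3%4.crt"
    certutil -setreg CA\ValidityPeriod 'Years'   # lifetime of what the root issues
    certutil -setreg CA\ValidityPeriodUnits 10   # (the subordinate CA certificate)
    certutil -setreg CA\CRLPeriod 'Weeks'        # root CRL valid 26 weeks, so the
    certutil -setreg CA\CRLPeriodUnits 26        # root is booted twice a year
    certutil -setreg CA\CRLDeltaPeriodUnits 0    # no delta CRL on an offline CA
    certutil -setreg CA\AuditFilter 127          # audit every CA management event
    Restart-Service certsvc
    certutil -crl                                # first CRL, lands in CertEnroll
}

# Phase 2, on ISSCA01 as Enterprise Admin: create the key and the request; the
# service stays stopped until the signed certificate comes back from ROOTCA.
function New-IssuingCARequest {
    Install-WindowsFeature ADCS-Cert-Authority, Web-Server -IncludeManagementTools | Out-Null
    New-Item -ItemType Directory -Path C:\pki -Force | Out-Null
    Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA -Force `
        -CACommonName $SubCAName -CADistinguishedNameSuffix $DnSuffix `
        -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
        -KeyLength 4096 -HashAlgorithmName SHA256 `
        -OutputCertRequestFile C:\pki\ISSCA01.req
}

# Phase 3, on ROOTCA: the request arrives on removable media, never over the
# network and never with a root admin credential cached on the online CA.
function Approve-IssuingCARequest {
    param([string]$Dir = 'C:\pki')
    $config = "$env:COMPUTERNAME\$RootCAName"
    $out = certreq -submit -config $config "$Dir\ISSCA01.req" "$Dir\ISSCA01.cer"
    # A standalone CA holds the request as pending; approve it by RequestId.
    $id = [regex]::Match(($out -join "`n"), 'RequestId:\s+(\d+)').Groups[1].Value
    certutil -config $config -resubmit $id | Out-Null
    certreq -retrieve -config $config $id "$Dir\ISSCA01.cer"
    # The root certificate and CRL travel back with it for the web directory and AD.
    Copy-Item "$env:windir\system32\CertSrv\CertEnroll\*" $Dir
}

# Phase 4, on ISSCA01 as Enterprise Admin: trust the root forest-wide, host the
# root CRL under the CDP URL, install the issued certificate and start issuing.
function Complete-IssuingCA {
    param([string]$Dir = 'C:\pki')
    $rootCrt = Get-ChildItem "$Dir\*.crt" | Select-Object -First 1
    # -dspublish RootCA writes the root into the AD CS containers and the
    # forest-wide trusted root store; members pick it up without a GPO edit,
    # and the object is keyed on the CA name so it sits beside any older root.
    certutil -dspublish -f $rootCrt.FullName RootCA
    certutil -addstore -f Root $rootCrt.FullName         # trust it locally now
    Copy-Item "$Dir\*.crl", $rootCrt.FullName "$env:windir\system32\CertSrv\CertEnroll" -Force
    certutil -installcert "$Dir\ISSCA01.cer"
    # Online CA: HTTP plus LDAP (11 = publish + CDP + IDP, 3 = publish + AIA).
    certutil -setreg CA\CRLPublicationURLs ("1:$LocalCrl\n2:$HttpBase/%3%8%9.crl\n" +
        '11:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10')
    certutil -setreg CA\CACertPublicationURLs ("1:$LocalCrt\n2:$HttpBase/%1_%3%4.crt\n" +
        '3:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11')
    certutil -setreg CA\CRLPeriod 'Weeks'; certutil -setreg CA\CRLPeriodUnits 1
    certutil -setreg CA\AuditFilter 127
    # certsvc refuses to start while the root CRL is unreachable at $HttpBase;
    # fix the URL or the copy rather than setting CRLF_REVCHECK_IGNORE_OFFLINE.
    Start-Service certsvc
    certutil -crl
    certutil -verify -urlfetch "$Dir\ISSCA01.cer"        # chain + CDP/AIA fetch check
}
```

Run the four functions in order on the machines named in their comments. The final certutil -verify -urlfetch is the check the GUI procedure lacks: it fetches every CDP and AIA URL embedded in the issuing CA certificate and fails loudly if pki.mycompany.com does not serve the root CRL and certificate. AuditFilter 127 only produces events once the “Audit Certification Services” subcategory (Object Access) is enabled in audit policy on each CA, which is worth doing before the first certificate is issued rather than after the first incident.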

To manage the Active Directory side of ADCS with PowerShell, install the Quest ActiveRoles Management Shell for Active Directory (download here); it adds a large set of PowerShell cmdlets. To find them, issue the command “Get-Command *QAD*” or have a look at the reference information. Just download and install the snap-in. To see the registered snap-ins issue the command “Get-PSSnapIn -Registered”. To load the snap-in issue the command “Add-PSSnapIn Quest.ActiveRoles.ADManagement”. The following cmdlets are available:


In addition, after you install the Public Key Infrastructure PowerShell module available on Codeplex (download here), you get many additional PowerShell cmdlets to manage Microsoft certification authorities. Just download and install the module. To see the available modules issue the command “Get-Module -ListAvailable”. To import the module issue the command “Import-Module PKI”. The following PowerShell cmdlets are available: