In my post Active Directory Certificate Services [Part 1], I explained the information you need before running a PKI installation. In this post I show how to install and configure a two-tier Microsoft PKI: a standalone root CA, an enterprise subordinate CA, and a separate IIS server that publishes the CRLs and CA certificates.

In my lab I prepared three servers with these specifications:

CAROOT (standalone root CA):
1024 MB RAM
1 system disk C:\

SUBCA (enterprise subordinate CA):
1024 MB RAM
1 system disk C:\

IISCA (web server for CRL and AIA publishing):
1024 MB RAM
1 system disk C:\
1 data disk D:\ (for the CRL and CA certificate files)

I also have a DC server; the FQDN of my domain is “rod.local” and the operating system is Microsoft Windows Server 2016.

Before installing CAROOT, I start with the installation and configuration of the IIS web server, because the CDP and AIA URLs written into every certificate point at it.

IISCA installation and settings

Create a directory named “PKI” on drive D:\

New-Item -Path D:\PKI -ItemType Directory -Force

Edit the security properties of D:\PKI and disable inheritance.

Add the ACL entries on the folder D:\PKI: SYSTEM and Administrators with full control, the “Cert Publishers” Active Directory group with modify rights (the subordinate CA's computer account becomes a member of this group when the enterprise CA is installed, and it writes its CRLs here over the network), and read access for the IIS anonymous identity (IUSR) so the files can be served. Share the folder as pki$ and restrict share access to the “Cert Publishers” group with change rights. Nothing else should be able to write to this folder: whatever lands here is served to every client as trusted revocation data.

Install the Web Server (IIS) role with the required components. Serving .crl and .crt files only needs static content; leave out ASP.NET, WebDAV and the other modules to keep the attack surface of this server small.

IIS web server settings:

Add a virtual directory named “pki” under the Default Web Site, pointing to D:\PKI (the alias must match the path in the http://crl.rod.local/pki/ URLs used later):

Enable directory browsing on the pki virtual directory (optional: the certificate and CRL files are public anyway, and a listing makes it easy to check what has been published):

In a Windows command prompt, from the path “C:\Windows\System32\inetsrv\”, execute:
appcmd set config "Default Web Site/pki" /section:directoryBrowse /enabled:true

Enable “Allow double escaping”. Delta CRL file names contain a “+” (for example CAINTER+.crl), and IIS request filtering rejects the double-escaped form of that name unless this setting is on:

In a Windows command prompt, from the path “C:\Windows\System32\inetsrv\”, execute:
appcmd set config "Default Web Site" /section:system.webServer/security/requestFiltering -allowDoubleEscaping:True

Reset IIS

In a Windows command prompt, execute:
iisreset

Create a DNS alias

In the DNS server console, add an alias (CNAME) “crl.rod.local” pointing to “iisca.rod.local”. Every certificate issued by this hierarchy carries this name in its CDP and AIA URLs, so it must resolve for every client that validates those certificates, and changing it later means reissuing certificates; the alias lets you replace the web server without touching them.
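The whole IISCA preparation as one script, added here as an example (it is not code from the original post). It assumes things the post does not state: the domain's NetBIOS name is ROD, the DNS zone is hosted on a domain controller named “dc”, and the virtual directory alias is “pki” (taken from the http://crl.rod.local/pki/ URLs). It runs in an elevated PowerShell on IISCA; the DNS step needs the DnsServer RSAT module.

```powershell
# Added example (not code from the original post): prepares IISCA end to end.
# Assumed names (not in the post): NetBIOS domain ROD, DNS hosted on a DC called "dc",
# virtual directory alias "pki" (from the http://crl.rod.local/pki/ URLs).
# Run in an elevated PowerShell on IISCA; step 5 needs the DnsServer RSAT module.

$PkiPath   = 'D:\PKI'
$ShareName = 'pki$'
$Publisher = 'ROD\Cert Publishers'   # every enterprise CA's computer account is a member

# 1. Web server role: static content is all that is needed to serve .crl/.crt files.
#    Installing it first also creates the IIS_IUSRS group referenced in the ACL below.
Install-WindowsFeature Web-Server, Web-Static-Content -IncludeManagementTools | Out-Null

# 2. Folder with inheritance disabled and an explicit ACL: only admins, SYSTEM and the
#    CAs can write; the IIS identities can only read. Anything writable here ends up
#    served as revocation data, so keep the set of writers minimal.
New-Item -Path $PkiPath -ItemType Directory -Force | Out-Null
$acl = Get-Acl -Path $PkiPath
$acl.SetAccessRuleProtection($true, $false)    # disable inheritance, drop inherited ACEs
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
$entries = @(
    @('NT AUTHORITY\SYSTEM',    'FullControl'),
    @('BUILTIN\Administrators', 'FullControl'),
    @($Publisher,               'Modify'),
    @('NT AUTHORITY\IUSR',      'ReadAndExecute'),   # anonymous authentication identity
    @('BUILTIN\IIS_IUSRS',      'ReadAndExecute')    # application pool identities
)
foreach ($e in $entries) {
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $e[0], $e[1], $inherit, 'None', 'Allow'))
}
Set-Acl -Path $PkiPath -AclObject $acl

# 3. Share for the subordinate CA's UNC publishing (\\iisca\pki$). Only the listed
#    principals get share access; the NTFS ACL above remains the effective limit.
New-SmbShare -Name $ShareName -Path $PkiPath -ChangeAccess $Publisher `
    -FullAccess 'BUILTIN\Administrators' | Out-Null

# 4. Virtual directory, directory browsing on that directory only, and double escaping
#    on the site (delta CRLs are named <CA>+.crl; request filtering blocks the
#    double-escaped '+' otherwise).
Import-Module WebAdministration
New-WebVirtualDirectory -Site 'Default Web Site' -Name 'pki' -PhysicalPath $PkiPath | Out-Null
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\pki' `
    -Filter '/system.webServer/directoryBrowse' -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site' `
    -Filter '/system.webServer/security/requestFiltering' -Name 'allowDoubleEscaping' -Value $true
iisreset | Out-Null

# 5. Stable name for the CDP/AIA URLs, so the web server can be replaced later
#    without reissuing certificates. "dc" is an assumed DC name.
Add-DnsServerResourceRecordCName -ComputerName 'dc' -ZoneName 'rod.local' `
    -Name 'crl' -HostNameAlias 'iisca.rod.local'

# Check: the alias resolves and the directory listing answers with HTTP 200.
Resolve-DnsName -Name 'crl.rod.local' -Type CNAME | Out-Null
(Invoke-WebRequest -Uri 'http://crl.rod.local/pki/' -UseBasicParsing).StatusCode
```

The script grants read to both IUSR and IIS_IUSRS because which identity IIS uses for anonymous requests depends on the site's anonymous-authentication setting; granting both costs nothing and avoids a 401 on the CDP URL once inheritance is gone.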

CAROOT installation and settings

Add roles and features:
Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools

Configure the CA. It is a standalone root that is not domain-joined; keep it powered off except when it has to sign a subordinate CA certificate or a new CRL. The key lives in the software KSP here; for anything beyond a lab, put the root key in an HSM or at least on a machine nobody else can log on to:
Install-AdcsCertificationAuthority -CAType StandaloneRootCA -CACommonName "CAROOT" -CADistinguishedNameSuffix "O=ROD,L=EMEA,C=FR" -KeyLength 4096 -ValidityPeriod Years -ValidityPeriodUnits 20 -HashAlgorithmName SHA256 -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -OverwriteExistingKey

Set the CDP. Remove the defaults (the LDAP and local CertEnroll entries are useless for an offline root), publish the CRL locally to C:\PKI, and put only the HTTP URL into the certificates the root issues (%3 is the CA name, %8 the CRL name suffix):
Get-CACrlDistributionPoint | % {Remove-CACrlDistributionPoint $_.uri -Force}
New-Item -Path C:\PKI -ItemType Directory -Force
Add-CACRLDistributionPoint -Uri C:\PKI\%3%8.crl -PublishToServer -Force
Add-CACRLDistributionPoint -Uri http://crl.rod.local/pki/%3%8.crl -AddToCertificateCDP -Force

Set the AIA. The root certificate itself never carries an AIA, but this list decides which AIA URLs go into the certificates the root issues, i.e. the subordinate CA certificate. With every entry removed, the subordinate CA certificate carries no AIA at all. That works here because the root certificate is published to Active Directory later (certutil -dspublish) and domain members get it from there; clients outside the domain must have the root installed some other way.
Get-CAAuthorityInformationAccess | % {Remove-CAAuthorityInformationAccess $_.uri -Force}

Set the CRL validity period and the lifetime of the certificates issued by the root (the subordinate CA certificate). Note what a 20-year CRL means: a client that has cached it will not fetch a new one until it expires, so revoking the subordinate CA would go unnoticed by that client for the remaining lifetime of the cached CRL. If you want revocation of the subordinate to be effective, pick a period you can actually renew (a year is common) and plan the root CRL re-signing as an operational task.
certutil -setreg CA\CRLPeriod Years
certutil -setreg CA\CRLPeriodUnits 20
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"

Set the DN of the Active Directory configuration partition (the root is not domain-joined, so it cannot discover it on its own), restart the service and generate the first CRL:
certutil -setreg "CA\DSConfigDN" "CN=Configuration,DC=rod,DC=local"
Restart-Service certsvc
Start-Sleep 30
certutil -crl

Copy the CA certificate to C:\PKI. The CRL is already there (written by the CDP entry above). The certificate is created at installation time in CertEnroll as <hostname>_CAROOT.crt and is renamed to CAROOT.crt, the name used in the rest of the procedure:
Copy-Item C:\Windows\System32\CertSrv\CertEnroll\*_CAROOT.crt C:\PKI\CAROOT.crt
  • Copy CAROOT.crt and CAROOT.crl to the IISCA server, into D:\PKI
  • Copy CAROOT.crt and CAROOT.crl to the SUBCA server, into a temporary directory

SUBCA installation and settings:

Open a session with Enterprise Admin privileges on the SUBCA server (publishing into the configuration partition and installing an enterprise CA both require it).

Publish the root certificate to Active Directory and add the root certificate and CRL to the local machine store. The -dspublish command is what makes the root trusted by every domain member through the configuration partition; the two -addstore commands only let this server validate the chain immediately, without waiting for Group Policy:

In a Windows command prompt, from the directory where you copied the certificate and CRL files, execute:

certutil -dspublish -f CAROOT.crt RootCA
certutil -addstore -f root CAROOT.crt
certutil -addstore -f root CAROOT.crl

Install the role:
Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools

Configure the subordinate CA. This step only generates the key pair and a certificate request; the CA service cannot start until the root has signed it:
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA -CACommonName "CAINTER" -CADistinguishedNameSuffix "O=ROD,L=EMEA,C=FR" -KeyLength 2048 -HashAlgorithmName SHA256 -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -OutputCertRequestFile "c:\temp\RequestPKI.req"

Copy the request file to the root CA and approve the request:

After copying the request file to the CAROOT server, submit it from a command line. A standalone root puts every request into the pending state, so note the RequestId it prints:

certreq -submit c:\temp\RequestPKI.req

Open the Certification Authority MMC, find the pending request and issue it. Check the subject and the key length before issuing: this is the only moment the root signs anything for years, and a mistake here is a new subordinate CA certificate later.

Export the issued certificate to a file (certreq -retrieve with the RequestId does the same from the command line) and copy it to SUBCA as c:\temp\SUBCA.crt

On the SUBCA server, install the certificate and start the CA service (installcert fails if the root certificate is not trusted, which is why it was added to the local root store first):
certutil -installcert c:\temp\SUBCA.crt
Start-Service certsvc

SUBCA settings:

Set the CDP and AIA. The base and delta CRLs are published over the pki$ share (the SUBCA computer account is a member of “Cert Publishers”, which has modify rights there), and only the HTTP URLs go into issued certificates. Two things to watch: if publishing fails with “access denied”, reboot SUBCA, because the computer account joined Cert Publishers during the CA installation and its Kerberos ticket does not contain the group until it logs on again; and the AIA entry only writes a URL into issued certificates, nothing copies the subordinate CA certificate to the share, so copy it there yourself as CAINTER.crt (the name the %3%4 tokens produce for the first CA certificate), otherwise chain building fails on clients that do not already have the intermediate.
Get-CACrlDistributionPoint | % {Remove-CACrlDistributionPoint $_.uri -Force}
Add-CACRLDistributionPoint -Uri \\iisca\pki$\%3%8.crl -PublishToServer -Force
Add-CACRLDistributionPoint -Uri \\iisca\pki$\%3%8%9.crl -PublishDeltaToServer -Force
Add-CACRLDistributionPoint -Uri http://crl.rod.local/pki/%3%8.crl -AddToCertificateCDP -Force
Add-CACRLDistributionPoint -Uri http://crl.rod.local/pki/%3%8%9.crl -AddToCertificateCDP -Force
Get-CAAuthorityInformationAccess | % {Remove-CAAuthorityInformationAccess $_.uri -Force}
Add-CAAuthorityInformationAccess -AddToCertificateAia http://crl.rod.local/pki/%3%4.crt -Force

Set the CRL periods and publish the CRL to the IISCA server: a base CRL every 2 weeks, a delta CRL every day, and 12 hours of overlap so the new CRL is out before the old one expires. Certificates issued by this CA are capped at 5 years; templates can only shorten that, never extend it.
certutil -setreg CA\CRLPeriodUnits 2
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"
certutil -setreg CA\CRLOverlapPeriodUnits 12
certutil -setreg CA\CRLOverlapPeriod "Hours"
certutil -setreg CA\ValidityPeriodUnits 5
certutil -setreg CA\ValidityPeriod "Years"
Restart-Service certsvc
Start-Sleep 20
certutil -crl
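An added example (not code from the original post) that closes the two gaps a practitioner runs into at this point: the AIA entry above does not publish the subordinate CA certificate to the share, and nothing yet proves that the URLs written into certificates are actually served. It assumes it is run on SUBCA as an administrator after the steps above, that CAROOT.crt and CAROOT.crl were copied to D:\PKI on IISCA, and the share, alias and CA names configured above.

```powershell
# Added example (not from the original post): publish the SUBCA certificate to the
# pki$ share and verify that every URL the hierarchy promises is served and not expired.
# Assumes: run on SUBCA as an administrator; CAROOT.crt/CAROOT.crl already copied to
# D:\PKI on IISCA; share, DNS alias and CA names exactly as configured above.

$Share = '\\iisca\pki$'
$Base  = 'http://crl.rod.local/pki'

# 1. Export the SUBCA certificate under the name the %3%4 tokens produce for the first
#    CA certificate (CAINTER.crt; a renewed CA certificate gets %4 = "(1)" and so on)
#    and copy it to the share. certutil -ca.cert talks to the local CA service.
$caCert = Join-Path $env:TEMP 'CAINTER.crt'
certutil -ca.cert $caCert | Out-Null
Copy-Item -Path $caCert -Destination (Join-Path $Share 'CAINTER.crt') -Force

# 2. Fetch one published file over HTTP and read its expiry from certutil -dump
#    ("NextUpdate:" for a CRL, "NotAfter:" for a certificate). Dates are parsed with
#    the current culture because certutil prints them in the system locale.
function Test-PkiUrl {
    param([string]$Url)
    $tmp = Join-Path $env:TEMP ([IO.Path]::GetFileName($Url))
    try {
        $resp = Invoke-WebRequest -Uri $Url -OutFile $tmp -PassThru -UseBasicParsing -ErrorAction Stop
        $dump = (certutil -dump $tmp) -join "`n"
        $m = [regex]::Match($dump, '(NextUpdate|NotAfter):\s*(.+)')
        $expires = $null
        if ($m.Success) {
            try { $expires = [datetime]::Parse($m.Groups[2].Value.Trim(), [Globalization.CultureInfo]::CurrentCulture) } catch {}
        }
        [pscustomobject]@{
            Url     = $Url
            Status  = $resp.StatusCode
            Bytes   = (Get-Item $tmp).Length
            Expires = $expires
            Ok      = ($resp.StatusCode -eq 200 -and $expires -ne $null -and $expires -gt (Get-Date))
        }
    } catch {
        # 404 means the file never reached D:\PKI; 401/403 means the ACL or share is wrong.
        [pscustomobject]@{ Url = $Url; Status = 'ERROR'; Bytes = 0; Expires = $null; Ok = $false }
    }
}

# 3. Everything the CDP/AIA entries reference, including the delta CRL whose '+' only
#    works once allowDoubleEscaping is on at the web server.
$urls = "$Base/CAROOT.crt", "$Base/CAROOT.crl",
        "$Base/CAINTER.crt", "$Base/CAINTER.crl", "$Base/CAINTER+.crl"
$results = foreach ($u in $urls) { Test-PkiUrl -Url $u }
$results | Format-Table -AutoSize
if ($results.Ok -contains $false) {
    Write-Warning 'At least one published file is missing, not served, or already expired'
}

# 4. Let CryptoAPI build and revocation-check the SUBCA's own chain from the URLs inside
#    its certificate. This catches a wrong CDP on the root, a broken alias, or a stale
#    root CRL, which the per-file checks above would not.
certutil -verify -urlfetch $caCert
```

Run the same script again after the first scheduled delta CRL (one day later): if CAINTER+.crl is missing then, the UNC publishing from the CA service is failing, and the CA's event log on SUBCA says why.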

Okay, now we have an operational PKI. The AIA and CRL files are served from the IIS server, all requests and logs are stored on the SUBCA server, and the root CA has nothing left to do until the subordinate CA certificate or the root CRL needs renewing, so it can be taken offline. In my next post, I will talk about security, certificate templates and the implementation of autoenrollment.
