Active Directory Certificate Services [Part2]

  • October 5, 2017
  • Rodolphe Herpeux

In my post Active Directory Certificate Services [Part1], I explained the information you need to gather before installing a PKI. In this post I show how to install and configure a two-tier Microsoft PKI: a standalone root CA and an enterprise subordinate CA, with the CRL and AIA files published by a separate IIS server.

In my lab, I prepared three servers with these specifications:

CAROOT
1 CPU
1024 MB RAM
1 system disk C:

CASUB
1 CPU
1024 MB RAM
1 system disk C:

IISCA
1 CPU
1024 MB RAM
1 system disk C:
1 data disk D: (for the CRL and AIA files)

I also have a domain controller; the FQDN of my domain is “rod.local” and the operating system is Microsoft Windows Server 2016.

Before installing CAROOT, I start with the installation and configuration of the IIS web server.

IISCA installation and settings

Create a directory named “PKI” on drive D:

```powershell
New-Item -Path D:\PKI -ItemType Directory -Force
```

Edit the security properties of the folder and disable inheritance.

Add the ACL security groups on the D:\PKI folder. Share the folder as pki$ and restrict access to the “Cert Publishers” Active Directory group only, with Modify rights (the CAs publish their CRLs through this share; nobody else needs write access).

Install the Web Server role and features with the following components:

Configure the IIS web server:

Add a virtual directory:

Enable directory browsing:

In a Windows command prompt, from “C:\Windows\System32\inetsrv”, run:

```cmd
appcmd set config /section:directoryBrowse /enabled:true
```

Enable “Allow double escaping” (delta CRL file names contain a “+”, which request filtering rejects otherwise):

In a Windows command prompt, from “C:\Windows\System32\inetsrv”, run:

```cmd
appcmd set config "Default Web Site" /section:system.webServer/security/requestFiltering /allowDoubleEscaping:True
```

Reset IIS:

In a Windows command prompt, run:

```cmd
iisreset
```

Create a DNS alias

In the DNS server console, add a CNAME alias “crl.rod.local” pointing to “iisca.rod.local”.
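The IISCA preparation above as one PowerShell script, added here as an example and not part of the original post. It assumes the virtual directory is named “pki” under “Default Web Site”, that the domain NetBIOS name is ROD, and that the DNS cmdlet is run on (or remoted to) the DNS server; adjust those values for your environment.

```powershell
# Added example (not the original post's code): prepare the IISCA publication point.
# Assumptions: virtual directory "pki", site "Default Web Site", domain ROD / zone rod.local.
# Run in an elevated PowerShell on IISCA; the DNS step needs the DnsServer module.

$PkiRoot        = 'D:\PKI'
$ShareName      = 'pki$'
$CertPublishers = 'ROD\Cert Publishers'   # only this group may write CRL/AIA files

# 1. Folder with inheritance disabled and an explicit ACL
New-Item -Path $PkiRoot -ItemType Directory -Force | Out-Null
$acl = Get-Acl -Path $PkiRoot
$acl.SetAccessRuleProtection($true, $false)   # disable inheritance, drop inherited ACEs
$rules = @(
    @('NT AUTHORITY\SYSTEM',    'FullControl'),
    @('BUILTIN\Administrators', 'FullControl'),
    @($CertPublishers,          'Modify'),          # CAs publish CRLs here
    @('BUILTIN\Users',          'ReadAndExecute')   # IIS worker process reads the files
)
foreach ($r in $rules) {
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $r[0], $r[1], 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $PkiRoot -AclObject $acl

# 2. Hidden share restricted to Cert Publishers (Change = write new CRL files)
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $PkiRoot -ChangeAccess $CertPublishers | Out-Null
}

# 3. IIS role, virtual directory, directory browsing and double escaping
Install-WindowsFeature Web-Server -IncludeManagementTools | Out-Null
Import-Module WebAdministration
if (-not (Get-WebVirtualDirectory -Site 'Default Web Site' -Name 'pki')) {
    New-WebVirtualDirectory -Site 'Default Web Site' -Name 'pki' -PhysicalPath $PkiRoot | Out-Null
}
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\pki' `
    -Filter /system.webServer/directoryBrowse -Name enabled -Value $true
# Delta CRL names contain '+', which request filtering rejects unless double escaping is allowed
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site' `
    -Filter /system.webServer/security/requestFiltering -Name allowDoubleEscaping -Value $true
iisreset | Out-Null

# 4. DNS alias crl.rod.local -> iisca.rod.local (the name stamped into CDP/AIA URLs,
#    so the web server can be replaced later without re-issuing certificates)
Add-DnsServerResourceRecordCName -ZoneName 'rod.local' -Name 'crl' -HostNameAlias 'iisca.rod.local'
```

Granting only Cert Publishers change access on the share is what keeps an attacker who compromises an ordinary domain account from replacing a published CRL; the web content itself stays world-readable, as it must be for revocation checking to work.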

CA Root settings

Add the role and features:

```powershell
Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
```

Configure the CA (the common name and the rest of the distinguished name are separate parameters):

```powershell
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName "CAROOT" -CADistinguishedNameSuffix "O=ROD,L=EMEA,C=FR" `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -ValidityPeriod Years -ValidityPeriodUnits 20 -OverwriteExistingKey
```

Set the CRL distribution points:

```powershell
Get-CACrlDistributionPoint | % { Remove-CACrlDistributionPoint $_.Uri -Force }
New-Item -Path C:\PKI -ItemType Directory -Force
# Local path where the root CA writes its CRL
Add-CACRLDistributionPoint -Uri 'C:\PKI\%3%8.crl' -PublishToServer -Force
# URL written into the certificates the root issues; it must be the full HTTP URL on the
# crl.rod.local alias (http://crl.rod.local/<vdir>/%3%8.crl), the page shows only the file name
Add-CACRLDistributionPoint -Uri '%3%8.crl' -AddToCertificateCDP -Force
```

Set the AIA (the offline root publishes no AIA location):

```powershell
Get-CAAuthorityInformationAccess | % { Remove-CAAuthorityInformationAccess $_.Uri -Force }
```

Set the CRL period and the validity period of the certificates the root issues:

```powershell
certutil -setreg CA\CRLPeriod Years
certutil -setreg CA\CRLPeriodUnits 20
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"
```

Set the Active Directory configuration partition DN and create the CRL file:

```powershell
certutil -setreg CA\DSConfigDN "CN=Configuration,DC=rod,DC=local"
Restart-Service certsvc
Start-Sleep 30
certutil -crl
```

Copy the CA certificate and the CRL to C:\PKI:

```powershell
Copy-Item C:\Windows\System32\CertSrv\CertEnroll\CAROOT.crl C:\PKI
# The CA certificate in CertEnroll is named <host>_<CAName>.crt
Copy-Item C:\Windows\System32\CertSrv\CertEnroll\*.crt C:\PKI
```

  • Copy the CRL file to the IISCA server into the PKI directory
  • Copy the CAROOT certificate and CRL file to the SUBCA server into a temporary directory

Install and configure CASUB:

Open a session with Enterprise Admin privileges on the CASUB server.

Publish the root CA certificate and CRL to Active Directory:

In a Windows command prompt, from the directory where you copied the CRL and certificate files, run:

```cmd
certutil -dspublish -f CAROOT.crt RootCA
certutil -addstore -f root CAROOT.crt
certutil -addstore -f root CAROOT.crl
```

Install the roles and features:

Install the role:

```powershell
Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
```

Configure the subordinate CA (this writes a request file to sign on the root):

```powershell
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CACommonName "CAINTER" -CADistinguishedNameSuffix "O=ROD,L=EMEA,C=FR" `
    -KeyLength 2048 -HashAlgorithmName SHA256 `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -OutputCertRequestFile "C:\temp\RequestPKI.req"
```

Copy the request file to the root CA and validate the request:

After you have copied the request file to the CAROOT server, submit the request from a PowerShell command line:

```powershell
certreq -submit C:\temp\RequestPKI.req
```

Open the CA MMC and issue the pending request.

Export the new certificate to a file and copy it to SUBCA.

On the SUBCA server, install the certificate and start the CA:

```powershell
certutil -installcert C:\temp\SUBCA.crt
Start-Service certsvc
```
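The submit, issue and export steps on CAROOT can also be done without the CA MMC. The script below is an added example and not part of the original post; it assumes the root CA config string is "CAROOT\CAROOT" (host name\CA name) and the paths used above.

```powershell
# Added example (not the original post's code): submit, approve and retrieve the
# subordinate CA request on CAROOT from the command line.
# Assumptions: CA config string "CAROOT\CAROOT", request copied to C:\temp\RequestPKI.req.
$RootConfig = 'CAROOT\CAROOT'
$ReqFile    = 'C:\temp\RequestPKI.req'
$OutFile    = 'C:\temp\SUBCA.crt'

# A standalone CA leaves the request pending; certreq prints "RequestId: N"
$submit = certreq -submit -config $RootConfig $ReqFile $OutFile 2>&1 | Out-String
if ($submit -notmatch 'RequestId:\s*(\d+)') { throw "Submit failed:`n$submit" }
$reqId = [int]$Matches[1]

# Issue the pending request (equivalent to right-click > Issue in the MMC)
certutil -config $RootConfig -resubmit $reqId | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Issuing request $reqId failed" }

# Retrieve the issued certificate to a file for transfer to CASUB
certreq -retrieve -config $RootConfig $reqId $OutFile | Out-Null

# Check what was issued before copying it: subject, issuer and the CA basic constraint
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $OutFile
$bc    = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
"Subject:   $($cert.Subject)"
"Issuer:    $($cert.Issuer)"
"Is a CA:   $($bc.CertificateAuthority)"
"Expires:   $($cert.NotAfter)"
if (-not $bc.CertificateAuthority) { throw 'Issued certificate is not a CA certificate' }
```

The final check matters because a request issued through the wrong template, or with the basic constraints extension missing, produces a certificate that certsvc on CASUB will refuse to install.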

SUBCA settings:

Set the AIA and CDP (the CRLs are published to the pki$ share on IISCA; the URLs stamped into certificates go through the crl.rod.local alias):

```powershell
Get-CACrlDistributionPoint | % { Remove-CACrlDistributionPoint $_.Uri -Force }
# Publication targets: the hidden share on IISCA (base CRL and delta CRL)
Add-CACRLDistributionPoint -Uri '\\iisca\pki$\%3%8.crl' -PublishToServer -Force
Add-CACRLDistributionPoint -Uri '\\iisca\pki$\%3%8%9.crl' -PublishDeltaToServer -Force
# URLs written into issued certificates; they must be the full HTTP URLs on the crl.rod.local
# alias (http://crl.rod.local/<vdir>/...), the page shows only the file names
Add-CACRLDistributionPoint -Uri '%3%8.crl' -AddToCertificateCDP -Force
Add-CACRLDistributionPoint -Uri '%3%8%9.crl' -AddToCertificateCDP -Force
Get-CAAuthorityInformationAccess | % { Remove-CAAuthorityInformationAccess $_.Uri -Force }
Add-CAAuthorityInformationAccess -AddToCertificateAia '%3%4.crt' -Force
```

Set the CRL periods and publish the CRL to the IISCA server:

```powershell
certutil -setreg CA\CRLPeriodUnits 2
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"
certutil -setreg CA\CRLOverlapPeriodUnits 12
certutil -setreg CA\CRLOverlapPeriod "Hours"
certutil -setreg CA\ValidityPeriodUnits 5
certutil -setreg CA\ValidityPeriod "Years"
Restart-Service certsvc
Start-Sleep 20
certutil -crl
```

We now have an operational PKI. The AIA and CRL files are published on the IIS server, and all requests and logs are stored on the SUBCA server. In my next post I will talk about security, certificate templates and the implementation of autoenrollment.
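Before calling the PKI operational it is worth checking, from an ordinary domain member, that clients can actually build the chain and fetch the revocation data. The script below is an added example, not part of the original post; it assumes the subordinate CA certificate was copied to C:\temp\SUBCA.crt and reads the CDP/AIA URLs out of that certificate, so it works whatever virtual directory name you chose.

```powershell
# Added example (not the original post's code): post-install publication check,
# run on a domain-joined client. Assumption: C:\temp\SUBCA.crt is the subordinate CA cert.
$CertFile = 'C:\temp\SUBCA.crt'

# 1. Chain build with live AIA/CDP fetching. Any download or revocation error here
#    means clients will fail revocation checking for certificates this CA issues.
$verify = certutil -verify -urlfetch $CertFile | Out-String
$errors = ($verify -split "`r?`n") -match 'Unable to download|Revocation check failed|Error retrieving'
if ($errors) { Write-Warning ("certutil -verify reported:`n" + ($errors -join "`n")) }
else { 'certutil -verify: chain and revocation data OK' }

# 2. Every HTTP URL stamped into the certificate must answer 200, and each CRL must
#    not be past its NextUpdate (a stale CRL means the publish task or share is broken).
$urls = [regex]::Matches((certutil -dump $CertFile | Out-String), 'URL=(http\S+)') |
        ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
foreach ($u in $urls) {
    $tmp = [IO.Path]::GetTempFileName()
    try {
        $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 10 -OutFile $tmp -PassThru
        $state = "HTTP $($r.StatusCode)"
        if ($u -like '*.crl') {
            $dump = certutil -dump $tmp | Out-String
            if ($dump -match 'NextUpdate:\s*(.+)') {
                # certutil prints the date in the local culture format
                $next = [datetime]::Parse($Matches[1].Trim())
                $state += if ($next -gt (Get-Date)) { ", CRL valid until $next" }
                          else { ", CRL EXPIRED at $next" }
            }
        }
    } catch { $state = "FAILED: $($_.Exception.Message)" }
    finally { Remove-Item $tmp -ErrorAction SilentlyContinue }
    '{0,-60} {1}' -f $u, $state
}
```

Running this check on a schedule, and alerting on an expired CRL or a failed download, catches the most common way a two-tier PKI silently breaks: the offline root's CRL reaching its NextUpdate without anyone powering the root on to republish it.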
