In my post Active Directory Certificate Services [Part1], i explain to you the différents informations you need before you run an installation of PKI. Today in this new post, i show you how to install and settings a Microsoft PKI two layers.
In my lab, i prepare three servers with these features :
CAROOT
1 CPU
1024 RAM
1 Disk System C:\ (Disk for the system)
CASUB
1 CPU
1024 RAM
1 Disk System C:\ (Disk for the system)
IISCA
1 CPU
1024 RAM
1 Disk System C:\ (Disk for the system)
1 Disk Datas D:\ (Disk for CRL)
I have a DC server and the FQDN of my domain is “rod.local”, the operating system is Microsoft Windows Server 2016.
Before starting installation of CAROOT, i begin by the installation and setting of the IIS Web server.
IISCA Installation et settings
Create directory on drive D:\ name “PKI”
New-Item -Path c:\test -ItemType Directory -ForceEdit security properties and disable inheritance
Add ACL security groups on folder D:\PKI
Share the folder, name pki$ and restricited access to only “Cert Publishers” Active Directory group with modifiy rights.
Install the roles and features for web server with these composants :
Settings IIS web server :
Add virtual directory :
Enabled directory browsing :
In CMD Windows, in path “C:\Windows\System32\inetsrv\”
Execute command
appcmd set config /section:directoryBrowse /enabled:false
Enable Allow double escaping :
In CMD Windows, in path “C:\Windows\System32\inetsrv\”
Execute command
Appcmd set config "Default Web Site" /section:system.webServer/Security/requestFiltering -allowDoubleEscaping:True
Reset IIS
In CMD Windows, execute command
iisreset
Create a DNS Alias
In DNS server console, add an Alias “crl.rod.local” to redirect to “iisca.rod.local”
Settings CA Root
Add rôles and features :
Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
Setting CA :
Install-AdcsCertificationAuthority –CAType StandaloneRootCA –CACommonName "CAROOT,O=ROD,L=EMEA,C=FR" –KeyLength 4096 -ValidityPeriod Years -ValidityPeriodUnits 20 –HashAlgorithm SHA256 –CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -OverwriteExistingKey
Set CRL :
Get-CACrlDistributionPoint | % {Remove-CACrlDistributionPoint $_.uri -Force}
New-Item -Path c:\PKI -ItemType Directory -Force
Add-CACRLDistributionPoint -Uri C:\PKI\%3%8.crl -PublishToServer -Force
Add-CACRLDistributionPoint -Uri http://crl.rod.local/pki/%3%8.crl -AddToCertificateCDP -Force
Set AIA :
Get-CAAuthorityInformationAccess | % {Remove-CAAuthorityInformationAccess $_.uri -Force}
Settings crl period value and time live for issue certificates
certutil -setreg CA\CRLPeriod Years
certutil -setreg CA\CRLPeriodUnits 20
Certutil -setreg CA\ValidityPeriodUnits 10
Certutil -setreg CA\ValidityPeriod "Years"
Set DN Active Directory for configuration partition and creating crl file :
certutil -setreg "CA\DSConfigDN" "CN=Configuration,DC=rod,DC=local"
restart-service certsvc
Start-sleep 30
certutil –crl
Copy certificate CA to directory c:\pki\
Copy-Item C:\Windows\System32\CertSrv\CertEnroll\CAROOT.crl C:\PKI\- Copy crl file to IISCA server into PKI directory
- Copy CARoot certificate and CRL file to SUBCA server in temporally directory
Install and setting CASUB :
Open a user session with enterprise admin privileges on CASUB server.
Publish RootCA certificate and CRL to Active Directory :
In CMD Windows execute from path where you have copy the crl and certificate files :
certutil -dspublish -f CAROOT.crt RootCA
certutil -addstore -f root CAROOT.crt
certutil –addstore -f root CAROOT.crl
Install roles and features :
Install role :
Add-WindowsFeature Adcs-Cert-Authority –IncludeManagementTools
Configure Sub CA :
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA -CACommonName "CAINTER,O=ROD,L=EMEA,C=FR" -KeyLength 2048 -HashAlgorithmName SHA256 -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -OutputCertRequestFile "c:\temp\ResquestPKI.req"
Copy request file to CA Root and validate the request :
After you have copied the request file to the CAROOT server, in PowerShell command line, submite the request :
certreq -submit c:\temp\requestpki.req
Open CA MMC and issue the request
Export the new certificate to file and copy it to SUBCA
On the SUBCA Server, import certificate and start CA :
certutil -installcert c:\temp\SUBCA.crt
Start-service certsvc
Setting SUBCA :
Set AIA and CDP :
Get-CACrlDistributionPoint | % {Remove-CACrlDistributionPoint $_.uri -Force}
Add-CACRLDistributionPoint -Uri \\iisca\pki$\%3%8.crl -PublishToServer –Force
Add-CACRLDistributionPoint -Uri \\iisca\pki$\%3%8%9.crl -PublishDeltaToServer –Force
Add-CACRLDistributionPoint -Uri http://crl.rod.local/pki/%3%8.crl -AddToCertificateCDP –Force
Add-CACRLDistributionPoint -Uri http://crl.rod.local/pki/%3%8%9.crl -AddToCertificateCDP –Force
Get-CAAuthorityInformationAccess | % {Remove-CAAuthorityInformationAccess $_.uri -Force}
Add-CAAuthorityInformationAccess -AddToCertificateAia http://crl.rod.local/pki/%3%4.crt –Force
Set CRL and plublish CRL to IISCA Server :
Certutil -setreg CA\CRLPeriodUnits 2
Certutil -setreg CA\CRLPeriod "Weeks"
Certutil -setreg CA\CRLDeltaPeriodUnits 1
Certutil -setreg CA\CRLDeltaPeriod "Days"
Certutil -setreg CA\CRLOverlapPeriodUnits 12
Certutil -setreg CA\CRLOverlapPeriod "Hours"
Certutil -setreg CA\ValidityPeriodUnits 5
Certutil -setreg CA\ValidityPeriod "Years"
restart-service certsvc
Start-Sleep 20
certutil –crlOkay, now, we have an operational PKI. The AIA and CRL files are stored on the IIS server. All requests and logs are stored on the SUBCA server. In my next POST, I will talk about security, certificate templates and the implementation of the autoenrollment.
