The post-installation script I am using is based on the one provided in Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure. If you are looking to deploy a PKI, that document is a must read, and it goes into greater depth than this blog series. Below is the post-installation configuration script that I will be using:
You will have to modify line 1 of the script to reflect your forest root domain name. For our environment the line is modified to:
In lines 3-6 we configure the CRL publication options.
Before we look at this section of the script, we first need to understand the options, variables, and structure of this command. Clearly, the command certutil -setreg CA\CRLPublicationURLs sets the locations for publishing CRLs.
The publication option is a number that maps to the options configured in the GUI. For CDP the options are outlined in the table below. Each option is represented by a number, and the set of selected options is represented by the sum of their option numbers. This total is the value placed in the CRLPublicationURLs publication options field.
1. Publish CRLs to %WINDIR%\System32\CertSrv\CertEnroll\ directory.
2. The filename of the CRL will be the name of the CA + a CRL name suffix + a “+” character if the file represents a CRL.
3. Note that the only publication option set by this string instructs the CA to write the CRL to the specified location. This location will not appear in the actual certificates issued by the CA because that option was not specified.
Understanding the variables and options not only lets you understand what the script does, but also how to modify it. It also lets you make sense of the configuration when reviewing the Certificate Authority's settings in the registry.
In my example, I am happy with the default settings, so I am going to leave them in the default.
On lines 7 through 9 of the script we define publication options for the CA certificate, commonly referred to as Authority Information Access.
1. Publish the CA Certificate to %WINDIR%\system32\CertSrv\CertEnroll
2. The file name of the CA certificate will be _ with the renewal extension of the Certificate Authority.
3. As with the CRL, the option specified indicates only that the CA should write the CA certificate to this location. This location will not be included in the AIA extension of certificates issued by this CA since that option was not specified.
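To make the option numbers concrete, here is a small decoder, added for this write-up and not part of the original post or the Best Practices guide, that splits a CRLPublicationURLs or CACertPublicationURLs string into its locations, names the bits behind each number, and flags a few CDP mistakes (no location written, no CDP in issued certificates, a local path advertised to clients, delta CRLs published with nothing telling clients where to find them). The bit meanings are the standard certutil publication options; the check function and the sample strings are my own, and the decoder also handles the issuing CA string shown later on this page.

```python
# CDP option bits (CRLPublicationURLs); the number before each URL in the
# script is the sum of the bits selected for that location.
CDP_FLAGS = {
    1: "publish CRLs to this location",
    2: "include in the CDP extension of issued certificates",
    4: "include in CRLs (clients use it to find delta CRLs)",
    8: "include in all CRLs (AD location for manual publishing)",
    64: "publish delta CRLs to this location",
    128: "include in the IDP extension of issued CRLs",
}
AIA_FLAGS = {  # AIA option bits (CACertPublicationURLs)
    1: "publish the CA certificate to this location",
    2: "include in the AIA extension of issued certificates",
    32: "include in the OCSP extension of issued certificates",
}

def parse_publication_urls(value, flags):
    """Split the batch-file string 'N:url\\nN:url' (literal \\n separators,
    %% escapes for %) into (number, url, [option names]) tuples."""
    entries = []
    for item in value.split("\\n"):
        num, url = item.split(":", 1)
        num = int(num)
        names = [name for bit, name in flags.items() if num & bit]
        entries.append((num, url.replace("%%", "%"), names))
    return entries

def check_cdp(entries):
    """Warn about CDP settings that leave issued certificates hard to validate."""
    warnings = []
    if not any(n & 1 for n, _, _ in entries):
        warnings.append("no entry has bit 1: the CA never writes a CRL")
    if not any(n & 2 for n, _, _ in entries):
        warnings.append("no entry has bit 2: issued certificates carry no CDP")
    for n, url, _ in entries:  # a local path in the CDP is unreachable for clients
        if n & 2 and not url.lower().startswith(("http", "ldap", "file")):
            warnings.append("local path advertised in certificates: " + url)
    if any(n & 64 for n, _, _ in entries) and not any(n & 4 for n, _, _ in entries):
        warnings.append("delta CRLs are published but no entry has bit 4")
    return warnings

# Constructed samples: the issuing CA line from the post and a broken variant.
ISSUING_CDP = (r"65:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl"
               r"\n6:http://FCCA01.FOURTHCOFFEE.COM/certenroll/%%3%%8%%9.crl"
               r"\n79:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10")
BAD_CDP = r"3:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl"
if __name__ == "__main__":
    for num, url, names in parse_publication_urls(ISSUING_CDP, CDP_FLAGS):
        print(num, url, "->", "; ".join(names))
    print(check_cdp(parse_publication_urls(BAD_CDP, CDP_FLAGS)))
```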
These set the CRL validity and publishing period to 180 days, or roughly six months.
This means that Delta CRLs will not be published because the publication period is zero.
These settings define the maximum validity period for certificates issued by the CA. Since this is a Root CA and only Subordinate CA certificates are going to be issued, this would be the validity period for the Subordinate CA certificate. In my case I only want my Subordinate CA to be valid for 5 years so I am going to change the entry in line 13 to reflect that, with the following change:
Then on line 15 we stop and start certificate services. We do that so that the new configuration can be read by the certificate authority:
On line 16 we ensure that the CertEnroll share is created, and if IIS is installed, that the CertSrv virtual directory is installed.
So now we are done with the post-installation configuration script. The reason for understanding this script is so that you can validate that the values in the sample script are the ones you want implemented on your CA. If not, you can of course modify the sample script or create your own. The reason for using the sample script on the Root CA is that you validate all of the settings before implementing them. Also, if you are going to test your installation in a test environment, you can run this script and verify that you get the results you are expecting. This will help eliminate any surprises when implementing the Root CA in production.
Issuing CA Post-Installation Configuration Script
The post-installation script I am using is based on the one in Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure. I am not going to go in as much detail for this script, since I covered all of the settings for the Root CA. Below is the script I will be using:
REM CRL distribution points (CDP): local file, HTTP, and LDAP locations
certutil -setreg CA\CRLPublicationURLs "65:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n6:http://FCCA01.FOURTHCOFFEE.COM/certenroll/%%3%%8%%9.crl\n79:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"
REM Authority Information Access (AIA) locations for the CA certificate
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://FCCA01.FOURTHCOFFEE.COM/certenroll/%%1_%%3%%4.crt\n3:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"
REM Base CRL validity and publishing period: 7 days
certutil -setreg CA\CRLPeriodUnits 7
certutil -setreg CA\CRLPeriod "Days"
REM Delta CRL publishing period: 2 hours (registry value names are CRLDeltaPeriodUnits and CRLDeltaPeriod)
certutil -setreg CA\CRLDeltaPeriodUnits 2
certutil -setreg CA\CRLDeltaPeriod "Hours"
REM Restart the service so the new registry settings are read
net stop certsvc & net start certsvc
REM Create the CertEnroll share and CertSrv virtual directory, then publish a CRL
certutil.exe -vroot
certutil -CRL
Lines 1-8 of the script configure CRL and AIA publication. You can use the tables in the previous section to determine whether these are configured to meet your requirements. After examining the CDP and AIA publishing, the settings in the script happen to match the requirements of my environment.
In lines 9 and 10 we configure the validity period and publication interval for the base CRL. In my environment, my requirement is publication once a week, so I will change line 10 to reflect this (since this setting is used in combination with certutil -setreg CA\CRLPeriod "Days", the resulting period will be seven days):
certutil -setreg CA\CRLPeriodUnits 7
After line 10 I am going to add two additional lines to configure my delta CRL publication so that a new delta CRL is published every two hours:
certutil -setreg CA\CRLDeltaPeriodUnits 2
certutil -setreg CA\CRLDeltaPeriod "Hours"
PKI Installation Walkthrough
Root CA Install
1. Copy CAPolicy.inf to the c:\Windows directory.
2. Start Server Manager and select Roles. In the Roles section click on Add Roles.
3. This will start the Add Roles Wizard, click Next.
4. On the Select Server Roles page of the wizard, select Active Directory Certificate Services and click Next.
5. On the Introduction to Active Directory Certificate Services page, click Next.
6. On the Select Role Services page, select Certification Authority, and click Next.
7. On the Specify Setup Type page, make sure Standalone is selected, and click Next.
8. On the Specify CA Type, select Root CA, and click Next.
9. On the Set Up Private Key page of the wizard, make sure Create a new private key is selected and click Next.
10. On the Configure Cryptography for CA page, you can select the CSP or KSP you wish to use, the key length for the Root Certification Authority's key, and the hash algorithm. Due to the business requirements of Fabrikam, I will be using the RSA Microsoft Software Key Storage Provider KSP, a key length of 4096 bits, and the SHA1 algorithm. (Check to determine supportability of stronger hash algorithms.) When finished click Next.
11. On the Configure CA Name page enter the Common Name for the CA and the name suffix.
12. When setting up the PKI for Fabrikam we are going to use Fabrikam Root Certification Authority for the Common Name and O=Fabrikam,C=US for the name suffix.
13. When complete, click Next.
14. On the Set Validity Period page of the wizard, select the validity for the Root CA certificate. As specified at the beginning of this post, Fabrikam is using a validity period of 10 years for the Root CA. Once complete, click Next to continue the wizard.
15. On the Configure Certificate Database page, select the locations for the Certificate Services Database and logs. Fabrikam will be using the default file paths. Select Next, when complete.
16. The Confirm Installation Selection page will summarize your selections. Review this information and then click Install.
17. Once setup is complete, run the post-installation configuration script. Review the settings to determine they are set to your specifications.
18. Copy the CRL and CRT files from c:\windows\system32\certsrv\certenroll to a Floppy or other removable media.
19. Log on to the machine that will become the Enterprise CA. Attach the removable media. Run the following command to publish the Root CA certificate to Active Directory: certutil -f -dspublish RootCA.
20. Then publish the CRL from the Root CA to Active Directory with the following command: certutil -f -dspublish .
21. Wait sufficient time for replication to complete within your site.
22. Run certutil -pulse. Running this command will trigger autoenrollment, and the Root CA's certificate and CRL will be downloaded automatically to the Trusted Root Certification Authorities store on the local machine.
Issuing CA Installation
1. Copy the CAPolicy.inf file to the c:\Windows directory.
2. Start Server Manager and select Roles. In the Roles section click on Add Roles.
3. This will start the Add Roles Wizard, click Next.
4. On the Select Server Roles page of the wizard select Active Directory Certificate Services and click Next.
5. On the Introduction to Active Directory Certificate Services page, click Next.
6. Part of the business requirements of Fabrikam is to have Web Enrollment available. As part of the plan we decided to install Web Enrollment on the Issuing CA, and in this way we could use it as the HTTP repository for CRLs and CA Certificates as well. If you wish to use the same approach, on the Select Role Services page, select Certification Authority and Certification Authority Web Enrollment, and click Next.
7. You will then be prompted to add the additional IIS role services required to run Web Enrollment. Click on Add Required Role Services.
8. On the Specify Setup Type page, select Enterprise, and click Next. Note: If you see the Enterprise option grayed out, that is an indication that the computer is not joined to the domain or you are not logged in with Enterprise Admin credentials.
9. On the Specify CA Type page, select Subordinate CA, and click Next.
10. On the Setup Private Key page, select Create a new private key, and click Next.
11. On the Configure Cryptography for CA page, you can select the CSP or KSP you wish to use, the key length for the Issuing Certification Authority's key, and the hash algorithm. Due to the business requirements of Fabrikam, I will be using the RSA Microsoft Software Key Storage Provider KSP, a key length of 2048 bits, and the SHA1 algorithm. (Check to determine supportability of stronger hash algorithms.) When finished click Next.
12. On the Configure CA Name page, enter the Common Name for the Issuing CA. The distinguished name should already be populated with the DN of the domain in which you are installing the CA. Fabrikam has the Common Name set as “Fabrikam Issuing Certification Authority”, and the DN of course is set to DC=Fabrikam,DC=com. When finished click Next.
13. On the Request Certificate from a Parent CA, select Save a certificate request to file and manually send it later to a parent CA. Then click the Browse button, navigate to Removable Media, enter a file name for the request, and click Save. Then click Next.
14. On the Configure Certificate Database page, select the locations for the Certificate Services Database and logs. Fabrikam will be using the default file paths. Select Next, when complete.
15. On the Web Server (IIS) page, click Next.
16. On the Select Role Services page of the wizard, click Next.
17. On the Confirm Installation Selections, select Install.
18. You will then be prompted with the Installation Results. The results will indicate that installation is not complete because you still need to submit the request to the Root CA and then install the resulting certificate. Click Close to acknowledge the results.
19. Take the removable media that you saved the request to and connect it to the Root CA. In the Certificate Services MMC (certsrv.msc) on the Root CA, select the root node (CA Name), right click, then select All Tasks, then Submit new request…, from the context menus.
20. Browse to the request file and then select Open.
21. The request will now be pending. Navigate to the Pending Request Folder and locate the request. Right click on the request, select All Tasks, and then Issue.
22. Navigate to the Issued Certificates folder. Locate the certificate for the Issuing CA, Right click on the certificate and select Open. This will open the Certificate Properties. Select the Details tab, then click on the Copy to File… button.
23. This will open the Certificate Export Wizard, click Next.
24. Select DER encoded binary X.509 (.CER) and click Next.
25. Click Browse…
26. Navigate to Removable Media, enter a name for the certificate and then click Save.
27. Then click Next.
28. Then click Finish.
29. You will be prompted that The export was successful. Click OK to acknowledge.
30. Open the Certification Authority MMC on the Issuing CA. Right click on the Root Node (CA Name), select All Tasks, and Start Service.
31. You will then be asked if you would like to install the CA Certificate, click Yes.
32. Insert the removable media that contains the CA Certificate for the issuing CA. Browse to the certificate, and select Open.
33. Next run the Post Installation Configuration Script and review the configuration to ensure that it meets your requirements.
Conclusion
In this installment we covered the requirements for a sample PKI deployment. We covered configuring the CAPolicy.inf and Post Configuration script. In Part III of this series I will cover a sample configuration and setup of Certificate Templates.
- Chris “Duuuuude” Delay
REM Root CA post-installation configuration script (the script discussed above)
REM Line 1: forest root domain naming context; change this for your forest
SET myADnamingcontext=DC=fourthcoffee,DC=com
certutil.exe -setreg ca\DSConfigDN "CN=Configuration,%myADnamingcontext%"
REM CRL distribution points (CDP): local file, HTTP, and LDAP locations
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:http://FCCA01.fourthcoffee.com/certenroll/%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"
REM Authority Information Access (AIA) locations for the CA certificate
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://FCCA01.fourthcoffee.com/certenroll/%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"
REM Base CRL validity and publishing period: 180 days
certutil -setreg CA\CRLPeriodUnits 180
certutil -setreg CA\CRLPeriod "Days"
REM Delta CRLs disabled (publication period of zero)
certutil -setreg CA\CRLDeltaPeriodUnits 0
REM Maximum validity of certificates issued by the Root CA (the Subordinate CA certificate): 5 years
certutil -setreg ca\ValidityPeriodUnits 5
certutil -setreg ca\ValidityPeriod "Years"
REM Restart the service so the new registry settings are read
net stop certsvc & net start certsvc
REM Create the CertEnroll share and CertSrv virtual directory, then publish a CRL
certutil -vroot
certutil -CRL