My status

My backup memory

Thứ Năm, 14 tháng 6, 2012

Build an Offline Root CA with a Subordinate CA


Install Root CA
  1. Build new stand-alone root CA, not attached to domain and give unique name.
  2. Log on to the server as the administrator and install Certificate Services to create a stand-alone root certification authority.
    1. Install Certificate Authority service only, IIS is not needed.
    2. Create a new private key
    3. Ensure the common name for the CA is unique.
    4. Change the validity period for the CA’s certificate to 20 years
Install Sub CA
  1. Build new enterprise subordinate CA and add to domain.
    Add the following role services
    1. Certification Authority
    2. Certification Authority Web Enrollment
    3. Online Responder
    4. Certificate Enrollment Policy Web Service (Might need to install this later) 
    5. Setup type is Enterprise, Subordinate CA, create a new key, Cryptographic service provider (CSP): RSA#Microsoft software Key Storage Provider
      Key length: 2048, Hash algorithm SHA1. Common name is the same netbios name as the original enterprise root CA if you are migrating from a stand alone CA, otherwise use a new name. Certificate Request: Save a certificate to file and manually send it later. Server Authentication Certificate: Choose and assign a certificate for SSL later.
    6. Save the certificate request to file and manually send it later to a parent CA.
      • Save this file to a shared location, it will be used later after other configurations need to be done.
    7. For the following few steps we will setup a CRL for the new offline Root CA and change the URL location of the certificate revocation list (CRL) distribution point to a location that is accessible to all users in you organization’s network while the Root CA is offline. It is necessary to do this because the offline root CA’s default CRL Distribution Points (CDPs) are not accessible to users on the network and, if they are left unchanged, certificate revocation checking will fail.
      On the Root CA, Open Certification Authority
    8. Right click on the RootCA server name -> Properties -> -> Extensions tab -> extension type: CRL Distribution Point (CDP):.
    9. Mark the line begins with “LDAP”, and click ‘Include in the CDP extension of issued certificates’.
      clip_image001
    10. Mark the line begins with “HTTP”, and click remove.
    11. Mark the line begins with “file”, and click remove.
    12. Click on Add -> on the location, put: http://wwwca/CertEnroll/.crl (wherewwwca is the netbios name of the Sub CA server) Tick the following.
      clip_image002
    13. Click on the line begins with “C:\Windows”, and make sure the only options checked are:
      clip_image003
  2. Setup AIA information for the Offline Root CA, On the Extensions tab -> extension type: Authority Information Access (AIA):
    1. Mark the line begins with “LDAP”, and tick the following boxes
      clip_image005
    2. Mark the line begins with “HTTP”, and click remove.
    3. Mark the line begins with “file”, and click remove.
    4. Click on Add -> on the location, put: http://wwwca/CertEnroll/_.crt (wherewwwca is the netbios name of the Sub CA). Tick the following boxes.
      clip_image007
    5. Click OK and allow the CA server to restart its service
  3. From the “Certification Authority” left pane, right click on “Revoked certificates”-> Properties:
    1. CRL publication interval: 6 months
    2. Make sure “Publish Delta CRLs” is not checked
    3. Click OK
  4. Setup the root CA to issue certificates with an expiry date of 10 years (will issue to the Sub CA for 10 years)
    1. Change the following registry path on the Root CA -HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\Root-CA\ValidityPeriodUnits
    2. Change the REG_DWORD decimal value to 10.
    3. This changes it to 10 years, so when the Sub CA gets a certificate, it won’t expire for another 10 years.
    4. Alternatively you can run from the command prompt – certutil -setreg CA\ValidityPeriodUnits 10 & certutil -setreg CA\ValidityPeriod "Years"
  5. Configure the offline root CA to support certificate revocation listing with Active Directory
    1. On the Root CA, Log on to the system as a Certification Authority Administrator.
    2. Open Command Prompt.
    3. Type the following, and then press ENTER. – certutil -setreg ca\DSConfigDN “CN=Configuration,DC=domain,DC=local”
    4. Type the following, and then press ENTER. – certutil -setreg ca\DSDomainDN “DC=domain,DC=local”
    5. Open Certification Authority.
    6. In the console tree, click the name of the certification authority (CA).
      Where?
      • Certification Authority (Computer)/CA name
    7. On the Action menu, point to All Tasks, and click Stop Service to stop the service.
    8. On the Action menu, point to All Tasks, and click Start Service to start the service.
  6. From the “Certification Authority” left pane, right click on “Revoked certificates”-> All tasks -> Publish -> click OK
Manual steps to publish the Root CA CRL & AIA
  1. Copy the CRL & CRT file to the Sub CA
    1. On the Root CA, copy the files from C:\Windows\System32\CertSrv\CertEnroll to the same location on the Sub CA
  2. Publish the CRL & Root CA certificate to Active Directory
    For this to work, you need to be a member of the Enterprise Admins group. Information is published to CN=Public Key Services,CN=Services,CN=Configuration,DC=C=domain,DC=local
    1. From the Sub CA, the two files you copied before (.CRT and .CRL need to be used for this)
    2. Publish the Root certificate to AD -  certutil -dspublish -f RootCACertificateFile.crt RootCA
    3. Publish the CRL information to Active Directory – certutil –dspublish -f CACRLFile.crl
  3. Add the Root CA to the AD trusted root area in Group Policy (Not really needed, up to you)
    1. On the DC, Start -> Administrative Tools -> Group Policy Management. From the left pane, expand the forest name -> expand Domains -> expand the relevant domain name -> right click on “Default domain policy” -> Edit. From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> expand “Public Key Policies” -> right click on “Trusted Root Certification Authorities” -> Import -> click Next -> click Browse to locate the CRT file from the Root CA (C:\Windows\System32\CertSrv\CertEnroll) -> click Open -> click Next twice -> click Finish -> click OK.
  4. Issue the Sub CA a certificate from the Root CA server.
    1. Right click on the RootCA server name -> All Tasks -> Submit new request -> locate the subordinate CA request file (.req) -> Open.
    2. Expand the RootCA server name -> right click on “Pending Requests” -> locate the subordinate CA request ID according to the date -> right click on the request -> All Tasks -> Issue.
    3. From the left pane, click on “Issued Certificates” -> locate the subordinate CA request ID –> double click on the request –> Click the details TAB –> Copy to file –.p7b -> click Save.
    4. As an option only, on the SubCA, run the command bellow from command line to avoid offline CRL errors: Certutil.exe -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
    5. On the Sub CA, from command prompt, run – gpupdate/force
    6. Right click on the subordinate CA server name -> All Tasks -> “Install CA Certificate” -> locate the file.p7b -> click Open.
    7. Right click on the subordinate CA server name -> All Tasks -> Start Service.
  5. Start -> Administrative Tools -> Group Policy Management.
    1. From the left pane, expand the forest name -> expand Domains -> expand the relevant domain name -> right click on “Default domain policy” -> Edit.
    2. From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> expand “Public Key Policies” -> right click on “Intermediate Certification Authorities” -> Import -> click Next -> click Browse to locate the CRT file from the subordinate CA server (C:\Windows\System32\certsrv\CertEnroll) -> click Open -> click Next twice -> click Finish -> click OK.
    3. Logoff the domain controller.
  6. By default, IIS 7.0 request filtering blocks the plus sign (+), which is used in the URL of delta CRLs. To allow delta CRL retrieval, modify the IIS configuration by setting allowDoubleEscaping=true on the requestFiltering element in the system.web section of IIS configuration. For more information about IIS 7.0 request filter configuration, see IIS 7.0: Configure Request Filters in IIS 7.0.
    appcmd set config /section:requestfiltering /allowdoubleescaping:true Appcmd.exe can be found – %windir%\system32\inetsrv
Installing and configuring Online Responder (OCSP)
Testing CDP, AIA & OCSP information
  1. To Test CRL & AIA on client certificates, export any client certificate to a .CER file. Run the following command against the .CER file –
certutil -url file.cer or certutil -url file.crl
clip_image009
  1. http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/d98bbcb3-0164-44af-b7d4-d64547479ff3

Posted by at
Labels:

Không có nhận xét nào:

Đăng nhận xét

Đăng ký: Đăng Nhận xét (Atom)