| Virtual Machine | Role(s) | IP Address |
|---|---|---|
| DC01.Fabrikam.com | Domain controller, DNS server, LDAP host for CDP and AIA | 192.168.1.10 |
| CA01.Fabrikam.com | Enterprise Root CA | 192.168.1.11 |
| SRV1.Fabrikam.com | Web Server, HTTP host for CDP and AIA | 192.168.1.13 |
| WIN7.Fabrikam.com | Windows Client Computer | 192.168.1.14 |
In some installations of Windows Server 2008 R2, the Group Policy Management console is added automatically. In other installations, it is not. If your installation does not automatically include the Group Policy Management tools upon AD DS installation, then you can add them using the following procedure:
1. Log on to SRV1.Fabrikam.com as Fabrikam\Administrator.
2. Click Start and select Computer to open Windows Explorer, and then go to the C: drive.
3. Create a folder called CertEnroll at the root of the C: drive.
4. Right-click the CertEnroll folder and select Properties.
5. On the CertEnroll Properties page, select the Sharing tab to configure share permissions.
6. Click the Advanced Sharing option and then select Share this folder.
7. Click Permissions and then click Add.
8. On the Select Users or Groups page, type Fabrikam\Cert Publishers in the Enter the object names to select field and then click OK.
9. On the Permissions for CertEnroll page, highlight the Cert Publishers group, select the Change permission, and then click OK twice to go back to the CertEnroll Properties page.
10. Select the Security tab and click Edit to configure NTFS permissions.
11. On the Permissions for CertEnroll page, click Add.
12. On the Select Users or Groups page, type Fabrikam\Cert Publishers in the Enter the object names to select field and then click OK.
13. On the Permissions for CertEnroll page, highlight the Cert Publishers group, select the Modify permission, and then click OK.
14. On the CertEnroll Properties page, click Close.
Allowing double escaping makes it possible for the web server to host Delta CRLs. For more information, see KB Article 942076 - Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 404.11 – URL_DOUBLE_ESCAPED"
Appcmd set config "Default Web Site" /section:system.webServer/Security/requestFiltering -allowDoubleEscaping:True
Note - Include the terminating “.” in the FQDN in the previous step. In a production environment this alias can resolve to a load balancer which distributes requests to any number of web servers that contain the CA certificates and CRLs.
Enterprise CAs must be joined to the domain. Before you install the Enterprise Root CA, you must first join the server to the domain. Then you can install the Certification Authority role service on the server.
[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies=InternalPolicy

[InternalPolicy]
OID=1.2.3.4.1455.67.89.5
Notice="Legal Policy Statement"
URL=http://pki.fabrikam.com/cps.txt

[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=1

Notes:
Important: Ensure that the CAPolicy.inf is saved as an .inf file. The file will not be used if it is saved with any other file extension.
Certutil -setreg CA\CRLPeriodUnits 1
Certutil -setreg CA\CRLPeriod "Weeks"
Certutil -setreg CA\CRLDeltaPeriodUnits 1
Certutil -setreg CA\CRLDeltaPeriod "Days"

CRLPeriodUnits - You can use this setting to specify the number of days, weeks, months, or years that a CRL will be valid.

CRLPeriod - You can use this setting to specify whether the validity period of a CRL will be defined in days, weeks, months, or years.

CRLDeltaPeriodUnits - You use this setting to specify the number of days, weeks, months, or years that delta CRLs will be valid. If a CA is to be offline, you should disable delta CRL publication.

CRLDeltaPeriod - You use this setting to specify whether delta CRL lifetimes will be defined in days, weeks, months, or years. The delta CRL publication interval setting is similar to the CRL publication interval setting. If a CA is to be offline, you should disable delta CRL publication.

Note: The use of delta CRLs needs to be based on a need to publish revocation knowledge quickly while minimizing the bandwidth consumption issues that can result from base CRL usage only. The CRLPeriodUnits and CRLDeltaPeriodUnits settings should not be less than the Active Directory convergence time if you are planning to publish CRLs to Active Directory.

4. To define CRL Overlap Period Units and CRL Overlap Period, run the following commands:

Certutil -setreg CA\CRLOverlapPeriodUnits 12
Certutil -setreg CA\CRLOverlapPeriod "Hours"

CRLOverlapPeriodUnits - You use this setting to specify the number of days, weeks, months, or years that CRLs can overlap. When a large number of certificates are revoked, such as during an employee layoff, the delta CRL size might increase significantly because of the large number of entries, and almost all clients will refer to the older base CRL. You can reduce the size of the overlap period to speed the propagation process for the new base CRL and help minimize the size of delta CRLs.

CRLOverlapPeriod - This setting specifies whether the overlap period for CRLs will be defined in days, weeks, months, or years.

Note: The overlap period for CRLs is the amount of time at the end of a published CRL's lifetime that a client can use to obtain a new CRL before the old CRL is considered unusable. The default setting for this value is 10% of the CRL lifetime. Because some environments may require longer periods to replicate a CRL, this setting can be configured manually.

5. To define Validity Period Units for all certificates issued by this CA, type the following commands and then press ENTER. In this single-tier PKI hierarchy scenario, end-entity certificates should not be valid for more than 5 years.

Certutil -setreg CA\ValidityPeriodUnits 5
Certutil -setreg CA\ValidityPeriod "Years"

ValidityPeriodUnits - You can use this setting to define the number of days, weeks, months, or years that a certificate issued by the CA will be valid. The validity period for a certificate cannot be greater than the validity period of the CA that issued the certificate. The default value depends on the type of certificate.

ValidityPeriod - You can use this setting to specify whether the validity period of certificates issued by the CA will be defined in days, weeks, months, or years. The default value depends on the type of certificate.

6. Enable auditing for the CA by selecting which group of events to audit in the Certification Authority MMC snap-in or by configuring the AuditFilter registry key. To configure auditing for all CA-related events, type the following command:

Certutil -setreg CA\AuditFilter 127

Note: CA\AuditFilter 127 enables all forms of auditing. You can use this setting to enable specific or all auditing events for the CA.
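As an added illustration (not part of the original guide), the following Python works out the publication schedule the values above produce for the lab CA (base CRL 1 week, delta CRL 1 day, overlap 12 hours) and checks the overlap against an assumed AD convergence time. The rule NextUpdate = ThisUpdate + CRLPeriod + CRLOverlapPeriod, the start time, and the function names are assumptions made here.

```python
from datetime import datetime, timedelta

# Unit names accepted by the CA\*Period registry values; Months and Years are
# approximated here (the CA itself uses calendar arithmetic).
UNIT = {"Hours": timedelta(hours=1), "Days": timedelta(days=1), "Weeks": timedelta(weeks=1),
        "Months": timedelta(days=30), "Years": timedelta(days=365)}

def period(units, unit_name):
    """Turn a (CRLPeriodUnits, CRLPeriod)-style registry pair into a timedelta."""
    return units * UNIT[unit_name]

def base_crl_schedule(this_update, crl_period, overlap):
    """The next base CRL is published at ThisUpdate + CRLPeriod; NextUpdate on the
    current CRL is pushed out by CRLOverlapPeriod so the old CRL stays valid while
    the new one replicates. (Assumed CA behaviour; clock-skew padding is ignored.)"""
    next_publish = this_update + crl_period
    return next_publish, next_publish + overlap

def delta_issue_times(this_update, next_publish, delta_period):
    """Delta CRLs issued between two base CRLs (every CRLDeltaPeriod until the next base)."""
    times, t = [], this_update + delta_period
    while t < next_publish:
        times.append(t)
        t += delta_period
    return times

def overlap_covers_convergence(overlap, ad_convergence):
    """The page's rule: the grace window must be at least the AD replication convergence time."""
    return overlap >= ad_convergence

def lab_schedule(this_update=datetime(2024, 1, 1, 8, 0), ad_convergence=timedelta(hours=8)):
    """Apply the page's values; the start time and convergence time are constructed inputs."""
    crl_period = period(1, "Weeks")      # CRLPeriodUnits 1, CRLPeriod "Weeks"
    overlap = period(12, "Hours")        # CRLOverlapPeriodUnits 12, CRLOverlapPeriod "Hours"
    next_publish, next_update = base_crl_schedule(this_update, crl_period, overlap)
    deltas = delta_issue_times(this_update, next_publish, period(1, "Days"))
    return {
        "next_publish": next_publish,
        "next_update": next_update,
        "delta_count": len(deltas),
        "overlap_ok": overlap_covers_convergence(overlap, ad_convergence),
    }
```

If overlap_ok is False for your measured replication latency, clients that fetch the CRL from a lagging domain controller will see it expire before the new one arrives and revocation checking will fail.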
CA auditing depends on the system Audit Object Access setting being enabled. You can enable Object Access Auditing through Active Directory Domain Services (AD DS) Group Policy or the Local Security Policy. The following instructions describe how to do so using Local Security Policy.
Additional Information
There are multiple different methods for configuring the Authority Information Access (AIA) and certificate revocation list distribution point (CDP) locations. You can use the user interface (in the Properties of the CA object), certutil, or directly edit the registry. The AIA is used to point to the public key for the certification authority (CA). The CDP is where the certificate revocation list is maintained, which allows client computers to determine if a certificate has been revoked. In this lab there will be three locations for the AIA and four locations for the CDP.
Using a certutil command is a quick and common method for configuring the AIA. When you run the following certutil command, you will be configuring a static file system location, a Lightweight Directory Access Protocol (LDAP) location, and an HTTP location for the AIA. The certutil command to set the AIA modifies the registry, so ensure that you run the command from a command prompt run as Administrator. Run the following command:

certutil -setreg CA\CACertPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n2:http://pki.fabrikam.com/CertEnroll/%1_%3%4.crt"

After you have run that command, run the following command to confirm your settings:

certutil -getreg CA\CACertPublicationURLs
Clients will use the CDP to locate the CRL and delta CRLs for the certificates issued by the CA. This allows certificate clients to ensure that the certificates have not been revoked. You can also configure the CDP with the user interface, certutil, or the registry. Using a certutil command is a quick and common method for configuring the CDP. When you run the following certutil command, you will be configuring a static file system location, an LDAP location, an HTTP location, and a file system location.

Note: The file system location that you will be setting will allow the CRL to be copied over the network to the web server (SRV1), which is why we earlier allowed the Cert Publishers group access to the share and folder. All CAs are members of the Cert Publishers group, so we effectively allowed all CAs to copy to the CertEnroll folder on SRV1. Some administrators decide to configure a separate group of specific computers for that purpose or even grant permissions to the CAs individually.

The certutil command to set the CDP modifies the registry, so ensure that you run the command from a command prompt run as Administrator. Run the following command:

certutil -setreg CA\CRLPublicationURLs "65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n6:http://pki.fabrikam.com/CertEnroll/%3%8%9.crl\n65:file://\\Srv1.fabrikam.com\CertEnroll\%3%8%9.crl"

After you run that command, run the following certutil command to verify your settings:

certutil -getreg CA\CRLPublicationURLs
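The numeric prefixes and %-tokens in the AIA and CDP commands above are easy to misread, so here is an added example (not from the original guide) that decodes the page's CDP string into its flag bits (the CSURL_* values from certsrv.h) and expands the templates into the paths a client or the CA would actually use; the same helpers work on the AIA string. The CA name Fabrikam-CA01-CA and the ConfigDN are constructed values, since the page never names the CA.

```python
import re

# CSURL_* bits (certsrv.h) that form the numeric prefix of each publication URL.
CSURL = {
    0x01: "publish to this location",
    0x02: "include in the CDP/AIA extension of issued certificates",
    0x04: "include in CRLs (clients use this to find delta CRLs)",
    0x08: "include in all CRLs (AD location used when publishing manually)",
    0x10: "publish to this location and retry",
    0x20: "include in the OCSP extension of issued certificates",
    0x40: "publish delta CRLs to this location",
    0x80: "include in the IDP extension of issued CRLs",
}

# certutil %-tokens; values are constructed for CA01 (the page never names the CA).
TOKENS = {
    "%1": "CA01.Fabrikam.com",   # ServerDNSName
    "%2": "CA01",                # ServerShortName
    "%3": "Fabrikam-CA01-CA",    # CaName (constructed)
    "%4": "",                    # CertificateName: renewal index, empty for the first CA key
    "%6": "CN=Configuration,DC=Fabrikam,DC=com",  # ConfigDN
    "%7": "Fabrikam-CA01-CA",    # CATruncatedName
    "%8": "",                    # CRLNameSuffix: renewal index, empty for the first key
    "%10": "?certificateRevocationList?base?objectClass=cRLDistributionPoint",  # CDPObjectClass
    "%11": "?cACertificate?base?objectClass=certificationAuthority",            # CAObjectClass
}

# The CDP value from the page, as passed to certutil (entries separated by a literal \n).
LAB_CDP = (r"65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl"
           r"\n79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"
           r"\n6:http://pki.fabrikam.com/CertEnroll/%3%8%9.crl"
           r"\n65:file://\\Srv1.fabrikam.com\CertEnroll\%3%8%9.crl")

def parse_publication_urls(value):
    """Split a CRLPublicationURLs / CACertPublicationURLs value into (flags, template) pairs."""
    return [(int(f), t) for f, t in (item.split(":", 1) for item in value.split(r"\n"))]

def describe_flags(flags):
    """Name every CSURL bit set in a prefix, e.g. 65 -> publish + publish delta CRLs."""
    return [CSURL[bit] for bit in sorted(CSURL) if flags & bit]

def expand(template, delta=False, tokens=TOKENS):
    """Expand %-tokens as certutil does; %9 (DeltaCRLAllowed) is '+' only for a delta CRL."""
    values = {**tokens, "%9": "+" if delta else ""}
    return re.sub(r"%\d+", lambda m: values.get(m.group(0), m.group(0)), template)

def cdp_report(value=LAB_CDP):
    """Per entry: the base CRL path, the delta CRL path, and what the flag bits mean."""
    return [(expand(t), expand(t, True), describe_flags(f)) for f, t in parse_publication_urls(value)]
```

Reading the report for the lab string shows why only the LDAP and HTTP entries carry bit 2: those are the URLs written into issued certificates, while the local path and the file share (65) are publish-only targets that clients never see.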
To ensure that certificate clients can locate the root CA certificate, you must copy it to the AIA location that you previously defined: http://pki.fabrikam.com/CertEnroll. You may recall that this is the CertEnroll shared directory on SRV1. To do so:
To ensure that certificate clients can locate the CRL, you must ensure that the CRL is published to the locations where you indicated that it would be available. There are a couple of methods for publishing the CRL. You can run the certutil -crl command or you can use the user interface. To use the user interface:
There are a couple of ways to check that your PKI hierarchy is working properly. One is to use the Enterprise PKI utility to check the health of the AIA and the CDP. Another is to actually distribute a certificate to a client computer.