There are eight major steps in this step-by-step guide as listed below (each includes several subtasks).
To install the Fabrikam.com forest:
In some installations of Windows Server 2008 R2, the Group Policy Management console is added automatically. In other installations, it is not. If your installation does not automatically include the Group Policy Management tools upon AD DS installation, then you can add them using the following procedure:
Allowing double escaping makes it possible for the web server to host delta CRLs. For more information, see KB article 942076 - Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 404.11 – URL_DOUBLE_ESCAPED"
Appcmd set config "Default Web Site" /section:system.webServer/Security/requestFiltering -allowDoubleEscaping:True
Note - Include the terminating “.” in the FQDN in the previous step. In a production environment this alias can resolve to a load balancer which distributes requests to any number of web servers that contain the CA certificates and CRLs.
[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies=InternalPolicy

[InternalPolicy]
OID=1.2.3.4.1455.67.89.5
Notice="Legal Policy Statement"
URL=http://pki.fabrikam.com/cps.txt

[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
AlternateSignatureAlgorithm=1
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
Notes:
5. Click File and Save to save the CAPolicy.inf file in the C:\Windows directory.
Warning: Be sure to save the CAPolicy.inf with the .inf extension. If you do not specifically type .inf at the end of the file name and select the options as described, the file will be saved as a text file and will not be used during CA installation.
6. Close Notepad.
To install the standalone offline root CA:
Additional information
CA auditing depends on the system Audit Object Access setting being enabled. The following instructions describe how to use Local Security Policy to enable object access auditing.
Additional Information
There are multiple different methods for configuring the Authority Information Access (AIA) and certificate revocation list distribution point (CDP) locations. You can use the user interface (in the Properties of the CA object), certutil, or directly edit the registry. The AIA is used to point to the public key for the certification authority (CA). The CDP is where the certificate revocation list is maintained, which allows client computers to determine if a certificate has been revoked. In this lab there will be three locations for the AIA and four locations for the CDP.
Using a certutil command is a quick and common method for configuring the AIA. When you run the following certutil command, you will be configuring a static file system location, a Lightweight Directory Access Protocol (LDAP) location, and an HTTP location for the AIA. The certutil command to set the AIA modifies the registry, so ensure that you run the command from a command prompt run as Administrator. Run the following command:
certutil -setreg CA\CACertPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n2:http://pki.fabrikam.com/CertEnroll/%1_%3%4.crt"
After you have run that command, run the following command to confirm your settings:
certutil -getreg CA\CACertPublicationURLs
If you look in the registry under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\Fabrikam Root CA, you can confirm the CACertPublicationURLs by opening that REG_MULTI_SZ value. You should see the following:
1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt
2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11
2:http://pki.fabrikam.com/CertEnroll/%1_%3%4.crt
You can also see this in the CA (certsrv) console. To open the console, click Start, click Administrative Tools, and then click Certification Authority. In the navigation pane, expand Certificate Authority (Local). Right-click Fabrikam Root CA and then click Properties. On the Extensions tab, under Select extension, click Authority Information Access (AIA) and you will see the graphical representation of the AIA settings.
Additional Information
Clients will use the CDP to locate the CRL for the certificates issued by the CA. This allows certificate clients to ensure that the certificates have not been revoked. You can also configure the CDP with the user interface, certutil, and the registry. Using a certutil command is a quick and common method for configuring the CDP. When you run the following certutil command, you will be configuring a static file system location, an LDAP location, an HTTP location, and a file system location.
Note: The file system location that you will be setting will allow the CRL to be copied over the network to the web server (SRV1), which is why we earlier allowed the Cert Publishers group access to the share and folder. All CAs are members of the Cert Publishers group, so we effectively allowed all CAs to copy to the CertEnroll folder on SRV1. Some administrators decide to configure a separate group of specific computers for that purpose or even grant permissions to the CAs individually.
The certutil command to set the CDP modifies the registry, so ensure that you run the command from a command prompt run as Administrator. Run the following command:
certutil -setreg CA\CRLPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n2:http://pki.fabrikam.com/CertEnroll/%3%8%9.crl"
After you run that command, run the following certutil command to verify your settings:
certutil -getreg CA\CRLPublicationURLs
In the registry location HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\Fabrikam Root CA, you can open the REG_MULTI_SZ value and see the configuration of these values:
1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl
10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
2:http://pki.fabrikam.com/CertEnroll/%3%8%9.crl
Additional Information
You can also see this in the CA (certsrv) console. To open the console, click Start, click Administrative Tools, and then click Certification Authority. In the navigation pane, ensure that Certificate Authority (Local) is expanded. Right-click Fabrikam Root CA and then click Properties. On the Extensions tab, under Select extension, click CRL Distribution Point (CDP) and you will see the graphical representation of the CDP settings.
At an administrative command prompt, run the following commands to restart Active Directory Certificate Services and to publish the CRL:
net stop certsvc && net start certsvc
certutil -crl
Enterprise CAs must be joined to the domain. Before you install the Enterprise Issuing CA (CA02), you must first join the server to the domain. Then you can install the Certification Authority role service on the server.
To join CA02 to the domain:
[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies=InternalPolicy

[InternalPolicy]
OID=1.2.3.4.1455.67.89.5
URL=http://pki.fabrikam.com/cps.txt

[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=1

5. Click File and Save to save the CAPolicy.inf file in the C:\Windows directory.
Important: Ensure that the CAPolicy.inf is saved as an .inf file. The file will not be used if it is saved with any other file extension.
6. Close Notepad.
Notes
To publish the root CA certificate and certificate revocation list (CRL):
Additional information
TechNet Library: Appendix A: Directory Objects
TechNet Library: Certutil Syntax
To install the subordinate issuing CA on CA02.fabrikam.com:
Copy C:\CA02.fabrikam.com_Fabrikam Issuing CA.req to your removable media. For example, if you want to copy to a floppy disk drive using the drive letter A:, you would run the following command from a command prompt:
To submit the certificate request and issue the requested certificate:
To install the certificate and start the Certification Authority service on CA02:
There are multiple settings to configure to complete the installation of the issuing CA. These are similar to the tasks that were needed to complete the configuration of the root CA.
To configure certificate revocation and CA certificate validity periods:
Using a certutil command is a quick and common method for configuring the AIA. When you run the following certutil command, you will be configuring a static file system location, a Lightweight Directory Access Protocol (LDAP) location, and an HTTP location for the AIA. The certutil command to set the AIA modifies the registry, so ensure that you run the command from a command prompt run as Administrator. Run the following command:
certutil -setreg CA\CACertPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n2:http://pki.fabrikam.com/CertEnroll/%1_%3%4.crt"
After you have run that command, run the following command to confirm your settings:
certutil -getreg CA\CACertPublicationURLs
If you look in the registry under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\Fabrikam Issuing CA, you can confirm the CACertPublicationURLs by opening that REG_MULTI_SZ value. You should see the following:
1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt
2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11
2:http://pki.fabrikam.com/CertEnroll/%1_%3%4.crt
You can also see this in the CA (certsrv) console. To open the console, click Start, click Administrative Tools, and then click Certification Authority. In the navigation pane, expand Certificate Authority (Local). Right-click Fabrikam Root CA and then click Properties. On the Extensions tab, under Select extension, click Authority Information Access (AIA) and you will see the graphical representation of the AIA settings.
From an administrative command prompt, run the following command to copy the Fabrikam Issuing CA certificate to the HTTP AIA location:
copy "c:\Windows\System32\certsrv\certenroll\CA02.fabrikam.com_Fabrikam Issuing CA.crt" \\srv1.fabrikam.com\c$\certenroll\
Clients will use the CDP to locate the CRL and delta CRLs for the certificates issued by the CA. This allows certificate clients to ensure that the certificates have not been revoked. You can also configure the CDP with the user interface, certutil, and the registry. Using a certutil command is a quick and common method for configuring the CDP. When you run the following certutil command, you will be configuring a static file system location, an LDAP location, an HTTP location, and a file system location.
Note: The file system location that you will be setting will allow the CRL to be copied over the network to the web server (SRV1), which is why we earlier allowed the Cert Publishers group access to the share and folder. All CAs are members of the Cert Publishers group, so we effectively allowed all CAs to copy to the CertEnroll folder on SRV1. Some administrators decide to configure a separate group of specific computers for that purpose or even grant permissions to the CAs individually.
The certutil command to set the CDP modifies the registry, so ensure that you run the command from a command prompt run as Administrator. Run the following command:
certutil -setreg CA\CRLPublicationURLs "65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n6:http://pki.fabrikam.com/CertEnroll/%3%8%9.crl\n65:file://\\srv1.fabrikam.com\CertEnroll\%3%8%9.crl"
After you run that command, run the following certutil command to verify your settings:
certutil -getreg CA\CRLPublicationURLs
In the registry location HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\Fabrikam Issuing CA, you can open the REG_MULTI_SZ value and see the configuration of these values:
65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl
79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
6:http://pki.fabrikam.com/CertEnroll/%3%8%9.crl
65:file://\\srv1.fabrikam.com\CertEnroll\%3%8%9.crl
Additional Information
To configure the OCSP response signing certificate:
In this section you will use a few different methods and tools to verify your PKI hierarchy health:
To obtain a certificate for WIN7 and verify PKI health: