Deploying Certification Authority on Windows Server 2016

Posted: January 11, 2017 in Windows Server

Installing Web Server:

install-windowsfeature web-server -IncludeManagementTools

Create DNS CNAME record for web server


Create a shared folder where the Certificate Revocation List (CRL) and certificates from the Certificate Authority (CA) will be available

A Certificate Revocation List (CRL) is a list of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date and should no longer be trusted.

New-Item c:\cert -type directory
New-SmbShare -Name 'cert' -Path 'C:\cert' -ChangeAccess 'test\cert publishers'

Download the NTFSSecurity module and import it

import-module .\NTFSSecurity.psd1

Give NTFS Read permissions to Everyone and Anonymous logon

Add-NTFSAccess -Path C:\cert -Account 'ANONYMOUS LOGON' -AccessRights Read
Add-NTFSAccess -Path C:\cert -Account 'Everyone' -AccessRights FullControl

Create Virtual Directory

In the IIS console right-click Default Web Site and choose Add Virtual Directory.

With the virtual directory selected on the left, double-click Request Filtering.

Click Edit Feature Settings.

Check Allow double escaping.
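The web-server side of this procedure (CNAME, folder, share, NTFS permissions, virtual directory, double escaping), as one added PowerShell example that is not part of the original post. It assumes the post's names (domain test.com, web server web.test.com, alias cert.test.com, folder C:\cert, group test\Cert Publishers) and uses the built-in Get-Acl/Set-Acl cmdlets in place of the NTFSSecurity module. Unlike the post's command it gives Everyone Read rather than FullControl, and gives Cert Publishers Modify so the CA can still publish to the folder.

```powershell
# Added example (not from the original post). Assumptions: domain test.com,
# web server "web", alias cert.test.com, folder/share C:\cert and the group
# "test\Cert Publishers" (the post's own values). NTFS rights are set with the
# built-in Get-Acl/Set-Acl instead of the NTFSSecurity module the post imports.

# 1. Web server role and the IIS PowerShell module
Install-WindowsFeature Web-Server -IncludeManagementTools
Import-Module WebAdministration

# 2. DNS alias for the publication point (run on a DNS server)
Add-DnsServerResourceRecordCName -ZoneName 'test.com' -Name 'cert' -HostNameAlias 'web.test.com'

# 3. Folder and SMB share: only Cert Publishers may change, everyone else reads
New-Item -Path 'C:\cert' -ItemType Directory -Force | Out-Null
New-SmbShare -Name 'cert' -Path 'C:\cert' -ChangeAccess 'test\Cert Publishers' -ReadAccess 'Everyone'

# 4. NTFS: Read for Everyone and ANONYMOUS LOGON, Modify for Cert Publishers.
#    Everyone gets Read, not FullControl: anyone able to write here could delete
#    or replace the published CRL and break revocation checking for all clients.
$acl = Get-Acl -Path 'C:\cert'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rules = @(
    @{ Id = 'Everyone';             Rights = 'ReadAndExecute' },
    @{ Id = 'ANONYMOUS LOGON';      Rights = 'ReadAndExecute' },
    @{ Id = 'test\Cert Publishers'; Rights = 'Modify' }
)
foreach ($r in $rules) {
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $r.Id, $r.Rights, $inherit, 'None', 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path 'C:\cert' -AclObject $acl

# 5. IIS virtual directory /cert under Default Web Site, backed by the same folder
New-WebVirtualDirectory -Site 'Default Web Site' -Name 'cert' -PhysicalPath 'C:\cert'

# 6. Allow double escaping on that virtual directory: delta CRL file names contain
#    a "+" (<CaName>+.crl) and IIS request filtering rejects it otherwise.
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\cert' `
    -Filter 'system.webServer/security/requestFiltering' `
    -Name 'allowDoubleEscaping' -Value $true

# 7. Check: share access list, and no write right for Everyone or ANONYMOUS LOGON
Get-SmbShareAccess -Name 'cert'
(Get-Acl 'C:\cert').Access |
    Where-Object { $_.IdentityReference.Value -in 'Everyone', 'NT AUTHORITY\ANONYMOUS LOGON' -and
                   $_.FileSystemRights -match 'Write|Modify|FullControl' } |
    ForEach-Object { Write-Warning "Write access granted to $($_.IdentityReference)" }
```

The final check is the one worth keeping around: a CRL is signed, so a writer cannot forge one, but anyone who can delete or overwrite the file can make revocation checking fail for every client that relies on this URL.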

Configuring Certification Authority Server 

In C:\Windows create a new file CAPolicy.inf

The CRL settings (period and distribution point) are specified in this file

[Version]
Signature="$Windows NT$"
[PolicyStatementExtension]
Policies=InternalPolicy
[InternalPolicy]
OID=1.2.3.4.1455.67.89.5
Notice="Legal Policy Statement"
URL=http://cert.test.com/cert/cps.txt
[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5
CRLPeriod=weeks
CRLPeriodUnits=1
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=1
[CRLDistributionPoint]
[AuthorityInformationAccess]

Install Certification Authority role on DC:

Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA

Open the CA console, click the Extensions tab and in Select extension choose CRL Distribution Point (CDP).

Delete the last three entries (ldap, http, file).

After deleting these entries, click Add

and enter http://cert.test.com/cert/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

Check Include in CRLs… and Include in the CDP…


Now, from Select extension choose Authority Information Access (AIA).

Authority Information Access (AIA) is used to publish where a copy of the issuer's certificate may be downloaded. Paths specified in this extension can be used by an application or service to retrieve the issuing CA certificate. These CA certificates are then used to validate the certificate signature and to build a path to a trusted certificate.

Delete the ldap, http and file entries.

Then click Add and enter

http://cert.test.com/cert/<ServerDNSName>_<CaName><CertificateName>.crt

Check Include in the AIA extension of issued certificates.

All paths specified above point to the network share on the web server (\\web\cert) and to the web virtual directory (http://cert.test.com).

Publish the CRL

certutil -crl

Copy CA Certificate and CRL to network share

copy C:\Windows\system32\certsrv\certenroll\*.crt \\WEB\cert
copy C:\Windows\system32\certsrv\certenroll\*.crl \\WEB\cert
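The CDP/AIA, publish and copy steps above, as an added PowerShell example that is not from the original post: it uses the ADCSAdministration cmdlets on the CA instead of the console, then publishes the CRL, copies the files to the share and fetches the CRL over HTTP as a check. It assumes the post's URL http://cert.test.com/cert/ and share \\WEB\cert; the %1, %3, %4, %8 and %9 tokens are certutil's equivalents of the <ServerDNSName>, <CaName>, <CertificateName>, <CRLNameSuffix> and <DeltaCRLAllowed> variables shown in the console.

```powershell
# Added example (not from the original post). Assumptions: URL
# http://cert.test.com/cert/ and share \\WEB\cert from the post; tokens
# %1=<ServerDNSName> %3=<CaName> %4=<CertificateName> %8=<CRLNameSuffix>
# %9=<DeltaCRLAllowed>. Run on the CA as a CA administrator.
Import-Module ADCSAdministration

# 1. CDP: remove the default ldap, http and file entries (the local CertEnroll
#    path the CA publishes to stays), then add the HTTP URL with the two boxes
#    the post ticks: "Include in CRLs..." (-AddToFreshestCrl) and
#    "Include in the CDP extension of issued certificates" (-AddToCertificateCdp).
Get-CACrlDistributionPoint |
    Where-Object { $_.Uri -match '^(ldap|http|file):' } |
    ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }

Add-CACrlDistributionPoint -Uri 'http://cert.test.com/cert/%3%8%9.crl' `
    -AddToCertificateCdp -AddToFreshestCrl -Force

# 2. AIA: same idea; the HTTP URL goes into the AIA extension of issued certs
Get-CAAuthorityInformationAccess |
    Where-Object { $_.Uri -match '^(ldap|http|file):' } |
    ForEach-Object { Remove-CAAuthorityInformationAccess -Uri $_.Uri -Force }

Add-CAAuthorityInformationAccess -Uri 'http://cert.test.com/cert/%1_%3%4.crt' `
    -AddToCertificateAia -Force

# 3. Extension changes only take effect after the service restarts
Restart-Service certsvc

# 4. Publish a fresh CRL and copy CA certificate and CRL to the web share
certutil -crl
Copy-Item 'C:\Windows\System32\CertSrv\CertEnroll\*.crt' '\\WEB\cert\'
Copy-Item 'C:\Windows\System32\CertSrv\CertEnroll\*.crl' '\\WEB\cert\'

# 5. Show what the CA will now write into issued certificates
Get-CACrlDistributionPoint | Format-Table Uri, AddToCertificateCdp, AddToFreshestCrl
Get-CAAuthorityInformationAccess | Format-Table Uri, AddToCertificateAia

# 6. Fetch the base CRL (not the delta "*+.crl") over HTTP exactly as a client
#    would; a failure here means clients will fail revocation checking.
$crlName = (Get-ChildItem 'C:\Windows\System32\CertSrv\CertEnroll\*.crl' |
    Where-Object { $_.Name -notlike '*+.crl' } | Select-Object -First 1).Name
$tmp = Join-Path $env:TEMP $crlName
Invoke-WebRequest -Uri "http://cert.test.com/cert/$crlName" -OutFile $tmp
certutil -dump $tmp | Select-String 'Issuer|ThisUpdate|NextUpdate'
```

The last step is the one pkiview.msc performs for you; doing it by hand shows whether the DNS alias, the virtual directory and the copied file all line up before any certificate that carries the new URL is issued.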

 


 

Check CA “health”

Run pkiview.msc (the Enterprise PKI snap-in)

Auto-enrollment of certificates using GPO

Computer Configuration - Windows Settings - Security Settings - Public Key Policies - Certificate Services Client - Auto-Enrollment - Configuration Model: Enabled
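The auto-enrollment setting above, as an added PowerShell example that is not from the original post: it writes the same policy with the GroupPolicy module and checks the result on a domain member. The GPO name "Certificate Autoenrollment" and the domain test.com are assumptions; the registry value AEPolicy under HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment is what the GPO editor writes for this setting (7 = Enabled with both renewal/update options checked, 0x8000 = Disabled).

```powershell
# Added example (not from the original post). Assumptions: GPO name
# "Certificate Autoenrollment" (hypothetical) linked at the domain test.com.
# AEPolicy is the registry value behind "Certificate Services Client -
# Auto-Enrollment": 7 = Enabled with both options, 0x8000 = Disabled.
Import-Module GroupPolicy

$gpoName = 'Certificate Autoenrollment'
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName
    New-GPLink -Name $gpoName -Target 'DC=test,DC=com' | Out-Null
}

# Computer Configuration > Windows Settings > Security Settings > Public Key Policies
# > Certificate Services Client - Auto-Enrollment > Configuration Model: Enabled
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' `
    -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null

# Verify the GPO carries the value
Get-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'

# --- on a domain member, once the GPO has replicated ---
gpupdate /target:computer /force
certutil -pulse            # trigger the auto-enrollment task now instead of waiting
# Auto-enrollment only issues certificates from templates on which the computer
# (or a group it belongs to) holds Read, Enroll and Autoenroll; list what arrived:
Get-ChildItem Cert:\LocalMachine\My | Format-Table Subject, Issuer, NotAfter, Thumbprint
```

Enabling the policy alone issues nothing; the templates a computer may auto-enroll for are what decide which certificates appear in the machine store, so review those template permissions as carefully as the GPO itself.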

 


 
