Barracuda Email Security Gateway Setup and Deployment

KB ID 0001253 

Problem

This is the process for setting up both physical and virtual Barracuda Email Security Gateway appliances (formerly the Barracuda Spam Firewall).

Note: This walkthrough sets out the basic steps to get your appliance working and inspecting email; it's not an exhaustive list of all the features of the appliance.

Solution

Before you start, I'm assuming that if you have a physical appliance it's racked and connected to the correct network, or if you are using a virtual appliance it's been deployed from the OVA and connected to the correct network.

Barracuda Email Gateway Initial Setup

To get access to the appliance, the default username and password are admin and admin.

Navigate to TCP/IP Configuration > enter the IP addressing information, then ensure you SAVE the config.

You will also need to enter the licence token that was supplied to you by your reseller; again, make sure you SAVE the configuration.

Exit; you are prompted to type YES, and the system will reboot.

Barracuda Email Gateway Mail Configuration

Once the appliance has rebooted, you can connect to it through a web browser (via https). The username and password will still be admin/admin. The first task is to update the appliance to the latest version (Advanced > Firmware Update). You may need to do this a few times, and each update will require a reboot of the appliance.

Basic > Administration > Email Notifications: set up an email address for system alerts and a system contact email address. Save the changes.

On the same tab > change the time zone (this may require another reboot).

Basic > IP Configuration > Destination Mail Server TCP/IP Configuration: enter the details of your Exchange server (MS Exchange note: one that already has a configured receive connector). Use the 'Test Email Connection' button to make sure it's working. Also set a local hostname and domain name. WARNING: don't use the default of Barracuda, as this is displayed to the outside world (best not to advertise your email filter vendor).

Domains > Domain Manager: add all the domains that you want to filter email for.

Barracuda Manage Domains or Manage Globally

IMPORTANT: You can change settings for each individual domain (handy if you filter email for a lot of different customers' domains), or you can change settings globally. To manage an individual domain, navigate to Domains > Domain Manager > select the domain and click Manage Domain. From this point forward you are only changing settings for this managed domain. You return to global configuration by clicking 'Manage System'.

I've mentioned this now because the next steps are carried out 'per domain'.

For each Exchange-managed domain (i.e. an Active Directory domain): Users > LDAP Configuration > change Exchange Accelerator/LDAP Verification to 'Yes' > enter the FQDN of one of your domain controllers > LDAP Port (use 389 or 3268) > then enter the 'Distinguished Name' and password of a domain user. Make sure the test passes before you proceed.

How do you find a Distinguished Name? Run the following dsquery command;

[box]dsquery user -name "User Name"[/box]

Why have you just done this? Because now the Barracuda will reject all mail sent to this domain for users that do not exist. Spammers bulk-mail known good domain names with random user names in the hope of getting lucky. Repeat for any other domains you are authoritative for, but ensure the test uses an email address belonging to the domain you are protecting, like so;
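As an added example (not part of the original article, and not Barracuda's code), here is the same recipient lookup reproduced in PowerShell with System.DirectoryServices, so you can confirm from a domain-joined admin box that the domain controller answers the query the appliance will make, and get the service account's Distinguished Name without dsquery. It binds with your own logged-on credentials rather than the DN/password pair the appliance uses; dc01.example.local, svc_barracuda and the two test addresses are constructed placeholders.

```powershell
# Added example, not from the original article: reproduce what the Barracuda's
# LDAP recipient verification asks the domain controller, using the caller's
# own domain credentials. Names below are constructed placeholders.
$DomainController = 'dc01.example.local'   # assumed DC FQDN
$LdapPort         = 389                     # or 3268 for the Global Catalog

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping, so a crafted address cannot change the meaning of the filter.
    param([string]$Value)
    return [regex]::Replace($Value, '[\\*()\x00]', {
        param($m) '\' + ('{0:x2}' -f [int][char]$m.Value)
    })
}

function Get-SearchRoot {
    # Bind to RootDSE first so the search base is discovered rather than hard-coded.
    param([string]$Server, [int]$Port)
    $rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://${Server}:${Port}/RootDSE")
    $base    = [string]$rootDse.defaultNamingContext
    return New-Object System.DirectoryServices.DirectoryEntry("LDAP://${Server}:${Port}/$base")
}

function Find-DistinguishedName {
    # Runs one LDAP query and returns the matching object's DN, or $null if nothing matched.
    param([string]$Filter)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = Get-SearchRoot -Server $DomainController -Port $LdapPort
    $searcher.Filter = $Filter
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $hit = $searcher.FindOne()
    if ($hit) { return [string]$hit.Properties['distinguishedname'][0] }
    return $null
}

function Get-AccountDn {
    # The DN to paste into the Barracuda's LDAP bind field (what dsquery user -name gives you).
    param([string]$SamAccountName)
    $safe = ConvertTo-LdapFilterValue $SamAccountName
    Find-DistinguishedName "(&(objectClass=user)(sAMAccountName=$safe))"
}

function Test-Recipient {
    # Accept only addresses that exist as a primary (mail) or proxy SMTP address.
    param([string]$Address)
    $safe = ConvertTo-LdapFilterValue $Address
    Find-DistinguishedName "(&(objectClass=user)(|(mail=$safe)(proxyAddresses=smtp:$safe)))"
}

"Bind DN for the Barracuda: $(Get-AccountDn 'svc_barracuda')"
foreach ($addr in 'alice@example.local', 'qzx7-random@example.local') {
    $dn = Test-Recipient $addr
    if ($dn) { "ACCEPT $addr -> $dn" } else { "REJECT $addr (no such recipient)" }
}
```

Port 3268 queries the Global Catalog, which is what you want when the appliance filters for several domains in one forest; with 389 the search base discovered from RootDSE only covers the domain controller's own domain. The escaping function matters because the value being looked up arrives from the internet in the RCPT TO command.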

Back in global configuration, I'm going to set Quarantine on a user-by-user basis (rather than globally). Basic > Quarantine > enable per-user, then enter an email address and the FQDN of the Barracuda appliance > Save.

Basic > Spam Checking: the actual levels you want may require some tuning, but this is a good place to start. You would normally use either Quarantine or Tagging; I'm setting the appliance to block at level 6 and quarantine at level 3. (Note: these levels are scores that the Barracuda assigns to emails, grading the likelihood of them being spam.)

The Barracuda (like most email platforms) won't accept email from any IP/host/subnet unless you allow it. So that your email server can send mail through the Barracuda you need to add it: Basic > Outbound > Relay Using Trusted IP/Range > enter either the IP addresses of your mail servers, or the subnet they are on.

Configure Exchange 2013/2016 To Send Mail via Barracuda

I know there are many email platforms, but I'm using Exchange 2016. To send email via this appliance you need to add it as a 'Smart Host' on the Exchange organisation's 'Send Connector'. Log into the Exchange Admin Center > Mail Flow > Send Connectors > select the connector > Edit.

Delivery Tab > Enter the FQDN or IP of the Barracuda > Save.

Then restart the Microsoft Exchange Transport Service.
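The same change from the Exchange Management Shell, as an added example rather than code from the original article: it sets the smart host on the connector, switches the connector off DNS (MX) routing, which is what the EAC does silently when you enter a smart host, reads the connector back so you can confirm it, and restarts transport. The connector name and the Barracuda FQDN are assumptions; substitute your own.

```powershell
# Added example, not from the original article: PowerShell equivalent of the EAC
# smart-host steps. Run in the Exchange Management Shell as an Exchange administrator.
$ConnectorName = 'Internet Send Connector'   # assumed: the name shown under Mail Flow > Send Connectors
$SmartHost     = 'barracuda.example.local'    # assumed: FQDN (or IP) of the Barracuda appliance

function Set-BarracudaSmartHost {
    param([string]$Name, [string]$SmartHost)
    # A smart host and DNS routing are mutually exclusive on a send connector; with
    # DNSRoutingEnabled left on, Exchange would keep delivering straight to MX records.
    Set-SendConnector -Identity $Name -SmartHosts $SmartHost -DNSRoutingEnabled $false
    # Read it back: this is the check to do before restarting transport.
    Get-SendConnector -Identity $Name |
        Select-Object Name, SmartHosts, DNSRoutingEnabled, AddressSpaces, Enabled
}

Set-BarracudaSmartHost -Name $ConnectorName -SmartHost $SmartHost | Format-List

# The article's next step: restart the Microsoft Exchange Transport service.
Restart-Service MSExchangeTransport
```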

Exchange Receive Connector: You probably already have a receive connector configured for internet email (i.e. set to anonymous, for port 25). In some Exchange deployments you may need to add a connector for the Barracuda and allow it to relay mail through Exchange.

Repoint Mail ‘Feed’ To Barracuda

How you do this depends on your network setup and firewall vendor. If you already have mail coming into your mail server, then you are probably doing one of the following;

  • Port forwarding SMTP (TCP port 25) from your public IP to the internal IP of the mail server.
  • A static NAT of a public IP address to the internal/private IP of the mail server, with SMTP (TCP port 25) opened to that IP.

In either case, you need to change the private IP address that mail is pointed at, from your mail server to the Barracuda's IP. If you are using a Cisco firewall or router, I've already written some articles that may help; take a look at the following.

Cisco PIX / ASA Port Forwarding

Add a Static (One to One) NAT Translation to a Cisco ASA 5500 Firewall

Juniper (JUNOS) SRX – Static ‘One-to-One’ NAT

Cisco Routers – Port Forwarding

Changing Public IP Address Warning

Be aware that if you change the public IP address that you accept mail on, you need to change your DNS MX records to match (if you use SPF records those may also need changing). See the following article;

Setting up the Correct DNS Records for your Web or Mail Server

All being well, you should now see mail flowing through the Barracuda (Message Log).

Related Articles, References, Credits, or External Links

NA

Outlook Web App :-( Something Went Wrong

KB ID 0001252 

Problem

I tried to get access to OWA on my Exchange 2016 server and was greeted with this;

🙁
Something Went Wrong
We're having trouble getting to your mailbox right now. Please refresh the page or try again later

Solution

I've pointed it out on the image above, but it's easy to miss: look at the time stamp on the error and compare it to the correct time. The two are not the same.

This is a known problem on both Exchange 2013 and Exchange 2016. It's fixed in one of the cumulative updates; I was still on the RTM install version, so I updated it.

After that it worked fine.

Related Articles, References, Credits, or External Links

Microsoft Exchange Server Build Numbers

Exchange – Event ID 205 and Event ID 16025

KB ID 0001251 

Problem

At a client this week, they were having a LOT of mail flow problems. Looking at the queue viewer, I could see that all their mail was sat in queues waiting to go into their mail stores. There was a queue for each mail store, and the error on each was "451 4.4.0 DNS query failed Exchange Server error in message queue". Looking in the Application log, it was full of Event ID 205 and 16025 errors stating;

Source MSExchange Common

No DNS servers could be retrieved from network adapter {GUID} Check that the computer is connected to a network and that the Get-NetworkConnectionInfo cmdlet returns results.

OR

No DNS servers could be retrieved from network adapter {GUID}. Verify that the computer is connected to a network and that the Get-NetworkConnectionInfo cmdlet returns results.

Solution

First you need to get the 'Identity' of your actual network card with the Get-NetworkConnectionInfo command (make sure the correct DNS settings are set for this NIC, i.e. it's not pointing to a PUBLIC DNS server!). Once you have it, change the Transport service to use this new ID with a Set-TransportServer command.

[box]Set-TransportServer {Name-Of-Server} -InternalDNSAdapterGUID {GUID} -ExternalDNSAdapterGUID {GUID}[/box]

Then Restart the Microsoft Exchange Transport Service and the Microsoft Exchange Mailbox Transport Service.
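The same procedure as an added PowerShell example (not the article's own code): it lists what Get-NetworkConnectionInfo reports, picks the one adapter whose DNS servers are all private (RFC 1918) addresses, which is the article's "not a PUBLIC DNS server" check made mechanical, then applies the Set-TransportServer command above with that adapter's Identity and restarts the transport services. The server name comes from the local computer name; the service names used for the restart are the standard Exchange 2013/2016 ones.

```powershell
# Added example, not from the original article: choose the adapter whose DNS servers
# are all internal addresses and point both transport DNS adapter settings at it.
# Run in the Exchange Management Shell on the affected server, as an administrator.

function Test-PrivateIPv4 {
    # True for 10/8, 172.16/12 and 192.168/16; anything else (including IPv6) is treated as public.
    param([string]$Ip)
    $o = $Ip.Split('.')
    if ($o.Count -ne 4) { return $false }
    $a = [int]$o[0]; $b = [int]$o[1]
    return ($a -eq 10) -or ($a -eq 172 -and $b -ge 16 -and $b -le 31) -or ($a -eq 192 -and $b -eq 168)
}

function Get-InternalDnsAdapter {
    # Exchange's own view of the NICs; Identity is the GUID the article tells you to note.
    $adapters = @(Get-NetworkConnectionInfo)
    $adapters | Format-Table Name, Identity, DnsServers -AutoSize | Out-String | Write-Host

    $good = @($adapters | Where-Object {
        $dns = @($_.DnsServers | ForEach-Object { $_.ToString() })
        $dns.Count -gt 0 -and @($dns | Where-Object { -not (Test-PrivateIPv4 $_) }).Count -eq 0
    })
    if ($good.Count -ne 1) {
        throw "Expected exactly one adapter with only internal DNS servers, found $($good.Count). Fix the NIC DNS settings first."
    }
    return $good[0]
}

$nic  = Get-InternalDnsAdapter
$guid = [guid]$nic.Identity.ToString()
Set-TransportServer -Identity $env:COMPUTERNAME -InternalDNSAdapterGuid $guid -ExternalDNSAdapterGuid $guid

# The article's last step: restart transport so the new adapter GUID is used.
Restart-Service MSExchangeTransport
Restart-Service MSExchangeDelivery, MSExchangeSubmission   # the Mailbox Transport services
```

If the throw fires, that is the diagnosis: either a NIC still lists a public resolver, or two NICs both qualify and you need to decide which one Exchange should use before running Set-TransportServer.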

Related Articles, References, Credits, or External Links

NA

Install and Configure Certificate Enrolment Policy Web Service

KB ID 0001250

Problem

A client had moved a domain-joined server into their DMZ, and while they had opened the correct ports for domain authentication on their firewall, no one had considered the certificates on the server, which had expired and could not be renewed.

Some research pointed me towards the Certificate Enrolment Web Service. Its job is to let clients enrol and renew certificates from either non-domain-joined machines or machines that cannot contact your PKI environment. This was just what I needed; I just needed to test the concept. So I built a domain, set up a CA and a DMZ (with the same firewall as my client, a Cisco ASA), then moved a domain client into the DMZ. Domain authentication was set up as follows;

Cisco ASA – Allowing Domain Trusts, and Authentication

Solution

Before starting, I would suggest creating a 'service account' to run the enrolment service. You need to be an admin to install the services, but this account does not need to be (it does need to be in the LOCAL IIS_IUSRS group on your CES/CEP server(s)). Below you will see I've named my user svc_ca.

You need to already have a PKI/CA set up. You can split the CES 'Web Service' and CEP 'Policy Web Service' across different hosts if you want, but for this example I'm simply putting both roles on the same server.

Then you need to run the post deployment configuration.

Again I’m configuring both roles at the same time.

I've only got one, but choose the CA server on which to house the CES role.

As I mentioned above, I’m using Windows authentication, if you are deploying certs to a DMZ, yours may be better set to username/password.

Specify the service account you created earlier.

Again choose your authentication method.

Now you need to create a 'Service Principal Name' (SPN) for your service account that's tied to your Certificate Enrolment Web Services server. Open an administrative command window on the CES server and issue the following command;

[box]setspn -s http/{FQDN-OF-Server} {Domain-Name}\{User-Name}[/box]

Now your user has an SPN, they will get another 'Tab' on their user object called 'Delegation'. Add in the CES server for the following service types.

  • HOST
  • rpcss

On your certificate enrolment policy server, open the Internet Information Services (IIS) Manager console. Expand {Server-Name} > Sites > Default Web Site > ADPolicyProvider_CEP_Kerberos > Application Settings.

Locate the Friendly Name section > locate the 'Value' > change its last hexadecimal character (0 to 9 or A to F) from what it is currently > OK.

Open an Administrative Command Window > Issue an IISRESET command.

Setup Enrolment Policies

To actually use the CES/CEP service your client needs to know where it is. There are TWO methods of telling it: you can either use the Certificates snap-in, or use a 'Local Group Policy' on the target machines.

Managing Enrolment Policies With Certificates Snap-In

Windows Key+R > MMC {Enter} > File > Add/Remove Snap-In > Certificates > Local Computer > When the console opens > Action > All Tasks > Advanced Operations > Manage Enrolment Policies.

Add > Enter the URI of the CEP Server;

[box]https://{FQDN-Of-CES-Server}/ADPolicyProvider_CEP_Kerberos/service.svc/CEP[/box]

Note: To access via https, you may need to manually add a web server certificate for the URL/common name of the CEP server. See the following article;

IIS: How to Create a Certificate Request

Validate Server > Add.

Managing Enrolment Policies With Certificates Local Group Policy

Windows Key+R > gpedit.msc {Enter} > Computer Configuration > Windows Settings > Security Settings > Public-Key Policies > Certificate Services Client – Certificate Enrolment Policy.

Add > Enter the URI of the CEP Server;

[box]https://{FQDN-Of-CES-Server}/ADPolicyProvider_CEP_Kerberos/service.svc/CEP[/box]

Validate Server > Add.

If you already have an Active Directory Enrolment Policy listed, make sure it's NOT selected and your newly created CES policy is set as default > Apply.

Enrol Or Renew Certificates From CES

Now if you attempt to enrol for a certificate, your machine will use the CES policy.

Related Articles, References, Credits, or External Links

URI Was Validated Successfully But there Was No Friendly Name Returned

Certificate Enrolment – URI This ID conflicts with an Existing ID

URI Was Validated Successfully But there Was No Friendly Name Returned

KB ID 0001249 

Problem

When attempting to connect a host to a Certificate Enrolment Policy Server it worked, but had the following complaint;

WARNING: The URI “https://{Host-Name}ADPolicyPRovice_CEP_{Method}/service.svc/CEP” was validated sucessfully but there was no friendly name returned by the remote machine.

Solution

On your certificate enrolment policy server, open the Internet Information Services (IIS) Manager console. Expand {Server-Name} > Sites > Default Web Site > ADPolicyProvider_CEP_Kerberos (yours may not end with Kerberos) > Application Settings.

Locate the Friendly Name section > Enter a descriptive name for your CEP portal > OK.

Open an Administrative Command Window > Issue an IISRESET command.

Related Articles, References, Credits, or External Links

NA

Certificate Enrolment – URI This ID conflicts with an Existing ID

KB ID 0001248

Problem

When attempting to connect a host to a Certificate Enrolment Policy Server I got this error;

The URI Entered above had ID : “{Random-GUID}”. This ID conflict with an existing ID

Solution

On your certificate enrolment policy server, open the Internet Information Services (IIS) Manager console. Expand {Server-Name} > Sites > Default Web Site > ADPolicyProvider_CEP_Kerberos (yours may not end with Kerberos) > Application Settings.

Open the ID field, and add a character to the end of it > OK.

Open an Administrative Command Window > Issue an IISRESET command.
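The two Application Settings edits from this article (KB 0001248), the friendly-name fix in KB 0001249 and the ID step in the CES install article (KB 0001250) can be done from PowerShell instead of clicking through the IIS console. This is an added example, not code from the articles; it assumes the WebAdministration module on the CEP server, that the appSettings keys are named FriendlyName and ID as the console labels suggest (an assumption), and that the application path ends in Kerberos as in the articles (yours may not). This article appends a character to the ID; the function here changes the last hexadecimal character instead, as KB 0001250 describes, so the ID keeps its length and stays a valid hex string.

```powershell
# Added example, not from the original articles: read and change the CEP application's
# FriendlyName and ID settings with the WebAdministration module, then restart IIS.
# Assumed: appSettings key names 'FriendlyName' and 'ID'; run as an administrator on the CEP server.
Import-Module WebAdministration
$CepApp = 'IIS:\Sites\Default Web Site\ADPolicyProvider_CEP_Kerberos'   # yours may not end in Kerberos

function Get-CepSetting {
    param([string]$Key)
    (Get-WebConfigurationProperty -PSPath $CepApp -Filter "appSettings/add[@key='$Key']" -Name value).Value
}

function Set-CepSetting {
    param([string]$Key, [string]$Value)
    Set-WebConfigurationProperty -PSPath $CepApp -Filter "appSettings/add[@key='$Key']" -Name value -Value $Value
}

function Get-NextHexId {
    # Change the last hexadecimal character (0-9, A-F) of an ID, wrapping F back to 0,
    # so the result is always a different but still well-formed ID.
    param([string]$Id)
    $digits = '0123456789ABCDEF'
    $last   = [char]::ToUpperInvariant($Id[-1])
    $idx    = $digits.IndexOf($last)
    if ($idx -lt 0) { throw "ID '$Id' does not end in a hexadecimal character" }
    return $Id.Substring(0, $Id.Length - 1) + $digits[($idx + 1) % 16]
}

"Before: FriendlyName='$(Get-CepSetting FriendlyName)'  ID='$(Get-CepSetting ID)'"
Set-CepSetting -Key FriendlyName -Value 'Corp CEP (Kerberos)'          # constructed name
Set-CepSetting -Key ID -Value (Get-NextHexId (Get-CepSetting ID))
"After:  FriendlyName='$(Get-CepSetting FriendlyName)'  ID='$(Get-CepSetting ID)'"

# Both articles finish with an IISRESET so the service returns the new values.
iisreset
```

Print the "Before" line first and keep it: the ID is what a client uses to tell enrolment policy servers apart, so if a machine later reports the conflict error again you can see exactly which value it still has cached.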

Related Articles, References, Credits, or External Links

NA

Mac TFTP Software (OS X)

KB ID 0001247

Problem

Every time I go to a networking event there's a sea of MacBooks in the audience. If techs like MacBooks so much, why is there such a lack of decent Mac TFTP software?

Solution

The thing is, I'm looking at the problem with my 'Windows user' head on. When I have a task to perform I'm geared towards looking for a program to do that for me. OS X is Linux (there, I said it!): Linux in a pretty dress, I'll grant you, but scratch the surface a little and there it is.

Why is that important? Well, you're already holding a running TFTP server in your hand: your Mac is already running a TFTP server, you just need to learn how to use it.

Mac TFTP Server (OS X Native)

As I said, it's probably running anyway, but to check, open a Terminal window and issue the following command;

[box]netstat -atp UDP | grep tftp[/box]

If it’s not running you can manually start and stop the TFTP server with the following commands;

[box]Start TFTP

sudo launchctl load -F /System/Library/LaunchDaemons/tftp.plist

Stop TFTP

sudo launchctl unload -F /System/Library/LaunchDaemons/tftp.plist[/box]

Note: In macOS Catalina it's disabled by default, so if you don't manually start it, you will see errors like;

[box]

%Error reading tftp://192.168.1.20/cisco-ftd-fp1k.6.6.0-90.SPA (Timed out attempting to connect)
[/box]

It would normally go without saying, but if I don't say it the post will fill up with comments! Make sure your Mac is physically connected to the same network as the network device, and has an IP address in the same range.

And make sure the device, and the Mac can ‘ping’ each other.

Use the Mac TFTP Daemon To Copy a File To a Network Device

I've got a Cisco ASA 5505, but whatever the device is does not really matter. You will have a file that you have downloaded, and you want to 'send' that file to a device. This file will probably be in your 'Downloads' folder; the TFTP daemon uses the /private/tftpboot folder, so we are going to copy the file there, then set the correct permissions on the file.

[box]

cd ~/Downloads
cp FILENAME /private/tftpboot
cd /private/tftpboot
chmod 766 FILENAME

[/box]

Note: You can also use;

[box]

sudo chmod 777 /private/tftpboot
sudo chmod 777 /private/tftpboot/*

[/box]

To set permissions on ALL files in this directory. Bear in mind that this makes the directory and every file in it world-writable, so when you have finished, unload the TFTP daemon again (the Stop TFTP command above) rather than leaving it listening.

You can then execute the command on your device to copy the file across;

[box]

ciscoasa# copy tftp flash

Address or name of remote host []? 192.168.1.5

Source filename []? asa825-59-k8.bin

Destination filename [asa825-59-k8.bin]? {Enter}

Accessing tftp://192.168.1.5/asa825-59-k8.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/asa825-59-k8.bin...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
15482880 bytes copied in 12.460 secs (1290240 bytes/sec)
ciscoasa#

[/box]

Use the Mac TFTP Daemon To Copy a File From a Network Device

There is a gotcha with the TFTP daemon: you can't copy a file to the TFTP daemon if that file does not already exist there. At first glance that sort of defeats the object, but what it really means is you have to have a file there with the same name and the correct permissions on it. In Linux you can create a file with the 'touch' command.

[box]

cd /private/tftpboot
touch FILENAME
chmod 766 FILENAME

[/box]

You can then send the file to your Mac from the device;

[box]

ciscoasa# copy flash tftp

Source filename []? asa825-59-k8.bin

Address or name of remote host []? 192.168.1.5

Destination filename [asa825-59-k8.bin]? {Enter}

Writing file tftp://192.168.1.5/asa825-59-k8.bin...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
15482880 bytes copied in 9.940 secs (1720320 bytes/sec)
ciscoasa#

[/box]

I Want Mac OS X TFTP Software!

Well, you have a limited choice if you don't like using the Mac TFTP daemon. You can install and use a GUI front end that uses the built-in TFTP software.

But if you want a 'stand-alone' piece of software then the only other one I've found is PumpKIN; you will need to disable the built-in TFTP daemon or it will throw an error.

Related Articles, References, Credits, or External Links

FortiGate TFTP : Backup To & Restore From

Backup and Restore Cisco IOS (Switches and Routers)

Backup and Restore a Cisco Firewall

CentOS – Install and Configure a TFTP Server

Cisco IOS ‘Crypto’ Unrecognized Command?

KB ID 0001246

Problem

I was working on a Cisco 3750-G last week, and I was in the process of setting up SSH access. When I went to generate the crypto key and enable SSH, it fired an error at me. In fact it wouldn't execute any crypto commands;

[box]

Core-SW(config)#crypto ?
% Unrecognized command

[/box]

Now I have seen this before (but not for a while). You need to be running a K9 version of the code. A quick 'show version' will tell you.

[box]

Core-SW#show version
Cisco IOS Software, C3750 Software (C3750-IPSERVICES-M), Version 12.2(25)SEB2, RELEASE SOFTWARE (fc1)

[/box]

Solution

So you can either just use TELNET to manage the switch, or upgrade it to a K9 version of the code (in my case c3750-ipserviceslmk9-tar.122-55.SE11). I chose to upgrade.

Upgrade Cisco Catalyst 3750G

First I tried to TFTP in the bin file, but I kept getting a lot of 'O' ('out of sequence') errors and the process failed. After discussions with a colleague, he recommended I simply use the archive download-sw command and use the TAR upgrade file instead.

WARNING: These old G series switches only have 16MB of flash in them, and the TAR file is about 13.5MB. You will need to delete the boot file and folder from flash to upgrade the IOS, but I suggest you copy the bin file out to TFTP in case there's a drama and you need to copy it back in, before you continue. (In fact, back up the switch config as well to be on the safe side!)

Setup your TFTP server, and download your image (c3750-ipserviceslmk9-tar.122-55.SE11.tar).

Delete the .bin file from the flash on the switch, and any associated folders (Note: to delete a folder, the syntax is different). Obviously you may have different files and folders.

[box]

Core-SW#delete flash:/c3750-ipservices-mz.122-25.SEB2.bin
Core-SW#delete /force /recursive flash:/c3750-i5-mz.121-19.EA1d

[/box]

Perform the upgrade;

[box]

Core-SW#archive download-sw /overwrite tftp://192.168.254.250/c3750-ipserviceslmk9-tar.122-55.SE11.tar

[/box]

It can take 10 minutes or so, but when complete, check that the boot variable is set to the new image, and then reload the switch (it may restart a couple of times; that's OK).

[box]

Core-SW(config)#do show boot
BOOT path-list : flash:c3750-ipservicesk9-mz.122-55.SE11/c3750-ipservicesk9-mz.122-55.SE11.bin
Config file : flash:/config.text
Private Config file : flash:/private-config.text
Enable Break : no
Manual Boot : no
HELPER path-list :
Auto upgrade : yes
Core-SW(config)#do reload
[CONFIMRM] Y

[/box]

Related Articles, References, Credits, or External Links

NA

Upgrade Your Microsoft PKI Environment to SHA2 (SHA256)

KB ID 0001244 

Problem

This is pretty much PART TWO of two posts addressing the need to migrate away from SHA1 before February 2017. Back in PART ONE we looked at how to upgrade the Root CA. It does not matter if it's an offline or online root CA, the process is the same. In many organisations the PKI is multi-tiered: they either have RootCA <> SubCA, or RootCA <> IntermediateCA <> IssuingCA (which is actually two SubCAs).

Below I'll run through the process to upgrade the SubCA once the RootCA has already been done. I'll also look at how that's going to affect things like NDES (Network Device Enrolment Service).

Solution

Before we think about SubCAs, the RootCA needs to be upgraded first; if it's offline, bring it online and follow the steps outlined in the previous article.

Certificate Services – Migrate from SHA1 to SHA2 (SHA256)

So your RootCA will now look like this before we start;

Note: If it's normally offline, leave it on (we need it to issue the SubCA certificate).

The command to change the CA from SHA1 to SHA256 is the same one we used on the RootCA; you will then need to restart Certificate Services.

[box]

certutil -setreg ca\csp\CNGHashAlgorithm SHA256
net stop certsvc
net start certsvc

[/box]

As with the RootCA, we need to re-generate the CA certificate.

If your RootCA is online and an Enterprise CA, you can submit the request directly to it and skip the next few steps, but let's take the 'worst case' scenario and assume our Root CA is offline (and even when online has no network connections), so we have to do the submission manually (via floppy disk).

Floppy disks? What year is this? Well, moving files between virtual machines is simple using virtual floppy disks; if you have physical machines, then you need to go hunting in drawers and cupboards!

Either way, we are doing this manually, so select CANCEL.

Copy your certificate request from the root of the system drive to your floppy drive.

Then present the floppy to your RootCA, and issue the following command;

[box]

certreq -submit "A:\02-SUB-CA.cabench.com_cabench-02-SUB-CA-CA.req"

[/box]

You will be given a 'RequestID'; write it down (you will need it in a minute). Leave the command window open!

In the Certificate Services management console > open 'Pending Requests' > locate the RequestID number you noted above, and issue the certificate.

Back at your command window, retrieve the certificate with the following command (use the RequestID again);

[box]

certreq -retrieve 4 "A:\02-SUB-CA.cabench.com_cabench-02-SUB-CA-CA.crt"

[/box]

Take your floppy back to the SubCA and install the certificate (change file types to 'All Files').

Now your SubCA is using a SHA256 certificate.

Repeat the process for any further SubCAs.

I Use NDES How Will That Be Affected?

Having had problems with certificates and NDES before, I was concerned about this the most, because I have to look after a lot of Cisco equipment that gets certs from NDES (or SCEP if you prefer). I'm happy to say NDES worked fine with SHA256 certificates. Below I successfully issued certs to a Cisco ASA (running 9.2(4)).

Related Articles, References, Credits, or External Links

Certificate Services – Migrate from SHA1 to SHA2 (SHA256)

Windows Server 2012 – Install and Configure NDES

Cisco ASA – Enrolling for Certificates with NDES

Cisco IOS – Enrolling for Certificates with NDES

Certificate Services – Migrate from SHA1 to SHA256

KB ID 0001243

Problem

It's time to start planning! Microsoft will stop their browsers displaying the 'lock' icon for services that are secured with a certificate that uses SHA1. This is going to happen in February 2017, so now's the time to start thinking about testing your PKI environment and making sure all your applications support SHA2.

Note: This includes code that has been signed using SHA1 as well!

Solution: SHA1 to SHA256

Below I'm just using an 'offline root CA' server. If you have multi-tiered PKI deployments, then start at the root CA, fix that, then reissue your Sub CA certificates to your intermediate servers, fix them, then repeat the process for any issuing CA servers. Obviously, if you only have a two-tier PKI environment you will only need to do the root and Sub CA servers.

For your SubCAs, see PART TWO of this article.

Upgrade Your Microsoft PKI Environment to SHA2 (SHA256)

What about certificates that have already been issued?

We are NOT going to revoke any CA certificates that have already been issued, so existing certificates will remain unaffected.

Here we can see my CA server is using SHA1.

Note: If your server says the provider is Microsoft Strong Cryptographic Provider and not Microsoft Software Key Storage Provider, then skip down a bit.

You may have multiple Certificates (that is not unusual).

Open a PowerShell window (run as administrator) and issue the following command;

[box]

certutil -setreg ca\csp\CNGHashAlgorithm SHA256

[/box]

Restart Certificate Services.

[box]

net stop certsvc
net start certsvc

[/box]

Now you need to generate a new CA certificate.

Now you can see your new cert is using SHA256.

Mine Won’t Change From SHA1 to SHA256?

That's because your cryptographic provider does not support anything higher than SHA1. For example: the command to change to SHA256 was successful, but the new certificate still says SHA1. If you look, the Provider is set to 'Microsoft Strong Cryptographic Provider'.

As you can see, the strongest hash algorithm that provider supports is SHA1; that's why it refuses to change.
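As an added example (not from either part of this article), here is a read-only PowerShell pre-flight check that tells you which of the two situations you are in before running any of the commands: it reads the provider and hash algorithm the CA is configured with from the CSP registry key used below, and reads the signature algorithm of the CA's own certificate from the machine store (the same certificates certutil -store my lists). The registry path, the CNGHashAlgorithm and Provider value names and the two provider names are the ones given in the article; the CA name is taken from the Active value under CertSvc\Configuration, and the legacy HashAlgorithm value name is an assumption. It applies just the same to a SubCA in Part Two.

```powershell
# Added example, not from the original article: read-only check of the CA's provider,
# its configured hash algorithm, and the signature algorithm on its current certificate.
# Run as an administrator on the CA. Registry path and provider names are the article's;
# the legacy 'HashAlgorithm' value name is an assumption.
$ConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Get-CaProviderStatus {
    $caName = (Get-ItemProperty -Path $ConfigKey -Name Active).Active
    $csp    = Get-ItemProperty -Path "$ConfigKey\$caName\CSP"

    # A CNG provider records the hash by name in CNGHashAlgorithm; a legacy CSP records a
    # numeric id instead, which is the tell-tale for the "won't change from SHA1" case.
    if ($csp.CNGHashAlgorithm) { $configuredHash = $csp.CNGHashAlgorithm }
    else                       { $configuredHash = 'legacy HashAlgorithm id 0x{0:x}' -f [int]$csp.HashAlgorithm }

    switch ($csp.Provider) {
        'Microsoft Software Key Storage Provider' { $verdict = 'KSP: SHA256 supported; certutil -setreg, then renew the CA certificate' }
        'Microsoft Strong Cryptographic Provider' { $verdict = 'legacy CSP: SHA1 only; migrate the key to the KSP first' }
        default                                   { $verdict = 'unrecognised provider; confirm it is CNG-capable before changing the hash' }
    }

    # Newest certificate issued to the CA's own name (what "certutil -store my <CA>" lists);
    # the article notes a CA can legitimately hold several.
    $caCert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$caName" -or $_.Subject -like "CN=$caName,*" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
    if ($caCert) { $certSig = $caCert.SignatureAlgorithm.FriendlyName; $thumb = $caCert.Thumbprint }
    else         { $certSig = 'no CA certificate found in LocalMachine\My'; $thumb = $null }

    [pscustomobject]@{
        CAName                = $caName
        Provider              = $csp.Provider
        ConfiguredHash        = $configuredHash
        CertificateSignature  = $certSig      # e.g. sha1RSA before the change, sha256RSA after
        CertificateThumbprint = $thumb
        Verdict               = $verdict
    }
}

Get-CaProviderStatus | Format-List
```

Run it once before you start and again after renewing the CA certificate: ConfiguredHash changing to SHA256 while CertificateSignature still reads sha1RSA is exactly the symptom this section describes, and the Verdict line tells you whether the provider migration below is needed.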

How Do I Change the CA Cryptographic Provider from SHA1 to SHA256?

Make a backup of the CA settings and the CA registry settings.

[box]

Backup-CARoleService -Path C:\CA-Backup -Password (Read-Host -Prompt "Enter Password" -AsSecureString)
TYPE IN A PASSWORD
reg export HKLM\SYSTEM\CurrentControlSet\services\CertSvc c:\Reg-Backup\CAregistry.reg

[/box]

Note: You might want to create the Reg-Backup folder first and grant some rights to it.

Now we need to delete the certificates this CA uses (don't panic, we've backed them up!). But first we need to find the certificates' hashes to delete. Open an administrative command prompt, stop Certificate Services, and then issue the following command;

Note: ROOT-CA is the name of YOUR CA.

[box]

Stop-Service certsvc

certutil -store my ROOT-CA > output.txt

[/box]

Open output.txt, then take a note of the hashes for the certificate(s).

Then open an administrative PowerShell window and delete them;

[box]

cd cert:\localmachine\my
Del -DeleteKey <Certificate-HASH>

[/box]

Now we need to import the p12 file we backed up earlier, then export it as a PFX file. Change ROOT-CA to the name of YOUR CA, and the path to your backup folder and certificate as appropriate.

[box]

certutil -csp "Microsoft Software Key Storage Provider" -importpfx C:\CA-Backup\ROOT-CA.p12
certutil -exportpfx my ROOT-CA C:\CA-Backup\Exported-ROOT-CA.pfx
ENTER AND CONFIRM A PASSWORD

[/box]

Then restore the key from your PFX file.

[box]

certutil -restorekey C:\CA-Backup\Exported-ROOT-CA.pfx

[/box]

Now you need to import a couple of registry files; in the examples below, replace ROOT-CA with the name of your CA.

Save the file as CA-Registry-Merge.reg (set the save-as file type to All Files).

[box]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\ROOT-CA\CSP] 
"ProviderType"=dword:00000000 
"Provider"="Microsoft Software Key Storage Provider" 
"CNGPublicKeyAlgorithm"="RSA" 
"CNGHashAlgorithm"="SHA1" 

[/box]

Merge the file into the registry.

Repeat the process with the following registry file; save this one as CA-Registry-Merge2.reg.

[box]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\ROOT-CA\EncryptionCSP] 
"ProviderType"=dword:00000000 
"Provider"="Microsoft Software Key Storage Provider" 
"CNGPublicKeyAlgorithm"="RSA" 
"CNGEncryptionAlgorithm"="3DES" 
"MachineKeyset"=dword:00000001 
"SymmetricKeySize"=dword:000000a8 

[/box]

Now change the hashing algorithm to SHA256: open an administrative command prompt and issue the following two commands;

[box]

certutil -setreg ca\csp\CNGHashAlgorithm SHA256
net start certsvc

[/box]

Renew the CA Cert.

You can now see the new cert is using SHA256.

Related Articles, References, Credits, or External Links

Moving Certificate Services To Another Server