Microsoft PKI Planning and Deploying Certificate Services Part 2

KB ID 0001310 

Problem

In Part One we deployed our offline Root CA server; now we are going to deploy a ‘Certificate Revocation Location’ server.

Solution

Before you start:

Create a DNS record for ‘pki’ that points to the IP address of the server that will host the CRL web site.

I’m installing my CRL server on a separate web server because that’s good practice. Starting with a domain-joined member server, launch Server Manager > Manage > Add Roles and Features.

Role Based > Next > Select the Local Server > Next.

Select Web Server IIS > Add Features > Next > Next.

Next > No additional features are required > Next.

Next > Install > Close.

Create a folder called PKI on the root of your web server’s drive and share it as PKI$ (the trailing dollar sign makes it a hidden share).

Set the share permissions as follows:

  • SYSTEM: Full Control
  • Domain Admins: Full control
  • Cert Publishers: Change
  • Servers That Will Publish CRLs: Full Control

Launch Internet Information Services (IIS) > Server-name > Sites > Default Web Site > Add Virtual Directory.

  • Alias: PKI
  • Physical Path: C:\PKI

Select your new PKI directory > Edit Permissions.

  • Cert Publishers: Modify.
  • DefaultAppPool: Read and Execute.

Note: You cannot browse to DefaultAppPool; change the location to the local computer name and type in the username ‘IIS AppPool\DefaultAppPool’.

For your PKI virtual directory select ‘Configuration Editor’.

System.webServer > Security > requestFiltering > allowDoubleEscaping > Change to ‘True’ > Apply. (Delta CRL file names contain a ‘+’, which IIS request filtering rejects unless double escaping is allowed.)

Now select ‘Directory Browsing’.

Enable.

At this point copy in the .crl file you exported from your offline Root CA. (I also copy in the Root CA certificate, so I know where I can get a copy!)

When you set up your CA servers, the CAPolicy.inf file has a ‘Legal Policy Statement’ section, and the URL I used there also points to this server (it was http://pki.cabench.com/pki/cps.txt), so create the cps.txt file in the same directory. To decide what text goes in the file, read RFC 7382.

The next step depends on whether you are building a two-tier or a three-tier PKI environment. If it’s three-tier, you are going to deploy your Intermediate Sub CA server next. If it’s two-tier, you are going to deploy your Issuing CA next.

Microsoft PKI Planning and Deploying Certificate Services Part 3

Related Articles, References, Credits, or External Links

NA

Windows Certificate Services – Setting up a CRL

KB ID 0000957

Problem

One of the often-overlooked tasks of a PKI deployment is setting up your Certificate Services CRL. For smaller deployments with only one server you don’t have to worry about how this will be designed (though a CRL does not have to be hosted on a Certificate Services server). In my test environment I only have one PKI server, so everything will be going on that one box. In more complex environments you may have multiple root and subordinate PKI servers writing to your CRL (you may even have multiple CRLs).

Solution

I would consider this a ‘post’ certificate services install task, so I’m assuming you already have that installed and configured.

1. Launch the Certification Authority management console > Right click the server-name > Properties > Extensions tab.

2. With CRL selected > Add > Type into the location http://crl.{your-domain-name}.{your-domain-extension}/crld

Note: You can use https:// but you may need to add a certificate in IIS manager and select ‘require TLS’ for the crld virtual directory.

3. In the Variable section, select each of the following in turn and click ‘Insert’ to append it to the end of the URL:

  • <CaName>
  • <CRLNameSuffix>
  • <DeltaCRLAllowed>

Finally end the URL with .crl > OK.

Note: It should look like http://{FQDN-Of-Server}/crld/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl

4. With the CRL entry you have just created selected > Enable the following two options;

  • Include in CRLs. Clients use this to find Delta CRL locations.
  • Include in the CDP extension of issued certificates.

Apply > OK > Yes.

5. Change the ‘Select extension’ drop-down to ‘CRL Distribution Point (CDP)’ > Add > Type in a UNC path as follows: \\{Server-name}\crldist$\ > Then select and insert the variables onto the end of the path (like you did above):

  • <CaName>
  • <CRLNameSuffix>
  • <DeltaCRLAllowed>

And then (as above) add .crl onto the end of the path > OK.

6. With the CDP selected > Select the following options;

  • Publish CRL’s to this location
  • Publish Delta CRL’s to this location

Apply > OK > Yes.
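The same CDP configuration as steps 2 to 6, done with certutil on the CA server instead of the Extensions tab, as an added example that is not code from the original article. It assumes a domain of cabench.com, a CRL host name of crl.cabench.com and a web server share of \\WEBSRV\crldist$ (replace all three); the numeric flags are the bit values certutil uses for the tick boxes named in the steps above.

```powershell
# Added example (not from the original article): steps 2-6 via certutil.
# Assumptions (replace): domain cabench.com, CRL host crl.cabench.com, share \\WEBSRV\crldist$.
#Requires -RunAsAdministrator

# certutil substitutes %3 = <CaName>, %8 = <CRLNameSuffix>, %9 = <DeltaCRLAllowed>
$HttpCdp = 'http://crl.cabench.com/crld/%3%8%9.crl'
$UncCdp  = '\\WEBSRV\crldist$\%3%8%9.crl'

# Each entry is <flags>:<url>. The flag bits map to the tick boxes in the console:
#   1  = Publish CRLs to this location                                   (step 6)
#   2  = Include in the CDP extension of issued certificates              (step 4)
#   4  = Include in CRLs; clients use this to find Delta CRL locations    (step 4)
#   64 = Publish Delta CRLs to this location                             (step 6)
# Run 'certutil -getreg CA\CRLPublicationURLs' first and keep any existing entries
# you still need (an enterprise CA normally also has an LDAP location).
$Cdp = @(
    '65:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl',  # default local copy: 1 + 64
    "6:$HttpCdp",                                          # HTTP location: 2 + 4
    "65:$UncCdp"                                           # share the CA writes to: 1 + 64
)
# certutil accepts a literal \n between entries, exactly as in its own documentation
certutil -setreg CA\CRLPublicationURLs ($Cdp -join '\n')

# The setting is read when the service starts; then publish a new CRL (step 18 below)
Restart-Service CertSvc
certutil -CRL

# Verify: what the CA now holds, and that the files are actually served over HTTP
certutil -getreg CA\CRLPublicationURLs
$Listing = Invoke-WebRequest -UseBasicParsing -Uri 'http://crl.cabench.com/crld/'
$Listing.Links.href | Where-Object { $_ -like '*.crl' }   # expect <CaName>.crl and <CaName>+.crl
```

The last two lines only work once the IIS side (directory browsing on the crld virtual directory, steps 8 to 14) is in place; the ‘+’ in the delta CRL name is why allowDoubleEscaping has to be enabled there.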

Windows DNS Requirements for CRL

7. So that your clients can reach the CRL location you have just created, they need to be able to resolve its host name. On your DNS server open the DNS management console > Expand server-name > Forward Lookup Zones > {your-domain-name} > Right click > New Host (A or AAAA) > Name: crl > IP address: the IP address of the IIS server that will host the CRL > Add Host > Close DNS Manager.

Windows IIS Requirements for CRL

8. On the web server, open the Internet Information Services (IIS) Manager console > Expand and select your server-name > Right click > Add Virtual Directory > Set the alias to CRLD.

Note: In IIS, URLs are not case sensitive.

9. Under ‘Physical path’ select the browse button > Select the C: Drive, (or another drive if you wish) > Make New Folder > Call the folder CRLDist > OK > OK.

10. Select server-name > Directory Browsing

Note: If you are serving other services from this web server, you might wish to only set directory browsing on the CRLD virtual directory.

11. Enable.

12. Select the CRLD directory (click Refresh if you can’t see it) > Configuration Editor.

13. Navigate to System.webServer > security > RequestFiltering.

Note: On older versions of IIS, it’s under ‘System.webServer > security > authentication > RequestFiltering’.

14. Change allowDoubleEscaping to ‘True’ > Apply.

Windows Folder Permission Requirements for CRL

15. Navigate to the folder you just created (i.e. C:\CRLDist) > Right click > Properties > Sharing > Advanced Sharing > Select ‘Share this folder’ > Add a dollar symbol to the end of its name, i.e. CRLDist$.

Note: This simply creates a ‘hidden’ share, that cannot be seen when browsing the server shares.

Note: In addition, set the Windows NTFS permissions for the server(s) to Full Control as well.

16. Permissions > Object Types > Add in Computers > OK > Enter the name of the server(s) that need to write to the CRL > OK.

17. Grant the Full Control permission to the server(s) you just added > Apply > OK.
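Steps 8 to 17 above (virtual directory, directory browsing, double escaping, hidden share and NTFS rights), and the equivalent PKI / C:\PKI / PKI$ setup in Part 2 at the top of this page, scripted in PowerShell as an added example that is not code from the original articles. It assumes the Web Server (IIS) role is already installed, a domain NetBIOS name of CABENCH and a CA computer account named ISSUINGCA (replace both); change the first three variables to the Part 2 values to build that layout instead.

```powershell
# Added example (not from the original articles): IIS virtual directory, settings,
# hidden share and permissions for a CRL location. Assumptions (replace): domain
# NetBIOS name CABENCH, CA computer account ISSUINGCA, IIS role already installed.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$Alias     = 'CRLD'                        # Part 2 uses 'PKI'
$Path      = 'C:\CRLDist'                  # Part 2 uses 'C:\PKI'
$ShareName = 'CRLDist$'                    # Part 2 uses 'PKI$'; trailing $ = hidden share
$Domain    = 'CABENCH'
$CaServers = @($Domain + '\ISSUINGCA$')    # computer accounts that publish the CRL (note the trailing $)

New-Item -Path $Path -ItemType Directory -Force | Out-Null

# Steps 8-9: virtual directory under the Default Web Site
New-WebVirtualDirectory -Site 'Default Web Site' -Name $Alias -PhysicalPath $Path | Out-Null
$VDir = "IIS:\Sites\Default Web Site\$Alias"

# Steps 10-11: directory browsing, scoped to the virtual directory only (see the note at step 10)
Set-WebConfigurationProperty -PSPath $VDir -Filter 'system.webServer/directoryBrowse' `
    -Name 'enabled' -Value $true

# Steps 12-14: delta CRLs are published as <CaName>+.crl; the '+' arrives URL-encoded and
# request filtering rejects the request unless double escaping is allowed
Set-WebConfigurationProperty -PSPath $VDir -Filter 'system.webServer/security/requestFiltering' `
    -Name 'allowDoubleEscaping' -Value $true

# Steps 15-17: hidden share; Full Control for the publishing CA computer account(s) on both the
# share and NTFS, Cert Publishers can modify, and the app pool only needs to read what is served
New-SmbShare -Name $ShareName -Path $Path `
    -FullAccess (@('NT AUTHORITY\SYSTEM', "$Domain\Domain Admins") + $CaServers) `
    -ChangeAccess "$Domain\Cert Publishers" | Out-Null
foreach ($Account in $CaServers) { icacls $Path /grant "${Account}:(OI)(CI)F" | Out-Null }
icacls $Path /grant "$Domain\Cert Publishers:(OI)(CI)M" | Out-Null
icacls $Path /grant 'IIS AppPool\DefaultAppPool:(OI)(CI)RX' | Out-Null

# Checks: share rights, both IIS settings, and that the listing answers locally
Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessRight
Get-WebConfigurationProperty -PSPath $VDir -Filter 'system.webServer/security/requestFiltering' -Name 'allowDoubleEscaping'
Get-WebConfigurationProperty -PSPath $VDir -Filter 'system.webServer/directoryBrowse' -Name 'enabled'
(Invoke-WebRequest -UseBasicParsing -Uri "http://localhost/$Alias/").StatusCode   # expect 200
```

Keeping the app pool at Read and Execute while only the CA computer accounts get Full Control is the least-privilege split the articles describe: the web server serves the CRL, it never needs to write it.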

18. Back at the Certificate Services server > Launch the Certification Authority management console > Revoked Certificates > Right click > All Tasks > Publish > New CRL > OK.

19. If you check the folder you created earlier, you will see it now contains the CRL files.

Related Articles, References, Credits, or External Links

Microsoft Certificate Services Configuring OCSP

Publish CRL Error – Access Denied 0x80070005

Microsoft Certificate Services Configuring OCSP

KB ID 0001084 

Problem

I seem to have done a lot of PKI the last 18 months. This week I needed an OCSP server deploying for the CA server on my test bench so I took the time to document it for future use. One of the most overlooked parts of a PKI deployment, is how to cope with ‘revoking’ certificates.

Traditionally this has been done with a CRL, but CRLs have a downside: network devices tend to cache them, and they don’t get updated as often as they should. That is why OCSP is a lot better; it runs as a service and answers revocation requests immediately.

Solution

This is a walkthrough on configuring OCSP. I’m assuming you already have your PKI and your CRL set up; if not, take a look at the following article:

Windows Certificate Services – Setting up a CRL

1. Launch the certificate services management console > Certificate Templates > Manage.

2. Locate the OCSP Response Signing Certificate > Properties.

3. Security Tab > Add in the server that will be hosting the OCSP service, (I always use the same server that’s serving my CRL).

4. Grant the server read and enroll rights > Apply > OK.

5. Then issue the OCSP Responder Template.

6. Open the properties of the Certificate Services Server.

7. Extensions tab > Change the drop-down to Authority Information Access (AIA) > Add > Enter the URL of the server that will serve OCSP; this will need to be resolvable internally, and if the service is presented to the outside world the URL will need registering in public DNS > OK.

8. Select the URL you have just entered > Tick ‘Include in the online certificate status protocol (OCSP) extension’ > Apply > OK.

9. On the server that you want to install the OCSP service on > Launch Server Manager > Manage > Add Roles and Features > Add in the Active Directory Certificate Services role.

10. On the Role Services page, remove ‘Certificate Authority’ and then add ‘Online Responder’ > Complete the wizard.

11. Run through the post install wizard, and accept all the defaults.

12. Launch the Online Responder Management console.

13. Revocation Configuration > Add Revocation Configuration > Enter a name > Next.

14. Select your method of locating a CA certificate > Next.

15. Locate your CA Certificate.

16. Select your OCSP Template > Next.

17. Finish.

18. The configuration should go green and say ‘Working’.

19. To make sure the certificate is issued > Array Configuration > {server-name} > View Signing Certificate.
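Steps 7 and 8 done with certutil on the CA, followed by a check that a certificate issued afterwards actually validates through the responder built in steps 9 to 19, as an added example that is not code from the original article. It assumes a responder URL of http://ocsp.cabench.com/ocsp, the AIA host pki.cabench.com from Part 2, and an issued certificate exported to C:\Temp\issued.cer (replace all three); the flag values are the bit values certutil uses for the AIA tick boxes.

```powershell
# Added example (not from the original article): steps 7-8 via certutil, then an end-to-end check.
# Assumptions (replace): responder http://ocsp.cabench.com/ocsp, AIA host pki.cabench.com,
# an issued certificate exported to C:\Temp\issued.cer.
#Requires -RunAsAdministrator
$OcspUrl = 'http://ocsp.cabench.com/ocsp'

# Entries are <flags>:<url>; certutil substitutes %1 = server DNS name, %3 = CA name,
# %4 = certificate name suffix. Flag bits:
#   1  = Publish to this location
#   2  = Include in the AIA extension of issued certificates
#   32 = Include in the online certificate status protocol (OCSP) extension   (step 8)
# Run 'certutil -getreg CA\CACertPublicationURLs' first and keep any entries you still need.
$Aia = @(
    '1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt',   # default local copy
    '2:http://pki.cabench.com/pki/%1_%3%4.crt',             # CA certificate over HTTP
    "32:$OcspUrl"                                           # OCSP responder
)
certutil -setreg CA\CACertPublicationURLs ($Aia -join '\n')
Restart-Service CertSvc

# Only certificates issued after the restart carry the OCSP URL; confirm it is in this one...
certutil -dump C:\Temp\issued.cer | Select-String -Pattern 'OCSP'

# ...and that revocation checking succeeds end to end. -urlfetch makes certutil retrieve the
# AIA, CDP and OCSP targets rather than answering from the local cache, so a broken responder
# or an unreachable CRL shows up here instead of on a client months later.
certutil -verify -urlfetch C:\Temp\issued.cer | Select-String -Pattern 'OCSP', 'CRL', 'Verified', 'ERROR'
```

A healthy result shows a ‘Verified "OCSP"’ line for the leaf certificate; if certutil falls back to the CRL or reports an error for the OCSP URL, re-check the revocation configuration in the Online Responder console (step 18) and the DNS entry for the responder name.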


Related Articles, References, Credits, or External Links

Windows Certificate Services – Setting up a CRL