Microsoft PKI Planning and Deploying Certificate Services Part 2

KB ID 0001310 

Problem

In Part One we deployed our offline Root CA Server, now we are going to deploy a ‘Certificate Revocation Location’ server.

Solution

Before you start:

Create a DNS record for ‘pki‘ that points to the IP address, that you will have the CRL web server hosted on.

I’m installing my CRL server on a separate web server because thats good practice. Starting with a domain joined member server, launch Server Manager > Manage > Add Roles and Features.

Role Based > Next > Select the Local Server > Next.

Select Web Server IIS > Add Features > Next > Next.

Next > No additional features are required > Next.

Next > Install > Close.

Create a Folder called PKI on the Root of your web server and share it as PKI$ (The dollar denotes hidden share).

Set the share permissions as follows;

  • SYSTEM: Full Control
  • Domain Admins: Full control
  • Cert Publishers: Change
  • Servers That Will Publish CRLs: Full Control

Launch Internet Information Services (IIS) > Server-name > Sites > Default Web Site > Add Virtual Directory.

  • Alias: PKI
  • Physical Path: C:\PKI

Select your new PKI directory > Edit Permissions.

  • Cert Publishers: Modify.
  • DefaultAppPool: Read and Execute.

Note: You cannot browse to DefaultAppPool > Change the source to local computer-name > type in the username ‘IIS AppPool\DefaultAppPool’.

For your PKI  Virtual Directory select ‘Configuration Editor’.

System.webServer > Security > requestFiltering > allowDoubleEscaping > Change to ‘True’ > Apply.

Now select ‘Directory Browsing’.

Enable.

At this point I copy in the .crl file you exported from your Offline Root CA. (I also copy in the RootCA certificate, so I know where I can get a copy!)

When you setup your CA Servers in the CAPolicy.inf file theres a section of the ‘Legal Policy Statement’ and the URL I used points to this server as well, (it was http://pki.cabench.com/pki/cps.txt). So create the cps.txt file in the same directory. To decide what text will go in the file, read RFC 7382.

The next most logical step depends on whether you are building a two tier, or three tier PKI environment. If it’s a three tier, then you are going to deploy your Intermediate Sub CA server next. If it’s a two tier then you are going to deploy your Issuing CA next.

Microsoft PKI Planning and Deploying Certificate Services Part 3

Related Articles, References, Credits, or External Links

NA

Windows Certificate Services – Setting up a CRL

KB ID 0000957

Problem

One of the often overlooked tasks of a PKI deployment is setting your Certificate Services CRL. For smaller deployments, with only one server then you don’t have to worry about how this will be designed (though a CRL does not have to be hosted on a Certificate Services server). In my test environment I only have one PKI server so everything will be going on that one box, In more complex environments you may have multiple root and subordinate PKI servers writing to your CRL (you may even have multiple CRL’s).

Solution

I would consider this a ‘post’ certificate services install task, so I’m assuming you already have that installed and configured.

1. Launch the Certification Authority management console > Right click the server-name > Properties > Extensions tab.

2. With CRL selected > Add > Type into the location http://crl.{your-domain-name}.{your-domain-extension}/crld

Note: You can use https:// but you may need to add a certificate in IIS manager and select ‘require TLS’ for the crld virtual directory.

3. In the variable section, select then ‘Insert’ the following onto the end of the URL;

  • <CaName>
  • <CRLNameSuffix>
  • <DeltaCRLAllowed>

Finally end the URL with .crl > OK.

Note: Is ‘should’ look like http://{FQDN-Of-Server}/crld/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl

4. With the CRL entry you have just created selected > Enable the following two options;

  • Include in CRL’s. Clients use this to find Delta CRL locations.
  • Include in the CDP extension of issues certificates.

Apply > OK > Yes.

5. Change the ‘Select extension’ drop down to ‘CRL Distribution Point (CDP)’ > Add > Type in a UNC path as follows ‘{Server-name}crldist$ > Then select and inset the variables onto the end of the path, (like you did above);

  • <CaName>
  • <CRLNameSuffix>
  • <DeltaCRLAllowed>

And then (as above) add .crl onto the end of the path > OK.

6. With the CDP selected > Select the following options;

  • Publish CRL’s to this location
  • Publish Delta CRL’s to this location

Apply > OK > Yes.

Windows DNS Requirements for CRL

7. So that your clients can resolve the name of the CRL you have just created, they need to be able to resolve the name you just created. On your DNS server open the DNS management console > Expand server-name > Forward Lookup Zones > {your-domain-name} > Right click > New Host (A or AAAA) > name crl > IP address = The IP address of the IIS server that will host the CRL > Add Host > Close DNS Manager.

Windows IIS Requirements for CRL

8. On the web server, open the Internet Information Services (IIS) Manager console > Expand and select your server-name > right click > Add Virtual Directory >Set the alias to CRLD.

Note: in IIS URL’s are not case sensitive.

9. Under ‘Physical path’ select the browse button > Select the C: Drive, (or another drive if you wish) > Make New Folder > Call the folder CRLDist > OK > OK.

10. Select server-name > Directory Browsing

Note: If you are serving other services from this web server, you might wish to only set directory browsing on the CRLD virtual directory.

11. Enable.

12. Select the CRLD directory (Click refresh if you cant see it) > Configuration Editor.

13. Navigate to System.webServer > security > RequestFiltering.


Note: On older versions of IIS, it’s under ‘System.webServer > security > authentication > RequestFiltering.’

14. Change allowDoubleEscaping to ‘True’ > Apply.

Windows Folder Permission Requirements for CRL

15. Navigate to the folder you just created (i.e C:CRLDist) > Right Click > Properties > Sharing > Advanced Sharing > Select ‘Share this folder’ > Add a dollar symbol to the end of its name i.e. CRLDist$.

Note: This simply creates a ‘hidden’ share, that cannot be seen when browsing the server shares.

Note: In Addition, Set the Windows NTFS Permissions for the Server(s) to Full Control also.

16. Permissions > Object Types > Add in Computers > OK > Enter the name of the server(s) that need to write to the CRL > OK.

17. Grant the Full Control permission to the sever(s) you just added > Apply > OK.

18. Back at the Certificate Services server > Launch the Certification Authority management console > Revoked Certificates > Right click > All Tasks > Publish > New CRL > OK.

19. If you check the folder you created earlier, you will see it now contains the CRL files.

Related Articles, References, Credits, or External Links

Microsoft Certificate Services Configuring OCSP

Publish CRL Error – Access Denied 0x80070005

Exchange 2010 Service Pack 2 Fails ‘Readiness Checks’

KB ID 0000720

Problem

When attempting to install Service Pack 2 on an Exchange 2010 Server the ‘Readiness Checks’ fail for the Client Access Role,

Client Access Role Prerequisites
Failed
Error:
The 'IIS 6 WMI Compatibility' component is required. Install the component via Server Manager.
Click here for help... http://go.microsoft.com/fwlink/?linkid=30939&l=en&v=ExBPA.14&id=0a71c4f6-68de-40f7-94cf-74b73cbda37b
Error:
The 'Client Certificate Mapping Authentication' component is required. Install the component via Server Manager.
Click here for help... http://go.microsoft.com/fwlink/?linkid=30939&l=en&v=ExBPA.14&id=41a25c5e-0d39-4e55-a1f0-7be885982236
Error:
The 'Directory Browsing' component is required. Install the component via Server Manager.
Click here for help... http://go.microsoft.com/fwlink/?linkid=30939&l=en&v=ExBPA.14&id=41a25c5e-0d39-4e55-a1f0-7be885982236
Error:
The 'HTTP Errors' component is required. Install the component via Server Manager.
Click here for help... http://go.microsoft.com/fwlink/?linkid=30939&l=en&v=ExBPA.14&id=41a25c5e-0d39-4e55-a1f0-7be885982236
Error:
The 'HTTP Logging' component is required. Install the component via Server Manager.
Click here for help... http://go.microsoft.com/fwlink/?linkid=30939&l=en&v=ExBPA.14&id=41a25c5e-0d39-4e55-a1f0-7be885982236
Error:
The 'HTTP Redirection' component is required. Install the component via Server Manager.
Click here for help... http://go.microsoft.com/fwlink/?linkid=30939&l=en&v=ExBPA.14&id=41a25c5e-0d39-4e55-a1f0-7be885982236
Error:
The 'Tracing' component is required. Install the component via Server Manager.
Click here for help... http://go.microsoft.com/fwlink/?linkid=30939&l=en&v=ExBPA.14&id=41a25c5e-0d39-4e55-a1f0-7be885982236
Error:
The 'Request Monitor' component is required. Install the component via Server Manager.
Click here for help... http://go.microsoft.com/fwlink/?linkid=30939&l=en&v=ExBPA.14&id=41a25c5e-0d39-4e55-a1f0-7be885982236
Error:
The 'Static Content' component is required. Install the component via Server Manager.
Click here for help... http://go.microsoft.com/fwlink/?linkid=30939&l=en&v=ExBPA.14&id=41a25c5e-0d39-4e55-a1f0-7be885982236

Solution

There are simply more server roles now required for an Exchange Server that has the Client Access Server role.

You can bypass the error by running the update with the ‘/Mode:Upgrade /InstallWindowsComponents’ switch on the end of it like so;

[box]Setup /Mode:Upgrade /InstallWindowsComponents[/box]

Adding required CAS Roles for Exchange SP2 Manually

I prefer to do things myself, so you can add all the roles from PowerShell.

1. All Programs > Accessories > Windows PowerShell > execute the following command;

[box]Import-Module ServerManager[/box]

2. Then execute the following command;

[box]Add-WindowsFeature Web-WMI,Web-Asp-Net,Web-ISAPI-Filter,Web-Client-Auth,Web-Dir-Browsing,Web-Http-Errors,Web-Http-Logging,Web-Http-Redirect,Web-Http-Tracing,Web-Request-Monitor,Web-Static-Content[/box]

3. Then re-run the SP2 setup.

Related Articles, References, Credits, or External Links

NA