Saturday, July 17, 2010

Windows 2008 R2 Certification Authority installation guide


This step-by-step guide explains how to install and configure a two-tier public key infrastructure, based on:
* Windows Server 2008 R2 Server Core - offline (standalone) Root CA
* Windows Server 2008 R2 domain controller
* Windows Server 2008 R2 Enterprise Edition - Enterprise Subordinate (issuing) CA server

Offline Root CA - OS installation phase
1. Boot the server from the Windows Server 2008 R2 installation DVD.
2. Enter the product key -> click Next.
3. From the installation options, choose "Windows Server 2008 R2 (Server Core Installation)" -> click Next.
4. Accept the license agreement -> click Next.
5. Choose the "Custom (Advanced)" installation type -> select the hard drive to install the operating system on -> click Next.
6. Allow the installation to continue and restart the server automatically.
7. To log in to the server for the first time, press CTRL+ALT+DELETE.
8. Choose the "Administrator" account -> click OK to change the account password -> enter a complex password and confirm it -> press Enter -> press OK.
9. From the command prompt window, run the command below:
sconfig.cmd
10. Press "2" to change the computer name -> enter the new computer name -> click "Yes" to restart the server.
11. To log in to the server, press CTRL+ALT+DELETE -> enter the "Administrator" account credentials.
12. From the command prompt window, run the command below:
sconfig.cmd
13. Press "5" to configure "Windows Update Settings" -> select "A" for automatic -> click OK. (This only has effect while the Root CA is connected to the network; once the hierarchy is built, an offline root is kept powered off and disconnected except when a new CRL or subordinate certificate has to be issued.)
14. Press "6" to download and install Windows Updates -> choose "A" to search for all updates -> choose "A" to download and install all updates -> click "Yes" to restart the server.
15. To log in to the server, press CTRL+ALT+DELETE -> enter the "Administrator" account credentials.
16. From the command prompt window, run the command below:
sconfig.cmd
17. In case you need RDP to access and manage the server, press "7" to enable "Remote Desktop" -> choose "E" to enable -> choose either "1" or "2" according to your client settings -> press OK.
18. Press "8" to configure "Network settings" -> select the network adapter by its index number -> press "1" to configure the IP settings -> choose "S" for a static IP address -> enter the IP address, subnet mask and default gateway -> press "2" to configure the DNS servers -> click OK -> press "4" to return to the main menu.
19. Press "9" to configure "Date and Time" -> set the correct date/time and time zone -> click OK. A correct clock matters on a CA: certificate and CRL validity periods are computed from it, and an offline, non-domain-joined root has no domain time source to correct drift.
20. Press "11" to restart the server so all settings take effect -> click "Yes" to restart the server.

Offline Root CA - Certificate Authority server installation phase
1. To login to the server, press CTRL+ALT+DELETE -> specify the "Administrator" account credentials.
2. Install Certificate Services (the ocsetup package name on Server Core is CertificateServices):
start /w ocsetup.exe CertificateServices /norestart /quiet
3. To check that the installation completed, run the command below (note the pipe into find):
oclist | find /i "CertificateServices"
4. Download the file "setupca.vbs" from:
http://blogs.technet.com/b/pki/archive/2009/09/18/automated-ca-installs-using-vb-script-on-windows-server-2008-and-2008r2.aspx
To:
C:\Windows\system32
5. Run the command below to configure the Root CA (4096-bit RSA key in the Microsoft Software Key Storage Provider, SHA-256 signatures). Replace <ca_server_name> with the CA name; this guide keeps it identical to the server's NetBIOS name, and the file names used in the CDP and AIA URLs later assume that:
Cscript /nologo C:\Windows\System32\setupca.vbs /is /sn <ca_server_name> /sk 4096 /sp "RSA#Microsoft Software Key Storage Provider" /sa SHA256
6. In order to verify that the installation completed successfully, open the file "_SetupCA.log" in the current working directory with Notepad and make sure the last line is:
Install complete! Passed
7. Run the command below to enable remote management of the Root CA through the Windows Firewall:
netsh advfirewall firewall set rule group="Remote Service Management" new enable=yes
8. Run the command below to stop the CertSvc service:
Net stop CertSvc
9. Run the command below to set the validity period of certificates issued by the Root CA. The companion value ValidityPeriod defaults to "Years", so this gives the subordinate CA certificate a five-year lifetime. The key under Configuration is named after the CA (here the Root CA NetBIOS name):
reg add HKLM\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\<rootca_netbios_name> /v ValidityPeriodUnits /t REG_DWORD /d 5 /f
Note: The command above must be entered on a single line.
10. Run the command below to start the CertSvc service:
Net start CertSvc
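The registry values the Root CA needs (the validity period from step 9, plus the CRL interval, CDP and AIA URLs that the subordinate section later configures through the retargeted snap-in) can also be applied directly on the Root CA console with certutil. The script below is an added example and is not part of the original post. It assumes PowerShell 2.0 has been enabled on the Server Core installation (dism /online /enable-feature /featurename:NetFx2-ServerCore /featurename:MicrosoftWindowsPowerShell; the certutil lines work unchanged from cmd.exe), that the CA name equals the server name as in step 5, that http://wwwca/CertEnroll/ is the HTTP publishing point the subordinate section creates, and that DC=mycompany,DC=com is replaced with your forest root DN.

```powershell
# Added example (not from the original post): apply the Root CA's issuance, CRL,
# CDP and AIA settings with certutil on the Root CA console instead of the GUI.
# Assumptions: CA name == server name (setupca /sn above); "http://wwwca/CertEnroll"
# is the HTTP publishing point hosted on the subordinate CA's IIS; DN suffix is yours.

$httpBase = "http://wwwca/CertEnroll"
$fileBase = "$env:windir\System32\CertSrv\CertEnroll"
$domainDn = "DC=mycompany,DC=com"           # assumption: replace with your forest root DN

# Certificates this root issues (only subordinate CA certificates) are valid 5 years.
certutil -setreg CA\ValidityPeriod "Years"
certutil -setreg CA\ValidityPeriodUnits 5

# Base CRL every 180 days, no delta CRLs (an offline root cannot serve them).
certutil -setreg CA\CRLPeriod "Days"
certutil -setreg CA\CRLPeriodUnits 180
certutil -setreg CA\CRLDeltaPeriodUnits 0

# CDP. Prefix flags: 1 = publish the CRL to this location, 2 = include the URL in
# the CDP extension of issued certificates. Only the HTTP URL goes into certificates;
# the LDAP and file:// entries are dropped because clients cannot reach an offline root.
# Tokens: %3 = CA name, %8 = CRL name suffix, so the file is <CAName>.crl.
# certutil treats a literal "\n" in the value as the separator between entries.
certutil -setreg CA\CRLPublicationURLs "1:$fileBase\%3%8.crl\n2:$httpBase/%3%8.crl"

# AIA. 1 = write the CA certificate to this file, 2 = include the URL in the AIA
# extension of issued certificates. %1 = server DNS name, %4 = renewal suffix, so the
# published file is <ServerName>_<CAName>.crt; the HTTP URL must use the same name.
certutil -setreg CA\CACertPublicationURLs "1:$fileBase\%1_%3%4.crt\n2:$httpBase/%1_%3%4.crt"

# DNs the CA stamps into published objects (the equivalent of step 19 in the
# subordinate section, run here on the root itself instead of through the snap-in).
certutil -setreg CA\DSConfigDN "CN=Configuration,$domainDn"
certutil -setreg CA\DSDomainDN $domainDn

# The service reads these values at start-up; then publish a fresh CRL into CertEnroll.
Restart-Service CertSvc
certutil -crl

# Checks: both URL lists show exactly the entries above, and the new CRL carries a
# 180-day Next Update and no delta CRL indicator.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
$crl = Get-ChildItem "$fileBase\*.crl" | Sort-Object LastWriteTime | Select-Object -Last 1
certutil -dump $crl.FullName | Select-String "Next Update", "Delta"
```

The two flag-prefixed URL lists are the same thing the Extensions tab edits; keeping them in a script means the offline root can be rebuilt or audited without a console session, and the final certutil -dump is the check that the CRL clients will download actually matches the 180-day interval.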

Enterprise Subordinate CA - OS installation phase
Prerequisites:
• Active Directory (forest functional level – Windows Server 2008 R2)
• An "A" record for the Root CA in the Active Directory DNS, so the subordinate can reach it by name for remote management (the Root CA is not domain-joined and does not register itself).

1. Boot the server from the Windows Server 2008 R2 Enterprise Edition installation DVD.
2. Enter the product key -> click Next.
3. From the installation options, choose "Windows Server 2008 R2 Enterprise (Full Installation)" -> click Next.
4. Accept the license agreement -> click Next.
5. Choose the "Custom (Advanced)" installation type -> select the hard drive to install the operating system on -> click Next.
6. Allow the installation to continue and restart the server automatically.
7. To log in to the server for the first time, press CTRL+ALT+DELETE.
8. Choose the "Administrator" account -> click OK to change the account password -> enter a complex password and confirm it -> press Enter -> press OK.
9. From the "Initial Configuration Tasks" window, configure the following settings:
o Set time zone
o Configure networking – specify static IP address, netmask, gateway, DNS
o Provide computer name and domain – join the server to the domain
o Enable Remote Desktop
10. In order to manage the Root CA remotely (the Certification Authority snap-in connects to it over RPC/DCOM using these stored credentials), run the command below:
cmdkey /add:<RootCA_Hostname> /user:Administrator /pass:<RootCA_Admin_Password>
Note: the password is stored in this account's Credential Manager. To avoid typing it on the command line, give /pass with no value and cmdkey prompts for it.


Enterprise Subordinate CA - Certificate Authority server installation phase
Prerequisites:
• A DNS CNAME record named "wwwca" that points to the Enterprise Subordinate CA. IIS on this server serves the CertEnroll folder, so http://wwwca/CertEnroll/ is the CDP and AIA publishing point used in the following steps. Keep the name stable: it is embedded in every certificate the hierarchy issues.

1. To login to the server, press CTRL+ALT+DELETE -> specify the credentials of account member of “Schema Admins”, “Enterprise Admins” and “Domain Admins”.
2. Start -> Administrative Tools -> Server Manager.
3. From the left pane, right click on Roles -> Add Roles -> Next -> select “Web Server (IIS)” -> click Next twice -> select the following role services:
• Web Server
o Common HTTP Features
Static Content
Default Document
Directory Browsing
HTTP Errors
HTTP Redirection
o Application Development
.NET Extensibility
ASP
ISAPI Extensions
o Health and Diagnostics
HTTP Logging
Logging Tools
Tracing
Request Monitor
o Security
Windows Authentication
Client Certificate Mapping Authentication
IIS Client Certificate Mapping Authentication
Request Filtering
o Performance
Static Content Compression
• Management Tools
o IIS Management Console
o IIS Management Scripts and Tools
o IIS 6 Management Compatibility
IIS 6 Metabase Compatibility
4. Click Next -> click Install -> click Close.
5. From the left pane, right click on Features -> Add Features -> Next -> expand “Windows Process Activation Service” -> select “.NET Environment” and “Configuration APIs” -> select the feature “.NET Framework 3.5.1 Features” -> click Next -> click Install -> click Close.
6. From the left pane, right click on Roles -> Add Roles -> Next -> select “Active Directory Certificate Services” -> click Next twice -> select the following role services:
• Certification Authority
• Certification Authority Web Enrollment
• Certificate Enrollment Policy Web Service
7. Click Next.
8. Configure the following settings:
• Specify Setup Type: Enterprise
• CA Type: Subordinate CA
• Private Key: Create a new private key
• Cryptography:
Cryptographic service provider (CSP): RSA#Microsoft Software Key Storage Provider
Key length: 2048
Hash algorithm: SHA256
• CA Name:
Common name: specify here the subordinate server NetBIOS name
Distinguished name suffix: leave the default domain settings
• Certificate Request: Save a certificate request to a file and manually send it later to a parent CA (the wizard writes the .req file to the root of the system drive; it is submitted to the Root CA in step 31)
• Certificate Database: leave the default settings
• Authentication Type: Windows Integrated Authentication
• Server Authentication Certificate: Choose and assign a certificate for SSL later
9. Click Next twice -> click Install -> click Close.
10. Close the Server Manager.
11. Start -> Administrative Tools -> Certification Authority
12. From the left pane, right click on “Certification Authority (Local)” -> “Retarget Certification Authority” -> choose “Another computer” -> specify the RootCA hostname -> click Finish.
13. Right-click the Root CA name -> Properties -> Extensions tab -> extension type: CRL Distribution Point (CDP):
• Uncheck "Publish Delta CRLs to this location" (an offline root cannot serve delta CRLs).
• Select the line beginning with "LDAP" and click Remove.
• Select the line beginning with "HTTP" and click Remove.
• Select the line beginning with "file" and click Remove.
• Click Add and enter the location:
http://wwwca/CertEnroll/<RootCA_Server_Name>.crl
• Select the new line beginning with "HTTP" and make sure the only option checked is "Include in the CDP extension of issued certificates". This URL is what every client uses to check whether the subordinate CA certificate has been revoked, so it must stay resolvable and reachable for the life of the hierarchy.
• Select the line beginning with "C:\Windows" and make sure the only option checked is "Publish CRLs to this location".
14. Extensions tab -> extension type: Authority Information Access (AIA):
• Select the line beginning with "LDAP" and click Remove.
• Select the line beginning with "HTTP" and click Remove.
• Select the line beginning with "file" and click Remove.
• Click Add and enter the location:
http://wwwca/CertEnroll/<RootCA_Server_Name>.crt
Check: the file name in this URL must match the .crt file actually written to the Root CA's CertEnroll folder (by default <ServerName>_<CAName>.crt, the file copied in step 43); otherwise clients cannot retrieve the issuer certificate from the AIA and chain building falls back to whatever is in their local stores.
15. Click OK and allow the CA service to restart.
16. From the "Certification Authority" left pane, right-click "Revoked Certificates" -> Properties:
• CRL publication interval: 180 days
• Make sure "Publish Delta CRLs" is not checked
• Click OK
Caveat: the Root CA is offline, so nothing republishes this CRL automatically. Before each 180-day Next Update passes, start the Root CA, publish a new CRL (step 20) and copy it to the web server (step 43); an expired root CRL makes revocation checking fail for every certificate the subordinate has issued.
17. Right-click the CA name -> All Tasks -> Stop Service
18. Right-click the CA name -> All Tasks -> Start Service
19. Run the commands below from the command line to configure the Offline Root CA to publish into Active Directory. Note that certutil without -config acts on the local CA, which here is the subordinate, not the retargeted root: run these on the Root CA console, or add -config <RootCA_Hostname>\<RootCA_Name> to each command.
certutil.exe -setreg ca\DSConfigDN "CN=Configuration,DC=mycompany,DC=com"
certutil.exe -setreg ca\DSDomainDN "DC=mycompany,DC=com"
Note: Replace "DC=mycompany,DC=com" according to your domain name.
20. From the "Certification Authority" left pane, right-click "Revoked Certificates" -> All Tasks -> Publish -> click OK.
21. Close the "Certification Authority" snap-in and logoff the subordinate CA server.
22. Login to a domain controller in the forest root domain, with account member of Domain Admins and Enterprise Admins.
23. Copy the file bellow from the Offline Root CA server to a temporary folder on the domain controller:
C:\Windows\System32\CertSrv\CertEnroll\*.crt
24. Start -> Administrative Tools -> Group Policy Management.
25. From the left pane, expand the forest name -> expand Domains -> expand the relevant domain name -> right click on “Default domain policy” -> Edit.
26. From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> expand “Public Key Policies” -> right click on “Trusted Root Certification Authorities” -> Import -> click Next -> click Browse to locate the CRT file from the Root CA -> click Open -> click Next twice -> click Finish -> click OK.
27. Logoff the domain controller.
28. Return to the subordinate enterprise CA server.
29. Start -> Administrative Tools -> Certification Authority.
30. From the left pane, right click on “Certification Authority (Local)” -> “Retarget Certification Authority” -> choose “Another computer” -> specify the RootCA hostname -> click Finish.
31. Right click on the RootCA server name -> All Tasks -> Submit new request -> locate the subordinate CA request file (.req) -> Open.
32. Expand the RootCA server name -> right click on “Pending Requests” -> locate the subordinate CA request ID according to the date -> right click on the request -> All Tasks -> Issue.
33. From the left pane, click on “Issued Certificates” -> locate the subordinate CA request ID -> right click on the request -> All Tasks -> “Export Binary Data” -> choose “Binary Certificate” -> click “Save binary data to a file” -> click OK -> specify location and the file name - <subordinate_ca_server_name_signed_certificate>.p7b -> click Save.
34. Run the command below from the command line so the subordinate CA can install its certificate and start before the Root CA CRL is reachable over HTTP (the flag makes the CA tolerate an offline CRL):
Certutil.exe -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
Caveat: this relaxes revocation checking on the subordinate. Once step 43 has put the Root CA CRL on the web server, remove the flag again (certutil accepts the same flag name with a leading minus sign) and restart the service, so that an unavailable CRL is treated as an error as it should be.
35. From the left pane, right-click "Certification Authority" -> "Retarget Certification Authority" -> choose "Local computer" -> click Finish.
36. Right-click the subordinate CA server name -> All Tasks -> "Install CA Certificate" -> locate the file <Subordinate_CA_Server_Name_Signed_Certificate>.p7b -> click Open. The Root CA certificate must already be trusted on the subordinate (the Group Policy import from step 26, after a policy refresh); otherwise the install fails because no chain to a trusted root can be built.
37. Right-click the subordinate CA server name -> All Tasks -> Start Service.
38. Right-click the subordinate CA server name -> Properties -> Extensions tab -> extension type: CRL Distribution Point (CDP):
• Select the line beginning with "HTTP" -> click Remove -> click Yes.
• Select the line beginning with "file" -> click Remove -> click Yes.
• Click Add and enter the location:
http://wwwca/CertEnroll/<subordinate_CA_Server_Name>.crl
• Select the new line beginning with "HTTP" and make sure the following options are checked: "Include in CRLs. Clients use this to find Delta CRL locations" and "Include in the CDP extension of issued certificates". The LDAP entry stays: domain members can use it, while the HTTP URL serves clients that cannot reach Active Directory.
39. Extensions tab -> extension type: Authority Information Access (AIA):
• Select the line beginning with "HTTP" -> click Remove -> click Yes.
• Select the line beginning with "file" -> click Remove -> click Yes.
• Click Add and enter the location:
http://wwwca/CertEnroll/<SubordinateCA-FQDN>_<Subordinate_NetBIOS_Name>.crt
Example: http://wwwca/CertEnroll/MyCA.mydomain.com_MyCA.crt
(This is the default name of the CA certificate file in CertEnroll: server DNS name, underscore, CA name.)
• Select the new line beginning with "HTTP" and make sure the following option is checked: "Include in the AIA extension of issued certificates".
40. Click OK and allow the CA service to restart.
41. From the "Certification Authority" left pane, right-click "Revoked Certificates" -> All Tasks -> Publish -> click OK.
42. Close the "Certification Authority" snap-in.
43. Copy the files below from the Root CA to the same location on the subordinate CA. IIS on the subordinate serves this folder as http://wwwca/CertEnroll/ (the CNAME from the prerequisites), which is where the CDP and AIA URLs set in steps 13 and 14 point; chain building and revocation checking for the subordinate CA certificate depend on these copies being present and current:
C:\Windows\System32\CertSrv\CertEnroll\*.crl
C:\Windows\System32\CertSrv\CertEnroll\*.crt
44. Log off the subordinate CA server.
45. Log in to a domain controller in the forest root domain with an account that is a member of Domain Admins and Enterprise Admins.
46. Copy the file below from the subordinate CA server to a temporary folder on the domain controller (the newest .crt file is the subordinate CA certificate installed in step 36):
C:\Windows\System32\CertSrv\CertEnroll\*.crt – copy the newest file
47. Start -> Administrative Tools -> Group Policy Management.
48. From the left pane, expand the forest name -> expand Domains -> expand the relevant domain name -> right click on “Default domain policy” -> Edit.
49. From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> expand “Public Key Policies” -> right click on “Intermediate Certification Authorities” -> Import -> click Next -> click Browse to locate the CRT file from the subordinate CA server -> click Open -> click Next twice -> click Finish -> click OK.
50. Logoff the domain controller.
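The subordinate-side work in steps 31 to 46 (submitting the request to the offline root, issuing and retrieving the certificate, installing it, fixing the subordinate's CDP and AIA, and distributing the root's certificate and CRL) can be scripted on the Enterprise Subordinate CA. The script below is an added example, not part of the original post. It runs as a Domain Admin and Enterprise Admin with the Root CA reachable by RPC (the cmdkey credentials from the OS phase) and uses assumed names: ROOTCA for the root (host name and CA name), SUBCA01 with CA name SUBCA01 for the subordinate, and E:\RootCA for the folder into which the root's CertEnroll files were carried over. It goes beyond the post in two labelled places: the root certificate and CRL are published to Active Directory with certutil -dspublish (domain members then pick up the root without the Default Domain Policy import of steps 22 to 26), and the offline-CRL bypass from step 34 is cleared again at the end.

```powershell
# Added example (not from the original post): script the subordinate-side steps
# 31-46 on the Enterprise Subordinate CA. Assumed names: root "ROOTCA" (host and CA
# name), subordinate CA name "SUBCA01" on host SUBCA01.mydomain.com, root's CertEnroll
# files carried over to E:\RootCA. Run as Domain Admin + Enterprise Admin.
$rootConfig = "ROOTCA\ROOTCA"
$rootFiles  = "E:\RootCA"
$subReq     = "C:\SUBCA01.mydomain.com_SUBCA01.req"   # written by the AD CS wizard (step 8)
$subCert    = "C:\SUBCA01.cer"
$subChain   = "C:\SUBCA01.p7b"
$httpBase   = "http://wwwca/CertEnroll"
$fileBase   = "$env:windir\System32\CertSrv\CertEnroll"

# 1. Make the root trusted locally and publish it. The copy into CertEnroll (step 43)
#    is what the CDP/AIA URLs in the certificates actually point at, so do it first.
Copy-Item "$rootFiles\*.crt" $fileBase
Copy-Item "$rootFiles\*.crl" $fileBase
$rootCert = (Get-ChildItem "$rootFiles\*.crt" | Select-Object -First 1).FullName
$rootCrl  = (Get-ChildItem "$rootFiles\*.crl" | Select-Object -First 1).FullName
certutil -addstore -f Root $rootCert      # local machine Trusted Root store (needed by -installcert)
certutil -dspublish -f $rootCert RootCA   # beyond the post: AD-wide trust instead of the GPO import
certutil -dspublish -f $rootCrl ROOTCA    # root CRL into the CDP container named after the root host

# 2. Submit the request to the standalone root (it is set pending by default),
#    approve it by request ID, and retrieve the certificate plus its chain.
$submit    = certreq -submit -config $rootConfig $subReq $subCert
$requestId = ([regex]'RequestId:\s*(\d+)').Match(($submit -join "`n")).Groups[1].Value
certutil -config $rootConfig -resubmit $requestId
certreq -retrieve -config $rootConfig $requestId $subCert $subChain

# 3. Install the subordinate's certificate. The CRLFlags bypass lets the service start
#    even if the root CRL is not fetchable yet (step 34); it is removed again in step 5.
certutil -setreg CA\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
certutil -installcert $subChain
Start-Service CertSvc

# 4. CDP/AIA of the subordinate (steps 38-39): keep the file and LDAP entries the
#    wizard created, replace HTTP with the wwwca URL. Prefix flags: 1 publish to file,
#    2 CDP extension, 4 freshest-CRL (delta locator), 8 include in all CRLs, 64 publish
#    delta CRLs; 65 = 1+64, 79 = 1+2+4+8+64, 6 = 2+4. certutil splits entries on "\n".
certutil -setreg CA\CRLPublicationURLs ("65:$fileBase\%3%8%9.crl\n" +
    "79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n" +
    "6:$httpBase/%3%8%9.crl")
certutil -setreg CA\CACertPublicationURLs ("1:$fileBase\%1_%3%4.crt\n" +
    "2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n" +
    "2:$httpBase/%1_%3%4.crt")
Restart-Service CertSvc
certutil -crl                              # publish the subordinate's CRL (step 41)

# 5. The root CRL is now served over HTTP: clear the bypass so revocation is enforced
#    again, and verify the chain the way a client would, fetching the CDP/AIA URLs.
certutil -setreg CA\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE
Restart-Service CertSvc
certutil -verify -urlfetch $subCert | Select-String "revocation", "ERROR", "completed"
```

After it runs, the Enterprise PKI snap-in (pkiview.msc) on the subordinate should show every CDP and AIA location as OK; an "Unable to download" entry means the URL in the extension does not match a file name in CertEnroll, and the certutil -verify -urlfetch output at the end shows the same problem per URL before any end-entity certificate has been issued.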
