Tag Archives: PKI

Certification Authority Root Signing

This article describes the signing of an enterprise Certification Authority by a commercial Certification Authority (the external root is sometimes referred to as a "common root").

What is Certification Authority Root Signing?

Consider the following scenario:
You work for an organization that requires many digital certificates. You want to ensure that these certificates are trusted by other organizations, such as external partners and customers. For example, you might want to use a code signing certificate for an application or a digital signature certificate for signing a document or email.

If you set up your own public key infrastructure (PKI), also known as a private PKI, the certificates you issue will only be trusted internally. For example, you can publish the root certification authority certificate into your Active Directory Domain Services (AD DS) and quickly have your organization’s computers trusting certificates issued by your PKI. However, external organizations, such as your customers and partners, would not (by default) trust the certificates issued by your PKI. This means they would see a validity or trust error message if they viewed or tried to validate a certificate issued by your PKI.
If, instead, you subordinate your PKI to one of the commercial root CAs trusted by Microsoft Windows installations, you do not have this problem. By default, Microsoft Windows ships with a set of predefined root CA certificates (well-known commercial root CAs) that are trusted on any Windows installation. For example, if you access the https://login.live.com/ web site, no additional action is required from the user, because its SSL certificate is issued by a trusted CA.
Conversely, if a remote user accesses a web site that uses an SSL certificate from a private PKI, the user receives an error message indicating a certificate trust problem. When a user application (such as Internet Explorer) does not trust a PKI, an error message is presented each time a certificate from that private PKI is presented to the user.

To overcome such an issue, you may decide to implement a PKI that utilizes the trust of a well-known and trusted PKI. This allows your organization to issue certificates that can be trusted and recognized worldwide.

Target Audience for Certification Authority Root Signing

The target audience for CA root signing is organizations that require a large number of digital certificates to be considered as universally trusted. These organizations should have or be planning to have a certificate management strategy, tools, and expertise to perform internal certificate management.

Even if an organization fits that description, it does not necessarily mean that its PKI requires external signing. In most cases it is reasonable to implement a private PKI for organization-wide purposes only, and to purchase individual certificates from a commercial CA for the specific uses that require external trust. For example, an organization may buy an SSL certificate for a commerce web site and use its own PKI for securing communication with its internal web sites. However, if the management effort and cost of individual certificate purchases are significant enough, an organization may want to compare them with the cost of a PKI that is subordinate to, and trusted through, a commercial CA.

How much does it cost?

There is no publicly available information about service pricing. Because a PKI signed by an external root is eligible to issue an almost unlimited number of certificates to your company*, the Root Signing service is provided on an annual contract with a defined price, and the price is quite high.
Note: Root Signing is implemented in a Qualified Subordination or Cross-Certification form. This means that your PKI (under an external root) will be eligible to issue certificates only for a set of specified purposes, such as Server/Client Authentication, Code/Document/Email signing and so on. In addition, your CA will be restricted to issuing certificates for the domains owned by the trusted organization. This includes an inherent limitation on issuing certificates to third-party domains without mutual agreement with all relying parties.
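The restrictions that a qualified-subordination or cross-certification agreement imposes are carried in the subordinate CA certificate itself (Basic Constraints, EKU, Name Constraints, Certificate Policies), so they can be checked against the agreement. The following PowerShell is an added example, not part of the original article; it reads a CA certificate from a placeholder file path and summarises those extensions, warning when a CA certificate carries no Name Constraints at all.

```powershell
# Added example (not from the original article): summarise the constraint extensions that a
# qualified-subordination / cross-certified CA certificate carries. The file path is a placeholder.
function Get-CaConstraintSummary {
    param([Parameter(Mandatory)][string]$Path)

    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)

    # Extensions a root-signing agreement normally pins down for the subordinate CA.
    $watched = [ordered]@{
        '2.5.29.19' = 'BasicConstraints'     # CA flag and path length
        '2.5.29.37' = 'EnhancedKeyUsage'     # purposes the subordinate may issue for
        '2.5.29.30' = 'NameConstraints'      # DNS/UPN/email namespaces it may issue for
        '2.5.29.32' = 'CertificatePolicies'  # policy OIDs / CPS pointer it asserts
        '2.5.29.36' = 'PolicyConstraints'
    }

    $summary = [ordered]@{ Subject = $cert.Subject; Issuer = $cert.Issuer; NotAfter = $cert.NotAfter }
    foreach ($oid in $watched.Keys) {
        $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
        # Format($true) asks the platform decoder for a multi-line rendering of the DER value.
        $summary[$watched[$oid]] = if ($ext) { $ext.Format($true).Trim() } else { '(absent)' }
    }

    # A CA certificate without Name Constraints is not limited to the organisation's own domains,
    # so flag it: the agreement described above expects that limitation to be present.
    $bc = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    if ($bc -and $bc.CertificateAuthority -and $summary.NameConstraints -eq '(absent)') {
        Write-Warning "$($cert.Subject) is a CA certificate without a Name Constraints extension."
    }
    [pscustomobject]$summary
}

# Placeholder path: point it at the cross-certificate your external root issued to your CA.
Get-CaConstraintSummary -Path 'C:\pki\IssuingCA-crosscert.cer' | Format-List
```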

Are there any requirements to implement an external root?

In all cases where commercial Certification Authorities define special requirements for an organization’s PKI to be trusted, these requirements typically include:

  • all CAs in your PKI must use Hardware Security Modules (HSMs) to protect CA keys from tampering and theft;
  • in most cases you will have to define and follow your own Certificate Practice Statement (CPS);
  • in most cases your company will have to pass annual external audits to prove that it conforms with its CPS and with the certificate security requirements;
  • additional requirements may apply.

For example, a brief service description can be found on the TrustCenter web site (PDF document): http://www.trustcenter.de/media/TCRootSign-StatementServices-0907-en.pdf

Which commercial CAs provide a Root Signing service?

A number of commercial CAs offer this type of service, including but not limited to (in no particular order):

Source: http://social.technet.microsoft.com/wiki/contents/articles/5973.certification-authority-root-signing.aspx

Certificate Templates and their Storage within Active Directory

Applies to Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012
Enterprise certification authority (CA) and Active Directory Domain Services (AD DS)

Location of certificate templates in the Configuration container

When a certificate template is defined, its definition must be available to all CAs in the forest. This is accomplished by storing the certificate template information in the Configuration naming context (CN=Configuration,DC=ForestRootName). The following example demonstrates how to view the stored certificate templates in AD DS:
Note: In the following example, the "ForestRootName" is Contoso.local, and I executed the adsiedit.msc MMC snap-in on a server with the AD DS role installed.

The replication of this information depends on the Active Directory replication schedule, and the certificate template may not be available to all CAs until replication is completed. The storage and replication are accomplished automatically.
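The same objects adsiedit.msc shows can be read with the ActiveDirectory module. The following PowerShell is an added example, not from the original article; it assumes that module is present, uses the well-known CN=Public Key Services,CN=Services container under the Configuration naming context, and takes an optional -Server so the output of two domain controllers can be compared while replication is still in progress.

```powershell
# Added example (not from the original article): list the certificate templates stored in the
# Configuration naming context and which enterprise CA publishes each one.
Import-Module ActiveDirectory

function Get-ForestCertificateTemplate {
    # -Server queries a specific DC; run against two DCs to confirm template replication has completed.
    param([string]$Server)
    $ad = @{}
    if ($Server) { $ad.Server = $Server }

    # CN=Configuration,DC=<ForestRootName> is read from the RootDSE, so no forest name is hard-coded.
    $configNC = (Get-ADRootDSE @ad).configurationNamingContext
    $pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

    # Each pKIEnrollmentService object is an enterprise CA; its certificateTemplates attribute
    # lists the templates that CA publishes for enrollment.
    $publishedBy = @{}
    Get-ADObject @ad -SearchBase "CN=Enrollment Services,$pkiBase" `
        -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
        ForEach-Object {
            $ca = $_.Name
            foreach ($t in $_.certificateTemplates) {
                if (-not $publishedBy.ContainsKey($t)) { $publishedBy[$t] = @() }
                $publishedBy[$t] += $ca
            }
        }

    # The template definitions themselves live one container over, in CN=Certificate Templates.
    Get-ADObject @ad -SearchBase "CN=Certificate Templates,$pkiBase" `
        -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties displayName, 'msPKI-Template-Schema-Version', whenChanged |
        ForEach-Object {
            [pscustomobject]@{
                Name          = $_.Name
                DisplayName   = $_.displayName
                SchemaVersion = $_.'msPKI-Template-Schema-Version'
                PublishedBy   = if ($publishedBy.ContainsKey($_.Name)) { $publishedBy[$_.Name] -join ', ' } else { '(not published)' }
                WhenChanged   = $_.whenChanged   # differs between DCs until replication has completed
            }
        }
}

Get-ForestCertificateTemplate | Sort-Object Name | Format-Table -AutoSize
```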

Source: http://social.technet.microsoft.com/wiki/contents/articles/8464.certificate-templates-and-their-storage-within-active-directory.aspx

Test Lab Guide Mini-Module: Cross-Forest Certificate Enrollment using Certificate Enrollment Web Services

Applies to Windows Server 2012 and Windows 8

This Test Lab Guide Mini-Module describes how to deploy certificates between Active Directory Domain Services (AD DS) forests using Certificate Enrollment Web Services. In this Test Lab Guide you will learn how to obtain certificates in one AD DS domain for use in a different AD DS domain. You will also learn how to configure Certificate Enrollment Web Services and Group Policy to automatically renew the certificates between domains.


Prerequisites

Requirements before you start this mini-module:

  1. Use the Test Lab Guide: Windows Server 2012 Base Configuration to install DC1 and APP1. You can install the other computers, but you will not need them for this lab.
  2. Complete Steps 3 through 5 of the Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy. You can perform all the steps, but you will not need all of them to complete this lab.
  3. Complete Steps 2 through 5 of the Test Lab Guide: Demonstrating Certificate Key-Based Renewal. You can perform all the steps, but you will not need all of them to complete this lab.

Configuration

The configuration that you will prepare consists of two AD DS forests: corp.contoso.com (created using the Base Configuration) and Litwareinc.com (created in this TLG mini-module). In the prerequisite configuration you install a two-tier public key infrastructure (PKI) hierarchy and configure Certificate Enrollment Web Services. Ultimately, you will have two AD DS forests and will see how to enroll for computer certificates between them. You will also be able to test a new feature added to Windows Server 2012 and Windows 8 called key-based renewal. The computer certificates you obtain will be for the computers in the Litwareinc.com forest. There is no need for a forest trust between the two forests.

Install and configure Litwareinc.com

Litwareinc.com will be the forest that has a web server to which you will deploy an SSL certificate from APP1.corp.contoso.com. To get to that point, you must first create the new forest and DNS structure.

Install the operating system on Litwareinc-DC1

To install the operating system on Litwareinc-DC1

  1. Start the installation of Windows Server 2012 Standard.
  2. Follow the instructions to complete the installation, specifying Windows Server 2012 Standard (full installation) and a strong password for the local Administrator account. Log on using the local Administrator account.
  3. Connect Litwareinc-DC1 to a network that has Internet access and run Windows Update to install the latest updates for Windows Server 2012.
  4. Connect Litwareinc-DC1 to the Corpnet subnet.

Configure the TCP/IP properties on Litwareinc-DC1

Next, configure the TCP/IP protocol with a static IP address of 10.0.0.7 and the subnet mask of 255.255.255.0.

To configure TCP/IP on Litwareinc-DC1

  1. In Server Manager, click Local Server in the console tree. Click the link next to Ethernet in the Properties tile. Note that the "Ethernet" interface name may be different on your computer. Note: The link may not immediately appear. Wait for the network interfaces to be enumerated.
  2. In Network Connections, right-click Ethernet, and then click Properties.
  3. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
  4. Select Use the following IP address. In IP address, type 10.0.0.7. In Subnet mask, type 255.255.255.0. Select Use the following DNS server addresses. In Preferred DNS server, type 127.0.0.1.
  5. Click OK and then close the Ethernet Properties dialog.
  6. Close the Network Connections window.
  7. In Server Manager, click Local Server in the console tree. Click the link next to Computer name in the Properties tile.
  8. On the Computer Name tab of the System Properties dialog, click Change.
  9. In Computer name, type Litwareinc-DC1, click OK twice, and then click Close. When you are prompted to restart the computer, click Restart Now.
  10. After restarting, sign in using the local Administrator account.

The following Windows PowerShell commands, run at an administrator-level Windows PowerShell command prompt, perform the same function as the preceding procedure. Note that the "Ethernet" interface name may be different on your computer. Use the ipconfig /all command to list the interfaces.

New-NetIPAddress 10.0.0.7 -InterfaceAlias "Ethernet" -PrefixLength 24

Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 127.0.0.1

Rename-Computer Litwareinc-DC1

Restart-Computer

Configure Litwareinc-DC1 as a domain controller and DNS server

To configure Litwareinc-DC1 as a domain controller and DNS server

  1. Open Server Manager.
  2. On the Dashboard screen, under Configure this local server, click Add roles and features.
  3. Click Next three times to get to the server role selection screen.
  4. In the Select Server Roles dialog, select Active Directory Domain Services. Click Add Features when prompted, and then click Next.
  5. In the Select features page, click Next.
  6. In the Active Directory Domain Services page, click Next.
  7. In the Confirm installation selections page, click Install. Wait for the installation to complete.
  8. In the Installation Progress dialog, click the Promote this server to a Domain Controller link.
  9. In the Deployment Configuration page, select Add a new forest. In the Root domain name field, type litwareinc.com. Click Next.
  10. In the Domain Controller Options dialog, leave the default values, specify a strong DSRM password twice, and then click Next four times to accept default settings for DNS, NetBIOS, and directory paths.
  11. In the Review Options dialog, review your selections and then click Next.
  12. In the Prerequisites Check dialog, allow the validation to complete and verify that no errors are reported. Since this is the first DNS server deployment in the forest, you can safely ignore all warnings regarding DNS delegation. Click Install to start the domain controller promotion. Allow the installation to complete.
  13. Allow the domain controller to restart. After the server restarts, log on using the LITWAREINC\Administrator credentials.

The following Windows PowerShell commands, run at an administrator-level Windows PowerShell command prompt, perform the same function as the preceding procedure.

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

Install-ADDSForest -DomainName litwareinc.com

Create a user account in AD DS on Litwareinc-DC1

To create a user account in AD DS

  1. From the Server Manager screen, click Active Directory Administrative Center.
  2. In the console tree, click the arrow to expand litwareinc (local), and then double-click Users.
  3. In the Tasks pane, click New, and then click User.
  4. In the Create User page, type User1 next to Full name and type User1 next to User SamAccountName logon: litwareinc\.
  5. In Password, type the password that you want to use for this account, and in Confirm password, type the password again.
  6. Under Password options, select Other password options, and select Password never expires.
  7. Scroll down to access the Member of section of the Create User page, and click Add. Type Domain Admins; Enterprise Admins, and then click OK.
  8. Click OK to close the Create User dialog.
  9. Exit the Active Directory Administrative Center.

The following Windows PowerShell commands, run at an administrator-level Windows PowerShell command prompt, perform the same function as the preceding procedure. Note that the first command results in a prompt to supply the User1 account password.

New-ADUser -SamAccountName User1 -AccountPassword (Read-Host "Set user password" -AsSecureString) -Name "User1" -Enabled $true -PasswordNeverExpires $true -ChangePasswordAtLogon $false

Add-ADPrincipalGroupMembership -Identity "CN=User1,CN=Users,DC=litwareinc,DC=com" -MemberOf "CN=Enterprise Admins,CN=Users,DC=litwareinc,DC=com","CN=Domain Admins,CN=Users,DC=litwareinc,DC=com"

Install and configure Litwareinc-Web1

Litwareinc-Web1 will be configured as a web server in the litwareinc.com domain. Litwareinc-Web1 will be used to make certificate requests from the issuing CA in corp.contoso.com: APP1.

Install the operating system on Litwareinc-Web1

Next, install the operating system on Litwareinc-Web1.

To install the operating system on Litwareinc-Web1

  1. Start the installation of Windows Server 2012 Standard.
  2. Follow the instructions to complete the installation, specifying a strong password for the local Administrator account. Log on using the local Administrator account.
  3. Connect Litwareinc-Web1 to a network that has Internet access and run Windows Update to install the latest updates for Windows Server 2012.
  4. Connect Litwareinc-Web1 to the Corpnet subnet.

Configure the TCP/IP properties on Litwareinc-Web1

Next, configure the TCP/IP protocol with a static IP address of 10.0.0.8 and the subnet mask of 255.255.255.0.

To configure TCP/IP protocol for Litwareinc-Web1

  1. In Server Manager, click Local Server in the console tree. Click the link next to Ethernet in the Properties tile. Note that the "Ethernet" interface name may be different on your computer.
  2. In Network Connections, right-click Ethernet, and then click Properties.
  3. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
  4. Select Use the following IP address. In IP address, type 10.0.0.8. In Subnet mask, type 255.255.255.0.
  5. Select Use the following DNS server addresses. In Preferred DNS server, type 10.0.0.7.
  6. Click OK, and then click Close. Close the Network Connections window.
  7. From Windows PowerShell, type ping dc1.litwareinc.com in the command prompt window and press ENTER.
  8. Verify that there are four replies from 10.0.0.7.
  9. Close the Windows PowerShell prompt.

The following Windows PowerShell commands, run at an administrator-level Windows PowerShell command prompt, perform the same function as the preceding procedure. The "Ethernet" interface name may be different on your computer. Use ipconfig /all to list the interfaces.

New-NetIPAddress 10.0.0.8 -InterfaceAlias "Ethernet" -PrefixLength 24

Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 10.0.0.7

Join Litwareinc-Web1 to the Litwareinc.com domain

To join Litwareinc-Web1 to the Litwareinc domain

  1. In Server Manager, click Local Server in the console tree. Click the link next to Computer name in the Properties tile.
  2. In the System Properties dialog box, on the Computer Name tab, click Change.
  3. In Computer Name, type Litwareinc-Web1. Under Member of, click Domain, and then type Litwareinc.com.
  4. Click OK.
  5. When you are prompted for a user name and password, type litwareinc\User1 and its password, and then click OK.
  6. When you see a dialog box welcoming you to the litwareinc.com domain, click OK.
  7. When you are prompted that you must restart the computer, click OK.
  8. On the System Properties dialog box, click Close.
  9. When you are prompted to restart the computer, click Restart Now.
  10. After the computer restarts, click the Switch User arrow icon, then click Other User and log on to the LITWAREINC domain with the User1 account.

The following Windows PowerShell commands, run at an administrator-level Windows PowerShell command prompt, perform the same function as the preceding procedure. You must supply the User1 account domain credentials after entering the Add-Computer command.

Add-Computer -NewName Litwareinc-Web1 -DomainName litwareinc.com -Credential litwareinc\user1

Restart-Computer

Install the Web Server (IIS) role on Litwareinc-Web1

Next, install the Web Server (IIS) role to make Litwareinc-Web1 a web server.

To install the Web Server (IIS) server role

  1. Sign in as User1 in the Litwareinc domain. In the Dashboard console of Server Manager, click Add roles and features.
  2. Click Next three times to get to the server role selection screen.
  3. In the Select Server Roles page, select Web Server (IIS), and then click Next.
  4. Click Next three times to accept the default Web Server role settings, and then click Install.
  5. Allow the installation to complete, and then click Close.

The following Windows PowerShell command, run at an administrator-level Windows PowerShell command prompt, performs the same function as the preceding procedure.

Install-WindowsFeature Web-WebServer -IncludeManagementTools

Configure DNS conditional forwarding for both forests

To ensure name resolution between the AD DS forests, you must configure DNS conditional forwarding between the DNS servers of each forest.

Configure DNS conditional forwarding on the corp.contoso.com domain

To configure DNS Conditional Forwarding for the corp.contoso.com domain:

  1. On DC1, ensure that you sign in as corp\User1.
  2. In Server Manager, click Tools and then click DNS.
  3. In the navigation pane, expand DC1, right-click Conditional Forwarders, and then click New Conditional Forwarder.
  4. In the New Conditional Forwarder dialog box, under DNS Domain, type litwareinc.com.
  5. Under IP addresses of the master servers, type 10.0.0.7, press ENTER, and then click OK.

The following Windows PowerShell command, run at an administrator-level Windows PowerShell command prompt, performs the same function as the preceding procedure.

Add-DnsServerConditionalForwarderZone -Name litwareinc.com -MasterServers 10.0.0.7

Configure DNS conditional forwarding on the litwareinc.com domain

To configure DNS conditional forwarding for the litwareinc.com domain:

  1. On Litwareinc-DC1, ensure that you sign in as litwareinc\User1.
  2. In Server Manager, click Tools and then click DNS.
  3. In the navigation pane, expand Litwareinc-DC1, right-click Conditional Forwarders, and then click New Conditional Forwarder.
  4. In the New Conditional Forwarder dialog box, under DNS Domain, type corp.contoso.com.
  5. Under IP addresses of the master servers, type 10.0.0.1, press ENTER, and then click OK.

The following Windows PowerShell command, run at an administrator-level Windows PowerShell command prompt, performs the same function as the preceding procedure.

Add-DnsServerConditionalForwarderZone -Name corp.contoso.com -MasterServers 10.0.0.1

Create a new GPO in Litwareinc.com

To create a Group Policy Object (GPO) to allow clients in Litwareinc.com to contact the CA in corp.contoso.com for certificates

  1. On Litwareinc-DC1, ensure that you sign in as litwareinc\User1.
  2. In Server Manager, click Tools and then click Group Policy Management.
  3. In Group Policy Management, expand Forest: litwareinc.com and Domains.
  4. Right-click litwareinc.com and then click Create a GPO in this domain, and Link it here.
  5. In the New GPO dialog box, under Name, type SSL Certificate Policy and then click OK.
  6. In the Group Policy Management navigation pane, right-click SSL Certificate Policy and then click Edit.
  7. Under Computer Configuration, expand Policies, expand Windows Settings, Security Settings, and Public Key Policies.
  8. Insert the removable media that contains the certificate of the Contoso Root CA.
  9. Right-click Trusted Root Certification Authorities and then click Import.
  10. On the Welcome to the Certificate Import Wizard page, click Next.
  11. On the File to Import screen, click Browse. Use the Open dialog box to locate the removable media that contains the orca1_ContosoRootCA certificate, select the certificate, and then click Open.
  12. On the File to Import page, click Next.
  13. On the Certificate Store page, click Next.
  14. On the Completing the Certificate Import Wizard page, click Finish.
  15. When you see that the import was successful, click OK. Do not close the Group Policy Management Editor.
  16. Open Windows PowerShell as an Administrator and run the following command: gpupdate /force. Wait for the update to complete successfully.
  17. Return to the Group Policy Management Editor, in the navigation pane, click Public Key Policies.
  18. In the details pane, under Object Type, double-click Certificate Services Client – Certificate Enrollment Policy.
  19. In the Certificate Services Client – Certificate Enrollment Policy dialog box, in Configuration Model, select Enabled.
  20. Under Certificate enrollment policy list, click Add.
  21. In the Certificate Enrollment Policy Server dialog box, under Enter enrollment policy server URI, type: https://cep1.corp.contoso.com/KeybasedRenewal_ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP
  22. Under Authentication type, select Username/password and then click Validate Server.
  23. In the Windows Security dialog box, enter User1 for User name and type the appropriate password for Password (this should be the password for User1 in corp.contoso.com), and then click OK. If the operation times out, try again. It sometimes takes a few tries to validate the server.
  24. Select Priority. Set the priority to 2. Click Add. You are setting the priority to 2 because later you will add the X.509 Certificate authentication and set that for a priority of 1, which means that X.509 Certificate authentication will be preferred over Username/Password authentication.
  25. On the Certificate Services Client – Certificate Enrollment Policy dialog box, under Certificate enrollment policy list, clear the Default checkbox next to Active Directory Enrollment Policy. Select the checkbox next to the SSL Server Certificates policy. Click OK.
  26. In the Group Policy Management Editor details pane, under Object Type, double-click Certificate Services Client – Auto-Enrollment.
  27. In the Certificate Services Client – Auto-Enrollment dialog box, next to Configuration Model, select Enabled.
  28. Select Renew expired certificates, update pending certificates, and remove revoked certificates.
  29. Select Update certificates that use certificate templates and then click OK.
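The guide gives no PowerShell equivalent for this GPO, but the same settings can be applied directly to one litwareinc.com computer. The following PowerShell is an added example, not part of the original Test Lab Guide; it assumes the Contoso root certificate sits at the placeholder path D:\orca1_ContosoRootCA.cer and uses the lab's enrollment policy URL and corp.contoso.com\User1 credentials.

```powershell
# Added example (not from the original Test Lab Guide): per-computer equivalent of the
# SSL Certificate Policy GPO for a single litwareinc.com computer. The .cer path is a placeholder.
$rootCerPath = 'D:\orca1_ContosoRootCA.cer'   # Contoso Root CA certificate on the removable media
$cepUrl      = 'https://cep1.corp.contoso.com/KeybasedRenewal_ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP'

# Steps 8-15: trust the Contoso root so certificates issued by IssuingCA-APP1 chain successfully.
Import-Certificate -FilePath $rootCerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Steps 18-24: register the Contoso enrollment policy server for the computer context, using
# username/password authentication with the corp.contoso.com User1 account.
$corpUser1 = Get-Credential -Message 'corp.contoso.com\User1'
Add-CertificateEnrollmentPolicyServer -Url $cepUrl -Context Machine -Credential $corpUser1 -AutoEnrollmentEnabled

# Steps 26-29: the Auto-Enrollment policy (enabled, renew expired / update pending / remove
# revoked, update templates) is the AEPolicy value 7 under the Cryptography\AutoEnrollment policy key.
$aeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
New-Item -Path $aeKey -Force | Out-Null
Set-ItemProperty -Path $aeKey -Name AEPolicy -Value 7 -Type DWord

# Verify: the Contoso server now appears among the policy servers configured for the computer.
Get-CertificateEnrollmentPolicyServer -Scope Configured -Context Machine | Format-List
```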

Obtain an SSL certificate across the forest

In this section of the lab you will use Litwareinc-Web1 to cross the forest boundary and obtain an SSL certificate from the CA in corp.contoso.com.

Request a certificate from Litwareinc-Web1

Next, you will enroll for an SSL certificate from APP1.corp.contoso.com using Litwareinc-Web1.

  1. Ensure that you sign in on Litwareinc-Web1 as Litwareinc\User1.
  2. Open Windows PowerShell as an administrator and run gpupdate /force.
  3. Once the update is complete, run mmc.
  4. Click File and then click Add/Remove Snap-in.
  5. In Available snap-ins, click Certificates and then click Next.
  6. In the Certificates snap-in dialog box, select Computer account, and then click Next.
  7. On Select Computer click Finish. Click OK.
  8. In the Console1 navigation pane, expand Certificates (Local Computer).
  9. Right-click Personal, click All Tasks, and then click Request New Certificate.
  10. On the Before You Begin page, click Next.
  11. On the Select Certificate Enrollment Policy page, ensure that SSL Server Certificates is selected. Click Next.
  12. In the Windows Security dialog box, type User1 and the password for the corp.contoso.com User1 account. If the operation times out, try again. It sometimes takes a few tries to connect to the server.
  13. On the Request Certificates screen, under SSL Server Certificates, select Internet Server.
  14. Click the link that reads More information is required to enroll for this certificate. Click here to configure settings.
  15. In Certificate Properties, in the Subject tab, under Subject name, set Type to Common name and then in Value type Litwareinc-Web1. Click Add. Under Alternative name, set Type to DNS and in Value type Litwareinc-Web1.litwareinc.com and then click OK. Click Add. Click OK. Click Enroll.
  16. On the Windows Security dialog box, enter User1 and the appropriate password for User1 in the corp.contoso.com domain. If it does not work the first time, try again.
  17. Once you have successfully enrolled for the certificate, click Finish.

The following Windows PowerShell commands, run at an administrator-level Windows PowerShell command prompt, perform the same function as the preceding procedure.

Get-Certificate -Template InternetServer -Url "https://cep1.corp.contoso.com/KeybasedRenewal_ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP" -SubjectName "CN=Litwareinc-Web1" -DnsName "Litwareinc-Web1.litwareinc.com" -Credential (Get-Credential) -CertStoreLocation "Cert:\LocalMachine\My"

Issue the certificate

Next, you will use APP1 in the corp.contoso.com domain to issue the certificate.

To issue the certificate:

  1. Ensure that you sign in using Corp\User1 on APP1.
  2. Open the Certification Authority console, ensure that IssuingCA-APP1 is expanded.
  3. In the navigation pane, click Pending Requests.
  4. In the details pane, right-click the certificate request from Litwareinc-Web1, click All Tasks, and then click Issue.

Retrieve the certificate on Litwareinc-Web1

Next, retrieve the certificate using Litwareinc-Web1.

To retrieve the certificate

  1. On Litwareinc-Web1, in the Console1 navigation pane, right-click Certificates (Local Computer), click All Tasks, and then click Automatically Enroll and Retrieve Certificates.
  2. On the Before You Begin page, click Next.
  3. On the Request Certificates page, ensure that Internet Server is selected, and then click Enroll. If the operation times out, retry. It sometimes takes a couple of tries. If you are asked to enter credentials, ensure that you enter the user name and password for User1 of the corp.contoso.com domain.
  4. Once the enrollment succeeds, click Finish.
  5. In the Console1 navigation pane, expand Personal and then click Certificates. In the details pane the certificate issued to Litwareinc-Web1 is visible.

The following Windows PowerShell commands, run at an administrator-level Windows PowerShell command prompt, perform the same function as the preceding procedure.

Set-Location Cert:\LocalMachine\Request

Get-ChildItem | Get-Certificate -Credential (Get-Credential)
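Before moving on to renewal, it is worth confirming what was actually issued across the forest boundary. The following PowerShell is an added example, not part of the original Test Lab Guide; it assumes the lab names used above and that the Contoso root's subject contains the string ContosoRootCA (adjust $ExpectedRoot to your root), and checks the chain, SAN, EKU, private key and remaining lifetime of the certificate in the computer's Personal store.

```powershell
# Added example (not from the original Test Lab Guide): verify the certificate Litwareinc-Web1
# obtained from IssuingCA-APP1 in corp.contoso.com. $ExpectedRoot is an assumed substring of the
# Contoso root's subject name.
function Test-CrossForestCertificate {
    param(
        [string]$SubjectCN    = 'Litwareinc-Web1',
        [string]$ExpectedSan  = 'Litwareinc-Web1.litwareinc.com',
        [string]$ExpectedRoot = 'ContosoRootCA'
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth, what an SSL server certificate needs

    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$SubjectCN" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with subject CN=$SubjectCN in Cert:\LocalMachine\My" }

    # Chain building needs the Contoso root in Trusted Root (delivered by the GPO) and the Contoso
    # CRL/AIA locations to resolve from litwareinc.com (which is why the DNS conditional forwarders exist).
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # Subject Alternative Name (2.5.29.17) rendered as one line, e.g. "DNS Name=litwareinc-web1.litwareinc.com".
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }

    # Enhanced Key Usage (2.5.29.37) is returned as a typed extension with an OID collection.
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasServerAuth = [bool]($ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid }))

    [pscustomobject]@{
        Thumbprint     = $cert.Thumbprint
        Issuer         = $cert.Issuer
        ChainValid     = $chainOk
        ChainStatus    = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        RootIsExpected = ($root.Subject -like "*$ExpectedRoot*")
        SanHasFqdn     = ($sanText -match [regex]::Escape($ExpectedSan))
        ServerAuthEku  = $hasServerAuth
        HasPrivateKey  = $cert.HasPrivateKey     # needed to sign the key-based renewal request later
        DaysToExpiry   = [int]($cert.NotAfter - (Get-Date)).TotalDays
    }
}

Test-CrossForestCertificate | Format-List
```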

So far this lab has demonstrated how to get a certificate from a CA in one forest to a client computer in another forest. However, it has yet to cover the case of renewal. You can certainly renew the certificate manually using the Certificates snap-in or the Windows PowerShell commands. However, you can also configure the computer to use key-based renewal, in which the certificate it already has is used to authenticate the request for its renewal. You can do this by configuring Group Policy on the local computer or on the domain controller to allow for certificate enrollment. The following sections describe how to implement this using the SSL Certificate Policy that was created earlier.

Configure the Litwareinc.com domain GPO to allow for certificate key-based renewal

To configure the Litwareinc.com domain to allow for certificate key-based renewal, you must first obtain a certificate for the domain controller from the corp.contoso.com public key infrastructure. This is needed because the domain controller must validate the policy that is to be distributed to the client computers in the domain.

Request a certificate for Litwareinc-DC1

In order to validate the GPO, you will need a certificate that allows for Workstation authentication. This is part of the enhanced key usage that was assigned to the Internet Server template on APP1.corp.contoso.com.

To request a certificate for Litwareinc-DC1

  1. On Litwareinc-DC1, ensure that you sign in as Litwareinc\User1.
  2. Open Windows PowerShell and run mmc.
  3. Click File and then click Add/Remove Snap-in.
  4. In Available snap-ins click Certificates and then click Next.
  5. In the Certificates snap-in dialog box, select Computer account, and then click Next.
  6. On Select Computer click Finish. Click OK.
  7. In the Console1 navigation pane, expand Certificates (Local Computer).
  8. Right-click Personal, click All Tasks, and then click Request New Certificate.
  9. On the Before You Begin page, click Next.
  10. On the Select Certificate Enrollment Policy page, ensure that SSL Server Certificates is selected. Click Next.
  11. In the Windows Security dialog box, type User1 and the password for the corp.contoso.com User1 account. If the operation times out, try again. It sometimes takes a few tries to connect to the server.
  12. On the Request Certificates screen, under SSL Server Certificates, select Internet Server.
  13. Click the link that reads More information is required to enroll for this certificate. Click here to configure settings.
  14. In Certificate Properties, in the Subject tab, under Subject name, set Type to Common name and then in Value type Litwareinc-DC1. Click Add. Under Alternative name, set Type to DNS and in Value type Litwareinc-DC1.litwareinc.com and then click OK. Click Add. Click OK. Click Enroll.
  15. On the Windows Security dialog box, enter User1 and the appropriate password for User1 in the corp.contoso.com domain. If it does not work the first time, try again.
  16. Once you have successfully enrolled for the certificate, click Finish.

The following Windows PowerShell commands, run at an administrator-level Windows PowerShell command prompt, perform the same function as the preceding procedure.

Get-Certificate -Template InternetServer -Url "https://cep1.corp.contoso.com/KeybasedRenewal_ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP" -SubjectName "CN=Litwareinc-DC1" -DnsName "Litwareinc-DC1.litwareinc.com" -Credential (Get-Credential) -CertStoreLocation "cert:\LocalMachine\My"

Approve the certificate request

Next, you must approve the certificate request on APP1.

To approve the certificate request

  1. Ensure that you are signed in as Corp\User1 on APP1.
  2. Open the Certification Authority console, ensure that IssuingCA-APP1 is expanded.
  3. In the navigation pane, click Pending Requests.
  4. In the details pane, right-click the certificate request from Litwareinc-DC1, click All Tasks, and then click Issue.

Retrieve the certificate on Litwareinc-DC1

Next, retrieve the certificate on Litwareinc-DC1.

To retrieve the certificate

  1. In Litwareinc-DC1, in the Console1 navigation pane, right-click Certificates (Local Computer), click All Tasks, and then click Automatically Enroll and Retrieve Certificates.
  2. On the Before You Begin page, click Next.
  3. On the Request Certificates page, ensure that Internet Server is selected, and then click Enroll. If the operation times out, retry. It sometimes takes a couple of tries. If you are asked to enter credentials, ensure that you enter the user name and password for User1 of the corp.contoso.com domain.
  4. Once the enrollment succeeds, click Finish.
  5. In the Console1 navigation pane, expand Personal and then click Certificates. In the details pane the certificate issued to Litwareinc-DC1 is visible.

The following Windows PowerShell commands, run at an administrator-level Windows PowerShell command prompt, perform the same function as the preceding procedure.

Cd Cert:\LocalMachine\Request

Dir | Get-Certificate -Credential (Get-Credential)

Modify GPO to allow for certificate key-based renewal

Next, you will modify the SSL Certificate Policy GPO that you created earlier in this lab. This time you will add the enrollment policy server address that uses the X.509 Certificate authentication type.

To modify the SSL Certificate Policy GPO

  1. Open the Group Policy Management console. Ensure that Domains and Litwareinc.com are expanded.
  2. Right-click the SSL Certificate Policy and then click Edit.
  3. Under Computer Configuration, expand Policies, Windows Settings, and Security Settings, and then click Public Key Policies.
  4. In the details pane, under Object Types, double-click Certificate Services Client – Certificate Enrollment Policy.
  5. Click Add.
  6. Under Enter enrollment policy server URI, type https://cep1.corp.contoso.com/KeyBasedRenewal_ADPolicyProvider_CEP_Certificate/service.svc/CEP
  7. Under Authentication type select X.509 Certificate and then click Validate server.
  8. Ensure that the Litwareinc-DC1 certificate is selected and then click OK. If the request times out, try again; it sometimes takes a few tries to validate the server.
  9. Select Priority. Ensure that priority is set to 1. Click Add.
  10. Click Properties. You should see that Username/password Authentication Type is set at a Priority of 2 and that X.509 Certificate Authentication Type is set at a Priority of 1. This means that X.509 Certificate authentication will be attempted first. Click OK.
  11. Close the Group Policy Management Editor.

Renew the certificate on Litwareinc-Web1

To simulate automated key-based renewal of the certificate for Litwareinc-Web1

  1. Open Windows PowerShell as an Administrator and run the following commands:
    • GPUpdate /force
    • Cd Cert:\LocalMachine\My
    • Dir | format-list
  2. Copy the certificate thumbprint from the output. (You can copy by selecting the text and right-clicking.)
  3. Run the following command to delete the policy cache:
    • certutil -f -policyserver * -policycache delete
  4. Run the following command to renew the certificate. Replace <thumbprint> with the actual characters of the certificate thumbprint that you copied. (You can paste by right-clicking.)
    • certreq -machine -q -enroll -cert <thumbprint> renew
    • Note: If the command times out, try again; it may take multiple tries to actually renew the certificate. You may also see an error that reads "Provider could not perform the action since the context was acquired as silent", which indicates that certificate authentication to the enrollment service failed. Even if you see that error, try again; eventually the renewal should succeed. Also check that the Certificate Enrollment Web Service (CES) was installed with both the -RenewalOnly and -AllowKeyBasedRenewal options of Install-AdcsEnrollmentWebService; this is needed for a silent (certreq -q) renewal to work.
  5. Run the following commands to see that the certificate thumbprint has changed because the certificate was renewed:
    • Cd Cert:\LocalMachine\My
    • Dir | format-list
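The renewal steps above as one script, added here as an example and not part of the original lab guide. It automates the retry the note warns about and proves the renewal actually happened by comparing thumbprints before and after. The subject name Litwareinc-Web1, the attempt count and the delay are assumptions; run it from an elevated PowerShell prompt on the machine that holds the certificate.

```powershell
# Added example (not from the original lab guide): key-based renewal with a bounded
# retry loop and a thumbprint check. Assumes an elevated prompt on the machine that
# holds the certificate and that $SubjectCn matches the certificate enrolled earlier.
param(
    [string]$SubjectCn   = 'Litwareinc-Web1',   # assumption: CN of the certificate to renew
    [int]$MaxAttempts    = 5,
    [int]$DelaySeconds   = 15
)

# Refresh policy so the X.509-authenticated CEP endpoint (priority 1) is in effect.
gpupdate /force | Out-Null

# Locate the current certificate by subject; fail clearly if it is not there.
$before = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$SubjectCn" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $before) { throw "No certificate with subject CN=$SubjectCn in LocalMachine\My" }
Write-Host "Current thumbprint : $($before.Thumbprint)  (expires $($before.NotAfter))"

# Drop the cached enrollment policy so the renewal re-reads the policy servers.
certutil -f -policyserver * -policycache delete | Out-Null

# certreq renew may time out, or fail with "context was acquired as silent", before it
# succeeds, so run it a bounded number of times instead of once.
$renewed = $false
for ($i = 1; $i -le $MaxAttempts -and -not $renewed; $i++) {
    Write-Host "Renewal attempt $i of $MaxAttempts ..."
    $output = certreq -machine -q -enroll -cert $before.Thumbprint renew 2>&1
    if ($LASTEXITCODE -eq 0) {
        $renewed = $true
    } else {
        Write-Warning ("certreq exit code {0}: {1}" -f $LASTEXITCODE, ($output | Out-String).Trim())
        Start-Sleep -Seconds $DelaySeconds
    }
}
if (-not $renewed) { throw "Renewal did not succeed after $MaxAttempts attempts" }

# Verify: a certificate with the same subject, a different thumbprint and a later
# NotAfter must now be in the store.
$after = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$SubjectCn" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
Write-Host "New thumbprint     : $($after.Thumbprint)  (expires $($after.NotAfter))"

if ($after.Thumbprint -eq $before.Thumbprint) {
    throw 'certreq reported success but the thumbprint did not change; the renewal did not happen'
}
if ($after.NotAfter -le $before.NotAfter) {
    Write-Warning 'The renewed certificate does not expire later than the old one; check the template validity period'
}
Write-Host 'Key-based renewal verified.'
```

The thumbprint comparison is the check that matters: a zero exit code from certreq on its own does not prove that a new certificate was issued, and with several policy servers configured it is easy to renew against the wrong one and not notice.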

Source: http://social.technet.microsoft.com/wiki/contents/articles/14715.test-lab-guide-mini-module-cross-forest-certificate-enrollment-using-certificate-enrollment-web-services.aspx

Troubleshooting Certificate Autoenrollment in Active Directory Certificate Services (AD CS)

These are the steps to troubleshoot autoenrollment problems. The basis for this article was produced by a veteran field troubleshooting engineer, Roger Grimes. The article assumes that certificates that a user or machine should be receiving automatically from an issuing CA on the network are not showing up in the end user's certificate store (that is, the Personal store in the Certificates console, certmgr.msc).

Verify Setup

  1. The issuing CA's computer account is a member of the Cert Publishers group for the domain. You can verify this with Active Directory Users and Computers (dsa.msc) by looking in the Users folder at the membership of Cert Publishers.
  2. Ensure that the Group Policy objects have autoenrollment enabled; see Configuring Group Policy for more information.
  3. The user or computer has Read, Enroll, and Autoenroll permissions on the certificate template being requested.
  4. You can run certutil.exe -template when logged in as the end user to see whether the end user has Read and Enroll permissions on each template (it will not reveal which templates the user has Autoenroll permission on).
  5. Make sure the certificate request is not in Pending or Failed status in the Certification Authority console.

Ensure Autoenrollment is enabled in Group Policy

  • View the effective GPOs (using Active Directory Users and Computers or the Group Policy Management console).
  • On the client computer, run rsop.msc and check both the user and the computer configuration objects.
  • RSoP results only show what was pushed by GPOs, not what was actually applied.
  • To see whether autoenrollment is actually turned on on the computer, check the following registry keys for a DWORD value named AEPolicy set to 7 (a value with the 0x8000 bit set means the policy was explicitly disabled):
    • HKEY_CURRENT_USER\Software\Policies\Microsoft\Cryptography\AutoEnrollment (for user certificates)
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Cryptography\AutoEnrollment (for computer certificates)
  • If no values are there, check the non-GPO locations (but that means the AD GPOs are not being applied):
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\AutoEnrollment
    • HKEY_CURRENT_USER\Software\Microsoft\Cryptography\AutoEnrollment

If none of these keys has AEPolicy = 7, autoenrollment is not turned on.
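The "Verify Setup" checks and the registry check above can be run from PowerShell instead of clicking through three consoles. The script below is an added example, not part of the original article: it reads AEPolicy from all four registry locations, checks the Cert Publishers membership, and reads the ACL of one certificate template to report whether the current user holds Read, Enroll and Autoenroll. The template name and CA computer name are placeholders; it uses ADSI only, so it needs no RSAT module, and it must run on a domain-joined machine as the user who should be autoenrolling.

```powershell
# Added example (not part of the original article): check the autoenrollment
# prerequisites from the two lists above with PowerShell. Assumptions: run on a
# domain-joined client as the user who should be autoenrolling; $TemplateName and
# $CaComputer are placeholders for your environment.
param(
    [string]$TemplateName = 'User',             # assumption: template cn (not display name)
    [string]$CaComputer   = 'IssuingCA-APP1'    # assumption: computer account of the issuing CA
)

# 1. AEPolicy: 7 = enroll + manage My store + fetch pending/renew; bit 0x8000 = disabled.
$aeKeys = @(
    'HKCU:\Software\Policies\Microsoft\Cryptography\AutoEnrollment',
    'HKLM:\Software\Policies\Microsoft\Cryptography\AutoEnrollment',
    'HKLM:\Software\Microsoft\Cryptography\AutoEnrollment',
    'HKCU:\Software\Microsoft\Cryptography\AutoEnrollment'
)
foreach ($k in $aeKeys) {
    $v = (Get-ItemProperty -Path $k -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $v)            { "$k : AEPolicy not set" }
    elseif ($v -band 0x8000)     { "$k : AEPolicy=0x{0:X} (disabled by policy)" -f $v }
    elseif (($v -band 7) -eq 7)  { "$k : AEPolicy=$v (fully enabled)" }
    else                         { "$k : AEPolicy=$v (partially enabled)" }
}

# 2. Cert Publishers must contain the issuing CA's computer account.
$rootDse   = [ADSI]'LDAP://RootDSE'
$defaultNC = $rootDse.defaultNamingContext.Value
$configNC  = $rootDse.configurationNamingContext.Value
$pubs      = [ADSI]"LDAP://CN=Cert Publishers,CN=Users,$defaultNC"
$isMember  = [bool](@($pubs.member) -match "^CN=$CaComputer,")
"Cert Publishers contains ${CaComputer}: $isMember"

# 3. Template ACL: the caller, or a group it belongs to, needs Read, Enroll and AutoEnroll.
#    Enroll and AutoEnroll are extended rights identified by these well-known GUIDs.
$enrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$autoEnrollGuid = [guid]'a05b8cc2-17bc-11d2-91e3-0000f87a57d4'   # Certificate-AutoEnrollment
$tmpl  = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$rules = $tmpl.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

# SIDs of the current user and its token groups, so group-based grants count.
$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($me.User) + @($me.Groups)
$rights = [System.DirectoryServices.ActiveDirectoryRights]

$have = @{ Read = $false; Enroll = $false; AutoEnroll = $false }
foreach ($r in $rules) {
    if ($r.AccessControlType -ne 'Allow') { continue }      # Deny ACEs are not evaluated here
    try   { $sid = $r.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
    catch { continue }                                       # unresolvable (orphaned) SID
    if ($mySids -notcontains $sid) { continue }
    if (($r.ActiveDirectoryRights -band $rights::GenericAll) -eq $rights::GenericAll) {
        $have.Read = $true; $have.Enroll = $true; $have.AutoEnroll = $true; continue
    }
    if (($r.ActiveDirectoryRights -band $rights::ReadProperty) -ne 0) { $have.Read = $true }
    if (($r.ActiveDirectoryRights -band $rights::ExtendedRight) -ne 0) {
        if ($r.ObjectType -eq $enrollGuid)     { $have.Enroll     = $true }
        if ($r.ObjectType -eq $autoEnrollGuid) { $have.AutoEnroll = $true }
        if ($r.ObjectType -eq [guid]::Empty)   { $have.Enroll = $true; $have.AutoEnroll = $true }  # all extended rights
    }
}
"Template $TemplateName for $($me.Name): Read=$($have.Read) Enroll=$($have.Enroll) AutoEnroll=$($have.AutoEnroll)"
```

The ACL walk only evaluates Allow ACEs against the caller's token groups; a Deny ACE higher in the list would still block enrollment, so treat a negative result as definitive and a positive one as "nothing obviously missing".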

Force Autoenrollment and View the Results

If the previous steps are set correctly, force autoenrollment and look in the Application log to see what happens when autoenrollment takes place. First, set a new registry value to turn on more detailed autoenrollment logging: in HKCU\Software\Microsoft\Cryptography\AutoEnrollment and HKLM\Software\Microsoft\Cryptography\AutoEnrollment, create a new DWORD value named AEEventLogLevel and set its value to 0.

Open up Application Log in Event Viewer (eventvwr.exe).

Force Autoenrollment:

gpupdate /force

In the Application event log, refresh the log to see what happens during autoenrollment.

Two computer autoenrollment messages (start, stop) should occur first, followed by two user autoenrollment messages (start, stop) within 30 seconds to 2 minutes. Any issued certificates should appear in the log as event ID 18 or 19. The start and stop messages are event IDs 2 and 3.

If there are any valid autoenrollment certificates to be issued, they should issue here.

Note: If the CA administrator configured the templates to not duplicate certificates if one already exists in Active Directory, you will have to delete the user’s certificate in Active Directory in order for Autoenrollment to pull down a new certificate.
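The forcing-and-watching procedure above in one script, added here as an example and not part of the original article. It sets AEEventLogLevel, triggers a run, waits for the events to arrive, and lists them in order with anything issued since the run started. The provider name filter is an assumption that covers both the XP-era "AutoEnrollment" source described above and the Microsoft-Windows-CertificateServicesClient-AutoEnrollment provider used by Vista and later; run it from an elevated prompt.

```powershell
# Added example (not part of the original article): verbose autoenrollment logging,
# a forced run, and the resulting Application-log events. Assumptions: elevated
# prompt; the provider name on this Windows version contains "AutoEnrollment".
$logKeys = @(
    'HKCU:\Software\Microsoft\Cryptography\AutoEnrollment',
    'HKLM:\Software\Microsoft\Cryptography\AutoEnrollment'
)
foreach ($k in $logKeys) {
    if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    # 0 = log everything, including informational start/stop and per-template decisions.
    Set-ItemProperty -Path $k -Name AEEventLogLevel -Value 0 -Type DWord
}

$start = Get-Date

# gpupdate refreshes policy and schedules autoenrollment; certutil -pulse kicks the
# autoenrollment task immediately for both the machine and the current user.
gpupdate /force | Out-Null
certutil -pulse | Out-Null

# Autoenrollment runs asynchronously; poll the log for up to two minutes.
$deadline = (Get-Date).AddMinutes(2)
do {
    Start-Sleep -Seconds 10
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = $start } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*AutoEnrollment*' }
} while (-not $events -and (Get-Date) -lt $deadline)

if (-not $events) {
    Write-Warning 'No autoenrollment events were logged. Check that AEPolicy is set and that the client can reach a CA.'
    return
}

# Keep chronological order and flag Critical (1), Error (2) and Warning (3) entries.
$events | Sort-Object TimeCreated | ForEach-Object {
    $flag = if ($_.Level -in 1, 2, 3) { '!!' } else { '  ' }
    '{0} {1:HH:mm:ss} Id={2,-4} {3}' -f $flag, $_.TimeCreated, $_.Id, (($_.Message -split "`r?`n")[0])
}

# Anything issued during the run should now be in the stores. The CA backdates
# NotBefore by 10 minutes for clock skew, so look back a little further than $start.
Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My |
    Where-Object { $_.NotBefore -ge $start.AddMinutes(-15) } |
    Format-Table Thumbprint, Subject, NotAfter -AutoSize
```

Leave AEEventLogLevel at 0 only while troubleshooting; on a busy machine the per-template messages are noisy, and deleting the value returns logging to the default.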

Troubleshooting GPO Errors

If you do see GPO errors, you can turn on Group Policy logging on the client. Trigger Group Policy manually (gpupdate /force), and then check the policy log.

For XP:

– Set the following registry flag:

  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  • Flag – DWORD: UserEnvDebugLevel
  • Value: 0x00030002

– Rename the current GPO log file, userenv.log, to userenv.old

Check the following log file for any errors: %windir%\debug\usermode\userenv.log

Source: http://social.technet.microsoft.com/wiki/contents/articles/3048.troubleshooting-certificate-autoenrollment-in-active-directory-certificate-services-ad-cs.aspx

How to Publish New Certificate Revocation List (CRL) from Offline Root CA to Active Directory and Inetpub

When building your Microsoft PKI (Public Key Infrastructure), it is highly recommended to take your Root CA offline after it has issued the Enterprise Sub CA certificates, and to minimize access to the offline Root CA as much as possible. The Root CA is not a domain-joined machine and can be turned off without any problem.


One of the key issues is the CRL generated by the Root CA. Set the CRL publication interval to a large value so that you do not need to copy the CRL to an online location frequently, and do not implement delta CRLs, because the publication of each delta CRL would require access to the offline Root CA in order to copy the delta CRL to an online publication location. To change the CRL interval:

  1. Turn on the Offline Root CA machine and login with local Admin account
  2. Open the Certification Authority Console
  3. Right Click on the "Revoked Certificates" and click Properties.
  4. Set CRL publication interval to a large value (the default is 1 week; 26 weeks is a common choice for an offline root) and clear the Publish Delta CRLs check box.

To publish a new CRL from the offline Root CA to the Enterprise Sub CA, do the following:

  1. Publish a new CRL on the Root CA: right-click "Revoked Certificates", point to All Tasks, and click Publish.
  2. Copy the CRL file from the Root CA, located under %systemroot%\system32\certsrv\certenroll, to the Sub CA server.
  3. Turn off the Root CA.
  4. Copy the file to the InetPub folder (HTTP path) on the Sub CA server, which by default is C:\inetpub\wwwroot\certdata.
  5. Open an administrative command prompt and run the following command to publish it to Active Directory (LDAP path). The account you use must be able to write to the Public Key Services container in the Configuration partition (for example, a member of Enterprise Admins): certutil -f -dspublish "C:\Inetpub\wwwroot\certdata\RootCA.crl"


Because the Root CA is offline, renewing the CRL and publishing a new one is a manual process, which is why it is better to make the CRL publication interval longer than the default so that you do not have to do it often. You may also want to set an automated reminder before the next renewal date.
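Both halves of the procedure, the root-side CRL schedule and the sub-CA-side publication, as PowerShell functions. This is an added example and not part of the original article; the 26-week period, the file name RootCA.crl and the paths are assumptions taken from the steps above, so change them to match your CA names. It also covers the two failure modes the text hints at: it refuses to publish a CRL whose NextUpdate has already passed, and it registers the reminder the last paragraph recommends as a one-shot scheduled task. Run from an elevated prompt; on the sub CA, -dspublish needs an account that can write to the Configuration partition.

```powershell
# Added example (not part of the original article): root-side CRL schedule and
# sub-CA-side publication. Assumptions: elevated prompt; paths, CRL file name and the
# 26-week period are placeholders; Register-ScheduledTask needs Windows 8/2012 or later.

function Set-OfflineRootCrlSchedule {
    # Run on the offline root: long base CRL period, no delta CRL, then publish a CRL.
    param([int]$Weeks = 26)
    certutil -setreg CA\CRLPeriodUnits $Weeks
    certutil -setreg CA\CRLPeriod 'Weeks'
    certutil -setreg CA\CRLDeltaPeriodUnits 0      # 0 turns delta CRL publication off
    Restart-Service certsvc                          # CRL registry settings apply on restart
    certutil -crl                                    # same as Revoked Certificates > All Tasks > Publish
    Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crl" | Select-Object FullName, LastWriteTime
}

function Get-CrlNextUpdate {
    # Read the NextUpdate field from certutil's dump of a CRL file.
    param([Parameter(Mandatory)][string]$Path)
    $m = certutil -dump $Path | Select-String -Pattern '^\s*NextUpdate:\s*(.+)$' | Select-Object -First 1
    if (-not $m) { throw "No NextUpdate found in ${Path}; is it a CRL?" }
    # certutil prints the date in the local culture, so parse it with the same culture.
    [datetime]::Parse($m.Matches[0].Groups[1].Value.Trim(), [Globalization.CultureInfo]::CurrentCulture)
}

function Publish-RootCrl {
    # Run on the enterprise sub CA after the CRL has been copied off the root.
    param(
        [string]$CrlPath  = 'C:\Temp\RootCA.crl',            # assumption: where the CRL was copied to
        [string]$HttpDir  = 'C:\inetpub\wwwroot\certdata',    # HTTP CDP folder from step 4
        [int]$WarnDays    = 14                                # how early to raise the reminder
    )
    # Do not publish a CRL that is already expired; clients would fail revocation checks.
    $next = Get-CrlNextUpdate -Path $CrlPath
    if ($next -lt (Get-Date)) { throw "CRL $CrlPath expired on ${next}; publish a new one from the root first" }
    Write-Host "CRL is valid until $next"

    # Step 4 (HTTP path) and step 5 (LDAP path).
    Copy-Item -Path $CrlPath -Destination (Join-Path $HttpDir (Split-Path $CrlPath -Leaf)) -Force
    certutil -f -dspublish $CrlPath
    if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed with exit code $LASTEXITCODE" }

    # Check that the sub CA's own certificate now chains with reachable revocation data.
    $subCaCrt = Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crt" |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if ($subCaCrt) {
        certutil -verify -urlfetch $subCaCrt.FullName | Select-String -Pattern 'ERROR|revocation|Verified'
    }

    # Reminder before the next renewal: a one-shot scheduled task that writes a
    # warning event $WarnDays before NextUpdate.
    $remind = $next.AddDays(-$WarnDays)
    if ($remind -lt (Get-Date)) {
        Write-Warning "Less than $WarnDays days of CRL validity left; schedule the next root CRL publication now."
        return
    }
    $message = 'Offline root CA CRL expires on {0}; publish a new CRL' -f $next.ToString('yyyy-MM-dd')
    $action  = New-ScheduledTaskAction -Execute 'eventcreate.exe' -Argument ('/L APPLICATION /T WARNING /SO RootCRL /ID 100 /D "{0}"' -f $message)
    $trigger = New-ScheduledTaskTrigger -Once -At $remind
    Register-ScheduledTask -TaskName 'RootCRL-Renewal-Reminder' -Action $action -Trigger $trigger -Force | Out-Null
    Write-Host "Reminder task registered for $remind"
}
```

Call Set-OfflineRootCrlSchedule on the root and Publish-RootCrl on the sub CA. The certutil -verify -urlfetch line at the end is the real acceptance test: if it still reports a revocation error after publication, the CDP URLs in the sub CA certificate do not point at the locations you just wrote to.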

Source: http://social.technet.microsoft.com/wiki/contents/articles/19160.how-to-publish-new-certificate-revocation-list-crl-from-offline-root-ca-to-active-directory-and-inetpub.aspx

Certutil Examples for Managing Active Directory Certificate Services (AD CS) from the Command Line


Applies to: Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

Certutil.exe is a command-line program that is installed as part of Active Directory Certificate Services (AD CS). You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains. This article was created to show examples of certutil commands.

View CA Configuration

If you want to view the configuration settings for the CA, including the settings that were set by CAPolicy.inf or after installation by post-configuration scripts, you can issue the following commands:

certutil -dump

certutil -getreg

certutil -getreg CA

Publish expired certificates in the CRL

If you want to maintain a revoked certificate in the CRL beyond the certificate’s expiration date, you can enable the publication of expired certificates to the CRL by running the following command at a command-line prompt and then restarting Certificate Services.

certutil -setreg ca\CRLFlags +CRLF_PUBLISH_EXPIRED_CERT_CRLS

Dump certificate templates and settings from the CA

certutil -v -template

Variations of that command

certutil -v -template > templatelist.txt

certutil -v -template clientauth > clientauthsettings.txt

Copy a CRL to a file

If you want to copy a certificate revocation list, named corprootca.crl, to removable media (such as a floppy drive A:), run the following command:

certutil -getcrl a:\corprootca.crl

View Certificate Templates

If you want to dump a list of certificate templates and their settings to a text file (MyTemplates.txt), you can run the following command:

    certutil -v -template > MyTemplates.txt

View AIA container

To view the contents of the AIA container in Active Directory Domain Services (AD DS) for a domain named contoso.com, run the following command:

certutil -viewstore "ldap:///CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com?cACertificate?base?objectclass=certificationAuthority"

View Intermediate CA certificate store

To view the content of the client computer’s Intermediate Certification Authorities certificate store, type the following command at a command-line prompt.

certutil -enterprise -viewstore CA

View NTAuth Container

To view the content of the NTAuth container in AD DS for a domain named Corp.contoso.com, you would type the following command on a single line and press ENTER:

certutil -viewstore "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com"

View Trusted Root CAs

To view the content of the client computer’s Trusted Root Certification Authorities Enterprise certificate store, type the following command at a command-line prompt.

certutil -enterprise -viewstore Root

Purge policy cache

When you are working with Certificate Enrollment Policy Web Service servers, the local computer keeps a cache of retrieved policies. You may want to clear it when the resulting certificate policies are not what you expect. You can clear the certificate policy cache by running the following command:

certutil -f -policyserver * -policycache delete

Check the certificate revocation chain

certutil -verify -urlfetch <certificatename>

certutil -URL <certificatename>
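The same check that certutil -verify -urlfetch performs, done with the .NET X509Chain class so that the result is a structured object a script can act on. This is an added example, not part of the original article; the file path is an assumption (any DER or Base64 .cer file will do). Online revocation checking fetches the CRL and OCSP responses from the URLs in the certificate's CDP and AIA extensions, which is what makes a stale offline-root CRL show up here as RevocationStatusUnknown.

```powershell
# Added example (not part of the original article): chain build with online revocation
# checking via X509Chain. Assumption: $Path points at a DER or Base64 .cer file.
function Test-CertRevocationChain {
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('Online', 'Offline', 'NoCheck')][string]$RevocationMode = 'Online'
    )
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode       = $RevocationMode   # Online fetches CRL/OCSP from the CDP/AIA URLs
    $chain.ChainPolicy.RevocationFlag       = 'EntireChain'     # check every CA certificate, not just the leaf
    $chain.ChainPolicy.UrlRetrievalTimeout  = [TimeSpan]::FromSeconds(30)
    $ok = $chain.Build($cert)

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        ChainValid = $ok
        # One entry per element, leaf first, root last.
        Chain      = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        # Flags such as RevocationStatusUnknown, OfflineRevocation, Revoked, NotTimeValid, UntrustedRoot.
        Status     = @($chain.ChainStatus | ForEach-Object { '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim() })
    }
}

# Usage: a certificate whose CDP cannot be reached reports ChainValid=False with
# RevocationStatusUnknown/OfflineRevocation; a revoked one reports Revoked.
Test-CertRevocationChain -Path 'C:\Temp\issued.cer' | Format-List

# Compare with certutil's view of the same file.
certutil -verify -urlfetch 'C:\Temp\issued.cer' | Select-String -Pattern 'ERROR|Revocation|Verified'
```

Use RevocationMode 'Offline' to test against the CRLs already cached on the machine and 'NoCheck' to separate a chaining problem from a revocation problem; if the chain builds with NoCheck but not with Online, the issue is the CDP or AIA location rather than trust.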

For more information on these commands, see the end of the Step by Step Guide – Two Tier PKI Hierarchy Deployment

Certutil Q & A

This could become a Frequently Asked Questions (FAQ) about Certutil at some point. For now, we will just keep it here:

When do you use 'certutil -addstore' versus 'certutil -importcert'?

  • Use certutil -addstore to add a .cer file to any store; it adds a raw certificate to a certificate store. A .cer file does not contain the private key; a .pfx file usually does.
  • Use certutil -importpfx to import a .pfx, usually into the Personal (My) store. certutil -importcert is meant to import a certificate into a CA's database. This is useful when using the CA to archive certificates and keys that were not issued by the CA, or to be able to manage revocation for a certificate lost from the CA's database for some reason.
  • certutil -repairstore can be used to associate a certificate with its matching private key. This is useful if someone deleted a certificate from the store and lost the CERT_KEY_PROV_INFO_PROP_ID property that points at the private key.
  • certreq -accept installs an issued certificate when there is a pending certificate request in the Request store.
    • This command should be used when there is a pending request, because it picks up the CERT_KEY_PROV_INFO_PROP_ID property, the friendly name, and other properties from the pending (also known as dummy) certificate, attaches them to the new certificate, and removes the pending (dummy) certificate.
    • The sequence of this flow follows this command order:
      • Certreq -new (creates a new request and dummy certificate)
      • Certreq -submit (or using some manual submission method via a Web page)
      • Certreq -retrieve (if there is a pending request that is later issued)
      • Certreq -accept (installs the certificate)
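The certreq -new / -submit / -retrieve / -accept sequence above as a script, added here as an example and not part of the original article. It covers the case the list mentions in passing: the CA holds the request as pending until an administrator issues it, and the script polls -retrieve until the certificate is available before calling -accept. The subject, template name, CA config string and working directory are lab assumptions; run it from an elevated prompt because the key is created in the machine store.

```powershell
# Added example (not part of the original article): the full certreq flow with the
# pending-approval case handled. Assumptions: elevated prompt; $Subject, $Template,
# $CaConfig and $WorkDir are placeholders for a lab.
param(
    [string]$Subject  = 'CN=web01.corp.contoso.com',
    [string]$Template = 'WebServer',                          # template cn, not display name
    [string]$CaConfig = 'APP1.corp.contoso.com\IssuingCA-APP1',
    [string]$WorkDir  = 'C:\Temp\certreq'
)
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$inf = Join-Path $WorkDir 'request.inf'
$csr = Join-Path $WorkDir 'request.csr'
$cer = Join-Path $WorkDir 'issued.cer'

# certreq -new reads an INF. MachineKeySet=TRUE creates the key in the machine's key
# store; Exportable=FALSE keeps the private key from being exported later.
@"
[NewRequest]
Subject = "$Subject"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft Software Key Storage Provider"
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $inf -Encoding ASCII

# 1. Create the request. This also creates the "dummy" certificate in the Request store
#    that carries the key-provider info which certreq -accept later copies onto the real one.
certreq -new $inf $csr | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }

# 2. Submit to the CA. The output says whether it was issued at once or is pending,
#    and carries the RequestId that -retrieve needs.
$submit    = certreq -submit -config $CaConfig $csr $cer 2>&1 | Out-String
$requestId = [regex]::Match($submit, 'RequestId:\s*"?(\d+)').Groups[1].Value
Write-Host "RequestId $requestId`n$submit"

if ($submit -match 'Pending') {
    # 3. The template requires CA certificate manager approval. Wait for an admin to run
    #    All Tasks > Issue (or certutil -resubmit $requestId on the CA), then retrieve.
    Write-Host "Request $requestId is pending approval on $CaConfig; polling every 30 s (max 30 min)"
    $tries = 0
    do {
        Start-Sleep -Seconds 30
        $tries++
        $retrieve = certreq -retrieve -config $CaConfig $requestId $cer 2>&1 | Out-String
    } while (($retrieve -match 'Pending') -and ($tries -lt 60))
    if (-not (Test-Path $cer)) { throw "Retrieve did not produce a certificate:`n$retrieve" }
}

# 4. Accept: binds the issued certificate to the private key from step 1, places it in
#    LocalMachine\My and removes the dummy certificate from the Request store.
certreq -accept -machine $cer | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed ($LASTEXITCODE)" }

# Verify that the installed certificate has its private key. If a certificate ever ends
# up in the store without one, certutil -repairstore My <serial> re-attaches it.
$installed = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $Subject } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
'{0}  HasPrivateKey={1}' -f $installed.Thumbprint, $installed.HasPrivateKey
```

HasPrivateKey=True at the end is the check that the -accept step did its job; a certificate that was installed with certutil -addstore instead would show False here, which is exactly the situation the -repairstore answer above describes.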

Additional references for CertUtil Examples

Certificate Revocation and Status Checking  – A link to the whitepaper in the TechNet Library; the appendices (Appendixes) have many examples

Basic CRL checking with certutil  – A link to an entry in the PKI blog

Additional details about certificate status codes

CERT_TRUST_STATUS Structure  – provides certificate status code meanings

Command line references for CertUtil

Certutil on MSDN  – A task oriented reference for the Certutil command, with great details.

Certutil Certificates  – A link to TekWeb.dk, which is very much like a command reference

Certutil  – The Windows Server 2008 command line reference in the TechNet Library

Certutil tasks for managing certificates  – Windows Server 2003 Whitepaper that has command reference like information

Certutil tasks for key archival and recovery  – Windows Server 2003 document

Source: http://social.technet.microsoft.com/wiki/contents/articles/3063.certutil-examples-for-managing-active-directory-certificate-services-ad-cs-from-the-command-line.aspx
