Windows Server 2016 Active Directory Certificate Services Lab Build – Part 1

This guide was written previously in another role and had been published via the TechNet Gallery. While it is still located there, I decided that I would also make it available here for those who might want to create a AD CS lab. Understand, this guide is really just a lab and an introduction to issues which you may need to consider. You’ll need to customize the configuration for any production environments.

Windows Server 2016 Active Directory Certificate Services Lab Build – Part 2

Windows Server 2016 Active Directory Certificate Services Lab Build – Part 3

This guide does not utilize a Capolicy.inf file for configuration. However, the following articles discuss these in greater detail. If you are planning a PKI deployment which is on a larger scale, utilizing this config file might be very useful.

Root CA Build Guide

Lab Servers

ROOTCA01: Offline Root CA; Workgroup Member

INTCA01: Online Issuing CA; Domain Member

Note: The information provided in this guide is intended to help you get started with a basic PKI infrastructure for issuing certificates to domain joined machines. It is not a fully comprehensive guide. Each organization will have unique requirements which must be accounted for and incorporated into their own PKI. This guide is intended as a basic introduction establishing a foundation for future PKI expansion and use.

Step 1 – Standalone Root CA Initial Installation

Begin by building the standalone Root CA. This machine will not be domain joined. Install the Active Directory Certificates Services – Certification Authority Role.

Machine generated alternative text:
Select role services 
Before You Begin 
Installation Type 
Server Selection 
Server Roles 
Features 
CS 
Role Services 
Confirmation 
Select the mle services to install for Active Directory Certificate 
Role services 
Certification Authori 
Certificate Enrollment Policy Web Service 
Certificate Enrollment Web Service 
Certification Authority Web Enrollment 
Network Device Enrollment Service 
Online Responder

After the Certificate Authority role has successfully installed, the server must then be configured. Within the Server Manager console, we will now see a post configuration task action item to complete. Select the action icon next to the notification flag at the upper right and select Configure Active Directory Certificate Services on the destination server.

Post-deployment Configu ration 
Configuration required for Active Directory 
Certificate Services at ROOTCAOI 
Configure Active Directory Certificate Services on th... 
O Feature installation 
Configuration required. Installation succeeded on 
ROOTCAOI. 
Add Roles and Features 
Task Details

We will then be greeted with the AD CS Configuration screen for the Offline Root CA. Let’s proceed through the wizard to finalize the post installation items for the server.

Credentials: We will be using the built in local administrator account. This is due to the fact that the server is an offline root CA. This means that it is not domain joined and therefore only has local accounts. Select Next at this screen to proceed.

AD CS Configuration 
Credentials 
Credentials 
Role Services 
Cc:nfrmetior 
DESTINATION SERVER 
Spec 
To install the following role services you must belong to the local Administrators group: 
Standalone certification authority 
Certification Authority Web Enrollment 
Online Responder 
To install the following role services you must belong to the Enterprise Admins græp: 
Enterprise certification authority 
Certificate Enrollment Policy Web Service 
Certificate Enrollment Web Service 
Network Device Enrollment Service 
Credentials: ROOTCAOI Administrator 
More about AD CS Server Roles 
Previous 
Change.„ 
Next 
Configure 
Cancel

Role Services: At the Role Services screen we must now identify which of the various role services to use. For the offline root CA, we will use Certification Authority.

AD CS Configuration 
Role Services 
Credentials 
Role Services 
Setup Type 
CA Type 
Private Key 
Cryptography 
CA Name 
Validity Period 
Certificate Detebese 
Confirmation 
FesL'ts 
DESTINATION SERVER 
Select Role Services to configure 
g] Certification Authority 
C) Certification Authority Web Enrollment 
Online Responder 
Network Device Enrollment Service 
C) Certificate Enrollment Web Service 
C) Certificate Enrollment Policy Web Service 
More about AD CS Server Roles 
Configure 
Cancel

Setup Type: At the Setup Type screen we will select Standalone CA. Again, we are selecting this option as it is an offline root CA. By definition, the Enterprise CA must be a member of an Active Directory domain. Since our offline root CA is only a member of a workgroup it is impossible for it to be an Enterprise CA.

AD CS Configuration 
Setup Type 
Credentials 
Role Services 
Setup Type 
CA Type 
Private Key 
Cryptography 
CA Name 
Validity Period 
Certificate Detebese 
Confirmation 
DESTINATION SERVER 
Specify the setup type of the CA 
Enterprise certification authorities (CAE) can use Active Directory Domain Sevices (AD DS) to 
simpli%' the management of certificates. Standalone CAS do not use AD DS to issue or manage 
certificates. 
O 
Enterprise CA 
Enterprise CAS must be domain members and are typically online to issue certificates or 
certificate policies. 
@ Standalone CA 
Standalone CAS can be members or a workgroup or domain. Standalone CAS do not require AD 
DS and can be used without a network connection (offline). 
More about Setup Type 
Configure 
Cancel

CA Type: For CA Type we will select Root CA. This is self-explanatory due to the type of CA which we are setting up.

AD CS Configuration 
CA Type 
Credentials 
Role Services 
Setup Type 
CA Type 
Private Key 
Cryptography 
CA Name 
Validity Period 
Certificate Detebese 
Confirmation 
DESTINATION SERVER 
Specify the type of the CA 
When you install Active Directory Certificate Services (AD CS), you are creating or extending a 
public key infrastructure (PKI) hierarchy. A root CA is at the top of the PKI hierarchy and issues its 
own self-signed certificate. A subordinate CA receives a certificate from the CA above it in the PKI 
hierarchy. 
@ Root CA 
Root CAS are the first and may be the only CAS configured in a PKI hierarchy. 
O Subordinate CA 
Subordinate CAS require an established PKI hierarchy and are authorized to issue certificates by 
the CA above them in the hierarchy. 
More about CA Type 
Configure 
Cancel

Private Key: Since this is a new deployment, we will utilize the Create a new private key option. Utilization of an existing private key is outside the scope of this guide.

AD CS Configuration 
Private Key 
Credentials 
Role Services 
Setup Type 
ca Type 
Private Key 
Cryptography 
CA Name 
Validity Period 
Certificate Detebese 
Confirmation 
DESTINATION SERVER 
Specify the type of the private key 
To generate and issue certificates to clients, a certification authority (CA) must have a private key. 
@ Create a new private key 
use this option if you do not have a private key or want to create a new private key. 
O use existing private key 
use this option to ensure continuity with previously issued certificates when reinstalling a CA. 
O 
Select a certificate and use its associated private key 
Select this option if you have an existing certificate on this computer or if you want to 
import a certificate and use its associated private key. 
O 
Select an existing private key on this computer 
Select this option if you have retained private keys from a previous installation or want to 
use a private key from an alternate source. 
More about Private Key 
Configure 
Cancel

Cryptography for CA: We need to use a minimum of SHA256. A critical takeaway here is to avoid using SHA1, MD5, MD4, or MD2. These cryptographic algorithms are older, weaker, and have shown signs of compromise in the past. You must select the appropriate cryptographic provider, key length, and hash algorithm for your deployment. See the following post to learn more about cryptographic providers:

CNG Key Storage Providers

For this deployment we, will utilize:

  1. Cryptographic Provider: RSA#Microsoft Software Key Storage Provider
  2. Key Length: 2048 (Increasing to 4096 in CY2020 and beyond would likely be wise)
  3. Hash Algorithm: SHA256

At the time of writing this guide, these meet all public requirements. However, as a CA administrator/engineer, ensure that you keep track of current developments regarding acceptable PKI implementations.

AD CS Configuration 
Cryptography for CA 
Credentials 
Role Services 
Setup Type 
CA Type 
Private Key 
Cryptography 
CA Name 
Validity Period 
Certificate Detebese 
Confirmation 
FesL'ts 
Specify the cryptographic options 
Select a cryptographic provider: 
RSA#Microsoft Software Key Storage Provider 
DESTINATION SERVER 
Key length: 
Select the hash algorithm for signing certificates issued by this CA: 
SHA256 
SHA3U 
SHA512 
SHAI 
Allow administrator interaction when the private key is accessed by the CA. 
More about Cryptography 
Configure 
Cancel

CA Name: For the offline root CA, we will utilize the default naming context. However, if you require your offline root CA to have another common name, provide it at this screen.

AD CS Configuration 
CA Name 
Credentials 
Role Services 
Setup Type 
CA Type 
Private Key 
Crwptogrephw 
CA Name 
Validity Period 
Certificate Detebese 
Confirmation 
DESTINATION SERVER 
Specify the name of the CA 
Type a common name to identify this certification authority (CA). This name is added to all 
certificates issued by the CA. Distinguished name suffix values are automatically generated but can 
be modified. 
Common name for this CA: 
Distinguished name suffix: 
Preview of distinguished name: 
CN=ROOTCAOI CA 
More about CA Name 
Configure 
Cancel

Validity Period: The validity period for the certificate which will be generated for the offline root CA is dependent upon your organizational requirements. For the purpose of this guide, and due to the fact that this build exists within a lab, I have opted to use 20 years. However, in a real-world scenario there are additional considerations and constraints that factor into making this determination:

      • It is recommended that you consult with a local Cyber Security technician to determine if there is an established recommendation/guideline/requirement for this setting.
      • The shorter the validity, the sooner you’ll have to issue a new CA chain.
      • The longer the validity, the higher the probability that the chain can be compromised.
      • If you anticipate that the root CA will be replaced/upgraded in the future, plan to keep the validity period for at least 1 year after that projected date. This allows you some flexibility within your upgrade project to ensure that your root CA’s certificate does not expire prior to implementing a new CA chain with a new root CA.

AD CS Configuration 
Validity Period 
Credentials 
Role Services 
Setup Type 
CA Type 
Private Key 
Cryptography 
CA 
Validity Period 
Certificate Database 
Confirmation 
FesL'ts 
DESTINATION SERVER 
Specify the validity period 
Select the validity period for the certificate generated for this certification authority (CA): 
CA expiration Date: 1/19/2037 44100 PM 
The validity period configured for this CA certificate should exceed the validity period for the 
certificates it will issue. 
More about Validity Period 
Configure 
Cancel

CA Database: We must now specify the path for the CA database. Considering that this is an offline root CA, utilizing the default location is likely acceptable. Since this CA should only issue certificates to intermediate CA’s on a very irregular basis, the drive on which the DB and Logs reside do not need to be high performance drives.

  • Pro Tip: I always recommend that any system that homes a DB, and thus transaction logs (TLOGS), have a dedicated drive for the DB and a separate dedicated drive for the TLOGS. However, each scenario must be evaluated to determine if this is necessary. Systems with low IO do not mandate this. However, systems with high IO should be configured with this at a minimum. Additionally, if the system is a virtual machine, each of these drives should utilize a dedicated storage controller for each drive; sharing a single storage controller can result in poor performance even with dedicated drives.
  • Example:
    • C: = System Drive with OS and Programs
    • D: = Database Drive
    • T: = Transaction Log Drive

AD CS Configuration 
CA Database 
Credentials 
Role Services 
Setup Type 
CA Type 
Private Key 
Cryptography 
CA Name 
Validity' Period 
Certificate Database 
Confirmation 
FesL'ts 
DESTINATION SERVER 
Specify the database locations 
Certificate database location: 
Certificate database log location: 
More about CA Database 
Configure 
Cancel

Confirmation: We have now arrived at the Confirmation page. This is the final screen prior to implementing the configuration for the offline root CA. Validate that the settings on this page are accurate, correct, and sustainable. Once we configure the offline root CA, it will be difficult, if not impossible, to make changes. If all the settings are correct select Configure.

AD CS Configuration 
Confirmation 
Credentials 
Role Services 
Setup Type 
CA Type 
Private Key 
Cryptography 
CA Name 
Validity Period 
Certificete 
Confirmation 
FesL'ts 
DESTINATION SERVER 
To configure the following roles, mle services, or features, click Configure. 
Active Directory Certificate Services 
Certification Authority 
CA Type: 
Cryptographic provider: 
Hash Algorithm: 
Key Length: 
Standalone Root 
RSA#Microsoft Software Key Storage Provider 
SHA256 
Allow Administrator Interaction: Disabled 
Certificate Validity Period: 
Distinguished Name: 
Certificate Database Location: 
Certificate Database Log 
Location: 
1/19/2037 441:oo PM 
CN=ROOTCAOI-CA 
C rtLog 
< Previous 
Next

Progress: The Progress screen should briefly appear as the CA is configured. It should then proceed to the Results screen.

Results: At the Results screen, we should receive Configuration Succeeded. If any other result was received, review the output for the configuration transaction and make the necessary corrections. Specifics are outside the scope of this guide.

AD CS Configuration 
Results 
The following roles, role services, or features were configured: 
DESTINATION SERVER 
Active Directory Certificate Services 
Certification Authority 
More about CA Configuration 
_ ryptogrep•l- 
Certificät± 
Results 
Configuration succeeded 
Cancel

Step 2 – Standalone Root CA Certificate Export

Having performed the initial Root CA setup, we now have some specific action items that we must take for the offline root CA post setup. Let’s start by exporting the offline root CA’s certificate. This will be required for a couple of items later as we setup the Intermediate CA and the Certificate Trust Chain within Active Directory Domain Services.

  • Within Server Manager, select Tools, then select Certification Authority.
  • We should now have the Certificate Authority snap-in open.
  • Right-click the certification authority name, and select Properties.

Certification Authority (Local) 
v ROOTAn1-rn 
R, All Tasks 
Refresh 
Export I ist 
P ropetties 
Help 
Na

  • We are now presented with the ROOTCA01-CA Properties window.
  • On the General tab, we will see the offline root CA’s certificate. Select View Certificate.
  • Then select the Details tab.
  • Then select the Copy to file radio button. This will allow us to export the offline root CA’s certificate. This certificate is required to establish and deploy the trusted root chain within the Active Directory domain. This is addressed later in this guide.

Certification Authority (Local) 
v ROOTCAOI-CA 
ROOTCAOI -CA Properties 
Enrollment Agents 
General 
Name 
Storage 
Certificate 
Certificate Managers 
General 
Show: 
De tails 
<AII srcset=
Certficabon Path
Auditing
Recovery Agents Security
Pohcy Module
Certification authority (CA)
ROOTCAOICA
CA certificates
‘Catificat±
V’ew Certificate
Crypt ographic settings
Ver sion
Signature algorithm
Signature hash algorithm
avalid from
ovalid to
Hash algorithm
Microsoft Software Key Storage Provider
SHA256
2c f4 2f70 d3db 84 3b
sha256RSA
ROOTCAOI-CA
Thursday, January 19, 2017 7.
Monday, January 19, 2037
Cop,’ to File… “>

Welcome to the Certificate Export Wizard: We are now presented with the certificate export wizard which will guide us through exporting the offline root CA’s certificate. This wizard will allow us to save the certificate in a .CER format which we will later use to distribute within the Active Directory domain. At this screen select Next.

Certificate Export Wizard 
Welcome to the Certificate Export Wizard 
This wizard helps pu cop,' certificates, certficate trust lists and certficate revuabon 
lists from a certificate store to your disk. 
A certficate, which is issued by a certifcaton authority, is a confrmaton of pur identty 
and contains informaton used to protect data or to establish secure net,Nork 
connections. A certificate store is the system area where certificates are kept. 
To continue, dick Next. 
Cancel

Export File Format: We need to export the file in a DER encoded binary X.509 (.CER) format. For trust chain establishment and distribution, we do not require any additional values of the offline root CA’s certificate.

Certificate Export Wizard 
Certficates can be exported in a variety of file formats. 
Select the format you want to use: 
@DER encoded binary X. 509 CER) 
O aase-64 encoded X. 509 (.CER) 
C) Cryptographic Message Syntax Standard -PKCS Certficates (.P7B) 
Include all certificates in the certfcaton path if possible 
O 
Personal Informaton Exchange - PKCS (.PFX) 
Include all certificates in the certfcaton path if possible 
Delete the private key if the export is 
Export all extended proper tes 
Enable certificate privacy 
O 
Microsoft Serialized Certificate Store (I SST) 
Cancel

File to Export: Specify the file name. In other words, identify the path to which we need to save the .CER file along with the name that we are going to assign to the .CER file.

  • Pro Tip:
    • Create a folder on the server, such as C:\Software, which you can utilize for saving files which you need to retain. Some admins create a folder called C:\Temp. I leave this to your discretion within your organization. However, having a common path on all servers for this purpose is valuable. This ensures that all administrators are saving data into non-profile specific locations. This becomes extremely valuable in specific scenarios which at present are beyond the scope of this guide.
    • Utilize Value Added File Names. As an example, for the offline root CA, I would name the exported certificate file as ServerName_Date_VersionNumber.cer. See the screenshot for a graphic example. By doing so, we ensure that we clearly understand what this file is. Certificate naming format is critical. As you begin to deal with many certificates over an expanding period-of-time, having a sustainable and easily understood naming context will greatly simplify your work. Extend this same naming framework to the Friendly Name for certificates.

Certificate Export Wizard 
to 
Specify the name of the file you want to export 
Browse...

Completing the Certificate Export Wizard: This screen will validate all the prior options for exporting the certificate. Select Finish.Certificate Export Wizard 
Completing the Certificate Export Wizard 
You have successMIy completed the Certficate Export wizard. 
You have specified the following settings: 
File Name 
Export Keys 
Include all certficatesin the certficabonpath No 
File Format 
DER Encoded Binary X. 509 (*.cer) 
Finish 
Cancel

Step 3 – Standalone Root CA Security Configuration

By default, the Root CA provides more permissions than we would like to see. While this is a stand-alone CA, and not joined to a domain, let’s take an easy step to slightly bump security up.

On the Security tab of the root CA’s properties window, let’s remove the Everyone group. Complete this by Selecting the Everyone group and then selecting Remove.

X 
品 呈 》 82 工 品 呈 = 。 」 〔 山 
色 2 euen 2 型 2 い 
2 「 POW 一 「 
ロ ロ ロ ロ 
ロ ロ ロ 国 
0 」 新 u 一 up ′ 5 い 100 匹 巴 0 」 u 一 up 強 
2 「 POW = Od 
2 2 」 0 あ 
型 セ 帑 い 2 euen pue 2 コ 
52 2d0 」 d ・ 54D100 
2u0 と 2 》 」 0 」 き 0 あ ヒ ed 
一 巴 耄 コ b 
的 」 」 2 的 コ 」 0 d コ 0 」 9 
ロ ど 2 、 山 
い 2 曰 euen

We should be left with simply Administrators within the Security tab. Let’s select Allow Read and Allow Request Certificates.

X 
品 呈 》 82 工 品 呈 = 。 」 〔 山 
色 2 euen 2 型 2 い 
2 「 POW 一 「 
ロ ロ ロ ロ 
冖 〔 〔 国 周 〔 凵 
。 恒 虧 un-up 5 ト 00 匹 色 。 恒 虧 翼 当 
2 「 POW = Od 
2 2 」 0 あ 
型 セ 帑 い 2 euen pue 2 コ 
色 0 」 虧 IL"LL-JP 強 」 0 」 LIO あ ヒ ed 
52 2d0 」 d ・ 54D100 
一 巴 耄 コ b 
」 」 2 的 コ 」 0 d コ 0 」 9 
い 2 曰 euen

Auditing: ALL EFFECTIVE SECURITY POSTURES INCLUDE AUDITING. Auditing is a critical component of security. Without auditing, we have no effective means to view historical transactions. In respect to our topic, enabling an effective auditing policy is required. Auditing provides us a method by which we can see the historical behavior on our systems. Let’s review some caveats:

  • First, this is an offline root CA. Auditing it provides insights into the actions which occur on the CA. However, we will be challenged to export the audit data from this server. In your environment you may want to consider how you plan to export, and SECURE, the audit data from the offline root CA. The audit data alone is valuable to an enterprise adversary in that it provides insight into your infrastructure. Protect your logs.
  • As a stop gap, I strongly recommend that you identify a means within your environment to track when the offline root CA is powered on/modified. That is to say, if the offline root CA is a virtual machine, how have you secured the virtual machine to prevent export and exfiltration of the VM itself and ensure that that data within the VM is encrypted and secure? HOW ARE YOU SECURING YOUR VIRTUAL INFRASTRUCTURE? This is a critical question that expands beyond the scope of this guide and into the enterprise services scope, such as Active Directory Domain Services, as well as other critical infrastructure services (think DNS, DHCP, etc.). If the machine is a physical machine, what physical safeguards are in place to secure the CA?

Closing the Gap: Why did we perform this? First, we are eliminating the possibility of any user other than an offline root CA administrator from performing functions against the offline root CA. Second, we are ensuring that administrators on the offline root CA are not inhibited from performing their tasks. I recommend that you review the built-in Administrators security group of the offline root CA to validate that there are not any unauthorized members within this group.

Security Consideration: The offline root CA is the base/root/core of the PKI trust chain. If the root CA is compromised then the entire chain has been compromised and in turn, every certificate which has been issued within the root CA’s chain is therefore compromised and no longer valid. This means that every certificate must be revoked, an updated certificate revocation list (CRL) must be published, and every certificate must be replaced with a new certificate from a new certificate chain. In a large organization this could theoretically be impossible, not to mention the financial implications of this. Protect the Root CA. Let me say that one more time. PROTECT THE ROOT CA!

At the time of writing this guide, the following article had been published:

Securing PKI: Planning a CA Hierarchy

I highly recommend that you review the details and guidance provided within this publication. PKI is one of the most critical components of any enterprise. Failure to properly secure and protect the PKI can, and likely will, result in a security incident.

Step 4 – Standalone Root CA Extensions and Properties

After finalizing the post deployment tasks, the location for the CRL Distribution Point needs to be configured. We can store this data in two places. First, we can store it within Active Directory by importing the CRL into the LDAP CDP. The second location is on the Intermediate CA within its CDP. We will configure both.

Target Configuration –

CRL Distribution Point (CDP) Extension:

  • C:\Windows\System32\CertSrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
      • Publish CRLs to this location
      • Publish Delta CRLs to this location
  • ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=srv,DC=lab<CDPObjectClass>
      • Include in all CRLs. Specifies where to publish in Active Directory when publishing manually.
      • Include in the CDP extension of issued certificates.
  • http://intca01.srv.lab/CertEnroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl
      • Include in CRLs. Clients use this to find Delta CRL locations.
      • Include in the CDP extension of issued certificates.

Authority Information Access (AIA) Extension:

  • C:\Windows\System32\CertSrv\CertEnroll\<ServerDNSName>_<CaName><CertificateName>.crt
  • Ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=srv,DC=lab<CAObjectClass>
    • Include in the AIA extension of issued certificates
  • http://intca01.srv.lab/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt
      • Include in the AIA extension of issued certificates
      • Critical Note: There is an underscore “_” between <ServerDNSName> and <CaName>. That is not visible with the hyperlink.
      • Without Hyperlink “…CertEnroll/<ServerDNSName>_<CaName>…”

Notes: If you intend of utilize a highly available HTTP CDP location then you may use a DNS name that will be configured in a load balanced array or DNS Round Robin configuration for both the HTTP CDP and AIA extensions.

Why might I wish to do this?

Not everything that utilizes a CA may be able to query LDAP. In turn, the CDP and AIA information should be available to clients that instead will utilize HTTP.

Field Feedback: Why is the CDP and AIA HTTP location not secured with SSL?

I’ve been asked this a few times. Let’s first establish what the HTTP CDP (CRL Distribution Point) location is doing. Its use is to validate the revocation status of certificates. A client will connect to the CDP to validate that a certificate assigned to a service it is attempting to access is valid. If the CDP location were secured with SSL then the client would then have to validate the CDP HTTP service’s certificate. However, it would not be able to as the CRL is within the HTTP CDP path. This in turn would result in revocation failing.

Well, why not use an external CA with an external CDP location to validate the HTTP CDP SSL certificate status?

You would not want to do this. It means that you must rely on a third party for you and others to validate your PKI, thus allowing a third party to interfere with your established PKI. Additionally, that would be over HTTP as well. Finally, the data that we are transferring through calls to the CDP does not require protection. We want it to be public and accessible.

If you would like to read further about configuring HA for the HTTP AIA and CDP Repositories the following blog is a good start:

Installing a Two Tier PKI Hierarchy in Windows Server 2012: Part IX, Configuring High Availability for the HTTP AIA and CDP Repositories

Also, if you intend to use your PKI to issue certificates which will be used for externally available services, such as services located within the DMZ, you will need to consider how you plan to setup an external CDP or OSCP Responder. That is beyond the scope of this guide.

Begin by opening the Certification Authority MMC Snap-in. Once opened right click the CA and select Properties. At the Root CA properties window select the Extensions tab.

By default we are presented with the following:

ROOTCAOI-CA Properties 
Enrollment Agents 
Select 
Auditing 
Reco very Agents 
Security 
P olicy Modula 
Storage 
Certificate Managers 
CRL Distribution Point (CDP) 
Specify Bcations from which users can obtain a certificate revocation list 
(CRL) 
C: SWind0',i'eSs• •stem tCRLName Suffix 7 
'dap 
http://<ServarD NS Name "Celt Enroll/<Ca 
fila //<ServarDNS Nama srcset=/Cert Enroll/

Let’s remove everything except the file path. We are doing this as this is going to be an offline Root CA. The path defined in the last two values will not be valid as the server is offline.

We should be left with the following settings:

ROOTCAOI-CA Properties 
Enrollment Agents 
Select 
Auditing 
Reco very Agents 
Security 
Policy Module 
Storage 
Certificate Managers 
CRL D,stnbution (CDP) 
Specify Bcations from which users can obtain a certificate revocation list 
(CRL) 
:CRLName Sufi 
Z] Publish CRLs to this location 
Include in all CRIs Spacifias where to publish in the Active Directory 
whan publishing manual'" 
Include in CRA Clients use this to find Delta CRL locatione 
Include in the CDP of issued certificates 
Z] Publish Delta CRLs to this location 
Include in the IDP of issued CRLs

Now, we need to add the path to the CDP located on the Intermediate CA. (We will build that CA later in this guide.) For our purposes, the Intermediate CA’s name will be INTCA01.SRV.LAB. Therefore, the path will be:

  • http://intca01.srv.lab/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

Note: We are able to add this path on the Intermediate CA due to the fact that we are also going to install the Web Enrollment role service on the Intermediate CA server. However, if you opt to separate the web enrollment role service onto another machine, you will need to use a valid path to that machine. Alternatively, this path can be any valid internal web address. It does NOT have to be located on the Intermediate CA, we’re just opting to do that in this lab scenario.

If you would like to read further about configuring HA for the HTTP AIA and CDP Repositories the following blog is a good start:

Installing a Two Tier PKI Hierarchy in Windows Server 2012: Part IX, Configuring High Availability for the HTTP AIA and CDP Repositories

Add the path by selecting the Add radio button.

Add Location 
A location can be any valid URL or path Enter an HTTP. LDAP. file address. 
or enter a LINC or local path To insert a variable into tha URL or path. select 
the variable below and click Insert 
http /hntcaOI 
Variable: 
Description of selected variable: 
used in URLs and paths 
Inserts the DNS nama of tha server 
aampla location: http

Select Ok once completed.

Once we have returned to the Root CA Properties screen, and we are still on the Extensions tab, update the new path to include:

  • Include in CRLs. Client use this to find Delta CRL locations.
  • Include in the CDP extensions of issued certificates.

We must also add the LDAP path. We are going to perform this manually as we want to also publish the CRL into Active Directory.

  • ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=srv,DC=lab<CDPObjectClass>
    • Include in all CRLs. Specifies where to publish in the Active Directory when publishing manually.
    • Include in CRLs. Clients use this to find Delta CRL locations.
    • Include in the CDP extension of issued certificates.

ROOTCAOI-CA Properties 
Enrollment Agents 
Select 
Auditing 
Reco very Agents 
Security 
P olicy Module 
Storage 
Certificate Managers 
CRL Distribution (CDP) 
Specify Bcations from which users can obtain a certificate revocation list 
(CRL) 
htt V,fintcaCI srv 
Ida tCRLNameSuffte.CN= (ServerSh01tNal 
Publish CRLs to this location 
Z] Includa in all CRA Specifies where to publish in the Active Directory 
when publishing manually 
Z] Include in CRLs Clients use this to find Delta CRL locations 
Z] Includa in tha CDP a&nsion of issued certificates 
Publish Delta CRLs to this location 
Include in the IDP of issued CRLs

We now need to add a new location for the Authority Information Access (AIA). On the extensions tab under Select Extension:, ensure that the Authority Information Access (AIA) extension is selected.

ROOTCAOI-CA Properties 
Enrollment Agents 
Select 
Auditing 
Reco very Agents 
Security 
P olicy Modula 
Storage 
Certificate Managers 
Authority Information Access (AA) 
Specify locations from which users can obtain the certificate for this CA 
tCaName 
Idap Key Services CN=S 
http://<ServarDNSName srcset=/CertEnroII/
fila
Include in the AIA of issued certificates
Include in the Qnline certificate status protocol (OCS?) “>

Now, again, let’s remove all paths except the file path location so that we are left with the following:

ROOTCAOI-CA Properties 
Enrollment Agents 
Select e&nsion 
Auditing 
Reco very Agents 
Security 
Policy Module 
Storage 
Certificate Managers 
Authority Information Access (AA) 
Specify locations from which users can obtain the certificate for this CA 
Ota Nam 
Include in the AIA of issued certificates 
Include in the online certificate status protocol (OCS?) aMension

We now need to add the path to the AIA locations:

  • http://intca01.srv.lab/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt
    • Remember, there is an underscore “_” between <ServerDNSName> and <CaName>.
    • Include in the AIA extension of issued certificates.
  • Ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=srv,DC=lab<CAObjectClass>
    • Include in the AIA extension of issued certificates.

If you wish to validate that you have configured the CRT path name correctly, browse to C:\Windows\System32\CertSrv\CertEnroll. There you will find the CA’s CRT file:

Home 
CertEnroII 
Share 
View 
o 
Windows 
Name 
E] 
Syste m32 
CertSrv 
CertEnroII 
OTCA01-CA.crl 
Date modified 
1/25/2017 10:53 AM 
1/19/2017 7:57 PM 
Search CertEnroII 
Type 
Certificate Revocation List 
Security Certificate 
Size 
* Quick access 
Desktop 
Downloads 
Documents 
[e] Pictures 
Softwa re 
This pc 
Network 
2 items 
ROOTCAOI 
ROOTCA01-CA.crt

Now, we must update the CA’s CRL publication interval. We perform this by right-clicking the Revoked Certificates node and selecting Properties.

Certification Authority (Local) 
v ROOTCAOI-CA 
Revoked Certificates 
Issued Certificates 
Pending Requests 
Failed Requests 
Name 
Revcked C 
Issued Cert 
Pending Re 
Failed Req 
All Tasks 
Refresh 
Properties 
Help

Update the CRL Publication Interval to an appropriate length of time for your environment.

Notes: The offline root CA should only be brought online when it is necessary to renew or issue new certificates for the issuing CAs. This means that you should not have a short publication interval. If your publication date expires without publishing a new CRL from the CA then CRL checks for any certificate issued by the Root CA will fail. In this lab, we will configure the interval for 1 year. This means that within 1 year I must bring this CA back online and publish a new CRL. This setting can be easily changed.

Revoked Certificates Properties 
CR L Publishing Parameters View CRLs 
A Certificate Revocation List (CRL) describes certificates that clients should 
consider valid 
CRL publication interval 
update 
Publish Delta CRLs 
Publication interval 
update 
1/25/2018 12 18 PM

Delta CRLs are published in between CRL publications. For the offline root CA this should not be necessary as we will ALWAYS publish a new CRL when we issue/revoke certificates from the offline root CA.

We must now publish the CRL. Right click the Revoked Certificates node and select All Tasks and then Publish. At the Publish CRL screen select New CRL and then select Ok.

  • The CRL is located at C:\Windows\System32\CertSrv\CertEnroll.

Certification Authority (Local) 
v ROOTCAOI-CA 
Revoked Certificates 
Issued Certificates 
Pending Requests 
Failed Requests 
Name 
Revck 
Issued 
Pendi 
Failed 
All Tasks 
Refresh 
Properties 
Help 
Publish

Publish CRL 
The latest published Certificate Revocation Ljst (CRL) is Qill valid Clients may not 
receive a new CRL until after their currant ona expires 
Type of CRL to publish 
@ Naw CRL 
Issues a complete CRL. which contains upko-date revocation information 
for tha CA 
Delta CRL only 
Issues an abbreviated version of the CRL, which contains only the updates to 
the CRL that have been made since the last time it was published

Machine generated alternative text:
Home 
CertEnroII 
Share 
View 
o 
Windows 
Name 
E] 
Syste m32 
CertSrv 
CertEnroII 
OTCA01-CA.crl 
Date modified 
1/25/2017 10:53 AM 
1/19/2017 7:57 PM 
Search CertEnroII 
Type 
Certificate Revocation List 
Security Certificate 
Size 
* Quick access 
Desktop 
Downloads 
Documents 
[e] Pictures 
Softwa re 
This pc 
Network 
2 items 
ROOTCAOI 
ROOTCA01-CA.crt

Now, copy the contents from C:\Windows\System32\CertSrv\CertEnroll to the same location that the exported Root CA certificate was saved from Step 2 of this guide. Copy the all three items to the Intermediate CA.

  1. Root CA CRT File
  2. Root CA CER File
  3. Root CA CRL File

Home 
Softwa re 
Share 
View 
o 
This PC Local Disk Software 
Name 
ROOTCAOI ROOTCA01-CA.crt 
C] ROOTCAOI CA.crl 
RootCA01 CA 19Jan2017 vi.cer 
Date modified 
1/19/2017 7:57 PM 
1/25/2017 12:25 PM 
1/19/2017 8:48 PM 
Sea rch Software 
Type 
Security Certificate 
Certificate Revoca... 
Security Certificate 
Size 
* Quick access 
Desktop 
Downloads 
Documents 
[e] Pictures 
CertEnroII 
Softwa re 
This pc 
Network 
3 items

Step 5 – Standalone Root CA Issuance Term

By default, the Root CA will issue certificates for 1 year only. This creates an issue in that the subordinate CA certificate will be restricted to 1 year. In turn, this means that the subordinate CA can never issue a certificate which is older than its own. Ultimately, this is not ideal in that it will result in a high rate of turnover of certificates via expiration and re-issuance.

The two keys in the registry that we are specifically interested in are:

  1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CAName>\ValidityPeriod
  2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CAName>\ValidityPeriodUnits

To resolve this issue, we must extend the issuance term of the root CA. We can perform this by utilizing the certutil command. This command is built into Windows Server and no additional software/feature is required.

First, let’s review what the settings are to begin with. We can do this at the administrative command prompt.

  • Run the following command to determine the current value for the issuance length. We can see in the example below that the value is 1. This period is too short for our use so we will increase this.

Certutil -getreg ca\validityperiodunits

Administrator: Command Prompt 
C: -getreg ca\validityperiodunits 
HKEY_LOCAL 
ValidityPeriodUnits REG DWORD = 1 
CertUti1: -getreg command completed successfully .

  • The following command will allow us to see the type of time used to determine the validity duration. We can tell from this output that the time is measured in years and therefore does not require a change.

Certutil – getreg ca\validityperiod

Administrator: Command Prompt 
C: -getreg ca\validityperiodunits 
HKEY_LOCAL 
ValidityPeriodUnits REG DWORD = 1 
CertUti1: -getreg command completed successfully . 
C: -getreg ca\validityperiod 
HKEY_LOCAL 
ValidityPeriod REG_SZ = Years 
CertUti1: -getreg command completed successfully .

  • Run the following command to increase the validity period. In this lab I am increasing the period to 5 years.

Certutil -setreg ca\validityperiodunits 5

Administrator: Command Prompt 
C: -setreg ca\validityperiodunits S 
HKEY_LOCAL 
Old Value: 
ValidityPeriodUnits REG DWORD 
Value: 
ValidityPeriodUnits REG DWORD - 
Certutil : 
-setreg command completed successfully . 
The CertSvc service may need to be restarted for changes to take effect .

Note: You should restart the CA server.

We are now ready to begin work on the Subordinate CA build. See Part 2 for a guide on this.

2 thoughts on “Windows Server 2016 Active Directory Certificate Services Lab Build – Part 1”

Comments are closed.