Introduction
Exercise 1 - Deploy Stand-alone CA
Exercise 2 - Configure an Enterprise Subordinate CA
Summary
Introduction
The Install and Configure Offline Root CA module provides you with the
instructions and server hardware to develop your hands-on skills in the defined topics.
This module includes the following exercises:
Deploy Stand-alone CA
Configure an Enterprise Subordinate CA
Exam Objectives
Lab Diagram
During your session, you will have access to the following lab configuration.
1 of 74 24-01-2020, 15:29
Print content https://www.practice-labs.com/authenticated/vNext/vn-print-content.aspx
In this module, you will be working on the following equipment to carry out the steps
defined in each exercise.
For further information and technical support, please see our Help and Support page.
Copyright Notice
This document and its content is copyright of Practice-IT - © Practice-IT 2017. All rights reserved.
Any redistribution or reproduction of part or all of the contents in any form is prohibited other than
the following:
1. You may print or download to a local hard disk extracts for your personal and non-commercial use
only.
2. You may copy the content to individual third parties for their personal use, but only if you
acknowledge the website as the source of the material. You may not, except with our express written
permission, distribute or commercially exploit the content. Nor may you transmit it or store it in any
other website or other form of electronic retrieval system.
Organizations that implement restrictive network security policies have the option of
installing a stand-alone CA that can be configured as an offline trusted root CA simply by
disconnecting it from the network or placing it in an isolated network segment. Such a
root CA is the starting point of certificate issuance in an organization and must
therefore be protected from unauthorized personnel.
In this exercise, you will install and configure a stand-alone CA on one of the servers in
the existing Active Directory domain called PRACTICELABS.COM.
Please refer to your course material or use your preferred search engine to research
this topic in more detail.
In this task, you will add the Windows feature called Active Directory Certificate
Services and Certificate Web Enrollment using Windows PowerShell.
Step 1
Ensure that you have powered on the required devices indicated in the Introduction of
this lab.
Connect to PLABDM01.
On the Server Manager > Dashboard window, click on the Tools menu and select
Windows PowerShell.
Step 2
Windows PowerShell commands are not case sensitive.
Press Enter.
Step 3
Please wait while installation is in progress. This will take a few minutes.
Step 4
Windows PowerShell confirms the successful installation of the Active Directory
Certificate Services.
In the earlier task, you only added the AD Certificate Services role. On its own this does
not make the Certification Authority functional: it cannot yet issue certificates to
requesting computers or users.
The service must first be configured with its system settings, such as key length
(encryption strength), CA name and the validity period of issued certificates, before it
is capable of issuing certificates to requesting users, computers or services.
Step 1
Please note that you can install the Stand-alone CA with default system settings. In the
next command, you will configure the Stand-alone CA with specific system settings.
Install-AdcsCertificationAuthority -CAType StandaloneRootCA -KeyLength 4096 -CACommonName PLABDM01-RootCA -ValidityPeriod Years -ValidityPeriodUnits 10
Press Enter.
Press Enter.
Step 2
The installation of AD Certification Authority is successfully confirmed with ErrorId
of “0.”
Step 3
In the next prompt, to configure AD Certificate Web Enrollment type the following
command:
Install-AdcsWebEnrollment
Press Enter.
Press Enter.
Step 4
When the ErrorId indicates a value of “0” minimize Windows PowerShell
window.
Step 5
To verify that AD CS is working, in the Server Manager > Dashboard window,
click on Tools menu and select Certification Authority.
Step 6
In the Certification Authority window, expand PLABDM01-RootCA node.
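The complete root CA deployment on PLABDM01, from role installation to a first health check, as an added example that is not part of the Practice-Labs guide. It uses the values the lab specifies (CA name PLABDM01-RootCA, 4096-bit key, ten-year validity). The Install-WindowsFeature line, the -Force switch and the explicit -HashAlgorithmName are assumptions; the guide does not show them. Run it in an elevated Windows PowerShell session on PLABDM01.

```powershell
# Added example (not the guide's own commands): stand-alone root CA deployment
# on PLABDM01 with a health check at the end. Feature names and the -Force /
# -HashAlgorithmName switches are assumptions not shown in the guide.

# 1. Add the role services (Certification Authority and Certificate Web Enrollment).
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# 2. Configure the CA. -Force suppresses the confirmation prompt that the guide
#    answers by pressing Enter. SHA256 is the current default; naming it records
#    the choice instead of leaving it to be read back out of the certificate.
$result = Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName 'PLABDM01-RootCA' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -Force
# The guide checks for an ErrorId of 0; fail loudly on anything else.
if ($result.ErrorId -ne 0) { throw "CA setup failed: $($result.ErrorString)" }

# 3. Web enrollment: the /certsrv site the subordinate CA request is later submitted through.
$result = Install-AdcsWebEnrollment -Force
if ($result.ErrorId -ne 0) { throw "Web enrollment setup failed: $($result.ErrorString)" }

# 4. Health check: service running, CA answering, key and validity as intended.
Get-Service certsvc | Select-Object Name, Status
certutil -ping              # RPC interface of the local CA
certutil -cainfo name       # CA name as the service reports it

# The CA's own certificate lives in the machine's Personal store and is self-signed.
$rootCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=PLABDM01-RootCA*' -and $_.Subject -eq $_.Issuer }
[PSCustomObject]@{
    Subject    = $rootCert.Subject
    KeyLength  = $rootCert.PublicKey.Key.KeySize     # should match -KeyLength
    ValidUntil = $rootCert.NotAfter                   # should be about ten years out
    Thumbprint = $rootCert.Thumbprint                 # keep this to compare after the GPO import
}
```

Recording the thumbprint at this point gives you something to compare against when the root certificate later turns up in the Trusted Root store of domain members: a matching thumbprint confirms that the certificate distributed by Group Policy is the one generated here and not a stray copy.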
Active Directory Certificate Services (AD CS) keeps track of every certificate it has issued
to users, computers or network services. If for any reason an issued certificate's
security is compromised, the AD CS administrator has the authority to cancel, or
revoke, the certificate to prevent unauthorized access to corporate assets.
A Certificate Revocation List (CRL) is a list of certificates that the Certification
Authority administrator has revoked because of identified security issues. The client
retrieves the CRL and caches it for a limited period of time. The CRL is used to look up
revoked certificates and verify whether a certificate can still be used in a variety of
network applications.
The Authority Information Access (AIA) extension holds Uniform Resource Locators (URLs)
added to a certificate. A network service or application can use these URLs to retrieve
information about the CA that issued the certificate. Once the issuing CA's certificate
has been retrieved and verified, the AIA information is used to validate the certificate
signature and build a path to the trusted root certificate.
Step 1
On PLABDM01 server, the Certification Authority console window is open.
Step 2
In the PLABDM01-RootCA Properties dialog box, click the Extensions tab.
Step 3
Under the Extensions tab, observe the Select extension drop-down list and
verify that it is set to CRL Distribution Point (CDP).
Step 4
In the Add Location dialog box, click in the Location text box and type:
http://plabdm01.practicelabs.com/certdata/
Access the Variable drop-down list and verify that it is set to <CaName>.
Step 5
The Location text box, will now display:
http://plabdm01.practicelabs.com/certdata/<CaName>
Step 6
In the Add Location dialog box, access the Variable drop-down list and change it to
<DeltaCRLAllowed>, then click Insert.
Step 7
The Location text box will now display:
http://plabdm01.practicelabs.com/certdata/<CaName><DeltaCRLAllowed>
Step 8
Place the cursor or insertion point at the end of the Location string and type:
.crl
The Location text box will now display:
http://plabdm01.practicelabs.com/certdata/<CaName><DeltaCRLAllowed>.crl
Click OK.
Step 9
You are directed back to PLABDM01-RootCA Properties dialog box.
With the new Location just added, enable the following check boxes:
Click Apply.
Step 10
In the Certification Authority message box, click No as you will need to set the AIA
properties of the stand-alone CA.
Step 11
In the PLABDM01-RootCA Properties dialog box, ensure that you are in
Extensions tab.
Under the Extensions tab, go to the Select extension drop-down list and change it to
Authority Information Access (AIA).
Step 12
In the Add Location dialog box, click in the Location text box and type:
http://plabdm01.practicelabs.com/certdata/
Verify that the Variable drop-down list is set to <ServerDNSName> and then click
Insert.
Step 13
Still in the Add Location dialog box, in the Location text box, ensure that the cursor
is at the end of the string and type an underscore.
http://plabdm01.practicelabs.com/certdata/<ServerDNSName>_
Step 14
Still in the Add Location dialog box, access the Variable drop-down list and select
<CaName> and click Insert.
Step 15
The Location string now looks like:
http://plabdm01.practicelabs.com/certdata/<ServerDNSName>_<CaName>
Step 16
In the Add Location dialog box, access the Variable drop-down list and set it to
<CertificateName> then click Insert.
Step 17
The Location string now looks like:
http://plabdm01.practicelabs.com/certdata/<ServerDNSName>_<CaName><CertificateName>
Step 18
In the Location text box, place the cursor or insertion point at the end of the
generated string.
Then type:
.crt
Click OK.
Step 19
In the PLABDM01-RootCA Properties dialog box, enable Include in the AIA
extension of issued certificates check box.
Click OK.
Step 20
Click Yes in the Certification Authority message box.
Step 21
Back in the Certification Authority console window, right-click Revoked Certificates
folder and point to All Tasks then select Publish.
Step 22
In the Publish CRL dialog box, the New CRL option is selected.
Click OK.
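The same CDP and AIA configuration that Steps 1 to 22 perform through the Extensions tab, done with certutil so it can be scripted, reviewed and repeated. This is an added example, not the guide's own procedure. The URLs are the ones the lab types in; the flag values (which check boxes are ticked) are an assumption, because the guide does not list them, and so is the existence of an HTTP server publishing the /certdata/ directory on plabdm01.practicelabs.com. Run it elevated on PLABDM01.

```powershell
# Added example (not the guide's own steps): CDP and AIA URLs set with certutil
# instead of the Extensions tab. certutil expresses the GUI variables as tokens:
#   %1 = <ServerDNSName>   %3 = <CaName>   %4 = <CertificateName>
#   %8 = <CRLNameSuffix>   %9 = <DeltaCRLAllowed>
# Each entry is "<flags>:<url>", where the flags are the dialog's check boxes.
# Assumed flags (the guide does not say which boxes it ticks):
#   CDP 6 = 2 (Include in the CDP extension of issued certificates)
#         + 4 (Include in CRLs; clients use this to find delta CRL locations)
#   AIA 2 = Include in the AIA extension of issued certificates
# The first entry in each list is the default local publish location (flags 65
# and 1) and is kept so the CA still writes the files into CertEnroll.
# certutil takes a literal "\n" (backslash, n) as the separator between entries,
# so the strings stay single-quoted to keep PowerShell from touching them.

$cdp = '65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n6:http://plabdm01.practicelabs.com/certdata/%3%9.crl'
$aia = '1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://plabdm01.practicelabs.com/certdata/%1_%3%4.crt'

certutil -setreg CA\CRLPublicationURLs $cdp
certutil -setreg CA\CACertPublicationURLs $aia

# The CA reads these values at service start, so restart it, then publish a
# fresh CRL (the console equivalent of Revoked Certificates > All Tasks > Publish).
Restart-Service certsvc
certutil -crl

# Verify 1: the registry holds the lists exactly as intended.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

# Verify 2: a CRL file was written locally and carries sane dates.
$crlFile = Get-ChildItem 'C:\Windows\system32\CertSrv\CertEnroll\*.crl' | Select-Object -First 1
certutil -dump $crlFile.FullName | Select-String 'Issuer|ThisUpdate|NextUpdate|CRL Entries'

# Verify 3: the HTTP copy relying parties will fetch is reachable. With this
# URL pattern the base CRL is named <CaName>.crl, i.e. PLABDM01-RootCA.crl.
# (Assumes a web server exposes /certdata/; the try/catch reports if it does not.)
try {
    $r = Invoke-WebRequest -Uri 'http://plabdm01.practicelabs.com/certdata/PLABDM01-RootCA.crl' -UseBasicParsing
    "CRL served over HTTP: status $($r.StatusCode), $($r.RawContentLength) bytes"
} catch {
    "CDP URL not reachable yet: $($_.Exception.Message)"
}
```

The reason the lab points CDP and AIA at an HTTP location rather than leaving only the default CertEnroll path is the one the exercise introduction gives: this root is meant to go offline. Once it is disconnected, the only copies of its CRL and certificate that clients can reach are the ones published on the web server, so the third check above is the one to repeat from a domain member before the root is unplugged.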
Keep the devices you have powered on in their current state and proceed to the
next exercise.
Please refer to your course material or use your preferred search engine to research
this topic in more detail.
Most Windows features can be installed either using Server Manager or Windows
PowerShell.
In this task, you will install an enterprise subordinate CA using Windows PowerShell.
Step 1
Connect to PLABSA01.
Step 2
A local user named PLABSA01\Administrator is logged on to PLABSA01.
runas /user:practicelabs\administrator powershell.exe
Press Enter.
Passw0rd
Press Enter.
Step 3
A new Windows PowerShell window opens. Notice the title bar indicates “(running
as practicelabs\administrator)”.
Press Enter.
Step 4
Please wait while installation of the feature is in progress.
Step 5
Windows PowerShell will confirm a successful installation of the AD Certification
Authority.
Step 6
On the next prompt, to install AD Certificate Services standalone subordinate CA, type:
Install-AdcsCertificationAuthority -CAType
Press Enter.
Press Enter.
Step 7
Since PLABSA01 is trying to contact a machine that is not a member of the domain,
you will receive a warning that the Active Directory Certificate Services installation is
incomplete.
Please take note of the WARNING message that will be required in a later step to
complete the Active Directory Certificate Services setup.
In the earlier task, the installation of the subordinate CA failed as it requires the
processing of a request file that must first be submitted to the root CA.
To process the generated certificate request file, perform the following steps:
Step 1
On PLABSA01, click File Explorer on the taskbar.
Step 2
In the File Explorer window, under This PC node click Local Disk C drive.
Observe the details pane at the right displaying the contents of C drive.
Step 3
In the message box that appears, click Try an app on this PC web link.
Step 4
In the “How do you want to open this file?” dialog box, click Notepad.
Select OK.
Figure 2.8 Screenshot of PLABSA01: In the How do you want to open this file
dialog box, Notepad application is selected.
Step 5
The request file opens.
Note: Similarly, you can click Edit menu and choose Select All.
Note: Similarly, you can click Edit menu and choose Copy.
If you are using HTML5 client to connect to the lab, a small clipboard window will
Figure 2.9 Screenshot of PLABSA01: The certificate request file is open and
the signature is selected.
Step 6
In the next few steps, you will use the contents of the request file to request for a
certificate from the stand-alone root CA.
Step 7
When Internet Explorer opens, the Setup Internet Explorer 11 message box
appears. Select Use recommended settings and compatibility settings option.
Click OK.
Step 8
The Tools and resources intranet web page is displayed. In the address bar, type:
http://plabdm01/certsrv
Press Enter.
Step 9
In the Microsoft Active Directory Certificate Services - PLABDM01-RootCA,
Welcome page, click Request a certificate web link.
Step 10
In the Request a certificate page, click advanced certificate request web link.
Step 11
In the Advanced Certificate Request page, click the Submit a certificate request
by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal
request by using a base-64-encoded PKCS #7 file web link.
Step 12
In the Submit a Certificate Request or Renewal Request page, click in the
Saved Request text box and paste the copied request.
Note: Similarly, you can right-click on the empty text box and select Paste.
Step 13
A Certificate Pending request is displayed.
However, you don’t have to wait for x number of days to get the certificate.
After processing the certificate request file in the previous task, you will now go to the
root CA to approve and export the issued certificate.
Step 1
Connect to PLABDM01.
In the Server Manager > Dashboard window, click Tools menu and select
Certification Authority.
Step 2
In the Certification Authority window, click Pending Requests folder.
In the details pane on the right, right-click the pending certificate and point to All
Tasks and select Issue.
Step 3
Now that the certificate has been issued, the next step is to export this issued
certificate to a file.
Step 4
In the Certificate dialog box, select Details tab.
Step 5
In the Details tab, ensure that Show section indicates <All>.
Step 6
In the Welcome to the Certificate Export Wizard page, click Next.
Step 7
In the Export File Format page, select Cryptographic Message Syntax
Standard - PKCS #7 Certificates (.P7B) option button.
Enable Include all certificates in the certification path if possible check box.
Click Next.
Step 8
In the File to Export page, in the provided text box, type:
C:\PLABSA01-CA
Click Next.
Step 9
In the Completing the Certificate Export Wizard page, click Finish.
To verify the functionality of the enterprise subordinate CA, perform the following
steps:
Step 1
Connect to PLABSA01.
Restore Server Manager > Dashboard window from taskbar if not yet open.
Step 2
Then right-click PLABSA01-IssueCA and point to All Tasks and select Start
service.
Step 3
In the Microsoft Active Directory Certificate services message box, click Yes to
install this certificate.
Step 4
In the Select to complete the CA installation dialog box, click in the File name
text box.
\\plabdm01\c$\PLABSA01-CA.p7b
Click Open.
Step 5
If the Microsoft Active Directory Services message box indicating the certificate
chain cannot be verified is displayed, click OK.
Step 6
Please wait while Certificate Services is being started on PLABSA01-IssueCA.
Notice that after a few seconds, the green tick/check mark appears which indicates
that PLABSA01-IssueCA is now functional.
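The subordinate CA bring-up that the preceding tasks perform through the web enrollment pages, the Certification Authority console and the Certificate Export Wizard, driven from the command line instead, as an added example that is not part of the guide. Names taken from the lab: root CA PLABDM01\PLABDM01-RootCA, subordinate CA PLABSA01-IssueCA, and the issued-certificate file \\plabdm01\c$\PLABSA01-CA.p7b. The request file name C:\PLABSA01-IssueCA.req, the C:\PLABSA01-CA.cer file and the key settings on the subordinate CA are assumptions; the guide does not show them.

```powershell
# Added example (not the guide's own steps): offline-signed enterprise
# subordinate CA, command-line equivalent of the web enrollment / console flow.
# Request file name, .cer path and key settings are assumptions.

# --- On PLABSA01, in the PowerShell window started as practicelabs\administrator ---
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# Without -ParentCA the cmdlet writes a PKCS #10 request and stops with the
# "installation is incomplete" warning the guide tells you to note.
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CACommonName 'PLABSA01-IssueCA' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -OutputCertRequestFile 'C:\PLABSA01-IssueCA.req' `
    -Force

# --- On PLABDM01 (root CA), after copying the .req file there ---
$config = 'PLABDM01\PLABDM01-RootCA'

# Submit the request. A stand-alone CA holds it as pending, exactly as the
# "Certificate Pending" web page reports, and prints the RequestId.
$out = certreq -submit -config $config 'C:\PLABSA01-IssueCA.req' 'C:\PLABSA01-CA.cer'
$out
$requestId = [regex]::Match(($out -join "`n"), 'RequestId:\s*(\d+)').Groups[1].Value
if (-not $requestId) { throw 'Could not read the RequestId from certreq output' }

# Issue the pending request (console: Pending Requests > All Tasks > Issue)...
certutil -config $config -resubmit $requestId

# ...and retrieve it. The second output file is the PKCS #7 chain, which is what
# the wizard produces when "Include all certificates in the certification path"
# is ticked: the root and the new subordinate certificate travel together.
certreq -retrieve -config $config $requestId 'C:\PLABSA01-CA.cer' 'C:\PLABSA01-CA.p7b'

# Chain check on the root itself, where its own certificate is already trusted.
certutil -verify 'C:\PLABSA01-CA.cer'

# --- Back on PLABSA01: install the issued certificate and start the service ---
# The file is read over the admin share exactly as in the lab. Until the root is
# pushed out by GPO, the "certificate chain cannot be verified" notice may appear,
# matching Step 5 above; the service still starts.
certutil -installcert '\\plabdm01\c$\PLABSA01-CA.p7b'
Start-Service certsvc

# Functional check: the service is up and the subordinate CA answers requests.
Get-Service certsvc | Select-Object Name, Status
certutil -ping -config 'PLABSA01\PLABSA01-IssueCA'
```

Parsing the RequestId out of certreq's output and passing it to -resubmit is what replaces the right-click in the Pending Requests folder; on a real offline root, keeping the submission and issuance steps as a script makes the handling of the request file auditable, which matters because that file is the only thing that should ever cross the gap between the isolated root and the rest of the network.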
In this task, you will export the root CA certificate to a file. The exported certificate will
be used to publish the root CA certificate using GPO.
Step 1
Connect to PLABDM01.
Step 2
Step 3
In the PLABDM01-RootCA Properties dialog box, click View Certificate.
Step 4
In the Certificate dialog box, click Details tab.
Step 5
Under the Details tab, click Copy to File.
Step 6
In the Welcome to the Certificate Export Wizard page, click Next.
Step 7
In the Export File Format page, the DER encoded binary X.509 (.CER) is
selected.
Click Next.
Step 8
In the File to Export page, in the File name text box, type:
C:\plabdm01-rootCA
Click Next.
Step 9
In the Completing the Certificate Export Wizard page, click Finish.
Step 1
Connect to PLABDC01.
In the Server Manager > Dashboard window, click Tools menu and select Group
Policy Management.
Step 2
In the Group Policy Management console, expand Forest:
Note: if the Group Policy Management Console message box appears, click the Do
not show the message again check box and click OK.
Step 3
In the Group Policy Management Editor window, expand Computer
Configuration > Policies > Windows Settings > Security Settings > Public
Key Policies.
Step 4
In the Welcome to the Certificate Import Wizard page, click Next.
Step 5
In the File to Import page, in the File name text box, type:
\\plabdm01\c$\plabdm01-rootCA.cer
Click Next.
Step 6
In the Certificate Store page, the location of the store is automatically filled in for
you.
Click Next.
Step 7
In the Completing the Certificate Import Wizard page, click Finish.
Step 8
You will be directed back to the Group Policy Management Editor window.
Step 9
The PLABDM01-rootCA certificate is now in the Trusted Root Certification
Authorities folder.
Close the Group Policy Management Editor and the Group Policy
Management console.
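The export of the root CA certificate from the two preceding tasks done in PowerShell, followed by the check a practitioner wants after the GPO has applied: that a domain member now trusts the root and that the subordinate CA's chain, which could not be verified in the earlier Step 5, now builds. This is an added example, not the guide's own procedure. Placing the certificate in the GPO has no cmdlet, so that part stays in the Group Policy Management Editor as the lab shows; the closing certutil -dspublish line goes beyond the lab and is an alternative distribution method, labelled as such. The file paths are the ones the lab uses; the temporary export path for the subordinate certificate is an assumption.

```powershell
# Added example (not the guide's own steps): export the root certificate, then
# verify trust and chain building on a domain member once the GPO has applied.

# --- On PLABDM01: export the root certificate (public part only, DER .cer) ---
$root = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=PLABDM01-RootCA*' -and $_.Subject -eq $_.Issuer }
Export-Certificate -Cert $root -FilePath 'C:\plabdm01-rootCA.cer' -Type CERT | Out-Null
# Record the hash; anyone importing the file elsewhere can compare against it.
Get-FileHash 'C:\plabdm01-rootCA.cer' -Algorithm SHA256
"Root thumbprint: $($root.Thumbprint)"

# --- On a domain member (PLABSA01) after the GPO has been linked and applied ---
gpupdate /target:computer /force | Out-Null

$trusted = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like 'CN=PLABDM01-RootCA*' }
if (-not $trusted) {
    throw 'PLABDM01-RootCA is not in the Trusted Root store yet; check the GPO link and scope'
}
# The thumbprint must equal the one reported on PLABDM01; a different value
# means a different certificate was distributed.
"Trusted root: $($trusted.Subject)  thumbprint $($trusted.Thumbprint)  expires $($trusted.NotAfter)"

# The subordinate CA's own certificate: does its chain now build to the root?
# This is the check that produced the "chain cannot be verified" notice before
# the root was distributed. Test-Certificate returns $true when the chain is valid.
$sub = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=PLABSA01-IssueCA*' }
$chainOk = Test-Certificate -Cert $sub -Policy BASE -ErrorAction SilentlyContinue
"Subordinate CA chain valid: $chainOk"

# certutil -verify -urlfetch additionally downloads the CDP and AIA URLs from the
# certificate, so it proves the published CRL and CA certificate are reachable
# from this machine, not just present in the registry on the root.
$subFile = Join-Path $env:TEMP 'PLABSA01-IssueCA.cer'   # assumed temporary path
Export-Certificate -Cert $sub -FilePath $subFile -Type CERT | Out-Null
certutil -verify -urlfetch $subFile | Select-String 'revocation|ERROR|completed'

# --- Alternative beyond the lab: publish the root into AD instead of via GPO ---
# Run on PLABDM01 or PLABDC01 as an Enterprise Admin; domain members then pick
# the root up through autoenrollment without a per-GPO import.
# certutil -dspublish -f 'C:\plabdm01-rootCA.cer' RootCA
```

The -urlfetch check is the one to keep in a runbook: the Trusted Root store test only proves the root certificate arrived, whereas fetching the CDP and AIA URLs from a client proves that the locations configured in the Extensions tab are actually served, which is exactly what stops working silently once the offline root is disconnected and nobody has stood up the HTTP publication point.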
Result - You have completed the essential tasks to install an offline root CA and an
enterprise subordinate CA.
Shut down all virtual machines used in this lab by using the power functions
located in the Tools bar before proceeding to the next module. Alternatively, you
can log out of the lab platform.
Summary
In this module you covered the following topics:
Deploy Stand-alone CA