A Microsoft PKI Quick Guide – Part 3: Installation


How to install a PKI based on Microsoft Certificate Services in Windows Server 2003.


• Published: Aug 15, 2007

• Updated: Sep 19, 2007

• Section: Articles :: Authentication, Access Control & Encryption

• Author: Martin Kiaer


If you missed the other articles in this series please go to:

A Microsoft PKI Quick Guide - Part 1: Planning

A Microsoft PKI Quick Guide – Part 2: Design

A Microsoft PKI quick guide – Part 4: Troubleshooting


We have now gotten to the third article in our Microsoft PKI quick guide four part series. In our first article we gave you a quick overview on how to prepare and plan your Microsoft PKI. In our second article we went into design mode and looked at some best practice settings. In this article we will get a lot more technical and show you how to install a PKI based on Microsoft Certificate Services in Windows Server 2003.

Installing the PKI

Based on some of the design issues from our previous article, it is time to start the installation of your PKI. Since this is a quick guide, we will cover a few things along the way, even though they actually belong to the design stage. For the rest of this article, we will show you how to install a 2-level hierarchy consisting of an offline root CA and an online issuing CA in the same PKI using best practice methods. However, before we start the installation, let us get a few practical things in place.

In figure 1, we have illustrated a best practice validity period for each CA at each level (based on a 3-level hierarchy for a complete overview). The advantage of this model is that it ensures you always have consistency for the issued certificates at each level. If you only want to deploy a 2-level hierarchy, simply remove the CA in level 3. The model will still apply.

Figure 1: A best practice validity period for each CA at each level

The other thing you should prepare before we start the installation is a text file called CAPolicy.inf. This file is used to customize your configuration of Windows Certificate Services. In this file, you will find important things such as:

• The CDP statement

• Certificate renewal settings such as validity period and key size

• The links for the CDP and AIA paths

• How often the CRL should be published

Create the file using Notepad and save it to %windir%\capolicy.inf (e.g. C:\Windows\capolicy.inf).

We have made this task a lot easier for you, by supplying the files in our step-by-step guides below. With these things in mind, it is time to get technical.
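The CAPolicy.inf files the article supplies (Figures 2 and 12) are images that did not survive extraction. As an added example, and not the author's file, here is a CAPolicy.inf for the offline root CA that uses the values the article specifies for it (a 4096-bit key and a 20-year validity period). The 26-week CRL period, the policy OID and the policy URL are assumed placeholders.

```ini
[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
; Puts a certificate-policy extension pointing at your CPS into the CA certificate.
Policies=LegalPolicy

[LegalPolicy]
; Placeholder OID: replace it with one from your organisation's own OID arc.
OID=1.2.3.4.5.6
Notice="Legal policy statement text"
URL=http://pki.domain.local/cps.html

[certsrv_server]
; Values used when the root CA renews its own certificate; they match the
; key length and validity the article sets in the installation wizard.
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
; An offline root only signs sub CA certificates, so its CRL can live long.
; Delta CRL units of 0 switch delta CRLs off for this CA.
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0

[CRLDistributionPoint]
; Empty: a self-signed root certificate carries no CDP, since nothing above
; the root can revoke it and a dangling URL only causes chain-building errors.
Empty=True

[AuthorityInformationAccess]
Empty=True
```

For the enterprise issuing CA the same [certsrv_server] section with the article's values for that CA (RenewalKeyLength=2048, RenewalValidityPeriodUnits=5) and a much shorter CRLPeriod is enough; the [CRLDistributionPoint] and [AuthorityInformationAccess] sections are not needed there, because the parent CA decides which CDP and AIA URLs go into the subordinate's certificate.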

Installing an offline root CA

To install an offline root CA, you will have to complete the following:

• Prepare a CAPolicy.inf file

• Install Windows Certificate Services

• Publish the CRL list

• Run the post-Configuration script

Here is how it should be done:

1. Install a server with Windows Server 2003 Standard Edition incl. SP1 or newer and make sure that it runs as a stand-alone server (i.e. it should not be a member of any domain)

2. Make the necessary parameter replacements in the CAPolicy.inf file below (highlighted in red)

Figure 2: Filename: CAPolicy.inf

3. Copy the CAPolicy.INF file to %windir%\capolicy.inf

4. Navigate to the Start Menu / Control Panel / Add or Remove Programs and click Add/Remove Windows Components

5. In the Windows Components Wizard, select Certificate Services and click Next

6. Notice what the dialog box is displaying. You should not rename the computer once Windows Certificate Services is installed. Click Yes

Figure 3

Figure 3

7. In the CA Type field, you click Stand-alone root CA, and put a checkmark at “Use custom settings to generate the key pair and CA certificate” check box and click Next

Note:

It is normal that the Enterprise root CA and Enterprise subordinate CA options cannot be selected, since this server is not a member of a domain

Figure 4

8. Select the CSP you want to use for your offline root CA. For simplicity, we’ve selected the Microsoft Strong Cryptographic Provider v1.0, however you can also select another CSP if you, for example, installed a Hardware Security Module (HSM) and connected the server to the HSM solution, before you started the CA installation procedure.

Select the default hash algorithm SHA-1

Set the key length to 4096

Make sure that both the “Allow this CSP to interact with the desktop” and “Use an existing key” options are not checked. Click Next

Figure 5

9. Enter a common name for your root CA, configure the Distinguished name suffix (O=domain, C=local) and set the validity period to 20 years, then click Next

Figure 6

10. Accept the default suggestion for the certificate database and log files (or change it at will) and click Next

Figure 7

11. Since this is an offline root CA, there is no need to install IIS (Internet Information Services), which is why this dialog is displayed. Click OK

Figure 8

12. Click Finish

Figure 9

13. Click Start / Programs / Administrative Tools / Certification Authority

14. Expand your CA server pane and right-click Revoked Certificates. Click All tasks / Publish

Figure 10

15. Select New CRL and click OK

16. Copy %windir%\system32\certsrv\certenroll\*.crt and *.crl to a USB key. You will need these files for the next subordinate CA that will be installed

17. You should also copy these files to the CDP HTTP location as indicated in the CAPolicy.inf file listed earlier.

18. Make the necessary parameter replacements in the file below (highlighted in red) and run the file from a command prompt

Figure 11

19. You are done installing the root CA.

We mentioned earlier that there are good security reasons to keep the root and policy CAs offline, which includes turning them off. Only the issuing CAs should be kept online. Because the root and policy CAs are kept offline, they should not be a member of a domain.

Installing an online issuing enterprise CA

To install an online issuing Enterprise CA, you will have to complete the following:

• Prepare a CAPolicy.inf file

• Install IIS (Internet Information Services)

• Install Windows Certificate Services

• Submit the sub CA certificate request to the parent CA

• Issue the sub CA certificate

• Install the sub CA certificate at the enterprise subordinate CA

• Run the post-Configuration script

• Publish the CRL list

Here is how you do it:

1. Install a server with Windows Server 2003 Enterprise Edition incl. SP1 or newer and make sure it is a member of a domain

2. Make sure that IIS (Internet Information Services) has been installed. There is a caveat, however. If you really want to do this right, omit the IIS part. The only condition for doing so is that you must know your PKI well before you leave out the IIS component. The advantage is a simpler setup and one attack vector less.

3. Make the necessary parameter replacements in the CAPolicy.inf file below (highlighted in red)

Figure 12: Filename: CAPolicy.inf

4. Copy the CAPolicy.INF file to %windir%\capolicy.inf

5. Navigate to the Start Menu / Control Panel / Add or Remove Programs and click Add/Remove Windows Components

6. In the Windows Components Wizard, select Certificate Services and click Next

Figure 13

7. Notice what the dialog box is displaying. You should not rename the computer once the Windows Certificate Services are installed. Click Yes

8. In the CA Type field, you click Enterprise subordinate CA and put a checkmark at “Use custom settings to generate the key pair and CA certificate” check box and click Next

Figure 14

9. Select the CSP you want to use for your issuing CA. For simplicity, we have selected the Microsoft Strong Cryptographic Provider v1.0, however you could also have selected another CSP if you, for example, installed a Hardware Security Module (HSM) and connected the server to the HSM solution, before you started the CA installation procedure.

Select the default hash algorithm SHA-1

Set the key length to 2048

Make sure that both the “Allow this CSP to interact with the desktop” and “Use an existing key” options are not checked. Click Next

Figure 15

10. Enter a common name for your issuing CA and set the validity period to 5 years, then click Next

Figure 16

11. Accept the default suggestion for the certificate database and log files (or change at will) and click Next

12. A CA Certificate Request window is displayed. Select Save the request to a file and enter a path and a filename (the wizard will automatically add a .req extension to the filename). Copy the file to a USB key for later use. Click Next. We will be using this request file later on in this quick guide

Figure 17

13. Some IIS application components for Certificate Services will be added. Click Yes

Figure 18

14. (Optional) If you have not enabled ASP support in IIS, the following dialog box is displayed. Click Yes

Figure 19

15. You are not quite done yet. As indicated in the dialog box, you will need to generate a private key for your new issuing CA.

Figure 20

Click OK and continue.

16. Click Finish

Figure 21

17. Before you continue, you should publish the certificate and revocation list for your root CA to Active Directory. This is done as follows:

a. Copy both the *.crt and *.crl files generated during the installation of the root CA to the %systemroot%\system32\certsrv\certenroll folder on the issuing CA server.

b. Run the script below from a command prompt in the same folder on your issuing CA. You have to run the script as a user who is a member of the Cert Publishers group in Active Directory (normally someone with domain admin rights).

Figure 22

The script will automatically process the entire filename and complete the needed commands.
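The script of Figure 22 is an image that did not survive extraction. The batch file below is an added example for step 17b, not the author's script. It assumes the root CA's files were copied into the certenroll folder as step 17a describes, and that ROOTCA_HOST and ROOTCA_NAME are replaced with the offline root's computer name and CA common name (both placeholders), since those two values make up the file names Certificate Services generated on the root (<host>_<CA name>.crt and <CA name>.crl).

```batch
@echo off
rem Added example for step 17b; not the article's own script (Figure 22).
rem Run on the issuing CA as a member of Cert Publishers, after the root CA's
rem .crt and .crl files were copied into %systemroot%\system32\certsrv\certenroll.
setlocal
rem Placeholders: the offline root's host name and CA common name.
set ROOTCA_HOST=OFFLINEROOT01
set ROOTCA_NAME=Domain Root CA

cd /d "%systemroot%\system32\certsrv\certenroll" || exit /b 1

rem Root certificate(s): "RootCA" publishes each one to both the Certification
rem Authorities container (trusted roots for the whole forest) and the AIA
rem container; -addstore Root also trusts it on this server right away.
rem The name filter keeps the issuing CA's own certificate out of the trusted
rem root set, which is the one mistake this step must not make.
for %%F in ("%ROOTCA_HOST%_%ROOTCA_NAME%*.crt") do (
    certutil -dspublish -f "%%~F" RootCA
    certutil -addstore -f Root "%%~F"
)

rem Root CRL(s): published to the CDP container under the root's host name,
rem so the LDAP CDP URL in certificates issued by the root resolves, and added
rem to the local store so this server can validate chains before AD replication.
for %%F in ("%ROOTCA_NAME%*.crl") do (
    certutil -dspublish -f "%%~F" "%ROOTCA_HOST%"
    certutil -addstore -f Root "%%~F"
)

rem Refresh machine policy so the new trusted root is picked up immediately
rem instead of at the next Group Policy interval.
gpupdate /force
endlocal
```

In a 3-level hierarchy the policy CA's certificate and CRL need the same treatment; the certificate is then published as SubCA rather than RootCA, which is the modification the conclusion of this article refers to.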

18. Make sure you have the certificate request file generated in Step 12. Log on to the root CA server

19. From the root CA server, click Start / Programs / Administrative Tools / Certification Authority

20. Expand your CA server pane and right-click the server name. Click All tasks / Submit new request…

Figure 23

Figure 23

21. Locate the request file generated in Step 12 and click OK

22. In the left pane, click Pending Requests. Locate the certificate request in the right pane / Right-click the certificate request and select All Tasks / Issue

23. Next we need to export the certificate. In the left pane you click Issued Certificates. In the right pane you right-click the certificate and click Open

Figure 24

24. Click the details tab and click Copy to file…

Figure 25

25. The Certificate Export Wizard is displayed. Click Next

Figure 26

26. Select "Cryptographic Message Syntax Standard …" and "Include all certificates in the certification path if possible". Click Next

Figure 27

27. Save the certificate to the same USB key used in Step 12. Click Next

Figure 28

28. Click Finish and then click OK

29. Now go back to the issuing CA and click Start / Programs / Administrative Tools / Certification Authority

30. Expand the CA server pane and right-click the server name. Click All tasks / Install CA certificate…

Figure 29

31. Locate the certificate you issued in Step 27 and click OK

32. Expand your CA server pane and right-click the server name. Click Start service


Figure 30

33. Copy %windir%\system32\certsrv\certenroll\*.crt and *.crl to a USB key. You will need to copy these files to the web servers that are being used as Certificate Distribution Points (CDP) over HTTP. This is the HTTP-based CDP URL you defined in the issuing CA's CAPolicy.inf earlier.

Note:

This task should be scheduled and run automatically

34. Make the necessary parameter replacements in the file below (highlighted in red) and run the file from a command prompt

Figure 31

35. Expand your CA server pane and right-click Revoked Certificates. Click All tasks / Publish


Figure 32

36. Select New CRL and click OK

37. And finally, you are done.
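The post-configuration scripts of Figure 11 (step 18 of the root CA installation) and Figure 31 (step 34 of the issuing CA installation) are images that did not survive extraction. The batch file below is an added example, not the author's script, that covers both steps from one file selected by a command-line argument. Assumed placeholders: the forest configuration DN (DC=domain,DC=local), the HTTP CDP host (pki.domain.local), a 26-week root CRL, a weekly base and daily delta CRL on the issuing CA, and 2-year end-entity certificates; the 5-year lifetime for the sub CA certificate matches the issuing CA validity the article uses.

```batch
@echo off
rem Added example post-configuration script for steps 18 (root) and 34 (issuing).
rem Not the article's own script (Figures 11 and 31 are images).
rem Usage:  ca-postconfig.cmd root      on the offline stand-alone root CA
rem         ca-postconfig.cmd issuing   on the online enterprise issuing CA
setlocal
rem Placeholders to replace before running.
set DSCONFIGDN=CN=Configuration,DC=domain,DC=local
set HTTPCDP=http://pki.domain.local/certenroll

if /i "%~1"=="root"    goto root
if /i "%~1"=="issuing" goto issuing
echo Usage: %~nx0 root ^| issuing
exit /b 1

:root
rem Offline root: long base CRL, no delta CRL, 5-year sub CA certificates.
rem LDAP flag 10 = 2 (URL in issued certs) + 8 (URL in CRLs), deliberately
rem without 1 (publish here): an offline root never writes to Active Directory
rem itself; its CRL is carried over and published by hand on the issuing CA.
set CRLUNITS=26
set CRLPERIOD=Weeks
set DELTAUNITS=0
set VALIDITYUNITS=5
set LDAPFLAG=10
goto configure

:issuing
rem Online issuing CA: weekly base CRL, daily delta CRL, 2-year end-entity
rem certificates (assumed). LDAP flag 11 = 1 (publish to AD) + 2 + 8.
set CRLUNITS=1
set CRLPERIOD=Weeks
set DELTAUNITS=1
set VALIDITYUNITS=2
set LDAPFLAG=11

:configure
rem DSConfigDN lets the %%6 token in the LDAP URLs expand even on a host that
rem is not a domain member (the offline root).
certutil -setreg CA\DSConfigDN "%DSCONFIGDN%"
certutil -setreg CA\CRLPeriodUnits %CRLUNITS%
certutil -setreg CA\CRLPeriod "%CRLPERIOD%"
certutil -setreg CA\CRLDeltaPeriodUnits %DELTAUNITS%
certutil -setreg CA\CRLDeltaPeriod "Days"
rem Overlap keeps the previous CRL valid two extra days, so clients that fetched
rem it just before it expired do not fail revocation checking.
certutil -setreg CA\CRLOverlapUnits 2
certutil -setreg CA\CRLOverlapPeriod "Days"
rem Longest lifetime this CA hands out to the certificates it issues.
certutil -setreg CA\ValidityPeriodUnits %VALIDITYUNITS%
certutil -setreg CA\ValidityPeriod "Years"

rem CDP locations. Flags: 1 = write the CRL here, 2 = put the URL in issued
rem certificates, 8 = put the URL in CRLs. Inside a .cmd file certutil's %N
rem tokens must be doubled (%%3 = CA name, %%8 = CRL suffix, %%9 = delta suffix,
rem %%6 = configuration DN) and "\n" separates the entries.
certutil -setreg CA\CRLPublicationURLs "1:%%WINDIR%%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n%LDAPFLAG%:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10\n2:%HTTPCDP%/%%3%%8%%9.crl"

rem AIA locations. Flags: 1 = write the CA certificate here, 2 = put the URL
rem in issued certificates. The enterprise installation already places the
rem issuing CA certificate in AD, so flag 2 is enough for the LDAP entry.
certutil -setreg CA\CACertPublicationURLs "1:%%WINDIR%%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11\n2:%HTTPCDP%/%%1_%%3%%4.crt"

rem Audit every CA operation (issuance, revocation, key backup, configuration
rem changes). "Audit object access" must be enabled in the local security
rem policy for these events to reach the Security log.
certutil -setreg CA\AuditFilter 127

rem Restart the service so the registry changes take effect, then publish a
rem CRL that already carries the new lifetimes and URLs.
net stop certsvc
net start certsvc
certutil -crl
endlocal
```

After running it, `certutil -getreg CA\CRLPublicationURLs` shows the stored entries with the %N tokens intact, and the next certificate issued by the CA carries the HTTP and LDAP URLs in its CDP and AIA extensions; step 33 (copying the .crt and .crl files to the HTTP CDP web server) is what makes those URLs answer.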

Conclusion

In this article, we have given you some quick guidelines and best practice advice on how to best implement a PKI consisting of a combination of offline stand-alone CAs and enterprise-based online issuing CAs. You should know that the script used for publishing the root CA's certificate and CRL file to the local store of the issuing CA and to Active Directory needs modifications if you are using a 3-level hierarchy. This is because the policy CA also needs to be published to the local certificate store of the enterprise-based issuing CA and to Active Directory.

To a certain extent you may find this third article a bit cumbersome, especially during the implementation of an online issuing CA. But once you try it, you will find that it is really not that difficult to implement a full-blown PKI that is both scalable and secure. In the last article in this PKI quick guide series, we will show you how to verify the installation as well as maintain and troubleshoot a PKI using a few simple steps.

External resources

This article series was written with the help of a lot of great resources. All the excellent Microsoft PKI articles are collected in one place, which you can find on the Microsoft PKI Web Portal: Public Key Infrastructure for Windows Server 2003

If you want to see how Microsoft does PKI, check out the IT Showcase: Deploying PKI Inside Microsoft

And this is a great book: Microsoft Windows Server 2003 PKI and Certificate Security


About Martin Kiaer


Martin Kiaer is a Microsoft MVP in Windows Security and works as a Principal Consultant for LogicaCMG, a Microsoft Gold Partner in Security and Enterprise solutions. Martin has worked in IT for over 16 years, specializing in IT security since 1994. In his spare time he works as a freelance journalist and is the founder of IT-experts.dk, the largest Microsoft online community for Danish IT pros.


Copyright © 2009 TechGenix Ltd. All rights reserved. Please read our Privacy Policy and Terms & Conditions.