
ADCS Step by Step Guide: Single Tier PKI Hierarchy Deployment

The purpose of this Step-by-Step Guide is to enable you to create a single-tier public key infrastructure (PKI) hierarchy using Windows Server® 2008 R2 Active Directory Certificate Services (AD CS).

This guide contains instructions for installation/configuration of Windows Server 2008 R2 Enterprise root CA (using a single-tier PKI hierarchy), configuration of LDAP as well as HTTP CRL Distribution Point (CDP) and Authority Information Access (AIA). Also included are instructions for the installation and configuration of Online Responder (OCSP) for revocation checking.

Note

The configuration of the computers and network in this guide was designed to give you hands-on practice in creating a single-tier PKI hierarchy. The design decisions made in this guide were geared toward increasing your hands-on experience and may not reflect a best practices configuration. For best practice information, see Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure and PKI Design Brief Overview.

Test Lab Overview

There are four computers involved in this single-tier PKI hierarchy.

  • A domain controller that will run Active Directory-integrated DNS and host the LDAP CDP and AIA
  • An Enterprise Root CA
  • An Internet Information Services (IIS) Web Server that will host the HTTP CDP and AIA
  • A Windows 7 Client computer.

| Virtual Machine   | Role(s)                                                  | OS Type                | IP Address   | Subnet Mask   | Preferred DNS Server |
|-------------------|----------------------------------------------------------|------------------------|--------------|---------------|----------------------|
| DC01.Fabrikam.com | Domain controller, DNS server, LDAP host for CDP and AIA | Windows Server 2008 R2 | 192.168.1.10 | 255.255.255.0 | 192.168.1.10         |
| CA01.Fabrikam.com | Enterprise Root CA                                       | Windows Server 2008 R2 | 192.168.1.11 | 255.255.255.0 | 192.168.1.10         |
| SRV1.Fabrikam.com | Web Server, HTTP host for CDP and AIA                    | Windows Server 2008 R2 | 192.168.1.13 | 255.255.255.0 | 192.168.1.10         |
| WIN7.Fabrikam.com | Windows Client Computer                                  | Windows 7              | 192.168.1.14 | 255.255.255.0 | 192.168.1.10         |

Computer Requirements

Make sure that the following requirements are met for the computers or virtual machines to be installed for this lab:

  • Windows Server 2008 R2 Standard, Enterprise, or Datacenter edition operating system for the servers. For more information about Windows Server Editions and capabilities, see Active Directory Certificate Services Overview.
  • Windows 7 Professional, Ultimate, or Enterprise edition because it must be able to join the domain.
  • All current service packs and updates applied
  • Initial membership: Workgroup
  • Network configuration: You may have a custom network configuration for your environment. If so, you can configure that instead and make the appropriate substitutions as needed. In this lab the assumption will be made that you are using the IP address scheme shown in the table.

Major Steps

There are six major steps in this step-by-step guide, as listed below (each includes several subtasks).

  1. Install Active Directory Forest
  2. Prepare HTTP Web Server for CDP and AIA Publication
  3. Install Enterprise Root CA
  4. Perform Post Installation Configuration On Enterprise Root CA
  5. Install and Configure Online Responder (OCSP Responder)
  6. Verify PKI Hierarchy Health

Install Active Directory Forest

In this Step-by-Step guide, an Active Directory Domain Services (AD DS) forest named Fabrikam.com is used. DC01 functions as the domain controller. The Forest Functional Level is set to Windows Server 2008 R2.

Configure Server Name and Network Settings

To ensure the server is named DC01 and the network settings are configured properly for this lab:

  1. Log on to DC01 as the local administrator.
  2. Click Start, type ncpa.cpl and press ENTER.
  3. In Network Connections, right-click the Local Area Connection and then click Properties.
    • If there is more than one Local Area Connection icon in Network Connections, modify the one that is connected to the network segment shared by all the computers that you have installed for this lab.
  4. Click the Internet Protocol Version 4 (TCP/IPv4) and then click Properties.
  5. Select Use the following IP address. Configure the IP address, Subnet mask, and Default gateway appropriately for your test network.
    • IP Address: 192.168.1.10
    • Subnet mask: 255.255.255.0
    • Default gateway: <optional>
  6. Select the Use the following DNS server address. Configure the Preferred DNS server for the IP address of your domain controller. Click OK. Click Close.
    • Preferred DNS Server: 192.168.1.10
  7. Click Start, type sysdm.cpl and press ENTER. Click Change.
  8. In Computer name, type DC01 and then click OK.
  9. When prompted that you need to restart the computer, click OK. Click Close. Click Restart Now.

 

Install a new forest by using Server Manager

  1. Log onto DC01 as DC01\Administrator.

  2. Open Server Manager. To do so, you can click the Server Manager icon in the toolbar or click Start, click Administrative Tools, and then click Server Manager.

  3. In the console tree, right-click Roles and then click Add Roles.

  4. On the Before You Begin page, click Next.

  5. On the Select Server Roles page, select Active Directory Domain Services. Click Next.

    • If prompted by the Add Roles Wizard, click Add Required Features and then click Next.
  6. On the Active Directory Domain Services page, click Next.

  7. On the Confirm Installation Selections page, click Install.

  8. On the Installation Results page, click the Close this wizard and launch the Active Directory Domain Services Installation Wizard (dcpromo.exe) link (in blue).

  9. On the Welcome to the Active Directory Domain Services Installation Wizard page, click Next.

    • The Use advanced mode installation check box could be used to get additional installation options. However, you will not do so in this lab.
  10. On the Operating System Compatibility page, click Next.

  11. On the Choose a Deployment Configuration page, select Create a new domain in a new forest, and then click Next.

  12. On the Name the Forest Root Domain page, in FQDN of the forest root domain, type fabrikam.com, and then click Next.

  13. On the Set Forest Functional Level page, in the Forest functional level drop down menu, select Windows Server 2008 R2 and then click Next.

  14. On the Additional Domain Controller Options page, click Next.

  15. DNS server is selected by default so that your forest DNS infrastructure can be created during AD DS installation. In our scenario we are going to use Active Directory–integrated DNS so we have selected to install DNS.

    • If you do not have a static IP address assigned to your network adapter, a warning message appears advising you to set static addresses.
  16. The wizard displays a message indicating that it cannot create a delegation for the DNS server. This is normal when creating a new forest and root domain. Click Yes to continue.

  17. On the Location for Database, Log Files, and SYSVOL page, click Next.

  18. On the Directory Services Restore Mode Administrator Password page, type and confirm the restore mode password, and then click Next. This password must be used to start AD DS in Directory Service Restore Mode for tasks that must be performed offline.

  19. On the Summary page, review your selections and click Next to install Active Directory Domain Services.

  20. Select the Reboot on completion check box to have the server restart automatically after Active Directory installation is completed.

    • If you are using Active Directory-integrated DNS, the IP address of the Preferred DNS server for the first domain controller in the forest is automatically set to the loopback address 127.0.0.1. This helps ensure that the IP address of the first domain controller will be resolved in DNS even if the static IP address of the server is changed. If you prefer to configure the actual IP address of the DNS server rather than the loopback address, replace it with 192.168.1.10 after the restart.

Install the Group Policy Management Console

In some installations of Windows Server 2008 R2, the Group Policy Management console is added automatically. In other installations, it is not. If your installation does not automatically include the Group Policy Management tools upon AD DS installation, then you can add them using the following procedure:

  1. Log onto DC01.Fabrikam.com as Fabrikam\Administrator.
  2. Open Server Manager.
  3. In the console tree, click Features. In the Features pane, click Add Features.
  4. In the Add Feature Wizard dialog box, select Group Policy Management from the list of available features.
  5. Click Install.
  6. Close Server Manager when the installation completes.

Prepare HTTP Web Server for CDP and AIA Publication

Join SRV1 to the domain

  1. Log on to SRV1 as the local administrator.
  2. Click Start, type ncpa.cpl and press ENTER.
  3. In Network Connections, right-click the Local Area Connection and then click Properties.
    • If there is more than one Local Area Connection icon in Network Connections, modify the one that is connected to the network segment shared by all the computers that you have installed for this lab.
  4. Click the Internet Protocol Version 4 (TCP/IPv4) and then click Properties.
  5. Select the Use the Following IP address. Configure the IP address, Subnet mask, and Default gateway appropriately for your test network.
    • IP Address: 192.168.1.13
    • Subnet mask: 255.255.255.0
    • Default gateway: <optional>
  6. Select the Use the following DNS server address. Configure the Preferred DNS server for the IP address of your domain controller. Click OK. Click Close.
    • Preferred DNS Server: 192.168.1.10
  7. Click Start, type sysdm.cpl and press ENTER. Click Change.
  8. In Computer name, type SRV1 and then click OK.
  9. When prompted that you need to restart the computer, click OK. Click Close. Click Restart Now.
  10. After SRV1 restarts, log on as a local administrator.
  11. Click Start, type sysdm.cpl and press ENTER. Click Change.
  12. In Member of, select Domain, and then type fabrikam.com. Click OK.
  13. In Windows Security, enter the User name and password for the domain administrator account. Click OK.
  14. You should be welcomed to the Fabrikam domain. Click OK.
  15. When prompted that a restart is required, click OK. Click Close. Click Restart Now.

Install Web Server (IIS) Role

  1. Log on to SRV1.Fabrikam.com as Fabrikam\Administrator.
    • Note: Ensure that you log on to the domain using the domain account, not just using the local computer account.
  2. Open Server Manager.
  3. Right click on Roles and then select Add Roles.
  4. On the Before You Begin page select Next.
  5. On the Select Server Roles page select Web Server (IIS) and then click Next.
  6. On Web Server (IIS) page, click Next.
  7. Leave the defaults on Select Role Services page and then click Next.
  8. On Confirm Installation Selections page, click Next.
  9. On the Installation Results page, click Close.

Create CertEnroll Folder and grant Share & NTFS Permissions to Cert Publishers Group

  1. Log onto SRV1.Fabrikam.com as Fabrikam\Administrator.
  2. Click Start and select Computer to open Windows Explorer and then go to the C: drive.
  3. Create a folder called CertEnroll at the root of the C: drive.
  4. Right click on the CertEnroll folder and select Properties.
  5. On CertEnroll Properties page select Sharing tab to configure share permissions.
  6. Click on Advanced Sharing option and then select Share this folder.
  7. Click on Permissions and then click Add.
  8. On Select Users or Groups page, type in Fabrikam\Cert Publishers under the Enter the object names to select field and then click OK.
  9. On Permissions for CertEnroll page highlight Cert Publishers group and then select Change permission and then click OK twice to go back to CertEnroll Properties page.
  10. Select Security tab and click Edit to configure NTFS permissions.
  11. On Permissions for CertEnroll page click Add.
  12. On Select Users or Groups page, type in Fabrikam\Cert Publishers under the Enter the object names to select field and then click OK.
  13. On Permissions for CertEnroll page highlight Cert Publishers group and then select Modify permission and then click OK.
  14. On CertEnroll Properties page, click Close.

Create CertEnroll Virtual Directory in IIS

  1. Ensure you are logged on to SRV1.Fabrikam.com as Fabrikam\Administrator.
  2. Click Start, Administrative Tools and then select Internet Information Services (IIS) Manager.
  3. On the Connections, expand SRV1 and then expand Sites.
  4. Right click on Default Web Site and select Add Virtual Directory.
  5. On Add Virtual Directory page, in Alias, type CertEnroll. In Physical path, type C:\Certenroll, and then click OK.
  6. In the Connections pane, under the Default Web Site, ensure the CertEnroll virtual directory is selected.
  7. In the CertEnroll Home pane, double-click on Directory Browsing.
  8. In Actions pane click Enable.

Enable Double Escaping on IIS Server

Allowing double escaping makes it possible for the web server to host Delta CRLs.

For more information, see KB Article 942076 - Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 404.11 – URL_DOUBLE_ESCAPED"  

  1. Ensure you are logged on to SRV1.Fabrikam.com as Fabrikam\Administrator.
  2. Open a Command Prompt. To do so, click Start, click Run, and then type cmd. Click OK.
  3. Then type cd %windir%\system32\inetsrv\ and press ENTER.
  4. Type the following command and press ENTER:

     Appcmd set config "Default Web Site" /section:system.webServer/Security/requestFiltering -allowDoubleEscaping:True

  5. Restart IIS service. To do so, type iisreset and press ENTER.

Create CNAME (pki.fabrikam.com) in DNS

  1. Ensure that you are logged on to DC01.Fabrikam.com as Fabrikam\Administrator.
  2. Open the DNS Console. You can do so by clicking Start, click Run, and then type dnsmgmt.msc. Click OK.
  3. Expand Forward Lookup Zones, select and then right-click Fabrikam.com zone. Click New Alias (CNAME).
  4. In Alias name (uses parent domain if left blank), type PKI. In the Fully qualified domain name (FQDN) for target host field, type SRV1.Fabrikam.com. and then click OK.

 

Note

Include the terminating “.” in the FQDN in the previous step. In a production environment this alias can resolve to a load balancer which distributes requests to any number of web servers that contain the CA certificates and CRLs.

 

Install Enterprise Root CA

Enterprise CAs must be joined to the domain. Before you install the Enterprise Root CA, you must first join the server to the domain. Then you can install the Certification Authority role service on the server.

Join CA01 to the domain

  1. Log on to CA01 as the local administrator.
  2. Click Start, type ncpa.cpl and press ENTER.
  3. In Network Connections, right-click the Local Area Connection and then click Properties.
    • If there is more than one Local Area Connection icon in Network Connections, modify the one that is connected to the network segment shared by all the computers that you have installed for this lab.
  4. Click the Internet Protocol Version 4 (TCP/IPv4) and then click Properties.
  5. Select the Use the Following IP address. Configure the IP address, Subnet mask, and Default gateway appropriately for your test network.
    • IP Address: 192.168.1.11
    • Subnet mask: 255.255.255.0
    • Default gateway: <optional>
  6. Select the Use the following DNS server address. Configure the Preferred DNS server for the IP address of your domain controller. Click OK. Click Close.
    • Preferred DNS Server: 192.168.1.10
  7. Click Start, type sysdm.cpl and press ENTER. Click Change.
  8. In Computer name, type CA01 and then click OK.
  9. When prompted that you need to restart the computer, click OK. Click Close. Click Restart Now.
  10. After CA01 restarts, log on as a local administrator.
  11. Click Start, type sysdm.cpl and press ENTER. Click Change.
  12. In Member of, select Domain, and then type fabrikam.com. Click OK.
  13. In Windows Security, enter the User name and password for the domain administrator account. Click OK.
  14. You should be welcomed to the Fabrikam domain. Click OK.
  15. When prompted that a restart is required, click OK. Click Close. Click Restart Now.

Create CAPolicy.inf for Enterprise Root CA

  1. Log onto CA01.Fabrikam.com as Fabrikam\Administrator. (Ensure you use the domain administrator account and not the local administrator account).

  2. Click Start, select Run and then type notepad C:\Windows\CAPolicy.inf and press ENTER. 

  3. When prompted to create new file, click Yes.

  4. Type the following as the content of the file:

    [Version]
    Signature="$Windows NT$"

    [PolicyStatementExtension]
    Policies=InternalPolicy

    [InternalPolicy]
    OID=1.2.3.4.1455.67.89.5
    Notice="Legal Policy Statement"
    URL=http://pki.fabrikam.com/cps.txt

    [Certsrv_Server]
    RenewalKeyLength=2048
    RenewalValidityPeriod=Years
    RenewalValidityPeriodUnits=10
    LoadDefaultTemplates=0
    AlternateSignatureAlgorithm=1

    Note

    - [Windows Server 2008 R2 CAPolicy.inf Syntax](http://blogs.technet.com/b/askds/archive/2009/10/15/windows-server-2008-r2-capolicy-inf-syntax.aspx "CAPolicy.inf syntax") - The CAPolicy.inf file contains various settings that are used when installing Active Directory Certificate Services (AD CS) or when renewing the CA certificate. The CAPolicy.inf file is not required to install AD CS with the default settings, but in many cases the default settings are insufficient. The CAPolicy.inf file can be used to configure CAs in these more complicated deployments.
    - AlternateSignatureAlgorithm will not work with Windows XP client computers.
    - The OID shown in the example is the Microsoft OID. Individual organizations should obtain their own OIDs. For more information about OIDs, see Obtaining a Root OID from an ISO Name Registration Authority (<http://msdn.microsoft.com/library/windows/desktop/ms677621.aspx>).
    - If any entries in the CAPolicy.inf file are misspelled, they will be ignored.

  5. Click File and then Save to save the CAPolicy.inf file in the C:\Windows directory.

    Important: Ensure that the CAPolicy.inf is saved as an .inf file. The file will not be used if it is saved with any other file extension.

  6. Close Notepad.

Install Enterprise Root CA using Server Manager

  1. Ensure that you are logged on to CA01.Fabrikam.com as Fabrikam\Administrator.
  2. Open Server Manager.
  3. Right click on Roles and then select Add Roles.
  4. On the Before You Begin page select Next.
  5. On the Select Server Roles page select Active Directory Certificate Services and then click Next.
  6. On the Introduction to Active Directory Certificate Services page, click Next.
  7. On the Select Role Services page, ensure that Certificate Authority is selected, and then click Next.
  8. On the Specify Setup Type page, select Enterprise and then click Next.
    • The Enterprise option is not available if you are not logged on as a member of the Enterprise Admins group or if the computer is not a member of the domain.
  9. On the Specify CA Type page, select Root CA and then click Next.
  10. On the Set Up Private Key page select Create a new private key and then click Next.
  11. Leave the defaults on the Configure Cryptography for CA page, and then click Next.
    • Important: CSP, Hash Algorithm and Key length must be selected to meet application compatibility requirements.
  12. On Configure CA Name page, enter Fabrikam Root CA in the Common name for this CA field, and then click Next.
  13. On Set Validity Period page enter 10 Years, then select Next.
  14. Keep the default on the Configure Certificate Database page, and then click Next. Click Install.
  15. Review the information on the Installation Results page to verify that the installation is successful and then click Close.

Perform Post Installation Configuration for Enterprise Root CA

  1. Ensure that you are logged on to CA01.Fabrikam.com as Fabrikam\Administrator.
  2. Open a command prompt. To do so, you can click Start, click Run, type cmd and then click OK.
  3. To define the CRL period units and CRL period, type each of the following commands and press ENTER after each one:

     Certutil -setreg CA\CRLPeriodUnits 1
     Certutil -setreg CA\CRLPeriod "Weeks"
     Certutil -setreg CA\CRLDeltaPeriodUnits 1
     Certutil -setreg CA\CRLDeltaPeriod "Days"

CRLPeriodUnits - You can use this setting to specify the number of days, weeks, months, or years, that a CRL will be valid.

CRLPeriod - You can use this setting to specify whether the validity period of a CRL will be defined in days, weeks, months, or years.

CRLDeltaPeriodUnits - You use this setting to specify the number of days, weeks, months, or years that delta CRLs will be valid. If a CA is to be offline, you should disable delta CRL publication.

CRLDeltaPeriod - You use this setting to specify whether delta CRL lifetimes will be defined in days, weeks, months, or years. The delta CRL publication interval setting is similar to the CRL publication interval setting. If a CA is to be offline, you should disable delta CRL publication.

 

Note: The use of delta CRLs needs to be based on a need to publish revocation knowledge quickly while minimizing bandwidth consumption issues that can result with base CRL usage only. CRLPeriodUnits and CRLDeltaPeriodUnits settings should not be less than Active Directory convergence time if you are planning to publish CRLs to Active Directory.

  4. To define the CRL overlap period units and CRL overlap period, run the following commands:

     Certutil -setreg CA\CRLOverlapPeriodUnits 12
     Certutil -setreg CA\CRLOverlapPeriod "Hours"

 

CRLOverlapPeriodUnits - You use this setting to specify the number of days, weeks, months, or years that CRLs can overlap. When a large number of certificates are revoked, such as during an employee layoff, the delta CRL size might increase significantly because of the large number of entries, and almost all clients will refer to the older base CRL. You can reduce the size of the overlap period to speed the propagation process for the new base CRL and help minimize the size of delta CRLs.

CRLOverlapPeriod - This setting specifies whether the overlap period for CRLs will be defined in days, weeks, months, or years.

 

Note: The overlap period for CRLs is the amount of time at the end of a published CRLs lifetime that a client can use to obtain a new CRL before the old CRL is considered unusable. The default setting for this value is 10% of the CRL lifetime. Because some environments may require longer periods to replicate a CRL, this setting can be configured manually.

  5. To define the validity period units for all certificates issued by this CA, type the following commands and press ENTER after each one. In this single-tier PKI hierarchy scenario, end-entity certificates should not be valid for more than 5 years.

     Certutil -setreg CA\ValidityPeriodUnits 5
     Certutil -setreg CA\ValidityPeriod "Years"

 

ValidityPeriodUnits - You can use this setting to define the number of days, weeks, months, or years that a certificate issued by the CA will be valid. The validity period for a certificate cannot be greater than the validity period of the CA that issued the certificate. The default value depends on the type of certificate.

ValidityPeriod - You can use this setting to specify whether the validity period of certificates issued by the CA will be defined in days, weeks, months, or years. The default value depends on the type of certificate.

  6. Enable auditing for the CA by selecting which group of events to audit in the Certification Authority MMC snap-in or by configuring the AuditFilter registry key. To configure auditing for all CA-related events, type the following command:

     Certutil -setreg CA\AuditFilter 127

 

Note

CA\AuditFilter 127 enables all forms of auditing. You can use this setting to enable specific auditing events or all auditing events for the CA.

 

Enable Object Access Auditing on the CA

CA auditing depends on the system Audit Object Access setting being enabled. You can enable Object Access Auditing through Active Directory Domain Services (AD DS) Group Policy or the Local Security Policy. The following instructions describe how to do so using Local Security Policy.

  1. Click Start, Administrative Tools and then select Local Security Policy.
  2. Expand Local Policies and then select Audit Policy.
  3. Double click Audit Object Access and then select Success and Failure then click OK.
  4. Close Local Security Policy editor.
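As an added check that is not part of the original guide, the following PowerShell function reads back the values configured with certutil -setreg above from the CA's registry key and compares them with each other. The hours-per-unit table is an approximation, and the CA certificate validity defaults to the 10 years entered on the Set Validity Period page.

```powershell
# Added example: sanity-check the revocation settings set with certutil -setreg
# in this guide. Run on CA01 in an elevated PowerShell; not part of the guide.
function Test-CaRevocationConfig {
    [CmdletBinding()]
    param(
        [string]$CaName = 'Fabrikam Root CA',
        # Validity entered on the Set Validity Period page during CA installation.
        [int]$CaCertValidityYears = 10,
        # Recommended maximum for end-entity certificates in this single-tier design.
        [int]$MaxEndEntityYears = 5
    )

    # certutil -setreg CA\<Name> writes its values under this key.
    $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
    $cfg = Get-ItemProperty -Path $regPath -ErrorAction Stop

    # Approximate hours per unit; good enough to compare the periods with each other.
    $hoursPer = @{ Hours = 1; Days = 24; Weeks = 168; Months = 720; Years = 8760 }

    function ConvertTo-Hours([int]$Units, [string]$Period) {
        if (-not $hoursPer.ContainsKey($Period)) {
            throw "Unknown period unit '$Period' under $regPath"
        }
        return $Units * $hoursPer[$Period]
    }

    $baseCrl  = ConvertTo-Hours $cfg.CRLPeriodUnits        $cfg.CRLPeriod
    $deltaCrl = ConvertTo-Hours $cfg.CRLDeltaPeriodUnits   $cfg.CRLDeltaPeriod    # 0 = delta CRLs disabled
    $overlap  = ConvertTo-Hours $cfg.CRLOverlapPeriodUnits $cfg.CRLOverlapPeriod  # 0 = default of 10 %
    $validity = ConvertTo-Hours $cfg.ValidityPeriodUnits   $cfg.ValidityPeriod
    $caCert   = ConvertTo-Hours $CaCertValidityYears 'Years'

    # One object per check: what was read and whether it is consistent with the rest.
    [pscustomobject]@{ Check = 'Base CRL lifetime (h)';   Value = $baseCrl;  Pass = ($baseCrl -gt 0) }
    # A delta CRL must expire before the base CRL it refines; 0 means deltas are disabled.
    [pscustomobject]@{ Check = 'Delta CRL lifetime (h)';  Value = $deltaCrl; Pass = (($deltaCrl -eq 0) -or ($deltaCrl -lt $baseCrl)) }
    # The overlap extends NextUpdate; it must stay shorter than the CRL period itself.
    [pscustomobject]@{ Check = 'CRL overlap (h)';         Value = $overlap;  Pass = ($overlap -lt $baseCrl) }
    # Issued certificates cannot outlive the CA certificate that signs them.
    [pscustomobject]@{ Check = 'Issued validity <= CA cert (h)'; Value = $validity; Pass = ($validity -le $caCert) }
    [pscustomobject]@{ Check = "Issued validity <= $MaxEndEntityYears years"; Value = $validity; Pass = ($validity -le ($MaxEndEntityYears * 8760)) }
    # 127 enables every CA audit category, as configured in step 6.
    [pscustomobject]@{ Check = 'AuditFilter = 127';       Value = $cfg.AuditFilter; Pass = ($cfg.AuditFilter -eq 127) }
}

Test-CaRevocationConfig | Format-Table -AutoSize
```

With the values from this guide (1 week base CRL, 1 day delta, 12 hours overlap, 5 year validity, AuditFilter 127) every check passes; a failing row points at the setting to revisit before clients start depending on the CRLs.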

Additional Information

Configure the AIA and CDP

There are multiple different methods for configuring the Authority Information Access (AIA) and certificate revocation list distribution point (CDP) locations. You can use the user interface (in the Properties of the CA object), certutil, or directly edit the registry. The AIA is used to point to the public key for the certification authority (CA). The CDP is where the certificate revocation list is maintained, which allows client computers to determine if a certificate has been revoked. In this lab there will be three locations for the AIA and four locations for the CDP.

Configure the AIA

Using a certutil command is a quick and common method for configuring the AIA. When you run the following certutil command, you will be configuring a static file system location, a Lightweight Directory Access Protocol (LDAP) location, and an HTTP location for the AIA. The certutil command to set the AIA modifies the registry, so ensure that you run the command from a command prompt run as Administrator. Run the following command:

certutil -setreg CA\CACertPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n2:http://pki.fabrikam.com/CertEnroll/%1_%3%4.crt"

After you have run that command, run the following command to confirm your settings:

certutil -getreg CA\CACertPublicationURLs

If you look in the registry under the path HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\Fabrikam Root CA, you can confirm the CACertPublicationURLs by opening that REG_MULTI_SZ value. You should see the following:

1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt

2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11

2:http://pki.fabrikam.com/CertEnroll/%1_%3%4.crt

You can also see this in the the CA (certsrv) console. To open the console, click Start, click Administrative Tools, and then click Certification Authority. In the navigation pane, expand the Certificate Authority (Local). Right-click Fabrikam Root CA and then click Properties. On the Extensions tab, under Select extension, click Authority Information Access (AIA) and you will see the graphical representation of the AIA settings.

Additional Information

  • CACertPublicationURLs - This setting identifies the URL of the authority information access (AIA) point where a client can find a CA certificate. The authority information access point is the location of the certificate that was used to sign the certificate being validated.
  • The number preceding each URL is a flag value that selects the publication settings for that URL. You can find more information about these values at AIA Publishing Properties.
  • These settings can be configured from the Extensions tab in the Certificate Authority manager as well.
  • The HTTP path to pki.fabrikam.com is being used as an alias (CNAME configured earlier), which provides flexibility for load balancing scenarios.
  • TechNet Article - CRL Distribution Point Replacement Token.

Configure the CDP

Clients will use the CDP to locate the CRL and delta CRLs for the certificates issued by the CA. This allows certificate clients to ensure that the certificates have not been revoked. You can also configure the CDP with the user interface, certutil, or the registry. Using a certutil command is a quick and common method for configuring the CDP. When you run the following certutil command, you will be configuring a static file system location, an LDAP location, an HTTP location, and a file system location.

Note: The file system location that you will be setting will allow the CRL to be copied over the network to the web server (SRV1), which is why we earlier allowed the Cert Publishers group access to the share and folder. All CAs are members of the Cert Publishers group, so we effectively allowed all CAs to copy to the CertEnroll folder on SRV1. Some administrators decide to configure a separate group of specific computers for that purpose or even grant permissions to the CAs individually.

The certutil command to set the CDP modifies the registry, so ensure that you run the command from a command prompt run as Administrator. Run the following command:

certutil -setreg CA\CRLPublicationURLs "65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n6:http://pki.fabrikam.com/CertEnroll/%3%8%9.crl\n65:file://\\Srv1.fabrikam.com\CertEnroll\%3%8%9.crl"

After you run that command, run the following certutil command to verify your settings:

certutil -getreg CA\CRLPublicationURLs

In the registry location HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\Fabrikam Root CA, you can open the CRLPublicationURLs REG_MULTI_SZ value and see the configuration of these values:

65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl

79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10

6:http://pki.fabrikam.com/CertEnroll/%3%8%9.crl

65:file://\\Srv1.fabrikam.com\CertEnroll\%3%8%9.crl

 

CRLPublicationURLs - This setting identifies the CRL distribution points where a client can find the CRL that is related to a certificate. The CDP extension in a root CA's own certificate should be empty. For intermediate and issuing CAs, you use the Certification Authority snap-in to define CRL distribution points. These values are then stored in the registry.

 

The number preceding each URL is a flag value that selects the publication settings for that URL. You can find more information about these values at CRL Publishing Properties. Because the Cert Publishers group has Share and NTFS permissions on the CertEnroll folder and the file path file:///CertEnroll/%253%258%259.crl is configured on the Extensions tab of the Enterprise Root CA, the CRL is published automatically to the CertEnroll share when you run certutil -crl, since the Enterprise Root CA computer account is a member of the Cert Publishers group in its domain.

TechNet Article - CRL Distribution Point Replacement Token

You can also see this in the CA (certsrv) console. To open the console, click Start, click Administrative Tools, and then click Certification Authority. In the navigation pane, ensure that Certificate Authority (Local) is expanded. Right-click Fabrikam Root CA and then click Properties. On the Extensions tab, under Select extension, click CRL Distribution Point (CDP) and you will see the graphical representation of the CDP settings.
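As an added example that is not part of the original guide, the following PowerShell expands the CDP string from this section and the AIA string from the previous section into the concrete URLs that clients will see, and decodes the flag value in front of each entry. Token and flag meanings follow the Microsoft documentation referenced above (CRL Distribution Point Replacement Token, CRL and AIA Publishing Properties); the host names, CA name and configuration DN are the lab values assumed for CA01.

```powershell
# Added example (not part of the original guide): expand the replacement tokens
# in CRLPublicationURLs / CACertPublicationURLs and decode the leading flags.

# Replacement tokens as they resolve for this lab's CA (constructed values).
$Tokens = @{
    '%1'  = 'CA01.fabrikam.com'                    # ServerDNSName
    '%2'  = 'CA01'                                 # ServerShortName
    '%3'  = 'Fabrikam Root CA'                     # CaName
    '%4'  = ''                                     # CertificateName renewal suffix, empty for the first CA cert
    '%6'  = 'CN=Configuration,DC=fabrikam,DC=com'  # ConfigDN
    '%7'  = 'Fabrikam Root CA'                     # CATruncatedName (sanitized, at most 32 characters)
    '%8'  = ''                                     # CRLNameSuffix, empty until the CA key is renewed
    '%10' = '?certificateRevocationList?base?objectClass=cRLDistributionPoint'  # CDPObjectClass
    '%11' = '?cACertificate?base?objectClass=certificationAuthority'            # CAObjectClass
}
# %9 (DeltaCRLAllowed) is "+" in the delta CRL name and empty in the base CRL name.

# Bit values of the flag in front of each CRLPublicationURLs entry.
$CdpFlags = @{
    1   = 'Publish CRLs to this location'
    2   = 'Include in the CDP extension of issued certificates'
    4   = 'Include in CRLs (clients use this to find delta CRL locations)'
    8   = 'Include in all CRLs (AD DS location used for manual publishing)'
    64  = 'Publish delta CRLs to this location'
    128 = 'Include in the IDP extension of issued CRLs'
}
# Bit values of the flag in front of each CACertPublicationURLs entry.
$AiaFlags = @{
    1  = 'Publish the CA certificate to this location'
    2  = 'Include in the AIA extension of issued certificates'
    32 = 'Include in the OCSP extension of issued certificates'
}

function Expand-CaPublicationUrls {
    param(
        [Parameter(Mandatory)][string]$Setting,      # the certutil argument; entries separated by a literal \n
        [Parameter(Mandatory)][hashtable]$FlagTable,
        [Parameter(Mandatory)][hashtable]$TokenTable
    )
    foreach ($entry in ($Setting -split '\\n')) {
        # "65:C:\Windows\..." -> flag value and the URL template after the first colon.
        $flagText, $url = $entry -split ':', 2
        $flags = [int]$flagText

        $meaning = foreach ($bit in ($FlagTable.Keys | Sort-Object)) {
            if ($flags -band $bit) { $FlagTable[$bit] }
        }

        # Replace longer tokens first so that %1 does not clobber %10 and %11.
        $expanded = $url
        foreach ($token in ($TokenTable.Keys | Sort-Object -Property Length -Descending)) {
            $expanded = $expanded.Replace($token, $TokenTable[$token])
        }

        # Only locations that carry %9 get a separate delta CRL name.
        $delta = $null
        if ($url.Contains('%9')) { $delta = $expanded.Replace('%9', '+') }

        [pscustomobject]@{
            Flags    = $flags
            Meaning  = $meaning -join '; '
            BaseUrl  = $expanded.Replace('%9', '')
            DeltaUrl = $delta
        }
    }
}

# The exact strings passed to certutil -setreg in this guide.
$CdpSetting = '65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n6:http://pki.fabrikam.com/CertEnroll/%3%8%9.crl\n65:file://\\Srv1.fabrikam.com\CertEnroll\%3%8%9.crl'
$AiaSetting = '1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n2:http://pki.fabrikam.com/CertEnroll/%1_%3%4.crt'

Expand-CaPublicationUrls -Setting $CdpSetting -FlagTable $CdpFlags -TokenTable $Tokens | Format-List
Expand-CaPublicationUrls -Setting $AiaSetting -FlagTable $AiaFlags -TokenTable $Tokens | Format-List
```

The HTTP CDP entry expands to http://pki.fabrikam.com/CertEnroll/Fabrikam Root CA.crl with the delta CRL named Fabrikam Root CA+.crl, and the "+" in that name is why double escaping was enabled on SRV1; the AIA file name expands to CA01.fabrikam.com_Fabrikam Root CA.crt, the file copied to SRV1 in the next section.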

Publish the Fabrikam Root CA Certificate to the AIA

To ensure that certificate clients can locate the root CA certificate, you must copy it to the AIA location that you previously defined: http://pki.fabrikam.com/CertEnroll. You may recall that this is the CertEnroll shared directory on SRV1. To do so:

  1. Ensure that you are logged on to CA01.Fabrikam.com as Fabrikam\Administrator.
  2. Open a command prompt and run the following commands:
    • cd c:\windows\system32\certsrv\certenroll
    • copy "CA01.fabrikam.com_Fabrikam Root CA.crt" \\Srv1.Fabrikam.com\C$\CertEnroll
  3. To implement the CDP and AIA changes that you made, you should restart the Certificate Service by running the following command:
    • net stop certsvc && net start certsvc

Publish the Fabrikam CRL to the CDP

To ensure that certificate clients can locate the CRL, you must ensure that the CRL is published to the locations where you indicated that it would be available. There are a couple of methods for publishing the CRL. You can run the certutil -crl command or you can use the user interface. To use the user interface:

  1. Click Start, click Administrative Tools, and then click Certificate Authority to open the Certificate Authority console.
  2. Ensure that Certificate Authority (Local) is expanded.
  3. Expand Fabrikam Root CA. Right-click Revoked Certificates, click All Tasks, and then click Publish.
  4. The Publish CRL dialog box appears. In Type of CRL to publish, ensure that New CRL is selected, and then click OK.
  5. Select the Extensions tab and review the CRL Distribution Points (CDP) and Authority Information

Join Win7 to the domain

  1. Log on to WIN7 as the local administrator.
  2. Click Start, type ncpa.cpl and press ENTER.
  3. In Network Connections, right-click the Local Area Connection and then click Properties.
    • If there is more than one Local Area Connection icon in Network Connections, modify the one that is connected to the network segment shared by all the computers that you installed for this lab.
  4. Click the Internet Protocol Version 4 (TCP/IPv4) and then click Properties.
  5. Select Use the following IP address. Configure the IP address, Subnet mask, and Default gateway appropriately for your test network.
    • IP Address: 192.168.1.14
    • Subnet mask: 255.255.255.0
    • Default gateway: <optional>
  6. Select Use the following DNS server addresses. Configure the Preferred DNS server as the IP address of your domain controller. Click OK. Click Close.
    • Preferred DNS Server: 192.168.1.10
  7. Click Start, type sysdm.cpl, and press ENTER. Click Change. (Ensure that the computer name is already set to WIN7; otherwise, change it.)
  8. In Member of, select Domain, and then type fabrikam.com. Click OK.
  9. In Windows Security, enter the User name and password for the domain administrator account. Click OK.
  10. You should be welcomed to the Fabrikam domain. Click OK.
  11. When prompted that a restart is required, click OK. Click Close. Click Restart Now.

Verify PKI Hierarchy Health

There are a couple of ways to check that your PKI hierarchy is working properly. One is to use the Enterprise PKI utility to check the health of the AIA and the CDP. Another is to actually distribute a certificate to a client computer.

Validate PKI Hierarchy Health using PKIView.msc (Enterprise PKI)

  1. Ensure you are logged on to CA01.Fabrikam.com as Fabrikam\Administrator.
  2. Open Server Manager.
  3. In Server Manager expand Roles, Active Directory Certificate Services, and select Enterprise PKI.
    • The tool can also be launched by running PKIView.msc from command line.
  4. Expand the Enterprise PKI node, select Fabrikam Root CA, and verify that the CA Certificate, AIA URLs, and CDP URLs all show status OK.
  5. Right-click Enterprise PKI and then select Manage AD Containers.
  6. On the NTAuthCertificates tab, verify that the Fabrikam Root CA certificate object appears with a status of OK.
  7. On the AIA Container tab, verify that the Fabrikam Root CA certificate is present with a status of OK.
  8. On the CDP Container tab, verify that the Fabrikam Root CA Base CRL and Delta CRL are present with a status of OK.
  9. On the Certificate Authorities Container tab, verify that the Fabrikam Root CA certificate is present with a status of OK.
  10. On the Enrollment Services Container tab, verify that the Fabrikam Root CA certificate is present with a status of OK.

Perform Certificate Enrollment and Validate Revocation Status and Chain Retrieval

  1. Ensure you are logged on to CA01.Fabrikam.com as Fabrikam\Administrator.

  2. Open the Certificate Authority console (certsrv.msc).

  3. In the navigation pane, expand Fabrikam Root CA, right-click Certificate Templates, select New, and then select Certificate Template to Issue.

  4. In the Enable Certificate Templates dialog box, click Workstation Authentication and then click OK.

  5. In the navigation pane, click Certificate Templates. In the Details pane you see the Workstation Authentication template appear.

  6. Log on to Win7.Fabrikam.com as Fabrikam\Administrator. Ensure that you are logging on to the domain rather than the local computer; to do so, type fabrikam\administrator as the user name.

  7. Click Start, type mmc, and then press ENTER.

  8. In Console1, click File, click Add/Remove Snap-in.

  9. On the Add or Remove Snap-ins dialog box, under Available Snap-ins, click Certificates, then click Add.

  10. In the Certificates snap-in dialog box, select Computer account, and then click Next.

  11. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected. Click Finish.

  12. On the Add or Remove Snap-ins dialog box, click OK.

  13. In the navigation pane, expand Certificates (Local Computer), right-click Personal, click All Tasks, and then click Request New Certificate.

  14. In the Certificate Enrollment dialog box, click Next.

  15. On the Select Certificate Enrollment Policy screen, under Configured by your administrator, ensure that Active Directory Enrollment Policy is displayed. Click Next.

  16. On the Request Certificates screen, under Active Directory Enrollment Policy, select Workstation Authentication. Click Enroll.

  17. When the request displays STATUS: Succeeded, click Finish.

  18. In the navigation pane, expand Personal and then expand Certificates.

  19. In the details pane, right-click the WIN7.fabrikam.com certificate, click All Tasks, click Export.

  20. In the Certificate Export Wizard, on the Welcome to Certificate Export Wizard screen, click Next.

  21. On the Export Private Key screen, click Next.

  22. On the Export File Format screen, ensure that DER encoded binary X.509 (.CER) is selected, and then click Next.

  23. On the File to Export screen, in File name, type C:\win7, and then click Next.

  24. On the Completing the Certificate Export Wizard screen, click Finish.

  25. When the Certificate Export Wizard reports that the export was successful, click OK.

  26. Open a command prompt. To do so, you can click Start, type cmd and press Enter.

  27. Type cd\ and then press ENTER. This changes to the C:\ folder.

  28. Run the following command to open the URL Retrieval Tool with the Win7.fabrikam.com certificate:

    certutil -url c:\win7.cer

  29. Ensure that Select CRLs (from CDP) is selected, and then click Retrieve. The Status column should be Verified for each item.

  30. Select the Certs (from AIA) option and then click Retrieve. The Status column should be Verified for each item.

  31. Click Exit to close URL Retrieval Tool.

  32. From the command prompt, run the following command to verify certificate chain retrieval and revocation status:

    certutil -verify -urlfetch c:\win7.cer

  33. Review the output and make sure that chain retrieval and revocation status were verified successfully for every certificate in the chain.
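As an added example (not part of the guide), the following PowerShell performs, from the Win7 client, the same two checks as steps 28 through 33: it retrieves every HTTP CDP and AIA URL embedded in the exported certificate, then builds the chain with online revocation checking for all certificates in it. It can be rerun after each CRL publication from the "Publish the Fabrikam CRL to the CDP" section to confirm the client can reach the new CRL. It assumes the certificate was exported to C:\win7.cer as in step 23; the function names are mine.

```powershell
# Added example, not part of the guide: a PowerShell equivalent of the URL Retrieval Tool and
# "certutil -verify -urlfetch" checks, run on the Win7 client. Assumes the certificate was
# exported to C:\win7.cer as in step 23; the function names are mine.
function Get-CertUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # CDP is OID 2.5.29.31, AIA is OID 1.3.6.1.5.5.7.1.1; Format() renders each URL as "URL=...".
    foreach ($oid in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
        $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
        if ($ext) {
            [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
        }
    }
}

function Test-PkiClientHealth {
    param([string]$Path = 'C:\win7.cer')
    $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $result = @()

    # 1. Retrieve every HTTP CDP/AIA URL, as the Retrieve button does. ldap:// URLs are skipped
    #    here, and an OCSP URL (if present) answers only OCSP requests, so a plain GET may fail.
    $web = New-Object System.Net.WebClient
    foreach ($url in @(Get-CertUrls -Cert $cert | Where-Object { $_ -like 'http*' })) {
        try   { $status = 'Verified ({0} bytes)' -f $web.DownloadData($url).Length }
        catch { $status = 'FAILED: ' + $_.Exception.Message }
        $result += New-Object PSObject -Property @{ Check = $url; Status = $status }
    }

    # 2. Build the chain with online revocation checking of every certificate in it.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    if ($chain.Build($cert)) {
        $status = 'Verified'
    } else {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }
    $check = 'Chain of {0} certificate(s), revocation checked' -f $chain.ChainElements.Count
    $result += New-Object PSObject -Property @{ Check = $check; Status = $status }
    $result
}

Test-PkiClientHealth | Format-Table -AutoSize Check, Status
```

A FAILED row for an HTTP URL points at the SRV1 CertEnroll publication or the pki.fabrikam.com DNS record, while a chain status such as "The revocation function was unable to check revocation" with all URLs retrievable usually means the published CRL has expired and certutil -crl needs to be run again on CA01.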