Practical Guide To Pki With Windows Server Compress
Practical Guide To Pki With Windows Server Compress
Matthew Burr
Practical Guide to PKI with Windows Server
by Matthew Burr
All rights reserved. This publication is protected by copyright, and permission must be obtained prior to any reproduction of this
publication. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the
express written permission of the author.
ISBN: 978-1-7774422-0-0
ISBN: 978-1-7774422-1-7
Trademarks
• Active Directory Domain Services, Active Directory Certificate Services, Edge, File Explorer, Hyper-V, Internet Explorer,
Microsoft Certificate Server, Windows 10, Windows Server (2000, 2003, 2003 R2, 2008, 2008 R2, 2012, 2012 R2, 2016
and 2019) and Windows Update are trademarked to the Microsoft Corporation.
• Android and Chrome are trademarked to Google LLC.
• Apache HTTP Server is trademarked to the Apache Software Foundation.
• Firefox is trademarked to the Mozilla Foundation.
• iOS, iPad, iPadOS, iPhone, macOS, and Safari are trademarked to Apple Inc.
• Linux is trademarked to Linus Torvalds in the U.S. and other countries.
• Nginx is trademarked to F5 Networks, Inc.
• OpenSSL is trademarked to the OpenSSL Software Foundation.
• Ubuntu is trademarked to Canonical Ltd.
• VirtualBox is trademarked to Oracle.
• VMware Workstation is trademarked to VMware Inc.
This book expresses the author’s views and opinions. The information contained within this book is provided without any
express, statutory, or implied warranties. The author will not be held liable for any damages caused by or alleged to be caused
directly or indirectly by this book. Reasonable efforts have been made to ensure the accuracy of the information and contents
of this book. Even though all precautions have been taken in the research and publication of this book, the author assumes no
responsibility for errors or omissions. No liability is assumed for damages resulting from the use of the information contained
in this book.
The examples contained within this book make references to companies, domain names, e-mail addresses, users,
organizations, and other scenarios. All references that are contained within this book are fictitious. There is no association with
any real company with any of the provided examples.
It is strongly recommended to test the steps and procedures provided in this book prior to using it in a production environment.
Details on how to test the steps and procedures in this book are provided.
The author reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Revision History
Additional Information
Contents at a Glance | v
Table of Contents
Table of Contents | ix
Add the Root CA to Active Directory . . . . . . . . . . . . . . . . . . . . . . . 199
Verify PKI Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Subordinate CA Server Restart . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Subordinate CA Next Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Chapter 6 - Deploy Root and Subordinate Certificates . . . . . . . . . . . . . . . 205
Prepare the Root and Subordinate Certificates . . . . . . . . . . . . . . . . . 206
Deploy the Root and Subordinate Certificates to the Domain . . . . . . . . . 208
Deploy the Root Certificate to the Domain Controller . . . . . . . . . . . . . 214
Internal Certificate File Deployment Folder . . . . . . . . . . . . . . . . . . . 215
Internal Certificate File Deployment Folder - GUI Configuration . . . . 216
Internal Certificate File Deployment Folder - CLI Configuration . . . . 216
Internal Certificate File Deployment Folder - Validation . . . . . . . . 217
Deploy Root and Subordinate Certificates Next Steps . . . . . . . . . . . . . 217
Chapter 7 - Online Responder Role Configuration . . . . . . . . . . . . . . . . . . 219
Add the Online Responder Role . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Add the Online Responder Role - GUI Installation . . . . . . . . . . . 220
Add the Online Responder Role - CLI Installation . . . . . . . . . . . . 221
Enable the Online Responder Role . . . . . . . . . . . . . . . . . . . . . . . . 222
Enable the Online Responder Role - GUI Configuration . . . . . . . . 222
Enable the Online Responder Role - CLI Configuration . . . . . . . . . 225
Enable the Online Responder Role - Validation . . . . . . . . . . . . . 225
Add the OCSP URL to the Subordinate CA . . . . . . . . . . . . . . . . . . . . 226
Add the OCSP URL to the Subordinate CA - GUI Configuration . . . . 226
Add the OCSP URL to the Subordinate CA - CLI Configuration . . . . 228
Configure and Publish the OCSP Response Signing Certificate . . . . . . . . 228
Revocation Configuration for the Online Responder Role . . . . . . . . . . . 233
Enable Auditing on the Online Responder . . . . . . . . . . . . . . . . . . . . 241
Add the OCSP URL to Group Policy . . . . . . . . . . . . . . . . . . . . . . . 244
Verify OCSP Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Test OCSP Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Online Responder Role Limitations . . . . . . . . . . . . . . . . . . . . . . . . 250
Online Responder Role Next Steps . . . . . . . . . . . . . . . . . . . . . . . . 250
Chapter 8 - Private Key Archive and Recovery . . . . . . . . . . . . . . . . . . . . 251
Create the Key Recovery Agent Certificate Template . . . . . . . . . . . . . . 252
Deploy the Key Recovery Agent Certificate . . . . . . . . . . . . . . . . . . . 258
Configure the Certificate Authority for Key Recovery . . . . . . . . . . . . . . 261
Private Key Archive and Recovery Next Steps . . . . . . . . . . . . . . . . . . 263
Chapter 9 - Certificate Template Customization . . . . . . . . . . . . . . . . . . . 265
Active Directory Certificate Templates . . . . . . . . . . . . . . . . . . . . . . 266
User Certificate Template Creation . . . . . . . . . . . . . . . . . . . . . . . . 268
User Certificate Private Key Recovery . . . . . . . . . . . . . . . . . . 270
Computer Certificate Template Creation . . . . . . . . . . . . . . . . . . . . 273
Web Server Certificate Template Creation . . . . . . . . . . . . . . . . . . . . 275
Delete Unnecessary Certificate Templates . . . . . . . . . . . . . . . . . . . 278
Active Directory Certificate Services Web Enrollment . . . . . . . . . . . . . 280
Certificate Template Deployment Next Steps . . . . . . . . . . . . . . . . . . 283
Table of Contents | xi
Subordinate CA Setup - Subordinate Certificate Creation . . . . . . . 348
Subordinate CA Setup - Set Maximum Certificate Age . . . . . . . . . 351
Subordinate CA Setup - Modify the CertEnroll Virtual Directory . . . . 351
Subordinate CA Setup - CDP and AIA Configuration . . . . . . . . . . 352
Subordinate CA Setup - CPS Document . . . . . . . . . . . . . . . . . 353
Subordinate CA Setup - Windows Firewall Configuration . . . . . . . 354
Subordinate CA Setup - Add the Root CA to Active Directory . . . . . 355
Subordinate CA Setup - Verify PKI Infrastructure . . . . . . . . . . . . 355
Subordinate CA Setup - Next Steps . . . . . . . . . . . . . . . . . . . 356
AD CS Quick Start - Post-Implementation Tasks . . . . . . . . . . . . . . . . 357
Post-Implementation Tasks - Virtual Floppy Disk Deletion . . . . . . 357
Post-Implementation Tasks - Root CA Shut Down . . . . . . . . . . . 357
AD CS Quick Start - Next Steps . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
Graphical Tools Using Windows Server Tools . . . . . . . . . . . . . . . . . . 367
Graphical Tools Using the Microsoft Management Console . . . . . . . . . . 368
Cmdlets for Managing Windows Server . . . . . . . . . . . . . . . . . . . . . 369
Command Line Tools for Managing Windows Server . . . . . . . . . . . . . 370
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Matthew Burr is an IT Professional who has worked in the IT industry for over 12 years in
the Greater Toronto Area. During that time, he has worked in the financial, government,
healthcare, retail, scientific, social media, and software development industries. He
attended Cambrian College in Sudbury, Ontario from 2006 to 2009, where he studied
Computer Networking and Systems Administration.
Matthew is a Network Architect and Network Security expert who has provided his
services to multiple companies during his career. Aside from working in those roles, he
has also worked as a Systems Administrator for networks running both Windows and
Linux. For the last few years, he has also worked on multiple Cloud implementations
using various platforms.
Aside from working in the IT industry for over 12 years at various companies, Matthew
also holds several industry certifications from various vendors, and regularly attends
training courses and conferences to stay current.
Matthew wrote this book to demonstrate how to create a PKI using Windows Server as
this is a topic that has become more important in the last few years as security has
become more critical to the daily operations of every company. Matthew has
successfully implemented a PKI for multiple companies while working as an internal
employee and while working on a contractual basis.
Matthew also runs a blog (https://mjcb.io/) where he covers various IT related topics and
hosts other projects that he is working on.
This book also explains each step, the necessity of that step, and the importance of that
step within the Certificate Authority. The results of this book will create a Certificate
Authority that can issue certificates internally within an organization in a secure manner,
using best practices.
This book is meant for developers, network administrators and systems administrators
who have a basic understanding of Windows Server and Public Key Infrastructures and
need to deploy a Certificate Authority rapidly within their environment for various
purposes. By using the steps provided in this book, there will be a Certificate Authority
framework created that can be customized for whatever requirements are needed in any
environment.
This book is also meant to be used by developers, network administrators and system
administrators who can interpret this guide and modify it for their existing environment.
Simply following this guide will not implement a functioning PKI for your organization,
you will need to modify the steps accordingly to make it function properly. This means
creating different servers, modifying steps for different Active Directory domains,
modifying LDAP settings, modifying file paths, creating different certificates, and other
critical steps as needed.
The contents of this book are presented in a thorough, but easy to follow manner.
Screenshots are provided for important steps for verification purposes and to
demonstrate how the environment should be configured. It should take approximately
ten hours to go through this book from start to finish.
Some of the conventions are also used to convey additional information that the reader
should be aware of, including potential issues that could arise under certain
circumstances, or additional information on technologies or features that can be
implemented in the future.
Preface | xv
Text Conventions
There are multiple references to running the Command Prompt and PowerShell in an
elevated state. In the context of this book, this means running these applications as an
Administrator. By not running these commands as an Administrator, it may result in
unexpected behaviour as a result which can be difficult to troubleshoot. Depending on
what is being configured, it will either by a local Administrator or a Domain Administrator
account that is needed.
There are multiple text conventions that are used in this book, and all are used for
instructional purposes:
Steps are provided in numerical order and should be followed in the correct order to
ensure that the task being performed is setup in the correct manner. Skipping steps or
performing them in the incorrect order can cause issues with setting up the Certificate
Authority in this book, so it is strongly recommended to perform the steps in the correct
order.
Steps that are optional for the Certificate Authority implementation are stated, and not
performing those steps will not cause any issues with the functionality of the Certificate
Authority. Those steps add additional functionality to the Certificate Authority, and those
functions may not be necessary for all environments or organizations.
Information Box
Notice Box
Warning Box
Anything that appears in a Warning Box is provided to highlight a major issue that
may occur if instructions are ignored or not considered.
Anything that appears in a Configuration File Box is required for configuring the
roles and features within Windows that is used in this book. The path to the file
that is being configured will be in the Configuration File Box header.
Additionally, there is also an additional box that is used for commands that need to be
inputted through the CLI and used for inputting configuration items in configuration
boxes.
Anything that appears in a CLI Box is meant to be inputted exactly as it appears. This
includes inputs using the Command Prompt, PowerShell, or configuration boxes exactly
as it appears.
These inputs also include all formatting and line breaks, which need to be inputted
exactly as it appears. A CLI box does not have a header, and usually appears during
the configuration of a specific function.
Preface | xvii
Introduction
This book will focus on the fictional TFS Labs domain. This environment is basic in
design, and it will easily demonstrate how to build a Two-Tier Certificate Authority using
Active Directory Certificate Services (AD CS) with Windows Server. Steps are provided on
how to create this complete test environment, as well as what needs to be updated for
your implementation to be successful. This book is written in such a way that all steps
provided are incorporated into a complete Certificate Authority, and steps that are
optional are specified.
There are multiple ways to create a virtualization environment for creating a Certificate
Authority for testing purposes, and this book will focus on using the Hyper-V platform to
accomplish this goal. By using Hyper-V over other virtualization platforms, you will not
need to utilize any other third-party software for completing this guide, but that does not
mean that you cannot use other providers. Hyper-V is a Hypervisor platform that was
developed by Microsoft for virtualizing other operating systems in a Windows
environment.
Since all the required tools are provided by Microsoft and are already available in
Windows Server, there is technically no requirement for any third-party software as
absolutely everything is provided. If you have a Windows Server 2019 and a Windows 10
installation source, there is no need for an internet connection at all to complete the
steps in this book. The only thing you will need to complete the steps in this book is a
workstation or server that can run the software with the necessary hardware
requirements.
By using this book as a guide, you will be able to adapt these instructions to your existing
Active Directory domain. It is advised to go through this book at least once to see what
needs to be done for creating a Certificate Authority before attempting to implement it
for your organization. This will ensure that you can see what a functioning Certificate
Authority looks like, and this will allow you to troubleshoot any issues that may arise.
Introduction | xix
What Won’t This Book Cover?
While this book will cover the creation of a PKI using Active Directory Certificate Services,
there are many topics that will not be covered. Creating a working Two-Tier Certificate
Authority with Active Directory Certificate Services is the primary goal of this book, but
there are many applications of this that will not be covered. Among the features that will
not be covered include the following:
• 802.1X authentication
• Smartcard authentication
• Encrypting file systems
• Document and code signing
• Wireless networking
• E-mail signing and encryption
• SSL decryption
Attempting to cover additional features such as the ones that were just listed would be
extremely complicated. These features require considerable planning depending on what
vendors are involved and are beyond the scope of this book. By implementing a proper
PKI using this book, the framework will be established to add features like this in the
future.
What is also missing from this book is the option to perform a completely scripted
version of the PKI installation and configuration. This is not because it is not possible, but
it is difficult to automate many of the configuration steps that are performed in this book.
There are also a few issues with building a Two-Tier PKI using an Offline Root CA with an
unattended setup using PowerShell for automation, as there is no way to easily transmit
files and issue commands remotely on a server that is supposed to be offline. A
workaround to this would be to temporarily enable network connections to the Offline
Root CA during the setup process, but that would defeat the purpose of the security of
the Offline Root CA. Also, some features such as the Online Responder role do not
support CLI options without requiring overly complex steps. Because of these reasons, a
fully automated PKI deployment is not covered in this book.
This book uses virtualization software for creating the TFS Labs environment. The
choice of a virtualization platform is up to you, but this book uses the Hyper-V platform
for that virtualization. Hyper-V runs natively on Windows Server 2012 R2, and above and
on any professional version of Windows 10 64-bit.
Virtualization Requirements
This book uses Hyper-V as the virtualization platform for creating the TFS Labs
Environment. Hyper-V is available as a role in Windows Server 2019 and as an optional
feature in Windows 10 Pro, so no additional third-party software is required to use and
install it.
For Hyper-V to function correctly, it requires the following features to be available on the
workstation or server (these requirements do not factor in any virtual machines):
• 64-bit Processor with Second Level Address Translation (SLAT)
• CPU support for VM Monitor Mode Extension
• 4 GB Memory
Any modern computer or server will support the necessary virtualization features without
any issues if it was manufactured after 2018. The only exception is computers that are
32-bit only, as those features are not possible.
For Hyper-V to operate correctly on a particular workstation or server, there may be
various settings within the BIOS that would need to be enabled. These settings vary
based on the manufacturer, but there is usually a virtualization option within the BIOS
where those settings are configured. If you are unsure, you should refer to the
manufacturer’s documentation on your system to determine how to enable those
features.
Introduction | xxi
You will require a workstation or server that has at least 16GB of memory to properly
support the four virtual machines that are needed to support the steps provided in this
book. You can allocate less memory to the virtual machines if your system does not have
that amount of memory, but it may affect performance. With Hyper-V you can also utilize
dynamic memory if you would like to, and this would only allocate needed memory for
the virtual machines as it is needed. This should be acceptable for testing purposes but
should be avoided for production deployments.
The steps that are outlined in this book should work perfectly fine using the
Hyper-V, VirtualBox or VMware platforms for virtualization. If the virtualization
platform that you use supports Windows 10 Pro, Windows Server 2019, virtual
floppy disks, and basic networking that allows for multiple virtual machines to be
connected to each other, the steps in this book should work correctly.
This chapter is an overview of what a Public Key Infrastructure and Certificate Authority
is, as well as how it operates with Windows Server using Active Directory Certificate
Services.
This chapter explains the TFS Labs environment that is being used in this book for
creating the Certificate Authority with Windows Server.
This chapter explains how to install an Active Directory Domain Controller and
workstation. This will setup the necessary Active Directory infrastructure for supporting
Active Directory Certificate Services.
This chapter explains how to setup and secure an Offline Root Certificate Authority using
Windows Server and Active Directory Certificate Services.
This chapter explains how to setup and secure a Subordinate Certificate Authority that is
capable of issuing, managing, and revoking certificates using Active Directory Certificate
Services.
This chapter explains how the Root and Subordinate certificates are deployed to an
Active Directory domain using Group Policy.
This chapter explains how to enable the Online Responder role Service in Active Directory
Certificate Services, which allows for OCSP to be used in the TFS Labs domain.
This chapter explains how to back up Private Keys for certificates that are issued
internally, and how it can be automated and backed up with Active Directory.
This chapter explains how to deploy Certificate Templates automatically and manually
within an Active Directory domain. It also demonstrates how to deploy certificates to
other platforms such as Linux, iOS, and Android.
This chapter explains any final tasks that need to be completed once the Certificate
Authority has been successfully created and tested, as well as any recurring tasks that
are needed in the future to support it.
This chapter demonstrates how to quickly deploy a basic Two-Tier Certificate Authority
using mostly command line tools, without all features included in this book.
Introduction | xxiii
Chapter 1 - Public Key
Infrastructure Overview
A Public Key Infrastructure (PKI) exists to facilitate the secure transfer of information
between networks and is used primarily to keep sensitive data protected. Information
that is protected includes anything, including e-mail, websites, storage devices and
authentication. Without PKI, the internet, and networks in general would be inherently
insecure as sensitive data would be transmitted in plain text, and all traffic would be open
for anyone to see.
A certificate provides the primary foundation of a PKI and is the most commonly facing
method of interacting with a PKI. Certificates can represent users, workstations, servers,
and other devices. These certificates are issued by a Certificate Authority, which can
manage those certificates. Certificates that are issued by a Certificate Authority are
associated with a public key and private key pair.
The main certificates in a Certificate Authority are the Root certificate and the
Subordinate certificate. In some cases, it may be necessary to revoke a certificate before
it expires, and this is usually performed using a Certificate Revocation List (CRL).
The currently accepted standard for defining a certificate in a Public Key Infrastructure is
with the X.509 standard, which is defined in RFC 5280.
This chapter will briefly cover what a Public Key Infrastructure is and how it applies to
Windows Server and Active Directory Certificate Services. If you already have an
understanding on how a PKI works, you can skip this chapter.
There are several ways to utilize a Public Key Infrastructure. You have the option of
purchasing certificates from an online Certificate Authority or you can host your own
Certificate Authority internally within your organization. Both solutions have their
advantages and disadvantages, which solution you choose to pursue is dependent on the
needs of your organization and whether you require customization that is not available
through an online Certificate Authority.
The entire basis for PKI is dependent on Public-Private Key Encryption, which depends on
using pairs of public and private keys for the encryption and decryption of data. The
public keys are distributed to whoever needs to send encrypted data, and the private keys
are known only to the destination that needs to decrypt the secure data. The ability to
create, distribute and manage those keys in an effective, automatic, and secure manner
is the entire reason that Certificate Authorities exist.
Due to the open nature of Public Key Infrastructure, Certificate Authorities can be created
using multiple platforms and solutions. The ability to “tier” a Certificate Authority into
specific roles depending on the desired function is an important aspect of creating a
modern PKI.
The Certificate Authority (CA) and Public Key Infrastructure (PKI) terms are
interchangeable since they are the same thing, with different software
implementations depending on what is used to create those systems. A PKI is the
entire solution for providing secure certificates, and a CA is the individual
components needed to provide those services.
• Commercial Certificate Authorities will typically not issue certificates for internal
domains, especially if it is a subdomain within an internal domain. Non-routable
domains are not able to be verified and that is a primary requirement for commercial
Certificate Authorities.
• Commercial Certificate Authorities cannot normally issue custom certificates that
are able to be used for non-standard and custom purposes, especially in a development
environment.
• Commercial Certificate Authorities can be extremely expensive when many certificates
need to be issued. If a specific service requires dozens or hundreds of certificates
to be issued, the cost of purchasing and deploying those certificates can become
extremely expensive.
Self-Signed Certificates
One of the key benefits to implementing a proper Certificate Authority within your
organization is the ability to eliminate self-signed certificates. A self-signed
certificate is technically free and can be easily setup by a user, but there are many
disadvantages:
• Web browsers do not trust self-signed certificates unless it has been explicitly
added to the list of Trusted Certificates on a workstation. On a single
workstation this is not normally an issue but correcting this on an entire
network can be extremely difficult.
• Modern web browsers show errors that a certificate is self-signed and should
not be trusted. Web browsers alert users to this to keep them safe on a
website that may not be taking their security seriously.
• Some vendors that issue self-signed certificates with network appliances do
not always use the strongest encryption options. There may also be duplicate
certificates in use, which present security risks on devices where security
needs to be a priority.
SSL decryption is a method of decrypting traffic that is secured with SSL, and this
is done for the purpose of examining all traffic that goes in and out of a network.
When traffic that is secured with SSL traverses a network, the contents of that
traffic is hidden to everyone except for the device that initiated the traffic, and the
destination of the traffic. Details such as the DNS name of the destination is
usually always known, since that is required to facilitate the connection, but that is
usually all that is known. SSL decryption is performed for many reasons, the most
common reasons being:
Active Directory Certificate Services is a fully featured PKI solution that can be used to
issue certificates for multiple purposes, which can include:
• Digital Signatures
• Encrypting File System
• IPSec
• S/MIME
• Secure LDAP (LDAPS) with Active Directory
• MDM Certificates
• SSL
• VPN Access
• Smartcards
• Wireless Network Access
Active Directory Certificate Services supports several deployment scenarios, and can be
“tiered”, which breaks up a Certificate Authority into multiple servers by adding different
layers to the Certificate Authority. This can be done for to factor in scalability, security
and for custom deployments.
When Windows Server 2008 was released, the Microsoft Certificate Server
application was retired in favour of Active Directory Certificate Services, and the
role has continued to be updated since that initial release.
Certification Authority - This role is used to issue and manage certificates, with the
ability to create Root and Subordinate Certificate Authorities. Multiple Certificate
Authorities can be linked together and “tiered” to form a complete PKI. Currently the AD
CS role allows for the creation of Certificate Authorities with or without the use of Active
Directory:
• Standalone CA - These are servers that may or may not be members of an Active
Directory domain and can operate without it entirely. A Standalone CA can be used
in an online or offline state and is most often used as a Root Certificate Authority.
• Enterprise CA - These are servers that are a member of an Active Directory domain
and are typically used as a Subordinate or Issuing Certificate Authority. These types
of servers are typically always online and available.
Certificate Enrollment Policy Web Service - The Certificate Enrollment Policy Web
Service role allows users and computers to request and obtain certificates when they are
not members of an Active Directory domain or are located outside of the Active Directory
network. It is used together with the Certificate Enrollment Web Service to issue
certificates.
Certificate Enrollment Web Service - The Certificate Enrollment Web Service role allows
users and computers to enroll and renew certificates when they are not members of an
Active Directory domain or are located outside of the Active Directory network. It is used
together with the Certificate Enrollment Policy Web Service.
Certification Authority Web Enrollment - The Certification Authority Web Enrollment role
adds a simple web interface using Internet Information Services over the HTTPS protocol
that allows users to request and manage certificates as well as retrieve Certificate
Revocation Lists (CRLs).
Network Device Enrollment Service - The Network Device Enrollment Service (NDES) role
gives the AD CS role the ability to issue and manage certificates for network devices
such as switches, routers, and firewalls. These types of devices typically do not have
Active Directory accounts associated with them, so they are not able to automatically
request certificates.
Online Responder - The Online Responder role adds the OCSP functionality to Active
Directory Certificate Services, which allows for rapid revocation of certificates in large
environments.
Even though there are multiple roles available with Active Directory Certificate Services, it
does not necessarily mean that all roles are needed in a particular environment. Certain
roles require a particular type of environment, which means that some environments
would never need to use certain roles at all if that requirement were not needed.
Typically, all the Active Directory Certificate Services roles are not used in every
organization. If they are used, they are not installed on the same server. This is to
reduce the complexity of the servers that are used in the PKI, as well as to enable
greater flexibility in complex environments. For a large-scale Active Directory
Certificate Services deployment that utilizes all roles, there would be individual
servers used for each role at a minimum.
Windows Server supports multiple roles and features, which are used to add
additional functionality to a Windows server. These roles and features can be
used to add enhanced functionality to a Windows server, and roles such as Active
Directory Certificate Services and Active Directory Domain Services are among
the significant roles that can be added.
Server roles are typically used to add capabilities to your network, such as AD CS,
AD DS, IIS, DNS or DHCP. Server features are typically used to add capabilities to
the local server itself, such as BitLocker or Hyper-V.
The Root Certificate Authority signs the certificate for itself, and that certificate is used to
sign any Subordinate certificates that are in the Certificate Authority. In between there
can be multiple Subordinate Certificate Authorities that perform separate functions in the
Certificate Authority. These types of Certificate Authority hierarchies are known as a
One-Tier, Two-Tier and Three-Tier Certificate Authority. All three of these tiers are
supported in Windows Server using Active Directory Certificate Services (AD CS).
This book focuses entirely on a Two-Tier Certificate Authority as it is the most common
Certificate Authority deployment for organizations, as it is the easiest to setup and
support, and is also recommended by Microsoft with Active Directory Certificate
Services. Overviews of the other available Certificate Authority hierarchies are also
provided for reference purposes, should those types of hierarchies be encountered.
The complexity of every Certificate Authority hierarchy increases every time an additional
tier is introduced, or whenever additional servers are added to increase the functionality
of the Certificate Authority. The size of the organization or the requirements of the
Certificate Authority, this amount of technical debt is up to a particular organization to
accept as Certificate Authorities require constant maintenance to operate correctly.
Figure 1.4.1: A One-Tier Certificate Authority consists of just one Certificate Authority
server that is used to issue certificates.
This single Certificate Authority is the Root CA as well as the Issuing CA, which means it
is responsible for all roles of the Certificate Authority. This single Certificate Authority
holds all the roles that are necessary for Certificate Authority to manage and issue
certificates.
• Compromising a single CA server will immediately compromise the entire PKI. This
would mean if the Certificate Authority were ever compromised in any way, all certificates
ever issued would need to be re-issued to ensure that the certificates can be trusted
again.
• For large environments, having just a single CA could potentially become a bottleneck
if the CA server is unavailable, or if many certificates need to be issued at a single
time.
• If certificate policy requirements for certificates need to be changed in the future,
having a single CA can make that change extremely difficult, and it can be difficult to
scale out from a single CA server.
• In a production environment, a One-Tier Certificate Authority is a single point of failure
for the entire PKI. This type of CA is not scalable, and if the needs of an organization
change in the future, a single CA can cause serious issues.
There are some instances where a One-Tier Certificate Authority is used, mostly for
one-off applications that require just a single certificate to be issued for things like
application signing or for test environments. These types of scenarios do not require a
robust Certificate Authority to work correctly and are typically only used when there is a
specific need for such a setup.
This can cause multiple unexpected issues, the most common occurring if a
recovery needs to occur on the Domain Controller. This can cause any issued
certificates within the environment to be broken and invalid. Since the
requirements for running a Certificate Authority are quite low, it is advised to run a
Certificate Authority on a separate server, especially with virtualization.
Figure 1.4.2: A Two-Tier Certificate Authority consists of at least one Root CA and at least
one Subordinate CA, which is used to issue certificates.
Most organizations utilize a Two-Tier Certificate Authority as it has the best balance
between security and in ease in managing Subordinate Certificate Authorities. Compared
to a One-Tier Certificate Authority, a Two-Tier Certificate Authority has several
advantages:
• The Root Certificate Authority is usually setup and configured as a server that is not
a member of the Active Directory domain and is usually kept in an offline state unless
it is needed. These servers will also have no network connections at any time.
By introducing a Subordinate Certificate Authority and using an Offline Root CA, the
security of the PKI is increased and allows for more customization of the Certificate
Authority. Microsoft recommends that a Two-Tier Certificate Authority be used wherever
possible with the Active Directory Certificate Services role.
When dealing with an Offline Root CA there are tasks that are normally handled
automatically when the server is always online. When a Certificate Authority is
offline, the CDP and AIA records are not automatically updated, and if they expire
it can cause multiple issues with the online Subordinate CA and the entire PKI
under certain circumstances.
It is advised to set calendar reminders on a yearly recurring basis to bring the Root
CA online temporarily to update these records and publish them to the
Subordinate CA. This will ensure that there are no issues with the PKI in your
organization. The time that you set the CRL to expire on the Root CA will also
determine what interval you will need to perform maintenance tasks to keep your
environment updated.
Performing these tasks are not difficult and are relatively easy to do. How to
perform this task is demonstrated in a later chapter.
Figure 1.4.3: A Three-Tier Certificate Authority consists of at least one Root CA, one
Subordinate CA, and at least one Issuing CA. Depending on the size of the Certificate
Authority, there may be other servers involved as well.
This is the most difficult type of Certificate Authority to setup and maintain, but it does
provide the most amount of flexibility and security. It does have many of the same
advantages as a Two-Tier Certificate Authority, but does introduce some other
advantages:
• The ability to revoke Certificate Authorities for only a specific part of the PKI. If there
is an issue with a particular Subordinate CA in the PKI hierarchy, only that server and
certificate would need to be revoked without affecting the entire PKI.
• Additional security by putting more of the Certificate Authority into an offline or inaccessible
state for potential attacks.
• If one of the Issuing Certificate Authorities is compromised, the Offline Root Certificate
Authority does not need to be brought online to replace it, as the other Subordinate
Certificate Authorities would be able to issue a new certificate for that purpose.
X.509 Certificates
A certificate is used to link a user, computer, server, or services identity to a public key to
allow for secure transfer of data between those clients using that public key. There are
accepted standards for these certificates to allow for interoperability between various
clients, and the currently accepted standard for certificate is with the X.509 standard, the
latest release being version 3.
Certificates that are issued by a Certificate Authority are structured to meet certain
standards to ensure that they are usable on any device that requires a certificate, and
those standards were established by the Internet Engineering Task Force (IETF).
Figure 1.6.1: An X.509 certificate consists of multiple fields that can be used for defining
a certificate and can be customized for various purposes.
The X.509 version 3 certificate supports the following fields by default, some of which
have been supported since X.509 version 1:
• Version Number - This is the version number for the certificate, which is usually V3.
• Serial Number - This is a unique identifier for each certificate that is issued by a
Certificate Authority.
• Signature Algorithm ID - This is the algorithm that was used to sign the certificate.
• Issuer Name - This is the distinguished name of the Certificate Authority that issued
the certificate.
• Validity Period - This is time frame for the validity of the certificate.
– Not Before - The date that the certificate is valid from.
– Not After - The date that the certificate is valid to.
• Subject Name - This is the name of the computer, user, server, or service that the
certificate is issued to.
• Subject Public Key Information - This is the public key information that was used to
create the certificate.
– Public Key Algorithm - This is the algorithm that was used to sign the certificate.
– Subject Public Key - This is the public key of the certificate.
• Issuer Unique Identifier - This is an optional value that is used to make the certificate
unique if used by different entities.
• Subject Unique Identifier - This is an optional value that is used to make it possible
for the same Subject Name to be reused.
In addition to the normal X.509 fields, there are also Extension Fields that are available
for certificates. All extensions are optional, but the most common ones that you will find
on a certificate are:
• Authority Information Access (AIA) - The AIA extension provides one or more URLs
for certificate revocation purposes, including the OCSP URL if it is present.
• CRL Distribution Points (CDP) - The CDP extension provides the URLs or other locations
where a client can retrieve the CRLs for checking if certificates have been revoked.
• Subject Alternative Name - This allows for the inclusion of different information in
the certificate such as a user’s e-mail address or LDAP information. This allows for
alternate names for various purposes, most of which are used for authentication
purposes. This Extension Field can also be referred to as a Unified Communications
Certificate (UCC).
• Certificate Policies - This is used to describe what an organization does to validate
the identity of the Certificate Requestor before a certificate is issued.
You can view the certificate fields by opening any certificate and viewing the details of it:
Figure 1.6.2: The certificate fields of an X.509 certificate being viewed on a Windows
device.
Certificate Attributes
There are several attributes that are defined with an X.509 certificate that can be used
within a Certificate Authority, and these attributes can be viewed on every issued
certificate. The subject attribute has several fields as well that can be defined, all of
which are usually configured at the time when a certificate is requested and issued. The
most used subject attributes include:
• C - Country
• ST - State
• L - Locality
• O - Organization Name
• OU - Organization Unit Name
• CN - Common Name
• E - E-mail Address
• SAN - Subject Alternative Name (also known as a UCC certificate)
Depending on the certificate that is being issued, it is up to the user that is requesting the
certificate, or the administrator that is creating a Certificate Template to ensure that the
necessary attributes are specified at the time of creation. Once a certificate is issued,
there is no way to amend or correct a certificate with the updated settings.
There are two ways to define DNS names in an SSL certificate, one is using the CN
attribute and the other using the SAN attribute. The use of the Common Name
attribute has been phased out, as defined in RFC 2818. Certificates that are used
for web servers or for e-mail services most commonly require multiple DNS
records per certificate to allow for all required services to function.
There are a few reasons why the CN attribute has been phased out, mostly
because it is easier to spoof a domain name using the CN attribute. One of the
major web browsers currently in use is Google Chrome, which has enforced the
use of the SAN attribute for DNS names. Since version 65 of Google Chrome, the
use of the CN attribute has been deprecated, and the use of the SAN attribute is
enforced by default. When trying to view a website that only has the CN attribute
set, you will see the following error code:
NET::ERR_CERT_COMMON_NAME_INVALID
This issue is difficult to avoid since most modern web browsers are based on
Google Chrome. The most recent versions of Microsoft Edge, Mozilla Firefox, and
Apple Safari also no longer honour the CN attribute for the same reason.
Earlier versions of Active Directory Certificate Services had issues with issuing
SAN certificates, especially when using the Web Enrollment website service. A
workaround to this issue was to issue a command on an Enterprise CA or Issuing
CA to allow for SAN certificates to be issued:
Issuing this command can introduce several risks to your Certificate Authority
which could harm users and introduce other security issues to your environment.
This command will allow anyone to add additional information to a certificate
request and potentially impersonate other users or servers in the environment.
Microsoft also recommends not enabling this feature in your Certificate Authority.
It is best practice to maintain the Certificate Templates within the Certificate
Authority to ensure that required features are not only enabled for usage, but also
done in a safe manner.
In Active Directory Certificate Services, there are seven options that are available for
revoking a certificate:
• CA Compromise
• Cease of Operation
• Certificate Hold
• Change of Affiliation
• Key Compromise
Certificate Types
There are several commonly used filename extensions and formats that are used for
X.509 certificates. Many of these formats are used for different purposes, such as
exporting or importing public and private keys, so you will need to choose the correct
format depending on your needs. The format of the certificate will also vary depending
on its purpose and what application will be utilizing that certificate.
When dealing with the Windows Certificate Store and Active Directory Certificate
Services, there are several formats of certificates that you will primarily be dealing with.
There are several reasons why you would use one format over another, and it depends on
how you intend to use the certificate files. There are several common file extensions and
formats used with X.509 Certificates, but the most common formats in the Windows
operating system are the following:
The certificate file extension of *.CER is usually interchangeable with *.CRT, which is used
in other operating systems or applications. Certificates in the DER format might
sometimes have the file extension of *.DER and Base-64 formats might also have the file
extension of *.PEM.
Changing the file extension is usually the easiest way to convert between formats, but it
is not always that easy. Depending on the requirements it may require exporting the
certificate in a different format or converting it to the correct format entirely. There are
tools available to do these conversions under certain circumstances.
Ensure that whenever you export a certificate that includes the private key, you
should always choose a strong password. Even if you are exporting a certificate
for use within your production environment, you use a password that is strong and
secure that can protect the private key if the file is misplaced or deleted.
Using a strong password for private key exports will prevent unnecessary
revocation of certificates when it is known that those certificates have been lost
or compromised in any way.
There are a few available options for assigning a Private Enterprise Number. One of the
easiest methods is to register your organization with the Internet Assigned Numbers
Authority (IANA), and they can provide a valid number for your usage. Applying for a
Private Enterprise Number is easy and can be done free of charge. It does take several
days for the application to be reviewed and approved, so factor that in if you are going to
be using a Private Enterprise Number for a production deployment. To apply for a Private
Enterprise Number, it can be done online at the IANA website:
https://pen.iana.org/pen/PenApplication.page
Private Enterprise Numbers that are issued and managed through the IANA are public
information, and can be freely viewed online at any time at this website address:
http://www.iana.org/assignments/enterprise-numbers
If you do not require a Private Enterprise Number for your organization for whatever
reason, you can use the OID of 1.2.3.4.1455.67.89.5 instead. This OID number is used
within Microsoft’s documentation for Active Directory Certificate Services and there
should be no issues using it within your environment. The only downside to using this
OID is that you may encounter issues with having another organization trust your
certificates if they use the same OID.
For testing purposes this OID is perfectly okay to use, but for production you should
consider using a properly assigned and unique OID. Instructions on how to customize
this are provided in later chapters.
If there is even a possibility that you may require a Private Enterprise Number for
your organization in the future, you should strongly consider registering for one
prior to the deployment of your Certificate Authority. Adding a Private Enterprise
Number later to your Certificate Authority is possible, but is complicated and
could cause issues if not done correctly. Adding a Private Enterprise Number to
an existing Certificate Authority is beyond the scope of this book.
The Root CA is critical to your PKI, and you do not want to risk having the Root CA
compromised and having your private keys leaked. This would effectively invalidate every
single certificate in your organization and would require every certificate to be re-issued.
For smaller organizations this may not be a problem, but for large-scale certificate
deployments this can be a time-consuming problem to fix should it ever happen.
The best way to protect the Root CA is to have it always be unavailable and inaccessible.
Access to the Root CA is not needed for day-to-day operations, so having it online at all
times is completely unnecessary. Further to that point, it is not enough to just have it
turned off until needed, it should not be accessible by anyone even when it is temporarily
powered on.
The Certificate Store can be managed by Administrators by using Active Directory and
Group Policy, which is useful for rapid deployment and management of certificates:
Figure 1.12.1: The Windows Certificate Manager can be used to view all certificates that
are installed on a Windows device.
There are three main Certificate Stores that are used within the Windows operating
system which all have separate purposes:
• Local Computer Store - Stores certificates that are local to the device and available
to all users on the workstation.
• Service Account Store - Stores certificates that are used for Windows services that
are local on the workstation.
• User Account Store - Stores certificates that are used for individual users that utilize
the workstation. These certificates can potentially “follow” users if they use other
workstations in the Active Directory domain.
There are several different folders within these Stores that are used to place certificates
in (this table does not include the Service Account Store):
Outside of the scope of this book is the physical locations of certificates within the
Windows operating system. There are locations within the Windows Registry and within
the Certificate Store where certificates are located and can be utilized. Most of the time
these details are not relevant, but for developers or systems administrators these details
become relevant for implementation and troubleshooting purposes.
The Certificate Store utilizes the Microsoft Management Console (MMC) for
managing certificates within the Windows operating system. These are several
Snap-ins available with the MMC, which are management features within the
Windows operating system. The MMC is available in all versions of Windows
since Windows 2000.
There are two MMC Management Saved Console (MSC) files available on
Windows which makes it easy to rapidly view certificates:
For the Service Account Certificate Store, this can be viewed by adding the
Certificates Snap-in, and selecting the Service account option when selecting an
available Snap-in.
Aside from using the MMC to manage the Certificate Authority, there is also the
certutil.exe command line utility for managing the Certificate Authority. There are
also additional PowerShell Cmdlets that are available for managing certificates as
well, but not all of these Cmdlets are referenced using this book.
This will provide a complete overview of the test environment so that you will understand
what is required, what needs to be done, and how everything will work in a complete
Certificate Authority using Active Directory Certificate Services.
Creating a functioning Certificate Authority requires a lot of planning and work to ensure
that it has been done correctly. The most crucial step that should not be overlooked is
the planning of what a PKI will provide to your organization, and what is required to
support that. This involves several important steps, which requires answering the
following questions before you even begin provisioning servers:
Determining the answers to these questions will determine how the Certificate Authority
will function once it has been created. Planning this out properly is the most crucial part
of the entire PKI implementation, and if any mistakes are made in the planning process or
something is overlooked, correcting the problem later can be extremely difficult.
Even though this book focuses on the fictional TFS Labs domain, the instructions and
guidelines provided in this chapter can be easily adapted to fit with your organization.
Take note of the servers and Certificate Authority details provided in this chapter and
start thinking about how you can apply that to your domain.
This chapter will focus on the test environment that this book will be using for creating a
Certificate Authority with Active Directory Certificate Services.
The Active Directory domain that is going to be used in this book is the TFS Labs domain
(corp.tfslabs.com), which is being used by a small IT company that is based in Toronto,
Ontario, Canada.
In total, there are three Windows servers and one Windows workstation that will be used
to build and test the TFS Labs environment:
Figure 2.1.1: The TFS Labs Active Directory domain consists of three servers and one
workstation. This domain represents the bare minimum environment that is required to
demonstrate and test Active Directory Certificate Services.
All the virtual machines are Hyper-V Generation 1 virtual machines as they require the
use of virtual floppy disks, which is needed for the transfer of files between the Offline
Root CA and the Subordinate CA. If you are using Hyper-V Generation 1 virtual machines,
you do not need to add a virtual floppy drive at the time of provisioning of the virtual
machine, it is always present by default.
Software Versions
All versions of Windows Server 2019 are using Standard Edition (Desktop
Experience) in this book. There is no difference in the implementation if you use
Windows Server 2019 Datacenter Edition (Desktop Experience) instead. For the
version of Windows 10 Pro, the 21H1 release was used in this book. There should
be no issues with using earlier versions of Windows 10 Pro, but you should
consider using versions that are currently under active support from Microsoft.
For the specific versions of the software that was used for the creation of this
book, they are as follows:
The version of Windows Server that is used in this book is Windows Server 2019
Standard Edition (Desktop Experience). Windows Server Core is a method of
using Windows Server that removes a considerable part of the user interface to
reduce the attack surface on Windows Server, and most configuration on this type
of server is performed remotely or with command line tools. It is entirely possible
to deploy Active Directory Certificate Services using Windows Server Core and
remotely manage the installation and configuration. It is possible with remote
administration features that are available in Windows Server to manage this type
of environment, but this type of configuration is beyond the scope of this book.
For networking purposes all devices in this test environment are using the 10.100.1.0/24
network. Since there is only a handful of devices involved, all the IP addresses are set to
static and there is no DHCP server present to automatically distribute IP addresses. In
the test environment, the 10.100.1.0/24 network is the same as a physical network that
is being used for testing purposes, which means this will vary based on your network if
you choose to use the same Hyper-V virtual network configuration.
The installation and configuration for Active Directory Certificate Services can be
done through the GUI, but there are some steps that require the CLI to complete
the configuration. There are also some steps where the installation or
configuration is performed using the GUI, but the CLI instructions are also
provided as an alternative. Whichever method you use to configure the Certificate
Authority is up to you, but the CLI installation and configuration are typically much
faster to perform.
Now that the virtual machines that are needed for the TFS Labs domain have been
defined, there are several design considerations that will need to be made.
• The use of SHA-1 will not be used since it has been deprecated by online Certificate
Authorities and by every vendor since SHA-1 is incredibly insecure. The Certificate
Authority that will be created in this example for TFS Labs will use SHA-2 (SHA256)
by default. It will also use a key length of 4096 bits wherever possible.
• This Certificate Authority deployment will utilize an Offline Root CA for the root of the
Certificate Authority.
• This deployment will utilize a Subordinate CA for issuing certificates to the TFS Labs
domain. This Subordinate CA will always be online and will be used to issue all
certificates to the TFS Labs domain.
• The Root certificate will be valid for 10 years and the Subordinate certificate will be
valid for 5 years. All issued certificates from the Subordinate CA will be valid for only
1 year.
• All files that need to be transferred to and from the Root CA server is done with a
virtual floppy disk through the virtualization platform used for creating it. This virtual
floppy disk will be deleted at the end of the implementation phase to protect the files
that were needed to be transferred as part of the implementation. When needed in
the future, a new virtual floppy disk should be created and then immediately deleted
once it is no longer required.
• For connectivity purposes, CNAME records will be used whenever possible to allow
for the Subordinate CA server to be split up in the future if needed. The Active
Directory Certificate Services role is designed to be easily broken up and reconfigured
should the need arise.
• Server roles will be minimized and only the minimum number of roles required will
be used. It is bad practice to run multiple server roles on the same server that is
running Active Directory Certificate Services. Certificate Authority servers should
never run other server roles, as this increases complexity on the server, and can
introduce issues that are difficult to troubleshoot.
• Certificate Templates will use the highest available compatibility settings whenever
possible and will not work properly on older versions of Windows.
• Auditing is enabled for all available Certificate Authority functions for troubleshooting
and compliance purposes. All auditing logs are stored in the Windows Event Logs.
These design considerations do not factor in any type of legacy applications or services
that may be present in some network environments. It is up to you to determine if these
settings are appropriate for your network, and that is why it is important to fully plan and
thoroughly test the Certificate Authority before putting it into production.
Determining which requirements are needed for the Certificate Authority when it is
deployed in your environment is up to you, and the requirements will always vary based
on the organization.
Figure 2.3.1: The TFS Labs Certificate Authority is a Two-Tier Certificate Authority
consisting of a Root and Subordinate Certificate Authority.
The certificate structure and associated servers for the TFS Labs domain are as follows:
The validity period for the certificates in the TFS Labs domain will be set to the following:
• The Root CA certificate is set to expire after 10 years. This certificate is the Root of
the entire PKI for the TFS Labs domain. The validity period of 10 years is perfectly
acceptable for a Root CA, and that server will need to be brought online once every
52 weeks to update the CRL for the Root CA.
• The Subordinate CA certificate is set to expire after 5 years. This certificate is used
to sign all certificates that are issued in the TFS Labs domain. Unlike the Root CA,
it will always be online and available. From an Active Directory Certificate Services
role perspective, it is an Enterprise CA.
Once a fully functioning Certificate Authority is deployed on the TFS Labs domain, the
complete Certificate Authority hierarchy for the TFS Labs domain can be seen on the
Subordinate certificate:
Figure 2.1.2: The TFS Labs Certificate Authority and TFS Labs Enterprise CA certificate
can be viewed in the completed certificates for the TFS Labs domain.
For example, web browser vendors such as Google, Microsoft, Mozilla, and Apple
could force a change to disallow certificates with long validity periods within their
Browsers. This could mean that certificates with long expiration times could
become invalidated at any time, and it usually only requires one vendor to make
the change to get the other vendors to do the same.
AD CS Internal URLs
All the internal URLs that will be in use for the Active Directory Certificate Services role
will point to the TFS-CA01 server and utilize CNAME records. The following URLs will be
in use once the Active Directory Certificate Services implementation has been completed:
These URLs will all be needed to properly implement a Certificate Authority using Active
Directory Certificate Services. Even though some of them do not appear to be important,
or in some cases even appear to have anything associated with them, they are needed to
ensure that clients and services that are using the PKI can do so successfully. IIS will be
used for hosting the files for the Certificate Authority in the TFS Labs domain.
Despite there being CNAME records in place to create these URLs for the PKI, they will
still work with the regular FQDN of the TFS-CA01 server.
SSL is not enabled for many of the websites that a Certificate Authority uses, and
this is mostly to support the deployment and validation of certificates. The one
exception to this is the Active Directory Web Enrollment Service website, since it is
used to securely submit a Certificate Request to the Enterprise CA. The reason
that you cannot always use SSL is because you cannot always assume that the
devices connecting to an SSL website has your Root and Subordinate certificates
on it, and therefore the connection would not be secure anyway.
This is especially true when a device connecting to your internal secure resources
does not yet have the certificates needed for the connection, as is usually the
case for a new device that has connected to the domain.
It is extremely bad practice to ever allow the internal websites for the Active
Directory Certificate Services role to be publicly facing on the internet. Allowing
these websites to be available on the public internet exposes your organization to
many potential security risks, such as potentially leaking information about your
Active Directory information and any certificates that have been issued.
If there is ever a requirement to make the Active Directory Certificate Services role
publicly facing on the internet, there is an issue with the requirements for that type
of deployment. The internal websites for the Active Directory Certificate Services
role should never be publicly facing, and if the request is ever made to allow this,
you should push back on that requirement and deny it.
AD CS Important Files
At the end of the Active Directory Certificate Services deployment, there will be several
important file locations on several servers that are needed to host important files needed
to support the Certificate Authority.
Location Purpose
C:\CertData Contains the Root CA CRL files.
C:\Certificates Contains the Root and Subordinate
certificates for internal web deployment.
C:\CertRecovery Contains any certificate that has been
restored if the private key is lost.
C:\inetpub\wwwroot\cps.html The CPS document that is referenced in
the Root and Subordinate certificates.
C:\Windows\System32\CertLog Contains the log files for the CA.
C:\Windows\System32\CertSrv\CertEnroll Contains the Subordinate CA CRL files.
C:\Windows\System32\CertSrv\en-US Contains the Web Enrollment website
files.
C:\Windows\SystemData\ocsp Contains the files needed for the OCSP
role web service.
Aside from the files and folders that are located on the TFS-CA01 server, there is also an
important location in the Windows Registry that is used to store critical settings needed
for Active Directory Certificate Services:
HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration
Location Purpose
C:\Certificates Contains the Root and Subordinate certificates for Group Policy
deployment.
Since Active Directory Certificate Services is not installed on the TFS-DC01 server, there
is nothing specifically stored in the Windows Registry related to that role. There is
information stored in Active Directory relating to the Certificate Authority since there is an
Enterprise CA in the domain, and this can be viewed using the Active Directory Sites and
Services (dssite.msc) console.
Location Purpose
C:\RootCA Contains implementation files needed for
the Certificate Authority deployment.
C:\Windows\System32\CertLog Contains the log files for the Root CA.
C:\Windows\System32\CertSrv\CertEnroll Contains the Root CA CRL files which are
updated once per year.
Like the TFS-CA01 server, there is also an important location in the Windows Registry
that is used to store critical settings needed for Active Directory Certificate Services:
HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration
AD CS Security Considerations
There are a few security considerations that you should factor in before deploying Active
Directory Certificate Services in your environment, and most of those considerations are
just best practices. This is to ensure that the integrity of your PKI is always maintained,
and that there are no issues in supporting it. The most common security considerations
for Active Directory Certificate Services include:
• Never install any Active Directory Certificate Services roles on a Domain Controller.
• Always install Active Directory Certificate Services roles on dedicated servers. Keeping
AD CS servers more isolated than other servers is beneficial for security purposes.
• Avoid mixing and matching Windows Server versions with Active Directory Certificate
Services. Try and keep all associated AD CS roles on the same operating system
versions and editions whenever possible.
• Ensure that regular backups are kept for Active Directory Certificate Services servers.
Test the backups to ensure that the PKI infrastructure can be successfully restored
if needed.
• Ensure that Active Directory Certificate Services servers are kept up to date.
• Avoid using obsolete or legacy encryption technologies.
• Create specific Active Directory Groups for AD CS administration purposes. Try and
reduce the number of users that have access to those servers to minimize risk to the
PKI infrastructure.
• Avoid auto-enrollment for Certificate Templates that do not require it.
• Keep Offline Root Certificate Authorities in a secure location that cannot be easily
accessed.
Certificates can be used for critical infrastructure such as VPN and server authentication,
so if there are security issues with a Certificate Authority, there can be instances when
those critical services are not available to the end user.
Some things that you should take into consideration before starting a Certificate
Authority are the following:
• Use descriptive names whenever possible, even if those names can be redundant in
some instances.
• For customizable items, such as a Certificate Template, try and prefix the name of
the Certificate Template so that users are aware that the Certificate Template is for
them and that it is something that they should use instead of the default options that
may still be available within the environment.
• Ensure that the Certificate Authority has the name of your organization in it and is
not something generic that can potentially cause confusion for end users.
• Do not use the default names for the Certificate Authority, as they are not user-friendly
and do not look professional in a production environment. Using default names can
also expose the names of the servers that host the Certificate Authority, which is
not always something that an organization would want for security or compliance
purposes.
• Avoid using server names for important internal links, use CNAME records to make
them more user-friendly whenever possible.
• Only advertise the links to internal Certificate Authority services using CNAME records
whenever possible.
Worrying about how to name a Certificate Authority may not seem important at all, but
ensuring that a proper naming convention is in place will save a lot of trouble later,
especially if things are not setup correctly. Fixing the name of a Certificate Authority after
it has been created it not easy to do, so it is best to just determine the naming convention
before you even provision a server needed for it.
Figure 2.8.1: Hyper-V Manager as it appears on Windows Server 2019. Listed in the
window are the four virtual machines that are used for this book to demonstrate the TFS
Labs Certificate Authority.
Hyper-V allows you to create virtual hard disks, virtual switches, and all other virtual
devices needed to emulate real Computer Hardware. It is available as a server role in
Windows Server and as an optional feature in some versions of the client version of the
Windows operating system. With Hyper-V, you can do the following:
These limitations that are present in the client version of Hyper-V should not cause
issues for most people as those missing features are mostly used in large-scale
deployments of Hyper-V. These features are especially helpful in Datacentre deployments
of Hyper-V and would not affect users on a regular computer.
If you are already using Hyper-V and do not need any assistance with setting it up, you
can completely skip this section. If you are using another virtualization platform, you can
also skip this section. If you would like to learn how to install and configure Hyper-V on
Windows 10 Pro, you can continue reading the next few sections.
Hyper-V Requirements
Hyper-V is available as an optional feature in certain client versions of Windows. It is
available on the 64-bit versions of Windows 10 Pro, Enterprise, and Education only. It is
also available in Windows 8 and Windows 8.1 (Pro and Enterprise versions). Hyper-V is
not available on any Home Edition of Windows, or any of the versions designed for
low-end devices or non-x86 devices as it is not supported.
From a hardware support perspective, there are also additional requirements for
installing and running Hyper-V:
For memory, 4 GB is the minimum required to install and run Hyper-V, but that is not
enough memory to run all the virtual machines needed to setup the test environment. A
minimum of 16 GB of memory is recommended to properly test all virtual machines.
For Hyper-V to operate correctly, there may be various settings within the BIOS that would
need to be enabled. These settings vary based on the manufacturer, but there is usually a
virtualization section in the computer or server BIOS where those settings are configured.
If you are unsure, you should refer to the manufacturer’s documentation for your system
to determine how to enable the necessary virtualization features.
To quickly determine if your computer can run Hyper-V, there is a built-in utility in
Windows to allow you to check:
The output of the System Information application should look similar to this:
Figure 2.8.2: The System Information application can be used to view extensive
information on a Windows device. In this screenshot, it is showing the status of Hyper-V.
If all the Hyper-V settings are present and available in the System Summary window, then
you should be able to install and run Hyper-V without any issues.
Windows does not always easily support multiple virtualization platforms that are
installed at the same time. For example, Hyper-V and VMware Workstation cannot
always be installed at the same time and work correctly. If there is an issue
getting Hyper-V to operate, ensure that there is no other virtualization platform
installed and in use.
Hyper-V is built-in to the versions of Windows that supports it, so there is no need to
download anything to install it as it is already available within the operating system.
1. Click on the Start menu, type in appwiz.cpl and press the Enter key to open the
program.
2. In the Program and Features window, click on the Turn Windows features on or off
link in the left side of the window.
3. In the Windows Features window, select all the options under Hyper-V and click the
OK button to continue.
Figure 2.8.3: Hyper-V can be installed on Windows 10 using the Control Panel.
After the command has been executed you will need to restart the computer for the
installation of Hyper-V to be completed.
To install Hyper-V using PowerShell, open an elevated PowerShell prompt and run the
following command:
Figure 2.8.4: Hyper-V can be installed without the GUI using PowerShell.
After the command has been executed, you will need to restart the computer for the
installation of Hyper-V to be completed.
PowerShell Cmdlets
If there is an issue with the PowerShell command being executed properly, then
you are not running the command as an administrator. The command will also not
work if it is being executed in the Command Prompt. This is because there is no
way to run a Cmdlet from the Command Prompt, so the command will always fail.
To install Hyper-V using DISM, open an elevated Command Prompt and run the following
command:
Figure 2.8.5: Hyper-V can be installed using the Command Line using the DISM tool.
After the command has been executed you will need to restart the computer for the
installation of Hyper-V to be completed.
If there is an issue with the command being executed properly, then you are not running
the command as an administrator. The command will also not work if it is being
executed in PowerShell.
There are several ways to configure the networking to allow for shared access from the
virtual network to the physical network, and there is a lot of flexibility in virtual networks
to allow for this connection. Since this is just being used for a test environment, setting
up the virtual network is much simpler than in a production environment.
• External Network - This is a virtual switch that binds to a physical network adapter
so that virtual machines can access the network just like a physical device. This is
the most common type of Hyper-V network that is used in a production environment.
• Internal Network - This is a virtual switch that does not connect to the physical
network in any way. Any virtual machine that is connected to that virtual switch will
be able to communicate with other virtual machines that are on the same virtual
switch.
• Private Network - This is a virtual switch that is like an internal virtual switch, except
the host operating system is not able to communicate with the virtual machines on
that virtual switch.
The most common type of Hyper-V network is the External Network. This is the easiest
type of network to setup and offers the most flexibility. The other types of networks are
usually designed and meant for larger scale Datacentre environments with specific
requirements.
Networks in Hyper-V support the addition of VLAN tags to network interfaces to support
more complex networks. In the case of this test environment, that is something that will
not be used. Hyper-V also supports the ability to share the management interface of
Hyper-V with the network adapter that is being used to reduce the number of required
network adapters that are needed. This is especially useful on a desktop computer or
laptop that typically only has one network adapter. Since most users with laptops utilize
wireless networking, it is also compatible with Hyper-V networks and allows for users
with different hardware the ability to use Hyper-V with various configurations.
Since this book only creates a test environment for demonstrating the setup of a
Certificate Authority, an external network switch is being used. This allows for easy
testing of the Certificate Authority with external devices that are not being created as a
virtual machine, such as an iOS or Android device.
There are multiple differences that exist between Generation 1 and Generation 2 virtual
machines, but for the purposes of creating the test environment in this book, Generation
1 virtual machines are required to support the use of a virtual floppy disk.
There are a few scenarios where a Generation 1 virtual machine is needed over a
Generation 2 virtual machine:
For the last point of needing to support virtual floppy disks, all servers and workstations
created in Hyper-V for this book will utilize Generation 1 virtual machines in Hyper-V.
These virtual machines will have a virtual floppy drive available by default, so there is no
need to configure one. No Generation 2 virtual machines are needed at all.
There are third-party solutions that may be able to convert between Generation 1
virtual machines and Generation 2 virtual machines in Hyper-V. Those solutions
are beyond the scope of this book and not supported by Microsoft.
Hyper-V Checkpoints
Hyper-V supports Checkpoints, which is also known as Snapshots in other virtualization
platforms. A Checkpoint is a copy of a virtual machine at a particular time, which
captures everything about the virtual machine at that point in time. Hyper-V Checkpoints
are primarily used to revert or undo changes to a virtual machine in case a problem
arises can cause issues. There is the option in Hyper-V to apply multiple Checkpoints to
a virtual machine, which can be useful for testing purposes. Hyper-V Checkpoints are not
an adequate backup solution and should never be used in that manner.
• Hyper-V Checkpoints are stored as AVHD or AVHDX files whenever they are used, and
they are stored in the same folder as the Hyper-V hard disks for a virtual machine.
• Hyper-V Checkpoints can be explicitly enabled or disabled for a virtual machine, as
well as set to automatic if needed or required.
• Hyper-V Checkpoints are helpful for testing purposes and can be used to undo changes
to a virtual machine in only a few minutes.
Hyper-V Checkpoints are a useful feature for allowing you to quickly revert to a previous
point in time if you experience an issue with a virtual machine, but they do not replace the
necessity for a proper backup solution.
One downside to Hyper-V Checkpoints is once you start using them and there are
many of them in use, they can begin to slowly take up a considerable amount of
disk space. When you provision a virtual hard disk, you can specify the size of the
disk and Hyper-V will not allocate more to the disk space if it is used up. However,
with Checkpoints, the AVHD files can grow to whatever size is needed, which can
fill up the entire hard drive or storage location if left unchecked.
Ensure that if you are using a Checkpoint and are finished with it, you should either
delete it or merge in into the main virtual hard disk to prevent the size from getting
out of control, and causing issues with the computer or server that is hosting
Hyper-V.
Creating a virtual machine in Hyper-V is not difficult to do, and the only real requirement is
managing the resources on the workstation or server that is running Hyper-V. It is
important to ensure that you do not over-provision virtual machines, which can cause
resource issues for the host machine running Hyper-V.
When connecting to the Virtual Machine Connection application, you are presented with
this window:
Figure 2.8.6: The Hyper-V VMConnect application supports connections to Hyper-V virtual
machines on the local device or over the network.
Figure 2.8.7: The Hyper-V VMConnect application allows you to interact directly with
the virtual machine as if it were a physical machine. Compared to the Remote Desktop
Protocol, this is the equivalent of connecting to the console of the virtual machine.
Aside from simply connecting to a virtual machine, the Virtual Machine Connection
application also offers the following features:
There are a few differences between the Virtual Machine Connection application
and the Remote Desktop Connection application that are provided in Windows.
The Remote Desktop Connection application can be more responsive than the
Virtual Machine Connection application and allows actions such as cut and paste
to be performed much easier.
To create a virtual floppy disk in Hyper-V, it can be created using the Hyper-V Manager:
The virtual floppy disk will be saved with the .vfd extension by default. It will need to be
formatted the first time that it is used for it to be used properly. To utilize the virtual
floppy disk while using a virtual machine, it can be easily added to a running virtual
machine by performing the following steps:
1. Open the Virtual Machine Connection (vmconnect.exe) window for the virtual machine
that you want to add the virtual floppy disk to.
2. Click on the Media menu, select the Diskette Drive menu and click the Insert Disk...
option.
3. On the Open window, browse to the location where you saved the RootCAFiles.vfd
file and click the Open button.
4. The virtual floppy disk is now added to the virtual machine.
To remove the virtual floppy disk, it only requires a few steps as well (ensure that you do
not have any open files on the virtual floppy disk when you eject it):
1. Open the Virtual Machine Connection (vmconnect.exe) window for the virtual machine
that you want to remove the virtual floppy disk from.
2. Click on the Media menu, select the Diskette Drive menu and click the
Eject RootCAFiles.vfd option.
3. The virtual floppy disk has now been removed from the virtual machine.
Overall, managing virtual floppy disks in Hyper-V is not difficult and is easy to move
between different virtual machines.
It is advised that after the implementation of the Certificate Authority that the
virtual floppy disk be deleted as it is no longer needed. This will also prevent any
sensitive data that is stored on the virtual floppy disk from being lost. When files
need to be transferred between the Root CA and the Subordinate CA (such as the
CRL when it needs to be renewed), you can just create a new virtual floppy disk for
the task and then delete it when you are finished.
The TFS-DC01 Domain Controller for the TFS Labs domain is setup as a single Domain
Controller in the corp.tfslabs.com Forest. This Active Directory domain will be used for
critical functions in the TFS Labs test environment and is necessary for a proper Active
Directory Certificates Services deployment. It will utilize the Active Directory Domain
Services role that is available in Windows Server.
Aside from being the Domain Controller for the TFS Labs domain, the TFS-DC01 server
will also be responsible for hosting the DNS server and DNS Zone for the TFS Labs
domain. It will also be used for managing Group Policy, which will be used for deploying
certificates. Once the Active Directory Domain Services role has been successfully
installed and configured, the following features will be available on the TFS-DC01 server
for managing Active Directory:
These features are all required to properly configure a Certificate Authority using Active
Directory Certificate Services, as well as supporting Active Directory. These features are
available as separate applications, or through the Microsoft Management Console.
This chapter will focus on how to create an Active Directory Domain Controller for the
TFS Labs domain. It will also setup several test user accounts in Active Directory, as well
as setup a Windows 10 workstation that will be used for testing certificate deployment
later in this book.
Once the TFS-DC01 virtual machine has been created and the operating system has been
installed, there are a few tasks that need to be completed:
• Set the password for the local administrator account (ensure that you use a complex
password).
• Set the hostname of the server to TFS-DC01. Restart the server to apply the change.
Once the local Administrator account and the hostname have been setup, you will also
need to configure the network settings for the virtual machine:
IP Address 10.100.1.100
Netmask 255.255.255.0
Gateway 10.100.1.1
DNS Server 1 8.8.8.8
Once the network has been setup correctly, you can then proceed to setting up the
TFS-DC01 server as a Domain Controller by installing the Active Directory Domain
Services role.
If you are having any DNS resolution issues after the Domain Controller
promotion, check the DNS settings on the TFS-DC01 server to ensure that there is
a forwarding DNS server listed.
The local administrator account that is used during the initial setup of the
TFS-DC01 server will become the Domain Administrator account for the TFS Labs
domain once the server has been promoted to a Domain Controller.
Once the Active Directory installation has been completed, the local administrator
account that is on the TFS-DC01 server will become the TFSLABS\Administrator
account, which is the Domain Administrator account for the TFS Labs domain.
This Domain Administrator account will be used for the remainder of the
Certificate Authority implementation, except on the Offline Root CA server.
AD DS Role Installation
The Active Directory Domain Services role needs to be installed on the TFS-DC01 server
prior to configuring the server as a Domain Controller for the TFS Labs domain. The role
can be installed using Server Manager or through the command line with PowerShell, you
can decide which method you would like to use.
1. Open the Server Manager console (servermanager.exe), click on the Manage menu,
and then click on Add Roles and Features to start the installation wizard:
3. On the Select installation type screen, select the option for Role-based or feature-based
installation and click the Next button to continue:
5. On the Select server roles screen, select the Active Directory Domain Services option:
7. On the Select server roles screen, click the Next button to continue:
9. On the Active Directory Domain Services screen, click the Next button to continue:
11. When prompted with a warning about restarting the server, click the Yes button.
12. On the Confirm installation selections screen, click the Install button to continue:
Once the Active Directory Domain Services role has been installed successfully, you can
now configure the TFS-DC01 server as a Domain Controller for the TFS Labs domain.
This Cmdlet only works with PowerShell, so the Command Prompt cannot be used for
this step.
Perform the following steps on the TFS-DC01 server using PowerShell to add the Active
Directory Domain Services role:
4. Once the installation for Active Directory Domain Services has completed, you can
close the PowerShell prompt.
Once the Active Directory Domain Services role has been installed, you can now
configure the TFS-DC01 server as a Domain Controller for the TFS Labs domain.
AD DS Role Configuration
Once the Active Directory Domain Services role has been installed on the TFS-DC01
server, it will need to be properly configured to become a Domain Controller for the TFS
Labs domain. In the process of configuring the TFS Labs domain, the following Active
Directory Domain settings will be configured on the TFS-DC01 server:
The local administrator account password that is currently set on the TFS-DC01 server
will become the Domain Administrator account password once Active Directory has been
setup for the TFS Labs domain.
Ensure that the hostname for the TFS-DC01 server has been properly set before
going any further. There is no way to change the hostname on a Domain Controller
after it has been promoted, so it must be set correctly prior to being promoted.
It is essential that the Directory Services Restore Mode Password is set and
documented if there is a major issue with Active Directory. In the even that a
restore needs to be performed for Active Directory, this password must be used to
regain access to the server. Once the password has been set, it should be
documented in a secure location.
If you already have an existing Active Directory domain, and this password is
unknown, there are methods to reset this password without causing any
production issues or downtime. This is beyond the scope of this book but is
thoroughly documented on Microsoft’s website.
The Forest and Domain modes for the TFS Labs domain is set to Windows Server
2016. When using the Install-ADDSForest command there are two parameters
that are used to set the Forest and Domain Modes, DomainMode and ForestMode.
Depending on which Forest and Domain modes you require for your Active
Directory domain, there are a few different options that you can use at the time of
configuration:
There is no specific Forest of Domain mode for Windows Server 2019, and the
WinThreshold option represents the latest version that has been available since
Windows Server 2016. With Active Directory, you can always upgrade, or “raise”
the Forest and Domain Functional Levels at any point after installation.
The default option for the Install-ADDSForest Cmdlet is to set the Forest and
Domain to the Windows Server 2008 R2 Functional Level.
1. To begin the configuration of Active Directory Domain Services, open the Server
Manager console (servermanager.exe). You will notice that AD DS now shows up as
being installed on the TFS-DC01 server. Click the Notifications icon in the upper-right
hand corner and click the Promote this server to a domain controller link in the
Post-deployment Configuration box:
3. On the Domain Controller Options screen, ensure that the Forest functional level
and Domain functional level are both set to Windows Server 2016. Ensure that
the options for Domain Name System (DNS) server and Global Catalog (GC) are
both selected. For the Directory Services Restore Mode (DSRM) password, enter a
complex password in both fields (ensure that you record this password somewhere).
Once completed, click Next to continue:
5. On the Additional Options screen, for the NetBIOS domain name enter TFSLABS and
click Next to continue:
11. The TFS-DC01 server will automatically restart when the configuration has completed.
Perform the following steps on the TFS-DC01 server using PowerShell to configure the
Active Directory Domain Services role:
Import-Module ADDSDeployment
Install-ADDSForest `
-CreateDnsDelegation:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainMode "WinThreshold" `
-DomainName "corp.tfslabs.com" `
-DomainNetbiosName "TFSLABS" `
-ForestMode "WinThreshold" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true
It is essential that the Directory Services Restore Mode Password is set and
documented if there is a major issue with Active Directory. In the even that a
restore needs to be performed for Active Directory, this password must be
used to regain access to the server. Once the password has been set, it
should be documented in a secure location.
6. The TFS-DC01 server will automatically restart when the configuration has completed.
At this point, the TFS-DC01 server will have the necessary roles and features installed to
properly act as a Domain Controller for the TFS Labs domain.
Once the Active Directory Domain Services role has been successfully configured, you
can proceed to configuring the OU structure for the TFS Labs domain.
The OU structure for the TFS Labs domain is not complex, and consists of the following
structure:
• TFS Labs
• TFS Labs\TFS Labs Servers
• TFS Labs\TFS Labs Users
• TFS Labs\TFS Labs Workstations
There are two ways to add the OU structure to the TFS Labs domain, one using the Active
Directory Users and Computers console, or with the command line using PowerShell.
3. Right-click on the corp.tfslabs.com domain, select the New option, and select Organizational
Unit:
6. Right-click on the TFS Labs OU, go to New, and select Organizational Unit.
7. In the New Object - Organizational Unit window, for the Name, enter TFS Servers.
Ensure that the option to Protect container from accidental deletion is selected and
click OK.
8. Right-click on the TFS Labs OU, go to New, and select Organizational Unit.
9. In the New Object - Organizational Unit window, for the Name, enter TFS Users.
Ensure that the option to Protect container from accidental deletion is selected and
click OK.
10. Right-click on the TFS Labs OU, go to New, and select Organizational Unit.
Now that there is a basic OU structure in place in the TFS Labs domain, several test user
accounts can now be created that will be used in later chapters for testing purposes.
New-ADOrganizationalUnit `
-Name "TFS Labs" -Path "DC=corp,DC=tfslabs,DC=com"
New-ADOrganizationalUnit `
-Name "TFS Servers" -Path "OU=TFS Labs,DC=corp,DC=tfslabs,DC=com"
New-ADOrganizationalUnit `
-Name "TFS Users" -Path "OU=TFS Labs,DC=corp,DC=tfslabs,DC=com"
New-ADOrganizationalUnit `
-Name "TFS Workstations" -Path "OU=TFS Labs,DC=corp,DC=tfslabs,DC=com"
Any Domain Controller in an Active Directory Domain will always be found in the
Domain Controllers OU by default. You should not move any Domain Controllers
from this OU unless the Domain Controller has been demoted and is no longer
being used for Active Directory.
Since the Domain Controllers are in a separate OU from the structure that was just
created, you will need to factor that in when you are applying Group Policy Objects
to those servers.
Several regular user accounts should be created to test functions of the Active Directory
Certificate Services functionality. This will ensure that user certificates that are being
issued are working correctly, and to test that key archive recovery is working with Active
Directory Certificate Services.
For the purposes of this book, the following three accounts will be created:
There are two ways to add user accounts to the TFS Labs domain, one using the Active
Directory Users and Computers console, and the other with the command line using
PowerShell. You only need to create the test accounts using one of those methods, and
you can choose whichever method you would like to use.
2. Click on the corp.tfslabs.com domain, and then click the arrow to the left of the
domain to expand the domain structure.
3. Expand the TFS Labs OU and select the TFS Users OU:
6. On the next window, enter a password for the user account. You can uncheck the
option for User must change password at next logon option, as this is not necessary
for testing purposes. Click the Next button to continue:
8. Repeat steps 4 to 7 to add the additional user accounts for the TFS Labs domain
until all user accounts have been added:
9. To ensure that there are no issues generating user certificates later in this book, the
e-mail addresses of the users will need to be configured on each account. Right-click
on one of the user accounts and select the Properties option.
New-ADUser `
-Name "Mary Smith" `
-GivenName "Mary" `
-Surname "Smith" `
-SamAccountName "msmith" `
-EmailAddress "[email protected]" `
-Path "OU=TFS Users,OU=TFS Labs,DC=corp,DC=tfslabs,DC=com" `
-AccountPassword (Read-Host -AsSecureString "User Password") `
-ChangePasswordAtLogon $false `
-Enabled $true
Alternatively, the same change can be made from an elevated PowerShell prompt with
the following command:
Set-ADUser `
-Identity Administrator `
-EmailAddress "[email protected]"
Now that the test user accounts have been created, it is now easier to demonstrate that
the certificates issued by the Certificate Authority are working correctly. You can proceed
to setting up the Windows 10 workstation, which these accounts will be able to use for
testing purposes in later chapters.
Ensure that you enter the e-mail addresses for the user accounts correctly,
otherwise there will be issues with the automatic deployment of user certificates
to those accounts in later chapters of this book. Since the issue will be on the
Enterprise CA, the user will not be notified that there is an issue with their account,
they will just receive no user certificate.
Once the TFS-WIN10 virtual machine has been created and the operating system has
been installed, there are a few tasks that need to be completed:
• Set the password for the local Administrator account (ensure that you use a complex
password).
• Set the hostname of the server to TFS-WIN10. Restart the workstation to apply the
change.
IP Address 10.100.1.110
Netmask 255.255.255.0
Gateway 10.100.1.1
DNS Server 1 10.100.1.100
Once the hostname and networking has been setup successfully, you can then proceed
to join the TFS-WIN10 workstation to the TFS Labs domain.
Figure 3.6.1: The TFS-WIN10 workstation once it has been joined to the TFS Labs domain.
The TFS-WIN10 workstation should be moved from the default Computer OU in Active
Directory to one of the dedicated OUs that was created earlier for the TFS Labs domain.
This will facilitate easier application of Group Policy Objects, which are needed for Active
Directory Certificate Services. To move the TFS-WIN10 computer object, perform the
following steps on the TFS-DC01 server:
Alternatively, you can also move the TFS-WIN10 computer object by running the following
command from an elevated PowerShell prompt:
Get-ADComputer "TFS-WIN10" | `
Move-ADObject `
-TargetPath "OU=TFS Workstations,OU=TFS Labs,DC=corp,DC=tfslabs,DC=com"
Once the TFS-WIN10 workstation has been moved to the correct OU in Active Directory, it
is ready to be used for testing of the Certificate Authority in the later chapters in this book.
The next section in this book looks at LDAPS with Active Directory, which is used to
encrypt LDAP traffic using certificates. This increases the security of an Active Directory
domain, and other features that rely on LDAP to function. With the use of Active Directory
Certificate Services, this functionality can be easily enabled on an Active Directory
domain.
There are no issues with using Windows 10 Pro 32-bit instead of 64-bit for the
workstation. The 32-bit version of Windows 10 Pro will not affect the functionality
of issuing and managing certificates to that workstation.
The only requirement is that Windows 10 is either the Pro or Enterprise edition,
and that it is only for the requirement that it be able to properly join an Active
Directory domain.
You may encounter an issue with connecting to the TFS-WIN10 workstation with
the Hyper-V Virtual Machine Connection when connecting with a regular user
account. This is due to the way that Hyper-V handles connections with the Virtual
Machine Connection application, which is like Remote Desktop. The Virtual
Machine Connection application requires additional permissions to allow for
Domain Users to login correctly. By default, all users in Active Directory are added
to the Domain Users group.
To facilitate testing, that Active Directory group will need to be added to the
TFS-WIN10 workstation to allow for login. Make the following changes to the
TFS-WIN10 workstation to allow for domain user logins:
At this point, the TFS-WIN10 workstation should be ready for users to login with
the Hyper-V Virtual Machine Connection application. They should also be able to
login using the Remote Desktop application as well if that feature is enabled.
There is no user interface in Active Directory Domain Services for enabling LDAPS.
Installing a valid certificate and meeting the above requirements will permit a Domain
Controller from utilizing LDAP over SSL. The easiest method to enable LDAPS is to use a
computer certificate that is already available in Active Directory Certificate Services and
issue one of those certificates to the Domain Controllers in that environment.
There are multiple third-party utilities that can be used to verify that LDAPS is enabled on
a Domain Controller, but there is a utility available in Windows Server (ldp.exe) that can
quickly verify that LDAPS is enabled. While it is still too early in this book to enable
LDAPS, you can come back to this section after completing the steps in this book to
verify that LDAPS was successfully enabled.
To check the current LDAP settings on a Domain Controller and check if LDAPS is
enabled, perform the following steps on the TFS-DC01 server:
1. Open the Ldp application by running the ldp.exe command from the Run prompt.
2. The Ldp window will appear:
6. To close the current LDAP connection, click on the Connection menu and select the
Disconnect option.
7. To test LDAPS connections, click on the Connection menu and select the Connect...
option.
8. On the Connect window, enter the following details:
• Server - TFS-DC01.corp.tfslabs.com
• Port - 636
• Connectionless - Disabled
• SSL - Enabled
Figure 3.7.1: The Ldp application will show an error message if there is an issue with
LDAPS.
The Root Certificate Authority server is setup as a standalone Windows Server and is
never meant to be a member of an Active Directory domain. There are no network
connections to the Root CA server and there never should be in this type of Two-Tier
setup. There are no domain policies being applied to the server, this means that it will
require some local security modifications that are normally handled through Group Policy
from Active Directory. Since there are also no connections to Active Directory, these
changes will need to be applied locally and are specific only to this server. These
modifications only need to be performed once on the server, as those settings will never
be changed and will remain persistent.
Aside from having no network connections to and from the Root Certificate Authority
server, there are also additional security considerations that are in place as well.
BitLocker full disk encryption can be used to secure the server when it is in an offline
state to protect the Root Certificate private keys. This step is optional, but the
instructions are provided for the Root Certificate Authority server to enforce greater
security on the Root CA server when it is in an offline state.
Moving files to and from the Root Certificate Authority server will be accomplished with
the use of a virtual floppy disk. This allows the Offline Root CA to have minimal
interaction with other devices within the environment and removes the requirement to
have a network connection on that server.
This chapter will focus on how to install and configure an Offline Root CA server using
Active Directory Certificate Services.
Since there are no active network connections to and from the TFS-ROOT-CA virtual
machine, a virtual floppy disk will need to be created that will be used for transferring
files to and from the TFS-ROOT-CA server. Name the file “RootCAFiles” and store it in a
location that will be available for all virtual machines.
The first time that the virtual floppy disk is inserted into one of the virtual machines it will
need to be formatted with the default settings for it to be usable. Keep this virtual floppy
disk available until the end of the Certificate Authority implementation, when it will be
deleted.
You will need to recreate this virtual floppy disk in the future whenever you need to move
files to and from the TFS-ROOT-CA server. Since this book uses the Hyper-V virtualization
platform for demonstration purposes, this file will be called RootCAFiles.vfd. Instructions
on how to create virtual floppy disk with Hyper-V is provided in an earlier chapter.
When provisioning the TFS-ROOT-CA server you should consider disabling all
features that allow for easily copying files to and from that virtual machine. This
feature is a convenient option for moving files to and from the TFS-ROOT-CA
server, but it can compromise the security of the virtual machine. This also
includes the Shared Clipboard feature that is often available in virtual machines
for copying and pasting text between virtual machines.
If you are using Hyper-V this setting can be disabled in the Enhanced Session
Mode settings options. If you are using VMware Workstation, this setting can be
disabled in the Guest Isolation settings. For every other virtualization platform,
there should be a way to disable those features as well.
Even though disabling these features can make dealing with the TFS-ROOT-CA
somewhat cumbersome during the implementation and configuration phase, the
added security features are worth it to protect the Root Certificate Authority. You
will deal with the Offline Root CA so infrequently after it is setup and configured, it
should not be an issue.
Once the TFS-ROOT-CA virtual machine has been created and the operating system has
been installed, there are a few tasks that need to be completed before proceeding to
configure the Root Certificate Authority:
1. Set the local Administrator account on the TFS-ROOT-CA server to a complex password
that is at least 14 characters in length and store the password securely (the local
Administrator account is renamed to CA-Admin in a later step in this chapter). Ensure
that there are no additional user accounts present on the server (this can be verified in
the Computer Management console (compmgmt.msc)). The Guest account should
already be disabled by default and this account is renamed in a later step to obfuscate
the account.
2. Set the hostname of the server to TFS-ROOT-CA. Restart the server to apply the
change.
3. Set the TFS-ROOT-CA server to be a member of the TFS-CA workgroup. Restart the
server to apply the change.
4. On the root of the C:\ drive create a folder called RootCA (C:\RootCA). This folder will
store the Root certificate, Subordinate certificate, CRL files and any other certificate
files that are needed during the entire Certificate Authority implementation process.
5. Insert the RootCAFiles.vfd virtual floppy disk into the virtual floppy drive on the TFS-ROOT-CA
virtual machine. Format the floppy disk using the default settings using Windows File
Explorer. Eject the virtual floppy disk when the formatting has been completed.
Once the TFS-ROOT-CA server has been setup, you can move onto the optional step of
setting up BitLocker Disk Encryption on the virtual machine. Otherwise, you can continue
with the Active Directory Certificate Services setup if that is not required.
• The information that is stored on the TFS-ROOT-CA server will be secure when the
server is in an offline state. This is important to have since the virtual machine may
be stored elsewhere and this will prevent users from accessing the virtual hard drive.
• BitLocker is a native feature in Windows Server, so there is no cost associated with
using BitLocker since it is part of the operating system. Since BitLocker is a native
feature in Windows Server, there is no concern about using third-party encryption
software that may require additional licensing or fees to use it.
• BitLocker is easily supported with virtualization software.
• BitLocker does not require any additional dependencies to operate and can be used
without any outside software or services.
Using BitLocker to encrypt the TFS-ROOT-CA server is an easy and effective way to
protect the data on that server to ensure that the Root Certificate Authority is secure.
It may seem as though enabling BitLocker should be one of the last tasks
performed in the implementation process, but the reason that it is advisable to
enable and test BitLocker at this stage is to ensure that there are no issues with it.
If you enable BitLocker after creating the Root CA and there is an issue with it, it is
possible that you will not be able to access the Root CA and will need to start the
process again.
If you decide that you would like to use BitLocker to secure the TFS-ROOT-CA server,
perform these steps to add the BitLocker feature to the TFS-ROOT-CA server. It can be
installed using Server Manager or through the command line with PowerShell, you can
decide which one you would like to use. You only need to choose one method for
installing the BitLocker Drive Encryption feature.
2. On the Before you begin screen, click the Next button to continue:
4. On the Select destination server screen, verify that the TFS-ROOT-CA server is selected
and click the Next button to continue:
6. On the Select features screen, select the BitLocker Drive Encryption feature:
10. When prompted with a warning about restarting the server, click the Yes button.
11. On the Confirm installation selections screen, click the Install button to continue:
The TFS-ROOT-CA server should automatically restart once the BitLocker feature has
been installed (restart the server manually if it does not restart automatically). Once
restarted, it will require some additional configuration to the TFS-ROOT-CA server to allow
it to be enabled.
The BitLocker Drive Encryption installation can also be performed using PowerShell,
which requires much fewer steps to accomplish. Perform the following steps on the
TFS-ROOT-CA server:
1. Open an elevated PowerShell prompt.
2. Run the following command to install the BitLocker Drive Encryption role and the
necessary BitLocker Administration Tools:
Install-WindowsFeature BitLocker `
-IncludeAllSubFeature `
-IncludeManagementTools `
-Restart
4. Once the installation has completed, the TFS-ROOT-CA server will automatically restart.
The TFS-ROOT-CA server should automatically restart once the BitLocker feature has
been installed (restart the server manually if it does not restart automatically). Once
restarted, it will require some additional configuration to the TFS-ROOT-CA server to allow
it to be enabled.
Figure 4.1.2: When there is no valid TPM present on a Windows device, BitLocker by
default will not allow the drive to be encrypted.
To configure the appropriate Local Group Policy settings, perform the following steps on
the TFS-ROOT-CA server:
1. Open the Local Group Policy Editor console (gpedit.msc) on the TFS-ROOT-CA server.
2. Open the Computer Configuration > Administrative Templates > Windows Components
> BitLocker Drive Encryption > Operating System Drives policy settings.
3. Double-click on the Require additional authentication at startup policy setting.
4. Make the following changes to the Policy Setting and apply the settings:
(a) Require additional authentication at startup - Enabled
(b) Allow BitLocker without a compatible TPM (requires a password or a startup
key on a USB flash drive) - Enabled
(c) Configure TPM startup: Allow TPM
(d) Configure TPM startup PIN: Allow startup PIN with TPM
(e) Configure TPM startup key: Allow startup key with TPM
(f) Configure TPM startup key and PIN: Allow startup key and PIN with TPM
5. Close the Local Group Policy Editor window.
6. Restart the TFS-ROOT-CA server to ensure that the Local Group Policy settings have
been successfully applied.
Ensure that the TFS-ROOT-CA server has been restarted before enabling BitLocker on the
server, otherwise the BitLocker setup process will not complete correctly.
The issue with requiring TPM by default with BitLocker is that it does not always
work correctly with virtual machines since the TPM is difficult to emulate. This
also means that by relying on a TPM from one device means that portability of the
virtual machine would be affected. It is recommended to just disable the checking
of a TPM when enabling BitLocker.
The BitLocker Recovery Key is a unique 48-digit numerical password that is used
to unlock an encrypted BitLocker drive. It is typically only used if the regular
password is not working correctly and will allow you to unlock the drive and
change the password if necessary. Attached to the BitLocker Recovery Key is a
unique 32-digit alphanumeric identifier that allows you to determine if the recovery
key is the correct one for a particular device.
It is important that you do not misplace or lose the BitLocker Recovery Key. There
is absolutely no way to unlock the BitLocker drive without the BitLocker Recovery
Key. If the BitLocker Recovery Key is lost, then the TFS-ROOT-CA server will never
be able to be accessed again. BitLocker does not allow you to save the key to the
same device that has been encrypted, and that is why you typically use removable
media to back up the BitLocker Recovery Key.
Ensuring that you have a working backup of the BitLocker Recovery Key for
encrypted devices is crucial to ensure that you do not encounter issues in the
future.
15. Login to the TFS-ROOT-CA server, you should receive a notification that the drive
is encrypting. You can also check the status of BitLocker at any time by going to
Windows File Explorer (explorer.exe), then to This PC, right-clicking on the C:\ drive
and selecting the Manage BitLocker option:
Now that BitLocker has been installed and verified to be working correctly, the hard drive
for the Root Certificate Authority server has been successfully secured when it is in an
offline state.
In the event the virtual hard disk that is encrypted with BitLocker is damaged or
corrupted in any way, there will be no way of retrieving the contents of the
TFS-ROOT-CA server. This is due to the way that BitLocker operates, and regular
disk repair utilities will not work correctly on an encrypted disk. Ensure that you
keep proper backups of the TFS-ROOT-CA server to ensure that the data on that
disk is never lost.
It is also possible to mount the virtual hard disk for the Root CA on another compatible
device. This may be required if there is an unrecoverable error in the Windows Server
installation for the Root CA and you need to manually retrieve critical files from the
server. Performing this task requires either another computer running Hyper-V or a
computer that is capable of mounting VHD files. If the test device is on Windows Server,
ensure that the BitLocker feature is added, otherwise this process will not work.
To mount the virtual hard disk on another device using Hyper-V, perform the following
steps:
1. Ensure that the virtual machine that you intend on mounting the virtual hard disk to
is shut down.
2. Open the Hyper-V Manager (virtmgmt.msc) on the device where you want to mount
the virtual hard disk.
3. Select the virtual machine that you want to mount the virtual hard disk to, right-click
on it and select Settings....
4. In the Hardware settings, click on the IDE Controller 0 device, and under the IDE
Controller pane, and click the Add button.
5. For the Virtual hard disk, click the Browse button and select the virtual hard disk you
want to mount.
6. Click the Apply button, and then close the Settings window.
7. Power on the virtual machine that you mounted the virtual hard disk on.
8. Open Windows File Explorer (explorer.exe) and find the virtual hard disk. It should
be assigned a drive letter and have a lock which means it is BitLocker Encrypted.
9. Double-click on the drive and enter the BitLocker password to unlock the virtual hard
disk.
To remove the virtual hard disk, power off the virtual machine and remove it using the
Hyper-V settings. Mounting a virtual hard drive is not something that you would ever
likely need to perform under ordinary circumstances, but it is possible to do should an
extreme situation arise.
It is also possible to mount a virtual hard disk using Windows 10 Pro or Enterprise.
To do this, go to the location where the VHD file is located, right-click, and select
the Mount option and that is all that is needed. For BitLocker VHD files, there will
be an additional option to Unlock the Drive if that drive is encrypted.
The first method will back up the BitLocker Recovery Key through the BitLocker Drive
Encryption Management console. This method requires using a virtual floppy disk, and
you can use the same one as what was provisioned early or provision a new one entirely:
1. Add the RootCAFiles.vfd virtual floppy disk to the TFS-ROOT-CA virtual machine. If
this is a different or new virtual floppy disk, it will need to be formatted first.
2. On the TFS-ROOT-CA server, open Windows File Explorer (explorer.exe).
3. On the left side of the Windows File Explorer window, select This PC.
4. Under Devices and drives, right-click on the C: drive and select Manage BitLocker:
5. Under the Operating system drive, select the Back up your recovery key option.
6. When the BitLocker Drive Encryption (C:) window appears, select the option to Save
to a file.
7. Browse to the A: and click the Save button. You can use the default file name.
8. Click the Finish button to complete the back up of the BitLocker Recovery Key.
1. Add the RootCAFiles.vfd virtual floppy disk to the TFS-ROOT-CA virtual machine.
2. Open an elevated Command Prompt.
3. To back up the BitLocker Recovery Key for the C:\ drive to the A:\ drive, run the
following command:
Whatever method is used to get the BitLocker Recovery Key, it is important to make sure
that you always have a copy if you need it. Ensure that you keep the BitLocker Recovery
Key stored in a safe place.
There are multiple methods of disabling the Windows Update functionality on a Windows
device, but here are two methods that can be quickly used on the TFS-ROOT-CA server:
You only need to perform one of these methods to disable the Windows Update service.
To disable the Windows Update service using the Sconfig utility, perform the following
steps on the TFS-ROOT-CA server:
sconfig.cmd
4. On the Server Configuration screen, select option 5 and press Enter to configure the
Windows Update Settings.
5. When prompted to configure the Windows Update Settings, select option M and
press Enter to set the option to manual:
To disable the Windows Update service using the Services console, perform the following
steps on the TFS-ROOT-CA server:
Regardless of which method you use to disable the Windows Update service, performing
this simple action could reduce issues in the future should the TFS-ROOT-CA server ever
be connected to a network.
Once BitLocker has been installed and enabled, and Windows Update has been disabled,
you can proceed to configuring the Local Group Policy settings on the TFS-ROOT-CA
server.
Some of these settings are not necessary since the TFS-ROOT-CA server is never
supposed to have any active network connections to it as there is no network adapter
present on the virtual machine. If the TFS-ROOT-CA server is ever connected to a network,
these settings will help alleviate any potential issues if connections are attempted to it.
Perform the following steps to enable the Local Policy changes to the TFS-ROOT-CA
server:
1. Open the Local Group Policy Editor console (gpedit.msc), confirm the following settings,
and make any changes if necessary:
(a) Modify the Local Computer Policy > Computer Configuration > Windows Settings
> Security Settings > Local Policies > Security Options settings:
i. Accounts: Administrator account status - Enabled
ii. Accounts: Block Microsoft accounts - Users can’t add or log on with Microsoft
Accounts
iii. Accounts: Guest account status - Disabled
iv. Accounts: Rename administrator account - CA-Admin
v. Accounts: Rename guest account - Administrator
vi. Interactive Logon: Don’t display last signed-in - Enabled
vii. Interactive Logon: Don’t display username at sign-in - Enabled
viii. Network security: Do not store LAN Manager hash value on next password
change - Enabled
ix. Network security: LAN Manager authentication level - Send NTLMv2 response
only. Refuse LM & NTLM (click Yes when prompted to confirm the change)
2. Close the Local Group Policy Editor console.
These Local Group Policy and Security Policy settings are required since the
TFS-ROOT-CA server is not a part of an Active Directory domain and therefore would
never receive any polices from a Domain Controller. By default, the policies on Windows
Server are weak when it comes to security settings for password complexity, lockouts,
and password age. By modifying the policies directly on the TFS-ROOT-CA server, you can
ensure that there are adequate protections in place on the server and that they will
always be in place.
With the Local Group Policy and Security Policy settings configured on the TFS-ROOT-CA
server, you can proceed to creating the CAPolicy.inf file. This file is needed to configure
the settings of the Certificate Authority at the time of creation.
After the steps performed in this section have been completed and after the
server has restarted, the local administrator account on the TFS-ROOT-CA server
has been renamed to CA-Admin from Administrator. The path to the administrator
account will still be the same and can only be changed by deleting the profile and
recreating it. Along with the other changes, the username is no longer
remembered on the Windows Login Screen, which means it will need to be
inputted every time that the server is powered on or restarted.
Since the Offline Root CA will only be used at least once a year and with the
password settings that are being applied to this virtual machine, the password to
the local administrator account will need to be reset every single time the
TFS-ROOT-CA virtual machine is powered on.
C:\Windows\CAPolicy.inf
[ Version ]
Signature =" $Windows NT$ "
[ PolicyStatementExtension ]
Policies = AllIssuancePolicy , InternalPolicy
Critical = FALSE
[ InternalPolicy ]
OID =1.2.3.4.1455.67.89.5
Notice =" The TFS Labs Certification Authority is internal only ."
URL = http :// pki . corp . tfslabs . com / cps . html
[ Certsrv_Server ]
; Renewal information for the Root CA .
RenewalKeyLength =4096
RenewalValidityPeriod = Years
RenewalValidityPeriodUnits =10
A Delta CRL is not normally required for a Root Certificate Authority, especially one
that is offline since it is not normally handling certificate revocations in a PKI. The
Root CA is only ever used to issue a Base CRL when there are Subordinate
Certificate Authorities present. The only certificates that are typically revoked by a
Root CA is a Subordinate certificate, so that would necessitate the deployment of
a new Base CRL instead of a Delta CRL.
You can update the OID number in the InternalPolicy section of the CAPolicy.inf
file for your deployment if it is required for your organization. The OID number in
this example is used in Microsoft technical documentation, but it should work for
your organization if it is only ever going to be used internally. If you require a
customized OID number, you can register for a Private Enterprise Number through
the IANA.
If you would like to use your PEN number for the Certificate Authority, modify the
OID line in the InternalPolicy section to OID=1.3.6.1.4.1.X (replace the X with your
PEN number).
Ensure that the CAPolicy.inf file has been properly saved in the C:\Windows folder
(%WINDIR%). Also make sure that the file extension is set to INF and not TXT. A
common mistake is to accidentally save the file as CAPolicy.inf.txt.
If the CAPolicy.inf file is not saved in the correct directory and without the correct
file extension, all settings in the file will be ignored at the time when the Certificate
Authority is created.
2. On the Before you begin screen, click the Next button to continue:
4. On the Select destination server screen, verify that the TFS-ROOT-CA server is selected
and click Next:
6. The installation wizard will ask to install any additional Features required for the
Active Directory Certificate Services role. Select the option to Include management
tools (if applicable) to install the management tools for the role. Click the Add
Features button to continue:
10. On the Select role services screen, select the option for Certification Authority and
click the Next button to continue:
12. When prompted with a warning about restarting the server, click the Yes button.
13. On the Confirm installation selections screen, click the Install button to continue:
Once the Active Directory Certificate Services role has been installed, you can then
proceed to configuring the role and creating the Root certificate for the TFS Labs domain.
4. Once the installation for Active Directory Certificate Services has completed, you
can close the PowerShell prompt.
Once the Active Directory Certificate Services role has been installed, you can then
proceed to configuring the role and creating the Root certificate for the TFS Labs domain.
It is not advised to have the Root certificate and the Subordinate certificate set to
have the same validity period. For example, if both certificates have a 5 year
expiration date, it is possible that the Root certificate will expire before the
Subordinate certificate since it was signed first.
3. On the Role Services screen, select the option for Certification Authority and click
the Next button to continue:
5. On the CA Type screen, ensure that the Root CA option is selected (the Subordinate
CA option will be used later for the Enterprise CA). Click the Next button to continue:
7. On the Cryptography for CA screen, make the following changes and then click the
Next button to continue:
• Cryptographic Provider: RSA#Microsoft Software Key Storage Provider
• Key Length: 4096
• Hash Algorithm: SHA256
9. On the Validity Period screen, set the validity period to 10 Years and click the Next
button to continue:
11. On the Confirmation screen, verify that the options are correct and click the Configure
button to commit the changes and create the Root certificate:
At this point the Root certificate for the TFS Labs domain has been created. You can now
validate that the Certificate Authority has been successfully created.
Install-AdcsCertificationAuthority `
-CAType StandaloneRootCA `
-CACommonName "TFS Labs Certificate Authority" `
-KeyLength 4096 `
-HashAlgorithm SHA256 `
-CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
-ValidityPeriod Years `
-ValidityPeriodUnits 10 `
-DatabaseDirectory $(Join-Path $env:SystemRoot "System32\CertLog") `
-Force
4. Once the configuration for Active Directory Certificate Services has completed, you
can close the PowerShell prompt.
At this point the Root Certificate for the TFS Labs domain has been created. You can now
validate that the Certificate Authority has been successfully created.
To verify that the Active Directory Certificate Services role has been successfully
configured and the Root certificate was created, you can open the Certification Authority
console (certsrv.msc) on the TFS-ROOT-CA server to check the CA:
Figure 4.6.1: The Certification Authority console is used to manage the CA and
allows administrators to issue and revoke certificates. This console also allows further
customization of the CA.
You can also view the Root certificate and verify that it was created with the correct
values that you setup during the Active Directory Certificate Services configuration:
When the Subordinate CA is created on the TFS-CA01 server, you will be able to validate
that the Offline CA is functioning correctly. The CDP and AIA settings will be displayed,
which still requires customization to fit with the TFS Labs domain. If everything has been
setup correctly for the Root certificate, then you can proceed to configuring the CRL for
the Root CA and specifying the validity period for any signed certificates.
certutil.exe -setreg `
CA\DSConfigDN "CN=Configuration,DC=corp,DC=tfslabs,DC=com"
3. To define the Validity Period Units for all issued certificates by the Root Certificate
Authority, run following commands:
4. To define the CRL Period Units and CRL Period, run the following commands:
5. To define the CRL Overlap Period Units and CRL Overlap Period, run the following
commands:
6. Restart the Active Directory Certificate Services service to apply the changes:
Once the CRL settings have been configured on the Root Certificate Authority, you can
then proceed to configuring auditing on the Root CA.
As defined in step 4, the CRL Period on the Root Certificate Authority is set to 52
weeks. This means that every 52 weeks you will need to power on the
TFS-ROOT-CA server and renew the CRL. You should set a reminder in your
calendar to perform this task every 50 weeks to ensure that it is renewed in time
and distributed to the rest of the PKI in your environment.
There are several ways to determine the Active Directory Configuration Partition
Distinguished Name in an Active Directory domain. One of the easiest ways to
determine the correct format of this name can be accomplished in only a few
steps by using the Active Directory Users and Computers console:
1. On the TFS-DC01 Domain Controller, open the Active Directory Users and
Computers console (dsa.msc).
2. Go to the View menu and select Advanced Features.
3. Right-click on corp.tfslabs.com and select Properties.
4. Go to the Attribute Editor tab.
5. Scroll down until you find the distinguishedName Attribute Field and click the
View button. The String Attribute Editor window will appear:
6. Copy the value in the Value field, this is the information needed for later.
Aside from using the Active Directory Users and Computers console to retrieve
the Active Directory Configuration Partition Distinguished Name, you can also use
the ADSI Edit (Active Directory Service Interface Editor) tool (adsiedit.msc) to
obtain the same result.
To configure auditing on the Root Certificate Authority, perform the following steps on
the TFS-ROOT-CA server:
3. Enable auditing for all events on the Certificate Authority by running the following
command:
4. Restart the Active Directory Certificate Services service to apply the changes:
You can verify that all auditing options have been enabled by opening the Certification
Authority console (certsrv.msc) and checking the properties of the TFS Labs Certificate
Authority. Once auditing has been enabled on the Root Certificate Authority, you can now
proceed to configuring the CDP and AIA settings on the Root Certificate Authority.
With auditing enabled for Active Directory Certificate Services, events that are
enabled for auditing will be logged to the Windows Event Viewer. These events
can be viewed through the Event Viewer Console (eventvwr.msc):
Opening one of the events will show more details on the Active Directory
Certificate Services details will give further details on that event:
There are 31 Active Directory Certificate Services related events that can be
logged in the Windows Event Viewer with an Event ID between 4868 and 4898.
Events are also logged with a Task Category of Certification Services to allow for
an alternative sorting and filtering method.
3. Select the Extensions tab, verify that the CRL Distribution Point (CDP) extension is
selected under the Select extension field, and click the Add button:
http://pki.corp.tfslabs.com/CertData/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
5. On the Extensions tab, verify that the Include in CRLs. Clients use this to find Delta
CRL locations. and Include in the CDP extension of issued certificates options are
selected for the location that was just entered.
6. Select file://<ServerDNSName>/CertEnroll/TFS%20Labs%20Certificate
%20Authority.crl from the list and click the Remove button. Click the Yes button to
confirm that you want to remove the location.
7. On the Extensions tab, verify that under the Selection extension field, the Authority
Information Access (AIA) extension is selected, and click the Add button:
8. On the Add Location window, under the Location field, enter the following address
and click the OK button:
http://pki.corp.tfslabs.com/CertData/<ServerDNSName>_<CaName><CertificateName>.crt
9. On the Extensions tab, verify that the Include in the AIA extension of issued certificates
option is selected for the location that was just entered.
10. Select file://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CaName>
<CertificateName>.crt from the list and click the Remove button. Click the Yes button
to confirm that you want to remove the location.
15. On the Publish CRL window, verify that New CRL is selected and click the OK button:
Now that the CRL settings have been successfully configured on the TFS-ROOT-CA server
and the CRL has been published, the CRL and the Root certificate can now be exported
so that the Subordinate CA server can host it for the TFS Labs domain.
3. Run the following command to configure the AIA settings for the Root certificate
(execute this command as a single line) (execute this command as a single line with
no breaks):
4. Restart the Active Directory Certificate Services service to apply the changes:
certutil.exe -crl
To verify the AIA settings that were just applied to the Root CA, run the following
command:
Now that the CRL settings have been successfully configured on the TFS-ROOT-CA server
and the CRL has been published, the CRL and the Root certificate can now be exported
so that the Subordinate CA server can host it for the TFS Labs domain.
Once the Root certificate and CRL files have been successfully copied to the virtual
floppy disk, all the initial tasks for the TFS-ROOT-CA server are now complete.
If you decided to use BitLocker for encrypting the TFS-ROOT-CA server, the BitLocker
Recovery Key should also be located on the RootCAFiles.vfd virtual floppy disk. In the
next chapter when the TFS-CA01 server is provisioned, and the virtual floppy disk is
mounted on that server, you can copy the BitLocker Recovery Key to another device at
that point.
The Root CA that was setup in the previous chapter used BitLocker Full Disk Encryption,
but that step is skipped for this chapter. Since it is assumed that the Subordinate CA will
be a proper member of an Active Directory environment, it is likely that full disk
encryption would be setup differently if it were being used in that environment. If you do
not have a different full disk encryption application in use on your domain, you may want
to consider using BitLocker to enhance the security of the Subordinate CA using the
same instructions as the Root CA.
With the Root Certificate Authority successfully setup, most of the remaining
configuration for the TFS Labs Certificate Authority is performed on the TFS-CA01 server.
This chapter will focus on how to install and configure a Subordinate CA using Active
Directory Certificate Services. There are also steps required to be completed on the
Domain Controller for the TFS Labs domain. The most configuration for the Certificate
Authority will occur in this chapter.
Provision and configure a new virtual machine called TFS-CA01 and install Windows
Server 2019 Standard (Desktop Experience) in Hyper-V using the following specifications:
Once the TFS-CA01 virtual machine has been created and the operating system has been
installed, there are a few tasks that need to be completed:
• Set the local Administrator account on the TFS-CA01 server to a complex password
that is at least 14 characters and store the password securely.
• Set the hostname to TFS-CA01. Restart the server to apply the change.
Once the local Administrator account and the hostname have been setup, you will also
need to configure the network settings for the virtual machine:
IP Address 10.100.1.101
Netmask 255.255.255.0
Gateway 10.100.1.1
DNS Server 1 10.100.1.100
Join the TFS-CA01 server to the TFS Labs domain. Restart the server to apply the change.
The TFS-CA01 server should be moved from the default Computer OU in Active Directory
to one of the dedicated OUs that was created earlier for the TFS Labs domain. This will
facilitate easier application of Group Policy objects, which are needed for Active
Directory Certificate Services. To move the TFS-CA01 computer object, perform the
following steps on the TFS-DC01 server:
1. Open the Active Directory Users and Computers console (dsa.msc) on the TFS-DC01
server.
2. Expand the corp.tfslabs.com domain and go to the Computers OU.
3. Right-click on the TFS-CA01 computer and click on Move....
4. In the Move window, expand the TFS Labs OU and select TFS Servers and click OK. If
you see a warning message about moving the computer object, click the Yes button.
5. Close the Active Directory Users and Computers console.
Get-ADComputer "TFS-CA01" | `
Move-ADObject -TargetPath "OU=TFS Servers,OU=TFS Labs,DC=corp,DC=tfslabs,DC=com"
Once the TFS-CA01 server has been successfully joined to the TFS Labs domain, login
with the Domain Administrator account that was created earlier. The Domain
Administrator account will be required for the entire Active Directory Certificate Services
installation and configuration of the TFS-CA01 server. Once the server has been
completely setup and joined to the TFS Labs domain, you can proceed to the next steps
of creating DNS records to support the Active Directory Certificate Services role.
Ensure that you login as the Domain Administrator on the TFS-CA01 server before
attempting to configure the Active Directory Certificate Services role. If you
attempt to configure this role while logged in as a non-administrator, it will not
allow you to configure the role due to permission errors. The Enterprise CA role in
Active Directory Certificate Services requires an Active Directory account with the
correct permissions since it makes changes to Active Directory. Ensure that you
logon to the TFS-CA01 server using the TFSLABS\Administrator account,
otherwise you will not be able to configure the PKI correctly.
If you would like to configure BitLocker as the full disk encryption software for the
TFS-CA01 server, you can follow the same steps as the TFS-ROOT-CA server.
Those steps will work the same way on the TFS-CA01 server. You should perform
those steps now and verify it is working correctly before going any further if you
intend to use BitLocker.
There are two CNAME records that will need to be created to support the PKI on the TFS
Labs domain:
• OCSP.corp.tfslabs.com
• PKI.corp.tfslabs.com
2. Under the DNS node, expand the TFS-DC01 server and then expand Forward Lookup
Zones. Select the corp.tfslabs.com Zone:
5. Right-click on the corp.tfslabs.com DNS Zone and select the option for New Alias
(CNAME)....
6. On the New Resource Record window, in Alias name (uses parent domain if left
blank), enter PKI as the name. In the Fully qualified domain name (FQDN) field, enter
tfs-ca01.corp.tfslabs.com. and then click OK to add the CNAME record.
7. Verify that the two CNAME records have been added to the DNS Zone and point to
the TFS-CA01 server:
Add-DnsServerResourceRecordCName `
-Name "OCSP" `
-HostNameAlias "TFS-CA01.corp.tfslabs.com" `
-ZoneName "corp.tfslabs.com"
Add-DnsServerResourceRecordCName `
-Name "PKI" `
-HostNameAlias "TFS-CA01.corp.tfslabs.com" `
-ZoneName "corp.tfslabs.com"
Once the DNS records have been created, you can proceed to creating the CAPolicy.inf
file that is needed to create the Subordinate certificate.
If the ping fails with a timeout, but still resolves to the correct IP address for the
TFS-CA01 server, that does not necessarily mean that there is an issue. If the Windows
Firewall is blocking ping requests, then the ping responses will fail. A later step in this
chapter will correct any issues with ping requests.
Once the DNS records have been created and validated, you can proceed to creating the
CAPolicy.inf file that is needed to create the Subordinate certificate.
C:\Windows\CAPolicy.inf
[ Version ]
Signature =" $Windows NT$ "
[ PolicyStatementExtension ]
Policies = AllIssuancePolicy , InternalPolicy
Critical = FALSE
[ InternalPolicy ]
OID =1.2.3.4.1455.67.89.5
Notice =" The TFS Labs Certification Authority is internal only ."
URL = http :// pki . corp . tfslabs . com / cps . html
[ Certsrv_Server ]
; Renewal information for the Subordinate CA .
RenewalKeyLength =4096
RenewalValidityPeriod = Years
RenewalValidityPeriodUnits =5
A Delta CRL is not normally required for a Root Certificate Authority, especially one
that is offline since it is not normally handling certificate revocations in a PKI. The
Root CA is only ever used to issue a Base CRL when there are Subordinate
Certificate Authorities. The only certificates that are typically revoked by a Root
CA is a Subordinate certificate, so that would necessitate the deployment of a
new Base CRL instead of a Delta CRL.
Since this is a Subordinate CA that is always online and used for handling all
regular Certificate Authority tasks, a Delta CRL is needed to revoke certificates
much more frequently. A Delta CRL can also be used in parallel with OCSP, which
is configured in a later chapter of this book.
You can update the OID number in the InternalPolicy section of the CAPolicy.inf
file for your deployment if it is required for your organization. The OID number in
this example is used in Microsoft technical documentation, but it should work for
your organization if it is only ever going to be used internally. If you require a
customized OID number, you can register for a Private Enterprise Number through
the IANA.
If you used a particular OID for the Root certificate, ensure that you use the same
OID here as well otherwise the PKI will likely have issues.
If you would like to use your PEN number for the Certificate Authority, modify the
OID line in the InternalPolicy section to OID=1.3.6.1.4.1.X (replace the X with your
PEN number).
Ensure that the CAPolicy.inf file has been properly saved in the C:\Windows folder
(%WINDIR%). Also make sure that the file extension is set to INF and not TXT. A
common mistake is to accidentally save the file as CAPolicy.inf.txt.
If the CAPolicy.inf file is not saved in the correct directory and without the correct
file extension, all settings in the file will be ignored at the time when the Certificate
Authority is created.
2. On the Before You Begin screen, click the Next button to continue:
6. The installation wizard will ask to install any additional features required for the
Active Directory Certificate Services role. Select the option to Include management
tools (if applicable) to install the management tools for the role. Click the Add
Features button to continue:
10. On the Select role services screen, select the option for Certification Authority and
Certificate Authority Web Enrollment:
14. On the Select role services screen, click the Next button to continue:
16. When prompted with a warning about restarting the server, click the Yes button.
17. On the Confirm installation selections screen, click the Install button to continue:
Once the Active Directory Certificate Services role has been installed, you can then
proceed to configuring the role and creating the Subordinate Certificate for the TFS Labs
domain.
Add-WindowsFeature `
-Name ADCS-Cert-Authority, ADCS-Web-Enrollment, Web-Mgmt-Service `
-IncludeManagementTools
4. Once the installation for Active Directory Certificate Services has completed, you
can close the PowerShell prompt.
Once the Active Directory Certificate Services role has been installed, you can then
proceed to configuring the role and creating the Subordinate certificate for the TFS Labs
domain.
1. To begin the configuration of Active Directory Certificate Services, open the Server
Manager console (servermanager.exe). Click the Notifications icon in the upper-right
hand corner and click the Configure Active Directory Certificate Services on the
destination server link in the Post-deployment Configuration box:
3. On the Role Services screen, select the options for Certification Authority and Certification
Authority Web Enrollment and click Next to continue:
5. On the CA Type screen, ensure that the Subordinate CA option is selected and click
the Next button to continue:
7. On the Cryptography for CA screen, make the following changes and then click the
Next button to continue:
• Cryptographic Provider: RSA#Microsoft Software Key Storage Provider
• Key Length: 4096
• Hash Algorithm: SHA256
9. On the Certificate Request screen, accept the default location for saving the Certificate
Request file. It will be saved as C:\TFS-CA01.corp.tfslabs.com_corp-TFS-CA01-CA.req.
Click the Next button to continue:
11. On the Confirmation screen, verify that the options are correct and click the Configure
button to commit the changes:
At this point the Subordinate Certificate Authority for the TFS Labs domain has been
created, but the Subordinate certificate needs to be issued. You can now validate that the
Certificate Authority has been successfully created.
Install-AdcsCertificationAuthority `
-CAType EnterpriseSubordinateCA `
-CACommonName "TFS Labs Enterprise CA" `
-KeyLength 4096 `
-HashAlgorithm SHA256 `
-CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
-Force
4. Run the following command to configure the Certification Authority Web Enrollment
role:
Install-AdcsWebEnrollment -Force
5. The command will automatically configure the Certification Authority Web Enrollment
role and output an ErrorID status of 0:
At this point the Subordinate Certificate Authority for the TFS Labs domain has been
created, but the Subordinate certificate needs to be issued. You can now validate that the
Certificate Authority has been successfully created before configuring the Subordinate
certificate.
Subordinate CA Validation
The Subordinate Certificate Authority for the TFS Labs domain has been created, so there
is now an Enterprise CA available which can be validated. The Certificate Request for the
Subordinate certificate has been created, which means it will need to be submitted to the
Root Certificate Authority to complete the request. Until this CSR is submitted and
completed, the Enterprise CA will not function correctly as there is no valid certificate
present yet.
Even though the Active Directory Certificate Services role was configured, it is not
currently running as there is no valid certificate present. If you open the Certification
Authority console (certsrv.msc) on the TFS-CA01 server, you will see that it is setup, but
the service is not running:
Figure 5.6.1: The Certification Authority console is used to manage the CA and
allows administrators to issue and revoke certificates. This console also allows further
customization of the CA.
1. Add the RootCAFiles.vfd virtual floppy disk to the TFS-CA01 virtual machine.
2. Browse to the C:\ drive and copy the TFS-CA01.corp.tfslabs.com_corp-TFS-CA01-CA.req
to the A:\ drive.
3. Eject the RootCAFiles.vfd virtual floppy disk.
Once the Certificate Request has been successfully copied to the virtual floppy disk, you
can proceed to creating the CertData directory in IIS on the TFS-CA01 server.
1. Add the RootCAFiles.vfd virtual floppy disk to the TFS-CA01 virtual machine.
2. On the root of the C:\ drive, create a folder called CertData (C:\CertData).
3. Open the A:\ drive and copy the TFS Labs Certificate Authority.crl and TFS-ROOT-CA_TFS
Labs Certificate Authority.crt files to the C:\CertData folder.
4. Eject the RootCAFiles.vfd virtual floppy disk.
There are two methods for creating the CertData virtual directory on the TFS-CA01 server,
one using the IIS Manager and the other using the command line. Only one method for
creating the CertData folder is needed, you can choose whatever method to create the
virtual directory since the result will be the same.
The Root Certificate Authority is an Offline CA, which means that files such as the
Root certificate and the Root CRL files are not available. As part of maintaining a
healthy PKI, it is necessary that the Root CA files are made available to users,
workstations, and other devices. The CDP and AIA files for the Root CA were
configured on the Root CA in the previous chapter.
Since the TFS-ROOT-CA server is offline and the TFS-CA01 server is online, the
TFS-CA01 server can be used to host the necessary Root CA files. When the CRL
files for the Root CA are updated, those files will need to be copied to this folder
as well to ensure that the PKI remains up to date. Steps on how to perform this
are provided in a later chapter.
4. On Add Virtual Directory screen, in Alias, enter CertData. For the Physical path, enter
C:\CertData and then click OK.
5. In the Connections screen, under the Default Web Site, ensure the CertData virtual
directory is selected:
Once the directory and the directory browsing option has been enabled on the CertData
directory, double escaping can now be enabled in IIS.
cd C:\Windows\System32\inetsrv\
3. Run the following command to create the CertData virtual directory in IIS:
4. Run the following command to enable Directory Browsing on the CertData virtual
directory:
Once the directory and the directory browsing option has been enabled on the CertData
directory, double escaping can now be enabled in IIS.
http://pki.corp.tfslabs.com/CertData/
The contents of the CertData folder should be displayed in the browser, and the Root
certificate and Root CRL files should be listed.
Once the directory and the directory browsing option has been enabled on the CertData
directory, double escaping can now be enabled in IIS.
cd C:\Windows\System32\inetsrv\
After enabling double escaping in IIS, it will now be possible to distribute the Delta CRL
files in the TFS Labs domain.
If double escaping is not enabled correctly then there will be issues with deploying
the Delta CRL and with validation of the PKI. This issue will occur since the Delta
CRL files are not able to be accessed over HTTP, and that is the way that they are
distributed with the Enterprise CA in this book. If an issue arises with accessing
the Delta CRL files, it is easy to correct by checking IIS to verify that double
escaping is enabled.
Creating the Subordinate certificate requires multiple steps using both the Root CA
server and the Subordinate CA server. These steps are not complicated, but they must be
completed in the correct order and none of the steps can be skipped. The workflow for
creating the Subordinate certificate is as follows:
To create the Subordinate CA certificate, perform the following steps on the TFS-CA01
and TFS-ROOT-CA servers:
1. Add the RootCAFiles.vfd virtual floppy disk to the TFS-ROOT-CA virtual machine.
2. Copy the A:\TFS-CA01.corp.tfslabs.com_corp-TFS-CA01-CA.req file to the C:\RootCA
folder.
3. On the TFS-ROOT-CA server open Certification Authority console (certsrv.msc).
4. Right-click on the TFS Labs Certificate Authority server, select All Tasks and click
on Submit new request...:
6. Once the Certificate Request has been submitted to the Root Certificate Authority,
go to the Pending Requests folder in the TFS Labs Certificate Authority to see the
pending Certificate Request. It should be identified as Request ID 2:
8. Once the certificate has been issued, go to the Issued Certificates folder to see the
certificate. It is still identified as Request ID 2:
10. Go to the Details tab and click on the Copy to File... button:
12. On the Export File Format screen, select the Cryptographic Message Syntax Standard
- PKCS #7 Certificate (.P7B) format. Select the option to Include all certificates in
the certification path if possible and click the Next button:
14. On the Completing the Certificate Export Wizard screen, click the Finish button to
complete the wizard:
20. Right-click on the TFS Labs Enterprise CA server, go to All Tasks and select the option
to Install CA Certificate...:
22. If you receive a warning message about installing an untrusted Root certificate, click
the OK button. The error is due to the Root certificate being untrusted and should be
referenced by the CERT_E_UNTRUSTEDROOT error message.
23. If there were no errors in installing the certificate, right-click on the TFS Labs Enterprise
CA server, select the All Tasks option, and click the Start Service option:
You can also view the Subordinate certificate and verify that it was created with the
correct values that you setup during the configuration:
Figure 5.9.1: The TFS Labs Enterprise CA is signed by the TFS Labs Certificate Authority,
with a 5 year validity period.
• C:\TFS-CA01.corp.tfslabs.com_corp-TFS-CA01-CA.req
• C:\TFS Labs Enterprise CA.p7b
These files should be deleted as they should not remain on a server that has active
network connections for security purposes. Those files can remain on the TFS-ROOT-CA
server as it is offline, and the files cannot be accessed.
There may be instances where the installation and configuration of the Subordinate
certificate may fail for several reasons (if the Subordinate certificate was successfully
issued, skip this step). This may occur when the Subordinate CA has issues with the
Root CA CRL configuration, which is offline at the time of issuance of the Subordinate
certificate. To correct this issue when you are attempting to issue or start the services on
the Subordinate CA, run the following command in an elevated PowerShell prompt:
Once the command is issued, the Active Directory Certificate Services role will need to be
restarted. Run the following commands to restart the service:
You can proceed to setting the maximum age for any certificate that is issued by the
Certificate Authority in the next section.
To configure the maximum certificate age for the Subordinate CA, run the following
commands on the TFS-CA01 server:
1. To define the maximum age of any certificate that the Subordinate CA is capable of
issuing, run the following commands from an elevated PowerShell prompt:
2. Restart the Active Directory Certificate Services service to apply the configuration:
3. In the Connections pane, under the Default Web Site, ensure the CertEnroll virtual
directory is selected:
cd C:\Windows\System32\inetsrv\
3. Run the following command to enable Directory Browsing on the CertEnroll virtual
directory:
http://pki.corp.tfslabs.com/CertEnroll/
Figure 5.11.1: The CertEnroll folder contains the Subordinate CA certificate as well as the
Subordinate CRL files. This includes the Base CRL and Delta CRL files.
To ensure that double escaping has been correctly enabled on the IIS server, you should
be able to download all files that are listed in the CertEnroll directory. If the files are not
able to be downloaded, especially the TFS Labs Enterprise CA+.crl file, that means that
double escaping was not correctly enabled on the IIS server.
Unlike the Root CA certificate and CRL files, the contents of the CertEnroll folder are
automatically updated whenever there are updates to it through Active Directory
Certificate Services. There is no need to manually update the contents of the CertEnroll
folder, as it is completely managed through Active Directory Certificate Services
whenever a certificate needs to be revoked.
3. Enable auditing for all events on the Certificate Authority by running the following
command:
4. Restart the Active Directory Certificate Services service to apply the changes:
Once auditing has been enabled on the Subordinate Certificate Authority, you can now
proceed to configuring the CDP and AIA on the Subordinate CA.
With auditing enabled for Active Directory Certificate Services, events that are
enabled for auditing will be logged to the Windows Event Viewer. These events
can be viewed through the Event Viewer Console (eventvwr.msc).
There are 31 Active Directory Certificate Services related events that can be
logged in the Windows Event Viewer with an Event ID between 4868 and 4898.
The CRL files that are provided by the Root CA are distributed with the Subordinate CA.
This is because the Root CA is not available on the network since it is always offline, so
there is no way for clients to access the files needed for the TFS Labs domain. This is not
needed as the Subordinate CA is always online and managed, so those workarounds are
not required.
There are multiple locations where the CDP and AIA locations are used for the
Subordinate Certificate Authority:
The CDP and AIA configuration on the Subordinate Certificate Authority can be performed
using the Certification Authority console or through the command line using PowerShell.
3. Select the Extensions tab, verify that the CRL Distribution Point (CDP) extension is
selected under the Select extension field, and click the Add button:
http://pki.corp.tfslabs.com/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
5. On the Extensions tab, verify that the Include in CRLs. Clients use this to find Delta
CRL locations. and Include in the CDP extension of issued certificates options are
selected for the location that was just entered.
6. Select the file://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix>
<DeltaCRLAllowed>.crl list item and click the Remove button. Click the Yes button
to confirm that you want to remove the location.
7. On the Extensions tab, verify that under the Selection extension field, the Authority
Information Access (AIA) extension is selected, and click the Add button:
8. On the Add Location window, under the Location field, enter the following address
and click the OK button:
http://pki.corp.tfslabs.com/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt
9. On the Extensions tab, verify that the Include in the AIA extension of issued certificates
option is selected for the location that was just entered.
10. Select file://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CaName>
<CertificateName>.crt from the list and click the Remove button. Click the Yes button
to confirm that you want to remove the location.
15. On the Publish CRL window, verify that New CRL is selected and click the OK button:
Once the CRL settings for the Subordinate CA have been configured, you can proceed to
configuring the CPS document for the TFS Labs domain.
3. Run the following command to configure the AIA settings for the Subordinate Certificate
(execute this command as a single line with no breaks):
4. Restart the Active Directory Certificate Services service to apply the changes:
certutil.exe -crl
There are two commands that can be run to verify that the CDP and AIA settings were
successfully applied to the Subordinate CA. To verify the CRL settings that were just
applied, run the following command:
To verify the AIA settings that were just applied to the Subordinate CA, run the following
command:
Once the CRL settings for the Subordinate CA have been configured, you can proceed to
configuring the CPS document for the TFS Labs domain.
The CPS document varies for every organization, so a placeholder will be put in place
which can be updated later to ensure that the Certificate Authority meets any compliance
standards that may be required. This is especially important in industries with strict
requirements (such as financial services), so having a CPS in place from day one can
alleviate a lot of issues in the future. There are several important items that should be
defined in a CPS document, and the IETF has published RFC 3647 which is used to set
the standards for a Certificate Policy Statement.
At the time of creation of the TFS Labs Certificate Authority on both the Root CA and the
Subordinate CA, the path to the CPS document was set. This path will be displayed
whenever any certificate that was issued by the TFS Labs Certificate Authority is
displayed. In the future, should a more detailed CPS document be required, this can be
remapped with IIS to go to another location.
To create the CPS document, perform the following steps on the TFS-CA01 server:
1. On the TFS-CA01 server, open Windows File Explorer (explorer.exe), then go to This
PC and then go to the C:\.
2. Open the C:\inetpub\wwwroot folder.
3. Create a file named cps.html (ensure the file extension is correct).
4. Copy the following text into the cps.html file, save it and close the file:
C:\inetpub\wwwroot\cps.html
<p > The TFS Labs Certification Authority is internal only . </p >
<p > All issued certificates are for internal usage only . </p >
http://pki.corp.tfslabs.com/cps.html
Figure 5.14.1: The CPS placeholder document can be modified at any time in the future
to fit the needs of an organization. This placeholder can be accessed through every
certificate that is issued by the TFS Labs Certificate Authority.
You can also get to the document by checking the certificate properties for any
Certificate issued by the TFS Labs Certificate Authority. If you open any certificate that
was issued by the TFS Labs Certificate Authority, there is a button called Issuer
Statement, which will provide a direct link to the CPS document. In the future, should you
want to use a different URL for accessing the CPS document, you can simply setup a
redirect within IIS to handle the request.
If there is an issue with the CPS document, it will not affect the normal operation of a
Certificate Authority. Keeping the CPS accessible and up to date should be a priority, as
users are able to access it so it should always be available.
Once the CPS document has been created, you can proceed to configuring the Windows
Firewall on the TFS-CA01 server.
The correct firewall rules should be automatically enabled when the Active Directory
Certificate Services role is configured, but they should be checked to ensure that they are
opened before proceeding. Quickly validating the firewall rules now can save a lot of time
later should there be an issue with the Certificate Authority.
There are three firewall rules that need to be enabled on the TFS-CA01 server for Active
Directory Certificate Services to function correctly:
To check if the firewall rules are enabled on the TFS-CA01 server, perform the following
steps:
1. Open the Windows Defender Firewall with Advanced Security console (wf.msc) on
the TFS-CA01 server:
3. For each of the firewall rules listed above, perform the following steps:
(a) Right-click on the firewall rule and select the Properties option to open the Rule
Properties window.
(b) On the General tab, select the option for Enabled.
(c) On the Advanced tab, ensure that the options for Domain, Private and Public
are selected.
(d) Click on the Apply button to apply the changes and then click the OK button to
close the window.
4. Close the Windows Defender Firewall with Advanced Security console.
Once the Windows Firewall has been correctly configured, you can proceed to adding the
Root CA to Active Directory.
If you are using a third-party firewall solution for the server, then it is possible for
the Windows Firewall to be automatically disabled as a result. If there is a
software firewall enabled on your servers, then you are following best practices.
This step will ensure that workstations that are a member of the TFS Labs domain will
trust the Root Certificate Authority. Devices that are not a part of the Active Directory
domain will still need to have the Root certificate installed for it to be trusted.
The Root certificate and CRL are already located on the TFS-CA01 server and can be
found in the C:\CertData folder. This reduces the amount of configuration that is required
to add the Root CA to Active Directory.
To add the Root CA and Root CRL to the TFS Labs domain, perform the following steps
on the TFS-CA01 server:
certutil.exe -dspublish `
-f "C:\CertData\TFS-ROOT-CA_TFS Labs Certificate Authority.crt" RootCA
certutil.exe –addstore `
–f root "C:\CertData\TFS-ROOT-CA_TFS Labs Certificate Authority.crt"
4. Run the following command to add the Root CRL to the Certificate Store in Active
Directory:
certutil.exe –addstore `
–f root "C:\CertData\TFS Labs Certificate Authority.crl"
1. Open the Active Directory Sites and Services (dssite.msc) console on the TFS-DC01
server.
2. Ensure that the Active Directory Sites and Services node is selected, click on the
View menu and select the Show Services Node option.
3. Expand the Active Directory Sites and Services > Services > Public Key Services
node.
4. Open the CDP > RootCA folder to find the CRL:
4. Under the Enterprise PKI node, click on the TFS Labs Enterprise CA (V0.0) server.
Check that the status of the CA Certificate, DeltaCRL Locations, AIA Locations and
CDP Locations have the status of OK:
Once the Root and Subordinate certificates have been created, those certificates will
need to be deployed to the TFS Labs domain for those certificates to be utilized. With an
Enterprise CA running with Active Directory Certificate Services, any Subordinate
certificates will automatically deploy to any server or workstation within the Active
Directory domain.
Since the TFS Labs Certificate Authority uses an Offline CA, this means that the Root
certificate will not be automatically deployed to the domain, since there is no network
connection on that server and it is not an Enterprise CA. Fortunately, deploying the Root
certificate is a trivial process since the use of Group Policy makes certificate deployment
easy to perform in Active Directory.
The Group Policy Objects that are created in this chapter will be used in later steps for
certificate auto-enrollment and for deploying the OCSP settings to the TFS Labs domain.
This chapter will focus on the deployment of the Root and Subordinate certificates to the
TFS Labs domain. This deployment will be automatic using Group Policy which will allow
for rapid deployment to domain servers and workstations.
As a result of the deployment that has been completed so far, the Root and Subordinate
certificates for the TFS Labs domain are already located on the TFS-CA01 server in two
different folders:
Both certificates are DER encoded and are available for usage immediately. They can be
installed through Active Directory, either manually by users or automatically by Group
Policy. To get the two certificate files ready for distribution on the TFS Labs domain,
perform the following steps on the TFS-CA01 and TFS-DC01 servers:
1. On the C:\ drive on the TFS-CA01 server, create a folder called Certificates
(C:\Certificates).
2. On the TFS-CA01 server, copy the C:\CertData\TFS-ROOT-CA_TFS Labs Certificate
Authority.crt file to the (C:\Certificates) folder.
3. On the TFS-CA01 server, copy the C:\Windows\System32\certsrv\CertEnroll\TFS-CA01.
corp.tfslabs.com_TFS Labs Enterprise CA.crt file to the (C:\Certificates) folder.
4. Rename the certificate files to the following on the TFS-CA01 server in the
(C:\Certificates) folder:
• TFS-ROOT-CA_TFS Labs Certificate Authority.crt file to TFS Labs Certificate
Authority.crt
• TFS-CA01.corp.tfslabs.com_TFS Labs Enterprise CA.crt file to TFS Labs Enterprise
CA.crt
5. On the C:\ drive on the TFS-DC01 server, create a folder called Certificates
(C:\Certificates).
6. Copy the contents of the C:\Certificates folder on the TFS-CA01 server to the
C:\Certificates on the TFS-DC01 server.
Once the certificates have been successfully renamed and copied, you can inspect them
to ensure that there are no issues with either of the certificates:
The certificates that are currently being deployed to the TFS Labs domain are in
the DER Encoded format, but what if you want to deploy them in the Base-64
Encoded format? You have the option of exporting those certificates in that
format, but there is a faster method to convert certificates using the certutil.exe
utility.
To convert from DER Encoded format to Base-64 Encoded format, run the
following command:
To convert from Base-64 Encoded format to DER Encoded format, run the
following command:
There should not be any issues with converting between certificate formats using
the certutil.exe utility. If you convert from one format to another, and then back
again, the certificate contents and file sizes will be identical.
There are default Group Policy Objects available in an Active Directory domain, but it is
advised to create your own for your specific purposes and not modify the Default Domain
Policy. This way you have complete control over the Group Policy Objects that are being
assigned to the domain.
If you are using Active Directory Certificate Services in an Active Directory domain, you
will find that the Subordinate certificate is already deployed to all the workstations and
servers in the domain since the Subordinate CA is an Enterprise CA.
To deploy the Root and Subordinate certificates using Group Policy, perform the
following steps on the TFS-DC01 server:
4. On the New GPO window, under the Name, enter TFS Labs Certificates and click the
OK button.
5. Under the TFS Labs OU, the TFS Labs Certificates OU will now be listed:
7. The Group Policy Management Editor window for the TFS Labs Certificates GPO
should open:
9. Right-click on the Trusted Root Certification Authorities folder and select the Import...
option:
(a) On the Welcome to the Certificate Import Wizard window, click the Next button
to continue.
(b) On the File to Import window, enter C:\Certificates\TFS Labs Certificate Authority.crt
as the File name and click the Next button to continue.
(c) On the Certificate Store window, ensure that the Trusted Root Certification
Authorities store is selected and click the Next button to continue.
(d) On the Completing the Certificate Import Wizard screen, click the Finish button.
(e) On the Certificate Import Wizard prompt, click the OK button to complete the
import of the Root certificate.
10. Right-click on the Intermediate Certification Authorities folder and select the Import...
option:
(a) On the Welcome to the Certificate Import Wizard window, click the Next button
to continue.
(b) On the File to Import window, enter C:\Certificates\TFS Labs Enterprise CA.crt
as the File name and click the Next button to continue.
(c) On the Certificate Store window, ensure that the Intermediate Certification Authorities
store is selected and click the Next button to continue.
(d) On the Completing the Certificate Import Wizard screen, click the Finish button.
(e) On the Certificate Import Wizard prompt, click the OK button to complete the
import of the Subordinate certificate.
11. Close the Group Policy Management console.
gpupdate.exe /force
You can check the Local Machine Certificate Store on any workstation or server in the
TFS Labs domain to ensure that both certificates are present on those devices.
Duplicate Certificates
Ensure that in a production network the certificates folder that is created on the
Domain Controller is present on all Domain Controllers. Group Policy will require
access to this folder and the contents of it, and if it is missing on a Domain
Controller the Root certificate will not be deployed correctly.
The TFS Labs Certificates GPO was created to prevent modifications to the
Default Domain Policy GPO, which is created at the time of any Active Directory
domain creation. It is bad practice to add anything to the Default Domain Policy,
as this GPO should only be used for essential account policies (such as
passwords and account lockouts), and it is applied to the root of the entire Active
Directory domain. The Default Domain Policy is applied to the root of the Active
Directory domain to ensure that all users and computers receive the policy.
Creating Group Policy Objects and applying them to specific OUs is preferred, as it
ensures that you as the Administrator are aware of everything that is being
applied to your Active Directory domain. It ensures that you are also correctly
targeting your Group Policy Objects to the correct users and workstations.
Once the new Group Policy Object has been created, you can proceed to deploying the
Root certificate to the TFS-CA01 Domain Controller.
It is best practice to never modify the Default Domain Controller Policy as this
policy contains important security information for the Domain Controllers. These
settings are critical to ensure that proper audit, security, and user settings are
correctly applied, and if modified incorrectly can cause login failures within an
Active Directory domain.
Because of the importance of the Default Domain Controllers Policy, and changes
that you intend to make to a Domain Controller should always be done in a
separate Group Policy Object.
This step is entirely optional, and not completing it does not affect the deployment of
Active Directory Certificate Services.
If you would like to create an internal website for deploying the Root and Subordinate
certificates for the TFS Labs domain, all that is needed is to add a new virtual directory in
IIS. This configuration can be completed using the IIS Manager or with the command line.
MDM Solutions
Ensure that any certificates that are included in this folder do not include any
private keys. If you accidentally include the private keys in these certificates, you
will compromise the integrity of your Certificate Authority. If you accidentally
publish a certificate with the private key, you should strongly consider revoking it.
1. Open the Internet Information Services (IIS) Manager (inetmgr.exe) console on the
TFS-CA01 server.
2. On the Connections pane, expand TFS-CA01, then expand Sites and then select
Default Web Site.
3. Right-click on Default Web Site and select Add Virtual Directory....
4. On the Add Virtual Directory window, in the Alias field, enter Certificates. For the
Physical path, enter C:\Certificates and then click OK.
5. In the Connections pane, under the Default Web Site, ensure the Certificates virtual
directory is selected.
6. In the Certificates Home pane, double-click on Directory Browsing.
7. In the Actions pane, click the Enable button.
8. Close the Internet Information Services (IIS) Manager console.
Once the certificates virtual directory has been successfully configured, you can move on
to validate the virtual directory.
cd C:\Windows\System32\inetsrv\
3. Run the following command to create the CertData virtual directory in IIS:
4. Run the following command to enable Directory Browsing on the CertData Virtual
Directory:
Once the certificates virtual directory has been successfully configured, you can move on
to validate the virtual directory.
http://pki.corp.tfslabs.com/Certificates/
Figure 6.4.1: The Certificates folder contains the Root and Subordinate certificates in a
format that can be easily deployed across multiple platforms.
Once the virtual directory has been successfully configured and tested, you can move on
to the next chapter.
The ability to issue and manage certificates is the primary purpose of a Certificate
Authority, but if the integrity of any of those certificates is ever compromised then it is up
to an administrator to revoke those certificates since they can no longer be trusted.
Typically, a Certificate Revocation List is used to revoke certificates, but a CRL is not
always updated often enough. The Online Certificate Status Protocol is a service that is
available that speeds up the revocation of certificates and reduces overhead on the CRL.
In Active Directory Certificate Services, this feature is implemented as the Online
Responder role.
For large environments using Active Directory Certificate Services, the Online Responder
role is convenient because it allows for rapid revocation of certificates. In smaller
environments the Online Responder role is not always needed, so this chapter is optional
if you do not believe it is required for your organization. Fortunately, the Online
Responder role can be added to Active Directory Certificate Services at any time in the
future should it be required.
This chapter will focus on installing and configuring the Online Responder role within
Active Directory Certificate Services. The OCSP feature simplifies the revocation of
certificates and makes it much faster to revoke a certificate that should no longer be
trusted.
1. Open the Server Manager console (servermanager.exe), click on the Manage menu,
and click on Add Roles and Features to start the installation wizard:
2. On the Before You Begin screen, click the Next button to continue.
3. On the Installation Type screen, select the option for Role-based or feature-based
installation and click the Next button to continue.
4. On the Server Selection screen, verify that the TFS-CA01.corp.tfslabs.com server is
selected and click Next to continue.
6. The installation wizard will ask to install any additional features required for the
Active Directory Certificate Services role. Select the option to Include management
tools (if applicable) to install the management tools for the role. Click the Add
Features button to continue.
7. On the Server Roles screen, click the Next button to continue.
8. On the Features screen, click the Next button to continue.
9. On the Confirm installation selections screen, select the option to Restart the destination
server automatically if required.
10. When prompted with a warning about restarting the server, click the Yes button.
11. On the Confirm installation selections screen, click the Install button to continue.
12. Once the installation is completed, click the Close button.
Once the Online Responder role has been added to the TFS-CA01 server, you can proceed
to enabling it for the TFS Labs domain.
Once the Online Responder role has been added to the TFS-CA01 server, you can proceed
to enabling it for the TFS Labs domain.
1. To begin the configuration of the Online Responder Service, open the Server Manager
console (servermanager.exe). Click the Notifications icon in the upper-right hand
corner and click the Configure Active Directory Certificate Services on the destination
server link in the Post-deployment Configuration box:
3. On the Role Services screen, select the option for Online Responder and click Next
to continue:
Once the Online Responder role has been enabled on the TFS-CA01 server, you can
proceed to adding the OCSP URL to the Subordinate CA.
Install-AdcsOnlineResponder -Force
3. Once the Online Responder role has been enabled, you can close the PowerShell
prompt.
Once the Online Responder role has been enabled on the TFS-CA01 server, you can
proceed to adding the OCSP URL to the Subordinate CA.
To do this, open the Internet Information Services (IIS) Manager console and expand the
TFS-CA01 > Sites > Default Web Site folder. The ocsp folder should be listed as one of
the available directories:
certutil.exe -vocsproot
The IIS service will need to be restarted afterwards if this command is run to apply the
changes. You can restart IIS by running the following command in an elevated
PowerShell prompt:
iisreset.exe
Once the Online Responder role has been enabled on the TFS-CA01 server, you can
proceed to adding the OCSP URL to the Subordinate CA.
7. When prompted by the Certification Authority dialog box to restart Active Directory
Certificate Services, click Yes.
8. Close the Certification Authority console.
Once the OCSP URL has been added to the Subordinate CA, you can proceed to
configuring and publishing the OCSP Response Signing Certificate.
3. Restart the Active Directory Certificate Services service to apply the changes:
4. Once the Online Responder role has been configured, you can close the PowerShell
prompt.
Once the OCSP URL has been added to the Subordinate CA, you can proceed to
configuring and publishing the OCSP Response Signing Certificate.
To configure the OCSP Response Signing Certificate, perform the following steps on the
TFS-CA01 server:
2. Ensure that the TFS Labs Enterprise CA server is expanded in the console tree.
3. Right-click on the Certificate Templates folder and then click Manage:
6. The Properties of New Template window will open for the Duplicated Certificate.
7. On the Compatibility tab, make the following changes in the Compatibility Settings
pane:
• Certification Authority - Windows Server 2016
• Certificate recipient - Windows 10 / Windows Server 2016
8. When the Resulting changes window appears, click the OK button to continue.
9. On the General tab, change the name of the Certificate Template from Copy of OCSP
Response Signing to TFS Labs OCSP Response Signing. The Validity period and
Renewal period times can remain at the default values.
10. On the Cryptography tab, make the following changes for the Cryptography settings:
• Provider Category - Key Storage Provider
• Algorithm name - RSA
• Minimum key size - 4096
• Request hash - SHA256
11. On the Security tab, select Authenticated Users and enable the Enroll permission.
12. On the Security tab, add the TFS-CA01 server and enable the Read and Enroll permissions.
There are a few extra steps required for adding server and computer objects
to the security settings as those objects are not searchable by default. To be
able to add a server object, perform the following steps to be able to search
for those objects:
17. In the Enable Certificate Templates window, select the TFS Labs OCSP Response
Signing Certificate Template and then click OK:
Once the OCSP Response Signing certificate has been created and issued, you can
proceed to the revocation configuration on the TFS-CA01 server.
To perform the revocation configuration for the TFS Labs domain, complete the following
steps on the TFS-CA01 server:
4. On the Name the Revocation Configuration screen, enter TFS Labs Enterprise CA
OCSP in the Name field, and then click Next to continue:
12. On the Revocation Provider Properties window, for the HTTP location in the Base
CRLs pane, clear the Refresh CRLs based on their validity periods option. In the
Update CRLs at this refresh interval (min) field, enter 15 as the value, and then click
OK to close the window:
15. Click on the View Signing Certificate link to view the OCSP Certificate. Click OK to
close the Certificate:
Once the revocation configuration has been completed for the Online Responder role, you
can proceed to configure auditing for the Online Responder role.
To configure auditing for the Online Responder role, perform the following steps:
1. Open the Online Responder Management console (ocsp.msc) on the TFS-CA01 server:
4. On the Audit tab, select all the auditing options and click the OK button:
Once auditing has been enabled for the Online Responder role, you can proceed to adding
the OCSP URL to Group Policy.
With auditing enabled for the Online Responder Service, events that are enabled
for auditing will be logged to the Windows Event Viewer. These events can be
viewed through the Event Viewer console (eventvwr.msc):
Opening one of the events will show more details on the Online Responder Service
details will give further details on that event:
There are 8 Online Responder Service events that can be logged in the Windows
Event Viewer with an Event ID between 5120 and 5127. Events are also logged
with a Task Category of Certification Services to allow for an alternative sorting
and filtering method.
6. In the TFS Labs Enterprise CA properties window, click on the OCSP tab and in the
text field to the right of the Add URL button, enter http://ocsp.corp.tfslabs.com/ocsp
and click the Add URL button. Click the OK button to close the window:
Once the OCSP URL has been added to Group Policy, allow up to 1 hour for the OCSP URL
to be deployed to the entire Active Directory domain. You can now proceed to validating
the OCSP configuration on the TFS-CA01 server.
If the OCSP Location in the Enterprise PKI console is showing an error, then the issue is
most likely with the CA Exchange Certificate in the Certificate Authority. That particular
certificate does not know about OCSP since it was generated before the Online
Responder role was configured, so it will need to be recreated for it to be valid.
Fortunately, this is not a major issue, and this task can be performed without causing any
issues with the Certificate Authority.
Figure 7.8.1: The OCSP Location is invalid since the Online Responder role was added
after several certificates were created. This can be corrected by revoking a certificate and
recreating it, as the new certificate will be aware of the OCSP Location.
To fix the error with the OCSP Location, perform the following steps:
Once the OCSP status has been verified and there are no errors, you can proceed to
checking the OCSP connectivity.
1. On the TFS-CA01 server, export the TFS Labs Enterprise CA certificate as a DER
Encoded Binary to the root of the C:\ drive (C:\TFS Labs Enterprise CA.cer).
2. Run the following command in an elevated PowerShell prompt to launch the URL
Retrieval Tool, and load the certificate to be checked:
4. In the Retrieve pane, select the option for Certs (from AIA) and then click the Retrieve
button. The results that are returned should include the Enterprise CA locations with
a Verified status:
5. In the Retrieve pane, select the option for CRLs (from CDP) and then click the Retrieve
button. The results that are returned should include the Base CRL and Delta CRL
locations with a Verified status:
This step may not return a result immediately and that is nothing to be concerned
about. If you run this test and nothing is returned in the results, you may want to
run this test later using the TFS-WIN10 workstation once the Active Directory
Certificate Services deployment has been completed. If the previous test of
verifying OCSP connectivity was successful, then there are no issues with OCSP.
With the use of certificates and a PKI in an Active Directory domain, a lot of enhanced
functionality can be utilized that depends on a valid PKI. This functionality relies on the
public and private keys always being available and ensuring the integrity of those keys.
An important thing to factor in with certificates is to ensure that the private keys are
backed up correctly, which most users would not understand how to do. Fortunately, this
is a straightforward process to automate and can be performed natively with no
third-party software or utilities required in Windows Server.
This chapter will focus on the setup and deployment of the Certificate Templates needed
to enable Private Key Archival. This will allow for the recovery of the private keys for a
user if their private key is lost for whatever reasons.
5. The Properties of New Template window will open for the Duplicated Certificate.
6. On the Compatibility tab, make the following changes in the Compatibility Settings
pane (when the Resulting changes windows appears, click the OK button to continue):
• Certification Authority - Windows Server 2016
• Certificate recipient - Windows 10 / Windows Server 2016
8. On the Issuance Requirements tab, un-check the option for CA certificate manager
approval:
10. On the Security tab, verify that Authenticated Users group only has the Read permission
enabled:
12. On the Security tab, select the Enterprise Admins group and enable the Read, Write
and Enroll permissions:
13. Click the OK button to close the Properties of New Template window.
14. Close the Certificate Templates console window.
17. The TFS Labs Key Recovery Agent Certificate Template should now appear in the
Certificate Templates folder:
Once the Key Recovery Agent Certificate Template has been created, you can proceed to
issuing the certificate to the Domain Administrator account.
1. On the TFS-CA01 server, open the Certificates console (certmgr.msc) for the Current
User Account, which should be the Domain Administrator account:
2. Right-click on the Personal folder and select the All Tasks > Request New Certificate
option:
4. On the Select Certificate Enrollment Policy screen, the Active Directory Enrollment
Policy will be automatically selected. Click the Next button to continue:
Once the Key Recovery Agent certificate has been issued for the Domain Administrator
account, you can proceed to configuring the Certificate Authority to use Key Recovery.
It is not advised to setup the Domain Administrator account for the Key Recovery
Agent for large organizations. It is better to use a dedicated account for Key
Recovery if the task of restoring certificates has been delegated to other users in
the organization.
Adding additional or dedicated accounts also allows for better delegation to other
members of the IT department and removes extra tasks that must be run as the
Domain Administrator account.
5. On the Recovery Agents tab, under the Key recovery agent certificates pane, click the
Add... button and select the Key Recovery Agent Certificate that was just requested
by clicking the OK button:
7. Click the OK button. When prompted to restart Active Directory Certificate Services,
click the Yes button.
8. Close the Certification Authority console.
Once the Certificate Authority has been configured to allow for key recovery, Certificate
Templates can now be created to allow for the automatic back up of private keys.
Active Directory Certificate Services provides multiple default Certificate Templates that
are available for use within your Active Directory domain. Most of these default
Certificate Templates are completely adequate and would work well in most
organizations, but they can sometimes require some additional customization from the
default settings.
By creating custom Certificate Templates for your Active Directory domain, you are
ensuring that the security settings for those certificates are correct and that the correct
servers can manage certificates. There are also additional Certificate Templates present
by default which can be deleted.
This chapter will focus on the modification and deployment of various Certificate
Templates for Active Directory Certificate Services. There will also be a focus on how to
modify those Certificate Templates to follow the best security practices as well and
modifying them to work with automatic deployment.
Administrator IPSec
Authenticated Session IPSec (Offline request)
Basic EFS Kerberos Authentication
CA Exchange Key Recovery Agent
CEP Encryption OCSP Response Signing
Code Signing RAS and IAS Server
Computer Root Certification Authority
Cross Certification Authority Router (Offline request)
Directory Email Replication Smartcard Logon
Domain Controller Smartcard User
Domain Controller Authentication Subordinate Certification Authority
EFS Recovery Agent Trust List Signing
Enrollment Agent User
Enrollment Agent (Computer) User Signature Only
Exchange Enrollment Agent Web Server
Exchange Signature Only Workstation Authentication
Exchange User
These Certificate Templates are available for usage and can be customized to fit the
needs of your organization. Certificate Templates are be published in Active Directory,
which allows for greater ease of Certificate Deployment within an organization. There are
a few best practices that should be followed when dealing with Certificate Templates:
• You should always duplicate existing Certificate Templates that you intend to use
and then modify the duplicate Certificate Template accordingly. Some of the default
Certificate Templates can be modified without duplicating them, but this is not a
recommended way to modify Certificate Templates.
• Always use descriptive names for the Certificate Templates to ensure that you know
that it is a Certificate Template that was duplicated. If the name is too similar to the
default Certificate Template, it can be easy to confuse which Certificate Templates
are default and which ones are duplicated.
For the TFS Labs domain, the following Certificate Templates will be created and
published so that they can be utilized by users, workstations, and servers:
These Certificate Templates will be used to issue certificates to the TFS Labs domain.
Some of these certificates will be issued automatically using Group Policy, and the other
certificates can be requested by users as needed. The procedure for creating these
Certificate Templates is mostly the same, and only requires slight modifications from the
default settings.
When working with Certificate Templates there are several compatibility settings that you
will need to factor in depending on your environment. In Active Directory Certificate
Services there are two types of compatibility settings that can be modified, and that is
the Certificate Authority and the Certificate Recipient settings.
For the Certificate Authority options, there are six options for what the minimum level of
support is:
Typically, it is best practice to support the previous operating system to ensure that you
experience no issues within the environment. For example, if your environment is
primarily using Windows Server 2016 and Windows 10, you should choose Windows
Server 2012 R2 and Windows 8.1 to ensure the greatest compatibility in the network.
Since this book only focuses on the latest versions of Windows and is just for
demonstration purposes, only the highest compatibility settings are used.
• File encryption
• E-mail signing
• 802.1X authentication
• VPN authentication
Since User Certificates are used for critical purposes that can effectively lock a user out
of important data, it is strongly advised that these certificates utilize the Key Recovery
Agent that was setup in the previous chapter.
To create the User Certificate Template, which can be automatically issued later and
enrolled, perform the following steps on the TFS-CA01 server:
There are a few extra steps required for adding server and computer objects
to the security settings as those objects are not searchable by default. To be
able to add a server object, perform the following steps to be able to search
for those objects:
11. On the Security tab, select the Domain Users group and assign the Read, Enroll and
Autoenroll permissions.
12. Click the OK button to close the Properties of New Template window.
13. Close the Certificate Templates console window.
14. In the Certification Authority console, right-click on Certificate Templates, then select
New and then select Certificate Template to Issue.
15. In the Enable Certificate Templates dialog box, click TFS Labs User Certificate and
then click OK.
The User Certificate is now ready to be utilized on the TFS Labs domain and can be
requested manually by users or enrolled automatically if that option is enabled.
Ensure that the user has their e-mail address entered into their user account
details in Active Directory, otherwise this certificate will not deploy correctly to the
user account. If you are missing the e-mail address in the Active Directory user
object, you will receive errors while attempting to issue the certificate:
Once the e-mail address is entered for the affected user accounts, the certificate
should then be able to be issued correctly by re-requesting the certificate.
Most of the time, a user could just request a new User certificate from the Certificate
Authority, but that could cause the following issues when existing items have been
attached to that private key:
By setting up private key archive and private key recovery in the previous chapter,
Certificate Templates that are configured with the archive option will have their private
keys automatically archived. It is a straightforward process to recover a private key
should it ever need to be restored.
In this example, the private key for the Mary Smith user account that was created in an
earlier chapter will be retrieved from the private key archive by performing the following
steps on the TFS-CA01 server:
1. On the root of the C:\ drive, create a folder called CertRecovery (C:\CertRecovery).
2. On the TFS-CA01 server open Certification Authority console (certsrv.msc).
3. Expand the TFS Labs Enterprise CA console tree and select the Issued Certificates
folder.
4. Find the User Certificate that you are trying to recover the Private Key from
(TFSLABS\msmith), right-click on it and select Open.
5. On the Certificate window, go to the Details tab.
6. Find the Serial number field, which contains the 38-digit alphanumeric serial number
for the certificate:
10. Run the following command to recover the private key for the certificate (insert the
file name with a .PFX extension). You will also be prompted to enter a password
which will be used to import the certificate:
The outputted PFX file will contain the public and private keys for the user’s certificate, as
well as the Root and Subordinate certificates. A user can install the certificate in the
Personal Store for their user account to make their private key available again for usage.
Ensure that you keep the outputted certificate safe and secure as it contains the
public and private key for the user account that was recovered. If possible, try and
avoid sending the recovered certificate through e-mail and use more secure
manners for transmission.
The Computer Certificate Template typically works independently of the User Certificate
Template, and the user on a particular workstation is usually unaware that it is being
used. There are some features within the Windows operating system which work without
requiring any information or input from the user, and this is usually the case with Active
Directory domains with advanced security or authentication features.
To create the Computer Certificate Template, which can be automatically issued later
and enrolled using Group Policy, perform the following steps on the TFS-CA01 server:
There are a few extra steps required for adding server and computer objects
to the security settings as those objects are not searchable by default. To be
able to add a server object, perform the following steps to be able to search
for those objects:
11. On the Security tab, select the Domain Computers group and assign the Read, Enroll
and Autoenroll permissions.
12. Click the OK button to close the Properties of New Template window.
13. Close the Certificate Templates console window.
14. In the Certification Authority console, right-click on Certificate Templates, then select
New and then select Certificate Template to Issue.
15. In the Enable Certificate Templates dialog box, click TFS Labs Computer Certificate
and then click OK.
The Computer Certificate is now ready to be utilized on the TFS Labs domain, and can be
requested manually by users, or enrolled automatically.
The settings for a Web Server Certificate Template are slightly different from the
previously configured certificates, and this is due to those certificates being used
primarily in a Windows environment. A web server certificate requires less strict settings
to maximize the compatibility between the most devices where the website will be used,
and which web browsers are used. Some settings are intentionally relaxed to ensure the
maximum compatibility with other devices that may be using the certificate.
The Web Server Certificate Template will be used to enable SSL on the IIS server that is
being used for the Active Directory Certificate Services Web Enrollment role.
There are a few extra steps required for adding server and computer objects
to the security settings as those objects are not searchable by default. To be
able to add a server object, perform the following steps to be able to search
for those objects:
The Web Server Certificate Template is now ready to be utilized on the TFS Labs domain
and can be requested by authenticated users.
In this example, the Domain Admins security group is the only group of users that
can request a Web Server certificate. Depending on how your environment is
setup, you may add additional groups to the security settings to allow for easier
access to issue that certificate. For example, an Active Directory group could be
added for web developers, to allow them access to request a Web Server
certificate, without requiring an administrator to assist them in that task.
For example, the Subordinate Certification Authority Certificate Template should never be
available on a production Certificate Authority since it can potentially cause security
issues. Other Certificate Templates provide some overlap with the customized
Certificate Templates that were previously configured and can cause support issues
should users utilize the incorrect Certificate Templates.
The Certificate Templates that were present at the beginning of the TFS Labs Certificate
Authority deployment and at the end of the deployment are listed below (optional
Certificate Templates are also listed):
To remove the unnecessary Certificate Templates that are present in the TFS Labs
domain, perform the following steps on the TFS-CA01 server:
It does not affect the operation of the Certificate Authority to keep extra
Certificate Templates available, but you should consider removing Certificate
Templates that you do not intend to support. This can reduce complexity of the
Certificate Authority and make it easier for upgrades in the future.
Once the SSL certificate has been created, it will need to be applied to the IIS website to
ensure that it is used, and to ensure that SSL is enforced on the Active Directory
Certificate Services Web Enrollment website. Perform the following steps on the
TFS-CA01 server:
1. Open the Internet Information Services (IIS) Manager (inetmgr.exe) console on the
TFS-CA01 server.
2. In the Connections pane, select the TFS-CA01 server and expand Sites.
3. Select the Default Web Site and in the Actions pane, select Bindings....
4. In the Site Bindings window, click the Add... button.
5. On the Add Site Binding window, use the following settings and then click the OK
button:
• Type: https
• IP Address: All Unassigned
• Port: 443
• SSL Certificate: TFS-CA01.corp.tfslabs.com
6. Click the Close button to close the Site Binding window.
7. Expand Default Web Site and select the CertSrv folder.
8. In the /CertSrv Home pane, double-click on the SSL Settings icon.
9. In the SSL Settings window, select the option for Require SSL and then click the
Apply button in the Actions pane.
10. Close the Internet Information Services (IIS) Manager console.
iisreset.exe
You can easily and quickly verify that SSL is working correctly on the Active Directory
Certificate Services Web Enrollment website by opening the Active Directory Certificate
Services Web Enrollment (https://pki.corp.tfslabs.com/CertSrv/) website (you can login
with a Domain Administrator account to test it).
The Active Directory Certificate Services Web Enrollment website should now be properly
secured with SSL:
Since there are CNAME records that are in place for accessing services on the
Subordinate CA, there are several URLs that are not available since there are no
SSL certificates in place for those CNAME records. To allow for proper SSL
access to URLs such as https://pki.corp.tfslabs.com/, you would need to ensure
that a proper SAN certificate has been issued to the TFS-CA01 server. Without a
proper SAN certificate in place, those URLs will not be secured properly.
It is easy to request and issue certificates using Active Directory Certificate Services, but
the ability to rapidly deploy certificates within a domain is critical in large organizations.
Most users do not understand how a PKI works so it would be a large burden on them to
have them manually go through the process of requesting certificates on their own.
Fortunately, with Active Directory and Group Policy, it is easy to automatically deploy
certificates with no interaction required by any users.
This chapter will focus on the automatic deployment of certificates within an Active
Directory domain using Group Policy. This will reduce the amount of time and effort
required in deploying certificates to large numbers of users and workstations. This
chapter will also demonstrate how to install the TFS Labs certificates on Linux servers,
iOS devices, Android devices and macOS workstations.
1. Open the Group Policy Management console (gpmc.msc) on the TFS-DC01 server:
7. Right-click on the Certificate Services Client - Auto-Enrollment object and select the
Properties option.
You can confirm that the auto-enrollment of the TFS Labs User Certificate is working
correctly by logging in on the TFS-WIN10 workstation and checking the Certificate Store
after Group Policy has taken enough time to update. The TFS Labs User Certificate can
be viewed by opening the Local User Certificate Store (certmgr.msc) on the TFS-WIN10
workstation. The TFS Labs User Certificate can be found in the Personal Store.
Once the auto-enrollment options have been added to Group Policy for the User
Certificate, allow up to 1 hour for the update to be propagated in the entire Active
Directory Forest.
You can confirm that the auto-enrollment of the TFS Labs Computer Certificate is
working correctly by logging in on the TFS-WIN10 workstation and checking the
Certificate Store after Group Policy has taken enough time to update. The TFS Labs
Computer Certificate can be viewed by opening the Local Machine Certificate Store
(certlm.msc) on the TFS-WIN10 workstation. The TFS Labs Computer Certificate can be
found in the Personal Store.
Once the auto-enrollment options have been added to Group Policy for the
Computer Certificate, allow up to 1 hour for the updates to be propagated in the
entire Active Directory Forest.
Additional sections in this chapter detail the process in creating and using an SSL
certificate for Linux with a certificate that was issued from Active Directory Certificate
Services. There are also sections on deploying the Root and Subordinate certificates to
Android, iOS, and macOS. If these scenarios are not required, you can proceed to the next
chapter.
If you do not use Linux in your environment or are not planning to use it, you can skip this
section.
The network settings for the TFS-LINUX-WWW virtual machine are as follows:
IP Address 10.100.1.120
Netmask 255.255.255.0
Gateway 10.100.1.1
DNS Server 1 10.100.1.100
For the DNS settings, there is one A record and one CNAME record that was created in
the TFS Labs DNS Zone to support the virtual machine and to facilitate testing of the
issued SSL certificate:
• A record - TFS-LINUX-WWW.corp.tfslabs.com
• CNAME record - WWW.corp.tfslabs.com
In the next step, you will create the CSR request for the Linux server containing the two
DNS entries needed for the SSL certificate.
To create the CSR and submit the request, perform the following steps on the
TFS-LINUX-WWW and TFS-CA01 servers:
/etc/ssl/TFS-LINUX-WWW/tfs-linux-www.cnf
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
commonName = TFS - LINUX - WWW . corp . tfslabs . com
countryName = CA
stateOrProvinceName = Ontario
localityName = Toronto
organizationName = TFS Labs
organizationalUnitName = IT
emailAddress = administrator@corp . tfslabs . com
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS .1 = TFS - LINUX - WWW . corp . tfslabs . com
DNS .2 = WWW . corp . tfslabs . com
4. Run the following command to create the CSR file and the private key for the
TFS-LINUX-WWW server:
openssl req \
-out tfs-linux-www.csr \
-newkey rsa:2048 \
-nodes \
-keyout tfs-linux-www.key \
-config tfs-linux-www.cnf
7. To submit the CSR, click on the Request a certificate link which is listed under Select
a task.
8. On the Advanced Certificate Request page, click on the Submit a certificate request
by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by
using a base-64-encoded PKCS #7 file link to continue:
10. On the Certificate Issued page, select the option for Base 64 encoded and download
both the Certificate and Certificate Chain files. These files should be saved as certnew.cer
and certnew.p7b:
11. Close the Active Directory Certificate Services Web Enrollment website.
12. Copy the certnew.cer and certnew.p7b files to the TFS-LINUX-WWW server and place
them in the /etc/ssl/TFS-LINUX-WWW folder.
15. Rename the Certificate file to the correct name by running the following command:
cp certnew.cer tfs-linux-www.cer
16. There should now be the following files located in the /etc/ssl/TFS-LINUX-WWW
directory:
• certnew.cer
• certnew.p7b
• tfs-labs-ca
• tfs-linux-www.cer
• tfs-linux-www.cnf
• tfs-linux-www.csr
• tfs-linux-www.key
Once the SSL certificate has been installed on the TFS-LINUX-WWW server, the Apache or
Nginx web servers can be configured to use it.
3. Modify the SSL settings for the default website by editing the configuration file that
is provided with Apache (/etc/apache2/sites-available/default-ssl.conf):
/etc/apache2/sites-available/default-ssl.conf
SSLCertificateFile / etc / ssl / TFS - LINUX - WWW / tfs - linux - www . cer
SSLCertificateKeyFile / etc / ssl / TFS - LINUX - WWW / tfs - linux - www . key
SSLCertificateChainFile / etc / ssl / TFS - LINUX - WWW / tfs - labs - ca
6. Run the following command to enable the Apache service to start when the server is
booted:
7. If there were no errors with the Apache service, the configuration is now complete.
If there were no issues with configuring SSL on Apache, you can test that SSL is working
by going to the following website:
http://tfs-linux-www.corp.tfslabs.com/
The Apache placeholder document should be displayed in the web browser:
Figure 10.3.1: The Apache test website is installed by default on an Ubuntu server. The A
record for the TFS-CA01 server is being used to access the page.
http://www.corp.tfslabs.com/
Once the Apache service has been confirmed to be working correctly with SSL, there are
no additional steps to complete.
/etc/nginx/sites-available/default
ssl_certificate / etc / ssl / TFS - LINUX - WWW / tfs - linux - www . cer ;
ssl_certificate_key / etc / ssl / TFS - LINUX - WWW / tfs - linux - www . key ;
4. Run the following command to enable the Nginx service to start when the server is
booted:
5. If there were no errors with the Nginx service, the configuration is now complete.
If there were no issues with configuring SSL on Nginx, you can test that SSL is working by
going to the following website:
http://tfs-linux-www.corp.tfslabs.com/
Figure 10.3.3: The Nginx test website is installed by default on an Ubuntu server. The A
record for the TFS-CA01 server is being used to access the page.
Since the certificate for the TFS-LINUX-WWW server was setup using a SAN certificate,
the website can also be reached using the CNAME record as well:
http://www.corp.tfslabs.com/
Once the Nginx service has been confirmed to be working correctly with SSL, there are no
additional steps to complete.
If you do not have an Android device for testing or require this functionality, you can skip
this section.
3. Click on the link for the TFS Labs Certificate Authority.crt. You will be prompted to
enter your password to continue.
10. To view the Root and Subordinate certificates that are located on the Android device,
open the Settings app, and go to Security > Encryption & credentials > Trusted
credentials > User. The two certificates should be listed:
11. If there were no issues with the certificates on the Android device, the configuration
is now complete.
Once the Root and Subordinate certificates have been verified to be installed on the
Android device, the TFS Labs domain certificates are verified to be working correctly.
If you do not have an iOS device for testing or require this functionality, you can skip this
section.
To install and test the Root and Subordinate certificates on an iOS device, perform the
following steps:
3. Click on the link for the TFS Labs Certificate Authority.crt. You will get a prompt
stating, This website is trying to download a configuration profile. Do you want to
allow this?. Click the Allow button to continue. The Profile Downloaded prompt will
appear, click the Close button to continue.
12. If there were no issues with the certificates on the iOS device, the configuration is
now complete.
Once the Root and Subordinate certificates have been verified to be installed on the iOS
device, the TFS Labs domain certificates are verified to be working correctly.
If you do not have a macOS device for testing or require this functionality, you can skip
this section.
11. To verify that the two certificates have been successfully installed on the macOS
device, you can confirm it by going Finder > Applications > Utilities > Keychain Access
and checking that the certificates are present.
12. If there were no issues with the certificates on the macOS device, the configuration
is now complete.
Once the Root and Subordinate certificates have been verified to be working on the
macOS device, the TFS Labs domain certificates are verified to be working correctly.
If you have been following the steps in this book correctly and have made it this far, you
should now have a complete and working Certificate Authority using Active Directory
Certificate Services. There are a few minor steps remaining to complete the setup, and
that is cleaning up files created during the implementation process and shutting down
the TFS-ROOT-CA server.
This chapter will focus on finalizing the setup of the Certificate Authority and what needs
to be done as an administrator to maintain Active Directory Certificate Services in the
future. It will also outline some suggested steps that can be taken to test Active Directory
Certificate Services within your existing environment.
Prior to deleting the virtual floppy disk, if there are any BitLocker Recovery Keys, they
should be backed up. Should the virtual floppy disk be required in the future, specifically
for updating the Root CA CRL files, it can be easily recreated for that purpose.
Ensure that you do not delete this virtual machine. If you delete this virtual machine, it
will break your entire PKI and there will be no way of recovering from it.
Since the Root CA is an Offline CA, renewing the CRL file is the only time you will turn on
the TFS-ROOT-CA server as there is no other tasks that are needed to be performed on
the server.
To renew the CRL on the Root Certificate Authority, perform the following steps on the
TFS-ROOT-CA server:
certutil.exe -crl
Once the CRL file has been renewed, use a virtual floppy disk to copy the file to the
TFS-CA01 server. You will need to create a virtual floppy disk to move the file, which will
also need to be formatted before it can be used. To copy the CRL file to the TFS-CA01
server, perform the following steps on the TFS-ROOT-CA server:
1. Add the virtual floppy disk to the TFS-ROOT-CA virtual machine. Format the virtual
floppy disk if necessary.
2. Copy the C:\Windows\System32\CertSrv\CertEnroll\TFS Labs Certificate Authority.crl
file to the C:\RootCA folder. Overwrite the existing file that is already in that directory.
3. Copy the C:\RootCA\TFS Labs Certificate Authority.crl file to the A:\ drive.
4. Eject the virtual floppy disk.
Once the CRL file has been copied from the Root CA server, it can then be placed on the
TFS-CA01 server so that it can be utilized:
Now that the CRL file has been copied to the TFS-CA01 server, the virtual floppy disk can
be deleted as it is no longer required.
The final task is to publish the renewed Root CA CRL to Active Directory. This can be
completed by running the following command from an elevated PowerShell prompt on
the TFS-CA01 server:
certutil.exe –addstore `
–f root "C:\CertData\TFS Labs Certificate Authority.crl"
Renewing the Root CA CRL file is a trivial process, the most difficult step is ensuring that
you do not forget to renew the CRL. Not renewing the CRL can cause issues with the
entire PKI and renewing it before it expires can save a lot of trouble.
To manually back up just the Certificate Authority files using tools already available on
the server, perform the following steps on the TFS-CA01 server:
5. On the Items to Back Up window, select the following options and click the Next
button to continue:
• Private key and CA certificate - Enabled
• Certificate database and certificate database log - Enabled
• Back up to this location - C:\CA-Backup
7. On the Completing the Certification Authority Backup Wizard window, click the Finish
button to close the wizard:
11. On the Export Registry File window, select the C:\CA-Backup folder, enter TFS Labs
Enterprise CA.reg in the File name field, and click the Save button to continue:
At this point, the Certificate Authority has now been manually backed up. To backup any
other Certificate Authority servers in the environment, perform the same steps on those
servers.
Ensure that the files that have been backed up from the Certificate Authority are
kept in a safe location. Even though the files are saved with a password, they
should not be left in a location where they could be obtained by an attacker.
Just like every important infrastructure server in your environment, you must
ensure that the Root and Subordinate Certificate Authority servers are backed up
regularly and can be restored successfully. If there is an issue with backups and
the Root CA is lost, then the PKI for your environment is effectively broken forever,
and the only way to fix it is to create a new PKI and then re-issue all certificates.
There are several ways that a former Certificate Authority can cause issues with a new
Active Directory Certificate Services deployment:
The first step should be to check Active Directory to see if there was a former Certificate
Authority in your domain. On any of the Domain Controllers in your domain, perform the
following steps:
1. Open the Active Directory Sites and Services (dssite.msc) console on a Domain
Controller in your domain:
3. Expand the Active Directory Sites and Services > Services > Public Key Services
node:
certutil.exe -dump
The output will display all known Enterprise CA servers that are configured in Active
Directory:
Figure 11.5.1: The certutil.exe tool will list the Enterprise CA servers that are registered
within Active Directory.
It is important to check if there are former Certificate Authorities in your domain prior to
attempting to deploy a new one. Removing former Certificate Authorities is easier before
adding a new one to the environment, and leaving an old Certificate Authority in place can
cause unexpected issues later that are not immediately apparent with a new Active
Directory Certificate Services deployment. By performing this simple check, you can save
yourself a lot of time and troubleshooting later.
Regardless of which method you choose to use for getting a Domain Controller for your
existing Active Directory domain, ensure that you perform the following steps prior to
attempting to deploy Active Directory Certificate Services:
• Place the Domain Controller on a network segment that has no connections to your
production network.
• Update the DNS records on the Domain Controller to allow it to handle its own DNS
resolution.
• If the Domain Controller does not have all FSMO roles available, seize those roles to
ensure that all FSMO roles are on that Domain Controller.
Once the Domain Controller has been properly isolated and setup for proper
authentication and DNS resolution, you can then proceed to testing the deployment of
Active Directory Certificate Services on your domain. This book used the TFS Labs
domain as an example, and you can easily modify the deployment steps to fit with your
Active Directory domain.
Figure 11.6.1: The MJCB Active Directory domain consists of three servers and one
workstation.
The certificate hierarchy for the MJCB domain might look like this:
Figure 11.6.2: The MJCB Certificate Authority hierarchy is a Two-Tier Certificate Authority
consisting of a Root and Subordinate CA.
You should make it a habit to occasionally check the Certification Authority and the
Enterprise PKI console on the TFS-CA01 server. You should verify that there are no
certificates in a pending state and that the Certificate Authority is always healthy.
This chapter will focus on quickly deploying a Two-Tier Certificate Authority using Active
Directory Certificate Services. This chapter will use a subset of the instructions that were
provided in the previous chapters of this book. This chapter uses a simplified and basic
Active Directory environment for demonstration purposes, which represents the bare
minimum that is required for Active Directory Certificate Services to operate correctly. To
make the deployment of Active Directory Certificate Services faster, all configurations will
be done using the CLI instead of the GUI, whenever possible.
This chapter is optional, and if you have already completed the Certificate Authority using
the steps in previous chapters, you can skip this chapter as it is not needed.
There are several items that are intentionally omitted from this chapter to make the
deployment faster, and those items include:
Even though this chapter focuses on quickly deploying a Certificate Authority using
Active Directory Certificate Services using all available CLI commands, it does not offer
an automated or scripted method of setting it up in that manner.
This chapter will focus on setting up a basic Two-Tier Certificate Authority, with the
option to add any additional features to the Certificate Authority at any given time after it
has been created.
Figure 12.1.1: The TFS Labs Active Directory domain consists of three servers and one
workstation. This domain represents the bare minimum environment required to test
Active Directory Certificate Services.
The virtual machines that are being used in this chapter for the test environment are
using the following specifications:
Figure 12.1.2: The TFS Labs Certificate Authority is a Two-Tier Certificate Authority
consisting of a Root and Subordinate Certificate Authority.
Now that the TFS Labs domain has been explained, including the required virtual
machines and the format of the certificate structure, you can proceed to provisioning the
Domain Controller for the TFS Labs domain.
Once the TFS-DC01 virtual machine has been created and the operating system has been
installed, there are a few tasks that need to be completed:
• Set the password for the local administrator account (ensure that you use a complex
password).
• Set the hostname of the server to TFS-DC01. Restart the server to apply the change.
Once the local Administrator account and the hostname have been setup, you will also
need to configure the network settings for the virtual machine:
IP Address 10.100.1.100
Netmask 255.255.255.0
Gateway 10.100.1.1
DNS Server 1 8.8.8.8
Once the network has been setup correctly, you can then proceed to setting up the
TFS-DC01 server as a Domain Controller.
If you are having any DNS resolution issues after the Domain Controller
promotion, check the DNS settings on the TFS-DC01 server to ensure that there is
a forwarding DNS server listed.
The password that is set for the local administrator account during the initial
setup of the TFS-DC01 server will become the password for the Domain
Administrator account for the TFS Labs domain once the server has been
promoted to a Domain Controller. Ensure that this is a strong password since it is
going to be the most privileged account in the TFS Labs domain.
Once the Active Directory installation has been completed, the local administrator
account that is on the TFS-DC01 server will become the TFSLABS\Administrator
account, which is the Domain Administrator account for the TFS Labs domain.
This Domain Administrator account will be used for the remainder of the
Certificate Authority implementation, except for any configurations made on the
Offline Root CA server.
AD DS Setup - AD DS Installation
To install the Active Directory Domain Services role on the TFS-DC01 server, perform the
following steps:
1. Open an elevated PowerShell prompt.
2. Run the following command to install the Active Directory Domain Services role and
the necessary Remote Server Administration Tools:
3. The command will automatically install the Active Directory Domain Services role
and output a Success status of True.
4. Once the installation for Active Directory Domain Services has completed, you can
close the PowerShell prompt.
Once the Active Directory Domain Services role has been installed on the TFS-DC01
server, you can proceed to configuring the role to create the Domain Controller.
AD DS Setup - AD DS Configuration
Once the Active Directory Domain Services role has been installed on the TFS-DC01
server, it will need to be properly configured to become a Domain Controller for the TFS
Labs domain. In the process of configuring the TFS Labs domain, the following Active
Directory Domain settings will be configured on the TFS-DC01 server:
Import-Module ADDSDeployment
Install-ADDSForest `
-CreateDnsDelegation:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainMode "WinThreshold" `
-DomainName "corp.tfslabs.com" `
-DomainNetbiosName "TFSLABS" `
-ForestMode "WinThreshold" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true
Once the TFS-DC01 server has restarted, there is now a functioning Domain Controller of
the TFS Labs domain.
AD DS Setup - OU Configuration
It is optional to create an OU structure for organizing the objects in the Active Directory
domain, so creating one is your choice. The OU structure for the TFS Labs domain is not
complex, and consists of the following structure:
• TFS Labs
• TFS Labs\TFS Labs Servers
• TFS Labs\TFS Labs Users
• TFS Labs\TFS Labs Workstations
New-ADOrganizationalUnit `
-Name "TFS Labs" `
-Path "DC=corp,DC=tfslabs,DC=com"
New-ADOrganizationalUnit `
-Name "TFS Servers" `
-Path "OU=TFS Labs,DC=corp,DC=tfslabs,DC=com"
New-ADOrganizationalUnit `
-Name "TFS Users" `
-Path "OU=TFS Labs,DC=corp,DC=tfslabs,DC=com"
New-ADOrganizationalUnit `
-Name "TFS Workstations" `
-Path "OU=TFS Labs,DC=corp,DC=tfslabs,DC=com"
Once the OU structure has been created for the TFS Labs domain, the Domain
Administrator account needs to have the e-mail address field set.
Set-ADUser `
-Identity Administrator `
-EmailAddress "[email protected]"
Now that the e-mail field has been set for the Domain Administrator account, there
should be no problems in issuing certificates for that account.
Once the TFS-ROOT-CA virtual machine has been created and the operating system has
been installed, there are a few tasks that need to be completed before proceeding to
configure the Root Certificate Authority:
1. Set the local Administrator account on the TFS-ROOT-CA server to a complex password
that is at least 14 characters and store the password securely. Ensure that there
are no additional user accounts present on the server (this can be verified in the
Computer Management console (compmgmt.msc)). The Guest account should already
be disabled by default and is renamed in a later step to obfuscate the account.
2. Set the hostname of the server to TFS-ROOT-CA. Restart the server to apply the
change.
3. Set the TFS-ROOT-CA server to be a member of the TFS-CA workgroup. Restart the
server to apply the change.
4. On the root of the C:\ drive create a folder called RootCA (C:\RootCA). This folder will
store the Root certificate, Subordinate certificate, CRL files and any other certificate
files that are needed during the entire Certificate Authority implementation process.
5. Create a virtual floppy disk named RootCAFiles.vfd and then insert the RootCAFiles.vfd
virtual floppy disk into the virtual floppy drive. Format the floppy disk using the
default settings using Windows File Explorer. Eject the virtual floppy disk when the
formatting has been completed.
If these policy changes are required, the steps are thoroughly documented in an earlier
chapter, otherwise you can proceed to configuring the CAPolicy.inf file for the Root CA.
C:\Windows\CAPolicy.inf
[ Version ]
Signature =" $Windows NT$ "
[ PolicyStatementExtension ]
Policies = AllIssuancePolicy , InternalPolicy
Critical = FALSE
[ InternalPolicy ]
OID =1.2.3.4.1455.67.89.5
Notice =" The TFS Labs Certification Authority is internal only ."
URL = http :// pki . corp . tfslabs . com / cps . html
[ Certsrv_Server ]
; Renewal information for the Root CA .
RenewalKeyLength =4096
RenewalValidityPeriod = Years
RenewalValidityPeriodUnits =10
A Delta CRL is not normally required for a Root Certificate Authority, especially one
that is offline since it is not normally handling certificate revocations in a PKI. The
Root CA is only ever used to issue a Base CRL when there are Subordinate
Certificate Authorities. The only certificates that are typically revoked by a Root
CA is a Subordinate CA, so that would necessitate the deployment of a new Base
CRL instead of a Delta CRL.
You can update the OID number in the InternalPolicy section of the CAPolicy.inf
file for your deployment if it is required for your organization. The OID number in
this example is used in Microsoft technical documentation, but it should work for
your organization if it is only ever going to be used internally. If you require a
customized OID number, you can register for a Private Enterprise Number through
the IANA.
If you would like to use your PEN number for the Certificate Authority, modify the
OID line in the InternalPolicy section to OID=1.3.6.1.4.1.X (replace the X with your
PEN number).
Ensure that the CAPolicy.inf file has been properly saved in the C:\Windows folder
(%WINDIR%). Also make sure that the file extension is set to INF and not TXT. A
common mistake is to accidentally save the file as CAPolicy.inf.txt.
If the CAPolicy.inf file is not saved in the correct directory and without the correct
file extension, all settings in the file will be ignored at the time when the Certificate
Authority is created.
3. The command will automatically install the Active Directory Certificate Services role
and output a Success status of True.
4. Once the installation for Active Directory Certificate Services has completed, you
can close the PowerShell prompt.
Once the Active Directory Certificate Services role has been installed, you can then
proceed to configuring the role and creating the Root certificate for the TFS Labs domain.
During the configuration of Active Directory Certificate Services, the option to create a
new private key for the Root Certificate Authority is presented. This is because this a new
CA installation and the private key is not being restored from a previous server and this is
the Root of the PKI. The private key for the Root certificate will reside on the
TFS-ROOT-CA server.
Install-AdcsCertificationAuthority `
-CAType StandaloneRootCA `
-CACommonName "TFS Labs Certificate Authority" `
-KeyLength 4096 `
-HashAlgorithm SHA256 `
-CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
-ValidityPeriod Years `
-ValidityPeriodUnits 10 `
-DatabaseDirectory $(Join-Path $env:SystemRoot "System32\CertLog") `
-Force
3. The command will automatically configure the Active Directory Certificate Services
role and output an ErrorID status of 0.
4. Once the configuration for Active Directory Certificate Services has completed, you
can close the PowerShell prompt.
At this point the Root Certificate for the TFS Labs domain has been created. You can now
validate that the Certificate Authority has been successfully created.
You can also view the Root certificate and verify that it was created with the correct
values that you setup during the Active Directory Certificate Services configuration:
Figure 12.3.1: The TFS Labs Certificate Authority issued the certificate to itself, as it is the
root of the PKI.
When the Subordinate CA is created on the TFS-CA01 server, you will be able to validate
that the Offline CA is functioning correctly. If everything has been setup correctly for the
Root certificate, then you can proceed to configuring the CRL for the Root CA and
specifying the validity period for any signed certificates.
HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration
To configure the CRL settings on the Root Certificate Authority, perform the following
steps on the TFS-ROOT-CA server:
certutil.exe -setreg `
CA\DSConfigDN "CN=Configuration,DC=corp,DC=tfslabs,DC=com"
3. To define the Validity Period Units for all issued certificates by the Root Certificate
Authority, run following commands:
4. To define the CRL Period Units and CRL Period, run the following commands:
5. To define the CRL Overlap Period Units and CRL Overlap Period, run the following
commands:
6. Restart the Active Directory Certificate Services service to apply the changes:
Once the CRL settings have been configured on the Root Certificate Authority, you can
then proceed to configuring auditing on the Root CA.
There are several ways to determine the Active Directory Configuration Partition
Distinguished Name in an Active Directory domain. One of the easiest ways to
determine the correct format of this name can be accomplished it in only a few
steps by using the Active Directory Users and Computers console:
1. On the TFS-DC01 Domain Controller, open the Active Directory Users and
Computers console (dsa.msc).
2. Go to the View menu and select Advanced Features.
3. Right-click on corp.tfslabs.com, which is the root of the Domain, and select
Properties.
4. Go to the Attribute Editor tab.
5. Scroll down until you find the distinguishedName Attribute Field and click the
View button. The String Attribute Editor window will appear:
6. Copy the value in the Value field, this is the information needed for later:
Aside from using the Active Directory Users and Computers console to retrieve
the Active Directory Configuration Partition Distinguished Name, you can also use
the ADSI Edit (Active Directory Service Interface Editor) tool (adsiedit.msc) to
obtain the same result.
3. Run the following command to configure the AIA settings for the Root certificate
(execute this command as a single line with no breaks):
4. Restart the Active Directory Certificate Services service to apply the changes:
certutil.exe -crl
Once the Root certificate and CRL files have been successfully copied to the virtual
floppy disk, all the initial tasks for the TFS-ROOT-CA server are now complete.
Once the TFS-CA01 virtual machine has been created and the operating system has been
installed, there are a few tasks that need to be completed:
• Set the local Administrator account on the TFS-CA01 server to a complex password
that is at least 14 characters and store the password securely.
• Set the hostname to TFS-CA01. Restart the server to apply the change.
Once the local Administrator account and the hostname have been setup, you will also
need to configure the network settings for the virtual machine:
IP Address 10.100.1.101
Netmask 255.255.255.0
Gateway 10.100.1.1
DNS Server 1 10.100.1.100
Join the TFS-CA01 server to the TFS Labs domain. Restart the server to apply the change.
The TFS-CA01 server should be moved from the default Computer OU in Active Directory
to one of the dedicated OUs that was created earlier for the TFS Labs domain. This will
facilitate easier application of Group Policy objects, which are needed for Active
Directory Certificate Services should you choose to add them in the future. To move the
TFS-CA01 computer object, run the following command from an elevated PowerShell
prompt on the TFS-DC01 server:
Get-ADComputer "TFS-CA01" | `
Move-ADObject -TargetPath "OU=TFS Servers,OU=TFS Labs,DC=corp,DC=tfslabs,DC=com"
Once the TFS-CA01 server has been successfully joined to the TFS Labs domain, login
with the Domain Administrator account that was created earlier. The Domain
Administrator account will be required for the entire Active Directory Certificate Services
installation and configuration of the TFS-CA01 server. Once the server has been
completely setup and joined to the TFS Labs domain, you can proceed to the next steps
on creating DNS records to support the Active Directory Certificate Services role.
Add-DnsServerResourceRecordCName `
-Name "PKI" -HostNameAlias "TFS-CA01.corp.tfslabs.com" -ZoneName "corp.tfslabs.com"
Once the DNS record has been created, you can proceed to creating the CAPolicy.inf file
that is needed to create the Subordinate certificate.
C:\Windows\CAPolicy.inf
[ Version ]
Signature =" $Windows NT$ "
[ PolicyStatementExtension ]
Policies = AllIssuancePolicy , InternalPolicy
Critical = FALSE
[ InternalPolicy ]
OID =1.2.3.4.1455.67.89.5
Notice =" The TFS Labs Certification Authority is internal only ."
URL = http :// pki . corp . tfslabs . com / cps . html
[ Certsrv_Server ]
; Renewal information for the Subordinate CA .
RenewalKeyLength =4096
RenewalValidityPeriod = Years
RenewalValidityPeriodUnits =5
You can update the OID number in the InternalPolicy section of the CAPolicy.inf
file for your deployment if it is required for your Organization. The OID number in
this example is used in Microsoft technical documentation, but it should work for
your organization if it is only ever going to be used internally. If you require a
customized OID number, you can register for a Private Enterprise Number through
the IANA.
If you used a particular OID for the Root certificate, ensure that you use the same
OID here as well.
If you would like to use your PEN number for the Certificate Authority, modify the
OID line in the InternalPolicy section to OID=1.3.6.1.4.1.X (replace the X with your
PEN number).
Ensure that the CAPolicy.inf file has been properly saved in the C:\Windows folder
(%WINDIR%). Also make sure that the file extension is set to INF and not TXT. A
common mistake is to accidentally save the file as CAPolicy.inf.txt.
If the CAPolicy.inf file is not saved in the correct directory and without the correct
file extension, all settings in the file will be ignored at the time when the Certificate
Authority is created.
Add-WindowsFeature `
-Name ADCS-Cert-Authority, ADCS-Web-Enrollment, Web-Mgmt-Service `
-IncludeManagementTools
3. The command will automatically install the Active Directory Certificate Services role
and output a Success status of True.
4. Once the installation for Active Directory Certificate Services has completed, you
can close the PowerShell prompt.
Install-AdcsCertificationAuthority `
-CAType EnterpriseSubordinateCA `
-CACommonName "TFS Labs Enterprise CA" `
-KeyLength 4096 `
-HashAlgorithm SHA256 `
-CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
-Force
3. The command will automatically configure the Active Directory Certificate Services
role and output a Success status of True.
4. Run the following command to configure the Certification Authority Web Enrollment
role:
Install-AdcsWebEnrollment -Force
5. The command will automatically configure the Certification Authority Web Enrollment
role and output an ErrorID status of 0.
At this point the Subordinate Certificate Authority for the TFS Labs domain has been
created, but the Subordinate certificate needs to be issued. You can now validate that the
Certificate Authority has been successfully created.
Even though the Active Directory Certificate Services role was configured, it is not
currently running as there is no valid certificate present. If you open the Certification
Authority console (certsrv.msc), you will see that it is setup, but the service is not running:
Figure 12.4.1: The Certification Authority console is used to manage the CA and
allows administrators to issue and revoke certificates. This console also allows further
customization of the CA.
Once the Certificate Request file has been successfully generated, it will need to be
copied to the RootCAFiles.vfd virtual floppy disk since the Root CA on TFS-ROOT-CA
needs the request file to issue the Subordinate Certificate.
1. Add the RootCAFiles.vfd virtual floppy disk to the TFS-CA01 virtual machine.
2. Browse to the C:\ drive and copy the TFS-CA01.corp.tfslabs.com_corp-TFS-CA01-CA.req
to the A:\ drive.
3. Eject the RootCAFiles.vfd virtual floppy disk.
Once the Certificate Request has been successfully copied to the virtual floppy disk, you
can proceed to creating the CertData directory in IIS on the TFS-CA01 server.
1. Add the RootCAFiles.vfd virtual floppy disk to the TFS-CA01 virtual machine.
2. On the root of the C:\ drive, create a folder called CertData (C:\CertData).
3. Open the A:\ drive and copy the TFS Labs Certificate Authority.crl and TFS-ROOT-CA_TFS
Labs Certificate Authority.crt files to the C:\CertData folder.
4. Eject the RootCAFiles.vfd virtual floppy disk.
You can create the CertData virtual directory using the command line instead of using the
Internet Information Services (IIS) Manager:
cd C:\Windows\System32\inetsrv\
3. Run the following command to create the CertData virtual directory in IIS:
4. Run the following command to enable Directory Browsing on the CertData virtual
directory:
Once the directory and the directory browsing option has been enabled on the CertData
directory, double escaping can now be enabled in IIS.
To enable double escaping in IIS, perform the following steps on the TFS-CA01 server:
cd C:\Windows\System32\inetsrv\
After enabling double escaping in IIS, it will now be possible to distribute the Delta CRL
files in the TFS Labs domain.
Creating the Subordinate certificate requires multiple steps using both the Root CA
server and the Subordinate CA server. These steps are not complicated, but they must be
completed in the correct order and none of the steps can be skipped.
The workflow for creating the Subordinate certificate on the TFS-CA01 and TFS-ROOT-CA
servers is as follows:
Figure 12.4.2: The TFS Labs Enterprise CA is signed by the TFS Labs Certificate Authority,
with a 5 year validity period.
If there were no issues with creating the Subordinate certificate, delete the following files
from the TFS-CA01 server as they are no longer needed:
• C:\TFS-CA01.corp.tfslabs.com_corp-TFS-CA01-CA.req
• C:\TFS Labs Enterprise CA.p7b
There may be instances where the installation and configuration of the Subordinate
certificate may fail for several reasons (if the Subordinate certificate was successfully
issued, skip this step). This may occur when the Subordinate CA has issues with the
Root CA CRL configuration, which is offline at the time of issuance of the Subordinate
certificate. To correct this issue when you are attempting to issue the Subordinate CA,
run the following command in an elevated PowerShell prompt:
Once the command is issued, the Active Directory Certificate Services role will need to be
restarted. Run the following commands to restart the service:
To configure the maximum certificate age for the Subordinate CA, run the following
commands on the TFS-CA01 server:
1. To define the maximum age of any certificate that the Subordinate CA is capable of
issuing, run the following commands from an elevated PowerShell prompt:
2. Restart the Active Directory Certificate Services service to apply the configuration:
Once the maximum age for certificates has been specified on the Certificate Authority,
you can proceed to modifying the CertEnroll virtual directory settings, which is used for
certificate deployment.
cd C:\Windows\System32\inetsrv\
3. Run the following command to enable Directory Browsing on the CertEnroll virtual
directory:
Once the directory browsing option has been enabled on the CertEnroll directory, you can
now proceed to configuring CDP and AIA on the Subordinate CA.
The CRL files that are provided by the Root CA are distributed with the Subordinate CA.
This is because the Root CA is not available on the network since it is always offline, so
there is no way for clients to access the files needed for the TFS Labs domain. This is
accomplished by configuring CDP and AIA on the Subordinate CA.
There are multiple locations where the CDP and AIA locations are used for the
Subordinate Certificate Authority:
The CDP and AIA configuration on the Subordinate Certificate Authority can be performed
using the Certification Authority console or through the command line using PowerShell.
To configure CDP and AIA on the Subordinate Certificate Authority using PowerShell,
perform the following steps on the TFS-CA01 server:
3. Run the following command to configure the AIA settings for the Subordinate Certificate
(execute this command as a single line with no breaks):
4. Restart the Active Directory Certificate Services service to apply the changes:
certutil.exe -crl
Once the CRL settings for the Subordinate CA have been configured, you can proceed to
configuring the CPS document.
To create the CPS document, perform the following steps on the TFS-CA01 server:
1. On the TFS-CA01 server, open Windows File Explorer (explorer.exe), then go to This
PC and then go to the C:\.
2. Open the C:\inetpub\wwwroot folder.
3. Create a file named cps.html (ensure the file extension is correct).
4. Copy the following text into the cps.html file, save it and close the file:
C:\inetpub\wwwroot\cps.html
<p > The TFS Labs Certification Authority is internal only . </p >
<p > All issued certificates are for internal usage only . </p >
http://pki.corp.tfslabs.com/cps.html
Once the CPS document has been created, you can proceed to configuring the Windows
Firewall for the TFS-CA01 server.
There are three firewall rules that need to be enabled on the TFS-CA01 server for Active
Directory Certificate Services to function correctly:
To check if the firewall rules are enabled on the TFS-CA01 server, perform the following
steps:
1. Open the Windows Defender Firewall with Advanced Security console (wf.msc) on
the TFS-CA01 server.
2. Under the Windows Defender Firewall with Advanced Security on Local Computer,
click on Inbound Rules.
3. For each of the firewall rules listed above, perform the following steps:
(a) Right-click on the firewall rule and select the Properties option to open the Rule
Properties window.
(b) On the General tab, select the option for Enabled.
(c) On the Advanced tab, ensure that the options for Domain, Private and Public
are selected.
(d) Click on the Apply button to apply the changes and then click the OK button to
close the window.
4. Close the Windows Defender Firewall with Advanced Security console.
Once the Windows Firewall has been correctly configured on the TFS-CA01 server, you
can proceed to verifying the PKI infrastructure for the TFS Labs domain.
certutil.exe -dspublish `
-f "C:\CertData\TFS-ROOT-CA_TFS Labs Certificate Authority.crt" RootCA
3. Run the following command to add the Root CA to the Certificate Store in Active
Directory:
certutil.exe –addstore `
–f root "C:\CertData\TFS-ROOT-CA_TFS Labs Certificate Authority.crt"
4. Run the following command to add the Root CRL to the Certificate Store in Active
Directory:
certutil.exe –addstore `
–f root "C:\CertData\TFS Labs Certificate Authority.crl"
Now that the Root CA has been added to Active Directory, you can proceed to verifying
the PKI infrastructure on the TFS Labs domain.
To validate the PKI configuration for the TFS Labs domain, perform the following steps
on the TFS-CA01 server:
4. Under the Enterprise PKI node, click on the TFS Labs Enterprise CA (V0.0) server.
Check that the status of the CA Certificate, DeltaCRL Locations, AIA Locations and
CDP Locations have the status of OK:
Prior to deleting the virtual floppy disk, if there are any BitLocker Recovery Keys, they
should be backed up. Should the virtual floppy disk be required in the future, specifically
for updating the Root CA CRL files, it can be easily recreated for that purpose.
Ensure that you do not delete this virtual machine. If you delete this virtual machine, it
will break your entire PKI and there will be no way of recovering from it.
Base CRL A Base CRL is a large list of certificates that have been revoked
previously by the Certificate Authority. It is a large file that
is updated infrequently and is tied to the Delta CRL as it
incorporates those revocations.
BDE BitLocker Drive Encryption is a full disk encryption application
developed and maintained by Microsoft for the Windows
operating system.
Delta CRL A Delta CRL is a small list of certificates that have been
revoked since the last time a Base CRL was published.
DISM Deployment Imaging Servicing and Management is a
command line tool that is used to mount and update
Windows images. It can also be used to add or remove
Windows features as needed.
DER Distinguished Encoding Rules is a certificate format that is in
Binary Format.
DNS The Domain Name System is a hierarchical naming system for
devices that are connected to a private network or the public
internet. It is critical for an Active Directory environment and
is usually installed on a Domain Controller using the Active
Directory integrated DNS feature. DNS relies on UDP port 53
for communication.
DNS Zone A DNS Zone is a domain space that holds all records for a
particular domain.
The following commands were used in this book for installing and configuring Active
Directory Domain Services and Active Directory Certificate Services, as well as various
other required components that are needed to support a Certificate Authority.
Many of the commands used in this book are shortcuts to graphical tools that are already
available within the Windows operating system, some are shortcuts to the Microsoft
Management Console, some are custom PowerShell Cmdlets that are required for
installation and configuration and the rest are legacy command line tools.
Command Purpose
appwiz.cpl Programs and Features is a Control Panel application that
allows for the installation, modification, and removal of
applications on a Windows device.
explorer.exe Windows File Explorer is used to manage local and remote file
systems.
inetmgr.exe Internet Information Services (IIS) Manager is used to manage
IIS services on a Windows server.
ldp.exe Ldp is a Graphical Interface for connecting to LDAP directories
for troubleshooting purposes.
mmc.exe Microsoft Management Console is a modular framework for
accessing management features within the Windows operating
system using Snap-ins.
msinfo32.exe System Information provides information on the local system,
such as hardware, driver, and software versions.
mstsc.exe Remote Desktop Connection provides a method or connecting
to Windows devices using the RDP protocol.
servermanager.exe Server Manager is a management console used in Windows
Server that provides access to all roles and features on
Windows Server.
regedit.exe Registry Editor provides a graphical interface for managing the
Windows Registry.
vmconnect.exe Virtual Machine Connection provides a graphical interface for
managing Hyper-V virtual machines. This tool can manage
local and remote Hyper-V virtual machines.
Cmdlet Purpose
Add-DnsServerResourceRecordCName This Cmdlet is used to add DNS records to
a DNS Zone, specifically CNAME records.
Add-WindowsFeature This Cmdlet is used to add optional
features to a Windows workstation or
server.
Enable-WindowsOptionalFeature This Cmdlet is used to enable optional
features to a Windows workstation or
server.
Get-ADComputer This Cmdlet is used to search for and
retrieve computer objects within Active
Directory.
Import-Module This Cmdlet is used to import a specific set
of Cmdlets into a PowerShell session which
are not present by default.
Install-AdcsCertificationAuthority This Cmdlet is used to install and configure
an AD CS Certificate Authority once the AD
CS role has been installed.
Install-AdcsWebEnrollment This Cmdlet is used to install and configure
the AD CS Web Enrollment role for AD CS,
plus any additional required features.
Install-AdcsOnlineResponder This Cmdlet is used to install and configure
the AD CS Online Responder role for AD CS.
Install-ADDSForest This Cmdlet is used to install and configure
an AD DS Forest once the AD DS role has
been installed.
Install-WindowsFeature This Cmdlet is used to enable optional
features to a Windows workstation or
server.
Move-ADObject This Cmdlet is used to move objects within
Active Directory.
New-ADOrganizationalUnit This Cmdlet is used to add Organizational
Units to Active Directory.
New-ADUser This Cmdlet is used to add users to Active
Directory.
Set-ADUser This Cmdlet is used to modify user
properties in Active Directory.
Symbols CSR 14, 16, 33, 140, 163, 167, 168, 174,
802.1X xx, 268, 273 275, 280, 291, 292, 346, 348
A D
AD CS xix, 1, 4, 7, 12, 16, 23, 51, 89, 141, Delta CRL 17, 110, 134, 136, 147, 172,
205, 219, 265, 311, 325 184, 191, 249, 334, 340, 348
AD DS 7, 51, 53, 60, 69, 108, 330, 333 DER 18, 206
AIA 10, 12, 14, 128, 129, 132, 134, 139, DHCP 7, 28, 327
168, 184, 188, 194, 202, 226, DNS 4, 7, 15, 51, 52, 134, 143, 322, 329,
319, 340, 352 340, 343
Android xxiii, 42, 43, 215, 285, 290, 298 DNS Zone 51, 143, 145, 291, 343
Apache 282, 291, 295 Domain Controller xxii, 9, 28, 34, 51, 52,
Apple Safari 15, 32, 302 59, 60, 67, 74, 85, 109, 141, 144,
AVHD 45 213, 214, 279, 319, 322, 327,
AVHDX 45 330, 332, 354
E
B
EFS xx, 5
Base CRL 17, 110, 134, 147, 184, 239,
Enterprise CA 12, 28, 79, 122, 141, 167,
249, 312, 334, 340, 357
205, 248, 275, 291, 319, 327,
Base-64 18
346
BIOS xxi, 38
BitLocker 7, 28, 87, 89, 141, 143 F
FQDN 32, 83, 146
C FSMO 322
CDP 10, 12, 14, 128, 129, 132, 134, 139, Functional Level xxi, 28, 61, 327
168, 184, 188, 194, 202, 319,
340, 352 G
Certificate 1 Google Chrome 15, 32
Certificate Authority xv, 1, 51, 311 GPO 74, 81, 205, 208, 213, 244, 287, 289,
Certificate Store 17, 21, 23, 83, 200, 213, 322
288, 290, 322, 355 Group Policy xxiii, 28, 51, 70, 87, 98, 108,
Cmdlet 23, 40, 41, 59, 61, 67, 367 142, 204, 206, 208, 244, 267,
CNAME 29, 32, 36, 143, 283, 291, 297, 273, 283, 285, 288, 322, 333,
298, 343 342, 354
CPS 34, 195, 353
CRL 1, 6, 10, 14, 16, 17, 28, 30, 88, 128, H
129, 134, 140, 143, 168, 172, HTTP 134, 173, 189, 340, 354
189, 199, 202, 219, 248, 280, HTTPS 6, 282, 298, 302, 308, 354
312, 337, 341, 347, 348, 352, Hyper-V xix, xxi, xxii, 7, 37, 52, 79, 88, 89,
355, 357 142, 291
Index | 371
Hypervisor xix, 362 R
RFC 1, 15, 195
I Root CA xx, 8, 9, 12, 20, 29, 49, 53, 87,
IANA 19, 111, 148, 335, 344 109, 128, 130, 140, 141, 168,
IETF 12, 195 189, 199, 312, 313, 318, 325,
IIS 6, 7, 32, 148, 172, 184, 187, 195, 215, 333, 355
306, 348 RSA 119, 158, 336, 345
Intermediate CA 10, 12
iOS xxiii, 42, 43, 111, 148, 215, 285, 290, S
302, 306 S/MIME 5
IPSec 5 SAN 15, 280, 283, 291, 297, 298
Issuing CA 8, 12, 141 SSL xx, 2, 5, 11, 15, 31, 33, 215, 280, 283,
291
L SST 18
LDAP 14, 82, 134, 189, 239, 340, 352, Subordinate CA xxiii, 9, 12, 29, 49, 128,
354 139, 141, 147, 205, 208, 215,
LDAPS 5, 82, 86, 214 224, 227, 228, 261, 283, 312,
Linux xxiii, 215, 282, 285, 291 334
M
T
macOS 285, 290, 308, 310
TPM 97, 99
MDM 5, 215, 273
Microsoft Edge 15, 27, 32
U
MMC 23, 51, 367
Ubuntu 291, 296, 298
Mozilla Firefox 15, 32
UCC 14, 15, 291
N
Nginx 282, 291, 295, 297 V
VFD 47, 49
O VHD 103
OCSP xx, 6, 14, 17, 28, 142, 143, 147, VHDX 38
202, 205, 217, 219, 228 VirtualBox xxii
OID 14, 19, 111, 148, 335, 344 VLAN 20, 43
OpenSSL 291 VMware xxii, 39, 88
Organizational Unit 70, 73, 74, 208 VPN 2, 5, 268, 273
P W
P7B 18, 178, 349 Windows Server xix, 1, 4, 7, 26, 27, 51,
PEN 19, 111, 148, 335, 344 87, 141
PFX 18, 273
PKI xv, xix, xxii, 1, 5, 110, 143, 147, 168, X
184, 251, 334 X.509 1, 12, 15, 17