Microsoft PKI – Single Tier Server (Command Line Setup)

If you have not already read the first page in this MS PKI series, 
you should do so before continuing.

The following is useful for setting up a single ADCS PKI server in a very small environment such as a lab. It provides instructions using a mixture of both PowerShell and the command line interfaces. It provides examples of the various commands for publishing the CDP/AIA points to computers that are both on and off the domain.

If HTTP is needed to publish CRL/AIA, it must be on a different server (Maybe, I’ve had issues getting CRL/AIA publishing to work on the same server). The requirements can be used from the “Two Tier” setup instructions located on a different page.

Note that a single tier PKI is not typically appropriate in a production environment.

A second page is provided elsewhere that uses a the standard Microsoft GUI for building and configuring the server.

Build up the server and add to the domain.

The CAPolicy.inf is not necessary so as an example it is skipped in this example. The settings will be added via the command line below.

Otherwise: Copy CAPolicy.inf to C:\windows  (%systemroot%) of root CA server. See the Single Tier Server (GUI) page for the example CAPolicy.inf file if needed.

Warning:  If creating a new replacement issuing (including single tier) server, use the CAPolicy.inf with the “LoadDefaultTemplates=0” line added.  When server is ready to issue, manually add the certificate templates.

This is both an enterprise root CA and issuing CA so it must be on the domain before running the following commands.

Install CA Role:

In the PowerShell terminal as administrator:

Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools 

Install-AdcsCertificationAuthority –CAType EnterpriseRootCA –CACommonName "ContosoRootCA" –KeyLength 4096 –HashAlgorithmName SHA256 –CryptoProviderName "RSA#Microsoft Software Key Storage Provider"

Post Install Configuration:

Open command prompt as administrator. Don’t make these too short if using LDAP. Consider OCSP instead.

NOTE:  There are many settings.  These are pretty minimal.

Certutil -setreg CA\RenewalKeyLength 4096
Certutil -setreg CA\RenewalValidityPeriod "Years"
Certutil -setreg CA\RenewalValidityPeriodUnits 20
Certutil -setreg CA\AlternateSignatureAlgorithm 0
Certutil -setreg CA\CRLPeriodUnits 1 
Certutil -setreg CA\CRLPeriod "Weeks"  
     -- Next two if CRL Deltas are used (which I usually don't)--
Certutil -setreg CA\CRLDeltaPeriodUnits 1 
Certutil -setreg CA\CRLDeltaPeriod "Days"

Add CDP (CRL Distibution Point) – (The order of these matters):

You may not need all of these. I listed all as examples of how to do them because good examples are hard to find else where. Select only the ones you need and read the examples carefully.

First remove the default CDP points using PowerShell:

$crllist = Get-CACrlDistributionPoint; foreach ($crl in $crllist) {Remove-CACrlDistributionPoint $crl.uri -Force};

Use the following as needed (copy/paste not necessarily a good idea here):

Add-CACRLDistributionPoint -Uri C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl -PublishToServer -PublishDeltaToServer

In “Certificate Authority” (certsrv GUI), check the following:

"Publish CRLs to this location"
"Publish delta CRLs to this location"

In PowerShell window:

Add-CACRLDistributionPoint -Uri "ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10" -AddToCrlCdp -AddToCertificateCdp -PublishToServer

In “Certificate Authority” (certsrv GUI), check the following:

"Publish CRL's to this location"
"Include in all CRLs. Specifies where to publish in the Active Directory when publishing manually"
"Include in the CDP extension of certificates"

In PowerShell window:

Add-CACRLDistributionPoint -Uri http://www.contoso.com/pki/%3%8%9.crl -AddToCertificateCDP -AddToFreshestCrl

In “Certificate Authority” (certsrv GUI), check the following:

"Include in CRLs. Clients use this to find delta CRL locations"
"Include in the CDP extension of issued certificates"

In PowerShell window:

Add-CACRLDistributionPoint -Uri file://\\App1.corp.contoso.com\pki\%3%8%9.crl -PublishToServer -PublishDeltaToServer

In “Certificate Authority” (certsrv GUI), check the following:

"Publish CRLs to this location"
"Publish Delta CRLs to this location"

Add AIA  (Authority Information Access) – (The Order Matters):

First remove the default CDP points using PowerShell:

Get-CAAuthorityInformationAccess | where {$_.Uri -like '*ldap*' -or $_.Uri -like '*http*' -or $_.Uri -like '*file*'} | Remove-CAAuthorityInformationAccess -Force

Use the following as needed (copy/paste not necessarily a good idea here):

Add-CAAuthorityInformationAccess -AddToCertificateAia "ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11"

In “Certificate Authority” (certsrv GUI), check the following:

"Include in the AIA extension of issued certificates"

In PowerShell window:

Add-CAAuthorityInformationAccess -AddToCertificateAia http://www.contoso.com/pki/%1_%3%4.crt

In “Certificate Authority” (certsrv GUI), check the following:

"Include in the AIA extension of issued certificates"

In PowerShell window:

Add-CAAuthorityInformationAccess -AddToCertificateAia file://\\App1.corp.contoso.com\pki\%1_%3%4.crt

Check our work:

Restart certificate services to activate this configuration in a PowerShell window:

restart-service certsvc

Trigger a manual publish of a certificate revocation list:

certutil -crl

C:\Windows\System32\CertSrv\CertEnroll – .crl’s date modified should change when CRL is published.

Check PKI health:

pkiview

Also check “Manage AD Containers” from the pkiview menu.

If CA Object Access Auditing is needed, see the page here.