Microsoft PKI – Two Tier Configuration

If you have not already read the first page in this MS PKI series, you should do so before continuing.

It is suggested that you read through all of this article prior to doing anything. In fact, you should understand what a “two-tier” PKI is and how it is used before continuing.

The instructions below are broken into two main parts. The first is for the root CA server and the second is for the issuing server(s). Note that "issuing server(s)" is plural, but only one set of instructions is provided; you must adapt the instructions to each additional server that you build.

Note also that within both sections are configuration items that involve setting up IIS for the CRL/AIA points. You should build the IIS server out as a separate server, not as part of the issuing server as I have done here (to save time and VM resources in my test environment).

Root CA server configuration

Install and set up the base server, BUT DO NOT join it to the domain. Also, you cannot change the server name after the role is installed!

Example CAPolicy.inf:

Create and copy CAPolicy.inf BEFORE installing the role; it is only read when the role is configured (and again at renewal). "RenewalValidityPeriodUnits" and "CRLPeriodUnits" should be high, as this is for a root CA that will be offline unless needed. Note that CRLPeriodUnits also sets how long the root can stay powered off: the root CRL must be re-published and copied to the web server before it expires, or revocation checks on the issuing CA certificate fail everywhere.

[Version] 
Signature="$Windows NT$" 
[Certsrv_Server] 
RenewalKeyLength=4096 
RenewalValidityPeriod=Years 
RenewalValidityPeriodUnits=10
CRLPeriod=Years 
CRLPeriodUnits=10
AlternateSignatureAlgorithm=0 
[CRLDistributionPoint] 
[AuthorityInformationAccess]

Copy the CAPolicy.inf to C:\windows  (%systemroot%) of root CA server.

Install CA Role:

Standalone root CA (i.e. - not on domain)
"Certification Authority" only.

RootCA – Configure ADCS:

 "Certification Authority"
 "Standalone CA"
 "Root CA"
 "Create Private Key"
  RSA default is ok, key length 4096, SHA256
 Common name
 "Validity period" - the wizard value becomes the root certificate's lifetime; make it equal to RenewalValidityPeriodUnits in CAPolicy.inf (10 years here).

After this is complete, check the certificate with MMC CertSRV.  It should match above settings.

 "Server Manager", "Tools", "Certification Authority"
      R-click CA, "Properties", "General" tab, "View Certificate" 

You must do the following (CDP and AIA) before issuing subordinate certificates!

These URLs are embedded in every certificate the root issues, i.e. the issuing CA certificates. Get them wrong and you have to start over, because the issuing CA certificate has to be re-issued after the fix.

In other words, plan ahead for ALL the required servers and names (the DNS alias and the web path)! Again, see the top of this page.

NOTE: I have seen it stated that the AIA/CDP information should not be established on the root server. The root's own self-signed certificate carries no CDP/AIA extension either way; what is configured here only governs the certificates the root issues. We will set it up here because the MS examples do.

 "Server Manager", "Tools", "Certification Authority" (or MMC CertSRV - same thing)
      R-click CA, "Properties", "Extensions" tab 

Add CDP (CRL Distribution Point):

 Click Add and build the HTTP path using "Variable" and Insert, for example:
      http://pki.contoso.com/pki/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

 Check "Include in CRLs. Clients use this to find Delta CRL locations" and "Include in the CDP extension of issued certificates".
 Remove the default entries except the C:\Windows\... one (this is a standalone CA, so the ldap and file entries would not work anyway), or uncheck all boxes for each.

Add AIA (Authority Information Access):

 Click Add and build the HTTP path using "Variable" and Insert, for example:
      http://pki.contoso.com/pki/<ServerDNSName>_<CAName><CertificateName>.crt

 Check "Include in the AIA extension of issued certificates".
 Remove the default entries except the C:\Windows\... one (standalone CA, so no ldap or file publishing anyway), or uncheck all boxes for each.

Publish CRL (certutil -crl):

 R-click "Revoked Certificates"
 All Tasks, Publish

 CD to C:\Windows\system32\certsrv\certenroll; it now holds <CAName>.crl and <ServerDNSName>_<CAName>.crt.
 Copy the CRL and root certificate to C:\pki on the subordinate/web server (the root is off the network, so stage them on a USB drive or share to do that later). The same CRL has to be re-published and copied again before it expires.

Publish Root Certificate to AD:

 Copy the root certificate to a domain joined server such as the issuing server.
      Open PowerShell terminal as admin (Enterprise Admin rights, since this writes to the Configuration partition).
           certutil -dspublish -f <name>.crt RootCA

 This puts the root into the Certification Authorities container in AD, from which domain members add it to their Trusted Root store automatically.
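The whole root CA build above (CAPolicy.inf, role install, CDP/AIA, first CRL) as one script. This is an added example, not code from the original page or from Microsoft, and it is run elevated on the workgroup root before the role is installed. The CA common name ROOT-CA and the web path http://pki.contoso.com/pki come from this page; the staging folder C:\pki-export is an assumption. Two settings go beyond what the page sets and are labelled in the code: delta CRLs are switched off for the root, and CA\ValidityPeriod is set on the root because that, not the subordinate's CAPolicy.inf, decides how long the issuing CA certificate will be valid.

```powershell
# Added example, not code from the original page. Run as a local administrator on the
# offline, workgroup (never domain-joined) root CA server BEFORE the role is installed.
$CaName   = "ROOT-CA"                     # common name; the subordinate request is signed by this CA
$HttpBase = "http://pki.contoso.com/pki"  # CDP/AIA web location from the page
$Stage    = "C:\pki-export"               # assumption: files staged here go to USB for the other servers
$Enroll   = "$env:SystemRoot\System32\CertSrv\CertEnroll"

# 1. CAPolicy.inf is read only when the role is configured (and at renewal), so write it first.
#    Single-quoted here-string: nothing is expanded, so "$Windows NT$" stays literal.
#    CRLDeltaPeriodUnits=0 is an addition to the page's file: an offline root has no use for delta CRLs.
@'
[Version]
Signature="$Windows NT$"
[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
CRLPeriod=Years
CRLPeriodUnits=10
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
AlternateSignatureAlgorithm=0
[CRLDistributionPoint]
[AuthorityInformationAccess]
'@ | Set-Content -Path "$env:SystemRoot\CAPolicy.inf" -Encoding ASCII

# 2. Role install and a standalone root CA with the settings the wizard asks for (RSA 4096, SHA-256, 10 years).
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools | Out-Null
Install-AdcsCertificationAuthority -CAType StandaloneRootCA -CACommonName $CaName `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -KeyLength 4096 `
    -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 10 -Force

# 3. CDP and AIA. These URLs go into every certificate this root signs, i.e. the issuing CA
#    certificates, so they must be right before any request is submitted. Flag prefix:
#    1 = publish to this location, 2 = include in the CDP/AIA extension of issued certificates.
#    Local CertEnroll path for publishing, HTTP path for clients; no ldap/file on a workgroup CA.
#    certutil takes the literal "\n" as the separator; PowerShell does not expand it.
certutil -setreg CA\CRLPublicationURLs    "1:$Enroll\%3%8%9.crl\n2:$HttpBase/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:$Enroll\%1_%3%4.crt\n2:$HttpBase/%1_%3%4.crt"

# 4. Not on the page: the lifetime of certificates this root issues (the issuing CA certs) is
#    governed by these registry values on the root, not by the subordinate's CAPolicy.inf.
#    The default is one year; 5 years is an assumption for a lab.
certutil -setreg CA\ValidityPeriodUnits 5
certutil -setreg CA\ValidityPeriod "Years"

# 5. Pick up the registry changes, publish the first CRL and stage the files for transport.
#    CertEnroll then holds ROOT-CA.crl and <hostname>_ROOT-CA.crt.
Restart-Service certsvc
certutil -crl
New-Item -Path $Stage -ItemType Directory -Force | Out-Null
Copy-Item "$Enroll\*.crl","$Enroll\*.crt" -Destination $Stage

# 6. Checks: the URLs are what you think, and the root's own certificate carries no CDP/AIA
#    (it is self-signed; the extensions configured above apply only to certificates it issues).
#    Expect only the NotAfter line from the dump filter below.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
Get-ChildItem "$Stage\*.crt" | ForEach-Object {
    certutil -dump $_.FullName | Select-String "CRL Distribution|Authority Information Access|NotAfter"
}
```

The staged .crt and .crl are what the issuing server and the web server need; the root itself stays off the network, so move them by removable media.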


Issuing (subordinate) server configuration

NOTE:  IIS is recommended as the distribution point for the CRL Distribution Point (CDP) and the Authority Information Access (AIA) point. It should typically be a separate server, possibly in the DMZ, depending on the PKI requirements.  Here I am installing it on the issuing server, but this is not recommended.  It also creates problems when later moving to a new PKI system, since the URLs baked into issued certificates then point at the old CA host, so just be aware of that. Keep the CDP/AIA URLs plain HTTP: a client fetching a CRL over HTTPS would first have to validate the web server's certificate, which itself needs a CRL.

Subordinate CAs are intermediate (policy) and/or issuing CAs, and can be Enterprise (domain-joined) or standalone. We will place ours on the domain as an Enterprise CA.

Set up the base server: join it to the domain and name it. You cannot change the server name after the role is installed!

Add Root Certificate and Root CRL to the issuing server's local store:

NOTE: When certsvc starts, the issuing CA validates its own certificate chain, revocation check included, so it needs the root certificate trusted and a current root CRL available. Putting both in the local store now avoids the service refusing to start with a "revocation server offline" error before the CDP web location is up. Otherwise, the root cert can be obtained via AD/GPO and the root CRL via the CDP location, once both are configured.

Copy the root certificate and root CRL to the domain joined issuing server.
 
Open PowerShell terminal as admin.
 certutil -addstore -f root <name>.crt
 certutil -addstore -f root <name>.crl 

NOTE: This is the GUI equivalent of the certutil -addstore step above; doing both is harmless:

Install ROOT-CA certificate on subordinate server:

 D-click ROOT-CA certificate, "Install Certificate", "Local Machine",
      "Place all certificates in the following store", select "Trusted Root Certification Authorities"

 Check in certlm.msc (or the browser's certificate viewer, which reads the same machine store) that the ROOT-CA certificate shows up under Trusted Root Certification Authorities.

Create DNS cname for the following in DNS server:

 pki.contoso.com  --> issuingca.contoso.com 

Install the IIS Role:

Should be obvious to an MS admin.

Setup CDP and AIA distribution point directory for web access:

Create directory: C:\pki
      New-Item -Path C:\pki -type directory

Create a share (Cert Publishers holds the enterprise CAs' computer accounts, which is what lets each CA write its CRLs here through the file:// CDP entry set later):
      New-SmbShare -Name pki -Path C:\pki -FullAccess SYSTEM,"contoso\Domain Admins" -ChangeAccess "contoso\Cert Publishers"
  
Copy ROOT-CA certificate and Certificate Revocation List to C:\pki 

In IIS – Setup a Virtual Directory:

Sites, r-click "Default Web Site", "Add Virtual Directory"
      Alias = "pki"
      Physical path = "c:\pki"
 
Select "pki", "Edit permissions", Security tab, edit
      Grant access to "anonymous logon", "Everyone" (read and list). Anonymous requests in IIS run as IUSR, which Everyone covers.
 
"Request Filtering", "Edit Feature Settings",  
      Check "Allow Double Escaping" (delta CRL file names contain a "+", which request filtering rejects otherwise)
 
Restart IIS 
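The DNS alias, share, NTFS rights, virtual directory and request-filtering change above as one script, with a fetch check at the end. This is an added example, not code from the original page. The names pki.contoso.com, issuingca.contoso.com, C:\pki and the share name come from the page; the domain NetBIOS name CONTOSO is an assumption (the page writes it as "contoso\..."). The NTFS grant for Cert Publishers is an addition the page does not make: share permissions alone do not let the CA write through a file:// CDP entry.

```powershell
# Added example, not code from the original page. Run elevated on the domain-joined server that
# will answer for http://pki.contoso.com/pki (the issuing server here; ideally a separate web server).
# Assumption: the domain's NetBIOS name is CONTOSO.
$Domain = "CONTOSO"
$PkiDir = "C:\pki"
$Alias  = "pki.contoso.com"

# 1. DNS alias for the CDP/AIA host. Run this line on a DNS server (or add -ComputerName <dns-server>).
#    Keeping the alias separate from the machine name lets the web location move to another host later.
Add-DnsServerResourceRecordCName -ZoneName "contoso.com" -Name "pki" -HostNameAlias "issuingca.contoso.com"

# 2. Web role, directory, and the SMB share the CAs publish into through their file:// CDP entry.
Install-WindowsFeature Web-Server -IncludeManagementTools | Out-Null
New-Item -Path $PkiDir -ItemType Directory -Force | Out-Null
New-SmbShare -Name pki -Path $PkiDir -FullAccess "SYSTEM","$Domain\Domain Admins" -ChangeAccess "$Domain\Cert Publishers"

# 3. NTFS rights. The effective right is the more restrictive of share and NTFS, so the share's
#    Change for Cert Publishers (each enterprise CA's computer account joins it at install) needs a
#    matching Modify here. IIS anonymous requests run as IUSR, which Everyone covers, so Everyone
#    gets read/list as on the page. Inheritance from C:\ is cut so nothing else leaks in.
icacls $PkiDir /inheritance:r /grant `
    "SYSTEM:(OI)(CI)F" `
    "BUILTIN\Administrators:(OI)(CI)F" `
    "$Domain\Domain Admins:(OI)(CI)F" `
    "$Domain\Cert Publishers:(OI)(CI)M" `
    "Everyone:(OI)(CI)RX" | Out-Null

# 4. Virtual directory /pki on the Default Web Site; anonymous authentication (the IIS default) stays on.
Import-Module WebAdministration
New-WebVirtualDirectory -Site "Default Web Site" -Name "pki" -PhysicalPath $PkiDir | Out-Null

# 5. Delta CRL file names end in "+.crl"; request filtering rejects the "+" unless double escaping is allowed.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\pki" `
    -Filter "system.webServer/security/requestFiltering" -Name "allowDoubleEscaping" -Value $true

iisreset | Out-Null

# 6. Check from any domain member once the root's .crt and .crl have been copied into C:\pki:
#    every file must be fetchable over plain HTTP (HTTPS would need a chain of its own to validate).
function Test-PkiUrls {
    param([string]$Base = "http://$Alias/pki", [string]$Dir = $PkiDir)
    Get-ChildItem -Path $Dir -File | ForEach-Object {
        $r = Invoke-WebRequest -UseBasicParsing -Uri "$Base/$($_.Name)"
        "{0,-40} HTTP {1} {2,8} bytes" -f $_.Name, $r.StatusCode, $r.RawContentLength
    }
}
Test-PkiUrls
```

Run Test-PkiUrls again after the issuing CA has published its first delta CRL; a 404 on the "+.crl" file means the double-escaping change did not take.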

Example CAPolicy.inf:

The issuing CA's certificate lifetime is decided by the root CA (its CA\ValidityPeriod settings), not by this file, and a certificate cannot outlive its issuer, so "RenewalValidityPeriodUnits" cannot be higher than on the root CA. LoadDefaultTemplates=0 stops the new CA from publishing the default templates, so nothing can be enrolled until you deliberately add the templates you want.

 [Version]  
 Signature="$Windows NT$"  
 [Certsrv_Server]  
 RenewalKeyLength=4096  
 RenewalValidityPeriod=Years  
 RenewalValidityPeriodUnits=9
 AlternateSignatureAlgorithm=0
 LoadDefaultTemplates=0 
 [CRLDistributionPoint]  
 [AuthorityInformationAccess] 

Copy CAPolicy.inf to C:\windows  (%systemroot%) of the server.

Install CA Role:

NOTE: If you need other roles such as “Certification Authority Web Enrollment” (I don’t yet cover these other roles in the blog), also do them now.

 "Active Directory Certificate Services"
 "Certification Authority"
     Read descriptions for others you may need. 

Configure ADCS Subordinate (Issuing):

What you chose above may also affect the choices here.

 Select "Certification Authority"
 "Enterprise CA"
 "Subordinate CA"
 "Create Private Key"
 RSA default is ok, key length 4096, SHA256
 Common name
 "Request a certificate from parent CA":
      If rootCA online, choose "Send a certificate request to parent CA"
      If rootCA offline, choose "Save a certificate request to file on target machine"
 Finish configuration wizard steps 

Copy the issuing server request to the rootCA.

In root CA MMC certsrv:

 R-click "ROOT-CA", "All Tasks", "Submit new request", select request file
 Open "Pending Requests", R-click, "All tasks", "Issue"
 Open "Issued Certificates", R-click, "Open", "Details", "Copy to file" (.P7B)

Copy certificate back to subordinate CA server.

In the issuing server MMC certsrv:

 R-click CA server, "All Tasks", "Install CA Certificate", select certificate
 From C:\pki, copy ROOT-CA certificate and Certificate Revocation List to C:\Windows\system32\certsrv\certenroll
 R-click CA server,  "All Tasks", "Start Service" 

Post Install Configuration:

Set CDP (this is all in one command). The number in front of each URL is a flag bitmask: 1 = publish CRLs to this location, 2 = include in the CDP extension of issued certificates, 4 = include in CRLs as the delta CRL location, 8 = include in all CRLs (the AD location used when publishing manually), 64 = publish delta CRLs to this location. The file:// entry points at the pki share created above; since that share lives on the issuing server in this setup, the host is the issuing server's own name (issuingca.contoso.com, the CNAME target above), and the CA's computer account writes there through its Cert Publishers membership:

 certutil -setreg CA\CRLPublicationURLs "65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n6:http://pki.contoso.com/pki/%3%8%9.crl\n65:file://\\issuingca.contoso.com\pki\%3%8%9.crl"

Set AIA (this is all in one command; 1 = publish the CA certificate to this location, 2 = include in the AIA extension of issued certificates):

 certutil -setreg CA\CACertPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n2:http://pki.contoso.com/pki/%1_%3%4.crt"

Additional settings from the command line as administrator. *These are short for testing only.* CRLPeriod and CRLDeltaPeriod set how long each CRL is valid, CRLOverlapPeriod is the extra time the old CRL stays valid after the new one is published (time to copy it to the web server), and ValidityPeriod is the cap on the lifetime of any certificate this CA issues, whatever the template says:

 Certutil -setreg CA\CRLPeriodUnits 2
 Certutil -setreg CA\CRLPeriod "Days"
 Certutil -setreg CA\CRLDeltaPeriodUnits 1
 Certutil -setreg CA\CRLDeltaPeriod "Days"
 Certutil -setreg CA\CRLOverlapPeriodUnits 3
 Certutil -setreg CA\CRLOverlapPeriod "Hours"
 Certutil -setreg CA\ValidityPeriodUnits 5
 Certutil -setreg CA\ValidityPeriod "Years" 

Copy Issuing CA Certificate to C:\pki AIA Location:

 Copy "C:\Windows\System32\certsrv\certenroll\< Issuing CA Cert>.crt" to C:\pki\ 

Restart service and publish CRLs:

restart-service certsvc
 
certutil -crl 

Check AIA and CDP PKI health:

 MMC, add snapin "Enterprise PKI" (pkiview.msc)
      AIA location "OK"
      CDP location "OK" 

View AIA and CDP settings:

 certutil -getreg CA\CACertPublicationURLs
 certutil -getreg CA\CRLPublicationURLs
      -or-
 Open "Tools", "Certification Authority" (MMC CertSRV), "Properties", "Extensions" tab 
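The issuing CA build and post-install steps above, scripted end to end including the round trip to the root and a chain check at the end. This is an added example, not code from the original page. Names the page does not fix are assumptions: the root CA host is ROOTCA01 while it is briefly reachable for signing (so its certreq config string is "ROOTCA01\ROOT-CA" and its certificate file is ROOTCA01_ROOT-CA.crt), the issuing CA is named ISSUING-CA, and the root's staged files are already in C:\pki. The CDP/AIA strings are the page's, with the file:// host being the issuing server from the DNS section. Run elevated as an Enterprise Admin.

```powershell
# Added example, not code from the original page. Assumed names: root host ROOTCA01, issuing CA ISSUING-CA.
$RootConfig = "ROOTCA01\ROOT-CA"
$SubCaName  = "ISSUING-CA"
$PkiDir     = "C:\pki"
$Enroll     = "$env:SystemRoot\System32\CertSrv\CertEnroll"
$ReqFile    = "$PkiDir\$SubCaName.req"
$CertFile   = "$PkiDir\$SubCaName.cer"

# --- issuing server: trust the root first. certsvc checks its own chain, revocation included, at
#     start-up, so a missing root cert or root CRL means the service will not start later.
certutil -addstore -f Root "$PkiDir\ROOTCA01_ROOT-CA.crt"
certutil -addstore -f Root "$PkiDir\ROOT-CA.crl"
certutil -dspublish -f "$PkiDir\ROOTCA01_ROOT-CA.crt" RootCA   # domain-wide trust via AD

# --- issuing server: role install. CAPolicy.inf (with LoadDefaultTemplates=0) is already in %SystemRoot%.
#     With -OutputCertRequestFile the CA is left unfinished until its certificate is installed.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools | Out-Null
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA -CACommonName $SubCaName `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -KeyLength 4096 `
    -HashAlgorithmName SHA256 -OutputCertRequestFile $ReqFile -Force

# --- root CA (request carried over by USB): submit, approve, retrieve. A standalone root holds the
#     request as pending, so approval (-resubmit) is a separate step.
$submit = certreq -submit -config $RootConfig $ReqFile
$reqId  = ([regex]::Match(($submit -join "`n"), 'RequestId:\s*"?(\d+)')).Groups[1].Value
certutil -config $RootConfig -resubmit $reqId
certreq -retrieve -config $RootConfig $reqId $CertFile

# --- issuing server: install the CA certificate (chain builds because the root is trusted) and start.
certutil -installcert $CertFile
Start-Service certsvc

# --- post-install. Flag prefix: 1 publish, 2 include in issued certs, 4 delta-CRL pointer in CRLs,
#     8 include in all CRLs, 64 publish delta here. The file:// entry is the pki share on this server;
#     the short CRL periods are for the lab only.
$settings = [ordered]@{
    "CA\CRLPublicationURLs"    = "65:$Enroll\%3%8%9.crl\n79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n6:http://pki.contoso.com/pki/%3%8%9.crl\n65:file://\\issuingca.contoso.com\pki\%3%8%9.crl"
    "CA\CACertPublicationURLs" = "1:$Enroll\%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n2:http://pki.contoso.com/pki/%1_%3%4.crt"
    "CA\CRLPeriodUnits"        = 2;  "CA\CRLPeriod"        = "Days"
    "CA\CRLDeltaPeriodUnits"   = 1;  "CA\CRLDeltaPeriod"   = "Days"
    "CA\CRLOverlapPeriodUnits" = 3;  "CA\CRLOverlapPeriod" = "Hours"
    "CA\ValidityPeriodUnits"   = 5;  "CA\ValidityPeriod"   = "Years"   # cap on anything this CA issues
}
foreach ($k in $settings.Keys) { certutil -setreg $k $($settings[$k]) | Out-Null }
Restart-Service certsvc
certutil -crl                                                # CertEnroll, AD (ldap) and the file share
Copy-Item "$Enroll\*_$SubCaName*.crt" -Destination $PkiDir   # AIA copy for the web server

# --- checks. certutil -verify -urlfetch builds the chain the way a client does, fetching every
#     AIA and CDP URL in the issuing CA certificate; pkiview.msc shows the same as OK/Error.
certutil -verify -urlfetch $CertFile
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
```

If certutil -verify reports a revocation failure, the root's CRL is not reachable at the HTTP CDP baked into the issuing CA certificate; fix the web location rather than the CA, since the URL in the certificate cannot change.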

Microsoft PKI – Port Requirements for Firewalls

Pretty basic, although the high ports are a gotcha: after the endpoint mapper on TCP 135 hands out a dynamic port, the RPC/DCOM traffic the CA uses for enrollment and management (MMC, certreq, autoenrollment) runs on it, so the whole range must be open between clients and the CA. SMB is what the file:// CRL publication to the pki share uses.

Application protocol               Protocol   Ports
RPC (endpoint mapper)              TCP        135
SMB                                TCP        445, 139
Randomly allocated high ports      TCP        Random port numbers between 49152 and 65535

For the web-based portions of PKI, you will also need the standard web ports:

Application protocol               Protocol   Ports
Web (HTTP CDP/AIA)                 TCP        80
Web SSL                            TCP        443

Microsoft PKI – My Master Links to Documentation

Here is a list of links to what I would consider the best of the documentation that I have found so far. Finding this stuff is not without its issues. Microsoft has moved and archived most of it. Indeed, one of these pages was on one site one day and missing the next, as I was using it. It took a whole lot of searching to find it again.

These first two links are the “Master” pages; links galore including the others below:

Active Directory Certificate Services (AD CS) Public Key Infrastructure (PKI) Design Guide

https://social.technet.microsoft.com/wiki/contents/articles/7421.active-directory-certificate-services-ad-cs-public-key-infrastructure-pki-design-guide.aspx

Windows PKI Documentation Reference and Library

https://social.technet.microsoft.com/wiki/contents/articles/987.windows-pki-documentation-reference-and-library.aspx


Technology overviews:

PKI:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc779826(v=ws.10)

Certificates:

https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc700805(v=technet.10)?redirectedfrom=MSDN

Certification Authority Guidance

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831574(v=ws.11)


Tier Deployment:

ADCS Step by Step Guide: Single Tier PKI Hierarchy Deployment

https://social.technet.microsoft.com/wiki/contents/articles/11750.adcs-step-by-step-guide-single-tier-pki-hierarchy-deployment.aspx

AD CS Step by Step Guide: Two Tier PKI Hierarchy Deployment

https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx

Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831348(v=ws.11)


Individual Tools and Topics:

certutil – command line Swiss Army Knife tool

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)?redirectedfrom=MSDN

Quick Check on ADCS Health Using Enterprise PKI Tool (PKIVIEW)

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/quick-check-on-adcs-health-using-enterprise-pki-tool-pkiview/ba-p/1128638

PowerShell ADCS Deployment

https://docs.microsoft.com/en-us/powershell/module/adcsdeployment/?view=win10-ps

PowerShell ADCS Administration

https://docs.microsoft.com/en-us/powershell/module/adcsadministration/?view=win10-ps

CAPolicy.inf Syntax

https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/prepare-the-capolicy-inf-file

Firewall Rules:

https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/service-overview-and-network-port-requirements

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/firewall-rules-for-active-directory-certificate-services/ba-p/1128612

Disaster Recovery:

Disaster Recovery Procedures for Active Directory Certificate Services (ADCS)

https://docs.microsoft.com/en-us/archive/blogs/pki/disaster-recovery-procedures-for-active-directory-certificate-services-adcs

Local Auditing Policy Setup:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc739760(v=ws.10)?redirectedfrom=MSDN


Decommissioning/Replacing a CA:

Good short review of process:

https://serverfault.com/questions/276342/adding-new-root-enterprise-ca-without-disturbing-existing-one

How to decommission a Windows enterprise certification authority and remove all related objects

NOTE: This appears to contain info to wipe out the whole existing PKI.  Might want to go easy here.

https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/decommission-enterprise-certification-authority-and-remove-objects

Decommissioning an Old Certification Authority without affecting Previously Issued Certificates and then Switching Operations to a New One

https://docs.microsoft.com/en-us/archive/blogs/pki/decommissioning-an-old-certification-authority-without-affecting-previously-issued-certificates-and-then-switching-operations-to-a-new-one

Nice blog and hard to find (referenced in above article):

https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/moving-your-organization-from-a-single-microsoft-ca-to-a/ba-p/398161