Public Key Infrastructure Part 3 – implement a PKI with Active Directory Certificate Services

In this part I'm going to install a Public Key Infrastructure consisting of an offline Root CA and an online Sub CA. The offline Root CA is installed on a server that is not a member of Active Directory and is shut down once the PKI is installed; it is only booted again to sign a new Sub CA certificate or to publish a new CRL. The Sub CA is an enterprise CA because it is joined to Active Directory and is always online. My Root CA server is called VMPKI01 and the Sub CA server is called VMPKI02.

This topic is part of a series of articles about Public Key Infrastructure. If you are not comfortable with AIA, CA, CDP or PKI in general, I recommend reading the previous parts of this series first.

Active Directory Certificate Services role installation

This part must be done on every Certification Authority server (VMPKI01 and VMPKI02).

First, open the Server Manager and select Add Roles and Features as below.

On the Select Server Roles screen, select Active Directory Certificate Services.

On the Select role services screen, select only Certification Authority. The other role services (Web Enrollment, Online Responder and so on) are not needed for this part.

To finish, click on Install.

Root CA configuration (VMPKI01)

Certification authority service configuration

Open the Server Manager and click on the flag (notifications). Select Configure Active Directory Certificate Services as below.

The first screen of the AD CS Configuration wizard informs you that, to install a Standalone Certification Authority, you need an account that is a member of the local Administrators group.

Tick the Certification Authority check box and click Next.

On the Setup Type screen you have no choice: because VMPKI01 is not joined to a domain, only Standalone CA is available.

On the CA Type screen, select Root CA and click next.

On the Private Key screen, select Create a new private key. The other options (use an existing private key) are used when you rebuild a CA after a disaster or migrate it to another server.

On the next screen, I advise you to use a key length of at least 4096 bits and a hash algorithm of at least SHA256 (MD5 and SHA-1 are vulnerable to collision attacks and must not be used to sign CA certificates). These choices cannot be changed later without renewing the CA certificate with a new key pair, so get them right now.

Next, specify a common name for your CA. I choose to keep the default value.

On the Validity Period screen, select the validity period of the self-signed Root CA certificate, which is used to sign the Sub CA certificates. As a best practice, this type of certificate has a validity period of between 10 and 20 years. Keep in mind that a CA never issues a certificate that outlives its own certificate: if the Root CA certificate is shorter than the validity period configured later for Sub CA certificates, AD CS truncates the Sub CA certificate to the remaining lifetime of the root.

Next, choose the database locations. It is recommended to store the database on a separate disk.

To finish, click on configure to run the CA configuration.

Now you can open Certification Authority console (as below).

Extensions configuration (AIA and CDP)

Before signing any certificates, it is necessary to configure the CDP and the AIA extensions. Every certificate signed before these extensions are configured will contain no CDP or AIA information, and you will have to reissue it. To configure CDP and AIA, open the Certification Authority console and right click on the CA name (as below). Select Properties.

Navigate to the Extensions tab. On the CRL Distribution Point (CDP) menu there are some settings to modify. First I delete every CDP location except the LDAP one.

I add a CDP located at D:\CRL. The location uses the CA variables (such as <CaName> and <CRLNameSuffix>) to build the CRL file name; in this example the CRL will be called VMPKI01-CA.crl.

Verify that the CDP you have just added has the publish options ticked for both the CRL and the Delta CRL, as below.

For the LDAP CDP, make sure that the options are configured as below. The first checkbox (Include in all CRLs) writes the Active Directory path into the CRL itself, which tells certutil where to store it when you later publish the CRL to Active Directory by hand. The second option (Include in the CDP extension of issued certificates) adds the LDAP location to the CDP extension of every certificate this CA signs; clients use this extension to locate and download the CRL. Publish CRLs to this location stays unticked for the LDAP location: the Root CA is not domain-joined and cannot write to Active Directory itself, which is why the CRL is published to Active Directory manually later in this article.

Next I navigate to the Authority Information Access (AIA) menu. As for the CDP, I remove every location except LDAP. Verify that the option Include in the AIA extension of issued certificates is ticked for the LDAP location. Clients use the path in the AIA extension to download the issuing CA certificate when they build the certificate chain.

Next I add my custom local path where the CA certificate is published.

Once the extensions are set, click on Apply. You will be asked to restart Certificate Services. Select Yes.

Now I publish a CRL to validate my settings. For that, right click on Revoked Certificates, select All Tasks and Publish.

Now that my CRL is published, I navigate to D:\CRL and, as you can see below, the CRL file is there.

CRL and Certificate Validity period

The Root CA only signs the CA certificate of the Sub CA, so the validity period of the certificates it issues and of its CRL can be increased. These settings live in the registry under HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>. To change the validity period of the certificates it signs, set ValidityPeriodUnits to 20. Because ValidityPeriod is set to Years, certificates signed by my Root CA will be valid for 20 years (the default for a standalone CA is 1 year, which is far too short for a Sub CA certificate). Remember that this value is capped by the remaining lifetime of the Root CA certificate itself. You can do this with these commands:

certutil -setreg CA\ValidityPeriodUnits 20
certutil -setreg CA\ValidityPeriod "Years"


The CRL validity period can also be increased, because this CA only signs Sub CA certificates and revocations will be rare. Set CRLPeriodUnits to 12: because CRLPeriod is set to Weeks, the Root CA CRL will be valid for 12 weeks. The longer period has a price: you must boot the Root CA, publish a new CRL and publish it to Active Directory again before the current one expires, otherwise every certificate chaining to this root fails revocation checking. Put that date in your calendar. You can do this using these commands:

certutil -setreg CA\CRLPeriodUnits 12
certutil -setreg CA\CRLPeriod "Weeks"

To finish, restart the CertSvc service (net stop certsvc && net start certsvc).

Variables configuration

When we set the CDP and AIA extensions earlier, we used variables. There are also variables for the Distinguished Name in Active Directory where the CA publishes its information (the LDAP CDP and AIA locations use <ConfigurationContainer>). Because my Root CA is not a member of an Active Directory domain, it cannot discover this Distinguished Name (DN) by itself, so it has to be set manually with certutil. The value is the DN of the Configuration naming context of your forest:

certutil -setreg CA\DSConfigDN "CN=Configuration,DC=My,DC=Domain"

Below is an example from my environment:

Next, you have to restart the CertSvc service (net stop certsvc && net start certsvc). To verify the configuration, publish the CRL again and open it. In the General tab, you should see the Published CRL Locations field. If the value of this field contains the DN you specified previously, the configuration is correct:
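The registry changes from the last two sections, applied on the offline Root CA and checked, as an added example that is not part of the original article. It assumes the lab values used here (CA name VMPKI01-CA, CRL folder D:\CRL) and a placeholder Configuration DN that you replace with the one read from your own forest:

```powershell
# Added example, not the article's own script. Run on VMPKI01 as local admin.
# Step 0, on a domain-joined machine such as VMPKI02, get the exact value
# to type on the workgroup Root CA:
#   ([ADSI]'LDAP://RootDSE').configurationNamingContext
$ConfigDN = 'CN=Configuration,DC=my,DC=domain'     # assumed lab value, replace it

# Sub CA certificates signed by this root: 20 years (capped by the root's
# own certificate lifetime, see the check at the end)
certutil -setreg CA\ValidityPeriodUnits 20
certutil -setreg CA\ValidityPeriod 'Years'

# Base CRL valid for 12 weeks; few revocations are expected on a root that
# only signs Sub CA certificates
certutil -setreg CA\CRLPeriodUnits 12
certutil -setreg CA\CRLPeriod 'Weeks'

# DN that the <ConfigurationContainer> (%6) variable expands to. A workgroup
# CA cannot discover it, so it is set by hand.
certutil -setreg CA\DSConfigDN $ConfigDN

Restart-Service certsvc

# Publish a fresh CRL and confirm it carries the LDAP publication path
certutil -CRL | Out-Null
$crlFile = 'D:\CRL\VMPKI01-CA.crl'
$dump = certutil -dump $crlFile
if ($dump -match [regex]::Escape($ConfigDN)) {
    "OK: $crlFile references $ConfigDN in its Published CRL Locations"
} else {
    Write-Warning "$crlFile does not reference $ConfigDN; check DSConfigDN and the LDAP CDP flags"
}

# Read back the effective values and compare them with the Root CA certificate
$active = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active
$cfg    = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$active"
"$active issues certificates for $($cfg.ValidityPeriodUnits) $($cfg.ValidityPeriod); CRL valid $($cfg.CRLPeriodUnits) $($cfg.CRLPeriod)"

# The CA's own certificate (with its private key) is in the machine Personal store
$rootCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$active" } | Select-Object -First 1
$wanted = (Get-Date).AddYears($cfg.ValidityPeriodUnits)
if ($rootCert -and $rootCert.NotAfter -lt $wanted) {
    Write-Warning ("Root certificate expires {0:d}; a Sub CA certificate issued today is truncated to that date" -f $rootCert.NotAfter)
}
```

The last check is the one people forget: a 10-year root with a 20-year ValidityPeriod silently hands the Sub CA a certificate that expires with the root.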

Publish Root CA CRL and AIA to Active Directory

The first time, you must be logged on with an Enterprise Admins account to publish the certificate and the CRL in Active Directory: the target containers live under CN=Public Key Services in the Configuration partition of the forest.

To finish the Root CA configuration, it is necessary to publish the CRL and the Root CA certificate in Active Directory. Because the Root CA is not domain-joined, this cannot be done from VMPKI01. Copy the Root CA certificate (the .crt file, which AD CS writes to C:\Windows\System32\CertSrv\CertEnroll when the CA is configured; certutil -ca.cert <file> exports it as well) and the CRL file from D:\CRL to a domain-joined server, VMPKI02 in my case, and run the commands below from there:

Publish CRL: certutil -dspublish -f <CRLFile> <CDPContainer>, where <CDPContainer> is the CN of the container the LDAP CDP path points to (CN=<ServerShortName>, that is VMPKI01 in this lab). The name must match the path you configured in the CDP extension, otherwise clients look for the CRL in one place while it is stored in another.

Publish CA Certificate: certutil -dspublish -f <CACertificateFile> RootCA. The RootCA keyword publishes the certificate both in the AIA container and in the Certification Authorities container, from which domain members pick it up in their Trusted Root Certification Authorities store at the next Group Policy refresh (gpupdate /force).
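The publication step above, scripted on the domain-joined Sub CA server and followed by a check that the objects really landed in the directory. This is an added example and not the article's own script; the file locations and the Root CA short name VMPKI01 are assumed from this lab, and it must run as a member of Enterprise Admins:

```powershell
# Added example, not from the original article. Run on VMPKI02 (domain-joined).
$RootCert   = 'C:\Temp\VMPKI01-CA.crt'   # copied from VMPKI01 CertEnroll folder (assumed path)
$RootCrl    = 'C:\Temp\VMPKI01-CA.crl'   # copied from VMPKI01 D:\CRL (assumed path)
$RootCaHost = 'VMPKI01'                  # <ServerShortName> element of the LDAP CDP path

# Root CA certificate -> CN=Certification Authorities (trusted roots) and CN=AIA
certutil -dspublish -f $RootCert RootCA
# Base CRL -> CN=VMPKI01-CA,CN=VMPKI01,CN=CDP, the object the LDAP CDP URL resolves to
certutil -dspublish -f $RootCrl $RootCaHost

# Verify by listing the Public Key Services containers the two commands write to
$cfgDN = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pks   = "CN=Public Key Services,CN=Services,$cfgDN"
foreach ($path in @("LDAP://CN=Certification Authorities,$pks",
                    "LDAP://CN=AIA,$pks",
                    "LDAP://CN=$RootCaHost,CN=CDP,$pks")) {
    $container = [ADSI]$path
    $path
    foreach ($child in $container.Children) { '    ' + $child.distinguishedName }
}

# Pull the new trusted root into this machine's store without waiting for
# the next Group Policy refresh, then confirm the Sub CA server trusts it
gpupdate /force | Out-Null
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like 'CN=VMPKI01-CA*' } |
    Format-Table Subject, Thumbprint, NotAfter
```

If the CDP container listing is empty, the second argument to certutil -dspublish did not match the CN=<ServerShortName> part of the LDAP CDP path configured on the Root CA.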

Now the basic configuration of the Root CA is done. It is time to set the Sub CA.

Sub CA configuration (VMPKI02)

You have to connect with an enterprise admin account to install the enterprise Sub CA.

Connect to the Sub CA server and open the Server Manager. Select Configure Active Directory Certificate Services as below.

On the first screen, you can see that an Enterprise Admins account is needed to install an Enterprise Certification Authority.

On Role Services screen, select Certification Authority and click on next.

On Setup Type screen, select Enterprise CA and click on next.

On the next screen, select Subordinate CA.

On the Private Key screen, select Create a new private key. The other options are used to recover the CA after a disaster or to migrate it.

On the next screen, I advise you to use a key length of at least 4096 bits and a hash algorithm of at least SHA256 (MD5 and SHA-1 are vulnerable to collision attacks). As for the Root CA, these values cannot be changed later without renewing the CA certificate with a new key.

Next, specify a common name and the distinguished name suffix for your CA. I keep the default values.

Next, specify where to store the certificate request file (it is submitted to the Root CA in the next step) and click on Next.

Next, choose the database locations. It is recommended to store the database on a separate disk.

Click on configure to run the CA configuration.
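Both wizard runs above (the standalone Root CA on VMPKI01 and the enterprise Sub CA on VMPKI02) can be reproduced with the ADCSDeployment cmdlets. This is an added example, not the article's own script; the CA common names, the D:\ database paths and the request file path are assumptions for this lab, and each half must run on its own server with the account the wizard asks for:

```powershell
# Added example, not from the original article.

# --- Run on VMPKI01 (workgroup server, member of local Administrators) -------
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

Install-AdcsCertificationAuthority `
    -CAType StandaloneRootCA `
    -CACommonName 'VMPKI01-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 20 `
    -DatabaseDirectory 'D:\CertDB' `
    -LogDirectory 'D:\CertLog' `
    -Force

# Export the new Root CA certificate and confirm key size, hash and lifetime
certutil -ca.cert 'C:\VMPKI01-CA.crt' | Out-Null
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\VMPKI01-CA.crt'
"{0}: {1}-bit key, {2}, valid until {3:d}" -f $root.Subject,
    $root.PublicKey.Key.KeySize, $root.SignatureAlgorithm.FriendlyName, $root.NotAfter

# --- Run on VMPKI02 (domain-joined, member of Enterprise Admins) -------------
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# No validity period here: the Sub CA's lifetime is decided by the Root CA
# when it signs the request written to -OutputCertRequestFile
Install-AdcsCertificationAuthority `
    -CAType EnterpriseSubordinateCA `
    -CACommonName 'VMPKI02-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -OutputCertRequestFile 'C:\VMPKI02-CA.req' `
    -DatabaseDirectory 'D:\CertDB' `
    -LogDirectory 'D:\CertLog' `
    -Force
```

The scripted form has one advantage over the wizard for a Root CA: the parameters are written down, so the key length and hash algorithm you actually deployed can be checked against your design document before the CA signs anything.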

Submit the CA certificate request

First copy the request file generated by your Sub CA to the Root CA.

On the Root CA, open the Certification Authority console, right click on the CA name, select All Tasks and Submit new request. Then specify the path to the CA certificate request.

Once the request is submitted, navigate to pending requests and right click on the request. Select all Tasks and Issue.

Once the CA certificate is issued, navigate to Issued Certificates, right click on the certificate and select Open.

Navigate to the Details tab and click on Copy to File.

After that, the Certificate Export Wizard opens. On the File Format screen select DER encoded binary X.509 (.CER). If the Sub CA server does not yet trust the Root CA (the Root CA certificate was not published to Active Directory, or Group Policy has not refreshed yet), choose Cryptographic Message Syntax Standard PKCS #7 (.P7B) with Include all certificates in the certification path instead, so that the Root CA certificate travels with the Sub CA certificate.

Specify a location to store the CA certificate. I choose to store it directly on Sub CA server.

CA certificate installation on Sub CA

On VMPKI02, open the Certification Authority console and right click on the CA name. Select All Tasks and Install CA Certificate, then select the certificate you exported previously. The installation builds and validates the chain up to the Root CA, including revocation checking, so the Root CA certificate and CRL published in Active Directory earlier must be reachable from VMPKI02; an expired or missing Root CA CRL makes this step fail with a revocation error.

Once the CA certificate is installed, start Certificate Services (the service stays stopped until the CA has its certificate).
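The same submit, issue, export and install sequence done with certreq and certutil instead of the consoles, as an added example that is not part of the original article. Request and certificate paths, the temporary folder and the CA configuration strings (host\CA name) are assumptions for this lab:

```powershell
# Added example, not from the original article.

# --- On VMPKI01 (Root CA), after copying the Sub CA's .req to C:\Temp --------
$RootConfig = 'VMPKI01\VMPKI01-CA'     # <host>\<CA common name> (assumed)

# A standalone CA leaves the request pending and prints its ID
$submit    = certreq -submit -config $RootConfig 'C:\Temp\VMPKI02-CA.req'
$requestId = [int]($submit | Select-String 'RequestId:\s*(\d+)').Matches[0].Groups[1].Value

# Issue it (same as All Tasks > Issue) and retrieve the certificate.
# The third file is a PKCS #7 bundle with the whole chain, which is what the
# Sub CA needs if it does not trust the root yet.
certutil -resubmit $requestId
certreq -retrieve -config $RootConfig $requestId 'C:\Temp\VMPKI02-CA.cer' 'C:\Temp\VMPKI02-CA.p7b'

# Read back what was signed: validity must be what the registry promised
$sub = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\Temp\VMPKI02-CA.cer'
"{0} issued by {1}, valid {2:d} to {3:d}" -f $sub.Subject, $sub.Issuer, $sub.NotBefore, $sub.NotAfter

# --- On VMPKI02 (Sub CA), after copying the .p7b and .cer over ---------------
certutil -installcert 'C:\Temp\VMPKI02-CA.p7b'
Start-Service certsvc

# The same validation the console does on install: chain to the root and fetch
# the AIA/CDP locations over the network, as a client would
certutil -verify -urlfetch 'C:\Temp\VMPKI02-CA.cer' |
    Select-String 'Verified|Failed|Revocation|ERROR'
```

If certutil -installcert complains about revocation, the Root CA CRL is either not published in Active Directory or already expired; fix that on the root side before retrying, do not disable revocation checking.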

Extension configuration

As on the Root CA, the CDP and AIA extensions must be set first. I configure a CDP on D:\CRL where only the CRL is published.

Make sure that the LDAP CDP is configured as below. Unlike the Root CA, this CA is domain-joined and online, so it can publish to the LDAP location itself.

On the AIA menu, I set a custom location, D:\AIA, to store the certificate. Make sure that the LDAP location is set as below.

Click on Apply; the service restarts. Now you can open PKIVIEW.msc (Enterprise PKI), which checks that every CDP and AIA location of both CAs is reachable and that the CRLs are current:

Now you have a basic PKI ready to sign certificates. This is a minimal configuration; in the next part of this series we will look at CRL configuration in more detail.
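The Extensions tab settings for both CAs (the Root CA section "Extensions configuration (AIA and CDP)" earlier and the Sub CA section just above), expressed as the certutil -setreg values behind the checkboxes. This is an added example, not the article's own script; the D:\CRL and D:\AIA paths and file-name patterns are assumptions for this lab. The numeric prefix of each location is the sum of the flags for the ticked boxes, and the %n tokens are the CA variables the wizard shows by name:

```powershell
# Added example, not from the original article.
# CRLPublicationURLs flags                 CACertPublicationURLs flags
#   1  Publish CRLs to this location         1  Publish CA certificate here
#   2  Include in the CDP extension          2  Include in the AIA extension
#   4  Include in CRLs (delta CRL lookup)
#   8  Include in all CRLs (manual AD publishing)
#  64  Publish Delta CRLs to this location
# Variables: %2 ServerShortName, %3 CaName, %4 CertificateName,
#            %6 ConfigurationContainer, %7 CATruncatedName, %8 CRLNameSuffix,
#            %9 DeltaCRLAllowed, %10 CDPObjectClass, %11 CAObjectClass

$LdapCdp = 'ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10'
$LdapAia = 'ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11'

function Set-CaPublicationUrls {
    param([string[]]$CrlUrls, [string[]]$AiaUrls)
    # certutil takes the list as one argument with a literal \n between entries
    certutil -setreg CA\CRLPublicationURLs    ($CrlUrls -join '\n')
    certutil -setreg CA\CACertPublicationURLs ($AiaUrls -join '\n')
    Restart-Service certsvc
    certutil -CRL | Out-Null          # publish once to prove the file location works
    certutil -getreg CA\CRLPublicationURLs
    certutil -getreg CA\CACertPublicationURLs
}

# Offline Root CA (VMPKI01): files published locally; the LDAP location is only
# written into certificates and CRLs (2+8=10, no publish bit), because the
# workgroup root cannot write to Active Directory itself.
Set-CaPublicationUrls `
    -CrlUrls @("65:D:\CRL\%3%8%9.crl", "10:$LdapCdp") `
    -AiaUrls @("1:D:\AIA\%3%4.crt",    "2:$LdapAia")

# Enterprise Sub CA (VMPKI02): online and domain-joined, so it publishes to
# LDAP itself (1+2+4+8+64=79) as well as to the local folder (base CRL only).
Set-CaPublicationUrls `
    -CrlUrls @("1:D:\CRL\%3%8%9.crl",  "79:$LdapCdp") `
    -AiaUrls @("1:D:\AIA\%3%4.crt",    "3:$LdapAia")
```

Keeping the flag values in a script makes the difference between the two CAs explicit: the only thing that separates an offline root from an online issuing CA in these two registry values is whether the publish bit is set on the LDAP location.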
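A scripted version of the checks PKIVIEW.msc performs, to run on VMPKI02 once both CAs are configured. This is an added example, not part of the original article; the CA configuration string and the temporary path are assumptions for this lab:

```powershell
# Added example, not from the original article. Run on VMPKI02 as a domain user
# with local admin rights.
$SubCaConfig = 'VMPKI02\VMPKI02-CA'     # <host>\<CA common name> (assumed)
$SubCaCert   = 'C:\Temp\VMPKI02-CA.cer' # assumed scratch path

# 1. Is the Sub CA up? -ping contacts the CA's RPC interface.
certutil -config $SubCaConfig -ping

# 2. Fetch the Sub CA certificate from the CA and validate it as a client would:
#    chain to the root, download AIA and CDP, check the CRL is not expired.
certutil -config $SubCaConfig -ca.cert $SubCaCert | Out-Null
$verify = certutil -verify -urlfetch $SubCaCert
$verify | Select-String 'Verified|Failed|Revocation|Expired|ERROR'

# 3. Is the Root CA a trusted root on this domain member?
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like 'CN=VMPKI01-CA*' }
if (-not $root) { Write-Warning 'Root CA not in Trusted Root store: check dspublish and gpupdate' }

# 4. Is the enterprise Sub CA in NTAuthCertificates? Without it, certificates
#    it issues cannot be used for domain logon (smart card, certificate mapping).
$cfgDN  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$ntauth = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$cfgDN"
foreach ($raw in $ntauth.Properties['cACertificate']) {
    $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
    "NTAuth: {0} (expires {1:d})" -f $c.Subject, $c.NotAfter
}

# 5. When must the next Root CA CRL be published? Read it from the CRL object in
#    AD (the place clients actually fetch it from), not from a local copy.
$crlObj = [ADSI]"LDAP://CN=VMPKI01-CA,CN=VMPKI01,CN=CDP,CN=Public Key Services,CN=Services,$cfgDN"
$bytes  = [byte[]]$crlObj.Properties['certificateRevocationList'][0]
[IO.File]::WriteAllBytes('C:\Temp\root-from-ad.crl', $bytes)
certutil -dump 'C:\Temp\root-from-ad.crl' | Select-String 'ThisUpdate|NextUpdate'
```

Step 5 is the one worth scheduling: the date after NextUpdate is the deadline for booting the Root CA and running the publish procedure again.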

About Romain Serre

Romain Serre works in Lyon as a Senior Consultant. He is focused on Microsoft Technology, especially on Hyper-V, System Center, Storage, networking and Cloud OS technology as Microsoft Azure or Azure Stack. He is a MVP and he is certified Microsoft Certified Solution Expert (MCSE Server Infrastructure & Private Cloud), on Hyper-V and on Microsoft Azure (Implementing a Microsoft Azure Solution).

18 comments

  1. I like this a lot and I intend to set up my own lab using your excellent instruction. In the meantime, I am a bit stumped at “Publish Root CA CRL and AIA to Active Directory” section in that I do not know if the commands should be issued against on the Root CA or the Subordinate server. I am leaning against the latter since the former is a stand-alone and therefore it should not be associated with AD, right?

    • Hi,

      Thanks for your comment 🙂
Because the Root CA should be offline, it is not integrated to Active Directory. So you can't publish AIA and CRL from the Root CA.
      So you have to generate the CRL from the Root CA and copy this CRL and the Root CA certificate to another server like the Sub CA.
      Once you have copied these two files, you can run the certutil command twice to publish the CRL and the certificate in the Active Directory.
      In this way, clients could use Active Directory to download CRL and AIA information.
      Hope I have helped you 🙂

      Romain

      • Yes, indeed, you did help me! Thank you. Perhaps, it may be a good idea to have a paragraph in the section to indicate that the commands need to be run on VMPKI02, which is the DC of the lab…. Thank you for your prompt response.

        • In fact VMPKI02 is not a Domain Controller. You can run the certutil command on a RDS server if the command is present on the server 🙂

  2. “The first time, you have to connect with an enterprise admin account to publish certificate and CRL in Active Directory.”

How do I do this on a server that is not a member of the domain?

    • Hi,

      Then you have to copy the CRL to a machine member of the Active Directory and run the certutil cmd from this server 🙂

  3. How do you create the crt file on the the Root CA in order to copy it to the Sub CA?

  4. Hi,
Nothing is entered into my D:\AIA folder on VMPKI01 after I publish. So I can only copy the CRL file to VMPKI02. The Root CA certificate (crt file) is located in C:\Windows\System32\CertSvr\CertEnroll but has a different timestamp. What am I doing wrong?

  5. Thank you for the excellent guide.

    I’ve some questions.

    “Publish Root CA CRL and AIA to Active Directory”

Should I run these commands in my SubCA? Before running these commands should I install certificate roles?

    I’ve also problem with AIA dir. After publishing there is no file in this directory.

  6. I am a novice in PKI so i would like to ask a few questions from you:

Because the revocation list is published only to an AD, can it be only used from AD-joined entities? It would be a nice addition to have an example of how to publish CRLs to a website or to a network share.

    Crl from root-ca is used to revoke all certificates issued by Sub-Ca…right? I mean by revoking the certificate issued to sub-ca.

    Crl from sub-ca is used to revoke certificates issued by sub-ca?

    • Hello,

If you publish only in AD, only AD machines can reach the CRL. You have to publish in shares and install IIS to provide web access to the CRL. You can also use the OCSP role as I described.

      CRL revoke certificates only for sub CA, yes.

CRL from Sub CA revokes only certificates issued from this Sub CA.

  7. Stephen Sprencel

    This tutorial has been a great refresher for me as I am trying to setup PKI on a new domain! Thanks for putting it together and I can’t believe you are still fielding questions from people 4 years after you posted it! You rock!

Thanks for the great write up. I do have one question. I followed this to set up a single root CA in lab and after setup I issued a cert to my iDRAC. Everything works, but then I revoke it and the cert is still showing valid and I've run certutil -verify on the cert that was used.

  9. Many thanks. It really helps me.
