Comments on itToby: Creating a Two Tier PKI With Windows 2008r2
Blog author: Toby Meyer. Comment feed last updated 2024-02-11. 18 comments, newest first.

----------------------------------------------------------------
MarvelThang (2019-06-18 10:58)

<b>2.5 Publish the Certificate Revocation List manually CDP Base Delta CRL Windows Server 2008 R2 PKI</b>

<a rel="nofollow">https://marvel-it.icu/iiamwad-implementing-identity-and-access-management-in-windows-server-active-directory/publish-the-certificate-revocation-list-manually-cdp-base-delta-crl-windows-server-2008-r2-pki-ca</a>

<a rel="nofollow">https://youtu.be/HpDaIsSGaX4</a>

----------------------------------------------------------------
MarvelThang (2019-06-18 10:54)

This comment has been removed by the author.

----------------------------------------------------------------
Toby Meyer (2016-03-06 23:39)

Thanks @pk for the feedback and the fix, much appreciated!

----------------------------------------------------------------
pk (2016-03-03 16:58)

Love the guide. Small typo in one of the commands:

Execute "certutil -setreg ca\ca\ValidityPeriod "Years"

should be

Execute "certutil -setreg ca\ValidityPeriod "Years"

----------------------------------------------------------------
Toby Meyer (2013-11-03 21:46)

@Tom, thanks & absolutely!

The first thing you'll want to do is make an Active Directory group that contains all users you would want to auto-enroll in PKI (if you haven't done so already). This group will be used to directly trigger the auto-enrollment, so make sure it is accurate. Also note that when people are removed from this group, their certs will not be automatically revoked. If, after you get this working, you remove a user from that group, you'll need to revoke their cert either manually or via a script (preferred).

After the user group is in place, ensure you have the user template configured correctly and allowed for auto-enrollment. To do so, copy the template: target the "User" template and perform most of the steps (let me know if you want a granular list of which) listed under "Step 4: Template Configuration, etc.". Make sure when you duplicate the template that you do two main things: set the Superseded Templates to "User" (the default called in user auto-enrollment) and have your administrative user group listed under the "Security" tab of the cert. That user group will need to have Read, Enroll, and Autoenroll rights. After doing that, publish your duplicated template to your CA.

It would actually work to update the Default Domain GPO at the user level at this point, but I would not recommend it in most cases. Instead, either create a new GPO for this purpose or tack the following on to a GPO dedicated to this user group (for this and other settings). Make sure this GPO has <a href="http://technet.microsoft.com/en-us/library/cc728301%28v=ws.10%29.aspx" rel="nofollow">security filtering</a> enabled and bound to the Admins group. In that GPO, navigate to User (not Computer like above!) Configuration -> Windows Settings -> Security Settings -> Public Key Policies and set <b>Certificate Services Client - Auto-Enrollment</b> to <b>Enabled</b>. You will want to check the first two boxes below it as well, regarding renewing expired certificates and updating certs that use templates. As for the other options, those are at your discretion depending on your needs.

After closing the GPO that should do it! Essentially now you have the User cert template restricted to that Admin group for auto-enrollment, and additionally you have the mechanism of auto-enrollment restricted to that group via GPO.

Hopefully that should do it for you; post more if you have any other questions or to share your results. Thanks!

----------------------------------------------------------------
Tom (2013-11-01 08:43)

Hi Toby - great article, I just have one quick question. In our domain, we'd like to enforce certificates (in particular with two-factor authentication) for our administrators. This enterprise PKI seems to be set up for ALL users. Is there a step in this process that we can enforce TFA for our admins and not for our users (or make it invisible to our users)?

----------------------------------------------------------------
Toby Meyer (2013-10-29 22:49)

@itismeap Good point! Article updated with your welcome improvement. Thanks!

----------------------------------------------------------------
itismeap (2013-10-29 09:25)

Great article. Just a quick note: at the top it says 'Setup a new Windows 2008r2 Standard Edition server. x64 vs. x86 shouldn't make a difference'.

2008 R2 is 64-bit; I don't believe you can get a 32-bit edition.

----------------------------------------------------------------
Toby Meyer (2013-04-03 22:04)

Hi Damon, I hope you're doing well. Hopefully troubleshooting the IIS permissions should be relatively straightforward. Here are a few tips to get going:
- Use certutil -verify -urlfetch {path to any issued cert}. This will display and test all the lookup paths and display any warnings.
- To assist in troubleshooting, you can browse to the location of the certificate revocation list with any web browser. There is no reason you shouldn't be able to access and download it.
- Refer to <a href="http://msdn.microsoft.com/en-us/library/aa954062.aspx" rel="nofollow">this guide</a> for IIS permissions troubleshooting.

The error you're seeing, .14, is usually due to not having directory browsing permissions. That said, hitting a file-specific URL shouldn't need browsing permissions, so I wonder if something isn't quite right with the URL. As an example, here is the CDP location for one of my implementations:
URL=http://www.company.com/pki/company.com%20RootCA.crl
Note that it automatically subs in %20 for any spaces; if present you'll need to use that in the URL when testing with your browser as well.

I'm sure as soon as you get the URL tweaked everything will start working; note that you will have to re-issue any certificates after it is updated for them to work correctly though!

Good luck!

----------------------------------------------------------------
Anonymous (Damon) (2013-04-02 17:00)

Hi Toby,
Long time no write. I had finished installation of my 2 tier PKI but I am having some issues with the HTTP locations of the CDP and AIA. I kept the default naming structures for both except to change the site to pki.company.com and created a DNS entry for it. I get the "Unable to Download" error in pkiview so I know something isn't right. I receive an HTTP Error 403 Forbidden error when I try to access the certenroll directory via web browser. When I try to browse the directory from the CA I get "HTTP Error 403.14 - Forbidden". I realize you've helped me with install in reference to your guide, but do you have an idea of where to start troubleshooting this? I believe this is what is preventing my Lync for iPad/iPhone from verifying the certificate. Thanks again for putting this guide together and for appending it with the CAPolicy file info.

----------------------------------------------------------------
Toby Meyer (2013-03-04 16:46)

No worries! It's really only for issuing CAs, and even then only in some specific cases (if you'll be using <a href="http://technet.microsoft.com/en-us/library/cc753139(v=ws.10).aspx" rel="nofollow">issuance policies</a> to control how certs are issued). I do not recommend adding any issuance policy restrictions unless you design that up front, which is out of scope for a lot of implementations. An issuance policy can only <a href="http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/d6beffaf-9e97-42a1-aa06-008654b2b77f/" rel="nofollow">restrict the ability</a> to issue certificates; it can't enable it. The (missing) external link illustrates that the enforcement of issuance policies is slightly different in 2008 than in 2003. I'll fix that external link tonight. Thanks!

----------------------------------------------------------------
Anonymous (Damon) (2013-03-04 14:33)

Oops. I did not add the OID as I didn't think it was necessary on the Offline CA. Will that hurt me going forward?

----------------------------------------------------------------
Toby Meyer (2013-03-03 15:11)

Great question again! I've added an appendix to the article because, while the specific implementation I was documenting didn't include one, most do. Take a look @ the newly added Appendix A and the links contained therein to determine your need & settings. Good luck and feel free to post issues or progress!

----------------------------------------------------------------
Anonymous (Damon) (2013-03-01 11:07)

Again, thanks for the quick response. We have decided to go with the Online Responder since we like to have it in case we need it later. I haven't had time to even look at 2012 yet; it's something I'm planning to take a look at in a couple of months. I have one last question for you. I see that you didn't use a CAPolicy.inf file. Everything I've read so far has said to use it. Does your step by step take that into consideration? Meaning, are your steps covering the settings that would be put into a CAPolicy.inf file?

----------------------------------------------------------------
Toby Meyer (2013-02-26 17:53)

Good question Damon. I haven't run into anything yet that *requires* OCSP. Unfortunately a lot of clients seem to handle OCSP differently at this time, which is really hampering its takeoff. I'm hesitant to admit this because it has some important benefits over CRL, but I have shied away from it for reasons like <a href="http://blogs.technet.com/b/instan/archive/2012/03/14/new-hotfix-for-intermittent-ocsp-revocation-failure-issues-on-domain-controllers-available.aspx" rel="nofollow">this</a> (though fixed), <a href="http://www.inmite.eu/en/blog/20120302-details-certificate-revocation-mechanisms-on-ios-iphone" rel="nofollow">this</a>, and <a href="http://www.thoughtcrime.org/papers/ocsp-attack.pdf" rel="nofollow">this</a>. If you do go down the road of OCSP you will need to take measures to ensure your clients use it, which will vary depending on the client application. It may be worthwhile in some highly-secure environments with a very dynamic cert load, but note that it can be defeated anyhow. I guess, long story short, I would not recommend it at this time unless you had a specific need.

As for the enterprise license, take a look <a href="http://technet.microsoft.com/en-us/library/cc772393(v=ws.10).aspx" rel="nofollow">here</a> and <a href="http://social.technet.microsoft.com/wiki/contents/articles/1137.active-directory-certificate-services-ad-cs-overview.aspx" rel="nofollow">here</a> for other differences. I'd take particular note of the SMTP exit module, which allows for SMTP notifications of certificate enrollment, etc. That said, there is some confusion out there regarding what one can and cannot do with Standard vs. Enterprise. Standard R2 is much better than Standard non-R2 2008; it can do version 3 templates (among other things). There is a lot of training material out there that still references 2008 Standard, much of which was my basis for insisting on Enterprise (see <a href="http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/1a1172c6-abdb-4c5a-8a7c-ea254de5dada/" rel="nofollow">this</a>). If it's a big point of contention you could possibly go down to Standard, but it never hurts to have the capability to use the other features should you want them in the future. Another option would be to go to 2012, which doesn't change much setup-wise (I'll write something up soon) but does introduce some welcome new features. Using <a href="http://technet.microsoft.com/en-us/library/hh831373.aspx" rel="nofollow">2012, all features are available</a> on Standard or higher. Know that you can mix 2008 (R2) and 2012 CAs without problem. I updated my article to better illustrate the differences; thanks for bringing it up!

Hopefully that addresses your question; let me know if you have any others. Thanks!

----------------------------------------------------------------
Anonymous (Damon) (2013-02-25 10:54)

Toby,
Thank you for responding so quickly. Your example of Direct Access is exactly why I asked. Another question which has come up is OCSP. Do you know of anything that may require an OCSP? I'm trying to justify the cost of an Enterprise license. Thanks again.

----------------------------------------------------------------
Toby Meyer (2013-02-23 17:24)

Hi Damon! I'm glad my guide is helping you. Regarding A vs. CNAME, you can use either without worry. I suspect the guidance to use a CNAME is to underscore the importance of being flexible with your hostname. At its core though, as long as the client can resolve it successfully you're good to go.

The key to a successful long-term deployment is ensuring you select a DNS name that you can use for the foreseeable future. When you choose this name, take into account how you will use these certificates. If there is any chance you'll use certificates externally (say you want to deploy <a href="http://en.wikipedia.org/wiki/DirectAccess" rel="nofollow">Direct Access</a> down the road...) you may want to use "split DNS" and make the CNAME used for the CDP and AIA accessible both inside and outside your network. Say for example your company owned the internet domain widgets.com. To ensure the certificate CRL look-up will work no matter where the client is, you could set the CDP and AIA to http://pki.widgets.com/path and then set that CNAME (or A record) inside your network to point to an internally accessible server and set the CNAME (or A record) outside your network to point to an externally accessible server.

(*Side note item, not related to PKI setup*) If you do choose to use split DNS you may want to take this into account as well: if your company uses WiFi for mobile devices you may also want to set up a NAT rule on the inside interface of your firewall to redirect the external IP to the internal IP, to account for mobile devices utilizing company WiFi that have a cached external DNS entry.

If you do not see external access as a future need then setting a CNAME to the internal server will serve you just fine. Note that if you do have access to set your internal DNS, though, it wouldn't hurt to use a name that may be internet accessible in the future and just not put that into place yet (i.e. set to pki.widgets.com but don't actually make that host externally).

Hopefully that addresses your question; if not, feel free to post a follow-up & thanks for reading!

----------------------------------------------------------------
Anonymous (Damon) (2013-02-22 14:48)

Hi Toby,
This is a very extensive and well put together documentation and it is helping me learn about using and implementing a PKI in my infrastructure, so I'd like to thank you for putting it together.

I do have a question about using HTTP for CDP and AIA. I was following the TechNet guide, which said to use a CNAME instead of an A record. Is there a benefit to using one over the other? I was just going to add a CNAME that pointed to my Enterprise SubCA and continue, but your post is giving me pause.

-Damon
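Toby's auto-enrollment answer above notes that removing a user from the enrollment group does not revoke the cert they already hold, and that a script is the preferred way to clean that up. The following PowerShell is an added example of such a script; it is not code from the original post or from the blog author. It assumes hypothetical names (group "PKI-Admin-Enroll", a duplicated user template identified by its OID), that it runs on the issuing CA so that certutil -view and certutil -revoke act on the local CA database, and that the ActiveDirectory module is available. Without -Revoke it only reports what it would do.

```powershell
# Added example (not from the original post): revoke certificates issued from an
# auto-enrollment template to users who are no longer members of the enrollment group.
# Assumptions (hypothetical values): the group name, the template OID, and that this runs
# on the issuing CA with the ActiveDirectory module installed.
param(
    [string]$EnrollGroup = 'PKI-Admin-Enroll',                # assumption
    [string]$TemplateOid = '1.3.6.1.4.1.311.21.8.1.2.3.4.5',  # assumption: OID of the duplicated template
    [switch]$Revoke                                           # without -Revoke the script only reports
)

Import-Module ActiveDirectory

# 1. Current (recursive) user members of the group that gates auto-enrollment.
$members = Get-ADGroupMember -Identity $EnrollGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $_.SamAccountName.ToLower() }

# 2. Issued (Disposition=20) and not yet revoked certs from that template in the CA database.
$raw = & certutil -view -restrict "CertificateTemplate=$TemplateOid,Disposition=20" `
                  -out "SerialNumber,RequesterName"
if ($LASTEXITCODE -ne 0) { throw "certutil -view failed with exit code $LASTEXITCODE" }

# 3. Parse the row output. certutil prints one block per row, e.g.
#      Row 1:
#        Serial Number: "1a2b3c..."
#        Requester Name: "CONTOSO\jdoe"
$issued = @()
$serial = $null
foreach ($line in $raw) {
    if ($line -match 'Serial Number:\s+"([0-9a-fA-F]+)"') {
        $serial = $matches[1]
    }
    elseif ($serial -and $line -match 'Requester Name:\s+"(?:[^\\"]+\\)?([^"]+)"') {
        # Strip the DOMAIN\ prefix so the name compares with SamAccountName.
        $issued += [pscustomobject]@{ Serial = $serial; User = $matches[1].ToLower() }
        $serial = $null
    }
}

# 4. Anything issued to someone no longer in the group is a revocation candidate.
$stale = $issued | Where-Object { $members -notcontains $_.User }
foreach ($c in $stale) {
    if ($Revoke) {
        # Reason 3 = AffiliationChanged (see certutil -revoke for the reason codes).
        & certutil -revoke $c.Serial 3 | Out-Null
        Write-Output "Revoked $($c.Serial) ($($c.User))"
    }
    else {
        Write-Output "Would revoke $($c.Serial) ($($c.User)); re-run with -Revoke"
    }
}

# 5. A revocation only reaches clients once a new CRL is published to the CDP.
if ($Revoke -and $stale) { & certutil -CRL | Out-Null }
```

Run it first without -Revoke and compare the report against the group before trusting it; a mis-typed template OID simply matches nothing, while a mis-typed group name would treat every holder as stale. Clients still honour the old CRL until it expires or they fetch the new one, so the CRL publication interval bounds how long a removed admin's cert remains usable.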
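Toby's troubleshooting reply to the 403.14 problem above comes down to two checks: confirm the exact CDP/AIA URLs embedded in an issued certificate, and fetch each one the way a client would, then cross-check with certutil -verify -urlfetch. The PowerShell below is an added example that automates those checks; it is not code from the original post or from the blog author. It assumes a hypothetical certificate path, tests HTTP locations only (LDAP URLs are listed but skipped), and needs PowerShell 3.0 or later for Invoke-WebRequest, which on 2008 R2 means installing WMF 3.0 first.

```powershell
# Added example (not from the original post): extract the CDP and AIA URLs from an issued
# certificate and test each HTTP location, so an IIS 403/404 or a wrong path shows up
# with the exact URL that failed. Assumption: the certificate path is hypothetical.
param([string]$CertPath = 'C:\temp\issued.cer')   # assumption

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Extension OIDs: 2.5.29.31 = CRL Distribution Points (CDP),
#                 1.3.6.1.5.5.7.1.1 = Authority Information Access (AIA)
$oids = @{ '2.5.29.31' = 'CDP'; '1.3.6.1.5.5.7.1.1' = 'AIA' }

# Format($true) yields the same multi-line text certutil shows, including "URL=..." lines.
# Spaces in the published path are already %20-encoded there, so the URL is used as-is.
$urls = foreach ($ext in $cert.Extensions) {
    if ($oids.ContainsKey($ext.Oid.Value)) {
        foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(\S+)')) {
            [pscustomobject]@{ Kind = $oids[$ext.Oid.Value]; Url = $m.Groups[1].Value }
        }
    }
}

if (-not $urls) { Write-Warning "No CDP/AIA extensions found in $CertPath" }

foreach ($u in $urls) {
    if ($u.Url -notmatch '^http://') {
        Write-Output "$($u.Kind) $($u.Url) : skipped (not HTTP)"
        continue
    }
    try {
        $r = Invoke-WebRequest -Uri $u.Url -UseBasicParsing -TimeoutSec 10
        $msg = "OK (HTTP $($r.StatusCode), $($r.RawContentLength) bytes)"
    }
    catch {
        # A 403.14 here means IIS answered for a directory, not the file: the path or the
        # .crl/.crt file name in the URL does not match what is published under CertEnroll.
        $msg = "FAILED: $($_.Exception.Message)"
    }
    Write-Output "$($u.Kind) $($u.Url) : $msg"
}

# Cross-check with the built-in chain and revocation test mentioned in the thread.
& certutil -verify -urlfetch $CertPath
```

Run it from a client on the network segment that is failing (for example a workstation that resolves pki.company.com through the same DNS the mobile devices use), not only from the CA itself, since the split-DNS and NAT cases discussed in the thread make the same URL resolve differently depending on where the client sits.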