Page 1 of 33
Certificate Authority
How to install a PKI based on Microsoft Certificate Services in Windows Server 2003.
http://www.windowsecurity.com/articles/Microsoft-PKI-Quick-Guide-Part3.html
5/5/2009
Published: Aug 15, 2007. Updated: Sep 19, 2007.
Section: Articles :: Authentication, Access Control & Encryption
Author: Martin Kiaer
Rating: 3.8/5 - 24 Votes
If you missed the other articles in this series please go to:
A Microsoft PKI Quick Guide - Part 1: Planning
A Microsoft PKI Quick Guide - Part 2: Design
A Microsoft PKI Quick Guide - Part 4: Troubleshooting
If you would like to be notified when Martin Kiaer releases A Microsoft PKI Quick Guide Part 4, please sign up to the WindowSecurity.com real-time article update newsletter.

We have now gotten to the third article in our four-part Microsoft PKI quick guide series. In our first article we gave you a quick overview of how to prepare and plan your Microsoft PKI. In our second article we went into design mode and looked at some best practice settings. In this article we will get a lot more technical and show you how to install a PKI based on Microsoft Certificate Services in Windows Server 2003.
always have consistency for the issued certificates at each level. If you only want to deploy a 2-level hierarchy, simply remove the CA in level 3. The model will still apply.

Figure 1: A best practice validity period for each CA at each level

The other thing you should prepare before we start the installation is a text file called CAPolicy.inf. This file is used to customize your configuration of Windows Certificate Services. In this file you will find important things such as:
The CDP statement
Certificate renewal settings such as validity period and key size
The links for the CDP and AIA paths
How often the CRL should be published
Create the file using Notepad and save it to %windir%\capolicy.inf (e.g. C:\Windows\capolicy.inf). We have made this task a lot easier for you, by supplying the files in our step-by-step guides below. With these things in mind, it is time to get technical.
Here is how it should be done:
1. Install a server with Windows Server 2003 Standard Edition incl. SP1 or newer and make sure that it runs as a stand-alone server (i.e. it should not be a member of any domain)
2. Make the necessary parameter replacements in the CAPolicy.inf file below (highlighted in red)

Figure 2: Filename: CAPolicy.inf

3. Copy the CAPolicy.inf file to %windir%\capolicy.inf
4. Navigate to Start Menu / Control Panel / Add or Remove Programs and click Add/Remove Windows Components
5. In the Windows Components Wizard, select Certificate Services and click Next
6. Notice what the dialog box is displaying: you should not rename the computer once Windows Certificate Services is installed. Click Yes

Figure 3

7. In the CA Type field, click Stand-alone root CA, put a checkmark in the Use custom settings to generate the key pair and CA certificate check box and click Next
Note: It is normal that the Enterprise root CA and Enterprise subordinate CA options cannot be selected, since this server is not a member of a domain.
Figure 4

8. Select the CSP you want to use for your offline root CA. For simplicity, we've selected the Microsoft Strong Cryptographic Provider v1.0; however, you can also select another CSP if you, for example, installed a Hardware Security Module (HSM) and connected the server to the HSM solution before you started the CA installation procedure.
Select the default hash algorithm SHA-1
Set the key length to 4096
Make sure that both the Allow this CSP to interact with the desktop and Use an existing key options are not checked
Click Next
Figure 5

9. Enter a common name for your root CA, configure the Distinguished name suffix (O=domain, C=local) and set the validity period to 20 years, then click Next
Figure 6

10. Accept the default suggestion for the certificate database and log files (or change it at will) and click Next
Figure 7

11. Since this is an offline root CA, there is no need to install IIS (Internet Information Services), which is why this dialog is displayed. Click OK
Figure 9

13. Click Start / Programs / Administrative Tools / Certificate Authority
14. Expand your CA server pane and right-click Revoked Certificates. Click All Tasks / Publish
Figure 10

15. Select New CRL and click OK
16. Copy %windir%\system32\certsrv\certenroll\*.crt and *.crl to a USB key. You will need these files for the next subordinate CA that will be installed
17. You should also copy these files to the CDP HTTP location as indicated in the caconfig.inf file listed earlier.
18. Make the necessary parameter replacements in the file below (highlighted in red) and run the file from a command prompt
Figure 11

19. You are done installing the root CA. We mentioned earlier that there are good security reasons to keep the root and policy CAs offline, which includes turning them off. Only the issuing CAs should be kept online. Because the root and policy CAs are kept offline, they should not be members of a domain.

Here is how you do it:
1. Install a server with Windows Server 2003 Enterprise Edition incl. SP1 or newer and make sure it is a member of a domain
2. Make sure that IIS (Internet Information Services) has been installed. There is a note to this, however: if you really want to do this right, then omit the IIS part. The only caveat in doing so is that you definitely need to know your PKI before you omit the IIS component. The advantage is a simpler setup, and one attack vector less.
3. Make the necessary parameter replacements in the CAPolicy.inf file below (highlighted in red)

Figure 12: Filename: CAPolicy.inf

4. Copy the CAPolicy.inf file to %windir%\capolicy.inf
5. Navigate to Start Menu / Control Panel / Add or Remove Programs and click Add/Remove Windows Components
6. In the Windows Components Wizard, select Certificate Services and click Next
Figure 13

7. Notice what the dialog box is displaying: you should not rename the computer once Windows Certificate Services is installed. Click Yes
8. In the CA Type field, click Enterprise subordinate CA, put a checkmark in the Use custom settings to generate the key pair and CA certificate check box and click Next
Figure 14

9. Select the CSP you want to use for your issuing CA. For simplicity, we have selected the Microsoft Strong Cryptographic Provider v1.0; however, you could also have selected another CSP if you, for example, installed a Hardware Security Module (HSM) and connected the server to the HSM solution before you started the CA installation procedure.
Select the default hash algorithm SHA-1
Set the key length to 2048
Make sure that both the Allow this CSP to interact with the desktop and Use an existing key options are not checked
Click Next
Figure 15

10. Enter a common name for your issuing CA and set the validity period to 5 years, then click Next
Figure 16

11. Accept the default suggestion for the certificate database and log files (or change it at will) and click Next
12. A CA Certificate Request window is displayed. Select Save the request to a file and enter a path and a filename (the wizard will automatically add a .req extension to the filename). Copy the file to a USB key for later use. Click Next. We will be using this request file later on in this quick guide
Figure 17

13. Some certificate IIS application components will be added. Click Yes

Figure 18

14. (Optional) If you have not enabled ASP support in IIS, the following dialog box is displayed. Click Yes

Figure 19

15. You are not quite done yet. As indicated in the dialog box, you will need to generate a private key for your new issuing CA.
Figure 21

17. Before you continue, you should publish the certificate and revocation list for your root CA to Active Directory. This is easily done by doing the following:
a. Copy both the *.crt and *.crl files generated during the installation of the root CA to the %systemroot%\system32\certsrv\certenroll folder on the issuing CA server.
b. Run the script below from a command line prompt in the same folder on your issuing CA. You have to run the script as a user who is a member of the Cert Publishers group in Active Directory (normally someone with domain admin rights).
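The script of step 17b is shown in the article only as a figure. The batch file below is an added example written for this page, not the article's own script: it publishes every root CA certificate and CRL found in the current folder to the local machine Root store and to Active Directory with certutil. It assumes the files were copied into the certenroll folder as in step 17a and that it runs as a member of Cert Publishers.

```batch
@echo off
rem Added example (not the article's Figure 22 script): publish the offline
rem root CA's certificate(s) and CRL(s) from the current folder.
rem Run from %systemroot%\system32\certsrv\certenroll on the issuing CA as a
rem member of the Cert Publishers group.
setlocal

rem Certificates: into the local machine Root store, then into the AD
rem Certification Authorities and AIA containers (RootCA target).
for %%F in (*.crt) do (
    echo Publishing certificate %%F ...
    certutil -addstore -f Root "%%F" || goto :fail
    certutil -dspublish -f "%%F" RootCA || goto :fail
)

rem CRLs: into the local Root store and into the AD CDP container, so domain
rem members can check revocation while the root itself stays powered off.
for %%F in (*.crl) do (
    echo Publishing CRL %%F ...
    certutil -addstore -f Root "%%F" || goto :fail
    certutil -dspublish -f "%%F" || goto :fail
)

echo Done. Verify with: certutil -store Root
endlocal
exit /b 0

:fail
echo Publishing failed. Check that you are a member of Cert Publishers and
echo that the *.crt and *.crl files from the root CA are in this folder.
endlocal
exit /b 1
```

For the 3-level hierarchy mentioned in the conclusion, the policy CA's certificate is published with `certutil -addstore -f CA <file>` and `certutil -dspublish -f <file> SubCA` instead, while its CRL uses the same two CRL commands.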
Figure 22

The script will automatically process the entire filename and complete the needed commands.

18. Make sure you have the certificate request file generated in Step 12. Log on to the root CA server
19. From the root CA server, click Start / Programs / Administrative Tools / Certificate Authority
20. Expand your CA server pane and right-click the server name. Click All Tasks / Submit new request

Figure 23

21. Locate the request file generated in Step 12 and click OK
22. In the left pane, click Pending Requests. Locate the certificate request in the right pane, right-click the certificate request and select All Tasks / Issue
23. Next we need to export the certificate. In the left pane, click Issued Certificates. In the right pane, right-click the certificate and click Open

Figure 24

24. Click the Details tab and click Copy to File
Figure 26

26. Select Cryptographic Message Syntax Standard and Include all certificates in the certification path if possible. Click Next

Figure 27

27. Save the certificate to the same USB key used in Step 12. Click Next
Figure 28

28. Click Finish and then click OK
29. Now go back to the issuing CA and click Start / Programs / Administrative Tools / Certificate Authority
30. Expand the CA server pane and right-click the server name. Click All Tasks / Install CA certificate
Figure 29

31. Locate the certificate you issued in Step 27 and click OK
32. Expand your CA server pane and right-click the server name. Click Start service

Figure 30

33. Copy %windir%\system32\certsrv\certenroll\*.crt and *.crl to a USB key. You will need to copy these files to your web servers that are being used as Certificate Distribution Points (CDP) using the HTTP protocol. This is the HTTP based CDP URL you defined in the issuing CA's caconfig.inf earlier. Note: This task should be scheduled and run automatically
34. Make the necessary parameter replacements in the file below (highlighted in red) and run the file from a command prompt
Figure 31

35. Expand your CA server pane and right-click Revoked Certificates. Click All Tasks / Publish

Figure 32

36. Select New CRL and click OK
37. And finally, you are done.
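Steps 18 (root CA) and 34 (issuing CA) each run a post-installation certutil script that the article shows only as a figure with the replaceable values in red. The batch file below is an added example written for this page, not the article's file: it sets the CDP and AIA publication URLs, the CRL lifetime, the issued-certificate validity and the audit filter with `certutil -setreg`, then restarts the service and publishes a fresh CRL. The host name pki.example.com, the 26-week CRL period and the 5-year validity are assumptions to replace with the values from your own design.

```batch
@echo off
rem Added example, not the article's own step 18 / step 34 script.
rem Values marked ASSUMPTION must be replaced with your own design values.
setlocal

rem ASSUMPTION: the HTTP CDP/AIA web server chosen in the design phase.
set HTTP_ROOT=http://pki.example.com/CertEnroll
rem Local folder the CA writes its certificate and CRLs to (the default).
set LOCAL_DIR=%windir%\system32\CertSrv\CertEnroll

rem CRL distribution points. Flag 1 = publish the CRL to this location,
rem flag 2 = put the URL in the CDP extension of issued certificates.
rem %%3 = CA name, %%8 = CRL suffix, %%9 = delta CRL suffix (certutil
rem variables; %% is how a literal % is written inside a batch file).
certutil -setreg CA\CRLPublicationURLs "1:%LOCAL_DIR%\%%3%%8%%9.crl\n2:%HTTP_ROOT%/%%3%%8%%9.crl"

rem Authority Information Access. Flag 1 = publish the CA certificate here,
rem flag 2 = put the URL in the AIA extension. %%1 = server DNS name,
rem %%4 = certificate renewal suffix.
certutil -setreg CA\CACertPublicationURLs "1:%LOCAL_DIR%\%%1_%%3%%4.crt\n2:%HTTP_ROOT%/%%1_%%3%%4.crt"

rem Base CRL lifetime. ASSUMPTION: 26 weeks fits an offline root that is
rem powered on twice a year to sign a new CRL; an online issuing CA would
rem use a period of days instead.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
rem 0 disables delta CRLs, which make no sense for an offline CA.
certutil -setreg CA\CRLDeltaPeriodUnits 0

rem Longest validity this CA will issue. ASSUMPTION: 5 years on the root so
rem the issuing CA certificate signed in step 22 matches Figure 15.
certutil -setreg CA\ValidityPeriodUnits 5
certutil -setreg CA\ValidityPeriod "Years"

rem Audit all seven CA event categories (127 = all flags set).
certutil -setreg CA\AuditFilter 127

rem Registry changes take effect on restart; then publish a CRL that already
rem carries the new CDP/AIA settings.
net stop certsvc && net start certsvc
certutil -crl
endlocal
```

No LDAP URLs are configured because the root CA is not a domain member; an issuing CA can add them, but the HTTP location above must then still be kept in sync as step 33 describes.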
Conclusion
In this article, we have given you some quick guidelines and best practice advice on how to best implement a PKI consisting of a combination of both offline standalone CAs and enterprise-based online issuing CAs. You should know that the script used for publishing the root CA's certificate and CRL file to the local store of the issuing CA and to Active Directory needs modifications if you are using a 3-level hierarchy. This is because the policy CA also needs to be published to the local certificate store of our enterprise-based issuing CA and also needs to be published to Active Directory. To a certain extent you may find this third article a bit cumbersome, especially during the implementation of an online issuing CA. But once you try it, you will find out that it is really not that difficult to implement a full-blown PKI that is both scalable and secure. In our last article in this PKI quick guide series, we will show you how to verify our installation as well as maintain and troubleshoot a PKI using a few simple steps.

External resources

This article series is done with the help of a lot of great resources. All the excellent Microsoft PKI articles are collected in one place, which you can find on the Microsoft PKI Web Portal: Public Key Infrastructure for Windows Server 2003
Want to see how Microsoft does PKI? Then check out the IT Showcase: Deploying PKI Inside Microsoft
And this is a great book: Microsoft Windows Server 2003 PKI and Certificate Security

Martin Kiaer is a Microsoft MVP in Windows Security and works as a Principal Consultant for LogicaCMG, a Microsoft Gold Partner in Security and Enterprise solutions. Martin has worked in IT for over 16 years, specializing in IT security since 1994. In his spare time he works as a freelance journalist and is the founder of IT-experts.dk, the largest Microsoft online community for Danish IT pros.