Installing a Two Tier PKI Hierarchy in Windows Server 2012: Part III, Post Configuration of Root Certification Authority
Introduction
I wanted to follow up on the Installing a Two Tier PKI Hierarchy in Windows Server 2012: Part I, Installing a Root Certification Authority with PowerShell and Installing a Two Tier PKI Hierarchy in Windows Server 2012: Part II, Installing a Root Certification Authority with the GUI blog postings. In those blogs I installed Active Directory Certificate Services. For the sake of completeness I wanted to give steps on how to configure the Root Certification Authority. Also, as mentioned in an earlier blog, I will not be explaining why I chose the settings I chose. The purpose of this blog series is simply to walk through the steps required for installation. At a later date I will discuss how to determine the configuration of your PKI. In the mean time you can use my previous blogs on this subject for guidance https://blogs.technet.com/b/askds/archive/2009/10/13/designing-and-implementing-a-pki-part-ii.aspx.
In the previous blog postings I covered how to Install a Root Certification Authority. In the blog posting I am going to cover the steps required to complete the Post Installation of the CA.
After you install a CA there are still a number of settings to configure. Those settings are Setting the DSConfig DN registry key, Configuring the AIA location and CA certificate publication, Configuring the CDP location and CRL Publishing, Configuring the CRL Validity Period, and Configuring the Validity Period for certs that will be issued by the CA, and Configuring Auditing.
Description of Settings
DSConfigDN
The CA can be configured to use LDAP (Active Directory) as a repository for CA certificates (AIA) and/or CRLs (CDP). The AIA and CDP containers are stored in the Configuration Partition of Active Directory. Since the DN of the AIA and CDP containers contain the root forest name the CA must have knowledge of the root forest name to properly publish this path in the AIA and CDP extensions of a certificate. Since a Standalone CA is not part of the domain this knowledge is gained through setting the DSConfigDN registry key.
Configuring the AIA and CA certificate publication
The AIA extension in a certificate allows the certificate validator to determine where they can download the certificate for a CA that issued a certificate. Also, certificates may need to be published by the CA. For a Standalone Root CA the CA certificate will typically be published to the file system. The administrator will then copy that certificate from the file system and publish it to the repositories specified in the AIA location. This interaction is necessary because the Standalone Root CA is typically kept offline and not connected to a network. As such manual publishing is typically required. Configuring the AIA location and CA certificate publication is done by setting the CACertPublicationURLs registry key.
Configuring the CDP location and CRL Publishing
The CDP extension in a certificate allows the validator of a certificate to determine where the CRL can be downloaded. Once the CRL is downloaded the validator can then determine if the certificate has been revoked. A CA will also publish a CRL. In the case of a Standalone Root CA the CRL will typically be published locally. The administrator will then copy that certificate from the file system and publish it to the repositories specified in the CDP location. This interaction is necessary because the Standalone Root CA is typically kept offline and not connected to a network. As such manual publishing is typically required. Configuring the CDP location and CRL publication is done by setting the CRLPublicationURLs registry key.
Configuring the CRL Validity Period
As previously mentioned the Certification Authority publishes a CRL. That CRL has a validity period or period for which it is valid. That validity period is configured by setting the CRLPeriodUnits and CRLPeriod registry settings.
Configuring the Validity Period for certs that will be issued by the CA
In this case, since I am speaking about a two tier hierarchy, the Root CA will publishe subordinate CA certificates. To configure the lifetime for CA certificates issued by the CA the ValidityPeriod and ValidityPeriodUnits registry settings must be configured.
Configuring Auditing
In order to configure auditing on the CA the AuditFilter registry setting must be configure. Additional information on CA Auditing is available here: https://technet.microsoft.com/en-us/library/cc758154(v=WS.10).aspx.
Post-Installation Script
Below is a sample script that I will run to configure all of the previous mentioned settings. For more detail on the script, please see: https://blogs.technet.com/b/askds/archive/2009/10/13/designing-and-implementing-a-pki-part-ii.aspx
certutil.exe -setreg ca\DSConfigDN "CN=Configuration,DC=fourthcoffee,DC=com"
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:https://pki.fourthcoffee.com/certenroll/%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:https://pki.fourthcoffee.com/certenroll/%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"
certutil -setreg CA\CRLPeriodUnits 6
certutil -setreg CA\CRLPeriod "Months"
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg ca\ValidityPeriodUnits 10
certutil -setreg ca\ValidityPeriod "Years"
certutil -setreg CA\AuditFilter 127
net stop certsvc & net start certsvc
certutil -CRL
PowerShell
In Windows Server 2012 there are a number of AD CS Administration Cmdlets that were introduced. Included in these cmdlets are cmdlets that will modify the CRLPublicationURLs and CACertPublication URLs. These cmdlets are: Add-CACrlDistributionPoint, Add-CAAuthorityInformationAccess, Remove-CACrlDistributionPoint, and Remove-CAAuthorityInformationAccess. And although these commands may be useful in certain situations, they are not particularly useful for me in configuring me for post-installation of a CA. The reason I state that "they are not particularly useful" is because I can already perform these steps with “certutil –setreg” command. However, if you do decide those commands are helpful, here is a link which includes additional information: https://technet.microsoft.com/en-us/library/hh848365.
Conclusion
In this blog posting I covered the post installation steps for Standalone Root Certification Authority. I will shortly be following up with a posting on the steps for Installing an Issuing CA.