Microsoft Press Windows Server 2008 PKI and Certificate Security, part 3 (ppt)


Part II: Establishing a PKI

The following assumptions apply to the Fabrikam, Inc. policy CA:

■ It implements a single CPS, with the CPS published at www.fabrikam.com/CPS/CPStatement.asp.
■ OID 1.3.6.1.4.1.311.509.3.1 is assigned to the CPS.
■ The key length for the private key and public key is 2,048 bits.
■ The validity period of the policy CA certificate is 10 years.
■ Base CRLs are published every 26 weeks with a 2-week overlap.
■ Delta CRLs are disabled.
■ Discrete signatures must be enabled in the policy CA certificate to allow the use of CNG algorithms for hash and certificate signing.
■ The policy CA will use the SHA256 hash algorithm.

Based on these assumptions, the following CAPolicy.inf file can be installed in the %Windir% of the Fabrikam, Inc. policy CA computer:

    [Version]
    Signature="$Windows NT$"

    [PolicyStatementExtension]
    Policies=FabrikamCPS

    [FabrikamCPS]
    OID=1.3.6.1.4.1.311.509.3.1
    NOTICE=Fabrikam Industries Certification Practice Statement
    URL=http://www.fabrikam.com/CPS/CPStatement.asp

    [certsrv_server]
    RenewalKeyLength=2048
    RenewalValidityPeriodUnits=10
    RenewalValidityPeriod=years
    CRLPeriod=weeks
    CRLPeriodUnits=26
    CRLOverlapPeriod=weeks
    CRLOverlapUnits=2
    CRLDeltaPeriodUnits=0
    CRLDeltaPeriod=days
    DiscreteSignatureAlgorithm=1

Installing Certificate Services

After the CAPolicy.inf file is in place, you can install Certificate Services. Because the policy CA's certificate request is submitted to the root CA, the issuance of the subordinate CA certificate takes place at the root CA.

Chapter 6: Implementing a CA Hierarchy

The following assumptions are made about the root CA computer:

■ It uses the naming scheme shown previously in Figure 6-1.
■ It has two mirrored partitions: drive C for the operating system and drive D for the CA database and log files.

Note: IIS is not required for the installation of an offline policy CA.
The only certificate requests submitted to the policy CA are for subordinate CA certificates, and these can be submitted by using the Certification Authority console. To start the process of installing Certificate Services, perform the following tasks at the policy CA:

1. Log on as a member of the local Administrators group.
2. Ensure that the date and time match the date and time on the root CA computer.
3. Click Start, point to Administrative Tools, and then click Server Manager.
4. In the Roles Summary section, click Add Roles.
5. If the Before You Begin page appears, select the Skip This Page By Default check box, and then click Next.
6. On the Select Server Roles page, select the Active Directory Certificate Services check box, and when the role is populated, click Next.
7. On the Introduction To Active Directory Certificate Services page, click Next.
8. On the Select Role Services page, select the Certification Authority check box, and then click Next.
9. On the Specify Setup Type page, click Standalone, and then click Next.
10. On the Specify CA Type page, click Subordinate CA, and then click Next.
11. On the Set Up Private Key page, click Create A New Private Key, and then click Next.
12. On the Configure Cryptography For CA page, set the following options, and then click Next.
    ❑ Select a cryptographic service provider (CSP): RSA#Microsoft Software Key Storage Provider
    ❑ Key character length: 2048
    ❑ Select the hash algorithm for signing certificates issued by this CA: sha256
13. On the Configure CA Name page, provide the following information, and then click Next.
    ❑ Common name for this CA: Fabrikam Corporate Policy CA
    ❑ Distinguished name suffix: O=Fabrikam Inc.,C=US
14. On the Request Certificate From A Parent CA page, click Save A Certificate Request To File And Manually Send It Later To A Parent CA, accept the default file name, and then click Next.
15. On the Configure Certificate Database page, provide the following settings, and then click Next:
    ❑ Certificate database: D:\CertDB
    ❑ Certificate database log: D:\CertLog
16. After verifying the information on the Confirm Installation Selections page, click Install.
17. On the Installation Results page, note that the installation is incomplete, and then click Close.
18. Open C:\.
19. Copy the FABINCCA02_Fabrikam Corporate Policy CA.req file to the USB drive.
20. Remove the USB drive containing the certificate request file from the policy CA computer.

The USB drive must now be transported to the root CA computer to submit the certificate request and to copy the issued certificate back to the policy CA. While logged on at the root CA computer as a member of the local Administrators group, use the following process:

1. Insert the USB drive containing the certificate request file into a USB port on the root CA computer.
2. From the Start menu, click Administrative Tools, and then click Certification Authority.
3. In the console tree, right-click Fabrikam Corporate Root CA, point to All Tasks, and then click Submit New Request.
4. In the Open Request File dialog box, in the File Name box, type A:\FABINCCA02_Fabrikam Corporate Policy CA.req, and then click Open.
5. In the console tree, expand Fabrikam Corporate Root CA, and then click Pending Requests.
6. In the details pane, right-click the certificate request, point to All Tasks, and then click Export Binary Data.
7. In the Export Binary Data dialog box, in the Columns That Contain Binary Data drop-down list, select Binary Request, and then click OK.
8. Review the request detail for accuracy:
    ❑ Verify that the subject name is Fabrikam Corporate Policy CA.
          Subject:
              CN=Fabrikam Corporate Policy CA
              O=Fabrikam Inc.
              C=US
    ❑ Ensure that the public key length is 2048 bits.
          Public Key Length: 2048 bits
    ❑ Ensure that the basic constraints indicate Subject Type=CA.
          Basic Constraints
              Subject type=CA
    ❑ Verify that the Certificate Policy statement is correctly configured with the Policy Identifier OID set to 1.3.6.1.4.1.1204.509.3.1, the Notice Text set to "Fabrikam Industries Certification Practice Statement," and the CPS qualifier set to http://www.fabrikam.com/CPS/CPStatement.asp.
          Certificate Policies
              [1]Certificate Policy:
                  Policy Identifier=1.3.6.1.4.1.1204.509.3.1
                  [1,1]Policy Qualifier Info:
                      Policy Qualifier Id=User Notice
                      Qualifier:
                          Notice Text=Fabrikam Industries Certification Practice Statement
                  [1,2]Policy Qualifier Info:
                      Policy Qualifier Id=CPS
                      Qualifier:
                          http://www.fabrikam.com/CPS/CPStatement.asp
    ❑ Verify that the Signature Algorithm is SHA256RSA.
          Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
    ❑ Verify that the signature matches the public key.
          Signature matches Public Key
9. Close the Binary Request window.
10. In the details pane, right-click the pending SubCA certificate, point to All Tasks, and then click Issue.
11. In the console tree, click Issued Certificates.
12. In the details pane, double-click the issued certificate.
13. In the Certificate dialog box, click the Details tab.
14. On the Details tab, click Copy To File.
15. In the Certificate Export Wizard, click Next.
16. On the Export File Format page, click Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B), select the Include All Certificates In The Certification Path If Possible check box, and then click Next.
17. On the File To Export page, in the File Name box, type F:\policyca.p7b, and then click Next.
18. On the Completing The Certificate Export Wizard page, click Finish.
19. In the Certificate Export Wizard message box, click OK.
20. In the Certificate dialog box, click OK.
21. Close the Certification Authority console.
22. Remove the USB drive containing the certificate request file.
Once the certificate is exported to the floppy disk, you must complete installation of the policy CA by installing the subordinate CA certificate at the policy CA. Use the following procedure:

1. Insert the USB drive containing the PKCS#7 file into a USB port on the policy CA computer.
2. From the Start menu, click Administrative Tools, and then click Certification Authority.
3. In the console tree, right-click Fabrikam Corporate Policy CA, point to All Tasks, and then click Install CA Certificate.
4. In the Select File To Complete CA Installation dialog box, in the File Name box, type F:\policyca.p7b, and then click Open.
5. In the console tree, right-click Fabrikam Corporate Policy CA, point to All Tasks, and then click Start Service.

Note: At this point, Certificate Services starts and allows you to view and configure the policy CA. If the service does not start, the most common error is the revocation function being unable to check revocation status. This is typically because of forgetting to install the root CA certificate and CRL on the policy CA.

Post-Installation Configuration

Once the policy CA installation is complete, you must ensure that the policy CA's registry settings are configured correctly. The following assumptions are made regarding the Fabrikam network:

■ All client and server computers are running Windows XP or later and are members of the Fabrikam.com domain.
■ There is a Web server named www.fabrikam.com. A virtual directory named Certdata contains CRL and AIA information for all CAs in the CA hierarchy. This Web server is accessible internally and externally.
■ The subordinate CA below the policy CA has a validity period of five years.
■ All auditing options must be enabled on the policy CA.
■ The policy CA certificate and CRL are copied to a floppy disk to allow publication to AD DS and to the www.fabrikam.com Web server.
■ Sleep.exe from the Windows Server 2003 Resource Kit is installed on the policy CA computer.
■ Discrete Signatures must be supported and available for certificate requests submitted to the CA.

To configure the policy CA to implement these design decisions and the assumptions stated previously, the following post-installation script can be used:

    ::Declare Configuration NC
    certutil -setreg CA\DSConfigDN CN=Configuration,DC=fabrikam,DC=com
    ::Define CRL Publication Intervals
    certutil -setreg CA\CRLPeriodUnits 26
    certutil -setreg CA\CRLPeriod "Weeks"
    certutil -setreg CA\CRLOverlapUnits 2
    certutil -setreg CA\CRLOverlapPeriod "Weeks"
    certutil -setreg CA\CRLDeltaPeriodUnits 0
    certutil -setreg CA\CRLDeltaPeriod "Days"
    ::Apply the required CDP Extension URLs
    certutil -setreg CA\CRLPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10\n2:http://www.fabrikam.com/Certdata/%%3%%8%%9.crl"
    ::Apply the required AIA Extension URLs
    certutil -setreg CA\CACertPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11\n2:http://www.fabrikam.com/CertData/%%1_%%3%%4.crt"
    ::Enable all auditing events for the Fabrikam Corporate Policy CA
    certutil -setreg CA\AuditFilter 127
    ::Set Validity Period for Issued Certificates
    certutil -setreg CA\ValidityPeriodUnits 5
    certutil -setreg CA\ValidityPeriod "Years"
    ::Enable discrete signatures in subordinate CA certificates
    certutil -setreg CA\csp\DiscreteSignatureAlgorithm 1
    ::Restart Certificate Services
    net stop certsvc & net start certsvc
    sleep 5
    certutil -crl
    ::Copy the policy CA certificates and CRLs to the USB Drive
    echo Insert the USB Drive in the USB slot
    sleep 5
    copy /y %windir%\system32\certsrv\certenroll\*.cr? f:\

Implementing an Online Issuing CA

The process for installing subordinate online CAs is slightly different than the process for installing subordinate offline CAs.

Pre-Installation Configuration

Before installing Certificate Services on the issuing CA, you must ensure that the issuing CA trusts the root CA and is able to download the policy CA certificate and CRL for certificate revocation checking. This is accomplished by manually installing or publishing the root CA and policy CA certificates stored on a floppy disk to the following locations:

■ The local computer's Trusted Root Store and intermediate CA store. This location is required if you are unable to publish the certificate into AD DS or to the HTTP URL referenced in the AIA and CDP extensions of certificates issued by the root or policy CA. This location is also required if the issuing CA is a standalone CA.
■ AD DS. The root and policy CA certificate and CRLs can be published into AD DS. Publication into AD DS enables the automated download of the certificates to all Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 computers that are members of the forest.
■ HTTP URLs referenced in the AIA and CDP extensions. The root and policy CA certificates and CRLs must be manually published to these locations to enable download of the CA certificates and CRLs to all clients using these URLs for chain building and revocation checking.

Installing Certificates Locally at the Issuing CA

If you have not published the root and policy CA certificates into AD DS or to the HTTP URLs included in the certificates issued by the root and policy CAs, you can manually install the certificates into the issuing CA's local machine store. This process is similar to the one used to install the root CA certificate and CRL at the policy CA. The difference is that both root and intermediate CA certificates are installed at an issuing CA.
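The CRLPublicationURLs and CACertPublicationURLs values set by the policy CA's post-installation script are lists of entries separated by the two literal characters \n, each prefixed by a numeric flag and containing %N tokens that certutil replaces when it publishes a CRL or CA certificate. The following Python is an added example, not code from the book or from Windows: it splits such a value into entries, names the flag bits, and expands the tokens for the Fabrikam policy CA. The CA name, host name, Web URL and configuration DN come from the text; the server FQDN (FABINCCA02.fabrikam.com), the %windir% value (C:\Windows) and the function names are assumptions.

```python
"""Decode AD CS CDP/AIA publication URL lists (added example, not from the book)."""
import re

# Flag bits for CRLPublicationURLs (CDP) entries.
CDP_FLAGS = {
    1: "publish CRLs to this location",
    2: "include in the CDP extension of issued certificates",
    4: "include in CRLs (freshest CRL / delta location)",
    8: "include in the CDP extension of CRLs",
    64: "publish delta CRLs to this location",
    128: "include in the IDP extension of CRLs",
}

# Flag bits for CACertPublicationURLs (AIA) entries.
AIA_FLAGS = {
    1: "publish the CA certificate to this location",
    2: "include in the AIA extension of issued certificates",
    32: "include in the OCSP extension of issued certificates",
}

# Token values for the Fabrikam policy CA. The FQDN and windir are assumptions;
# the rest comes from the CA name, naming scheme and DSConfigDN in the text.
FABRIKAM_POLICY_CA = {
    "windir": r"C:\Windows",                     # assumption
    "1": "FABINCCA02.fabrikam.com",              # %1 ServerDNSName (assumed FQDN)
    "2": "FABINCCA02",                           # %2 ServerShortName
    "3": "Fabrikam Corporate Policy CA",         # %3 CaName
    "4": "",                                     # %4 CertificateName: "" for the first CA cert, "(1)" after renewal
    "6": "CN=Configuration,DC=fabrikam,DC=com",  # %6 ConfigurationContainer
    "7": "Fabrikam Corporate Policy CA",         # %7 CATruncatedName (only shortened for long CA names)
    "8": "",                                     # %8 CRLNameSuffix: "" until the CA key is renewed
    "9": "",                                     # %9 DeltaCRLAllowed: "" for a base CRL, "+" for a delta CRL
    "10": "?certificateRevocationList?base?objectClass=cRLDistributionPoint",
    "11": "?cACertificate?base?objectClass=certificationAuthority",
}

# The two values as certutil receives them once cmd.exe has turned %%3 into %3
# (constructed from the script in the text).
CDP_VALUE = (r"1:%windir%\system32\CertSrv\CertEnroll\%3%8%9.crl"
             r"\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"
             r"\n2:http://www.fabrikam.com/Certdata/%3%8%9.crl")
AIA_VALUE = (r"1:%windir%\system32\CertSrv\CertEnroll\%1_%3%4.crt"
             r"\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11"
             r"\n2:http://www.fabrikam.com/CertData/%1_%3%4.crt")


def parse_publication_urls(value):
    """Split a registry value into (flags, template) pairs; entries are
    separated by the literal characters backslash + n, not a newline."""
    entries = []
    for item in value.split("\\n"):
        flags, template = item.split(":", 1)   # "10:ldap:///..." -> 10, "ldap:///..."
        entries.append((int(flags), template))
    return entries


def describe_flags(flags, table):
    """Meaning of every bit set in the numeric prefix (10 = 2 + 8)."""
    return [meaning for bit, meaning in table.items() if flags & bit]


_TOKEN = re.compile(r"%windir%|%(1[01]|[1-9])")   # %10 and %11 before single digits


def expand(template, tokens, delta=False):
    """Substitute the %N tokens; delta=True produces the delta CRL name."""
    values = dict(tokens)
    values["9"] = "+" if delta else ""

    def sub(match):
        key = "windir" if match.group(0) == "%windir%" else match.group(1)
        return values[key]

    url = _TOKEN.sub(sub, template)
    if url.lower().startswith("http"):
        url = url.replace(" ", "%20")   # the CA percent-encodes spaces in HTTP URLs
    return url


def publication_report(value, table, tokens):
    """One line per entry with its expanded base URL, then its flag meanings."""
    lines = []
    for flags, template in parse_publication_urls(value):
        lines.append(f"{flags:>3}  {expand(template, tokens)}")
        lines.extend(f"       - {meaning}" for meaning in describe_flags(flags, table))
    return lines


if __name__ == "__main__":
    print("CDP entries:")
    print("\n".join(publication_report(CDP_VALUE, CDP_FLAGS, FABRIKAM_POLICY_CA)))
    print("AIA entries:")
    print("\n".join(publication_report(AIA_VALUE, AIA_FLAGS, FABRIKAM_POLICY_CA)))
```

Running the report shows why the LDAP entry carries 10 rather than 2: the extra bit 8 puts the LDAP location into the CDP extension of the CRLs themselves, while the file-system entry (flag 1) is only a publication target and never appears in any certificate. The same decoding works on the value read back with certutil -getreg CA\CRLPublicationURLs from an existing CA.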
Tip: I still publish the root and policy CA certificates locally because of impatience. When you publish them to AD DS, you have to wait for replication and application of Group Policy before the issuing CA has knowledge of the certificates. Installing the certificate and CRL locally offers immediate recognition of the CA hierarchy.

The following script publishes the root CA certificate and CRL into the local machine store:

    @echo off
    a:
    cd \
    for %%c in ("FABINCCA01*.crt") do certutil -addstore -f Root "%%c"
    for %%c in ("Fabrikam Corporate Root*.crl") do certutil -addstore -f Root "%%c"
    for %%c in ("FABINCCA02*.crt") do certutil -addstore -f CA "%%c"
    for %%c in ("Fabrikam Corporate Policy*.crl") do certutil -addstore -f CA "%%c"

This batch file supports later revisions to the root or policy CA certificates and publishes all versions of the root and policy CA certificates and CRLs.

Tip: When using this script in your environment, modify each line's search pattern to a pattern that uniquely describes the CA computer name for *.crt files and the CA logical name for *.crl files.

Publishing Certificates and CRLs into AD DS

The preferred method of publishing root and policy CA certificates and CRLs in a forest environment is to publish them into AD DS. When published into AD DS, the CA certificates and CRLs are published in the configuration naming context and are automatically downloaded to all forest members running Windows 2000, Windows XP, Windows Server 2003, Windows Vista, or Windows Server 2008 through autoenrollment.
To publish the root and policy CA certificates and CRLs, use the following script, which must be run by a member of the Enterprise Admins group:

    @echo off
    a:
    cd \
    for %%c in ("FABINCCA01*.crt") do certutil -dspublish -f "%%c" RootCA
    for %%c in ("FABINCCA02*.crt") do certutil -dspublish -f "%%c" SubCA
    for %%c in ("Fabrikam Corporate Root*.crl") do certutil -dspublish -f "%%c"
    for %%c in ("Fabrikam Corporate Policy*.crl") do certutil -dspublish -f "%%c"
    gpupdate /force

The next time Group Policy is applied to a computer that is a member of the forest, certificates will be automatically added to the trusted root or intermediate CA store of the local machine through the autoenrollment mechanism.

Tip: When using this script in your environment, modify each line's search pattern to a pattern that uniquely describes the CA computer name for *.crt files and the CA logical name for *.crl files.

Copying Certificates and CRLs to HTTP Publication Points

If you implement HTTP URLs in your offline CA CDP and AIA extensions, you must manually copy the files to the referenced location. The transfer mechanism entirely depends on the Web servers that host the CA certificates and CRLs. Some of the more commonly chosen mechanisms include: File Transfer Protocol (FTP), Robocopy (now part of the Windows Server 2008 operating system), Secure FTP, Remote Copy Protocol (RCP), and Trivial File Transfer Protocol (TFTP).

The actual commands that you use depend entirely on the method you choose to copy the files to the Web server or Web server cluster. The following example shows how to use Robocopy to copy the root and policy CA files to a Web server with the NetBIOS name FABWEB01 to a share named CertEnroll$. The batch file assumes that the necessary files are on the root of the USB drive (F:).
    @echo off
    F:
    ::Connect to the CertEnroll$ share, copy every certificate and CRL, then drop the connection
    net use \\FABWEB01.fabrikam.com\certenroll$
    robocopy F:\ \\FABWEB01.fabrikam.com\certenroll$ *.crt *.crl /R:5 /W:5 /V /LOG:UpdateCrlLog.txt
    net use \\FABWEB01.fabrikam.com\certenroll$ /d

Creating a CAPolicy.inf File

Once the root and policy CA certificates and CRLs are downloaded to the local machine's trusted root store, you must prepare a CAPolicy.inf file for the issuing CA. The CAPolicy.inf file for an issuing CA must define certificate-renewal and CRL publication settings. The following assumptions apply to the Fabrikam issuing CA:

■ The key length for the private key and public key is 2,048 bits.
■ The policy CA certificate's validity period is five years.
■ Base CRLs are published every three days with an overlap of four hours.
■ Delta CRLs are published every 12 hours.
■ Discrete signatures must be enabled in the issuing CA certificate to allow the use of CNG algorithms for hash and certificate signing.
■ The issuing CA will use the SHA256 hash algorithm.
■ The CA will not have any certificate template available for enrollment initially.

Based on these assumptions, the following CAPolicy.inf file can be installed in the %Windir% of the Fabrikam, Inc. issuing CA computer (as with the policy CA file, each *Period key names the unit and its *Units key holds the count):

    [Version]
    Signature="$Windows NT$"

    [certsrv_server]
    renewalkeylength=2048
    RenewalValidityPeriodUnits=5
    RenewalValidityPeriod=years
    CRLPeriod=days
    CRLPeriodUnits=3
    CRLOverlapPeriod=hours
    CRLOverlapUnits=4
    CRLDeltaPeriod=hours
    CRLDeltaPeriodUnits=12
    DiscreteSignatureAlgorithm=1
    LoadDefaultTemplates=0

What if I Am Deploying Only a Two-Tier Hierarchy?

If you are deploying a two-tier CA hierarchy, the major configuration change is the contents of the CAPolicy.inf file. In a two-tier CA hierarchy, the second tier is deployed as a combination policy and issuing CA. The CAPolicy.inf file must be changed to reflect this, as shown below. This example assumes that the same requirements exist for CPS publication.
    [Version]
    Signature="$Windows NT$"

    [PolicyStatementExtension]
    Policies=FabrikamCPS

    [FabrikamCPS]
    OID=1.3.6.1.4.1.311.509.3.1
    NOTICE=Fabrikam Industries Certification Practice Statement
    URL=http://www.fabrikam.com/CPS/CPStatement.asp

    [certsrv_server]
    renewalkeylength=2048
    RenewalValidityPeriodUnits=5
    RenewalValidityPeriod=years
    CRLPeriod=days
    CRLPeriodUnits=3
    CRLOverlapPeriod=hours
    CRLOverlapUnits=4
    CRLDeltaPeriod=hours
    CRLDeltaPeriodUnits=12
    DiscreteSignatureAlgorithm=1
    LoadDefaultTemplates=0

This CAPolicy.inf file ensures that the CPS information is included in the issuing CA's certificate, but the file implements the CRL and CA certificate settings for an issuing CA.

Installing Certificate Services

Once the CAPolicy.inf file is in place, you can install Certificate Services. Because the issuing CA's certificate request is submitted to the policy CA, the issuance of the subordinate CA certificate occurs at the policy CA. The following assumptions are made about the issuing CA computer:

■ It uses the naming scheme shown previously in Figure 6-1.
■ It has two mirrored partitions and a RAID 5 array: drive C: for the operating system, drive D: for the CA log files, and drive E:, a RAID 5 array, for the CA database.

[...]

... Windows Server 2008 and then migrating the existing CA database, CA certificate, and key pair to a computer running the 64-bit edition of Windows Server 2008.
■ Migrating the Windows Server 2003 existing CA database, CA certificate, and key pair to a 64-bit Windows Server 2003 CA and then upgrading the 64-bit CA to Windows Server 2008.

There probably will not be much demand to migrate existing root and ...
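Each CRL setting in the CAPolicy.inf files for the policy CA, the issuing CA and the two-tier CA earlier in this chapter is a pair of keys: a unit key such as CRLPeriod=days and a count key such as CRLPeriodUnits=3 (CRLOverlapPeriod pairs with CRLOverlapUnits). Nothing warns you at installation time when a pair is written the wrong way round or when the keys are placed outside [certsrv_server], so it is worth checking the file before the CA is installed. The following Python is an added example, not code from the book: it parses a CAPolicy.inf with the standard library configparser, reports reversed pairs and a missing [certsrv_server] section, and derives the base CRL lifetime the CA stamps into NextUpdate (CRLPeriod plus CRLOverlapPeriod) and the delta CRL interval. The embedded sample files are constructed copies of the values in the text; the function names are my own.

```python
"""Check the CRL and renewal keys of a CAPolicy.inf file (added example, not from the book)."""
import configparser

# Unit names accepted by the *Period keys, in hours (months and years are
# approximations here; AD CS itself uses calendar arithmetic for them).
UNIT_HOURS = {"hours": 1, "days": 24, "weeks": 7 * 24,
              "months": 30 * 24, "years": 365 * 24}

# Unit key -> matching count key (note that CRLOverlapUnits has no "Period").
PERIOD_KEYS = {
    "CRLPeriod": "CRLPeriodUnits",
    "CRLOverlapPeriod": "CRLOverlapUnits",
    "CRLDeltaPeriod": "CRLDeltaPeriodUnits",
    "RenewalValidityPeriod": "RenewalValidityPeriodUnits",
}

# Constructed sample: the policy CA values from the text (26-week base CRL,
# 2-week overlap, delta CRLs disabled, 10-year renewal).
POLICY_CA_INF = """\
[Version]
Signature="$Windows NT$"
[certsrv_server]
RenewalKeyLength=2048
RenewalValidityPeriodUnits=10
RenewalValidityPeriod=years
CRLPeriod=weeks
CRLPeriodUnits=26
CRLOverlapPeriod=weeks
CRLOverlapUnits=2
CRLDeltaPeriodUnits=0
CRLDeltaPeriod=days
"""

# Constructed sample: the issuing CA values (3-day base CRL, 4-hour overlap,
# 12-hour delta CRL) written correctly ...
ISSUING_CA_INF = """\
[certsrv_server]
RenewalValidityPeriodUnits=5
RenewalValidityPeriod=years
CRLPeriod=days
CRLPeriodUnits=3
CRLOverlapPeriod=hours
CRLOverlapUnits=4
CRLDeltaPeriod=hours
CRLDeltaPeriodUnits=12
LoadDefaultTemplates=0
"""

# ... and with every unit and count reversed, the mistake the check is for.
ISSUING_CA_INF_SWAPPED = (ISSUING_CA_INF
    .replace("CRLPeriod=days\nCRLPeriodUnits=3", "CRLPeriod=3\nCRLPeriodUnits=days")
    .replace("CRLOverlapPeriod=hours\nCRLOverlapUnits=4", "CRLOverlapPeriod=4\nCRLOverlapUnits=hours")
    .replace("CRLDeltaPeriod=hours\nCRLDeltaPeriodUnits=12", "CRLDeltaPeriod=12\nCRLDeltaPeriodUnits=hours"))


def parse_capolicy(text):
    """configparser lower-cases option names, matching CAPolicy.inf's case-insensitive keys."""
    cfg = configparser.ConfigParser(interpolation=None)   # values such as $Windows NT$ are literal
    cfg.read_string(text)
    return cfg


def check_periods(text):
    """Return a list of findings; an empty list means every unit/count pair is well formed."""
    cfg = parse_capolicy(text)
    if "certsrv_server" not in cfg:
        return ["no [certsrv_server] section: CRL and renewal keys elsewhere are ignored"]
    sec, findings = cfg["certsrv_server"], []
    for unit_key, count_key in PERIOD_KEYS.items():
        unit, count = sec.get(unit_key.lower()), sec.get(count_key.lower())
        if unit is None and count is None:
            continue                                  # pair absent: the CA keeps its defaults
        if unit is not None and unit.lower() in UNIT_HOURS and count is not None and count.isdigit():
            continue                                  # well formed
        if unit is not None and unit.isdigit() and count is not None and count.lower() in UNIT_HOURS:
            findings.append(f"{unit_key}={unit} and {count_key}={count} are swapped")
        else:
            findings.append(f"{unit_key}={unit!r}, {count_key}={count!r} is not a unit/count pair")
    return findings


def _hours(sec, unit_key):
    """Length of one unit/count pair in hours; 0 when the pair is absent."""
    if unit_key.lower() not in sec:
        return 0
    return UNIT_HOURS[sec[unit_key.lower()].lower()] * int(sec[PERIOD_KEYS[unit_key].lower()])


def crl_lifetime_hours(text):
    """ThisUpdate to NextUpdate of the base CRL: CRLPeriod plus CRLOverlapPeriod."""
    problems = check_periods(text)
    if problems:
        raise ValueError("; ".join(problems))
    sec = parse_capolicy(text)["certsrv_server"]
    return _hours(sec, "CRLPeriod") + _hours(sec, "CRLOverlapPeriod")


def delta_crl_interval_hours(text):
    """Hours between delta CRLs; 0 means delta CRLs are disabled."""
    if check_periods(text):
        raise ValueError("fix the unit/count keys first")
    return _hours(parse_capolicy(text)["certsrv_server"], "CRLDeltaPeriod")


if __name__ == "__main__":
    for name, inf in [("policy CA", POLICY_CA_INF), ("issuing CA", ISSUING_CA_INF),
                      ("issuing CA (swapped)", ISSUING_CA_INF_SWAPPED)]:
        problems = check_periods(inf)
        print(name, "->", problems or f"base CRL valid {crl_lifetime_hours(inf)} h, "
                                      f"delta every {delta_crl_interval_hours(inf)} h")
```

For an offline policy CA the lifetime figure is the operational deadline: with a 26-week period and a 2-week overlap the CRL published today stops validating in 28 weeks, and the CA must be brought up and certutil -crl run before then.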
[...]

... versions of Windows Certificate Services. Table 7-1 provides the supported upgrade paths from previous versions of Certificate Services to Windows Server 2008 Active Directory Certificate Services.

Table 7-1 Upgrade Paths to Windows Server 2008

                                                              Upgrade to Windows Server 2008
Windows version       Edition                                  Standard Edition   Enterprise Edition   Datacenter Edition
Windows NT 4          All                                      No                 No                   No
Windows 2000          All                                      No                 No                   No
Windows Server 2003   Standard Edition (SP1 and later, R2)     Yes                Yes                  No
                      Enterprise Edition (SP1 and later, R2)   No                 Yes                  No
                      Datacenter Edition                       No                 No                   Yes
                      Itanium-based Editions                   No                 No                   No

As detailed in the table, the only version of Windows Certificate Services that supports a direct upgrade to Windows Server 2008 is Windows Server 2003 running on Service Pack 1 or later or on Windows ...

[...]

... Server 2008 Active Directory Certificate Services is not supported on Windows Server 2008 for Itanium-based systems.

32-Bit to 64-Bit Considerations

The upgrade to Windows Server 2008 will not support upgrade between architectures. You will not be able to upgrade from a 32-bit version of Windows Server 2003 to a 64-bit version of Windows Server 2008. There are three different methods to migrate from 32-bit ...

[...]

... (http://technet2.microsoft.com/windowsserver/en/library/091cda67-79ec481d-8a96-03e0be7374ed1033.mspx?mfr=true)
■ "Certificate Revocation and Status Checking" (http://technet.microsoft.com/en-us/library/bb457027.aspx)
■ "Active Directory Certificate Server Enhancements in Windows Server Code Name 'Longhorn'" (http://www.microsoft.com/downloads/details.aspx?familyid=9bf17231-d8324ff9-8fb8-0539ba21ab95&displaylang=en)
■ 231182: Certificate ...

[...]

... for issuing CAs and a member of the local Administrators group for offline CAs.
3. Ensure that you back up all critical Certificate Services files.
   Note: For details on the recommendations for backup, see Chapter 14.
4. Insert the Windows Server 2008 media in the DVD-ROM drive. Use Windows Server 2008 Standard to upgrade existing Windows Server 2003 Standard offline CAs and Windows Server 2008 Enterprise ...

[...]

Additional migration steps are required if you previously deployed Windows Server 2003 certification authorities (CAs) using a 32-bit processor and want to deploy Windows Server 2008 on computers with 64-bit processors.

What Versions Can You Upgrade to Windows Server 2008?

The recommended method to upgrade to Windows Server 2008 Active Directory Certificate Services is to perform an in-place upgrade. Unfortunately, ...

[...]

... certificates are automatically added to the local machine store of all Windows 2000, Windows XP, and Windows Server 2003 domain members?
2. What commands do you use to ensure that the root CA and policy CA CRLs are automatically added to the local machine store of all Windows 2000, Windows XP, and Windows Server 2003 domain members?
3. On the first attempt to install the issuing CA, you receive the error ...

[...]

... database, CAPolicy.inf, and the CA registry settings on the existing 32-bit Windows Server 2003 CA.
2. Remove the 32-bit CA from the network.
3. Build a 64-bit version of the CA that maintains the 32-bit CA's NetBIOS name and domain membership.
4. Restore the CA key pair, the CA certificate, the CA database, CAPolicy.inf, and the CA registry settings to the 64-bit Windows Server 2003 CA.
5. Verify that the ...

[...]

... to upgrade the server computer to the 64-bit version of Windows Server 2008.

Performing the Upgrade

The actual upgrade process involves preparing AD DS, performing the in-place upgrade, updating the available certificate templates, and then choosing whether to implement the new Windows Server 2008 features and options.

Upgrading the Schema

Before you can upgrade your CAs to Windows Server 2008, you must ...

[...]

... network:
■ All client and server computers are running Windows 2000, Windows XP, or Windows Server 2003 and are members of the Fabrikam.com domain.
■ The issuing CA's certificate and CRL are published ...

[...]

... to use Windows Server 2008 Enterprise Edition when installing an enterprise CA. Windows Server 2008 Enterprise Edition enables advanced features not available in Windows Server 2008 Standard ...

Posted: 09/08/2014, 09:21
