Hola Amigos !!
So you are all sweaty after the hard work of setting up a root CA on your Windows 2012 R2 server ?
Well, pull up and let's get some juice out of that damn server :)
Here is the itinerary of our joyous ride ahead
- We’ll learn how to generate a Certificate Signing Request (CSR) on both a Windows and a Linux server
- We’ll get the CSR signed by the CA
- We'll download both the CA public cert and the signed server cert, and install the certs on our dear client
Important Note:
The procedure described below is what is called 'Offline Certificate Enrollment': the CSR is generated on a client, submitted or copied over to the CA by some means, signed there, and the resulting certificate is installed back on the client.
There are also 'Online Certificate Enrollment' methods, but those require both the CA and the Windows client to be in the same forest. There was also an elaborate procedure to do this across forests, but it involved some ghastly tricks so I avoided those.
With that in mind, let's get that engine roaring and fire up !!
Generate CSR to be signed by CA
On Windows server
- Create the .inf file. The following is an example .inf file that can be used to create the certificate request (the closing quote on the Signature line is required, certreq rejects the file without it)
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=<DC fqdn>" ; replace with the FQDN of the DC
KeySpec = 1
KeyLength = 1024
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
; 2048 is the practical minimum that current clients and CAs accept.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0 ; digital signature + key encipherment
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
;-----------------------------------------------
- Cut and paste the sample into a new text file named request.inf, and put the fully qualified DNS name of the domain controller in the Subject line of the request
Note:
- Some third-party certification authorities may require additional information in the Subject parameter. Such information includes an e-mail address (E), organizational unit (OU), organization (O), locality or city (L), state or province (S), and country or region (C). You may append this information to the Subject name (CN) in the request.inf file. For example: Subject="E=admin@contoso.com, CN=<DC fqdn>, OU=Servers, O=Contoso, L=Redmond, S=Washington, C=US"
- There may also be a case where you need CSRs for multiple domain controllers serving the same domain. All the certificates should then carry the same DNS name: that is, all the DCs respond to the same DNS name rather than their individual host names. I achieved this using "Subject Alternative Names" in request.inf (Using SAN in digital certificates)
;----------------- request.inf -----------------
[NewRequest]
Subject = "CN=<DC fqdn>" ; remove this line to leave Subject blank
[Extensions]
; If your client operating system is Windows Server 2008, Windows Server 2008 R2, Windows Vista, or Windows 7
; SANs can be included in the Extensions section by using the following text format. Note 2.5.29.17 is the OID for a SAN extension.
2.5.29.17 = "{text}"
_continue_ = "dns=www01.fabrikam.com&" ;specify the FQDN of the DC
_continue_ = "dns=<dns-name-1>&" ;may specify multiple such lines
_continue_ = "dns=<dns-name-2>&"
_continue_ = "dns=<dns-name-3>&"
; The remaining entry types are optional; a DC certificate normally needs only the dns entries
_continue_ = "url=http://www.fabrikam.com&"
_continue_ = "ipaddress=101.96.79.34&"
_continue_ = "email=shines@fabrikam.com&"
_continue_ = "upn=shines@fabrikam.com&"
_continue_ = "guid=f7c3ac41-b8ce-4fb4-aa58-3d1dc0e36b39&"
;-----------------------------------------------
- Create the request file. To do this, type the following command at the command prompt, and then press ENTER:
certreq -new request.inf request.csr
- A new file called request.csr is created. This is the base64-encoded CSR file
On Linux server
- First create a private key
openssl genrsa -out priv.key 4096
- Now generate a CSR using this private key
openssl req -new -key priv.key -out request.csr
Remember not to pass the -x509 option, or you’ll end up with a self-signed certificate instead of a request.
Oops !! Did I just give you another recipe ;)
You will immediately be presented with a list of prompts:
Country Name (2 letter code) [GB]: IN
State or Province Name (full name) [Berkshire]: MAHA
Locality Name (eg, city) [Newbury]: PUNE
Organization Name (eg, company) [My Company Ltd]: SELF
Organizational Unit Name (eg, section) []: EMPLOYED
Common Name (eg, your server's hostname) []: Hiccups934
Email Address []: varun.mittal@junkmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
The most important one is the ‘Common Name’.
This should be the DNS name of your server, the name the clients will use when connecting to it. Connecting with any other name or with the IP address will fail the certificate check. Modern clients match the host name against the Subject Alternative Name extension rather than the CN, so make sure the DNS name appears as a SAN as well.
Going through this ordeal leaves you with the base64-encoded CSR file, request.csr
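The openssl counterpart of the SAN trick from request.inf, as an added example that is not part of the original post: the key and CSR are produced non-interactively, with the DC FQDN (a constructed placeholder) in both the CN and a SAN entry, and the CSR is read back to confirm the SANs are really in it.

```shell
#!/bin/sh
# Added example (not from the original post): generate the Linux-side key and CSR
# non-interactively with the DC FQDN in both the CN and a SAN entry, which is
# the openssl counterpart of the 2.5.29.17 _continue_ lines in request.inf.
# All host names used below are constructed placeholders.
set -eu

# Write a minimal openssl request config: subject, serverAuth EKU and the SANs.
write_csr_config() {
  cfg="$1"; fqdn="$2"; shift 2
  alt=""; i=1
  for name in "$fqdn" "$@"; do
    alt="${alt}DNS.${i} = ${name}
"
    i=$((i + 1))
  done
  cat > "$cfg" <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[ dn ]
CN = $fqdn
O = Contoso
C = US
[ v3_req ]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
$alt
EOF
}

# Key + CSR into DIR. 2048 bits is the practical minimum today; note there is
# no -x509 here, otherwise openssl emits a self-signed cert instead of a request.
make_csr() {
  dir="$1"; shift
  write_csr_config "$dir/csr.cnf" "$@"
  openssl genrsa -out "$dir/priv.key" 2048 2>/dev/null
  openssl req -new -key "$dir/priv.key" -config "$dir/csr.cnf" -out "$dir/request.csr"
}

# List the DNS SANs that actually made it into the CSR, one per line.
csr_san_dns() {
  openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}
```

Run csr_san_dns on request.csr before submitting it; a CA only copies requested SANs into the issued certificate when its template or policy allows the subject to be supplied in the request, so check the issued certificate again afterwards.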
Getting the CSR signed by CA
Well this is the easy part :)
- From the CSR file generated in previous step, copy the entire content of the file starting from
-----BEGIN CERTIFICATE REQUEST-----
…
-----END CERTIFICATE REQUEST-----
- Now visit the Web Enrollment page using your favorite browser and enter the AD admin credentials to reach the Home page
- You’ll be presented with Home page where you can locate the ‘Request a Certificate’ option
- Choose that option to reach the second page. Here you will choose ‘advanced certificate request’ option
- Past that, the third page presents you the space to paste your saved request in the ‘Certificate Request’ area
- Paste the contents which you copied from the CSR
- Also choose the ‘Long Term Web Server’ template in the ‘Certificate Template’ list, which we created earlier
- Press ‘Submit’ and move on
- The fourth page presents you the ‘Download Certificate’ option. Choose ‘Base 64 encoded’ option and download the file
- Yippee!! The CSR is signed by the CA
Downloading the root CA cert
Using Web Enrollment
- Visit the Web Enrollment page using your favorite browser and enter the AD admin credentials
- On the Home page choose the ‘Download a CA certificate, certificate chain, or CRL’ option to reach the second page. Here choose the Base 64 bullet and the ‘Download CA certificate’ option to download the file
Using MMC
From PowerShell (or a command prompt), launch the Microsoft Management Console by typing mmc and pressing Enter
- From the FILE menu choose ADD/REMOVE SNAP-IN
- Choose CERTIFICATES and click the ADD button
- Choose COMPUTER ACCOUNT and choose LOCAL COMPUTER
- Click FINISH and OK
- Expand the CERTIFICATES
- Expand PERSONAL and select the CA certificate in the right window pane
- Right-click the CA certificate, choose ALL TASKS – EXPORT, click NEXT twice, then choose the Base-64 encoded bullet
- Name the certificate file (it will be saved on the DC)
- Copy the file and import it where needed
Installing the root CA as trusted root CA and the signed CSR on your server
Install the certificate of the enterprise root CA
- Open Active Directory Users and Computers
- In the console tree, double-click Active Directory Users and Computers, right-click the domain name in which your CA lives, and then click Properties
- On the Group Policy tab, click Default Domain Policy, and then click Edit
- In the console tree, right-click Trusted Root Certification Authorities, point to All Tasks, and then click Import
- Whoa !! Slow down, where is this ??
- Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Trusted Root Certification Authorities
- The Certificate Manager Import wizard appears
- Click Next, and follow the instructions in the wizard to import the .pem/.cer file of the CA into the Trusted Root Certification Authorities store. This file would be the one we acquired in the previous step and placed in C:\ drive of the server
- Type the following at the command prompt:
gpupdate /Force
Installing the signed public certificate on your server
On Windows Server
Retrieve the certificate that is issued, and then save the certificate as Certnew.cer at some convenient location on the server.
To do this, follow these steps:
- Create a new file called Certnew.cer
- Open the file in Notepad, paste the encoded certificate into the file, and then save the file
- Accept the issued certificate. To do this, type the following command at the command prompt, and then press ENTER:
certreq -accept certnew.cer
Note: The saved certificate must be encoded as base64. I have also seen people doing a double click on the file and then importing it.
You want to verify that the certificate is installed in the computer's personal store.
To do this, follow these steps:
- Start Microsoft Management Console (MMC)
- Add the Certificates snap-in that manages certificates on the local computer
- Expand Certificates (Local Computer), expand Personal, and then expand Certificates
- A new certificate should exist in the Personal store
- In the Certificate Properties dialog box, the intended purpose displayed is Server Authentication. This certificate is issued to the computer's fully qualified host name
On Linux Server
Well, here you’ll need to consult the documentation of the application you wish to use the SSL certificates with
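Whatever the application, two checks are worth running on the Linux server before handing it the files, and they are the same checks the Windows certreq -accept step performs implicitly. This is an added example, not part of the original post; the file names match the ones used above, and the test CA it is exercised against is a throwaway stand-in for the Windows root CA.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the issued
# certificate on the Linux side. File names follow the post: priv.key is the key
# from 'openssl genrsa', certnew.cer the Base 64 download from Web Enrollment,
# and the CA file is the root CA cert downloaded in the previous section.
set -eu

# Returns 0 when the certificate's public key is the public half of KEY, i.e.
# the CA really signed our request and not somebody else's.
cert_matches_key() {
  cert="$1"; key="$2"
  c=$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}')
  k=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}')
  [ "$c" = "$k" ]
}

# Returns 0 when CERT chains to the CA certificate(s) in CAFILE, which is what a
# client that trusts the root CA will check on every connection.
cert_chains_to_ca() {
  cert="$1"; cafile="$2"
  openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1
}

# Echo the DNS names the issued certificate is valid for (CN is not consulted by
# modern clients, so the DC name must appear here), one per line.
cert_dns_names() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}
```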