A Microsoft PKI Quick Guide – Part 3: Installation

by Martin Kiaer [Published on 15 Aug. 2007 / Last Updated on 15 Aug. 2007]

How to install a PKI based on Microsoft Certificate Services in Windows Server 2003.

If you missed the other articles in this series please go to:

If you would like to be notified when Martin Kiaer releases A Microsoft PKI Quick Guide - Part 4 please sign up to the WindowSecurity.com Real time article update newsletter.

We have now gotten to the third article in our Microsoft PKI quick guide four part series. In our first article we gave you a quick overview on how to prepare and plan your Microsoft PKI. In our second article we went into design mode and looked at some best practice settings. In this article we will get a lot more technical and show you how to install a PKI based on Microsoft Certificate Services in Windows Server 2003.

Installing the PKI

Based on some of the design issues from our previous article, it is time to start the installation of your PKI. Since this is a quick guide, we will cover a few things along the way, even though they actually belong to the design stage. For the rest of this article, we will show you how to install a 2-level hierarchy consisting of an offline root CA and an online issuing CA in the same PKI using best practice methods. However before we start the installation, let us get a few practical things in place.

In figure 1, we have illustrated a best practice validity period for each CA at each level (based on a 3-level hierarchy for a complete overview). The advantage with this model is that it will ensure you always have a consistency for the issued certificates at each level. If you only want to deploy a 2-level hierarchy, simply remove the CA in level-3. The model will still apply.


Figure 1: A best practice validity period for each CA at each level

The other thing you should prepare before we start the installation is a text file called CAPolicy.inf. This file is used to customize your configuration of Windows Certificates Services. In this file, you will find important things such as:

  • The CDP statement
  • Certificate renewal settings such as validity period and key size
  • The links for the CDP and AIA paths
  • How often the CRL should be published

Create the file using Notepad and save it to %windir%\capolicy.inf (e.g. C:\Windows\capolicy.inf).

We have made this task a lot easier for you, by supplying the files in our step-by-step guides below. With these things in mind, it is time to get technical.

 Installing an offline root CA

To install an offline root CA, you will have to complete the following:

  • Prepare a CAPolicy.inf file
  • Install Windows Certificate Services
  • Publish the CRL list
  • Run the post-Configuration script

Here is how it should be done:

  1. Install a server with Windows Server 2003 Standard Edition incl. SP1 or newer and make sure that it runs as a stand-alone server (i.e. it should not be a member of any domain)
  2. Make the necessary parameter replacements in the CAPOlicy.inf file below (highlighted with red)


Figure 2:
Filename: CAPolicy.inf

  1. Copy the CAPolicy.INF file to %windir%\capolicy.inf
  2. Navigate to the Start Menu / Control Panel / Add or Remove Programs |click Add/Remove Windows Components
  3. In Windows Components Wizard, you select Certificates Services and click Next
  4. Notice what the dialog box is displaying. You should not rename the computer once the Windows Certificate Services are installed. Click Yes


Figure 3

  1. In the CA Type field, you click Stand-alone root CA, and put a checkmark at “Use custom settings to generate the key pair and CA certificate” check box and click Next

    Note:
    It is normal that the Enterprise root CA and Enterprise subordinate CA options cannot be selected, since this server is not member of a domain


Figure 4

  1. Select the CSP you want to use for your offline root CA. For simplicity, we’ve selected the Microsoft Strong Cryptographic Provider v1.0, however you can also select another CSP if you, for example, installed a Hardware Security Module (HSM) and connected the server to the HSM solution, before you started the CA installation procedure.

    Select the default hash algorithm SHA-1

    Set the key length to 4096

    Make sure that both the “Allow this CSP to interact with the desktop” and “Use an existing key” options are not checked. Click Next


Figure 5

  1. Enter a common name for your root CA, configure the Distinguished name suffix (O=domain, C=local)  and set the validity period to 20 years, then click Next


Figure 6

  1. Accept the default suggestion for the certificate database and log files (or change it at will) and click Next


Figure 7

  1. Since this is an offline root CA, there is no need to install IIS (Internet Information Services) and thus the reason why this dialog is displayed. Click OK


Figure 8

  1. Click Finish


Figure 9

  1. Click Start / Programs / Administrative Tools / Certificate Authority
  2. Expand your CA server pane and right-click Revoked Certificates. Click All tasks / Publish


Figure 10

  1. Select New CRL and click OK
  2. Copy %windir%\system32\certsrv\certenroll\*.crt and *.crl to a USB key. You will need these files for the next subordinate CA that will be installed
  3. You should also copy these files to the CDP HTTP location as indicated in the caconfig.inf file listed earlier.
  4. Make the necessary parameter replacements in the file below (highlighted in red) and run the file from a command prompt


Figure 11

  1. You are done installing the root CA.

We mentioned earlier that there are good security reasons to keep the root and policy CAs offline, which includes turning them off. Only the issuing CAs should be kept online. Because the root and policy CAs are kept offline, they should not be a member of a domain.

Installing an online issuing enterprise CA

To install an online issuing Enterprise CA, you will have to complete the following:

  • Prepare a CAPolicy.inf file
  • Install IIS (Internet Information Services)
  • Install Windows Certificate Services
  • Submit the sub CA certificate request to the parent CA
  • Issue the sub CA certificate
  • Install the sub CA certificate at the enterprise subordinate CA
  • Run the post-Configuration script
  • Publish the CRL list

Here is how you do it:

  1. Install a server with Windows Server 2003 Enterprise Edition incl. SP1 or newer and make sure it is a member of a domain
  2. Make sure that IIS (internet Information Services) has been installed. There is a note to this however. If you really want to do this right, then omit the IIS part. The only caveat doing so, is that you definitely need to know your PKI before you omit the IIS component. The advantage is a more simple setup, and one attack vector less.
  3. Make the necessary parameter replacements in the CAPOlicy.inf file below (highlighted with red)


Figure 12:
Filename: CAPolicy.inf

  1. Copy the CAPolicy.INF file to %windir%\capolicy.inf
  2. Navigate to the Start Menu / Control Panel / Add or Remove Programs / click Add/Remove Windows Components
  3. In Windows Components Wizard, you select Certificates Services and click Next


Figure 13

  1. Notice what the dialog box is displaying. You should not rename the computer once the Windows Certificate Services are installed. Click Yes
  2. In the CA Type field, you click Enterprise subordinate CA and put a checkmark at “Use custom settings to generate the key pair and CA certificate” check box and click Next


Figure 14

  1. Select the CSP you want to use for your issuing CA. For simplicity, we have selected the Microsoft Strong Cryptographic Provider v1.0, however you could also have selected another CSP if you, for example, installed a Hardware Security Module (HSM) and connected the server to the HSM solution, before you started the CA installation procedure.

    Select the default hash algorithm SHA-1

    Set the key length to 2048

    Make sure that both the “Allow this CSP to interact with the desktop” and “Use an existing key” options are not checked. Click Next


Figure 15

  1. Enter a common name for your issuing CA and set the validity period to 5 years, then click Next


Figure 16

  1. Accept the default suggestion for the certificate database and log files (or change at will) and click Next
  2. A CA Certificate Request window is displayed. Select Save the request to a file and enter a path and a filename (the wizard will automatically add a .req extension to the filename). Copy the file to a USB key for later use. Click Next. We will be using this request file later on in this quick guide


Figure 17

  1. Some certificate IIS application components will be added. Click Yes


Figure 18

  1. (Optional) If you have not enabled ASP support in IIS, then the following dialog box is display. Click Yes


Figure 19

  1. You are not quite done yet. As indicated in the dialog box, then you will need to generate a private key for your new issuing CA.


Figure 20

Click OK and continue.

  1. Click Finish


Figure 21

  1. Before you continue, you should publish the certificate and revocation list for your root CA to Active Directory. This is easily done by doing the following:

    a.  Copy both the *.crt and *.crl files generated during the installation of the root CA to the %systemroot%\system32\certsrv\certenroll folder on the issuing CA server.

    b.  Run the script below from a command line prompt in the same folder on your issuing CA. You have to run the script as a user who is a member of the Cert Publishers Group in Active Directory (normally someone with domain admin rights).


Figure 22

The script will automatically process the entire filename and complete the needed commands.

  1. Make sure you have the certificate request file generated in Step 12. Log on to the root CA server
  2. From the root CA server you click Start / Programs / Administrative Tools / Certificate Authority
  3. Expand your CA server pane and right-click the server name. Click All tasks / Submit new request…


Figure 23

  1. Locate the request file generated in Step 12 and click OK
  2. In the left pane, click Pending Requests. Locate the certificate request in the right pane / Right-click the certificate request and select All Tasks / Issue
  3. Next we need to export the certificate. In the left pane you click Issued Certificates. In the right pane you right-click the certificate and click Open


Figure 24

  1. Click the details tab and click Copy to file…


Figure 25

  1. The Certificate Export Wizard is displayed. Click Next


Figure 26

  1. Select ”Cryptografic Message Syntax Standard ….” and ”Include all certificates in the certification path if possible”. Click Next


Figure 27

  1. Save the certificate to the same USB key used in Step 12. Click Next


Figure 28

  1. Click Finish and the click OK
  2. Now you go back to issuing the CA and click Start / Programs / Administrative Tools / Certificate Authority
  3. Expand the CA server pane and right-click the server name. Click All tasks / Install CA certificate…


Figure 29

  1. Locate the certificate you issued in Step 27 and click OK
  2. Expand your CA server pane and right-click the server name. Click Start service


Figure 30

  1. Copy %windir%\system32\certsrv\certenroll\*.crt and *.crl to a USB key. You will need to copy these files to your web servers that are being used as Certificate Distribution Points (CDP) using the HTTP protocol. This is the HTTP based CDP URL you defined in the issuing CAs caconfig.inf earlier.

    Note:
    This task should be scheduled and run automatically
  2. Make the necessary parameter replacements in the file below (highlighted in red) and run the file from a command prompt


Figure 31

  1. Expand your CA server pane and right-click Revoked Certificates. Click All tasks / Publish


Figure 32

  1. Select New CRL and click OK
  2. And finally, you are done.

Conclusion

In this article, we have given you some quick guidelines and best practice advice on how to best implement a PKI consisting of a combination of both offline standalone CAs and enterprise based online issuing CAs. You should know that the script used for publishing the root CAs certificate and CRL file to the local store of the issuing CA and Active Directory needs modifications if you are using a 3-level hierarchy. This is because the policy CA also needs to be published to the local certificate store of our enterprise based issuing CA and also needs to be published to Active Directory.

To a certain extent you may find this third article a bit cumbersome, especially during the implementation of an online issuing CA. But once you try it, you find out that it is really not that difficult to implement a full blown PKI that is both scalable and secure. In our last article in this PKI quick guide series, we will show you how to verify our installation as well as maintain and troubleshoot a PKI using a few simple steps.

External resources

This article series is done with the help of a lot of great resources. All the excellent Microsoft PKI articles are collected in one place which you can find on the Microsoft PKI Web Portal
Public Key Infrastructure for Windows Server 2003

Want to see how Microsoft does PKI, then check out the IT Showcase -Deploying PKI Inside Microsoft
Deploying PKI Inside Microsoft

And this is a great book – Microsoft Windows Server 2003 PKI and Certificate Security
Microsoft Windows Server 2003 PKI and Certificate Security

If you missed the other parts in this article series please go to

If you would like to be notified when Martin Kiaer releases A Microsoft PKI Quick Guide - Part 4 please sign up to the WindowSecurity.com Real time article update newsletter.

Featured Links