Installation of Certificate Authority

 

This information is written in English only

 

Offline Root CA

Explanations

Screenshots

Create a CAPolicy.inf file and copy to %systemroot%

 

Add Active Directory Certificate Service

Choose AD CS and click next

Choose Certificate Authority (this will only install the Certificate Authority and will not enable web enrollment)

See later on this page for an explanation of the role

Install CA as Standalone

 

Choose enterprise

 

Choose Root CA

 

Create a new private key

 
CSP: RSA#Microsoft Software Key Storage Provider

Key length: 4096

Hash algorithm: SHA1
 

Change validity to 20 years

 

Store the database in the default location.

Note: If the CA is going to issue many certificates in a short time,
performance will improve if the database is stored on a separate disk.

 
Installation finished  

 

Define CRL interval

The validity of the issued CRL is changed to 26 weeks. This means that the offline CA has to be started every 26th week and the CRL must be published to AD manually.

Explanations

Screenshot

To check the interval, right-click “Revoked Certificates” and choose Properties

Set the value to 26 Weeks

 

Change AIA and CDP

To simplify changing the location of AIA and CDP we can use a script. Remember to change the script to match your existing infrastructure. The example is based on the Buypass LAB configuration.

 

:: The following variables may be used when defining CDP
:: and AIA URLs.
:: %1 = SERVERDNSNAME
:: %2 = SERVERSHORTNAME
:: %3 = SANITIZEDCANAME
:: %4 = CERTFILENAMESUFFIX
:: %5 = DOMAINDN
:: %6 = CONFIGDN
:: %7 = SANITIZEDCANAMEHASH
:: %8 = CRLFILENAMESUFFIX
:: %9 = CRLDELTAFILENAMESUFFIX
:: %10 = DSCRLATTRIBUTE
:: %11 = DSCACERTATTRIBUTE
:: %12 = DSUSERCERTATTRIBUTE
:: %13 = DSKRACERTATTRIBUTE
:: %14 = DSCROSSCERTPAIRATTRIBUTE

:: Each URL is prefaced by a value that indicates which
:: checkboxes are enabled for each distinct URL. The value is
:: the sum of the values assigned to each individual checkbox

:: The following values are assigned for the CRL check boxes
:: ServerPublish = 1
:: AddtoCertCDP = 2
:: AddtoFreshestCRL = 4
:: AddtoCRLCDP = 8
:: ServerPublishDelta = 64
:: The following values are assigned for the AIA check boxes
:: ServerPublish = 1
:: AddtoCertCDP = 2
:: AddtoCertOCSP = 32

:: Declare Configuration NC
:: Set domain configuration (the offline root is not domain joined, so the
:: configuration naming context of the forest must be given explicitly)
certutil -setreg ca\DSConfigDN CN=Configuration,DC=bplab01,DC=local

:: Modify the CDP Extension URLs
:: (one command per line; in a batch file %% is written for a literal %,
:: so %%3 reaches certutil as its own variable %3)
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n10:LDAP:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10\n2:http://pki.bplab01.local/CertData/%%3%%8%%9.crl"

:: Modify the AIA Extension URLs
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:LDAP:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11\n2:http://pki.bplab01.local/CertData/%%1_%%3%%4.crt"

:: Restart Certificate Services
net stop certsvc & net start certsvc
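The checkbox sums described in the script's comments can be decoded and checked the same way the manual verification in the next section does it by eye. The following is an added Python example, not code from the Buypass page; the sample values are constructed from the script above, with C:\Windows standing in for the expanded %WINDIR% and AddtoFreshestCRL used as the name of the value-4 CRL checkbox.

```python
# Added example, not from the Buypass page: decode the numeric prefix that
# certutil -setreg puts in front of every CDP/AIA URL (the checkbox sums the
# script's comments list) and check what an offline root CA needs.

CRL_FLAGS = {1: "ServerPublish", 2: "AddtoCertCDP", 4: "AddtoFreshestCRL",
             8: "AddtoCRLCDP", 64: "ServerPublishDelta"}  # CA\CRLPublicationURLs
AIA_FLAGS = {1: "ServerPublish", 2: "AddtoCertCDP", 32: "AddtoCertOCSP"}  # CA\CACertPublicationURLs

# Constructed sample: the script's two values as certutil receives them after
# cmd.exe turns %% into % (%N are certutil variables; C:\Windows stands for %WINDIR%).
SAMPLE_CRL = (r"1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl"
              r"\n10:LDAP:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"
              r"\n2:http://pki.bplab01.local/CertData/%3%8%9.crl")
SAMPLE_AIA = (r"1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt"
              r"\n2:LDAP:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11"
              r"\n2:http://pki.bplab01.local/CertData/%1_%3%4.crt")


def decode_urls(value, flag_table):
    """Split '<flags>:<url>' entries (separated by a literal backslash-n, as typed,
    or by a real newline, as stored in the registry) into (url, set of flag names)."""
    entries = []
    for item in value.replace("\\n", "\n").splitlines():
        prefix, url = item.split(":", 1)
        bits = int(prefix)
        if bits != sum(bit for bit in flag_table if bits & bit):  # bit not in the table
            raise ValueError("unknown flag bits in " + repr(item))
        entries.append((url, {name for bit, name in flag_table.items() if bits & bit}))
    return entries


def is_local(url):  # file path (drive letter or UNC share), not an LDAP/HTTP URL
    return not url.lower().startswith(("ldap:", "http:", "https:", "ftp:"))


def check_offline_root(crl_entries, aia_entries):
    """Return what is wrong for an offline root: the CRL must still be written to
    a local path, no LDAP URL may carry ServerPublish (the root is not domain
    joined, so CRL and certificate go to AD by hand), and issued certificates
    need an HTTP CDP and AIA URL."""
    problems = []
    if not any(is_local(u) and "ServerPublish" in f for u, f in crl_entries):
        problems.append("no local file location for CRL publication")
    for url, flags in crl_entries + aia_entries:
        if url.lower().startswith("ldap:") and "ServerPublish" in flags:
            problems.append("offline CA cannot publish to AD itself: " + url)
    for label, entries in (("CDP", crl_entries), ("AIA", aia_entries)):
        if not any(u.lower().startswith("http") and "AddtoCertCDP" in f for u, f in entries):
            problems.append("no HTTP " + label + " URL embedded in issued certificates")
    return problems
```

On a live CA the same two strings can be read back with certutil -getreg CA\CRLPublicationURLs and certutil -getreg CA\CACertPublicationURLs and fed to decode_urls.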

 

Check AIA and CDP after configuration

Explanations

Screenshots

Verify AIA and CDP after configuration. This can be done by right-clicking the root server, choosing Properties and then the Extensions tab

 

Under “Select Extensions for CDP” the following should be shown

 

Under “Select Extensions for AIA” the following should be shown

 

 

Publish a new CRL

Publish a new CRL to ensure that all new information is present in the CRL.

Explanations

Screenshots

Right-click “Revoked Certificates” in CA management and choose “All Tasks”, then “Publish”

 

 


Buypass 2014 ©