How to setup Microsoft Standalone Root CA

If you need to create a Microsoft Standalone Root CA, this short paper tries to help you. Before creating the Microsoft Standalone Root CA, you must first create a text file called CAPolicy.inf. At a minimum, CAPolicy.inf should contain:

; File %SystemRoot%\CAPolicy.inf
;
; Configuration file for the HomeWorks Root CA (Windows 2003 R2 Standard Server, part of Active Directory)

[Version]
Signature= "$Windows NT$"

[certsrv_server]
; Key length and validity applied when the Root CA certificate is renewed
renewalkeylength = 2048
RenewalValidityPeriodUnits = 10
RenewalValidityPeriod = Years
; How long each base CRL issued by the Root CA stays valid
CRLPeriod = Years
CRLPeriodUnits = 1

; Both sections are deliberately left empty: a self-signed root certificate
; should carry no AIA or CDP extension, so nothing is listed here
[AuthorityInformationAccess]

[CRLDistributionPoint]

; End of file

Once you have created CAPolicy.inf, copy it into the %SystemRoot% folder of your Windows system (in this paper we assume that you are working on a Windows 2008 Standard server that is a member of an Active Directory domain). To learn how to install a Microsoft Standalone Root CA you can watch this video:

If the Standalone Root CA is the only CA that will issue your certificates, it is also worth installing the Certification Authority Web Enrollment role.

Run a post-configuration script on the Microsoft Standalone Root CA. A simple post-configuration script could be:

@echo off

rem Define the local environment
setlocal enableextensions

rem Set the variables
set Answer=

echo.
echo Questo script ha il compito di personalizzare la configurazione della Root CA.

:QUESTION
echo.
rem Read the answer from the console through a temporary VBScript, then import it
rem into this shell by generating and calling a small .bat that sets Answer
Set _T=%temp%\~tmp
echo Set oFS=CreateObject("Scripting.FileSystemObject")>%_T%.vbs
echo oFS.OpenTextFile("CON",2).Write "Vuoi proseguire con l'esecuzione dello script [si/no]: ">>%_T%.vbs
echo S=(Trim(oFS.OpenTextFile("CON",1).Readline))>>%_T%.vbs
echo Wscript.Echo "set Answer="+CStr(S)>>%_T%.vbs
cscript.exe //nologo %_T%.vbs > %_T%.bat
rem First iteration calls the generated .bat, second iteration deletes the temporary files
for %%v in (%_T%.bat del) do call %%v %_T%.???
set _T=
goto CONTINUE

:EXEC
rem Check that the folders needed by the script exist
if not exist %SystemDrive%\Logs md %SystemDrive%\Logs
set LOGFILE=%SystemDrive%\Logs\Root_CA_Post_Config.log

rem Write the log file header
echo FILE DI LOG DEL COMANDO ROOT_CA_POST_CONFIG.CMD  >> %LOGFILE%
echo. >> %LOGFILE%
echo Esecuzione del %DATE% alle %TIME% >> %LOGFILE%
echo. >> %LOGFILE%
echo.

rem Set the variables used to manage the Subordinate CA certificates
set /p myADnamingcontext="Inserisci il nome del dominio LDAP (ad es: DC=homeworks,DC=it): "
echo Esempio: http://www.homeworks.it/ca/cert/HomeWorks_Root_CA_Public_Cert.crt
set /p myCACertURL="Inserisci URL del Certificato della Root CA: "
echo Esempio: http://www.homeworks.it/ca/crl/HomeWorks_Root_CA_Revocation_List.crl
set /p myCACRLURL="Inserisci URL della Root CA CRL: "
echo.

rem Configure the digital certificates issued by the Root CA
echo Impostiamo la configurazione della Root CA …
echo Dominio LDAP: %myADnamingcontext%
certutil -setreg CA\DSConfigDN "CN=Configuration,%myADnamingcontext%" >> %LOGFILE%
echo. >> %LOGFILE%
rem CDP locations: 1 = write the CRL to the local CertEnroll folder,
rem 2 = put the HTTP URL in the CDP extension of issued certificates,
rem 10 = 2+8: LDAP location included in issued certificates and used when publishing the CRL to AD.
rem %%N tokens (%%3 CA name, %%8 CRL suffix, %%9 delta marker, %%6 config container, ...) are expanded by certutil.
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:%myCACRLURL%\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10" >> %LOGFILE%
echo. >> %LOGFILE%
rem AIA locations: 1 = write the CA certificate locally, 2 = include in the AIA extension of issued certificates
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:%myCACertURL%\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11" >> %LOGFILE%
echo. >> %LOGFILE%
rem Base CRL valid for 1 year, no delta CRL, 1 day of overlap before expiry
certutil -setreg CA\CRLPeriodUnits 1 >> %LOGFILE%
echo. >> %LOGFILE%
certutil -setreg CA\CRLPeriod "Years" >> %LOGFILE%
echo. >> %LOGFILE%
certutil -setreg CA\CRLDeltaPeriodUnits 0 >> %LOGFILE%
echo. >> %LOGFILE%
certutil -setreg CA\CRLOverlapPeriod "Days" >> %LOGFILE%
echo. >> %LOGFILE%
certutil -setreg CA\CRLOverlapUnits 1 >> %LOGFILE%
echo. >> %LOGFILE%
rem Maximum validity of certificates issued by this Root CA (e.g. Subordinate CA certificates)
certutil -setreg CA\ValidityPeriodUnits 5 >> %LOGFILE%
echo. >> %LOGFILE%
certutil -setreg CA\ValidityPeriod "Years" >> %LOGFILE%

rem Restart the Certification Authority service (Active Directory Certificate Services) so the new settings take effect
echo Riavviamo il servizio Active Directory Certificate Services …
(net stop certsvc & net start certsvc) >> %LOGFILE%

rem Activate the Root CA (create the IIS virtual roots used by web enrollment)
echo Attiviamo la Root CA …
certutil -vroot >> %LOGFILE%

rem Publish the CRL
echo Pubblichiamo la CRL della Root CA …
certutil -CRL >> %LOGFILE%

echo Fine esecuzione dello script ….
echo. >> %LOGFILE%
echo Fine del file di log >> %LOGFILE%

:END
endlocal
exit /b

:CONTINUE
if /i "%Answer%" equ "si" goto EXEC
if /i "%Answer%" equ "no" goto END
goto ERRATA

:ERRATA
echo.
echo La risposta che hai dato non e' corretta !!!
echo Puoi rispondere solamente con un si o con un no.
goto QUESTION
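Before trusting the CDP settings written by the script above, it helps to see what certutil will actually publish and put into issued certificates. The following added example (not part of the original post) expands the %N replacement tokens of the CRLPublicationURLs value exactly as the script passes it to certutil, decodes the numeric flag prefixes, and runs two sanity checks; the CA name, server name and domain DN are constructed sample values.

```python
import re

# Values certutil substitutes for the %N tokens. Constructed for a hypothetical
# "HomeWorks Root CA" on server rootca01.homeworks.it; not from a real deployment.
SAMPLE_TOKENS = {
    "1": "rootca01.homeworks.it",                # %1  ServerDNSName
    "2": "ROOTCA01",                             # %2  ServerShortName
    "3": "HomeWorks Root CA",                    # %3  CaName
    "4": "",                                     # %4  CertificateName, "(1)" after a renewal
    "6": "CN=Configuration,DC=homeworks,DC=it",  # %6  ConfigurationContainer
    "7": "HomeWorks Root CA",                    # %7  CATruncatedName
    "8": "",                                     # %8  CRLNameSuffix, "(1)" after a key renewal
    "9": "",                                     # %9  DeltaCRLAllowed, "+" for a delta CRL
    "10": "?certificateRevocationList?base?objectClass=cRLDistributionPoint",  # %10
    "11": "?cACertificate?base?objectClass=certificationAuthority",            # %11
}

# Meaning of the bit flags that prefix each CRLPublicationURLs entry.
CDP_FLAGS = {1: "publish CRLs to this location",
             2: "include in the CDP extension of issued certificates",
             4: "include in CRLs as the Freshest CRL (delta) location",
             8: "include in all CRLs (location used when publishing to AD)",
             64: "publish delta CRLs to this location",
             128: "include in the IDP extension of issued CRLs"}

def expand(template, tokens=SAMPLE_TOKENS):
    # \d+ is greedy, so %10 and %11 are not misread as %1 followed by a digit
    return re.sub(r"%(\d+)", lambda m: tokens.get(m.group(1), m.group(0)), template)

def parse_publication_urls(setting):
    # certutil separates entries with a literal "\n"; each entry is "flags:template"
    entries = []
    for item in setting.split("\\n"):
        flags, template = item.split(":", 1)
        flags = int(flags)
        entries.append((flags, expand(template), [v for k, v in CDP_FLAGS.items() if flags & k]))
    return entries

def check_cdp(entries):
    # Two misconfigurations that silently break revocation checking for relying parties
    problems = []
    if not any(f & 1 for f, _, _ in entries):
        problems.append("no location has flag 1: the CRL would never be written anywhere")
    if not any(f & 2 and u.startswith("http://") for f, u, _ in entries):
        problems.append("no HTTP URL in the CDP extension: non-domain clients cannot fetch the CRL")
    return problems

# The CRLPublicationURLs value from the post-configuration script as cmd hands it to
# certutil: %WINDIR% already expanded and every %% already reduced to a single %.
CRL_URLS = (r"1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl"
            r"\n2:http://www.homeworks.it/ca/crl/HomeWorks_Root_CA_Revocation_List.crl"
            r"\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10")
```

Call parse_publication_urls(CRL_URLS) to list the three resolved locations with their roles, and check_cdp on the result to confirm a CRL is both written locally and reachable over HTTP.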

Run the following commands to register the digital certificate of the Standalone Root CA and its CRL in Active Directory: certutil -f -dspublish <CA_Cert_File_Name> RootCA and certutil -f -dspublish <CRL_File_Name>

The files <CA_Cert_File_Name> and <CRL_File_Name> are located in the folder %SystemRoot%\System32\CertSrv\CertEnroll.

Assign a digital certificate for HTTPS connections to the IIS website where you will request your digital certificates. To learn how to do this, read the article Installing an SSL Certificate in Windows Server 2008 (IIS 7.0) (use the action Create Domain Certificate …). Now you’re ready to issue your digital certificates.

For more information, please consult the following article: Designing and Implementing a PKI Part II