Saturday, 4 March 2017

Enable key archival in Server 2012 R2

Overview

So, you get an escalated call from the helpdesk saying someone’s lost their private key, and we only had one copy of it. Now what?
Well, here’s where key archival comes into play. You configure your CA to enable key archival, then enable key archival on your certificate templates, and from then on the private keys are copied to your CA so you can recover them when needed!

How to enable key archival

Identify a user to serve as the key recovery agent. In this case, we'll use the account LITWARE\Administrator.

Open your Certification Authority snap-in, right click Certificate Templates and click Manage. You now see a list of certificate templates:


Duplicate the Key Recovery Agent certificate template and give it a name: Key Recovery Agent 2


Configure the key recovery agent certificate template with Read and Enroll permissions for the key recovery agent (LITWARE\Administrator). You do this on the Security tab:


Now we need to configure the CA to issue the new certificate template. Right click Certificate Templates, click New, then click Certificate Templates to Issue


Select your new Key Recovery Agent 2 certificate and click OK


Now we need to enroll the Administrator account for the Key Recovery Agent 2 certificate. To do this, open up certmgr.msc and click on Personal

Click on Action > All Tasks > Request New Certificate


Click next


Click to select the Key Recovery Agent 2 certificate and then click Enroll to finish the wizard:


Note that the certificate wasn't issued: the status is Enrollment pending. Now, go back to your CA snap-in and click on Pending Requests. You should see a pending request for the certificate you just enrolled.


Right click the certificate, click on All Tasks and then Issue. The certificate is now issued.
Now, right click the CA, go to Properties and select the Recovery Agents tab. Select Archive the key and set the Number of recovery agents to use (one in our case):


Click Add and select the certificate which was issued to your chosen user:


Click OK twice. You're then prompted to restart the AD CS service, so go ahead and click Yes


So, we've now created our Key Recovery Agent certificate template, issued it to our Key Recovery Agent and configured the CA to use a Key Recovery Agent. We're not protected against key loss just yet because the certificate templates that are issued out need to have key archival enabled.
Right click on a certificate template which you need to enable key archival for, duplicate it, give it a name, go to Properties and then to the Request Handling tab. Tick Archive subject's encryption private key:


On the Superseded Templates tab, add all the certificate templates that you want to be replaced by your new one then click OK:


This doesn't protect against loss of private keys for certificates which have already been issued, so in this case you need to get the clients to reenroll. Right click on your original certificate template and select Reenroll All Certificate Holders:


Go for an 8hr coffee break or just sit and stare at the screen...

Go to Issued Certificates in the CA snap-in and add the Archived Key column. Eventually, you should start to see new certificates issued and you can see that the key is archived:


So, there you have it. That’s how you enable key archival in AD CS!

If you need to recover a key then see here.

Recover lost private key (Key Archival)

Overview

If you have Key Archival enabled then you can recover private keys. If you don’t have Key Archival enabled then click here for instructions.
In this post, I’ll demonstrate how to recover a lost private key.

How to recover a lost private key

You need to be logged in with one of the Key Recovery Agents that you specified when you configured Key Archival.
Firstly, locate your certificate in the Issued Certificates section using the CA snap-in.
You then need to get the serial number, so double click the certificate, go to Details and select Serial Number.
Remove the spaces from the Serial Number:
1a00000042af62922b38431f48000100000042
Use certutil to retrieve the archived key:
certutil -getkey 1a00000042af62922b38431f48000100000042 C:\Temp\key.key
You then use certutil again to recover the private key:
certutil -recoverkey C:\Temp\key.key c:\temp\cert.pfx
You now have a .pfx file and you can import this back onto your client using certmgr.msc.
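The two posts above in one added PowerShell example (mine, not the author's): the first function lists issued certificates and whether the CA holds an archived key for each (the Archived Key column), the second strips the spaces from a serial number and runs the two certutil commands with exit-code checks. It assumes it runs on the CA, logged on as one of the configured Key Recovery Agents, and writes to the C:\Temp folder used above.

```powershell
# Added example, not part of the original posts. Run it on the CA, logged on as one of the
# configured Key Recovery Agents. Disposition 20 means "issued" in the CA database.
function Get-ArchivedKeyStatus {
    # KeyRecoveryHashes is the database column the CA snap-in shows as "Archived Key".
    $lines = certutil -view -restrict "Disposition=20" `
        -out "RequestID,RequesterName,CertificateTemplate,SerialNumber,KeyRecoveryHashes" csv
    # Keep the quoted CSV rows only (certutil appends status text), drop the header row and
    # name the columns ourselves so nothing depends on the localized display names.
    $rows = $lines | Where-Object { $_ -match '^"' } | Select-Object -Skip 1 |
        ConvertFrom-Csv -Header RequestID, Requester, Template, Serial, ArchivedKey
    foreach ($r in $rows) {
        [pscustomobject]@{
            RequestID = [int]$r.RequestID
            Requester = $r.Requester
            Template  = $r.Template
            Serial    = $r.Serial -replace '\s', ''
            # A key that was never archived shows as an empty value or the literal EMPTY.
            Archived  = -not ([string]::IsNullOrWhiteSpace($r.ArchivedKey) -or $r.ArchivedKey -eq 'EMPTY')
        }
    }
}

function Restore-ArchivedKey {
    param(
        [Parameter(Mandatory)][string]$SerialNumber,  # as copied from the Details tab; spaces allowed
        [Parameter(Mandatory)][string]$OutDir,
        [Parameter(Mandatory)][string]$PfxPassword    # protects the exported .pfx
    )
    $serial = $SerialNumber -replace '\s', ''         # certutil wants the hex string without spaces
    if ($serial -notmatch '^[0-9A-Fa-f]+$') { throw "Not a hex serial number: '$SerialNumber'" }
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $blob = Join-Path $OutDir "$serial.key"
    $pfx  = Join-Path $OutDir "$serial.pfx"
    # Step 1: export the archived blob (still encrypted to the KRA) from the CA database.
    certutil -f -getkey $serial $blob | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -getkey failed: no archived key found for $serial" }
    # Step 2: decrypt it with the logged-on KRA's private key into a password-protected PFX.
    certutil -f -p $PfxPassword -recoverkey $blob $pfx | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -recoverkey failed: this account is probably not a Key Recovery Agent" }
    return $pfx
}

# Usage: list issued certificates with no archived key, then recover the one from the post.
Get-ArchivedKeyStatus | Where-Object { -not $_.Archived } | Format-Table RequestID, Requester, Template
$pfx = Restore-ArchivedKey -SerialNumber '1a 00 00 00 42 af 62 92 2b 38 43 1f 48 00 01 00 00 00 42' `
    -OutDir 'C:\Temp' -PfxPassword (Read-Host 'Password for the .pfx')
Write-Host "Recovered key written to $pfx; import it on the client with certmgr.msc"
```

The first command is a quick way to find templates that still issue without archival before you rely on recovery.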
How to enable certificate autoenrollment

Introduction

Welcome back! In this post, we’ll do a quick demo of how you can enable certificate autoenrollment for a computer certificate. This means that the computer (or server) will get its own certificate...eventually...and you don’t (really) need to do anything.

How to enable certificate autoenrollment

Okay, so you have to do something! The first step is to open the Certification Authority snap-in on your CA or management computer, right click on Certificate Templates and click Manage.
You should now see a list of certificate templates you can configure.
Right click the Computer certificate template and duplicate it. Call your new template Computer 2 and change any settings you need to change (e.g. validity period).
Click on the Security tab and grant Enroll and Autoenroll permissions for Domain Computers (or whatever group of computers you need to configure autoenrollment for).
Create a Group Policy Object which is linked to the domain and go to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Certificate Services Client - Auto-Enrollment. Select Enable, tick Renew expired certificates and tick Update certificates that use templates. Although we link the GPO to the domain, only the group with Enroll and Autoenroll permissions on the computer certificate template can actually autoenroll and get the certificate.
Now, to get your clients to actually autoenroll for a certificate, you can either wait a while, restart, or force the clients to autoenroll immediately with certutil /pulse.
This creates a certificate in the Local Machine personal store, and it has a common name which matches the FQDN of the client (litcli01.litware.com in our case).
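An added PowerShell check (mine, not from the post) for the last two steps: it optionally pulses autoenrollment, then finds the certificates in the Local Machine personal store that came from the Computer 2 template and reports whether the common name matches the client FQDN and the private key is present. It assumes the template name Computer 2 from above and an elevated session on the client.

```powershell
# Added example, not part of the original post. Run in an elevated session on an autoenrolled
# client such as litcli01; "Computer 2" is the template created above.
function Test-AutoenrolledComputerCert {
    param(
        [string]$TemplateName = 'Computer 2',
        [switch]$Pulse                  # trigger autoenrollment now instead of waiting 8 hours
    )
    if ($Pulse) {
        certutil -pulse | Out-Null      # starts the autoenrollment task; it completes in the background
        Start-Sleep -Seconds 30
    }
    $fqdn = [System.Net.Dns]::GetHostEntry('').HostName
    # Certificate Template Information (v2+ templates) and Certificate Template Name (v1 templates)
    $tplOids = @('1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2')
    $found = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        # Format() renders the v2 extension as "Template=<name>(<oid>), Major Version Number=..."
        $tpl = ($cert.Extensions | Where-Object { $tplOids -contains $_.Oid.Value } |
                ForEach-Object { $_.Format($false) }) -join ' '
        if ($tpl -match [regex]::Escape($TemplateName)) { $cert }
    }
    if (-not $found) {
        Write-Warning "No certificate from template '$TemplateName' in LocalMachine\My yet"
        return
    }
    foreach ($cert in $found) {
        $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            CnMatchesFqdn = $cn -ieq $fqdn           # the post expects CN = client FQDN
            HasPrivateKey = $cert.HasPrivateKey      # the key pair was generated on this machine
            Valid         = $cert.NotBefore -le (Get-Date) -and $cert.NotAfter -gt (Get-Date)
            NotAfter      = $cert.NotAfter
        }
    }
}

Test-AutoenrolledComputerCert -Pulse | Format-List
```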

Saturday, 11 February 2017

Offline standalone root CA install, Server 2012 R2 - Part 1

Overview

In this post, we’ll look at how to set up an offline standalone root CA in Windows Server 2012 R2. This is the most secure way to set up your CA because it means you can set up subordinate issuing CAs and power off the root CA when not required to issue subordinate CA certificates.
Having a powered off server means it cannot possibly be compromised (unless someone has physical access to it, or you decide to store the CA private key on an unencrypted USB key and give it to a friend to get some movies, but that’s beside the point!).

How to install an offline standalone root CA

Before we start, make sure you have a clean build of Windows Server 2012 R2 without any other roles installed. Make sure your server is not joined to a domain. The server in this example is called LITCA01 (our root CA in the Litware organization).
  • Install the AD CS role and select the Certificate Authority role service:
    • Either use PowerShell:
    Install-WindowsFeature AD-Certificate,ADCS-Cert-Authority
    • Or use the GUI:
  • Select Active Directory Certificate Services
  • Click next
  • Click next
  • Select Certificate Authority
  • Click next
  • Configure the CA and select standalone CA:
  • After installation, the wizard prompts you to configure the CA. If you used PowerShell then you can continue CA configuration by opening up Server Manager.
  • Click through the wizard, select the defaults, and when prompted for a CA type, select root CA:
  • Create a new certificate or use an existing one (if you have one already). In our case, we don't already have one so we create a new one.
  • Accept the defaults and complete the wizard. You now have a standalone Certificate Authority.
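The same install done from PowerShell, as an added example that is not part of the post: Install-AdcsCertificationAuthority takes the choices the wizard asks for as parameters, and a small check afterwards confirms the root certificate was created as requested. The CA name LITCA01-CA is the one used in part 2; the key length, hash algorithm and validity period are choices made here, not values from the post.

```powershell
# Added example, not part of the original post. Run on the clean, workgroup LITCA01 build from the
# post; key size, hash algorithm and validity are choices made here, not values from the post.
Install-WindowsFeature AD-Certificate, ADCS-Cert-Authority -IncludeManagementTools | Out-Null

$caParams = @{
    CAType              = 'StandaloneRootCA'
    CACommonName        = 'LITCA01-CA'         # the CA name used in part 2
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = 4096
    HashAlgorithmName   = 'SHA256'
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 10                   # lifetime of the root certificate
    Force               = $true                # do not prompt for confirmation
}
Install-AdcsCertificationAuthority @caParams | Out-Null

# Check the result: the service is running and the self-signed root certificate in LocalMachine\My
# carries the key size and signature algorithm requested above.
function Test-RootCaInstall {
    param([string]$CommonName = 'LITCA01-CA', [int]$KeyLength = 4096, [string]$SigAlg = 'sha256RSA')
    $root = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$CommonName" -and $_.Subject -eq $_.Issuer } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $root) { throw "No self-signed certificate for CN=$CommonName found" }
    [pscustomobject]@{
        ServiceRunning = (Get-Service CertSvc).Status -eq 'Running'
        Thumbprint     = $root.Thumbprint
        KeyLengthOk    = $root.PublicKey.Key.KeySize -eq $KeyLength
        SignatureOk    = $root.SignatureAlgorithm.FriendlyName -eq $SigAlg
        ValidUntil     = $root.NotAfter
        HasPrivateKey  = $root.HasPrivateKey     # the root key lives on this (offline) box only
    }
}
Test-RootCaInstall
```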

 

Conclusion

Your standalone CA is now set up. So, that’s great! How do I make sure things will work when it’s offline? How do you get a certificate from an offline CA? How will domain joined clients autoenroll certificates? Well, we’ll need a subordinate CA but first we need to configure our CA and prepare it for a subordinate CA. We’ll go through this in part 2.

Offline standalone root CA install, Server 2012 R2 - Part 2

Introduction

So, in part 1, we installed our offline root CA called LITCA01. In this part, we’ll configure the AIA and CDP settings so that we can create a subordinate CA which will be used to issue certificates to clients and be joined to the domain.

What is a CDP?

First of all, what is a CDP and what is AIA? Yes, good question!
CDP stands for CRL Distribution Point. CRL stands for Certificate Revocation List. Let’s say you issue a certificate to a web server. Your client then connects to the web server and downloads the certificate (public key). It needs to know if this web server certificate has been revoked or not so to do this, it looks at the certificate extensions (properties on the certificate) and looks for the CDP locations. Usually this is an LDAP or HTTP URL and the client can connect to download the CRL and then work out if the web server certificate has been revoked or not.

What is AIA?

The Authority Information Access (AIA) locations are configured on a CA and they are stamped onto certificates issued by the CA. This information is used by an application or service to get the issuing CA certificate to validate the certificate path.

How to configure an offline standalone root CA CDP and AIA extensions

  • Install IIS and the management tools:
Install-WindowsFeature web-server,web-mgmt-console
  • Make a directory in the default website: C:\inetpub\wwwroot\CertEnroll
  • Open up the Certification Authority console
  • Right click on your CA (LITCA01-CA in our case) and click on Properties
  • Click on the Extensions tab and click Add to add a new CDP location:
C:\inetpub\wwwroot\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
  • Enable "Publish CRLs to this location" and "Publish Delta CRLs to this location"
  • Run certutil -crl to create a new CRL and ensure this appears in the folder with the name C:\inetpub\wwwroot\CertEnroll\LITCA01-CA.crl (your CA name will be different)
  • Configure the http CDP by enabling "Include in CRLs. Clients use this to find Delta CRL locations" and "Include in the CDP extension of issued certificates"
  • Now, click on Select extension and choose Authority Information Access (AIA):
    • Add an AIA location:
C:\inetpub\wwwroot\CertEnroll\<ServerDNSName>_<CaName><CertificateName>.crt
  • Enable the http AIA by ticking "Include in the AIA extension of issued certificates"
  • Click OK
  • Copy C:\Windows\System32\CertSrv\CertEnroll\litca01_LITCA01-CA.crt to C:\inetpub\wwwroot\CertEnroll\litca01_LITCA01-CA.crt (your CA name will be different so copy the .crt file for your CA)
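The same CDP and AIA settings applied with certutil -setreg, as an added example that is not part of the post: the checkbox names above map to flag bits, and the <CaName>-style variables to %-numbers. The HTTP host pki.litware.com is a placeholder because the post does not name the URL it uses; the rest follows the steps above, including the manual copy of the .crt and a check that the published CRL carries the HTTP location.

```powershell
# Added example, not part of the original post. Same CDP/AIA settings as the snap-in steps above, set
# with certutil -setreg. The HTTP host pki.litware.com is a placeholder; the post names no HTTP URL.
$webRoot  = 'C:\inetpub\wwwroot\CertEnroll'
$httpBase = 'http://pki.litware.com/CertEnroll'
New-Item -ItemType Directory -Path $webRoot -Force | Out-Null

# CRLPublicationURLs flag bits: 1 Publish CRLs to this location, 64 Publish Delta CRLs to this location,
# 2 Include in the CDP extension of issued certificates, 4 Include in CRLs (delta CRL locations).
# %3 = <CaName>, %8 = <CRLNameSuffix>, %9 = <DeltaCRLAllowed>. Entries are joined with a literal \n.
$cdp = @(
    "65:$webRoot\%3%8%9.crl"      # 1 + 64: the CA writes base and delta CRLs into the IIS folder
    "6:$httpBase/%3%8%9.crl"      # 2 + 4:  the URL clients see in certificates and CRLs
) -join '\n'
certutil -setreg CA\CRLPublicationURLs $cdp | Out-Null

# CACertPublicationURLs flag bits: 1 Publish to this location, 2 Include in the AIA extension.
# %1 = <ServerDNSName>, %3 = <CaName>, %4 = <CertificateName>.
$aia = @(
    "1:$webRoot\%1_%3%4.crt"
    "2:$httpBase/%1_%3%4.crt"
) -join '\n'
certutil -setreg CA\CACertPublicationURLs $aia | Out-Null

Restart-Service CertSvc                        # the CA reads the new URLs at start-up
certutil -crl | Out-Null                       # publish a fresh CRL (and delta) to the file CDP
Copy-Item "$env:windir\System32\CertSrv\CertEnroll\*.crt" $webRoot   # AIA file, as in the post

# Check: the base CRL is in the web folder and advertises the HTTP location for delta CRLs.
function Test-CdpPublication {
    param([string]$Folder = $webRoot, [string]$Url = $httpBase)
    $crl = Get-ChildItem $Folder -Filter '*.crl' | Where-Object { $_.Name -notlike '*+.crl' }  # base CRL
    if (-not $crl) { throw "No base CRL in $Folder; did certutil -crl run against this CA?" }
    $dump = certutil -dump $crl[0].FullName
    [pscustomobject]@{
        BaseCrl      = $crl[0].Name
        HttpInCrl    = ($dump -join "`n") -match [regex]::Escape($Url)   # Freshest CRL extension
        CaCertCopied = [bool](Get-ChildItem $Folder -Filter '*.crt')
    }
}
Test-CdpPublication
```

Clients only ever see the HTTP entries, so HttpInCrl being false means the 2 + 4 flags did not take and the subordinate CA certificates issued later would carry no usable CDP.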

Conclusion

We’ve now configured a CDP and AIA location for our offline root CA. These will only be needed for our subordinate CAs when they need to renew or reissue their CA certificates. In the next post, we’ll go through how to set up a subordinate enterprise CA which our domain joined clients can use for certificate requests.