Windows 2008 PKI implementation

Posted on 2009-12-16
Medium Priority
Last Modified: 2012-06-22
Going to implement PKI in 2008. Therefore I'm looking for a "best practice" guide.
We want an offline Root CA.
Question by:stebyshe
LVL 12

Expert Comment

ID: 26060653

Author Comment

ID: 26060692
Yes, I have seen that article. But isn't that just a solution for the case "Hosted Messaging and Collaboration"?

They say that:
"In a full production environment, we recommend that you deploy a rooted trust model with an offline Root Certificate Authority. In a rooted trust model, the root certificate authority (CA) is the trust anchor and has a self-signed certificate. If needed, the root CA issues a certificate to all direct subordinate CAs, which in turn issue certificates to their subordinate CAs. A subordinate CA is trusted cryptographically, based on the signature of its parent."

...and this is what I'm looking for ...
LVL 10

Expert Comment

ID: 26060714

LVL 10

Expert Comment

ID: 26060719

Author Comment

ID: 26060861
...not the article I'm looking for.
LVL 31

Expert Comment

ID: 26067842
Hopefully my article and this post fit the bill.  This one covers the subordinate:

For the root, I haven't made up an article yet, so I'll type this up and this will become the root article I've been meaning to write...

- Don't join to the domain, or to the network at all for that matter.
- For the offline root, Standard edition OS is fine unless you need to do Role Separation, then you need Enterprise Edition OS.  Enterprise Ed. is recommended for the online issuing subordinate.
- For activation, you will need to call it into Microsoft and they will give you the activation code.  If you have a license server for a volume license, they may be able to assist you with that also.
- Make a capolicy.inf file and store it in %systemroot% (e.g. c:\windows).  Filename must be exact (i.e. capolicy_root.inf is not valid).  See the following post for example.
- With 2008, don't trust that the capolicy got everything.  Double check your CA cert before moving forward.  If you need to manually edit the registry, you may do so at:
Registry values are named the same as in capolicy.inf.
- If you need to reissue your root CA cert, you can do so with the following cmd:
certutil -renewCert ReuseKeys
This will use the same keyset, so if anything was signed those signatures will still be valid.  If you need to change the key strength, then omit the 'ReuseKeys' portion, in which case a new keyset will be made and you will need to re-sign all certs issued to all lower tiers.

Ok, for the actual install:
- Install OS and secure that according to your company standards for high security.
- Create a backup local admin account in case your main account gets corrupt.
- If you are using an HSM, follow manufacturer directions to create the keyset and issue the smartcards to protect the keyset.  If not, omit this for now.  If so, read this:
- http://technet.microsoft.com/en-us/library/cc737740(WS.10).aspx
- Install AD CS role - this should already populate values based on the capolicy.inf file, but please do validate that they are what you want!
Start page 23:
- Select:
  - Standalone CA
  - Root CA
  - Create new private key (unless using HSM)
  - default CSP, key length 2048, signing - SHA1 (if all systems are XP SP3 or later or Vista+ then you can do SHA-256); it is recommended to checkmark the "use strong private key protection" box so it prompts for a PIN every time the private key is accessed (to start certsvc and reissue the keyset); just note you need to log in after rebooting to start certsvc...
  - Common name = whatever you want, be descriptive, e.g. "Company XYZ Root CA"; the DN should be the DN for your AD - for an example take a normal server and view it in dsa.msc for its full distinguished name
  - log file default locations are fine; if you have a D: drive you may want to put them there, but not a big deal
  - finish the wizard.

- I would recommend staying away from higher than 2048 certs unless you are running all Vista/2008/Win7 or non-MS OS that support ECC (aka Suite B algorithms, CNG, Discrete Algorithms, ECDH, ECDSA).  Generally I would recommend 2048 bit RSA keyset.  If you can run ECC then do so, it cuts down on CPU - ECDH with a 256 bit key is good and well supported.
- Open the CA MMC - properties of CAName and validate settings, check against the capolicy.inf file to make sure those got applied.  You may want/need to change the CDP and AIA locations on the Extensions tab.  If you need more info on this, let me know.
- Once everything is the way you want, then issue a CRL - CA MMC - expand CAName - rightclick Revoked Certificates - All Tasks - Publish.  Copy the CRL & server cert to a flash drive (both are normally in %systemroot%\system32\certsrv\certenroll directory).  Copy these to the issuing subordinate and install them - manually select - browse - checkmark 'show physical stores' - expand Trusted Root Certification Authorities - Local Computer (for both crl and cert files).  Then follow my article on the sub CA - options should be similar to above.

As an alternative, you can also view this for a non-MS CA option by using XCA - this is a little bit more technical though, but you can do it on a linux box or any random OS.  Just do this for the root...
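The post-install part of the procedure above (check the CA cert against CAPolicy.inf, fix CDP/AIA, publish a CRL, stage cert and CRL for the subordinate, turn on CA auditing) collected into one script, as an added example that is not from the thread or from Paranormastic's article. It wraps certutil and the .NET X509Certificate2 class rather than the MMC. The external URL http://pki.example.com/pki, the flash drive letter E:, the 6-month CRL period and the RSA key are assumptions; CAPolicy.inf key names follow Microsoft's documented sections ([Certsrv_Server], [BasicConstraintsExtension]).

```powershell
# Added example: post-install checks for an offline Windows Server 2008 R2 root CA.
# Run in an elevated PowerShell on the root CA after the AD CS role wizard has finished.
# Assumed: $ExternalBase is your externally reachable CDP/AIA web path, $Removable is the flash drive.
param(
    [string]$ExternalBase = "http://pki.example.com/pki",   # assumed external CDP/AIA host
    [string]$Removable    = "E:\"                           # assumed flash drive
)
$ErrorActionPreference = "Stop"
$CertEnroll = Join-Path $env:SystemRoot "System32\certsrv\CertEnroll"

# 1. The file name must be exactly CAPolicy.inf in %systemroot%; anything else is silently ignored.
$inf = Join-Path $env:SystemRoot "CAPolicy.inf"
if (-not (Test-Path $inf)) {
    $near = Get-ChildItem $env:SystemRoot -Filter "capolicy*.inf" | Select-Object -ExpandProperty Name
    throw "CAPolicy.inf not found in $env:SystemRoot (similar files: $($near -join ', '))"
}

# 2. Parse the INF into @{Section=@{Key=Value}} so the expected values come from the file itself.
function Read-Inf([string]$Path) {
    $sections = @{}; $current = $null
    foreach ($raw in Get-Content $Path) {
        $line = ($raw -split ';', 2)[0].Trim()            # drop ; comments
        if ($line -eq '') { continue }
        if ($line -match '^\[(.+)\]$') { $current = $Matches[1]; $sections[$current] = @{}; continue }
        if ($current -and $line -match '^([^=]+)=(.*)$') {
            $sections[$current][$Matches[1].Trim()] = $Matches[2].Trim().Trim('"')
        }
    }
    return $sections
}
function Get-InfValue($Ini, [string]$Section, [string]$Key) {
    if ($Ini.ContainsKey($Section) -and $Ini[$Section].ContainsKey($Key)) { return $Ini[$Section][$Key] }
    return $null
}
$policy   = Read-Inf $inf
$wantPath = Get-InfValue $policy 'BasicConstraintsExtension' 'PathLength'

# 3. Compare the certificate the wizard actually produced with what CAPolicy.inf asked for.
$crt  = Get-ChildItem $CertEnroll -Filter "*.crt" | Sort-Object LastWriteTime | Select-Object -Last 1
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $crt.FullName
$bc   = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
$actualPath = if ($bc -and $bc.HasPathLengthConstraint) { $bc.PathLengthConstraint } else { "none" }
$keyBits = "n/a (non-RSA key)"
try { $keyBits = $cert.PublicKey.Key.KeySize } catch { }   # .Key throws for CNG/ECC keys
"Subject:       $($cert.Subject)"
"Signature alg: $($cert.SignatureAlgorithm.FriendlyName) ($($cert.SignatureAlgorithm.Value))"
"Key length:    $keyBits bits"
"Path length:   $actualPath (CAPolicy.inf asked for: $wantPath)"
if ($cert.Subject -ne $cert.Issuer) { Write-Warning "Subject != Issuer: this is not a self-signed root certificate" }
if ($wantPath -ne $null -and "$actualPath" -ne "$wantPath") {
    Write-Warning "PathLength differs from CAPolicy.inf; correct the file and reissue with: certutil -renewCert ReuseKeys"
}
if ($keyBits -is [int] -and $keyBits -lt 2048) { Write-Warning "RSA key shorter than 2048 bits" }

# 4. CDP/AIA: keep the local file copy (flag 1) and advertise only the external HTTP URL (flag 2).
#    certutil variables: %1 server DNS name, %3 CA name, %4 cert index, %8 CRL suffix, %9 delta suffix.
#    The literal "\n" is certutil's separator between URLs.
$cdp = "1:%WINDIR%\System32\CertSrv\CertEnroll\%3%8%9.crl\n2:$ExternalBase/%3%8%9.crl"
$aia = "1:%WINDIR%\System32\CertSrv\CertEnroll\%1_%3%4.crt\n2:$ExternalBase/%1_%3%4.crt"
certutil -setreg CA\CRLPublicationURLs $cdp    | Out-Null
certutil -setreg CA\CACertPublicationURLs $aia | Out-Null
# An offline root only signs a CRL while it is powered on, so the CRL needs a long life and no deltas.
certutil -setreg CA\CRLPeriodUnits 6           | Out-Null   # assumed: 6 months
certutil -setreg CA\CRLPeriod "Months"         | Out-Null
certutil -setreg CA\CRLDeltaPeriodUnits 0      | Out-Null
# Audit every CA operation (AuditFilter 127 = all bits) and enable the matching audit subcategory.
certutil -setreg CA\AuditFilter 127            | Out-Null
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable | Out-Null

# 5. Restart (strong key protection prompts for the PIN here), publish a fresh CRL, stage files.
Restart-Service CertSvc
certutil -CRL | Out-Null
Copy-Item (Join-Path $CertEnroll "*.crt"), (Join-Path $CertEnroll "*.crl") -Destination $Removable
"Copied cert and CRL to $Removable. On the issuing subordinate, run from that drive:"
"  certutil -addstore -f Root <root>.crt     # Local Computer\Trusted Root Certification Authorities"
"  certutil -addstore -f Root <root>.crl"
"  certutil -dspublish -f <root>.crt RootCA  # domain-joined subordinate only: publish into AD as well"
"  certutil -dspublish -f <root>.crl"
```

The PathLength comparison is the check the post warns about: the wizard reads CAPolicy.inf, but the only way to know it honoured every key is to inspect the certificate it produced. Registry edits via certutil -setreg only take effect after the service restarts, which is why the CRL is published after Restart-Service; the -dspublish lines are optional and belong on the domain-joined subordinate, never on the offline root.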
LVL 31

Accepted Solution

Paranormastic earned 2000 total points
ID: 26067931
LVL 31

Expert Comment

ID: 26067991

[Version]
Signature="$Windows NT$"
; Configuration for Root CA
; This file belongs in: %systemroot% directory named capolicy.inf
; Usage is defined at http://technet.microsoft.com/en-us/library/cc756120.aspx
; 2008 R2 at http://blogs.technet.com/askds/archive/2009/10/15/windows-server-2008-r2-capolicy-inf-syntax.aspx

[Certsrv_Server]
; ProviderName="RSA#nCipher Security World Key Storage Provider" use only with HSM
DiscreteSignatureAlgorithm=1      ; use 0 if supporting win2k or pre xp sp3 OS
HashAlgorithm=RSASHA256            ; omit and configure in wizard if above is 0

[PolicyStatementExtension]
Policies="Certificate Policy"

[Certificate Policy]
; OID=1.2.3  Do not use unless you actually have a valid OID; otherwise remove this line together with the section header and the Policies= line above, since an empty policy section is not valid.

[BasicConstraintsExtension]
pathlength=1            ; this is the number of subordinate CA tiers you will have below this root - multiple subordinates may exist in the same tier with this set to 1, but if a 3rd tier is needed (rare) then set to 2.
LVL 31

Expert Comment

ID: 26068054
Personally I also recommend turning on all CA auditing features within the CA properties as well, having an auditor, and writing a Certificate Policy (CP) and Certificate Practices Statement (CPS).  RFC 3647 (http://tools.ietf.org/html/rfc3647) is the proper formatting for writing CP and CPS (you may want to get a tech writer to do this, it's a pain and lengthy... also run it by legal when you're done to make them happy).

Side note I sort of missed above, but it is in my article - make sure to have an externally available CDP and AIA for both root & sub CA so users can validate them from anywhere (they will need to trust your root to the same extent as described above).  This can also be handy so business partner companies that trust your root cert will be able to validate them against the CRL (and OCSP if you set that up).

Expert Comment

ID: 26108758
If you want an offline Root CA, then you should install a standalone CA on a non-domain-joined server; its certificate will be self-signed. Then you can use a CApolicy.inf file to install the CA, and the multiple sub CAs will get a certificate before you turn off the root CA.
