xdot509

Operating a Windows PKI: Removing Expired Certificates from the CA Database

2013-05-10T17:36:05Z

Today, I am going to discuss removing expired certificates from the CA database. Every time a CA issues a certificate it also stores a copy of the issued certificate in the CA database. Overtime the certificates that the CA issues expire. Once the certificate expires it is no longer valid. Therefore, once a certificate expires you can safely remove it from the CA database. The one exception to this is if have Key Archival configured on the CA. If you are archiving private keys, you may not want to remove expired CA certificates from the CA database.

Important Note: You should backup the CA including the database and log files prior to deleting any certificates from the database.

Removing expired certificates

Today’s current date is 5/10/2012, and you can see in the screenshot below that I have several issued certificates that are expired.

So, to remove the expired certificates from the CA Database I can run the following command:

certutil –deleterow certs 5/10/2012

As you can see in the screenshot below, 16 rows were deleted.

Now, if I look at the Issued Certificates container in the Certification Authority management console I see that my expired certificates are no longer there.

Note: The certutil command listed above will only delete ~3000 certificates at a time. So, if you have a lot of expired certificates you will have to rerun the command several times.

Delete Pending and Failed Requests

Also, if you want to delete any failed or pending requests that were submitted prior to the current day you can use the following command:

certutil –deleterow <today’s date in mm/dd/yyyy format> request

Summary

So, I covered the steps for removing expired certificates from the CA database. I also covered removing pending and failed requests from the CA database.

I am looking for a list of topics to cover in future blog postings. So, if you have a topic you would like me to cover, please submit a comment or contact me at @chdelay on Twitter.

Operating a Windows PKI

2013-05-10T17:34:23Z

In my customer engagements I get a lot of questions around what tasks an organization should be doing in terms of operation and maintenance for their PKI. So, in this blog series I am going to cover the operational and maintenance aspects of a PKI.

Below is the list of topics I plan on covering in this Blog Series:

Removing expired certificates from the CA Database
Publishing the CRL for an Offline Root CA
CA Certificate Lifecycle and Renewing CA Certificates
Implementing Credential Roaming
Implementing Key Archival
Role Separation
Certification Authority Backup
Emergency CRL Re-signing
Determining Expiring Certificates
Delegating Certificate Template Permissions
Implementing the SMTP Exit Module

If there are any additional topics you would like me to cover, please submit a comment to this blog posting or tweet me @chdelay.

Fun with Windows Phone 8 and NFC

2013-04-15T01:28:27Z

I currently have a Windows Phone 8 device, specifically the HTC 8X. One the features in this phone is Near Field Communications (NFC). I had heard a lot about NFC so I wanted to try it out. So, I bought some NFC tags from Amazon. I found the tags by searching for windows phone 8 nfc tags on Amazon. It cost me about $10 for 5 tags. Below is a picture of the NFC tags:

In order to use the tags I downloaded NFC Launchit from the Windows Phone Store. NFC Launchit lets you launch applications and perform actions when you tap your phone a NFC tag.

So, I opened NFC Launchit.

After the application opened, I tapped on Start.

I wanted to configure or write to the NFC tag so that when I tapped it, my phone would launch my blog website. So, I selected Launch website, from System Apps.

I then entered the URL of my blog which is http://blogs.technet.com/b/xdot509/, and tapped on the check mark.

Next, I held my phone up against the tag to write this information to the NFC tag.

Once the tag was written to, I was presented with the following screen.

So next, I wanted to test the tag and NFC Launchit. So, I tapped my phone against the tag, and was prompted on whether I wanted to receive content, and I tapped accept.

And as expected Internet Explore launched and navigated to my blog. I stuck the NFC tag to my laptop, and now anytime I want to open my blog I just have to tap my phone against the tag and tap accept.

-Chris

Upgrading your PKI to Windows Server 2012 Part III (Video)

2013-04-15T01:13:00Z

This video is Part 3 in a 4 part video series on the steps required to upgrade an existing PKI from Windows Server 2003 to Windows Server 2012. Although the steps demonstrated cover upgrading Windows Server 2003, the same steps could be used to upgrade Windows Server 2008 or Windows Server 2008 R2 to Windows Server 2012. This video covers the steps required to backup a Subordinate Enterprise CA and then decommission that CA in preparation for the migration.

If you have difficulties viewing this video, you can also view it here: http://www.youtube.com/watch?v=ox61aZXACHQ

(Please visit the site to view this video)

Upgrading your PKI to Windows Server 2012 Part II (Video)

2013-04-01T23:36:00Z

This video is Part 2 in a 4 part video series on the steps required to upgrade an existing PKI from Windows Server 2003 to Windows Server 2012. Although the steps demonstrated cover upgrading Windows Server 2003, the same steps could be used to upgrade Windows Server 2008 or Windows Server 2008 R2 to Windows Server 2012. This video covers the steps required to complete the migration of the Root CA.

If you have any issues with viewing the video on this website, it can also be viewed here: http://www.youtube.com/watch?v=2bkcM135kho

(Please visit the site to view this video)

Upgrading your PKI to Windows Server 2012 Part I (Video)

2013-04-01T23:21:00Z

This video is Part 1 in a 4 part video series on the steps required to upgrade an existing PKI from Windows Server 2003 to Windows Server 2012. Although the steps demonstrated cover upgrading Windows Server 2003, the same steps could be used to upgrade Windows Server 2008 or Windows Server 2008 R2 to Windows Server 2012. This video covers the steps to backup an existing Root CA, which is the first step in the migration.

If you have any issues with viewing the video on this website, it can also be viewed here: http://www.youtube.com/watch?v=wdyCPF3gOJc

(Please visit the site to view this video)

New Active Directory Certificate Services (PKI) Features in Windows Server 2012

2013-03-29T17:00:28Z

New Features

Below are a list of several new features available in Active Directory Certificate Services in Windows Server 2012. Additional information on new features in ADCS can be found here: http://technet.microsoft.com/en-us/library/hh831373.aspx

Deployment with Server Manager:

Active Directory Certificate Services (ADCS) as well as all other roles are deployed through Server Manager. I covered the install of Certificate Services on a Root CA with Server Manager in this blog posting: Installing a Two Tier PKI Hierarchy in Windows Server 2012: Part II, Installing a Root Certification Authority with the GUI

Deployment with PowerShell:

One of the greatest improvements in my point of view is the ability to deploy Certificate Services with PowerShell. This feature enables the capability to have a well tested, repeatable implementation process that increases the likelihood of a successful deployment. In my blog series (Installing a Two Tier PKI Hierarchy in Windows Server 2012 Wrap Up) I covered installing ADCS with PowerShell. The two particular blog posting where I performed the installation with PowerShell were: Installing a Two Tier PKI Hierarchy in Windows Server 2012: Part I, Installing a Root Certification Authority with PowerShell and Installing a Two Tier PKI Hierarchy in Windows Server 2012: Part V, Installing an Enterprise Subordinate Certification Authority and Web Enrollment with PowerShell

Additionally, here are links to the deployment cmdlets for ADCS: http://technet.microsoft.com/en-us/library/hh848390.aspx

Server Core:

You can now install all ADCS Roles on Server Core. These roles of course include:

Certification Authority
Certification Authority Web Enrollment
Online Responder
Network Device Enrollment Service
Certificate Enrollment Web Service
Certificate Enrollment Policy Web Service

Server Edition:

All six roles mentioned above can be installed on any edition of the OS in Windows Server 2012.

Enhanced RPC Security:

Enhanced RPC Security has been introduced in Windows Server 2012. To support enrollment for down-level clients the additional security must be disabled. More information is available here: http://social.technet.microsoft.com/wiki/contents/articles/6289.certification-authority-authentication-level-incompatible-with-windows-xp.aspx

Active Directory Site Awareness:

ADCS in Windows Server 2012 supports site awareness for enrollment. Requirements are that CAs be Windows Server 2012 and Clients be at Windows 8 version level. Additional information for deploying site awareness is available here: http://social.technet.microsoft.com/wiki/contents/articles/14106.ad-ds-site-awareness-for-ad-cs-and-pki-clients.aspx

Certificate Template Compatibility:

When duplicating a template you can select the OS Version of your CA and OS version of your “Clients” and then only features supported by both the CA and the “Client” will be accessible when modifying a template. More information is available here: http://social.technet.microsoft.com/wiki/contents/articles/13303.windows-server-2012-certificate-template-versions-and-options.aspx

Group Protected PFX:

Allows securing a PFX file with Active Directory credentials to ease deployment of PFX files, especially in a server farm environment. Additional information available here: http://blogs.technet.com/b/pki/archive/2012/10/08/group-protected-pfx.aspx

Certificate Lifecycle Notification:

See: http://social.technet.microsoft.com/wiki/contents/articles/14250.certificate-services-lifecycle-notifications.aspx

Key Based Renewal:

Key Based Renewal allows for non-domain joined computers to automatically re-enroll for certificates. In order to allow non-domain joined computers to enroll and re-enroll for a certificate, Certificate Enrollment Web Services is leveraged. Additional information on Certificate Enrollment Web Services and Key Based Renewal is available here: http://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx#Key-based_renewal

Same Key Renewal:

You can force renewal of a certificate to use the same key pair. This setting is defined in the certificate template. Among other things, it enables the same key to be maintained if you are using a TPM to protect certificate keys.

TPM Support:

In Windows Server 2012 and Windows 8 a Trusted Platform Module (TPM) can be used to secure a certificate’s private key. In order to support the TPM the Microsoft Platform Crypto Provider (Key Storage Provider) is used. Here is an article on: “Creating a certificate template that includes the Microsoft Platform Crypto Provider on a CA with no TPM” which is located here: http://social.technet.microsoft.com/wiki/contents/articles/13964.creating-a-certificate-template-that-includes-the-microsoft-platform-crypto-provider-on-a-ca-with-no-tpm.aspx

Installing a Two Tier PKI Hierarchy in Windows Server 2012 Wrap Up

2013-03-22T15:23:13Z

After nine blog postings I have decided to wrap up the Installing a Two Tier PKI Hierarchy in Windows Server 2012 Blog Series. Stay tuned for upcoming content. I am going to add blog postings focusing on enrollment, new features, and maybe touch on some other technologies outside of PKI/Certificate Services.

Here are links to all 9 blogs in the series:

Installing a Two Tier PKI Hierarchy in Windows Server 2012: Part I, Installing a Root Certification Authority with PowerShell

Installing a Two Tier PKI Hierarchy in Windows Server 2012: Part II, Installing a Root Certification Authority with the GUI

Installing a Two Tier PKI Hierarchy in Windows Server 2012: Part III, Post Configuration of Root Certification Authority

Installing a Two Tier PKI Hierarchy in Windows Server 2012: Part IV, Publishing the Root CA Certificate and CRL to Active Directory

Installing a Two Tier PKI Hierarchy in Windows Server 2012: Part V, Installing an Enterprise Subordinate Certification Authority and Web Enrollment with PowerShell

Installing a Two Tier PKI Hierarchy in Windows Server 2012: Part VI, Post Configuration of an Enterprise Subordinate Certification Authority

Installing a Two Tier PKI Hierarchy in Windows Server 2012: Part VII, Enabling SSL on the Web Enrollment Website

Installing a Two Tier PKI Hierarchy in Windows Server 2012: Part VIII, PKI Security

Installing a Two Tier PKI Hierarchy in Windows Server 2012: Part IX, Configuring High Availability for the HTTP AIA and CDP Repositories

Upcoming Public Key Infrastructure (PKI) Talks

2013-03-16T02:37:53Z

I am looking for PKI Speaking Engagements. If you are a member of a user group or a security organization such as ISSA or ISACA, please contact me if you need someone to speak on PKI. I am based out of Charlotte. However, I will be traveling to the following cities in the upcoming weeks: Hershey, PA; Ann Arbor, MI; Columbus, OH; and Denver, CO. I can be contacted by submitting a comment to this blog posting or through twitter: @chdelay

Installing a Two Tier PKI Hierarchy in Windows Server 2012: Part IX, Configuring High Availability for the HTTP AIA and CDP Repositories

2013-03-15T13:31:04Z

AIA and CDP Repositories are very important for certificate validation. The Authority Information Access or AIA repository host CA Certificates. This location is “stamped” in the Authority Information Access extension of issued certificates. A client that is validating a certificate may not have every CA certificate in the chain. The client needs to build the entire chain to verify that the chain terminates in a self-signed certificate that is trusted (Trusted Root). So, if a client does not have every certificate in the chain, the client can download these missing CA certificates from the AIA repository.

CDP Repositories host the CRLs that the CA publishes. The CRL Distribution Points extension is “stamped” in certificates. Client use this location to download CRLs that the CA Publishes. When a client is validating a certificate it will build the chain to a Root CA. If the Root CA is trusted this means the certificate is acceptable for use. However, for applications that require revocation checking, the client must also validate that every certificate in the chain (with the exception of the Root) is not revoked. The client does this buy downloading a CRL file and parsing the CRL to see if the serial number of the certificate being validated is not listed. If it is listed the certificate is revoke and should not be trusted.

So, we need these repositories to be available when a client is performing revocation checking. If the AIA and CDP repository is hosted on a web server we need to make the web server highly available. We don’t want clients to begin failing revocation checking because a single web server is down or unavailable. One way to make the HTTP repositories highly available is to host them on Load Balanced web servers.

In this blog entry I am going to cover on how to make the HTTP AIA and CDP repositories highly available. I am going to perform the following steps:

Install IIS (Web Server)
Configure a virtual directory
Copy CA certificates to the repository
Configure the CA to publish CRLs to the Repository on the two web servers
Install and configure Network Load Balancing (NLB)
Configure DNS

I have two web servers: FCWeb01 and FCWeb02. I am only going to illustrate the following steps one time, but I have to perform the same steps on both Web Servers:

Install IIS (Web Server)
Configure a virtual directory
Copy CA certificates to the repository

Install IIS (Web Server)

Thanks to PowerShell installing IIS is a breeze. Once I have the PowerShell CLI open I run:

Add-WindowsFeature Web-WebServer –IncludeManagementTools

Configure a virtual directory

Earlier in this blog series I configured my HTTP AIA and CDP locations for the both the Root and Issuing CA to be located here: http://pki.fourthcoffee.com/certenroll/

So, I need to create a "certenroll” virtual directory in order to support the AIA and CDP extensions that I defined earlier. To meet this requirement, I simply added a CertEnroll folder underneath the C:\Inetpub\wwwroot\ directory. There are of course other alternatives, a virtual directory could be created at another location on the C Drive or another drive if one is available.

Next I have to perform a couple steps. 1. I need to create a share, so that the Issuing CA can copy files via SMB to the CertEnroll folder. This is how the Issuing CA will update the CRL on the repository. 2. I have to give the Issuing CA, at least Change Permissions to the share so that it has access to write the CRL file. 3. I have to configure NTFS Permissions so that the CA has at least Modify permissions, again this is to facilitate the writing of the CRL file to the SMB share.

Configuring share permissions

After creating the CertEnroll directory, I right-click on the directory and select Properties from the context menu.

On the Sharing Tab, I select Advanced Sharing…

I select Share this folder, then enter a share name of CertEnroll$. Next I click the Permissions button. On the Permissions page, I click on the Add… button. On the Select Users, Computers, Service Accounts, or Groups Dialog box, I click the Object Types… button, and ensure that Computers is selected. Next I type the name of the server hosting my Issuing CA, and click the Check Names button. Once the name is validated, I click OK. This takes me back to the Permissions page, where I select the CA Machine name that I specified previously. I configure permissions so that the computer hosting the Issuing CA has Change and Read Permissions to the share. Finally on the Advanced Sharing page, I click OK.

Configuring NTFS permissions

This takes me back to the Properties page for the CertEnroll folder. I click on the Security Tab, and click the Edit… button.

Next, I click the Add… button. On the Select Users, Computers, Service Accounts, or Groups Dialog box, I click the Object Types… button, and ensure that Computers is selected. Next I type the name of the server hosting my Issuing CA, and click the Check Names button. Once the name is validated, I click OK.

Finally on the Permissions page for the CertEnroll folder, I configure the permissions to give the CA’s machine Modify permissions.

Copying CA Certificates and CRLs

The web servers are going to host the AIA repository for the Root and Issuing CA. So, I need to manually copy the Root and Issuing CA certificate to the CertEnroll directory. Also, the web servers are going to host the CDP repository for the Root and Issuing CA. So, I need to copy the Root CRL to the Web Servers. I am not going to copy the Issuing CAs CRL, because I am going to configure the Issuing CA to automatically publish it’s CRL to the CertEnroll folder. The CA certificate and CRL files can be located in the C:\Windows\System32\CertSrv\CertEnroll\ folder on each CA. So, I copy the files.

Configure the CA to publish CRLs to the Repository on the two web servers

Next, I have to configure the Issuing CA to publish it’s CRL to the repository via SMB. Once I make this configuration change, the Issuing CA will publish it’s CRL to the Web Servers hosting the repository, every time it publishes a new CRL. I am going to use the built in mechanism the CA has for publishing CRLs. Keep in mind if you want to use some other tool like SSH or SFTP to copy the files, you can do this. However, you will need to script the copy process and run it as a scheduled task.

So, I create a file I am calling CRLFixUp.bat. The file rewrites the configuration I made in Installing a Two Tier PKI Hierarchy in Windows Server 2012: Part VI, Post Configuration of an Enterprise Subordinate Certification Authority. I also, add the following to the configuration: n1:file:\\fcweb01.fourthcoffee.com\certenroll$\%%3%%8%%%9.crl and n1:file:\\fcweb02.fourthcoffee.com\certenroll$\%%3%%8%%%9.crl. These two additions configure the CA to publish the CRL to the two web servers.

Next I have to restart Certificate Services for the changes to be read from the registry by the CA.

Publishing a new CRL file

Next, I need to publish a new CRL so that the CA publishes it’s CRL to the web server. I open the Certification Authority management console. I right-click on Revoked Certificates, then I select All Tasks and then Publish from the context menu.

Next, I am prompted to publish a New CRL, and I click OK.

If the CRL Publish failed a dialog box would pop-up with the error and an event would be logged to the Application Log. In my case the publication succeeded. Next I can view the CertEnroll directory on each web server to ensure that the file copy succeeded.

Install and configure Network Load Balancing (NLB)

Next, I am going to install and configure Network Load Balancing to provide a mechanism for High Availability between the two web servers. In most environments, there are dedicated Load Balancers that are used for this. Since this is a very simple demo environment I am using NLB as an illustration of one way HA can be accomplished.

To install NLB and the management tools, I enter the following in the PowerShell CLI:

Add-WindowsFeature NLB –IncludeManagementTools

To access the Network Load Balancing Manger, I select Tools from Server Manager, and select Network Load Balancing Manager.

To create a new NLB Cluster, I select the Cluster menu, and then select New from the context menu.

This opens the New Cluster “Wizard”. On the Connect page, I enter the name FCWeb01, and click Connect. Next, I click Next.

On the Host Parameters page I accept the defaults and click Next.

On the Cluster IP Address page I click the Add… button. Then on the Add IP Address page, I enter the IP address I want clients to use to access the Load Balanced Web Servers. I enter the subnet, and click OK.

Then I click Next.

On the Cluster Parameters page, I select Multicast, and click Next.

On the Port Rules page I accept the defaults and click Finish.

Next, I need to add the second web server to the Cluster. So, I right-click on the cluster name and select Add Host to Cluster from the context menu.

On the Connect page of the wizard, I enter the name of the second web server, and click Connect.

On the Host Parameters page I accept the defaults and click Next.

On the Port Rules page of the wizard, I accept the defaults and click Finish.

My NLB Cluster is now configured.

In the blog posting Installing a Two Tier PKI Hierarchy in Windows Server 2012: Part VI, Post Configuration of an Enterprise Subordinate Certification Authority, I created a CNAME recored and pointed it at the Issuing CA as that was hosting my repositories. To undo that changes I previously made I open up DNS Manager (dnsmgmt.msc), and delete the CNAME record that I previously created.

Next I need to create an A record. So, I right-click on the fourthcoffee.com zone and select New host (A or AAAA)… from the context menu.

I enter in the name pki under Name. Next, I enter the IP Address of the front-end of my NLB Cluster, and click Add Host.

This completes the installation of my highly available HTTP AIA and CDP Repositories.

Conclusion

So, far in this series I have installed and configured a Root and Issuing CA. I have taken steps to secure the Web Enrollment website and the CAs themselves. And finally I have configured the HTTP AIA and CDP Repositories to be highly available. I am going to continue this series. In the next couple blog postings I am going to focus on enrollment.

-Chris