Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘Active Directory Certificate Services (ADCS)’ Category

(2024-05-01) Delivering A Demo About Reconnecting AD Back With Entra ID At “Troopers 2024”

Posted by Jorge on 2024-05-01


Very proud (again!) to have been selected again to present at Troopers 2024!

Somewhere in the week of June 24th – 28th, I will be challenging the demo gods for a full hour. Let’s just hope everything goes as planned!

Last year at Troopers I presented about the “Best Practices for Resynchronizing AD and Entra ID After Forest Recovery”. This year, I will actually show you how this can be done for real!

For more information about the conference, please see: https://troopers.de/

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided “AS IS” with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

————————————————————————————————————————————————————-
########################### IAMTEC | Jorge’s Quest For Knowledge ##########################
#################### https://jorgequestforknowledge.wordpress.com/ ###################

————————————————————————————————————————————————————

IAMTEC

Identity | Security | Recovery

————————————————————————————————————————————————————-

Posted in Active Directory Certificate Services (ADCS), Azure AD Cloud Sync, Azure AD Connect, Fixing Identity Data, Forest Recovery, GAP Analysis, PowerShell, Tooling/Scripting, Windows Azure Active Directory

(2019-05-28) Windows Hello For Business – Certificate Template For DCs

Posted by Jorge on 2019-05-28


When implementing Windows Hello for Business (WH4B), using either the “Hybrid AAD Joined Certificate Trust” or the “Hybrid AAD Joined Key Trust” method, a PKI infrastructure is needed, at a minimum to implement a certificate template for the DCs that supports WH4B. If you already have a (Microsoft) PKI infrastructure, you may already have a certificate template for DCs whose provider and algorithm (Cryptography tab) are configured as, or similar to, what is displayed below.

Figure 1: Existing Cryptography Settings In Legacy DC Certificate Template

When deploying WH4B, the following cryptography settings are required. You can only configure these when, on the Compatibility tab, the certification authority is set to at least Windows Server 2012.

Figure 2: Cryptography Settings In New DC Certificate Template Required By WH4B

Now a question may be: what is the impact on DCs when configuring a new certificate template and deploying that to the DCs to replace the existing certificate template?

A good question, might I say!

Important to note is that autoenrollment must be configured, and configured correctly, for this to succeed: at least the highlighted settings below must be set and targeted at the DCs in AD.

You may also want to read: Troubleshooting Autoenrollment and Configuring Autoenrollment

Figure 3: Autoenrollment Settings

In addition, make sure to supersede the old certificate templates in the newest certificate template, as displayed below.

With regards to PKI, the WH4B documentation says the following:

By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the Kerberos Authentication certificate template as a baseline to create an updated domain controller certificate template.

Figure 4: Superseded Settings

From what I have understood, it changes the storage provider from CSP to KSP and keeps the RSA algorithm. After doing this myself in multiple environments and asking around for experiences, the answer to the “impact” question is:

No negative impact anticipated or experienced

Nevertheless, make sure to test in your representative test environment!

Enjoy and have fun!,

Jorge


Posted in Active Directory Certificate Services (ADCS), Active Directory Domain Services (ADDS), Certificate Templates, Certificates, WH4B, Windows Client

(2016-06-24) Quick Learning Guide For A Public Key Infrastructure (PKI)

Posted by Jorge on 2016-06-24


Have you ever wanted to have a quick learning guide about a Public Key Infrastructure (PKI), then have a look at the following:

Cheers,
Jorge

Posted in Active Directory Certificate Services (ADCS), Learning Guide

(2013-12-14) SHA1 Deprecation Policy

Posted by Jorge on 2013-12-14


This is an important message for anyone still using SHA1 certificates.

Read more here.

Cheers,
Jorge

Posted in Active Directory Certificate Services (ADCS), Certificates, SHA1

(2013-10-22) Searching For Certificates Matching A Specific DNS Name Or WildCard Name

Posted by Jorge on 2013-10-22


If your computer has lots of certificates in the local computer store and you need to find out whether one or more certificates match a specific name in the subject or in the subject alternative name (SAN), or match the first-level wildcard of that name, you can use the following PowerShell code:

# Searching For A Certificate With A Specific Name In The Subject Name Or Subject Alternate Name (SAN)
# Searching For A Certificate With A WildCard Name In The Subject Name Or Subject Alternate Name (SAN) Matching The Specific Name

# Define The Specific DNS Name
$dnsName = "<FQDN>"

# Determine The First Level WildCard Name (fs.adcorp.lab -> *.adcorp.lab)
$wildCardName = "*" + $dnsName.Substring($dnsName.IndexOf("."))

$certs = @()
$certsInLocalMachine = Get-ChildItem Cert:\LocalMachine\My

$certsInLocalMachine | ForEach-Object {
    $certificate = $_

    # Take The Value Of The First RDN Of The Subject (Usually The CN) And Stop At The Next RDN,
    # Otherwise A Subject Like "CN=fs.adcorp.lab, O=ADCORP" Never Matches
    $certSubject = $certificate.Subject.Substring($certificate.Subject.IndexOf("=") + 1)
    If ($certSubject.IndexOf(",") -ge 0) { $certSubject = $certSubject.Substring(0, $certSubject.IndexOf(",")) }
    $certSubject = $certSubject.Trim()
    If ($certSubject.ToUpper() -eq $dnsName.ToUpper() -or $certSubject.ToUpper() -eq $wildCardName.ToUpper()) {
        $certs += $certificate
    }

    # Decode The SAN Extension (If Present) And Compare Every DNS Name In It
    $sanCertExtension = $certificate.Extensions | Where-Object { $_.Oid.FriendlyName -eq "Subject Alternative Name" } | Select-Object -First 1
    If ($sanCertExtension -ne $null) {
        $sanObjs = New-Object -ComObject X509Enrollment.CX509ExtensionAlternativeNames
        # 1 = XCN_CRYPT_STRING_BASE64
        $altNamesStr = [System.Convert]::ToBase64String($sanCertExtension.RawData)
        $sanObjs.InitializeDecode(1, $altNamesStr)
        Foreach ($SAN in $sanObjs.AlternativeNames) {
            # 3 = XCN_CERT_ALT_NAME_DNS_NAME; strValue Is Only Defined For String Name Types
            If ($SAN.Type -eq 3) {
                $certAltSubject = $SAN.strValue
                If ($certAltSubject -ne $null) {
                    If ($certAltSubject.ToUpper() -eq $dnsName.ToUpper() -or $certAltSubject.ToUpper() -eq $wildCardName.ToUpper()) {
                        $certs += $certificate
                    }
                }
            }
        }
    }
}

# A Certificate Matching On Both Subject And SAN Was Added Twice, So Keep Every Thumbprint Once
$certs | Sort-Object -Property Thumbprint -Unique | Format-List

If the DNS name is "FS.ADCORP.LAB", this is the output on my demo machine:

Figure 1: Looking For Certificates That Could Support The DNS Name "FS.ADCORP.LAB" (Example)

You might also want to look at the following article, which shows you how to list subject alternate names in a specific certificate:

Cheers,

Jorge


Posted in Certificates, PowerShell, Tooling/Scripting

(2013-09-04) Incorrect CSP Prevents Enrollment Of OCSP Response Signing Certificates

Posted by Jorge on 2013-09-04


As mentioned in the previous post, (2013-08-24) Enabling Key Counting With A CSP Not Supporting It Results In Error (0x80090029) During CA Installation/Configuration, I was rebuilding my test environment. In addition to installing and configuring a certificate authority I also wanted to install and configure an online responder. Before, I used the default “OCSP Response Signing” certificate template, but this time I wanted to duplicate it and create a new one. Because I install multiple environments for testing purposes, I wanted to script the creation of the certificate templates to save time. I never found an easy way to script the duplication of certificate templates. So I duplicated the templates first and changed the settings as needed. Then through ADSIEDIT I got the attribute values and put them in a script with ADMOD from joeware. I did this for multiple certificate templates.

The settings of the duplicated “OCSP Response Signing” certificate template are shown below.

Figure 1: The Settings Of The Duplicated “OCSP Response Signing” Certificate Template

ADMOD -h <FQDN DC> -mvdelim # -replacedn XXX-CONFIG-XXX:_config -add ^
  -b "CN=OCSPResponseSigning_v20,CN=Certificate Templates,CN=Public Key Services,CN=Services,XXX-CONFIG-XXX" ^
  "objectClass::pKICertificateTemplate" ^
  "displayName::OCSP Response Signing v20" ^
  "showInAdvancedViewOnly::TRUE" ^
  "flags::131648" ^
  "revision::100" ^
  "pKICriticalExtensions:++:2.5.29.15" ^
  "pKIDefaultKeySpec::2" ^
  "pKIExtendedKeyUsage:++:1.3.6.1.5.5.7.3.9" ^
  "pKIKeyUsage::8000" ^
  "pKIMaxIssuingDepth::0" ^
  "BIN##pKIExpirationPeriod::0080 37AE FFF4 FFFF" ^
  "BIN##pKIOverlapPeriod::0080 2CAB 6DFE FFFF" ^
  "pKIDefaultCSPs:++:1,Microsoft Enhanced Cryptographic Provider v1.0" ^
  "msPKI-RA-Signature::0" ^
  "msPKI-Enrollment-Flag::20512" ^
  "msPKI-Private-Key-Flag::33751040" ^
  "msPKI-Certificate-Name-Flag::402653184" ^
  "msPKI-Minimal-Key-Size::2048" ^
  "msPKI-Template-Schema-Version::3" ^
  "msPKI-Template-Minor-Revision::3" ^
  "msPKI-Cert-Template-OID::1.3.6.1.4.1.311.21.8.7425675.14461227.5065100.6342490.10430944.249.14559993.5566867" ^
  "msPKI-Certificate-Application-Policy:++:1.3.6.1.5.5.7.3.9" ^
  "msPKI-RA-Application-Policies:++:msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Security-Descriptor`PZPWSTR`D:P(A;;FA;;;BA)(A;;FA;;;SY)(A;;GR;;;S-1-5-80-3804348527-3718992918-2141599610-3686422417-2726379419)`msPKI-Key-Usage`DWORD`2`" ^
  "msPKI-Supersede-Templates:++:OCSPResponseSigning"

REMARK: YOU SHOULD NOT USE THIS METHOD IN YOUR PRODUCTION ENVIRONMENT TO DUPLICATE CERT TEMPLATES! I USED THIS IN MY TEST ENVIRONMENT WITH A PREDEFINED OID.

REMARK: I need to use the mvdelim parameter in this case and specify a new delimiter (#). The reason is that ADMOD by default uses the ; as the delimiter for multi-valued attributes. However, if you look at the second-to-last attribute and its value in the command line, you will see that the value itself contains multiple ; characters. Hence the required change of delimiter.

Figure 2: Scripting The Creation Of The Custom “OCSP Response Signing” Certificate Template

Then I used DSACLS to configure the permissions of that specific certificate template.

REM Convert The DNS Domain To An NC
SET DNDOMAIN=DC=%USERDNSDOMAIN:.=,DC=%

REM Disable Inheritance And Copy The Inherited Permissions Onto The Object As Explicit Permissions
DSACLS "\\<FQDN DC>\CN=OCSPResponseSigning_v20,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,%DNDOMAIN%" /P:Y

REM Assign Enterprise Admins Allow:Read And Allow:Write
DSACLS "\\<FQDN DC>\CN=OCSPResponseSigning_v20,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,%DNDOMAIN%" /G "Enterprise Admins:GRWDWOWP"

REM Remove Any Assigned Permissions To Domain Admins
DSACLS "\\<FQDN DC>\CN=OCSPResponseSigning_v20,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,%DNDOMAIN%" /R "Domain Admins"

REM Assign Domain Admins Allow:Read And Allow:Write
DSACLS "\\<FQDN DC>\CN=OCSPResponseSigning_v20,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,%DNDOMAIN%" /G "Domain Admins:GRWDWOWP"

REM Remove Any Assigned Permissions To SYSTEM
DSACLS "\\<FQDN DC>\CN=OCSPResponseSigning_v20,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,%DNDOMAIN%" /R "SYSTEM"

REM Assign SYSTEM Allow:Read And Allow:Write
DSACLS "\\<FQDN DC>\CN=OCSPResponseSigning_v20,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,%DNDOMAIN%" /G "SYSTEM:GRWDWOWP"

REM Assign A Custom Group Allow:Enroll
DSACLS "\\<FQDN DC>\CN=OCSPResponseSigning_v20,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,%DNDOMAIN%" /G "GRP_R2_PKI-CertTmplt-Subscr-OCSPResponseSigning:CA;Enroll"

The last command assigns a custom group Allow:Enroll permissions. It is NOT needed to assign AutoEnroll permissions! The command that disables inheritance and copies the inherited permissions to become explicit permissions keeps Authenticated Users with Allow:Read. By making the computer account of my OCSP server a member of that custom group, OCSP Response Signing certificates are automatically enrolled by the OCSP service.

The second last thing to do is to configure the CA to support the custom “OCSP Response Signing” certificate template to be able to enroll certificates derived from that certificate template. The last thing to do is to configure OCSP to support revocation information for the installed CA (see: Designing And Implementing An OCSP Responder (Series)).

So as soon as you have configured the revocation information for that specific CA (also see the series: Automated/Unattended Installation Of OCSP) and you pressed/clicked Refresh it should tell you it got a new signing certificate. However, unfortunately, the case is different. No certificate is being enrolled! Damn!

This is what you will see continuously.

Figure 3: The Online Responder Configuration – Error “Bad Signing Certificate On Array Controller”

Figure 4: The Online Responder Configuration – Error “Signing Certificate: Not Found”

When looking at the Application Event Log, you will see…

Figure 5: The Online Responder Service – Error “0x80092006: No Provider Was Specified For The Store Or Object”

Figure 6: The Online Responder Service – Error “0x80092006: No Provider Was Specified For The Store Or Object”

Neither error gives you a clear hint of what’s wrong.

The only thing I remembered was that when I used the default “OCSP Response Signing” certificate template everything worked like a charm! Trouble started when I used my duplicated/custom certificate template. So, the first task was to compare both settings! YOU can do the same by comparing figure 1 above and figure 7 below.

Figure 7: The Settings Of The Original “OCSP Response Signing” Certificate Template

Besides the “msPKI-Cert-Template-OID” attribute value being different, there is another difference! The original “OCSP Response Signing” Certificate Template DOES NOT specify a CSP, while the duplicate “OCSP Response Signing” Certificate Template does. So, where did that go wrong!?

In the GUI this looks like….

Figure 8: The Cryptography Settings Of The Default (Left) And The Duplicated (Right) “OCSP Response Signing” Certificate Template

The only thing to do here is to change the cryptographic settings of the duplicated “OCSP Response Signing” Certificate Template to match those of the original “OCSP Response Signing” Certificate Template.

Figure 9: The Online Responder Configuration – “Working”

Figure 10: The Online Responder Configuration – “Signing Certificate: OK”

Figure 11: The Online Responder Configuration – Certificate Enrolled

Figure 12: The Online Responder Configuration – Certificate (Re)Loaded

Explanation of what went wrong….

As I said, I was scripting the creation of certificate templates. While I was copying information around I copied the text "pKIDefaultCSPs:++:1,Microsoft Enhanced Cryptographic Provider v1.0" into the command line that creates the duplicated “OCSP Response Signing” Certificate Template. However, I SHOULD NOT have done that! That mistake generated the errors shown above and took lots of time to troubleshoot!

So in the previous ADMOD command the part "pKIDefaultCSPs:++:1,Microsoft Enhanced Cryptographic Provider v1.0" MUST be removed!
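As an added example (not code from the original posts), the comparison done by hand above between the duplicated template and the original, and the CSP-versus-KSP question from the WH4B post further up, as a script: it summarises a template's cryptography attributes from the Configuration NC and reports where a duplicate deviates from its baseline. The function names are my own; the AD read assumes the caller can read CN=Certificate Templates, and the offline demonstration at the end uses the attribute values from the ADMOD command above.

```powershell
# Parse an msPKI-RA-Application-Policies value (name`type`value triples, as in the ADMOD
# command above) into a hashtable of name -> value.
function ConvertFrom-RaApplicationPolicies {
    param([string]$Value)
    $parsed = @{}
    if ([string]::IsNullOrEmpty($Value)) { return $parsed }
    $parts = $Value.Split('`')
    # A trailing backtick leaves an empty tail; the loop only consumes complete triples.
    for ($i = 0; $i + 2 -lt $parts.Count; $i += 3) { $parsed[$parts[$i]] = $parts[$i + 2] }
    return $parsed
}

# pKIDefaultCSPs entries look like "1,Microsoft Enhanced Cryptographic Provider v1.0".
# Heuristic (my own): CNG providers carry "Key Storage Provider" in their name, the rest are legacy CSPs.
function Get-ProviderCategory {
    param([string]$Entry)
    $name = $Entry.Substring($Entry.IndexOf(',') + 1).Trim()
    if ($name -like '*Key Storage Provider*') { return 'KSP' } else { return 'CSP' }
}

# Build a comparable summary from raw attribute values, so it also works on constructed input.
function New-TemplateCryptoSummary {
    param([string]$Name, [int]$SchemaVersion, [string[]]$DefaultCsps, [string]$RaPolicies)
    $providers = @($DefaultCsps | Where-Object { $_ })
    $ra = ConvertFrom-RaApplicationPolicies -Value $RaPolicies
    [pscustomobject]@{
        Name          = $Name
        SchemaVersion = $SchemaVersion
        Providers     = $providers
        Categories    = @($providers | ForEach-Object { Get-ProviderCategory -Entry $_ })
        Algorithm     = $ra['msPKI-Asymmetric-Algorithm']
        HashAlgorithm = $ra['msPKI-Hash-Algorithm']
    }
}

# Report where a candidate (duplicated) template deviates from its baseline on the settings that matter.
function Compare-TemplateCrypto {
    param($Baseline, $Candidate)
    $findings = @()
    if ($Candidate.SchemaVersion -ne $Baseline.SchemaVersion) {
        $findings += "schema version $($Candidate.SchemaVersion) differs from baseline $($Baseline.SchemaVersion)"
    }
    if ($Baseline.Providers.Count -eq 0 -and $Candidate.Providers.Count -gt 0) {
        $findings += "baseline specifies no provider, candidate lists: $($Candidate.Providers -join '; ')"
    }
    if ($Candidate.Categories -contains 'CSP' -and -not ($Baseline.Categories -contains 'CSP')) {
        $findings += 'candidate lists a legacy CSP where the baseline uses none or a KSP'
    }
    if ($Candidate.Algorithm -ne $Baseline.Algorithm) {
        $findings += "asymmetric algorithm $($Candidate.Algorithm) differs from baseline $($Baseline.Algorithm)"
    }
    if ($Candidate.HashAlgorithm -ne $Baseline.HashAlgorithm) {
        $findings += "hash algorithm $($Candidate.HashAlgorithm) differs from baseline $($Baseline.HashAlgorithm)"
    }
    return $findings
}

# Read one template from AD by its cn and summarise it.
function Get-TemplateCryptoSummaryFromAd {
    param([Parameter(Mandatory)][string]$TemplateName)
    $configNc = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'][0]
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $searcher.Filter = "(&(objectClass=pKICertificateTemplate)(cn=$TemplateName))"
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "Template '$TemplateName' not found" }
    $p = $result.Properties
    $ra = if ($p['mspki-ra-application-policies'].Count -gt 0) { [string]$p['mspki-ra-application-policies'][0] } else { '' }
    New-TemplateCryptoSummary -Name $TemplateName `
        -SchemaVersion ([int]$p['mspki-template-schema-version'][0]) `
        -DefaultCsps @($p['pkidefaultcsps'] | ForEach-Object { [string]$_ }) `
        -RaPolicies $ra
}

# Offline demonstration with constructed input taken from the ADMOD command above (SDDL triple
# left out): the original OCSP Response Signing template has no pKIDefaultCSPs, the duplicate does.
$raSample  = 'msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`2`'
$original  = New-TemplateCryptoSummary -Name 'OCSPResponseSigning' -SchemaVersion 3 -DefaultCsps @() -RaPolicies $raSample
$duplicate = New-TemplateCryptoSummary -Name 'OCSPResponseSigning_v20' -SchemaVersion 3 `
    -DefaultCsps @('1,Microsoft Enhanced Cryptographic Provider v1.0') -RaPolicies $raSample
Compare-TemplateCrypto -Baseline $original -Candidate $duplicate
```

Against live AD, call Get-TemplateCryptoSummaryFromAd for the original and the duplicate and pass both to Compare-TemplateCrypto; the demonstration reports the two provider findings that explain the 0x80092006 error above.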

Just a stupid copy/paste mistake.

Cheers,

Jorge


Posted in Active Directory Certificate Services (ADCS), Certificate Templates, OCSP

(2013-08-29) Automated/Unattended Installation Of OCSP (Part 6)

Posted by Jorge on 2013-08-29


Click here for part 5

Make sure to select YOUR preferred Array Controller and afterwards synchronize all OCSP Array Members with the OCSP Array Controller. To select a new OCSP Array Controller afterwards, select the OCSP Array Member that will become the OCSP Array Controller and select the option “Set As Array Controller”.

Figure 1: Configuring A New Array Controller

To synchronize the array members with the array controller, right-click the node “Array Configuration” and select the option “Synchronize Members With Array Controller”.

Figure 2: Synchronizing The Array Members With The Array Controller

Everything is up and running. To test OCSP you need a certificate that has been issued to some entity. After exporting the certificate to a CER file, you can use the following command to test OCSP:

CERTUTIL -URL <CER file>

If you are using a PowerShell console instead of a Command Prompt, type: & 'CERTUTIL' -URL .\<CER file>

Check (on the right side) “OCSP (from AIA)” and click “Retrieve”

Figure 3: Testing OCSP

Cheers,
Jorge

Posted in Active Directory Certificate Services (ADCS), OCSP, PowerShell, Tooling/Scripting

(2013-08-28) Automated/Unattended Installation Of OCSP (Part 5)

Posted by Jorge on 2013-08-28


Click here for part 4

When using option [1] or [2], let’s assume you want to have more than one OCSP server servicing the Revocation Configurations of each configured CA. After adding all revocation configurations you can add more OCSP members to the OCSP array. The first OCSP server hosting the revocation configurations is by default the array controller when adding additional OCSP members to the array. So this action, or the next script, needs to be executed on the OCSP array controller.

REMARK: A “BIG THANK YOU!” goes to Vadim Podans for helping me out in defining the correct format of the values being written to the ArrayMembers property.

# Get The Info Of The Local Server
$ocspServerFQDN = $(Get-WmiObject -Class Win32_ComputerSystem).Name + "." + $(Get-WmiObject -Class Win32_ComputerSystem).Domain

# Put The OCSP Configuration In An Object
$ocspAdmin = New-Object -com "CertAdm.OCSPAdmin"
$ocspAdmin.GetConfiguration($ocspServerFQDN, $true)

# Retrieve The Current OCSP Array Member(s) (Item 2 Of The Service Properties Is "ArrayMembers")
$currentArrayMembers = $ocspAdmin.OCSPServiceProperties.Item(2).Value

# Define The ADDITIONAL OCSP Array Members
$newArrayMembers = @("R2FSMBSV2.ADDMZ.LAN")

# Define The Total List Of Array Members
# @() Around The Current Value Matters: With A Single Current Member It Is A String, And
# String + Array Would Concatenate The Names Instead Of Building A List
[string[]]$totalListArrayMembers = @($currentArrayMembers) + $newArrayMembers

# Write The New Total List Of Array Members
$ocspAdmin.OCSPServiceProperties.Item(2).Value = $totalListArrayMembers

# Commit The Changes
$ocspAdmin.SetConfiguration($ocspServerFQDN, $true)

Figure 1: Configuring Additional OCSP Array Members On The Array Controller

Now open/start the “Online Responder Management” MMC. You will immediately get an array controller mismatch message as shown below.

Figure 2: Array Controller Mismatch Message

Continued in part 6 “(2013-08-29) Automated/Unattended Installation Of OCSP (Part 6)”

Cheers,

Jorge


Posted in Active Directory Certificate Services (ADCS), OCSP, PowerShell, Tooling/Scripting

(2013-08-27) Automated/Unattended Installation Of OCSP (Part 4)

Posted by Jorge on 2013-08-27


Click here for part 3

This post will explain how to configure revocation information through option [3] (Use The CA Certificate For The Revocation Information) for each ENTERPRISE CA found in AD. 

Figure 1: Configuring Revocation Configuration And Choosing The CA Certificate As The Signing Certificate

This option can only be used when OCSP is installed on the same server as the CA that OCSP is servicing.

# Import The PSPKI Module (Get It At: http://pspki.codeplex.com/)
Import-Module PSPKI

# Get The Info Of The Local Server
$domainName = $(Get-WmiObject -Class Win32_ComputerSystem).Domain
$ocspServerFQDN = $(Get-WmiObject -Class Win32_ComputerSystem).Name + "." + $domainName

# Get The Local CA (Option [3] Only Works When OCSP Runs On The CA Server Itself)
$localCA = Connect-CA -ComputerName $ocspServerFQDN

# For The Local CA Create Revocation Configuration
# Get The CA Name
$caName = $localCA.DisplayName
# Get The CA Server Name
$caServerName = $localCA.ComputerName
# Get The CA Certificate And Its RawData
$caCert = $localCA.Certificate
$caCertRawData = $caCert.RawData

# Define The OCSP Name
$ocspName = "OCSP For " + $caName + " (" + $caServerName + ")"

# Configure The Revocation Provider Properties In A Property Collection Object For This CA
$ocspProperties = New-Object -com "CertAdm.OCSPPropertyCollection"
$baseCrl = "http://pki." + $domainName.ToLower() + "/pki/" + $caName.ToLower() + ".crl"
$deltaCrl = "http://pki." + $domainName.ToLower() + "/pki/" + $caName.ToLower() + "+.crl"
$ocspProperties.CreateProperty("BaseCrlUrls", $baseCrl)
$ocspProperties.CreateProperty("DeltaCrlUrls", $deltaCrl)
$ocspProperties.CreateProperty("RevocationErrorCode", 0)
#$ocspProperties.CreateProperty("RefreshTimeOut", 3600000) # Update CRLs At This Refresh Interval

# Configure The OCSP Signing Flags To Use The CA Certificate As The Signing Certificate
# http://msdn.microsoft.com/en-us/library/windows/desktop/aa386387(v=vs.85).aspx
$OCSP_SF_SILENT = 0x001
$OCSP_SF_USE_CACERT = 0x002
$OCSP_SF_FORCE_SIGNINGCERT_ISSUER_ISCA = 0x008
$OCSP_SF_RESPONDER_ID_KEYHASH = 0x040
$ocspSigningFlags = $OCSP_SF_SILENT -bor $OCSP_SF_USE_CACERT -bor $OCSP_SF_FORCE_SIGNINGCERT_ISSUER_ISCA -bor $OCSP_SF_RESPONDER_ID_KEYHASH

# Load The OCSP Configuration In An Object
$ocspAdmin = New-Object -com "CertAdm.OCSPAdmin"
$ocspAdmin.GetConfiguration($ocspServerFQDN, $True)

# Create New Revocation Configuration
$ocspConfig = $ocspAdmin.OCSPCAConfigurationCollection.CreateCAConfiguration($ocspName, $caCertRawData)
$ocspConfig.HashAlgorithm = "SHA1"
$ocspConfig.SigningFlags = $ocspSigningFlags
$ocspConfig.ProviderProperties = $ocspProperties.GetAllProperties()
$ocspConfig.ProviderCLSID = "{4956d17f-88fd-4198-b287-1e6e65883b19}"
$ocspConfig.ReminderDuration = 90

# Commit The New Revocation Configuration
$ocspAdmin.SetConfiguration($ocspServerFQDN, $True)

Figure 2a: Configuring Revocation Configuration For The Local Enterprise CA

Figure 2b: Configuring Revocation Configuration For Every Enterprise CA Found In AD

After the configuration, let’s fetch the OCSP Revocation Configuration by issuing the following commands:

# Get The Info Of The Local Server
$domainName = $(Get-WmiObject -Class Win32_ComputerSystem).Domain
$ocspServerFQDN = $(Get-WmiObject -Class Win32_ComputerSystem).Name + "." + $domainName

# Get The Renewed OCSP Configuration
$ocspAdmin = New-Object -com "CertAdm.OCSPAdmin"
$ocspAdmin.GetConfiguration($ocspServerFQDN, $True)
$ocspAdmin.OCSPCAConfigurationCollection
$ocspAdmin.OCSPServiceProperties

Figure 3: Retrieving The Revocation Configuration Properties And The Service Properties

Continued in part 5 “(2013-08-28) Automated/Unattended Installation Of OCSP (Part 5)”

Cheers,

Jorge


Posted in Active Directory Certificate Services (ADCS), OCSP, PowerShell, Tooling/Scripting

(2013-08-26) Automated/Unattended Installation Of OCSP (Part 3)

Posted by Jorge on 2013-08-26


Click here for part 2

This post will explain how to configure revocation information through option [2] (Manually Select A Signing Certificate) for each ENTERPRISE CA found in AD. 

Figure 1: Configuring Revocation Configuration And Choosing To Manually Select A Signing Certificate

# Import The PSPKI Module (Get It At: http://pspki.codeplex.com/)
Import-Module PSPKI

# Get The Info Of The Local Server
$domainName = $(Get-WmiObject -Class Win32_ComputerSystem).Domain
$ocspServerFQDN = $(Get-WmiObject -Class Win32_ComputerSystem).Name + "." + $domainName

# Get All The Enterprise CAs Published In AD
$enterpriseCAs = Get-CA | Where-Object { $_.Type -match "Enterprise" }

# For Every CA Create Revocation Configuration
$enterpriseCAs | ForEach-Object {
    # Get The CA Name
    $caName = $_.DisplayName
    # Get The CA Server Name
    $caServerName = $_.ComputerName
    # Get The CA Certificate And Its RawData
    $caCert = $_.Certificate
    $caCertRawData = $caCert.RawData

    # Define The OCSP Name
    $ocspName = "OCSP For " + $caName + " (" + $caServerName + ")"

    # Configure The Revocation Provider Properties In A Property Collection Object For This CA
    $ocspProperties = New-Object -com "CertAdm.OCSPPropertyCollection"
    $baseCrl = "http://pki." + $domainName.ToLower() + "/pki/" + $caName.ToLower() + ".crl"
    $deltaCrl = "http://pki." + $domainName.ToLower() + "/pki/" + $caName.ToLower() + "+.crl"
    $ocspProperties.CreateProperty("BaseCrlUrls", $baseCrl)
    $ocspProperties.CreateProperty("DeltaCrlUrls", $deltaCrl)
    $ocspProperties.CreateProperty("RevocationErrorCode", 0)
    #$ocspProperties.CreateProperty("RefreshTimeOut", 3600000) # Update CRLs At This Refresh Interval

    # Configure The OCSP Signing Flags For A Manually Assigned Signing Certificate
    # http://msdn.microsoft.com/en-us/library/windows/desktop/aa386387(v=vs.85).aspx
    $OCSP_SF_SILENT = 0x001
    $OCSP_SF_MANUAL_ASSIGN_SIGNINGCERT = 0x020
    $OCSP_SF_RESPONDER_ID_KEYHASH = 0x040
    $ocspSigningFlags = $OCSP_SF_SILENT -bor $OCSP_SF_MANUAL_ASSIGN_SIGNINGCERT -bor $OCSP_SF_RESPONDER_ID_KEYHASH

    # Load The OCSP Configuration In An Object
    $ocspAdmin = New-Object -com "CertAdm.OCSPAdmin"
    $ocspAdmin.GetConfiguration($ocspServerFQDN, $True)

    # Create New Revocation Configuration
    $ocspConfig = $ocspAdmin.OCSPCAConfigurationCollection.CreateCAConfiguration($ocspName, $caCertRawData)
    $ocspConfig.HashAlgorithm = "SHA1"
    $ocspConfig.SigningFlags = $ocspSigningFlags
    $ocspConfig.ProviderProperties = $ocspProperties.GetAllProperties()
    $ocspConfig.ProviderCLSID = "{4956d17f-88fd-4198-b287-1e6e65883b19}"
    $ocspConfig.ReminderDuration = 90

    # Commit The New Revocation Configuration
    $ocspAdmin.SetConfiguration($ocspServerFQDN, $True)
}

 

Figure 2a: Configuring Revocation Configuration For Every Enterprise CA Found In AD

Figure 2b: Configuring Revocation Configuration For Every Enterprise CA Found In AD

Now before continuing MANUALLY assign a certificate to the OCSP Revocation Configuration. Do this through the “Online Responder Management” MMC. You must do this for EVERY OCSP Array Member. The certificate that will be used must have the “OCSP Signing” Enhanced Key Usage Extension.

After the configuration, let’s fetch the OCSP Revocation Configuration by issuing the following commands:

# Get The Info Of The Local Server
$domainName = $(Get-WmiObject -Class Win32_ComputerSystem).Domain
$ocspServerFQDN = $(Get-WmiObject -Class Win32_ComputerSystem).Name + "." + $domainName

# Get The Renewed OCSP Configuration
$ocspAdmin = New-Object -com "CertAdm.OCSPAdmin"
$ocspAdmin.GetConfiguration($ocspServerFQDN, $True)
$ocspAdmin.OCSPCAConfigurationCollection
$ocspAdmin.OCSPServiceProperties


Figure 3: Retrieving The Revocation Configuration Properties And The Service Properties
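As an added example (not code from the original posts), a read-back of what parts 3 to 6 configure: it uses the same CertAdm.OCSPAdmin object as the posts, decodes the SigningFlags bits into their names, and checks each revocation configuration and the array membership against the rules the posts state (manual assignment needs a certificate on every array member, the CA-certificate option only works on the CA server itself). Function names are my own; it assumes it runs on an array member with administrative rights, the flag names not used in the posts come from the OCSPSigningFlags documentation the posts link to, and the "server\CA name" format of the CAConfig property is an assumption.

```powershell
# Bit values of the OCSPSigningFlags enumeration (aa386387); the five used in the posts are on
# the page, the others are taken from the same enumeration.
$script:OcspSigningFlags = @(
    @{ Bit = 0x001; Name = 'OCSP_SF_SILENT' },
    @{ Bit = 0x002; Name = 'OCSP_SF_USE_CACERT' },
    @{ Bit = 0x004; Name = 'OCSP_SF_ALLOW_SIGNINGCERT_AUTORENEWAL' },
    @{ Bit = 0x008; Name = 'OCSP_SF_FORCE_SIGNINGCERT_ISSUER_ISCA' },
    @{ Bit = 0x010; Name = 'OCSP_SF_AUTODISCOVER_SIGNINGCERT' },
    @{ Bit = 0x020; Name = 'OCSP_SF_MANUAL_ASSIGN_SIGNINGCERT' },
    @{ Bit = 0x040; Name = 'OCSP_SF_RESPONDER_ID_KEYHASH' },
    @{ Bit = 0x080; Name = 'OCSP_SF_RESPONDER_ID_NAME' },
    @{ Bit = 0x100; Name = 'OCSP_SF_ALLOW_NONCE_EXTENSION' },
    @{ Bit = 0x200; Name = 'OCSP_SF_ALLOW_SIGNINGCERT_AUTOENROLLMENT' }
)

# Turn a SigningFlags value into the list of flag names that are set.
function ConvertTo-OcspSigningFlagNames {
    param([int]$Flags)
    $names = @()
    foreach ($flag in $script:OcspSigningFlags) {
        if (($Flags -band $flag.Bit) -ne 0) { $names += $flag.Name }
    }
    return $names
}

# Sanity checks on one revocation configuration, kept free of COM so they also run on
# constructed values. The rules follow the posts:
#  - option [2] (manual assignment) needs a signing certificate assigned on EVERY array member
#  - option [3] (CA certificate) only works when the responder runs on the CA server itself
#  - a responder without a loaded signing certificate shows "Signing Certificate: Not Found"
function Test-OcspRevocationConfiguration {
    param(
        [string]$Identifier, [int]$SigningFlags, [bool]$HasSigningCertificate,
        [string]$ResponderFqdn, [string]$CaServerFqdn, [string]$HashAlgorithm
    )
    $findings = @()
    $set = ConvertTo-OcspSigningFlagNames -Flags $SigningFlags
    if (-not $HasSigningCertificate) {
        $findings += "$Identifier : no signing certificate loaded"
        if ($set -contains 'OCSP_SF_MANUAL_ASSIGN_SIGNINGCERT') {
            $findings += "$Identifier : manual assignment selected, assign a certificate with the OCSP Signing EKU on this array member"
        }
    }
    if ($set -contains 'OCSP_SF_USE_CACERT' -and $ResponderFqdn -ne $CaServerFqdn) {
        $findings += "$Identifier : CA certificate signing selected but responder $ResponderFqdn is not the CA server $CaServerFqdn"
    }
    if ($HashAlgorithm -eq 'SHA1') {
        $findings += "$Identifier : responses are signed with SHA1, which is deprecated"
    }
    return $findings
}

# Read the live configuration of this array member and run the checks on every revocation configuration.
function Get-OcspConfigurationReport {
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $responderFqdn = $cs.Name + '.' + $cs.Domain
    $ocspAdmin = New-Object -ComObject 'CertAdm.OCSPAdmin'
    $ocspAdmin.GetConfiguration($responderFqdn, $true)

    # Part 5 writes ArrayMembers by index; here the service properties are looked up by name.
    $arrayController = $null
    $arrayMembers = @()
    foreach ($prop in $ocspAdmin.OCSPServiceProperties) {
        if ($prop.Name -eq 'ArrayController') { $arrayController = $prop.Value }
        if ($prop.Name -eq 'ArrayMembers') { $arrayMembers = @($prop.Value) }
    }

    $findings = @()
    foreach ($cfg in $ocspAdmin.OCSPCAConfigurationCollection) {
        # Assumption: CAConfig is "<CA server FQDN>\<CA name>", the certutil -config format.
        $caServer = ([string]$cfg.CAConfig).Split('\')[0]
        $findings += Test-OcspRevocationConfiguration -Identifier $cfg.Identifier `
            -SigningFlags $cfg.SigningFlags -HasSigningCertificate ($null -ne $cfg.SigningCertificate) `
            -ResponderFqdn $responderFqdn -CaServerFqdn $caServer -HashAlgorithm $cfg.HashAlgorithm
    }
    [pscustomobject]@{
        Responder       = $responderFqdn
        ArrayController = $arrayController
        ArrayMembers    = $arrayMembers
        Findings        = $findings
    }
}

# Offline demonstration with constructed values mirroring option [2] from part 3 before the
# certificate has been assigned manually on this array member (names are made up).
Test-OcspRevocationConfiguration -Identifier 'OCSP For Demo CA (CA1.ADCORP.LAB)' `
    -SigningFlags (0x001 -bor 0x020 -bor 0x040) -HasSigningCertificate $false `
    -ResponderFqdn 'OCSP1.ADCORP.LAB' -CaServerFqdn 'CA1.ADCORP.LAB' -HashAlgorithm 'SHA1'
```

On an array member, run Get-OcspConfigurationReport instead; the demonstration returns three findings (no certificate loaded, manual assignment pending, SHA1 in use).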

Continued in part 4 “(2013-08-27) Automated/Unattended Installation Of OCSP (Part 4)”

Cheers,

Jorge


Posted in Active Directory Certificate Services (ADCS), OCSP, PowerShell, Tooling/Scripting