Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘Active Directory Certificate Services (ADCS)’ Category

(2016-06-24) Quick Learning Guide For A Public Key Infrastructure (PKI)

Posted by Jorge on 2016-06-24


If you have ever wanted a quick learning guide about a Public Key Infrastructure (PKI), have a look at the following:

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————


Posted in Active Directory Certificate Services (ADCS), Learning Guide | 1 Comment »

(2013-12-14) SHA1 Deprecation Policy

Posted by Jorge on 2013-12-14


This is an important message for anyone still using SHA1 certificates.

Read more here.

Cheers,
Jorge

Posted in Active Directory Certificate Services (ADCS), Certificates, SHA1 | Leave a Comment »

(2013-10-22) Searching For Certificates Matching A Specific DNS Name Or WildCard Name

Posted by Jorge on 2013-10-22


If your computer has lots of certificates in the local computer store and you need to find out whether one or more certificates match a specific name in the subject or in the subject alternative name (SAN), or match it through a first-level wildcard name, you can use the following PowerShell code:

# Searching For A Certificate With A Specific Name In The Subject Name Or Subject Alternate Name (SAN)
# Searching For A Certificate With A WildCard Name In The Subject Name Or Subject Alternate Name (SAN) Matching The Specific Name

# Define The Specific DNS Name
$dnsName = "<FQDN>"

# Determine The First Level WildCard Name (e.g. "fs.adcorp.lab" -> "*.adcorp.lab")
$wildCardName = "*" + $dnsName.Substring($dnsName.IndexOf("."))

$certs = @()
$certsInLocalMachine = Get-ChildItem Cert:\LocalMachine\My
$certsInLocalMachine | ForEach-Object {
    $certificate = $_
    $certThumbprint = $certificate.Thumbprint

    # Take The Value Of The First RDN Of The Subject (Normally The CN), Not The Rest Of The DN
    $firstRdn = ($certificate.Subject -split ",")[0]
    $certSubject = $firstRdn.Substring($firstRdn.IndexOf("=") + 1).Trim()
    If ($certSubject.ToUpper() -eq $dnsName.ToUpper() -or $certSubject.ToUpper() -eq $wildCardName.ToUpper()) {
        $certs += $certificate
    }

    # Decode The SAN Extension (If Present) Through The CertEnroll COM Interface
    $sanCertExtension = $certificate.Extensions | Where-Object { $_.Oid.FriendlyName.ToLower() -eq "subject alternative name" }
    If ($sanCertExtension -ne $null) {
        $sanObjs = New-Object -ComObject X509Enrollment.CX509ExtensionAlternativeNames
        $altNamesStr = [System.Convert]::ToBase64String($sanCertExtension.RawData)
        # 1 = XCN_CRYPT_STRING_BASE64
        $sanObjs.InitializeDecode(1, $altNamesStr)
        Foreach ($SAN in $sanObjs.AlternativeNames) {
            $certAltSubject = $SAN.strValue
            If ($certAltSubject -ne $null) {
                If ($certAltSubject.ToUpper() -eq $dnsName.ToUpper() -or $certAltSubject.ToUpper() -eq $wildCardName.ToUpper()) {
                    # Do Not List The Same Certificate Twice When Both The Subject And A SAN Entry Match
                    If (($certs | ForEach-Object { $_.Thumbprint }) -notcontains $certThumbprint) { $certs += $certificate }
                }
            }
        }
    }
}
$certs | FL

If the DNS name is "FS.ADCORP.LAB", the output on my demo machine is:


Figure 1: Looking For Certificates That Could Support The DNS Name "FS.ADCORP.LAB" (Example)

You might also want to look at the following article, which shows you how to list subject alternate names in a specific certificate:

Cheers,

Jorge


Posted in Certificates, PowerShell, Tooling/Scripting | 2 Comments »

(2013-09-04) Incorrect CSP Prevents Enrollment Of OCSP Response Signing Certificates

Posted by Jorge on 2013-09-04


As mentioned in the previous post, (2013-08-24) Enabling Key Counting With A CSP Not Supporting It Results In Error (0x80090029) During CA Installation/Configuration, I was rebuilding my test environment. In addition to installing and configuring a certificate authority I also wanted to install and configure an online responder. Before, I used the default “OCSP Response Signing” certificate template, but this time I wanted to duplicate it and create a new one. Because I install multiple environments for testing purposes, I wanted to script the creation of the certificate templates to save time. I never found an easy way to script the duplication of certificate templates, so I duplicated the templates first in the GUI and changed the settings as needed. Then, through ADSIEDIT, I read the attribute values and put them in a script with ADMOD from joeware. I did this for multiple certificate templates.

The settings of the duplicated “OCSP Response Signing” certificate template are shown below.


Figure 1: The Settings Of The Duplicated “OCSP Response Signing” Certificate Template

ADMOD –h <FQDN DC> -mvdelim # -replacedn XXX-CONFIG-XXX:_config -add -b "CN=OCSPResponseSigning_v20,CN=Certificate Templates,CN=Public Key Services,CN=Services,XXX-CONFIG-XXX" "objectClass::pKICertificateTemplate" "displayName::OCSP Response Signing v20" "showInAdvancedViewOnly::TRUE" "flags::131648" "revision::100" "pKICriticalExtensions:++:2.5.29.15" "pKIDefaultKeySpec::2" "pKIExtendedKeyUsage:++:1.3.6.1.5.5.7.3.9" "pKIKeyUsage::8000" "pKIMaxIssuingDepth::0" "BIN##pKIExpirationPeriod::0080 37AE FFF4 FFFF" "BIN##pKIOverlapPeriod::0080 2CAB 6DFE FFFF" "pKIDefaultCSPs:++:1,Microsoft Enhanced Cryptographic Provider v1.0" "msPKI-RA-Signature::0" "msPKI-Enrollment-Flag::20512" "msPKI-Private-Key-Flag::33751040" "msPKI-Certificate-Name-Flag::402653184" "msPKI-Minimal-Key-Size::2048" "msPKI-Template-Schema-Version::3" "msPKI-Template-Minor-Revision::3" "msPKI-Cert-Template-OID::1.3.6.1.4.1.311.21.8.7425675.14461227.5065100.6342490.10430944.249.14559993.5566867" "msPKI-Certificate-Application-Policy:++:1.3.6.1.5.5.7.3.9" "msPKI-RA-Application-Policies:++:msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Security-Descriptor`PZPWSTR`D:P(A;;FA;;;BA)(A;;FA;;;SY)(A;;GR;;;S-1-5-80-3804348527-3718992918-2141599610-3686422417-2726379419)`msPKI-Key-Usage`DWORD`2`" "msPKI-Supersede-Templates:++:OCSPResponseSigning"

REMARK: YOU SHOULD NOT USE THIS METHOD TO DUPLICATE CERTIFICATE TEMPLATES IN YOUR ENVIRONMENT! I ONLY USED IT IN MY TEST ENVIRONMENT, WITH A PREDEFINED TEMPLATE OID. The value of msPKI-Cert-Template-OID must be unique in the forest; when a template is duplicated through the Certificate Templates console a fresh OID is generated under the forest's own OID root, whereas this command hard-codes one.

REMARK: I need to use the -mvdelim parameter in this case and specify a different delimiter (#). ADMOD by default uses ; as the delimiter for multi-valued attributes, but the value of msPKI-RA-Application-Policies (the second last attribute on the command line) itself contains several ; characters in its embedded security descriptor. Hence the required change of delimiter.


Figure 2: Scripting The Creation Of The Custom “OCSP Response Signing” Certificate Template

Then I used DSACLS to configure the permissions of that specific certificate template.

REM Convert The DNS Domain To A DN (e.g. ADCORP.LAB -> DC=ADCORP,DC=LAB)
REM CAVEAT: The Configuration NC Lives Under The FOREST ROOT Domain. When Running This From A Child Domain, Set DNDOMAIN To The Forest Root DN Instead Of Deriving It From %USERDNSDOMAIN%
SET DNDOMAIN=DC=%USERDNSDOMAIN:.=,DC=%
SET TEMPLATEDN=\\<FQDN DC>\CN=OCSPResponseSigning_v20,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,%DNDOMAIN%

REM Disable Inheritance And Copy The Inherited Permissions Onto The Object As Explicit Permissions
DSACLS "%TEMPLATEDN%" /P:Y

REM Assign Enterprise Admins Allow:Generic Read, Write DACL, Write Owner, Write Property (GRWDWOWP)
DSACLS "%TEMPLATEDN%" /G "Enterprise Admins:GRWDWOWP"

REM Remove Any Assigned Permissions To Domain Admins, Then Re-Assign Allow:Generic Read, Write DACL, Write Owner, Write Property
DSACLS "%TEMPLATEDN%" /R "Domain Admins"
DSACLS "%TEMPLATEDN%" /G "Domain Admins:GRWDWOWP"

REM Remove Any Assigned Permissions To SYSTEM, Then Re-Assign Allow:Generic Read, Write DACL, Write Owner, Write Property
DSACLS "%TEMPLATEDN%" /R "SYSTEM"
DSACLS "%TEMPLATEDN%" /G "SYSTEM:GRWDWOWP"

REM Assign A Custom Group Allow:Enroll (Control Access Right "Enroll"); AutoEnroll Is Not Needed For The OCSP Service
DSACLS "%TEMPLATEDN%" /G "GRP_R2_PKI-CertTmplt-Subscr-OCSPResponseSigning:CA;Enroll"

The last line assigns a custom group Allow:Enroll permissions. It is NOT needed to assign AutoEnroll permissions! The command that disables inheritance and copies the inherited permissions to become explicit permissions keeps Authenticated Users with Allow:Read. By making the computer account of my OCSP server a member of that custom group, OCSP Response Signing certificates are automatically enrolled by the OCSP service (the Online Responder service runs as Network Service and therefore enrolls as the computer account).
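To verify what the DSACLS commands above actually produced, here is an added PowerShell example (my code, not from the original post) that lists every ACE on a certificate template granting Enroll or AutoEnroll and flags broad principals. It assumes the ActiveDirectory module and its AD: drive are available on the machine you run it from; the template name is the one from the ADMOD command above, and the list of "broad" principals is an assumption to adapt to your own policy.

```powershell
# Added example: audit the Enroll / AutoEnroll ACEs on a certificate template.
# Requires the ActiveDirectory module (for Get-ADRootDSE and the AD: drive).
Import-Module ActiveDirectory

# Extended-right GUIDs used on pKICertificateTemplate objects
$EnrollRight     = [Guid]"0e10c968-78fb-11d2-90d4-00c04f79dc55"   # Certificate-Enrollment
$AutoEnrollRight = [Guid]"a05b8cc2-17bc-4802-a710-e7c15ab866a2"   # Certificate-AutoEnrollment
$AllRights       = [Guid]"00000000-0000-0000-0000-000000000000"   # ACE covering every extended right

# Principals that should not hold Enroll on an OCSP signing template (assumption: adapt to your policy)
$BroadPrincipals = @("Authenticated Users", "Everyone", "Domain Computers", "Domain Users")

Function Get-CertTemplateEnrollAces {
    Param([Parameter(Mandatory = $true)][string]$TemplateName)

    $configNC   = (Get-ADRootDSE).configurationNamingContext
    $templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $acl        = Get-Acl -Path "AD:\$templateDN"

    Foreach ($ace in $acl.Access) {
        # Enroll/AutoEnroll are control access rights, so only ExtendedRight (or GenericAll, which includes it) ACEs matter
        If (-not ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) { Continue }

        If     ($ace.ObjectType -eq $EnrollRight)     { $right = "Enroll" }
        ElseIf ($ace.ObjectType -eq $AutoEnrollRight) { $right = "AutoEnroll" }
        ElseIf ($ace.ObjectType -eq $AllRights)       { $right = "AllExtendedRights" }   # Implies Enroll And AutoEnroll
        Else                                          { Continue }                       # Some other control access right

        $identity = $ace.IdentityReference.Value   # e.g. "ADCORP\GRP_R2_PKI-CertTmplt-Subscr-OCSPResponseSigning"
        $isBroad  = [bool]($BroadPrincipals | Where-Object { $identity -like "*\$_" -or $identity -eq $_ })

        [PSCustomObject]@{
            Template  = $TemplateName
            Identity  = $identity
            Right     = $right
            Type      = $ace.AccessControlType   # Allow / Deny
            Inherited = $ace.IsInherited         # Should be $false for every ACE after DSACLS /P:Y
            Broad     = $isBroad
        }
    }
}

# Usage: the template created by the ADMOD command above
Get-CertTemplateEnrollAces -TemplateName "OCSPResponseSigning_v20" | Format-Table -AutoSize
```

After the DSACLS script above, the expected picture is: the custom group with Enroll, no AutoEnroll ACE at all, nothing inherited, and no row with Broad = True (Authenticated Users keeps only Read, which does not show up here because it is not an extended right).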

The second last thing to do is to configure the CA to issue certificates based on the custom “OCSP Response Signing” certificate template. The last thing to do is to configure OCSP with revocation information for the installed CA (see: Designing And Implementing An OCSP Responder (Series)).

So as soon as you have configured the revocation information for that specific CA (also see the series: Automated/Unattended Installation Of OCSP) and you clicked Refresh, it should tell you it got a new signing certificate. Unfortunately, in this case it does not. No certificate is being enrolled! Damn!

This is what you will see continuously.

Figure 3: The Online Responder Configuration – Error “Bad Signing Certificate On Array Controller”

Figure 4: The Online Responder Configuration – Error “Signing Certificate: Not Found”

When looking at the Application Event Log, you will see…

Figure 5: The Online Responder Service – Error “0x80092006: No Provider Was Specified For The Store Or Object”

Figure 6: The Online Responder Service – Error “0x80092006: No Provider Was Specified For The Store Or Object”

Neither error gives a clear hint of what is wrong.

The only thing I remembered was that when I used the default “OCSP Response Signing” certificate template everything worked like a charm! Trouble started when I used my duplicated/custom certificate template. So, the first task was to compare the settings of both! You can do the same by comparing figure 1 above and figure 7 below.


Figure 7: The Settings Of The Original “OCSP Response Signing” Certificate Template

Besides the “msPKI-Cert-Template-OID” attribute value being different, there is another difference! The original “OCSP Response Signing” Certificate Template DOES NOT specify a CSP, while the duplicate “OCSP Response Signing” Certificate Template does. So, where did that go wrong!?

In the GUI this looks like….


Figure 8: The Cryptography Settings Of The Default (Left) And The Duplicated (Right) “OCSP Response Signing” Certificate Template

The only thing to do here is changing the cryptographic settings of the duplicated “OCSP Response Signing” Certificate Template to match those of the original “OCSP Response Signing” Certificate Template.

Figure 9: The Online Responder Configuration – “Working”

Figure 10: The Online Responder Configuration – “Signing Certificate: OK”

Figure 11: The Online Responder Configuration – Certificate Enrolled

Figure 12: The Online Responder Configuration – Certificate (Re)Loaded

Explanation of what went wrong….

As I said, I was scripting the creation of certificate templates. While I was copying information around I copied the text "pKIDefaultCSPs:++:1,Microsoft Enhanced Cryptographic Provider v1.0" into the command line that creates the duplicated “OCSP Response Signing” certificate template. I SHOULD NOT have done that! That one attribute generated the errors shown above and cost lots of time to troubleshoot. Note that the duplicated template is a schema version 3 template (msPKI-Template-Schema-Version::3, i.e. a CNG template), while “Microsoft Enhanced Cryptographic Provider v1.0” is a legacy CAPI CSP and not a key storage provider, which is consistent with the “No provider was specified for the store or object” (0x80092006) error logged by the Online Responder service.

So in the previous ADMOD command the part "pKIDefaultCSPs:++:1,Microsoft Enhanced Cryptographic Provider v1.0" MUST be removed! With pKIDefaultCSPs left empty, as on the built-in template, the enrolling client picks a provider that suits the template.

Just a stupid copy/paste mistake.
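Comparing two templates by eye in ADSIEDIT is what took the time here. As an added example (my code, not from the original post), the following PowerShell reads the cryptography-related attributes of two templates straight from the Configuration NC, prints every difference, and warns about exactly the combination above: a provider that is not a Key Storage Provider listed in pKIDefaultCSPs on a schema version 3 template. It uses only System.DirectoryServices, so no module is required; the template names are the ones from this post and the "legacy CSP" test is a name-based heuristic.

```powershell
# Added example: compare the cryptography-related attributes of two certificate templates
# and flag a legacy CAPI CSP on a schema-version-3 (CNG) template.

Function Get-CertTemplateCryptoSettings {
    Param([Parameter(Mandatory = $true)][string]$TemplateName)   # The template's cn, e.g. OCSPResponseSigning_v20

    $configNC = ([ADSI]"LDAP://RootDSE").configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $searcher.Filter = "(&(objectClass=pKICertificateTemplate)(cn=$TemplateName))"   # Template cn values need no LDAP escaping
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@(
        "cn", "msPKI-Template-Schema-Version", "pKIDefaultCSPs", "msPKI-Minimal-Key-Size",
        "pKIExtendedKeyUsage", "msPKI-Cert-Template-OID"))
    $result = $searcher.FindOne()
    If ($result -eq $null) { Throw "Certificate template '$TemplateName' not found under $configNC" }

    $p = $result.Properties   # Keys are lower-case; absent attributes come back as empty collections
    [PSCustomObject]@{
        Name          = [string]$p["cn"][0]
        SchemaVersion = [int]$p["mspki-template-schema-version"][0]
        DefaultCSPs   = @($p["pkidefaultcsps"] | ForEach-Object { [string]$_ })   # Empty on the built-in OCSP Response Signing template
        MinKeySize    = [int]$p["mspki-minimal-key-size"][0]
        EKUs          = @($p["pkiextendedkeyusage"] | ForEach-Object { [string]$_ })
        TemplateOID   = [string]$p["mspki-cert-template-oid"][0]
    }
}

Function Compare-CertTemplateCryptoSettings {
    Param([Parameter(Mandatory = $true)][string]$Original, [Parameter(Mandatory = $true)][string]$Duplicate)

    $a = Get-CertTemplateCryptoSettings -TemplateName $Original
    $b = Get-CertTemplateCryptoSettings -TemplateName $Duplicate

    # Report every attribute that differs (the template OID is expected to differ)
    Foreach ($prop in "SchemaVersion", "DefaultCSPs", "MinKeySize", "EKUs", "TemplateOID") {
        $va = @($a.$prop) -join ";"
        $vb = @($b.$prop) -join ";"
        If ($va -ne $vb) { "{0}: {1}=[{2}]  {3}=[{4}]" -f $prop, $a.Name, $va, $b.Name, $vb }
    }

    # Heuristic: on a schema version 3 (CNG) template every listed provider should be a Key Storage Provider
    $legacy = @($b.DefaultCSPs | Where-Object { $_ -notmatch "Key Storage Provider" })
    If ($b.SchemaVersion -ge 3 -and $legacy.Count -gt 0) {
        Write-Warning ("Template '{0}' is schema version {1} (CNG) but pKIDefaultCSPs lists a legacy CSP: {2}" -f $b.Name, $b.SchemaVersion, ($legacy -join ", "))
    }
}

# Usage: the built-in template versus the duplicate created with ADMOD above
Compare-CertTemplateCryptoSettings -Original "OCSPResponseSigning" -Duplicate "OCSPResponseSigning_v20"
```

Run against the template as created by the ADMOD command above, the warning fires on "1,Microsoft Enhanced Cryptographic Provider v1.0"; after the fix the DefaultCSPs line disappears from the differences and only TemplateOID remains.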

Cheers,

Jorge


Posted in Active Directory Certificate Services (ADCS), Certificate Templates, OCSP | Leave a Comment »

(2013-08-29) Automated/Unattended Installation Of OCSP (Part 6)

Posted by Jorge on 2013-08-29


Click here for part 5

Make sure to select YOUR preferred Array Controller and afterwards synchronize all OCSP Array Members with the OCSP Array Controller. To select a different OCSP Array Controller later, select the OCSP Array Member that will become the OCSP Array Controller and choose the option “Set As Array Controller”.


Figure 1: Configuring A New Array Controller

To synchronize the array members with the array controller, select the node “Array Configuration” and right-click it and select the option “Synchronize Members With Array Controller”


Figure 2: Synchronizing The Array Members With The Array Controller

Everything is up and running. To test OCSP you need a certificate that has been issued to some entity by the CA. After exporting the certificate to a CER file, you can use the following command to test OCSP:

CERTUTIL -URL <CER file>

If you are using a PowerShell Command Prompt window, type: & 'CERTUTIL' -URL .\<CER file>

Check (on the right side) “OCSP (from AIA)” and click “Retrieve”.


Figure 3: Testing OCSP
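The CERTUTIL -URL dialog is interactive. As an added example (my code, not from the original series), the following PowerShell function performs the same kind of check non-interactively: it builds the certificate chain through the Windows chain engine with online revocation checking and returns the chain status, so it can run from a scheduled task against each OCSP array member. It relies on the certificate's AIA extension pointing at the responder, exactly like the dialog; the CER path is an assumption.

```powershell
# Added example: non-interactive revocation check of an issued certificate through the Windows
# chain engine (the same engine CERTUTIL -URL uses). Returns one object per certificate tested.
Function Test-CertificateRevocationOnline {
    Param(
        [Parameter(Mandatory = $true)][string]$CerPath,   # Exported certificate (.cer) issued by the CA (assumption)
        [switch]$EntireChain                              # Also check the issuing CA certificate(s), not only the leaf
    )
    $X509  = "System.Security.Cryptography.X509Certificates"
    $cert  = New-Object "$X509.X509Certificate2" -ArgumentList $CerPath
    $chain = New-Object "$X509.X509Chain"

    # Force an online revocation check; without this the engine may answer from its local cache only
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = If ($EntireChain) {
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    } Else {
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EndCertificateOnly
    }
    $chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15
    $chain.ChainPolicy.VerificationFlags   = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

    $valid       = $chain.Build($cert)
    $statusNames = @($chain.ChainStatus | ForEach-Object { [string]$_.Status })   # Empty when everything is fine
    $statusText  = @($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })

    [PSCustomObject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        ChainValid = $valid
        Revoked    = $statusNames -contains "Revoked"
        # RevocationStatusUnknown / OfflineRevocation: the client could reach neither the OCSP responder nor a CRL
        RevocationReachable = -not ($statusNames -contains "RevocationStatusUnknown" -or $statusNames -contains "OfflineRevocation")
        Status     = $statusNames -join ", "
        Detail     = $statusText -join " | "
    }
    $chain.Reset()
}

# Usage: path of the exported certificate is an assumption
Test-CertificateRevocationOnline -CerPath ".\issued-cert.cer" -EntireChain | Format-List
```

One caveat: the chain engine falls back to the CRL when the responder does not answer, so ChainValid = True on its own does not prove that OCSP was used. When you need to know which source answered, use the CERTUTIL -URL dialog above or the responder's IIS logs, and clear the client's cached responses first (certutil -urlcache * delete) when re-testing after a change.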

Cheers,
Jorge

Posted in Active Directory Certificate Services (ADCS), OCSP, PowerShell, Tooling/Scripting | 1 Comment »

(2013-08-28) Automated/Unattended Installation Of OCSP (Part 5)

Posted by Jorge on 2013-08-28


Click here for part 4

When using option [1] or [2], let's assume you want more than one OCSP server servicing the revocation configurations of each configured CA. After adding all revocation configurations you can add more OCSP members to the OCSP array. The first OCSP server hosting the revocation configurations is by default the array controller when additional OCSP members are added to the array. So this action, or the following script, needs to be executed on the OCSP array controller.

REMARK: A “BIG THANK YOU!” goes to Vadim Podans for helping me out in defining the correct format of the values being written to the ArrayMembers property.

# Get The Info Of The Local Server
$computerSystem = Get-WmiObject -Class Win32_ComputerSystem
$ocspServerFQDN = $computerSystem.Name + "." + $computerSystem.Domain

# Put The OCSP Configuration In An Object
$ocspAdmin = New-Object -ComObject "CertAdm.OCSPAdmin"
$ocspAdmin.GetConfiguration($ocspServerFQDN, $true)

# Retrieve The Current OCSP Array Member(s) (Service Property At Index 2 = ArrayMembers)
$currentArrayMembers = $ocspAdmin.OCSPServiceProperties.Item(2).Value

# Define The ADDITIONAL OCSP Array Members
$newArrayMembers = @("R2FSMBSV2.ADDMZ.LAN")

# Define The Total List Of Array Members
# (Wrap Both Sides In @() So A Single Current Member Is Not Treated As A String And Concatenated)
[string[]]$totalListArrayMembers = @($currentArrayMembers) + @($newArrayMembers)

# Write The New Total List Of Array Members (Must Be A String Array)
$ocspAdmin.OCSPServiceProperties.Item(2).Value = $totalListArrayMembers

# Commit The Changes
$ocspAdmin.SetConfiguration($ocspServerFQDN, $true)


Figure 1: Configuring Additional OCSP Array Members On The Array Controller

Now open/start the “Online Responder Management” MMC. You will immediately get an array controller mismatch message as shown below


Figure 2: Array Controller Mismatch Message

Continued in part 6 “(2013-08-29) Automated/Unattended Installation Of OCSP (Part 6)

Cheers,

Jorge


Posted in Active Directory Certificate Services (ADCS), OCSP, PowerShell, Tooling/Scripting | 2 Comments »

(2013-08-27) Automated/Unattended Installation Of OCSP (Part 4)

Posted by Jorge on 2013-08-27


Click here for part 3

This post will explain how to configure revocation information through option [3] (Use The CA Certificate For The Revocation Information) for each ENTERPRISE CA found in AD.

Figure 1: Configuring Revocation Configuration And Choosing The CA Certificate As The Signing Certificate

This option can only be used when OCSP is installed on the same server as the CA that the OCSP responder services, because the responses are signed with the CA's own key.

# Import The PSPKI Module (Get It At: http://pspki.codeplex.com/)
Import-Module PSPKI

# Get The Info Of The Local Server
$computerSystem = Get-WmiObject -Class Win32_ComputerSystem
$domainName = $computerSystem.Domain
$ocspServerFQDN = $computerSystem.Name + "." + $domainName

# Get The Local CA (This Option Requires The CA And OCSP On The Same Server)
$localCA = Connect-CA -ComputerName $ocspServerFQDN

# For The Local CA Create Revocation Configuration
# Get The CA Name, Server Name And Certificate
$caName = $localCA.DisplayName
$caServerName = $localCA.ComputerName
$caCert = $localCA.Certificate
$caCertRawData = $caCert.RawData

# Define The OCSP Name
$ocspName = "OCSP For " + $caName + " (" + $caServerName + ")"

# Configure The Revocation Provider Properties In A Property Collection Object For This CA
$ocspProperties = New-Object -ComObject "CertAdm.OCSPPropertyCollection"
$baseCrl  = "http://pki." + $domainName.ToLower() + "/pki/" + $caName.ToLower() + ".crl"
$deltaCrl = "http://pki." + $domainName.ToLower() + "/pki/" + $caName.ToLower() + "+.crl"
$ocspProperties.CreateProperty("BaseCrlUrls", $baseCrl)
$ocspProperties.CreateProperty("DeltaCrlUrls", $deltaCrl)
$ocspProperties.CreateProperty("RevocationErrorCode", 0)
#$ocspProperties.CreateProperty("RefreshTimeOut", 3600000) # Update CRLs At This Refresh Interval

# Configure The OCSP Signing Flags To Sign Responses With The CA Certificate Itself
# http://msdn.microsoft.com/en-us/library/windows/desktop/aa386387(v=vs.85).aspx
$OCSP_SF_SILENT = 0x001
$OCSP_SF_USE_CACERT = 0x002
$OCSP_SF_FORCE_SIGNINGCERT_ISSUER_ISCA = 0x008
$OCSP_SF_RESPONDER_ID_KEYHASH = 0x040
$ocspSigningFlags = $OCSP_SF_SILENT -bor $OCSP_SF_USE_CACERT -bor $OCSP_SF_FORCE_SIGNINGCERT_ISSUER_ISCA -bor $OCSP_SF_RESPONDER_ID_KEYHASH

# Read The Current OCSP Configuration Into An Object
$ocspAdmin = New-Object -ComObject "CertAdm.OCSPAdmin"
$ocspAdmin.GetConfiguration($ocspServerFQDN, $True)

# Create New Revocation Configuration
$ocspConfig = $ocspAdmin.OCSPCAConfigurationCollection.CreateCAConfiguration($ocspName, $caCertRawData)
$ocspConfig.HashAlgorithm = "SHA1"   # Hash Used To Sign Responses; Prefer "SHA256" Where Your Clients Support It
$ocspConfig.SigningFlags = $ocspSigningFlags
$ocspConfig.ProviderProperties = $ocspProperties.GetAllProperties()
$ocspConfig.ProviderCLSID = "{4956d17f-88fd-4198-b287-1e6e65883b19}"   # Default CRL-Based Revocation Provider
$ocspConfig.ReminderDuration = 90

# Commit The New Revocation Configuration
$ocspAdmin.SetConfiguration($ocspServerFQDN, $True)

Figure 2a: Configuring Revocation Configuration For The Local Enterprise CA

Figure 2b: Configuring Revocation Configuration For Every Enterprise CA Found In AD

After the configuration lets fetch the OCSP Revocation Configuration by issuing the following command:

# Get The Info Of The Local Server
$computerSystem = Get-WmiObject -Class Win32_ComputerSystem
$ocspServerFQDN = $computerSystem.Name + "." + $computerSystem.Domain

# Get The Renewed OCSP Configuration
$ocspAdmin = New-Object -ComObject "CertAdm.OCSPAdmin"
$ocspAdmin.GetConfiguration($ocspServerFQDN, $True)
$ocspAdmin.OCSPCAConfigurationCollection
$ocspAdmin.OCSPServiceProperties


Figure 3: Retrieving The Revocation Configuration Properties And The Service Properties

Continued in part 5 “(2013-08-28) Automated/Unattended Installation Of OCSP (Part 5)

Cheers,

Jorge


Posted in Active Directory Certificate Services (ADCS), OCSP, PowerShell, Tooling/Scripting | 2 Comments »

(2013-08-26) Automated/Unattended Installation Of OCSP (Part 3)

Posted by Jorge on 2013-08-26


Click here for part 2

This post will explain how to configure revocation information through option [2] (Manually Select A Signing Certificate) for each ENTERPRISE CA found in AD. 


Figure 1: Configuring Revocation Configuration And Choosing To Manually Select A Signing Certificate

# Import The PSPKI Module (Get It At: http://pspki.codeplex.com/)
Import-Module PSPKI

# Get The Info Of The Local Server
$computerSystem = Get-WmiObject -Class Win32_ComputerSystem
$domainName = $computerSystem.Domain
$ocspServerFQDN = $computerSystem.Name + "." + $domainName

# Get All The Enterprise CAs Published In AD
$enterpriseCAs = Get-CA | Where-Object { $_.Type -match "Enterprise" }

# For Every CA Create Revocation Configuration
$enterpriseCAs | ForEach-Object {
    # Get The CA Name, Server Name And Certificate
    $caName = $_.DisplayName
    $caServerName = $_.ComputerName
    $caCert = $_.Certificate
    $caCertRawData = $caCert.RawData

    # Define The OCSP Name
    $ocspName = "OCSP For " + $caName + " (" + $caServerName + ")"

    # Configure The Revocation Provider Properties In A Property Collection Object For This CA
    $ocspProperties = New-Object -ComObject "CertAdm.OCSPPropertyCollection"
    $baseCrl  = "http://pki." + $domainName.ToLower() + "/pki/" + $caName.ToLower() + ".crl"
    $deltaCrl = "http://pki." + $domainName.ToLower() + "/pki/" + $caName.ToLower() + "+.crl"
    $ocspProperties.CreateProperty("BaseCrlUrls", $baseCrl)
    $ocspProperties.CreateProperty("DeltaCrlUrls", $deltaCrl)
    $ocspProperties.CreateProperty("RevocationErrorCode", 0)
    #$ocspProperties.CreateProperty("RefreshTimeOut", 3600000) # Update CRLs At This Refresh Interval

    # Configure The OCSP Signing Flags For A Manually Assigned Signing Cert
    # http://msdn.microsoft.com/en-us/library/windows/desktop/aa386387(v=vs.85).aspx
    $OCSP_SF_SILENT = 0x001
    $OCSP_SF_MANUAL_ASSIGN_SIGNINGCERT = 0x020
    $OCSP_SF_RESPONDER_ID_KEYHASH = 0x040
    $ocspSigningFlags = $OCSP_SF_SILENT -bor $OCSP_SF_MANUAL_ASSIGN_SIGNINGCERT -bor $OCSP_SF_RESPONDER_ID_KEYHASH

    # Read The Current OCSP Configuration Into An Object
    $ocspAdmin = New-Object -ComObject "CertAdm.OCSPAdmin"
    $ocspAdmin.GetConfiguration($ocspServerFQDN, $True)

    # Create New Revocation Configuration
    $ocspConfig = $ocspAdmin.OCSPCAConfigurationCollection.CreateCAConfiguration($ocspName, $caCertRawData)
    $ocspConfig.HashAlgorithm = "SHA1"   # Hash Used To Sign Responses; Prefer "SHA256" Where Your Clients Support It
    $ocspConfig.SigningFlags = $ocspSigningFlags
    $ocspConfig.ProviderProperties = $ocspProperties.GetAllProperties()
    $ocspConfig.ProviderCLSID = "{4956d17f-88fd-4198-b287-1e6e65883b19}"   # Default CRL-Based Revocation Provider
    $ocspConfig.ReminderDuration = 90

    # Commit The New Revocation Configuration
    $ocspAdmin.SetConfiguration($ocspServerFQDN, $True)
}

 

Figure 2a: Configuring Revocation Configuration For Every Enterprise CA Found In AD

Figure 2b: Configuring Revocation Configuration For Every Enterprise CA Found In AD

Now before continuing MANUALLY assign a certificate to the OCSP Revocation Configuration. Do this through the “Online Responder Management” MMC. You must do this for EVERY OCSP Array Member. The certificate that will be used must have the “OCSP Signing” Enhanced Key Usage Extension.

After the configuration lets fetch the OCSP Revocation Configuration by issuing the following command:

# Get The Info Of The Local Server
$computerSystem = Get-WmiObject -Class Win32_ComputerSystem
$ocspServerFQDN = $computerSystem.Name + "." + $computerSystem.Domain

# Get The Renewed OCSP Configuration
$ocspAdmin = New-Object -ComObject "CertAdm.OCSPAdmin"
$ocspAdmin.GetConfiguration($ocspServerFQDN, $True)
$ocspAdmin.OCSPCAConfigurationCollection
$ocspAdmin.OCSPServiceProperties


Figure 3: Retrieving The Revocation Configuration Properties And The Service Properties

Continued in part 4 “(2013-08-27) Automated/Unattended Installation Of OCSP (Part 4)

Cheers,

Jorge


Posted in Active Directory Certificate Services (ADCS), OCSP, PowerShell, Tooling/Scripting | 2 Comments »

(2013-08-25) Automated/Unattended Installation Of OCSP (Part 2)

Posted by Jorge on 2013-08-25


Click here for part 1

This post will explain how to configure revocation information through option [1] (Automatically Select A Signing Certificate) for each ENTERPRISE CA found in AD.


Figure 1: Configuring Revocation Configuration And Choosing To Automatically Select A Signing Certificate

# Import The PSPKI Module (Get It At: http://pspki.codeplex.com/)
Import-Module PSPKI

# Get The Info Of The Local Server
$computerSystem = Get-WmiObject -Class Win32_ComputerSystem
$domainName = $computerSystem.Domain
$ocspServerFQDN = $computerSystem.Name + "." + $domainName

# Get All The Enterprise CAs Published In AD
$enterpriseCAs = Get-CA | Where-Object { $_.Type -match "Enterprise" }

# For Every CA Create Revocation Configuration
$enterpriseCAs | ForEach-Object {
    # Get The CA Name, Server Name, Config String And Certificate
    $caName = $_.DisplayName
    $caServerName = $_.ComputerName
    $caConfigString = $_.ConfigString
    $caCert = $_.Certificate
    $caCertRawData = $caCert.RawData

    # Define The OCSP Name
    $ocspName = "OCSP For " + $caName + " (" + $caServerName + ")"

    # Get The OCSP Signing Certificate Template Published By The CA
    # (Reset Per CA, Otherwise A Template Found For The Previous CA Would Be Reused For This One)
    $ocspCertTemplateName = $null
    ($_ | Get-CATemplate).Templates | ForEach-Object {
        $certTemplate = Get-CertificateTemplate -DisplayName $_.DisplayName
        $enhancedKeyUsageFound = $certTemplate.Settings.EnhancedKeyUsage | Where-Object { $_.FriendlyName -eq "OCSP Signing" }
        If ($enhancedKeyUsageFound -ne $null) { $ocspCertTemplateName = $certTemplate.Name }
    }
    If (!$ocspCertTemplateName) {
        Write-Warning "CA '$caName' Publishes No Certificate Template With The 'OCSP Signing' EKU - Skipping This CA"
        return   # Continue With The Next CA (A 'Break' Here Would Stop The Whole Pipeline)
    }

    # Configure The Revocation Provider Properties In A Property Collection Object For This CA
    $ocspProperties = New-Object -ComObject "CertAdm.OCSPPropertyCollection"
    $baseCrl  = "http://pki." + $domainName.ToLower() + "/pki/" + $caName.ToLower() + ".crl"
    $deltaCrl = "http://pki." + $domainName.ToLower() + "/pki/" + $caName.ToLower() + "+.crl"
    $ocspProperties.CreateProperty("BaseCrlUrls", $baseCrl)
    $ocspProperties.CreateProperty("DeltaCrlUrls", $deltaCrl)
    $ocspProperties.CreateProperty("RevocationErrorCode", 0)
    #$ocspProperties.CreateProperty("RefreshTimeOut", 3600000) # Update CRLs At This Refresh Interval

    # Configure The OCSP Signing Flags To Automatically Select (And Auto-Enroll) A Signing Cert
    # http://msdn.microsoft.com/en-us/library/windows/desktop/aa386387(v=vs.85).aspx
    $OCSP_SF_SILENT = 0x001
    $OCSP_SF_ALLOW_SIGNINGCERT_AUTORENEWAL = 0x004
    $OCSP_SF_FORCE_SIGNINGCERT_ISSUER_ISCA = 0x008
    $OCSP_SF_AUTODISCOVER_SIGNINGCERT = 0x010
    $OCSP_SF_RESPONDER_ID_KEYHASH = 0x040
    $OCSP_SF_ALLOW_SIGNINGCERT_AUTOENROLLMENT = 0x200
    $ocspSigningFlags = $OCSP_SF_SILENT -bor $OCSP_SF_ALLOW_SIGNINGCERT_AUTORENEWAL -bor $OCSP_SF_FORCE_SIGNINGCERT_ISSUER_ISCA -bor $OCSP_SF_AUTODISCOVER_SIGNINGCERT -bor $OCSP_SF_RESPONDER_ID_KEYHASH -bor $OCSP_SF_ALLOW_SIGNINGCERT_AUTOENROLLMENT

    # Read The Current OCSP Configuration Into An Object
    $ocspAdmin = New-Object -ComObject "CertAdm.OCSPAdmin"
    $ocspAdmin.GetConfiguration($ocspServerFQDN, $True)

    # Create New Revocation Configuration
    $ocspConfig = $ocspAdmin.OCSPCAConfigurationCollection.CreateCAConfiguration($ocspName, $caCertRawData)
    $ocspConfig.CAConfig = $caConfigString                           # CA To Auto-Enroll The Signing Cert From
    $ocspConfig.SigningCertificateTemplate = $ocspCertTemplateName   # Template Name (cn), Not Its Display Name
    $ocspConfig.HashAlgorithm = "SHA1"   # Hash Used To Sign Responses; Prefer "SHA256" Where Your Clients Support It
    $ocspConfig.SigningFlags = $ocspSigningFlags
    $ocspConfig.ProviderProperties = $ocspProperties.GetAllProperties()
    $ocspConfig.ProviderCLSID = "{4956d17f-88fd-4198-b287-1e6e65883b19}"   # Default CRL-Based Revocation Provider
    $ocspConfig.ReminderDuration = 90

    # Commit The New Revocation Configuration
    $ocspAdmin.SetConfiguration($ocspServerFQDN, $True)
}

Figure 2a: Configuring Revocation Configuration For Every Enterprise CA Found In AD

Figure 2b: Configuring Revocation Configuration For Every Enterprise CA Found In AD

Figure 2c: Configuring Revocation Configuration For Every Enterprise CA Found In AD

After the configuration lets fetch the OCSP Revocation Configuration by issuing the following command:

# Get The Info Of The Local Server
$computerSystem = Get-WmiObject -Class Win32_ComputerSystem
$ocspServerFQDN = $computerSystem.Name + "." + $computerSystem.Domain

# Get The Renewed OCSP Configuration
$ocspAdmin = New-Object -ComObject "CertAdm.OCSPAdmin"
$ocspAdmin.GetConfiguration($ocspServerFQDN, $True)
$ocspAdmin.OCSPCAConfigurationCollection
$ocspAdmin.OCSPServiceProperties


Figure 3: Retrieving The Revocation Configuration Properties And The Service Properties
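The SigningFlags value that the fetch command prints is just a number, and parts 2, 3 and 4 each set a different combination. As an added example (my code, not from the original series), the following PowerShell decodes that bitmask back into the OCSP_SF_* names used in the scripts of those three parts and points out two configurations that cannot work: auto-enrollment (option [1]) without a template and CA config, and manual assignment (option [2]) on a member where no certificate has been assigned yet. It reads through the same CertAdm.OCSPAdmin COM object; run it as an administrator on an OCSP array member. The flag values come from the OCSPSigningFlags enumeration linked in the scripts (the two not used on this page, RESPONDER_ID_NAME and ALLOW_NONCE_EXTENSION, are included from that same reference).

```powershell
# Added example: decode the SigningFlags of every revocation configuration on the local
# Online Responder and flag combinations that cannot work.

# Values from the OCSPSigningFlags enumeration (MSDN aa386387). Plain hashtable on purpose:
# an [ordered] dictionary would treat an integer index as a position, not a key.
$OcspSigningFlagNames = @{
    0x001 = "OCSP_SF_SILENT"
    0x002 = "OCSP_SF_USE_CACERT"
    0x004 = "OCSP_SF_ALLOW_SIGNINGCERT_AUTORENEWAL"
    0x008 = "OCSP_SF_FORCE_SIGNINGCERT_ISSUER_ISCA"
    0x010 = "OCSP_SF_AUTODISCOVER_SIGNINGCERT"
    0x020 = "OCSP_SF_MANUAL_ASSIGN_SIGNINGCERT"
    0x040 = "OCSP_SF_RESPONDER_ID_KEYHASH"
    0x080 = "OCSP_SF_RESPONDER_ID_NAME"
    0x100 = "OCSP_SF_ALLOW_NONCE_EXTENSION"
    0x200 = "OCSP_SF_ALLOW_SIGNINGCERT_AUTOENROLLMENT"
}

Function ConvertFrom-OcspSigningFlags {
    Param([Parameter(Mandatory = $true)][int]$Flags)
    $names = @(Foreach ($bit in ($OcspSigningFlagNames.Keys | Sort-Object)) {
        If ($Flags -band $bit) { $OcspSigningFlagNames[$bit] }
    })
    $known = 0
    Foreach ($bit in $OcspSigningFlagNames.Keys) { $known = $known -bor $bit }
    If ($Flags -band (-bnot $known)) { $names += ("UNKNOWN(0x{0:X})" -f ($Flags -band (-bnot $known))) }
    $names
}

Function Get-OcspRevocationConfigurationReport {
    Param([string]$OcspServerFQDN = $((Get-WmiObject -Class Win32_ComputerSystem).Name + "." + (Get-WmiObject -Class Win32_ComputerSystem).Domain))

    $ocspAdmin = New-Object -ComObject "CertAdm.OCSPAdmin"
    $ocspAdmin.GetConfiguration($OcspServerFQDN, $true)

    Foreach ($cfg in $ocspAdmin.OCSPCAConfigurationCollection) {
        $flags  = ConvertFrom-OcspSigningFlags -Flags $cfg.SigningFlags
        $issues = @()
        # Option [1]: auto-enrollment only works when the responder knows which CA and template to use
        If (($flags -contains "OCSP_SF_ALLOW_SIGNINGCERT_AUTOENROLLMENT") -and (-not $cfg.SigningCertificateTemplate -or -not $cfg.CAConfig)) {
            $issues += "auto-enrollment set but SigningCertificateTemplate or CAConfig is empty"
        }
        # Option [2]: stays at 'Signing Certificate: Not Found' until a certificate is assigned on each array member
        If (($flags -contains "OCSP_SF_MANUAL_ASSIGN_SIGNINGCERT") -and ($cfg.SigningCertificate -eq $null)) {
            $issues += "manual assignment set but no signing certificate assigned on this member"
        }
        If ($cfg.HashAlgorithm -eq "SHA1") { $issues += "responses signed with SHA1; consider SHA256 (see the SHA1 deprecation post)" }

        [PSCustomObject]@{
            Name     = $cfg.Identifier
            HashAlg  = $cfg.HashAlgorithm
            Template = $cfg.SigningCertificateTemplate
            CAConfig = $cfg.CAConfig
            Flags    = $flags -join ", "
            Issues   = $issues -join "; "
        }
    }
}

Get-OcspRevocationConfigurationReport | Format-List
```

For a configuration created by the part 2 script the Flags column reads SILENT, ALLOW_SIGNINGCERT_AUTORENEWAL, FORCE_SIGNINGCERT_ISSUER_ISCA, AUTODISCOVER_SIGNINGCERT, RESPONDER_ID_KEYHASH and ALLOW_SIGNINGCERT_AUTOENROLLMENT (0x25D); the part 3 script yields 0x061 and the part 4 script 0x04B.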

Continued in part 3 “(2013-08-26) Automated/Unattended Installation Of OCSP (Part 3)

Cheers,

Jorge


Posted in Active Directory Certificate Services (ADCS), OCSP, PowerShell, Tooling/Scripting

(2013-08-24) Automated/Unattended Installation Of OCSP (Part 1)

Posted by Jorge on 2013-08-24


In W2K8R2 (although not tested, it will most likely also apply to higher OS versions) three methods exist to install the Online Responder, the Windows implementation of the Online Certificate Status Protocol (OCSP). The three methods are:

  1. Through the Server Manager console by installing the ADCS role service called “Online Responder”
  2. Through the Server Manager command line “ServerManagerCMD.exe” utility by executing the command: ServerManagerCMD -install ADCS-Online-Cert
  3. Through the PowerShell CMDlet “Add-WindowsFeature” by executing the powershell command: Add-WindowsFeature ADCS-Online-Cert

Unfortunately the three methods do not behave consistently. I have come to learn that only method [1] performs all tasks required to get OCSP up and running in one go. Methods [2] and [3] install the binaries, but “forget” to execute the following remaining tasks:

  • Creation and configuration of the OCSP virtual directory (application)
  • Creation and configuration of the OCSP application pool (with Network Service as the user account)
  • Creation and configuration of the OCSP ISAPI filter
  • Configuration of the NTFS permissions on the physical path used by the virtual directory

Because of that, if you want to automate this, you need to perform the remaining tasks yourself to complete the installation/configuration. The goal of this series of posts is to show you how to install and configure OCSP in Windows Server 2008 R2 in an unattended manner. So let’s get started.

To install the OCSP binaries execute the following commands. They will also install any required components:

# Installing The OCSP Binaries
Import-Module ServerManager
Add-WindowsFeature ADCS-Online-Cert

Figure 1: Installing The OCSP Binaries And Any Other Required Components

Next you need to issue a CERTUTIL command that creates and configures the OCSP Virtual Directory (application), the OCSP application pool and the OCSP ISAPI filter. For that issue the following command:

# Installing/Configuring OCSP Virtual Directory
# Installing/Configuring OCSP Application Pool
# Installing/Configuring OCSP ISAPI filter
& 'CERTUTIL' -VOCSPROOT

Figure 2: Installing/Configuring The OCSP Virtual Directory, The OCSP Application Pool And The OCSP ISAPI filter

Next you need to configure the correct NTFS permissions on the folder used by the OCSP virtual directory. For that issue the following command:

# Configuring The Permissions On The Physical Path Used By The OCSP Virtual Directory
Import-Module WebAdministration
# Allow rule for the anonymous IIS identity, inherited by subfolders and files
$Ace = "NT AUTHORITY\IUSR","ReadAndExecute,Synchronize","ContainerInherit, ObjectInherit","None","Allow"
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $Ace
$ocspFolder = (Get-Item "IIS:\Sites\Default Web Site\ocsp").PhysicalPath
$aclOCSPFolder = Get-Acl $ocspFolder
$aclOCSPFolder | Format-List            # ACL before the change
$aclOCSPFolder.AddAccessRule($AccessRule)
$aclOCSPFolder | Set-Acl $ocspFolder
$aclOCSPFolder = Get-Acl $ocspFolder
$aclOCSPFolder | Format-List            # ACL after the change

Figure 3: Configuring The NTFS Permissions On The Folder Used By The OCSP Virtual Directory

Next you need to configure the account on the OCSP Application Pool. For that issue the following command:

# Configuring The OCSP Application Pool
# http://www.iis.net/configreference/system.applicationhost/applicationpools/add/processmodel
Import-Module WebAdministration
# IdentityType 2 = NetworkService
Set-ItemProperty -Path "IIS:\AppPools\OCSPISAPIAppPool" -Name ProcessModel.IdentityType -Value 2

Figure 4: Configuring The Account Used By The OCSP Application Pool

To finish it up and reset everything, execute the following commands:

# Resetting The OCSP Service And IIS
Restart-Service OCSPSVC -Force
IISRESET

Figure 5: Resetting OCSP And IIS
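
The five steps above, put together as one re-runnable script with a verification pass at the end, as an added example (not code from the original post). Each step is skipped when its result is already in place, so the script can be re-run on a half-configured server, and the final check reports per task whether the responder is in the state the GUI installation would have produced. It assumes the names used in the post: the "ocsp" application under "Default Web Site" and the "OCSPISAPIAppPool" application pool that CERTUTIL -VOCSPROOT creates; the ISAPI filter itself is not checked, only what the WebAdministration provider exposes.

```powershell
# Added example: idempotent unattended Online Responder install on W2K8R2 plus verification.
# Assumes the default names created by CERTUTIL -VOCSPROOT (see the post above).
Import-Module ServerManager
Import-Module WebAdministration

$ocspAppPath  = "IIS:\Sites\Default Web Site\ocsp"
$ocspPoolPath = "IIS:\AppPools\OCSPISAPIAppPool"
$iusr         = "NT AUTHORITY\IUSR"
$readExec     = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

# Does the folder ACL already carry an Allow ACE granting IUSR at least ReadAndExecute?
function Test-IusrReadExecute([string]$Folder) {
    $acl = Get-Acl -Path $Folder
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -eq $iusr -and
            $ace.AccessControlType -eq "Allow" -and
            (($ace.FileSystemRights -band $readExec) -eq $readExec)) { return $true }
    }
    return $false
}

function Install-OcspUnattended {
    # 1. Binaries (skipped when already present)
    if (-not (Get-WindowsFeature -Name ADCS-Online-Cert).Installed) {
        Add-WindowsFeature -Name ADCS-Online-Cert | Out-Null
    }

    # 2. Virtual directory, application pool and ISAPI filter
    if (-not (Test-Path $ocspAppPath)) {
        & certutil.exe -vocsproot | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "certutil -vocsproot failed (exit code $LASTEXITCODE)" }
    }

    # 3. NTFS permissions for the anonymous IIS identity on the physical path
    $folder = [Environment]::ExpandEnvironmentVariables((Get-Item $ocspAppPath).PhysicalPath)
    if (-not (Test-IusrReadExecute $folder)) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                    $iusr, "ReadAndExecute,Synchronize",
                    "ContainerInherit,ObjectInherit", "None", "Allow")
        $acl = Get-Acl -Path $folder
        $acl.AddAccessRule($rule)
        Set-Acl -Path $folder -AclObject $acl
    }

    # 4. Application pool identity: 2 = NetworkService
    Set-ItemProperty -Path $ocspPoolPath -Name ProcessModel.IdentityType -Value 2

    # 5. Restart the responder service and IIS so the new settings take effect
    Restart-Service -Name OCSPSVC -Force
    & iisreset.exe | Out-Null
}

# One $true/$false per task, so a deployment can fail loudly instead of leaving a
# half-configured responder behind.
function Test-OcspInstallation {
    $featureOk = (Get-WindowsFeature -Name ADCS-Online-Cert).Installed
    $appOk     = Test-Path $ocspAppPath
    $poolOk    = Test-Path $ocspPoolPath
    # The provider returns the enum name or its number depending on the version
    $identity  = "$(Get-ItemProperty -Path $ocspPoolPath -Name ProcessModel.IdentityType)"
    $aclOk     = $false
    if ($appOk) {
        $folder = [Environment]::ExpandEnvironmentVariables((Get-Item $ocspAppPath).PhysicalPath)
        $aclOk  = Test-IusrReadExecute $folder
    }
    $svc = Get-Service -Name OCSPSVC -ErrorAction SilentlyContinue

    New-Object PSObject -Property @{
        BinariesInstalled   = [bool]$featureOk
        VirtualDirectory    = [bool]$appOk
        AppPoolExists       = [bool]$poolOk
        AppPoolIsNetworkSvc = ($identity -match '^(NetworkService|2)$')
        IusrHasReadExecute  = [bool]$aclOk
        ServiceRunning      = ($svc -ne $null -and $svc.Status -eq "Running")
    }
}

Install-OcspUnattended
$result = Test-OcspInstallation
$result | Format-List
if ($result.PSObject.Properties | Where-Object { $_.Value -eq $false }) {
    throw "OCSP installation incomplete, see the checks above"
}
```

Run it from an elevated PowerShell session on the future responder; every property in the final listing should read True before you move on to the revocation configuration in part 2.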

At this point OCSP has been installed and configured. However, for it to be functional and answer (OCSP) client requests, you must configure the responder with revocation information for a specific CA, a so-called revocation configuration. When creating a revocation configuration through the GUI you must select a CA certificate, for which you have three options as shown in the picture below.

Figure 6: Specifying The CA To Service For Revocation Information Through Its Certificate

After that you must determine which certificate is used to sign the revocation information before a response is sent to a client. You can configure every OCSP array member to automatically select a certificate based upon a certificate template, or you must configure every OCSP array member with a certificate manually. This is shown in the picture below.

Option [1] –> with this option the OCSP will be automatically configured to retrieve a certificate based upon the specified certificate template from the specified CA. Renewals will also be automatic. This will apply to every array member.

Option [2] –> with this option, every OCSP array member individually must be configured manually with a certificate afterwards to be used by OCSP. Renewals will not be automatic and need to occur manually every time the certificate needs to be renewed. Again, this will apply to every array member.

Option [3] –> with this last option OCSP will use the CA certificate itself to sign responses. This requires the Online Responder to have access to the CA’s private key, so it is only practical when the responder runs on the CA itself.

Figure 7: Specifying Which Certificate To Use To Sign Responses

Continued in part 2 “(2013-08-25) Automated/Unattended Installation Of OCSP (Part 2)”

Cheers,

Jorge


Posted in Active Directory Certificate Services (ADCS), OCSP, PowerShell, Tooling/Scripting
