(2019-05-28) Windows Hello For Business – Certificate Template For DCs

When implementing Windows Hello for Business, either using the “Hybrid AAD Joined Certificate Trust” method or the “Hybrid AAD Joined Key Trust” a PKI infrastructure is needed to at least implement a certificate template for DCs to support WH4B. When already having a (Microsoft) PKI infrastructure you may already have a certificate template for DCs that may have a provider and algorithm (Cryptography TAB) configured as or similar to as displayed below.

Figure 1: Existing Cryptography Settings In Legacy DC Certificate Template

–

When deploying WH4B, the following cryptography settings are required. You will only be able to configure this when in the compatibility TAB the certification authority is set to at least Windows Server 2012.

 

Figure 2: Cryptography Settings In New DC Certificate Template Required By WH4B

–

Now a question may be: what is the impact on DCs when configuring a new certificate template and deploying that to the DCs to replace the existing certificate template?

A good question, might I say!

–

Important to note is that autoenrollment is configured and it is configured correctly, for this to succeed, then at least following high-lighted settings must be set and targeted against DCs in AD. See below.

You may also want to read: Troubleshooting Autoenrollment and Configuring Autoenrollment

Figure 3: Autoenrollment Settings

–

In addition, make sure to supersede the old certificate templates in the newest certificate template, as displayed below.

With regards to PKI, the WH4B documentation says the following:

By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the Kerberos Authentication certificate template a baseline to create an updated domain controller certificate template

Figure 4: Superseded Settings

–

From what I have understood, it changes the storage provider from CSP to KSP and it keeps the RSA algorithm. After doing this myself in multiple environments and asking around for experiences, the answer to the “impact” question is:

No negative impact anticipated or experienced

Nevertheless, make sure to test in your representative test environment!

–

Enjoy and have fun!,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Advertisement

(2016-06-24) Quick Learning Guide For A Public Key Infrastructure (PKI)

Have you ever wanted to have a quick learning guide about a Public Key Infrastructure (PKI), then have a look at the following:

• Public Key Infrastructure part 1 – Introduction to encryption and signature
• Public Key Infrastructure part 2 – main components
• Public Key Infrastructure Part 3 – implement a PKI with Active Directory Certificate Services
• Public Key Infrastructure Part 4 – Configure Certificate Revocation List
• Public Key Infrastructure Part 5 – Registry key, certutil and Active Directory
• Public Key Infrastructure Part 6 – Manage certificate templates
• Public Key Infrastructure Part 7 – Enrollment and Auto-enrollment
• Public Key Infrastructure Part 8 – OCSP responder
• Public Key Infrastructure Part 9 – management accounts
• Public Key Infrastructure Part 10 – Best Practices about PKI

–

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

(2013-12-14) SHA1 Deprecation Policy

This is an important message for anyone still using SHA1 certificates.

–

Read more here.

–

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

(2013-10-22) Searching For Certificates Matching A Specific DNS Name Or WildCard Name

If your computer has lots of certificates in the local computer store and you need to find out if one or more certificates will match a specific name in the subject or subject alternate name, or a certificate will match the first level wildcard, you can use the following PowerShell code:

# Searching For A Certificate With A Specific Name In The Subject Name Or Subject Alternate Name (SAN)
# Searching For A Certificate With A WildCard Name In The Subject Name Or Subject Alternate Name (SAN) Matching The Specific Name

# Define The Specific DNS Name
$dnsName = "<FQDN>"
# Determine The First Level WildCard Name
$wildCardName = "*" + $dnsName.Substring($dnsName.IndexOf("."))
$certs = $null
$certs = @()
$certsInLocalMachine = DIR cert:\LocalMachine\My 
$certsInLocalMachine | ForEach-Object{ 
    $certificate = $_ 
    $certThumbprint = $certificate.Thumbprint 
    $certSubject = $($certificate.Subject).substring($($certificate.Subject).IndexOf("=")+1) 
    If ($certSubject.ToUpper() -eq $dnsName.ToUpper() -or $certSubject.ToUpper() -eq $wildCardName.ToUpper()) { 
        $certs += $certificate 
    }
    $sanCertExtension = $certificate.extensions | Where-Object{$_.oid.FriendlyName.ToLower() -eq "subject alternative name"} 
    $sanObjs = New-Object -ComObject X509Enrollment.CX509ExtensionAlternativeNames            
    If ($sanCertExtension -ne $null) { 
        $altNamesStr = [System.Convert]::ToBase64String($sanCertExtension.RawData)            
        $sanObjs.InitializeDecode(1, $altNamesStr) 
        Foreach ($SAN in $sanObjs.AlternativeNames) { 
            $certAltSubject = $SAN.strValue 
            If ($certAltSubject -ne $null) { 
                If ($certAltSubject.ToUpper() -eq $dnsName.ToUpper() -or $certAltSubject.ToUpper() -eq $wildCardName.ToUpper()) { 
                    $certs += $certificate 
                }
            }
        }
    }
}
$certs | FL

–

If the DNS Name is "FS.ADCORP.LAB", the output is on my demo machine:

Figure 1: Looking For Certificates That Could Support The DNS Name "FS.ADCORP.LAB" (Example)

–

You might also want to look at the following article, which shows you how to list subject alternate names in a specific certificate:

• Display Subject Alternative Names of a Certificate with PowerShell

–

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

(2013-09-04) Incorrect CSP Prevents Enrollment Of OCSP Response Signing Certificates

As mentioned in the previous post, (2013-08-24) Enabling Key Counting With A CSP Not Supporting It Results In Error (0×80090029) During CA Installation/Configuration, I was rebuilding my test environment. In addition to installing and configuring a certificate authority I also wanted to install and configure an online responder. Before, I used the default “OCSP Response Signing” certificate template, but I wanted to duplicate it and create a new one. Because I install multiple environments for testing purposes I wanted to script the creation of the certificate templates so save time. I never found an easy way script the duplication of certificate templates. So I duplicated the templates first and changed the settings as needed. Then through ADSIEDIT I got the attribute values and put them in a script with ADMOD from joeware. I did this for multiple certificate templates.

The settings of the duplicated “OCSP Response Signing” certificate template are shown below.

Figure 1: The Settings Of The Duplicated “OCSP Response Signing” Certificate Template

–

ADMOD –h <FQDN DC> -mvdelim # -replacedn XXX-CONFIG-XXX:_config -add -b "CN=OCSPResponseSigning_v20,CN=Certificate Templates,CN=Public Key Services,CN=Services,XXX-CONFIG-XXX" "objectClass::pKICertificateTemplate" "displayName::OCSP Response Signing v20" "showInAdvancedViewOnly::TRUE" "flags::131648" "revision::100" "pKICriticalExtensions:++:2.5.29.15" "pKIDefaultKeySpec::2" "pKIExtendedKeyUsage:++:1.3.6.1.5.5.7.3.9" "pKIKeyUsage::8000" "pKIMaxIssuingDepth::0" "BIN##pKIExpirationPeriod::0080 37AE FFF4 FFFF" "BIN##pKIOverlapPeriod::0080 2CAB 6DFE FFFF" "pKIDefaultCSPs:++:1,Microsoft Enhanced Cryptographic Provider v1.0" "msPKI-RA-Signature::0" "msPKI-Enrollment-Flag::20512" "msPKI-Private-Key-Flag::33751040" "msPKI-Certificate-Name-Flag::402653184" "msPKI-Minimal-Key-Size::2048" "msPKI-Template-Schema-Version::3" "msPKI-Template-Minor-Revision::3" "msPKI-Cert-Template-OID::1.3.6.1.4.1.311.21.8.7425675.14461227.5065100.6342490.10430944.249.14559993.5566867" "msPKI-Certificate-Application-Policy:++:1.3.6.1.5.5.7.3.9" "msPKI-RA-Application-Policies:++:msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Security-Descriptor`PZPWSTR`D:P(A;;FA;;;BA)(A;;FA;;;SY)(A;;GR;;;S-1-5-80-3804348527-3718992918-2141599610-3686422417-2726379419)`msPKI-Key-Usage`DWORD`2`" "msPKI-Supersede-Templates:++:OCSPResponseSigning"

–

REMARK: YOU SHOULD NOT USE THIS METHOD IN YOUR TEST ENVIRONMENT TO DUPLICATE CERT TEMPLATES! I USED THIS IN MY TEST ENVIRONMENT WITH A PREDEFINED OID.

–

REMARK: I need to use the mvdelim parameter in this case and specify a new delimiter (#). The reason for that is that ADMOD by default uses the ; as a delimiter for multi-valued attributes. However, if you look at the second last attribute and its value in the command line, you will see it contains multiple ; as a value. Hence the required change in delimiter

–

Figure 2: Scripting The Creation Of The Custom “OCSP Response Signing” Certificate Template

–

Then I used DSACLS to configure the permissions of that specific certificate template.

REM Convert The DNS Domain To An NC
SET DNDOMAIN=DC=%USERDNSDOMAIN:.=,DC=%
REM Disable Inheritance And Copy The Inherited Permissions Onto The Object As Explicit Permissions
DSACLS "\\<FQDN DC>\CN=OCSPResponseSigning_v20,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,%DNDOMAIN%" /P:Y
REM Assign Enterprise Admins Allow:Read And Allow:Write
DSACLS "\\<FQDN DC>\CN=OCSPResponseSigning_v20,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,%DNDOMAIN%" /G "Enterprise Admins:GRWDWOWP"
REM Remove Any Assigned Permissions To Domain Admins
DSACLS "\\<FQDN DC>\CN=OCSPResponseSigning_v20,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,%DNDOMAIN%" /R "Domain Admins"
REM Assign Domain Admins Allow:Read And Allow:Write
DSACLS "\\<FQDN DC>\CN=OCSPResponseSigning_v20,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,%DNDOMAIN%" /G "Domain Admins:GRWDWOWP"
REM Remove Any Assigned Permissions To SYSTEM
DSACLS "\\<FQDN DC>\CN=OCSPResponseSigning_v20,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,%DNDOMAIN%" /R "SYSTEM"
REM Assign SYSTEM Allow:Read And Allow:Write
DSACLS "\\<FQDN DC>\CN=OCSPResponseSigning_v20,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,%DNDOMAIN%" /G "SYSTEM:GRWDWOWP"
REM Assign A Custom Group Allow:Enroll
DSACLS "\\<FQDN DC>\CN=OCSPResponseSigning_v20,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,%DNDOMAIN%" /G "GRP_R2_PKI-CertTmplt-Subscr-OCSPResponseSigning:CA;Enroll"

The last line assigns a custom group Allow:Enroll permissions. It is NOT needed to assigned AutoEnroll permissions! The command that disables inheritance and copies the inherited permissions to become explicit permissions keeps Authenticated Users with Allow:Read. By making the computer account of my OCSP server a member of that custom group OCSP Response Signing certificates are automatically enrolled by the OCSP service.

–

The second last thing to do is to configure the CA to support the custom “OCSP Response Signing” certificate template to be able to enroll certificates derived from that certificate template. The last thing to do is to configure OCSP to support revocation information for the installed CA (see: Designing And Implementing An OCSP Responder (Series)).

So as soon as you have configured the revocation information for that specific CA (also see the series: Automated/Unattended Installation Of OCSP) and you pressed/clicked Refresh it should tell you it got a new signing certificate. However, unfortunately, the case is different. No certificate is being enrolled! Damn!

This is what you will see continuously.

Figure 3: The Online Responder Configuration – Error “Bad Signing Certificate On Array Controller”

–

Figure 4: The Online Responder Configuration – Error “Signing Certificate: Not Found”

–

When looking at the Application Event Log, you will see…

Figure 5: The Online Responder Service – Error “0x80092006: No Provider Was Specified For The Store Or Object”

–

Figure 6: The Online Responder Service – Error “0x80092006: No Provider Was Specified For The Store Or Object”

–

Both the errors do not give you a clear hint of what’s wrong.

The only thing I remembered was that when I used the default “OCSP Response Signing” certificate template everything worked like a charm! Trouble started when I used my duplicated/custom certificate template. So, the first task was to compare both settings! YOU can do the same by comparing figure 1 above and figure 7 below.

Figure 7: The Settings Of The Original “OCSP Response Signing” Certificate Template

–

Besides the “msPKI-Cert-Template-OID” attribute value being different, there is another difference! The original “OCSP Response Signing” Certificate Template DOES NOT specify a CSP, while the duplicate “OCSP Response Signing” Certificate Template does. So, where did that go wrong!?

In the GUI this looks like….

 

Figure 8: The Cryptography Settings Of The Default (Left) And The Duplicated (Right) “OCSP Response Signing” Certificate Template

–

The only thing to do here is changing the cryptographic settings of the duplicated “OCSP Response Signing” Certificate Template to match those of the original “OCSP Response Signing” Certificate Template.

Figure 9: The Online Responder Configuration – “Working”

–

Figure 10: The Online Responder Configuration – “Signing Certificate: OK”

–

Figure 11: The Online Responder Configuration – Certificate Enrolled

–

Figure 12: The Online Responder Configuration – Certificate (Re)Loaded

–

Explanation of what went wrong….

As I said I was scripting the creation of certificate templates.  While I was copying information around I copied the text "pKIDefaultCSPs:++:1,Microsoft Enhanced Cryptographic Provider v1.0" into the command line that creates the duplicated “OCSP Response Signing” Certificate Template. However, I SHOULD NOT have done that! It was therefore a mistake that generated the previous errors shown and that looks lots of time to troubleshoot!

So in the previous ADMOD command the part "pKIDefaultCSPs:++:1,Microsoft Enhanced Cryptographic Provider v1.0" MUST be removed!

–

Just a stupid copy/paste mistake.

–

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

(2013-08-29) Automated/Unattended Installation Of OCSP (Part 6)

Click here for part 5

Make sure to select YOUR preferred Array Controller and afterwards synchronize all OCSP Array Members with the OCSP Array Controller. To select a new OCSP Array Controller afterwards, select the OCSP Array Member that will become the OCSP Array Controller and select the option “Set As Array Controller”

Figure 1: Configuring A New Array Controller

–

To synchronize the array members with the array controller, select the node “Array Configuration” and right-click it and select the option “Synchronize Members With Array Controller”

Figure 2: Synchronizing The Array Members With The Array Controller

–

Everything is up and running. To test OCSP you need a certificate that has been issued  to some entity. After exporting the certificate to a CER file, you can use the following command to test OCSP:

CERTUTIL -URL <CER file>. If you are using a PowerShell Command Prompt window, type: & ‘CERTUTIL’ –URL .\<CER file>

Check (on the right side) “OCSP (from AIA)” and click “Retrieve”

Figure 3: Testing OCSP

–

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

(2013-08-28) Automated/Unattended Installation Of OCSP (Part 5)

Click here for part 4

When using option [1] or [2], lets assume you want to have more than one OCSP server servicing the Revocation Configurations of each configured CA. After adding all revocation configurations you can add more OCSP members to the OCSP array. The first OCSP server hosting the revocation configurations is by default the array controller when adding additional OCSP members to the array. So this action, or the next script, needs to be executed on the OCSP array controller.

REMARK: A “BIG THANK YOU!” goes to Vadim Podans for helping me out in defining the correct format of the values being written to the ArrayMembers property.

# Get The Info Of The Local Server
$ocspServerFQDN = $(Get-WmiObject -Class Win32_ComputerSystem).Name + "." + $(Get-WmiObject -Class Win32_ComputerSystem).Domain

# Put The OCSP Configuration In An Object 
$ocspAdmin = New-Object -com "CertAdm.OCSPAdmin" 
$ocspAdmin.GetConfiguration($ocspServerFQDN, $true) 

# Retrieve The Current OCSP Array Member(s)
$currentArrayMembers = $ocspAdmin.OCSPServiceProperties.Item(2).Value 

# Define The ADDITIONAL OCSP Array Members
$newArrayMembers = @("R2FSMBSV2.ADDMZ.LAN") 

# Define The Total List Of Array Members
[string[]]$totalListArrayMembers = $currentArrayMembers + $newArrayMembers

# Write The New Total List Of Array Members
$ocspAdmin.OCSPServiceProperties.Item(2).Value = $totalListArrayMembers 

# Commit The Changes
$ocspAdmin.SetConfiguration($ocspServerFQDN, $true)

Figure 1: Configuring Additional OCSP Array Members On The Array Controller

–

Now open/start the “Online Responder Management” MMC. You will immediately get an array controller mismatch message as shown below

Figure 2: Array Controller Mismatch Message

–

Continued in part 6 “(2013-08-29) Automated/Unattended Installation Of OCSP (Part 6)”

–

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

(2013-08-27) Automated/Unattended Installation Of OCSP (Part 4)

Click here for part 3

This post will explain how to configure revocation information through option [3] (Use The CA Certificate For The Revocation Information) for each ENTERPRISE CA found in AD. 

 

Figure 1: Configuring Revocation Configuration And Choosing The CA Certificate As The Signing Certificate

–

This option can only be used when OCSP is installed on the same server as the CA itself OCSP is servicing

# Import The PSPKI Module (Get It At: http://pspki.codeplex.com/)
Import-Module PSPKI

# Get The Info Of The Local Server
$domainName = $(Get-WmiObject -Class Win32_ComputerSystem).Domain
$ocspServerFQDN = $(Get-WmiObject -Class Win32_ComputerSystem).Name + "." + $(Get-WmiObject -Class Win32_ComputerSystem).Domain

# Get The Local CA
$localCA = Connect-CA -ComputerName $ocspServerFQDN
    
# For The Local CA Create Revocation Configuration
# Get The CA Name
$caName  = $localCA.DisplayName

# Get The CA Server Name
$caServerName = $localCA.ComputerName

# Get The CA Certificate
$caCert = $localCA.Certificate

# Get The RawData Of The CA Certificate
$caCertRawData = $caCert.RawData

# Define The OCSP Name
$ocspName = "OCSP For " + $caName + " (" + $caServerName + ")"

# Configure The Revocation Provider Properties In A Property Collection Object For This CA
$ocspProperties = New-Object -com "CertAdm.OCSPPropertyCollection"
$baseCrl = "http://pki." + $domainName.ToLower() + "/pki/" + $caName.ToLower() + ".crl"
$deltaCrl = "http://pki." + $domainName.ToLower() + "/pki/" + $caName.ToLower() + "+.crl"
$ocspProperties.CreateProperty("BaseCrlUrls", $baseCrl)
$ocspProperties.CreateProperty("DeltaCrlUrls", $deltaCrl)
$ocspProperties.CreateProperty("RevocationErrorCode", 0)
#$ocspProperties.CreateProperty("RefreshTimeOut", 3600000) # Update CRLs At This Refresh Interval

# Configure The OCSP Signing Flags To Automatically Select A Signing Cert
# http://msdn.microsoft.com/en-us/library/windows/desktop/aa386387(v=vs.85).aspx
$OCSP_SF_SILENT = 0x001
$OCSP_SF_USE_CACERT = 0x002
$OCSP_SF_FORCE_SIGNINGCERT_ISSUER_ISCA = 0x008
$OCSP_SF_RESPONDER_ID_KEYHASH = 0x040
$ocspSigningFlags = $OCSP_SF_SILENT `
    + $OCSP_SF_USE_CACERT `
    + $OCSP_SF_FORCE_SIGNINGCERT_ISSUER_ISCA `
    + $OCSP_SF_RESPONDER_ID_KEYHASH

# Save The OCSP Configuration In An Object
$ocspAdmin = New-Object -com "CertAdm.OCSPAdmin"
$ocspAdmin.GetConfiguration($ocspServerFQDN, $True)

# Create New Revocation Configuration
$ocspConfig = $ocspAdmin.OCSPCAConfigurationCollection.CreateCAConfiguration($ocspName, $caCertRawData)
$ocspConfig.HashAlgorithm = "SHA1"
$ocspConfig.SigningFlags = $ocspSigningFlags
$ocspConfig.ProviderProperties = $OcspProperties.GetAllProperties()
$ocspConfig.ProviderCLSID = "{4956d17f-88fd-4198-b287-1e6e65883b19}"
$ocspConfig.ReminderDuration = 90

# Commit The New Revocation Configuration
$ocspAdmin.SetConfiguration($ocspServerFQDN, $True)

Figure 2a: Configuring Revocation Configuration For The Local Enterprise CA

–

Figure 2b: Configuring Revocation Configuration For Every Enterprise CA Found In AD

–

After the configuration lets fetch the OCSP Revocation Configuration by issuing the following command:

# Get The Info Of The Local Server
$domainName = $(Get-WmiObject -Class Win32_ComputerSystem).Domain
$ocspServerFQDN = $(Get-WmiObject -Class Win32_ComputerSystem).Name + "." + $(Get-WmiObject -Class Win32_ComputerSystem).Domain

# Get The Renewed OCSP Configuration
$ocspAdmin = New-Object -com "CertAdm.OCSPAdmin"
$ocspAdmin.GetConfiguration($ocspServerFQDN, $True)
$ocspAdmin.OCSPCAConfigurationCollection
$ocspAdmin.OCSPServiceProperties

Figure 3: Retrieving The Revocation Configuration Properties And The Service Properties

–

Continued in part 5 “(2013-08-28) Automated/Unattended Installation Of OCSP (Part 5)”

–

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

(2013-08-26) Automated/Unattended Installation Of OCSP (Part 3)

Click here for part 2

This post will explain how to configure revocation information through option [2] (Manually Select A Signing Certificate) for each ENTERPRISE CA found in AD. 

Figure 1: Configuring Revocation Configuration And Choosing To Manually Select A Signing Certificate

–

# Import The PSPKI Module (Get It At: http://pspki.codeplex.com/)
Import-Module PSPKI

# Get The Info Of The Local Server
$domainName = $(Get-WmiObject -Class Win32_ComputerSystem).Domain
$ocspServerFQDN = $(Get-WmiObject -Class Win32_ComputerSystem).Name + "." + $(Get-WmiObject -Class Win32_ComputerSystem).Domain

# Get All The Enterprise CAs Published In AD
$enterpriseCAs = Get-CA | ?{$_.Type -match "Enterprise"}
    
# For Every CA Create Revocation Configuration
$enterpriseCAs | %{
    # Get The CA Name
    $caName  = $_.DisplayName

    # Get The CA Server Name
    $caServerName = $_.ComputerName

    # Get The CA Certificate
    $caCert = $_.Certificate

    # Get The RawData Of The CA Certificate
    $caCertRawData = $caCert.RawData

    # Define The OCSP Name
    $ocspName = "OCSP For " + $caName + " (" + $caServerName + ")"

    # Configure The Revocation Provider Properties In A Property Collection Object For This CA
    $ocspProperties = New-Object -com "CertAdm.OCSPPropertyCollection"
    $baseCrl = "http://pki." + $domainName.ToLower() + "/pki/" + $caName.ToLower() + ".crl"
    $deltaCrl = "http://pki." + $domainName.ToLower() + "/pki/" + $caName.ToLower() + "+.crl"
    $ocspProperties.CreateProperty("BaseCrlUrls", $baseCrl)
    $ocspProperties.CreateProperty("DeltaCrlUrls", $deltaCrl)
    $ocspProperties.CreateProperty("RevocationErrorCode", 0)
    #$ocspProperties.CreateProperty("RefreshTimeOut", 3600000) # Update CRLs At This Refresh Interval

    # Configure The OCSP Signing Flags To Automatically Select A Signing Cert
    # http://msdn.microsoft.com/en-us/library/windows/desktop/aa386387(v=vs.85).aspx
    $OCSP_SF_SILENT = 0x001
    $OCSP_SF_MANUAL_ASSIGN_SIGNINGCERT = 0x020
    $OCSP_SF_RESPONDER_ID_KEYHASH = 0x040
    $ocspSigningFlags = $OCSP_SF_SILENT `
        + $OCSP_SF_MANUAL_ASSIGN_SIGNINGCERT `
        + $OCSP_SF_RESPONDER_ID_KEYHASH `
    
    # Save The OCSP Configuration In An Object
    $ocspAdmin = New-Object -com "CertAdm.OCSPAdmin"
    $ocspAdmin.GetConfiguration($ocspServerFQDN, $True)

    # Create New Revocation Configuration
    $ocspConfig = $ocspAdmin.OCSPCAConfigurationCollection.CreateCAConfiguration($ocspName, $caCertRawData)
    $ocspConfig.HashAlgorithm = "SHA1"
    $ocspConfig.SigningFlags = $ocspSigningFlags
    $ocspConfig.ProviderProperties = $OcspProperties.GetAllProperties()
    $ocspConfig.ProviderCLSID = "{4956d17f-88fd-4198-b287-1e6e65883b19}"
    $ocspConfig.ReminderDuration = 90

    # Commit The New Revocation Configuration
    $ocspAdmin.SetConfiguration($ocspServerFQDN, $True)
}

 

Figure 2a: Configuring Revocation Configuration For Every Enterprise CA Found In AD

–

Figure 2b: Configuring Revocation Configuration For Every Enterprise CA Found In AD

–

Now before continuing MANUALLY assign a certificate to the OCSP Revocation Configuration. Do this through the “Online Responder Management” MMC. You must do this for EVERY OCSP Array Member. The certificate that will be used must have the “OCSP Signing” Enhanced Key Usage Extension.

–

After the configuration lets fetch the OCSP Revocation Configuration by issuing the following command:

# Get The Info Of The Local Server
$domainName = $(Get-WmiObject -Class Win32_ComputerSystem).Domain
$ocspServerFQDN = $(Get-WmiObject -Class Win32_ComputerSystem).Name + "." + $(Get-WmiObject -Class Win32_ComputerSystem).Domain

# Get The Renewed OCSP Configuration
$ocspAdmin = New-Object -com "CertAdm.OCSPAdmin"
$ocspAdmin.GetConfiguration($ocspServerFQDN, $True)
$ocspAdmin.OCSPCAConfigurationCollection
$ocspAdmin.OCSPServiceProperties

Figure 3: Retrieving The Revocation Configuration Properties And The Service Properties

–

Continued in part 4 “(2013-08-27) Automated/Unattended Installation Of OCSP (Part 4)”

–

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

(2013-08-25) Automated/Unattended Installation Of OCSP (Part 2)

Click here for part 1

This post will explain how to configure revocation information through option [1] (Automatically Select A Signing Certificate) for each ENTERPRISE CA found in AD.

 

Figure 1: Configuring Revocation Configuration And Choosing To Automatically Select A Signing Certificate

–

# Import The PSPKI Module (Get It At: http://pspki.codeplex.com/)
Import-Module PSPKI

# Get The Info Of The Local Server
$domainName = $(Get-WmiObject -Class Win32_ComputerSystem).Domain
$ocspServerFQDN = $(Get-WmiObject -Class Win32_ComputerSystem).Name + "." + $(Get-WmiObject -Class Win32_ComputerSystem).Domain

# Get All The Enterprise CAs Published In AD
$enterpriseCAs = Get-CA | ?{$_.Type -match "Enterprise"}
    
# For Every CA Create Revocation Configuration
$enterpriseCAs | %{
    # Get The CA Name
    $caName  = $_.DisplayName

    # Get The CA Server Name
    $caServerName = $_.ComputerName

    # Get The CA Config String
    $caConfigString = $_.ConfigString

    # Get The CA Certificate
    $caCert = $_.Certificate

    # Get The RawData Of The CA Certificate
    $caCertRawData = $caCert.RawData

    # Define The OCSP Name
    $ocspName = "OCSP For " + $caName + " (" + $caServerName + ")"

    # Get The OCSP Signing Certificate Template Published By The CA
    ($_ | Get-CATemplate).Templates | %{
        $certTemplateDisplayName = $_.DisplayName
        $enhancedKeyUsageCertTemplate = (Get-CertificateTemplate -DisplayName $certTemplateDisplayName).Settings.EnhancedKeyUsage
        $enhancedKeyUsageFound = $enhancedKeyUsageCertTemplate | ?{$_.FriendlyName -eq "OCSP Signing"}
        If ($enhancedKeyUsageFound -ne $null) {
            $ocspCertTemplateName = (Get-CertificateTemplate -DisplayName $certTemplateDisplayName).Name
        }
    }
    If (!$ocspCertTemplateName) {
        Write-Host "No Certificate Template Found With The 'OCSP Signing' Extension"
        Break
    }
    
    # Configure The Revocation Provider Properties In A Property Collection Object For This CA
    $ocspProperties = New-Object -com "CertAdm.OCSPPropertyCollection"
    $baseCrl = "http://pki." + $domainName.ToLower() + "/pki/" + $caName.ToLower() + ".crl"
    $deltaCrl = "http://pki." + $domainName.ToLower() + "/pki/" + $caName.ToLower() + "+.crl"
    $ocspProperties.CreateProperty("BaseCrlUrls", $baseCrl)
    $ocspProperties.CreateProperty("DeltaCrlUrls", $deltaCrl)
    $ocspProperties.CreateProperty("RevocationErrorCode", 0)
    #$ocspProperties.CreateProperty("RefreshTimeOut", 3600000) # Update CRLs At This Refresh Interval

    # Configure The OCSP Signing Flags To Automatically Select A Signing Cert
    # http://msdn.microsoft.com/en-us/library/windows/desktop/aa386387(v=vs.85).aspx
    $OCSP_SF_SILENT = 0x001
    $OCSP_SF_ALLOW_SIGNINGCERT_AUTORENEWAL = 0x004
    $OCSP_SF_FORCE_SIGNINGCERT_ISSUER_ISCA = 0x008
    $OCSP_SF_AUTODISCOVER_SIGNINGCERT = 0x010
    $OCSP_SF_RESPONDER_ID_KEYHASH = 0x040
    $OCSP_SF_ALLOW_SIGNINGCERT_AUTOENROLLMENT = 0x200
    $ocspSigningFlags = $OCSP_SF_SILENT `
        + $OCSP_SF_ALLOW_SIGNINGCERT_AUTORENEWAL `
        + $OCSP_SF_FORCE_SIGNINGCERT_ISSUER_ISCA `
        + $OCSP_SF_AUTODISCOVER_SIGNINGCERT `
        + $OCSP_SF_RESPONDER_ID_KEYHASH `
        + $OCSP_SF_ALLOW_SIGNINGCERT_AUTOENROLLMENT

    # Save The OCSP Configuration In An Object
    $ocspAdmin = New-Object -com "CertAdm.OCSPAdmin"
    $ocspAdmin.GetConfiguration($ocspServerFQDN, $True)

    # Create New Revocation Configuration
    $ocspConfig = $ocspAdmin.OCSPCAConfigurationCollection.CreateCAConfiguration($ocspName, $caCertRawData)
    $ocspConfig.CAConfig = $caConfigString
    $ocspConfig.SigningCertificateTemplate = $ocspCertTemplateName
    $ocspConfig.HashAlgorithm = "SHA1"
    $ocspConfig.SigningFlags = $ocspSigningFlags
    $ocspConfig.ProviderProperties = $OcspProperties.GetAllProperties()
    $ocspConfig.ProviderCLSID = "{4956d17f-88fd-4198-b287-1e6e65883b19}"
    $ocspConfig.ReminderDuration = 90

    # Commit The New Revocation Configuration
    $ocspAdmin.SetConfiguration($ocspServerFQDN, $True)
}

 

Figure 2a: Configuring Revocation Configuration For Every Enterprise CA Found In AD

–

Figure 2b: Configuring Revocation Configuration For Every Enterprise CA Found In AD

–

Figure 2c: Configuring Revocation Configuration For Every Enterprise CA Found In AD

–

After the configuration lets fetch the OCSP Revocation Configuration by issuing the following command:

# Get The Info Of The Local Server
$domainName = $(Get-WmiObject -Class Win32_ComputerSystem).Domain
$ocspServerFQDN = $(Get-WmiObject -Class Win32_ComputerSystem).Name + "." + $(Get-WmiObject -Class Win32_ComputerSystem).Domain

# Get The Renewed OCSP Configuration
$ocspAdmin = New-Object -com "CertAdm.OCSPAdmin"
$ocspAdmin.GetConfiguration($ocspServerFQDN, $True)
$ocspAdmin.OCSPCAConfigurationCollection
$ocspAdmin.OCSPServiceProperties

Figure 3: Retrieving The Revocation Configuration Properties And The Service Properties

–

Continued in part 3 “(2013-08-26) Automated/Unattended Installation Of OCSP (Part 3)”

–

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————