In Part 2 of this series we configured our Azure VM and On-Premise VM as Domain Controllers and established 2 Active Directory Sites. In Part 3 we will be deploying a PKI Infrastructure within our lab using Microsoft Active Directory Certificate Services. In Production PKI deployments a two-tier CA Hierarchy is normally used. This consists of an Offline Root and at least 1 Issuing CA. For the purposes of time and the fact that this is a lab, we will be deploying a single certificate server on our On-Premise Domain Controller.
This article assumes that you have already completed Part 2 of this series or at least have a Domain Controller (DC) and are able to stand up 1 additional machine to publish our Certificate Revocation List. Let’s get started!!!
The first step will be installing the Active Directory Certificate Services Role on our On-Premise DC. Follow the steps below to get the role installed:
- From the taskbar click on Server Manager.
- Under the Configure this local server section click on Add roles and features.
- At the Before you begin screen click Next.
- At the Select installation type screen click Next.
- At the Select destination server screen click Next.
- At the Select server roles screen select Active Directory Certificate Services then at the Add feature pop-up click Add Features then Next.
- At the Select features screen click Next.
- At the Active Directory Certificate Services screen click Next.
- At the Select role services screen select Certification Authority then click Next.
- At the Select role services screen click Next.
- At the Confirm installation selections screen click Install.
- When setup completes click Close.
Now that we have installed Active Directory Certificate Services, it’s time to configure it.
1. Within Server Manager click on the Yellow Caution Sign under Notifications then click on Configure Active Directory Certificate Services on the …
2. At the Credentials screen click Next.
3. At the Select Role Services to Configure screen select Certification Authority then click Next.
4. At the Specify the setup type of the CA screen select Enterprise CA then click Next.
5. At the Specify the type of the CA screen select Root CA then click Next.
6. At the Specify the type of the private key screen select Create a new private key then click Next.
7. At the Specify the cryptographic options screen click Next.
8. At the Specify the name of the CA screen change Common name for this CA: to the following then click Next:
KHL-CA
9. At the Specify the validity period screen enter 10 for the number of Years then click Next.
10. At the Specify the database locations screen click Next.
11. At the Confirmation screen click Configure.
12. At the Results screen click Close.
Now that we have stood up our CA, it is time to set the values for the Certificates that it will issue. The two settings we will be customizing for this lab are the CRL Distribution Point (CDP) and the Authority Information Access (AIA). The CDP contains locations (File, Web, Active Directory) that can be used to find an up-to-date Certificate Revocation List (CRL) file (.crl) for certificates issued by the CA. This list contains all certificates that have been revoked by the Certificate Admin. The AIA contains locations (File, Web, Active Directory) that can be used to find an up-to-date copy of the CA’s certificate (.crt). As mentioned above there are several ways to publish these locations. For this lab we will be going with the Web based distribution method. In order to use the Web based distribution method we will be deploying a Web Server within Azure. Not only will this server act as our CRL Distribution Point, but it will also be used in Part 4 of this series “Remote Desktop Services”. Follow the steps below to deploy a server within Azure:
1. On the Left-Pane click on NEW.
2. From the menu select COMPUTE | VIRTUAL MACHINES | FROM GALLERY.
3. At Choose an image screen in the Middle-Pane select Windows Server 2012 R2 Datacenter then click Next.
4. At the Virtual machine configuration screen use the table and information below to create the following VM’s then click Next:
| Virtual Machine | Size | REGION/AFFINITY Group/Virtual Network |
| --- | --- | --- |
| KHL-WEB | A1 (1 core, 1.75 GB memory) | VPNLAB |
***Note: The virtual machine name will need to be unique since it’s a hostname within cloudapp.net. So KHL-WEB is no longer available.
5. Use the following as a temporary Username and Password then click Next.
NEW USER NAME: khl-admin
NEW PASSWORD: blueberries
CONFIRM: blueberries
6. At the next screen click Complete.
Sit back and wait for your Azure VM to be created. It normally takes about 5-10 minutes.
Once the VM is complete we will need to reserve its IP address. Since Azure VM’s are given DHCP addresses, we will need to set ours to Static since it is going to host our CRL Distribution Point. I have already posted an article on how to set an Azure VM’s IP to static. It can be found here:
http://blogs.technet.com/b/elliottf/archive/2015/06/12/assigning-static-ip-s-to-azure-vm-s.aspx
Let’s connect to our Azure VM (KHL-WEB) via remote desktop. To do this follow the steps below:
1. On the Left-Pane click on VIRTUAL MACHINES.
2. In the Middle-Pane highlight KHL-WEB then on the Bottom-Bar click CONNECT.
3. At the download pop-up click Save | Save As.
4. At the Save As pop-up enter KHL-WEB under File name: then click Save.
5. Navigate to the file and double-click on KHL-WEB.
6. At the Remote Desktop Connection pop-up click Connect.
7. At the Windows Security screen enter your credentials.
8. At the Untrusted Certificate pop-up click Yes.
Once we are logged into KHL-WEB we need to verify that it is using KHL-DC as its DNS Server. We can do that by running an NSLookup as shown below:
Once it is confirmed that we can communicate with KHL-DC we will join this server to the domain using the steps below:
1. Right-click on the Windows Logo and click on System.
2. Under Computer name, domain and workgroup settings click on Change settings.
3. At the pop-up screen click on Change.
4. Under Member of select Domain: then enter killerhomelab.com and click OK.
5. At the Computer Name/Domain Changes pop-up enter your Domain Admin and Password then click OK.
6. At the Computer Name/Domain Changes pop-up click OK, OK, then Close.
7. Click Restart Now.
Once the server has restarted we will re-connect using our Domain Admin credentials. Once logged in we will need to install IIS using the steps below:
1. From the taskbar click on Server Manager.
2. Under the Configure this local server section click on Add roles and features.
3. At the Before you begin screen click Next.
4. At the Select installation type screen click Next.
5. At the Select destination server screen click Next.
6. At the Select server roles screen select Web Server (IIS) then at the pop-up click Add Features then Next.
7. At the Select features screen click Next.
8. At the Web Server Role (IIS) screen click Next.
9. At the Select role services screen click Next.
10. At the Confirm installation selections screen click Install.
11. When setup completes click Close.
Now that we have installed the IIS Binaries, we will need to create our directory that will be used to publish our CRL. Follow the steps below to create our Virtual Directory within IIS to host the CRL:
1. Right-click the Windows Logo and select Run.
2. Enter InetMgr.exe then click OK.
3. In the Left-Pane of the Internet Information Services (IIS) Manager expand KHL-WEB.
4. At the pop-up click No.
5. Expand Sites then right-click Default Web Site and select Add Virtual Directory.
6. At the Virtual Directory pop-up under Alias enter CertEnroll then click …
7. At the Browse For Folder pop-up select Local Disk (C:) then click Make New Folder.
8. Enter CertEnroll then click OK, OK.
9. In the Left-Pane right-click CertEnroll then click Edit Permissions.
10. At the CertEnroll Properties click on the Sharing tab then click Advanced Sharing.
11. At the Advanced Sharing pop-up select Share this folder then click the Permissions button.
12. At the Permissions for CertEnroll pop-up click the Add button.
13. At the Select Users, Computers, Service Accounts, or Groups pop-up click on Object Types and select Computers then click OK.
14. At the Select Users, Computers, Service Accounts, or Groups pop-up enter OP-DC then click OK.
15. At the Permissions for CertEnroll under Permissions for OP-DC click Full control from the Allow Column then click OK, OK and Close.
Now that we have our publishing location created let’s create a descriptive DNS A Record that points to our new Web Server. During this lab we will create this record only on our Internal DNS Zone since we have not yet extended our lab externally, however in Part 4 (Remote Desktop Services) we will create an external record as well. For now follow the steps below to create our CRL Distribution Point A Record:
1. Log onto KHL-DC.
2. From the taskbar click on Server Manager.
3. Select Tools | DNS.
4. In the Left-Pane expand Forward Lookup Zones then highlight killerhomelab.com.
5. Right-click killerhomelab.com and select New Host (A or AAAA)…
6. At the New Host pop-up enter the following then click Add Host:
Name: khl-ca
IP Address: 192.168.111.5
7. At the pop-up click OK then click Done.
Now we are finally ready to configure our CA extensions. We will start with generating the URL that will be included within our Certificates as the CRL Distribution Point. Let’s log onto OP-DC and configure our extensions following the steps below:
1. Log onto OP-DC.
2. From the taskbar click on Server Manager.
3. Select Tools | Certification Authority.
4. In the Left-Pane right-click KHL-CA and select Properties.
5. At the KHL-CA Properties pop-up click on the Extensions tab.
6. Click the Add button then at the Add Location pop-up enter http://khl-ca.killerhomelab.com/ under location.
7. Make sure <CAName> is selected under Variable: then click Insert.
8. Under Variable: use the pull-down and select <CRLNameSuffix> then click Insert.
9. Under Variable: use the pull-down and select <DeltaCRLAllowed> then click Insert.
10. After <DeltaCRLAllowed> enter .crl then click OK.
11. Now select the following then click Apply:
- Include in CRLs. Clients use this to find Delta CRL Locations
- Include in the CDP extension of issued certificates
12. At the Certification Authority pop-up click Yes.
13. Click the Add button then at the Add Location pop-up enter \\khl-ca.killerhomelab.com\CertEnroll under location.
14. Make sure <CAName> is selected under Variable: then click Insert.
15. Under Variable: use the pull-down and select <CRLNameSuffix> then click Insert.
16. Under Variable: use the pull-down and select <DeltaCRLAllowed> then click Insert.
17. After <DeltaCRLAllowed> enter .crl then click OK.
18. Now select the following then click Apply:
- Publish CRLs to this location
- Publish Delta CRLs to this location
19. At the Certification Authority pop-up click Yes.
20. Under Specify locations from which users can obtain a certificate revocation list (CRL) remove the following then click Apply:
- Ldap:///CN=<CATruncatedName>……..
- http://<ServerDNSName>………
- File://<ServerDNSName>……
Now we will set the AIA as we have set the CDP above using the steps below:
1. Use the Select extension pull-down menu and select Authority Information Access (AIA).
2. Under Specify locations from which users can obtain the certificate for this CA remove all entries then click Apply.
3. Click the Add button then at the Add Location pop-up enter \\khl-ca.killerhomelab.com\CertEnroll under location.
4. Make sure <ServerDNSName> is selected under Variable: then click Insert.
5. After <ServerDNSName> enter an underscore (_).
6. Under Variable: use the pull-down and select <CAName> then click Insert.
7. Under Variable: use the pull-down and select <CertificateName> then click Insert.
8. After <CertificateName> enter .crt then click OK.
9. Now select the following then click Apply:
- Include in the AIA extension of issued certificates
Our last step will be copying our OP-DC.killerhomelab.com_KHL-CA.crt file to our publishing point as shown below:
Copy From: C:\Windows\System32\CertSrv\CertEnroll
Copy To: \\khl-ca.killerhomelab.com\CertEnroll
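The CDP and AIA steps above, including the .crt copy, as an added PowerShell example that is not from the original post: it applies the same settings on OP-DC with the ADCSAdministration cmdlets instead of the Certification Authority console. It assumes the host name, share and folder created above, and it puts the CertEnroll virtual directory alias into the HTTP path so that the URL clients see maps to the folder the CRL is published into.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on OP-DC.
Import-Module ADCSAdministration

$WebHost = 'khl-ca.killerhomelab.com'        # A record created above (192.168.111.5)
$Share   = "\\$WebHost\CertEnroll"           # share on KHL-WEB backed by C:\CertEnroll

# <CaName> is the variable the console shows as <CAName>; the tokens are
# expanded by the CA when it publishes or stamps the URL.
$HttpCdp = "http://$WebHost/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl"
$FileCdp = "$Share\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl"
$FileAia = "$Share\<ServerDNSName>_<CaName><CertificateName>.crt"

# Drop the default LDAP/HTTP/file CDP entries but keep the CA's own local
# CertEnroll folder (the C:\ entry), as the steps above do.
Get-CACrlDistributionPoint |
    Where-Object { $_.Uri -notlike 'C:\*' } |
    ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }

# HTTP URL: stamped into issued certificates and advertised in CRLs for delta discovery
Add-CACrlDistributionPoint -Uri $HttpCdp -AddToCertificateCdp -AddToFreshestCrl -Force
# UNC path: where the CA actually writes the base and delta CRL files
Add-CACrlDistributionPoint -Uri $FileCdp -PublishToServer -PublishDeltaToServer -Force

# AIA: remove every default entry, then add the UNC location to issued certificates
Get-CAAuthorityInformationAccess |
    ForEach-Object { Remove-CAAuthorityInformationAccess -Uri $_.Uri -Force }
Add-CAAuthorityInformationAccess -Uri $FileAia -AddToCertificateAia -Force

Restart-Service CertSvc   # extension changes apply after the CA service restarts
certutil -CRL             # publish a fresh base and delta CRL to the new location

# The manual copy step: CA certificate to the publishing point
Copy-Item 'C:\Windows\System32\CertSrv\CertEnroll\*.crt' -Destination $Share

# Check: the base CRL must be fetchable at the HTTP URL clients will use
Invoke-WebRequest -UseBasicParsing -Uri "http://$WebHost/CertEnroll/KHL-CA.crl" `
    -OutFile "$env:TEMP\KHL-CA.crl"
certutil -dump "$env:TEMP\KHL-CA.crl" | Select-String 'Issuer|Next Update'
```

Delta CRL file names contain a plus sign (KHL-CA+.crl), which IIS request filtering rejects unless allowDoubleEscaping is enabled on the site, so fetch the delta URL as well before relying on it.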
Now that our CDP and AIA extensions are set correctly, we can create our first Certificate Template. Certificate Templates are used to deploy certificates with certain pre-configured settings. The first certificate we will deploy will be our Web Server certificate. This certificate will be used later in this lab for our RD Web Server. Let’s follow the steps below to deploy our first Certificate Template:
1. From the taskbar click on Server Manager.
2. Select Tools | Certification Authority.
3. In the Left-Pane expand KHL-CA then right-click Certificate Templates and select Manage.
4. In the Right-Pane right-click Web Server and select Duplicate Template.
5. At the Certificate Templates Console click on the General tab.
6. Under Template display name: enter KHL Web Server then select Publish certificate in Active Directory.
7. Click on the Request Handling tab and select the Allow private key to be exported.
8. Click on the Security tab and select Authenticated users then under Permissions for Authenticated Users select Allow | Enroll then click OK.
9. Close Certificate Templates Console.
10. In the Left-Pane right-click Certificate Templates and select New | Certificate Template to Issue.
11. At the Enable Certificate Templates pop-up select KHL Web Server then click OK.
Now that we have finished creating our first Certificate Template, let’s issue our first Certificate Request from our Web Server. Log onto the Web Server (KHL-WEB) and follow the steps below to create and issue a certificate:
1. Log onto KHL-WEB.
2. Right-click the Windows Logo and select Run.
3. Enter CERTLM.msc then click OK.
4. In the Left-Pane right-click Personal and select All Tasks | Request New Certificate.
5. At the Before You Begin screen click Next.
6. At the Select Certificate Enrollment Policy screen click Next.
7. At the Request Certificates screen select KHL Web Server then click More information is required….
8. Under Subject name: use the pull-down menu and select Common name then enter rdpweb.killerhomelab.com under Value then click Add, OK, Enroll.
9. At the Certificate Installation Results screen click Finish.
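The enrollment from KHL-WEB as an added PowerShell example that is not from the original post: it requests the same certificate with the PKI module’s Get-Certificate cmdlet and then checks that the CDP and AIA URLs stamped into it can actually be fetched. It assumes the template’s internal name is KHLWebServer (the name the console derives from the display name KHL Web Server; confirm with certutil -template if yours differs).

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on KHL-WEB.
Import-Module PKI

# Template name is an assumption: the console strips spaces from "KHL Web Server".
$result = Get-Certificate -Template 'KHLWebServer' `
    -SubjectName 'CN=rdpweb.killerhomelab.com' `
    -DnsName 'rdpweb.killerhomelab.com' `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# Status is Issued for an auto-approved request; Pending means a CA manager
# still has to approve it, Denied means the template permissions are wrong.
if ($result.Status -ne 'Issued') { throw "Enrollment status: $($result.Status)" }
$cert = $result.Certificate

# Show the CDP and AIA extensions the CA stamped into the issued certificate;
# they should point at khl-ca.killerhomelab.com, not at the CA's default paths.
$cert.Extensions |
    Where-Object { $_.Oid.FriendlyName -in 'CRL Distribution Points','Authority Information Access' } |
    ForEach-Object { "$($_.Oid.FriendlyName): $($_.Format($true))" }

# Chain build with revocation checking. -urlfetch downloads every CDP/AIA URL
# and reports each as Verified or Failed, so a wrong URL or a missing file in
# the CertEnroll share shows up here rather than as a browser warning later.
$cerPath = "$env:TEMP\rdpweb.cer"
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
certutil -verify -urlfetch $cerPath

# The template marks the private key exportable (needed later for RD Web);
# keep access to this machine's key store tight for that reason.
```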
You have now deployed a PKI Infrastructure within your lab!!! This completes Part 3 of the Killer Home Lab Series. In Part 4 we will be adding Remote Connectivity capabilities within our lab using Remote Desktop Services. Have fun with the lab!!!