In Part 2 of this series we configured our Azure VM and On-Premise VM as Domain Controllers and established 2 Active Directory Sites. In Part 3 we will be deploying a PKI Infrastructure within our lab using Microsoft Active Directory Certificate Services. In production PKI deployments a two-tier CA hierarchy is normally used. This consists of an Offline Root and at least 1 Issuing CA. In the interest of time, and because this is a lab, we will be deploying a single certificate server on our On-Premise Domain Controller.
This article assumes that you have already completed Part 2 of this series, or at least have a Domain Controller (DC) and are able to stand up 1 additional machine to act as our Online Certificate Status Protocol (OCSP) responder. Let’s get started!!!
The first step will be installing the Active Directory Certificate Services Role on our On-Premise DC. Follow the steps below to get the role installed:
- From the taskbar click on Server Manager.
- Under the Configure this local server section click on Add roles and features.
- At the Before you begin screen click Next.
- At the Select installation type screen click Next.
- At the Select destination server screen click Next.
- At the Select server roles screen select Active Directory Certificate Services then at the Add feature pop-up click Add Features then Next.
- At the Select features screen click Next.
- At the Active Directory Certificate Services screen click Next.
- At the Select role services screen select Certification Authority then click Next.
- At the Confirm installation selections screen click Install.
- When setup completes click Close.
Now that we have installed Active Directory Certificate Services, it’s time to configure it.
1. Within Server Manager click on the Yellow Caution Sign under Notifications then click on Configure Active Directory Certificate Services on the …
2. At the Credentials screen click Next.
3. At the Select Role Services to Configure screen select Certification Authority then click Next.
4. At the Specify the setup type of the CA screen select Enterprise CA then click Next.
5. At the Specify the type of the CA screen select Root CA then click Next.
6. At the Specify the type of the private key screen select Create a new private key then click Next.
7. At the Specify the cryptographic options screen select SHA256 as shown below then click Next.
8. At the Specify the name of the CA screen change Common name for this CA: to the following then click Next:
KHL-CA
9. At the Specify the validity period screen enter 10 for the number of Years then click Next.
10. At the Specify the database locations screen click Next.
11. At the Confirmation screen click Configure.
12. At the Results screen click Close.
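The same install and configuration can be scripted. The following is an added example (not commands from the original post), run in an elevated PowerShell session on the On-Premise DC; it uses the CA name, SHA256 and 10-year validity chosen in the wizard above, while the 2048-bit key length and the Software Key Storage Provider are assumptions the post does not state.

```powershell
# Added example: PowerShell equivalent of the Server Manager steps above.
# Run elevated on the On-Premise DC (the future CA).
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# Enterprise Root CA, new private key, SHA256, 10-year validity (as in the wizard).
# KeyLength and CryptoProviderName are assumptions; the post only shows SHA256.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'KHL-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 10 `
    -Force

# Checks: the CA service is running, certutil reports the expected CA name,
# and the CA certificate in the local Root store expires ~10 years out.
Get-Service certsvc | Select-Object Name, Status
certutil -cainfo name
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like 'CN=KHL-CA*' } |
    Select-Object Subject, NotAfter, SignatureAlgorithm
```

If `Install-AdcsCertificationAuthority` is re-run on a server that already has a CA it will fail rather than overwrite it, so the wizard and the script are interchangeable only on a clean role install.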
Now that we have stood up our CA, it is time to set the values for the certificates it will issue. The two settings we will be customizing for this lab are the CRL Distribution Point (CDP) and the Authority Information Access (AIA) extensions. For this lab we will only be using OCSP via our AIA extension. In order to use OCSP we will be deploying a Web Server within Azure. Not only will this server act as our Online Responder, but it will also be used in Part 4 of this series, “Remote Desktop Services”. Follow the steps below to deploy a server within Azure:
1. In the Left-Pane click + | Compute | Windows Server 2012 R2 Datacenter.
2. At the Windows Server 2012 R2 Datacenter screen click Create.
3. At the Basics screen enter the following then click OK.
***Note: The virtual machine name will need to be unique for your lab since it’s a hostname within eastus.cloudapp.azure.com. So KHL-WEB is no longer available.
4. At the Choose a size screen select DS1_V2 Standard VM (Best Bang for Buck) then click Select.
5. At the Settings screen accept the defaults then click OK.
6. At the Summary screen review your settings then click OK.
Sit back and wait for your Azure VM to be created. It normally takes about 5-10 minutes.
Once the VM is created we will need to make a few modifications to it so that we can reach it consistently over the network. This involves setting static IP addresses for the VM (internal and external) as well as an external DNS name for the computer that can be used to access it via Remote Desktop. Follow the steps below to make these changes:
1. In the Left-Pane click on Virtual Machines then click on KHL-WEB.
2. At the KHL-WEB screen click on the Public IP address as shown below:
3. At the KHL-WEB-ip – Configuration screen under Assignment click Static, under DNS name label enter khl-web, then click Save.
4. In the top-right corner click on the Bell to confirm the public IP address change has been saved.
5. Scroll back to the Left-Side of the screen then click on Virtual Machines | KHL-WEB.
6. Under KHL-WEB click on Network interfaces.
7. At the KHL-WEB – Network interfaces screen click on the Network Interface as shown below:
8. Under the Network Interface click on IP configurations.
9. At the IP configurations screen click on ipconfig1 as shown below:
10. At the ipconfig1 screen under Assignment select Static then click Save.
Follow the steps below to connect to KHL-WEB.
1. In the Left-Pane click on Virtual Machines then click on KHL-WEB.
2. At the KHL-WEB screen click on Connect.
3. At the Pop-up click Save.
4. At the next pop-up click on Open Folder.
5. Under the Downloads double-click on KHL-DC then at the pop-up click Connect, and enter your Credentials.
Once we are logged into KHL-WEB we need to verify that it is using KHL-DC as its DNS server. We can do that by running NSLookup from a command prompt.
Once it is confirmed that we can communicate with KHL-DC we will join this server to the domain using the steps below:
1. Right-click on the Windows Logo and click on System.
2. Under Computer name, domain and workgroup settings click on Change settings.
3. At the pop-up screen click on Change.
4. Under Member of select Domain: then enter killerhomelab.com and click OK.
5. At the Computer Name/Domain Changes pop-up enter your Domain Admin and Password then click OK.
6. At the Computer Name/Domain Changes pop-up click OK, OK, then Close.
7. Click Restart Now.
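The DNS check and the domain join above can also be done from PowerShell. This is an added example (not from the original post), run elevated on KHL-WEB; the domain name and admin account are the ones used in this series, and the SRV-record check is an addition that catches the most common cause of a failed join (the VM still pointing at Azure's resolver instead of the DC).

```powershell
# Added example: confirm KHL-WEB resolves the domain via KHL-DC, then join it.
$Domain = 'killerhomelab.com'

# Which DNS servers is the active adapter using? Expect KHL-DC's private IP here.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

# A domain join needs the DC locator SRV record; if this fails, fix DNS first.
Resolve-DnsName "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
Resolve-DnsName "KHL-DC.$Domain" -ErrorAction Stop

# Join the domain with the Domain Admin account from this series and reboot.
$cred = Get-Credential -UserName 'KILLERHOMELAB\khl-admin' -Message 'Domain Admin credentials'
Add-Computer -DomainName $Domain -Credential $cred -Restart

# After the reboot, confirm the machine's secure channel to the domain is healthy:
#   Test-ComputerSecureChannel -Verbose
```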
Once the server has restarted we will re-connect using our Domain Admin credentials (KILLERHOMELAB\khl-admin). Once logged in we will need to install IIS using the steps below:
1. From the taskbar click on Server Manager.
2. Under the Configure this local server section click on Add roles and features.
3. At the Before you begin screen click Next.
4. At the Select installation type screen click Next.
5. At the Select destination server screen click Next.
6. At the Select server roles screen select Active Directory Certificate Services then at the pop-up click Add Features.
7. At the Select server roles screen select Web Services (IIS) then at the Add Roles and Features Wizard pop-up click Add Features then click Next.
8. At the Select features screen click Next.
9. At the Active Directory Certificate Services screen click Next.
10. At the Select role services screen unselect Certificate Authority and select Online Responder, click Add Features then click Next.
11. At the Web Server Role (IIS) screen click Next.
12. At the Select role services screen click Next.
13. At the Confirm installation selections screen click Install.
14. When setup completes click Close and restart as necessary.
Now that we have installed the IIS and OCSP binaries, we need to create the directory that will be used to publish our CRL. Follow the steps below to create a Virtual Directory within IIS to host the CRL:
1. Right-click the Windows Logo and select Run.
2. Enter InetMgr.exe then click OK.
3. In the Left-Pane of the Internet Information Services (IIS) Manager expand KHL-WEB.
4. At the pop-up click No.
5. Expand Sites then right-click Default Web Site and select Add Virtual Directory.
6. At the Virtual Directory pop-up under Alias enter CertEnroll then click …
7. At the Browse For Folder pop-up select Local Disk (C:) then click Make New Folder.
8. Enter CertEnroll then click OK, OK.
9. In the Left-Pane right-click CertEnroll then click Edit Permissions.
10. At the CertEnroll Properties click on the Sharing tab then click Advanced Sharing.
11. At the Advanced Sharing pop-up select Share this folder then click the Permissions button.
12. At the Permissions for CertEnroll pop-up click the Add button.
13. At the Select Users, Computers, Service Accounts, or Groups pop-up click on Object Types and select Computers then click OK.
14. At the Select Users, Computers, Service Accounts, or Groups pop-up enter OP-DC then click OK.
15. At the Permissions for CertEnroll under Permissions for OP-DC click Full control from the Allow Column then click OK, OK and Close.
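The role install, virtual directory and share from the two lists above can be scripted as follows. This is an added example (not from the original post), run elevated on KHL-WEB. It goes one step beyond the post in two places a practitioner usually needs: it grants the DC's computer account NTFS write access as well as share access (the CA publishes with the computer account, and share permissions alone are not enough), and it allows double escaping on the virtual directory so delta CRL file names containing "+" can be served over HTTP. The computer account name OP-DC$ is the one entered in step 14.

```powershell
# Added example: IIS + Online Responder binaries, CertEnroll virtual directory and share.
Install-WindowsFeature Web-Server, Web-Mgmt-Console, ADCS-Online-Cert -IncludeManagementTools

Import-Module WebAdministration
$Path = 'C:\CertEnroll'
New-Item -Path $Path -ItemType Directory -Force | Out-Null

# /CertEnroll on the Default Web Site, backed by C:\CertEnroll (steps 5-8).
New-WebVirtualDirectory -Site 'Default Web Site' -Name 'CertEnroll' -PhysicalPath $Path

# Delta CRLs are named <CA>+.crl; IIS request filtering rejects the '+' unless
# double escaping is allowed. Harmless if you never serve CRLs from here over HTTP.
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\CertEnroll' `
    -Filter 'system.webServer/security/requestFiltering' `
    -Name allowDoubleEscaping -Value $true

# Share with Full Control for the DC's computer account (steps 9-15).
$CaComputer = 'KILLERHOMELAB\OP-DC$'
New-SmbShare -Name 'CertEnroll' -Path $Path -FullAccess $CaComputer

# NTFS: the effective permission is the more restrictive of share and NTFS,
# so the computer account also needs Modify on the folder itself.
$acl  = Get-Acl $Path
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $CaComputer, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Check: the share exists and the virtual directory points at the right folder.
Get-SmbShare -Name CertEnroll | Select-Object Name, Path
Get-WebVirtualDirectory -Site 'Default Web Site' -Name CertEnroll | Select-Object path, physicalPath
```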
We will need to utilize Split-Brain DNS in order to provide internal and external name resolution for our domain. I have elliottfieldsjr.com registered, so this domain is no longer available. To complete the remaining parts of this blog I strongly recommend that you register your own Domain Name and utilize it for your external DNS name resolution.
External Name Resolution
Each Name Registrar has different procedures on creating DNS Records. Since this is out of scope for this lab please review your Name Registrar’s procedures to create the necessary DNS Records. In order to determine the IP address we need these A Records to point to we will ping the Azure FQDN which will be in the following format:
KHL-WEB.eastus.cloudapp.azure.com
In my case the IP assigned was 13.92.38.78. The FQDNs below, which we will also use for the Web Server certificate issued later in Part 3, will need to resolve to this IP. These FQDNs are:
rdpweb.it.dmgva.com (Remote Desktop Gateway Server)
khl-ca.it.dmgva.com (CRL Distribution Point / OCSP)
Internal Name Resolution
In order to provide Internal DNS Name Resolution follow the procedures listed below to create an AD Integrated DNS Zone and A records to support our Split DNS Configuration:
1. Log onto OP-DC and from within Server Manager select Tools | DNS.
2. In the Left-Pane of the DNS Manager expand KHL-DC | Forward Lookup Zones.
3. Right-click Forward Lookup Zones and select New Zone.
4. At the New Zone Wizard click Next.
5. At the Zone Type screen click Next.
6. At the Active Directory Zone Replication Scope screen click Next.
7. At the Zone Name screen enter the name of the Domain that you registered then click Next. (Example: it.dmgva.com)
8. At the Dynamic Update screen click Next.
9. At the Completing the New Zone Wizard screen click Finish.
10. In the Left-Pane select the DNS Zone you just created (Example: it.dmgva.com) then right-click it and select New Host (A or AAAA)…
11. At the New Host pop-up enter rdpweb for Name and 10.1.0.5 for IP Address then click Add Host and at the pop-up click OK.
12. At the New Host pop-up enter khl-ca for Name and 10.1.0.5 for IP Address then click Add Host and at the pop-up click OK, Cancel.
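The internal zone and A records above, plus a check that the internal and external views of the same name differ as intended, as an added example (not from the original post). Run it on the DC with the DnsServer module; it uses the example zone it.dmgva.com and the 10.1.0.5 address from the steps, and 8.8.8.8 is just a public resolver used to see the registrar's record.

```powershell
# Added example: AD-integrated zone and A records for the split-brain setup.
$Zone  = 'it.dmgva.com'   # the domain you registered
$WebIp = '10.1.0.5'       # KHL-WEB's private (Azure VNet) address

# Wizard defaults: primary, AD-integrated, replicated to DCs in this domain,
# secure dynamic updates only.
Add-DnsServerPrimaryZone -Name $Zone -ReplicationScope Domain -DynamicUpdate Secure

Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'rdpweb' -IPv4Address $WebIp
Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'khl-ca' -IPv4Address $WebIp

# Internal view (this DC): expect 10.1.0.5
Resolve-DnsName "khl-ca.$Zone" -Type A

# External view (public resolver): expect the static public IP of KHL-WEB,
# i.e. the same address the Azure FQDN resolves to.
Resolve-DnsName "khl-ca.$Zone" -Type A -Server 8.8.8.8
Resolve-DnsName 'KHL-WEB.eastus.cloudapp.azure.com' -Type A -Server 8.8.8.8
```

If the last two answers do not match, the registrar record is wrong or has not propagated yet; certificate validation from outside the lab will fail until they agree.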
Now we are finally ready to configure our CA extensions. We will start by generating the URLs that will be included within our certificates for the CDP and AIA extensions. Let’s log onto OP-DC and configure our extensions following the steps below:
1. Log onto OP-DC.
2. From the taskbar click on Server Manager.
3. Select Tools | Certification Authority.
4. In the Left-Pane right-click KHL-CA and select Properties.
5. At the KHL-CA Properties pop-up click on the Extensions tab.
6. Under the Specify locations from which users can obtain a certificate revocation list (CRL) select ldap://CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName.. then uncheck the following 3 options highlighted below:
7. Click the Add button then at the Add Location pop-up enter \\khl-ca.<mydomainname>.com\CertEnroll\ under Location. (Example: \\khl-ca.it.dmgva.com\CertEnroll\)
8. Make sure <CAName> is selected under Variable: then click Insert.
9. Under Variable: use the pull-down and select <CRLNameSuffix> then click Insert.
10. Under Variable: use the pull-down and select <DeltaCRLAllowed> then click Insert.
11. After <DeltaCRLAllowed> enter .crl then click OK.
12. Now select the following then click Apply:
- Publish CRLs to this location
13. Click Apply then Yes at the Certificate Authority pop-up.
14. Use the Select extension pull-down menu and select Authority Information Access (AIA).
15. Under the Specify locations from which users can obtain the certificate for this CA select ldap://CN=<CATruncatedName>,CN=AIA,CN=Public Key Services,CN=…. then uncheck Include in the AIA extension of issued certificates.
16. Click Apply then Yes at the Certificate Authority pop-up.
17. Under Specify locations from which users can obtain the certificate for this CA click the Add button.
18. At the Add Location pop-up enter http://khl-ca.<mydomainname>.com/ocsp under location then click OK. (Example: http://khl-ca.it.dmgva.com/ocsp)
19. Select Include in the online certificate status protocol (OCSP) extension then click Apply then Yes at the Certificate Authority pop-up.
20. Click OK to close the Certificate properties.
21. Under the CA right-click Revoked Certificates and then select All Tasks | Publish as shown below:
22. At the Publish CRL pop-up click OK.
23. Right-click the Windows Logo and select Run.
24. Enter \\khl-ca.it.dmgva.com\CertEnroll and click OK then confirm that the Base CRL is published as shown below:
25. While this folder is open we will copy our OP-DC.killerhomelab.com_KHL-CA.crt file to our publishing point as shown below:
Copy From: C:\Windows\System32\CertSrv\CertEnroll
Copy To: \\khl-ca.it.dmgva.com\c$\CertEnroll
Now that our CDP and AIA extensions are set correctly, we can create our Certificate Templates. Certificate Templates are used to deploy certificates with certain pre-configured settings. The first certificate we will deploy will be our Web Server certificate. This certificate will be used later in this lab for our RD Web Server. Let’s follow the steps below to deploy our first Certificate Template:
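Steps 6 through 25 map onto `certutil -setreg`, which is how most admins script CDP/AIA configuration. The block below is an added example (not the post's own commands), run elevated on OP-DC. It lists the full set of default entries so that nothing the wizard leaves untouched is lost, since `-setreg` replaces the whole value. One assumption is called out in a comment: the three boxes cleared on the LDAP CDP entry in step 6 are taken to be the three "Include in ..." options, leaving only the publish flags.

```powershell
# Added example: CDP and AIA extensions via certutil, mirroring steps 6-25.
# certutil variables: %1 ServerDNSName  %2 ServerShortName  %3 CAName
#   %4 CertificateName  %6 ConfigurationContainer  %7 CATruncatedName
#   %8 CRLNameSuffix  %9 DeltaCRLAllowed  %10 CDPObjectClass  %11 CAObjectClass
# CDP flags: 1 publish CRLs here, 2 include in CDP of issued certs, 4 include in CRLs
#   (delta lookup), 8 include in all CRLs, 64 publish delta CRLs here.
# AIA flags: 1 publish CA cert here, 2 include in AIA, 32 include in OCSP extension.
$Zone = 'it.dmgva.com'

$Cdp = @(
    '65:C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl'                     # default, unchanged
    '65:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10'  # step 6: assumed the 3 "Include in" boxes were cleared (was 79)
    '6:http://%1/CertEnroll/%3%8%9.crl'                                         # default, unchanged
    '0:file://%1/CertEnroll/%3%8%9.crl'                                         # default, unchanged
    "1:\\khl-ca.$Zone\CertEnroll\%3%8%9.crl"                                    # steps 7-13: publish only
)
$Aia = @(
    '1:C:\Windows\System32\CertSrv\CertEnroll\%1_%3%4.crt'                      # default, unchanged
    '0:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11'           # step 15: "Include in AIA" cleared (was 2)
    '2:http://%1/CertEnroll/%1_%3%4.crt'                                        # default, unchanged
    '0:file://%1/CertEnroll/%1_%3%4.crt'                                        # default, unchanged
    "32:http://khl-ca.$Zone/ocsp"                                               # steps 17-19: OCSP extension
)

# certutil treats a literal "\n" in the value as the entry separator.
certutil -setreg CA\CRLPublicationURLs ($Cdp -join '\n')
certutil -setreg CA\CACertPublicationURLs ($Aia -join '\n')
Restart-Service certsvc                                 # step 13/16/19 "Yes" restarts the service

certutil -crl                                           # steps 21-22: publish the base CRL

# Step 25: put the CA certificate next to the CRL on the publishing point.
Copy-Item 'C:\Windows\System32\CertSrv\CertEnroll\OP-DC.killerhomelab.com_KHL-CA.crt' `
          "\\khl-ca.$Zone\c$\CertEnroll\"

# Checks: the registry values read back as intended and the CRL landed on KHL-WEB.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
Get-ChildItem "\\khl-ca.$Zone\CertEnroll"               # expect KHL-CA.crl and the .crt
```

If `certutil -crl` reports access denied on the UNC path, the DC's computer account lacks write permission on the share or the NTFS folder on KHL-WEB; the CA publishes as the machine account, not as the logged-on user.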
1. From the taskbar click on Server Manager.
2. Select Tools | Certification Authority.
3. In the Left-Pane expand KHL-CA then right-click Certificate Templates and select Manage.
4. In the Right-Pane right-click Web Server and select Duplicate Template.
5. At the Certificate Templates Console click on the General tab.
6. Under Template display name: enter KHL Web Server then select Publish certificate in Active Directory.
7. Click on the Request Handling tab and select the Allow private key to be exported.
8. Click on the Security tab and select Authenticated users then under Permissions for Authenticated Users select Allow | Enroll then click OK.
9. In the Right-Pane right-click OCSP Response Signing and select Duplicate Template.
10. At the Certificate Templates Console click on the General tab.
11. Under Template display name: enter KHL OCSP Response Signing then select Publish certificate in Active Directory and change the Validity period to 2 years.
12. Click on the Security tab and select Authenticated users then under Permissions for Authenticated Users select Allow | Enroll then click OK.
13. Close the Certificate Templates Console.
14. In the Left-Pane right-click Certificate Templates and select New | Certificate Template to Issue.
15. At the Enable Certificate Templates pop-up select KHL Web Server and KHL OCSP Response Signing then click OK.
Now that we have finished configuring Templates, let’s issue our first Certificate Request from our Web Server. Log onto the Web Server (KHL-WEB) and follow the steps below to create and issue a certificate:
1. Log onto KHL-WEB.
2. Right-click the Windows Logo and select Run.
3. Enter CERTLM.msc then click OK.
4. In the Left-Pane right-click Personal and select All Tasks | Request New Certificate.
5. At the Before You Begin screen click Next.
6. At the Select Certificate Enrollment Policy screen click Next.
7. At the Request Certificates screen select KHL Web Server then click More information is required….
8. Under Subject name: use the pull-down menu and select Common name then enter rdpweb.it.dmgva.com under Value then click Add, OK, Enroll.
9. At the Certificate Installation Results screen click Finish.
10. In the Left-Pane right-click Personal and select All Tasks | Request New Certificate.
11. At the Before You Begin screen click Next.
12. At the Select Certificate Enrollment Policy screen click Next.
13. At the Request Certificates screen select KHL OCSP Response Signing then click Enroll, then Finish.
The last configuration we need to do with our Certificates is granting the Network Service Read access to the Private Key for our OCSP Response Signing Certificate. Follow the steps below to grant this permission:
1. Right-click the Windows Logo then select Run.
2. Enter certlm.msc then click OK.
3. In the Left-Pane expand Personal and select Certificates.
4. In the Right-Pane right-click KHL-WEB.killerhomelab.com (Make sure the Intended Purpose is OCSP Signing) and select All Tasks | Manage Private Keys.
5. At the Permission pop-up click Add.
6. At the Select Users, Computers, Service Accounts, or Groups pop-up enter NETWORK SERVICE then click OK.
7. In the Group or user name: section highlight NETWORK SERVICE then in the Permissions for NETWORK SERVICE section uncheck Allow for Full control then click OK.
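The two enrollments and the private-key permission from the three lists above can be scripted as follows. This is an added example (not from the original post), run elevated on KHL-WEB. Two things in it are assumptions: `Get-Certificate` wants the template's internal name rather than its display name, and `KHLWebServer` / `KHLOCSPResponseSigning` are the names the console derives by removing spaces (check the General tab of each template if enrollment fails); and the key-file lookup relies on the "Unique container name" line that `certutil -v -store` prints, which is how the key container is located on disk for both CSP and CNG keys.

```powershell
# Added example: enroll the two certificates, then give NETWORK SERVICE read
# access to the OCSP signing key (the Online Responder runs as NETWORK SERVICE).
$Store = 'Cert:\LocalMachine\My'

# KHL Web Server: subject supplied in the request (step 8 of the first list).
Get-Certificate -Template 'KHLWebServer' `
    -SubjectName 'CN=rdpweb.it.dmgva.com' -DnsName 'rdpweb.it.dmgva.com' `
    -CertStoreLocation $Store | Out-Null

# KHL OCSP Response Signing: subject is built from AD, so no -SubjectName.
Get-Certificate -Template 'KHLOCSPResponseSigning' -CertStoreLocation $Store | Out-Null

function Grant-PrivateKeyRead {
    # Grants $Identity read access to the on-disk key container of $Cert.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Identity
    )
    $info   = certutil -v -store My $Cert.Thumbprint
    $match  = $info | Select-String 'Unique container name:\s*(\S+)'
    if (-not $match) { throw "No private key container found for $($Cert.Thumbprint)" }
    $unique = $match.Matches[0].Groups[1].Value

    # CSP keys live under ...\Crypto\RSA\MachineKeys, CNG keys under ...\Crypto\Keys.
    $file = Get-ChildItem "$env:ProgramData\Microsoft\Crypto" -Recurse -Filter $unique |
            Select-Object -First 1
    if (-not $file) { throw "Key file $unique not found on disk" }

    # Read only, matching step 7 (Full control cleared, Read left checked).
    icacls $file.FullName /grant "${Identity}:(R)"
}

$ocspCert = Get-ChildItem $Store |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'OCSP Signing' } |
    Sort-Object NotBefore -Descending | Select-Object -First 1

Grant-PrivateKeyRead -Cert $ocspCert -Identity 'NT AUTHORITY\NETWORK SERVICE'

# Check: the ACL on the key file now lists NETWORK SERVICE with read access.
icacls (Get-ChildItem "$env:ProgramData\Microsoft\Crypto" -Recurse |
        Where-Object { $_.Name -eq ($ocspCert | ForEach-Object { $_.Thumbprint }) }).FullName 2>$null
```

The final `icacls` line is only a best-effort display; the authoritative check is to open the key through certlm.msc (Manage Private Keys) and confirm NETWORK SERVICE has Read and not Full control, exactly as the list above describes.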
Now that we have finished deploying and configuring our certificates, let’s configure our OCSP using the steps below:
1. Log onto KHL-WEB.
2. Within Server Manager click on the Yellow Caution Sign under Notifications then click on Configure Active Directory Certificate Services on the …
3. At the Specify Credentials to Configure Role Services click Next.
4. At the Select Role Services to configure screen select Online Responder then click Next.
5. At the Confirmation screen click Configure.
6. At the Summary screen click Close.
7. Right-Click the Windows Logo and select Run.
8. Enter OCSP.msc then click OK.
9. At the OCSP MMC right-click Revocation Configuration and select Add Revocation Configuration.
10. At the Add Revocation Configuration wizard click Next.
11. At the Name the Revocation Configuration screen enter KHL-CA then click Next.
12. At the Select CA Certificate Location screen make sure Select a certificate for an Existing enterprise CA is selected then click Next.
13. At the Choose CA Certificate screen click the Browse button then select KHL-CA at the pop-up then click OK.
14. At the Select Signing Certificate screen select Manually select a signing certificate then click Next.
15. At the Error pop-up click OK then click Provider…
16. At the Revocation Provider Properties enter the Base CRL location as shown below then click OK, then Finish:
17. In the Left-Pane expand Array Configuration and select KHL-WEB.killerhomelab.com.
18. In the Right-Pane select Assign Signing Certificate.
19. At the pop-up select KHL-WEB.killerhomelab.com then click OK.
20. In the Right-Pane click Refresh. Once completed the OCSP should show as Working as shown below:
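Steps 3 through 6 (the role configuration) have a cmdlet; the revocation configuration itself (steps 9 through 20) has no built-in cmdlet and stays in ocsp.msc. The block below is an added example (not from the original post) that runs the role configuration and then performs the end-to-end check a practitioner wants after the responder shows "Working": it exports the Web Server certificate issued earlier and asks certutil to fetch every CDP, AIA and OCSP URL it contains. The temp path is an assumption.

```powershell
# Added example: configure the Online Responder role, then validate the whole
# chain (CA cert over AIA, CRL over CDP, status over OCSP) from an issued cert.
Install-AdcsOnlineResponder -Force          # steps 3-6
Get-Service OcspSvc | Select-Object Name, Status

# Export the KHL Web Server certificate issued to rdpweb.it.dmgva.com.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=rdpweb.it.dmgva.com' } |
    Sort-Object NotBefore -Descending | Select-Object -First 1

$out = 'C:\Temp'                            # assumed scratch folder
New-Item -Path $out -ItemType Directory -Force | Out-Null
Export-Certificate -Cert $cert -FilePath "$out\rdpweb.cer" | Out-Null

# -urlfetch retrieves each URL in the AIA/CDP/OCSP extensions and reports
# per-URL success; the OCSP entry must come back verified rather than failed,
# and the overall result should end without a revocation-check error.
certutil -verify -urlfetch "$out\rdpweb.cer"

# Spot-check reachability of the responder itself on port 80.
Test-NetConnection -ComputerName 'khl-ca.it.dmgva.com' -Port 80 |
    Select-Object ComputerName, RemoteAddress, TcpTestSucceeded
```

Run the same `certutil -verify -urlfetch` from a machine outside the lab (with the exported .cer copied over) to prove the split-brain DNS and the registrar records are correct: outside the lab, khl-ca.it.dmgva.com must resolve to the public IP of KHL-WEB for the OCSP fetch to succeed.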
Now that we have finished configuring our OCSP, you have deployed a PKI Infrastructure within your lab!!! This completes Part 3 of the Killer Home Lab Series. In Part 4 we will be adding remote connectivity capabilities within our lab using Remote Desktop Services. Have fun with the lab!!!