Deploying a PKI IIS Web Server - SECNET E12

Captions
Hello YouTube, and welcome to my channel. In today's episode I will be deploying a web server that will host the PKI certificates and CRL as well as the online responder, or OCSP. This server will be Windows Server 2019, and this video is a part of my series on building an enterprise network. If you're new to the channel, please subscribe, and if you like this video, please do click the like button.

So in the last video I built out the PKI proxy. Um, this is a reverse proxy that will point requests for OCSP and CRL to the internal HQ PKI web server, uh, which I am deploying today. So let's jump in and begin building this out.

So as I stated, we already built out the HQ PKI proxy, um, and in this video I will be building out the web server. So let's start that. Uh, this will be a 2019 server, so I'm going to use the 2019 server template. So I'm going to call this HQ PKI web and then click next, select our server, next. I'm going to customize the operating system and power on after the VM has been created, and I'm going to click next. I'm going to select the server template and click next. So the name for this will be HQ PKI web. I'm going to click next.

So as that is building, what I'm going to do is jump over to the Active Directory domain and Active Directory Users and Computers, and I'm going to look at groups. So I'm going to create a group in here, and I'm creating this group under the domain secnet, accounts, groups, and I'm going to call this CA Publishers. And what this group will do is allow the issuing certificate authority to publish the CRLs and certificate files to the web server. So once the computer account has joined, I will add it to that group. So I will let this finish building out and I will return once it's done.

All right, so the server has been joined to the domain and has let me log in, uh, for the first time, and I have successfully updated the group policies. So what I'm gonna do is change the IP address and move this over to the AAA network. So the IP address for this is going to be 10.0.31.23 and default gateway is 10.0.31.1, 10 0 31.1131.12. All right, and for our reboot I'm going to work over and I'm going to change the network to play, go ahead and reboot. So while that's rebooting, I'm going to, uh, add in a disk. It'll be a 10 to a 10 gig hard drive, um, that will be used to store the certificates and CRL. It'll never be 10 gigs, but and this I default go to.

All right, so now that that is up, I'm going to log in. All right, so now that I've been able to log in, what I'm going to do is refresh this and then take that and move it down, OU that I created, take this and put it here. Good with now that this is up, I'm gonna run a group policy update again, and I'm just going to let that run in the background.

First thing I'm going to do is go into Disk Management, click yes, and I'm going to bring the disk online, initialize, okay, simple volume, drive E, click the label. And then on drive E I'm going to create a new folder, call it pki. Right click, properties, security. I'm going to add CA Publishers group with manageability. Then I'm going to rest, I go into sharing, advanced sharing, share it as pki. The permissions will be domain users read, admins change. Close that.

Then I'm going to open up Server Manager. So I'm going to click add roles and features, click next, next, next. I'm going to add the, uh, I'll add the certificate role now as well. I'm not going to install the certificate, uh, certification authority, but I am going to install the online responder, uh, and the only thing, yep, I want to make sure request filtering is enabled. Click next, and I will return once this is complete.

Okay, so our server roles have finished installing. There are post configuration roles that need to happen, but I'm not going to do that until after I deploy the enterprise certificate authority. Uh, so what I'm going to do is minimize this, open up IIS. I'm going to expand this down, and under the default web server I'm going to create a new virtual directory. I'm going to call this pki and I'm going to specify the folder I created on the E drive. We're going to do application user, I click OK. And then I'm going to go to request filtering, uh, and then I'm going to allow double escaping.

So what I'm going to do real quick while I'm here, just drop over to the E drive and create a couple of files. First let me go view and allow file name extensions to be visible. So I'm going to call this index.html, and then I'm going to copy this, OCSP. Okay, so that is about the extent of HTML knowledge that I have, but I just wanted a quick test page here, and it looks exactly how I imagine it would look. Probably use an editor to add in some links, say PKI server. Um, all right, so now that that is done, just one more thing I want to do.

All right, so the next thing that I have to do is create a firewall rule, and I can jump back over to this picture. So ultimately I'm creating a rule that allows the proxy server to communicate to the HQ PKI web server. So clients will come into the proxy server, proxy server will then go out to the web server to build the request. So before that can happen I have to allow the firewall, I have to permit the connection through the firewall.

So I'm going to jump back over to the firewall. So this will be those, I could create this rule underneath this one. What I'll do is add, this will be HQ PKI proxy to, this will not be a universal rule but an interzone rule, and this will be from the DMZ, which will be our view proxy server, that will be destined to AAA network. And I have to create a new record, which will be hq ekiweb.sec.org, and the IP address will be 10.0.31.23. Okay, application ob web browsing and OCSP, application defaults, and we're going to allow. So okay, I'm going to commit this and be back once this is completed.

Okay, so that is nearing its completion. So what I'm going to do is jump back over to the proxy server and start the services. I'm going to run systemctl status nginx, and the service is running. Now if I go to, use a different browser, pki.sec network to work, I get what I should get, which you can.

So in this video we built the OCSP/CRL web server and we tested connection through the PKI proxy to the server, so that is working as expected. All right, so that's going to be the end of today's episode on building out a web server as part of our PKI solution. If you like this video, please do click the like button, and if you want to see more content such as this, please do subscribe. Thank you.
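
The folder, share, virtual directory and request-filtering steps walked through in the captions can also be scripted. The PowerShell below is an added example, not something shown in the video; the domain name `EXAMPLE` is a placeholder, and the Modify/Change rights for the CA Publishers group and the scoping of double escaping to `/pki` only are assumptions.

```powershell
# Added example (not from the video): scripted form of the GUI steps.
# Assumptions: EXAMPLE is a placeholder NetBIOS domain name; the CA Publishers
# group gets NTFS Modify and share Change; double escaping is scoped to /pki.
$Domain  = 'EXAMPLE'
$PkiPath = 'E:\pki'
$Group   = "$Domain\CA Publishers"
$Site    = 'Default Web Site'

# IIS with request filtering plus the Online Responder; no CA role on this host.
Install-WindowsFeature Web-Server, Web-Filtering, ADCS-Online-Cert -IncludeManagementTools

# Folder on the data disk; the publishing group can write CRLs and certificates.
New-Item -ItemType Directory -Path $PkiPath -Force | Out-Null
icacls $PkiPath /grant "${Group}:(OI)(CI)M"

# Share the folder as "pki": read for domain users, change for the publishers.
New-SmbShare -Name 'pki' -Path $PkiPath `
    -ReadAccess "$Domain\Domain Users" -ChangeAccess $Group

# Publish the same folder over HTTP as /pki.
Import-Module WebAdministration
New-WebVirtualDirectory -Site $Site -Name 'pki' -PhysicalPath $PkiPath

# Delta CRL file names contain "+", which request filtering rejects unless
# double escaping is allowed. Set it for /pki only, not for the whole site.
$rf = @{
    PSPath   = 'MACHINE/WEBROOT/APPHOST'
    Location = "$Site/pki"
    Filter   = 'system.webServer/security/requestFiltering'
    Name     = 'allowDoubleEscaping'
}
Set-WebConfigurationProperty @rf -Value $true

# Confirm the setting and that directory listing stays off for /pki.
$escaping = (Get-WebConfigurationProperty @rf).Value
$browse   = (Get-WebConfigurationProperty -PSPath $rf.PSPath -Location $rf.Location `
    -Filter 'system.webServer/directoryBrowse' -Name 'enabled').Value
"allowDoubleEscaping=$escaping directoryBrowse=$browse"
```

Run it in an elevated session on the web server after the data disk is online as drive E.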
Info
Channel: Julian Yates
Views: 175
Keywords: Deploying a PKI IIS Web Server, julian yates, it, information technology, security, network, networking, firewall, internet information services, windows server, iis web server, web server iis, digital certificates, certificate authority server 2019, public key infrastructure, pki, vmware, virtualization, deploy a pki on windows server 2019, windows 2019 certificate authority step by step, certificate authority, reverse proxy, nginx reverse proxy
Id: pQ8bpuQTh1E
Length: 17min 4sec (1024 seconds)
Published: Mon Sep 21 2020