Implementing 2 Tier PKI with CRL

Captions
Hi friends, my name is Raku and welcome to my channel. I work as a system engineer specializing in SCCM and Intune in the end user computing space. Today I will be explaining how we can configure a 2-tier PKI in a lab, but essentially the concept remains the same even if you're doing it in a production environment. My lab runs on the VMware Workstation Pro application, but you can use Hyper-V or Oracle VirtualBox; it should work exactly the same.

Talking about my existing setup: my domain name is home.com, and my DC and root CA are both on the same subnet, hence there is no issue in communication between them. Since it is my lab I have disabled the firewall, but in a production environment you may want to get in touch with your netops team to get port 135 allowed for better communication and, you know, not to face any issues there. My lab is a single-domain forest with one DC in place; as I said already, the domain name is home.com. I will be configuring the root CA of my 2-tier PKI lab on a non-domain VM. This will eventually be used to convert my SCCM lab from HTTP to HTTPS. So with no further delay, let's jump right into it.

So, as you can see, this is my root CA. I've renamed it; it's in a workgroup. There's no need to put in a static IP as long as it's getting an IP and communication is there. Just to save us a bit of time, I have configured this notepad file, which I will put in the description below. Basically this is extracts from different Microsoft TechNet articles and other documentation I found on Google, just to make our life easy. As you can see, the very first link is the TechNet link, the Microsoft Docs link, which explains the steps of a 2-tier PKI in detail.

So the very first thing we have to do is create a file called CAPolicy.inf. To create it we just right click here and run PowerShell as admin, and then you type notepad C:\Windows, give it a name and hit Enter. It should create the file. Once the file is there, come in here, copy the content from here to here, paste it, save it. Just to see if it got what we need, you check it; it's all good.

The next step is we need to make a DNS change, which basically is an alias for the CRL that we're going to use to submit the certificate request. So I'm going to use pki.home.com, which will be pointing to my DC. So let's jump to my DC. Why are we doing it on my DC? Because I will be using my DC as the subordinate CA; I don't want to use another, third VM here, so I'm using my DC. There's no harm in doing it; it's just that I don't have enough infrastructure to spin up another VM. So if you can have a look, that's it, done, click OK. It's here, all good.

While we are here we can also go ahead and install the web server role. In order to do that you just click Add Roles, Next, Next, pretty much it. Leave everything default, we don't want to do anything, and just click Next. While it's installing, let's come back here. We're going to install the CA role on this CA: click Next, Add Role, Root CA, and select the very first one. We're not selecting anything else; it's just going to be purely a root CA, nothing else. So click Next. While it's installing we can check on the subordinate CA as things are going. It's still installing the web services that we initiated before, and we're also installing Active Directory Certificate Services on our primary root CA here, which will be offline once we are done here. While this is also running we can do one more thing, which is to check the communication between the DC and the root CA. So it's all there. Make sure you have this folder created on your DC, or the subordinate CA, so you can configure. So what basically we did: we clicked on Configure Active Directory Certificate Services on the destination server, which is the root CA. You click on it, select CA at the very top, it's going to be a standalone CA, root CA, yep, new key. I'm just going to change the key length and leave everything else default; click Next. I'm going to name it Offline Root CA, that's what I'm going to name mine, so you can name it anything you want. I'm going to change this to 20 years, that's what I want, and click on Configure. Pretty straightforward.

Once it is done you're going to come back here, right click, open Certification Authority; it should open the Certification Authority console. Just going to make one change here. Once it is here you're going to go to C:\Windows\System32\CertSrv; this is where your default certificate and everything are located. We're not going to do anything with that just now, because if you come back to the notepad file, once this is done we need to make these changes. We're going to define the AD configuration partition in this distinguished name. One thing to note here: I'm going to run these commands, but you need to change these values, so the DC parts: if yours is, let's say, lab.local, you're going to put lab here and local here. Mine is home.com, so I'm using home here and com here, just to make things easier. This is the bat file I'm going to share with you all; basically it's going to run all these things. I don't want to copy-paste each and every thing, so I'm just going to change it. It's saying that I need to restart the cert services, which is nothing but Active Directory Certificate Services, to complete or make sure the changes take effect. I'll leave that there and move to the next step, because we're going to restart the service once we are done with all the steps. You're going to press any key and it's going to complete; just make sure that this line exists after every keystroke. It's there. So it's restarting the services now. It's going to stop the services first; it's stopping. Let's wait. Once it is stopped then it will restart as well. It's taking a bit more time. Cool, so it's stopped, perfect, so it's starting now. Cool, so it started successfully as well.

So we come back here, cool, everything's working. That's the name we gave. We come here, click Properties; we can always view the certificate. It's going to be good for 20 years, as we defined. One thing you can always check is the signature hash algorithm here, that's what we selected, and it should say 4096 on the public key strength. That's all good.

So we're going to make some changes here to the CRL and the AIA. The first thing we're going to do: remove this one, remove this one too, click Add and copy this part; we're going to change it to pki.home.com. So you just click here and click OK, make sure these two are selected. Don't click OK or Apply, because that's going to restart the cert services; we will click Apply once we are done with both the options, the AIA (Authority Information Access) and the CRL as well, the CDP. So you can remove these two, click here, we're going to do the same thing: copy this one, paste it here, pki.home.com, and click OK, include, click OK. Yep, I'm going to click Yes on that. OK, so you come here; you can also check the revoked certificates length, so we publish it for 20 years. What basically it means is that we need to power on this root CA every 20 years. So yeah, just click here, click Publish, it's a new CRL, perfect. So that's all done: we published the root cert and CRL. You copy these two files and paste them on the DC wherever you want to; I'm going to put them here because I have created another bat file that I'm going to use on my subordinate CA to activate these files, which I will show you in a short time. So if you look there, we're done with this bat file and we're going to jump on our subordinate CA, in my case my domain controller. Meanwhile this is also done. Just to test if our web services are working on that, I'm just going to browse to pki.home.com. Perfect, which means it is working. So we're going to minimize that. The DNS part is done.

Come here, right, so again we're going to do the same thing: create a new CAPolicy.inf file. So this one, we just click Yes, copy the content, paste it, save it; we can close it. I'll paste this one and provide this one as well; I'll probably put it on my GitHub and you guys can download it from there if you want. The next thing we're going to do is publish the root CA's certificates, at least in AD. Some tutorials online may tell you not to publish the CRL and other things before you copy the certificates from the root CA to the subordinate CA, but what we're going to do is install the role first. OK, I'm going to do that, yeah, the role, click Next here. Make sure that you do select Certification Authority Web Enrollment and click Next, click Install.

While it's installing I just want to give you a bit of an insight into what we're doing here. My experience, in my journey of learning 2-tier infrastructure, has been really super fast; I would say learning on steroids, to be honest with you. I had to learn all this in a matter of two to three weeks, which is in no way a recommended way of learning PKI; it's way too complicated. But there was a business requirement that I had to understand, and there was urgency because of the circumstances in our company, with everybody going remote, and we had to implement Cloud Management Gateway in our office within a matter of days. One of the prerequisites is to have the whole site on HTTPS beforehand, so that was kind of a driving point for why I had to learn this and implement it within a week's time.

Great, so the installation has completed. Once the installation is done you just come in here, click on Configure AD Certificate Services on this destination server as we did in the previous one. You click Next. One more thing: this is my domain admin or enterprise admin account; if you're using a different one, you just need to make sure this account is a member of Enterprise Admins in your domain, otherwise it won't work. So yeah, click Next, select both of these, click Next. You're going to use Enterprise CA this time because it's going to be the subordinate one. Perfect, click Next. Just going to change the key length, and again I'm going to name it Issuing CA because it's going to be used as an issuing CA, right. So this is the request file to authenticate; since our root CA is not in the domain we need to authenticate this subordinate CA manually, and that's just a one-time thing; you don't have to do it every time, just once. Everything else is default, just click Next. All right, this warning is basically saying that we haven't submitted this request, hence it cannot validate the functionality of the CA on this server. That's what we're going to do now.

If you come back to your root CA and go to that DC C$, that's the file there; copy it from there and paste it in C:\Temp on your root CA. Come here, right click, and here you're going to submit a new request; browse to C:\Temp, select the subordinate's request. It's going to be in Pending Requests; right click, All Tasks, Issue. Once it is issued, open it, Copy to File, click Next; we're going to export it as a .p7b as well, so just name it the issuing CA cert file. Click Next, click Finish, export was successful, cool. So you just put it back here in C:\Temp, paste it, and come back to our subordinate CA. Before we import this one we're just going to run this bat file. What this bat file is basically going to do is all the steps which are mentioned here; it's just going to run those, it's not going to do anything fancy, it's just going to run these one by one. If you have a look, that's all it's doing. So run it, run it as admin. That's fine: success, success, it's completed successfully, success. I put in two pauses to say, have you installed the role? Yes we have, so it's going to successfully complete this one. Oh, there is an extra "e" there; I think I made a typographical error. Oh yes, I have. So we can always come in here and run that manually. Perfect, so that's done. See, that's the reason why you have to keep a closer look every time you click any key to continue: it has to say "successfully", otherwise something won't work, and you'll be scratching your head all the time while it's not working, and then you're going to spend hours and hours troubleshooting it. But if you follow this same process that I'm doing right now, it's going to work perfectly fine for you, trust me on that. So all good, successful here, successful, perfect. So it's starting. Great. OK, it failed on something here. What we need to do to fix that part is come in here to complete the certification authority: right click, and you need to install the CA cert, the one that we exported from the root CA; exactly the same certificate you need to submit here. Right click, start the service. Perfect, it works fine. So it failed on something; oh yeah, it failed on the services because the services were not running before. It started running now since we imported that certificate here.

So the next thing we have to do is make those exact same changes to the CRL and the AIA as well. Just click Add, copy this one, add it here, put the same name, pki.home.com in my case; it may be something else in your case guys, so please make sure you change it. Click OK, include it here. Remove, remove, Add, copy, pki.home.com, remove it, so just copy here, click OK. Yep, we just need to do that, and then go to Revoked Certificates, Publish new CRL; we don't want the delta one, delta zero. Cool, so that part is done. You should see these ones here. What we have to do is copy these two files; remember we copied these two from the root CA, these two files. These two files from here need to go into the CertEnroll folder on your subordinate CA; click Yes, continue. So that part is done. If you come in here, cool, you see this one; that means it's working. You can create a new request here, or you can submit a new one after entering your certificate request here. I haven't published any templates, but you can always publish any template you want. To publish a new template you can always come in here and say Duplicate Template, whatever name or details you want; you can always publish a new template, and then you can start deploying certificates from there.

One more thing I wanted to show you guys is how to check the health of any 2-tier PKI environment. The command is pkiview; it should always have all the checks done. If you are facing any issue or a red mark here, that means there are some issues with it. Pretty straightforward basic troubleshooting is just: you copy this URL and run it in the browser. It should always download this certificate; this means the certificate, oh sorry, the web CRL is working; it should distribute the certificates without any issue. But if there are any issues, this is the very first point you should be looking at.

So with this guys, that's pretty much it for this video, the very first session of mine. If I have made any mistake, feel free to give me feedback, put it in the comments. If you need any information or help, feel free to ask me; I'm more than happy to answer all of your queries. And again, this is my first attempt; if I have made any mistake, please, I apologize for that. And yeah, have a good day, take care guys, bye.
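The root CA steps the video runs from its bat file (setting the AD configuration DN, pointing CDP and AIA at pki.home.com, restarting the service, publishing the CRL) and the health check at the end, written out as an added PowerShell example; this is not the author's bat file or the notepad contents. The CRL and validity periods, the CA name "Offline Root CA" and the C:\Temp path for the issued subordinate cert are assumptions chosen for the lab.

```powershell
# Added example, not the video's bat file. Run elevated on the offline root CA
# after the AD CS role is configured; the last section is run from a domain-joined
# machine once the .crt and .crl have been copied to the web server on the DC.
$Domain  = 'home.com'        # lab domain from the video
$PkiHost = 'pki.home.com'    # DNS alias for the CDP/AIA web server (points at the DC)

# Build "CN=Configuration,DC=home,DC=com" from the domain name, so the standalone
# (non-domain) root knows which AD partition to reference in its LDAP CDP/AIA paths.
$DcParts  = ($Domain -split '\.') | ForEach-Object { "DC=$_" }
$ConfigDN = 'CN=Configuration,' + ($DcParts -join ',')
certutil -setreg CA\DSConfigDN $ConfigDN

# CRL lifetime (assumed: one year, no delta CRL). An offline root only needs to be
# powered on to republish before this period ends, which is why it is kept long.
certutil -setreg CA\CRLPeriodUnits 52
certutil -setreg CA\CRLPeriod 'Weeks'
certutil -setreg CA\CRLDeltaPeriodUnits 0

# Longest lifetime the root will put on certs it issues (assumed: 10 years).
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod 'Years'

# CDP and AIA: "1:" = write the file locally into CertEnroll, "2:" = embed the HTTP
# URL in issued certs. Both use pki.home.com so clients never need LDAP to the root.
$Local = '%WINDIR%\system32\CertSrv\CertEnroll'
certutil -setreg CA\CRLPublicationURLs    ("1:$Local\%3%8%9.crl`n2:http://$PkiHost/CertEnroll/%3%8%9.crl")
certutil -setreg CA\CACertPublicationURLs ("1:$Local\%1_%3%4.crt`n2:http://$PkiHost/CertEnroll/%1_%3%4.crt")

# Registry changes only take effect after the service restarts; then publish the CRL.
Restart-Service certsvc
certutil -crl

# --- Health check (from a domain machine, after copying the files to the DC) ---
# Fetch the root CRL over HTTP exactly as a client would; a 200 means the web CDP works.
$CrlUrl = "http://$PkiHost/CertEnroll/Offline%20Root%20CA.crl"   # assumed CA name
(Invoke-WebRequest -Uri $CrlUrl -UseBasicParsing).StatusCode

# Walk the issuing CA's chain and fetch every CDP/AIA URL it carries. Any
# "failed" line here is the same red mark pkiview.msc would show.
certutil -verify -urlfetch 'C:\Temp\issuingca.crt'   # assumed path of the exported cert
```

Adjust the CA name in the CRL URL to whatever you named your root, since certutil derives the file name (%3) from it.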
Info
Channel: Team IT
Views: 214
Id: ji4qyBjdHeY
Length: 22min 21sec (1341 seconds)
Published: Fri Aug 21 2020