2. Installing Root Certification Authority 2
Table of Contents
1 Introduction (page 3)
2 Installation (page 4)
2.1 CAPolicy.inf File (page 4)
2.2 Installing Certificate Services (page 6)
3 Post Installation Tasks (page 10)
3.1 To verify Installation (page 10)
3.2 Map the Namespace of Active Directory to an Offline CA's Registry Configuration (page 10)
3.3 Configure Distribution Points for CRL and AIA by using GUI (page 11)
3.4 Republish new CRLs (page 15)
3.5 Set the Validity Period for Issued Certificates at the Offline Root CA (page 15)
3.6 Object Access Auditing (page 16)
3.7 Export Root Certificates and CRL to a floppy (page 17)
3.8 All in one post installation batch file (page 18)
3.9 Publishing CA certificates and CRL in Active Directory (page 20)
1 Introduction
The CONTOSO stand-alone root CA (named ContosoRootCA) is never connected to a network
and remains offline and physically secured. It is installed on Microsoft Virtual Machine 2005 R2
SP1. The root CA issues and revokes certificates for the Issuing/Policy CAs in the hierarchy. The
offline root keys are generated by the Microsoft software CSP. The CA certificate and the CRL are
published regularly and manually, and are made available through an HTTP and an LDAP
distribution point.
Settings for the offline root CA:
Computer name (must be unique in the network): ContosoRootCA
Windows Server 2003 with SP2
Local password: d?spene_$uT2$Ra5
Windows Server 2003 Resource Kit Tools installed
Common name for this CA: CONTOSO Corporate Root CA
Distinguished name suffix: DC=CONTOSO,DC=com
IP: 192.168.80.80, mask 255.255.255.0
Hard disk: 20 GB, all allocated to the C: partition
2 Installation
2.1 CAPolicy.inf File
The CAPolicy.inf file provides Certificate Services configuration information, which is read during
initial CA installation and whenever the CA certificate is renewed. The CAPolicy.inf file defines
settings specific to root CAs, as well as settings that affect all CAs in the CA hierarchy.
By default, the CAPolicy.inf file does not exist when Microsoft Windows Server 2003 is installed.
It must be created manually in the Windows operating system folder (the %windir% folder). When
Certificate Services is installed, the operating system applies any settings defined in the
CAPolicy.inf file.
This CAPolicy.inf file for the root CA makes the following assumptions:
The root CA will renew its key with a new key of 4,096 bits.
Hash algorithm: SHA-1
The validity period of the root CA certificate is 20 years.
Base CRLs are published every 50 weeks.
Delta CRLs are disabled.
The root CA certificate does not contain a CDP or an AIA extension, which prevents revocation
checking of the root CA certificate itself.
Cryptographic service provider (CSP): Microsoft Strong Cryptographic Service Provider.
Database and log settings: database files in C:\CA_DB, log files in C:\CA_LOG.
Empty CDP and AIA locations in the CAPolicy.inf file.
Based on these assumptions, the following CAPolicy.inf file can be placed in the %windir% folder of
the ROOTCA computer:
[Version]
Signature="$Windows NT$"
[certsrv_server]
renewalkeylength=4096
RenewalValidityPeriodUnits=20
RenewalValidityPeriod=years
CRLPeriod=weeks
CRLPeriodUnits=50
CRLDeltaPeriodUnits=0
CRLDeltaPeriod=days
[CRLDistributionPoint]
Empty=True
[AuthorityInformationAccess]
Empty=True
Notes:
o The [Version] section declares that the .inf file uses the Windows NT format. This section
must exist for both root and subordinate CA installations.
o CRLDeltaPeriodUnits=0 means that delta CRLs are disabled, which is the
recommendation for an offline root CA.
o [CRLDistributionPoint] and [AuthorityInformationAccess] are set to Empty=True as a
best practice for the root CA certificate. After installation, the CDP and AIA locations
are redefined so that certificates issued to the Issuing/online CAs point to the correct
locations.
o renewalkeylength=4096 specifies the key length for the root CA certificate when its key
is renewed. The current key length, on the other hand, is specified in the installation
wizard.
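A small check, added here as an example and not part of the original page, that parses a CAPolicy.inf and reports any deviation from the offline-root assumptions listed above (4,096-bit renewal key, delta CRLs disabled, empty CDP and AIA sections). The embedded file is a copy of the page's CAPolicy.inf; the function and threshold names are my own.

```python
import configparser

# Copy of the CAPolicy.inf shown above (constructed input for the check).
PAGE_CAPOLICY = """[Version]
Signature="$Windows NT$"
[certsrv_server]
renewalkeylength=4096
RenewalValidityPeriodUnits=20
RenewalValidityPeriod=years
CRLPeriod=weeks
CRLPeriodUnits=50
CRLDeltaPeriodUnits=0
CRLDeltaPeriod=days
[CRLDistributionPoint]
Empty=True
[AuthorityInformationAccess]
Empty=True
"""


def load_capolicy(text):
    # interpolation=None so "$Windows NT$" and any "%" are taken literally.
    # configparser lower-cases option names; section names keep their case.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_offline_root_policy(text, min_key_bits=4096):
    """Return a list of findings; an empty list means the file matches the
    offline-root assumptions described above."""
    cp = load_capolicy(text)
    findings = []
    if cp.get("Version", "Signature", fallback="") != '"$Windows NT$"':
        findings.append('[Version] Signature must be "$Windows NT$"')
    srv = cp["certsrv_server"] if cp.has_section("certsrv_server") else {}
    if int(srv.get("renewalkeylength", "0")) < min_key_bits:
        findings.append(f"renewalkeylength is below {min_key_bits} bits")
    if srv.get("crldeltaperiodunits", "") != "0":
        findings.append("CRLDeltaPeriodUnits must be 0 (delta CRLs disabled)")
    if not srv.get("renewalvalidityperiodunits"):
        findings.append("RenewalValidityPeriodUnits is missing")
    # The root certificate itself must carry no CDP or AIA extension.
    for section in ("CRLDistributionPoint", "AuthorityInformationAccess"):
        if cp.get(section, "Empty", fallback="").lower() != "true":
            findings.append(f"[{section}] must contain Empty=True")
    return findings


if __name__ == "__main__":
    print(check_offline_root_policy(PAGE_CAPOLICY) or "CAPolicy.inf OK")
```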
2.2 Installing Certificate Services
Once the CAPolicy.inf file is in place, Certificate Services can be installed on the root CA
computer. The installation must be performed by a member of the local Administrators group on
the CA computer, and the computer must not be a member of a domain. This allows the
computer to be removed from the network for long periods of time.
Note: IIS is not required for the installation of an offline root CA. The only certificate requests
submitted to the root CA are for subordinate CA certificates, and these can be submitted by using
the Certification Authority console.
You can use the following procedure to install the root CA:
1. Ensure that the date and time on the root CA computer are correct.
This ensures the correct time for publishing and time-stamping CRLs.
(Run this command from the root CA: net time \\jdcdc01.contoso.com /set)
2. From the Start menu, click Control Panel and click Add or Remove Programs.
3. In the Add or Remove Programs window, click Add/Remove Windows Components.
4. In the Windows Components Wizard, in the Windows Components list, click the Certificate
Services check box.
5. In the Microsoft Certificate Services dialog box, click Yes.
6. On the Windows Components page, click Next.
7. On the CA Type page, click Standalone Root CA, enable the Use Custom Settings to Generate
the Key Pair and CA Certificate check box, and click Next.
8. On the Public and Private Key Pair page, set the following options:
CSP: Microsoft Strong Cryptographic Service Provider
Allow the CSP to interact with the desktop: Disabled
Hash algorithm: SHA-1
Key length: 4,096
9. On the CA Identifying Information page, enter the following information:
Common Name for this CA: CONTOSO Corporate Root CA
(Optional) Distinguished name suffix: DC=CONTOSO,DC=com
Validity Period: 20 Years
(The validity period can only be set here for a root CA.)
Note:
If you type a name in the (Distinguished name suffix), confirm that you have typed it correctly so
that it works in the context of the Active Directory domain name. If you install a CA on a computer
that is a domain member with Enterprise Administrator privileges, the distinguished name suffix is
automatically configured. You can also set the distinguished name suffix at a later time by using
the Certutil.exe command.
10. On the Certificate Database Settings page, provide the following settings and click Next:
Certificate database: C:\CA_DB
Certificate database log: C:\CA_Log
CA configuration: C:\CA_Config
11. If prompted, insert the Windows Server 2003, Standard Edition CD in the CD-ROM drive
and choose the i386 folder.
15. In the Microsoft Certificate Services dialog box, click OK to acknowledge that IIS is not installed.
16. On the Completing the Windows Components Wizard page, click Finish.
17. Close the Add or Remove Programs dialog box.
3 Post Installation Tasks
After the stand-alone offline root CA is installed, you must configure the properties of the offline
root CA for certificates that are subsequently issued from the CA. These extensions are
necessary to ensure correct revocation and chain building.
Note that all settings configured on the CA can be found under the following registry path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration
3.1 To verify Installation:
At a command prompt, type certutil -cainfo and verify the CA type. The result will be
similar to the following:
CA type: 3 -- Stand-alone Root CA
ENUM_STANDALONE_ROOTCA -- 3
At a command prompt, type certutil -getreg to verify the database settings.
3.2 Map the Namespace of Active Directory to an Offline CA's
Registry Configuration
Because the offline root CA is not connected to the domain and does not automatically publish
the CRL to Active Directory, you must set a key in the registry. To do this, at a command prompt,
type the following command and then stop and start the CA service:
certutil.exe -setreg ca\DSConfigDN CN=Configuration,DC=contoso,DC=com
Where DC=concorp,DC=contoso,DC=com is the namespace of the forest root domain. This
setting is primarily required for CRLs and CA certificates (AIA) that are published in Active
Directory.
This registry value supplies the %6 replacement token that is required for the LDAP CRL location.
3.3 Configure Distribution Points for CRL and AIA by using GUI
The CRL and AIA distribution points must be set before any certificates are issued from the new
CA. This configuration step ensures that the correct information is embedded in each of the
issued certificates so that the certificate's signature and revocation status can be verified. CRL
distribution point and AIA extension changes take effect only after the CA is restarted.
We must configure the CRL and AIA distribution points for certificates issued by this CA. To
configure these extensions in a Windows Server 2003 CA, perform the following steps:
1. Log on to the computer running Certificate Services with an account that has Certification
Authority Management permissions.
2. Click Start, point to All Programs, point to Administrative Tools, and then click
Certification Authority.
3. In the console tree, right-click the name of the CA that you want to work with, and then
click Properties. Click the Extensions tab.
4. To configure the distribution points for the CRL:
First, remove all of the CRL distribution point locations, except for the local CRL
distribution point.
Warning: Do not remove the local CRL distribution point location. The local
distribution point will look similar to the following path:
C:\Windows\System32\CertSrv\CertEnroll\CorporateRootCA.crl
The CA must publish the CRL to the file system because none of the other distribution
points are accessible to this offline CA. The CA uses the local CRL to validate all
certificates that are generated before the certificates are issued to users. The local
path is not included in the CRL distribution point extension of issued certificates.
On the Extensions tab, in Select extension, select CRL Distribution Point (CDP).
In Specify location from which users can obtain a certificate revocation list (CRL),
click the default LDAP location, click Remove, and then click Yes.
Repeat this for all CRL distribution point locations except for the local CRL
distribution point.
After you remove all of the appropriate locations, the remaining list of CRL
distribution points will be similar to the following figure.
Note: Never add CDP locations from the GUI, and always use the CA replacement variables
instead of typing the explicit server name or certificate name. This is the
recommendation from the Microsoft PKI team.
Create a folder named CA on the www.contoso.com server.
Add the folder to IIS by creating a virtual directory. Grant only Read access to
Everyone and clear all other check boxes.
Make sure that the file names published over HTTP exactly match the CA
certificate and CRL distribution point names defined in the CA configuration. If
the file names do not match, clients will fail to retrieve the CRL from the URL that
was specified as the CRL distribution point.
On the offline root, copy the contents of the
%Systemroot%\System32\Certsrv\CertEnroll folder to a floppy disk.
Take the floppy disk to the online server and move the contents into the folder
created previously.
Record the URL for the virtual directory (http://www.contoso.com/CA/Contoso Root
CA.crl).
Run the script below (the command is a single line; %% is the batch-file escape for a single %,
so at an interactive prompt type each token with one % instead):
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n14:LDAP:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10\n2:http://www.contoso.com/ca/%%3%%8%%9.crl"
Make sure to configure the properties for each URL as shown in the table below:
CRL distribution point property                                  File    HTTP     LDAP
Publish CRLs to this location check box                          Select  N/A      Clear
Include in all CRLs check box                                    N/A     N/A      Select
Include in CRLs check box                                        N/A     Select*  Select
Include in the CDP extension of issued certificates check box    N/A     Select   Select
Publish delta CRLs to this location check box                    Clear   N/A      Clear
Note:
In Publish CRLs to this location: because the CorporateRootCA computer is not attached to the
network, the CA cannot automatically publish the CRL to the LDAP CRL distribution point. By
default, this option is selected on an enterprise CA to automate CRL publishing to the LDAP
CRL distribution point.
In Publish CRLs to this location, a UNC file path can be specified to publish to clustered Web
servers using IIS for CRL fault tolerance.
If the Publish Delta CRLs to this location check box is selected, make sure that the delta CRL
is also published.
On the Extensions tab, in Select extension, choose Authority Information
Access (AIA).
Remove any existing locations, then run the script below (a single line; %% as above):
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:LDAP:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11\n2:http://www.contoso.com/ca/%%1_%%3%%4.crt"
Access protocol  AIA Distribution Point
[local]          D:\WINDOWS\system32\CertSrv\CertEnroll\%1_%3%4.crt
HTTP             http://www.contoso.com/pki/%1_%3%4.crt
LDAP             ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11
Make sure to configure the properties for each URL as shown in the table below:
AIA property                                                              FILE  HTTP    LDAP
Include in the AIA extension of issued certificates check box             N/A   Select  Select
Include in the online certificate status protocol (OCSP) extension check box  N/A   Clear   Clear
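The numeric prefix on each certutil URL entry is a bit mask of the check boxes in the two tables above (1 = publish to this location, 2 = include in the CDP/AIA extension of issued certificates, 4 = include in CRLs, 8 = include in all CRLs, 64 = publish delta CRLs; 32 = include in the OCSP extension for AIA), and %1..%11 are the CA's replacement tokens. The following example, added here and not part of the original page, decodes the page's two registry values, expands the tokens with constructed values for the lab CA, and flags settings that an offline root cannot honour; the token values and function names are assumptions of mine.

```python
import re

# certutil replacement tokens, %1 .. %11, by index.
TOKENS = {1: "ServerDNSName", 2: "ServerShortName", 3: "CaName",
          4: "CertificateName", 5: "DomainDN", 6: "ConfigDN",
          7: "CATruncatedName", 8: "CRLNameSuffix", 9: "DeltaCRLAllowed",
          10: "CDPObjectClass", 11: "CAObjectClass"}

# Flag bits of CRLPublicationURLs and CACertPublicationURLs (Extensions tab).
CDP_FLAGS = {1: "Publish CRLs to this location",
             2: "Include in the CDP extension of issued certificates",
             4: "Include in CRLs", 8: "Include in all CRLs",
             64: "Publish delta CRLs to this location"}
AIA_FLAGS = {1: "Publish CA certificate to this location",
             2: "Include in the AIA extension of issued certificates",
             32: "Include in the OCSP extension"}

# Constructed token values for the page's lab CA (adjust to your forest).
LAB = {"ServerDNSName": "ContosoRootCA", "ServerShortName": "ContosoRootCA",
       "CaName": "CONTOSO Corporate Root CA", "CertificateName": "",
       "DomainDN": "DC=contoso,DC=com",
       "ConfigDN": "CN=Configuration,DC=contoso,DC=com",
       "CATruncatedName": "CONTOSO Corporate Root CA", "CRLNameSuffix": "",
       "DeltaCRLAllowed": "",
       "CDPObjectClass": "?certificateRevocationList?base?objectClass=cRLDistributionPoint",
       "CAObjectClass": "?cACertificate?base?objectClass=certificationAuthority"}

# The page's values as stored in the registry (single %, literal "\n" separator).
PAGE_CDP = ("1:%WINDIR%\\system32\\CertSrv\\CertEnroll\\%3%8%9.crl\\n"
            "14:LDAP:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\\n"
            "2:http://www.contoso.com/ca/%3%8%9.crl")
PAGE_AIA = ("1:%WINDIR%\\system32\\CertSrv\\CertEnroll\\%1_%3%4.crt\\n"
            "2:LDAP:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\\n"
            "2:http://www.contoso.com/ca/%1_%3%4.crt")


def parse_urls(value):
    """Split a -setreg URL string into (flags, template) pairs; each entry is
    "<flags>:<url>" and entries are separated by a literal backslash-n."""
    entries = []
    for item in value.split("\\n"):
        flags, _, url = item.partition(":")
        entries.append((int(flags), url))
    return entries


def expand(template, values=LAB):
    # Match %10 and %11 before single-digit tokens; leaves %WINDIR% untouched.
    return re.sub(r"%(1[01]|\d)", lambda m: values[TOKENS[int(m.group(1))]], template)


def decode(flags, table):
    return [name for bit, name in table.items() if flags & bit]


def audit_offline_root(entries):
    """Findings that contradict the offline-root guidance in this section."""
    findings = []
    for flags, url in entries:
        is_file = not re.match(r"(?i)(ldap|http|file):", url)
        if flags & 1 and not is_file:
            findings.append(f"offline CA cannot publish to {url}")
        if flags & 64:
            findings.append(f"delta CRL publishing enabled for {url}")
        if is_file and flags & 2:
            findings.append(f"local path would appear in issued certificates: {url}")
    return findings
```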
3.4 Republish new CRLs
It is important to republish the CRL because changed configuration parameters such as
DSConfigDN are included as attributes in the CRL. The CRL properties also affect where the
CRL is published.
Log on to the CA server with CA Manager permissions.
Open the Certification Authority MMC. To do this, click Start, point to All Programs,
point to Administrative Tools, and then click Certification Authority.
Right-click Revoked Certificates, point to All Tasks, and then click Publish.
A new base CRL is published. A delta CRL is published only if you have also set the delta CRL
publication schedule.
When you are prompted to confirm the type of CRL that should be published with this
request, click New CRL.
Because only base CRLs are published by the offline root CA, only the New CRL option
is available.
Alternatively, to publish the CRL from a command prompt, type certutil -CRL and then
press ENTER. The CRL is then published to the location that you configured.
3.5 Set the Validity Period for Issued Certificates at the Offline
Root CA
Note that during the installation we specified the validity period of the CA certificate itself (20
years), because there is no parent CA from which the validity period could be inherited.
Because this CA will issue certificates in the future, there must also be a way to specify the
validity period of issued certificates. To do this, run the following batch file on the root CA:
certutil -setreg ca\ValidityPeriodUnits 10
certutil -setreg ca\ValidityPeriod "Years"
net stop certsvc & net start certsvc
3.6 Object Access Auditing
The post-installation script enables all auditing events for Certificate Services. These events
depend on success and failure auditing being enabled for Object Access. Because the offline policy CA
is not a member of a domain, auditing must be enabled in the Local Security Policy using the
following procedure:
1. From Administrative Tools, open Local Security Policy.
2. In Security Settings\Local Policies\Audit Policy, enable the following auditing settings:
Account Logon: Success, Failure
Account Management: Success, Failure
Directory Service Access: Failure
Logon Events: Success, Failure
Object Access: Success, Failure
Policy Change: Success, Failure
Privilege Use: Failure
Process Tracking: No auditing
System Events: Success, Failure
3. Close the Local Security Policy console.
4. Close all windows.
5. Run this command: certutil -setreg CA\AuditFilter 127
6. Enable object access auditing in the following locations:
a. %windir%\system32\certsrv\certenroll
b. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration
Configure CRL Publication Interval by Using the User Interface
After the CRL distribution point is set, you must configure the CRL publication interval. To
configure the publication schedule, use the following procedure.
1. Click Start, point to Programs, point to Administrative Tools, and then click
Certification Authority. This opens the Certification Authority MMC Snap-in.
2. In the console tree, right-click Revoked Certificates, and then click Properties.
3. In CRL publication interval, type a number for the CRL publication interval according to
your CPS (50 weeks).
4. Verify that the Publish Delta CRLs check box is not selected.
3.7 Export Root Certificates and CRL to a floppy
Make sure a floppy disk is inserted in the root CA and run the script below:
certutil -crl
::Copy the Root CA certificates and CRLs to the floppy drive
ECHO Insert a floppy disk in drive A:
sleep 5
copy /y %windir%\system32\certsrv\certenroll\*.cr? a:
Note: certutil -crl publishes a new CRL, and the sleep command requires that the
Windows Server 2003 Resource Kit is installed on the root CA computer. After installing the
Resource Kit tools, search for sleep.exe and copy it to %windowsroot%\system32.
3.8 All in one post installation batch file
@ECHO OFF
REM FileName Config-Root
REM Contoso International
REM CA configuration script for Windows Server 2003 CA
REM
REM Map the Active Directory namespace
certutil.exe -setreg ca\DSConfigDN "CN=Configuration,DC=CONTOSO,DC=com"
REM
REM Configure CRL and AIA CDP
REM (%% is the batch-file escape for a single % in the stored value)
REM
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n14:LDAP:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10\n2:http://www.contoso.com/ca/%%3%%8%%9.crl"
REM
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:LDAP:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11\n2:http://www.contoso.com/ca/%%1_%%3%%4.crt"
REM
REM Configure CRL Publication
REM
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLPeriodUnits 50
REM
REM Set the CRL Overlap
REM
certutil -setreg CA\CRLOverlapUnits 10
certutil -setreg CA\CRLOverlapPeriod "Days"
REM
REM Disable Delta CRL Publication
REM
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\CRLDeltaPeriod "days"
REM
REM Set the validity period for issued certificates
REM
certutil -setreg ca\ValidityPeriodUnits 10
certutil -setreg ca\ValidityPeriod "Years"
REM
REM Enable all auditing events for the CONTOSO Corporate Issuing CA
certutil -setreg CA\AuditFilter 127
REM
REM Restart the CA Server Services
REM
net stop certsvc & net start certsvc
REM
REM Publish CRL
REM CRL publishing may not work immediately after the CA service
REM is restarted. If this happens, run "certutil -CRL" again at a
REM command prompt.
REM
SLEEP 5
certutil -CRL
REM
REM Test if CAPolicy.inf file exists
REM
IF EXIST %SYSTEMROOT%\capolicy.inf GOTO ENDCFG
ECHO Warning, no capolicy.inf file used
:ENDCFG
pause
3.9 Publishing CA certificates and CRL in Active Directory
On the offline root, copy the contents of %Systemroot%\System32\Certsrv\CertEnroll
into the root of the C: drive of a domain controller, open a command prompt there, and
type the following (%%c is batch-file syntax; at an interactive prompt use %c):
cd \
for %%c in (*.crt) do certutil -dspublish -f "%%c" RootCA
for %%c in (*.crl) do certutil -dspublish -f "%%c"
Note: If the publication of the root CA certificate, append the Root CA NetBIOS name to
the command as per the following:
for %%c in (*.crt) do certutil -dspublish -f "%%c" RootCA CAName
Where CAName is the NetBIOS name of the root CA server.