
How to remove SSL 2.0 Server-Side Support from Windows Server 2008 R2

SSL 2.0 was released in 1995 but was almost immediately replaced by SSL 3.0 in 1996 because of a number of security vulnerabilities. Nevertheless, Microsoft still enables server-side SSL 2.0 by default in Windows 7 and Windows Server 2008 R2, which will cause your server to fail any PCI compliance test.

Disabling server-side SSL 2.0 is actually quite simple. You just need to create this registry value and reboot the server:

Key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
Name: Enabled
Value: 0


After you’ve disabled it, you can verify functionality by using this free SSL Server Test from Qualys SSL Labs.

There is no need to make any modifications to Internet Information Services (IIS) or Threat Management Gateway (TMG); this is strictly an operating system level function.

For reference, client-side SSL 2.0 is disabled by this registry value, which should already be present:

Key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
Name: DisabledByDefault
Value: 1

Note that you can follow the same process for just about any version of Windows since 2003.
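The following PowerShell script is an added example and is not code from the original post. It sets the server-side value the post describes (Enabled is a REG_DWORD), then reads both the Server and Client subkeys back so the state can be confirmed before rebooting. The function names are my own; the key paths and values are the ones listed above. Run it from an elevated prompt.

```powershell
# Added example (not from the original post): disable server-side SSL 2.0 and
# audit the SCHANNEL\Protocols\SSL 2.0 subkeys. Run elevated; reboot afterwards.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0'

function Get-Ssl2State {
    # Returns Enabled / DisabledByDefault for the Server and Client subkeys ($null = value absent).
    $state = @{}
    foreach ($side in 'Server', 'Client') {
        $key   = Join-Path $base $side
        $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        $state["$side.Enabled"]           = if ($props) { $props.Enabled } else { $null }
        $state["$side.DisabledByDefault"] = if ($props) { $props.DisabledByDefault } else { $null }
    }
    return $state
}

function Disable-Ssl2Server {
    # Creates ...\SSL 2.0\Server if it is missing and sets Enabled (REG_DWORD) to 0.
    $key = Join-Path $base 'Server'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
}

function Test-Ssl2Disabled {
    # $true when the server side is explicitly disabled and the client side is disabled by default.
    $s = Get-Ssl2State
    return ($s['Server.Enabled'] -eq 0) -and ($s['Client.DisabledByDefault'] -eq 1)
}

Write-Host 'Before:'; Get-Ssl2State | Format-Table -AutoSize
Disable-Ssl2Server
Write-Host 'After:';  Get-Ssl2State | Format-Table -AutoSize

if (Test-Ssl2Disabled) {
    Write-Host 'SSL 2.0 is disabled on both sides; reboot for the server-side change to take effect.'
} else {
    Write-Warning 'SSL 2.0 is not fully disabled; review the values above.'
}
```

The registry write only takes effect after the reboot the post mentions, so the "After:" output confirms the values are in place, and the Qualys test confirms the running server no longer negotiates SSL 2.0.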


Post Installation Script (Post_Install.bat) Template for Windows Server 2008 R2 Issuing CA

While implementing PKI at my current employer, I used the Microsoft Press books extensively to develop our implementation strategy. While doing so, I noticed that some of the scripts in the book had errors in them, so I ended up revising them to correct the errors and implement PKI with the policies we felt worked best in our environment.

The Post Installation Script below is specifically for an Issuing CA in a three tier hierarchy. With this policy, your Issuing CA will issue certificates lasting a maximum of 2 years and your CRL will be valid for up to three days (it should be updated automatically anyway). We set the same values in the CAPolicy.inf file, but this makes doubly sure they were applied.

Additionally, we are using this batch file to set publication points in Active Directory as well as on two web servers.

Change the placeholder values (DOMAIN, TLD, WEBSERVER1 and WEBSERVER2) to fit your environment. After that, simply copy the text below into a file named Post_Install.bat and run it on your Issuing CA immediately after Active Directory Certificate Services role installation.


::Issuing CA Post Installation Script
::Declare Configuration NC
certutil -setreg CA\DSConfigDN CN=Configuration,DC=DOMAIN,DC=TLD

::Define CRL Publication Intervals
certutil -setreg CA\CRLPeriodUnits 3
certutil -setreg CA\CRLPeriod "Days"
certutil -setreg CA\CRLOverlapUnits 4
certutil -setreg CA\CRLOverlapPeriod "Hours"
certutil -setreg CA\CRLDeltaPeriodUnits 12
certutil -setreg CA\CRLDeltaPeriod "Hours"

::Apply the required CDP Extension URLs
certutil -setreg CA\CRLPublicationURLs "65:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n79:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10\n6:http://%%1/CertEnroll/%%3%%8%%9.crl\n6:http://WEBSERVER1/CertData/%%3%%8%%9.crl\n6:http://WEBSERVER2/CertData/%%3%%8%%9.crl"

::Apply the required AIA Extension URLs
certutil -setreg CA\CACertPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n3:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11\n2:http://WEBSERVER1/CertData/%%1_%%3%%4.crt\n2:http://WEBSERVER2/CertData/%%1_%%3%%4.crt\n2:http://%%1/CertEnroll/%%1_%%3%%4.crt"

::Enable all auditing events for the Issuing CA
certutil -setreg CA\AuditFilter 127

:: Enable discrete signatures in issued certificates
certutil -setreg CA\csp\DiscreteSignatureAlgorithm 1

::Set Maximum Validity Period for Issued Certificates
certutil -setreg CA\ValidityPeriodUnits 2
certutil -setreg CA\ValidityPeriod "Years"

::Restart Certificate Services
net stop certsvc & net start certsvc

Install Policy (CAPolicy.inf) Template for Windows Server 2008 R2 Issuing CA

While implementing PKI at my current employer, I used the Microsoft Press books extensively to develop our implementation strategy. While doing so, I noticed that some of the scripts in the book had errors in them, so I ended up revising them to correct the errors and implement PKI with the policies we felt worked best in our environment. For more complete information on the CAPolicy.inf file, see the excellent “Windows Server 2008 CAPolicy.inf Syntax” Microsoft blog post.

The Install Policy below is specifically for an Issuing CA in a three tier hierarchy. With this policy, your Issuing CA will issue certificates lasting up to 2 years and your CRL will need to be updated at least every three days (should be set to update automatically anyway).

Save the text below into a file named “CAPolicy.inf” and place it in C:\Windows prior to adding the Active Directory Certificate Services role on your Issuing CA.


; Issuing CA CAPolicy.inf
[Version]
Signature="$Windows NT$"

[certsrv_server]
RenewalKeyLength=2048
RenewalValidityPeriodUnits=2
RenewalValidityPeriod=years

CRLPeriod=days
CRLPeriodUnits=3
CRLOverlapPeriod=hours
CRLOverlapUnits=4
CRLDeltaPeriod=hours
CRLDeltaPeriodUnits=12

AlternativeSignatureAlgorithm=1
LoadDefaultTemplates=0

How to Publish Root/Policy CAs in Active Directory

In order to get the Root and Policy CAs' CRT and CRL files published in Active Directory, you'll need to run the following commands from an elevated command prompt. Either include the directory in the file name or run the commands from the directory where the files are stored.

You should do this prior to setting up your Issuing CA, but it is not required if you manually add the CRTs to the Issuing CA and publish the CRLs in a location the Issuing CA can resolve.


certutil -dspublish -f "ROOTCA.crt" RootCA
certutil -dspublish -f "POLICYCA.crt" SubCA
certutil -dspublish -f "ROOTCA.crl"
certutil -dspublish -f "POLICYCA.crl"
gpupdate /force

Post Installation Script (Post_Install.bat) Template for Windows Server 2008 R2 Policy CA

While implementing PKI at my current employer, I used the Microsoft Press books extensively to develop our implementation strategy.  While doing so, I noticed that some of the scripts in the book had errors in them, so I ended up revising them to correct the errors and implement PKI with the policies we felt worked best in our environment.

The Post Installation Script below is specifically for a Policy CA in a three tier hierarchy.  With this policy, your Policy CA will issue a certificate to your Issuing CA lasting 5 years and you will only need to update your CRL once a year, allowing you to keep the Policy CA offline all but a few minutes a year.  We did that in the CAPolicy.inf file as well, but this makes doubly sure that those settings were set.

Additionally, we are using this batch file to set publication points in Active Directory as well as on two web servers. Those web servers will be listed on the Root CA Certificate, but you will need to manually copy the CRLs and CRTs there from %SystemRoot%\System32\CertSrv\CertEnroll. As your Policy CA should not be a member of the domain, you will also need to import the certificates into Active Directory.


::Policy CA Post Installation Script
::Declare Configuration NC
certutil -setreg CA\DSConfigDN "CN=Configuration,DC=DOMAIN,DC=TLD"

::Define CRL Publication Intervals
certutil -setreg CA\CRLPeriodUnits 52
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLOverlapUnits 2
certutil -setreg CA\CRLOverlapPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\CRLDeltaPeriod "Days"

::Apply the required CDP Extension URLs
certutil -setreg CA\CRLPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10\n2:http://WEBSERVER1/Certdata/%%3%%8%%9.crl\n2:http://WEBSERVER2/Certdata/%%3%%8%%9.crl"

::Apply the required AIA Extension URLs
certutil -setreg CA\CACertPublicationURLs  "1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11\n2:http://WEBSERVER1/CertData/%%1_%%3%%4.crt\n2:http://WEBSERVER2/CertData/%%1_%%3%%4.crt"

::Enable all auditing events for the [CompanyName] Policy CA
certutil -setreg CA\AuditFilter 127

::Set Validity Period for Issued Certificates
certutil -setreg CA\ValidityPeriodUnits 5
certutil -setreg CA\ValidityPeriod "Years"

:: Enable discrete signatures in subordinate CA certificates
Certutil -setreg CA\csp\DiscreteSignatureAlgorithm 1

::Restart Certificate Services
net stop certsvc & net start certsvc

Copy the text above into a file named Post_Install.bat and run it on your Policy CA immediately after Active Directory Certificate Services role installation.

Install Policy (CAPolicy.inf) Template for Windows Server 2008 R2 Policy CA

While implementing PKI at my current employer, I used the Microsoft Press books extensively to develop our implementation strategy.  While doing so, I noticed that some of the scripts in the book had errors in them, so I ended up revising them to correct the errors and implement PKI with the policies we felt worked best in our environment.

The Install Policy below is specifically for a Policy CA in a three tier hierarchy.  With this policy, your Policy CA certificate will last 10 years and you will only need to update your CRL once a year, allowing you to keep the Policy CA offline all but a few minutes a year.

Since this is a Policy CA, we also include a link to the Certificate Practice Statement in the configuration.

Save the text below into a file named “CAPolicy.inf” (changing the placeholder values CompanyName and WEBSERVER to fit your environment) and place it in C:\Windows prior to adding the Active Directory Certificate Services role on your Policy CA.


; Policy CA CAPolicy.inf (replace CompanyName and WEBSERVER with your own values)
[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies=CompanyNameCPS

[CompanyNameCPS]
OID=1.3.6.1.4.1.311.509.3.1
Notice=CompanyName Certificate Practice Statement
URL=http://WEBSERVER/Policies-Checklists-Procedures/

[certsrv_server]
RenewalKeyLength=2048
RenewalValidityPeriodUnits=10
RenewalValidityPeriod=years

CRLPeriod=weeks
CRLPeriodUnits=52
CRLOverlapPeriod=weeks
CRLOverlapUnits=2
CRLDeltaPeriodUnits=0
CRLDeltaPeriod=days

AlternativeSignatureAlgorithm=1

Post Installation Script (Post_Install.bat) Template for Windows Server 2008 R2 Root CA

While implementing PKI at my current employer, I used the Microsoft Press books extensively to develop our implementation strategy.  While doing so, I noticed that some of the scripts in the book had errors in them, so I ended up revising them to correct the errors and implement PKI with the policies we felt worked best in our environment.

The Post Installation Script below is specifically for a Root CA in a three tier hierarchy.  With this policy, your Root CA certificate will last 20 years and you will only need to update your CRL once a year, allowing you to keep the Root CA offline all but a few minutes a year.  We did that in the CAPolicy.inf file as well, but this makes doubly sure that those settings were set.

Additionally, we are using this batch file to set publication points in Active Directory as well as on two web servers. Those web servers will be listed on the Root CA Certificate, but you will need to copy the CRLs and CRTs there from %SystemRoot%\System32\CertSrv\CertEnroll. As your Root CA should not be a member of the domain, you will also need to import the certificates into Active Directory.

Copy the text below into a file named Post_Install.bat and run it on your Root CA immediately after Active Directory Certificate Services role installation.


::Root CA Post Installation Script
::Declare Configuration NC
certutil -setreg CA\DSConfigDN "CN=Configuration,DC=DOMAIN,DC=TLD"

::Define CRL Publication Intervals
certutil -setreg CA\CRLPeriodUnits 52
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\CRLDeltaPeriod "Days"
certutil -setreg CA\CRLOverlapPeriod "Weeks"
certutil -setreg CA\CRLOverlapUnits 2

::Apply the required CDP Extension URLs
certutil -setreg CA\CRLPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10\n2:http://WEBSERVER1/Certdata/%%3%%8%%9.crl\n2:http://WEBSERVER2/Certdata/%%3%%8%%9.crl"

::Apply the required AIA Extension URLs
certutil -setreg CA\CACertPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11\n2:http://WEBSERVER1/CertData/%%1_%%3%%4.crt\n2:http://WEBSERVER2/CertData/%%1_%%3%%4.crt"

::Enable all auditing events for the Root CA
certutil -setreg CA\AuditFilter 127

::Set Validity Period for Issued Certificates
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"

::Enable discrete signatures in subordinate CA certificates
Certutil -setreg CA\csp\DiscreteSignatureAlgorithm 1

::Restart Certificate Services
net stop certsvc & net start certsvc
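The following PowerShell script is an added example, not code from the original posts, and serves all three Post_Install.bat scripts (Issuing, Policy and Root CA). It reads back the values certutil -setreg CA\<Name> writes, which live under HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name> (the Configuration key's Active value names the CA installed on the machine), and compares them with the intended policy for the chosen tier. The expected values are taken from the scripts above; the tier names and function name are my own.

```powershell
# Added example (not part of the original posts): verify a CA's registry configuration
# against the Issuing / Policy / Root CA policy after Post_Install.bat has been run.
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# Expected values per tier, taken from the three Post_Install.bat scripts.
$expected = @{
    Issuing = @{ CRLPeriodUnits = 3;  CRLPeriod = 'Days';  CRLOverlapUnits = 4; CRLOverlapPeriod = 'Hours'; CRLDeltaPeriodUnits = 12; CRLDeltaPeriod = 'Hours'; ValidityPeriodUnits = 2;  ValidityPeriod = 'Years'; AuditFilter = 127 }
    Policy  = @{ CRLPeriodUnits = 52; CRLPeriod = 'Weeks'; CRLOverlapUnits = 2; CRLOverlapPeriod = 'Weeks'; CRLDeltaPeriodUnits = 0;  CRLDeltaPeriod = 'Days';  ValidityPeriodUnits = 5;  ValidityPeriod = 'Years'; AuditFilter = 127 }
    Root    = @{ CRLPeriodUnits = 52; CRLPeriod = 'Weeks'; CRLOverlapUnits = 2; CRLOverlapPeriod = 'Weeks'; CRLDeltaPeriodUnits = 0;  CRLDeltaPeriod = 'Days';  ValidityPeriodUnits = 10; ValidityPeriod = 'Years'; AuditFilter = 127 }
}

function Test-CaPostInstall {
    param([Parameter(Mandatory=$true)][ValidateSet('Issuing','Policy','Root')][string]$Tier)

    $caName   = (Get-ItemProperty -Path $configKey).Active
    $caKey    = Join-Path $configKey $caName
    $cfg      = Get-ItemProperty -Path $caKey
    $csp      = Get-ItemProperty -Path (Join-Path $caKey 'CSP')
    $problems = @()

    # Scalar values: compare as strings so REG_DWORD and REG_SZ are handled alike.
    foreach ($name in $expected[$Tier].Keys) {
        $want = $expected[$Tier][$name]
        $have = $cfg.$name
        if ("$have" -ne "$want") { $problems += "$name is '$have', expected '$want'" }
    }
    if ($csp.DiscreteSignatureAlgorithm -ne 1) { $problems += 'csp\DiscreteSignatureAlgorithm is not 1' }

    # Placeholders left in the URLs are the most common copy-and-paste mistake.
    foreach ($url in @($cfg.CRLPublicationURLs) + @($cfg.CACertPublicationURLs)) {
        if ($url -match 'WEBSERVER\d') { $problems += "placeholder host still present: $url" }
    }
    if ($cfg.DSConfigDN -match 'DC=DOMAIN,DC=TLD') { $problems += 'DSConfigDN still contains the DOMAIN/TLD placeholder' }

    # An offline Root or Policy CA publishes no delta CRLs, so no CDP entry should carry flag 64.
    if ($Tier -ne 'Issuing') {
        $delta = $cfg.CRLPublicationURLs | Where-Object { $_ -match '^(\d+):' -and ([int]$Matches[1] -band 64) }
        if ($delta) { $problems += 'a CDP entry has the publish-delta-CRL flag (64) set on an offline CA' }
    }

    if ($problems.Count -eq 0) { Write-Host "$caName matches the $Tier CA policy."; return $true }
    $problems | ForEach-Object { Write-Warning $_ }
    return $false
}

# Usage, on the CA itself after Post_Install.bat and the service restart:
#   Test-CaPostInstall -Tier Issuing
```

Run it once on each CA with the matching tier; a single warning about a WEBSERVER placeholder or a mismatched CRLPeriod is much cheaper to find here than after the first CRL fails to publish.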

Install Policy (CAPolicy.inf) Template for Windows Server 2008 R2 Root CA

While implementing PKI at my current employer, I used the Microsoft Press books extensively to develop our implementation strategy.  While doing so, I noticed that some of the scripts in the book had errors in them, so I ended up revising them to correct the errors and implement PKI with the policies we felt worked best in our environment.

The Install Policy below is specifically for a Root CA in a three tier hierarchy.  With this policy, your Root CA certificate will last 20 years and you will only need to update your CRL once a year, allowing you to keep the Root CA offline all but a few minutes a year.

Copy the text below into a file named “CAPolicy.inf” and place it in C:\Windows prior to adding the Active Directory Certificate Services role on your Root CA.


; Root CA CAPolicy.inf
[Version]
Signature="$Windows NT$"

[certsrv_server]
RenewalKeyLength=2048
RenewalValidityPeriodUnits=20
RenewalValidityPeriod=years

CRLPeriod=weeks
CRLPeriodUnits=52
CRLOverlapPeriod=weeks
CRLOverlapUnits=2
CRLDeltaPeriodUnits=0
CRLDeltaPeriod=days

AlternativeSignatureAlgorithm=1
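The following PowerShell checker is an added example, not code from the original posts, and applies to all three CAPolicy.inf templates (Issuing, Policy and Root CA). It parses the file as an INI and flags the mistakes that make ADCS setup silently ignore the file (a section other than [Version] first, a misspelled [certsrv_server]) or give the wrong policy (a unit word in a *PeriodUnits key and a number in a *Period key, which is easy to swap, or a leftover placeholder). The function names are my own; the accepted unit words are those CAPolicy.inf understands.

```powershell
# Added example (not part of the original posts): sanity-check a CAPolicy.inf
# before adding the ADCS role, so a bad file is caught while it is still cheap to fix.
function Read-IniFile {
    param([Parameter(Mandatory=$true)][string]$Path)
    $ini = @{}; $section = $null
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $ini[$section] = @{}; continue }
        if ($section -and $line -match '^([^=]+)=(.*)$') { $ini[$section][$Matches[1].Trim()] = $Matches[2].Trim() }
    }
    return $ini
}

function Test-CaPolicyInf {
    param([Parameter(Mandatory=$true)][string]$Path)
    $ini = Read-IniFile -Path $Path
    $problems = @()

    # Setup only honours the file when it carries a [Version] section with the NT signature.
    if (-not $ini.ContainsKey('Version')) { $problems += 'missing [Version] section (the file will be ignored)' }
    elseif ($ini['Version']['Signature'] -ne '"$Windows NT$"') { $problems += 'Signature must be "$Windows NT$"' }

    if (-not $ini.ContainsKey('certsrv_server')) { $problems += 'missing [certsrv_server] section (check the spelling)' }
    else {
        $srv = $ini['certsrv_server']
        # *Period keys hold a unit word, *PeriodUnits keys hold a count; catch the two being swapped.
        foreach ($key in $srv.Keys) {
            $val = $srv[$key]
            if ($key -match 'PeriodUnits$' -and $val -notmatch '^\d+$') { $problems += "$key should be a number, got '$val'" }
            elseif ($key -match 'Period$' -and $val -notmatch '^(hours|days|weeks|months|years)$') { $problems += "$key should be a unit (hours/days/weeks/months/years), got '$val'" }
        }
        if ($srv['RenewalKeyLength'] -and [int]$srv['RenewalKeyLength'] -lt 2048) { $problems += 'RenewalKeyLength is below 2048' }
    }

    # Every policy named in [PolicyStatementExtension] needs its own section with an OID.
    if ($ini.ContainsKey('PolicyStatementExtension')) {
        foreach ($name in ($ini['PolicyStatementExtension']['Policies'] -split ',')) {
            $name = $name.Trim()
            if ($name -eq '') { continue }
            if (-not $ini.ContainsKey($name)) { $problems += "policy '$name' has no [$name] section" }
            elseif (-not $ini[$name]['OID']) { $problems += "policy '$name' has no OID" }
        }
    }

    # Placeholders from the templates that were never replaced.
    foreach ($section in $ini.Keys) {
        foreach ($key in $ini[$section].Keys) {
            if ($ini[$section][$key] -match 'WEBSERVER|CompanyName') { $problems += "$section\$key still contains a placeholder" }
        }
    }

    if ($problems.Count -eq 0) { Write-Host "$Path looks consistent."; return $true }
    $problems | ForEach-Object { Write-Warning $_ }
    return $false
}

# Usage: Test-CaPolicyInf -Path C:\Windows\CAPolicy.inf
```

Because CAPolicy.inf is only read during role installation, a mistake in it is not reported anywhere; it simply produces a CA with default settings, which is why a pre-install check like this is worth the thirty seconds it takes.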

How to Install Root CA Certificates on Policy CA

Prior to installing the Policy CA certificate that is issued by the Root CA, you will need to install the Root CA Certificates on the Policy CA so that it knows it can trust the CA that issued its certificate.

To do this, copy the Root CA certs from “%SystemRoot%\System32\CertSrv\CertEnroll” on the Root CA to a directory on the Policy CA (I used c:\RootCA as an example below), and then run this script (modify paths & filenames) to add them to the local certificate store.


certutil -addstore -f Root "C:\RootCA\ROOTCA.crt"
certutil -addstore -f Root "C:\RootCA\ROOTCA.crl"
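The following PowerShell script is an added example and is not code from the original post. It imports every .crt and .crl from the folder the post uses (C:\RootCA, changeable via the Folder parameter) with the same certutil -addstore command, then confirms each certificate is really present in the machine's Root store by comparing thumbprints, so a stale or wrong file is caught rather than just a missing one. The function names are my own; the thumbprint comes from the .NET X509Certificate2 class.

```powershell
# Added example (not part of the original post): import the Root CA files and
# verify the result against the LocalMachine\Root store. Run elevated on the Policy CA.
param([string]$Folder = 'C:\RootCA')

function Install-RootCaFiles {
    param([Parameter(Mandatory=$true)][string]$Folder)
    foreach ($file in Get-ChildItem -Path (Join-Path $Folder '*') -Include *.crt, *.crl) {
        # certutil -addstore accepts both certificates and CRLs for the Root store, as in the post.
        & certutil -addstore -f Root $file.FullName | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "certutil failed for $($file.Name)" }
    }
}

function Test-RootCaInstalled {
    # $true only when every .crt in the folder is in LocalMachine\Root under the same thumbprint.
    param([Parameter(Mandatory=$true)][string]$Folder)
    $ok = $true
    foreach ($file in Get-ChildItem -Path $Folder -Filter *.crt) {
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file.FullName
        $match = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
        if ($match) {
            Write-Host ("{0}: {1} (expires {2})" -f $file.Name, $cert.Subject, $cert.NotAfter)
        } else {
            Write-Warning "$($file.Name) is not in LocalMachine\Root"
            $ok = $false
        }
    }
    return $ok
}

Install-RootCaFiles -Folder $Folder
Test-RootCaInstalled -Folder $Folder
```

Checking by thumbprint rather than by subject name matters on a CA that has been renewed: two Root CA certificates can share a subject, and the Policy CA must trust the one that actually signed its certificate.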