My Certificate Authority Lab Setup (Part 1) – Offline Root CA
To start with something simple, I’m building a 2-tier CA hierarchy: an offline root CA and an issuing Windows Server 2003 Enterprise CA.
Some notes on my Root CA setup:
- Install Windows Server 2003, Standard Edition is good enough for an offline CA.
- Workgroup only, DO NOT join Domain.
- Think twice on the Computer Name before starting CA installation, computer cannot be renamed afterwards.
- IMPORTANT! Create CAPolicy.inf in C:\WINDOWS (or %SYSTEMROOT%) to specify empty CRL distribution point and AIA.
Example:
[Version]
Signature="$Windows NT$"
[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5
CRLPeriod=days
CRLPeriodUnits=180
[CRLDistributionPoint]
Empty=TRUE
[AuthorityInformationAccess]
Empty=TRUE
[PolicyStatementExtension]
Policies=AllIssurancePolicy
Critical=FALSE
[AllIssurancePolicy]
OID=2.5.29.32.0
URL=http://www.contoso.com/cert/cps.htm
- Install Certificate Services only; do not install IIS or other services, to minimize the attack surface. You don’t need web enrollment for this offline CA.
- Use custom settings to specify a 4096-bit key length and 5 years validity. (Watch out for Domino root certificate key length support: use 2048-bit if any SubCA is going to issue S/MIME certificates for Domino 6 & 7. More on MyKB.)
- After installation, use “certutil -setreg ca\[name]” to set the issuing validity timespan and the default container distinguished name referenced by the CDP and AIA LDAP URLs.
Registry              Value
ValidityPeriod        Years
ValidityPeriodUnits   2
DSConfigDN            CN=Configuration,DC=contoso,DC=com
- Configure the CA’s CDP and AIA locations. The objective is to use the external FQDN instead of the computer name for the HTTP URL, and to make the HTTP URL come before the LDAP URL.
- Remove the default URLs except the local disk location and add back the following URLs:
CDP
URL                                                                    Options
http://www.contoso.com/cert/%3%8%9.crl                                 CSURL_ADDTOCERTCDP (2)
ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10   CSURL_ADDTOCERTCDP (2), CSURL_ADDTOFRESHESTCRL (4), CSURL_ADDTOCRLCDP (8)
AIA
URL                                                                    Options
http://www.contoso.com/cert/%1_%3%4.crt                                CSURL_ADDTOCERTCDP (2)
ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11           CSURL_ADDTOCERTCDP (2)
- Configure the CRL publication interval and make sure Delta CRL is disabled. (An interval of 180 days is already specified in the CAPolicy.inf file.)
- Publish the CRL and examine the CDP location. Make sure the DSConfigDN registry value is correctly set up and that you are not seeing “DC=UnavailableConfigDN namespace” in the LDAP URL.
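The post-install steps above (validity period, DSConfigDN, CDP/AIA URLs, CRL interval, publish and verify) as one batch file for the root CA’s cmd prompt. This is an added example, not a script from the original post; the www.contoso.com URLs and DC=contoso,DC=com are the post’s placeholders, the CA\ registry alias addresses the active CA, and the CRLPublicationURLs / CACertPublicationURLs values are the same settings the Revocation and Extensions dialogs write.

```batch
@echo off
REM Added example (not from the original post): apply the offline root CA's
REM post-install settings with certutil -setreg, then republish the CRL.
REM Assumptions: run in an elevated cmd on the root CA; replace the contoso.com
REM URLs and DC=contoso,DC=com with your own namespace. The root's own certificate
REM still has empty CDP/AIA (CAPolicy.inf); these URLs go into the certs it issues.

REM Validity of certificates issued by this root (the issuing CA certs): 2 years
certutil -setreg CA\ValidityPeriodUnits 2
certutil -setreg CA\ValidityPeriod "Years"

REM Configuration naming context substituted for %%6 in the LDAP URLs below.
REM A workgroup CA cannot read it from a directory, so set it explicitly;
REM otherwise the LDAP URLs show the DC=UnavailableConfigDN string.
certutil -setreg CA\DSConfigDN "CN=Configuration,DC=contoso,DC=com"

REM CRL publication: 180-day base CRL, delta CRL disabled (units = 0)
certutil -setreg CA\CRLPeriodUnits 180
certutil -setreg CA\CRLPeriod "Days"
certutil -setreg CA\CRLDeltaPeriodUnits 0

REM CDP list. Each entry is flags:URL, entries separated by a literal \n.
REM Flags: 1 = publish CRL to this location, 2 = include in certificate CDP
REM extension, 4 = include in freshest-CRL extension, 8 = include in the CRL's
REM own CDP extension (14 = 2+4+8). Order matters: HTTP is listed before LDAP
REM so clients try the FQDN first. %% escapes the certutil variables in a batch file.
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:http://www.contoso.com/cert/%%3%%8%%9.crl\n14:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"

REM AIA list: local copy for publishing, then HTTP before LDAP in the certificate.
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://www.contoso.com/cert/%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"

REM Restart the service so the registry values take effect, publish a CRL,
REM then read the values back to confirm the ordering and the DSConfigDN.
net stop certsvc
net start certsvc
certutil -crl
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\DSConfigDN
```

After it runs, open the CRL in %WINDIR%\system32\CertSrv\CertEnroll and check that its CDP/IDP URLs carry CN=Configuration,DC=contoso,DC=com rather than DC=UnavailableConfigDN.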
OK, the root CA is now ready. The next would be the issuing enterprise CA.