My Certificate Authority Lab Setup (Part 1) – Offline Root CA

To start with something simple I’m building a 2-tier CA hierarchy consisting of an offline root CA and an issuing Windows Server 2003 Enterprise CA.


Some notes on my Root CA setup:

  1. Install Windows Server 2003, Standard Edition is good enough for an offline CA.
  2. Workgroup only, DO NOT join Domain.
  3. Think twice on the Computer Name before starting CA installation, computer cannot be renamed afterwards.
  4. IMPORTANT! Create CAPolicy.inf in C:\WINDOWS (or %SYSTEMROOT%) before installing Certificate Services to specify an empty CRL distribution point and an empty AIA (a root certificate should not point at a revocation source).
    Example:
    [Version]
    Signature="$Windows NT$"

    [Certsrv_Server]
    RenewalKeyLength=4096
    RenewalValidityPeriod=Years
    RenewalValidityPeriodUnits=5
    CRLPeriod=days
    CRLPeriodUnits=180

    [CRLDistributionPoint]
    Empty=TRUE

    [AuthorityInformationAccess]
    Empty=TRUE

    [PolicyStatementExtension]
    Policies=AllIssuancePolicy
    Critical=FALSE

    [AllIssuancePolicy]
    OID=2.5.29.32.0
    URL=http://www.contoso.com/cert/cps.htm

  5. Install Certificate Services only and do not install IIS and other services to minimize attack surface. You don’t need web enrollment for this offline CA.
  6. Use custom settings to specify a 4096-bit key length and 5 years of validity. (Watch out for Domino’s root certificate key length support: use 2048-bit if any SubCA is going to issue S/MIME certificates for Domino 6 and 7. More on MyKB.)
  7. After installation, use “certutil -setreg ca\[name]” to set the validity period of the certificates this CA issues and the default container distinguished name referenced by the CDP and AIA LDAP URLs.
    Registry value         Setting
    ValidityPeriod         Years
    ValidityPeriodUnits    2
    DSConfigDN             CN=Configuration,DC=contoso,DC=com
  8. Configure the CA’s CDP and AIA locations. The objective is to use an external FQDN instead of the computer name for the HTTP URL and to make it come before the LDAP URL, so clients try HTTP first.
  9. Remove the default URLs except the local disk location and add back the following URLs:
    CDP URL                                                                  Options
    http://www.contoso.com/cert/%3%8%9.crl                                   CSURL_ADDTOCERTCDP (2)
    ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10    CSURL_ADDTOCERTCDP (2), CSURL_ADDTOFRESHESTCRL (4), CSURL_ADDTOCRLCDP (8)

    AIA URL                                                                  Options
    http://www.contoso.com/cert/%1_%3%4.crt                                  CSURL_ADDTOCERTCDP (2)
    ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11            CSURL_ADDTOCERTCDP (2)
  10. Configure the CRL publication interval and make sure delta CRL publishing is disabled. (An interval of 180 days is already specified in the CAPolicy.inf file.)
  11. Publish the CRL and examine the CDP location. Make sure the DSConfigDN registry value is set correctly and you are not seeing “DC=UnavailableConfigDN namespace” in the LDAP URL.
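The registry settings from steps 7 to 11 above as one certutil script, added here as an example and not part of the original post; it assumes the www.contoso.com URLs and the DSConfigDN from the tables above and must be edited for your own environment.

```batch
@echo off
REM Added example (not from the original post): applies steps 7-11 above with
REM certutil on the offline root CA. Run from an administrative command prompt
REM after Certificate Services is installed. Inside a .cmd file every literal
REM percent sign must be doubled (%%3 becomes %3) so cmd.exe does not expand it;
REM certutil stores the tokens (%1, %3, %6 ...) and the CA substitutes them
REM when it builds extensions.

REM Step 7: validity of certificates issued by this root (the SubCA certs)
REM and the directory naming context used by the LDAP CDP/AIA URLs.
certutil -setreg CA\ValidityPeriod Years
certutil -setreg CA\ValidityPeriodUnits 2
certutil -setreg CA\DSConfigDN "CN=Configuration,DC=contoso,DC=com"

REM Steps 8-9: replace the default CDP list. Entries are "flags:URL" separated
REM by \n. 1 = CSURL_SERVERPUBLISH (write the CRL to this local path),
REM 2 = CSURL_ADDTOCERTCDP, 4 = CSURL_ADDTOFRESHESTCRL, 8 = CSURL_ADDTOCRLCDP,
REM so the LDAP entry carries 2+4+8 = 14. HTTP is listed before LDAP so it
REM appears first in the CDP extension of issued certificates.
certutil -setreg CA\CRLPublicationURLs "1:%%WINDIR%%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:http://www.contoso.com/cert/%%3%%8%%9.crl\n14:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"

REM Same for AIA: local copy of the CA certificate, then HTTP, then LDAP,
REM both flagged 2 (include in the AIA extension of issued certificates).
certutil -setreg CA\CACertPublicationURLs "1:%%WINDIR%%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://www.contoso.com/cert/%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"

REM Step 10: base CRL every 180 days; a delta period of 0 disables delta CRLs.
certutil -setreg CA\CRLPeriod days
certutil -setreg CA\CRLPeriodUnits 180
certutil -setreg CA\CRLDeltaPeriodUnits 0

REM Registry changes take effect only after the service restarts.
net stop certsvc
net start certsvc

REM Step 11: publish a CRL and read the configuration back. The %%6 token in
REM the LDAP URLs resolves to DSConfigDN; if that value is missing or wrong,
REM the substituted URL ends in DC=UnavailableConfigDN instead of your forest.
certutil -CRL
certutil -getreg CA\DSConfigDN
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
```

Because the root is offline, the files written to CertEnroll still have to be copied by hand to the www.contoso.com web server and published to Active Directory (certutil -dspublish) from a domain-joined machine before the URLs resolve.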

OK, the root CA is now ready. The next would be the issuing enterprise CA.

References:

KB: User will be enrolled with a new certificate when logging on to a new client machine with certificate autoenrollment enabled

Problem: When a user logs on to multiple machines with autoenrollment enabled, each machine generates a new key pair for the user, since the user’s existing certificates are not present in the local certificate store.

Solution: Configure Credential Roaming, supported through the Windows Server 2003 SP1 Administrative Template.

http://technet.microsoft.com/en-us/library/cc783542(WS.10).aspx