
Practical Guide to PKI with Windows Server PDF

400 pages · 2021 · 15.01 MB · English


Practical Guide to PKI with Windows Server
by Matthew Burr

Copyright © 2021 Matthew Burr (https://mjcb.io/)

All rights reserved. This publication is protected by copyright, and permission must be obtained prior to any reproduction of this publication. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the express written permission of the author.

ISBN: 978-1-7774422-0-0
ISBN: 978-1-7774422-1-7

Trademarks

• Active Directory Domain Services, Active Directory Certificate Services, Edge, File Explorer, Hyper-V, Internet Explorer, Microsoft Certificate Server, Windows 10, Windows Server (2000, 2003, 2003 R2, 2008, 2008 R2, 2012, 2012 R2, 2016 and 2019) and Windows Update are trademarked to the Microsoft Corporation.
• Android and Chrome are trademarked to Google LLC.
• Apache HTTP Server is trademarked to the Apache Software Foundation.
• Firefox is trademarked to the Mozilla Foundation.
• iOS, iPad, iPadOS, iPhone, macOS, and Safari are trademarked to Apple Inc.
• Linux is trademarked to Linus Torvalds in the U.S. and other countries.
• Nginx is trademarked to F5 Networks, Inc.
• OpenSSL is trademarked to the OpenSSL Software Foundation.
• Ubuntu is trademarked to Canonical Ltd.
• VirtualBox is trademarked to Oracle.
• VMware Workstation is trademarked to VMware Inc.

Warning and Disclaimer

This book expresses the author's views and opinions. The information contained within this book is provided without any express, statutory, or implied warranties. The author will not be held liable for any damages caused by or alleged to be caused directly or indirectly by this book. Reasonable efforts have been made to ensure the accuracy of the information and contents of this book. Even though all precautions have been taken in the research and publication of this book, the author assumes no responsibility for errors or omissions. No liability is assumed for damages resulting from the use of the information contained in this book.

The examples contained within this book make reference to companies, domain names, e-mail addresses, users, organizations, and other scenarios. All references contained within this book are fictitious. There is no association between any of the provided examples and any real company.

It is strongly recommended to test the steps and procedures provided in this book prior to using them in a production environment. Details on how to test the steps and procedures in this book are provided.

The author reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Revision History

2021-09-13 - First Edition Release

Additional Information

See https://mjcb.io/publications/practical-guide-to-pki-with-windows-server/ for additional details, updates, and any online resources for this book.

I would like to dedicate this book to my wife, who has supported me for all the time that I spent working on this book, and on all the other projects that I enjoy working on.

Contents at a Glance

About the Author
Preface
Introduction
Chapter 1 - Public Key Infrastructure Overview
Chapter 2 - Certificate Authority Test Environment
Chapter 3 - Domain Controller and Workstation Setup
Chapter 4 - Offline Root CA Setup
Chapter 5 - Subordinate CA Setup
Chapter 6 - Deploy Root and Subordinate Certificates
Chapter 7 - Online Responder Role Configuration
Chapter 8 - Private Key Archive and Recovery
Chapter 9 - Certificate Template Customization
Chapter 10 - Certificate Enrollment
Chapter 11 - AD CS Post-Implementation Tasks
Chapter 12 - AD CS Quick Start
Glossary
Commands
Index

Table of Contents

About the Author
Preface
    Who Is This Book For?
    Conventions Used in This Book
        Text Conventions
        Information Boxes
Introduction
    Goals of This Book
    What Won't This Book Cover?
    Before You Start
        Software Requirements
        AD CS Installation and Configuration Options
        Virtualization Requirements
    Organization of this Book
Chapter 1 - Public Key Infrastructure Overview
    What Is a Public Key Infrastructure?
    Active Directory Certificate Services Overview
    Active Directory Certificate Services Roles
    Certificate Authority Hierarchies
        One-Tier Certificate Authority
        Two-Tier Certificate Authority
        Three-Tier Certificate Authority
    Certificate Authority and PKI Terminology
    X.509 Certificates
    Certificate Attributes
    Certificate Revocation Lists
    Certificate Types
    Private Enterprise Numbers
    Why Use an Offline Root CA?
    Windows Certificate Management
    Public Key Infrastructure Overview Next Steps
Chapter 2 - Certificate Authority Test Environment
    Certificate Authority Environment Design and Overview
    Certificate Authority Design Considerations
    Certificate Hierarchy Overview
    AD CS Internal URLs
    AD CS Important Files
        AD CS Important Files - TFS-CA01
        AD CS Important Files - TFS-DC01
        AD CS Important Files - TFS-ROOT-CA
    AD CS Security Considerations
    Certificate Authority Naming Conventions
    Hyper-V Configuration
        Hyper-V Requirements
        Hyper-V Installation
            Enable Hyper-V using the Control Panel
            Enable Hyper-V using PowerShell
            Enable Hyper-V using DISM
        Hyper-V Network Setup
        Hyper-V Virtual Machine Generation
        Hyper-V Checkpoints
        Hyper-V Virtual Machine Creation
        Hyper-V Virtual Machine Connection
        Hyper-V Disk Virtual Floppy Disk Management
    Certificate Authority Test Environment Next Steps
Chapter 3 - Domain Controller and Workstation Setup
    Domain Controller Server Setup
    AD DS Role Installation
        AD DS Role Installation - GUI Installation
        AD DS Role Installation - CLI Installation
    AD DS Role Configuration
        AD DS Role Configuration - GUI Configuration
        AD DS Role Configuration - CLI Configuration
        AD DS Role Configuration - Validation
    Create an Active Directory OU Structure
        Create an Active Directory OU Structure - GUI Configuration
        Create an Active Directory OU Structure - CLI Configuration
    Create Domain User Accounts
        Create Domain User Accounts - GUI Configuration
        Create Domain User Accounts - CLI Configuration
    Workstation Creation and Domain Join
    LDAP over SSL for Active Directory
    Domain Controller and Workstation Next Steps
Chapter 4 - Offline Root CA Setup
    Root CA Server Setup
        Optional: Add BitLocker on the Root CA
            Add BitLocker on the Root CA - GUI Installation
            Add BitLocker on the Root CA - CLI Installation
        Optional: Configure Group Policy for BitLocker on the Root CA
        Optional: Enable BitLocker on the Root CA
        Optional: Test BitLocker on the Root CA
            Test the BitLocker Recovery Key
            Mount the BitLocker Hard Disk on Another Device
            Back Up the BitLocker Recovery Key
        Optional: Disable Windows Update on the Root CA
    Root CA Server Local Policies
    Root CA CAPolicy.inf Installation
