Deploy a PKI on Windows Server 2016 (Part 5)

This is the fifth part of a seven-part series explaining and setting up a two-tier PKI with Windows Server 2016 in an enterprise SMB setting.

*Note* (16 May 2017): This page is currently in progress, is unfinished, and likely contains errors.  I published it in this state due to time constraints, and will be working on it over the next week until it’s finished.

Because of the long time period between part 4 and part 5, I had to recreate my demonstration lab.  Everything is functionally the same, but you may notice some different IPs or other minor changes.

Part 1 (Informational)
Part 2 (Getting Started & IIS Web Server Configuration)
Part 3 (Standalone Offline Root CA Configuration)
Part 4 (Enterprise CA Configuration)
>>> Part 5 (Distributing Certificates & AutoEnrollment) <<<
Part 6 (Additional Configuration)
Part 7 (Troubleshooting & Clean-up)

Certificate Templates

Now that you have the IIS, Root CA, and Enterprise CA servers basically set up, it’s time to create or distribute certificates to users and devices.  But, before we can do that, we must create the templates from which the certificates will be made.

There’s a ton of reasons you would want to distribute user and computer certificates, and a ton of certificate templates you could configure.  To name a few popular examples, you could have a template for the following purposes:

  • Web Server SSL certificates
  • Email S/MIME certificates for digital signatures and encryption
    • One for digital signatures
    • One for encryption
  • Smartcards
  • IPSec
  • File encryption
  • …etc

If you are a small or even medium size business, require a simple PKI, and don’t want to deal with the extra administration of multiple certificates, you could combine them a little if you are using strong encryption algorithms.  This of course depends on a number of factors, so don’t just go ahead and do it…

For example, let’s say that due to new email security concerns, you need to require that all emails from company users are digitally signed and encrypted.  You could do that with a single certificate.  Best practice may suggest that you use separate certificates: one for digital signatures, and one for email encryption.  You don’t have to.  Will it matter?  Not likely, but it can.

However, your company may have legal reasons to do so, and may be required to separate them!  You may also be high-risk.  Always find out first!  The main reason for separating them is to spread risk.  If your encryption key was compromised, not only could the attacker decrypt your emails, but they could also impersonate you by using the same key to digitally sign emails as you!  The same idea goes for whatever else the certificate is used for.  Two other reasons are that you may want certain certificates to expire sooner or later than others, or that you may need to archive (escrow) some keys but not others.  There are definitely other reasons, but for now you get my point.

For the purpose of keeping this guide simple and still useful, I’ll guide you through creating a single template for email (digital signatures and encryption) certificates, and a template for one-off Web Server SSL certificates.  Once you can do these, you can easily make and distribute certificates for any purpose, such as those listed a bit above.

Creating your (S/MIME) Certificate Template

On the server issuingCA, we will duplicate a preexisting user certificate template and configure it to our needs for digitally signing and encrypting email.

Duplicate a user certificate template

  1. Open up Certification Authority manager.
  2. Right-click on Certificate Templates and select Manage.
  3. Right-click on the User template and click Duplicate Template.
  4. In the Compatibility tab, select your appropriate compatibility levels.
    1. In my testing and lab environment, nothing is running below Windows 10 or Windows Server 2016, so I selected appropriately.  Your environment may be different, choose your settings intelligently.
  5. In the General tab:
    1. Type a display name for your new template.
    2. Set a validity period.  Two years is a good standard that meets most usage requirements.
    3. The renewal period sets the amount of time before the validity period expires in which the certificate will be renewed.  Six weeks is sufficient for a two year validity period.
    4. CHECK Publish certificates in Active Directory.
    5. CHECK Do not automatically reenroll if a duplicate certificate exists in Active Directory.
      1. One reason to enable this is when users log on to more than a single computer and you don’t want them to keep getting multiple certificates via auto-enrollment.
      2. If the certificates are stored in AD, we’ll be setting a Group Policy to have their certificates automatically “follow” the user no matter which computer they log on to in the domain.
  6. In the Request Handling tab:
    1. CHECK Archive subject’s encryption private key.
      1. We’ll be enabling key archiving later, before we start distributing certificates with this template.  You may or may not want to do this in your production environment due to policies or legal reasons.  Check first!  Generally, it should be okay, and it is nice to be able to recover a user’s private key in case it is lost.
  7. In the Cryptography tab:
    1. For Provider Category, select Key Storage Provider.
    2. For Algorithm name, verify RSA is selected.
    3. For Minimum key size, change it to 4096.
    4. Select Requests must use one of the following providers:
      1. Select Microsoft Software Key Storage Provider
    5. For Request hash, select SHA256.  Legacy clients may not work with SHA256 and may require updates, or your environment may need a legacy CSP.  Check first.
    6. Note that this area may be greyed out.  You should be using Key Storage Provider.  You can check which provider the CA itself uses in the CA Properties.
  8. In the Subject Name tab:
    1. Subject name format:  Common name
    2. Check:  Include e-mail name in subject name
    3. Verify checked:
      1. E-mail name
      2. User principal name (UPN)
  9. In the Extensions tab:
    1. Select “Key Usage”, and then click the Edit button
      1. Check the box that says “Allow encryption of user data”.
  10. In the Security tab:
    1. Select each user/group at the top and verify the following are checked:
      1. Authenticated Users:  Read, Enroll, Autoenroll
      2. Domain Users:  Read, Enroll, Autoenroll
    2. If there are any users in the domain you do not want to have autoenrolled, you can create a group in Active Directory, add the user(s) to it, then add that group in the Security tab above, checking the Deny box for Autoenroll for that group.
  11. Click Apply, then click OK.

Publishing your (S/MIME) Certificate Template

Publishing a certificate template makes it available for use.  To publish your above S/MIME certificate template (or any other certificate template), follow the below steps.

  1. In Certificate Authority manager, click on Certificate Templates.
  2. Then right-click Certificate Templates, go to New, and click Certificate Template to Issue.
  3. Scroll down to find the template you created:  User Email AutoEnroll, and click OK.

Autoenrollment will not automatically hand out certificates to users until we create and configure a GPO that is distributed to all domain computers.  But before we do that, we need to enable private key archiving.
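Before moving on to the GPO, it is worth confirming that the template you just built actually carries the settings chosen above and that the issuing CA is really offering it.  The following PowerShell script is an added example (not part of the original guide): it reads the template object from the forest Configuration partition and checks each setting against the steps in this part.  It assumes the ActiveDirectory module is available, that the template display name is “User Email AutoEnroll”, and uses a placeholder CA config string for the issuingCA server (the CA name is not given on this page).

```powershell
# Added example: audit the duplicated User template and its publication on the CA.
Import-Module ActiveDirectory
$TemplateName = 'User Email AutoEnroll'                 # display name chosen in the General tab
$CAConfig     = 'issuingCA.corp.example\CA-NAME-PLACEHOLDER'  # placeholder "server\CA name"

# Templates live in the Configuration partition; match on displayName.
$base = "CN=Certificate Templates,CN=Public Key Services,CN=Services," +
        (Get-ADRootDSE).configurationNamingContext
$t = Get-ADObject -SearchBase $base -LDAPFilter "(displayName=$TemplateName)" -Properties *
if (-not $t) { throw "Template '$TemplateName' not found in AD" }

# pKIExpirationPeriod / pKIOverlapPeriod are negative 100 ns intervals (FILETIME style).
function ConvertTo-Span([byte[]]$b) { [TimeSpan]::FromTicks(-[BitConverter]::ToInt64($b, 0)) }
$validity = ConvertTo-Span $t.pKIExpirationPeriod
$renewal  = ConvertTo-Span $t.pKIOverlapPeriod

# Flag bit values are from MS-CRTD (enrollment, private key and certificate name flags).
$enroll  = [int]$t.'msPKI-Enrollment-Flag'
$pkflag  = [int]$t.'msPKI-Private-Key-Flag'
$nameflg = [int]$t.'msPKI-Certificate-Name-Flag'
$kuByte  = if ($t.pKIKeyUsage) { $t.pKIKeyUsage[0] } else { 0 }   # first KeyUsage byte

$checks = [ordered]@{
  'Validity ~ 2 years'                           = $validity.Days -ge 729 -and $validity.Days -le 731
  'Renewal = 6 weeks'                            = $renewal.Days -eq 42
  'Publish certificate in Active Directory'      = ($enroll -band 0x08) -ne 0
  'Do not reenroll if duplicate exists in AD'    = ($enroll -band 0x10) -ne 0
  'Autoenroll allowed by template flags'         = ($enroll -band 0x20) -ne 0
  'Archive subject encryption private key'       = ($pkflag -band 0x01) -ne 0
  'Minimum key size 4096'                        = [int]$t.'msPKI-Minimal-Key-Size' -eq 4096
  'Subject: common name'                         = ($nameflg -band 0x40000000) -ne 0
  'Subject: include e-mail name'                 = ($nameflg -band 0x20000000) -ne 0
  'SAN: e-mail name'                             = ($nameflg -band 0x04000000) -ne 0
  'SAN: user principal name'                     = ($nameflg -band 0x02000000) -ne 0
  'Key usage: dataEncipherment (user data)'      = ($kuByte -band 0x10) -ne 0
}

# certutil -CATemplates prints one "Name: Display Name -- ..." line per issuable template.
$issued = certutil -CATemplates -config $CAConfig 2>$null
$checks['Published on CA (certutil -CATemplates)'] =
  [bool]($issued | Select-String -SimpleMatch ": $TemplateName")

$checks.GetEnumerator() | ForEach-Object {
  '{0} {1}' -f ($(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key)
}
```

Run it from a domain-joined admin workstation or the issuingCA server itself; a FAIL on the last line usually means step 2 of the publishing section was skipped or the CA has not yet picked up the new template.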

… article in progress …

29 Comments

  1. Timothy, I fervently hope that you will be finishing this fine series. I have been following it and setting up a PKI for my firm but I’m not quite ready to commit until I get the final 3 parts from you. Please find time to finish this fantastic guide

    • Timothy Gruber

      I will, I promise, as soon as I have time. Things are a bit busy at the moment. I need to rebuild a lab to finish it out for the purpose of these articles. It’s just a matter of finding the time. I hope to sometime in the next few weeks to a month.

  2. Hi Timothy, this guide has been a great help in setting up a PKI in my homelab environment. Just curious, is there a chance you’ll finish up part 6 and 7?

  3. Thanks for the great guide. I look forward to seeing it finished!

  4. Please finish the rest of the guide. I am using it for a different purpose other than S/MIME but have adapted it to my environment. It has been extremely helpful. There are lots of things left unanswered. Like the remaining IIS configuration which is crucial. It was extremely disappointing to see this is where the guide ended.

    • Timothy Gruber

      Which part of the IIS configuration are you stuck on?

      • at the end of part 2 you say:
        Additional Configuration
        There are still some more configurations to be done on this web server, but we can’t do those until the RootCA and EnterpriseCA are set up and configured. For example, we can’t set up “CertSrv” on here yet, because that requires an Enterprise (subordinate issuing) CA.

        These things will be configured in later parts of this series.

        That is what I’m missing to finish the setup

        • Timothy Gruber

          The RootCA and EnterpriseCA are done in parts 3 and 4, so after that you will be able to set up CertSrv.

  5. Hi,

    Good work on the series so far. Is there any chance that the series or even just this part could be published.

    I would like to get my new CA environment fully deployed,

    Thanks

  6. Any chance that we will see the remaining parts in this series published? I’m stuck on the templates part – I just am unsure as to what to do next. I am not at all a PKI wizard.

  7. Just wanted to say thanks. This is definitely the best/most modern article on the topic. In the past I have had to use a compilation of Technet & 3rd party articles to piece together a functional PKI deployment.

  8. Hello Timothy,

    I’ve been eagerly awaiting your return to this topic. Any chance of finishing it off in the near future?

  9. This is the greatest help i’ve found. Thank you for your time and effort in sharing your experience with this.

    I’m planning a CA implementation and have found your documentation to be the best.

  10. This is some quality documentation!! Do you have part 6 and 7 ready? I’ve followed up until part 5 and now I’m not sure what comes next or if I’ve missed something. This has taken an incredibly complex process and made it much easier to understand. Thank you!

  11. This guide has been an AMAZING help! Do you have any plans to complete parts 6 & 7 (and list part 5 as complete)? And possibly the OCSP section? I for one, appreciate all the work you have put into this guide so far.

    • Thank you! Yes I do plan on finishing the whole series. I’ve just been very busy lately, my lab for this series expired, and will need to find the time to set it all back up again to continue where I left off.

      I will try to get it finished soon! Sorry for the wait.

      • I have a few scripts that I’ve written to automate the lab rebuild process. If you want them, you can find me at the email I’ve used here.

  12. This has been a GREAT guide. I’ve been putting this project off for years and now have implemented a proper CA in my network. Any chance you could post a quick and dirty outline of the next steps? I’ve deployed as far as you’ve posted and it’s working so far; I just want to make sure the parts that I’ve filled in aren’t completely wrong.

  13. Hi Thomas,

    Thanks so much, although I now have a root CA and an enterprise issuing server. I am a bit stumped on setting up OCSP, and on where that should sit. I initially started this to do WiFi and VPN securely, with a pretence of implementing Azure AD in the near future. Hoping you are able to finish this soon. Thanks for the help so far.

  14. Hi Timothy, great content!

    I am setting up in a home lab to learn this myself and have enjoyed the guide thus far.

    Any chance you may have time/motivation to continue please 🙂
    Looking forward to it.

    Cheers again,
    Mario

  15. Great Post!! Would you mind sharing your references so we can attempt to complete the configuration on our own?

    Appreciate the time and work it takes to document the process with lots of explanations on why it was configured this way.

  16. Looking forward to the info on deployment – there seems to be nothing out there for 2016 that is complete.

  17. Hi Timothy,
    is there any reason the certificate enrollment service is not installed on the web server? Could you list what other tasks should be done (no detail, I’m sure you are very busy)?

    Thanks

  18. Demetrius Cassidy

    Where’s the rest of part 5? The first 4 parts were great and very detailed.

  19. Thank you for posting such detailed directions! It has been a great help in rebuilding my PKI.

  20. Just wanted to say thanks for the excellent walk through. I know this took time to do, and it’s an incredible help for building a CA environment on Server 2016, for which there is little updated documentation.

  21. Dmitriy Shtyrkov

    Thank you.
