
Categories:
Security

Generate certificate on windows PKI

The Internet Information Server (IIS) and Microsoft Internet Security and Acceleration (ISA) server provide wizards in their administration user interface to request and install SSL certificates. In this blog post I want to explain how to request an SSL server certificate manually. The manual steps are required when the Certification Authority (CA) is not in the same forest as the IIS or ISA computer.

Prerequisites

The AD server is running on the Microsoft Windows Server 2012 R2 operating system or later.

  • Verify that you installed Microsoft Server with Active Directory Domain Services enabled.
  • Verify that the Certificate Authority Service role and the Certificate Authority Web Enrollment role are installed and configured on the Active Directory Server.
  • Use a hashing algorithm of SHA-256 or higher on the certificate authority.

Procedure

1. Create a template for the firewall

  • Sign in to the computer that issues the certificate request, using an account that has administrative permissions.
    • Select Start, select Run, type certtmpl.msc, and then select OK.
    • In the Certificate Templates Console, right-click the template you want to base the new one on and select Duplicate Template.
    • In the Duplicate Template window, leave Windows Server 2003 Enterprise selected for backward compatibility and click OK.
    • In the Properties of New Template dialog box, click the General tab.
    • In the Template display name text box, enter Firewall as the name of the new template.
    • Click the Extensions tab and specify the extension information:
      • Select Key Usage and click Edit.
      • Select the Signature is proof of origin (nonrepudiation) check box.
      • Leave the default for all other options.
      • Click OK.
    • Click the Request Handling tab and ensure that the Allow private key to be exported check box is selected.
    • Click the Subject Name tab, ensure that the Supply in the request option is selected, and click OK to save the template.
    • To add the new template to your CA, click Windows Start > Run, enter certsrv.msc, and click OK.
    • In the Certification Authority window, expand the left pane if it is collapsed.
    • Right-click Certificate Templates and select New > Certificate Template to Issue.
    • In the Name column of the Enable Certificate Templates dialog box, select the Firewall template that you created and click OK.

2. Creating an INF file to set the certificate properties

Use Notepad to modify the following sample INF file according to your needs, and save the file as ssl.inf, for example.

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=SERVER.BREIZHLAND.EU"   ; For a wildcard use "CN=*.BREIZHLAND.EU" for example
; For an empty subject use the following line instead or remove the Subject line entirely
; Subject =
Exportable = FALSE                  ; Private key is not exportable; set to TRUE if the key must later be exported as a PFX (see step 7)
KeyLength = 2048                    ; Common key sizes: 512, 1024, 2048, 4096, 8192, 16384
KeySpec = 1                         ; AT_KEYEXCHANGE
KeyUsage = 0xA0                     ; Digital Signature, Key Encipherment
MachineKeySet = True                ; The key belongs to the local computer account
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
SMIME = FALSE
RequestType = CMC

; At least certreq.exe shipping with Windows Vista/Server 2008 is required to interpret the [Strings] and [Extensions] sections below

[Strings]
szOID_SUBJECT_ALT_NAME2 = "2.5.29.17"
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
szOID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
szOID_PKIX_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

[Extensions]
%szOID_SUBJECT_ALT_NAME2% = "{text}dns=computer1.breizhland.eu&dns=computer2.breizhland.eu"
%szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_PKIX_KP_SERVER_AUTH%,%szOID_PKIX_KP_CLIENT_AUTH%"

[RequestAttributes]
CertificateTemplate= WebServer

3. INF file for the FIREWALL template

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=FIREWALL.BREIZHLAND.EU"   ; For a wildcard use "CN=*.BREIZHLAND.EU" for example
; For an empty subject use the following line instead or remove the Subject line entirely
; Subject =
Exportable = TRUE                   ; Private key must be exportable to produce the PFX in step 7
KeyLength = 2048                    ; Common key sizes: 512, 1024, 2048, 4096, 8192, 16384
KeySpec = 1                         ; AT_KEYEXCHANGE
KeyUsage = 0xA0                     ; Digital Signature, Key Encipherment
MachineKeySet = True                ; The key belongs to the local computer account
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
SMIME = FALSE
RequestType = CMC

[RequestAttributes]
CertificateTemplate= FIREWALL

[Extensions]
; 2.5.29.17 is the Subject Alternative Name OID (szOID_SUBJECT_ALT_NAME2 above)
2.5.29.17 = "{text}"
_continue_ = "dns=Firewall01&"
_continue_ = "dns=Firewall01.breizhland.eu&"
_continue_ = "dns=Firewall01.breizhland.bzh&"
; Placeholder addresses (RFC 5737 documentation ranges); replace with the firewall's real addresses.
; Each octet must be 0-255, otherwise certreq fails to parse the extension.
_continue_ = "ipaddress=192.0.2.10&"
_continue_ = "ipaddress=198.51.100.10&"
_continue_ = "ipaddress=203.0.113.10&"

Notes:

  • Leave off the Subject= line if you want the subject to be empty.
  • If you don’t need the template to be specified, remove the RequestAttributes section.
  • Specifying the enhanced key usage OID is not strictly required, since the EKU is defined in the certificate template. The OID in the INF file above is for explanatory purposes.
  • You can click “OK” in the template-not-found dialog from certreq if the client has no access to the templates.
  • You can ignore the unreferenced “[Strings]” section dialog when it appears.

4. Compiling the INF file into a REQ file

The following command generates the key material and turns the INF file into a certificate request:

certreq -new ssl.inf ssl.req

Once the certificate request has been created you can verify it with the following command:

certutil ssl.req

5. Submitting the REQ file to the CA

If the CA is reachable via RPC over the network, use the following command to submit the certificate request to the CA:

certreq -submit ssl.req

You will get a selection dialog to select the CA from. If the CA is configured to issue certificates based on the template settings, the CA may issue the certificate immediately.

If RPC traffic is not allowed between the computer where the certificate request was created and the CA, transfer the certificate request to the CA and perform the above command locally at the CA.

If the certificate template name was not specified in the certificate request above, you can specify it as part of the submission command:

certreq -submit -attrib "CertificateTemplate:WebServer" ssl.req

6. Installing the certificate at the IIS or ISA computer

Once the certificate has been issued and is available as a file on the target computer, use the following command to install it:

certreq -accept ssl.cer

The installation puts the certificate into the computer’s personal store, links it with the key material created in step 4 and builds the certificate property. The certificate property stores information, such as the friendly name, that is not part of the certificate itself.

After performing steps 2 to 6 the certificate will show up in the IIS or ISA management interface and can be bound to a web site or an SSL listener.
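Steps 2 to 6 as one PowerShell script, added here as an example and not part of the original post: it validates the SAN entries, writes the INF, then runs the three certreq commands. The subject, SAN values, template name and working directory are assumptions, and Exportable is TRUE so the key can be exported as a PFX in step 7.

```powershell
# Added example (not from the original post): builds the INF from steps 2-3 and runs the
# certreq commands of steps 4-6. Subject, SAN values, template name and paths are assumptions.
param(
    [string]$Subject       = 'CN=FIREWALL.BREIZHLAND.EU',
    [string[]]$DnsNames    = @('Firewall01', 'Firewall01.breizhland.eu'),
    [string[]]$IPAddresses = @('192.0.2.10'),        # RFC 5737 documentation address, placeholder
    [string]$Template      = 'FIREWALL',
    [string]$WorkDir       = "$env:TEMP\certreq-demo"
)
# Reject malformed SAN entries up front: an octet such as 333 makes certreq fail to parse the
# extension, and a stray character in a DNS name would end up in the issued certificate.
foreach ($ip in $IPAddresses) {
    if (-not [ipaddress]::TryParse($ip, [ref]$null)) { throw "Invalid IP address: $ip" }
}
foreach ($d in $DnsNames) {
    if ($d -notmatch '^[A-Za-z0-9*][A-Za-z0-9.-]*$') { throw "Invalid DNS name: $d" }
}
$sanLines = @($DnsNames    | ForEach-Object { "_continue_ = `"dns=$_&`"" }) +
            @($IPAddresses | ForEach-Object { "_continue_ = `"ipaddress=$_&`"" })
$inf = @"
[Version]
Signature="`$Windows NT`$"
[NewRequest]
Subject = "$Subject"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC
[RequestAttributes]
CertificateTemplate = $Template
[Extensions]
2.5.29.17 = "{text}"
$($sanLines -join "`r`n")
"@
New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
$infPath = Join-Path $WorkDir 'ssl.inf'
$reqPath = Join-Path $WorkDir 'ssl.req'
$cerPath = Join-Path $WorkDir 'ssl.cer'
Set-Content -Path $infPath -Value $inf -Encoding ASCII
certreq -new $infPath $reqPath                     # step 4: key pair in the machine store + request
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed' }
certreq -submit -attrib "CertificateTemplate:$Template" $reqPath $cerPath   # step 5
if ($LASTEXITCODE -ne 0) { throw 'certreq -submit failed; the request may be pending CA approval' }
certreq -accept $cerPath                            # step 6: bind issued certificate to the key
```

certreq -submit shows the CA selection dialog mentioned in step 5; add -config "CAHost\CAName" to target a specific CA non-interactively.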

7. Importing the issued certificate, associating it with the private key and extracting a PFX file on the PKI server

  • Sign in to the computer that issued the certificate request by using an account that has administrative permissions.
    • Select Start, select Run, type mmc, and then select OK.
      • On the File menu, select Add/Remove Snap-in.
      • In the Add/Remove Snap-in dialog box, select Add.
      • Select Certificates, and then select Add.
    • In the Certificates snap-in dialog box, select Computer account, and then select Next.
      • In the Select Computer dialog box, select Local computer: (the computer this console is running on), and then select Finish.
      • Select Close, and then select OK.
    • In the Certificates snap-in, expand Certificates, right-click the Certificate Enrollment Requests folder, point to All Tasks, and then select Import.
    • On the Welcome to the Certificate Import Wizard page, select Next.
      • On the File to Import page, select Browse.
      • In the Open dialog box, select the new certificate, select Open, and then select Next.
      • On the Certificate Store page, select Place all certificates in the following store, and then select Browse.
      • In the Select Certificate Store dialog box, select Certificate Enrollment Requests, select OK, select Next, and then select Finish.
    • In the Certificates snap-in, double-click the imported certificate in the Certificate Enrollment Requests folder and its Certificates subfolder.
    • Right-click the certificate you want to export, point to All Tasks, select Export, select Next, click “Yes, export the private key”, and select Next.
      • On the Personal Information Exchange page, select “Include all certificates in the certification path if possible” and “Export all extended properties”, then select Next.
      • Enter and confirm the password requested, select Next, choose where you want to store the pfx file and select Save.
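The checks a practitioner wants before trusting the export in step 7, as an added PowerShell example that is not part of the original post: it confirms that the issued certificate in the machine Personal store is bound to its private key and carries the expected SAN entries, then exports the PFX with its chain. The subject, expected SAN names and output path are assumptions.

```powershell
# Added example (not from the original post): verify the certificate installed by certreq -accept
# and export it as a PFX, the command-line counterpart of the GUI steps in 7. Assumed values below.
param(
    [string]$Subject       = 'CN=FIREWALL.BREIZHLAND.EU',
    [string[]]$ExpectedSan = @('Firewall01.breizhland.eu'),
    [string]$PfxPath       = "$env:TEMP\firewall.pfx"
)
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $Subject } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$Subject' in LocalMachine\My" }

# A response accepted on a different machine than the one that ran certreq -new has no key here.
if (-not $cert.HasPrivateKey) {
    throw 'Certificate is not bound to a private key; certreq -accept must run where the request was created'
}

# Check the Subject Alternative Name extension (OID 2.5.29.17) against the expected list.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt) { throw 'Certificate has no Subject Alternative Name extension' }
$sanText = $sanExt.Format($true)
foreach ($name in $ExpectedSan) {
    if ($sanText -notmatch [regex]::Escape($name)) { throw "SAN is missing '$name'" }
}

# Export with the private key and chain; this fails if the key was created with Exportable = FALSE.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword -ChainOption BuildChain | Out-Null
"Exported $($cert.Thumbprint) to $PfxPath"
```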