Professional Documents
Culture Documents
P O DC A S T DO WNL O A DS A UT HO R S SIGN IN
Table of contents
Explore the DOJO
1. Prerequisites f or a WSL/Windows Server Certification Pair
2. Phase 1: Prepare the Subordinate CA on the Windows Server
3. Enable Windows Subsystem f or Linux and Choose Your Distribution
4. Windows Subsystem f or Linux Storage
AZURE
5. Creating a Root Certification Authority in Windows Subsystem f or Linux
6. Optional: Use OpenSSL to Generate the Subordinate CA’s Keys and Certificate NETWORKING
Request
7. Distributing the Root Certification Authority and Revocation List POWERSHELL & AUTOMATION
8. Complete Configuration of the Subordinate CA
9. Root CA Maintenance and Activities SCRIPTS & TOOLS
In a previous article, I talked about the concepts involved in PKI. In this article, I want to show TROUBLESHOOTING &
you how to build your own PKI. I will mostly write this as a how-to, on the assumption that you
read the previous article or already have equivalent knowledge. I will take a novel approach of PERFORMANCE
implementing the root certification authority in Windows Subsystem f or Linux. That allows you to
enjoy the benefits of an of fline root CA with almost none of the drawbacks. WINDOWS SERVER
I use Windows Subsystem f or Linux to create an of fline root CA and use a Windows system f or
an online intermediate (subordinate) CA f or these reasons:
Licensing: If you use a Windows Server system as the of fline root, it consumes a license
(physical installation) or a virtualization right (virtual installation). Since the of fline root CA Search
should be kept of fline f or nearly the entirety of its existence, that’s a waste.
Built-in components: I won’t show you anything in this article that you can’t find natively in
Search
Windows/Windows Server. You could certainly go through all the ef f ort to obtain and install a
f ull Linux installation to use as the root CA. You could download and install OpenSSL f or
Windows to mimic what I’m doing with WSL.
Setup ease: You can bring up the WSL instance with almost no ef f ort. Compare to the On-Demand Webinar
alternatives.
Active Directory integration :You can certainly create a f ull PKI without using Windows
Server at all. You lose a lot, though. You can get a lot of mileage out of f eatures such as
auto-enrollment.
Using WSL f or the of fline root allows us to protect it easily. Using Windows Server as the
intermediate allows us maximal benefits.
There a quite a f ew parts to this configuration so please use the table of contents below to
keep track of your progress:
Prerequisites f or a WSL/Windows Server Certification Pair Featured eBook
Phase 1: Prepare the Subordinate CA on the Windows Server
Install the Subordinate CA Role
Perf orm Initial CA Configuration
Enable Windows Subsystem f or Linux and Choose Your Distribution
Enable WSL on Windows 10
Enable WSL on SAC or Windows Server LTSC 2019 or Later
Windows Subsystem f or Linux Storage
Creating a Root Certification Authority in Windows Subsystem f or Linux
Configuring OpenSSL Supercharging Hyper-V
The Process f or Creating a Root Certification Authority Using OpenSSL by Paul Schnackenburg
Optional: Use OpenSSL to Generate the Subordinate CA’s Keys and Certificate Request
Distributing the Root Certification Authority and Revocation List Read eBook
Place the Root Certificate into the Domain
Configuring DNS f or Root Certificate and CRL Distribution
Configuring IIS f or Root Certificate and CRL Distribution
Install the Certification Authority Web Enrollment Feature
Hyper-V Backup
Create an IIS Site to Publish the Root CA Certificate and CRL
Complete Configuration of the Subordinate CA
Root CA Maintenance and Activities
Updating the Root CA’s CRL
Revoking the Subordinate CA’s CRL
Renewing the Subordinate CA’s CRL
Further Reading
Credentials f or a domain account that belongs to the Enterprise Admins security group High-performance Backup
An installation of Windows Server (2016 used in this article; anything 2012 or later should and Replication for Hyper-
suf fice) to use as the online intermediate (subordinate) certificate server
V
Domain-joined
Machine name set and finalized (you cannot change it af terward)
IP set and finalized Watch Demo
A Windows system capable of running Windows Subsystem f or Linux (Windows 10 used in
this article; a current iteration of Windows Server, Semi-Annual Channel or Windows Server
LTSC version 2019+ should suf fice). This article is written with the expectation that you will Download your Free Trial
use a physical Windows 10 system and store vital inf ormation on a removable USB device.
Any f ull installation of a Linux distribution with OpenSSL, virtual or physical, would
suf fice as an alternative
OpenSSL on a Windows installation would also suf fice
A f older on the Windows system where files can be transf erred to and f rom the WSL
environment. For your own sake, pick something easy to type (I used D:CA in this article)
A DNS name where you will publish the root CA’s certificate and certificate revocation list
(CRL). It must be reachable by the systems and devices that will treat your CA as
authoritative. This DNS name becomes a permanent part of the issued certificates, so
choose wisely.
If you want, you can use the same Windows Server system to host the online intermediate CA
and the of fline root. You only need to ensure that the Windows Server version can run WSL.
Ordinarily, running both together would be a terrible action. In this case, the root CA will not
“exist” long enough to cause concern.
1. Start the Add roles and features wizard f rom within Server Manager
2. Select Active Directory Certificate Services:
3. You will be prompted to add the management f eatures. You can skip this if you only want
the Certificate Authority role to exist on the target server.
4. By def ault, the wizard will only want to install the Certification Authority role. We will
install and configure other roles later. You can select them now, but you will be unable to
configure them. I recommend only taking the def ault at this time:
1. In Server Manager, click the notification flag with the yellow triangle at the top right of the
window, then click Configure Active Directory Certificate Services on the destination
server:
2. In the wizard, choose the enterprise admin account selected f or this procedure:
3. Choose to configure the Certification Authority only. If you had selected to install other
roles, do not attempt to configure them at this time.
7. The def ault Cryptography selections should suf fice f or most installations. Reducing any
settings could cause compatibility problems; increasing them might cause compatibility and
perf ormance problems. Do not check Allow administrator interaction when the
private key is accessed by the CA. That will cause credential prompts where you don’t
want them.
8. Choose an appropriate name f or the CA’s common name. The def ault should work well
enough, although I tend to choose a f riendlier name. I recommend that you avoid spaces;
they can be used but will cause problems in some places. You can also change the suf fix, if
necessary f or your usage.
9. Choose to Save a certificate request to file on the target machine. You can make the
filename f riendlier if you like. Make sure that you keep track of the name though because
you’ll enter it in a f uture step.
You have completed the initial configuration of the subordinate certificate authority. Now we
turn to the WSL system to set up your of fline root CA.
Enabling Windows Subsystem f or Linux is slightly dif f erent depending on whether you are using
a desktop or server operating system.
1. Use Cortana to search f or Turn Windows features on or off (or enough of a subset f or
the f ollowing to be f ound), then open the link
3. Once that’s complete, use the Microsof t Store to find and install the Linux distribution of
your choice. I pref er Kali, but any should do (you can find starting instructions f or installing a
non-Store distribution on Microsof t’s blog):
Start the Kali image and f ollow its prompts to set up your user and password.
As mentioned in the intro, I will have you use a USB device on your physical system running WSL.
WSL can see your Windows file system at /mnt/DRIVELET T ER. As an example, your C: drive is
/mnt/c, your D: drive is /mnt/d, etc.
Before proceeding, pick a f older to use to transf er files back and f orth f rom WSL and your
Windows installation. I am using “D:CA” (/mnt/d/CA). Copy in the CSR (the .req file) created by
the wizard at the end of the Windows section above.
Configuring OpenSSL
Like most Linux programs, OpenSSL depends on a configuration file. I will include one, but
OpenSSL provides a def ault file that you can modif y. If you wish to copy that def ault file out to
Windows f or editing in something like Notepad++, I will provide the exact point at which you will
perf orm that step. If you wish to use mine as your template, place it in the Windows-side f older
that you’re using f or transf er (D:CA on my system).
To keep the file short, I used only a f ew comments. Notes on the configuration points appear
af ter the listing. Check each line bef ore using this file yourself . I believe that you will only need
to modif y the f our items at the top, but you may disagree. I have trimmed away all items that I
considered non-essential f or the task at hand. You will be unable to use this file f or OpenSSL
operations unrelated to certification authorities and x509 certificates.
# set the complete URL where the root CA's downloadable certificate will be pub
rootcaissuerssite=http://rootca.sironic.life/SironicRootCA2018.crt
# set the complete URL where the root CA's downloadable CRL will be published
rootcrldistributionpoint=http://rootca.sironic.life/SironicRootCA2018.crl
# set the FQDN where the root CA's OCSP will be located (optional -- uncomment
rootocspsite=http://rootca.sironic.life/ocsp
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = /ca
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/private/$rootcaname.crt
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl/$rootcaname.crl
crl_extensions = crl_ext
private_key = $dir/private/$rootcaname.key
RANDFILE = $dir/private/.rand
name_opt = ca_default
cert_opt = ca_default
default_days = 365
default_crl_days = 210
default_md = sha256
preserve = no
policy = policy_match
[ policy_match ]
commonName = supplied
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
string_mask = utf8only
[ req_distinguished_name ]
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints=critical,CA:true
keyUsage=critical,digitalSignature,cRLSign,keyCertSign
[ v3_subca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints=critical,CA:true,pathlen:0
keyUsage=critical,digitalSignature,cRLSign,keyCertSign
authorityInfoAccess = @v3_root_aia
crlDistributionPoints = URI:$rootcrldistributionpoint
[ v3_root_aia ]
caIssuers;URI=$rootcaissuerssite
#OCSP;URI=$rootocspsite
[ crl_ext ]
authorityKeyIdentifier=keyid:always
issuerAltName=issuer:copy
I included points where you can configure OCSP f or the root CA if you wish, but I
commented them out. Since your root CA will only sign one certificate, I see no justification
f or OCSP.
You will want to change the names to match your own; the scripts that I’m about to show
you expect the same names, so take care that they align.
I set the CRL to expire af ter 210 days (about 7 months). You will need to regenerate and
redeploy the CRL within that time or clients will cease trusting the subordinate CA, and
theref ore all certificates it has signed. CRL regeneration instructions provided later.
It is possible to sign the subordinate CA without including CRL inf ormation. That will alleviate
the need to periodically redeploy the CRL. However, it will also eliminate most of the
benefit of using an of fline CA. One major reason to keep the root of fline is because if it is
ever compromised, no authority can revoke it. If you do not configure your subordinate CA
so that it can be revoked, then it will also remain valid even if compromised.
Some other tutorials include generating a CRL f or the root (here, in the v3_ca section). That
is a wasted ef f ort. No one is above the root, so it cannot be revoked. A CA cannot revoke
its own certificate. This point trips some people up, because it seems to conflict with the
preceding. The CA’s own certificate is self -signed; it is impossible to revoke a self -signed
certificate. If you fill in CRL inf ormation on a self -signed certificate, it has no value. Every
certificate issued by any CA is not self -signed, so it should have valid CRL inf ormation.
I restricted the subordinate CA with “pathlen:0”. That way, if it is ever compromised,
thieves cannot use it to create f urther CAs. You can change or remove this restriction if you
need a more complex CA structure.
You are certainly welcome to make any changes that suit your situation. Just remember that the
upcoming processes have item names that must completely match what’s in your openssl.cnf .
Overall instructions: paste the text f rom these blocks directly into WSL.
URGENT NOTE: The WordPress code plugin will not show the entire contents of the file
correctly. Specifically, the file_crl variable in the “# # composite variables” section. That should
have TWO dollar signs ($). It does not correctly display the dollar sign bef ore {rootcaname}. You
might try $rootcaname instead, although I have much better luck with composite variables when
using curly braces. For some reason, it does display correctly on the f ollowing line
(file_rootcakey), so you can use that as a template to correct the file_crl line.
# random seeds
seed_root=5791
seed_sub=7020
## composite variables
file_crl="${dir_crl}/${rootcaname}.crl"
file_rootcakey="${dir_private}/${rootcaname}.key"
rootcacert=${rootcaname}.crt
file_rootcacert="${dir_private}/${rootcacert}"
file_subcakey="${dir_private}/${subcaname}.key"
file_subcacert="${dir_newcerts}/01.pem"
file_pemchain="${dir_out}/${chainname}.crt"
file_p7bchain="${dir_out}/${chainname}.p7b"
file_p7bchainwithcrl="${dir_out}/${chainname}WithCRL.p7b"
Note that I set the duration of the root CA’s validity to about 30 years and the subordinate CA’s
validity to about 10 years. A CA cannot issue a certificate with a lif espan beyond its own. If both
certificates expire at the same time, you will need to replace your entire PKI simultaneously.
cp /etc/ssl/openssl.cnf $dir_host_transfer
This section will build up the f older structure that openssl expects without disrupting the built-in
openssl setting.
cp $dir_host_transfer/openssl.cnf $dir_root
chmod -x $file_conf
Note: under WSL, openssl doesn’t care about Windows vs. UNIX line-endings in its cnf file. In any
other configuration, make sure you have line endings set appropriately f or your environment.
You will be prompted to provide a password (“pass phrase”) to protect the key. Do not lose the
password or the key will be irretrievable. You will also need it several times in the remaining
steps of this article.
Warning: the key set you just created is the most important file in the entire procedure. If any
unauthorized individual gains access to it, you should consider your root CA compromised. They
will need the password to unlock it, of course, but the key cannot be considered secured.
You will first be prompted f or the password to the private key. You will also be prompted f or the
common name of the root certification authority. I stored that in $rootcaname, but in this
particular prompt I always typed it in manually.
Note: if you want to use openssl to create the subordinate CA’s certificate instead of using one
provided by the Windows wizard, those instructions appear af ter this section. Perf orm those
steps and then continue with Part 7.
cp "${dir_host_transfer}/${file_subcacsr}" $dir_root
chmod -x "${dir_root}/${file_subcacsr}"
openssl ca -batch -in "${dir_root}/${file_subcacsr}" -extensions v3_subca -days
You will be prompted f or the password to the root CA’s private key (f rom step 4). You might also
see an error about “index.txt.attr”. You can ignore that message. It will automatically create the
necessary file with def aults.
I included -batch to suppress as much input as possible, but you will still see the certificate’s
details and its base64-encoded text on-screen.
You will be prompted f or the password to the root CA’s private key (f rom step 4).
# collect all files to be used in the Windows environment into a single folder
cp $file_rootcacert $dir_out
cp $file_subcacert "${dir_out}/${subcaname}.crt"
cp $file_crl $dir_out
cp -r $dir_root/* $dir_host_transfer
You’ll find all of the files needed f or your Windows inf rastructure in the out subf older of your
targeted Windows f older. Those are all saf e to use and share anywhere. The rest of the f older
structure should be treated as a singular unit and secured immediately. The private key f or the
root CA resides in private. It is imperative that you protect the .key file.
1. Start by verif ying each file in the out f older; Windows should be able to open all of them
directly. If a file is damaged, it will not open. Be aware that the subordinate CA will not yet
be able to validate the entire chain because the root does not yet appear in the local
trusted root store.
2. Place the contents of the out f older somewhere that you can access them in upcoming
sections. Remember that all of these are public files; they do not need any particular
security measures.
3. Once you have verified that all output files are valid, transf er all files in your target Windows
f older to a secured, of fline location, such as an external USB device that can be placed into
a saf e. You do not need to include the out f older.
4. In WSL, run: rm -r $dir_root Note: this completely removes all of the CA data f rom WSL!
Remember that the CA environment that you created in WSL was intended to be temporary.
You can’t really “save” it anywhere, and I’ve had multiple WSL environments f ail completely f or
no reason that I could discern. Do not expect to keep it.
If space on your secured device is at a premium, you can delete the newcerts1.pem file. That
is your sub-CA’s signed certificate, which you kept as part of the out file listing. If space is even
more precious than that, the only file that you absolutely must keep is the .key file in private.
With that, you can sign new certificates, revoke compromised certificates, and regenerate the
CRL. You should also have the various serial files and certificate database (index.txt, serial,
crlnumber, etc.), but you could reasonably approximate those if absolutely necessary. You will not
be able to perf ectly reproduce the root CA’s public certificate, but hopef ully, you’ll have some
copies of it spread around. openssl.cnf would also be dif ficult to reproduce, but not impossible.
To avoid problems, the best thing is to retain the entire directory structure.
[thrive_leads id=’17165′]
This is a text dump of the commands involved. It expects the same environmental setup that I
used in Part 1 above and the f older structure f rom Part 2. I did not break out the separate
sections this time, to ensure that you do not blindly copy/paste the entire thing. I
documented where OpenSSL will interrupt you.
The pkcs12 output portion is optional, but it allows you to move your entire subordinate CA’s
keys and certificate in a single package. Just remember to take special care of it, as it contains
the CA’s private key.
I f eel that the Group Policy Management Console f alls under the category of “common
knowledge”, so I will not give you a detailed walk-through on installing or using it. You will find it
as an installable f eature on Windows Server. You can read Microsof t’s of ficial documentation.
4. Click Next to go to the import page where you can browse f or the root CA’s certificate file:
5. Proceed through the remainder of the wizard without changing anything.
You do not need to modif y the user settings; you can disable that branch if you wish.
In this article, I will piggyback of f of the IIS installation enabled by the subordinate
CA’s Certification Authority Web Enrollment role. It fits this purpose perf ectly. In its current
incarnation, this role has little more value than automatically publishing the CRT and CRL f or the
subordinate CA. It aligns with our goal of publishing the root CA’s CRT and CRL.
1. On the certificate server (or a management workstation connected to it), start the Add
roles and features wizard in Server Manager. Step f orward to the Roles page.
2. Expand Active Directory Certificate Services and check Certification Authority Web
Enrollment:
3. The wizard will prompt you to install several components of IIS. Agree by clicking Add
Features.
4. Proceed through the remainder of the wizard, keeping all def aults.
1. In C:inetpub, create a f older named “rootca”. Place the root certification authority’s CRT
and CRL file.
3. Configure the new site. Pay attention to the indicated areas. The Site Name is up to you.
Use port 80; all of the items are digitally-signed and public. Publishing them with https is
counter-productive, at best. Make sure that you use the same FQDN f or the Host name
that you indicated in the CRL inf ormation in your openssl.cnf file.
4. Test access to the CRL and CRT by accessing the complete URL that appears in the
subordinate CA’s CRL inf ormation:
1. Run gpupdate /f orce to ensure that group policy publishes the root certificate to the
subordinate server.
2. Assuming Server 2016, use Cortana to Manage computer certificates. On older servers,
you’ll need to manually run MMC.EXE and add the Certificates snap-in.
3. Make certain that the certificate appears in Trusted Root Certification Authorities:
4. Start the Certification Authority tool. You can find it under Windows Administrative
Tools.
6. Browse f or any one of the subordinate CA’s certificate files that you generated into the
out f older:
7. Provided that everything is OK, it will run a short progress bar and then return you to the
management console.
8. Right-click on your certification authority, go to All Tasks, and click Start Service.
9. Open Server Manager and click the notification flag with the yellow triangle at the top right
of the window, then click Configure Active Directory Certificate Services on the
destination server. If it is not present f or some reason, then one of the recent tasks
should show a link back to the Add roles and features wizard. It will start on the last page,
which includes a link to the certification role configuration wizard.
10. Proceed to the role configuration page. Check Certification Authority Web Enrollment.
11. IIS should now have a “CertEnroll” virtual directory underneath the Default Web Site that
redirects to C:Windowssystem32CertSrvCertEnroll. It should contain the CRT and CRL
f or your subordinate CA:
Congratulations! You have set up a f unctional public key inf rastructure, complete with an of fline
root CA and an operational enterprise subordinate CA! If you check the certificate list on a
domain member with a current policy update, you should see the sub-CA with an OK status:
You can request certificates using the Certificates MMC snap-in on a domain-joined computer.
You can also instruct group policy to automatically issue certificates. Explaining such usage (and
all of the other possibilities) exceeds what I want to accomplish in this article.
I highly recommend placing all of the above activities into a single text file and storing it with
your CA’s files. You can then easily reuse the portions that you need. You’ll also have them
available if you have an emergency and need to rebuild a new PKI f rom scratch in a hurry.
Append the f unctions in this section to the file with relevant comments.
When you need to reuse your files, spin up a WSL environment, enter sudo -s, and then run the
portion that generates the environment variables (Part 1: Establish Variables). Then, run cp -rf
$dir_host_transf er/* $dir_root.
Assuming that you have perf ormed the preceding bit about regenerating the CA structure
within WSL, you can create an updated CRL very simply:
openssl ca -gencrl -config $file_conf -out $file_crl
cp -r /ca/crl* $dir_host_transfer
cp $file_crl $dir_out
Remember to rm -r /ca to remove the CA f rom WSL af ter you’ve done this. Copy the updated
CRL file out to the web location and place the CA files back into secured storage.
Copy the index.txt file back to Windows; it contains the CA’s database and will now have a
record of the revoked subordinate CA certificate.
cp $dir_root/index.txt $dir_host_transfer
You will need to provide the root CA’s private key password to complete the revocation.
Perf orm all the steps in the “Updating the Root CA’s CRL” section above — most importantly,
you need to publish the CRL and leave it available. Remove the authority f rom Active Directory.
In the Certification Authority tool, right-click your authority, go to All Tasks and select Renew
CA Certificate.
Follow the wizard to generate a new CSR. In the WSL portion above, locate the portion in Part 1
where you copy in the CSR file. Then, proceed f rom part 6 through to the end. Wrap up by
starting at step 4 of the “Complete Configuration of the Subordinate CA” section above.
Further Reading
Microsof t’s base documentation f or Certificate Services: https://docs.microsof t.com/en-
us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831740(v%3dws.11)
Want to ask a question that relates directly to your situation? Head on over to the Altaro Dojo
Forums and start a discussion. I’m actively part of that community and answering questions on a
daily basis.
Comment only.
An excellent summary of this complex process, with just enough comments which are
clearly made. Thanks f or this Eric, worked fine f or me. Tony
Reply
Hi,
You write about wasted ef f ort regarding creation of CRL f or the root ca and write later it is
important to publish the root CRT and CRL files.
How could I create an CRL file? The f ollow command asks about root passwort, but dont
create the CRL file.
openssl ca -gencrl -config $file_conf -out $file_crl
cheers
Loe
Reply
Shorter version: the CRL data that appears on a certificate ref ers to the CRL that
might revoke it. Root CAs can’t have any usef ul data there because no one can revoke
them, but every other certificate can. Put yet another way, any non-self -signed
certificate can and should have CRL data, but no self -signed certificate should.
Make sense?
As f or your command, read the “Urgent Note” right above the listing in Part 1, about
half way down the page. The $file_crl variable is not created properly because of the
way that WordPress mangles my code. You have to manually adjust that part of the
listing. Just f ollow the instructions, it’s easy.
Reply