Building & Integrating a Cross-Platform PKI

Mark Stanislav NITA 599, Spring 2010

Overall Project Scope
• Deployment of Windows PDC + DNS
• Windows Certificate Services as Root CA
• OCSP Responder/CRL for revocation
• Web enrollment via IIS
• Linux + OpenSSL as Intermediate CA
• Windows Desktop Clients w/ certificates
• Linux Webserver w/ SSL certificate
• Successful validation of SSL certificate

General Network
• VMWare Fusion with bridged network interfaces on 192.168.0.0/24
• Mixed Operating Systems:
  • 2 Windows 2008 R2 Enterprise
  • 2 Windows XP SP3
  • 2 Debian GNU/Linux 5.04
• Windows domain called ‘MYPKI’
• DNS services provided from PDC

Network overview
Host: Mac OS X Machine w/ VMWare Fusion (250GB HDD; 4GB RAM)

Windows Domain (Windows Machines):
• Windows Server 2008 R2 AD PDC + DNS Server (40GB VHD; 1GB RAM)
• Windows Server 2008 R2 Root CA w/ AD CS (40GB VHD; 1GB RAM)
• Windows XP SP3 Generic Client #1 (40GB VHD; 512MB RAM)
• Windows XP SP3 Generic Client #2 (40GB VHD; 512MB RAM)

Linux Machines:
• Debian GNU/Linux 5.04 Intermediate CA w/ OpenSSL (8GB VHD; 128MB RAM)
• Debian GNU/Linux 5.04 Apache Web Server + SSL (8GB VHD; 128MB RAM)

Together these machines make up the project’s Public Key Infrastructure.

Goal Breakdown (Goal / Platform)
1. 2 Windows Server 2008 R2 Enterprise; 2 Windows XP SP3; 2 Debian Linux VMs / Mixed
2. Build Windows Server 2008 R2 Enterprise Primary Domain Controller (MYPKI) / Windows Server
3. Join 2 Windows XP Clients + Root CA to ‘MYPKI’ domain + create additional user / Windows Server/XP
4. Deploy base DNS configuration on Windows PDC for ‘mypki.local’ zone / Windows Server
5. Build Windows Server 2008 R2 Enterprise Root CA w/ Certificate Services / Windows Server
6. Configure OCSP Responder + Certification Revocation List on Root CA / Windows Server
7. Configure PDC Group Policy to do user ‘auto-enrollment’ for certificates on login / Windows Server
8. Install Web Enrollment with IIS on Root CA + create a certificate with a valid CSR / Windows Server/Linux
9. Use ‘certutil’ to verify a valid Root CA has been published to Active Directory / Windows Server
10. Configure certificate policy templates for both permissions and availability / Windows Server
11. Manage Root CA utilizing PDC remote snap-in for Server Manager / Windows Server
12. Manually enroll a domain user through Web Enrollment on Windows XP / Windows XP
13. Manually enroll a domain user through ‘mmc’ via the certificates snap-in / Windows XP
14. Build an intermediate CA on Debian Linux with OpenSSL, signed by the Root CA / Windows Server/Linux
15. Create valid certificate chain file containing both the Root and Intermediate CA / Windows Server/Linux
16. Install an Apache server on Linux and configure with SSL using Intermediate CA / Linux
17. Import certificate chain file with successful validation by Firefox of Apache SSL / Mac OS X

Result: the per-goal result markers did not survive the text version of the slide; see Major Successes and Mishaps/Failures below.

Major Successes
• Creation of Root CA on both secondary Windows Server 2008 VM as well as PDC (during break-fix testing)
• Creation of Root CA signed, OpenSSL generated, Intermediate CA on Linux
• Proper recognition of Mac OS X Keychain + Firefox to CA certificate chain and Apache SSL certificate
• Manual user certificate enrollment via both Windows XP ‘mmc’ Certificates snap-in & Certificate Services web enrollment via IIS
• Auto-enrollment of computer certificates for domain
• OCSP + CRL revocation provisions from Root CA

Mishaps/Failures
• Unable to have user auto-enrollment, despite configuring two Root CAs; including one on PDC
• Errors with web enrollment using Google Chrome
• Windows XP SP3 integration with certutil command
• Google Chrome not accepting Apache SSL certificate
• Lack of Outlook integration without MS Exchange
• CSR signing request for intermediate CA certificate not accepted with file-upload; only copy + paste to form
• Redundant certification enrollment for PDC
• Reoccurring Microsoft Exchange errors; unknown solution

Deployment Screenshots

Virtual Machines used in deployment

User web-enrollment via IIS

Root CA generated user certificate

Root CA generated computer certificate

Windows XP installation of user certificate

Intermediate CA CSR signing process via Root CA

OpenSSL generation of Intermediate CA-signed Apache SSL certificate

Improper validation of CA certificates and Apache SSL certificate

Properly-signed Root CA certificate

Keychain certificate store w/ valid Root CA certificate

Valid Intermediate CA w/Apache SSL Certificate*

* Web site was accessed via IP, not ‘domain’ hostname, hence the error

Certificate store w/ PDC, user, and Intermediate CA certificates

Windows Server PDC w/ AD, AD CS, DNS, and IIS

Configuration of Root CA CRL

CRL imported with Firefox on Mac OS X

Configuration of CRL updates in Firefox

Manual user certificate enrollment via ‘mmc’

Resources Used
• http://technet.microsoft.com/en-us/library/cc753828.aspx
• http://www.debian-administration.org/article/Setting_up_an_SSL_server_with_Apache2
• http://www.scribd.com/doc/5987876/Windows-Server-2008-Active-Directory-Certificate-Services-StepByStep-Guide
• http://smtpport25.wordpress.com/2010/01/16/migrating-windows-certificate-authority-server-from-windows-2003-standard-to-windows-2008-enterprise-server/
• http://blog.netnerds.net/2009/10/securing-apache-using-mod_ssl-openssl-and-microsoft-certificate-authority-ca/
• http://www.isaserver.org/img/upl/vpnkitbeta2/autoenroll.htm
• http://usefulfor.com/nothing/2008/03/20/howto-create-an-intermediate-certifica-authority-ca-using-openssl/
• http://www.windowsreference.com/windows-server-2008/step-by-step-guide-for-windows-server-2008-domain-controller-and-dns-server-setup/
