Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
# Adding Trusted Certificate
Author: <You>
---

**GETTING ROOT CERT:**

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rather Than using bolds to create section headers I would use the # marks to make headers.

As Chris mentioned adding a document header with the title of the page would be good since it helps orient us and if it were to be printed that would also be useful.


The default file path, unless otherwise changed during the creation of a Windows CA, for the root certificate generated will be `C:/Windows/System32/CertSrv/CertEnroll/`

![ss1](Images/rootcert.png)

Here, it is found with the name `WIN-9RN04403S53_ccdc-test-CA`. This is your root certificate; not only does it have to be trusted on the machine with the CA present, but on every machine which is going to end up trusting this CA for the certificates which have been generated.

**ADDING TO TRUSTED CA LIST:**

Windows (Server 2019):
Typing "Manage computer certificates" into the search bar will result in a control panel option with the same name as the quotes. Similarly, you can search for the same thing in control panel and find the same tab underneath Administrative Tools.

![ss2](Images/manage.png)

Somewhat intuitively, in this tab, you can add the root certificate we saw earlier to the folder named "Trusted Root Certification Authority," simply by expanding this folder, right clicking the "Certificates" folder from the expansion, hovering over "All Tasks" and clicking import.

![ss3](Images/trusted.png)

Find your certificate file, and import it to this list, which requires Administrator permissions. The following screens prompt questions which may or may not be changed, as importing the way shown above will place the certificate in the right folder, though it will automatically detect if something is wrong.
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
On every install of Windows Server, service named "Server Manager" will be mainly used to install and modify features.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add title and author tag (Keep old text below the ---)

Suggested change
On every install of Windows Server, service named "Server Manager" will be mainly used to install and modify features.
# Certificate Authority Installation - Windows Server 2019
Author: <You>
---

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For the text I think it can be cleaned up a little bit.

something like

Suggested change
On every install of Windows Server, service named "Server Manager" will be mainly used to install and modify features.
On Windows Server installs, the *Service Manager* service is used to install and modify features on the server. It is no different in this case and will be used to install our Certificate Authority.


Connect to your machine and find your way to the Server Manager service (should be able to search for the program if it does not automatically show up, 'servermanager' from Win+R).

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

reword a little bit

Suggested change
Connect to your machine and find your way to the Server Manager service (should be able to search for the program if it does not automatically show up, 'servermanager' from Win+R).
Once connected to the Windows Server you want to deploy the CA on, if the *Server Manager* has not already opened search for the program by typing `servermanager` in the window that opens once you hit `Win + R`.


On the main dashboard page, select the option that reads "Add roles and features"

![ss1](Images/addroles.png) 

Skipping the "Before you Begin" page, select "Role-based feature or installation" on the page that follows.

![ss2](Images/rolebased.png)

Click next, and from the local server list, choose the server to install the feature on, and click next. This will most likely be your local machine.

![ss3](Images/serverpool.png)

The "Server Roles" page that comes up is the list of roles you'd wish to install. The only necessary installation for setting up the CA is "Active Directory Certificate Services." Select this, and on the popup page, select "Add features" to install the dependencies as well.

![ss4](Images/adcs.png)

Nothing else is required on the "Features" page, and the initial "AD CS" page can be skipped as well.

On the following page, entitled "Role Services," there are a few useful services that may make the CA installation more accessible, however, the only necessary installation from this page is simply "Certification Authority." Make sure to keep this selected, select any other role services that may be used, and click Next.

![ss5](Images/roleservices.png)

The final page is for confirmation. There is a single option that can be selected, enabling automatic restarts on the server if restarts are necessary. Select your preference, and click install.

![ss6](Images/confirmation.png)

Once the installation completes, you can close out of the installation page entirely, though setup is still necessary.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Once the installation completes, you can close out of the installation page entirely, though setup is still necessary.
Once the installation completes, you can close out of the installation page entirely, though setup is still necessary.
> [!NOTICE]
> Once you have successfully installed the Windows CA see the [Setup Documentaion](Reative Path) for the next steps you should take.

41 changes: 41 additions & 0 deletions OperatingSystem-Services/Platform-Windows/CA/ca-setup-ws2019.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
**Configuration Options**

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add title and author tag (Keep old text below the ---)

Suggested change
**Configuration Options**
# Certificate Authority Setup - Windows Server 2019
Author: <You>
---


**PREREQ: Make sure CA machine is added to Active Directory before configuring, as the Domain cannot change once this configuration is completed.**

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe make this into a IMPORTANT block?

Suggested change
**PREREQ: Make sure CA machine is added to Active Directory before configuring, as the Domain cannot change once this configuration is completed.**
> [!IMPORTANT]
> Make sure CA machine is added to Active Directory before configuring, as the Domain cannot change once this configuration is completed.


Once AD CS is installed on the server of choice, a new tab should appear on the left side of the Server Manager simply titled "AD CS." Assuming no prior setup has been done, the easiest way to setup is to find the yellow bar that exclaims setup is needed, as shown in the screenshot below.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Once AD CS is installed on the server of choice, a new tab should appear on the left side of the Server Manager simply titled "AD CS." Assuming no prior setup has been done, the easiest way to setup is to find the yellow bar that exclaims setup is needed, as shown in the screenshot below.
Once AD CS is installed on the server of choice, a new tab should appear on the left side of the Server Manager window simply titled *AD CS*. Assuming no prior setup has been done, the easiest way to setup the CA is to find the yellow bar that exclaims *setup is needed*, as shown in the screenshot below.


![ss1](Images/setup.png)

This will bring up a Task Details popup with the CA configuration task appearing somewhere in the list. Underneath the action column, there is a link titled "Configure Active Directory Certificate Services" which can be clicked to lead to the configuration.

![ss2](Images/config.png)

The page that pops up will be a credentials page. Depending on which role services were selected, specific permissions may be required out of the user you are logged into. For simply installing the certification authority, administrator permissions are required. Change your credentials if necessary and click next.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
The page that pops up will be a credentials page. Depending on which role services were selected, specific permissions may be required out of the user you are logged into. For simply installing the certification authority, administrator permissions are required. Change your credentials if necessary and click next.
The page that pops up will be a credentials page. Depending on which role services you have selected, specific permissions may be required of the user you are logged in as. Administrator permissions are required when installing the certification authority. Change your credentials if necessary and click next.


![ss3](Images/creds.png)

The next role services page is the selection for which services should be configured. For this purpose, only the certification authority will be configured.

![ss4](Images/rs.png)

The next page asks which type of CA should be setup. An enterprise CA typically operates online alongside features such as web enrollment services; for the sake of a private network, in which all machines are connected, the standalone CA works just fine.

![ss5](Images/standalone.png)

Next up, you have the choice between creating a Root CA and a subordinate CA; for the purpose of a standalone internal infrastructure, a Root CA would be the one of choice. Creating a Root CA also generates and self-signs a root certificate.

![ss6](Images/root.png)

The next page will prompt about type of private key; if this is the first time configuring a CA on this machine, it is optimal to create a new private key. For the sake of migration, if a private key already exists, that same private key can be used.

![ss7](Images/key.png)

If it is chosen to create a new key, the next page has to do with cryptography. It is ideal to use a long key length (>=2048), combined with a secure and usable hashing algorithm (for example, SHA1 and MD5 are considered no longer usable due to collision attacks). SHA512 is a great example. The cryptographic provider is also up to the user's specifications, though RSA works great for this case.

The next two pages, CA name and validity period, are up to the user's specifications. These have no security impact.

Next up is the database location(s); the default location is in a directory underneath System32. Change this path if it is necessary to, and remember this path for later, as this will be the location of the self-signed root certificate which will need to be distributed to any system accessing this CA.

![ss8](Images/database.png)

Confirm on the next page, and the setup process will begin. Once finished, the CA will be ready to use.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Technically the private key doesn't need a password (if you add -nodes to the command to let that happen). It's a good practice though. Just something to note.

Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
**PREREQUISITES: OpenSSL installed on machine generating the request. Installed by default on Linux systems, can be used on Windows systems either through WSL or Git for Windows.**

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Put in IMPORTANT block?

Suggested change
**PREREQUISITES: OpenSSL installed on machine generating the request. Installed by default on Linux systems, can be used on Windows systems either through WSL or Git for Windows.**
> [!IMPORTANT]
> OpenSSL must be installed on the machine generating a request. This is installed by default on Linux systems, and can also be used on Windows systems either through WSL or Git for Windows.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(Also should put in the title and author tag as mentioned previously)


**TLDR: helpful commands -**

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Similar thing as before, use # rather than bolds for subsections and sections

Request w/ new key: `openssl req -newkey rsa:2048 -keyout PRIVATEKEY.key -out YOURDOMAIN.csr`

Running this OpenSSL command as shown above will generate a .csr file, which is used to request certificates, as well as generating a new private key for this .csr file. Upon running this command and changing the capital names if needed, the user will be prompted with a few things.

First up, there is a required password for the private key; choose something that can be remembered if this private key is to be accessed in the future.

After the private key is generated, there is a series of questionnaire type questions to fill out.

**NOTE:** The only required field is the Common Name field, which should be filled out to typically be the fully qualified domain name of the website to be accessed. For example, dev.example.com would be a valid way to fill out this field. All other information can be filled out for extra information, but does not need to be.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Replace with NOTE block

Suggested change
**NOTE:** The only required field is the Common Name field, which should be filled out to typically be the fully qualified domain name of the website to be accessed. For example, dev.example.com would be a valid way to fill out this field. All other information can be filled out for extra information, but does not need to be.
> [!NOTE]
> The only required field is the *Common Nam* field, which should have the fully qualified domain name of the website entered as the value. For example, dev.example.com would be a valid way to fill out this field. All other fields can be filled out for extra information, but they are not required.


![ss1](Images/questions.png)

Hang onto the private key, and let it be as secure as possible. The .csr file will now be transmitted to the CA being used to generate the cert; one simple way to do this is through SCP.

If you're using WSL, this should already be in your Windows machine's file system.

If you're looking to SCP from the Linux machine to the Windows machine, make sure the Windows machine has OpenSSH Server installed as an optional feature, and make sure you can access the machine either through firewall settings or network settings. A sample command would be:
`scp /path/to/file.csr WindowsUser@WindowsIP:C:/path/to/final/`

If you're looking to SCP from the Windows machine and grab the file from the Linux machine, all you need is the OpenSSH client on the Windows machine, and Linux SSH access configured so that you can SSH into the Linux machine. A sample command would be:
`scp LinuxUser@LinuxIP:/path/to/file.csr C:/path/to/final/`
26 changes: 26 additions & 0 deletions OperatingSystem-Services/Platform-Windows/CA/sign-csr-file.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Title and author block

Now that you have the .csr file on your Windows machine, you can submit the request and generate a certificate. From the Windows Server machine, CA can be opened by typing "Certification Authority" and opening from the search bar, or intuitively through Server Manager by navigating to "AD CS" on the left side bar, right clicking the current server, and clicking "Certification Authority."

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Now that you have the .csr file on your Windows machine, you can submit the request and generate a certificate. From the Windows Server machine, CA can be opened by typing "Certification Authority" and opening from the search bar, or intuitively through Server Manager by navigating to "AD CS" on the left side bar, right clicking the current server, and clicking "Certification Authority."
Now that you have a `.csr` file on your Windows machine, you can submit the request and generate a certificate. From the Windows Server machine, the CA can be opened by typing "Certification Authority" and opening the result from the search bar, or through Server Manager by navigating to "AD CS" on the left side bar, right-clicking the current server, and clicking "Certification Authority."

Probably want to reword it a bit more


![ss2](Images/search.png)

From inside the Certification Authority service, the CA which was created should now be an entry on the left side bar. To generate a certificate using this CA, right click, hover over "All Tasks," and click "Submit new request..."

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
From inside the Certification Authority service, the CA which was created should now be an entry on the left side bar. To generate a certificate using this CA, right click, hover over "All Tasks," and click "Submit new request..."
The CA we created earlier should be visible from within the Certification Authority service as an entry on the left sidebar. In order to generate a certificate using this CA, right-click this entry, hover over "All Tasks," then click "Submit new request..."


![ss2](Images/submit.png)

This should open a file explorer tab, in which you must navigate to your .csr file. One thing to note is you must change the file types in this file explorer tab to "All files" rather than the select few extensions. Find your .csr file, and select open.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
This should open a file explorer tab, in which you must navigate to your .csr file. One thing to note is you must change the file types in this file explorer tab to "All files" rather than the select few extensions. Find your .csr file, and select open.
This should open a file explorer tab, in which you must navigate to your `.csr` file. Find your `.csr ` file, and select open.
> [!NOTE]
> You must change the file types in this file explorer tab to "All files" rather than selecting a few extensions.


Selecting open on this file will move it into the "Pending Requests" folder associated with your Certification Authority. Click on the arrow next to your CA and navigate to said folder. Find the specific request (it is probably worth deleting old requests as to not get swarmed with requests), right click it, hover over "All Tasks" and select "Issue."

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Selecting open on this file will move it into the "Pending Requests" folder associated with your Certification Authority. Click on the arrow next to your CA and navigate to said folder. Find the specific request (it is probably worth deleting old requests as to not get swarmed with requests), right click it, hover over "All Tasks" and select "Issue."
Selecting open on this file will move it into the "Pending Requests" folder associated with your Certification Authority. Click on the arrow next to your CA and navigate there. Find the specific request, right click it, hover over "All Tasks" and select "Issue."
> [!NOTE]
> You should probably delete old requests you have fulfilled to not get overwhelmed with requests.


![ss3](Images/issue.png)

This will now move the certificate to the "Issued Certificates" folder. Now, all that is left is to export this certificate to a certificate file, which can then be sent back using SCP commands to the original machine.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Its obvious, but maybe add a little context with something like "sent back to the requestor with SCP"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As "Original Machine" is fine, but maybe being a little more specific can be good?


To do this, right click on the issued certificate in the list (once again, it is recommended to remove old certs), and select "Open."

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would suggest moving the parens note "(once again, it is...)" to a NOTE block

Suggested change
To do this, right click on the issued certificate in the list (once again, it is recommended to remove old certs), and select "Open."
> [!NOTE]
> We again recommend removing old certificates...


Here, you can look over any of the details that have been inputted, but the button we are looking for is underneath the "Details" tab, titled "Copy to File..."

![ss4](Images/copytofile.png)

Keeping all options as default, unless otherwise necessary, the only necessary page is the page in which you are saving the name of the certificate. Save it to a path you will remember, and while any name is fine, it is recommended to name it as yourdomain.cer. This can now be sent back to the machine.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably want to reword the first half.

Suggested change
Keeping all options as default, unless otherwise necessary, the only necessary page is the page in which you are saving the name of the certificate. Save it to a path you will remember, and while any name is fine, it is recommended to name it as yourdomain.cer. This can now be sent back to the machine.
Unless required you can keep all of the options at their default values, the only page we need to be worried about is the one where we specify the name of the certificate. Make sure you save it to a path that you will remember, and the name provided to the file does not matter much though it is recommended you provide the file extension `.cer`. Once completed you can transfer this file to the target machine.


As a last step, if not already done, the machine(s) which are going to be using this certificate will need to trust your CA which has been created in order to trust the certificate.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably add details or link to document on adding the root CA or intermediate CA to the trusted certificate store