-
Notifications
You must be signed in to change notification settings - Fork 7
CA Documentation #105
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
CA Documentation #105
Changes from all commits
e29715f
c5a4c14
884be5a
bf90a25
dd1cb74
0826524
73ececb
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
|
|
||
| **GETTING ROOT CERT:** | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Rather Than using bolds to create section headers I would use the As Chris mentioned adding a document header with the title of the page would be good since it helps orient us and if it were to be printed that would also be useful. |
||
|
|
||
| The default file path, unless otherwise changed during the creation of a Windows CA, for the root certificate generated will be `C:/Windows/System32/CertSrv/CertEnroll/` | ||
|
|
||
|  | ||
|
|
||
| Here, it is found with the name `WIN-9RN04403S53_ccdc-test-CA`. This is your root certificate; not only does it have to be trusted on the machine with the CA present, but on every machine which is going to end up trusting this CA for the certificates which have been generated. | ||
|
|
||
| **ADDING TO TRUSTED CA LIST:** | ||
|
|
||
| Windows (Server 2019): | ||
| Typing "Manage computer certificates" into the search bar will result in a control panel option with the same name as the quotes. Similarly, you can search for the same thing in control panel and find the same tab underneath Administrative Tools. | ||
|
|
||
|  | ||
|
|
||
| Somewhat intuitively, in this tab, you can add the root certificate we saw earlier to the folder named "Trusted Root Certification Authority," simply by expanding this folder, right clicking the "Certificates" folder from the expansion, hovering over "All Tasks" and clicking import. | ||
|
|
||
|  | ||
|
|
||
| Find your certificate file, and import it to this list, which requires Administrator permissions. The following screens prompt questions which may or may not be changed, as importing the way shown above will place the certificate in the right folder, though it will automatically detect if something is wrong. | ||
| Original file line number | Diff line number | Diff line change | ||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,31 @@ | ||||||||||||||||
| On every install of Windows Server, service named "Server Manager" will be mainly used to install and modify features. | ||||||||||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Add title and author tag (Keep old text below the
Suggested change
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. For the text I think it can be cleaned up a little bit. something like
Suggested change
|
||||||||||||||||
|
|
||||||||||||||||
| Connect to your machine and find your way to the Server Manager service (should be able to search for the program if it does not automatically show up, 'servermanager' from Win+R). | ||||||||||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. reword a little bit
Suggested change
|
||||||||||||||||
|
|
||||||||||||||||
| On the main dashboard page, select the option that reads "Add roles and features" | ||||||||||||||||
|
|
||||||||||||||||
|  | ||||||||||||||||
|
|
||||||||||||||||
| Skipping the "Before you Begin" page, select "Role-based feature or installation" on the page that follows. | ||||||||||||||||
|
|
||||||||||||||||
|  | ||||||||||||||||
|
|
||||||||||||||||
| Click next, and from the local server list, choose the server to install the feature on, and click next. This will most likely be your local machine. | ||||||||||||||||
|
|
||||||||||||||||
|  | ||||||||||||||||
|
|
||||||||||||||||
| The "Server Roles" page that comes up is the list of roles you'd wish to install. The only necessary installation for setting up the CA is "Active Directory Certificate Services." Select this, and on the popup page, select "Add features" to install the dependencies as well. | ||||||||||||||||
|
|
||||||||||||||||
|  | ||||||||||||||||
|
|
||||||||||||||||
| Nothing else is required on the "Features" page, and the initial "AD CS" page can be skipped as well. | ||||||||||||||||
|
|
||||||||||||||||
| On the following page, entitled "Role Services," there are a few useful services that may make the CA installation more accessible, however, the only necessary installation from this page is simply "Certification Authority." Make sure to keep this selected, select any other role services that may be used, and click Next. | ||||||||||||||||
|
|
||||||||||||||||
|  | ||||||||||||||||
|
|
||||||||||||||||
| The final page is for confirmation. There is a single option that can be selected, enabling automatic restarts on the server if restarts are necessary. Select your preference, and click install. | ||||||||||||||||
|
|
||||||||||||||||
|  | ||||||||||||||||
|
|
||||||||||||||||
| Once the installation completes, you can close out of the installation page entirely, though setup is still necessary. | ||||||||||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||||||||||||
| Original file line number | Diff line number | Diff line change | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,41 @@ | ||||||||||||
| **Configuration Options** | ||||||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Add title and author tag (Keep old text below the
Suggested change
|
||||||||||||
|
|
||||||||||||
| **PREREQ: Make sure CA machine is added to Active Directory before configuring, as the Domain cannot change once this configuration is completed.** | ||||||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Maybe make this into a IMPORTANT block?
Suggested change
|
||||||||||||
|
|
||||||||||||
| Once AD CS is installed on the server of choice, a new tab should appear on the left side of the Server Manager simply titled "AD CS." Assuming no prior setup has been done, the easiest way to setup is to find the yellow bar that exclaims setup is needed, as shown in the screenshot below. | ||||||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||||||||
|
|
||||||||||||
|  | ||||||||||||
|
|
||||||||||||
| This will bring up a Task Details popup with the CA configuration task appearing somewhere in the list. Underneath the action column, there is a link titled "Configure Active Directory Certificate Services" which can be clicked to lead to the configuration. | ||||||||||||
|
|
||||||||||||
|  | ||||||||||||
|
|
||||||||||||
| The page that pops up will be a credentials page. Depending on which role services were selected, specific permissions may be required out of the user you are logged into. For simply installing the certification authority, administrator permissions are required. Change your credentials if necessary and click next. | ||||||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||||||||
|
|
||||||||||||
|  | ||||||||||||
|
|
||||||||||||
| The next role services page is the selection for which services should be configured. For this purpose, only the certification authority will be configured. | ||||||||||||
|
|
||||||||||||
|  | ||||||||||||
|
|
||||||||||||
| The next page asks which type of CA should be setup. An enterprise CA typically operates online alongside features such as web enrollment services; for the sake of a private network, in which all machines are connected, the standalone CA works just fine. | ||||||||||||
|
|
||||||||||||
|  | ||||||||||||
|
|
||||||||||||
| Next up, you have the choice between creating a Root CA and a subordinate CA; for the purpose of a standalone internal infrastructure, a Root CA would be the one of choice. Creating a Root CA also generates and self-signs a root certificate. | ||||||||||||
|
|
||||||||||||
|  | ||||||||||||
|
|
||||||||||||
| The next page will prompt about type of private key; if this is the first time configuring a CA on this machine, it is optimal to create a new private key. For the sake of migration, if a private key already exists, that same private key can be used. | ||||||||||||
|
|
||||||||||||
|  | ||||||||||||
|
|
||||||||||||
| If it is chosen to create a new key, the next page has to do with cryptography. It is ideal to use a long key length (>=2048), combined with a secure and usable hashing algorithm (for example, SHA1 and MD5 are considered no longer usable due to collision attacks). SHA512 is a great example. The cryptographic provider is also up to the user's specifications, though RSA works great for this case. | ||||||||||||
|
|
||||||||||||
| The next two pages, CA name and validity period, are up to the user's specifications. These have no security impact. | ||||||||||||
|
|
||||||||||||
| Next up is the database location(s); the default location is in a directory underneath System32. Change this path if it is necessary to, and remember this path for later, as this will be the location of the self-signed root certificate which will need to be distributed to any system accessing this CA. | ||||||||||||
|
|
||||||||||||
|  | ||||||||||||
|
|
||||||||||||
| Confirm on the next page, and the setup process will begin. Once finished, the CA will be ready to use. | ||||||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Technically the private key doesn't need a password (if you add |
| Original file line number | Diff line number | Diff line change | ||||||
|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,24 @@ | ||||||||
| **PREREQUISITES: OpenSSL installed on machine generating the request. Installed by default on Linux systems, can be used on Windows systems either through WSL or Git for Windows.** | ||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Put in IMPORTANT block?
Suggested change
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. (Also should put in the title and author tag as mentioned previously) |
||||||||
|
|
||||||||
| **TLDR: helpful commands -** | ||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Similar thing as before, use |
||||||||
| Request w/ new key: `openssl req -newkey rsa:2048 -keyout PRIVATEKEY.key -out YOURDOMAIN.csr` | ||||||||
|
|
||||||||
| Running this OpenSSL command as shown above will generate a .csr file, which is used to request certificates, as well as generating a new private key for this .csr file. Upon running this command and changing the capital names if needed, the user will be prompted with a few things. | ||||||||
|
|
||||||||
| First up, there is a required password for the private key; choose something that can be remembered if this private key is to be accessed in the future. | ||||||||
|
|
||||||||
| After the private key is generated, there is a series of questionnaire type questions to fill out. | ||||||||
|
|
||||||||
| **NOTE:** The only required field is the Common Name field, which should be filled out to typically be the fully qualified domain name of the website to be accessed. For example, dev.example.com would be a valid way to fill out this field. All other information can be filled out for extra information, but does not need to be. | ||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Replace with NOTE block
Suggested change
|
||||||||
|
|
||||||||
|  | ||||||||
|
|
||||||||
| Hang onto the private key, and let it be as secure as possible. The .csr file will now be transmitted to the CA being used to generate the cert; one simple way to do this is through SCP. | ||||||||
|
|
||||||||
| If you're using WSL, this should already be in your Windows machine's file system. | ||||||||
|
|
||||||||
| If you're looking to SCP from the Linux machine to the Windows machine, make sure the Windows machine has OpenSSH Server installed as an optional feature, and make sure you can access the machine either through firewall settings or network settings. A sample command would be: | ||||||||
| `scp /path/to/file.csr WindowsUser@WindowsIP:C:/path/to/final/` | ||||||||
|
|
||||||||
| If you're looking to SCP from the Windows machine and grab the file from the Linux machine, all you need is the OpenSSH client on the Windows machine, and Linux SSH access configured so that you can SSH into the Linux machine. A sample command would be: | ||||||||
| `scp LinuxUser@LinuxIP:/path/to/file.csr C:/path/to/final/` | ||||||||
| Original file line number | Diff line number | Diff line change | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,26 @@ | ||||||||||||
|
|
||||||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Title and author block |
||||||||||||
| Now that you have the .csr file on your Windows machine, you can submit the request and generate a certificate. From the Windows Server machine, CA can be opened by typing "Certification Authority" and opening from the search bar, or intuitively through Server Manager by navigating to "AD CS" on the left side bar, right clicking the current server, and clicking "Certification Authority." | ||||||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
Probably want to reword it a bit more |
||||||||||||
|
|
||||||||||||
|  | ||||||||||||
|
|
||||||||||||
| From inside the Certification Authority service, the CA which was created should now be an entry on the left side bar. To generate a certificate using this CA, right click, hover over "All Tasks," and click "Submit new request..." | ||||||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||||||||
|
|
||||||||||||
|  | ||||||||||||
|
|
||||||||||||
| This should open a file explorer tab, in which you must navigate to your .csr file. One thing to note is you must change the file types in this file explorer tab to "All files" rather than the select few extensions. Find your .csr file, and select open. | ||||||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||||||||
|
|
||||||||||||
| Selecting open on this file will move it into the "Pending Requests" folder associated with your Certification Authority. Click on the arrow next to your CA and navigate to said folder. Find the specific request (it is probably worth deleting old requests as to not get swarmed with requests), right click it, hover over "All Tasks" and select "Issue." | ||||||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||||||||
|
|
||||||||||||
|  | ||||||||||||
|
|
||||||||||||
| This will now move the certificate to the "Issued Certificates" folder. Now, all that is left is to export this certificate to a certificate file, which can then be sent back using SCP commands to the original machine. | ||||||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Its obvious, but maybe add a little context with something like "sent back to the requestor with SCP"
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. As "Original Machine" is fine, but maybe being a little more specific can be good? |
||||||||||||
|
|
||||||||||||
| To do this, right click on the issued certificate in the list (once again, it is recommended to remove old certs), and select "Open." | ||||||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I would suggest moving the parens note "(once again, it is...)" to a NOTE block
Suggested change
|
||||||||||||
|
|
||||||||||||
| Here, you can look over any of the details that have been inputted, but the button we are looking for is underneath the "Details" tab, titled "Copy to File..." | ||||||||||||
|
|
||||||||||||
|  | ||||||||||||
|
|
||||||||||||
| Keeping all options as default, unless otherwise necessary, the only necessary page is the page in which you are saving the name of the certificate. Save it to a path you will remember, and while any name is fine, it is recommended to name it as yourdomain.cer. This can now be sent back to the machine. | ||||||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Probably want to reword the first half.
Suggested change
|
||||||||||||
|
|
||||||||||||
| As a last step, if not already done, the machine(s) which are going to be using this certificate will need to trust your CA which has been created in order to trust the certificate. | ||||||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Probably add details or link to document on adding the root CA or intermediate CA to the trusted certificate store |
||||||||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.