Chapter 1: Introduction

Many companies use the Microsoft Active Directory Certificate Services application to create certificates for their web servers and other services that need certificates. Alliance Key Manager requires X509 certificates for many aspects of its operation, and client applications need X509 certificates to connect to and authenticate with the key server. This guide will help Microsoft administrators understand how to use AD CS to create certificates for Alliance Key Manager.

Microsoft AD CS exports certificates and keys in PFX format. Alliance Key Manager requires certificates in PEM format. Please see the section below on how to use openssl to convert PFX certificates to PEM format.

In this guide we will be setting up Public Key Infrastructure using Active Directory Certificate Services on Windows Server 2008 Standard Edition. The following considerations need to be kept in mind before we can build PKI infrastructure:

  • Windows Server 2008 Standard Edition or a later version.

  • Functional DNS.

  • The name and domain of the AD CS server cannot be changed later.

In this guide we are using ROOTCA.cert.local as the name of the server.

Change log

Version Date Description
1.0.0 9/28/2011 Initial release.
1.0.1 10/17/2011 Minor changes to correct example http links.
1.0.2 10/30/2011 Add information for customers with current installations of AD CS.
1.0.3 11/20/2011 Correct information about KEK, AUTH, and server certificates.
1.0.4 4/18/2012 Add additional information about generating a server certificate.
2.1.13.001 6/1/2013 Minor updates and application of style guide to documentation.
3.0.0.001 2/11/2015 Updates. Addition of section on creating a server certificate that has both server and client authentication to enable mirroring.

Chapter 2: Existing AD CS Users

IMPORTANT: This manual shows how to create a basic configuration in AD CS if you haven’t used AD CS before. If you already have a configuration of AD CS that provides different services and options than this guide’s basic configuration, please use this chapter as a general guide in creating the certificates and private keys you need for Alliance Key Manager.

You will need to convert the PFX certificate files to PEM format. You can use steps in Chapter 4 to do this. You will also need to convert the CA certificate and the AKM Administrative certificate to Java Key Store (JKS) format. See the comments below.

Certificates you will need

Certificate Notes
CA_certificate.pem Export the existing AD CS certificate authority certificate and convert to PEM format. You can give this file any name you like, but it must have a “.pem” extension. The name will be entered in the AKM configuration file. You will also need this certificate in Java Key Store (JKS) format for use with the AKM Administrative Console application. See the AKM Portecle Quick Start Guide for instructions on how to convert the CA certificate in PEM format to JKS format.
AKMServerSignedCert.pem Create a certificate with the Organizational Unit (OU) name of “akm_server” and export it with the private key. Convert this file to two files named AKMServerSignedCert.pem and AKMServerPrivKey.pem. You can give these files any name you like, but they must have a “.pem” extension. Use the instructions in Chapter 4 to convert from PFX to PEM format without a password, and separate the certificate and private key. The names will be entered in the AKM configuration file.
KekSignedCert.pem Create a certificate and export it with the private key. Convert this file to two files named KekSignedCert.pem and KekPrivKey.pem. The files must have exactly these names; the names are case sensitive. Use the instructions in Chapter 4 to convert from PFX to PEM format without a password, and separate the certificate and private key.
AuthSignedCert.pem Create a certificate and export it with the private key. Convert this file to two files named AuthSignedCert.pem and AuthPrivKey.pem. The files must have exactly these names; the names are case sensitive. Use the instructions in Chapter 4 to convert from PFX to PEM format without a password, and separate the certificate and private key.
WindowsClientCert This must be a client certificate, not a server certificate. Create this certificate with the CN name of a user and export it with the private key. This certificate and private key will be used in any .NET application that needs to retrieve keys, or in the Key Connection software for SQL Server EKM encryption.
UserSignedCert.pem Do you have a Linux application that needs to access Alliance Key Manager? If Yes, you must create an appropriate client certificate and key in PEM format. This must be a client certificate, not a server certificate. Create this certificate with the CN name of a user and export it with the private key. Convert this to two files with an appropriate name. Use the instructions in Chapter 4 to convert from PFX to PEM format without a password, and separate the certificate and private key.
AS400SignedCert.pfx Do you have an IBM i (AS/400, iSeries) application that needs to access Alliance Key Manager? If Yes, you must create a Certificate Signing Request (CSR) in IBM Digital Certificate Manager and sign it with AD CS. Transfer the PFX or P12 file to the IBM i IFS directory, and import it to Digital Certificate Manager. See the document AKM DCM Configuration for IBM i for more information.
AdminSignedCert.jks This must be a client certificate, not a server certificate. Create this certificate with the OU name of “akm_admin” and export it with the private key. Convert this to two files named AdminSignedCert.pem and AdminPrivKey.pem. You can give these files any name you like, but they must have a “.pem” extension. Use the instructions in Chapter 4 to convert from PFX to PEM format without a password, and separate the certificate and private key. Use the AKM Portecle Quick Start Guide to convert the PEM format to Java Key Store (JKS) format.

Chapter 3: Simple Example

IMPORTANT: This chapter assumes that you do not have Active Directory Certificate Services (AD CS) installed. It walks you through a very simple implementation of AD CS for the purposes of creating certificates and keys used by Alliance Key Manager. If you intend to use AD CS for other purposes, you should stop and consult with the Microsoft documentation for AD CS. Some of the settings in this example will not be appropriate for administering .NET web services and other applications.

Changing the Domain Prefix of Server

Log on to server ROOTCA.cert.local.

Click Start, navigate to Administrative Tools, and then click Server Manager.

On the right hand side, click Change System Properties.

The “System Properties” dialog will open.

Under the “Computer Name” tab, click Change and the “Computer Name/Domain Changes” dialog will display. Click More and enter your domain name. In this example, we have used cert.local as the domain name.

Click OK three times and restart your server.

Installing Active Directory Certificate Services

Log on to server ROOTCA.cert.local.

Click Start, navigate to Administrative Tools, and click Server Manager.

In the “Roles Summary” section, click Add roles. The “Select Server Roles” page is displayed.

Select the Active Directory Certificate Services check box. Click Next two times.

The “Select Role Services” page is displayed.

Select the Certification Authority and Certificate Authority Web Enrollment check boxes. When you select the Certificate Authority Web Enrollment check box, a dialog will display prompting you to install dependent roles and services. Click Add Required Role Services and click Next.

On the “Specify Setup Type” page, click Standalone and then click Next.

On the “Specify CA Type” page, click Root CA and then click Next.

On the “Setup a Private Key” page, click Create a new private key and then click Next.

On the “Configure Cryptography for CA” pages you can set optional cryptographic settings, including the cryptographic service provider. For basic testing purposes, accept the default values by clicking Next twice. By default the cryptographic service provider is RSA, the key length is 2048 bits and the hash algorithm is SHA1. (SHA1 is deprecated for certificate signatures; select SHA256 if the chosen provider offers it.)

Click Next.

In the “Common name for this CA” field, type the common name of the CA. Leave the pre-populated values or change them as you prefer.

Click Next.

On the “Set the Certificate Validity Period” page, accept the default validity duration for the root CA of 5 years, and click Next.

On the “Configure Certificate Database” page, accept the default values or specify other storage locations for the certificate database and the certificate database log. Click Next two times.

On “Select Role Services”, the required IIS role and its components will be selected by default.

Click Next.

After verifying the information on the “Confirm Installation Options” page, click Install. Review the information on the confirmation screen to verify that the installation was successful.

Configuring IIS

Before we begin creating and issuing certificates we need to configure IIS so that certificate requests are submitted, and issued certificates retrieved, over HTTPS.

Click Start, navigate to Administrative Tools, and click Internet Information Services (IIS) Manager.

Click the server node; it is labelled with the hostname of the server.

Double click Server Certificates.

In the “Actions” pane, click Create Self-Signed Certificate…

The “Create Self-Signed Certificate” dialog is displayed.

For the “friendly name” of the certificate enter “mycert” or a name of your choice and click OK.

You will see the new certificate by the name of “mycert” (or the name you specify) under the “Contents” pane.

On the left hand side, select Server, select Sites, and then select the Default Web Site.

In the “Actions” pane, click Bindings… The “Site Bindings” dialog is displayed.

Click Add. The “Add Site Binding” dialog is displayed.

In the “Type” drop down box, change http to https. For “SSL certificate”, select mycert. Click OK.

Under the “Contents” pane, click SSL Settings.

Select the Require SSL check box and click Apply under the “Actions” pane to save the changes.

Exit IIS Manager by clicking the X in the top right hand corner.

Open Internet Explorer. Navigate to the following web address: “https://rootca.cert.local/certsrv”. A page may display indicating that “Enhanced Security Configuration is enabled for IIS”.

Click OK in the “Security Alert” dialog.

To disable enhanced security configuration, navigate to Server Manager using the following steps:

Click Start, navigate to Administrative Tools, and click Server Manager.

Under “Security Information” click Configure IE ESC.

Select OFF for both “Administrators” and “Users”. Click OK. Exit Server Manager by clicking the X in the top right hand corner.

Configuring Certification Authority

A stand-alone CA may not be able to automatically publish updated CRLs. If updated CRLs are not published to their CRL distribution points, revocation checks on certificates issued by the CA may fail. In this section, we will configure the CDP (CRL Distribution Point) for the CRL (Certificate Revocation List).

Configure CRL publication interval

Click Start, navigate to Administrative Tools, and then click Certification Authority.

In the Console Tree, double click the root CA to display certificate containers.

Right click the Revoked Certificates container and click Properties.

For “CRL publication interval”, enter a number that is 30 or larger, and select Days.

Check the box for Publish Delta CRLs and enter 15 Days for “Publication interval”.

Click OK to save changes.

Manually publish the CRL from the CA

Click Start, navigate to Administrative Tools, and click Certification Authority.

In the Console Tree, double click the CA name, right click Revoked Certificates, navigate to All Tasks, and click Publish.

If prompted, select New CRL. You can select Delta CRL only if you have published a CRL at least once.

Click OK.

By default the CRLs will be published in the following location:

C:\Windows\system32\certsrv\CertEnroll

You will see two CRL files named after the CA, CAName and CAName+; the + sign indicates the delta CRL.

Configuring Certificate Authority Extensions to include CDP for CRL

Click Start, navigate to Administrative Tools, and click Certification Authority.

Right click the CA server, click Properties, then click the Extensions tab.

Select http under “Specify locations from which users can obtain a certificate revocation list (CRL).”

Check the boxes for Include in CRLs and Include in the CDP extension of issued certificates.

Click OK.

A warning message to restart certificate services is displayed.

Click Yes.

Creating Certificates

Click Start, navigate to All Programs and select Internet Explorer.

Type https://fqdn_of_Server/certsrv in the address bar. For example: https://rootca.cert.local/certsrv.

The Microsoft Active Directory Certificate Service page will appear under “Select a Task”. Click Request a Certificate.

Under “Request a Certificate”, click Advanced certificate request.

Under “Advanced Certificate Request”, click Create and Submit a request to this CA. A “Web Access Confirmation” dialog is displayed.

Click Yes.

We will be creating a new Server Authentication Certificate based on the following information:

Key type: RSA

Key size: 2048

Validity days: Maximum allowable value*

Company / Organization Name: Sample, Inc.

Common name: Info Sample

Email: info@sample.com

Department / Organizational Unit: Information Services

Alternative Subject Name (none)

City: Chicago

State: Illinois

Country: US

By default the standalone CA issues certificates that are valid for one year. To increase the validity period to three years, we need to modify a registry key. To do so, take the following steps:

Click Start, and then click Run.

In the “Open” box, type “regedit”, and then click OK.

Locate and then click the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>

In the right pane, double click ValidityPeriod.

Check that the “Value data” box is set to Years, and then click OK.

In the right pane, double click ValidityPeriodUnits.

In the “Value data” box, type the numeric value that you want and click OK. For example, type “3”.

Stop and then restart Certificate Services. To do so, take the following steps:

Click Start, and then click Run.

In the Open box, type “cmd” and click OK.

At the command prompt, type the following lines. Press Enter after each line.

net stop certsvc
net start certsvc

Type “exit” and press Enter to close the command prompt.

Continuing from the previous step, enter the data in the respective fields.

Under “Type of Certificate Needed”, select Server Authentication Certificate from the drop down box.

Under “Key Options”, select Create a new key set.

For “CSP” select Microsoft Enhanced RSA and AES Cryptographic Provider.

For “Key Usage” select Both and for “Key Size” select 2048.

Check the box for Mark keys as exportable.

Click Submit at the bottom of the page.

You will now be presented with a “Certificate Pending” request and with a “Request ID”. The value of the Request ID can be different in your environment.

Click Start, navigate to Administrative Tools, and then click Certification Authority.

Expand the Console Tree and select Pending Requests.

Right click the pending request, select All Tasks, and click Issue to issue the certificate.

The certificate will appear in the “Issued Certificates” container.

Identify the certificate by the Request ID, right click it, and select Open.

Click the Details tab and click Copy to File to export the certificate.

The Certificate Export Wizard will begin.

Click Next.

Select Base-64 encoded X.509 (.CER) as the format for the certificate and click Next.

Specify a location to save the certificate file and click Next.

Click Finish.

Creating and Exporting Certificate with Private Keys

The process of creating a certificate and marking the keys exportable is the same as in the previous section (see Creating Certificates above), except that the subject information and the “Type of Certificate Needed” are changed. Follow the steps in the previous section to create a new certificate using the following information:

Key type: RSA

Key size: 2048

Validity days: 1095

Company / Organization name: Sample, Inc.

Department / Organizational Unit: Information Services

Common Name: akm_server

Email: info@sample.com

Alternative Subject Name (none)

City: Chicago

State: Illinois

Country: US

Select Client Authentication Certificate for “Type of Certificate Needed”. Name the certificate “AuthSignedCert” when saving.

Importing the Certificate AuthSignedCert into Trusted Root Certificate

Navigate to the C:\Certs\ folder.

Right click AuthSignedCert and select Install Certificate.

The “Certificate Import Wizard” will begin.

Click Next.

Select Place all certificates in the following store. Click Browse and select Trusted Root Certification Authorities.

Click OK, Next, and then Finish.

You will see a “Security Warning” dialog stating that the certificate will be placed in the Local Certificate Authority store.

Click Yes to install the certificate.

A message is displayed saying “Import is Successful”. Click OK.

Click Start, Run, type “mmc” and press Enter.

Click File and select Add/Remove Snap-in.

Select Certificates and click Add.

Select My User Account and click Finish. Click OK.

Expand Certificates – Current User, click Trusted Root Certification Authorities, then click Certificates.

Under “Issued To”, locate the akm_server certificate.

Right click the akm_server certificate, click All Tasks, and select Export.

The “Certificate Export Wizard” will begin. Click Next.

Under “Export Private Key” select Yes, export the private key and click Next.

Under “Export File Format” select Personal Information Exchange – PKCS#12 (.PFX). Click Next.

Type a password in the “Password” and “Confirm Password” fields. Click Next.

Click Browse to select the path and file name. Click Next, Finish, and OK.

Creating Certificate using CSR [Certificate Signing Request]

Click Start, All Programs and open Internet Explorer.

Type “https://fqdn_of_Server/certsrv” in the address bar. For example: “https://rootca.cert.local/certsrv”.

The Microsoft Active Directory Certificate Service page will appear under “Select a Task”. Click Request a Certificate.

Under “Request a Certificate”, click Advanced certificate request.

Under “Advanced Certificate Request”, click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file. A “Web Access Confirmation” dialog box is displayed. Click Yes.

Paste the base-64 encoded CSR text and click Submit to obtain a certificate based on the CSR.

Issuing the certificate, exporting it to a file and importing it into the Trusted Root Certification Authorities store are the same as described in the example above. You can then export the certificate along with the private key as well.

Chapter 4: Creating Server Certificate Example

This chapter demonstrates how to create a server certificate with defined templates. Please see the previous chapter for examples of typical Active Directory Certificate Services user panels.

Create the certificate template

Run MMC, and add the Certificate Templates snap-in.

Right click the User template and select Duplicate Template. Select Windows Server 2003 for the version.

Under the “General” tab, enter AKM Server for “Template Display Name”. “AKMServer” appears as the “Template Name”.

Uncheck the box for Publish certificate in Active Directory.

Under the “Subject Name” tab, check the box for Supply in request.

Under the “Extensions” tab, click Edit, then Add, and add Server Authentication; then remove Secure Email and Encrypting File System.

Add the template to the Certification Authority

From the Start menu, click Administrative Tools and open Certification Authority.

Select the CA in the left pane, right click Certificate Templates, select New, click Certificate Template to Issue, and select the new AKM Server template.

Create the certificate

Open the MMC snap-in and add the Certificates snap-in for “My user account”.

Right click the “Personal” store, point to All Tasks, and select Request New Certificate.

Select AKM Server, then click the blue link under that name that reads More information is required to enroll for this certificate…

Under “Subject name”, select Common Name in the combo-box, then type in a name for the server (for example, the IP address or hostname). Click Add. Then switch the combo box to Organizational Unit and enter “akm_server”. Click Add.

You can also use any value for the Common Name and, on this same page, add an Alternative Name of type DNS or IP Address (v4).

Click OK. Navigate back to the list where you have checked AKM Server and click Enroll.

The message “Succeeded” is displayed.

In the “Personal” tab you should find the new certificate named after the Common Name you typed in above.

Export the certificate

From the MMC Certificates snap-in right click on the new certificate and select All Tasks. Click Export, then Next.

Check the box for Yes, export the private key. Click Next twice and type in a password of your choice for the output file.

Click on Next, type in a filename, and click Next, Finish, then OK.

Import the certificate on AKM Server.

You’ll also need the CA root certificate installed on the client.

To convert the PFX file to two PEM files on Linux:

$ openssl pkcs12 -in my.pfx -nokeys > server-cert.pem
$ openssl pkcs12 -in my.pfx -nocerts -nodes > server-key.pem

Copy server-cert.pem to /etc/akm/Certs and server-key.pem to /etc/akm/PrivateKeys.

In /etc/akm/Certs run:

$ c_rehash .

Export the CA cert

From the MMC Certificates snap-in, locate the CA root certificate of the Active Directory. Right click it, point to All Tasks, and select Export. Use the default DER encoded binary format.

Move the CA cert to the AKM Server

To convert this file to PEM on Linux, use the following command:

$ openssl x509 -inform DER -in my.cer -outform PEM -out my-ca-root.pem

Copy that to /etc/akm/CACerts. In that directory run the following command:

$ c_rehash .

Import the CA cert to the client (if not the Active Directory machine)

In an Active Directory organization, the CA will probably already be on the client; if so, you can skip this step. You may want to use a separate CA specifically reserved for AKM Servers (or an intermediate CA).

Chapter 5: Converting from PFX to PEM

When exporting a certificate and private key from AD CS the exported file will be protected by a password, and will be in PFX format. You must convert the certificate and private key to PEM format for use by Alliance Key Manager, and remove the password from the private key. This is easy to accomplish with the free and open source OpenSSL application. This section describes how to obtain the OpenSSL application for Windows and how to use it to convert certificates.

For a more detailed description of using OpenSSL with Alliance Key Manager please refer to AKM HOWTO: Install OpenSSL on Windows.

Download and install OpenSSL

You can download OpenSSL for Windows at the following location:

Locate and double click the installation .exe file to run the installer. There should be no need to change any of the default install options.

After running the installer program, take the following steps to set a global path for the OpenSSL bin directory.

From the Start menu, open the Control Panel.

Select the System control panel, and click the Advanced tab.

Click the Environment Variables button at the bottom of the dialog.

Once in the “Environment Variables” dialog, locate the “System variables” window and select Path. Click Edit.

A new dialog window entitled “Edit System Variable” will appear. The second field, “Variable Value”, lists all of the directories on the system-wide search path.

Append the OpenSSL bin directory to the end of the “Variable Value” field without overwriting or removing any of the existing entries. Entries are separated by semicolons.

// example
%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;
C:\Program Files\QuickTime\QTSystem\;C:\OpenSSL\bin

The default path for Windows installation of OpenSSL should be C:\OpenSSL\bin.

Click OK after confirming the edit of the path, and continue clicking OK for any of the remaining open windows from the control panels.

Restart your system.

Convert PFX certificate to PEM format

A PFX file contains the certificate and the private key, encrypted with a password. You can use OpenSSL to extract the X509 certificate in PEM format. Start a CMD prompt and change to the OpenSSL <bin> directory. Use this command to extract only the certificate:

openssl pkcs12 -clcerts -nokeys -in AKMCLIENT.pfx -out AKMCLIENT.pem

Convert PFX private key to PEM format and remove password

To extract the private key from a PFX file you must use two commands. The first extracts the private key, and the second removes the password. You will be prompted for the password; enter the password you used when exporting the certificate and key from AD CS.

To extract the private key use the following command:

openssl pkcs12 -nocerts -in AKMCLIENT.pfx -out WORK.pem

To remove the password from the private key, use the following command. The resulting file is unencrypted, so restrict its file permissions:

openssl rsa -in WORK.pem -out AKMPRIVKEY.pem
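The conversion described in this chapter and in Chapter 4 (splitting a PFX export into a certificate PEM and a password-free private-key PEM), as an added shell example that is not part of the original guide. It assumes the openssl command-line tool is on the PATH and uses a constructed self-signed certificate in place of a real AD CS export; the function names (pfx_to_pem, key_matches_cert, cert_has_ou, key_perms, make_test_pfx) and file names are illustrative.

```shell
#!/bin/sh
# Added example, not from the original guide: convert an AD CS PFX export into the two PEM
# files Alliance Key Manager expects, strip the private-key password, and verify the result.
# Assumes the openssl command-line tool is on the PATH; all file names are illustrative.
set -eu

# Split a password-protected PFX into a certificate PEM and an unencrypted private-key PEM.
# $1 = input .pfx   $2 = export password   $3 = output certificate .pem   $4 = output key .pem
pfx_to_pem() {
    pfx=$1 pass=$2 cert_out=$3 key_out=$4
    # Certificate only: -clcerts skips CA certificates bundled in the PFX, -nokeys skips the key.
    # Re-encoding through "openssl x509" drops the "Bag Attributes" preamble that pkcs12 prints.
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin "pass:$pass" | openssl x509 -out "$cert_out"
    # Private key with the password removed (-nodes). The key is written in the clear, so the
    # file is created with owner-only permissions (umask 077 inside a subshell).
    rm -f "$key_out"
    ( umask 077
      openssl pkcs12 -in "$pfx" -nocerts -nodes -passin "pass:$pass" | openssl rsa -out "$key_out" )
    # Caveats: "pass:" shows the password in the process list, so prefer -passin stdin for real
    # exports; if an export from an older Windows CA fails with "unsupported" under OpenSSL 3,
    # add -legacy to the pkcs12 commands (RC2/3DES-protected PFX files need the legacy provider).
}

# Succeed when the private key belongs to the certificate (identical public keys).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Succeed when the certificate subject carries the OU the AKM configuration expects
# (akm_server for the server certificate, akm_admin for the administrative certificate).
cert_has_ou() {
    openssl x509 -in "$1" -noout -subject | grep -q "OU *= *$2"
}

# Print the permission string of a file ("ls -l" rather than GNU stat, for portability).
key_perms() { ls -l "$1" | cut -c1-10; }

# Constructed test data: a self-signed certificate stands in for a real AD CS export.
# $1 = working directory   $2 = export password; prints the path of the PFX.
make_test_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/t.key" -out "$1/t.crt" -days 1 \
        -subj "/C=US/O=Sample, Inc./OU=akm_server/CN=akm.example.test" 2>/dev/null
    openssl pkcs12 -export -in "$1/t.crt" -inkey "$1/t.key" -out "$1/t.pfx" -passout "pass:$2"
    printf '%s\n' "$1/t.pfx"
}

demo() {
    work=$(mktemp -d)
    pfx=$(make_test_pfx "$work" 'ExportPassword1')
    pfx_to_pem "$pfx" 'ExportPassword1' "$work/AKMServerSignedCert.pem" "$work/AKMServerPrivKey.pem"
    if key_matches_cert "$work/AKMServerSignedCert.pem" "$work/AKMServerPrivKey.pem"; then
        echo "private key matches certificate"
    else
        echo "MISMATCH: key does not belong to certificate"
    fi
    if cert_has_ou "$work/AKMServerSignedCert.pem" akm_server; then
        echo "subject carries OU=akm_server"
    fi
    echo "key file permissions: $(key_perms "$work/AKMServerPrivKey.pem")"
    rm -rf "$work"
}

demo
```

Run the checks on the real export before copying the files to /etc/akm/Certs and /etc/akm/PrivateKeys; a key that does not match its certificate, or a missing OU, will otherwise only surface when AKM rejects the connection.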