Chapter 1: Introduction
Many companies use the Microsoft Active Directory Certificate Services application to create certificates for their web servers and other services that need certificates. Alliance Key Manager requires X509 certificates for many aspects of its operation, and client applications need X509 certificates to connect to and authenticate with the key server. This guide will help Microsoft administrators understand how to use AD CS to create certificates for Alliance Key Manager.
Microsoft AD CS exports certificates and keys in PFX format. Alliance Key Manager requires certificates in PEM format. Please see the section below on how to use openssl to convert PFX certificates to PEM format.
In this guide we will be setting up Public Key Infrastructure using Active Directory Certificate Services on Windows Server 2008 Standard Edition. The following considerations need to be kept in mind before we can build PKI infrastructure:
- Windows Server 2008 Standard Edition, or later version.
- Functional DNS.
- The name and domain of the AD CS server cannot be changed later. In this guide we are using ROOTCA.cert.local as the name of the server.
Change log
Version | Date | Description |
---|---|---|
1.0.0 | 9/28/2011 | Initial release. |
1.0.1 | 10/17/2011 | Minor changes to correct example http links. |
1.0.2 | 10/30/2011 | Add information for customers with current installations of AD CS. |
1.0.3 | 11/20/2011 | Correct information about KEK, AUTH, and server certificates. |
1.0.4 | 4/18/2012 | Add additional information about generating a server certificate. |
2.1.13.001 | 6/1/2013 | Minor updates and application of style guide to documentation. |
3.0.0.001 | 2/11/2015 | Updates. Addition of section on creating a server certificate that has both server and client authentication to enable mirroring. |
Chapter 2: Existing AD CS Users
IMPORTANT: This manual shows how to create a basic configuration in AD CS if you haven’t used AD CS before. If you already have a configuration of AD CS that provides different services and options than this guide’s basic configuration, please use this chapter as a general guide in creating the certificates and private keys you need for Alliance Key Manager.
You will need to convert the PFX certificate files to PEM format. You can use steps in Chapter 4 to do this. You will also need to convert the CA certificate and the AKM Administrative certificate to Java Key Store (JKS) format. See the comments below.
Certificates you will need
Certificate | Notes |
---|---|
CA_certificate.pem | Export the existing AD CS certificate authority certificate and convert to PEM format. You can give this file any name you like, but it must have a “.pem” extension. The name will be entered in the AKM configuration file. You will also need this certificate in Java Key Store (JKS) format for use with the AKM Administrative Console application. See the AKM Portecle Quick Start Guide for instructions on how to convert the CA certificate in PEM format to JKS format. |
AKMServerSignedCert.pem | Create a certificate with the Organizational Unit (OU) name of “akm_server” and export it with the private key. Convert this file to two files named AKMServerSignedCert.pem and AKMServerPrivKey.pem. You can give these files any name you like, but they must have a “.pem” extension. Use the instructions in Chapter 4 to convert from PFX to PEM format without a password, and separate the certificate and private key. The names will be entered in the AKM configuration file. |
KekSignedCert.pem | Create a certificate and export it with the private key. Convert this file to two files named KekSignedCert.pem and KekPrivKey.pem. The files must have these names which are case sensitive. Use the instructions in Chapter 4 to convert from PFX to PEM format without a password, and separate the certificate and private key. |
AuthSignedCert.pem | Create a certificate and export it with the private key. Convert this file to two files named AuthSignedCert.pem and AuthPrivKey.pem. The files must have these names which are case sensitive. Use the instructions in Chapter 4 to convert from PFX to PEM format without a password, and separate the certificate and private key. |
WindowsClientCert | This must be a client certificate, not a server certificate. Create this certificate with the CN name of a user and export it with the private key. This certificate and private key will be used in any .NET application that needs to retrieve keys, or in the Key Connection software for SQL Server EKM encryption. |
UserSignedCert.pem | Do you have a Linux application that needs to access Alliance Key Manager? If Yes, you must create an appropriate client certificate and key in PEM format. This must be a client certificate, not a server certificate. Create this certificate with the CN name of a user and export it with the private key. Convert this to two files with an appropriate name. Use the instructions in Chapter 4 to convert from PFX to PEM format without a password, and separate the certificate and private key. |
AS400SignedCert.pfx | Do you have an IBM i (AS/400, iSeries) application that needs to access Alliance Key Manager? If Yes, you must create a Certificate Signing Request (CSR) in IBM Digital Certificate Manager and sign it with AD CS. Transfer the PFX or P12 file to the IBM i IFS directory, and import it to Digital Certificate Manager. See the document AKM DCM Configuration for IBM i for more information. |
AdminSignedCert.jks | This must be a client certificate, not a server certificate. Create this certificate with the OU name of “akm_admin” and export it with the private key. Convert this to two files named AdminSignedCert.pem and AdminPrivKey.pem. You can give these files any name you like, but they must have a “.pem” extension. Use the instructions in Chapter 4 to convert from PFX to PEM format without a password, and separate the certificate and private key. Use the AKM Portecle Quick Start Guide to convert the PEM format to Java Key Store (JKS) format. |
Chapter 3: Simple Example
IMPORTANT: This chapter assumes that you do not have Active Directory Certificate Services (AD CS) installed. It walks you through a very simple implementation of AD CS for the purposes of creating certificates and keys used by Alliance Key Manager. If you intend to use AD CS for other purposes, you should stop and consult with the Microsoft documentation for AD CS. Some of the settings in this example will not be appropriate for administering .NET web services and other applications.
Changing the Domain Prefix of Server
Log on to server ROOTCA.cert.local.
Click Start, navigate to Administrative Tools, and then click Server Manager.
On the right hand side, click Change System Properties.
The “System Properties” dialog will open:
Under the “Computer Name” tab, click Change and the “Computer Name/Domain Changes” dialog will display. Click More and enter your domain name. In this example, we have used cert.local as the domain name:
Click OK three times and restart your server.
Installing Active Directory Certificate Services
Log on to server ROOTCA.cert.local.
Click Start, navigate to Administrative Tools, and click Server Manager.
In the “Roles Summary” section, click Add roles. The “Select Server Roles” page is displayed:
Select the Active Directory Certificate Services check box. Click Next two times.
The “Select Role Services” page is displayed:
Select the Certification Authority and Certificate Authority Web Enrollment check boxes. When you select the Certificate Authority Web Enrollment check box, a dialog will display prompting you to install dependent roles and services. Click Add Required Role Services and click Next.
On the “Specify Setup Type” page, click Standalone and then click Next.
On the “Specify CA Type” page, click Root CA and then click Next.
On the “Setup a Private Key” page, click Create a new private key and then click Next.
On the “Configure Cryptography for CA” page, you can adjust optional settings, including the cryptographic service provider. For basic testing purposes, accept the default values by clicking Next twice. By default the “cryptographic service provider” is RSA, the “Key character length” is 2048, and the hash “algorithm” is SHA1:
Click Next.
In the “Common name for this CA” field, type the common name of the CA. Leave the pre-populated values or change them as per your choice:
Click Next.
On the “Set the Certificate Validity Period” page, accept the default validity duration for the root CA of 5 years, and click Next.
On the “Configure Certificate Database” page, accept the default values or specify other storage locations for the certificate database and the certificate database log. Click Next two times.
On “Select Role Services”, the required IIS role and its component will be selected by default:
Click Next.
After verifying the information on the “Confirm Installation Options” page, click Install. Review the information on the confirmation screen to verify that the installation was successful.
Configuring IIS
Before we begin creating and issuing certificates we need to configure IIS to securely transfer certificate requests and generate certificates.
Click Start, navigate to Administrative Tools, and click Internet Information Services (IIS) Manager.
Click Server. It will be the hostname of the server.
Double click Server Certificates:
The following page is displayed:
In the “Actions” pane, click Create Self-Signed Certificate…
The “Create Self-Signed Certificate” dialog is displayed:
For the “friendly name” of the certificate enter “mycert” or a name of your choice and click OK.
You will see the new certificate by the name of “mycert” (or the name you specify) under the “Contents” pane.
On the left hand side, select Server, select Sites, and then select the Default Web Site.
In the “Actions” pane, click Bindings…. The “Site Bindings” dialog is displayed:
Click Add. The “Add Site Binding” dialog is displayed:
Change the “Type” from http to https under the drop down box. For “SSL certificate”, select mycert. Click OK.
Under the “Contents” pane, click SSL Settings. The following page is displayed:
Select the Require SSL check box and click Apply under the “Actions” pane to save the changes.
Exit IIS Manager by clicking the X in the top right hand corner.
Open Internet Explorer. Navigate to the following web address: “https://rootca.cert.local/certsrv”. A page may display indicating that “Enhanced Security Configuration is enabled for IIS”:
Click OK in the “Security Alert” dialog.
The following page is displayed:
To disable enhanced security configuration, navigate to Server Manager using the following steps:
Click Start, navigate to Administrative Tools, and click Server Manager.
Under “Security Information” click Configure IE ESC:
Select OFF for both “Administrators” and “Users”. Click OK. Exit Server Manager by clicking the X in the top right hand corner.
Configuring Certification Authority
A Stand-alone CA may not be able to automatically publish updated CRLs. If updated CRLs are not published to their CRL distribution points, revocation checks on certificates issued by the CA may fail. In this section, we will be configuring CDP (Certificate Distribution Point) for CRL (Certificate Revocation List).
Configure CRL publication interval
Click Start, navigate to Administrative Tools, and then click Certification Authority.
In the Console Tree, double click the root CA to display certificate containers.
Right click the Revoked Certificates container and click Properties.
For “CRL publication interval”, enter a number that is 30 or larger, and select Days.
Check the box for Publish Delta CRLs and enter 15 Days for “Publication interval”.
Click OK to save changes.
Manually publish the CRL from the CA
Click Start, navigate to Administrative Tools, and click Certification Authority.
In the Console Tree, double click the CA name, right click Revoked Certificates, navigate to All Tasks, and click Publish.
If prompted, select New CRL. You can select Delta CRL only if you have published a CRL at least once:
Click OK.
By default the CRLs will be published in the following location:
C:\Windows\system32\certsrv\CertEnroll
The CRL files are named CAName and CAName+, where the + sign indicates a delta CRL:
Configuring Certificate Authority Extensions to include CDP for CRL
Click Start, navigate to Administrative Tools, and click Certification Authority.
Right click CA server. Click Properties, then click the Extensions tab.
Select http under “Specify locations from which users can obtain a certificate revocation list (CRL).”
Check the box for Include in CRLs and Include in the CDP extension of issued certificates.
Click OK.
A warning message to restart certificate services is displayed:
Click Yes.
Creating Certificates
Click Start, navigate to All Programs and select Internet Explorer.
Type https://fqdn_of_Server/certsrv in the address bar. For example: https://rootca.cert.local/certsrv.
The Microsoft Active Directory Certificate Service page will appear under “Select a Task”. Click Request a Certificate.
Under “Request a Certificate”, click Advanced certificate request.
Under “Advanced Certificate Request”, click Create and Submit a request to this CA. A “Web Access Confirmation” dialog is displayed:
Click Yes.
We will be creating a new Server Authentication Certificate based on the following information:
Key type: RSA
Key size: 2048
Validity days: Maximum allowable value*
Company / Organization Name: Sample, Inc.
Common name: Info Sample
Email: info@sample.com
Department / Organizational Unit: Information Services
Alternative Subject Name (none)
City: Chicago
State: Illinois
Country: US
By default the Standalone CA issues the certificates which are valid for one year. To increase the validity period, we need to modify a registry key and set a validity period of three years. To do so, take the following steps:
Click Start, and then click Run.
In the “Open” box, type “regedit”, and then click OK.
Locate and then click the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>
In the right pane, double click ValidityPeriod.
Check that the “Value data” box is set to Years, and then click OK.
In the right pane, double click ValidityPeriodUnits.
In the “Value data” box, type the numeric value that you want and click OK. For example, type “3”.
Stop and then restart Certificate Services. To do so, take the following steps:
Click Start, and then click Run.
In the Open box, type “cmd” and click OK.
At the command prompt, type the following lines. Press Enter after each line.
net stop certsvc
net start certsvc
Type “Quit” and press Enter to exit.
Continuing from the previous step, enter the data in the respective fields:
Under “Type of Certificate Needed”, select Server Authentication Certificate from the drop down box.
Under “Key Options”, select Create a new key set.
For “CSP” select Microsoft Enhanced RSA and AES Cryptographic Provider.
For “Key Usage” select Both and for “Key Size” select 2048.
Check the box for Mark keys as exportable.
Click Submit at the bottom of the page.
You will now be presented with a “Certificate Pending” request and with a “Request ID”. The value of the Request ID can be different in your environment.
Click Start, navigate to Administrative Tools, and then click Certification Authority.
Expand the Console Tree. Select Pending Certificate.
Right click on Certificate, select All Tasks and click Issue to issue the certificate.
The certificate will appear under “Issue Certificate container”.
Identify the certificate by the Request ID, right click it, and select Open.
The following dialog is displayed:
Click the Details tab and click Copy to File to export the certificate.
The Certificate Export Wizard will begin:
Click Next.
Select Base-64 encoded X.509 (.CER) as the format for the certificate and click Next.
Specify a location to save the certificate file and click Next.
Click Finish.
Creating and Exporting Certificate with Private Keys
The process of creating a certificate and marking the keys exportable is the same as in the previous section (see the section Creating Certificates above), except that the subject “info” fields and the “Type of Certificate Needed” are changed. Please follow the steps in the previous section to create a new certificate using the following information:
Key type: RSA
Key size: 2048
Validity days: 1095
Company / Organization name: Sample, Inc.
Department / Organizational Unit: Information Services
Common Name: akm_server
Email: info@sample.com
Alternative Subject Name (none)
City: Chicago
State: Illinois
Country: US
Select Client Authentication Certificate for “Type of Certificate Needed”. Name the certificate “AuthSignedCert” when saving.
Importing the Certificate AuthSignedCert into Trusted Root Certificate
Navigate to the C:\Certs\ folder.
Right click AuthSignedCert and select Install Certificate.
The “Certificate Import Wizard” will begin:
Click Next.
Select Place all certificates in the following store. Click Browse and select Trusted Root Certification Authorities.
Click OK, Next, and then Finish.
You will be prompted with a “Security Warning” dialog that the certificate will be placed in the Local Certificate Authority:
Click Yes to install the certificate.
Click OK. A message is displayed saying “Import is Successful”.
Click Start, Run, type “mmc” and press Enter.
Click File and select Add/Remove Snap-in.
The following dialog is displayed:
Select Certificates and click Add.
Select My User Account and click Finish. Click OK.
Expand Certificates – Current User, click Trusted Root Certification Authorities, then click Certificates.
Under “Issued To” locate “akm_server certificate”.
Right click akm_server certificate and click All Tasks. Select Export.
The “Certificate Export Wizard” will begin. Click Next.
Under “Export Private Key” select Yes, export the private key and click Next.
Under “Export File Format” select Personal Information Exchange – PKCS#12 (.PFX). Click Next.
Type a password in the “Password” and “Confirm Password” fields. Click Next.
Click Browse to select the path and file name. Click Next, Finish, and OK.
Creating Certificate using CSR [Certificate Signing Request]
Click Start, All Programs and open Internet Explorer.
Type “https://fqdn_of_Server/certsrv” in the address bar. For example: “https://rootca.cert.local/certsrv”.
The Microsoft Active Directory Certificate Service page will appear under “Select a Task”. Click Request a Certificate.
Under “Request a Certificate”, click Advanced certificate request.
Under “Advanced Certificate Request”, click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file. You will get a “Web Access Confirmation” dialog box. Click Yes.
Enter the CSR data and click Submit to get a certificate based on the CSR.
Issuing a certificate, exporting it to a file and then importing it into Trusted Root Certificate Authority remains the same as described in the above example. You can then export the certificate along with the Private Key information as well.
Chapter 4: Creating Server Certificate Example
This chapter demonstrates how to create a server certificate with defined templates. Please see the previous chapter for examples of typical Active Directory Certificate Services user panels.
Create the certificate template
Run MMC, and add the Certificate Templates snap-in.
Select User template and right click All Tasks, then select Duplicate Template. Select Windows 2003 Server for the version.
Under the “General” tab, for “Template Display Name” select AKM Server. “AKMServer” appears for “Template Name.”
Uncheck the box for Publish certificate in Active Directory.
Under the “Subject Name” tab, check the box for Supply in request.
Under the “Extensions” tab, click Edit, then Add, then add Server Authentication, remove Secure Email and remove Encrypting File System.
Add the template to the Certification Authority
From the Start menu, click Administrative Tools and open Certification Authority.
Select the domain on the left pane, and right click Certificate Templates and select New, click Certificate Template to Issue, and select the new template AKM Server.
Create the certificate
Open the MMC snap-in and add the Certificates snap-in for “My user account”.
From the “Personal” tab, right click All Tasks and select Request New Certificate.
Select AKM Server, then click the blue link beneath that name that reads More information is required to enroll for this certificate…
Under “Subject name”, select Common Name in the combo-box, then type in a name for the server (for example, the IP address or hostname). Click Add. Then switch the combo box to Organizational Unit and enter “akm_server”. Click Add.
You can also use any name for the Common Name and then add an Alternative Name, type DNS, or type IP Address (v4) on this same page.
Click OK. Navigate back to the list where you have checked AKM Server and click Enroll.
The message “Succeeded” is displayed.
In the “Personal” tab you should find the new certificate named after the Common Name you typed in above.
Export the certificate
From the MMC Certificates snap-in right click on the new certificate and select All Tasks. Click Export, then Next.
Check the box for Yes, export the private key. Click Next twice and type in a password (whatever you like) for the output file.
Click on Next, type in a filename, and click Next, Finish, then OK.
Import the certificate on AKM Server.
You’ll also need the CA root certificate installed on the client.
To convert the PFX file to two PEM files on Linux:
$ openssl pkcs12 -in my.pfx -nokeys > server-cert.pem
$ openssl pkcs12 -in my.pfx -nocerts -nodes > server-key.pem
Then copy those to /etc/akm/Certs and /etc/akm/PrivateKeys. In /etc/akm/Certs run:
$ c_rehash .
Export the CA cert
From the MMC Certificates snap-in, locate the CA root certificate of the Active Directory. Right click All Tasks and select Export. Use the default DER encoded binary format.
Move the CA cert to the AKM Server
To convert this file to PEM on Linux, use the following command:
$ openssl x509 -inform DER -in my.cer -outform PEM -out my-ca-root.pem
Copy that to /etc/akm/CACerts. In that directory run the following command:
$ c_rehash .
Import the CA cert to the client (if not the Active Directory machine)
In an Active Directory organization, the CA will probably already be on the client; if so, you can skip this step. You may want to use a separate CA specifically reserved for AKM Servers (or an intermediate CA).
Chapter 5: Converting from PFX to PEM
When exporting a certificate and private key from AD CS the exported file will be protected by a password, and will be in PFX format. You must convert the certificate and private key to PEM format for use by Alliance Key Manager, and remove the password from the private key. This is easy to accomplish with the free and open source OpenSSL application. This section describes how to obtain the OpenSSL application for Windows and how to use it to convert certificates.
For a more detailed description of using OpenSSL with Alliance Key Manager please refer to AKM HOWTO: Install OpenSSL on Windows.
Download and install OpenSSL
You can download OpenSSL for Windows at the following location:
Locate and double click the installation .exe file to run the installer. There should be no need to change any of the default install options.
After running the installer program, take the following steps to set a global path for the OpenSSL bin directory.
From the Start menu, open the Control Panel.
Select the System control panel, and click the Advanced tab.
Click the Environment Variables button at the bottom of the dialog.
Once in the “Environment Variables” dialog, locate the “System variables” window and select Path. Click Edit.
A new dialog window will appear entitled “Edit System Variable”. The second field will have all of the directories that Windows uses as global.
Enter the OpenSSL binaries path into the “Variable Value” field without overwriting or removing any of the remaining information.
Append the new OpenSSL binaries path to the end of the field. Keep in mind that all entries are separated by semi-colons.
// example
%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;
C:\Program Files\QuickTime\QTSystem\;C:\OpenSSL\bin
The default path for a Windows installation of OpenSSL should be C:\OpenSSL\bin.
Click OK after confirming the edit of the path, and continue clicking OK for any of the remaining open windows from the control panels.
Restart your system.
Convert PFX certificate to PEM format
A PFX file contains the certificate and the private key, encrypted with a password. You can use OpenSSL to extract the X509 certificate in PEM format. Start a CMD prompt and change to the OpenSSL <bin> directory. Use this command to extract only the certificate:
openssl pkcs12 -clcerts -nokeys -in AKMCLIENT.pfx -out AKMCLIENT.pem
Convert PFX private key to PEM format and remove password
To extract the private key from a PFX file you must use two commands. The first command extracts the private key, and the second command removes the password. Note that you will be prompted for the password and you must enter the password you used when exporting the certificate and key from AD CS:
To extract the private key use the following command:
openssl pkcs12 -nocerts -in AKMCLIENT.pfx -out WORK.pem
To remove the password on the private key use the following command:
openssl rsa -in WORK.pem -out AKMPRIVKEY.pem
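The conversion steps from Chapter 4 and this chapter, gathered into one script that also performs the checks a practitioner wants before copying files to the key server: that the private key really belongs to the certificate, that the export password has been removed, that the key file is owner-readable only, and what OU the subject carries (Chapter 2 requires “akm_server” or “akm_admin” for certain files). This is example code added to this guide, not part of the original document or the AKM product; the script name, the password-file argument and the sample file names are assumptions.

```shell
#!/bin/sh
# pfx2pem.sh (example added to this guide): convert an AD CS PFX export into the
# certificate and private-key PEM files Alliance Key Manager expects, remove the
# export password, and verify the result. Password-file argument is assumed.
set -eu

# pfx_to_pem PFX PASSFILE CERT_OUT KEY_OUT
#   PASSFILE holds the password typed into the AD CS export wizard.
pfx_to_pem() {
    pfx=$1
    passfile=$2
    cert_out=$3
    key_out=$4
    # -clcerts keeps only the end-entity certificate (AD CS may bundle the CA chain);
    # piping through "openssl x509" strips the "Bag Attributes" header lines.
    # Note: OpenSSL 3.x may need "-legacy" on the pkcs12 commands to read the
    # RC2-encrypted PFX files that older Windows versions export.
    openssl pkcs12 -in "$pfx" -passin "file:$passfile" -clcerts -nokeys \
        | openssl x509 -out "$cert_out"
    # -nodes writes the key without a pass phrase; the subshell umask makes the
    # unprotected key file owner-readable only from the moment it is created.
    ( umask 077
      openssl pkcs12 -in "$pfx" -passin "file:$passfile" -nocerts -nodes \
          | openssl pkey -out "$key_out" )
}

# Returns 0 when the private key belongs to the certificate (same public key).
pem_pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Prints the Organizational Unit (OU) of the certificate subject, e.g. akm_server.
pem_subject_ou() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
        | sed -n 's/^ *OU=//p'
}

# Returns 0 when the key file carries no pass phrase, as AKM requires.
pem_key_is_unencrypted() {
    ! grep -q 'ENCRYPTED' "$1"
}

# Usage: ./pfx2pem.sh AKMSERVER.pfx pass.txt AKMServerSignedCert.pem AKMServerPrivKey.pem
if [ $# -eq 4 ]; then
    pfx_to_pem "$1" "$2" "$3" "$4"
    pem_pair_matches "$3" "$4" || { echo "key does not match certificate" >&2; exit 1; }
    pem_key_is_unencrypted "$4" || { echo "key is still encrypted" >&2; exit 1; }
    echo "OU=$(pem_subject_ou "$3") ok: $3 $4"
fi
```

Delete the password file once the conversion is done; the unencrypted key file should then be moved to /etc/akm/PrivateKeys with its restrictive permissions intact.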