Thursday, April 29, 2010

Configure SSL install CA root certificate to target AD server

Configuring Active Driectory LDAP SSL using Windows 2003 Enterprise CA
Overview
Requirements for an LDAPS certificate
•To enable LDAPS, you must install a certificate that meets the following requirements:
The LDAPS certificate is located in the Local Computer's Personal certificate store (programmatically known as the computer's MY certificate store).
•A private key that matches the certificate is present in the Local Computer's store and is correctly associated with thecertificate. The private key must not have strong private key protection enabled.
•The Enhanced Key Usage extension includes the Server Authentication (1.3.6.1.5.5.7.3.1) object identifier (alsoknown as OID).
•The Active Directory fully qualified domain name of the domain controller (for example, DC01.DOMAIN.COM) must appear in one of the following places:
•The Common Name (CN) in the Subject field.
•DNS entry in the Subject Alternative Name extension.
•The certificate was issued by a CA that the domain controller and the LDAPS clients trust. Trust is established by configuring the clients and the server to trust the root CA to which the issuing CA chains.
•You must use the Schannel cryptographic service provider (CSP) to generate the key.

1. Create the .inf file. Following is an testdomain.inf file that can be used to create the

certificate request.

;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$
[NewRequest]
Subject = "CN=demo.testdomain.com" ; replace with the Full computer name of the DC
KeySpec = 1
KeyLength = 1024
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
;-----------------------------------------------


Save it as a file named request.inf, then put this file to folder c:\certreq


2. Create Certificate Request



a). Login to the server that we want to configure SSL
b). Create a directory c:\certreq, and copy the request.inf to this directory.
c). open a command prompt, and type cd c:\certreq
d). Create certificate request,type the following command and then press Enter

certreq -new request.inf request.req

then a new file called request.req is created, this is a Base64-encoded request
file.

Note that make sure issue the command with in directory c:\certreq, otherwise
you won't find request.inf.

if we open request.req, we will see the similar like follows:

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIDrDCCAxUCAQAwga8xCzAJBgNVBAYTAk1ZMS8wLQYDVQQIHiYAVwBpAGwAYQB5
AGEAaABfAFAAZQByAHMAZQBrAHUAdAB1AGEAbjEQMA4GA1UEBxMHUmVkbW9uZDEQ
MA4GA1UEChMHQ29udG9zbzEQMA4GA1UECxMHU2VydmVyczEXMBUGA1UEAxMOdGVz
dGRvbWFpbi5jb20xIDAeBgkqhkiG9w0BCQEWEWFkbWluQGNvbnRvc28uY29tMIGf
MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCZVBtAuRmcpLgLIzhHBEYtqXIlt6CY
O4hZl+pByrSm5OgeT8ZF3NMhKeFBh4fKAyoAe39PbaStyabTsfYBbDML6pWooQSF
armmhRsnGw/afO+fO8134ko2Gty8E6yLsatX9br9tOoosBT2jsyV4Aizd/rMUfXK
1b0BR0YqBPKi3wIDAQABoIIBujAaBgorBgEEAYI3DQIDMQwWCjUuMi4zNzkwLjIw
SgYJKwYBBAGCNxUUMT0wOwIBAQwTZGVtby50ZXN0ZG9tYWluLmNvbQwYVEVTVERP
TUFJTlxBZG1pbmlzdHJhdG9yDAdjZXJ0cmVxMFAGCSqGSIb3DQEJDjFDMEEwHQYD
VR0OBBYEFJht4ESvBmzKPgeVA5GazOToBQrDMBMGA1UdJQQMMAoGCCsGAQUFBwMB
MAsGA1UdDwQEAwIFoDCB/QYKKwYBBAGCNw0CAjGB7jCB6wIBAR5aAE0AaQBjAHIA
bwBzAG8AZgB0ACAAUgBTAEEAIABTAEMAaABhAG4AbgBlAGwAIABDAHIAeQBwAHQA
bwBnAHIAYQBwAGgAaQBjACAAUAByAG8AdgBpAGQAZQByA4GJAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwDQYJKoZIhvcNAQEFBQADgYEA
ak5GUMARkeMtWYkJezIuia5WfslHPCBpFmm+YAfg8UUXW2XqCMcMgPNVwMTYWwW/
KHFjQcnl+Qxw0fKKUeSOU03nMctSeO4KjUpknXVbdQxubCNFRtRHo9a6Uk6C6HnZ
dp0M6guDMaP1yYQg+j98ZLf9o/JpBzA1/P+TaNjg4yk=
-----END NEW CERTIFICATE REQUEST-----



Alternatively, You can use the following command to View your request

certutil -dump request.req

you'll get the following result:
-----------------------------------------------------------------
PKCS10 Certificate Request:
Version: 1
Subject:
CN=demo.testdomain.com

Public Key Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
Algorithm Parameters:
05 00
Public Key Length: 1024 bits
Public Key: UnusedBits = 0
0000 30 81 89 02 81 81 00 a2 6c c5 27 30 ef 9c bb 3b
0010 d6 9b 76 4c 4b 1b 57 77 5f 2c 67 1f 1d 82 4b ac
0020 5b fa 4b 00 c8 c5 74 24 73 4d ea 74 9b 96 73 a0
0030 45 1f 5d 50 0d 1a ef 7b 26 de f1 06 d3 58 4d f0
0040 09 1c 9a b8 8d d0 04 fc 38 a2 12 60 fe 0c f5 a6
0050 f4 c1 a4 73 3d 6c 5e ff 05 38 9f 19 c5 34 20 14
0060 f8 7d 4a 2a 01 23 00 6d 3a d7 1f d1 62 00 f9 3e
0070 72 d2 d8 ae 06 ad 95 25 2e 10 e6 5e a8 28 ac 4a
0080 c4 c4 c6 f6 87 64 91 02 03 01 00 01
Request Attributes: 4
4 attributes:

Attribute[0]: 1.3.6.1.4.1.311.13.2.3 (OS Version)
Value[0][0]:
5.2.3790.2

Attribute[1]: 1.3.6.1.4.1.311.21.20 (Client Information)
Value[1][0]:
Unknown Attribute type
Client Id: = 1
XECI_XENROLL -- 1
User: TESTDOMAIN\Administrator
Machine: demo.testdomain.com
Process: certreq

Attribute[2]: 1.2.840.113549.1.9.14 (Certificate Extensions)
Value[2][0]:
Unknown Attribute type
Certificate Extensions: 3
2.5.29.14: Flags = 0, Length = 16
Subject Key Identifier
ea 5c 6c 68 e5 9b 23 3b a5 8f ab 06 c9 85 d6 fc d4 6a ff fe

2.5.29.37: Flags = 0, Length = c
Enhanced Key Usage
Server Authentication (1.3.6.1.5.5.7.3.1)

2.5.29.15: Flags = 0, Length = 4
Key Usage
Digital Signature, Key Encipherment (a0)


Attribute[3]: 1.3.6.1.4.1.311.13.2.2 (Enrollment CSP)
Value[3][0]:
Unknown Attribute type
CSP Provider Info
KeySpec = 1
Provider = Microsoft RSA SChannel Cryptographic Provider
Signature: UnusedBits=0
0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Remaining 78 bytes are zero
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
Algorithm Parameters:
05 00
Signature: UnusedBits=0
0000 4d 03 97 19 5e 3a 2f f9 2b 55 6b 40 e7 01 02 be
0010 c1 bf 11 88 c0 30 05 c4 59 4a 88 a9 04 bd 67 64
0020 2c 00 55 68 e4 93 39 d3 f7 9f 68 96 d4 8d 3d 4c
0030 c0 18 ae 08 6c 4a a3 c7 b4 33 97 3a a4 b2 a9 08
0040 f3 a9 a8 50 00 ae fc d2 e6 27 6c c8 85 92 e7 4b
0050 f0 3f f0 3a ad c1 12 23 39 85 a8 1c 4a 05 64 bf
0060 80 70 2f a1 8c f8 98 95 45 54 5c d2 9c 92 e9 f4
0070 0b 79 ad 0a a3 69 23 c1 78 95 b9 d3 23 5c 91 3c
Signature matches Public Key
Key Id Hash(sha1): ea 5c 6c 68 e5 9b 23 3b a5 8f ab 06 c9 85 d6 fc d4 6a ff fe
CertUtil: -dump command completed successfully.

---------------------------------------------------------------------------
Check the subject must be : CN=demo.testdomain.com




3.Submit the request to a CA.
We are going to submit the request to a Microsoft Windows 2003 Enterprise CA,
that we have installed in another server.
we still need command certreq.exe to complete this step.

a). Login to the server has CA installed
b). create a directory c:\certreq, and copy request.req to this directory
c). open a command prompt, and type cd c:\certreq
d). submit the certificate request using the command below:

certreq -submit -attrib "Certificate Template: DomainControllerAuthentication" request.req

You will be prompt to select a certificate authority, Click OK

If you see the following error:
-------------------------------------------------------------------------------------------
Certificate not issued (Denied) Denied by Policy Module The DNS name is unavaila
ble and cannot be added to the Subject Alternate name. 0x8009480f (-2146875377)
Certificate Request Processor: The DNS name is unavailable and cannot be added t
o the Subject Alternate name. 0x8009480f (-2146875377)
Denied by Policy Module
-------------------------------------------------------------------------------------------

Solution to this issue.
1). Click start->run, then key in command mmc
2). Click File in the mmc console, then select Add/Remove Snap-in...
3). Click Add... buton in the Add/Remove Snap dialog
4). Select Certificate Templates, Click Add
5). Close the window in step 4) available standalone snap-in window.
6). You will see "Certificate Templates", Click OK.
7). Find "Domain Controller Authentication" in "Console Root\Certificate Templates"
8). Double click "Domain Controller Authentication" to open it.
9). You can change the validity of a certificate in "Domain Controller Authentication

Properties" window,change it to 10, meaning this certificate will be valid for 10 years.
10). Select the "Subject Name" tab, then select "Supply in the request", click Apply
11). Select the "Security" tab, select "Authenticated Users", in the permissions for

authenticated users section, make sure "Allow" for Enroll. Click OK to close "Domain

Controller Authentication Properties" window.
12)
Re-submit the certificate request using the follwing command:
certreq -submit -attrib "Certificate Template: DomainControllerAuthentication" request.req

Note that make sure you are in directory c:\certreq




It will ask for which CA to use, select the first in the dialog.

Click OK
e). if no error was prompted in step d), certreq util will ask to to save the signed

certificate,
save it to desktop, named demo.testdomain.com.cer





-----------------------------------------------------------------------------
Note that for Windows 2000, Use the command below:

certreq -submit -attrib "CertificateTemplate: DomainController" request.req
-------------------------------------------------------------------------



4. Accept the certificate.
a). Login to the AD server that you want to install server certificate
b). copy the newly issued certificate to directory c:\certreq
c). open a command prompt, and navigate to c:\certreq
d). accept the server certificate, using the command below:

certreq -accept demo.testdomain.com.cer

if no error prompt that means we have installed server certificate successfully.

But the SSL communication is not yet enable, that's why we need next step:


5. Install CA root certificate to target AD server.

a). Copy CA root certificate "PortaldomCA.cer" to target AD server, directory c:\certreq
b). Click start->run, then key in command mmc
c). Click File in the mmc console, then select Add/Remove Snap-in...
d). Click Add... buton in the Add/Remove Snap dialog
e). Select Certificates from the available standalone snap-ins window, click add
f). Select Computer account from Certificate snap-in window, Click Finish.
g). close the window in step d) available standalone snap-in window.
h). "You'll see Certificate (Local Computer)" in the Add/Remove Snap-in Dialog,Click OK
i). Un-folder "Certificate (Local Computer)", then Maximize the Console Root to have
a better view.
j). Select "Trusted Root Certificate Authorities" -> "All Tasks" -> "Import..."
k). A certificate Import wizard will be prompted, Click Next>
l). Navigate to c:\certreq, and select PortaldomCA.cer, then click Open.
m). You'll see the root certificate path has been selected, click Next>
n). In the certificate store dialog, keep the default selection, then click Next>
o). Click Finish in the "Completing the Certificate Import Wizard" Dialog. Congratulations, you have successfully imported Root certificate.
p). Navigate to Personal -> Certificates, you'll see the certificate "demo.testdomain.com"
r). Double click to open it.
notice that on the bottom of the certificate window, you can see "You have a private key that corresponds to this certificate", this proves we have successfully installed certificate in step 4.
s). Click tab "Certificate Path", check on the certificate status, you'll see "This

certificate is OK.", meaning server certificate has been installed, and you are ready to communicate with this AD server via SSL.
Note there is no need to restart server.

2 comments:

  1. Excellent!

    Works 100% correctly

    ReplyDelete
  2. ooups!

    5. Install CA root certificate to target AD server.

    a). Copy CA root certificate "PortaldomCA.cer" to target AD server, directory c:\certreq


    what is PortaldomCA.cer ?

    ReplyDelete