Help PKI installation - lots of questions !

  • Thread starter Thread starter BZP
  • Start date Start date
B

BZP

Guest
Hello,

First, I want to thank those who have already helping me here (Bryan
and others....) but I need help again :)
I'm not friendly with PKI. So in this post, I sum up all things I done
and I ask questions about some steps.
Thanks for your help :)

I have 7 domains :

ROOT.LOCAL. (thoe forest root domain, ressources domain, no user,
located at Mexico)

AMERICAS.LOCAL. (technical domain, located in Mexico)
MEXICO.AMERICAS.LOCAL. (located at Mexico)
BRAZIL.AMERICAS.LOCAL. (located at Rio)

ASIA.LOCAL. (technical domain, located at Tokyo)
JAPAN.ASIA.LOCAL. (located at Tokyo)
KOREA.ASIA.LOCAL. (located at Seoul)

There are 4 AD sites :

MEXICO site (for DC of ROOT.LOCAL., AMERICAS.LOCAL. and
MEXICO.AMERICAS.LOCAL.)
RIO site (for DC of BRAZIL.AMERICAS.LOCAL.)
TOKYO site (for DC of ASIA.LOCAL. and TOKYO.ASIA.LOCAL.)
KOREA site (for DC or KOREA.ASIA.LOCAL.)

All site are connected with MEXICO (hub site) with 20Mb/s link (uptime
24/7).

PKI Target architecture :

Three Tier PKI

One STAND ALONE ROOT CA called SACAMX00 (SA stand for Stand Alone, CA
for Certificate Authority, MX for Mexico not for the domain -machine
is in workgroup- but site)
Two STAND ALONE INTERMEDIATE CA called SACAAM01 (AM stand for America
not for the domain -machine is in workgroup- but site) and SACAAS01
(AS stand for Asia not for the domain -machine is in workgroup- but
site)
Then, two Enterprise Issuing SA in each domains called ENCAJP01 and
ENCAJP02 (EN stand for Enterprise, JP for Japan), same for others
domains ENCAKR01 and ENCAKR02 (KR stand for Korea) etc ... Name :
ENCAxx0y where xx are code corresponding of domain name.

Stand alone CA are secured virtual machines.

Name of CA are :
- CA Root
- AMERICAS Sub & CA ASIA Sub
- CA JAPAN Iss1, CA JAPAN Iss2, ...

Ok, let's see the installation steps:


Installation of SACAMX00
------------------------

Windows 2003 Standard Edition SP2 with IIS (even IIS is not necessary)
Configuration of CAPolicy.inf before CA services looks like that :

[Version]
Signature= "$Windows NT$"
[LegalPolicy]
OID= 1.3.6.1.4.1.311.21.43
Notice= "http://intranet.americas.local/pki/cps.asp"
[Certsrv_Server]
RenewalKeyLength= 4096
RenewalValidityPeriod= Years
RenewalValidityPeriodUnits= 20
[CRLDistributionPoint]
[AuthorityInformationAccess]

Q-01 Is the " " (space caracter) is required ?
Q-02 What does legalpolicy section mean ? And what about notice
parameter (can I change this parameter later?) ? Why this OID ? Does
it show somewhere in my CA ?
Q-03 What about Certsrv_server section ? We can configure these
parameters laters, after the installation or we have to set its now ?
Q-04 CRLDistributionPoint and AuthorityInformationAccess are
explicited wrote and left blank. Why ? What's happened if I don't add
these sections ?

Then, I install CA services.

SYSOCMGR /I:SYSOC.INF

In the wizard, I specify a 4096 Key and a validity period of 20 years.

Q-05 Is it redundant with Certsrv_Server section in CAPolicy.inf ?
What was the real utility of this section ?

CERTUTIL "CA Root.cer"

Q-06 Is that action wich create the cert file ? Without this command,
no .cer generated anywhere else ? Or should I specify option -
ca.cert ?

I map the offline root CA to the AD configuration container

CERTUTIL -setreg ca\DSConfig CN=Configuration,DC=ROOT,DC=LOCAL

Q-07 The Offline root never communicate with AD, why need we set this
parameter ? What about this parameter exactly ?
Q-08 Can we do the same action modifying the registry ?

Then I configure CDPs. I clear all checkboxes where CRL Delta is
mentionned. I have 3 CDP, on local, one LDAP and one HTTP.

Q-09 Can I uncheck "Include in CRLs. Client use this to find Delta CRL
locations." on all CDP because I don't use Delta CRL in an offline
CA ? Or is this option has others consequences ?

Then I configure AIAs with a local file publication, a LDAP and a
HTTP.

Q-10 Is there a difference if I set this parameters using REGEDIT.EXE
instead of using Extension tab in the GUI ?

Then I configure CRL publication interval. I set 180 days. (left blank
Delta CRLs)

Q-11 Should I publish again CRL when I change CRL interval ?
Q-12 If I change CRL interval, are my certificated already issued
still valid ?
Q-13 180 Days, does that mean I have to bring online my CA in order to
publish my CRL again even if no certificate are revoked ? Or does it
expire (when? How to configure it ?) ?

Then I modify "HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/
CertSvc/Configuration/Root CA". I set ValidityPeriod to Years,
ValidityPeriodUnit with 10.

Q-14 Can we set theses options in CAPolicy ?
Q-15 Is the CAPolicy.inf file modified by wizards or other after the
installation ?


Installation of SACAAM01
------------------------

Windows 2003 Standard Edition SP2 with IIS (even IIS is not necessary)
Configuration of CAPolicy.inf before CA services looks like that :

[Version]
Signature= "$Windows NT$"
[PolicyStatementExtension]
Policies= AllInssuancePolicy
Critical= FALSE
[AllIssuancePolicy]
OID= 2.5.29.32.0

Q-16 Is PolicyStatementExtension section required ? Why ?
Q-17 OID 2.5.29.32.0 was in a exemple CAPolicy.inf file I found. Is it
the good OID ? Is there only one OID for subordinate CA ?
Q-18 What does critical parameter mean exactly ? It is not a technical
parameter.
Q-19 Why there are no section with Renewal information ? Because it is
set by the Root CA so we don't need to specify here ?

Then I insatll binaries

SYSOCMGR /I:SYSOC.INF

In the wizard, I specify a 2048 Key and a validity period of 10 years.

Q-20 Should I prefer choice a 4096 bits key ? (it's an offline root,
what is the drawback if I choice a 4096 bits key ?

I modify registry as for the Root CA. I set 5 years for lifetime on
issued certificates and 30 days for CRL publication (no delta CRL).
Then I run

CERTUTIL -setreg ca\DSConfig CN=Configuration,DC=ROOT,DC=LOCAL

Q-21 Why ?

Then I run

certutil.exe -v -setreg policy\EnableRequestExtensionlist "+2.5.29.32"

Q-22 Is it required even if this parameter is specified in
CAPolicy.inf file ?
Q-23 What is this parameter exactly ? I can't issue certificates if
this parameter isn't set ?

I omit certificate request and import/export ioperations. That's ok
for theses.

Now. If I revoke the subornidate CA certificate.

Q-24 I publish CRL now ? Or I have to wait 180 days (I hope not ...) ?
(and copy/past crl file in my HTTP point).
Q-25 How can I republish CRL in AD ? Offline CA (wich are in
workgroup) can check CRL in AD ? I don't think so. And you ?
Q-26 Does the Sub CA service detect that its certificate is revoked
and do not start ? I test this scenario, and Sub CA still work and
chaining is OK. So, how much time this mechanism take ?

Ok for Root and Sub. Let's see for Online issuing CA.


Installation of ENCAJP01
------------------------

Windows 2003 Enterprise Edition SP2 with IIS, member of the domain
JAPAN.ASIA.LOCAL.

Q-27 If an online CA is down, does the roll back to an other is
automatic ?
Q-28 I want that CA is JAPAN domain only issuing CA for JAPAN users
(and even sub domains if I need in the future). I don't want that a
MEXICO user can obtain a certificate from MEXICO's CA. Should I use
X500 constraints or ACE permissions limitation ? What are the
advantages and drawbacks of the two methods ?

I don't use CAPolicy.inf file.

Q-29 Is it optional ? What can I specify in this CAPolicy.inf file
(constraints ?) ?

I use theses parameters, 2048 bits key for the CA, 5 years lifetime.
And 2 years lifetime on issued certificates. 1 week CRL and delta CRL
allowed.

Q-30 Can I use Delta CRL even if some of my servers are still Windows
2000 Server ?

Then i run theses commands :

certutil -dspublish <Root CRT file> RootCA
certutil -dspublish <Sub CRT file> SubCA
certutil -dspublish <Root CRL file> {Root CA Host Name}
certutil -dspublish <Sub CRL file> {Sub CA Host Name}

Q-31 In some documentations I found that I maty use -f parameters in
addition. Why ?
Q-32 When Root CA or Sub CA revoke a certificate, i have to run theses
commands again (concerning CRL) ?

I configure the Domain Policy GPO in order to publishing the root CA.

Q-33 Is this operation is required or is AD automaticaly done this
operation with other machanism ?

At the moment I don't use KRA agent. But in the future, I will.

Q-34 Can i configure all options about KRA later when the need will be
more hurry ? Or should I configure that now ?


I have many more questions about KRA and other. But if I can have
answer of theses question, it will be great !

Sorry for my poor english, and thanks for reading until there !

--
P.J.A.
 
Re: Help PKI installation - lots of questions !

Please forward these questions to info@identit.ca and we can send you a
proposal for a PKI engagement.
This stretches way beyond a mere newsgroup question and enters into a true
deployment engagement
Brian

"BZP" <p.audonnet@gmail.com> wrote in message
news:bca8eb29-2e4c-4c5f-a624-9f75b3050a71@e4g2000hsg.googlegroups.com...
> Hello,
>
> First, I want to thank those who have already helping me here (Bryan
> and others....) but I need help again :)
> I'm not friendly with PKI. So in this post, I sum up all things I done
> and I ask questions about some steps.
> Thanks for your help :)
>
> I have 7 domains :
>
> ROOT.LOCAL. (thoe forest root domain, ressources domain, no user,
> located at Mexico)
>
> AMERICAS.LOCAL. (technical domain, located in Mexico)
> MEXICO.AMERICAS.LOCAL. (located at Mexico)
> BRAZIL.AMERICAS.LOCAL. (located at Rio)
>
> ASIA.LOCAL. (technical domain, located at Tokyo)
> JAPAN.ASIA.LOCAL. (located at Tokyo)
> KOREA.ASIA.LOCAL. (located at Seoul)
>
> There are 4 AD sites :
>
> MEXICO site (for DC of ROOT.LOCAL., AMERICAS.LOCAL. and
> MEXICO.AMERICAS.LOCAL.)
> RIO site (for DC of BRAZIL.AMERICAS.LOCAL.)
> TOKYO site (for DC of ASIA.LOCAL. and TOKYO.ASIA.LOCAL.)
> KOREA site (for DC or KOREA.ASIA.LOCAL.)
>
> All site are connected with MEXICO (hub site) with 20Mb/s link (uptime
> 24/7).
>
> PKI Target architecture :
>
> Three Tier PKI
>
> One STAND ALONE ROOT CA called SACAMX00 (SA stand for Stand Alone, CA
> for Certificate Authority, MX for Mexico not for the domain -machine
> is in workgroup- but site)
> Two STAND ALONE INTERMEDIATE CA called SACAAM01 (AM stand for America
> not for the domain -machine is in workgroup- but site) and SACAAS01
> (AS stand for Asia not for the domain -machine is in workgroup- but
> site)
> Then, two Enterprise Issuing SA in each domains called ENCAJP01 and
> ENCAJP02 (EN stand for Enterprise, JP for Japan), same for others
> domains ENCAKR01 and ENCAKR02 (KR stand for Korea) etc ... Name :
> ENCAxx0y where xx are code corresponding of domain name.
>
> Stand alone CA are secured virtual machines.
>
> Name of CA are :
> - CA Root
> - AMERICAS Sub & CA ASIA Sub
> - CA JAPAN Iss1, CA JAPAN Iss2, ...
>
> Ok, let's see the installation steps:
>
>
> Installation of SACAMX00
> ------------------------
>
> Windows 2003 Standard Edition SP2 with IIS (even IIS is not necessary)
> Configuration of CAPolicy.inf before CA services looks like that :
>
> [Version]
> Signature= "$Windows NT$"
> [LegalPolicy]
> OID= 1.3.6.1.4.1.311.21.43
> Notice= "http://intranet.americas.local/pki/cps.asp"
> [Certsrv_Server]
> RenewalKeyLength= 4096
> RenewalValidityPeriod= Years
> RenewalValidityPeriodUnits= 20
> [CRLDistributionPoint]
> [AuthorityInformationAccess]
>
> Q-01 Is the " " (space caracter) is required ?
> Q-02 What does legalpolicy section mean ? And what about notice
> parameter (can I change this parameter later?) ? Why this OID ? Does
> it show somewhere in my CA ?
> Q-03 What about Certsrv_server section ? We can configure these
> parameters laters, after the installation or we have to set its now ?
> Q-04 CRLDistributionPoint and AuthorityInformationAccess are
> explicited wrote and left blank. Why ? What's happened if I don't add
> these sections ?
>
> Then, I install CA services.
>
> SYSOCMGR /I:SYSOC.INF
>
> In the wizard, I specify a 4096 Key and a validity period of 20 years.
>
> Q-05 Is it redundant with Certsrv_Server section in CAPolicy.inf ?
> What was the real utility of this section ?
>
> CERTUTIL "CA Root.cer"
>
> Q-06 Is that action wich create the cert file ? Without this command,
> no .cer generated anywhere else ? Or should I specify option -
> ca.cert ?
>
> I map the offline root CA to the AD configuration container
>
> CERTUTIL -setreg ca\DSConfig CN=Configuration,DC=ROOT,DC=LOCAL
>
> Q-07 The Offline root never communicate with AD, why need we set this
> parameter ? What about this parameter exactly ?
> Q-08 Can we do the same action modifying the registry ?
>
> Then I configure CDPs. I clear all checkboxes where CRL Delta is
> mentionned. I have 3 CDP, on local, one LDAP and one HTTP.
>
> Q-09 Can I uncheck "Include in CRLs. Client use this to find Delta CRL
> locations." on all CDP because I don't use Delta CRL in an offline
> CA ? Or is this option has others consequences ?
>
> Then I configure AIAs with a local file publication, a LDAP and a
> HTTP.
>
> Q-10 Is there a difference if I set this parameters using REGEDIT.EXE
> instead of using Extension tab in the GUI ?
>
> Then I configure CRL publication interval. I set 180 days. (left blank
> Delta CRLs)
>
> Q-11 Should I publish again CRL when I change CRL interval ?
> Q-12 If I change CRL interval, are my certificated already issued
> still valid ?
> Q-13 180 Days, does that mean I have to bring online my CA in order to
> publish my CRL again even if no certificate are revoked ? Or does it
> expire (when? How to configure it ?) ?
>
> Then I modify "HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/
> CertSvc/Configuration/Root CA". I set ValidityPeriod to Years,
> ValidityPeriodUnit with 10.
>
> Q-14 Can we set theses options in CAPolicy ?
> Q-15 Is the CAPolicy.inf file modified by wizards or other after the
> installation ?
>
>
> Installation of SACAAM01
> ------------------------
>
> Windows 2003 Standard Edition SP2 with IIS (even IIS is not necessary)
> Configuration of CAPolicy.inf before CA services looks like that :
>
> [Version]
> Signature= "$Windows NT$"
> [PolicyStatementExtension]
> Policies= AllInssuancePolicy
> Critical= FALSE
> [AllIssuancePolicy]
> OID= 2.5.29.32.0
>
> Q-16 Is PolicyStatementExtension section required ? Why ?
> Q-17 OID 2.5.29.32.0 was in a exemple CAPolicy.inf file I found. Is it
> the good OID ? Is there only one OID for subordinate CA ?
> Q-18 What does critical parameter mean exactly ? It is not a technical
> parameter.
> Q-19 Why there are no section with Renewal information ? Because it is
> set by the Root CA so we don't need to specify here ?
>
> Then I insatll binaries
>
> SYSOCMGR /I:SYSOC.INF
>
> In the wizard, I specify a 2048 Key and a validity period of 10 years.
>
> Q-20 Should I prefer choice a 4096 bits key ? (it's an offline root,
> what is the drawback if I choice a 4096 bits key ?
>
> I modify registry as for the Root CA. I set 5 years for lifetime on
> issued certificates and 30 days for CRL publication (no delta CRL).
> Then I run
>
> CERTUTIL -setreg ca\DSConfig CN=Configuration,DC=ROOT,DC=LOCAL
>
> Q-21 Why ?
>
> Then I run
>
> certutil.exe -v -setreg policy\EnableRequestExtensionlist "+2.5.29.32"
>
> Q-22 Is it required even if this parameter is specified in
> CAPolicy.inf file ?
> Q-23 What is this parameter exactly ? I can't issue certificates if
> this parameter isn't set ?
>
> I omit certificate request and import/export ioperations. That's ok
> for theses.
>
> Now. If I revoke the subornidate CA certificate.
>
> Q-24 I publish CRL now ? Or I have to wait 180 days (I hope not ...) ?
> (and copy/past crl file in my HTTP point).
> Q-25 How can I republish CRL in AD ? Offline CA (wich are in
> workgroup) can check CRL in AD ? I don't think so. And you ?
> Q-26 Does the Sub CA service detect that its certificate is revoked
> and do not start ? I test this scenario, and Sub CA still work and
> chaining is OK. So, how much time this mechanism take ?
>
> Ok for Root and Sub. Let's see for Online issuing CA.
>
>
> Installation of ENCAJP01
> ------------------------
>
> Windows 2003 Enterprise Edition SP2 with IIS, member of the domain
> JAPAN.ASIA.LOCAL.
>
> Q-27 If an online CA is down, does the roll back to an other is
> automatic ?
> Q-28 I want that CA is JAPAN domain only issuing CA for JAPAN users
> (and even sub domains if I need in the future). I don't want that a
> MEXICO user can obtain a certificate from MEXICO's CA. Should I use
> X500 constraints or ACE permissions limitation ? What are the
> advantages and drawbacks of the two methods ?
>
> I don't use CAPolicy.inf file.
>
> Q-29 Is it optional ? What can I specify in this CAPolicy.inf file
> (constraints ?) ?
>
> I use theses parameters, 2048 bits key for the CA, 5 years lifetime.
> And 2 years lifetime on issued certificates. 1 week CRL and delta CRL
> allowed.
>
> Q-30 Can I use Delta CRL even if some of my servers are still Windows
> 2000 Server ?
>
> Then i run theses commands :
>
> certutil -dspublish <Root CRT file> RootCA
> certutil -dspublish <Sub CRT file> SubCA
> certutil -dspublish <Root CRL file> {Root CA Host Name}
> certutil -dspublish <Sub CRL file> {Sub CA Host Name}
>
> Q-31 In some documentations I found that I maty use -f parameters in
> addition. Why ?
> Q-32 When Root CA or Sub CA revoke a certificate, i have to run theses
> commands again (concerning CRL) ?
>
> I configure the Domain Policy GPO in order to publishing the root CA.
>
> Q-33 Is this operation is required or is AD automaticaly done this
> operation with other machanism ?
>
> At the moment I don't use KRA agent. But in the future, I will.
>
> Q-34 Can i configure all options about KRA later when the need will be
> more hurry ? Or should I configure that now ?
>
>
> I have many more questions about KRA and other. But if I can have
> answer of theses question, it will be great !
>
> Sorry for my poor english, and thanks for reading until there !
>
> --
> P.J.A.
 
Re: Help PKI installation - lots of questions !

Hum, does someone have some answer ? At least at some questions ?

Thanks.

--
P.J.A.
 
Re: Help PKI installation - lots of questions !

No free consulting.
For the number of questions you have, the only way to get these answered is
to:
1) Learn PKI
2) Hire a consultant
3) Research
Brian

"BZP" <p.audonnet@gmail.com> wrote in message
news:bf19c419-afdb-478b-abc1-607111eff589@t1g2000pra.googlegroups.com...
> Hum, does someone have some answer ? At least at some questions ?
>
> Thanks.
>
> --
> P.J.A.
 
Re: Help PKI installation - lots of questions !

On 3 jan, 20:39, "Brian Komar" <brian.ko...@nospam.identit.ca> wrote:
> No free consulting.
> For the number of questions you have, the only way to get these answered is
> to:
> 1) Learn PKI
> 2) Hire a consultant
> 3) Research
> Brian
>
> "BZP" <p.audon...@gmail.com> wrote in message
>
> news:bf19c419-afdb-478b-abc1-607111eff589@t1g2000pra.googlegroups.com...
>
>
>
> > Hum, does someone have some answer ? At least at some questions ?

>
> > Thanks.

>
> > --
> > P.J.A.- Masquer le texte des messages précédents -

>
> - Afficher le texte des messages précédents -


I'm fed up with that kind of reactions ! But I understand.
I'm frustrated you know. In fact, I just need one Enterprise CA (and
online!), this scenario is very bigger than what I need, but I wonder
how it works and you tell me the only way I have is to pay for ?
I took the MS course 2821, I have searched on Technet and I have read
lots of whitepaper. Theses sharp questions haven't got an evident
answer in those documentations, and english is not my mother tongue,
so it's a little bit harder for me.
Finally, I need more technical explanations than an enterprise
conslulting/expertise (imagine a expert juste for my little CA...). I
don't want advises, I want technical responses as I am used to find in
NG. Ok, there are lots of questions, but if I wrote an big scenario,
it is to prevent responses like "why do you need this" or "there is a
workarround solution" too. Maybe I should cut theses questions...
Brian, I thank you for your previous answers and tips, I will try to
do all this alone.

Regards,

--
P.J.A.
 
Re: Help PKI installation - lots of questions !

On 3 jan, 23:47, BZP <p.audon...@gmail.com> wrote:
> On 3 jan, 20:39, "Brian Komar" <brian.ko...@nospam.identit.ca> wrote:
>
>
>
>
>
> > No free consulting.
> > For the number of questions you have, the only way to get these answered is
> > to:
> > 1) Learn PKI
> > 2) Hire a consultant
> > 3) Research
> > Brian

>
> > "BZP" <p.audon...@gmail.com> wrote in message

>
> >news:bf19c419-afdb-478b-abc1-607111eff589@t1g2000pra.googlegroups.com...

>
> > > Hum, does someone have some answer ? At least at some questions ?

>
> > > Thanks.

>
> > > --
> > > P.J.A.- Masquer le texte des messages précédents -

>
> > - Afficher le texte des messages précédents -

>
> I'm fed up with that kind of reactions ! But I understand.
> I'm frustrated you know. In fact, I just need one Enterprise CA (and
> online!), this scenario is very bigger than what I need, but I wonder
> how it works and you tell me the only way I have is to pay for ?
> I took the MS course 2821, I have searched on Technet and I have read
> lots of whitepaper. Theses sharp questions haven't got an evident
> answer in those documentations, and english is not my mother tongue,
> so it's a little bit harder for me.
> Finally, I need more technical explanations than an enterprise
> conslulting/expertise (imagine a expert juste for my little CA...). I
> don't want advises, I want technical responses as I am used to find in
> NG. Ok, there are lots of questions, but if I wrote an big scenario,
> it is to prevent responses like "why do you need this" or "there is a
> workarround solution" too. Maybe I should cut theses questions...
> Brian, I thank you for your previous answers and tips, I will try to
> do all this alone.
>
> Regards,
>
> --
> P.J.A.- Masquer le texte des messages précédents -
>
> - Afficher le texte des messages précédents -


It's OK, I have all my answers.
For people who want to know, mail me.
Thanks for your help.

--
P.J.A.
 
Back
Top