How can I configure PKI in a lab on Windows Server 2016 – Part 6

This series is comprised of different parts, listed below.

In part 1 of this series, you configured your LAB for a 2 tier PKI hierarchy running on Windows Server 2016. You used PowerShell to create some virtual machines, and then installed Windows Server 2016, Windows 10 Enterprise version 1803 and optionally Smoothwall 3.1 before configuring the IP address scheme and Computer Names on the virtual machines. Finally you configured ADDS on DC01 so that you have a working Domain Controller for the rest of this LAB. In part 2 you installed and did the initial configuration on the Standalone Offline Root CA. In part 3 you prepared the HTTP Web Server for CDP and AIA Publication and you created a DNS record for the publicly available web server.

In part 4 you performed post configuration on the Standalone Offline Root CA to set certificate revocation list (CRL) period registry settings using CertUtil, and then enabled object access Auditing and finally, you configured three locations for the Authority Information Access (AIA) and four locations for the Certificate revocation list Distribution Point (CDP), again using CertUtil. In part 5 you joined the IssuingCA computer to the windowsnoob domain before creating a new CAPolicy.inf file which was customized for the Issuing CA role. Next, you published the Root CA Certificate and CRL (both to Active Directory and the HTTP webserver) and you installed the Enterprise Issuing CA before submitting a request to the StandAlone Offline Root CA. Next you installed the Issuing CA Certificate using the response files from the StandAlone Offline Root CA on the removable media.

In this part, you will perform post installation and configuration of the IssuingCA server.

Step 1. Configure Certificate Revocation and CA Certificate Validity Periods

To configure certificate revocation and CA certificate validity periods, ensure that you are logged on to the IssuingCA server as windowsnoob\EntAdmin (you can run whoami in the command prompt to verify which user is logged on).

Configure the CRL and Delta CRL settings

Enter the following commands from an administrative command prompt:

Certutil -setreg CA\CRLPeriodUnits 1

Press enter when done, then enter the following:

Certutil -setreg CA\CRLPeriod "Weeks"

Press enter when done, then enter the following:

Certutil -setreg CA\CRLDeltaPeriodUnits 1

Press enter when done, then enter the following:

Certutil -setreg CA\CRLDeltaPeriod "Days"

The output of the above commands is shown below.

[Screenshot: output of the Certutil commands that configure the CRL and Delta CRL settings]

Define CRL overlap settings

Enter the following commands from an administrative command prompt:

Certutil -setreg CA\CRLOverlapPeriodUnits 12

Press enter when done, then enter the following:

Certutil -setreg CA\CRLOverlapPeriod "Hours"

The output of the above commands is shown below.

[Screenshot: output of the Certutil commands that define the CRL overlap settings]

Configure the certificate validity period

The default validity period for certificates issued from the IssuingCA server is 2 years, stored in the registry as ValidityPeriodUnits = 2 with ValidityPeriod = "Years", as shown here (HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\windows noob Issuing CA).
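The whole of Step 1 can be applied and checked in one go. The following PowerShell script is an added example, not part of the original post: it runs the same Certutil -setreg commands the post lists, reads the stored values back from the registry path the post names, converts the periods to hours so the relationships between them can be checked, and restarts the CA service so the new periods take effect. The CA name "windows noob Issuing CA" is taken from the post; the ConvertTo-Hours helper and the warning thresholds are assumptions of this example.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the IssuingCA server as windowsnoob\EntAdmin.

$CaName  = 'windows noob Issuing CA'   # CA name from the post; adjust for your lab
$RegPath = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"

# The values exactly as the post's Certutil commands set them
$Desired = [ordered]@{
    CRLPeriodUnits        = 1
    CRLPeriod             = 'Weeks'
    CRLDeltaPeriodUnits   = 1
    CRLDeltaPeriod        = 'Days'
    CRLOverlapPeriodUnits = 12
    CRLOverlapPeriod      = 'Hours'
}

# Apply each setting with certutil and stop on the first failure
foreach ($name in $Desired.Keys) {
    & certutil.exe -setreg "CA\$name" $Desired[$name] | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg CA\$name failed with exit code $LASTEXITCODE" }
}

# Read back what is actually stored under the CA's Configuration key
$cfg = Get-ItemProperty -Path $RegPath

# Assumed helper: turn a (units, period) pair into hours so periods can be compared.
# Months and Years are approximations and only used for these sanity checks.
function ConvertTo-Hours([int]$Units, [string]$Period) {
    switch ($Period) {
        'Minutes' { return $Units / 60 }
        'Hours'   { return $Units }
        'Days'    { return $Units * 24 }
        'Weeks'   { return $Units * 24 * 7 }
        'Months'  { return $Units * 24 * 30 }
        'Years'   { return $Units * 24 * 365 }
        default   { throw "Unknown period unit '$Period'" }
    }
}

$base    = ConvertTo-Hours $cfg.CRLPeriodUnits        $cfg.CRLPeriod
$overlap = ConvertTo-Hours $cfg.CRLOverlapPeriodUnits $cfg.CRLOverlapPeriod

# A delta CRL period of 0 units means delta CRLs are disabled on this CA
if ($cfg.CRLDeltaPeriodUnits -eq 0) {
    Write-Warning 'Delta CRL publishing is disabled (CRLDeltaPeriodUnits = 0)'
    $delta = 0
} else {
    $delta = ConvertTo-Hours $cfg.CRLDeltaPeriodUnits $cfg.CRLDeltaPeriod
    # A delta CRL that lives as long as the base CRL gives clients no fresher data
    if ($delta -ge $base) {
        Write-Warning "Delta CRL period ($delta h) is not shorter than the base CRL period ($base h)"
    }
}

# The overlap is extra time added to the CRL's Next Update so clients have a
# window to fetch the new CRL; it should stay well below the base period.
if ($overlap -ge $base) {
    Write-Warning "CRL overlap ($overlap h) is not shorter than the base CRL period ($base h)"
}

"Base CRL period    : {0} {1} ({2} h)" -f $cfg.CRLPeriodUnits,        $cfg.CRLPeriod,        $base
"Delta CRL period   : {0} {1} ({2} h)" -f $cfg.CRLDeltaPeriodUnits,   $cfg.CRLDeltaPeriod,   $delta
"CRL overlap        : {0} {1} ({2} h)" -f $cfg.CRLOverlapPeriodUnits, $cfg.CRLOverlapPeriod, $overlap
"Issued cert validity: {0} {1}"        -f $cfg.ValidityPeriodUnits,   $cfg.ValidityPeriod

# Settings written with certutil -setreg are read when the CA service starts,
# so restart Active Directory Certificate Services for the new periods to apply.
Restart-Service -Name CertSvc
```

With the post's values the script reports a base CRL period of 168 h, a delta CRL period of 24 h and an overlap of 12 h, and issues no warnings; the ValidityPeriodUnits / ValidityPeriod line shows the 2 year default that the post goes on to change.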

You can continue reading the rest of this blog post here on windows-noob.com.

This entry was posted in PKI.
