Last month I was busy building a lab environment to demonstrate Workplace Join with Windows 8.1 and Windows Server 2012 R2. Microsoft created an excellent walkthrough for building the lab environment, starting with AD FS. While working my way through the demo I noticed that Workplace Join is very picky about retrieving the certificate revocation list for the certificate used by the AD FS service. The lab setup refers to Configure SSL/TLS on a Web site in the domain with an Enterprise CA to set up the Public Key Infrastructure, but that reference does not contain the steps to set up a working PKI. Here is my fix for this omission.
This time I set up the PKI with an OCSP Responder. The previous setup, with a published CRL, expired the CRL every few days, which required a manual action to republish it. With an OCSP Responder server this is no longer the case.
Disclaimer: The following steps are for setting up PKI for a DEMO ENVIRONMENT. It is NOT meant as a solution for building a production PKI.
You can use the Domain Controller in the lab environment as the Certificate Authority, or set up a separate server that is joined to the domain. In my case I used the Domain Controller to set up the CA.
Step 1: Configure the Domain Controller
I used the following PowerShell commands to set up the Domain Controller for nextxpert.net:
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSForest -DomainName "nextxpert.net" -ForestMode 5 -DomainMode 5 -DomainNetbiosName "nextxpert"
Step 2: Configure the Certificate Authority with Active Directory Certificate Services
Install Active Directory Certificate Services and the Online Responder
I used the following PowerShell commands to install AD CS:
Install-WindowsFeature ADCS-Cert-Authority,ADCS-Online-Cert -IncludeManagementTools
Configure the Certificate Authority
I used the following PowerShell commands to set up the Enterprise Root CA:
Install-AdcsCertificationAuthority -CAType EnterpriseRootCa -CACommonName HyperxpertRootCA -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -KeyLength 2048 -HashAlgorithmName SHA1 -ValidityPeriod Years -ValidityPeriodUnits 5
Configure the OCSP location in the Authority Information Access extension on the CA
Start the Certificate Authority MMC
Right click the CA name and select Properties
In the CA Properties dialog select the Extensions tab
On the Extensions tab select Authority Information Access (AIA), and then click Add.
In the Add Location dialog, type the following location: http://<ServerDNSName>/ocsp and click OK.
In the Extensions tab, enable the following option:
- Include in the online certificate status protocol (OCSP) extension
Click OK, and restart the service when prompted.
Enable the OCSP Signing certificate template on the CA
Start the Certificate Authority MMC
Right click the Certificate Templates and select New | Certificate Template to Issue
Select OCSP Response Signing, and click OK
Publish the Revocation List
In the Certificate Authority MMC right click Revoked Certificates
Select All Tasks | Publish
In the Publish CRL dialog, select New CRL and click OK
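The same Step 2 configuration (OCSP URL in the AIA extension, OCSP Response Signing template, fresh CRL) can be scripted with certutil instead of the MMC. This is an added example, not from the original post; it assumes an elevated PowerShell session on the CA and a constructed lab hostname in $OcspHost.

```powershell
# Added example (not part of the original post): Step 2 as a script.
# Assumption: run elevated on the CA; $OcspHost is the DNS name of the
# server running the Online Responder (constructed lab value, adjust it).
$OcspHost = "dc01.nextxpert.net"

# CACertPublicationURLs is a multi-valued registry string; certutil -setreg
# separates the entries with a literal "\n". The numeric prefix is a flag mask:
#   1  = publish the CA certificate to this location
#   2  = include in the AIA extension of issued certificates
#   32 = include in the OCSP extension (the checkbox enabled in the MMC above)
# The first three entries are the Windows defaults, kept so the LDAP/HTTP AIA
# locations survive; -setreg replaces the whole list, not just one entry.
# PowerShell does not expand %WINDIR% or %1..%11, so the CA receives the
# tokens literally, which is what it expects.
$aiaUrls = @(
    '1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt',
    '2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11',
    '2:http://%1/CertEnroll/%1_%3%4.crt',
    "32:http://$OcspHost/ocsp"
) -join '\n'
certutil -setreg CA\CACertPublicationURLs $aiaUrls

# Make the OCSP Response Signing template available for issuance on this CA
# (equivalent to "Certificate Template to Issue" in the MMC).
certutil -SetCATemplates +OCSPResponseSigning

# Extension changes only take effect after the service restarts.
Restart-Service certsvc

# Publish a new base CRL, as in "Publish the Revocation List" above.
certutil -CRL

# Show the resulting AIA/OCSP list so the 32: entry can be confirmed.
certutil -getreg CA\CACertPublicationURLs
```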
Step 3: Configure the Certificate Template ACLs
The Enterprise CA can only enroll certificates from templates when the template ACLs are properly configured. The following procedure shows how to enable Domain Computers to enroll WebServer certificates. If you are running AD FS on a Domain Controller, make sure you also allow the group Domain Controllers to enroll certificates from the template.
Start Active Directory Sites and Services
Browse to Services\Public Key Services\Certificate Templates
Right click the WebServer certificate template and select Properties
On the Security tab add the group Domain Computers and allow Read and Enroll
If AD FS is running on a Domain Controller, also add the group Domain Controllers and allow Read and Enroll
Right click the OCSPResponseSigning certificate template and select Properties
On the Security tab add the group Domain Computers and allow Read and Enroll, and the group Domain Controllers and allow Read and Enroll.
Step 4: Configure the Online Responder
In Server Manager, under Tasks, select Configure Active Directory Certificate Services on th…
In the AD CS Configuration dialog, credentials screen specify the credentials for a member of the Enterprise Admins group and click Next.
In the Role Services screen, enable Online Responder, click Next and then click Configure.
Click Close when the Online Responder is successfully configured.
Open Online Responder Management
Right click Revocation Configuration and then click Add Revocation Configuration
In the Add Revocation Configuration wizard, click Next in the getting started page.
Enter a name for the Revocation Configuration and click Next.
Select "Select a certificate for an Existing enterprise CA", and click Next
Select "Browse CA certificates published in Active Directory", and click Browse…
In the Select Certification Authority dialog, select the Enterprise Root CA, and click OK, then click Next
In the Select Signing Certificate page, select Automatically select a signing certificate, enable Auto-Enroll for an OCSP signing certificate, and then click Next
Click Finish to end the wizard
Now restart the server running the OCSP Responder
Step 5: Enroll the Web Server Certificate on a Domain Member Server
Use the following procedure to enroll the WebServer certificate on a Domain Member Server:
In the Certificates MMC for the local computer, browse to Certificates\Personal\Certificates
Right click Certificates and select All Tasks | Request New Certificate…
In the Certificate Enrollment wizard, click Next twice
In the Request Certificates dialog, select Web Server, expand the Details and click Properties
In the Certificate Properties, configure the subject name and Alternative names (when applicable) and click OK
Now click Enroll
Step 6: Test if the OCSP Responder is functional
On the server with the enrolled certificate, export the newly enrolled Web Server certificate to a file.
On the Command Prompt, use CertUtil.exe to check OCSP operation. Use the following command to run the test:
CertUtil -URL <certificate.crt>
In the URL Retrieval Tool, select OCSP (from AIA), and click Retrieve
Check if the status for the OCSP is "Verified".
If all is fine, you can now continue building the Workplace Join lab environment with a working PKI.
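Steps 5 and 6 can also be done from PowerShell, which avoids the manual export and the URL Retrieval Tool GUI and gives a result a script can check. This is an added example, not from the original post; it assumes an elevated session on the domain member server that will host AD FS, and a constructed service name in $Fqdn.

```powershell
# Added example (not part of the original post): enroll the Web Server
# certificate and test OCSP non-interactively.
# Assumption: run elevated on the domain member server; $Fqdn is the AD FS
# service name (constructed lab value, adjust it).
$Fqdn = "adfs.nextxpert.net"

# Get-Certificate (PKI module, Windows 8.1 / Server 2012 R2) submits a request
# to the enterprise CA for the WebServer template. Subject and SAN are supplied
# in the request, as in the Certificate Properties dialog of Step 5.
$result = Get-Certificate -Template WebServer `
    -SubjectName "CN=$Fqdn" -DnsName $Fqdn `
    -CertStoreLocation Cert:\LocalMachine\My
if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete: status $($result.Status)"
}
$cert = $result.Certificate

# Export only the public certificate (no private key) for certutil to check.
$cerPath = Join-Path $env:TEMP "$Fqdn.cer"
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# certutil -verify -urlfetch follows every AIA, CDP and OCSP URL embedded in
# the certificate and reports "Verified" or "Failed" per fetch. This is the
# command-line equivalent of "OCSP (from AIA)" -> Retrieve in Step 6.
$output = certutil -verify -urlfetch $cerPath
$output | Select-String -Pattern 'OCSP', 'Verified', 'Failed', 'Revocation'

# Workplace Join refuses the AD FS certificate when revocation checking cannot
# complete, so any "Failed" fetch points at the responder or the AIA URL.
$failed = $output | Where-Object { $_ -match '^\s*Failed\s+"' }
if ($failed) {
    Write-Warning "Revocation URL fetch failed for $Fqdn; review the output above."
} else {
    Write-Host "OCSP revocation check OK for $Fqdn"
}
```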