Hello Everyone and thanks in advance for insights.
Never done this before hence the question as guidance.
We have a number of internal appliances now that complain that the site is not secure

I am assuming that this can be easily resolved through an internal Certificate Authority and can then be pushed to all users via computer GPO settings as seen below
But I have a few questions. We have 2 x 2016 DCs and no other server that I can really put this on right now, and I would rather not bring up yet another server just for this. I know it is not best practice to put it on a DC, but how risky is it?
Is it better to make your own certificate (internal only) or should I look at an external cert that I import and push out?
Can anyone make a suggestion for a clear article that explains the steps for this item?
Cheers in advance.
Laszlo Denes
Technical Analyst Servers
Information Systems
--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/3ed720c081f34acfb8c1a4ab28fd5b20%40TGHVSEX2013ACT.torontograce.org.
Hey Kurt thank you… will look at it shortly…
Laszlo Denes
Technical Analyst Servers
Information Systems
t: ext. 214
Okay I have found a 2016 server (WDS or WSUS) that I can install it on to avoid the DC issue. Thanks for pointing that out.
But other than that is there any better way to avoid the errors for users than installing a certificate and pushing it to desktops via GPO?
Would an internal one suffice or should I get an external Digicert, etc.?
Laszlo Denes
Technical Analyst Servers
Information Systems
t: ext. 214
From: ntsys...@googlegroups.com [mailto:ntsys...@googlegroups.com]
On Behalf Of Kurt Buff - GSEC, GCIH
Sent: Tuesday, February 25, 2020 3:18 PM
To: ntsys...@googlegroups.com
Subject: Re: [ntsysadmin] Certificate Authority
1) Are you going to have a single-tier CA? That's generally not a good idea.
Will the appliances EVER be accessible directly from an external PC? Not through a VPN, but from somewhere on the internet?
If not, then don't pay for a certificate to put on them.
Is your internal DNS domain name the same as your external DNS domain name? If not, then you probably won't be able to purchase a public certificate for them. Most public CAs will no longer issue certificates for internal domain names. (company.ad, company.local)
An internal CA structure is generally fairly inexpensive, especially when compared to the cost of purchasing several external certs and renewing on a regular basis.
Another reason to NOT install a CA on a DC: DCs do not have local groups. This makes it more difficult to lock down management of the CA.
Please install a 2-tier CA. It will require 2 servers, but it gives so much more flexibility and security.
A very good reference that will walk you through step-by-step is from SANS: https://www.sans.org/reading-room/whitepapers/certificates/implementing-public-key-infrastructure-pki-microsoft-windows-server-2012-certificate-services-35427
It is written for 2012, but still applicable to a 2016/2019 server. Just be sure to read completely through it before starting. Once you have all of the information gathered, it generally should only take less than a day to get it set up.
I also recommend that you take the time to register for a Private Enterprise Number (PEN) as described in the document BEFORE you start. It is not required, but can make things easier if you ever need to publish certificates publicly or federate with other companies. It can take some time to get the PEN issued, but it is no cost and is perpetual.
Thank you for the detailed insight :)
No they will never hit the Internet.
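As an added example (not code from anyone in the thread), a PowerShell check for the situation discussed above: once the internal root CA certificate has been pushed by GPO, does an appliance's HTTPS certificate actually chain to a root in the workstation's Trusted Root store, and does the name match? The hostname and port are assumed placeholders.

```powershell
# Added example, not code from the thread. Connects to one internal appliance over
# TLS, records Windows' own verdict on the certificate, and checks whether the cert
# chains to a root present in LocalMachine\Root (where a GPO-distributed internal
# root CA certificate lands). Hostname and port below are assumed placeholders.
param(
    [string]$TargetHost = 'appliance01.corp.example',  # assumed appliance name
    [int]$Port = 443
)

$script:policyErrors = $null
$tcp = New-Object System.Net.Sockets.TcpClient
$ssl = $null
try {
    $tcp.Connect($TargetHost, $Port)
    # Keep the verdict (name mismatch, chain errors) but let the handshake finish
    # so the certificate can still be inspected.
    $callback = { param($sender, $cert, $chn, $errors)
        $script:policyErrors = $errors; $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($TargetHost)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    if ($ssl) { $ssl.Close() }
    $tcp.Close()
}

# Rebuild the chain locally; CRL reachability for the internal CA is a separate check.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chainBuilds = $chain.Build($leaf)
# Highest certificate the chain engine could find: the root if the chain completes,
# otherwise the last intermediate (or the leaf itself) it got to.
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$topInRootStore = [bool](Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $top.Thumbprint })

[pscustomobject]@{
    Subject        = $leaf.Subject
    Issuer         = $leaf.Issuer
    NotAfter       = $leaf.NotAfter
    ChainTop       = $top.Subject
    TopInRootStore = $topInRootStore   # $false: the GPO root push has not applied on this machine
    ChainBuilds    = $chainBuilds
    ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    # 'None' is what browsers need; RemoteCertificateNameMismatch means the SAN lacks this hostname
    PolicyErrors   = "$script:policyErrors"
}
```

Run it from a domain-joined workstation after a gpupdate; a certificate that chains cleanly but still shows a name mismatch needs the appliance's cert reissued with the right SAN, not another root push.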
I agree. I used it as a primary reference for the last 3 companies to build PKI. The configs and scripts were used as a basis for my own PowerShell scripts to automate most of the setup.
There are other sources from the web that I also use, as well as "the book" from Microsoft (really wish they would update that). I like the SANS document for the explanations in the 1st half. Most of the other walk-throughs I've seen just do step-by-steps, but I didn't feel they explained enough of what the options are or how they interact.
Currently, my team is expanding our 2-tier to add a 2nd Issuing CA. The original will be used for user/workstation certs with the new CA handling server/applications. I can foresee eventually adding a third to handle the non-Windows appliances. Mostly the reason is to split the management roles among different groups.
Additionally, I am walking my team through building a two-tier PKI in our test domain. It is really appreciated since it is not a system that gets built very often and most of the team don't really have much knowledge of how it all works.
The 1st half covers some of the concepts and the 2nd half covers the installation and configuration.
Here are some other sources you can refer to:
https://777notes.wordpress.com/2016/07/11/certificates-the-dos-and-donts-of-pki/
https://www.derekseaman.com/2014/01/windows-server-2012-r2-two-tier-pki-ca-pt-1.html
https://timothygruber.com/pki/deploy-a-pki-on-windows-server-2016-part-1/
https://blogs.technet.microsoft.com/xdot509/tag/operating-a-pki/
https://social.technet.microsoft.com/wiki/contents/articles/10942.ad-cs-security-guidance.aspx
It's been a while since I went through my Certificate Services links folder. Too many of them are broken now. The ones above were working just now.
The best advice I can give is to read up on AD CS and try to plan out the design before you get started.
Thanks for all the great insights and discussion
From: ntsys...@googlegroups.com [mailto:ntsys...@googlegroups.com]
On Behalf Of Dennis Pinckard
Sent: Thursday, February 27, 2020 9:01 PM
To: ntsys...@googlegroups.com
Subject: Re: [ntsysadmin] Certificate Authority
The 1st half covers some of the concepts and the 2nd half covers the installation and configuration.
Interesting.
It’s still in the cache. I referred to it just a couple weeks ago.
From: ntsys...@googlegroups.com [mailto:ntsys...@googlegroups.com]
On Behalf Of Michael Leone
Sent: Friday, February 28, 2020 10:02 AM
To: NTSysAdmin
Subject: Re: [ntsysadmin] Certificate Authority
On Thu, Feb 27, 2020 at 9:01 PM Dennis Pinckard <ntsys...@doomsdaypig.com> wrote:
The 1st half covers some of the concepts and the 2nd half covers the installation and configuration.
Here are some other sources you can refer to:
https://blogs.technet.microsoft.com/xdot509/tag/operating-a-pki/
This one's broken, BTW; it came up 404 Unknown page.