Intel vPro – Configuration – Part 2 – PKI Installation

At this point in the series, our goal is to set up the simplest possible configuration that gets vPro working as a proof of concept. Because the proof of concept will use a self-signed certificate, we need to install our own Certificate Authority, and because a single-tier PKI is unsafe to use with vPro, we will install a two-tier PKI: an offline standalone root CA and an online enterprise subordinate (issuing) CA.

This post will cover the following:

  1. Installing the Offline Standalone Root CA
  2. Installing the Online Enterprise Subordinate (Issuing) CA

Installing the Offline Standalone Root CA

Requirements

You will need two VMs:

  • Standalone root CA: Windows Server 2008 Standard or better.
  • Enterprise subordinate CA: Windows Server 2008 Enterprise or better.

Concepts

Please read the following blog post a couple of times to learn the concepts behind PKI. Without that background, the rest of this post will be difficult to follow.

In our case, we will configure IIS on the enterprise subordinate CA and use it to host the AIA and CDP locations for both the offline standalone root CA and the online enterprise subordinate (issuing) CA.

Procedure

  1. Install Windows Server 2008 Standard or above on the VM.
  2. Download the following scripts from my blog post titled Server 2008 R2 Standalone Root CA Install Script and store them on the VM in the folder C:\Install_Files.
    1. capolicy.inf
    2. SetupCA-RootCA.ps1
    3. Install-StandAloneCA.cmd
  3. Modify capolicy.inf.
    1. Remove the following lines:
      [LegalPolicy]
      URL = "http://certs.chemistry.ohio-state.edu/CertData/cps.docx"
    2. Change the ‘renewalkeylength’ value from 4096 to 2048; vPro doesn’t support keys larger than 2048 bits.
  4. Modify SetupCA-RootCA.ps1 line 351.
    1. Replace -CAName with a friendly-name for your CA (you get to choose this).
    2. Change -DNSuffix to match the distinguished name of your domain. You can find this by running the following command in PowerShell:
      ([adsi]'').distinguishedname
    3. Finally, change -HashAlgorith from SHA256 to SHA1. vPro doesn’t support SHA256 certificates.
  5. Modify Install-StandAloneCA.cmd
    1. Insert your domain’s distinguished name on line 9.
    2. On line 20, replace the entire line with the following code. Replace the URL with the FQDN of your future Enterprise Subordinate CA.
      certutil -setreg CA\CRLPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:http://cdp.yourdomain.com/Certdata/%%3%%8%%9.crl"
    3. On line 23, replace the entire line with the following code. Replace the URL with the FQDN of your future Enterprise Subordinate CA.
      certutil -setreg CA\CACertPublicationURLs  "1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://aia.yourdomain.com/CertData/%%1_%%3%%4.crt"
  6. After placing all three files into C:\Install_Files, launch a command prompt as administrator and type the following commands:
    cd C:\Install_Files
    Install-StandAloneCA.cmd
    certutil -crl

Enterprise Subordinate Issuing CA

Now that your Offline Root CA is configured, it’s time to install the Enterprise Issuing CA.

Procedure

  1. Install Windows Server 2008 Enterprise or above on the VM.
  2. Create partitions on the server like the following:
    • C:\, 25GB, boot
    • D:\, 5GB, cert db
    • E:\, 5GB, logs
    • F:\, 5GB, inetpub
  3. Download the following scripts from my blog post titled Server 2008 Enterprise Subordinate CA Install Scripts and store them on the VM in the folder C:\Install_Files.
    1. capolicy.inf
    2. Setup-IssuingCA1.ps1
    3. Install-ADCS.cmd
  4. Modify capolicy.inf.
    1. Remove the following lines:
      [LegalPolicy]
      URL = "http://certs.chemistry.ohio-state.edu/CertData/cps.docx"
    2. Change the ‘renewalkeylength’ value from 4096 to 2048; vPro doesn’t support keys larger than 2048 bits.
  5. Modify Setup-IssuingCA1.ps1 line 351.
    1. Replace -CAName with a friendly-name for your CA (you get to choose this).
    2. Change -DNSuffix to match the distinguished name of your domain. You can find this by running the following command in PowerShell:
      ([adsi]'').distinguishedname
    3. Finally, change -HashAlgorith from SHA256 to SHA1. vPro doesn’t support SHA256 certificates.
  6. Modify Install-ADCS.cmd
    1. Insert your domain’s distinguished name on line 9.
    2. On line 20, replace the entire line with the following code. Replace the URL with the FQDN of your future Enterprise Subordinate CA.
      certutil -setreg CA\CRLPublicationURLs "65:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n65:F:\inetpub\wwwroot\certdata\%%3%%8%%9.crl\n6:http://cdp.yourdomain.com/Certdata/%%3%%8%%9.crl"
    3. On line 23, replace the entire line with the following code. Replace the URL with the FQDN of your future Enterprise Subordinate CA.
      certutil -setreg CA\CACertPublicationURLs  "1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n1:F:\inetpub\wwwroot\certdata\%%1_%%3%%4.crt\n2:http://aia.yourdomain.com/CertData/%%1_%%3%%4.crt"
  7. After placing the files into C:\Install_Files, launch a command prompt as administrator and type the following commands:
    cd C:\Install_Files
    Install-ADCS.cmd
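The numeric prefixes on the certutil -setreg entries above (1 and 2 on the root CA, 65 and 6 on the issuing CA) are bitmask flags, and the %n tokens are placeholders the CA fills in when it publishes. The following PowerShell is an added example, not part of the original post or its scripts: it decodes the issuing CA's CRL and AIA entries using the documented AD CS flag values and token names. The host name, CA name and URLs in it are constructed sample values, and the percent signs are single (inside a .cmd file they are doubled, %%3, because cmd.exe consumes one).

```powershell
# Added example, not part of the original post or its scripts.
# Decodes the flag prefixes and %n tokens of certutil -setreg
# CA\CRLPublicationURLs / CA\CACertPublicationURLs entries.
# Flag values and token names are the documented AD CS ones;
# host name, CA name and URLs are constructed sample values.

$CrlFlags = @{
    1   = 'Publish CRLs to this location'
    2   = 'Include in the CDP extension of issued certificates'
    4   = 'Include in CRLs (clients use it to find delta CRLs)'
    8   = 'Include in the CDP extension of CRLs'
    64  = 'Publish delta CRLs to this location'
    128 = 'Include in the IDP extension of issued CRLs'
}
$AiaFlags = @{
    1  = 'Publish CA certificates to this location'
    2  = 'Include in the AIA extension of issued certificates'
    32 = 'Include in the OCSP extension of issued certificates'
}

# Constructed values for the tokens the CA substitutes when it publishes.
# %windir% is an ordinary environment variable and is left alone here.
$Tokens = @{
    '%1' = 'issuingca1.yourdomain.com'  # ServerDNSName
    '%3' = 'Contoso-IssuingCA1'         # CaName
    '%4' = ''                           # CertificateName: '' for the first key, '(1)' after renewal with a new key
    '%8' = ''                           # CRLNameSuffix:   '' for the first key, '(1)' after renewal with a new key
    '%9' = ''                           # DeltaCRLAllowed: '' for the base CRL, '+' for the delta CRL
}

function Expand-PublicationUrl {
    param([string]$Entry, [hashtable]$FlagTable, [hashtable]$Tokens)
    # Split at the first colon only: the path part contains 'F:\' and 'http://'.
    $sep   = $Entry.IndexOf(':')
    $flags = [int]$Entry.Substring(0, $sep)
    $path  = $Entry.Substring($sep + 1)
    # Each set bit is one behaviour: 65 = 1 + 64, 6 = 2 + 4.
    $meaning = foreach ($bit in ($FlagTable.Keys | Sort-Object)) {
        if ($flags -band $bit) { $FlagTable[$bit] }
    }
    foreach ($t in $Tokens.Keys) { $path = $path.Replace($t, $Tokens[$t]) }
    New-Object PSObject -Property @{
        Flags    = $flags
        Location = $path
        Meaning  = ($meaning -join '; ')
    }
}

# The issuing CA's entries from Install-ADCS.cmd, percent signs un-doubled.
$CrlEntries = @(
    '65:%windir%\system32\CertSrv\CertEnroll\%3%8%9.crl'
    '65:F:\inetpub\wwwroot\certdata\%3%8%9.crl'
    '6:http://cdp.yourdomain.com/Certdata/%3%8%9.crl'
)
$AiaEntries = @(
    '1:%windir%\system32\CertSrv\CertEnroll\%1_%3%4.crt'
    '1:F:\inetpub\wwwroot\certdata\%1_%3%4.crt'
    '2:http://aia.yourdomain.com/CertData/%1_%3%4.crt'
)

$CrlEntries | ForEach-Object { Expand-PublicationUrl $_ $CrlFlags $Tokens } |
    Format-Table Flags, Location, Meaning -AutoSize -Wrap
$AiaEntries | ForEach-Object { Expand-PublicationUrl $_ $AiaFlags $Tokens } |
    Format-Table Flags, Location, Meaning -AutoSize -Wrap

# On the CA itself, compare with what the .cmd actually stored:
#   certutil -getreg CA\CRLPublicationURLs
#   certutil -getreg CA\CACertPublicationURLs
```

The decoding makes one design point of the layout visible: neither CA has the "publish" bit (1) on its http:// entry, since the root's entry is 2: and the issuing CA's is 6:. The issuing CA writes its files to F:\inetpub\wwwroot\certdata by file path (65: and 1:), where IIS serves them, and the offline root cannot write there at all, which is why its certificate and CRL are copied to that folder by hand in the "Fixing Certificate Validation" steps below.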

Fixing Certificate Validation

Before we continue, we need to configure the AIA and CDP points so that certificate validation will pass. Otherwise, the subordinate CA won’t trust the root when we try to link them.

  1. Download the following scripts from my blog post titled Server 2008 Enterprise Subordinate CA Install Scripts – Part 2 – IIS and store them on the VM in the folder C:\Install_Files.
    1. Install-SubCA-IIS.cmd
    2. MoveIISRoot.cmd
  2. Open a command prompt as administrator and type the following commands:
    cd C:\Install_Files
    Install-SubCA-IIS.cmd
  3. Log in to the Standalone Root CA and copy the files in C:\Windows\System32\certsrv\certdata to F:\inetpub\wwwroot\CertData on the Subordinate CA. These files are the root CA certificate and its initial, empty CRL, which the AIA and CDP URLs point to.

Linking the two CAs

You might notice that after running Install-ADCS.cmd, the script gives you an error that the Enterprise Subordinate CA does not have a CA certificate and thus cannot start. Here’s how we fix that.

Step 1 – Establish Trust

In order for the servers to have a parent-child relationship, the child CA must trust the parent CA.

  1. Log in to the Subordinate CA.
  2. Start -> Run (or Windows+R) -> “mmc”
  3. File -> Add Snap-in -> Certificates -> Local Computer -> Computer Account.
  4. Expand until you see ‘Trusted Root Certificate Authorities’.
  5. Right-click ‘Trusted Root Certificate Authorities’ and choose ‘Install Certificate’.
  6. Follow the wizard, selecting the file at F:\inetpub\wwwroot\CertData\ that was copied from the Standalone CA.

Step 2 – Generate a CA Certificate for the Subordinate CA

  1. Look on the C drive of the Enterprise Subordinate CA. You will see a certificate request file. Copy this file to your Standalone Root CA.
  2. Log in to the standalone root CA and launch the Certificate Authority snap-in from ‘Administrative Tools’.
  3. Right-click the Standalone Root CA and choose ‘All Tasks’ -> ‘Submit New Request’.
  4. Open the request file saved from the C drive of the Enterprise Subordinate CA.
  5. Navigate to ‘Pending Requests’.
  6. Right-click the Pending Request for the Enterprise Subordinate CA’s certificate and choose ‘Approve’.
  7. Navigate to ‘Issued Certificates’.
  8. Double-click the Enterprise Subordinate CA’s certificate.
  9. Navigate to the ‘Details’ tab.
  10. Choose ‘Copy to File…’
  11. Follow the wizard, accepting the defaults. Save the file and copy it to the Enterprise Subordinate CA.

Step 3 – Install the Subordinate CA’s CA Certificate

  1. Log in to the Enterprise Subordinate CA and launch the Certificate Authority snap-in from ‘Administrative Tools’.
  2. Right-click the Enterprise Subordinate CA and choose ‘Install CA Certificate’.
  3. Select the certificate file copied from the Standalone Root CA.
  4. Right-click the Enterprise Subordinate CA and choose ‘All Tasks’ -> ‘Start Service’.
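Steps 1 to 3 can also be done from an elevated prompt with certreq and certutil, which is easier to repeat and to script. The following PowerShell is an added example, not the post's own procedure: every file name, host name and CA name in it is a placeholder (the request file name that the CA setup writes to C:\ differs per install), and each section is run on the machine named in its comment, with the files copied between machines as in the GUI steps.

```powershell
# Added example, not the post's own procedure. All names and paths are placeholders.

# ----- on the Enterprise Subordinate CA: Step 1, trust the root -----
$RootCert = 'F:\inetpub\wwwroot\CertData\ROOTCA_Contoso-RootCA.crt'   # placeholder file name
certutil -addstore -f Root $RootCert      # LocalMachine Trusted Root Certification Authorities store
# Then copy the request file from C:\ to the root CA.

# ----- on the Standalone Root CA: Step 2, issue the subordinate CA certificate -----
$RootConfig = 'ROOTCA\Contoso-RootCA'     # <hostname>\<CA name> of the root (placeholder)
$Request    = 'C:\issuingca1.yourdomain.com_Contoso-IssuingCA1.req'   # placeholder file name
certreq -submit -config $RootConfig $Request          # on a standalone CA the request lands in 'Pending Requests'
$RequestId = Read-Host 'RequestId printed by certreq -submit'
certutil -config $RootConfig -resubmit $RequestId     # the 'Approve' step
certreq -retrieve -config $RootConfig $RequestId C:\IssuingCA1.cer   # the 'Copy to File...' step
# Then copy C:\IssuingCA1.cer back to the subordinate CA.

# ----- on the Enterprise Subordinate CA: Step 3, install it and start the service -----
certutil -installcert C:\IssuingCA1.cer
net start certsvc
# Chain check that also fetches every AIA and CDP URL in the certificate;
# the last line of its output must be "-verify command completed successfully."
certutil -verify -urlfetch C:\IssuingCA1.cer
```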

Verification

In theory both certificate servers are now working and can issue and verify certificates. To test this, log in to the Enterprise Subordinate CA and run ‘PKIView.msc’. It should enumerate your PKI, and there should be no errors.
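What PKIView.msc checks can also be checked by script, which is handy for re-testing after any change to the AIA or CDP URLs. The following PowerShell is an added example, not part of the original post. It assumes the issuing CA certificate saved in Step 2 is at the placeholder path C:\IssuingCA1.cer and that it runs on a domain machine that can reach the IIS host; it fetches every http:// AIA and CDP URL in the certificate, builds the chain with online revocation checking, confirms the root is in the machine's Trusted Root store, and checks the two vPro constraints this post imposes (SHA1 signature, key no larger than 2048 bits).

```powershell
# Added example, not part of the original post. The certificate path is a placeholder.
$CertPath = 'C:\IssuingCA1.cer'   # issuing CA certificate saved in Step 2
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# 1. Every http:// URL in the AIA (1.3.6.1.5.5.7.1.1) and CDP (2.5.29.31) extensions must be fetchable.
$urls = foreach ($oid in '1.3.6.1.5.5.7.1.1', '2.5.29.31') {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if ($ext) { [regex]::Matches($ext.Format($false), 'http://[^\s,]+') | ForEach-Object { $_.Value } }
}
$wc = New-Object System.Net.WebClient   # available on PowerShell 2.0 (Server 2008 R2), unlike Invoke-WebRequest
foreach ($u in ($urls | Sort-Object -Unique)) {
    try   { $bytes = $wc.DownloadData($u); 'OK   {0} ({1} bytes)' -f $u, $bytes.Length }
    catch { 'FAIL {0}: {1}' -f $u, $_.Exception.Message }
}

# 2. Build the chain the way a client does: fetch revocation data online for every CA below the root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode      = 'Online'
$chain.ChainPolicy.RevocationFlag      = 'ExcludeRoot'   # Windows never revocation-checks a root
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15
if ($chain.Build($cert)) {
    'Chain OK: ' + (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join '  <-  ')
} else {
    $chain.ChainStatus | ForEach-Object { 'Chain error: {0} ({1})' -f $_.Status, $_.StatusInformation.Trim() }
}

# 3. The root must be in the machine's Trusted Root store (Step 1 above), not just the user's.
if ($chain.ChainElements.Count -gt 0) {
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if (Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)") { 'Root present in LocalMachine\Root' }
    else { 'Root NOT in LocalMachine\Root: redo Step 1' }
}

# 4. The constraints this series imposes for vPro: SHA1 signature, key no larger than 2048 bits.
$sig  = $cert.SignatureAlgorithm.FriendlyName   # 'sha1RSA' for an RSA key signed with SHA1
$bits = $cert.PublicKey.Key.KeySize
'Signature: {0}  Key: {1} bits  vPro-compatible: {2}' -f $sig, $bits, (($sig -eq 'sha1RSA') -and ($bits -le 2048))
```

A FAIL on a URL with an otherwise good chain usually means the files were not copied into F:\inetpub\wwwroot\CertData or the IIS virtual directory name does not match the path in the certutil -setreg strings (note that those strings use both "Certdata" and "CertData"; IIS on Windows is case-insensitive, so that difference is harmless there).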

Congrats! Your PKI is now installed. Look to the next post for configuring your PKI for Intel AMT.
