CA Configuration and Installation Documentation

Updated: 12/11/2003

CalNetPKI hierarchy design (Visio PNG format)

Off-line Root Certificate Authority (UCB Root Certificate Authority 01)

  1. Set up the off-line root CA with a custom capolicy.inf file.
  2. Generate the root certificate keys.
  3. Set up the calnetpki.berkeley.edu website.
  4. Create CertEnroll folder for root CA files
  5. Copy root certificate and CRL to folder
  6. Create cps folder and redirect to smartcard website with CPS
  7. Run Netscape compatibility script for Netscape support.
  8. Run CA smtp configuration script.

Enterprise Subordinate Certificate Authority (UCB Subordinate Certificate Authority 01)

  1. On the Schema Master (actdir01), run adprep /forestprep from the /i386 folder on the Server 2003 CD
  2. On the Infrastructure Master for each domain (actdir02), run adprep /domainprep from the /i386 folder on the Server 2003 CD
  3. Use create-computer script to create computer account for ad-pe02.berkeley.edu in the uc.berkeley.edu domain
  4. Disable the CA GPO; its old server settings conflict with Server 2003.
  5. Apply hisecws.inf to Local Security Policy
  6. Join machine to domain.
  7. Publish Root CA in AD: certutil -f -dspublish ".crt file name" RootCA
  8. Publish Root CRL in AD: certutil -f -dspublish ".crl file name" ad-pe01.berkeley.edu (script)
  9. Launch Certificate Templates MMC to update forest templates
  10. Copy CAPolicy.inf to systemroot folder
  11. Install Certificate Services
    • Microsoft Strong Encryption, SHA-1, 2048 bit key
    • CN=UCB Subordinate Certificate Authority 01
    • OU=University of California Berkeley
    • O=University of California
    • C=US
    • Install CertLog to the E: drive
  12. Copy certificate request to off-line Root CA
  13. Use certreq on Root CA to submit request
  14. Use Certificate Authority MMC or certutil to approve the request
  15. Use certreq -retrieve <requestID> to get signed certificate from off-line root CA.
  16. Launch Certificate Authority MMC.
    1. Open CA properties.
    2. Change security so only Domain Users, Domain Computers, and Enterprise Domain Controllers can request Certificates
    3. Enable all auditing
    4. Change CDP to point to http://calnetpki.berkeley.edu/CertEnroll/%CAName%/%CAName%%CRLNameSuffix%.crl
    5. Add file://\\ad-pw01.berkeley.edu\CertEnroll\%CAName%\%CAName%%CRLNameSuffix%.crl as a location to publish CDP
    6. Change AIA to point to http://calnetpki.berkeley.edu/CertEnroll/%CAName%/%ServerDNSName%_%CAName%%CRLNameSuffix%.crt
    7. Add file://\\ad-pw01.berkeley.edu\CertEnroll\%CAName%\%ServerDNSName%_%CAName%%CRLNameSuffix%.crt as a location to publish AIA
  17. Run Netscape compatibility script for Netscape support.
  18. Run CA smtp configuration script.

Enterprise Issuing Certificate Authority (UCB Issuing Certificate Authority 02)

  1. On the Infrastructure Master for each domain (actdir02), run adprep /domainprep from the /i386 folder on the Server 2003 CD
  2. Use create-computer script to create computer account for ad-pe03.berkeley.edu in the campus.berkeley.edu domain
  3. Disable the CA GPO; its old server settings conflict with Server 2003.
  4. Apply hisecws.inf to Local Security Policy
  5. Join machine to domain.
  6. Copy CAPolicy.inf to systemroot folder
  7. Install Certificate Services
    • Microsoft Strong Encryption, SHA-1, 2048 bit key
    • CN=UCB Issuing Certificate Authority 02
    • OU=University of California Berkeley
    • O=University of California
    • C=US
    • Install CertLog to the E: drive
  8. Launch Certificate Authority MMC.
    1. Open CA properties.
    2. Change security so only Domain Users, Domain Computers, and Enterprise Domain Controllers can request Certificates
    3. Enable all auditing
    4. Change CDP to point to http://calnetpki.berkeley.edu/CertEnroll/%CAName%/%CAName%%CRLNameSuffix%.crl
    5. Add file://\\ad-pw01.berkeley.edu\CertEnroll\%CAName%\%CAName%%CRLNameSuffix%.crl as a location to publish CDP
    6. Change AIA to point to http://calnetpki.berkeley.edu/CertEnroll/%CAName%/%ServerDNSName%_%CAName%%CRLNameSuffix%.crt
    7. Add file://\\ad-pw01.berkeley.edu\CertEnroll\%CAName%\%ServerDNSName%_%CAName%%CRLNameSuffix%.crt as a location to publish AIA
  9. Run Netscape compatibility script for Netscape support.
  10. Run CA smtp configuration script
  11. RA setup: on ad-pe03.berkeley.edu run dcomcnfg and add Authenticated Users to the launch permissions for the CertSrv module.
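The CDP and AIA entries configured in the Certificate Authority MMC for the subordinate CA (step 16) and the issuing CA (step 8) are stored in the CA\CRLPublicationURLs and CA\CACertPublicationURLs registry values. The batch script below is an added example, not part of the original CalNetPKI documentation: it sets the same locations with certutil, using the numeric token forms of %ServerDNSName% (%1), %CAName% (%3) and %CRLNameSuffix% (%8) that the registry stores, and assumes it is run on the CA itself by a local administrator.

```batch
@echo off
rem Added example: set the CDP and AIA locations with certutil instead of the MMC.
rem Flag prefixes for CRLPublicationURLs:
rem   1 = publish CRLs to this location (the UNC share the CA writes to)
rem   2 = include this URL in the CDP extension of issued certificates
rem Flag prefixes for CACertPublicationURLs:
rem   1 = publish the CA certificate to this location
rem   2 = include this URL in the AIA extension of issued certificates
rem Tokens: %%1 = ServerDNSName, %%3 = CAName, %%8 = CRLNameSuffix.
rem Inside a .cmd file a literal % must be written as %%; %CAName% would be
rem expanded as an (empty) environment variable, so the numeric forms are used.
rem Note: -setreg replaces the whole list. An enterprise CA's default ldap:///
rem entries are dropped unless you add them back on the same line.

certutil -setreg CA\CRLPublicationURLs "2:http://calnetpki.berkeley.edu/CertEnroll/%%3/%%3%%8.crl\n1:file://\\ad-pw01.berkeley.edu\CertEnroll\%%3\%%3%%8.crl"
certutil -setreg CA\CACertPublicationURLs "2:http://calnetpki.berkeley.edu/CertEnroll/%%3/%%1_%%3%%8.crt\n1:file://\\ad-pw01.berkeley.edu\CertEnroll\%%3\%%1_%%3%%8.crt"

rem New URLs only take effect after the CA service restarts.
net stop certsvc
net start certsvc

rem Verify what was stored, then force a CRL publish to the UNC location.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
certutil -crl

rem Optional end-to-end check: fetch every CDP/AIA URL embedded in a certificate
rem issued after the restart (issued.cer is a placeholder file name).
certutil -verify -urlfetch issued.cer
```

If certutil -verify -urlfetch reports a failed CRL or AIA retrieval, the http:// path on calnetpki.berkeley.edu or the CertEnroll share permissions are the first things to check.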

UCB Registration Authority

  1. Install RA services on ad-pw01.berkeley.edu for calnetpki.berkeley.edu
  2. Add permissions to \\ad-pw01.berkeley.edu\CertEnroll to allow Cert Publishers to connect to the share and write updates.
  3. Leaving the CertSrv files in the system32 directory caused errors: the CA service would report as not started and the external realm lookup would fail.
  4. Copy CertSrv files to InetPub folder.
  5. Change security settings on certrqma.asp, certsces.asp, and certrqxt.asp to deny read access to Internet Guest Account.
  6. Set up https://ad-pw01.berkeley.edu/certsrv to use SSL and basic authentication for extranet and non-Integrated Authentication access.
  7. Add CertSrv, CertControl, and CertEnroll virtual folders to the https site.

Domain Controller

  • Use dsstore DC=uc,DC=berkeley,DC=edu -display to display Root certs in the store.
  • Use dsstore DC=uc,DC=berkeley,DC=edu -del to remove one.
  1. Open the Active Directory Users and Computers snap-in, and right-click the domain node.
  2. Click Delegate Control, at which point the Delegation wizard starts.
  3. In the wizard:
    1. Click Next, click Add, and then add the Cert Publishers group from the parent domain.
    2. Click Next.
    3. Select the Create a custom task to delegate option, and then click Next.
    4. Select the Only the following objects in the folder option.
    5. Select the User objects option, and then click Next.
    6. Select the Property-specific option.
    7. Select the Read userCertificate option.
    8. Select the Write userCertificate option.
    9. Click Next, and then click Finished.
  4. Add Certificate AutoEnroll to the DC GPO.
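The delegation wizard steps above give the parent domain's Cert Publishers group read and write access to the userCertificate attribute of user objects in the child domain, which is what lets the enterprise CA publish issued certificates to users in that domain. The dsacls command below is an added example (not from the original CalNetPKI documentation) that applies the same ACE from a command prompt on a domain controller; the child domain DN DC=campus,DC=berkeley,DC=edu and the parent domain NetBIOS name UC are assumed from the domain names used elsewhere on this page.

```batch
@echo off
rem Added example: scripted equivalent of the Delegate Control wizard steps.
rem Assumptions: parent domain NetBIOS name UC, child domain campus.berkeley.edu.
set CHILD_DN=DC=campus,DC=berkeley,DC=edu
set CERT_PUBLISHERS=UC\Cert Publishers

rem /I:S  = apply to sub-objects only (the domain object itself gets nothing)
rem RPWP  = Read Property + Write Property
rem ;userCertificate;user = limited to that one attribute on user objects
dsacls "%CHILD_DN%" /I:S /G "%CERT_PUBLISHERS%:RPWP;userCertificate;user"

rem Verify: the new ACE should appear in the domain object's DACL listing.
dsacls "%CHILD_DN%" | findstr /I /C:"Cert Publishers"
```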