Installing a Two Tier PKI Hierarchy in Windows Server 2012: Part IX, Configuring High Availability for the HTTP AIA and CDP Repositories
AIA and CDP Repositories are very important for certificate validation. The Authority Information Access or AIA repository host CA Certificates. This location is “stamped” in the Authority Information Access extension of issued certificates. A client that is validating a certificate may not have every CA certificate in the chain. The client needs to build the entire chain to verify that the chain terminates in a self-signed certificate that is trusted (Trusted Root). So, if a client does not have every certificate in the chain, the client can download these missing CA certificates from the AIA repository.
CDP Repositories host the CRLs that the CA publishes. The CRL Distribution Points extension is “stamped” in certificates. Client use this location to download CRLs that the CA Publishes. When a client is validating a certificate it will build the chain to a Root CA. If the Root CA is trusted this means the certificate is acceptable for use. However, for applications that require revocation checking, the client must also validate that every certificate in the chain (with the exception of the Root) is not revoked. The client does this buy downloading a CRL file and parsing the CRL to see if the serial number of the certificate being validated is not listed. If it is listed the certificate is revoke and should not be trusted.
So, we need these repositories to be available when a client is performing revocation checking. If the AIA and CDP repository is hosted on a web server we need to make the web server highly available. We don’t want clients to begin failing revocation checking because a single web server is down or unavailable. One way to make the HTTP repositories highly available is to host them on Load Balanced web servers.
In this blog entry I am going to cover on how to make the HTTP AIA and CDP repositories highly available. I am going to perform the following steps:
- Install IIS (Web Server)
- Configure a virtual directory
- Copy CA certificates to the repository
- Configure the CA to publish CRLs to the Repository on the two web servers
- Install and configure Network Load Balancing (NLB)
- Configure DNS
I have two web servers: FCWeb01 and FCWeb02. I am only going to illustrate the following steps one time, but I have to perform the same steps on both Web Servers:
- Install IIS (Web Server)
- Configure a virtual directory
- Copy CA certificates to the repository
Install IIS (Web Server)
Thanks to PowerShell installing IIS is a breeze. Once I have the PowerShell CLI open I run:
Add-WindowsFeature Web-WebServer –IncludeManagementTools
Configure a virtual directory
Earlier in this blog series I configured my HTTP AIA and CDP locations for the both the Root and Issuing CA to be located here: https://pki.fourthcoffee.com/certenroll/
So, I need to create a "certenroll” virtual directory in order to support the AIA and CDP extensions that I defined earlier. To meet this requirement, I simply added a CertEnroll folder underneath the C:\Inetpub\wwwroot\ directory. There are of course other alternatives, a virtual directory could be created at another location on the C Drive or another drive if one is available.
Next I have to perform a couple steps. 1. I need to create a share, so that the Issuing CA can copy files via SMB to the CertEnroll folder. This is how the Issuing CA will update the CRL on the repository. 2. I have to give the Issuing CA, at least Change Permissions to the share so that it has access to write the CRL file. 3. I have to configure NTFS Permissions so that the CA has at least Modify permissions, again this is to facilitate the writing of the CRL file to the SMB share.
Configuring share permissions
After creating the CertEnroll directory, I right-click on the directory and select Properties from the context menu.
On the Sharing Tab, I select Advanced Sharing…
I select Share this folder, then enter a share name of CertEnroll$. Next I click the Permissions button. On the Permissions page, I click on the Add… button. On the Select Users, Computers, Service Accounts, or Groups Dialog box, I click the Object Types… button, and ensure that Computers is selected. Next I type the name of the server hosting my Issuing CA, and click the Check Names button. Once the name is validated, I click OK. This takes me back to the Permissions page, where I select the CA Machine name that I specified previously. I configure permissions so that the computer hosting the Issuing CA has Change and Read Permissions to the share. Finally on the Advanced Sharing page, I click OK.
Configuring NTFS permissions
This takes me back to the Properties page for the CertEnroll folder. I click on the Security Tab, and click the Edit… button.
Next, I click the Add… button. On the Select Users, Computers, Service Accounts, or Groups Dialog box, I click the Object Types… button, and ensure that Computers is selected. Next I type the name of the server hosting my Issuing CA, and click the Check Names button. Once the name is validated, I click OK.
Finally on the Permissions page for the CertEnroll folder, I configure the permissions to give the CA’s machine Modify permissions.
Copying CA Certificates and CRLs
The web servers are going to host the AIA repository for the Root and Issuing CA. So, I need to manually copy the Root and Issuing CA certificate to the CertEnroll directory. Also, the web servers are going to host the CDP repository for the Root and Issuing CA. So, I need to copy the Root CRL to the Web Servers. I am not going to copy the Issuing CAs CRL, because I am going to configure the Issuing CA to automatically publish it’s CRL to the CertEnroll folder. The CA certificate and CRL files can be located in the C:\Windows\System32\CertSrv\CertEnroll\ folder on each CA. So, I copy the files.
Configure the CA to publish CRLs to the Repository on the two web servers
Next, I have to configure the Issuing CA to publish it’s CRL to the repository via SMB. Once I make this configuration change, the Issuing CA will publish it’s CRL to the Web Servers hosting the repository, every time it publishes a new CRL. I am going to use the built in mechanism the CA has for publishing CRLs. Keep in mind if you want to use some other tool like SSH or SFTP to copy the files, you can do this. However, you will need to script the copy process and run it as a scheduled task.
So, I create a file I am calling CRLFixUp.bat. The file rewrites the configuration I made in Installing a Two Tier PKI Hierarchy in Windows Server 2012: Part VI, Post Configuration of an Enterprise Subordinate Certification Authority. I also, add the following to the configuration: n1:file:\\fcweb01.fourthcoffee.com\certenroll$\%%3%%8%%%9.crl and n1:file:\\fcweb02.fourthcoffee.com\certenroll$\%%3%%8%%%9.crl. These two additions configure the CA to publish the CRL to the two web servers.
Next I have to restart Certificate Services for the changes to be read from the registry by the CA.
Publishing a new CRL file
Next, I need to publish a new CRL so that the CA publishes it’s CRL to the web server. I open the Certification Authority management console. I right-click on Revoked Certificates, then I select All Tasks and then Publish from the context menu.
Next, I am prompted to publish a New CRL, and I click OK.
If the CRL Publish failed a dialog box would pop-up with the error and an event would be logged to the Application Log. In my case the publication succeeded. Next I can view the CertEnroll directory on each web server to ensure that the file copy succeeded.
Install and configure Network Load Balancing (NLB)
Next, I am going to install and configure Network Load Balancing to provide a mechanism for High Availability between the two web servers. In most environments, there are dedicated Load Balancers that are used for this. Since this is a very simple demo environment I am using NLB as an illustration of one way HA can be accomplished.
To install NLB and the management tools, I enter the following in the PowerShell CLI:
Add-WindowsFeature NLB –IncludeManagementTools
To access the Network Load Balancing Manger, I select Tools from Server Manager, and select Network Load Balancing Manager.
To create a new NLB Cluster, I select the Cluster menu, and then select New from the context menu.
This opens the New Cluster “Wizard”. On the Connect page, I enter the name FCWeb01, and click Connect. Next, I click Next.
On the Host Parameters page I accept the defaults and click Next.
On the Cluster IP Address page I click the Add… button. Then on the Add IP Address page, I enter the IP address I want clients to use to access the Load Balanced Web Servers. I enter the subnet, and click OK.
Then I click Next.
On the Cluster Parameters page, I select Multicast, and click Next.
On the Port Rules page I accept the defaults and click Finish.
Next, I need to add the second web server to the Cluster. So, I right-click on the cluster name and select Add Host to Cluster from the context menu.
On the Connect page of the wizard, I enter the name of the second web server, and click Connect.
On the Host Parameters page I accept the defaults and click Next.
On the Port Rules page of the wizard, I accept the defaults and click Finish.
My NLB Cluster is now configured.
In the blog posting Installing a Two Tier PKI Hierarchy in Windows Server 2012: Part VI, Post Configuration of an Enterprise Subordinate Certification Authority, I created a CNAME recored and pointed it at the Issuing CA as that was hosting my repositories. To undo that changes I previously made I open up DNS Manager (dnsmgmt.msc), and delete the CNAME record that I previously created.
Next I need to create an A record. So, I right-click on the fourthcoffee.com zone and select New host (A or AAAA)… from the context menu.
I enter in the name pki under Name. Next, I enter the IP Address of the front-end of my NLB Cluster, and click Add Host.
This completes the installation of my highly available HTTP AIA and CDP Repositories.
Conclusion
So, far in this series I have installed and configured a Root and Issuing CA. I have taken steps to secure the Web Enrollment website and the CAs themselves. And finally I have configured the HTTP AIA and CDP Repositories to be highly available. I am going to continue this series. In the next couple blog postings I am going to focus on enrollment.
-Chris