Steps for renewing NDES Service Certificates

Hello, this blog covers the process I developed to renew the NDES Service Certificates. I thought I had also created a blog with steps to enable these to autoenroll, but I can't find it at the moment. Basically, NDES uses a CEP Encryption certificate and an Exchange Enrollment Agent certificate. Unless things have changed recently there are no obvious ways to renew them, hence this article. If you have a better solution feel free to let me know. Another option is to simply uninstall and then re-install NDES using the same service account.

In an upcoming article I will cover how to change the service account passwords and how to replace the NDES service account in case of a compromise or security concerns around the service account.

Step 1: First give the NDES Server Read and Enroll permission to the CEP Encryption Certificate Template.

Step 2: Open the certificates MMC targeted to the computer.  Expand Personal.  Right-click on Certificates.  From the context menu select All Tasks then Renew Certificate with New Key…

Step 3: On the Before You Begin page of the wizard, click Next.

Step 4: On the Request Certificates page, click Enroll.

Step 5: On the final page of the wizard, click Finish.

Step 6: Open Certmgr.msc as a user that has Read and Enroll permissions to the Exchange Enrollment Certificate Template.  Expand Personal, right click on Certificates.  Select All Tasks, and then Request New Certificate…

Step 7: On the Before You Begin page, click Next.

Step 8: On the Select Certificate Enrollment Policy page, click Next.

Step 9: Select the Exchange Enrollment Agent certificate template, and click the More information is required to enroll for this certificate. Click here to configure settings. link.

You will want to use the same Subject Name that is in your current Exchange Enrollment certificate. The following steps illustrate how to do this. You can find the current subject name by opening the Certificates MMC targeted to the local machine and then opening the existing Exchange Enrollment Agent certificate. In my example the name was CN=FCNDES01-MSCEP-RA,C=US.

Step 10: Under Subject Name ensure that Common Name is selected and under Value enter the common name that is in your existing certificate. Then click Add.

Step 11: Change the Type to Country and under Value type the country code that is in your existing Exchange Enrollment Agent certificate.

Step 12: Click Add

Step 13: On the Private Key tab, select Make private key exportable.  Then click OK.

Step 14: Then click Enroll.

Step 15: Right-click on the Exchange Enrollment certificate in the users personal store.  Select Export…

Step 16: When the Certificate Export Wizard opens, click Next.

Step 17: On the Export Private Key page, select Yes, export the private key.

Step 18: On the Export File Format page, select Personal Information Exchange – PKCS #12 (.PFX)

Step 19: On the Password page, enter a password and click Next.

Step 20: On the File to Export page, click the Browse… button.  Select the file name and save location.  When finished click Next.

Step 21: On the final page of the wizard, click Finish.

Step 22: Then click OK.

Step 23: In the Certificate MMC on the NDES Server that is targeted to the computer, expand Personal.  Right-click on Certificates.  From the context menu, select All Tasks and then Import…

Step 24: On the Welcome page, click Next.

Step 25: Browse to the PFX file you previously created, and click Next.

Step 26: On the Password page, enter the password associated with the PFX file.

Step 27: On the Certificate Store page, click Next.

Step 28: On the final page of the wizard, click Finish.

Step 29: Then click OK.

Step 30: In the Certificate MMC on the NDES Server that is targeted to the computer, expand Personal.  Right-click on the old Exchange Enrollment certificate, and select Delete. 

Step 31: Then click Yes, to accept the deletion.

Step 32: Right click on the new Exchange Enrollment certificate.  From the context menu, select All Tasks then Manage Private Keys…

Step 33: Add the NDES service account and ensure that it just has Read permission.  Click OK.

Step 34: Right click on the new CEP Encryption certificate.  From the context menu, select All Tasks then Manage Private Keys…

Step 35: Add the NDES service account and ensure that it just has Read permission.  Click OK.

Step 36: Reset IIS using the iisreset command.
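After Steps 33 through 36, the following script (an added example, not part of the original post) inventories the NDES RA certificates in the machine store, reports their expiry, and checks that the service account holds exactly Read on each private key. It assumes both RA certificates carry the "<host>-MSCEP-RA" subject shown above, that the keys are legacy CSP keys (the NDES default), Windows PowerShell 5.1 run as administrator, and that $ServiceAccount is a placeholder for your NDES service account.

```powershell
# Added example (not from the original post). Assumptions: RA certs use the
# "<host>-MSCEP-RA" subject, keys are CSP keys stored under MachineKeys,
# Windows PowerShell 5.1, elevated. $ServiceAccount is a placeholder.
$ServiceAccount = 'CONTOSO\svc_ndes'     # placeholder: your NDES service account
$keyDir = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$readOnly = [System.Security.AccessControl.FileSystemRights]::Read

$raCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=*-MSCEP-RA*' }
if (-not $raCerts) { Write-Warning 'No *-MSCEP-RA certificates in the machine store'; return }

foreach ($cert in $raCerts) {
    # V1 templates (CEPEncryption, EnrollmentAgentOffline) name the template in
    # extension 1.3.6.1.4.1.311.20.2; V2 duplicates use 1.3.6.1.4.1.311.21.7.
    $tmplExt = $cert.Extensions |
        Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' } |
        Select-Object -First 1
    $tmplName = if ($tmplExt) { $tmplExt.Format($false) } else { '(no template extension)' }
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    Write-Host ('{0}  thumbprint={1}  template={2}  expires in {3} days' -f
        $cert.Subject, $cert.Thumbprint, $tmplName, $daysLeft)
    if ($daysLeft -lt 30) { Write-Warning '  Expires soon: run the renewal steps above' }

    if (-not $cert.HasPrivateKey) { Write-Warning '  No private key: NDES cannot use this cert'; continue }
    # .PrivateKey only resolves for CSP keys; CNG keys return $null or throw here
    $csp = try { $cert.PrivateKey.CspKeyContainerInfo } catch { $null }
    if (-not $csp) { Write-Warning '  CNG key: check its ACL via Manage Private Keys'; continue }

    $keyFile = Join-Path $keyDir $csp.UniqueKeyContainerName
    $rules = (Get-Acl $keyFile).Access |
        Where-Object { $_.IdentityReference.Value -eq $ServiceAccount }
    if (-not $rules) {
        Write-Warning "  $ServiceAccount has no ACE on the key; NDES will fail after iisreset"
        continue
    }
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') {
            Write-Warning "  Deny ACE present for $ServiceAccount on the key"
        } elseif ($rule.FileSystemRights -eq $readOnly) {
            Write-Host "  $ServiceAccount has Read only on the key (as expected)"
        } else {
            # Steps 33/35 say Read only; anything wider is excess privilege
            Write-Warning ("  $ServiceAccount has {0} on the key; reduce to Read" -f $rule.FileSystemRights)
        }
    }
}
```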

Feel free to contact me with any topics you would like me to cover with a future blog posting or YouTube video.

-Chris

Implementing Certificate Autoenrollment and Automatic Rebind for IIS (TLS/Server Auth) Certificates

Background

In this blog posting I will cover the steps to enable autoenrollment for TLS certificates. Basically, in order to get this working you need to perform the following steps: configure autoenrollment GPO, create a certificate template with the proper settings, enroll for a certificate, configure IIS to use that certificate, and then enable re-binding in IIS.

This will allow you to request the TLS or Server Auth certificate once and then have it automatically renew and have IIS automatically use (rebind) to the new certificate. This eliminates the need to manually re-enroll for certificates.

Configuring Autoenrollment

In order for TLS certificates to be renewed autoenrollment must be enabled via GPO. This section covers configuring the Autoenrollment GPO

Step 1: Open the Group Policy Management Tool (gpmc.msc)

Step 2: Name the GPO and click OK

Step 3: Locate the new GPO

Step 4: Right-click on the GPO and select Edit from the context menu

Step 5: Navigate to \Computer Configuration\Windows Settings\Security Settings\Public Key Policies

Step 6: In the right-hand pane select the setting Certificate Services Client – Auto-Enrollment

Step 7: Double-click on this setting to open its properties

Step 8: Set the Configuration Model to Enabled

Step 9: Select Renew expired certificates, update pending certificates, and remove revoked certificates

Step 10: Select Update certificates that use certificate templates

Certificate Template

You can re-configure an existing Web Server template or create a new one to enable the autoenrollment permissions. In the example below the process for creating a new certificate template is demonstrated

Step 1: Open certtmpl.msc

Step 2: Right-click on the Web Server certificate template and select Duplicate Template from the context menu

Step 3: Provide a name for the new certificate template

Step 4: On the Compatibility tab, select Windows Server 2008 R2 for the Certification Authority, and Windows 7 / Server 2008 R2 for the Certificate recipient

Step 5: Navigate to the Subject Name tab

Step 6: Supply in the request should already be selected, but you will need to select Use subject information from existing certificates for autoenrollment renewal requests

Step 7: Navigate to the Security tab

Step 8: Click Add…

Note: In this example I will be using the name of my web server. This is obviously not a scalable solution. In an enterprise environment you would want to use a security group that contains the web servers.

Step 9: Add the computer or group name and click OK. If using a computer name, you will need to click on Object Types… and select Computers

Step 10: Select either the computer or group you added and select Allow permissions for Read, Enroll, and Autoenroll

Step 11: Click OK

Adding the Certificate Template to the CA(s)

You will need to add the template to an Enterprise CA to support enrollment

Step 1: Open the Certification Authority MMC (certsrv.msc)

Step 2: Right-click on Certificate Templates and from the context menu select New and then Certificate Template to Issue

Step 3: Select the newly created Web Server template and then click OK

Enrolling for the New Web Server Certificate Template

This document covers automatically renewing a TLS certificate and re-binding it in IIS. However, you must have an existing certificate to renew. Autoenrollment in this instance cannot be used to request the initial certificate, because web sites use custom names that must be specified during enrollment.

Step 1: Open the Certificates MMC targeted to the Local Computer (certlm.msc)

Step 2: Right-click on Personal and from the context menu select All Tasks and then Request New Certificate…

Step 3: The Certificate Enrollment Wizard will open, click Next

Step 4: On the Select Certificate Enrollment Policy page of the wizard, click Next

Step 5: On the Request Certificate page of the wizard click on the blue link (More information is required to enroll for this certificate. Click here to configure settings.)

Step 6: On the Subject tab, under Alternative name change the Type to DNS

Step 7: In the Value field, enter the DNS name that is used by the website/webserver

Step 8: Click Add

Repeat Steps 7 and 8 if you need to add additional names

Step 9: Click OK

Step 10: Select the certificate template and then click Enroll

Step 11: After enrollment completes, click Finish

Verifying Re-bind Step 1 (Optional)

The Verifying Re-bind sections of this document just show the steps to verify that autoenrollment and re-bind are working. You do not need to perform these steps unless you are demoing or troubleshooting this process. Also, the process outlined in this step is viewing the serial number of the certificate in the Certificates MMC. You could also view the certificate by navigating to the website, clicking the lock icon and viewing the certificate.

Step 1: Locate the certificate that was previously enrolled

Step 2: Open the Detail tab and locate the Serial number field

Step 3: Take note of the serial number by copying and pasting it into a notepad file

Configuring the Certificate in IIS

Step 1: Navigate to Default Web Site

Step 2: Click Bindings…

Step 3: Click Add…

Step 4: Select https from the drop-down menu

Step 5: Select the certificate you previously enrolled from the context menu

Step 6: Click OK

Step 7: Click Close

Step 8: Navigate to the Website you want to protect with the TLS certificate

Step 9: Open SSL settings from the middle pane

Step 10: To require SSL on the Website or Virtual Directory select Require SSL

Enable Certificate Re-binding in IIS

Step 1: Navigate to the server name in IIS Manager

Step 2: In the middle pane open up Server Certificates

Step 3: In the middle pane, select the appropriate certificate

Step 4: In the Actions pane select Enable Automatic Rebind of Renewed Certificates

(Optional) Verifying Re-bind Step 2

The following steps can be re-run after the certificate was supposed to renew to verify that the certificate was renewed and re-bound.

If testing re-bind you will need to speed up the renewal process, as you may not want to wait a year or so to verify in your pilot that it works.

Step 1: Locate the template in Certtmpl.msc

Step 2: Right-click on the template and select Reenroll All Certificate Holders

Step 3: On the Web Server run gpupdate /force or certutil -pulse to trigger the autoenrollment client

Step 4: Navigate to the website over https

Step 5: Click on the lock icon

Step 6: In the pop up click View certificates

Step 7: Navigate to the Serial number field

Step 8: Take note of the serial number and compare it to the previously recorded serial number and verify that it is a different serial number than the one that was recorded during Verifying Re-bind Step 1
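Verifying Re-bind Steps 4 through 8 can be automated: the script below (an added example, not part of the original post) reads the certificate the site actually serves over TLS and compares its serial number with the one recorded in Verifying Re-bind Step 1, then confirms the renewed certificate still carries the site's DNS name in the SAN (the template's Subject Name setting reuses subject information from the existing certificate). $SiteName and $RecordedSerial are placeholders; the script needs PowerShell 5 or later and network access to the site on port 443.

```powershell
# Added example (not from the original post). $SiteName and $RecordedSerial
# are placeholders: the DNS name enrolled in the SAN and the serial noted in
# Verifying Re-bind Step 1. Requires PowerShell 5+ and reachability on 443.
$SiteName       = 'www.contoso.example'        # placeholder
$RecordedSerial = '1A 2B 3C 4D 5E 6F'          # placeholder (as copied from the MMC)

function Get-ServedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept any chain: we only want to read the served certificate, not trust it
        $ssl = [System.Net.Security.SslStream]::new(
            $client.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($HostName)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

# Serials are compared without spaces/colons and case-insensitively, since the
# MMC shows them as spaced hex pairs while .NET returns a bare hex string
function ConvertTo-NormalizedSerial { param([string]$Serial) ($Serial -replace '[\s:]', '').ToUpperInvariant() }

$served       = Get-ServedCertificate -HostName $SiteName
$servedSerial = ConvertTo-NormalizedSerial $served.SerialNumber

if ($servedSerial -eq (ConvertTo-NormalizedSerial $RecordedSerial)) {
    Write-Warning "Site still serves the OLD certificate (serial $servedSerial); rebind has not happened"
} else {
    Write-Host "Site serves a new certificate: serial $servedSerial, expires $($served.NotAfter)"
}

# Renewal reuses the subject info of the existing certificate, so the SAN must still name the site
$san = $served.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san -and $san.Format($false) -match [regex]::Escape($SiteName)) {
    Write-Host "SAN still contains $SiteName"
} else {
    Write-Warning "SAN does not contain $SiteName; check the template's Subject Name settings"
}

# When run on the web server itself, confirm the served cert is the one in the machine store
$inStore = Get-ChildItem Cert:\LocalMachine\My -ErrorAction SilentlyContinue |
    Where-Object { $_.Thumbprint -eq $served.Thumbprint }
if ($inStore) { Write-Host "Served certificate found in LocalMachine\My with a private key: $($inStore.HasPrivateKey)" }
```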

-Chris

Viewing Certificate Requests in the CA Database


In this blog I will show you how to view certificate requests in the CA database. This can be useful when troubleshooting. It is especially helpful in scenarios where you have to identify what process is requesting the certificate.

Step 1: Open the Certification Authority MMC (certsrv.msc)

Step 2: Select the View menu and then Add/Remove Columns…

Step 3: In Available columns select Binary Request and then click Add

Step 4: Click OK

To view a request:

Step 1: Navigate to Issued Certificates

Step 2: Identify the certificate you are interested in viewing its associated request

Step 3: Right-click on the certificate and select All Tasks then Export Binary Data…

Step 4: Select Binary Request

Step 5: Leave View formatted text version of the data as selected

Step 6: Click OK

Now you can view the request and identify information such as the User and Machine that made the request as well as the service that initiated the request

Below is a video that covers the same topic covered in this article:

If there are any topics you would like me to cover in future blog posts, reach out to me through my contact page.

-Chris

Using Autoenrolled Certificates with Palo Alto VPN

So, I recently did some work with an organization that uses the VPN features of the Palo Alto firewall.

The desired configuration was to have users use autoenrollment to get user certificates that would be used to connect to the VPN. If for some reason a user was not able to autoenroll for a certificate they would be provisioned a certificate from the firewall. The firewall used the SCEP protocol to enroll for a certificate from the Network Device Enrollment Server (NDES).

We were able to get the firewall to work with an NDES certificate, but not an autoenrolled certificate. After some troubleshooting, we realized that when a certificate was enrolled from the NDES server, the VPN requested an additional field in the subject. That field was serial number, and it included a GUID as the value for that attribute. We realized that that serial number was key to authenticating the client. In fact it is mentioned in Palo Alto's documentation:

If you want the firewall to block sessions when the serial number attribute in the subject of the client certificate does not match the host ID that the GlobalProtect app reports for the endpoint, select Block sessions if the certificate was not issued to the authenticating device. https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/certificate-management/configure-a-certificate-profile

Since we cannot add custom fields into certificates during autoenrollment without writing a policy module, we decided to disable this feature.

This article has the details on how to configure the Certificate Profile for Palo Alto: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFoCAK

We had to disable the setting Block session if the certificate was not issued to the authenticating device.

After this change we could use certificates that did not contain the serial number field and could then use autoenrolled certificates.