Overview

This chapter guides you through installing and configuring Microsoft Windows Server™ 2003 Certificate Services. Certificate Services is an optional component of Windows Server 2003 and is not installed by default. An installation of Certificate Services is referred to as a Certification Authority (CA). Only one CA is required for the Securing Wireless LANs with PEAP and Passwords solution. This CA will be used to issue certificates to the Internet Authentication Service (IAS) servers (discussed in the subsequent chapters of this solution).

The goal of this chapter is to provide you with a very simple, special purpose CA. Unlike most CAs, it will be used to issue only one type of certificate: server certificates for the IAS servers used in the solution. For this reason, it has been designed to be extremely simple to install, configure, and manage. It is important to note that if your organization plans on using certificates for additional purposes in the future, such as IPSec or VPN, Microsoft recommends considering a more robust Public Key Infrastructure (PKI) architecture for your environment. See the planning materials referenced in Chapter 2, "Planning a Wireless LAN Security Implementation," for more details.

The information in this chapter is limited to the implementation instructions for the CA. This chapter does not explain any of the general concepts of PKI, or any of the implementation details of Microsoft Certificate Services other than what is necessary to complete the installation. It also does not address using this CA to issue any types of certificates other than the server authentication certificates for IAS.

This chapter is based on the assumption that you do not currently have a PKI in your organization. If you do have one, it may be possible to issue certificates to the IAS servers from it rather than installing the CA described in this chapter. However, guidance on how to do this, or on how to install this CA into your existing PKI, is outside the scope of this solution.

Instead of installing your own CA, you can obtain certificates from a commercial CA such as VeriSign or Thawte. For a discussion of the relative merits of installing your own CA versus buying certificates from an external provider, see the "Obtaining Certificates for IAS Servers" section in Chapter 2, "Planning a Wireless LAN Security Implementation." This chapter does not include any guidance on obtaining and using certificates from a commercial CA. At the end of the chapter, however, there is a reference to a Microsoft document that describes this process.

Chapter Prerequisites

In addition to the prerequisites listed in Chapter 3, "Preparing Your Environment," you should be familiar with Certificate Services and PKI concepts (although in-depth knowledge is not required). Before implementing the instructions in this chapter, you need to read and implement the guidance provided in Chapter 3, "Preparing Your Environment." You should also have read the design and planning information in Chapter 2, "Planning a Wireless LAN Security Implementation," and have a thorough understanding of the architecture and design of the solution.

Preparing for Implementation

Permissions Needed

To carry out the procedures in this chapter, you need to log on with an account that is a member of the following groups:
By default, the built-in Administrator account of the forest root domain (the first domain created in the forest) is a member of both these groups, but you may use any other account with the same group memberships.

Note: If you are not installing the CA into the forest root domain, and the forest is a Windows 2000 Active Directory (or has been upgraded from a Windows 2000 Active Directory), the account used for the installation will also need to be a member of the forest root domain.

Tools Needed

You need the following tools to carry out the procedures in this chapter.

Table 4.1: Tools Needed to Build and Install a CA
Certification Authority Parameters

The following table lists the parameters that are used for installing and configuring the CA in this solution. These parameters are all set in the PKIparams.vbs script file and may be modified there if required.

Table 4.2: CA Settings Used in the Solution
Note: The validity period of the CA is set to a large value to avoid the administrative overhead of having to renew the CA certificate periodically. Unlike the certificates issued to computers and users, CA certificates cannot be renewed automatically, and if the CA certificate is not renewed before it expires, all certificates issued by the CA will fail.

Important: The settings listed in the previous table were used in the internal testing of this solution and are known to work as documented. Many of these values can be changed, but you should do this only if you fully understand the purpose of a particular setting and the implications of changing it.

Checking Readiness for Installation

Before installing Certificate Services on your server, you must ensure that the domain is contactable and that the required tools have been installed.

To check the server prior to installation of the CA
The script checks for the following:
If any problem is detected, you are notified with an error logged to the script console window. You should investigate and correct this error before continuing.

Installing Certificate Services

This section describes how to install Certificate Services to create a CA. The CA is installed as an Enterprise Root CA.

Installing the Certificate Services Software Components

You must install the CA software components using the supplied script. This script uses the Windows Optional Components Installation Manager to install the CA, building all required configuration files as it runs. To perform the installation, use the Windows Server 2003 installation CD (or the network path to a Windows installation source).

Caution: If a CA was previously installed, or if you are trying to reinstall the CA, you must first remove the existing installation. Before removing the CA, ensure that it is not in use by other applications. Use Add/Remove Windows Components in the Add/Remove Programs applet in Control Panel to remove Certificate Services.

To install Certificate Services
Verifying the CA Installation

You can verify successful completion of the Certificate Services installation using the following procedure.

To verify correct installation of the CA
If any of the previous values are not what you expected, you must restart the Certificate Services installation.

Note: If you need to rerun the CA installation, you must first remove the installed Certificate Services as described earlier.

Configuring the CA

After the CA is installed, you must run some additional scripts to configure some of the remaining CA parameters.

Configuring the CA Properties

This procedure sets a number of parameters on the CA, which govern how it behaves. Some of these parameters are set during the CA installation, while others must be set after the installation. The values of these parameters are specified in the "Certification Authority Parameters" section earlier in this chapter. The script used in this procedure configures the CA properties as listed in the following table.

Table 4.4: CA Configuration Properties
Note: Many of these parameters affect the configuration of the CA's certificate revocation list (CRL). A CRL is a list of certificates that were issued by the CA but were subsequently canceled (or revoked) by the administrator. Even though you are unlikely to ever need to revoke any certificates while managing this solution, many applications rely on being able to read a current CRL to check the revocation status of a certificate (even though the CRL might be empty). If the application cannot find a CRL, it may reject the certificate.

To configure the CA properties
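The rejection behaviour described in the note can be observed from the client side before an IAS server ever presents its certificate. The following PowerShell function is an added example, not one of the solution's scripts: it builds a certificate chain with online revocation checking (the same check a PEAP client or any other relying party performs), lists the CRL distribution point URLs carried in the certificate, and reports whether the CRL could be retrieved. The certificate path is a placeholder, and the script assumes Windows PowerShell 3.0 or later on the machine running the check.

```powershell
# Added example (not one of the solution's scripts): build a chain for a
# certificate with online revocation checking and report whether the CRL
# named in the certificate could be retrieved. The certificate path is an
# assumption; export a certificate issued by the CA to a .cer file to test it.
function Test-CertificateRevocationPath {
    param(
        [Parameter(Mandatory = $true)][string]$CertPath,
        [int]$TimeoutSeconds = 15
    )

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Force a fresh CRL fetch for every certificate in the chain rather than
    # accepting a cached copy; this is the step that fails when the CRL
    # distribution point is unreachable or the published CRL has expired.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds($TimeoutSeconds)

    $built = $chain.Build($cert)

    # A status containing RevocationStatusUnknown or OfflineRevocation means the
    # CRL could not be obtained; a strict relying party treats that as a failure.
    $crlProblems = @($chain.ChainStatus | Where-Object {
        $_.Status.ToString() -match 'RevocationStatusUnknown|OfflineRevocation'
    })

    # Pull the CRL distribution point URLs (extension OID 2.5.29.31) out of the
    # leaf certificate so the operator can see which locations were tried.
    $cdpUrls = @()
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if ($cdp) {
        $text    = $cdp.Format($true)
        $cdpUrls = @([regex]::Matches($text, '(?:http|ldap)://\S+') | ForEach-Object { $_.Value })
    }

    [pscustomobject]@{
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        ChainValid     = $built
        CrlUnavailable = ($crlProblems.Count -gt 0)
        CrlUrls        = $cdpUrls
        StatusDetail   = @($chain.ChainStatus | ForEach-Object {
            '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim()
        })
    }
}

# Usage (the path is a placeholder):
# Test-CertificateRevocationPath -CertPath 'C:\temp\ias-server.cer' | Format-List
```

Run it from a workstation that does not share a cache with the CA; if `ChainValid` is false and `CrlUnavailable` is true while `StatusDetail` shows no other problem, the CRL publication settings configured in this procedure are what needs attention, not the certificate itself.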
If the script reports an error, investigate the reason by tracing through the log file (%systemroot%\debug\MSSWLAN-Setup.log) and rerun the configuration script after correcting the problem.

Note: You can rerun this configuration script as many times as required.

Importing the Automatic Certificate Request GPO

This procedure imports the IAS Certificate Autoenrollment Policy GPO, which is preconfigured to allow automatic issuance of certificates to the IAS servers in the domain. It uses a feature called the Automatic Certificate Request Service (ACRS). ACRS should not be confused with the Autoenrollment capabilities in Windows Server 2003, Enterprise Edition, although the two perform similar functions. ACRS is a more limited service than Autoenrollment and was first used in Windows 2000. It only allows computer (not user) certificates to be enrolled and works only with version 1 certificate templates. However, ACRS is adequate for the limited certificate usage in this solution, and using it allows the CA to be installed on (the less expensive) Standard Edition of Windows Server 2003.

Important: If there are multiple domains in your Active Directory forest, you need to repeat this procedure for each domain in which you install an IAS server.

The script used in the following procedure imports a preconfigured GPO with a policy to automatically enroll certificates. The GPO specifies the predefined "Computer" certificate type as the type to enroll. The script then applies security permissions to the GPO so that only members of the RAS and IAS Servers group are affected (the default setting is to apply GPOs to all authenticated users and computers).

Note: In some contexts, the Computer certificate template may be referred to as the Machine template. "Machine" is the internal name of the template, whereas "Computer" is its display name.

To install the Automatic Certificate Request GPO into your domain
Next, you must link this GPO to the domain so that the GPO settings will be applied to the IAS servers. This is given as a manual procedure to allow you to control the process of linking the GPO. Automating this step would run the risk of overwriting existing GPO link settings in your domain.

To apply the Automatic Certificate Request GPO
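The security filtering that the import script applies, and the check the chapter asks you to make by hand before linking, can both be expressed with the GroupPolicy cmdlets. The following PowerShell is an added example, not one of the solution's scripts: it assumes the GroupPolicy module (shipped with Windows Server 2008 R2 and later, or RSAT) rather than the Windows Server 2003 tooling the chapter uses, that the imported GPO carries the display name given above, and that the domain distinguished name passed to the link report is a placeholder you replace. It narrows Apply to the RAS and IAS Servers group while leaving Authenticated Users with Read, and it lists the GPOs already linked at the domain root so you can confirm nothing will be displaced; it deliberately does not create the link, which the chapter keeps as a manual step.

```powershell
# Added example (not one of the solution's scripts). Assumes the GroupPolicy
# module; GPO and group names are taken from the chapter, the domain DN is a
# placeholder supplied by the caller.
Import-Module GroupPolicy

function Get-GpoApplyTrustees {
    param([Parameter(Mandatory = $true)][string]$GpoName)
    # One row per trustee holding Apply; this is what the Group Policy
    # Management Console shows under "Security Filtering".
    Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object {
            [pscustomobject]@{
                Trustee    = $_.Trustee.Name
                Permission = $_.Permission
            }
        }
}

function Set-IasAutoenrollmentGpoScope {
    param(
        [string]$GpoName    = 'IAS Certificate Autoenrollment Policy',
        [string]$ApplyGroup = 'RAS and IAS Servers'
    )

    # Authenticated Users keeps Read (computers must still be able to read the
    # GPO to evaluate it) but loses Apply, so the default "every computer"
    # scope no longer holds.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null

    # Only members of the IAS servers' group apply the policy and therefore
    # request a Computer certificate through ACRS.
    Set-GPPermission -Name $GpoName -TargetName $ApplyGroup -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    Get-GpoApplyTrustees -GpoName $GpoName
}

function Get-DomainGpoLinks {
    # $DomainDn is a placeholder such as 'DC=corp,DC=example'.
    param([Parameter(Mandatory = $true)][string]$DomainDn)
    # Lists what is already linked at the domain root, in link order, so the
    # manual linking step can be done without disturbing existing links.
    (Get-GPInheritance -Target $DomainDn).GpoLinks |
        Select-Object DisplayName, Enabled, Enforced, Order
}

# Usage:
# Set-IasAutoenrollmentGpoScope
# Get-DomainGpoLinks -DomainDn 'DC=corp,DC=example'
```

After `Set-IasAutoenrollmentGpoScope` the only Apply trustee reported should be RAS and IAS Servers; if Authenticated Users still appears, the `-Replace` on the first call did not take effect and the policy would still reach every computer in the domain.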
Verifying CA Configuration

The following procedure confirms that you have configured the CA correctly. The script verifies that:
These values are checked against the settings stored in the PKIParams.vbs file. The script does not check for absolute values; it only checks if the settings have been configured on the CA correctly.

To verify the CA configuration
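The same comparison can be reproduced outside the solution's script, which is useful when auditing a CA later or when the script itself is suspected. The following PowerShell is an added example, not the chapter's verification script: it reads each CA property with `certutil -getreg` (the registry keys named are real Certificate Services settings) and compares it with an expected value. The expected values in the hashtable are constructed placeholders, since this page does not reproduce the settings table; take the real ones from your copy of PKIParams.vbs. Run it on the CA with administrative rights.

```powershell
# Added example (not one of the solution's scripts): compare a set of expected
# CA registry properties with what the running CA reports via certutil. The
# expected values below are CONSTRUCTED placeholders; substitute the ones from
# your copy of PKIParams.vbs.
$ExpectedCaSettings = @{
    'CRLPeriod'           = 'Weeks'  # constructed
    'CRLPeriodUnits'      = 1        # constructed
    'CRLDeltaPeriodUnits' = 0        # constructed: 0 disables delta CRLs
    'ValidityPeriod'      = 'Years'  # constructed
    'ValidityPeriodUnits' = 2        # constructed: lifetime of issued certificates
}

function Get-CaRegistryValue {
    param([Parameter(Mandatory = $true)][string]$Name)
    # certutil -getreg CA\<Name> prints a line such as
    #   CRLPeriodUnits REG_DWORD = 1
    # or
    #   CRLPeriod REG_SZ = Weeks
    # The parsing below relies on that layout.
    $output = (& certutil.exe -getreg "CA\$Name" 2>&1) | Out-String
    if ($output -match 'REG_DWORD\s*=\s*(\d+)')   { return [int]$Matches[1] }
    if ($output -match 'REG_SZ\s*=\s*([^\r\n]+)') { return $Matches[1].Trim() }
    return $null   # value absent, or certutil could not read it
}

function Test-CaConfiguration {
    param([Parameter(Mandatory = $true)][hashtable]$Expected)
    # Emits one result object per setting; Match is $false when the CA's
    # value differs from, or is missing relative to, the expected one.
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $actual = Get-CaRegistryValue -Name $name
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $actual
            Match    = ("$actual" -eq "$($Expected[$name])")
        }
    }
}

$results = @(Test-CaConfiguration -Expected $ExpectedCaSettings)
$results | Format-Table -AutoSize

$failed = @($results | Where-Object { -not $_.Match })
if ($failed.Count -gt 0) {
    Write-Warning ('{0} setting(s) do not match; review the configuration script output and rerun it.' -f $failed.Count)
}
```

Like the chapter's script, this only confirms that the CA holds the values you told it to; it says nothing about whether those values are sensible for your environment, which is the judgement the "Important" note earlier in the chapter leaves with you.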
If the script output shows any failures, you should retrace the steps in this chapter and rectify the indicated problems.

Summary

This chapter guided you through the installation process of a special purpose CA to issue server certificates to IAS servers. The CA configuration used is designed to be extremely low maintenance and therefore should require minimal management in the future. However, the operational and support information that you may require is included in Chapter 8, "Maintaining the Secure Wireless LAN Solution." You are now ready to install the IAS servers. This will be covered in Chapter 5, "Building the Wireless LAN Security Infrastructure."

References

This section provides references to important supplementary information or other background material relevant to the content of this chapter.