# Scenarios

adam-kosseck edited this page Nov 7, 2022 · 1 revision

This page details various environment configuration scenarios for cepces.
Note: In this scenario the Windows AD domain is `test.local`.

Microsoft documentation for Cert Enrolment via CEP/CES can be found here.

The solution comprises the following Windows servers:

- AD DC
  - AD & DNS roles
  - Promoted to DC
- AD CA
  - AD Certificate Services
  - Setting the CA to use the hostname for the certificates is advisable
- AD Member Server
  - Joined to the domain
  - Optional server; it's just for confirming that the client certificate enrolment process works from Windows.
## AD DC

- Install Windows Server
- Configure OS Network settings
  - Disable IPv6
  - Assign a static IP (e.g. `192.168.0.50`)
- Set the correct Timezone
- Ensure the DC has a clear and unique hostname (e.g. `dc`)
- Add Roles using Server Manager
  - "Active Directory Domain Services" role, and management tools.
- Configure Roles
  - AD DS - Run post-install configuration
    - Promote to DC (Add a new forest)
    - Root domain name (e.g. `test.local`)
    - Note: This adds and configures the DNS Server role
- Add Roles using Server Manager
  - "DHCP Server" role, and management tools.
- Configure Roles
  - DHCP - Run post-install configuration.
- Add a new user (service account) to the domain: `svc_cepces`
  - User cannot change password
  - Password never expires
## AD CA

- Install Windows Server
- Configure OS Network settings
  - Disable IPv6
  - Assign a static IP (e.g. `192.168.0.55`)
  - Ensure the DC is set as the DNS server
- Set the correct Timezone
- Ensure the CA has a clear and unique hostname (e.g. `ca`)
- Join to the domain
  - NOTE: After the reboot ensure that:
    - You log in as a domain administrator
    - Server time is the same as the DC
- Add Roles using Server Manager
  - "Active Directory Certificate Services" role, and associated management tools.
  - Add the following role services:
    - Certification Authority
    - Certification Authority Web Enrollment
    - Certificate Enrollment Policy Web Service
    - Certificate Enrollment Web Service
    - Online Responder (potentially not required)
  - NOTE: This adds and configures the Web Server (IIS) role
- Configure the svc_cepces service account
  - Edit Local Users and Groups
    - Add `svc_cepces` to IIS_IUSRS
  - From the Command Prompt or PowerShell, create an SPN connecting HTTP to svc_cepces:

    ```
    setspn -s http/ca.test.local test\svc_cepces
    ```

  - Set up Delegation via PowerShell:

    ```
    Get-ADUser -Identity svc_cepces | Set-ADAccountControl -TrustedToAuthForDelegation $True
    Set-ADUser -Identity svc_cepces -Add @{'msDS-AllowedToDelegateTo'=@('HOST/CA.test.local','RPCSS/CA.test.local')}
    ```

- Configure Roles
  - AD CS - Run post-install configuration
    - Select "Certification Authority", "Certification Authority Web Enrollment" and "Online Responder" as the Role Services to configure
    - Set up as an Enterprise CA (must be logged on as a domain admin, otherwise greyed out)
    - Select Root CA
    - Create a new private key
      - The default key is RSA 1024, which is too weak; choose something more secure like `ECDSA_P384`, with a key length of `384` and the `SHA256` hash algorithm.
    - Specify the Common name for the CA, e.g. `Test Root CA`
      - Note: The DN for this example will be `CN=Test Root CA,DC=test,DC=local`
    - Accept defaults for the remaining options
  - AD CS - Run post-install configuration
    - Select "Certificate Enrollment Web Service" and "Certificate Enrollment Policy Web Service" as the role services to configure
    - Ensure that "CA Name" is the selected method for Cert Enrollment Web Services
    - Choose Windows integrated authentication for CES (lets the Linux client authenticate using Kerberos)
    - Specify the service account (e.g. `TEST\svc_cepces`)
    - Choose Windows integrated authentication for CEP (lets the Linux client authenticate using Kerberos)
    - Select "Choose and Assign a certificate for SSL later"
    - Take note of the instructions displayed post configuration:
      - CES - Delegation must be enabled for the web service account (completed in step 8 above)
      - CEP - A server auth cert must be configured to encrypt comms between clients and the service. Use the IIS snap-in to verify the server auth certificate (steps 14-18)
      - CEP - Group Policy settings must be applied to client computers to direct Cert enrolment requests to the web service (step 19)
- Confirm the CEP & CES IIS Application Pools are configured to use the service account
  - Start IIS Manager
  - Navigate to CA -> Application Pools
  - Select `WSEnrollmentPolicyServer`
  - Select "Advanced Settings"
  - Under the "Process Model" heading, ensure "Identity" is set to the service account (e.g. `TEST\svc_cepces`)
  - Repeat for `WSEnrollmentServer`
- Assign a "Friendly Name" for the Kerberos CEP Provider
  - Start IIS Manager
  - Navigate to CA -> Sites -> Default Web Site
  - Select `ADPolicyProvider_CEP_Kerberos` and click "Application Settings"
  - Edit the "FriendlyName" field and assign something like `CA_CEP`
- Enable Certificate Templates on the CA (needs to be done before any can be requested)
  - Start CA Manager
  - Navigate to Test Root CA -> Certificate Templates
  - Right-Click -> New -> Certificate Template to Issue
  - Select certificate type(s) and click OK
  - Do this for each of these certificate types:
    - Administrator
    - Authenticated Session
    - CEP Encryption
    - Code Signing
    - Computer
    - Enrollment Agent
    - Enrollment Agent (Computer)
    - Kerberos Authentication
    - User
    - User Signature Only
    - Web Server
    - Workstation Authentication
  - TODO: The above cert type list is excessive, and should be culled.
- Ensure that the svc_cepces account has permission to request a certificate on the CA
  - Start CA Manager
  - Navigate to Test Root CA -> Properties -> Security
  - Add -> `svc_cepces`
  - Check "Allow" under "Request Certificates" and click "OK".
- Update MS Certificate Services to allow a SAN to be set on certificates
  - NOTE: By default IIS does not allow SANs to be set via the web interface, but these are required for the certificate to be recognised and accepted.
  - Open up a command prompt, and run the following:

    ```
    certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
    net stop certsvc
    net start certsvc
    ```

  - NOTE: Steps 14 & 15 are not necessary if you generate a CSR (including SANs) via the CLI
- Generate a Certificate Request for the IIS Webserver
  - Start IIS Manager
  - Navigate to CA
  - Click "Server Certificates"
  - NOTE: This is normally done via "Create Domain Certificate" under "Server Certificates" in IIS under the root node, but that method cannot be used here as it only creates 1024-bit RSA keys.
  - Click "Create Certificate Request"
  - Populate at least the minimum Certificate fields:
    - CN: `ca.test.local`
    - Org
    - City
    - State
    - Country
  - Select Cryptography
    - Provider: Microsoft RSA SChannel Cryptographic Provider
    - Bit length: `4096`
  - Specify a Filename for the request
- Submit the CSR
  - Open up the IIS Certserver by navigating to http://localhost/certsrv
  - Request a certificate > advanced certificate request
  - Saved Request: Paste the contents of the CSR you generated
  - Certificate template: Web Server
  - Additional Attributes (add the SAN here): `san:dns=ca.test.local&dns=ca`
  - Click Submit; the certificate should download into your downloads folder.
- Sign the IIS Webserver CSR
  - Start IIS Manager
  - Navigate to CA
  - Click "Complete Certificate Request"
  - Navigate to the file created in the previous step
  - Input a friendly name, e.g. `CA`
  - Store it in the "Web Hosting" Store
- Issue a Certificate for IIS
  - Start IIS Manager
  - Navigate to CA
  - Click "Server Certificates"
  - Click "Create Domain Certificate"
  - Populate at least the minimum Certificate fields:
    - CN: `ca.test.local`
    - Org
    - City
    - State
    - Country
  - Specify the CA details:
    - Online CA: `Test Root CA\ca.test.local`
    - Friendly name: `CA`
- Confirm IIS is configured to use the Certificate for HTTPS
  - Start IIS Manager
  - Navigate to CA -> Sites -> Default Web Site
  - Click "Bindings"
  - Select HTTPS and click "Edit"
  - Ensure the CA Server web cert (`CA`) is selected under "SSL certificate"
  - View this certificate, and ensure that it has an EKU of "Server Authentication".
- AD Cert Enrolment GPO Configuration
  - Start the Group Policy Management tool on the DC via Server Manager
  - Expand Forest -> Expand Domains
  - Right-click on the domain and select "Create a GPO in this domain, and link it here"
  - Name: "Certificate Enrollment Policy Web Service Certificates"
  - Select this new GPO, right-click on it and select "Edit"
  - Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies
  - Double-click "Certificate Services Client - Certificate Enrollment Policy"
  - Change "Configuration Model" to Enabled
  - Click Add, enter the URI in the text field, and click "Validate Server".
    - `https://ca.test.local/ADPolicyProvider_CEP_Kerberos/service.svc/CEP`
  - Click Add if successful.
    - Note: If a failure occurs, try running `iisreset` on the CA server.
  - Validate the settings via PowerShell:

    ```
    Get-CertificateEnrollmentPolicyServer -Scope All -Context Machine
    ```
## AD Member Server

- Install Windows Server
- Set the correct Timezone
- Configure OS Network settings
  - Disable IPv6
  - Assign a static IP (e.g. `192.168.0.60`)
  - Ensure the DC is set as the DNS server
- Ensure the member server has a clear and unique hostname (e.g. `ms1`)
- Join to the domain
- Log in as the local (not domain) administrator
- Open the MMC certificates snap-in
- Select "Computer Account" and "Local computer"
- Navigate to "Certificates" -> "Personal"
- Right-Click -> "All Tasks" -> "Request New Certificate"
- Click "Add New" under "Configured by you"
  - Enter the enrolment policy server URI: `https://ca.test.local/ADPolicyProvider_CEP_Kerberos/service.svc/CEP`
    - Note: This URL can be confirmed by checking IIS on the CA: Default Web Site -> ADPolicyProvider_CEP_Kerberos -> Application Settings -> "URI".
  - Click "Validate Server" to confirm
    - You should see a confirmation message appear stating that the URI validated successfully. There should be no warnings.
    - Note: If a warning about a duplicate ID is received, change the ID GUID on the CA Server, under IIS Application Settings for ADPolicyProvider_CEP_Kerberos, and re-validate.
  - Click Add -> Next
  - Select "Computer" and click "Enroll"
  - If enrolment succeeds, view the certificate to confirm the details appear correct.
- Shut down this machine, as it is no longer required.
## Linux client (cepces)

- Add the EPEL repository definitions:

  ```
  rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8
  dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
  ```

- Install `cepces` and the required support packages:

  ```
  dnf install -y certmonger cepces
  dnf install -y cepces-certmonger cepces-selinux
  ```

- Download and extract CEPCES

  ```
  wget https://github.com/openSUSE/cepces/archive/refs/tags/v0.3.6.tar.gz
  tar -xzvf v0.3.6.tar.gz
  cd cepces-0.3.6
  ```

- Install CEPCES and its dependencies

  ```
  dnf install -y krb5-devel gcc platform-python-devel
  python3 -m pip install --upgrade pip
  python3 -m pip install -r requirements.txt
  python3 setup.py install
  ```

- Ensure your machine time is synced with the network, either via Chrony or the VM agent.
- Install the SSSD package and associated dependencies:

  ```
  dnf install -y sssd realmd sssd-tools adcli oddjob oddjob-mkhomedir krb5-workstation
  ```

- Set a fully qualified hostname:

  ```
  hostnamectl set-hostname vm1.test.local
  ```

- Join the target domain
  - Ensure DNS is configured correctly to resolve the new domain
  - Perform discovery and join:

    ```
    realm discover test.local
    realm join test.local
    ```

  - The above realm join should by default configure SSSD to use mkhomedir
  - Enable the oddjobd service:

    ```
    systemctl enable --now oddjobd.service
    ```

  - Sample SSSD config:

    ```
    [sssd]
    domains = test.local
    config_file_version = 2

    [domain/test.local]
    #debug_level = 1
    realmd_tags = manages-system joined-with-adcli
    id_provider = ad
    access_provider = ad
    auth_provider = ad
    chpass_provider = ad
    ad_domain = test.local
    ldap_schema = ad
    ldap_id_mapping = true
    ldap_sasl_mech = gssapi
    ldap_sasl_authid = vm1.test.local
    ldap_krb5_init_creds = true
    krb5_realm = TEST.LOCAL
    krb5_store_password_if_offline = True
    # krb5_keytab = /etc/sssd/krb5.keytab
    use_fully_qualified_names = False
    cache_credentials = True
    ```

- Ensure krb5.conf is pointing to the new domain
  - Ensure the DNS search domain and hostname are configured for the new domain in `/etc/resolv.conf`
  - Ensure krb5.conf is configured properly:

    ```
    kinit <user>
    HN=$(hostname -s)   # short hostname: the machine account principal is of the form VM1$@TEST.LOCAL
    DN=$(hostname -d)
    kinit -kt /etc/krb5.keytab "${HN^^}\$@${DN^^}"
    # Confirm the kerberos keys look ok
    klist -kt
    ```

  - Back up /etc/krb5.keytab to /etc/sssd/krb5.keytab
  - Update sssd.conf to point to the new kerberos keytab:

    ```
    krb5_keytab = /etc/sssd/krb5.keytab
    ```

- Ensure `/etc/cepces/cepces.conf` and `/etc/cepces/logging.conf` exist. If not, copy them from `/usr/local/etc/cepces/`.
- Configure cepces.conf for Certmonger (the `cas` value contains slashes, so the second sed uses `|` as its delimiter):

  ```
  sed -i "s/^server=.*/server=ca.test.local/" /etc/cepces/cepces.conf
  sed -i "s|^#cas=.*|cas=/etc/ssl/certs/ca-bundle.crt|" /etc/cepces/cepces.conf
  ```

- Ensure the logging.conf file is also present in /etc/cepces/, otherwise logs will just go to syslog
- Start and enable the CertMonger service:

  ```
  systemctl enable certmonger --now
  ```

- Configure the CA (Option 1, vanilla)

  ```
  sudo getcert add-ca -c cepces -e '/usr/local/libexec/certmonger/cepces-submit'
  ```

- Configure the CA (Option 2, if you don't want to define settings in cepces.conf)

  ```
  sudo getcert add-ca -c cepces -e '/usr/local/libexec/certmonger/cepces-submit --server=ca.test.local --keytab=/etc/krb5.keytab [email protected]'
  ```

- Ensure we have the CA certificate in our trust store
  - Get a copy of the certificate for the root CA
    - Copy the CA cert with a .cer extension to the machine under /etc/pki/ca-trust/source/anchors:

      ```
      echo | openssl s_client -servername ca.test.local -connect ca.test.local:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/pki/ca-trust/source/anchors/ca.crt
      ```

    - NOTE: `s_client` prints the certificate the web server presents, which may be the IIS web-server cert rather than the root CA cert. If the above doesn't give you the root CA certificate, then:
      - Run the following command on the CA:

        ```
        certutil -ca.cert <filename.cer>
        ```

      - Copy the CA cert to /etc/pki/ca-trust/source/anchors/
  - Update the trust store:

    ```
    update-ca-trust extract
    ```
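The cepces.conf edits above are simplest with sed, but a value full of slashes (the CA bundle path) collides with sed's default delimiter. The helper below is an added example, not code from the cepces project or this wiki: it sets a key inside a section of an INI-style file, replacing a live or commented-out (`#key=`) line, and is run here against a constructed sample rather than the real `/etc/cepces/cepces.conf`.

```bash
#!/usr/bin/env bash
# Added helper (not from the cepces project): set key=value inside one section
# of an INI-style file such as /etc/cepces/cepces.conf. A live or commented-out
# ("#key=") line in that section is replaced; otherwise the key is appended to
# the section. No sed delimiter is involved, so slashes in the value are safe.

set_ini_key() {  # set_ini_key <file> <section> <key> <value>
    local file="$1" section="$2" key="$3" value="$4"
    awk -v s="$section" -v k="$key" -v v="$value" '
        # section header: if leaving the target section without having written
        # the key, append it just before the header
        /^\[/ { if (in_s && !done) { print k "=" v; done = 1 }
                in_s = ($0 == "[" s "]") }
        # live or commented-out occurrence inside the target section: replace it
        in_s && !done && $0 ~ ("^[#; \t]*" k "[ \t]*=") { print k "=" v; done = 1; next }
        { print }
        END { if (!done) { if (!in_s) print "[" s "]"; print k "=" v } }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

get_ini_key() {  # get_ini_key <file> <section> <key>  -> prints the live value
    awk -F= -v s="$2" -v k="$3" '
        /^\[/ { in_s = ($0 == "[" s "]"); next }
        in_s && $1 == k { sub(/^[^=]*=/, ""); print; exit }
    ' "$1"
}

configure_cepces() {  # configure_cepces <conf> <ca-hostname> <ca-bundle-path>
    set_ini_key "$1" global server "$2"
    set_ini_key "$1" global cas "$3"
}

# Constructed sample resembling a fresh cepces.conf: server unset, cas commented out.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[global]
server=
auth=Kerberos
#cas=/path/to/ca-bundle.crt
[kerberos]
keytab=/etc/krb5.keytab
EOF
configure_cepces "$demo_conf" ca.test.local /etc/ssl/certs/ca-bundle.crt
echo "server=$(get_ini_key "$demo_conf" global server)"   # server=ca.test.local
echo "cas=$(get_ini_key "$demo_conf" global cas)"         # cas=/etc/ssl/certs/ca-bundle.crt
rm -f "$demo_conf"
```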
## Testing

- Request a machine cert from the CA

  ```
  sudo getcert request -c cepces -w -v -M 644 -T Machine -I Computer -k /tmp/computer.key -f /tmp/computer.crt
  ```

  - Note: the `-T` parameter is the name of the certificate template type on the CA.
  - Note: Saving the key and certificate to locations other than /tmp may cause SELinux denials
- Delete any failed requests and investigate (check the Troubleshooting section).

  ```
  sudo getcert stop-tracking -i Computer
  ```

- If the request appears to succeed, inspect the generated certificate to confirm.

  ```
  openssl x509 -in /tmp/computer.crt -text -noout
  ```

- Navigate to the CEP URL in a browser or via curl/wget to confirm that the SSL certificate is trusted (e.g. `https://ca.test.local/ADPolicyProvider_CEP_Kerberos/service.svc/CEP`)
- Check for SELinux denials
- Power up the 3rd Windows Server to ensure that Windows cert enrolment still works. If it has stopped working, execute an `iisreset` on the CA server.
- Make sure your Kerberos ticket is valid
- Test the CEP URL via PowerShell or the command prompt on Windows:

  ```
  certutil -ping -Kerberos https://ca.test.local/ADPolicyProvider_CEP_Kerberos/service.svc/CEP
  ```

  - Note: This command can sometimes be blocked by Windows Defender, as it can be incorrectly identified as a threat. If so, whitelist it.
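Reading the `openssl x509 -text` output by eye is error-prone, so here is an added check (not part of cepces or this wiki) that tests the properties this page calls for: a SAN entry for the host, no RSA key weaker than the given size, no SHA-1 signature, and a Server Authentication EKU. It works for the computer cert certmonger saved under /tmp and for the IIS web-server cert fetched from ca.test.local; the self-signed sample it generates is constructed purely so the check can be exercised offline.

```bash
#!/usr/bin/env bash
# Added check (not from cepces or this wiki): inspect an issued certificate
# with the openssl CLI and report every requirement from this page it misses.
#   check_issued_cert <pem-file> <expected-dns-name> [min-rsa-bits]  -> 0 on pass
check_issued_cert() {
    local pem="$1" fqdn="$2" min_bits="${3:-2048}" text san bits rc=0
    text=$(openssl x509 -in "$pem" -noout -text 2>/dev/null) \
        || { echo "FAIL: $pem is not a readable X.509 certificate"; return 1; }
    # SAN: split the comma-separated list and require an exact DNS:<fqdn> entry
    san=$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | tail -n1 \
          | tr ',' '\n' | sed 's/^[[:space:]]*//')
    if ! printf '%s\n' "$san" | grep -qxF "DNS:$fqdn"; then
        echo "FAIL: no SAN entry DNS:$fqdn (found: ${san:-none})"; rc=1
    fi
    # key strength: reject the RSA 1024 default the page warns about
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)
    if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' \
        && [ "${bits:-0}" -lt "$min_bits" ]; then
        echo "FAIL: RSA key is ${bits:-unknown} bits, below $min_bits"; rc=1
    fi
    # signature hash: SHA-1 is not acceptable
    if printf '%s\n' "$text" | grep -qi 'Signature Algorithm: .*sha1'; then
        echo "FAIL: certificate is SHA-1 signed"; rc=1
    fi
    # EKU: the IIS HTTPS binding (and the Computer template) need Server Authentication
    if ! printf '%s\n' "$text" | grep -A1 'Extended Key Usage' \
            | grep -q 'TLS Web Server Authentication'; then
        echo "FAIL: EKU lacks Server Authentication"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "PASS: $pem"
    return "$rc"
}

# Constructed self-signed sample so the check can be exercised offline
# (needs OpenSSL 1.1.1 or newer for -addext).
#   make_sample_cert <out-pem> <san-spec>
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=ca.test.local' \
        -keyout "${1%.pem}.key" -out "$1" -addext "subjectAltName=$2" \
        -addext 'extendedKeyUsage=serverAuth' >/dev/null 2>&1
}

# e.g. ./check_cert.sh /tmp/computer.crt vm1.test.local
if [ $# -ge 2 ]; then check_issued_cert "$@"; fi
```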