This document provides guidance on the creation and implementation of certificates from an internal Microsoft Windows certificate server. This procedure was tested on a Forest integrated Certificate Server running Server 2008 R2. This procedure is intended to be performed by system administrators familiar with procedures for creating templates and issuing manually created certificates. Administrators who are unfamiliar with these procedures should consult their certificate server administrator before proceeding with this document.
For the purpose of this procedure the certificate server is assumed to be Active Directory integrated so that the root certificate is already visible to Windows clients in the domain running Internet Explorer. It may be necessary to deploy the root certificate to systems that run other browsers such as Firefox or Chrome. Other operating systems are not addressed as part of this document.
Creation of the template
In order to create a certificate for a KACE server using Microsoft Active Directory Certificate Services, you must first create a certificate template. This template defines the parameters for configuring a certificate. The following is provided as an example:
- On the server running Microsoft Active Directory Certificate Services, open Server Manager
- Expand Roles / Active Directory Certificate Services / Certificate Templates
- Right click Web Server and select Duplicate Template
Note: The Web server template is a predefined template provided by Microsoft. This template is in an old format. By duplicating the template you can update the format to a format that supports additional configuration options.
- Select Windows Server 2008 Enterprise and click OK
- In the Template display name field, enter a name for your template
Note: in this example we accept the default two-year validity period. You may wish to change this depending on your security requirements. Keep in mind that you must renew the certificate before it expires; KACE will not renew the certificate automatically.
- Select the Request Handling tab
- Select Allow private key to be exported. If you do not do this, the rest of the procedure will not work. Allowing the private key to be exported creates a vulnerability: if you, as the administrator, fail to handle the certificate properly, you can compromise the SSL encryption of your system. All steps marked Caution below must be followed to protect the private key while it is in transit to the KACE server.
- Select the Cryptography tab
- It is critical that the Algorithm name be set to RSA.
Caution: RSA is the default setting. For environments that have followed Suite B guidance for configuring certificate servers, it is critical that you do not set the Algorithm name to any of the ECDH options. ECDH algorithms are incompatible with the web server on KACE. If you use any of the ECDH options, the web server on the KACE box will not start at the next reboot, and you will have to start port 80 web services from the console using the httpd80 command.
- Set the Minimum key size to 2048
Note: no testing has been done with keys larger than 2048
- Ensure that SHA1 has been set as the Request Hash
- Click OK to save the template and return to the Server Manager window
- Expand your CA
- Under your CA, select Certificate Templates
Note: This is not the same location that the certificate template was created in. You should be under the certificate server name that you intend to issue the certificate from.
- Right click Certificate Templates and select New / Certificate to Issue
- Select the certificate you created previously and click OK
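The following PowerShell is an added example, not part of the original article: it reads the duplicated template back from the Active Directory Configuration partition and checks the settings this procedure depends on (schema version, validity, key size, exportable key, RSA, SHA1). The template display name is an assumption; replace it with the name you entered.

```powershell
# Added example (not part of the original article): verify the duplicated template in AD.
$templateName = 'KACE Web Server'   # assumption: the Template display name you entered

$configNC  = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
$container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$searcher  = New-Object System.DirectoryServices.DirectorySearcher($container)
$searcher.Filter = "(&(objectClass=pKICertificateTemplate)(displayName=$templateName))"
$result = $searcher.FindOne()
if (-not $result) { throw "Template '$templateName' was not found under $($container.Path)" }
$p = $result.Properties

# pKIExpirationPeriod is a negative FILETIME-style interval (100 ns units) in 8 little-endian bytes.
$ticks        = [BitConverter]::ToInt64([byte[]]$p['pkiexpirationperiod'][0], 0)
$validityDays = [math]::Abs($ticks) / 864000000000
$schema       = [int]$p['mspki-template-schema-version'][0]   # 3 = Windows Server 2008 Enterprise
$minKeySize   = [int]$p['mspki-minimal-key-size'][0]
$keyFlags     = [int]$p['mspki-private-key-flag'][0]
$exportable   = ($keyFlags -band 0x10) -ne 0                  # CT_FLAG_EXPORTABLE_KEY
# Schema v3 templates store the Cryptography tab choices as name`type`value strings
# in msPKI-RA-Application-Policies (backticks are literal inside single quotes).
$raPolicies   = [string]$p['mspki-ra-application-policies'][0]
$rsa          = $raPolicies -match 'msPKI-Asymmetric-Algorithm`PZPWSZ`RSA(`|$)'
$sha1         = $raPolicies -match 'msPKI-Hash-Algorithm`PZPWSZ`SHA1(`|$)'

New-Object PSObject -Property @{
    Template = $templateName; SchemaVersion = $schema; ValidityDays = $validityDays
    MinKeySize = $minKeySize; PrivateKeyExportable = $exportable
    AlgorithmIsRSA = $rsa; RequestHashIsSHA1 = $sha1
} | Format-List

if (-not $rsa)            { Write-Warning 'Algorithm is not RSA: the KACE web server will not start with an ECDH certificate.' }
if (-not $exportable)     { Write-Warning 'Private key is not exportable: the PFX export step will fail.' }
if ($minKeySize -ne 2048) { Write-Warning "Minimum key size is $minKeySize; this procedure was tested only with 2048." }
if ($schema -lt 3)        { Write-Warning 'Template is not schema version 3; duplicate it as Windows Server 2008 Enterprise.' }
```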
Issuing a certificate for use by KACE
The following procedure will issue a certificate for your KACE server and provide guidance on how to import the certificate into KACE:
You must complete this procedure on a Windows 7 or Server 2008 R2 system while logged on with Administrator rights. It is recommended that you limit the number of systems that perform this function so that you limit exposure of private keys to compromise. Perform this procedure only on systems you are confident have not been compromised. Systems used for reading email probably don't fall within this category. Ensure that you have access to the Kace website and the certificate authority before performing this procedure.
- Run MMC.exe with administrator rights
- Select File and choose the Add/Remove snap-in option
- Select Certificates from the Available Snap-ins window and click Add
- Select Computer Account and click Next
Note: If you don't select Computer Account, you may not see the template needed to complete this procedure
- Click Finish to close the Select Computer window and return to the Add or Remove Snap-ins window
- Click OK to close the Add or Remove Snap-ins window and return to the MMC
- Expand Certificates (Local Computer) and navigate to Personal / Certificates
- Right click Certificates and select All Tasks / Request New Certificate
- Click Next to continue from the Before you begin screen
- Active Directory Enrollment Policy should already be selected. Click Next
- Select the policy created at the beginning of this document so that a check box appears next to the policy
- Select the link below the policy labeled "More information is required to enroll for this certificate. Click here to configure settings"
- On the Subject tab, under the Subject name area, change the Type field to Common name
- Type the hostname of your server in the Value box and click Add
Note: The KBOX Network configuration for the K1000 DNS Host Name must match what you put in this field. If you do not, the certificate will not work correctly.
- Under the alternate name section select DNS in the type field
- Enter the host name of your KBOX server in the value field and click add
Note: For many systems this will be KBOX
- Without changing the Type field, enter the fully qualified server name of your KACE server and click Add
Note: When complete you should have two entries under the DNS heading that reflect the hostname and fully qualified DNS name of your server.
- Change the Value field to the hostname of your KBOX server and click Add
- Change the lower Type field to IPAddress (V4)
- Change the Value field to the IP address of your KACE server and click Add
- Click OK to close the Certificate Properties
- Click Enroll to create the certificate
- Click Finish
At this point you have a certificate with a private key under Certificates in the MMC console's Certificates snap-in.
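Before exporting, it is worth confirming that the enrolled certificate actually has the properties the template and enrollment steps were meant to produce. The PowerShell below is an added example, not part of the original article; the short name, FQDN and IP address are assumptions to replace with your own values.

```powershell
# Added example (not part of the original article): check the enrolled certificate in the
# Local Computer store before exporting it. Runs on Windows 7 / Server 2008 R2 PowerShell.
$hostName = 'kbox'               # assumption: the K1000 DNS Host Name (short name)
$fqdn     = 'kbox.example.com'   # assumption: fully qualified name of the KACE server
$ipv4     = '10.0.0.50'          # assumption: IP address of the KACE server

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$hostName" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$hostName and a private key in LocalMachine\My" }

$problems = @()

# 1. Key algorithm: the KACE web server will not start with an ECDH key.
$alg = $cert.PublicKey.Oid.FriendlyName
if ($alg -ne 'RSA') {
    $problems += "Key algorithm is '$alg', not RSA"
} elseif ($cert.PublicKey.Key.KeySize -ne 2048) {
    # 2. Key size: 2048 is the only size this procedure was tested with.
    $problems += "RSA key size is $($cert.PublicKey.Key.KeySize), expected 2048"
}

# 3. Subject Alternative Name must list the short name, the FQDN and the IPv4 address,
#    because the appliance is reached by all three.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$san = if ($sanExt) { $sanExt.Format($false) } else { '' }
foreach ($entry in @("DNS Name=$hostName", "DNS Name=$fqdn", "IP Address=$ipv4")) {
    if ($san -notlike "*$entry*") { $problems += "SAN is missing '$entry' (SAN: '$san')" }
}

# 4. Exportability: a PFX export is attempted in memory only (nothing is written to disk
#    and the bytes are discarded); it throws if the key was not marked exportable.
try {
    $pfxType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
    $null = $cert.Export($pfxType, 'probe-only')
} catch {
    $problems += "Private key is not exportable: $($_.Exception.Message)"
}

"Certificate $($cert.Thumbprint) issued by $($cert.Issuer), valid until $($cert.NotAfter)"
if ($problems.Count -eq 0) { 'All checks passed; safe to proceed with the export.' }
else { $problems | ForEach-Object { Write-Warning $_ } }
```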
Export the Certificate
- Right click the certificate and select All Tasks / Export
- Click Next to continue the export wizard
- Select Yes, export the private key and click Next
Note: If you do not have the option to export the private key, ensure that the template was created properly, that the correct template was used, and that you have selected the correct certificate to export.
- Check all three boxes and click Next
Caution: It is critical that you check the box to delete the private key if the export is successful. Deleting the private key after export ensures that no one can come back to the system the certificate was created on to get the private key from the computer store. This step is critical to protecting the integrity of the private key.
- Enter a password to protect the private key and click Next.
Caution: This should not be a weak password. This password protects the private key from compromise.
- Click Browse. Select your desktop and name the file. Then click save.
Note: The only reason to save this to your desktop is to remind you to delete the file later. If you don't delete this file by the end of this procedure, anyone with the file and the password can compromise the private key. By setting a strong password and ensuring you delete all traces of the PFX file after completion of this procedure, you greatly improve the security of KACE encryption.
- Click Next and then Finish to complete the export procedure.
Import the certificate into KBOX
- Open a web browser and logon to the admin console for kbox.
- Select the Settings option
- Select Security Settings
- Click Edit Mode
- Ensure the SSL Enabled on port 443 check box is checked
- Ensure the Enable port 80 access check box is checked
- Ensure the Forward port 80 to port 443 check box is cleared
Caution: do not continue unless your configuration matches the three settings above. If you continue anyway and there is a certificate issue, you may need to start port 80 web services from the console using the httpd80 command to regain web access to the box.
- Locate the PKCS-12 section and click Browse
- Select the PFX file you created containing the certificate and private key and click Open
- Enter the password you set for the PFX file during the export.
- Click Set Security Options
- Click OK to reboot the KBOX server.
Note: If the server reboots and is pingable but the web services never come up (usually about five minutes from when you start the reboot), you will need to log onto the console and start the port 80 web services manually. The netdiag account has access to perform this function. Run HTTPD80 from the console to manually force port 80 web services back online.
- Verify that you can access the server by hostname.
- Verify that you can access the server using the fully qualified domain name.
- Verify that you can access the server using the IP address from Internet Explorer.
- Delete the PFX file you exported from the CA
- Empty your recycle bin
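The three verification steps above can be scripted so that the certificate the appliance actually presents is checked for each name the SAN was built to cover. The PowerShell below is an added example, not part of the original article; the names and the expected thumbprint (read from the certificate's Details tab in the MMC before the export) are assumptions.

```powershell
# Added example (not part of the original article): after the reboot, connect to each
# name and confirm the appliance presents the new certificate with no policy errors.
$names              = @('kbox', 'kbox.example.com', '10.0.0.50')  # assumption: hostname, FQDN, IP
$expectedThumbprint = 'PLACEHOLDER-THUMBPRINT'                   # assumption: noted from the MMC

function Test-KaceHttps {
    param([string]$Name, [string]$Thumbprint)
    $script:policyErrors = $null
    # This is a read-only probe: validation errors are recorded and reported instead of
    # aborting the handshake, so a name mismatch or untrusted root shows in the output.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:policyErrors = $sslPolicyErrors
        return $true
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Name, 443)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Name)   # hostname/IP check is done against $Name
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Close()
        New-Object PSObject -Property @{
            Name            = $Name
            Subject         = $remote.Subject
            Thumbprint      = $remote.Thumbprint
            MatchesExpected = ($remote.Thumbprint -eq ($Thumbprint -replace '\s', '').ToUpper())
            PolicyErrors    = "$script:policyErrors"
        }
    } catch {
        New-Object PSObject -Property @{
            Name = $Name; Subject = ''; Thumbprint = ''
            MatchesExpected = $false; PolicyErrors = $_.Exception.Message
        }
    } finally {
        $client.Close()
    }
}

$results = foreach ($n in $names) { Test-KaceHttps -Name $n -Thumbprint $expectedThumbprint }
$results | Format-Table Name, MatchesExpected, PolicyErrors, Subject -AutoSize
```

A row with PolicyErrors of None and MatchesExpected of True for all three names confirms the import; RemoteCertificateNameMismatch on one row means that name is missing from the SAN, and RemoteCertificateChainErrors means the client does not trust the issuing CA.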
Contributions for this article also go to: Joseph (Sam) R. [Thank You for your continued KACE Support]