Microsoft PKI – Port Requirements for Firewalls

Pretty basic, although the high ports are a gotcha.

Application protocolProtocolPorts
RPCTCP135
SMBTCP445, 139
Randomly allocated high portsTCPRandom port numbers between 49152 – 65535

For the web-based portions of PKI, you will also need the standard web ports:

Application protocolProtocolPorts
WebTCP80
Web SSLTCP443

Microsoft PKI – My Master Links to Documentation

Here is a list of links to what I would consider the best of the documentation that I have yet to find. Finding this stuff is not without it’s issues. Microsoft has moved and archived most of it. Indeed, one of these pages was located on one site one day, and was missing the next day, as I was using it. It took a whole lot of searching to find it again.

These first two links are the “Master” pages; links galore including the others below:

Active Directory Certificate Services (AD CS) Public Key Infrastructure (PKI) Design Guide

https://social.technet.microsoft.com/wiki/contents/articles/7421.active-directory-certificate-services-ad-cs-public-key-infrastructure-pki-design-guide.aspx

Windows PKI Documentation Reference and Library

https://social.technet.microsoft.com/wiki/contents/articles/987.windows-pki-documentation-reference-and-library.aspx


Technology overviews:

PKI:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc779826(v=ws.10)

Certificates:

https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc700805(v=technet.10)?redirectedfrom=MSDN

Certification Authority Guidance

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831574(v=ws.11)


Tier Deployment:

ADCS Step by Step Guide: Single Tier PKI Hierarchy Deployment

https://social.technet.microsoft.com/wiki/contents/articles/11750.adcs-step-by-step-guide-single-tier-pki-hierarchy-deployment.aspx

AD CS Step by Step Guide: Two Tier PKI Hierarchy Deployment

https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx

Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831348(v=ws.11)


Individual Tools and Topics:

certutil – command line Swiss Army Knife tool

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)?redirectedfrom=MSDN

Quick Check on ADCS Health Using Enterprise PKI Tool (PKIVIEW)

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/quick-check-on-adcs-health-using-enterprise-pki-tool-pkiview/ba-p/1128638

PowerShell ADCS Deployment

https://docs.microsoft.com/en-us/powershell/module/adcsdeployment/?view=win10-ps

PowerShell ADCS Administration

https://docs.microsoft.com/en-us/powershell/module/adcsadministration/?view=win10-ps

CAPolicy.inf Syntax

https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/prepare-the-capolicy-inf-file

Firewall Rules:

https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/service-overview-and-network-port-requirements

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/firewall-rules-for-active-directory-certificate-services/ba-p/1128612

Disaster Recovery:

https://docs.microsoft.com/en-us/archive/blogs/pki/disaster-recovery-procedures-for-active-directory-certificate-services-adcs

Disaster Recovery Procedures for Active Directory Certificate Services (ADCS) | Microsoft Docs

Local Auditing Policy Setup:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc739760(v=ws.10)?redirectedfrom=MSDN


Decommissioning/Replacing a CA:

Good short review of process:

https://serverfault.com/questions/276342/adding-new-root-enterprise-ca-without-disturbing-existing-one

How to decommission a Windows enterprise certification authority and remove all related objects

NOTE: This appears to contains info to wipe out the whole existing PKI.  Might want to go easy here.

https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/decommission-enterprise-certification-authority-and-remove-objects

Decommissioning an Old Certification Authority without affecting Previously Issued Certificates and then Switching Operations to a New One

https://docs.microsoft.com/en-us/archive/blogs/pki/decommissioning-an-old-certification-authority-without-affecting-previously-issued-certificates-and-then-switching-operations-to-a-new-one

Nice blog and hard to find (referenced in above article):

https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/moving-your-organization-from-a-single-microsoft-ca-to-a/ba-p/398161

Microsoft PKI – Start Here

This page is intended to be the master table of contents to all of the Microsoft PKI pages within this blog. It will also provide additional information that may help in understanding how to read through these pages, provide outside links, and provide other pertinent info for the Microsoft PKI.

These pages are mostly about building a MS PKI, not managing templates and certificates. I may add some of that later, but it probably will not consist of too much.

This group of pages exists because anyone who has set out to learn the Microsoft PKI will surely have had an abundance of frustration.

For one, finding information is hard. Most of the stuff the Microsoft has published has been moved, superseded, or contains errors. In fact, at this point very little Microsoft published PKI documentation exists for Server 2016 and up. However, most of the published information for Server 2003 and up is still mostly applicable. But I have also found very little help in the PKI pages published outside of Microsoft. A proper PKI is complicated to learn, I suspect that I have a few screw-ups in my pages as well.

Second, the topic of PKI is large. If you don’t understand what a PKI is and the purpose of the servers, you will have a hard time getting a PKI setup and properly working. Do yourself a big favor and first learn as much as possible about certificates and how they are used in an IT infrastructure. Then learn how a PKI works to fill this need. These two things will take time but will also help you get to the point where the instructions contained in these pages start to make sense.

Speaking of making sense of these pages, no attempt was made here to explain things in which a novice can learn from. These were put together as a way for me to remember how to do things. Most of the instructions in these pages I wrote out as I worked with my test bed, trying to learn how to do a proper PKI within the Microsoft world. I do a lot of shortcuts here but anyone with Microsoft server management time should be able to follow along, especially if they followed my suggestions in the paragraph above.

There are a large number of PKI topics and configurations that exist but are not cover here in the blog, such as three tier deployment, OCSP, and web enrollment, just to name a few. Likewise, my notes on certificate management are limited. You get the idea. If you do the learning as suggested above, you will see how much is not covered here, but you will also have an easier time learning the topics not covered here.

PKI Setup Process Order

Using the Microsoft Documentation, here is the order of setup used for both a single tier and a two tier PKI:

Single Tier – From: https://social.technet.microsoft.com/wiki/contents/articles/11750.adcs-step-by-step-guide-single-tier-pki-hierarchy-deployment.aspx

  1. Install Active Directory Forest
  2. Prepare HTTP Web Server for CDP and AIA Publication
  3. Install Enterprise Root CA
  4. Perform Post Installation Configuration On Enterprise Root CA
  5. Install and Configure Online Responder (OCSP Responder)
  6. Verify PKI Hierarchy Health

Two Tier – From: https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx

  1. Install the Active Directory Forest
  2. Prepare the web server for CDP and AIA publication
  3. Install the standalone offline root CA
  4. Perform post installation configuration steps on the standalone offline root CA
  5. Install Subordinate Issuing CA
  6. Perform the post installation configuration on the subordinate issuing CA
  7. Install and configure the online responder
  8. Verify the PKI hierarchy health

Links to pages within this blog:

A list of the more important links: 
https://www.binaryrecon.net/microsoft-pki-my-master-links-to-documentation
Firewall requirements:
https://www.binaryrecon.net/microsoft-pki---port-requirements-for-firewalls
Build out a stand-alone test PKI server using the command line:
https://www.binaryrecon.net/microsoft-pki---single-tier-server-command-line-setup
Build out a stand-alone test PKI server using the graphical interface:
https://www.binaryrecon.net/microsoft-pki---single-tier-server-graphical-setup
Build out a two tier PKI: 
https://www.binaryrecon.net/microsoft-pki---two-tier-configuration
Use pkiview to check for a proper configuration:
https://www.binaryrecon.net/microsoft-pki---pki-health-pkiview
Decommission a CA server that is being replaced:
Note: this does not consider all possibilities. Make sure you understand 
what you need to do beforehand:
https://www.binaryrecon.net/microsoft-pki-decommission-ca-server