PKI Assist v1.1

May 27, 2012

Public Key Infrastructure has always been a complicated subject to learn and understand. Being almost invisible to the end-user it carries nevertheless multiple important infrastructure role of managing device, user and service certificates.

Security has always been imperative for the enterprise and with all new services and products coming out it’s usually strongly suggested to utilize certificate based authentication and encryption over the network.

This makes the necessity to have highly-available and correctly built PKI infrastructure as important as the well-known infrastructure services such as DNS, Active Directory and Messaging.

The correct deployment of most of PKI server roles running under Windows 2008 +, requires following specific steps in order to avoid future surprises which will only be seen after the certificate is already issued.

Step1 – Is to create CAPolicy.inf file which will contain properties of the Certification Authority you want to build.

Step2 – Is to deploy the role with CAPOlicy.inf already there in %SystemRoot% folder

Step3 – Is to run post-role installation batch file to set some other values

Step4 – Is to finalize configuration using MMC GUI

“PKI Assist” in its current version 1.1 is supposed to help with the first 3 steps.

We did not want to create a replacement for Microsoft CA MMC GUI rather than to help the admins and consultants to automate pre-GUI configuration and deployment tasks.

After you launch “PKI Assist” you can visually select the required components of your future PKI infrastructure.

Having Root CA out of the domain triangle is pictured intentionally and with the best practices of PKI infrastructure deployment.

By selecting the necessary components here you activate the corresponding tabs.

The next step will be switching to those tabs and configuring the properties of PKI hosts.

If you are not sure which values should be set, click “Set recommended values” button is all you need.

The thing which you have to enter yourself though is the IP address of the server which is supposed to run this PKI role.

Follow the corresponding tabs and set the values accordingly or use the “Recommended values” button again.

After all values have been set for all hosts its time to generate the installation and configuration scripts. You have to click “Generate files” button and look into the same folder where “PKI Assist” executable resides.

The same will have to be done in the other tabs.

What’s inside the folder

  1. CAPolicy.inf – the pre-installation INF file which will be copied to %SystemRoot% of the destination host

  2. InstallCA.bat – The batch file which calls setupca.vbs with the corresponding key values

  3. Setupca.vbs – VBS file from TechNet library which installs the role

  4. PostInstallConfig.bat – Batch file which sets the selected registry values after the role has been installed

The next step is to make sure that you have write access to the remote host’s C$. Verify this by running

If you prompted to enter password make sure you select “Save password” box.

The next step, before launching the remote install is to download and save Sysinternal’s PSEXEC file into the same folder where PKI Assist executable is. So, please navigate to http://live.sysinternals.com and download that file.

The last step is to install the role by hitting “Launch remote install” button. Scripts and configuration files created in previous steps will be copied to the remote system’s %SystemRoot% folder and executed remotely.

That’s all. The next step will be GUI based configuration of the installed role which is outside of the scope of this tool at the moment.

Download link

Please send bugs and suggestions to akbarov@live.com or dan.card@blue-computing.com

 

 

About

 

Dan and Nazim work in consulting companies across the UK.

The idea to create this program came from their practical experience and automation needs.