L2TP Server with MS 2012 CA server certificates (CA details)

Security Gateway Articles and How to's
Post Reply
Posts: 5
Joined: 13 Sep 2016, 12:01

L2TP Server with MS 2012 CA server certificates (CA details)

Post by TobiasE » 19 Sep 2016, 08:58

This How-to applies to:

Windows 2012 R2 server and windows 10 client.


Installing and using a CA(Certified Authority) certificate server can be hard, tough and annoying but once done very rewarding. This guide assumes that you have a fresh installation of windows 2012 R2 server and a windows 10 machine, also freshly installed. You should also have a working L2TP server running over IPsec using PSK(it is recommended to have a fully working L2TP/IPsec scenario with PSK before attempting to use certificates).

This document will not go into details about every option, this is an installation guide that is primary suited for testing purposes.


Installation and preparation of the Windows 2012 server – DNS and AD
1. First boot up and update the windows 2012 server and then set the password for the user 'Administrator' (not the local user with administrator rights but literally the account administrator).
2. Set a static IP-address and a DNS, the primary DNS should be with no secondary DNS.
3. Name the computer to something you’ll remember, mine is named DCPR2 and reboot.
4. Start the 'Dashboard - Add roles and features ' then press next until you hit the server roles in the menu. In the list mark the DNS and install it, just follow the wizard and leave all configuration values at default.
5. Once installed go to 'Server Manager – Dashboard - Tools – DNS' and you should see it, press it and if it opens we’re done with the DNS and you can close the window.
6. Next we’ll add Active Directory Domain Service in ‘Dashboard - Add roles and features wizard’. Just press next, next and install (just leave the values to their default).
7. In the Dashboard press the yellow flag(should be in the top) and then ‘Promote this server to a domain controller’ which should open a wizard. Press ‘Add a new forest’ and type down the domain, in this case it's keramila.se, look at figure 1 for for detailed information and press next.
Figure 1 AD DS installation
dep1.png (30.34 KiB) Viewed 3679 times

8. Under 'domain controller options' you shouldn’t change any values, just type in the ‘administrator’ password, which we added in step 1. Press next and you’ll see a yellow warning but keep on going with next.
9. We’re now at ’additional options’, don’t change anything here and press next, next and next.
10. Under ‘prerequisites check’ there might be some yellow texts but unless it’s red you should be able to press install. If you get a red error message read them, in most cases they are self-explanatory and will tell you what the issue is and how to solve it.
11. Now reboot the server and login to the new domain with either the user or administrator account. Keep in mind that the user must have administrator rights, I used the 'administrator' account.

Installation of the CA-server
This will be the standalone server which will be able to issue, revoke and manage certificates.

1. Still on the Windows 2012 server open up the ‘Dashboard - Add roles and features’ and add ‘Active Directory Certificate Services’ and press next until you get to 'Role services'. Under role service mark the option ‘Certification Authority’ as in figure 2 and press next and install.
Figure 2 Installation of CA server
dep2.png (18.45 KiB) Viewed 3679 times
2. Once installed press the link ‘Configure AD certificate on the destination server’ as figure 3 shows.
Figure 3 Configuration of the CA server
dep3.png (31.9 KiB) Viewed 3677 times
3. In credentials don’t change anything just press next. In role service mark the ‘Certification Authority' and press next.
4. In the step ‘setup type’ you should pick ‘standalone CA’ which also figure 4 shows and press next.
Figure 4 options under setup type, standalone CA should be used.
dep4.png (21.64 KiB) Viewed 3679 times
5. In the next menu which is named ‘CA type’ you should mark ‘Root CA’ and then press next. Mark the option ‘Create a new private key’ and once again press next. In the next window look at figure 5 for configuration. Depending on security you might want to change some of these values but once done press next.
Figure 5 illustrates which cryptographics you want to use
dep5.png (38.98 KiB) Viewed 3679 times
6. In the ‘CA name’ you can leave everything at default and press next. In the ‘Validity period’ once again depending on security and policies you might want to decrease the amount of years to maybe 1 or 2 and press next, next and configure.
7. Once done you should see a ‘configuration succeeded’ which figure 6 illustrates. Then press close.
Figure 6 illustrates a complete example of a successful installation
dep6.png (20.2 KiB) Viewed 3677 times
Configure the CA
1. Go to ‘Dashboard – Tools – Certification Authority’ which should open you a new window. Next right click on the domain and press properties which figure 7 shows. Once pressed a new window will open and you should switch tab to ‘extensions’.
Figure 7 illustrates the CA properties
dep7.png (13.27 KiB) Viewed 3679 times
2. Under the extension tab press ‘add’, then add the string that’s printed in figure 8 with a few modifications, the sting should be http://computername.domain.se/CertData/ ... lowed>.crl so in my case the string is
http://dcpr2.keramila.se/CertData/<CaNa ... lowed>.crl – Obviously you need to change the dcpr2 and domain but the /CertData/ and the rest should be added. Now press ok but don’t restart the server just yet.
Figure 8 shows what values that should be added as the location.
dep8.png (14.69 KiB) Viewed 3677 times
3. Next step look on figure 9 and mark the same values ‘Include CRLS’s. Clients use this to find Delta CRL locations.' and 'Include in the CDP extensions of issued certificates’ and press apply but don’t restart the server.
Figure 9 illustrates a picture on which options should be added.
dep9.png (43.01 KiB) Viewed 3677 times
4. In the ‘Select extenstion’ switch to ‘Authority Information Access(AIA)’ and press add, which figure 10 also shows.
Figure 10 illustrates how to add a AIA.
dep10.png (13.41 KiB) Viewed 3677 times
5. We should add a similar string here as with the previous configuration, obviously the ‘dcpr2.keramila.se’ should be replaced with your own domain http://dcpr2.keramila.se/CertData/<Serv ... eName>.crt and press OK, mark the option ‘include in the AIA extension of issued certificates’ as in figure 11. Press ok and finally yes to restart the AD CS.
Figure 11 illustrates the AIA string and what to include.
dep11.png (22.84 KiB) Viewed 3677 times
6. Next we’ll publish our certificate, right click the ‘Revoked Certificates’and press publish as the figure 12 shows and press ‘new CRL’ and OK.
Figure 12 illustrates how to publish our certificate.
dep12.png (15.2 KiB) Viewed 3677 times
7. Next one step above ‘Revoked certificates’ right click on ‘Keramila-DCPR2-CA’ and press properties. Under ‘General‘ tab press ‘view certificate’. Next locate and press the Details tab and ‘Copy to file’ .Keep the format ‘DER encoded binary X.509(.CER)’ and press next. Browse to a place to save it, this is the ROOT CA(root certificate) so a name that defines it should be used, I used RootCA(for convenience), then saved the RootCA to the private cloud as it’ll be needed later. Next press next and finish.
8. Now go to ‘C:\Windows\System32\CertSrv\CertEntroll’ and copy both of these files and add them to the same place as the RootCA. It should look like figure 13. For clarification, all of the certificates are now placed on a cloud also for you the naming might be different.
Figure 13 illustrates which certificates that should be on the cloud.
dep13.png (17.39 KiB) Viewed 3677 times
Web Enrollment(optional).
Using web enrollment on a standalone CA server is bad practice so this part is optional, the reason why this part is in this post is to give you an idea on how web enrollment work. You can transfer certs much safer with an enterprise solution or with a private cloud. To keep the standalone CA safe you should in most cases keep it offline and only connect it when signing certificates.

1. Go to ‘Dashboard – Add role and features’and press next until you get to the menu ‘server roles’ , expand the ‘Active Directory Certificate Service’ and mark the ‘Certification Authority Web Enrollment’ and press ‘Add feature’.
2. Just press next and leave all of the options as default until you get to the install, then press install.
3. Next we’ll continue with the wizard, press on the ‘Configure ADCS’ which figure 14 shows.
Figure 14 shows where to press to install the AD CS.
dep14.png (17.87 KiB) Viewed 3677 times
4. Under ‘Credentials’ you can leave the defaults but under ‘Role service’ mark the ‘Certification Authority Web enrollment’ which figure 15 shows then press next and then configure.
Figure 15 shows roles services
dep15.png (11.01 KiB) Viewed 3677 times
5. Now open up a web browser and type ‘keramila.se/Certsrv/’, you should be redirected to a website. On this site you can request certificates and download certificates. If the domain does not work try with the local machines IP-address, for example 192.168.x.x/certsrv/).
6. This concludes the installation of CA server, web enrollment, AD DS and a DNS.

Client Certificate and openSSL

1. Now that we have the CA certificate server up and running we need to create certificate request from the client, as mentioned earlier a windows 10 machine will be used. openSSL can be found and downloaded from https://wiki.openssl.org/index.php/Binaries
2. After openSSL has been installed start cmd(don’t close cmd window until we’re done with openSSL) and type ‘set path=%PATH%;C:\OpenSSL-win32\bin’ (the path should be to openSSL bin folder, so if you changed the path during the installation you will have to modify the path). You can also add the path permanently under path variable in ‘environmental variable’. Setting these path variables enables us to type openSSL wherever we are in CMD. If we don’t set this path we need to manually type the path to openSSL every single time we want to use openSSL.
3. Make a folder under 'C:' with the name 'cert' which you later will store the created certificates in. Next use CD command in CMD to the newly created folder, since I’ve got mine under ‘C:\cert’ my path is ‘cd C:\cert’.
4. Once in the folder we’ll first create our private key, use the command ‘openssl genrsa -out keramila.se.key 2048’(the smaller the keysize the more insecure, the bigger the size the more overhead, for this purpose a 2048 is good enough). For convenience the name of the certificate is the name my domain.
5. Next we’ll extract a cert request from the private key which will in later steps be signed by the CA. Use the command ‘openssl req -new -sha256 -key keramila.se.key -out keramila.se.csr’(sha256 was considered secure at this point of time but that might not be the case when you read this). You might want to modify the hash algorithm depending on your policies. If you’re getting an error here that it can’t open the openSSL.cfg you might have to map it. You do this in CMD by typing ‘set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg’ – This path might be different but hopefully you’re getting the idea.
6. You should see fields that you can type in, enter country name 2 letters, common name and email and leave the rest of the fields empty, even the challenge password. I type SE for country letters, keramila.se as common name and my mail address under mail.
7. You should now have 2 files, one key and one CSR(certificate request). The CSR needs to be signed by the CA server and there are many ways to get the CSR to the CA, in a previous step we created a Web Enrollment which we now will use(you can also transfer the file using a private cloud). So open a web browser and enter the IP/domain name to the server for example ‘keramila.se/certsrv/’.If the domain does not work try with the server IP-address which in this case was ‘’ which is the IP-address of the server.
8. Once on the site go to the link ‘Request a certificate – Or, submit an advanced certificate request’. Open the CSR in notepad and it should look something like figure 16. Then copy everything from the CSR and paste it to the website which figure 17 illustrates, then press submit. Please note that every CSR should start with -----BEGIN CERTIFICATE REQUEST-----.
9. Don't close the CMD just yet!

Figure 16 shows how a cert request looks like in notepad
dep16.png (50.43 KiB) Viewed 3677 times
Figure 17 illustrates what should be copied to the CA server
dep17.png (21.28 KiB) Viewed 3677 times
Signing the certificate

1. Go to the Windows 2012 CA sever and go to ‘Dashboard – tool – Certified authority’ which should open a new window, next go to pending request. Now right click on the certificate and press issue, basically we’re saying that this certificate is valid, figure 18 illustrates this.
Figure 18 illustrates how to issue a certificate.
dep18.png (25.53 KiB) Viewed 3676 times
2. If everything is correct you should see the certificate under the folder ‘Issued Certificate’, if it's under failed request you're in trouble. Now the certificate needs to be extracted and installed on the client so first go to ‘issued Certificates’ double click on the certificate and press details, as figure 19 shows and press copy to file.
Figure 19 illustrates how to distribute the issued certificate.
dep19.png (36.61 KiB) Viewed 3676 times
3. A new window should open and press next and when you get to ‘Export file format’ you MUST chose base-64, which figure 20 illustrates, otherwise openSSL will not be able to convert the certificate, private key and root certificate to a .pfx(this will be explained later) and press next.
Figur 20 shows which option that should be used for encoding.
dep20.png (18.24 KiB) Viewed 3676 times
4. This client need this certificate so browse the newly signed certificate to a location accessible from the windows 10 machine; in this case I’m using a private cloud. A side note which will be covered later is that the Claivster SGW will also be using this certificate. Figure 21 shows my path, now press next and finish.
Figur 21 shows the path to the cloud used in this example.
dep21.png (4.91 KiB) Viewed 3676 times
Install the signed certificate to the client
1. Go back to the windows 10 machine and copy the newly signed certificate to the same place as the key and the cert request file as in figure 22(as you might recall the path in this case was C:\cert). To clarify this even more the folder should contain the CSR, the private key and the newly signed certificate.
Figure 22 shows the folder C:\cert, a place which contains the certificates.
dep22.png (9.31 KiB) Viewed 3676 times
2. Next we need to install the root certificate on the windows 10 machine, which is if you recall the first certificate that we created on the CA server(‘RootCA’) and saved on a private cloud. NOTE: If the RootCA is on a cloud you need to copy it to the windows 10 machine before installing it. You install it by simply double click RootCA.cer and press install certificate – choose the option ‘Local machine’ and place it under ‘trusted root certification authorities’. Figure 23 illustrates this.
Figure 23 illustrates how to install the rootCA to the machine.
dep23.png (23.07 KiB) Viewed 3676 times
3. Once installed go to the C:\cert which contains our private key, CSR and signed cert. Double click on the signed certificate and press the tab ‘Certification path – Press the ROOT CA(keramila-DCPR2-CA) – Show certificate – Information – Copy to file’ which figure 24 illustrates. Now press ‘copy to fie‘ and as earlier noted you must chose ‘Base 64-coded X.509(.cer)’. Name it RootCA or something like that and put it to the same folder as your private key(C:\cert). if you for some reason cannot find the Root certificate under Certification path redo step 2 in this section.
Figure 24 shows how to find the root CA from the client CA.
dep24.png (31.99 KiB) Viewed 3676 times
4. As I said before you should still have CMD open on the windows 10 machine, if you closed it you might have to path up openSSL and the config file as we did in step 2 and 5 under the section ’Client Certificate and openSSL’. Anyway go to the folder where all your certs are in CMD (cd C:\cert) and type ‘openssl pkcs12 -export -out keramila.se.pfx -inkey keramila.se.key -in keramila.se.cer –certfile RootCA.cer’. This will add the private key, the signed certificate and the rootCA to a pfx.
5. You should now have a new .pfx file with the name ‘keramila.se.pfx’. Double click it and a new window should open, choose ’local computer’, verify the path(should be correct by default) and press next, we never added any password so don’t do it here and press next. This pfx should be in ‘personal’, look on figure 25 for more details and press next.
Figure 25 shows the personal folder.
dep25.png (18.25 KiB) Viewed 3676 times
Installation of certificates on the Clavister firewall.
1. As mentioned in the introduction, you should already have a L2TP over IPsec configured and verified that it works with a PSK.
2. Now you should create new certificates but for the SGW, you can do this with openSSL as before, the only thing that you do not need is a pfx file so just follow the same instructions as for the client but save them in a new folder, this cert must also be signed by the CA. Once you've the private key and the signed certificate you can transfer them to the cloud. (I named the cert gw_cert and the key gw_cert.key)
3. First we need to create 2 keyrings, the rootCA and the gateway CA. Basically the rootCA will be used when communication from the SGW to the CA server and the gateway certificate will be used for communication between the SGW and the windows 10 machine. Using a chain of trust.
4. Login to the SGW webUI and go to ‘Objects – Key Ring - +Add Certificate’. First we’ll add the root CA I named it RootCA and turned the ‘CRL check to Disable’. Next I uploaded the certificate(not any key) and 'source should be left at default which is upload', then press ok.
5. Press add again and name it GW_cert1 and once again set ‘CRL check to Disable’. This time you should upload the client certificate (gw_cert.se) and the key (gw_cert.se.key). As with the previous key the source should be upload and press ok.
6. Next go to ‘Network – Ipsec - Authenticaiton’ and change Pre-shared key to X.509 Certificate. Change the Gateway certificate to GW_Cert1 and add the Root_CA to root certificate which figure 26 illustrates
Figure 26 illustrates the sGW configuration.
dep26.png (31.96 KiB) Viewed 3676 times
7. Save and activate the configuration.

Windows 10 VPN configuration.

1. Configure the VPN as usually and in the advanced setting under VPN-type user ‘L2TP/IPsec with certificate’.
2. Verify connectivity.

Post Reply