Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/SUBnet192/PKI
PKI Infrastructure build
Last synced: 7 days ago
- Host: GitHub
- URL: https://github.com/SUBnet192/PKI
- Owner: SUBnet192
- Created: 2021-01-30T16:20:55.000Z (almost 4 years ago)
- Default Branch: main
- Last Pushed: 2022-02-10T19:52:16.000Z (almost 3 years ago)
- Last Synced: 2024-08-02T17:35:17.793Z (3 months ago)
- Language: PowerShell
- Size: 130 KB
- Stars: 42
- Watchers: 7
- Forks: 2
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# PKI
Microsoft PKI 2-tier infrastructure build

In the past year I have been working on ransomware recovery/infrastructure improvements post-incident. One thing that is always missing at each customer location is a PKI infrastructure, to implement LDAPS amongst other things.
Last year I attempted to do so with a DSC script, but I didn't like the end result, so I rebuilt it from scratch over the past 2 weeks.
Steps:
- Obtain your own OID (a Private Enterprise Number) at https://pen.iana.org/pen/PenApplication.page
- Create a DNS CNAME named "pki" (or another name of your choice) pointing at your Enterprise Subordinate CA.
- The scripts are designed to be deployed on Server Core (tested on Windows Server 2019 Core).
- Deploy two Server Core instances:
  - one for the Root CA
  - one for the Enterprise Subordinate CA
- Set up the IP configuration on both servers.
  (The Root CA is not supposed to be network attached. While there is a small risk, I would say that having it connected for the duration of the build and then shutting it down after the Subordinate CA is issued its certificate isn't a major concern.)
- On the Root CA server (not domain joined), run Build-RootCA.ps1.
- On the Subordinate CA server (domain joined, and logged in with a domain account), run Build-SubCA.ps1.
- The Root CA certificate is valid for 10 years.
- The Subordinate Enterprise CA certificate is valid for 5 years.
- Issued certificates are valid for 1 year.

There are some prompts during the installation, so it is not fully unattended, but all prompts come at the beginning of the script.
The end result is a working PKI infrastructure in 15 minutes at most (if you're starting from Windows VM templates).
NOTE: These scripts must be run LOCALLY on the servers, not through remote PowerShell.
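Before the Root CA is powered off for good, a practitioner would want to confirm that what the build produced actually matches the design stated above: a two-certificate chain ending in a self-signed root, a 10-year root and 5-year subordinate lifetime, and CDP/AIA URLs that domain clients can reach even though the root is offline. The PowerShell check below is an added example, not one of the project's scripts (it is neither Build-RootCA.ps1 nor Build-SubCA.ps1), written to be run locally on the Enterprise Subordinate CA once Build-SubCA.ps1 has finished. The issuing CA's certificate subject (`CN=Corp Issuing CA`) and the tolerance used when comparing lifetimes are assumptions and not taken from the README.

```powershell
<#
  Added example (not part of the SUBnet192/PKI project): post-build check for the
  2-tier PKI described above. Run locally on the Enterprise Subordinate CA after
  Build-SubCA.ps1 completes. Assumed, not from the README: the issuing CA's
  certificate subject and the tolerance applied when comparing lifetimes.
#>
param(
    [string]$IssuingCaSubject = 'CN=Corp Issuing CA',  # assumed name; adjust to yours
    [int]$RootYears     = 10,   # design lifetime of the Root CA certificate
    [int]$SubYears      = 5,    # design lifetime of the Subordinate CA certificate
    [int]$ToleranceDays = 2     # slack for leap days / clock skew (assumption)
)

$ErrorActionPreference = 'Stop'
$failures = [System.Collections.Generic.List[string]]::new()

# 1. The issuing CA's own certificate lives in the machine's personal store.
$sub = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $IssuingCaSubject } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $sub) { throw "No certificate with subject '$IssuingCaSubject' in Cert:\LocalMachine\My" }

# 2. Build the chain with online revocation checking. This is the same work a
#    domain client does, so it fails if the Root CA's CRL is not published at the
#    location named in the subordinate certificate's CDP extension.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'Online'   # RevocationFlag stays ExcludeRoot: roots are not revocation-checked
if (-not $chain.Build($sub)) {
    foreach ($s in $chain.ChainStatus) {
        $failures.Add("chain: $($s.Status) - $($s.StatusInformation.Trim())")
    }
}
$certs = @($chain.ChainElements | ForEach-Object { $_.Certificate })
if ($certs.Count -eq 0) { $failures | Write-Warning; throw 'Chain could not be built at all' }
if ($certs.Count -ne 2) { $failures.Add("expected a 2-tier chain, got $($certs.Count) certificate(s)") }
$root = $certs[-1]
if ($root.Subject -ne $root.Issuer) { $failures.Add("top of chain is not self-signed: $($root.Subject)") }

# 3. Lifetimes should match the design. The 1-year lifetime of issued certificates
#    is a CA registry setting (certutil -getreg CA\ValidityPeriodUnits) and is not
#    visible in these two certificates, so it is not checked here.
function Test-Lifetime(
    [System.Security.Cryptography.X509Certificates.X509Certificate2]$cert,
    [int]$years,
    [string]$label) {
    $expected = $cert.NotBefore.AddYears($years)
    if ([math]::Abs(($cert.NotAfter - $expected).TotalDays) -gt $ToleranceDays) {
        $failures.Add("$label lifetime is $($cert.NotBefore.ToString('yyyy-MM-dd')) to " +
                      "$($cert.NotAfter.ToString('yyyy-MM-dd')), expected ~$years years")
    }
}
Test-Lifetime $root $RootYears 'Root CA'
Test-Lifetime $sub  $SubYears  'Subordinate CA'

# 4. Every HTTP URL in the CDP (2.5.29.31) and AIA (1.3.6.1.5.5.7.1.1) extensions of
#    the subordinate certificate points at the Root CA's CRL and certificate. Those
#    must be served from somewhere reachable, since the Root CA itself is offline.
#    LDAP URLs are skipped here.
$urls = foreach ($ext in ($sub.Extensions | Where-Object { $_.Oid.Value -in '2.5.29.31', '1.3.6.1.5.5.7.1.1' })) {
    [regex]::Matches($ext.Format($true), 'URL=(http://\S+)') | ForEach-Object { $_.Groups[1].Value }
}
foreach ($u in ($urls | Sort-Object -Unique)) {
    try   { $null = Invoke-WebRequest -Uri $u -Method Head -UseBasicParsing -TimeoutSec 10 }
    catch { $failures.Add("unreachable: $u ($($_.Exception.Message))") }
}

# 5. Report.
if ($failures.Count -gt 0) {
    $failures | ForEach-Object { Write-Warning $_ }
    exit 1
}
"OK: '$($sub.Subject)' chains to '$($root.Subject)'; lifetimes and CDP/AIA URLs match the design."
```

The chain build with `RevocationMode = 'Online'` is the part that catches the classic post-build mistake: a root CRL that was never copied from the offline root to the web location the subordinate certificate advertises, which only surfaces once clients start failing LDAPS or smart-card logons. Step 4 then confirms the HTTP CDP/AIA locations answer through the name the CNAME resolves to; if your CDP/AIA use only LDAP URLs, extend the regex accordingly.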
Video of the Root CA installation