cOS Core L2TP server setup with Windows Server CA certificates

Last modified on 21 Feb, 2023. Revision 16
Up to date for: cOS Core version 12.00.xx, Windows 2012 R2 server as CA, Windows 10 as client
Supported since: cOS Core 10.xx.
Status: OK


Introduction

Installing and using a CA (Certification Authority) server can be difficult, but once done it is very beneficial because new certificate requests and signings become easy to perform. This guide assumes a fresh installation of Windows Server 2012 R2 and a Windows 10 based computer. It also assumes that a working L2TP server running over IPsec using PSK is already configured (it is recommended to have a fully working L2TP/IPsec scenario with PSK before attempting to use certificates).
This document will not go into detail about every option. It is an installation guide that is primarily suited for testing purposes.

Note: Even though we now recommend the use of IKEv2 and OneConnect, this guide will remain as reference material since many parts would most likely still be relevant in newer versions of e.g. Windows Server. If you are reading this guide to set up a new L2TP/IPsec connection, it is strongly recommended to look at IKEv2 or a OneConnect solution instead, as the default encryption algorithms in L2TP/IPsec using the built-in client in e.g. Windows are no longer considered secure. However, the section regarding CA certificates might still be of interest.

Solution

Installation and preparation of the Windows 2012 server – DNS and AD

1. First boot up and update the Windows 2012 server and then set the password for the user ‘Administrator’ (not the local user with administrator rights but literally the account administrator).
2. Set a static IP address and a DNS server; the primary DNS should be 127.0.0.1 with no secondary DNS.
3. Name the computer something we’ll remember (in this example we use DCPR2) and reboot.
4. Start ‘Dashboard - Add roles and features’, then press next until we reach the server roles in the menu. In the list mark DNS and install it; just follow the wizard and leave all configuration values at default.
5. Once installed go to ‘Server Manager – Dashboard - Tools – DNS’, where we should see it. Press it, and if it opens we’re done with the DNS and can close the window.
6. Next we’ll add Active Directory Domain Service in the ‘Dashboard - Add roles and features’ wizard. Just press next, next and install (leave the values at their defaults).
7. In the Dashboard press the yellow flag (it should be at the top) and then ‘Promote this server to a domain controller’, which should open a wizard. Press ‘Add a new forest’ and type the domain, in this case keramila.se; look at figure 1 for detailed information and press next.


8. Under ‘domain controller options’ we should not change any values, just type in the ‘administrator’ password, which we added in step 1. Press next and we will see a yellow warning but we keep on going with next step.
9. We’re now at ’additional options’ , don’t change anything here and press next, next and next.
10. Under ‘prerequisites check’ there might be some yellow text, but unless it’s red we should be able to press install. If a red error message appears, read it; in most cases these messages are self-explanatory and will tell us what the issue is and how to solve it.
11. Now reboot the server and login to the new domain with either the user or administrator account. Keep in mind that the user must have administrator rights, I used the ‘administrator’ account.

Installation of the CA-server

This will be the standalone server which will be able to issue, revoke and manage certificates.

1. Still on the Windows 2012 server, open ‘Dashboard - Add roles and features’, add ‘Active Directory Certificate Services’ and press next until we get to ‘Role services’. Under role services mark the option ‘Certification Authority’ as in figure 2, then press next and install.

2. Once installed press the link ‘Configure AD certificate on the destination server’ as figure 3 shows.

3. In credentials don’t change anything, just press next. In role service mark ‘Certification Authority’ and press next.
4. In the step ‘setup type’ we should pick ‘standalone CA’, which figure 4 also shows, and press next.

5. In the next menu which is named ‘CA type’ we should mark ‘Root CA’ and then press next. Mark the option ‘Create a new private key’ and once again press next. In the next window look at figure 5 for configuration. Depending on security we may want to change some of these values but once done press next.

6. In the ‘CA name’ step we can leave everything at default and press next. In the ‘Validity period’ step, once again depending on security and policies, we may want to decrease the number of years to maybe 1 or 2 and press next, next and configure.
7. Once done we should see a ‘configuration succeeded’ which figure 6 illustrates. Then press close.

Configure the CA

1. Go to ‘Dashboard – Tools – Certification Authority’ which should open a new window. Next right click on the domain and press properties which figure 7 shows. Once pressed a new window will open and we should now switch tab to ‘extensions’.

2. Under the extension tab press ‘add’, then add the string that’s printed in figure 8 with a few modifications. The string should be

http://computername.domain.se/CertData/<CaName><DeltaCRLAllowed>.crl

so in this case the string is

http://dcpr2.keramila.se/CertData/<CaName><DeltaCRLAllowed>.crl

– Obviously we need to change the dcpr2 and domain but the /CertData/ and the rest should be added. Now press ok but don’t restart the server just yet.

3. As the next step, look at figure 9 and mark the same values, ‘Include in CRLs. Clients use this to find Delta CRL locations.’ and ‘Include in the CDP extension of issued certificates’, and press apply but don’t restart the server.

4. In ‘Select extension’ switch to ‘Authority Information Access (AIA)’ and press add, which figure 10 also shows.

5. We should add a similar string here as with the previous configuration; obviously ‘dcpr2.keramila.se’ should be replaced with your own domain

http://dcpr2.keramila.se/CertData/<ServerDNSName>_<CaName><CertificateName>.crt

and press OK, mark the option ‘include in the AIA extension of issued certificates’ as in figure 11. Press ok and finally yes to restart the AD CS.

6. Next we’ll publish our certificate: right click ‘Revoked Certificates’ and press publish as figure 12 shows, then press ‘new CRL’ and OK.

7. Next, one step above ‘Revoked certificates’, right click on ‘Keramila-DCPR2-CA’ and press properties. Under the ‘General’ tab press ‘view certificate’. Next locate and press the Details tab and ‘Copy to file’. Keep the format ‘DER encoded binary X.509 (.CER)’ and press next. Browse to a place to save it. This is the RootCA (root certificate), so a name that identifies it should be used; I used RootCA (for convenience), then saved the RootCA to the private cloud as it’ll be needed later. Then press next and finish.
8. Now go to ‘C:\Windows\System32\CertSrv\CertEnroll’, copy both of the files there and add them to the same place as the RootCA. It should look like figure 13. For clarification, all of the certificates are now placed on a cloud; for you the naming might also be different.

Web Enrollment(optional)

Using web enrollment on a standalone CA server is bad practice, so this part is optional; the reason it is in this post is to give us an idea of how web enrollment works. We can transfer certificates much more safely with an enterprise solution or with a private cloud. To keep the standalone CA safe you should in most cases keep it offline and only connect it when signing certificates.

1. Go to ‘Dashboard – Add role and features’ and press next until we get to the menu ‘server roles’, expand ‘Active Directory Certificate Service’, mark ‘Certification Authority Web Enrollment’ and press ‘Add feature’.
2. Just press next and leave all of the options as default until we get to the install, then press install.
3. Next we’ll continue with the wizard, press on the ‘Configure ADCS’ which figure 14 shows.

4. Under ‘Credentials’ we can leave the defaults but under ‘Role service’ mark the ‘Certification Authority Web enrollment’ which figure 15 shows then press next and then configure.

5. Now open up a web browser and type ‘keramila.se/Certsrv/’; we should be redirected to a website. On this site we can request certificates and download certificates. If the domain does not work, try with the local machine’s IP address (for example 192.168.x.x/certsrv/).
6. This concludes the installation of CA server, web enrollment, AD DS and a DNS.

Client Certificate and openSSL

1. Now that we have the CA certificate server up and running we need to create a certificate request from the client; as mentioned earlier a Windows 10 machine will be used. openSSL can be found and downloaded from https://wiki.openssl.org/index.php/Binaries
2. After openSSL has been installed start cmd (don’t close the cmd window until we’re done with openSSL) and type ‘set path=%PATH%;C:\OpenSSL-win32\bin’ (the path should point to the openSSL bin folder, so if we changed the path during the installation we will have to modify it). We can also add the path permanently to the path variable under ‘environmental variable’. Setting this path variable enables us to type openSSL wherever we are in CMD. If we don’t set it we need to manually type the path to openSSL every single time we want to use openSSL.
3. Make a folder under ‘C:’ with the name ‘cert’, in which we will later store the created certificates. Next use the CD command in CMD to move to the newly created folder; since I’ve got mine under ‘C:\cert’ my command is ‘cd C:\cert’.
4. Once in the folder we’ll first create our private key. Use the command ‘openssl genrsa -out keramila.se.key 2048’ (the smaller the key size the more insecure, the bigger the size the more overhead; for this purpose 2048 is good enough). For convenience the name of the certificate is the name of my domain.
5. Next we’ll create a cert request from the private key, which will be signed by the CA in later steps. Use the command ‘openssl req -new -sha256 -key keramila.se.key -out keramila.se.csr’ (sha256 was considered secure at this point of time but that might not be the case when you read this). You might want to modify the hash algorithm depending on your policies. If you are getting an error here that it can’t open the openSSL.cfg you might have to map it. We do this in CMD by typing ‘set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg’. This path might be different but hopefully you’re getting the general idea.
6. We should see fields that we can type in. Enter the 2-letter country name, common name and email and leave the rest of the fields empty, even the challenge password. I type SE for country letters, keramila.se as common name and my mail address under mail.
7. We should now have 2 files, one key and one CSR (certificate request). The CSR needs to be signed by the CA server and there are many ways to get the CSR to the CA; in a previous step we created a Web Enrollment which we will now use (we can also transfer the file using a private cloud). So open a web browser and enter the IP/domain name of the server, for example ‘keramila.se/certsrv/’. If the domain does not work, try with the server IP address, which in this case was ‘192.168.1.110/certsrv/’.
8. Once on the site go to the link ‘Request a certificate – Or, submit an advanced certificate request’. Open the CSR in notepad and it should look something like figure 16. Then copy everything from the CSR and paste it into the website, which figure 17 illustrates, then press submit. Please note that every CSR should start with -----BEGIN CERTIFICATE REQUEST-----.
9. Don’t close the CMD just yet!

Signing the certificate

1. Go to the Windows 2012 CA server and go to ‘Dashboard – Tools – Certification Authority’, which should open a new window; next go to pending requests. Now right click on the certificate and press issue. Basically we’re saying that this certificate is valid; figure 18 illustrates this.

2. If everything is correct we should now see the certificate under the folder ‘Issued Certificate’ , if it’s under failed request we are in trouble. Now the certificate needs to be extracted and installed on the client so first go to ‘issued Certificates’ double click on the certificate and press details, as figure 19 shows and press copy to file.

3. A new window should open. Press next, and when we get to ‘Export file format’ we MUST choose base-64, which figure 20 illustrates, otherwise openSSL will not be able to convert the certificate, private key and root certificate to a .pfx (this will be explained later). Then press next.

4. The client needs this certificate, so save the newly signed certificate to a location accessible from the Windows 10 machine; in this case I’m using a private cloud. A side note which will be covered later is that the Clavister will also be using this certificate. Figure 21 shows my path; now press next and finish.

Install the signed certificate to the client

1. Go back to the Windows 10 machine and copy the newly signed certificate to the same place as the key and the cert request file, as in figure 22 (as you might recall the path in this case was ‘C:\cert’). To clarify this even more, the folder should contain the CSR, the private key and the newly signed certificate.

2. Next we need to install the root certificate on the windows 10 machine, which is if you recall the first certificate that we created on the CA server(‘RootCA’) and saved on a private cloud. NOTE: If the RootCA is on a cloud we need to copy it to the windows 10 machine before installing it. We install it by simply  double click RootCA.cer  and press install certificate – choose the option ‘Local machine’ and place it under ‘trusted root certification authorities’. Figure 23 illustrates this.

3. Once installed go to C:\cert, which contains our private key, CSR and signed cert. Double click on the signed certificate and press the tab ‘Certification path – Press the ROOT CA (keramila-DCPR2-CA) – Show certificate – Information – Copy to file’, which figure 24 illustrates. Now press ‘copy to file’ and, as noted earlier, we must choose ‘Base 64-coded X.509 (.cer)’. Name it RootCA or something like that and put it in the same folder as our private key (C:\cert). If you for some reason cannot find the Root certificate under Certification path, redo step 2 in this section.

4. As mentioned before we should still have CMD open on the Windows 10 machine; if we closed it we might have to set the openSSL path and the config file again as we did in steps 2 and 5 under the section ‘Client Certificate and openSSL’. Go to the folder where all our certificates are in CMD (cd C:\cert) and type ‘openssl pkcs12 -export -out keramila.se.pfx -inkey keramila.se.key -in keramila.se.cer -certfile RootCA.cer’. This will add the private key, the signed certificate and the rootCA to a pfx.
5. We should now have a new .pfx file with the name ‘keramila.se.pfx’. Double click it and a new window should open; choose ‘local computer’, verify the path (should be correct by default) and press next. We never added any password so don’t add one here, and press next. This pfx should be placed in ‘personal’; look at figure 25 for more details and press next.
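
A pre-flight check for the files in C:\cert before the pkcs12 export in step 4, as an added example in Python (not part of the original guide, which works in CMD): it tells Base-64 (PEM) files from DER ones and checks the BEGIN label of each, which catches a RootCA.cer that is still the DER export from the CA server. The function names and the five-byte FAKE_DER sample are constructed for illustration; the check looks only at the outer encoding and does not parse X.509.

```python
import base64
import re
import ssl

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s+(.*?)\s*-----END \1-----", re.S)
FAKE_DER = bytes.fromhex("3003020101")  # constructed SEQUENCE{INTEGER 1}, not a real cert
EXPECTED = {"keramila.se.key": ("PEM:RSA PRIVATE KEY", "PEM:PRIVATE KEY"),
            "keramila.se.csr": ("PEM:CERTIFICATE REQUEST",),
            "keramila.se.cer": ("PEM:CERTIFICATE",),
            "RootCA.cer": ("PEM:CERTIFICATE",)}

def der_sequence_ok(data):
    """True if data is exactly one DER SEQUENCE, the outer shape of a key, CSR or cert."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    n = data[1] & 0x7F if data[1] & 0x80 else 0   # long form: n length bytes follow
    if data[1] & 0x80 and not 1 <= n <= 4:
        return False
    length = int.from_bytes(data[2:2 + n], "big") if n else data[1]
    return 2 + n + length == len(data)

def classify(data):
    """Return 'PEM:<label>', 'DER' or 'unknown'. Structural check only, no X.509 parsing."""
    m = PEM_RE.search(data)
    if not m:
        return "DER" if der_sequence_ok(data) else "unknown"
    try:
        body = base64.b64decode(b"".join(m.group(2).split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return "unknown"
    return "PEM:" + m.group(1).decode() if der_sequence_ok(body) else "unknown"

def preflight(files):
    """Map each expected file to 'ok' or the reason it will break the later openssl steps."""
    report = {}
    for name, accepted in EXPECTED.items():
        kind = classify(files.get(name, b""))
        if kind == "DER" and "PEM:CERTIFICATE" in accepted:
            kind = "DER encoded: re-export as Base-64 or convert to PEM"
        report[name] = "ok" if kind in accepted else kind
    return report

def wrap_pem(label, der=FAKE_DER):  # constructed PEM sample around DER bytes
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n".encode()

def sample_folder():  # constructed stand-ins; RootCA.cer is still the DER export
    return {"keramila.se.key": wrap_pem("PRIVATE KEY"), "keramila.se.cer": wrap_pem("CERTIFICATE"),
            "keramila.se.csr": wrap_pem("CERTIFICATE REQUEST"), "RootCA.cer": FAKE_DER}

if __name__ == "__main__":
    folder = sample_folder()
    print("before:", preflight(folder))
    folder["RootCA.cer"] = ssl.DER_cert_to_PEM_cert(FAKE_DER).encode()
    print("after: ", preflight(folder))
```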

Installation of certificates on the Clavister Firewall

1. As mentioned in the introduction, you should already have a L2TP over IPsec configured and verified that it works with a PSK.
2. Now we should create new certificates but for the Firewall, we can do this with openSSL as before, the only thing that we do not need is a pfx file so just follow the same instructions as for the client but save them in a new folder, this cert must also be signed by the CA. Once we have the private key and the signed certificate we can transfer them to the cloud. (we named the cert gw_cert and the key gw_cert.key)
3. First we need to create 2 key ring entries, the rootCA and the gateway certificate. Basically the rootCA will be used for communication from the Firewall to the CA server and the gateway certificate will be used for communication between the Firewall and the Windows 10 machine, using a chain of trust.
4. Log in to the Firewall webUI and go to ‘Objects – Key Ring - +Add Certificate’. First we’ll add the root CA; I named it RootCA and set ‘CRL check’ to ‘Disable’. Next I uploaded the certificate (not any key); the source should be left at its default, which is upload. Then press ok.
5. Press add again, name it GW_cert1 and once again set ‘CRL check’ to ‘Disable’. This time we should upload the client certificate (gw_cert.se) and the key (gw_cert.se.key). As with the previous entry the source should be upload; press ok. Note that with the CRL check disabled the firewall does not check certificates against the CRL published by the CA, so a revoked certificate is still accepted.
6. Next go to ‘Network – Ipsec - Authentication’ and change Pre-shared key to X.509 Certificate. Change the Gateway certificate to GW_Cert1 and add the Root_CA as root certificate, which figure 26 illustrates.

7. Save and activate the configuration.

Windows 10 VPN configuration

1. Configure the VPN as usual and in the advanced settings under VPN type use ‘L2TP/IPsec with certificate’.
2. Verify connectivity.


