Active Directory Certificate Services is the Windows implementation of Public Key Encryption (PKI). ADCS is needed whenever you are hosting a web server that needs to encrypt data over the wire. Instead of buying a public certificate, you implement your own trusted internal Certificate Authority (CA), deploy the Root Certificate to your clients through GPO, and then you can create as many web server certificates as you want.

My deployment consists of two servers with Windows Server 2019. The first server will be the Offline Root Certificate Authority (offline because it will be offline for most of the time) and will not be part of the domain. The second server will be a domain member and will be the Issuing CA.

So on the first server, install the ADCS role on the Workgroup server in Server Manager:

Under Role Services, select Certification Authority.

After the role installation, proceed with the configuration.

This server will be the Standalone Root CA, the domain member will be an Enterprise Subordinate CA.

Create a new private key. SHA256 should be just fine for the hash algorithm with a key length of 2048.

Give the CA a name.

The offline Root CA should be valid for 10 years. The online CA for 5.

Here a recap of the settings we chose.

Before configuring the second server, let's change the Authority Information Access (AIA) and the CRL Distribution Point (CDP). These must be reachable by clients at any time. Open the properties and head to extensions. Remove all the distribution points on the CDP and create these ones (I am not sure if IDP is needed, please let me know):

http://www.ajni.it/pki/<CRLNameSuffix><DeltaCRLAllowed>.crl

file://C:\Cert\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

Here is the only distribution point for AIA:

http://www.ajni.it/pki/<CertificateName>.crt

Change the validity period of the Subordinate CA certificate we are just going to issue and the CDP (5 years for the Subordinate CA and one year for the CDP):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\AJNI-Root-CA

Now let's install and configure the second online CA server. The feature installation wizard is the same as on the first server. The configuration is slightly different.

Like previously mentioned, we are using an Enterprise Subordinate CA.

We are creating a new key. The hash algorithm is also SHA256 with a key size of 2048.

The certificate request will be uploaded to first server and digitally signed by the offline Root CA.

Here is once again the summary of all configured settings.

Now upload the certificate request file to the first CA. Open the Certification Authority MMC on the first server and submit a new request.

Under Pending Request you should see your request (it might take a few seconds). Here you can issue the certificate.

Save the signed certificate to a file as a DER format. Also, copy the Root certificate to the second server and install it in the local certificate store.

On the online CA, start the ADCS service and install the signed certificate from the offline CA.

Select the previously saved file.

You will probably get an error when attempting to start the service because the CDP is not reachable (http://www.ajni.it/pki/...). With pkiview.msc, you can check if the distribution point are reachable and up-to-date:

Now you will need a webserver where these files are going to be hosted. I will install IIS on the same server, but it is highly recommended to host it on a separate server.

Change IIS configuration to respond to requests with the DNS name www.ajni.it:

Create a DNS entry pointing to the server:

Create the CRL file on the offline Root CA and copy them to the IIS root folder (in my case it's C:\inetpub\wwwroot\pki):

The file will be created under C:\cert. We'll also need the Root CA file. The file name needs to be Ajni-Root-CA.crt though.

Here the file inside the IIS folder:

On pkiview.msc, everything should be green on the Ajni-Root-CA. When dealing with Delta CRL, IIS might block downloads because of double escaping. To solve that allow double escaping on IIS under Request Filtering:

Now that the CDP is reachable, the Subordinate CA can be started without any issues. Like on the Root CA, we have to change CDP and AIA locations:

file://C:\inetpub\wwwroot\pki\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

http://www.ajni.it/pki/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

With the above configuration, CRL and delta CRL will be automatically published to the IIS root folder.

Publish the first CRL manually (you need to revoke one certificate, otherwise, the list will not be created. Do that through certlm.msc). Afterward, everything should be green in pkiview.msc.

Publish both CRL and Delta CRL.

The files should be created inside C:\inetpub\wwwroot\pki. The Subordinate CA certificate has to be copied manually and named properly. You can ignore the fact that I have 2 Subordinate CA certificates. You should only see one.

Pkiview.msc is also happy:

After everything is set, you can shut down the offline CA. You only have to start it once a year when publishing the CRL.

At last, publish the Root certificate in Active Directory with certutil. This can be also achieved with GPO.

certutil.exe -f -dspublish AJNI-Root-CA.crt RootCA

A while ago I made a blog post about Differencing Disks in Hyper-V. If you mainly work with Hyper-V, you should check it out: https://www.ajni.it/2019/10/hyper-v-create-a-master-vhdx-to-save-tons-of-space/. VMware Workstation utilizes a similar concept, called Linked Clones.

Linked Clones use a read-only disk as a reference, changes made to the VM are written into a separate writable disk. This technique allows us to save disk space and create a lot of VMs. Changes, at least in the beginning after the OS installation, are very small.

Install Windows 10 or Windows Server along with VMware Tools and then Sysprep your VM.

Now the template can be "cloned"

In VMware, a Differencing Disk is called Linked Clone. Just like in a snapshot, a linked clone uses a base read-only disk and saves changes into second, writable disk.

Now a name for the new VM can be inserted.

After booting up the new VM, we can see that the writable disk only consumes 7MB. 4GB are used for the memory state.

This feature is awesome for home labs. You can create multiple VMs off of that single base disk. In a lab, changes are usually very small, so you can save a ton of space using this method. I would not recommend updating your system through Windows Updates or enabling Bitlocker.

If for some reason the base disk is corrupt or lost though, every VM will be affected.

Here is a cool trick that not everyone might know (I didn't).

If you want to open Task Manager inside an RDP session, CTRL+ALT+DEL won't work, right? That key combination would trigger on your local computer.

For remote sessions, there is CTRL+SHIFT+ESC.

This shortcut directly opens Task Manager, no additional steps required!

Today I got a new Linux VPS, therefore I decided to show you all the steps I took to migrate to my WordPress site to the new server.

So let's get started.

Firstly, it is always good practice to update the OS.

apt update

apt upgrade

Install apache2

apt install apache2

Install php7.3. By default, version 7.3 will not be detected. The repository PPA must be added. You might need the first command if the "add-apt-repository" is not available.

apt install software-properties-common

add-apt-repository ppa:ondrej/apache2

apt-get install php7.3

You should see the Apache2 default site if you enter the IP address in your browser:

Now enable the MySQL extension in the PHP config file:

nano /etc/php/7.3/apache2/php.ini

Remove the comment (semicolon) at extension=pdo_mysql. You can search with CTRL+W in Nano GNU editor.

CTRL+X saves the file.

Now install php7.3-mysql

apt-get install php7.3-mysql

The root directory of your WordPress files can be created:

mkdir -p /var/www/website

Make a config file for Apache2 from the default config.

cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/website.conf

Change the config file. ServerName and ServerAlias should be your site name along with the DocumentRoot.

I use https exclusively, check my tutorial if you want to know how it is done (I highly recommend using https): https://www.ajni.it/2019/06/claiming-a-free-ssl-certificate-for-your-website/

nano /etc/apache2/sites-available/website.conf

Enable the site:

a2ensite website.conf

Reload the service like advised.

service apache2 reload

Download the latest WordPress version from https://wordpress.org/latest.tar.gz.

Since I am doing a migration, I just unzipped the files from my backup.

cd /var/www/website

wget https://wordpress.org/latest.tar.gz -O wordpress.tar.zip && tar -xzvf wordpress.tar.zip

mv wordpress/* .

Install MySQL server

apt-get install mysql-server

Now create a new database and a user in MySQL. As root you don’t have to enter a password.

mysql -u root -p

CREATE DATABASE wordpress;

CREATE USER 'someusername'@'localhost' IDENTIFIED BY 'somepassword';

GRANT ALL PRIVILEGES ON wordpress . * TO 'someusername'@'localhost';

I have to import the WordPress database from backup:

mysql -u root -D wordpress < db_20-05-2020.db

exit

Now you can access the WordPress through a browser, you will be asked to enter a site name, username with a password, etc.

You might also need to enable URL rewriting for Permalinks.

a2enmod rewrite

Disabling the default site is also a good idea

a2dissite 000-default.conf

There are some other important things you should enable in order to secure your server properly.

nano /etc/apache2/apache2.conf

These lines will not advertise the Apache2 version, enforce TLS 1.2 and strong ciphers, while unsafe ones (like MD5) are discarded.

ServerTokens Prod

SSLProtocol TLSv1.2

SSLHonorCipherOrder On

SSLCipherSuite ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS:!AESCCM

service apache2 restart

That's it. If you have questions, just comment down here!

A few days ago I bought a very cheap Virtual Private Server (VPS) – check my post here: https://www.ajni.it/2020/03/quick-tip-cheap-private-servers-on-the-cloud/

It was very cheap (4$ or 3.75€ annually), but with a lot of gotchas.

One of them is Ubuntu 18.04 Minimal, which means a lot of packages will not be pre-installed, causing a lot of pain when installing services like in my example OpenVPN.

Here is how I managed to install OpenVPN on Ubuntu 18.04 Minimal.

Updating the system:

apt update

apt upgrade

Install OpenVPN

wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh

The first problem occurs with the root CA certificates:

Install the root certificates in order to trust them:

apt-get install ca-certificates

After re-running the command, another error shows up:

Install the next package (iptables):

apt-get install iptables

And finally, the OpenVPN setup can be run:

I had to set a custom port, because only specific ones were NAT’d to my server. You might leave the port to default. I am also using 1.1.1.1 for DNS.

After the setup is finished, a configuration file will be created. This file contains the public certificates and private key that are mandatory for the connection. It can be imported into the OpenVPN client (Windows) through the GUI.

On Linux, a simple

openvpn configfile.ovpn

does the trick.

If you are looking for a VPS with good performance, check out Evolution Host at https://evolution-host.com/vps-hosting.php.
They offer virtual servers starting at 5€ per month.