NIPR NCVI v4.0.0
Maintenance Guide
for COMPOSE v4.0.0
Document Version 1.01
March 2016
DISTRIBUTION STATEMENT D: Distribution authorized to the Department of Defense and U.S. DoD contractors only; Software Documentation, 17 April 2012. Other requests shall be referred to PMW 160, PEO C4I.
DESTRUCTION NOTICE: For UNCLASSIFIED, limited distribution of documents, destroy by any method that will prevent disclosure of contents or reconstruction of the document.
Record of Changes
Change Number | Date | Document Version | Description of Change |
 | 3/29/2016 | 1.01 | Updated email address for Pacific Region LRA/RA |
Documentation Conventions
Document Item | Convention | Example |
Screen elements (buttons, menu options, system options, fields, tabs, window names, screen names, dialog boxes, radio buttons, and checkboxes) | Bold | When you are done, click OK. |
Applications | Bold | Open Internet Explorer. |
Indicate sequential actions | Bold, separated by arrow icons ( →) or dash and right angle bracket ( -> ) | To open the dialog box, click File → Style → Configure. |
User-initiated data entry | Marked by quotation marks | Type “Yes” at the command prompt. |
System Responses | Boldface italics and marked by quotation marks. | “That is not a valid entry.” |
Names of the keys on the keyboard | All CAPS and enclosed in square brackets. | Press the [ENTER] key. |
File names, command-line entries | Courier New font | To change the configuration, open c:\settings.conf in a text editor. |
Variables in file names, command-line entries | Courier New font and marked with <angle brackets> | To change the configuration, open <install directory>\settings.conf. Please enter the <IP address> of your computer. |
NOTES, WARNINGS & CAUTIONS | Notes, warnings and cautions will appear in text boxes throughout the document. | |
Table of Contents
2 NCVI Maintenance Procedures
2.3 Review, Backup, Archive and Delete the SVA Logs
2.4 Backing Up, Archiving and Deleting Historical Audit Records
2.5 Copy the Backup of VA, CRL and Configuration Files to CDROM
2.6 Remove Old Log and Configuration Files
2.7 Install New DoD CA Certificates
2.8 Renewing SVA Administration Server SSL Certificate
2.9 Generate an SSL Certificate Request for the VA Admin Server
2.10 Remove the Passphrase from the Admin Server SSL Private Key
2.11 Submit Certificate Request
2.12 Retrieve and Install Certificates
2.13 Renew SVA OCSP Signing Certificate
2.14 Renew the SVA OCSP Signing Certificate
2.15 Update DV Enterprise Clients with New SVA OCSP Signing Certificate
2.16 Update DV Standard Clients with New SVA OCSP Signing Certificate
2.17 Update Tumbleweed DV Standard Group Policy Settings
2.18 Renew NOC MVA Certificate
2.19 Flush SVA CRL/OCSP Database SOP
2.21 CRL/OCSP Database Flush
2.22 Manual CRL Import Procedures
2.23 Download CRLs to the SVA
2.24 Configuring the SVA Server for Manual CRL Imports
2.25 Verifying CRLs Published to SVA Server
2.26 Remove the Manual CRL Import Configuration
3 Domain Controller Certificate Renewal SOP
3.3 Create the Required Scripts and Files for DC Certificates
3.4 Copy each DCinfo… Folder to the Appropriate Domain Controller
3.5 Create the Certificate Request for each DC in the Domain
3.6 Locate Certificate Requests for Domain Controllers
3.7 Submit Certificate Requests
3.8 Retrieve the DC Certificates
3.9 Install the DC Certificates on the Domain Controllers
3.10 Update the AD DC Store
3.11 Back-up the Domain Controller Certificate
4 Member Server IIS Website Certificates
4.2.1 Generate Certificate Request for IIS Server
4.2.2 Submit IIS Server Certificate Request
4.2.3 Retrieve COMPOSE Member Server Certificates
4.2.4 Install and Replace the New COMPOSE Member Server Certificate
4.2.5 Backup the COMPOSE Member Server Certificate
4.3 Restore IIS Server Certificate to Web Server
5 SmartCard Logon Management
5.1 Enable SmartCard Only Logon
5.2 Disable SmartCard Only Logon
List of Tables
Table 1 – Restoring Backup Data
Table 2 – Copy the Backup of VA, CRL and Configuration Files to CDROM
Table 3 – Removal of Old Log and Configuration Files
Table 4 – Installing New DoD CA Certificate(s)
Table 5 – Generate SSL Certificate Request
Table 6 – Remove Passphrase from Admin Server SSL Private Key
Table 7 – Submit Certificate Request for SVA Administration Console from DoD CA
Table 8 – Retrieve DoD-Issued Certificate for SVA Administration Console from DoD CA
Table 9 – Renew the SVA OCSP Signing Certificate
Table 10 – Update SVA Signing Certificate in DV Enterprise Clients
Table 11 – Update SVA Signing Certificate in DV Standard Client Configuration
Table 12 – Update DV Standard Group Policy
Table 13 – Renew the NOC MVA Certificate
Table 14 – CRL/OCSP Database Flush
Table 15 – Download CRLs
Table 16 – Import the Vpublish Dod Stand Alone.txt Configuration File
Table 17 – Verify CRLs Published to SVA Server
Table 18 – Remove the Manual CRL Import Configuration
Table 19 – Obtain DC GUID and Create Batch Files
Table 20 – Copy each DCinfo folder to Appropriate DC
Table 21 – Create Certificate Request for DCs
Table 22 – Gather DC Certificate Files
Table 23 – Submit Certificate Requests
Table 24 – Retrieve the DC Certificates
Table 25 – Install the DC Certificates on the Domain Controllers
Table 26 – Update the AD DC Store
Table 27 – Backing up the Domain Controller Certificates
Table 28 – Generate Certificate Request for IIS Server
Table 29 – Submit Certificate Request
Table 30 – Retrieve DoD-Issued Certificates
Table 31 – Install and Replace IIS Server Certificate(s)
Table 32 – Backup/Export the IIS Web Server Certificate
Table 33 – Import Exported Certificate into Server’s Certificate Store
Table 34 – Configure User Account(s) to Force SmartCard Logon(s)
Table 35 – Configure User Account(s) to Not Require SmartCard Logon(s)
1 Introduction
This document describes the procedures for maintaining the Navy Certificate Validation Infrastructure (NCVI) system on the Non-secure Internet Protocol Router Network (NIPRNET) shipboard network. It provides guidance for both routine and non-routine maintenance.
The Ship Validation Authority (SVA) Server requires periodic maintenance to ensure that it is working as designed and to prevent backups and logs from filling the server’s hard drive. Also, over time, all digital certificates expire. The procedures in this document provide guidance on properly maintaining SVA server backups and logs, and give the steps to update and replace expiring digital certificates for the various servers on the ship’s NIPR network. As certain certificates are replaced on the network, other NCVI configurations must be updated to accept the new certificates so that the NCVI structure continues to work properly.
2 NCVI Maintenance Procedures
Corrective and Preventive Maintenance of the NIPR NCVI SVA must be performed periodically. This section of the document provides various procedures required to maintain the NIPR NCVI SVA system.
- Restore Backup Data
- Image the SVA Server
- Review and Archive the SVA Admin Server audit logs
- Install new Department of Defense (DoD) Certificate Authority (CA) certificates
- Renew the SVA Server Administration SSL Certificate
- SVA Certificate Revocation List (CRL) / Online Certificate Status Protocol (OCSP) Database Flush
2.1 Restore Backup Data
A System Administrator can restore all the SVA configuration data or individual configurations. Restoration of all data can be done manually. This procedure would be followed if there were problems with the SVA server and it was reloaded. This would return the SVA server back to a previously working condition. A System Administrator can restore:
- Certificates
- Private keys
- VA configuration
- Apache configuration
- Revocation data
Table 1 – Restoring Backup Data
2.2 Image the SVA Server
Imaging the SVA server is the process of making a full backup (or complete image) of the server which will allow for the restoration of the server from a certain point in time. This image can be applied to the SVA server and return it to normal condition in one “restore” operation. Upon restart of the SVA server, the only updates that should be needed are CRL Deltas from the NOC MVA server, antivirus updates, and system updates that have occurred since the SVA server was backed-up/imaged.
- Create an image of the server every time any server software is upgraded, or any configuration value is changed.
- Create an image periodically (suggest once every three months).
NOTE | The SVA Server downloads CRLs twice a day. Having a backup/image that is not too old will help with returning the SVA to full operation faster if a casualty to the SVA were to occur. |
- Use the current imaging capabilities available at your site to perform the image capture of your VA server (e.g., Acronis, Symantec, etc.).
- Always keep an image of the VA, stored in a fire-rated container not co-located with the site.
- Keep the backup for three (3) years, stored in a fire-rated container not co-located with the site.
2.3 Review, Backup, Archive and Delete the SVA Logs
Audit trails should be reviewed regularly for inappropriate or unusual activity. Logs from the following directories need to be reviewed, archived, and deleted.
Archive and deletion of the on-line historical audit records must be performed periodically in order to keep the disk from reaching its capacity. The frequency of archive and deletion is dependent on the OCSP traffic on the network.
2.4 Backing Up, Archiving and Deleting Historical Audit Records
In compliance with the NCVI CPS, the following are the requirements for Audit Records:
- Backup all records older than 90 days.
- Verify the records were successfully copied to your archive media.
- Delete from your SVA system the records that were successfully archived.
- Keep the archived records for three (3) years, stored in a fire-rated container not co-located with the site. The sites may also delete CRLs older than 5 days.
2.5 Copy the Backup of VA, CRL and Configuration Files to CDROM
Perform the following procedure, as per the site’s routine backup schedule:
Table 2 – Copy the Backup of VA, CRL and Configuration Files to CDROM
STEP | DESCRIPTION |
Log in to the SVA Server as domain administrator. | |
The Backup Configuration places the VA config, VA log and CRL files in the E:\Program Files\Tumbleweed\VA\ServerBackups\<DATE/TIME>\ folders. The CRLs were backed up into these directories and can be deleted to reduce the size of the folder prior to copying log and configuration files to CDROM. Open each of the backup subdirectories and go to the ..\ServerBackups\<DATE/TIME>\entserv\ sub-folder. The configuration files are located here, as well as a crls sub-folder. Delete only the crls sub-folder from these backups. | |
Create a folder named Backups off the root of the E: drive (if not already present). Create a sub-folder under the E:\Backups\ folder, with the server name and date (e.g., ShipVA_25Jun15). | |
Copy the following folders/files into the backup folder: E:\Program Files\Tumbleweed\VA\ServerBackups\* (copy last 2 weeks, or any other folders that were not previously backed up and removed.) | |
Navigate to the E:\Backups\ folder, right-click on the date stamped current backup (e.g., E:\Backups\ShipVA_25Jun10\) folder, select Send To and then Compressed (zipped) Folder. | |
Copy the compressed folder to a workstation that has CD Burning software (e.g., Easy CD Creator) and burn this backup to a DVD. | |
Remove the old files from the system using the procedures in the next section. |
2.6 Remove Old Log and Configuration files
- After the DVD backups are complete, backed-up files older than 90 days should be removed from the SVA server hard drives.
- Verify the DVD media created in the previous section is valid and files are readable prior to deleting.
Table 3 – Removal of Old Log and Configuration Files
STEP | DESCRIPTION |
If not already logged in, log onto the SVA Server as a domain administrator. | |
In the E:\Backups\ folder, delete all folders older than 90 days. | |
In the E:\Program Files\Tumbleweed\VA\ServerBackups\ folder, delete all sub-folders (all the backup folders should already be located in the E:\Backups folder). |
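The backup and clean-up steps of Tables 2 and 3 in script form, as an added PowerShell example that is not part of the original guide. It assumes PowerShell 5 or later on the SVA server (for Compress-Archive) and uses the folder names and retention periods the two tables give; the destructive Table 3 step only runs when -PurgeOld is passed, after the DVD has been verified.

```powershell
# Added example (not from the original guide): collect the recent VA ServerBackups
# folders into E:\Backups\<server>_<date>, drop the crls sub-folders from the copy,
# zip the result for burning, and (only with -PurgeOld) remove backups older than
# 90 days as Table 3 directs.
# Assumption: PowerShell 5+ (Compress-Archive); paths are the ones the guide names.

param(
    [string]$ServerBackups = 'E:\Program Files\Tumbleweed\VA\ServerBackups',
    [string]$BackupRoot    = 'E:\Backups',
    [int]$RecentDays       = 14,   # Table 2: copy the last 2 weeks of backups
    [int]$RetentionDays    = 90,   # Table 3: delete backups older than 90 days
    [switch]$PurgeOld              # destructive; run only after the DVD media was verified
)

# Date-stamped target folder, e.g. E:\Backups\SHIPVA_25Jun15 (the guide's naming).
$stamp  = Get-Date -Format 'ddMMMyy'
$target = Join-Path $BackupRoot ("{0}_{1}" -f $env:COMPUTERNAME, $stamp)
New-Item -ItemType Directory -Path $target -Force | Out-Null

# Copy every <DATE/TIME> backup folder written within the last $RecentDays days.
$cutoff = (Get-Date).AddDays(-$RecentDays)
Get-ChildItem -Path $ServerBackups -Directory |
    Where-Object { $_.LastWriteTime -ge $cutoff } |
    ForEach-Object {
        Copy-Item -Path $_.FullName -Destination (Join-Path $target $_.Name) -Recurse -Force
    }

# Table 2: the CRLs were backed up as well; remove the crls sub-folders from the
# copy (not from the live server) so the archive carries only config and log files.
Get-ChildItem -Path $target -Directory -Recurse |
    Where-Object { $_.Name -eq 'crls' } |
    Remove-Item -Recurse -Force

# Zip the date-stamped folder; this replaces Send To -> Compressed (zipped) Folder.
$zip = "$target.zip"
Compress-Archive -Path $target -DestinationPath $zip -Force
Write-Host "Archive ready to copy to the CD-burning workstation: $zip"

if ($PurgeOld) {
    # Table 3: remove E:\Backups entries older than the retention period, then clear
    # the ServerBackups folder (its contents are already under E:\Backups).
    $old = (Get-Date).AddDays(-$RetentionDays)
    Get-ChildItem -Path $BackupRoot |
        Where-Object { $_.LastWriteTime -lt $old } |
        Remove-Item -Recurse -Force
    Get-ChildItem -Path $ServerBackups -Directory | Remove-Item -Recurse -Force
}
```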
2.7 Install New DoD CA Certificates
In order to receive CRLs from any new DoD CA, the SVA server must be configured with the certificate(s) of the new CA(s). The Ship’s VA Administrator will be informed via a FAM that there are new DoD CA(s) that need to be installed in the Ship’s NCVI configuration. Normally the FAM will be related to a new InstallRoot.exe that is available for download. The procedure below downloads the new DoD CA certificate(s) from the NOC MVA server and adds them to the SVA server configuration.
Table 4 – Installing New DoD CA Certificate(s)
STEP | DESCRIPTION |
Log into the SVA Server as a domain administrator. | |
Double-click on the Tumbleweed Validation Authority(TM)’s Administration shortcut. | |
If a prompt appears stating there is a problem with this website’s security certificate click the Continue to this website (not recommended) hyperlink to continue. | |
At the USG Warning and Consent Banner page, click the OK button. | |
Enter a SVA administrator’s login credentials and click the Login button. | |
From the CONFIGURATION menu, click on Keys and Certificates → Certificates. | |
On the Manage Certificate Store page, under the Mandatory Stores section, select the CA Certificates [OCSP Protocol] radio button, scroll to the bottom of the page and click the Submit button. | |
On the Configure VA Certificate Store page, in the upper right-hand corner of the page, click the Add button. | |
On the Certificate Import Method page, select the VA Server radio button and click on the Submit Certificate Import Method button. | |
On the Import Certificates from VA Server page, enter mva.nocv.navy.mil in the Host Name: field and 80 in the Port: field. Leave the Use SSL checkbox unchecked and click the Get VA Certificates button. | |
On the Select Certificates page, ensure the Select All checkbox is checked, scroll to the bottom of the page and click Submit Certificates. Note! This procedure assumes the NOC MVA Server has been updated with the new certificate(s) prior to release of the FAM. | |
When the Configure VA Certificate Store page returns, note that the Certificate Count: in the top left-hand section of the page has gone up. | |
From the CONFIGURATION menu, click the Start/Stop Server menu option. On the Server Start/Stop page, click the Restart Server button. |
2.8 Renewing SVA Administration Server SSL Certificate
The SVA Administration server certificate will need to be renewed once every three years since server certificates are only good for a period of three years. Prior to the certificate expiring, the SVA server should send notices to the VA Administrators distribution group notifying that the certificate will expire soon. The certificate renewal process should be started 60 days prior to the expiration of the current certificate.
NOTE | In this procedure, the process of obtaining a DoD Server certificate, as per the steps below, may take 1 or more days to complete. |
2.9 Generate an SSL Certificate Request for the VA Admin Server
Perform the steps below to generate the certificate keys and request file for the VA Administration Server SSL certificate:
Table 5 – Generate SSL Certificate Request
STEP | DESCRIPTION |
Log on to the SVA server as a domain administrator. | |
Double-click on the Tumbleweed Validation Authority ™’s Administration shortcut. Note! If a prompt appears stating there is a problem with this website’s security certificate click the Continue to this website (not recommended) hyperlink to continue. | |
At the USG Warning and Consent Banner page, click the OK button. | |
Enter a SVA administrator’s login credentials and click the Login button. | |
From the CONFIGURATION menu, select Keys and Certificates and Create/Import Private Key. | |
On the Key Type Selection page, under the Mandatory section, select the SSL Communication For Admin Server radio button and click the Submit Key Type button. | |
On the Key Generation/Import Mechanism: SSL Communication For Admin Server page, select the Generate/Import Software Key radio button and click the Submit Key Generation Technique button. | |
On the second Key Generation/Import Mechanism: SSL Communication For Admin Server page, select the Generate new private key radio button and click the Submit Key Generation Or Import button. | |
On the Generate Software Key and Certificate: SSL Communication For Admin Server page, enter the following: Private Key Parameters *Server Password: (Password will be grayed out). *Friendly Key Name: Note! Enter a name for this key. Each time a certificate key is generated, it will need a unique Friendly Key Name. e.g., Admin_SSL4March 2015 *Key Expiration in days: ‘0’ *Key Algorithm: RSA *Key Length: 2048 *Hash Algorithm: SHA1 Certificate Request Information *Type: Certificate Request Ensure the Simple DN Entry: radio button is selected. Country: United States of America State and City fields: blank Organization: U.S. Government Department: DoD,OU=PKI,OU=USN *Common Name: Shipva.<Domain FQDN> e.g., shipva.cvn65.navy.mil Email Address: va_administrators@cvn65.navy.mil Certificate Request Options Leave the password fields blank. Scroll to the bottom of the page and click the Submit button. | |
A SUCCESS! page will display. If you want to view the certificate information, click on the Click here to view certificate information link on the page. Note! The certificate request will be saved as a file under the E:\Program Files\Tumbleweed\VA\entserv\.ckbak folder and named SSL_COMM_<Date/Time stamp>.req. Note! To make the certificate request process a little easier, save a copy of the certificate request file in a shared network location that can be accessed later. | |
If the SUCCESS! page does not display, but instead the Operation Failed. Please check the admin logs for detailed information error is displayed, proceed with the following: Click the Back button on the browser to go back to the Generate Software Key and Certificate: SSL Communication for Admin Server page. For the Friendly Key Name, enter a new name (different from the previous attempt). Ensure all other information is still entered correctly and select Submit. |
2.10 Remove the Passphrase from the Admin Server SSL Private Key
Perform the following steps to remove the passphrase from the private key generated in the previous section. By removing the private key passphrase the Admin Server will start without requiring the user to enter the passphrase.
Table 6 – Remove Passphrase from Admin Server SSL Private Key
STEP | DESCRIPTION |
Create a backup copy of the adminserver.key file. Navigate to the E:\Program Files\Tumbleweed\VA\entserv\ folder. Right-click adminserver.key and select Copy. Right-click in the white area of the Explorer window and select Paste. Right-click on the new file adminserver - copy.key and select Rename. Rename the file to adminserver.key.bak. | |
Remove the passphrase. Click Start and then Command Prompt. Change directories to the E:\Program Files\Tumbleweed\VA\entserv\ folder: E: [ENTER] cd \Program Files\Tumbleweed\VA\entserv\ [ENTER] Remove the passphrase: ..\tools\openssl rsa -in adminserver.key -out adminserver.key [ENTER] Note! A warning may appear that states: “WARNING: can’t open config file: /usr/local/ssl/openssl.cnf.” This message may be safely ignored. Enter the password when prompted. | |
Verify the passphrase has been removed. Click Start → Administrative Tools → Services. At the UAC prompt, click the Continue button. Scroll down in the list of services and locate the Tumbleweed VA Admin service. Right-click the Tumbleweed VA Admin service and select Restart. If the service restarts without requiring a password to be entered, then the passphrase has been removed. If prompted to enter a password, repeat step 2 (above) to remove the passphrase. |
2.11 Submit Certificate Request
The next step in requesting a DoD issued certificate for the SVA server, is to submit a certificate request to a DoD CA server.
Table 7 – Submit Certificate Request for SVA Administration Console from DoD CA
STEP | DESCRIPTION |
Log on to a domain workstation as a domain user. | |
To determine the DoD Certification Authority (CA) server that will be used to obtain a new Server Certificate, open Internet Explorer and browse to https://infosec.navy.mil/PKI/server.jsp. | |
Infosec’s web site will list the DoD CAs that are available to request new certificates. Click on the hyperlink for one of the listed DoD CA URLs provided on the Infosec webpage. | |
If a prompt appears indicating that there is a problem with the website’s security certificate, click Continue to this website (not recommended). | |
At the DoD Warning prompt, click OK. | |
For the selected DoD CA website, the Certificate Profile page will display. | |
Ensure the Enrollment tab is selected. Click on Regular 2048-bit SSL Server Enrollment. If a Web Access Confirmation prompt is displayed, click Yes. The Certificate Profile page for the specific enrollment displays. Open the VA server certificate request using Notepad. In Notepad, from the Format menu select Word Wrap. Note! Keep the Server Certificate Enrollment window displayed in the browser. Copy the certificate information from Notepad into this browser screen. In Notepad, highlight all of the text for the certificate, including the “-----BEGIN CERTIFICATE REQUEST-----” header and the “-----END CERTIFICATE REQUEST-----” trailer, including all the dashes. Right-click the highlighted text and select Copy. Click on the Internet Explorer Certificate Profile browser window to make it active. For the Certificate Request Type field, ensure PKCS #10 is selected. In the Certificate Request text box, right-click and select Paste. Note! This will paste the contents of the certificate request file. Complete the following informational fields: Requestor Name: <Name>; Requestor Email: <Email>; Requestor Phone: <Phone>. Once all fields are filled in on the webpage, click Submit. The Request Successfully Submitted web page appears. This page will provide the Request ID # for the certificate. Print, or by other means document, the Request ID #. | |
Work with the local Information Assurance Manager (IAM) or Information Assurance Officer (IAO) to send a digitally signed email to the Registration Authority (RA), providing notification that the certificate requests are ready for review and approval. | |
The NAVAL COMMUNICATIONS SECURITY MATERIAL SYSTEM (NCMS) provides Registration Authority support for all server (SSL) certificates. Atlantic region installs: Merkeshia McKnight (RA), (240) 857-9865; Alesia Blake (RA), (240) 857-9735; NCMS_NAFW_NAVY_PKI@navy.mil. Pacific region installs: Michelle Hughes (RA), (808) 472-0388; NCMS_NAFW.PKI_HI@navy.mil. The following must be included in the digitally signed email: Reference Number from CA: <Request ID#> (Note! The Request ID # from CA-XX was obtained in step 7, where XX is the number of the DoD CA URL used for the certificate requests.); Host Name: <Server’s Hostname>; IP Address: <Server’s IP Address>; Region: <Location>; Base: <Base Name>; Network System Administrator (NSA): <Name of Administrator>; System Owner: SPAWAR; Security Level: UNCLASS; Applications on Server: <Description of Apps on Server> (e.g., Domain Controller, SharePoint Web Server, etc.). Note! If the requestor does not receive anything from the LRA/RA within one to two days after the initial email has been sent, resend the email or contact the LRA/RA by phone. Have the Request ID # ready for reference. |
2.12 Retrieve and Install Certificates
Table 8 – Retrieve DoD-Issued Certificate for SVA Administration Console from DoD CA
STEP | DESCRIPTION |
Log into a domain workstation as a domain user. | |
Using Internet Explorer, navigate to the URL which was used to request the server certificate. Note! If the link to the DoD CA that was used to request the certificates is unknown, the below URLs can assist in determining the correct URL to retrieve the approved certificates: https://infosec.navy.mil/PKI/server.jsp | |
If a prompt appears indicating that there is a problem with the website’s security certificate, click Continue to this website (not recommended). | |
At the DoD Warning prompt, click OK. | |
When the Certificate Profile page displays, click the Retrieval tab. | |
On the Check Request Status page, in the Request identifier: field, enter the request ID that was previously recorded and click Submit. | |
Click on the blue underlined text to the right of Issued certificate:. Note! The blue underlined text is the serial number of the certificate. Once the Certificate page displays, showing the certificate contents, scroll down to the Installing this certificate in a server section. Highlight the text under Base 64 encoded certificate, including the -----BEGIN CERTIFICATE----- header and the -----END CERTIFICATE----- trailer with all the dashes. Note! Do NOT use the section that includes the CA certificate chain. Right-click the highlighted text and select Copy. | |
Open Notepad. Paste the text copied from the webpage into the Notepad window. Click File and then Save As. Navigate to a network location that can be accessed from the SVA server. Name the file adminserver.crt. Click Save. | |
Log off the domain workstation and log back on as a domain administrator. | |
Open a Windows Explorer window and navigate to the SVA’s E: drive \Program Files\Tumbleweed\VA\entserv\ folder. \\shipva\e$\Program Files\Tumbleweed\VA\entserv\ Note! If a file named adminserver.crt is already present, rename to adminserver.crt.bak. | |
Right-click in the white area of the Windows Explorer window and select Paste. | |
Open the Tumbleweed VA Authority Server Administrative console from an Internet Explorer browser window. https://shipva:13333/cgi-bin/forms.exe | |
At the USG Warning and Consent Banner page, click the OK button. | |
At the logon prompt, enter the appropriate credentials. Note! If the SVA Administration web page doesn’t display, it may be necessary to restart both Tumbleweed services. Open the Services mmc and restart both Tumbleweed VA Server services. | |
On the Welcome to Tumbleweed Validation Authority 4.11.x page, under the Configuration menu, click on Keys and Certificates and Certificates. | |
On the Manage Certificate Store page, under the Mandatory Stores section, select the SSL Communication For Admin Server radio button, scroll down to the bottom of the page and click Submit. | |
On the Configure VA Certificate Store page, in the upper right-hand corner, click on the Add button. | |
On the Certificate Import Method page, select the Local File radio button and click on Submit Certificate Import Method. | |
On the Import Certificate File page, click on the Browse button and manually type in: \\<SVA server>\E$\Program Files\Tumbleweed\VA\entserv\ to navigate to that location on the SVA server and select the adminserver.crt file and click the Open button. | |
On the Import Certificate File page, click the Submit Certificate File button. | |
On the Select Certificates page, ensure the Select All checkbox is selected and click Submit Certificates. The new certificate will be listed in the Table on the Configure VA Certificate Store page. | |
If the self-signed shipva certificate is listed, select the checkbox to the left of the self-signed certificate line and click the Delete button above. You should now see only the new DoD issued certificate for the shipva listed. | |
Log off the domain workstation. | |
Restart the Tumbleweed VA services: | |
Log onto the SVA Server as a domain administrator. | |
Click Start → Administrative Tools → Services. | |
Scroll down and highlight the Tumbleweed Validation Authority service. | |
Right-click the Tumbleweed Validation Authority service and select Stop. | |
Right-click the Tumbleweed VA Admin service and select Restart. | |
Right-click the Tumbleweed Validation Authority service and select Start. | |
Close the Services console and log off the SVA server. |
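A post-installation check for the key and certificate handled in sections 2.8, 2.10 and 2.12, as an added PowerShell example that is not part of the original guide. It assumes it runs on the SVA server, that openssl.exe is the copy under the VA tools folder used in Table 6, and that the file names are the ones from Tables 6 and 8; it confirms the key is no longer passphrase-protected, that it pairs with the installed adminserver.crt, and how close the certificate is to the 60-day renewal window of section 2.8.

```powershell
# Added example (not from the original guide): after the passphrase has been removed
# (Table 6) and the DoD-issued adminserver.crt installed (Table 8), confirm that the
# key file is unencrypted, that it pairs with the certificate, and how many days
# remain before the 60-day renewal lead time in section 2.8 is reached.
# Assumptions: run on the SVA server; openssl.exe is the VA tools copy named in
# Table 6; file names are those used in Tables 6 and 8.

$entserv = 'E:\Program Files\Tumbleweed\VA\entserv'
$openssl = 'E:\Program Files\Tumbleweed\VA\tools\openssl.exe'
$keyFile = Join-Path $entserv 'adminserver.key'
$crtFile = Join-Path $entserv 'adminserver.crt'

function Get-Modulus([string[]]$Arguments) {
    # Runs openssl and returns the hex after "Modulus="; the openssl.cnf warning
    # mentioned in Table 6 goes to stderr and is discarded.
    $out = & $openssl @Arguments 2>$null
    ($out | Where-Object { $_ -like 'Modulus=*' }) -replace '^Modulus=', ''
}

# 1. Passphrase check: an encrypted PEM key carries a "Proc-Type: 4,ENCRYPTED"
#    header (or a BEGIN ENCRYPTED PRIVATE KEY block); an unencrypted one does not.
$keyText = Get-Content -Path $keyFile -Raw
if ($keyText -match 'ENCRYPTED') {
    Write-Warning 'adminserver.key is still passphrase-protected; repeat step 2 of Table 6.'
} else {
    Write-Host 'adminserver.key is unencrypted; the Tumbleweed VA Admin service can start unattended.'
}

# 2. Pairing check: the RSA modulus of the private key must equal the one in the cert.
$keyMod = Get-Modulus @('rsa',  '-in', $keyFile, '-noout', '-modulus')
$crtMod = Get-Modulus @('x509', '-in', $crtFile, '-noout', '-modulus')
if ($keyMod -and $keyMod -eq $crtMod) {
    Write-Host 'adminserver.crt matches adminserver.key.'
} else {
    Write-Warning 'Certificate/key mismatch: do not restart the Admin Server with this pair; re-check which request the certificate was issued for.'
}

# 3. Expiry check: X509Certificate2 loads the Base64 (PEM) file saved from the CA page.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($crtFile)
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
Write-Host ("Subject: {0}`nIssuer:  {1}`nExpires: {2:u} ({3} days left)" -f $cert.Subject, $cert.Issuer, $cert.NotAfter, $daysLeft)
if ($daysLeft -le 60) {
    Write-Warning 'Within 60 days of expiry: start the section 2.8 renewal now.'
}
```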
2.13 Renew SVA OCSP Signing Certificate
The following procedures detail how to renew the SVA’s OCSP signing certificate. The certificate expires every three years and must be renewed for NCVI to continue working properly. Once the SVA OCSP signing certificate expires, DoD-related certificates cannot be validated until a new SVA OCSP signing certificate is created. Along with the creation and installation of the new SVA OCSP signing certificate, the DV Standard and Enterprise client configurations must be updated with the new certificate.
2.14 Renew the SVA OCSP Signing Certificate
The procedures below provide guidance on creating a new SVA OCSP Signing Certificate.
Table 9 – Renew the SVA OCSP Signing Certificate
STEP | DESCRIPTION |
Log on the SVA Server as a domain administrator. | |
Double-click on the Tumbleweed Validation Authority (TM)’s Administration shortcut from the desktop. | |
If a prompt appears stating there is a problem with this website’s security certificate, click the Continue to this website (not recommended) hyperlink to continue. | |
At the USG Warning and Consent Banner page, click the OK button. | |
Enter the Administrative Login credentials and click the Login button. | |
From the CONFIGURATION menu, select Keys and Certificates → Create/Import Private Key. | |
On the Key Type Selection page, under the Mandatory section, select the Default OCSP Response Signing radio button and click the Submit Key Type button. | |
On the Key Generation/Import Mechanism: Default OCSP Response Signing page, select the Generate/Import Software Key radio button and click the Submit Key Generation Technique button. | |
On the second Key Generation/Import Mechanism: Default OCSP Response Signing page, select the Generate new private key radio button and click Submit Key Generation or Import button. | |
On the Generate Software Key and Certificate: Default OCSP Response Signing page, enter the following information: Private Key Parameters: *Server Password: (This field will be grayed out and cannot be changed.) *Friendly Key Name: (Enter a name for this key. Each time a certificate key is generated, it will need a unique Friendly Key Name.) e.g., OCSP27March2015 *Key Expiration in days (Enter 0 for never-expiring keys): 0 *Key Algorithm: RSA *Key Length: 2048 *Hash Algorithm: SHA1 Certificate Information: *Type: Select “Self-signed Certificate” *Certificate Validity (days): 1096 Ensure the Simple DN Entry: radio button is selected. Country: select United States of America. State and City: leave blank. Organization: U.S. Government Department: DoD, ou=PKI, ou=USN Common Name: shipva Email Address: VA_Administrators@<FQDN of Domain> Scroll to the bottom of the page and click the Submit button to continue. | |
A Success! page will display stating Self signed certificate for Default OCSP/SCVP Response Signing was created successfully. | |
Remove the old SVA Signing certificate. Under the CONFIGURATION menu, click Keys and Certificates → Certificates. On the Manage Certificate Store page under Mandatory Stores, ensure the Default OCSP/SCVP Response Signing radio button is selected. Scroll to the bottom of the page and click Submit. On the Configure VA Certificate Store page, two shipva certificates will be shown. Select the old shipva certificate checkbox and click the Delete button at the top left side of the page. | |
Restart the SVA server. Under the CONFIGURATION menu, click the Start/Stop Server menu option. On the Server Start/Stop page, click Stop Server → Start Server. Note! Clicking Restart Server will accomplish the same action. | |
Update of the SVA OCSP Signing certificate is complete. |
2.15 Update DV Enterprise Clients with New SVA OCSP Signing Certificate
After updating the SVA OCSP signing certificate, ALL DV clients will need to have the new SVA OCSP signing certificate added to their configurations. If this step is not done, DV Standard and Enterprise client OCSP certificate requests will stop working and the DV Enterprise clients will be unable to download VACRLs.
Table 10 – Update SVA Signing Certificate in DV Enterprise Clients
2.16 Update DV Standard Clients with New SVA OCSP Signing Certificate
After updating the SVA OCSP signing certificate, ALL Tumbleweed DV Standard clients will need to import the new signing certificate. If this step is not done, OCSP CRL responses will stop working for the Tumbleweed DV Standard clients.
Table 11 – Update SVA Signing Certificate in DV Standard Client Configuration
STEP | DESCRIPTION |
Log into a workstation as a domain administrator. Note! Use a workstation that doesn’t have any issues with its Tumbleweed DV Client configuration. | |
Note! If upon opening the Axway Desktop Validator configuration page, the options are grayed out and none can be changed, exit out from the Axway Desktop Validator console. Right-click the Axway Desktop Validator icon in the System Tray and select Close. At the You will no longer receive alert messages for Certificate Revocation Checking on you system … prompt, click the Yes button. Right-click the Axway Desktop Validator shortcut on the desktop and select Run as administrator. At the UAC prompt, click Allow. | |
Update the Axway DV Configuration for workstations by right-clicking the Axway Desktop Validator icon in the System Tray and selecting Properties. Note! If the desktop shortcut is not present, click Start → All Programs → Tumbleweed → Desktop Validator → Tumbleweed Desktop Validator System Tray Utility. This will start the Tumbleweed Desktop Validator and place an icon in the System Tray. Double-click the Tumbleweed Desktop Validator icon in the System Tray. | |
Ensure the General tab is selected. | |
Under the CA Specific Validation Options section, click the Settings button. | |
Ensure the Show Only Configured CAs checkbox is selected. Highlight the first certificate in the listing, scroll to the bottom of the listing, hold the [Shift] key down and select the last certificate in the certificate listing. Note! The certificates highlighted should only be the DoD/ECA Root certificates. | |
Click the Set Validation Options button. | |
On the CA Specific Validation Options page, under the Validation Options section, highlight the shipva.<FQDN of Domain> line that shows OCSP as the protocol and click the Edit button. | |
On the Validation Options page, click the AutoConfig button next to the shipva’s Address: text box. | |
When prompted that Autoconfiguration was successful, click the OK button. | |
Click the OK button three times. | |
When returned to the General tab, click the Apply → OK buttons. | |
Double-click on the Tumbleweed Desktop Validator shortcut on the desktop. | |
Select the Import / Export tab. | |
Ensure the Share Configuration and Text Format radio buttons are selected. | |
Under the Configuration File Pathname section, click the Browse… button. | |
Using Windows Explorer, navigate to the \\<DC0001>\COMPOSE\Incl\OCSP\ folder and select the current DVStandard.txt file and click the Open button. | |
When returned to the Import / Export page, click the Export button. | |
When prompted that Desktop Validator configuration exported successfully, click the OK button. | |
Click the OK button to close Tumbleweed DV Standard Configuration console. | |
Log off the workstation. |
2.17 Update Tumbleweed DV Standard Group Policy Settings
The actual Tumbleweed DV Client settings are distributed to the workstations via the DV Standard Group Policy. When the workstations require the DV Standard settings to be updated, the DV Standard Group policy is updated so it will trigger all workstations to download the latest DV Standard configuration.
Table 12 – Update DV Standard Group Policy
STEP | DESCRIPTION |
Log into DC0001 as domain administrator. | |
Click Start → All Programs → Administrative Tools → Group Policy Management. | |
At the UAC prompt, click the Continue button. | |
In the left pane of the Group Policy Management console, expand Forest → Domains → <FQDN of the domain> and select DV Standard Config Policy. | |
Right-click the DV Standard Config Policy and select Edit. | |
In the left pane of the Group Policy Object Editor window, expand Computer Configuration → Policy → Administrative Templates → Classic Administrative Templates (ADM) → DESKTOP VALIDATOR and select Configuration. | |
In the right pane, double-click Settings. | |
On the Settings Properties page: update the ModificationID field to a current date/time stamp (e.g., 29Jan151530); verify the location is the correct path for the DVStandard.txt file (e.g., \\cvn65ucsDC0001\compose\incl\ocsp\DVStandard.txt); verify the Type, RefreshPeriod and MaxRefreshSalt text fields are ‘0’; click the OK button to close the Settings Properties page. | |
Close the Group Policy Object Editor and Group Policy Management windows. Note! The domain workstation DV Standard Clients will update their settings as group policies are refreshed on the workstations. | |
Log off DC0001. |
NOTE | DV Enterprise and Standard Client configurations are now updated with the new SVA OCSP signing certificate. |
2.18 Renew NOC MVA Certificate
The NOC MVA certificate expires every three years. The procedures below provide guidance on downloading and installing the latest NOC MVA certificate. Normally, a FAM will be sent that will direct the SVA administrators to download and install the new NOC MVA certificate.
Table 13 – Renew the NOC MVA Certificate
STEP | DESCRIPTION |
Log into the SVA server as a domain administrator. | |
Double-click on the Tumbleweed Validation Authority Administration shortcut from the desktop. | |
If a prompt appears stating there is a problem with this website’s security certificate, click the Continue to this website (not recommended) hyperlink to continue. | |
At the USG Warning and Consent Banner page, click the OK button. | |
Enter the Administrative Login credentials and click the Login button. | |
From the CONFIGURATION menu, select Keys and Certificates → Certificates. | |
On the Manage Certificate Store window in the right pane, under Optional Stores, select the Trusted Responder’s CRL Signing Certificates [CRL Mirroring] radio button. Scroll to the bottom of the page and click the Submit button. | |
Note! On the Configure VA Certificate Store page, you will see the old NOC MVA certificate. Click the Add button to the right side of the screen. | |
On the Certificate Import Method page, select the VA Server radio button and click the Submit Certificate Import Method button. | |
On the Import Certificates from VA Server page, enter the following: Host Name: mva.nocv.navy.mil; Port: 80; leave the Use SSL checkbox unchecked. Click the Get VA Certificates button. | |
Note! The Ship Validation Authority (SVA) server requires connectivity to the shore side NOC MVA server. If an error is received stating Error: Cannot get configuration data from VA, the shipboard VA server could not reach the shore side NOC MVA server. Verify and correct the connectivity issues preventing communications between the SVA and the NOC MVA server. If the NOC MVA server cannot be reached, perform the steps below to manually add the NOC MVA server certificate (these procedures assume a soft copy of the MVA certificate is available): (1) From the CONFIGURATION menu, click Keys and Certificates → Certificates. (2) On the Manage Certificate Store page, under the Optional Stores section, select the Trusted Responder’s CRL Signing Certificates [CRL Mirroring] radio button. Scroll to the bottom of the page and click the Submit button. (3) On the Configure VA Certificate Store page, click the Add button at the upper right hand corner of the frame. (4) On the Certificate Import Method page, select the Local File radio button and then click the Submit Certificate Import Method button. (5) On the Import Certificate File page, click the Browse… button. (6) Using Windows Explorer, navigate to the file location that contains the new NOC MVA certificate. (7) Select the NOC MVA.cer file and click the Open button. Note! The actual file sent with the FAM may be named slightly differently from this example. (8) When returned to the Import Certificate File page, click the Submit Certificate File button. | |
On the Select Certificates page, locate the old NOC MVA certificate and select the checkbox in front of it. Click the Delete button at the top of the table. | |
When prompted, Please confirm that you would like to delete the selected Certificate(s) by clicking OK below. Otherwise, click Cancel, click the OK button. | |
On the left-hand side of the window under the CONFIGURATION menu, click the Start/Stop Server menu option. The Server Start/Stop page displays. | |
On the Server Start/Stop page click the Start Server button. The Server Status: will now show on. | |
Close the Tumbleweed VA Administration console and log off the SVA server. |
2.19 Flush SVA CRL/OCSP Database SOP
This section provides the procedures required to maintain the Shipboard Validation Authority (SVA) Certificate Revocation List (CRL) database. Ships should perform these procedures at least once while in port and not while at sea. Perform them after a ship returns to port, after an SVA server is reconfigured from manual CRL downloads to automatic CRL downloads, and whenever the SVA administrator determines that CRLs are not downloading and updating properly because of problems with the base CRLs.
2.20 Background
The SVA may occasionally experience difficulties in downloading and installing the manufactured delta CRLs that download from the NOC MVA server. In the SVA Server Logs, the administrator may see statements that roughly state “Rejecting CRL for issuer (Various Certificate Authorities information). Reason: Do not have the base for delta CRL.” This error may occur from the SVA shifting its connection from a NOC MVA server of one AOR to another. It may also occur after switching the SVA server from being configured for Manual CRL updates to automatically downloading CRL updates from the NOC MVA server.
To prevent this issue from causing future problems with SVA operability, it is recommended that the SVA administrator(s) flush the CRL/OCSP databases upon a ship’s return to port or after switching from manual to automatic CRL downloads. These procedures should not be performed while the ship is underway due to bandwidth considerations: a full CRL download could be 190 MB or more of data to download from the NOC MVA server.
2.21 CRL/OCSP Database Flush
The procedures below provide guidance in flushing the CRL/OCSP databases. This essentially means the databases are emptied and will start a full database download of affected CRLs the next time the SVA Server service is started.
NOTE | Perform the steps in this SOP after the ship pulls in to port. These procedures only need to be performed once per in-port period and should not be performed when out-at-sea. |
NOTE | In the event that the CRLs had to be flushed while underway, CLO and other PKI functionality may not work properly until all applicable CRLs are downloaded. On a limited bandwidth configuration, this could take a considerable amount of time. |
Table 14 – CRL/OCSP Database Flush
STEP | DESCRIPTION |
Log into the SVA Server as a domain administrator. | |
Double-click the Tumbleweed Validation Authority Administration icon on the desktop. | |
At the USG Warning and Consent Banner page, click the OK button. | |
The Administrative Login window displays. Enter your credentials for the SVA server and click Login. The Welcome to Tumbleweed Valicert Validation Authority window appears. | |
On the left-hand side, under CONFIGURATION menu, click the Start/Stop Server menu option. The Server Start/Stop window displays. | |
On the Server Start/Stop window, click the Stop Server button. The Server Status: should now show: off. | |
On the left-hand side, under the CONFIGURATION menu, select CRLs → CRLs & OCSP Databases. The CRL Summary page displays. | |
On the Cleanup All Crls column header cell, check the checkbox to the left of Cleanup All Crls. All Certificate Authority (CA) checkboxes will now be selected with checkmarks next to Flush CRLs. | |
Scroll to the top of the CRL Summary page and click the Flush Selected Crls or OCSP DBs button. The Confirm CRL and OCSP DB Flush Action page displays. | |
On the Confirm CRL and OCSP DB Flush Action page click the Flush CRL and OCSP DB Information button. A SUCCESS! window displays. | |
On the left-hand side under the CONFIGURATION menu, click CRLs → CRLs & OCSP Databases. The CRL Summary page displays with all CAs showing CRL absent. Note! An alternate method to verify all CRLs are flushed/removed is to use Windows Explorer and navigate to the E:\Program Files\Tumbleweed\VA\entserv\crls\ folder. This folder should be empty at this point in the procedures. If for any reason there are still files in this folder, highlight the files and delete them. Never delete the crls folder itself: if the crls folder is deleted, the SVA will not restart. Only delete the files within the E:\Program Files\Tumbleweed\VA\entsrv\crls\ folder. | |
Close the Explorer window and return to the Tumbleweed SVA Administration window. | |
On the left-hand side under the CONFIGURATION menu, click the Start/Stop Server menu option. The Server Start/Stop page displays. | |
On the Server Start/Stop page click the Start Server button. The Server Status: will now show on. | |
On the left-hand side under the CONFIGURATION menu, click CRLs → CRLs & OCSP Databases. The CRL Summary page will display. | |
As the CRLs are downloaded, the CRL absent statuses will be replaced with the date/time of the last issuance of the CA CRL and the date/time the SVA downloaded the CRL from the NOC MVA server. Note! Depending on the bandwidth available, it may take a while for all CA CRLs to download to the SVA server. | |
To refresh the screen, on the left-hand side under the CONFIGURATION menu, click CRLs → CRLs & OCSP Database. | |
The CRLs will normally download in the order of the CAs listed on the CRL Summary page. After refreshing the screen, continue scrolling to the bottom of the CRL Summary page. This procedure is complete when all CA CRLs on the CRL Summary page no longer have the status of CRL absent. | |
Close the Tumbleweed Validation Authority Administration window. | |
Log off the SVA server. |
NOTE | CRL Troubleshooting: browse to the http://mva.nocv.navy.mil:80 URL. The page displayed should be mainly a white page with “Welcome to the Tumbleweed Validation Authority Server” at the top of the window. |
2.22 Manual CRL Import Procedures
This section provides procedures for the Shipboard Validation Authority (SVA) Administrator to setup the SVA server for manual CRL imports to update the Certificate Revocation List (CRL) database when the NOC MVA server is not available.
2.23 Download CRLs to the SVA
When connectivity to the RCVS server is not available, CRLs can be manually downloaded to a location on the local network. Once the CRLs are downloaded, the SVA can be configured to use these local CRLs instead of trying to connect to the RCVS server. If configured in this fashion, this process must be repeated at least weekly until connectivity to the RCVS server is established or restored. To download CRLs to the SVA, follow these steps:
Table 15 – Download CRLs
STEP | DESCRIPTION |
Log on to the SVA server as a domain administrator. | |
If not already created, on the SVA server, create the folder: E:\CRLS\. | |
Open Internet Explorer and navigate to one of the following: SIPR: https://crl.gds.disa.smil.mil or https://crl.chamb.disa.smil.mil; NIPR: https://crl.gds.disa.mil or https://crl.chamb.disa.mil. Note! If the SVA server is not configured to browse offship, the same files may be downloaded to a workstation and then copied to the E:\CRLS\ folder on the SVA server. | |
On the DoD Warning banner page click the OK button to continue. | |
On the DoD PKI Management Welcome Screen page, in the left window pane under PLEASE SELECT ONE CA, highlight All CRL ZIP and click on the SUBMIT SELECTION button directly below. | |
In the right window pane an ALL CRL ZIP Certificate Revocation List window will display. Click on the Download ZIP hyperlink. | |
When prompted Do you want to open or save this file?, click the Save button. Browse to the E:\CRLs\ folder and save the file to this location. Note! The directory path E:\CRLS is pre-configured in the vpublish_DoD_Stand_Alone_v1.0.txt configuration file which the SVA will use to load the CRLs from. This drive and folder must be used for the SVA to properly retrieve CRLs from files. | |
Open an Explorer window and navigate to the E:\CRLS\ folder. Right-click the ALLCRLZIP.zip and extract all files to the E:\CRLS\ folder. Note! Ensure that the E:\CRLs\ folder only contains the extracted CRL files. The CRLs will not be updated if the extracted files are in a folder inside of the E:\CRLs folder. | |
Close the Windows Explorer window and continue to the next section. |
2.24 Configuring the SVA Server for Manual CRL Imports
To configure the SVA server to load the CRL data from a local folder on the SVA, the vpublish DoD Stand Alone.txt configuration file must be imported to the SVA server. Perform the following steps to import the Vpublish DoD Stand Alone.txt configuration file.
Table 16 – Import the Vpublish Dod Stand Alone.txt Configuration File
STEP | DESCRIPTION |
Double-click the Tumbleweed Valicert Validation Authority Administration icon from the desktop. Note! If the SVA Administration logon page does not display, you can log on to a domain workstation as a domain administrator and manage the SVA from there. From the workstation, use the URL: https://shipva.<FQDN of the Domain>:13333/index.html | |
On the USG Warning and Consent Banner page, acknowledge the warning by scrolling to the bottom of the page and click the OK button. | |
Enter the appropriate SVA server administrator username and password. Click the Login button. | |
On the Welcome to Tumbleweed Valicert Validation Authority 4.11.1 window, in the left window pane under the CONFIGURATION menu, click CRLs → CRL import. | |
On the Configure CRL Import page, click the Upload Config button. | |
On the Upload Publisher Configuration page, click the Browse… button, and browse to the NIPR NCVI v4.0.0 for COMPOSE v4.0.0 installation media, \Configuration\ folder. | |
Select the vpublish_DoD_Stand_Alone_v2.0.txt file and click the Open button. | |
On the Upload Publisher Configuration page click the Upload Publisher Configuration button. | |
On the Configure CRL Imports page, under the CRL Source column, you should see a source for each CA’s CRL, each indicating a location in the E:\CRLs\ folder. | |
In the left window pane under the CONFIGURATION menu, click the Start/Stop Server menu option. | |
In the right window pane on the Server Start/Stop page, click the Restart Server and continue to the next section. |
NOTE | Weekly, download the latest ALLCRLZIP.zip file, extract the files to the E:\CRLs\ folder and restart the SVA Server service. |
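The extraction step in Table 15 and the weekly refresh note above both depend on the same layout rule: every CRL file must sit directly in the E:\CRLS\ folder, not in a sub-folder, or the SVA will not load it. The following Python script is an added example, not part of this guide or of the Tumbleweed product; it stages an ALLCRLZIP.zip into the CRL folder while flattening any folder inside the archive, reports layout problems (sub-folders, stray non-CRL files) and flags files older than the weekly refresh interval by modification time. The folder name, the archive member names in the constructed sample, and the use of file age as a reminder (the CRL Summary page remains the authoritative check) are assumptions.

```python
"""Added example (not from the NCVI guide): stage ALLCRLZIP.zip for the SVA
manual CRL import and check the folder layout the SVA requires."""
import zipfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Assumption: the SVA loads CRL files from this folder (the guide uses E:\CRLS).
DEFAULT_CRL_DIR = Path(r"E:\CRLS")
WEEKLY = timedelta(days=7)


def stage_crl_zip(zip_path, crl_dir=DEFAULT_CRL_DIR):
    """Extract every .crl member of zip_path directly into crl_dir, dropping any
    folder component inside the archive. Returns the sorted file names written."""
    crl_dir = Path(crl_dir)
    crl_dir.mkdir(parents=True, exist_ok=True)
    written = []
    with zipfile.ZipFile(zip_path) as zf:
        for member in zf.infolist():
            if member.is_dir():
                continue
            name = Path(member.filename).name  # flatten: keep the file name only
            if not name.lower().endswith(".crl"):
                continue  # readme or other non-CRL content is not staged
            with zf.open(member) as src, open(crl_dir / name, "wb") as dst:
                dst.write(src.read())
            written.append(name)
    return sorted(written)


def layout_problems(crl_dir=DEFAULT_CRL_DIR):
    """Return a list of layout problems: sub-folders (the SVA will not read CRLs
    inside them) and non-.crl files left in the folder. Empty list means OK."""
    crl_dir = Path(crl_dir)
    if not crl_dir.is_dir():
        return [f"missing folder: {crl_dir}"]
    problems = []
    for entry in crl_dir.iterdir():
        if entry.is_dir():
            problems.append(f"sub-folder present: {entry.name}")
        elif entry.suffix.lower() != ".crl":
            problems.append(f"non-CRL file present: {entry.name}")
    return sorted(problems)


def stale_crls(crl_dir=DEFAULT_CRL_DIR, now=None, max_age=WEEKLY):
    """Return names of .crl files whose modification time is older than max_age.
    File age only approximates the weekly refresh; the CRL's own This Update /
    Next Update fields shown on the CRL Summary page remain authoritative."""
    now = now or datetime.now(timezone.utc)
    stale = []
    for entry in Path(crl_dir).glob("*.crl"):
        mtime = datetime.fromtimestamp(entry.stat().st_mtime, timezone.utc)
        if now - mtime > max_age:
            stale.append(entry.name)
    return sorted(stale)


def demo():
    """Run the whole flow on a constructed sample archive in a temporary folder."""
    import tempfile
    work = Path(tempfile.mkdtemp())
    zip_path = work / "ALLCRLZIP.zip"
    with zipfile.ZipFile(zip_path, "w") as zf:
        # Constructed sample members: one nested in a folder, one at top level,
        # plus a non-CRL file that must not be staged.
        zf.writestr("ALLCRLZIP/DODCA_1.crl", b"constructed sample CRL 1")
        zf.writestr("DODCA_2.crl", b"constructed sample CRL 2")
        zf.writestr("ALLCRLZIP/readme.txt", b"not a CRL")
    crl_dir = work / "CRLS"
    result = {
        "staged": stage_crl_zip(zip_path, crl_dir),
        "problems": layout_problems(crl_dir),
        "stale_now": stale_crls(crl_dir),
        "stale_after_8_days": stale_crls(
            crl_dir, now=datetime.now(timezone.utc) + timedelta(days=8)),
    }
    # Reproduce the mistake the guide warns about: a folder left inside E:\CRLS.
    (crl_dir / "ALLCRLZIP").mkdir()
    result["problems_with_subfolder"] = layout_problems(crl_dir)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the SVA itself the call would be stage_crl_zip(r"E:\CRLS\ALLCRLZIP.zip") followed by layout_problems() before the server service is restarted; an empty problem list is the condition the note in Table 15 asks the administrator to confirm by hand.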
2.25 Verifying CRLs Published to SVA Server
After performing the previous steps, it will take a few minutes for all the CRLs to be published to the VA. To verify that all CRLs have been published, follow these steps:
Table 17 – Verify CRLs Published to SVA Server
STEP | DESCRIPTION |
From the CONFIGURATION menu, select CRLs → CRL & OCSP Databases. | |
On the CRL Summary page, you should see a database table listing all the DoD CA CRLs. Under the This Update (GMT) column, you will see a recent date and time listed for when the CRL was actually loaded into the CRL database. All CAs will eventually have an entry in this column. When all CA CRLs show a current date/time, the import process is complete. | |
If CRLs don’t show up or appear to be missing, log into the SVA server and check the E:\CRLs\ folder and ensure the CRL is present for the applicable CA. Also, open the vpublish DoD Stand Alone v1.0.txt file and verify the paths and file names are correct for the applicable CRL. If any changes are made to this file, the vpublish DoD Stand Alone v1.0.txt configuration file will need to be re-imported into the SVA server and the SVA server service will need to be restarted. | |
Close all Internet Explorer windows and log off SVA Server. |
2.26 Remove the Manual CRL Import Configuration
Once the issue with the SVA server not being able to connect to the NOC MVA server has been resolved, this configuration is no longer needed and could possibly interfere with regular SVA operation. To remove the manual CRL update configuration on the SVA server, follow these steps:
Table 18 – Remove the Manual CRL Import Configuration
STEP | DESCRIPTION |
Log on to the SVA server as a domain administrator. | |
Double-click the Tumbleweed Valicert Validation Authority (TMs) Administration icon from the desktop. | |
At the USG Warning and Consent Banner page, click the OK button. | |
Enter the appropriate SVA server username and password. Click the Login button. | |
On the Welcome to Tumbleweed Valicert Validation Authority 4.11.2 window, in the left window pane under the CONFIGURATION menu, select CRLs → CRL import. | |
On the Configure CRL Import window, in the right window pane, select the check box next to CRL Source. Note! By selecting this check box, it will select all the CRL source check boxes below. | |
Scroll down and click the Delete button at the bottom of the page. Note! The Configure CRL Imports page will no longer have any CRL Source entries listed. | |
In the left window pane, under the CONFIGURATION menu, click the Start/Stop Server menu option. | |
In the right window pane, under the Server Start/Stop page, click the Restart Server button. | |
Close all Internet Explorer windows and log off the SVA server. |
NOTE | Once the SVA server restarts, it will connect to the NOC MVA server to download CRLs and/or CRL deltas. If after 30 minutes none of the CRLs listed on the CRL Summary page appear to update, review the Server logs to determine the cause. |
NOTE | If the vpublish standalone v1.0.txt file has been imported numerous times (for various reasons) there may be multiple copies of CRLs listed in the table on the Configure CRL Imports page. Perform the steps above to remove the configurations for manual CRL imports and restart the SVA server service from the administrator console. Then re-import the vpublish DoD Stand Alone v1.0.txt configuration file. Restart the SVA server service. |
3 Domain Controller Certificate Renewal SOP
This section describes the Standard Operating Procedure (SOP) for domain controller certificate renewal.
3.1 Purpose
This section provides procedures to the Domain Administrator on how to renew the Domain Controller certificate and delete expired certificates from the Domain Controller certificate stores and Active Directory.
3.2 Background
The Domain Controller certificates expire three years after their issuance. For this reason, the Domain Controller certificate needs to be renewed at least thirty days prior to expiration. In addition, the expired certificate needs to be removed from the Domain Controller certificate stores and Active Directory.
3.3 Create the Required Scripts and Files for DC Certificates
Information from the Domain Controllers will need to be gathered to request and properly install the Domain Controller DoD-issued Certificates. The GrabDCinfo_v2.0.1.vbs script will create the files, folders and scripts required to request and install the DoD-Issued DC certificates.
Table 19 – Obtain DC GUID and Create Batch Files
STEP | DESCRIPTION |
Log into DC0001 as a domain administrator, if not already logged in. | |
Open a cmd prompt: Click Start, in the Start Search field enter cmd. In the listing above, right-click cmd.exe and select Run as administrator. | |
At the UAC prompt, click the Continue button. | |
At the Command Prompt window prompt, change drives to the E: drive and navigate to the E:\DC_Tools\Scripts\ folder. E: [ENTER] cd \DC_Tools\Scripts [ENTER] | |
At the Command Prompt window prompt, run the grabdcinfo script: cscript GrabDCinfo_v2.0.1.vbs [ENTER] Note! The GrabDCinfo_v2.0.1.vbs script will create a folder for each DC that exists. Under the E:\DC_Tools\ folder, the folders will be named with the FQDN of the domain controllers with a date appended to the end of the folder name. Example: DCinfoCVN75GCSDC0001.cvn75.navy.mil20180124 and DCinfoCVN75GCSDC0002.cvn75.navy.mil20180124. Within each DC’s folder, there will be three sub-folders (certs, CertTool and Scripts) and a text file named getguid<FQDN>. Example: getguidCVN75GCSDC0001.cvn75.navy.mil.txt | |
In the Command Prompt window, type exit and press [ENTER] to close the Command Prompt window. |
3.4 Copy each DCinfo… Folder to the Appropriate Domain Controller
Copy the DCinfo folder for each Domain Controller to the appropriate Domain Controller’s E: drive.
Table 20 – Copy each DCinfo folder to Appropriate DC
STEP | DESCRIPTION |
Log into DC0001 as a domain administrator. | |
Using Windows Explorer, navigate to the E:\DC_Tools\ folder. | |
Right click on the DCinfo… folder that is specific to DC0001 and select Copy. | |
Navigate to the root of E:\, right click in the white area of the window and select Paste. Note! It is possible the previous DCinfo… folder is still present in the root of the E: drive. This folder may be deleted to reduce confusion. | |
Navigate to the E:\DC_Tools\ folder. | |
Right click on the DCinfo… folder that is specific to DC0002 and select Copy. | |
Click Start → Run… and in the Open: text field, type in: \\<DC0002>\e$ and click OK. Note! Replace <DC0002> with the NETBIOS name of DC0002. | |
In the white area of the Windows Explorer window, right-click and select Paste. This will copy the DCinfo… folder to the root of DC0002’s E: drive. Note! It is possible the previous DCinfo… folder is still present in the root of the E: drive. This folder may be deleted to reduce confusion. | |
Close all Windows Explorer windows. |
3.5 Create the Certificate Request for each DC in the Domain
The procedures in the section below will create certificate request files for the Domain Controllers. This will need to be repeated on DC0002.
Table 21 – Create Certificate Request for DCs
STEP | DESCRIPTION |
Log into DC0001 as a domain administrator (if not already logged in). | |
Open a cmd prompt: Click Start, in the Start Search field enter cmd. In the listing above, right-click cmd.exe and select Run as administrator. | |
At the UAC prompt, click the Continue button. | |
At the command prompt, change drives to the E: drive and go to the E:\DCinfo<DC0001 FQDN>\Scripts\ folder. E: [ENTER] cd \DCinfo (Press [TAB] until the DCinfo<DC0001 FQDN plus date stamp> folder is shown). Press [ENTER]. cd Scripts\ [ENTER] | |
At the Command Prompt window, do a directory listing and then run the script to create a certificate request file for the Domain Controller. dir [ENTER] Note! This will give you a listing of files in this folder so the entire script filename is known. Type: DCcertReq and then press [TAB]; the rest of the file name should fill in. Example: DCcertReqCVN75GCSDC0001.bat Press [ENTER] to execute the script. When completed, you’ll be prompted with Press any key to continue… Press any key on the keyboard to continue. | |
In the Command Prompt window, type exit and press [ENTER] to close the Command Prompt window. | |
Repeat steps 1 through 5 on DC0002, substituting DC0002’s information for DC0001. | |
Return to DC0001. |
3.6 Locate Certificate Requests for Domain Controllers
After the scripts have been run to generate the certificate requests, the certificate requests need to be moved to a centralized location.
Table 22 – Gather DC Certificate Files
STEP | DESCRIPTION |
On DC0001, navigate to the E:\DCinfo<FQDN of DC0001><Date>\certs\DC_Cert\ folder and locate the certificate request file. Example: CVN75GCSDC0001.req Highlight the two files: certificate request file and the empty <DC0001 FQDN>.cer files. | |
Right click on the two highlighted files and select Copy. Navigate to a centralized/shared location on the network where the files can be easily accessed later, Paste the files. Note! When both Domain Controllers are done up to this point, there should be two DC certificate requests and two empty DC certificate files at this location on each DC. | |
On DC0001, navigate to the E:\DCinfo<FQDN of DC0001><Date>\ folder, right-click the getguid<FQDN of DC0001>.txt file and select Copy. | |
Navigate to the same network location where the DC certificate files are stored, right click and Paste the file to this folder. | |
Close all Explorer windows. | |
Repeat steps 1 through 5, substituting DC0002’s information for DC0001. | |
Return to DC0001. |
3.7 Submit Certificate Requests
Now that all the files needed for requesting certificates are ready in a single network location, the files will be used to request DoD-Issued Domain Controller certificates. The following steps provide guidance for submitting the DC certificate requests.
Table 23 – Submit Certificate Requests
STEP | DESCRIPTION |
Log into a workstation as a user that has access to the file location where the Domain Controller certificate request files are stored. | |
Open an Internet Explorer window and type in the URL of the CA which you will request the certificate from. Note! Although it is not necessary, it is recommended that the same DoD CA be used for all certificate requests. | |
On the Certificate Manager page, click on the Manual PKCS10 Domain Controller 2048-bit Certificate Enrollment hyperlink. | |
On the Certificate Profile – Manual PKCS10 Domain Controller 2048-bit Certificate Enrollment page, ensure PKCS#10 is selected for the Certificate Request Type field. | |
Open a Windows Explorer window and navigate to the network location where the Domain Controller certificate request files are stored. | |
Right click on the certificate request file for DC0001, select Open With… and select Notepad. | |
Uncheck the Always use the selected program to open this kind of file checkbox and click OK. | |
In the Notepad window, from the file menu, click Edit → Select All. | |
Again from the file menu, click Edit → Copy. | |
Close the Notepad window. | |
Back on the Certificate Request Input page, enter the following: Certificate Request: (Click in the white area of this field, right click and select Paste.) Enter the following information for a designated shipboard administrator to be the POC for this request. Requestor Name: (Enter the SVA administrator’s name.) Requestor Email: (Enter the SVA administrator’s email account.) Requestor Phone: (Enter the SVA administrator’s phone number.) | |
Return to the Windows Explorer window, navigate to the network location where the DC certificate request files are located and open the getguid<FQDN of the Domain>.txt file that is specific for DC0001 in Notepad. | |
In the Notepad window, after DNS= text, highlight the FQDN of the Server, right click the text and select Copy. | |
Return to the Internet Explorer window, right click in the text field for DNS Name and select Paste. | |
Return to the Notepad window, highlight the text after GUID: to the end of the line, right click and select Copy. | |
Return to the Internet Explorer window, right-click in the text field for GUID and select Paste. | |
Verify the entries on this request page. Once verified, click the Submit button to submit the request. Note! It is possible that by using Internet Explorer, the Submit button will not be visible. Using Firefox, follow the steps above again to submit the certificate request. | |
From the Certificate Profile page, record the request ID that is displayed. Also, take a screenshot of this page and save it for later use. | |
Close all Notepad windows. | |
From the Internet Explorer page, click the List Certificate Profiles hyperlink if DC0002’s certificate request still needs to be processed. | |
Repeat steps 3 through 19 substituting DC0002’s information for DC0001. | |
Close all Internet Explorer windows. | |
Work with the local Information Assurance Manager (IAM) or Information Assurance Officer (IAO) to send a digitally signed email to the Registration Authority (RA), providing notification that the certificate requests are ready for review and approval. | |
The NAVAL COMMUNICATIONS SECURITY MATERIAL SYSTEM (NCMS) provides Registration Authority support for all server (SSL) certificates. Atlantic region installs: Merkeshia McKnight (RA) (240)857-9865; Alesia Blake(RA) (240)857-9735; NCMS_NAFW_NAVY_PKI@navy.mil Pacific region installs: Michelle Hughes(RA) (808)472-0388; NCMS_NAFW.PKI_HI@navy.mil The following must be included in the digitally signed email: Reference Number from CA: <Request ID#> Note! The Request ID # from CA-XX was obtained in step 18 where XX is the number of the DoD CA used for the certificate requests. Host Name: <Servers Hostname>Applications on Server: <Description of Apps on Server> (e.g., Domain Controller, Sharepoint Web Server, etc.) Note! If the requestor does not receive anything from LRA/RA within one – two days after the initial email has been sent, resend email or contact the LRA/RA by phone. Have the Request ID # ready for reference. |
3.8 Retrieve the DC Certificates
The RA will notify you via e-mail once the certificate requests have been approved and the certificate is ready for download. When notified, follow the steps below to retrieve the DoD PKI Domain Controller certificates.
Table 24 – Retrieve the DC Certificates
STEP | DESCRIPTION |
1 | Log into a workstation as a user that has access to the file location where the Domain Controller certificate request files are stored. |
2 | Open Internet Explorer and navigate to the DoD CA URL where the certificate request was submitted. |
3 | At the DoD Warning prompt, click OK. |
4 | On the Certificate Profile page, click the Retrieval tab. |
5 | On the Check Request Status page, in the Request identifier: field, enter the request ID that was previously recorded and click the Submit button. |
6 | On the Request Status page, verify that Status: shows complete. If the request is not complete, the certificate cannot be downloaded yet. |
7 | Click the blue underlined text to the right of Issued certificate:. Note! The blue underlined text is the serial number of the certificate. |
8 | Once the Certificate page displays, showing the certificate contents, scroll down to the Installing this certificate in a server section. |
9 | Under the Base 64 encoded certificate section, highlight all text from “-----BEGIN CERTIFICATE-----” to “-----END CERTIFICATE-----”, making sure to include the dashes. |
10 | Right-click the highlighted text and select Copy. |
11 | Open Windows Explorer and navigate to the network location where the DC certificate request and blank Domain Controller certificate files are stored. |
12 | Right-click the empty <FQDN of DC0001>.cer file, select Open With… and select Notepad. |
13 | Uncheck the Always use the selected program to open this kind of file checkbox and click OK. |
14 | In Notepad, click Edit → Paste. The file must contain only the pasted block; stray characters before or after it will cause the install script to fail. |
15 | Click File → Exit to save the file. |
16 | When prompted to save changes, click the Save button. |
17 | If the certificate for DC0002 still needs to be downloaded, on the Internet Explorer page for retrieving certificates, click the Check Request Status hyperlink and enter the request ID number for DC0002. |
18 | Repeat steps 4 through 16, substituting DC0002’s information for DC0001. |
19 | Close all Windows Explorer and Internet Explorer windows. |
20 | Log off the domain workstation. |
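The .cer file produced by the steps above is a hand-pasted text file, so before it is copied to the Domain Controller in Section 3.9 it is worth checking that it holds one complete Base64 certificate block, that the certificate is for the right DC, carries the Server Authentication EKU and a Subject Alternative Name, has not expired, and was issued by a DoD CA that the workstation already trusts. The PowerShell below is an added example; it is not part of the NCVI guide or its DCcertAccept/DCcertPublish scripts. The share path, the DC FQDN and the issuer DN pattern are assumptions to be replaced with the ship’s values.

```powershell
# Added example, not from the NCVI guide: check a downloaded DoD DC certificate
# (.cer, Base64/PEM as pasted in Table 24) before it is installed.
# Assumed values: the share path, the DC FQDN and the issuer DN pattern.
$CerPath      = '\\fileserver\DCcerts\cvn65ucsdc0001.cvn65.navy.mil.cer'   # assumption
$ExpectedFqdn = 'cvn65ucsdc0001.cvn65.navy.mil'                           # assumption

function Test-DcCertificateFile {
    param([string]$Path, [string]$Fqdn)

    # The file must hold exactly one PEM block; anything else means the
    # copy/paste in Table 24 picked up too little or too much.
    $text = [IO.File]::ReadAllText($Path)
    if ($text -match '(?s)^\s*-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----\s*$') {
        $base64 = $Matches[1] -replace '\s', ''
    } else {
        throw "$Path is not a single BEGIN/END CERTIFICATE block (check the dashes and that nothing else was pasted)"
    }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $cert.Import([Convert]::FromBase64String($base64))

    $problems = @()
    $now = Get-Date

    # Name: the DC's FQDN must appear as a DNS name (SAN or subject CN).
    $dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
    $dnsName = $cert.GetNameInfo($dnsType, $false)
    if ($dnsName -ine $Fqdn) { $problems += "Certificate is for '$dnsName', expected '$Fqdn'" }

    # SAN text is returned so the DC GUID entered on the request form can be
    # compared by eye against getguid<domain>.txt.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) { $sanText = $sanExt.Format($false) }
    else {
        $sanText = '(no Subject Alternative Name extension)'
        $problems += 'No SAN extension; a DC certificate must carry the DNS name and DC GUID'
    }

    # EKU: Server Authentication is the minimum a DC needs for LDAPS and
    # smart card logon; Client Authentication is normally present as well.
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($ekus -notcontains '1.3.6.1.5.5.7.3.1') { $problems += 'EKU lacks Server Authentication (1.3.6.1.5.5.7.3.1)' }

    # Validity window.
    if ($cert.NotBefore -gt $now) { $problems += "Not valid until $($cert.NotBefore)" }
    if ($cert.NotAfter  -lt $now) { $problems += "Expired on $($cert.NotAfter)" }

    # Issuer: DoD CAs are named like 'CN=DOD CA-NN, OU=PKI, OU=DoD, O=U.S. Government, C=US'
    # (the pattern is an assumption; adjust it if the issuing CA's DN differs).
    if ($cert.Issuer -notmatch 'OU=DoD' -or $cert.Issuer -notmatch 'O=U\.S\. Government') {
        $problems += "Issuer '$($cert.Issuer)' does not look like a DoD CA"
    }

    # Chain: shows whether this machine trusts the DoD root and intermediates.
    # Revocation is not checked here because the CRL may be unreachable afloat.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        $problems += @($chain.ChainStatus | ForEach-Object { "Chain: $($_.StatusInformation.Trim())" })
    }

    New-Object PSObject -Property @{
        File       = $Path
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        SAN        = $sanText
        EKU        = ($ekus -join ', ')
        Problems   = $problems
    }
}

$result = Test-DcCertificateFile -Path $CerPath -Fqdn $ExpectedFqdn
$result | Format-List
if ($result.Problems.Count -gt 0) { Write-Warning 'Do not run DCcertAccept until the problems above are resolved.' }
```

A chain failure on the workstation does not by itself mean the certificate is bad; it usually means the DoD Root CA certificates are not installed on that machine, which is worth knowing before the same trust is expected of the Domain Controller.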
3.9 Install the DC Certificates on the Domain Controllers
The domain controller certificates need to be installed in the local computer certificate stores on DC0001 and DC0002. The procedures below will provide guidance to install the DoD-issued domain controller certificates in the domain controller local computer certificate stores.
Table 25 – Install the DC Certificates on the Domain Controllers
STEP | DESCRIPTION |
1 | Log on to DC0001 as a domain administrator. |
2 | Open Windows Explorer and navigate to the network location where the Domain Controller certificate and certificate request files are stored. |
3 | Right-click the <FQDN of DC0001>.cer file and select Copy. |
4 | Navigate to the E:\DCinfo<FQDN of DC0001><Date>\certs\DC_Cert\ folder, right-click in the open area of this folder and select Paste to paste the file into the folder. |
5 | Close all Windows Explorer windows. |
6 | Repeat steps 1 through 5, substituting DC0002’s information for DC0001. |
7 | If not already logged on, log on to DC0001 as a domain administrator. |
8 | Open a command prompt: click Start, in the Start Search field enter cmd, then in the listing above right-click cmd.exe and select Run as administrator. |
9 | At the UAC prompt, click the Continue button. |
10 | In the Command Prompt window, change to the E: drive and navigate to the E:\DCinfo<FQDN of DC0001>\Scripts\ folder: E: [ENTER] cd \DCinfo*\Scripts [ENTER] |
11 | Perform a directory listing and then run the script to install the certificate for the Domain Controller: dir [ENTER] Note! This lists the files in this folder so the entire script filename is known. DCcertAccept<DC0001>.bat [ENTER] Hint: After typing DCcertAccept, press the [TAB] key and the rest of the filename will fill in. Note! After running the script, look for error messages to make sure the batch file ran properly. |
12 | Double-click the Certificates MMC on the domain administrator’s desktop. |
13 | At the UAC prompt, click the Continue button. |
14 | Expand Certificates → Personal → Certificates. |
15 | Ensure the <DC0001> certificate is installed in this location. |
16 | Right-click the old Domain Controller certificate and select Delete. |
17 | Close the Certificates console. |
18 | Repeat steps 7 through 17 on DC0002, replacing DC0001 with DC0002’s specific information. |
3.10 Update the AD DC Store
In addition to being imported into the local computer certificate stores of both Domain Controllers, the same certificates must be published to Active Directory on the domain controllers’ computer objects (the userCertificate attribute that the certutil commands below address).
Table 26 – Update the AD DC Store
STEP | DESCRIPTION |
1 | While still logged in as a domain administrator on DC0001, at the command prompt navigate to the E:\DCinfo<DC0001><Date>\scripts\ folder: E: [ENTER] cd \DCinfo*\scripts [ENTER] |
2 | Remove the previous Domain Controller certificates from Active Directory. The command below opens a window to select the certificates; click OK to delete the certificate from Active Directory. Repeat for each Domain Controller. certutil -viewdelstore "ldap:///CN=<Domain Controller>,OU=Domain Controllers,DC=<Domain>,DC=NAVY,DC=MIL?usercertificate" Example: certutil -viewdelstore "ldap:///CN=cvn65ucsDC0001,OU=Domain Controllers,DC=cvn65,DC=NAVY,DC=MIL?usercertificate" [ENTER] |
3 | Execute the DCcertPublish<DC0001>.bat script. Hint! After typing DCcertPublish, press the [TAB] key and the rest of the filename will fill in. |
4 | After the script runs, look for error messages to make sure the batch file ran properly. |
5 | While logged into DC0002 as a domain administrator, repeat steps 1 through 4, substituting DC0002’s information for DC0001. |
6 | Return to DC0001 and verify that DC0001’s certificate was imported into Active Directory by entering the following command at the command prompt. Note! Substitute the NETBIOS name of DC0001 for <Domain Controller>. certutil -viewstore "ldap:///CN=<Domain Controller>,OU=Domain Controllers,DC=<Domain>,DC=NAVY,DC=MIL?usercertificate" Example: certutil -viewstore "ldap:///CN=cvn65ucsDC0001,OU=Domain Controllers,DC=cvn65,DC=NAVY,DC=MIL?usercertificate" [ENTER] |
7 | A View Certificate Store window opens displaying the certificates for DC0001. Verify that this is the new DoD-issued certificate for the Domain Controller. Note! If the window is blank, the DCcertPublish script for the Domain Controller did not run properly; possibly the downloaded DoD-issued certificate was not copied to the correct folder before the DCcertPublish script was run. |
8 | Repeat steps 6 through 7, this time substituting the NETBIOS name of DC0002 for DC0001. |
9 | Close all command prompt windows on both DC0001 and DC0002. |
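certutil -viewstore shows what is published on the computer object, but it leaves the comparison with the local store to the eye. The PowerShell below, an added example that is not part of the NCVI guide or its DCcertPublish script, reads the same userCertificate attribute and compares thumbprints against the Personal store of the Domain Controller it runs on, flagging a certificate with no private key, a certificate that was never published, or an old certificate that -viewdelstore did not remove. Run it on each Domain Controller; the DC names are assumptions.

```powershell
# Added example, not from the NCVI guide or its scripts: compare the DC
# certificate in the local Personal store with what is published on the DC's
# computer object (userCertificate), checked by thumbprint. Run on each DC.
$DcNetbiosName = 'cvn65ucsDC0001'                   # assumption
$DcFqdn        = 'cvn65ucsdc0001.cvn65.navy.mil'    # assumption

function Get-PublishedDcCertificates {
    param([string]$DcName)
    # Same object certutil addresses: CN=<DC>,OU=Domain Controllers,<domain NC>
    $nc       = [string]([ADSI]'LDAP://RootDSE').Properties['defaultNamingContext'].Value
    $dcOu     = [ADSI]"LDAP://OU=Domain Controllers,$nc"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($dcOu)
    $searcher.Filter = "(&(objectClass=computer)(cn=$DcName))"
    [void]$searcher.PropertiesToLoad.Add('userCertificate')
    $hit = $searcher.FindOne()
    if ($hit -eq $null) { throw "No computer object '$DcName' under OU=Domain Controllers,$nc" }

    $certs = @()
    foreach ($blob in $hit.Properties['usercertificate']) {   # one DER blob per published certificate
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
        $c.Import([byte[]]$blob)
        $certs += $c
    }
    return $certs
}

function Get-LocalDcCertificates {
    param([string]$Fqdn)
    # Certificates in the machine's Personal store issued to this DC's FQDN.
    $dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
    @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.GetNameInfo($dnsType, $false) -ieq $Fqdn })
}

function Compare-DcCertificateStores {
    param([string]$DcName, [string]$Fqdn)
    $local    = @(Get-LocalDcCertificates -Fqdn $Fqdn)
    $inAd     = @(Get-PublishedDcCertificates -DcName $DcName)
    $problems = @()

    if ($local.Count -ne 1) {
        $problems += "Local Personal store holds $($local.Count) certificate(s) for $Fqdn; exactly one is expected"
    }
    foreach ($c in $local) {
        if (-not $c.HasPrivateKey) {
            $problems += "Local $($c.Thumbprint) has no private key; DCcertAccept did not pair it with the request's key"
        }
        if (-not ($inAd | Where-Object { $_.Thumbprint -eq $c.Thumbprint })) {
            $problems += "Local $($c.Thumbprint) is not published in AD; rerun DCcertPublish"
        }
    }
    foreach ($c in $inAd) {
        if (-not ($local | Where-Object { $_.Thumbprint -eq $c.Thumbprint })) {
            $problems += "AD still holds $($c.Thumbprint) (expires $($c.NotAfter)) that is not in the local store; remove it with certutil -viewdelstore"
        }
    }

    New-Object PSObject -Property @{
        DomainController = $DcName
        LocalThumbprints = @($local | ForEach-Object { $_.Thumbprint })
        AdThumbprints    = @($inAd  | ForEach-Object { $_.Thumbprint })
        Problems         = $problems
    }
}

Compare-DcCertificateStores -DcName $DcNetbiosName -Fqdn $DcFqdn | Format-List
```

An empty Problems list is the condition the end of this section and Section 3.11 both assume: one certificate per Domain Controller, with its private key, identical in the local store and in Active Directory.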
3.11 Back-up the Domain Controller Certificate
Once the DoD-issued certificates for DC0001 and DC0002 have been properly installed, back them up so that the request process does not have to be repeated should a DC certificate ever need to be reloaded. The procedures below provide guidance for backing up the domain controller certificates.
Table 27 – Backing up the Domain Controller Certificates
STEP | DESCRIPTION |
1 | Log into DC0001 as a domain administrator and open the Certificates console. The Certificates icon should still be on the desktop. |
2 | At the UAC prompt, click the Continue button. |
3 | Expand the Personal → Certificates containers. |
4 | Export the certificate and private key pair of the Domain Controller: right-click DC0001’s certificate and click All Tasks → Export…. |
5 | Click the Next button. |
6 | Select the Yes, export the private key radio button and select Personal Information Exchange – PKCS #12 (.PFX). |
7 | Click Next. |
8 | Type in a password (twice); it will be needed when importing the certificate back into the Domain Controller if the need arises. Click the Next button. |
9 | Click the Browse button and select a location and name for the certificate. Example: CVN65UCSDC0001_backup.pfx. The exported key pair should be handled as controlled media and kept accessible, if needed, for reinstallation. Click the Save button. |
10 | Click the Next button. |
11 | Click Finish → OK. |
12 | Repeat steps 1 through 11 to back up the certificate on DC0002. |
Note! | Each Domain Controller should have only one certificate in its Personal certificate store. |
4 Member Server IIS Website Certificates
This section provides information on Member Server (MS) Internet Information Server (IIS) website certificates.
4.1 Introduction
This section provides procedures for the Web Server Administrator on how to renew the Web Server certificate on a Microsoft Internet Information Services (IIS) 7.0 Web Server without removing the old certificate while waiting for the new certificate to be approved.
4.2 IIS Certificate
The MS IIS certificate is required to provide a secure website using the HTTPS protocol. DoD-issued certificates expire after three years. The procedures below walk the administrator through requesting a new DoD-issued certificate and replacing the expiring IIS website certificate with it.
4.2.1 Generate Certificate Request for IIS Server
Perform the steps in the following table to generate a certificate request for each website.
Table 28 – Generate Certificate Request for IIS Server
STEP | DESCRIPTION |
1 | Log on to an IIS server with an expiring certificate as a domain administrator. |
2 | Open the Internet Information Services (IIS) Manager: click Start → Administrative Tools → Internet Information Services (IIS) Manager. |
3 | At the UAC prompt, click the Continue button. |
4 | In the left pane, select the server name. |
5 | In the middle pane, under the IIS section, double-click Server Certificates. |
6 | In the right pane, under Actions, click Create Certificate Request…. |
7 | On the Distinguished Name Properties page, enter the following information: Common name: <FQDN of the server> Organization: U.S. Government Organizational unit: USN PKI DoD City/locality: <Homeport city> (e.g., Norfolk) State/province: <Homeport state> (e.g., VA) Country/region: US. Click the Next button. |
8 | On the Cryptographic Service Provider Properties page, ensure the Cryptographic service provider field shows Microsoft RSA SChannel Cryptographic Provider. |
9 | For the Bit length field, select 2048 from the pull-down control. |
10 | Click the Next button. |
11 | On the File Name page, click the […] button to the right of the Specify a file name for the certificate request: field. Browse to a location that is easy to access when logged onto a domain workstation to submit the certificate request. |
12 | Once the file location is set, click the pull-down for the field that shows *.txt and change it to *.*. |
13 | In the File name: field, enter a descriptive filename for the certificate request with the .req file extension (e.g., CVN65UCSFS0001.req). |
14 | Once the folder location is selected and the filename is filled in, click the Open button. |
15 | When returned to the File Name page, click the Finish button. |
16 | Repeat the procedures in this table for any other IIS servers that have expiring certificates. |
4.2.2 Submit IIS Server Certificate Request
The next step in requesting a DoD issued certificate for the COMPOSE Member Server is to submit a certificate request to a DoD CA server.
Table 29 – Submit Certificate Request
STEP | DESCRIPTION |
Submit Certificate Request for COMPOSE Member Server from the DoD CA: | |
1 | Log on to a domain workstation as a domain user. |
2 | With your CAC inserted in the CAC reader, open an Internet Explorer window and navigate to https://infosec.navy.mil/PKI/server.jsp. In the Windows Security prompt, select one of your certificates to log on to the Infosec website and click OK. Enter your CAC PIN and click OK. |
3 | The Infosec website lists hyperlinks to the DoD CA websites that provide forms for requesting DoD-issued certificates. Click one of the hyperlinks to access that DoD CA’s website. Note! If possible, use the same DoD CA website for all certificate requests for simpler tracking. |
4 | If a prompt indicates that there is a problem with the website’s security certificate, click Continue to this website (not recommended). This prompt normally means the DoD Root CA certificates are not in the workstation’s Trusted Root Certification Authorities store; it should not appear once they are installed. |
5 | At the DoD Warning prompt, click the OK button. |
6 | The selected DoD CA website displays the Certificate Profile page. |
7 | Ensure the Enrollment tab is selected. |
8 | Click the Regular 2048-bit SSL Server Enrollment hyperlink. The Certificate Profile – Regular 2048-bit SSL Server Enrollment page displays. |
9 | Open a Windows Explorer window and navigate to the shared network location where the certificate requests for the COMPOSE Member Servers are stored. |
10 | Open the first COMPOSE Member Server certificate request file in Notepad. |
11 | In Notepad, click Format → Word Wrap. |
12 | In the Notepad window, highlight all of the text for the request, including the “-----BEGIN CERTIFICATE REQUEST-----” header and the “-----END CERTIFICATE REQUEST-----” trailer with all of their dashes. Right-click the highlighted text and select Copy. |
13 | Return to the Certificate Profile – Regular 2048-bit SSL Server Enrollment page in Internet Explorer and fill out the form as follows: for the Certificate Request Type field, ensure PKCS #10 is selected; in the Certificate Request text box, right-click and select Paste; complete the informational fields Requestor Name: <Name>, Requestor Email: <Email> and Requestor Phone: <Phone>. Once all fields are filled in, click the Submit button. |
14 | The Request Successfully Submitted web page appears. This page provides the Request ID # for the certificate. Print the page, or otherwise document the Request ID #. |
15 | Close the Notepad window for the certificate request. |
16 | If there are more COMPOSE Member Server certificate requests to process, return to the Windows Explorer window and open the next certificate request in Notepad. In the Internet Explorer window, click the List Certificate Profiles hyperlink. Repeat steps 8 through 15 to process the next certificate request. |
17 | Work with the local Information Assurance Manager (IAM) or Information Assurance Officer (IAO) to send a digitally signed email to the Registration Authority (RA), notifying them that the certificate requests are ready for review and approval. |
18 | The NAVAL COMMUNICATIONS SECURITY MATERIAL SYSTEM (NCMS) provides Registration Authority support for all server (SSL) certificates. Atlantic region installs: Merkeshia McKnight (RA) (240) 857-9865; Alesia Blake (RA) (240) 857-9735; NCMS_NAFW_NAVY_PKI@navy.mil. Pacific region installs: Michelle Hughes (RA) (808) 472-0388; NCMS_NAFW.PKI_HI@navy.mil. The following must be included in the digitally signed email: Reference Number from CA: <Request ID#> (Note! The Request ID # from CA-XX was obtained in step 14, where XX is the number of the DoD CA used for the certificate requests.) Host Name: <Server’s Hostname> Applications on Server: <Description of Apps on Server> (e.g., Domain Controller, SharePoint Web Server, etc.) Note! If the requestor does not receive anything from the LRA/RA within one to two days after the initial email has been sent, resend the email or contact the LRA/RA by phone. Have the Request ID # ready for reference. |
19 | Log off the COMPOSE workstation. |
4.2.3 Retrieve COMPOSE Member Server Certificates
Once an email has been received stating the certificates are approved and are ready for retrieval, use Internet Explorer to browse to the issuing DoD CA site where the requests were originally submitted.
Table 30 – Retrieve DoD-Issued Certificates
4.2.4 Install and Replace the New COMPOSE Member Server Certificate
The following steps will assist in installing the COMPOSE Member Server certificates. This section assumes the certificate being installed is for the Default Website. If the certificate is to be installed on other sites on the server, modify the steps accordingly.
Table 31 – Install and Replace IIS Server Certificate(s)
STEP | DESCRIPTION |
1 | Log on to the COMPOSE Member Server that will receive the new DoD-issued certificate as a domain administrator. |
2 | Ensure the DoD-issued certificate for the COMPOSE Member Server is in a location that is easily accessible from the COMPOSE Member Server. |
3 | Open the Internet Information Services (IIS) Manager console: click Start → Administrative Tools → Internet Information Services (IIS) Manager. |
4 | At the UAC prompt, click the Continue button. |
5 | In the Internet Information Services (IIS) Manager window, select the server name for <MS0001>. |
6 | In the center pane, under IIS, double-click the Server Certificates icon. |
7 | In the right pane, under Actions, click Complete Certificate Request…. |
8 | On the Specify Certificate Authority Response page, click the […] button to the right of the File name containing the certificate authority’s response: field and navigate to the location of the downloaded certificate for <MS0001>. |
9 | In the Friendly name: field, enter a name for the certificate, e.g., CVN65UCSMS0001_IIS. (If the previous certificate was given the same name, change the name slightly so the new certificate can be identified easily.) |
10 | Click the OK button. |
11 | With the server name selected in the left pane, the middle pane now lists the certificate that was just added. |
12 | In the left pane, expand <Server> (local computer) → Sites → Default Web Site. |
13 | In the right pane, under the Edit Site section, click Bindings…. |
14 | Highlight the line whose Type column is https and click the Edit button. Note! If there is no https line, click the Add button on the right of the Site Bindings window; in the Add Site Binding window, set the Type field to https, leave the IP Address: field as All Unassigned and leave the Port: field as 443. In either case, for the SSL certificate: field select the friendly name of the certificate that was just added (e.g., CVN65UCSMS0001_IIS), click the OK button, and then click the Close button in the Site Bindings window. |
15 | In the left pane, select the <server name> (e.g., CVN65UCSMS0001). |
16 | In the right pane, under Actions, click Restart. |
17 | Close the Internet Information Services (IIS) Manager window. |
18 | Log off <MS0001>. |
19 | Repeat the steps in this table for the remaining COMPOSE Member Servers that have certificates to install. |
4.2.5 Backup the COMPOSE Member Server Certificate
Once the new DoD-Issued COMPOSE Member Server certificate is installed and working properly, it is recommended that the certificate’s keys be backed up, so if a casualty were to occur, the certificate could be restored quickly without having to go through the request and installation processes again.
Table 32 – Backup/Export the IIS Web Server Certificate
STEP | DESCRIPTION |
1 | Open the Certificates MMC, if it is not already open. |
2 | If required, at the UAC prompt, click the Continue button. |
3 | Right-click the server certificate (e.g., cvn65ucsex0001.cvn65.navy.mil) and select All Tasks → Export…. |
4 | On the Welcome to the Certificate Export Wizard page, click the Next button to continue. |
5 | On the Export Private Key page, select the Yes, export the private key radio button and then click the Next button. |
6 | On the Export File Format page, configure the three options as follows: Include all certificates in the certification path if possible is checked; Delete the private key if the export is successful is unchecked; Export all extended properties is checked. Click the Next button. |
7 | On the Password page, enter a password in the Password: and Confirm password: fields. Ensure the password is kept in a secure location. |
8 | Click the Next button. |
9 | On the File to Export page, click Browse…, choose the location and file name to save the export as, and click Save. Do not include an extension in the file name; the wizard adds the .pfx extension automatically. |
10 | Once the file name and location have been selected, click the Next button to continue. |
11 | On the Completing the Certificate Export Wizard page, click the Finish button. |
12 | At the “The export was successful” prompt, click the OK button. |
13 | Close the Certificates MMC and log off the COMPOSE Member Server. |
Note! | Burn the exported IIS Web Server certificates and private keys to CD/DVD-ROM and keep them in a secure location. Remove any copies of the exported certificates with private keys from all domain locations. Ensure there is a way to document the passwords used with these exported files, kept separately from the media, since they will be needed to import the certificates in the future if the need arises. |
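Before the .pfx from Table 32 (or the Domain Controller backup from Table 27) is burned to disc, confirm that the file opens with the recorded password, actually contains a private key, matches the certificate that is installed, and includes the CA chain; a backup found to be wrong at restore time is no backup. The PowerShell below is an added example, not part of the NCVI guide. The file path, password and friendly name are assumptions; for a Domain Controller backup pass the thumbprint shown in the Certificates console instead of looking it up by friendly name. The script also returns a SHA-256 of the file to write on the media label.

```powershell
# Added example, not from the NCVI guide: verify an exported .pfx backup
# (Table 27 or Table 32) before it is burned to disc, and record a SHA-256 of
# the file for the media label. Path, password and friendly name are assumptions.
$PfxPath               = 'E:\backup\CVN65UCSMS0001_IIS.pfx'   # assumption
$PfxPassword           = 'ExportPassword1!'                  # assumption; in practice read from the sealed record
$InstalledFriendlyName = 'CVN65UCSMS0001_IIS'                # assumption, as chosen in Table 31

function Test-PfxBackup {
    param([string]$Path, [string]$Password, [string]$ExpectedThumbprint)
    $col = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    try {
        # A wrong password throws here. DefaultKeySet puts the private key in a
        # temporary container that Reset() removes in the finally block.
        $col.Import($Path, $Password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)

        $problems = @()
        $leaf = @($col | Where-Object { $_.HasPrivateKey })
        $thumbprint = $null
        $subject    = $null
        if ($leaf.Count -ne 1) {
            $problems += "Expected one certificate with a private key, found $($leaf.Count); re-export with 'Yes, export the private key'"
        } else {
            $thumbprint = $leaf[0].Thumbprint
            $subject    = $leaf[0].Subject
            if ($ExpectedThumbprint -and $thumbprint -ne $ExpectedThumbprint) {
                $problems += "Backed-up certificate $thumbprint is not the installed one ($ExpectedThumbprint)"
            }
            if ($leaf[0].NotAfter -lt (Get-Date)) { $problems += "Certificate expired on $($leaf[0].NotAfter)" }
        }
        # 'Include all certificates in the certification path' adds the issuing CA(s).
        if ($col.Count -lt 2) { $problems += 'No CA certificates in the file; the certification path was not included' }

        $sha256 = [System.Security.Cryptography.SHA256]::Create()
        $digest = ($sha256.ComputeHash([IO.File]::ReadAllBytes($Path)) | ForEach-Object { $_.ToString('x2') }) -join ''

        New-Object PSObject -Property @{
            File         = $Path
            Sha256       = $digest
            Certificates = $col.Count
            Thumbprint   = $thumbprint
            Subject      = $subject
            Problems     = $problems
        }
    } finally {
        foreach ($c in $col) { $c.Reset() }   # drop the temporary private key containers
    }
}

# Expected thumbprint: the certificate installed in Table 31, found by friendly
# name in the machine store (run on the web server). For a DC backup, set
# $expected to the thumbprint shown in the Certificates console instead.
$installed = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq $InstalledFriendlyName })
$expected  = $null
if ($installed.Count -eq 1) { $expected = $installed[0].Thumbprint }
Test-PfxBackup -Path $PfxPath -Password $PfxPassword -ExpectedThumbprint $expected | Format-List
```

Run the check on the server the file was exported from, delete any working copy of the .pfx afterwards as the note above requires, and keep the password with the sealed record rather than on the disc label beside the hash.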
4.3 Restore IIS Server Certificate to Web Server
Perform the steps in this section to install a previously exported Server Certificate (.pfx file) for a specific web server, into that Web Server and configure it for use with the default web site.
Table 33 – Import Exported Certificate into Server’s Certificate Store
STEP | DESCRIPTION |
1 | Open the Internet Information Services (IIS) Manager console: click Start → Administrative Tools → Internet Information Services (IIS) Manager. |
2 | At the UAC prompt, click the Continue button. |
3 | In the left pane of the Internet Information Services (IIS) Manager window, select the <server name>. |
4 | In the middle pane, under the IIS section, double-click Server Certificates. |
5 | In the right pane, under Actions, click Import…. |
6 | In the Import Certificate window, click the […] button to the right of the Certificate file (.pfx): field. |
7 | Navigate to the location of the saved COMPOSE Member Server PFX file, highlight the file and click the Open button. |
8 | Back in the Import Certificate window, in the Password: field, enter the password for the certificate. (The password should have been documented when the export was made.) |
9 | Ensure the Allow this certificate to be exported checkbox is selected, then click the OK button. |
Assign Server Certificate to the Default Web Site | |
10 | In the left pane, expand <Server> (local computer) → Sites → Default Web Site. |
11 | In the right pane, under Actions, click Bindings…. |
12 | In the Site Bindings window, select the https line and click the Edit… button. |
13 | Ensure the IP address field shows All Unassigned and the Port: field is 443. |
14 | Click the pull-down control to the right of the SSL certificate: field and, from the list of certificates displayed, select the certificate that was just imported. Click the View… button to the right to check the certificate properties. |
15 | Once the certificate is selected, click the OK button. |
16 | In the Site Bindings window, click the Close button. |
17 | In the left pane, highlight the <server name>. |
18 | In the right pane, under Actions, click Restart. |
19 | Close the Internet Information Services (IIS) Manager console. |
20 | Test the website. |
21 | Log off the COMPOSE Member Server. |
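The most useful form of the test-the-website step, both here and after the replacement in Section 4.2.4, is to see which certificate the server actually hands out on port 443: an https binding that still points at the old certificate, or an IIS that was not restarted, serves the old one without any visible error. The PowerShell below is an added example, not part of the NCVI guide; the host name and friendly name are assumptions. Run it on the web server itself (it reads the expected thumbprint from LocalMachine\My) or pass the thumbprint from the Certificates console.

```powershell
# Added example, not from the NCVI guide: "test the website" by checking which
# certificate the server presents on port 443 after the binding change and
# IIS restart. Host name and friendly name are assumptions.
$HostName     = 'cvn65ucsms0001.cvn65.navy.mil'   # assumption
$FriendlyName = 'CVN65UCSMS0001_IIS'              # assumption, as chosen in Table 31

function Get-ServedCertificate {
    param([string]$ComputerName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        # Accept anything during the handshake; trust is evaluated separately so
        # that a wrong certificate is reported rather than hidden by an exception.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($ComputerName)
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Close()
        return $served
    } finally {
        $client.Close()
    }
}

function Test-WebServerCertificate {
    param([string]$ComputerName, [string]$ExpectedThumbprint, [int]$Port = 443)
    $served   = Get-ServedCertificate -ComputerName $ComputerName -Port $Port
    $problems = @()

    $expected = ($ExpectedThumbprint -replace '[\s:]', '').ToUpper()
    if ($served.Thumbprint -ne $expected) {
        $problems += "Server presents $($served.Thumbprint), not the new certificate $expected; the https binding still points at the old one or IIS was not restarted"
    }
    $dnsType   = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
    $servedFor = $served.GetNameInfo($dnsType, $false)
    if ($servedFor -ine $ComputerName) { $problems += "Certificate name '$servedFor' does not match '$ComputerName'" }

    $daysLeft = [int]($served.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -lt 60) { $problems += "Certificate expires in $daysLeft days ($($served.NotAfter))" }

    # Chain as seen from this client; revocation skipped because the DoD CRL
    # may be unreachable from the ship's network.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($served)) {
        $problems += @($chain.ChainStatus | ForEach-Object { "Chain: $($_.StatusInformation.Trim())" })
    }

    New-Object PSObject -Property @{
        Host             = "${ComputerName}:$Port"
        ServedThumbprint = $served.Thumbprint
        Issuer           = $served.Issuer
        NotAfter         = $served.NotAfter
        Problems         = $problems
    }
}

# Expected thumbprint: the certificate installed in Table 31, found by its
# friendly name in the machine store (so run this on the web server).
$newCert = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq $FriendlyName })
if ($newCert.Count -ne 1) { throw "Expected exactly one certificate with friendly name '$FriendlyName' in LocalMachine\My, found $($newCert.Count)" }
Test-WebServerCertificate -ComputerName $HostName -ExpectedThumbprint $newCert[0].Thumbprint | Format-List
```

Because the check connects by host name, it also catches a binding on a specific IP address rather than All Unassigned, which a browser test from the console can miss.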
5 SmartCard Logon Management
This section provides information on how to enable and disable the SmartCard logon requirement for user accounts. Section 5.1 describes how to configure user accounts to enable Cryptographic Logon (CLO) and Section 5.2 describes how to configure user accounts to disable CLO.
5.1 Enable SmartCard Only Logon
NCVI v4.0 provides administrators with the capability to require users to log on to the network using their SmartCard and PIN only. The procedures in the following table describe how to configure the system to enforce CLO for specified user accounts.
Table 34 – Configure User Account(s) to Force SmartCard Logon(s)
5.2 Disable SmartCard Only Logon
Various situations may occur where users are unable to logon using their smartcard and PIN. For example, a user’s CAC has expired and the user needs to access the domain until a new CAC is obtained. The procedures in this section provide guidance on removing the requirement to login with SmartCard only and allow the user to logon using username and password credentials. The procedures in the following table describe how to configure the system to disable the CLO setting on user accounts.
Table 35 – Configure User Account(s) to Not Require SmartCard Logon(s)
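Tables 34 and 35 are not reproduced on this page. What they configure is the “Smart card is required for interactive logon” bit (ADS_UF_SMARTCARD_REQUIRED, 0x40000) in the user object’s userAccountControl attribute. The PowerShell below is an added example, not part of the NCVI guide; it sets or clears that bit through ADSI and serves both Section 5.1 and Section 5.2. The account name, the action and the replacement password are assumptions. One consequence matters for Section 5.2: when the bit is set, the Domain Controller replaces the account’s password with a random value, so clearing the bit for a user whose CAC has expired also requires giving that user a new password.

```powershell
# Added example, not from the NCVI guide (whose Tables 34 and 35 are not
# reproduced here): set or clear the "Smart card is required for interactive
# logon" bit on a user account through ADSI and show the resulting state.
$SamAccountName = 'jsmith'     # assumption
$Action         = 'Show'       # assumption: 'Enable' (Section 5.1), 'Disable' (Section 5.2) or 'Show'
$NewPassword    = $null        # assumption; used only by 'Disable', see Set-SmartCardLogonRequired
$ADS_UF_SMARTCARD_REQUIRED = 0x40000   # userAccountControl bit for smart-card-only logon

function Get-UserEntry {
    param([string]$Sam)
    $nc       = [string]([ADSI]'LDAP://RootDSE').Properties['defaultNamingContext'].Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$nc")
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$Sam))"
    $hit = $searcher.FindOne()
    if ($hit -eq $null) { throw "No user '$Sam' in $nc" }
    return $hit.GetDirectoryEntry()
}

function Get-SmartCardLogonState {
    param([string]$Sam)
    $user = Get-UserEntry -Sam $Sam
    $uac  = [int]$user.Properties['userAccountControl'].Value
    New-Object PSObject -Property @{
        User               = $Sam
        SmartCardRequired  = (($uac -band $ADS_UF_SMARTCARD_REQUIRED) -ne 0)
        UserAccountControl = ('0x{0:X}' -f $uac)
    }
}

function Set-SmartCardLogonRequired {
    param([string]$Sam, [bool]$Required, [string]$ResetPassword)
    $user = Get-UserEntry -Sam $Sam
    $uac  = [int]$user.Properties['userAccountControl'].Value
    if ($Required) { $new = $uac -bor $ADS_UF_SMARTCARD_REQUIRED }
    else           { $new = $uac -band (-bnot $ADS_UF_SMARTCARD_REQUIRED) }
    if ($new -ne $uac) {
        $user.Properties['userAccountControl'].Value = $new
        $user.CommitChanges()
    }
    # When the bit is set, the DC replaces the account password with a random
    # value; clearing it later does not bring the old password back. A temporary
    # return to username/password logon therefore needs a new password, handed
    # over out of band and set to expire at first use.
    if (-not $Required -and $ResetPassword) {
        $user.Invoke('SetPassword', $ResetPassword)
        $user.Properties['pwdLastSet'].Value = 0     # user must change it at next logon
        $user.CommitChanges()
    }
    Get-SmartCardLogonState -Sam $Sam
}

switch ($Action) {
    'Enable'  { Set-SmartCardLogonRequired -Sam $SamAccountName -Required $true }
    'Disable' { Set-SmartCardLogonRequired -Sam $SamAccountName -Required $false -ResetPassword $NewPassword }
    default   { Get-SmartCardLogonState -Sam $SamAccountName }
}
```

Run it from an account permitted to modify the user object. Re-enable the bit as soon as the replacement CAC is issued; while it is clear, the account is exactly as exposed to password guessing as any other.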