You'll need two certificates: the HTTPS certificate created when you installed the CCP (not covered here) and the Client certificate, which is what we will cover here.

> [!example]- [[08 - Extras & Helpful Tips#HTTPS Certificate]]

> [!tip]- Leading Practice
> As security architects we would provide the Application Team needing the Client Auth Certificate the steps to generate the certificate themselves. This helps ensure the **private key** stays private: it is generated on the requesting machine and never has to leave it.

**HTTPS Cert**
- Used for HTTPS on the CCP
- Bound to 443 on the CCP via IIS

**CLIENT Cert**
- Certificate for requesting applications
- Its serial number will be added to the relevant applications

Including the certificate chain or intermediate certs may also be needed, but in most environments the CCP machine is domain joined and inherits trust in the enterprise CA.

---

### Certificate Signing Request

When creating a certificate you first start with creating a Certificate Signing Request (CSR).

> [!Tip] Auto Generating Certificates
> If you are more comfortable with certificates check out
> [[08 - Extras & Helpful Tips#Automating Certificate Creation]]

When you submit the CSR, the certificate is created based on a certificate template in your certificate authority. What does this mean? If your CSR has parameters that aren't in the template, those parameters won't be on your certificate.

For example, you can create and submit a CSR whose Enhanced Key Usage has 2 extensions:

- Client Authentication
- Server Authentication

But if the corresponding template only has **Server Authentication** available, your certificate will only have Server Authentication; the Client Authentication is dropped. Always check the issued certificate, not just the CSR. Most environments will have a template that can be used.

> [!Warning]- Certificate Template Creation
> You can potentially run into issues if no templates have "Client Authentication". If you are in a lab, I suggest you create a certificate template. I provided the links below for reference.
> I have created one for this lab.

[Microsoft Creating & Publishing Certificate Templates](https://learn.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-the-server-certificate-template)
[Default Templates](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc730826(v%3dws.10))

## What's needed for the Client Auth Certificate?

**Requirements**
- Enhanced Key Usage - Client Authentication
- Subject Alternative Name - set correctly to the FQDN

![[Pasted image 20250418143904.png]]
![[Pasted image 20250418144124.png]]

## 02.1 Creating CSR and Certificate - MMC

> [!Tip]- Leading Practice
>
> It's easiest if you generate the CSR from the requesting application machine, so that when you get the certificate back and install it the private key is already where it needs to be. In the lab our requesting application is my laptop, so I did this from the PVWA.

1. Open MMC \> Add/Remove Snap-in \> Certificates \> Add \> Computer Account \> Next \> Local computer \> Finish \> Ok
2. In the left pane click Personal.
3. Right click in the middle pane \> All Tasks \> Advanced Operations \> Create Custom Request
4. A prompt will appear for Certificate Enrollment. Click Next
5. Select Proceed without enrollment policy

> [!abstract]- Extra Info
> *You can choose Active Directory Enrollment Policy if you know which template you need to enroll from. To avoid template conflicts choose "Proceed without enrollment policy".*

![[Pasted image 20250418154626.png]]

6. The default values are correct, click Next again
![[Pasted image 20250418155433.png]]
7. Select Properties
![[Pasted image 20250418155628.png]]
8. Provide a Friendly Name, for example: ClientAuthApp01
9. Select Subject → Add the certificate properties
![[Pasted image 20250418161139.png]]
```
CommonName (CN)       lab-ccp.clab.com
Country               US
Organization          ClAB
Organizational Unit   SEC
State                 NY
Locality              NY
Alternative Name (DNS):
  lab-ccp.clab.com
  lab-ccp
  ccp
```
10. Select the **Private Key** tab \> Expand **Key Options**
    1. Key Size \= 4096
    2. Check **Make Private Key Exportable** (only needed because we export the PFX in 02.3.1; if the certificate will stay on this machine, leave it unchecked so the key cannot be copied off)
![[Pasted image 20250418161232.png]]
11. Select **Extensions** \> Expand **Extended Key Usage**
    1. Select **Client Authentication \> Add**
![[Pasted image 20250418161304.png]]
12. We can now click **Apply \> Ok**
13. This will return you to the Certificate Enrollment prompt \> Click **Next**
![[Screenshot 2025-04-18 at 4.17.52 PM.png]]
14. Name and save the file in Base64 format

🥂 Congrats you now have a CSR 🥂

## 02.2 Submitting CSR

This will be different for every environment, so I will show you the most common method. In this lab I am using Microsoft's Certificate Authority Web Enrollment. I just need to open a browser and log in to the CA Web Enrollment page. Since I created the CSR from the PVWA machine I can do it from there.

1. Navigate to http://clab.com/certsrv & log in (you are sending domain credentials, so use the HTTPS URL for certsrv if your CA offers one)
![[Pasted image 20250418174623.png]]
2. Click \> Request a certificate \> advanced certificate request
![[Pasted image 20250418174520.png]]
3. Open the CSR you generated, Select All & Copy
![[Pasted image 20250418174809.png]]
4. Go back to the advanced certificate request page
   - Paste the entire contents in the Base64 box
   - Select the correct template - AppClientAuth (in my lab)
   - Click Submit
![[Pasted image 20250418175917.png]]
5. Select Base64 & Download Certificate

> [!info]
> You can download the chain if needed
> ![[Pasted image 20250418180138.png]]

🥂 Congrats you now have a Certificate for Client Authentication 🥂

## 02.3 Install & Export the Certificate

Now that we have the certificate you can install it. Installing it on the machine where the CSR was generated pairs it with the private key already in that machine's store, which is what allows us to export it with its private key (PFX format).
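The same 02.1 and 02.2 steps, scripted with `certreq` so they can be handed to an application team as a repeatable procedure. This is an added example and not the page's own walkthrough: the request file reproduces the Custom Request properties above (subject, DNS SANs, 4096-bit exportable machine key, Client Authentication EKU), submits to the CA with the lab template `AppClientAuth`, accepts the issued certificate into the Local Machine Personal store, and then checks that the template did not drop the EKU or SAN (the caveat from the Certificate Signing Request section). The CA host `ca.clab.com` and CA name `clab-CA` are assumptions for this lab; substitute your own `certutil -dump` / `certutil -config - -ping` values.

```powershell
# Added example, not from the original page. Run in an elevated PowerShell on the
# requesting machine so the private key is generated in (and stays in) the Local
# Machine store. Assumed values: CA config "ca.clab.com\clab-CA", template AppClientAuth.

$Name     = 'lab-ccp.clab.com'          # CN and first SAN from the MMC walkthrough
$WorkDir  = 'C:\Certs'
$CaConfig = 'ca.clab.com\clab-CA'       # assumption: "<CA host>\<CA common name>"
$Template = 'AppClientAuth'             # the lab template that carries Client Authentication
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# certreq request file equivalent to the "Create Custom Request" properties.
# KeyUsage 0xA0 = Digital Signature + Key Encipherment; OID 1.3.6.1.5.5.7.3.2 = Client Authentication.
# Exportable=TRUE only because 02.3.1 exports a PFX; set FALSE if the key never leaves this host.
$Inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$Name, OU=SEC, O=ClAB, L=NY, S=NY, C=US"
FriendlyName = "ClientAuthApp01"
KeyLength = 4096
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Name&"
_continue_ = "dns=lab-ccp&"
_continue_ = "dns=ccp"
"@
$Inf | Set-Content -Path "$WorkDir\$Name.inf" -Encoding ASCII

# 02.1: build the Base64 PKCS#10 CSR; the private key is created in the machine store now.
certreq -new "$WorkDir\$Name.inf" "$WorkDir\$Name.req"

# 02.2: submit to the CA against the template (replaces the certsrv copy/paste).
certreq -submit -attrib "CertificateTemplate:$Template" -config $CaConfig `
    "$WorkDir\$Name.req" "$WorkDir\$Name.cer"

# 02.3: bind the issued certificate to its pending key in Local Machine\Personal.
certreq -accept -machine "$WorkDir\$Name.cer"

# Verify what the CA actually issued; the template, not the CSR, decides the extensions.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$Name*" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1

if ($Cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.2') {
    throw "Issued cert has EKU [$($Cert.EnhancedKeyUsageList.FriendlyName -join ', ')] but no Client Authentication; fix the CA template."
}
$San = ($Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
if (-not $San -or $San -notmatch [regex]::Escape($Name)) {
    throw "Issued cert SAN is '$San'; expected it to contain $Name."
}

"Thumbprint    : $($Cert.Thumbprint)"
"Serial number : $($Cert.SerialNumber)"   # this value goes into the CCP application definition
"EKU           : $($Cert.EnhancedKeyUsageList.FriendlyName -join ', ')"
"SAN           : $San"
```

If `certreq -submit` returns a pending state instead of an issued certificate, the template requires CA manager approval; retrieve it later with `certreq -retrieve -config <CA> <RequestId> <file.cer>` and run the `-accept` and verification steps unchanged.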
> [!info] These same install steps can be used for installing the certificate on the CCP machine

1. Double click on the certificate you previously downloaded & click Install Certificate
2. Select Local Machine & click Next
![[Screenshot 2025-04-18 at 6.19.28 PM.png]]
3. Select **Place all certificates in the following store**, choose **Personal**, and click Next
![[Screenshot 2025-04-18 at 6.21.42 PM.png]]
4. Click Finish

## 02.3.1 Exporting the Certificate as a PFX

1. Open MMC \> Add/Remove Snap-in \> Certificates \> Add \> Computer Account \> Next \> Local computer \> Finish \> Ok
2. In the left pane click Personal and select your newly installed certificate
![[Screenshot 2025-04-18 at 6.27.07 PM.png]]
3. Right click -> All Tasks -> Export -> click Next
4. Choose Yes, export the private key \> click Next
![[Screenshot 2025-04-18 at 6.30.25 PM.png]]
5. Check Include all certificates in the certification path and click Next
![[Pasted image 20250418183434.png]]
6. Set a password and click Next - my password is **CCP** (lab only; the PFX contains the private key, so outside the lab use a strong password and handle the file as a credential)
![[Pasted image 20250418183523.png]]
7. Select where to save the file and name it -> click Next
![[Pasted image 20250418183716.png]]
8. Click Finish
![[Pasted image 20250418183803.png]]
![[Screenshot 2025-04-18 at 6.33.26 PM 1.png]]

## Where do I install the certificate.....?

For clarity, installing the certificate where the CSR was generated is typically needed so you can export it with the private key in PFX format; the private key only exists in the store of the machine that created the CSR.

### Requesting Application Machine

You have a few options depending on where and how you are making your API calls.

If you are using the PFX format there may not be a need to install it at all, since the PFX carries the private key with it.
"Essentially" you can move the PFX anywhere and make calls successfully. Treat it as a credential: whoever holds the PFX and its password can authenticate as that application.

If you aren't using the PFX you can install the certificate on the requesting application machine and pull it from the corresponding certificate store when sending the request.

This might require you to install the full certificate chain due to trust issues, especially on Linux machines, which are usually not domain joined and so do not inherit trust in the enterprise CA. I cover this slightly in [[08 - Extras & Helpful Tips#Configure Linux Node (Requesting applications)]]

### CCP Machine

Typically you just need to install the certificate (.cer, public part only) in the Personal store on the CCP machine. You can review the steps above in [[01 - Projects/CCP-Client Cert Auth/02 - Certificates#02.3 Install & Export the Certificate]]

If you are facing issues with trust on the CCP then installing the full chain on the CCP machine can help resolve most trust issues.
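The two requesting-application options above (the PFX travelling with the application, or the certificate pulled from the local machine store) and the CCP-side install, as an added example that is not part of the original page. It assumes the PFX exported in 02.3.1 is `C:\Certs\ClientAuthApp01.pfx` with the lab password `CCP`, that the CCP is reachable at `lab-ccp.clab.com`, and placeholder `AppID`, `Safe` and `Object` values for the CCP `AIMWebService` call; replace those with your application's actual definition.

```powershell
# Added example, not from the original page. Assumed values: PFX path/password from
# 02.3.1, CCP host lab-ccp.clab.com, and placeholder AppID/Safe/Object query values.

$CcpHost = 'lab-ccp.clab.com'
$PfxPath = 'C:\Certs\ClientAuthApp01.pfx'
$PfxPass = 'CCP'                                               # lab password from 02.3.1
$Query   = 'AppID=App01&Safe=App01Safe&Object=App01-Account'   # placeholders for this lab
$Uri     = "https://$CcpHost/AIMWebService/api/Accounts?$Query"

# --- Option 1: the PFX travels with the application; nothing is installed in a store ---
# The PFX holds the private key, so the file and $PfxPass are the application's credential.
$Pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPass)
"Presenting serial $($Pfx.SerialNumber) (must match the CCP application definition)"
$FromPfx = Invoke-RestMethod -Uri $Uri -Method Get -Certificate $Pfx
$FromPfx.Content    # the retrieved secret; never write this to a log

# --- Option 2: the certificate is installed on the requesting machine (02.3) ---
# Pick it out of Local Machine\Personal by thumbprint instead of shipping a PFX around.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CcpHost*" -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $Cert) { throw 'Client certificate with private key not found in Cert:\LocalMachine\My' }
$FromStore = Invoke-RestMethod -Uri $Uri -Method Get -CertificateThumbprint $Cert.Thumbprint
$FromStore.Content

# --- CCP machine: only the public certificate goes into its Personal store ---
# Export-Certificate writes DER (.cer) without the private key; copy that file to the
# CCP host and import it there (same result as the 02.3 Install Certificate wizard).
Export-Certificate -Cert $Pfx -FilePath 'C:\Certs\ClientAuthApp01.cer' | Out-Null
# On the CCP host:
# Import-Certificate -FilePath 'C:\Certs\ClientAuthApp01.cer' -CertStoreLocation Cert:\LocalMachine\My
```

If the call fails with a TLS trust error rather than a 403 from the CCP, the problem is the chain, not the client certificate: on a non-domain-joined requester, import the issuing CA and any intermediates into the trusted root/intermediate stores (or the distro's CA bundle on Linux) before retrying.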