Transfer certificate revocation lists to revocation list distribution points using SSH Secure Copy (SCP) with public key authentication (Windows Server 2019).

If the servers providing the revocation list distribution points are located in a Demilitarized Zone (DMZ), for example, or data transfer via Server Message Block (SMB) is not possible for other reasons, the revocation lists can be transferred to the distribution points using SSH Secure Copy (SCP). As of Windows Server 2019, the OpenSSH server and client packages are available. The following describes, as an example, the setup with authentication via public keys (public key authentication) instead of passwords.

Optional: Procure installation media

If the systems on which the SSH server or SSH client is to be installed can communicate with the Internet (which is not recommended, of course), you can proceed directly to the next step.

However, if they do not have access to the Internet, the Features on Demand ISO files for Windows 10 and for Windows Server 2019 are required.

The contents of the Features on Demand ISO file for Windows Server 2019 are copied in their entirety to a local folder (for example: C:\LabFiles\Install\OpenSSH).

From the Features on Demand ISO file, the following two files are copied to the previously created folder:

  • OpenSSH-Client-Package~31bf3856ad364e35~amd64~~.cab
  • OpenSSH-Server-Package~31bf3856ad364e35~amd64~~.cab

Preparing the client

On the system that is to initiate the copy process, the SSH client is installed with the following PowerShell command, provided that the system can communicate with the Internet:

Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

If it cannot communicate with the Internet, the -Source argument is added with the path to the installation files:

Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0 -Source C:\LabFiles\Install\OpenSSH

The SSH identities are managed by the ssh-agent service, which must be configured for automatic startup and started:

Set-Service ssh-agent -StartupType Automatic
Start-Service ssh-agent

Afterwards, an SSH key pair can be generated under the identity of the user account that is to perform the copy process. The following command is executed for this purpose:

ssh-keygen

For automated tasks, it is convenient to run the copy process under the identity of the computer account (NT AUTHORITY\SYSTEM), because it has all the necessary rights and changes its password automatically. Thus, neither a local nor a domain account is required, and there is no need to change a password manually on a regular basis.

For this, the ssh-keygen command must also be run under this identity. This can be done with psexec, for example:

psexec -s -i cmd.exe

The SSH key pair is stored in a .ssh subfolder within the user profile.

For the SYSTEM account this is C:\Windows\System32\config\systemprofile\.ssh.

  • The file id_rsa contains the private key; it must never be disclosed.
  • The file id_rsa.pub contains the public key, which is deposited on the target systems.

Prepare the server

On the system to which the files are to be copied, the SSH server is installed with the following PowerShell command, provided that the system can communicate with the Internet:

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

If it cannot communicate with the Internet, the -Source argument is added with the path to the installation files:

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0 -Source C:\LabFiles\Install\OpenSSH

The sshd and ssh-agent services must be configured for automatic startup and started:

Set-Service sshd -StartupType Automatic
Start-Service sshd
Set-Service ssh-agent -StartupType Automatic
Start-Service ssh-agent

Optional: Configure Windows firewall

With the installation of the OpenSSH server, an incoming firewall rule for SSH is created automatically. This can be left as it is.

Optionally, you can restrict the source IP addresses that are allowed to communicate with the system via SSH.

Create user for copy task

An unprivileged user should be created on the target system, under whose identity the revocation lists are copied.

Attention: The user must not be a member of the Administrators group, because in that case a different procedure for depositing the public keys is required.

It is advisable to choose a very strong password for this user account.

The user must log on to the system once for a user profile to be created.

Deposit SSH identity

A subfolder named .ssh must be created in the user profile of the copy account. Windows Explorer will refuse this, but from the command line it is possible without any problems:

mkdir .ssh

The file id_rsa.pub is copied into this folder and renamed to authorized_keys.

If several keys are to be deposited, they can be entered in the authorized_keys file with a text editor, one key per line.

Assign write permissions

Since the user is unprivileged, it still needs write permissions on the destination folder.
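The server-side steps above (copy account, .ssh folder with authorized_keys, write permissions on the destination folder) in one PowerShell script, as an added example that is not from the original article; the account name, the path of the copied id_rsa.pub and the destination folder are assumptions.

```powershell
# Added example (not part of the original article): server-side setup of the copy
# account, its authorized_keys file and the destination folder on a distribution
# point. Assumed names: user "crlcopy", public key file C:\LabFiles\id_rsa.pub
# (the id_rsa.pub from the sending system), destination folder C:\inetpub\wwwroot\crl.
$User    = 'crlcopy'
$PubKey  = 'C:\LabFiles\id_rsa.pub'
$CrlPath = 'C:\inetpub\wwwroot\crl'

# Unprivileged local account: it must NOT be added to Administrators, because
# sshd then expects the keys in administrators_authorized_keys instead.
$Password = Read-Host -AsSecureString -Prompt "Password for $User"
New-LocalUser -Name $User -Password $Password -PasswordNeverExpires `
    -AccountNeverExpires -Description 'CRL copy account (SCP)' | Out-Null

# The profile folder exists only after the first logon; resolve it from the SID.
$Sid        = (Get-LocalUser -Name $User).SID.Value
$ProfileDir = (Get-ItemProperty -ErrorAction SilentlyContinue `
    "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$Sid").ProfileImagePath
if (-not ($ProfileDir -and (Test-Path $ProfileDir))) {
    throw "No profile for $User yet: log on once with this account first."
}

$SshDir   = Join-Path $ProfileDir '.ssh'
$AuthKeys = Join-Path $SshDir 'authorized_keys'
New-Item -ItemType Directory -Path $SshDir -Force | Out-Null
Copy-Item -Path $PubKey -Destination $AuthKeys

# sshd (StrictModes) rejects an authorized_keys file that other users can access:
# drop inherited ACEs and allow only the account itself, SYSTEM and Administrators.
foreach ($p in $SshDir, $AuthKeys) {
    icacls $p /inheritance:r /grant:r "${User}:(F)" 'SYSTEM:(F)' 'Administrators:(F)' | Out-Null
}

# Destination folder: Modify (create/overwrite/delete files) for the copy account,
# not Full Control, so the account cannot change the folder's permissions itself.
icacls $CrlPath /grant "${User}:(OI)(CI)(M)" | Out-Null

# Show the resulting ACLs for verification.
icacls $AuthKeys
icacls $CrlPath
```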

Establish connection

Now an SSH connection can be established from the sending system to the target system.

First, a shell connection should be established so that the host key of the target system becomes known to the sending system. The syntax is:

ssh {username}@{target server}

If successful, you now have a shell connection on the target system.

You can log out of it with the exit command.

Now the copy process can be performed. The syntax is:

scp {source folder}\*.crl {username}@{destination system}:{destination path}
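The copy process as an unattended task running as SYSTEM, with the key pair from the systemprofile path given above, as an added PowerShell example that is not from the original article; the CRL source folder, account name, host name, destination path and script location are assumptions.

```powershell
# Added example (not part of the original article): the copy process from the
# sending system, run unattended as SYSTEM with the key pair stored under the
# systemprofile path above. Assumptions: CRLs are published to
# C:\Windows\System32\CertSrv\CertEnroll, copy account "crlcopy", distribution
# point "crl.corp.example", destination C:\inetpub\wwwroot\crl, this script saved
# as C:\LabFiles\Copy-Crl.ps1. Run once with -Register to create the scheduled task.
param([switch]$Register)

$Source     = 'C:\Windows\System32\CertSrv\CertEnroll\*.crl'
$Target     = 'crlcopy@crl.corp.example:C:/inetpub/wwwroot/crl/'
$SshHome    = 'C:\Windows\System32\config\systemprofile\.ssh'
$ScriptPath = 'C:\LabFiles\Copy-Crl.ps1'
$Log        = 'C:\LabFiles\Copy-Crl.log'

function Copy-Crl {
    # BatchMode=yes: never prompt (a prompt would hang the task).
    # StrictHostKeyChecking=yes: connect only to the host key recorded in known_hosts
    # during the interactive first login, so an unknown or changed key aborts the copy.
    $out = & scp.exe -o BatchMode=yes -o StrictHostKeyChecking=yes `
        -o "UserKnownHostsFile=$SshHome\known_hosts" -i "$SshHome\id_rsa" `
        $Source $Target 2>&1
    $code = $LASTEXITCODE
    # One line per run, so a failed transfer is visible in the log and in the task history.
    "$(Get-Date -Format s) exit=$code $($out -join ' | ')" | Add-Content -Path $Log
    return $code
}

function Register-CrlCopyTask {
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    # Every 30 minutes; adjust to the CRL publication interval of the CA.
    $trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date).Date `
        -RepetitionInterval (New-TimeSpan -Minutes 30)
    # Runs as SYSTEM: no stored password and no account whose password expires.
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount
    Register-ScheduledTask -TaskName 'Copy CRLs to distribution point' `
        -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null
}

if ($Register) { Register-CrlCopyTask } else { exit (Copy-Crl) }
```

The task's "last run result" shows the scp exit code, so a rejected key or a changed host key is noticed instead of silently leaving stale revocation lists on the distribution point.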
