- Bart Timmermans aka Hyper-B - http://www.bart-timmermans.nl -

Create a Root CA on Windows Server 2008 R2 core edition Part 2

Posted By Bart Timmermans On March 4, 2011 @ 11:36 pm In Bitlocker,CA,Certificate Authority,Certificates,Microsoft,PKI,Root CA,Security | No Comments


This is the second part (Part 1 [2]) of the how-to guide on installing and configuring an offline Root Certificate Authority [3] on a Windows Server 2008 [4] R2 core edition.

In this part we encrypt the OS drive with BitLocker. With the volume encrypted, the private key of the root certificate cannot be read by someone who copies the virtual machine's disk files or pulls the disk from a physical host: without the startup key the volume is only ciphertext. Be clear about what this does and does not cover. It protects the key at rest, not on a running, logged-on server, and whoever holds the startup-key floppy (or its image) together with the disk can unlock it, so the floppy image must be stored separately from the VM and handled with the same care as the CA key itself. In this guide we use a virtual machine on VMware (Hyper-V or XenServer work the same way). Because the virtual machine has no TPM (Trusted Platform Module), we use a virtual floppy disk as the startup-key medium; it must be attached every time the server is powered on.

This guide can also be used on all Windows Server 2008 R2 core servers. 

Prerequisites

The following must be available before using this guide:

  • Console access to the server (iLO, VMware vSphere console);
  • Windows Server 2008 R2 core edition already installed;
  • A server running Windows Server 2008 R2 full edition with the BitLocker feature installed (used to copy the bdehdcfg files to the Root CA and to edit the Root CA's local policy remotely).

Installation steps

Part 2: Encrypting the drive with Bitlocker

1. Install the Bitlocker feature by running the following command: Dism /online /enable-feature /featurename:BitLocker

[5]

2. Press "Y" to restart the server.

3. When the server is back up, log on to the Root CA and open the firewall for remote management (needed for the remote Group Policy editing in steps 6-9): netsh advfirewall firewall set rule group="Remote Service Management" new enable=yes

4. Now log on to a Windows Server 2008 R2 full edition server and copy three files (bdehdcfg.exe, bdehdcfglib.dll and reagent.dll) from the %WinDir%\System32 directory to the same directory on the Root CA. These files belong to the BitLocker Drive Preparation Tool, which is not present on core edition but is needed in step 12.

5. On the same full edition server store the Root CA's local administrator credentials, so the MMC snap-in in the next steps can connect: cmdkey /add:<Hostname of Root CA> /User:<Computername>\Administrator /pass:<password>

(in my case it was: cmdkey /add:RootCA /User:RootCA\Administrator /pass:myComplexPassw0rd)

6. Now run the following command on the same server: mmc

7. Click on File -> Add/Remove snap-in -> Group Policy Object editor -> Add -> Browse -> Another Computer -> Hostname of the server (RootCA) -> OK -> Finish

8. Navigate to Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Require Additional Authentication At Startup

9. Select Enabled and make sure that "Allow BitLocker without a compatible TPM" is ticked. Without this setting manage-bde refuses to use a startup key on a machine that has no TPM.

[7]

10. You can now log off the Windows Server 2008 R2 full server. Since the Root CA is meant to stay offline, disable the remote management rule group again once the policy has been applied in step 11: netsh advfirewall firewall set rule group="Remote Service Management" new enable=no

11. Log on to the Root CA server and run gpupdate /force so the BitLocker policy is applied before BitLocker is enabled.

12. Run the following command on the Root CA to shrink C: and create the 300 MB unencrypted system partition S: that BitLocker boots from: bdehdcfg -target c: shrink -newdriveletter s: -size 300

[8]

13. Now insert a FAT32-formatted USB disk (physical machine) or a virtual floppy disk (virtual machine) into the server.

14. To enable BitLocker on the OS partition run the following command: Manage-BDE -on C: -StartupKey A: (A: was the location of my virtual floppy disk). BitLocker writes a hidden .BEK key file to the floppy. It is worth adding -RecoveryPassword to the same command so that a 48-digit recovery password is generated as well; print it and keep it offline, because with a startup key alone a lost or corrupted floppy means the CA disk can never be unlocked again.

[9]

15. Now restart the server with the virtual floppy or USB disk still attached, by running the following command: shutdown -r -t 0

Note: make sure the server boots from the hard drive and not from the floppy or USB disk.

16. When the server is back up, log on and run the following command to check the status of BitLocker: Manage-BDE -status

[10]

17. Encryption runs in the background. Wait about half an hour (depending on disk size) and check the status again with the same command as in step 16; until the conversion status reads Fully Encrypted, unencrypted sectors still remain on the disk.

[11]

18. To confirm that the server really cannot start without the BitLocker startup key, reboot it once with the virtual floppy or USB disk detached: the boot should stop at the BitLocker prompt asking for the startup key (or the recovery password). Reattach the floppy and reboot to continue.

[12]
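Steps 11 to 18 leave several things unchecked: whether the policy from step 9 actually reached the Root CA, whether the startup-key medium is usable, and whether the protectors BitLocker ended up with are the ones intended. The script below is an added example, not part of the original post; it runs the same manage-bde steps from one elevated PowerShell session on the Root CA and verifies each of them. It assumes PowerShell has been enabled on the core installation (dism /online /enable-feature /featurename:NetFx2-ServerCore /featurename:MicrosoftWindowsPowerShell), that the OS volume is C: and the startup-key medium is A:, and it adds a recovery password alongside the startup key. The registry values under HKLM\SOFTWARE\Policies\Microsoft\FVE are the ones the "Require additional authentication at startup" policy writes.

```powershell
# Added example (not from the original post): enable BitLocker on the Root CA OS
# volume with a startup key plus recovery password, checking every precondition.
# Assumes an elevated PowerShell on the Server Core box, OS volume C:, key medium A:.
param(
    [string]$OsDrive  = 'C:',
    [string]$KeyDrive = 'A:'
)
$ErrorActionPreference = 'Stop'

# 1. Confirm the GPO setting from step 9 landed after gpupdate. These are the
#    registry values that policy writes; without EnableBDEWithNoTPM=1 manage-bde
#    refuses a startup key on a machine without a TPM.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$pol = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
if (-not $pol -or $pol.UseAdvancedStartup -ne 1 -or $pol.EnableBDEWithNoTPM -ne 1) {
    throw "BitLocker policy not applied on this host: redo the GPO step and run gpupdate /force"
}

# 2. The startup-key medium must be present and FAT-formatted; BitLocker writes
#    a hidden .BEK file to it.
$keyVol = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$KeyDrive'"
if (-not $keyVol -or $keyVol.FileSystem -notmatch '^FAT') {
    throw "$KeyDrive is missing or not FAT/FAT32; attach the virtual floppy or USB disk first"
}

# 3. Turn BitLocker on with a startup key AND a numerical recovery password.
#    The recovery password is the only way back in if the floppy is lost.
$onOutput = & manage-bde -on $OsDrive -StartupKey $KeyDrive -RecoveryPassword 2>&1
if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed:`n$($onOutput -join "`n")" }
# $onOutput contains the 48-digit recovery password: print it and store it
# offline, never on this host or on the floppy.
$onOutput

# 4. Verify the protectors: one External Key (the startup key), one Numerical
#    Password (the recovery password), and a .BEK file on the key medium.
$prot = (& manage-bde -protectors -get $OsDrive) -join "`n"
if ($prot -notmatch 'External Key')       { throw "no startup-key protector on $OsDrive" }
if ($prot -notmatch 'Numerical Password') { throw "no recovery-password protector on $OsDrive" }
if (-not (Get-ChildItem -Path "$KeyDrive\" -Filter '*.BEK' -Force)) {
    throw "no .BEK key file was written to $KeyDrive"
}

# 5. Report status. Encryption continues in the background after the reboot;
#    keep checking until the conversion status reads Fully Encrypted.
& manage-bde -status $OsDrive
Write-Host "Now reboot with $KeyDrive attached (shutdown -r -t 0) and re-run 'manage-bde -status $OsDrive' until Fully Encrypted."
```

The -Force on Get-ChildItem matters because the .BEK file is written with the hidden and system attributes and is otherwise invisible. On a standalone server that will never receive domain policy, the two registry values the script checks can also be written directly on the Root CA with reg add (UseAdvancedStartup and EnableBDEWithNoTPM as REG_DWORD 1 under HKLM\SOFTWARE\Policies\Microsoft\FVE), which avoids opening the firewall for the remote MMC session in steps 3 to 10; that is an alternative to the post's procedure, not part of it.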

 

End of Part 2. Next part: Configuring Certificate Services on the Root CA.

 



URL to article: http://www.bart-timmermans.nl/create-a-root-ca-on-windows-server-2008-r2-core-edition-part2/

URLs in this post:

[1] Image: http://www.bart-timmermans.nl/wp-content/uploads/2009/10/banner-r2_2-744204.jpg

[2] Part 1: http://www.bart-timmermans.nl/how-to-create-a-root-ca-on-windows-server-2008-r2-core-edition/

[3] Certificate Authority: http://www.bart-timmermans.nl/category/certificate-authority/

[4] Windows Server 2008: http://www.bart-timmermans.nl/category/windows-server-2008/

[5] Image: http://www.bart-timmermans.nl/wp-content/uploads/2011/03/15-Install-Bitlocker.png

[6] Management: http://www.bart-timmermans.nl/category/management/

[7] Image: http://www.bart-timmermans.nl/wp-content/uploads/2011/03/21-Bitlocker-GPO.png

[8] Image: http://www.bart-timmermans.nl/wp-content/uploads/2011/03/15-Bitlocker-disk.png

[9] Image: http://www.bart-timmermans.nl/wp-content/uploads/2011/03/17-Enable-Bitlocker1.png

[10] Image: http://www.bart-timmermans.nl/wp-content/uploads/2011/03/18-Encrypting-drive.png

[11] Image: http://www.bart-timmermans.nl/wp-content/uploads/2011/03/19-Encryption-ready.png

[12] Image: http://www.bart-timmermans.nl/wp-content/uploads/2011/03/20-Bitlocker-test.png

Copyright © 2009 Bart Timmermans. All rights reserved.