CERTIFICATE

This part should only be done if you are convinced that the ADCS server has not been compromised.

EXPORT CERTIFICATE ON THE OLD INFRASTRUCTURE

The purpose of this part is to recover all the certificates present in your environment. The objective is twofold:

  • To be able to re-inject them in the new infrastructure in emergency for some critical services

  • To be able to analyze all present certificates and identify potential unwanted certificates

To do this, run the following command and store the resulting backup in a password-protected archive:

  Backup-CertificationAuthority -Path C:\CertSave -BackupKey -Password P@ssw0rd -Extended

Documentation: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/ca-backup-and-restore-windows-powershell-cmdlets
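The second objective above (spotting unwanted certificates) is easier if the issued-certificate log is dumped while the old CA is still reachable. The script below is an added example, not part of the original runbook; it assumes it runs on the old CA with CA administrator rights, and the compromise window and template allow-list are constructed placeholders to adapt to your environment.

```powershell
# Added example (not from the original runbook): export the old CA's issued
# certificates to CSV next to the backup, then flag entries a human should review.
$BackupDir         = "C:\CertSave"                        # same folder as the CA backup
$CompromiseStart   = Get-Date "2024-01-01"                # placeholder: start of suspected compromise window
$ExpectedTemplates = @("WebServer", "Machine", "User")    # placeholder allow-list of templates this CA should issue

# The -out list defines the CSV column order; Disposition=20 restricts the view to issued certificates.
$Columns = "RequestID,RequesterName,CommonName,CertificateTemplate,NotBefore,NotAfter,SerialNumber"
$CsvPath = Join-Path $BackupDir "issued-certs.csv"
certutil -view -restrict "Disposition=20" -out $Columns csv | Out-File -FilePath $CsvPath -Encoding utf8

# Supply our own header names and skip certutil's header row, so the script
# does not depend on certutil's localized display names.
$Issued = Import-Csv -Path $CsvPath -Header RequestID,Requester,CommonName,Template,NotBefore,NotAfter,Serial |
          Select-Object -Skip 1

$Review = foreach ($Cert in $Issued) {
    $Reasons = @()

    # For v2+ templates certutil prints "<OID> <name>"; for v1 templates only the name.
    # Taking the last token is a heuristic, so anything that does not match is flagged.
    $TemplateName = ($Cert.Template -split '\s+')[-1]
    if ($ExpectedTemplates -notcontains $TemplateName) { $Reasons += "unexpected template '$($Cert.Template)'" }

    # Dates come back in the CA's locale; TryParse keeps a bad cell from aborting the whole run.
    $NotBefore = [datetime]::MinValue
    if ([datetime]::TryParse($Cert.NotBefore, [ref]$NotBefore) -and $NotBefore -ge $CompromiseStart) {
        $Reasons += "issued inside the compromise window"
    }

    if ($Reasons.Count -gt 0) {
        [pscustomobject]@{
            RequestID = $Cert.RequestID
            Requester = $Cert.Requester
            Subject   = $Cert.CommonName
            Template  = $Cert.Template
            NotBefore = $Cert.NotBefore
            Serial    = $Cert.Serial
            Reasons   = ($Reasons -join "; ")
        }
    }
}

# Keep the review list with the backup so it survives the isolation of the old server.
$Review | Export-Csv -Path (Join-Path $BackupDir "certs-to-review.csv") -NoTypeInformation
$Review | Format-Table -AutoSize
```

Any certificate listed in certs-to-review.csv should be checked before its template or subject is re-enabled on the new infrastructure, and can be revoked on the old CA before it is disconnected.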

ISOLATE OLD ADCS

Once the certificates are recovered, disconnect the old ADCS servers.

DELETE THE OLD ADCS ON YOUR NEW INFRASTRUCTURE

Get-ADComputer -Identity "OLD_ADCS" | Remove-ADObject -Recursive

INSTALL NEW ADCS

  • Deploy a new server in a new, isolated infrastructure.

    • This installation must not be done from a template, a VM clone or any other existing image. It must be done from an ISO downloaded for the occasion.

  • Harden the OS as much as possible.

  • Open only the ports and URLs necessary for the environment to function (at least Windows Update for the moment).

    • Use the URL.txt

UPDATE THE OS

Once the server is installed and hardened, it is advisable to apply all available updates directly from the Internet and not from an internal share, which may itself be compromised.

PowerShell: use the PowerShell Gallery.

ADD AND CONFIGURE NEW ROLE

  • Add the ADCS role.

  • When asked for the private key:

    • Select "Use existing private key".

    • Select a certificate and use its associated private key.

  • Import the key saved previously.

  • Check.

  • Execute the two .reg files created during the backup.
