Set up CNSA mode

Prerequisites

  • You have a computer or virtual machine running Linux to generate the required certificates.

  • You have set up the Windows FIPS repository.

  • You have installed Windows Server 2016 or later versions. In Windows Server 2012 or earlier versions, TLS 1.2 cipher suites are not available.

Procedure
  1. Generate the required certificates for the Windows web server using OpenSSL that is installed on a computer or virtual machine running Linux.

    • Obtain and install OpenSSL.

      yum install openssl

    • Set CN to FQDN. Enter the command ping -a IP_ADDR to get the FQDN of the server.

    • Set subjectAltName with DNS and IP address of the web server. 

    openssl genrsa -out key.pem 3072
 
openssl req -subj "/CN=<FQDN or IP address>/C=US/ST=CA/L=PA/O=HPE/OU=Org" -sha384 -new -key key.pem -out \
certreq.csr -reqexts SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:<FQDN>,\
IP:<IP address>\nkeyUsage=digitalSignature,keyEncipherment,dataEncipherment\nbasicConstraints=CA:FALSE"))
 
openssl req -x509 -sha384 -key key.pem -out cert.pem -nodes -days 3650 -extensions v3_req -in certreq.csr \
-config <(cat /etc/pki/tls/openssl.cnf <(printf "\n[v3_req]\nsubjectAltName=DNS:<FQDN>,IP:<IP address> \
\nkeyUsage=digitalSignature,keyEncipherment,dataEncipherment\nbasicConstraints=CA:FALSE"))
  2. Create the pfx file that has the public and private key.

    openssl pkcs12 -export -out cert.pfx -inkey key.pem -in cert.pem

  3. To import the pfx file into the IIS web server, perform the following steps:
    1. Open IIS Manager.
    2. On the home page of IIS Manager, select Server Certificates > Import.
    3. Select the pfx file and enter the password.

      Write down the password that you entered.

    4. Select Default web site from the connections panel, and in the Actions pane, select Bindings.
    5. Click Add, and from the Type drop-down list, select https. The default port assigned is 443.
  4. Restart the IIS web server.
  5. Connect to the web server using a browser. If you used a self-signed certificate, you will see a certificate error. To proceed, accept the certificate exception.
  6. To set the Windows server mode to CNSA, perform the following steps:
    1. Open the Run application and enter the gpedit.msc command.

      The Local Group Policy Editor opens.

    2. In Local Group Policy Editor, select Computer Configuration > Administrative Templates > Network > SSL Configuration Settings.
    3. Open SSL Cipher Suite Order.
    4. Select Enabled, and add the suites. 
      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    5. Restart the OS.