Install the Microsoft Windows Server certification authority server role and establish a root CA.
- [Instructor] In this demonstration, I'll install a PKI certificate authority on the Microsoft Windows Server 2016 platform. The first thing I'll do here on the server is check whether or not this component is already installed. I can do that in a number of ways. I can go to my start menu and start up Windows PowerShell, and within PowerShell I can issue the Get-WindowsFeature cmdlet and tell it what I want to look for, in this case *certificate*. After a moment we can see that the Active Directory Certificate Services role is not installed because there's not an X in the box.
We could use the Install-WindowsFeature cmdlet to install it, given that we see the name here. However, I'm going to go to my start menu because an alternative way of installing the certificate services component is to go to the Server Manager GUI. It doesn't matter which way you do it; it ends up being the same. Here in Server Manager, I'm going to click Add Roles and Features. On the first screen, for role-based or feature-based installation, I will leave that single-server installation option enabled and I'll click Next.
I'm installing it on this same server from which I am running this tool, so I'll click Next. Then I'm going to choose the Active Directory Certificate Services option on the Roles screen, so I'll put the check mark there. It pops up and asks if I want to add server administration features related to this role, and I do, so I'll click Add Features and then Next. There are no additional features I want installed on the Features screen, so I'll just go ahead and click Next on that. Then I get a little message describing what Active Directory Certificate Services does, so I'll click Next on that screen.
Then I get to choose the specific role services related to Active Directory Certificate Services. We definitely need the Certification Authority so we can set up our PKI CA, our certificate authority. I've also got components like the Certificate Enrollment Policy Web Service and the Certificate Enrollment Web Service, which are both used for machines not joined to an Active Directory domain, although my server is actually an Active Directory domain controller. I've also got the Certification Authority Web Enrollment website that I can choose to install.
This gives a little web interface that lets people request certificates by pasting in certificate signing requests and so on, so if I need that component, I can install it. I've also got the Network Device Enrollment Service for network devices that can acquire PKI certificates, but I'm not going to turn that on. I've got the Online Responder, the server-side component that is used to respond to OCSP client queries for certificate validity, but I don't need that, so I'm not going to install it. Okay, so now that I've made my choice or choices, I'm going to click Next and then Install to get this going, and before too long it has completed the installation.
It does say that configuration is required. Okay, that's fine, Close. If I were to attempt here in Server Manager to go directly to the Tools menu and run the Certification Authority tool, it would result in this error message: cannot manage Active Directory Certificate Services. That's because nothing's been configured, so that's fine; I'll click OK and close the tool. In the notification area here in the upper right, I see that I've got an option to configure Active Directory Certificate Services on the destination server, this server, so I'll click on that.
That starts a new wizard, excellent. I'm going to use my current logon credentials here for a domain admin account that it already came up with, and I'll click Next. Then I'm going to choose to configure the Certification Authority as well as the Certification Authority Web Enrollment. Okay, so then I'll click Next. I need to install an enterprise CA here, well, I don't need to, but I'm going to because this is an Active Directory domain controller. The standalone CA option is for servers that are not a part of an Active Directory domain, so I'm going to leave it on enterprise CA and I'll click Next.
Now I do need to specify root CA here because I don't already have a root CA. This is the top of the PKI hierarchy that we are defining. Otherwise, for other servers after we get this one running, we can configure them as subordinate CAs, otherwise called registration authorities, RAs, so that we might have subordinate CAs for different regions, different departments, different child companies and so on, but here we're going to stick with root CA. Next. I'm going to create a new private key.
I'm not going to use an existing private key. You would only use that option if, perhaps, a server that was previously hosting a CA failed, you have a backup of its private key, and now you want to reinstall the server to host it again. That doesn't apply, so create a new private key it is. Then I get to choose the cryptographic provider from the drop-down list. I'm going to stick with all the defaults here; they should work just fine. So RSA as the cryptographic provider with a key length of 2,048 bits, and for the digital signing algorithm for digitally signing certificates I'll leave it on SHA256, the secure hashing algorithm, and then I'll click Next.
I have to come up with a common name for this certificate authority, so I'm just going to call it fake domain one, and down below it's come up with the distinguished name suffix for that. I'm okay with that, so I'm going to go ahead and click Next. Bear in mind that PKI certificates have an expiration date. They're only valid for a certain period of time, and that includes certificate authorities, so here it's set to five years as the validity period by default for this certificate authority, not for certificates it will issue.
Let's say here I'm going to change that to 10 years in accordance with our organizational security policies. Having done that, I'll go ahead and click Next. I will accept the default database locations for the certificate database and the certificate database log, and then I'll click Next. Okay, looks good, so I'm going to go ahead and click Configure on the summary screen, and now it's just a matter of waiting. I can now see that the configuration has succeeded for both components, the Certification Authority and the Certification Authority Web Enrollment, so I'm going to go ahead and click Close.
Now here in Server Manager, if I go to the Tools menu to start the Certification Authority tool, which you could also start from the start menu, this time it will not give us an error because we've configured a CA. We can actually see it over here on the left, fake domain one. If I expand that, notice underneath it I have folders for Revoked Certificates, Issued Certificates, Pending Requests that might require administrator approval, Failed Requests, and even Certificate Templates, the blueprints that are used to issue PKI certificates; we'll be working with these in other demonstrations.
Also, if I go into my start menu on this server and run certmgr, the certificate manager MMC console, it gives me the option to manage computer certificates. If I look into that, and just maximize the screen, under Personal, if I look under Certificates, I can see I've got a CA certificate for fake domain one, and I can see the expiration date, which is 10 years from today based on my configuration.
At the same time, if I also go into the Trusted Root Certification Authorities part of my certificate store and click on Certificates, here are the other certificate authorities that are trusted on this machine, and we also have our entry for fake domain one. It's okay if you see what appears to be duplicate CA certificates; that's because the certificates are stored physically in a couple of different places here in the certificate store. While this exists on our server where we configured it, it's going to be important to consider that our client devices that need to trust certificates issued by this CA will also need this installed in their certificate store, but that's something we'll deal with a little bit later.
The other thing we're going to take a look at is the certificate enrollment website, which we elected to install. For that, I'm going to fire up a web browser directly on this server, although it certainly doesn't have to be, and we're going to connect to this specific host. I'll put in http:// and then the URL, and then we're going to connect to the /certsrv suffix on our website, which prompts us to log in, so I'll put in, let's say, my domain administrator credentials for Active Directory. After a moment that opens up the Active Directory Certificate Services web enrollment page, where notice we can request a PKI certificate.
We can view the status of a pending request or even download the CA certificate to establish trust. At this point, we have successfully installed a certificate authority.
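The demonstration above performs every step through the Server Manager wizards, but it also mentions that Get-WindowsFeature and Install-WindowsFeature would do the same job. The following script is an added example, not part of the course or its demo, that reproduces the same choices (Enterprise Root CA, new RSA 2048 key, SHA256, 10-year validity, web enrollment) from an elevated PowerShell session on the target server, then verifies the result in the local machine's Trusted Root store. The CA common name below is an assumption; substitute your own. The distinguished name suffix is left for AD CS to derive from the domain, as the wizard does.

```powershell
# Added example (not the course's own script): install the AD CS role and
# configure an Enterprise Root CA with the same settings chosen in the demo.
# Run elevated, as a domain admin, on the server that will host the CA.

$CACommonName = 'fakedomain1-CA'   # assumption: choose your own CA name

# 1. Check whether the role is already present (same query as the demo's
#    Get-WindowsFeature *certificate*; Installed is $false on a fresh server).
$caRole = Get-WindowsFeature -Name 'ADCS-Cert-Authority'
if ($caRole.Installed) {
    Write-Host 'Active Directory Certificate Services is already installed.'
} else {
    # 2. Install the Certification Authority role service and the
    #    Certification Authority Web Enrollment site, with the management tools.
    Install-WindowsFeature -Name 'ADCS-Cert-Authority', 'ADCS-Web-Enrollment' `
                           -IncludeManagementTools
}

# 3. Post-deployment configuration: Enterprise Root CA, new private key,
#    RSA 2048 from the software KSP, SHA256 signatures, valid for 10 years.
Install-AdcsCertificationAuthority `
    -CAType             EnterpriseRootCA `
    -CACommonName       $CACommonName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength          2048 `
    -HashAlgorithmName  SHA256 `
    -ValidityPeriod     Years `
    -ValidityPeriodUnits 10 `
    -Force

# 4. Configure the /certsrv web enrollment site on this server.
Install-AdcsWebEnrollment -Force

# 5. Verify: the new root certificate must be in the machine's Trusted Root
#    Certification Authorities store, and NotAfter should be ~10 years out.
$root = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "CN=$CACommonName*" }

if (-not $root) {
    throw "Root CA certificate for $CACommonName not found in Trusted Root store."
}
$root | Select-Object Subject, NotBefore, NotAfter, Thumbprint
```

Two points worth checking once the script finishes. First, the NotAfter date printed in step 5 is the lifetime of the trust anchor for the whole hierarchy: everything issued under it stops validating when it expires, so record it and its Thumbprint so you can later confirm that the copy distributed to clients (which the demo defers) is the same certificate. Second, the web enrollment page prompts for domain credentials; bind the certsrv site to HTTPS before anyone uses it from another machine rather than over plain http:// as in the walkthrough.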