Install a certificate authority (CA) that is integrated with Active Directory. Configure a root CA for an organization.
- [Instructor] In this chapter, we'll be covering the Active Directory certificate services and looking at how to install and configure an Active Directory certificate authority. This is another one of these services that's easy to install and deceptively easy to configure. But the decisions made during this configuration cannot be changed without starting over. We're going to step through the installation of a certificate authority and the preparation of the different types of certificates that may be available. And we'll point out some of the different decisions that will be made along the way.
Then we'll wrap up this video by preparing a certificate template to be requested by an ADFS server in our domain, like the one that we used in the last chapter. It's always a good idea to install the first certificate services server on a server that is not a domain controller because that really locks that machine into keeping both roles pretty much indefinitely. You can't remove Active Directory from a server without first removing the certificate services, and you don't want to uninstall your certificate root authority unless you no longer have need of certificates for anything.
So for that reason, I'm installing on a server that is a member of my domain. You can see the identity here. It's a server that's in the landoncafe.com domain, but it is not the domain controller. So from the Server Manager, I can begin the installation by selecting Add roles and features. This is a role-based installation. So again we'll move forward through these first few steps. And from the list of roles, we're going to select Active Directory Certificate Services.
We'll let Windows add the necessary components and administration tools. And when I click Add Features, you'll notice immediately to the left, a new step will appear in the process. This means that we're headed to at least one more question specific to this installation. We have no features to add, so we'll move straight through to that additional step. Here's a note that kind of adds to the warning that I made earlier about installing on a domain controller. It's pointing out that once you've installed a certificate authority, you really shouldn't do anything to change the identity of this computer.
It will make it so that the certificates can't be verified against this server later on. Next is the list of services that you can select in association with this role. We're installing the enterprise root authority, so the only one we need is the top one, Certification Authority. The other options here may be implemented on other servers down the road, depending on the hierarchy and the design of your network. Next it confirms, and you can proceed with the installation. We'll fast-forward through the installation part so we can get to the configuration.
The installation succeeded, but the service isn't doing anything because we still need to configure it. You'll notice that like ADFS, we have a link to configure it here, or we have an alert up here to configure it if you've already closed the install box. Since we have this open, I'm going to use this link on the "Congratulations, you installed it" screen. And we're gonna start off with a series of four questions to ask about the type of certification authority. First we'll ask what account we'll use to set this up.
The domain administrator account has all of the rights and permissions, so that's what I always use. Next is which role you're going to configure. This is easy, since all of them are grayed out but one, the one we selected to install. Third, whether we're installing as an enterprise or a standalone certificate authority. A standalone can work without a domain, or in an environment where it may be offline. But what we need is for our smaller environment to oversee all certificates and take full advantage of Active Directory.
So we're going to choose enterprise certificate authority. The question of root or subordinate is easily answered also by knowing whether this is the first certificate authority and the top of the certificate hierarchy, or if this is a new certificate authority in an existing hierarchy. This is our first, so it is the root. Now we're being asked about our private key. If you are re-installing a certificate authority or adding a certificate authority to an environment that already has a private key, here's your option to select a certificate and use its private key, or select an existing private key on the computer.
Otherwise you're going to need to create one. Here you'll select the cryptographic provider for the certificates that you will issue, followed by questions where you'll likely select the defaults. We'll confirm the name and domain of our certificate authority. This always populates itself with the information of your current domain, so it's usually right. You can specify how long your certificates will be valid. And you can make some changes on an individual template-by-template basis, but this is your starting point.
And identify where you're going to put the database. And you're just about done. There's your confirmation of all the choices made. It's your chance to use the previous button and go back if there's one that needs to be fixed before you click on Configure, watch the progress bar, and you're done. So congratulations, it's installed and configured. In the next video, we'll start off with creating certificate templates.
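The same Server Manager walkthrough can be scripted with the ADCSDeployment cmdlets that ship with the role. This is an added example, not code from the course; it assumes an elevated PowerShell session as a domain admin on a domain-member server, and the CA common name, key size, validity period and paths are placeholder choices to adjust before running.

```powershell
# Added example (not from the course): scripted equivalent of the narrated steps.
# Assumptions: elevated session, domain admin, domain-member server.
# Because the CA type, key algorithm/length, hash and name cannot be changed later
# without starting over, each choice is spelled out explicitly rather than defaulted.

# 1. Refuse to continue on a domain controller. Win32_ComputerSystem.DomainRole:
#    3 = member server, 4/5 = backup/primary domain controller.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) { throw 'Server is not domain-joined; an enterprise CA requires AD.' }
if ($cs.DomainRole -ge 4)  { throw 'This is a domain controller; install AD CS on a member server.' }

# 2. Install the Certification Authority role service and its management tools
#    (the only role service the course selects for the enterprise root).
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# 3. Configure it as an enterprise root CA with a new private key.
#    -WhatIf can be added first to preview the settings without committing them.
$caName = 'Landoncafe-Root-CA'   # placeholder name, constructed for this example
Install-AdcsCertificationAuthority `
    -CAType              EnterpriseRootCa `
    -CACommonName        $caName `
    -CryptoProviderName  'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength           4096 `
    -HashAlgorithmName   SHA256 `
    -ValidityPeriod      Years `
    -ValidityPeriodUnits 5 `
    -DatabaseDirectory   'C:\Windows\System32\CertLog' `   # placeholder path
    -LogDirectory        'C:\Windows\System32\CertLog' `   # placeholder path
    -Force

# 4. Confirm the service is running and the CA answers, then record the
#    settings that cannot be changed later (key length, hash, name) for the runbook.
Get-Service -Name CertSvc | Select-Object Status, Name
certutil -ping
certutil -cainfo
```

Keep the output of `certutil -cainfo` with your build documentation; if the key length or hash algorithm it reports is not what the design called for, this is the point to remove the role and redo the configuration, before any certificates have been issued.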
Note: The topics covered here map to the Configure Identity and Access Solutions domain for Microsoft Certified Solutions Associate (MCSA) Exam 70-412, Configuring Advanced Windows Server 2012 Services. Use these tutorials to study for the exam.
- Implementing Active Directory Federation Services (AD FS)
- Configuring AD FS authentication policies
- Configuring multifactor authentication
- Installing and configuring Active Directory Certificate Services (AD CS)
- Creating certificate templates
- Configuring certificate authority backup and recovery
- Managing certificates, including templates and renewal
- Installing and configuring Active Directory Rights Management Services (AD RMS)