Introduction
Active Directory Certificate Services (AD CS) provides the certificate infrastructure to enable scenarios such as secure wireless networks, virtual private networks, Internet Protocol Security (IPSec), Network Access Protection (NAP), encrypting file system (EFS) and smart card logon.
This walkthrough provides step-by-step instructions on how to stand-up an Enterprise Subordinate Certificate Authority (CA).
Prerequisites
- The user performing the installation and configuration of the Active Directory Certificate Services Role must be a member of the Enterprise Admins group.
Notes
- CA = Certificate Authority
- All CA roles mentioned in this post are integrated with Active Directory, as such, are known as Enterprise CAs.
- A Root CA already exists in my lab environment.
- During this walkthrough, you will install and configure a new Subordinate CA.
Overview
- Install Active Directory Certificate Services.
- Configure Active Directory Certificate Services.
- Obtain a signed certificate from the Root CA.
- Install the Subordinate CA certificate
Install Active Directory Certificate Services
- RDP to the server designated as the new Subordinate CA.
- Server Manager
- Add Roles and Feature
- Click Next
- Accept the default Role-based or feature-based installation option
- Click Next
- Select a server from the server pool
- Click Next
- Check Active Directory Certificate Services
- Click Next
- Ensure the Include management tools (if applicable) option is checked
- Click Add Features
- Click Next
- No additional Features required
- Click Next
- Click Next
- Optionally check Certification Authority Web Enrollment
Certificate Authority Web Enrollment provides a simple Web interface that allows users to perform tasks such as request and renew certificates, retrieve certificate revocation lists (CRLs), and enroll for smart card certificates.
- Ensure the Include management tools (if applicable) option is checked
- Click Add Features
- Ensure both Certificate Authority and Certification Authority Web Enrollment are checked
- Click Next
- Review the Web Server Role (IIS) – Things to note.
- Click Next
- Click Next
- Click Install
- Click Close
- This concludes the installation of the Active Directory Certificate Services role.
Configure Active Directory Certificate Services
- While on the server designated as the new Subordinate CA.
- Server Manager
- Post-deployment Configuration
- Configure Active Directory Certificate Services…
- Ensure the account is a member of the Enterprise Admins group.
- Click Next
- Check Certification Authority
- Check Certification Authority Web Enrollment
- Click Next
- Select Subordinate CA
- Click Next
- Select Create a new private key
- Click Next
- Select the appropriate cryptographic options for your environment.
- I used the defaults.
- Click Next
- If necessary, modify the Subordinate CA certificate attributes.
- Click Next
- Select Save a certificate request to file on the target machine
- Later you will copy the certificate request file (.req) to the Root CA.
- Click Next
- If necessary, change the CA Database locations, i.e. have the database and/or log files written to different disks.
- As this is a lab environment, I used the defaults.
- Click Next
- Review and click Configure.
- Review the next steps
- Click Close
- This concludes the configuration of the Active Directory Certificate Services role.
Obtain a Signed Certificate From the Root CA
- Copy the Subordinate CA .req file to the Root CA.
- RDP to the Root CA
- Server Manager
- Certification Authority
- Submit new request…
- Save the generated Subordinate CA .cer file locally.
Install the Subordinate CA Certificate
- Copy the .cer file to the Subordinate CA server
- RDP to the Subordinate CA server
- Server Manager
- Find and select Certification Authority
- All Tasks
- Install CA Certificate…
- Find and select the .cer file
- Click Open
- All Tasks
- Start Service
- Verify the CA service has started.
Conclusion
This concludes the installation and configuration of the Enterprise Certificate Authority (CA).
Ray's Notebook 