IT Master Services, Sparks Nevada - Your Information Technology Pros

Setting up Active Directory Certificate Services


Below we are going to install Active Directory Certificate Services. Microsoft recommends not running Active Directory Certificate Services on a domain controller. It is very important to realize and understand that deploying this role and its features takes a lot of planning. The instructions below are meant as a guide, with the understanding that this is for a lab environment.

To install Active Directory Certificate Services onto your server, use the following set of instructions:

  1. On your designated CA server, open Add Roles and Features. Under Server Roles, check Active Directory Certificate Services, then click Add Features.
  2. Click Next three times until you reach the Role Services screen. Here you will see the different role services that can be installed on your CA server.
  3. Because we want to be able to request certificates from a web interface on this CA, also check the box for Certification Authority Web Enrollment. After selecting this box, you will receive an additional pop-up asking you to add features; make sure you allow those features to be installed.
  4. Click Next through the remaining screens until you reach the last page, then click Install to start installing the role.
  5. Once the installation completes, the installation summary screen shows a link that says Configure Active Directory Certificate Services on the destination server. Click either that link or the yellow exclamation mark near the top of the Server Manager window to continue configuring the CA role.
  6. On the first configuration screen, the wizard may auto-insert the username of the currently logged-in user. If it doesn't, click Change and enter your credentials. As stated on that screen, make sure the user you are logged in as has Enterprise Admin rights on the domain, because we will be setting this CA up as an Enterprise root CA.
  7. To get certificate services rolling on the server, check the top two options, Certification Authority and Certification Authority Web Enrollment.
  8. Choose Enterprise CA.
  9. Choose Root CA.
  10. Choose Create a new private key.
  11. On the Cryptography screen, you choose the cryptographic options your CA will use. The defaults will typically work if you are unsure of these settings. Just make sure that the Key length field is set to 2048 as a minimum; this is the industry-standard minimum key length. Similarly, hash standards have moved to SHA256, so you should no longer be using SHA1 for any of your certificates.
  12. If desired, you may modify the Common name for this CA option. Keep in mind that this does not have to match the hostname of the server in any way and that it can never be changed. It is usually a good idea not to use the server name in this field, because you may move the CA role to a different server many years down the line and end up with a mismatched certificate/server name. This name will show up inside Active Directory, as well as inside the certificates that you issue from this CA.
  13. Change the Validity Period of your root certificate if desired. Some people leave it at the default of 5 years, but this means that in 5 years you will invalidate every single certificate you have ever issued from this CA. We recommend increasing that number to 10. This validity period determines how often the root certificate must be renewed.
  14. For the rest of the screens, you can use the default options. The Confirmation page lets you verify the settings for Active Directory Certificate Services; if anything is misconfigured, go back and correct it. Press Configure. If everything is good, the Results page shows that all configuration succeeded.
  15. Now we need to verify that the CA website is working by browsing to http://ca1.company.local/certsrv/Default.asp. It asks for an admin username and password for the CA server.
  16. Now we need to deploy the CA root certificate to all client computers in the domain. First, click the Download a CA certificate, certificate chain, or CRL link. If you see the error "An unexpected error has occurred: The Certification Authority Service has not been started", open Internet Options, and under the Security tab select Trusted sites and click Sites. Add the CA server's base URL to the trusted zone and uncheck Require server verification (https:) for all sites in this zone (the certsrv URL above uses plain http). Click OK twice and refresh the page; this resolves the issue.
  17. Once the problem is resolved, click Download a CA certificate, certificate chain, or CRL and then Download CA certificate. Save the certnew.cer file.
  18. We will now deploy the downloaded certificate with a new Group Policy. In Group Policy Management, expand the domain, right-click Group Policy Objects and choose New. Type a name for the new GPO and press OK.
  19. In the GPO Editor, go to Computer Configuration | Policies | Windows Settings | Security Settings | Public Key Policies, right-click Trusted Root Certification Authorities and click Import. This opens the Certificate Import Wizard; select the certificate you downloaded.
  20. Once the certificate is imported, a success pop-up appears and the certificate is listed in the Group Policy Management Editor. Close the editor.
  21. In the Group Policy Management window, right-click the domain name and select Link an Existing GPO. From the Group Policy Objects list, select the GPO configured for certificate deployment and click OK.
  22. The GPO is now linked to the domain. It will take around 90 minutes for clients to receive the updated group policy.
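As an added example (not part of the original article), the PowerShell equivalent of steps 1 through 14, run on the designated CA member server as a user with Enterprise Admin rights; the CA common name LAB-Root-CA is a placeholder for your own value.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article: unattended version of the
# Add Roles and Features / AD CS Configuration wizards described in steps 1-14.

# Steps 1-4: install the CA role and the Web Enrollment role service,
# including the management tools (the "Add Features" pop-up in the wizard).
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# Steps 6-13: Enterprise Root CA, new 2048-bit RSA key, SHA-256 signing,
# a CA name that is deliberately NOT the server hostname, and a 10-year
# root validity period (the article's recommendation over the 5-year default).
$caParams = @{
    CAType              = 'EnterpriseRootCA'
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = 2048
    HashAlgorithmName   = 'SHA256'
    CACommonName        = 'LAB-Root-CA'   # placeholder; independent of hostname
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 10
    Force               = $true           # skip the interactive confirmation
}
Install-AdcsCertificationAuthority @caParams

# Step 7, second role service: configure Web Enrollment so /certsrv answers.
Install-AdcsWebEnrollment -Force

# Step 14: confirm the CA service is running and responds to a ping.
Get-Service -Name CertSvc | Select-Object Status, Name
certutil -ping
```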
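As an added example (not part of the original article), a PowerShell check that the downloaded certnew.cer reflects the choices made in steps 11 through 13, and that the GPO from steps 18 through 22 has actually landed it in a client's Trusted Root store; the file path is a placeholder for wherever you saved the download.

```powershell
# Added example, not from the original article. Run the first part anywhere
# certnew.cer is available; run the last part on a domain-joined client.
$cerPath = 'C:\Temp\certnew.cer'   # placeholder path to the downloaded root cert
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath

# Step 11: key length (2048 minimum) and signature hash (SHA-256, not SHA-1).
$rsa       = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($root)
$keyLength = $rsa.KeySize
$sigAlg    = $root.SignatureAlgorithm.FriendlyName      # expect 'sha256RSA'

# Step 13: validity period, expected to be about 10 years.
$years = ($root.NotAfter - $root.NotBefore).Days / 365.25

$checks = [ordered]@{
    'Key length >= 2048'  = ($keyLength -ge 2048)
    'Signed with SHA-256' = ($sigAlg -eq 'sha256RSA')
    'Validity ~10 years'  = ([math]::Round($years) -eq 10)
    'Self-signed root'    = ($root.Subject -eq $root.Issuer)
}
foreach ($check in $checks.GetEnumerator()) {
    '{0,-22} {1}' -f $check.Key, $(if ($check.Value) { 'OK' } else { 'FAIL' })
}

# Steps 18-22, client side: after the GPO applies (gpupdate /force instead of
# waiting ~90 minutes), the same thumbprint must appear in the machine's
# Trusted Root Certification Authorities store.
$deployed = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object Thumbprint -eq $root.Thumbprint
if ($deployed) {
    "Root CA '$($root.Subject)' is trusted on $env:COMPUTERNAME"
} else {
    "Root CA not yet in the Trusted Root store on $env:COMPUTERNAME; run gpupdate /force and re-check"
}
```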