This week I was looking for setting up CA Server for generating SSL certificates which can be used in my vSphere Home Lab. Using Self-Signed certificates usually work in a lab environment, but its good to know how to work with signed certificates as in production environment organizations don’t use self-signed certificates and rely on SSL certificates bought from 3rd party like Thawte or Verisign.

Having your own CA is useful for testing SSL and other services that require certificates without the need to purchase certificates from a third party.  However, these certificates will not be automatically trusted by computers external to your AD domain, so there are some limitations.

In this post I am going to share the steps needed to configure a Windows 2008 R2 Server as Certificate Authority.

Prerequisites

  • Active Directory Domain already setup and configured
  • Server 2008 installed and joined to domain

Lets begin with configuring Server 2008 as CA server.

1: Launch Server Manager and click on Add Roles. From the list of roles available select “Active Directory Certificate Service” and hit Next.

ssl-1

2: Hit Next on Introduction to AD CS page.

ssl-2

3: Under Role Services select “Certification Authority” and hit Next.

ssl-3

4: Select “Enterprise” as setup type for your CA server and hit Next.

For SSL deep dive I would recommend reading this Article by Derek Seamen.

ssl-4

5: Under Specify CA type select “Root CA” and hit Next.

ssl-5

6: This is a new CA without existing keys so select Create an new private key and hit Next.

ssl-6

7: Keep the default CSP, hashing method, and key length and hit Next.

ssl-7

8: Keep the default CA name and hit Next.

ssl-8

9: Keep the default validity period of 5 years and hit Next.

ssl-9

10: Dont change the default database location for certs unless you have specific requirements. Hit Next.

ssl-10

11: Click on Install button on Confirm Installation Selections page.

ssl-11

12: Wait for installation to finish.

ssl-12

Installing Certification Authority Web Enrollment service

The Web Enrollment service is very useful while making requests for certificates from computers that are not members of AD domain.

Once “Certificate Authority” role is installed completely, you can add Certification Authority Web Enrollment service to it from server manager page.

13: Click on Add Role Services.

ssl-13

14: Under Role Services select “Certification Authority Web Enrollment” and hit Next.`

ssl-14

15: Click on Add Required Role Services button to add the IIS services.

ssl-15

16: On IIS page hit Next.

ssl-16

17: Keep the default selection and hit Next. If you have specific requirements you can add additional options by selecting the appropriate components check boxes.

ssl-17

18: Hit Next to start installing the services and components.

ssl-18

19: Hit Close once the components are installed.

ssl-19

With this installation of CA Server role has finished. In our Next post we will see how to configure and use signed certificates.

Additional References:

1: Install an Enterprise Certificate Authority in Windows 2008 R2

2: Create a Windows Enterprise CA and issue certificates for vRA and other VMware Products with examples

3: Install Certification Authority in Windows Server 2008 R2

I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing. Be sociable 🙂

Posted in: SSL Certs.
Last Modified: January 12, 2017