A while back I wrote a post on Configuring CA Server on Server 2008 so that one can use signed certificate in lab or even in production.

Most vSphere appliances/softwares comes with a self-signed certs and works just fine in home lab. But if you are like me and get annoyed by  the warning message “Your connection is not secure”, then generate signed certificates to use in your lab and get rid of the ugly browser warning message.

As I stated in my earlier post on SSL certs that self-signed certs works just fine but it’s good to know how to work with signed certificates as in production environment organizations don’t use self-signed certificates and rely on SSL certificates bought from 3rd party like Thawte or Verisign.

There are 2 types of CA server: Standalone and Enterprise.

Enterprise Root CA: The enterprise root CA is the most trusted CA in an organization and should be installed before any other CA. All other CAs are subordinate to an enterprise root CA. This CA should be highly physically secured, as a compromise of the enterprise CA effectively makes the entire chain compromised.

Enterprise Subordinate CA:  An enterprise subordinate CA must get a CA certificate from an enterprise root CA but can then issue certificates to all users and computers in the enterprise. These types of CAs are often used for load balancing of an enterprise root CA.

Standalone Root CA: A standalone root CA is the root of a hierarchy that is not related to the enterprise domain information. Multiple standalone CAs can be established for particular purposes. A standalone root CA is often used as the root for other enterprise subordinate CAs to improve security in an environment. In other words, the root is configured as standalone, and subordinate enterprise domain integrated CAs are set up within the domains in a forest to provide for autoenrollment across the enterprise.

Standalone Subordinate CA: A standalone subordinate CA receives its certificate from a standalone root CA and can then be used to distribute certificates to users and computers associated with that standalone CA.

An enterprise CA is typically used to issue certificates to users, computers, and services, and is not typically used as an offline CA. Enterprise CA requires AD DS, which can be used as a configuration and registration database. An enterprise CA also provides a publication point for certificates issued to users and computers.

In this post we will be setting up Enterprise CA Server.

Users can request certificates from an Enterprise CA using the following methods:

1. Manual Enrollment
2. Web Enrollment
3. Auto enrollment
4. Enrollment agent

For more information on CA please read this Article

In this post I am going to share the steps needed to configure a Windows 2012 R2 Server as Certificate Authority.

Prerequisites

• Active Directory Domain already setup and configured.
• Server 2012 installed and joined to domain.

Let’s jump into action now.

1: Launch Server Manager and click on Add Roles and features.

2: Select Role-based or feature-based installation.

3: From the list of roles available select “Active Directory Certificate Service” and hit Next.

4: A new window will pop-up. Click on Add Features

5: On Select features page hit Next.

6: Hit Next to continue.

7: On select role page, select “Certification Authority” and hit Next.

8: On the confirmation page hit Install.

9: Once installation is complete hit Close.

Note: The above steps can be achieved via command line as well. You can run following command to add the windows cert role

Add-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

10: Click on Manage button on top of Server Manager window and click on “Configure Active Directory Certificate Services” option to complete the post-deployment configuration of CA server.

11: On specify Credentials page specify the user accounts that have local administrator rights on the server where you are configuring CA server role. Hit Next to continue.

12: On Role Services page select “Certification Authority” and hit Next.

13: Select “Enterprise CA” on Setup type page. Hit Next to continue.

14: On CA Type page select “Root CA” and hit next.

15: On Private Key page select “Create a new private key”

16: Select SHA 1 and key length as 4096 as cryptographic options. The bigger is the key length, the most secure it is and most hard to break.

Update: 08/06/2016

Since SHA-1 is has been retired, update hash algorithm on CA server by running the command from powershell:

certutil -setreg cacspCNGHashAlgorithm SHA256

Reboot the server after that for changes to take effect.

17: Dont change the defaults on CA name page and hit next.

18: Default validity period is 5 years. Change this to any value as per your need and hit next.

19: Choose default for CA Database location and hit next.

20: On the confirmation page click on configure to finish configuration.

21: On Results page hit close to complete the configuration wizard.

Add Certification Authority Web Enrollment service

The Web Enrollment service is very useful while making requests for certificates from computers that are not members of AD domain. This essentially allow certificates to be enrolled directly over HTTP, enabling non-domain or Internet-connected clients to connect and request certificates from a CA server.

Once “Certificate Authority” role is installed completely, you can add Certification Authority Web Enrollment service to it from server manager page.

22: Launch server manager again select “Certification Authority Web Enrollment” and hit Next.

23: Click on Add features to add IIS role.

24: On select features page just hit next.

25: Hit next to continue.

26: Add the roles as shown in below screenshot and hit next.

27: Hit Install to start the role installation process

28: Once installation is completed, continue with Post-deployment configuration.

29: Specify the credentials and hit next.

30: Make sure “Certification Authority Web Enrollment” role is selected. Hit next.

31: On confirmation page click on configure.

32: Hit close once configuration is succeeded.

Verify Certificate Authority Functionality

To verify that the CA server is operational, we can check both from within our browser as well as by checking the Certificate Authority management console. On your CA server, start the Certificate Authority Management tool. If all is well, this will show your CA server with a green icon, it means the CA services are up and running.

Once the installation/configuration of web-enrollment completes,  open a browser and see if the certificate enrollment web page is working.

From a client, type your CA server name followed by /certsrv (http://CA-SRV-FQDN/certsrv). If you opened browser on the CA server itself you can use localhost followed by /certsrv.

Access CA server over https

By default the web portal for CA server is accessible over http. However if you want to access CA server over secure connection, you can change the protocol to https.

Launch IIS manager and navigate to default Web Site. You will see  a virtual directory “CertSrv” created.

Select certsrv and look on right hand side pane and you will see it can be browsed over http.

To make it accessible over https, select the default web site and right click on it and choose “Edit Bindings”

Click on ADD

On Add Site Binding page, select type as https and select the IP address of the CA server. Provide a hostname for the ca srv and hit OK.

You will see now https has been added now. You can chose to remove http from site bindings if you wish. This means your ca srv web portal will be accessible only over https.

In our Next post we will see Set Up Automatic Certificate Enrollment.

I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing. Be sociable