In the IT world a Certificate Authority (CA) is an entity that issues digital certificates, which are used for a broad range of purposes, from certifying the identity of a server or service to encrypting communication between two entities. In the last couple of years certificates have become increasingly important for applications and services like email, device management and websites.
Starting with Exchange 2007, for example, digital certificates have become a required component to enable services like TLS-enabled Send Connectors or ActiveSync.
In this post I will go through the process of deploying a Windows Certificate Authority that will be used to issue digital certificates to the services that will be configured in the lab.
Deploy Windows Certificate Authority – Requirements and Architecture
When Windows Server 2008 was released, Certificate Services was renamed Active Directory Certificate Services (AD CS) to highlight the tight integration between Active Directory and the Certificate Authority role, so you will need an Active Directory instance to follow along.
When you deploy a Windows Certificate Authority you can choose among a good number of different architectures and CA types, each with its own pros and cons and typical deployment scenarios. To keep things as simple as possible in the lab environment I will be installing an Online Enterprise Root CA on a Domain Controller; the reference architecture is below.
Note: If you are interested in a more detailed discussion about possible deployment scenarios and Windows Certificate Authority deployment types, you can refer to this Technet Article, which contains a lot of useful information and links.
Deploy Windows Certificate Authority – Installation
Log in to the Domain Controller where you will be installing the Windows Certificate Authority and go to Server Manager → Manage → Add Roles and Features.
When you choose to install Active Directory Certificate Services you will be prompted to install the Management Tools together with the role.
In the Active Directory Certificate Services Role Services page you can install additional components for the Certificate Authority. Just select Certification Authority Web Enrollment, which allows certificates to be requested and issued via a web interface; Server Manager will take care of installing all the necessary extra components, like IIS and the Web Server role.
Note: In the IIS Role Services page just accept the default components selected by Server Manager.
Review the installation summary, which lists all the components that will be installed, and configure automatic restart as appropriate.
Note: You can also install AD CS roles via PowerShell with the Install-AdcsCertificationAuthority cmdlet, as documented in this Technet Article.
Deploy Windows Certificate Authority – Post-Installation steps
Once the Windows Certificate Authority role installation is over you will need to configure the role so that the server can start issuing certificates.
In the first screen specify the credentials of the account that will be used to carry out the installation and configuration steps; be sure that the account has the appropriate permissions.
In the Role Services page select all the required components, and in the CA Type setup be sure to select Enterprise CA → Root.
In the Private Key page choose to create a new private key; you would choose "Use existing private key" only when reinstalling or restoring a Certificate Authority.
In the Cryptography for CA and CA Name pages simply accept the default values proposed by the installation wizard.
In the Validity Period page specify for how long the CA certificate will be valid; I have used the default value of 5 years.
Finally specify the paths that will be used for the Certificate Authority database and log files; again I have accepted the default ones.
In the Confirmation page review the configuration parameters, click the Configure button and wait until the configuration process is over.
Deploy Windows Certificate Authority – Verify Installation
While the installation wizard will alert you in case of any issue or failure during the installation, you can also verify the Certificate Authority role installation manually: open IIS Manager and expand Sites → Default Web Site; you will notice that the CertSrv virtual directory has been created.
Note: By default the connection will be in clear text via HTTP, as you need to manually configure HTTPS for the Default Web Site.
To verify that the Web Enrollment component is working, just open a browser window and navigate to http:///CertSrv; if everything is working as expected you will see a page similar to the following.
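The same lab deployment driven from PowerShell, covering the installation, post-installation and verification steps above, as an added example that is not part of the original post. The CA common name is an assumption; the database and log paths are the wizard defaults accepted in the post, and the credential prompt stands in for the account chosen in the first configuration screen.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the domain-joined Domain Controller that will host the CA.

# 1. Install the CA role and the Web Enrollment role service (pulls in IIS),
#    plus the management tools, mirroring the Server Manager selections.
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# 2. Configure an online Enterprise Root CA. Enterprise Admins rights are
#    required, so prompt for the account that carries out the configuration.
$cred = Get-Credential -Message 'Enterprise Admin account used to configure AD CS'

$caParams = @{
    CAType              = 'EnterpriseRootCA'
    CACommonName        = 'LAB-ROOT-CA'      # assumption: pick your own CA name
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = 2048
    HashAlgorithmName   = 'SHA256'
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 5                  # 5-year CA certificate, as in the post
    DatabaseDirectory   = 'C:\Windows\System32\CertLog'   # wizard defaults
    LogDirectory        = 'C:\Windows\System32\CertLog'
    Credential          = $cred
    Force               = $true
}
Install-AdcsCertificationAuthority @caParams

# 3. Configure the Web Enrollment component (creates the CertSrv virtual directory).
Install-AdcsWebEnrollment -Credential $cred -Force

# 4. Verify: the CA service is running, the CA answers requests, and the
#    CertSrv virtual directory exists under the Default Web Site.
Get-Service -Name CertSvc | Select-Object Status, DisplayName
certutil -ping
certutil -cainfo name
Import-Module WebAdministration
Get-WebVirtualDirectory -Site 'Default Web Site' |
    Where-Object { $_.Path -eq '/CertSrv' }

# Web Enrollment listens on plain HTTP at this point; bind a server
# authentication certificate to the Default Web Site before relying on it.
```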