In the IT world a Certificate Authority is an entity that issues digital certificates that are used for a broad range of scopes that go from certify identity of a server or service to encrypt communication among two entities, in the last couple of years certificates have become increasingly important for applications and services like email, device management and websites.
Starting with Exchange 2007, for example, digital certificates have become a required component to enable services like TLS Enabled Send Connectors or ActiveSync.
In the post I will go through the process of deploying a Windows Certificate Authority that will be used to issue digital certificates to the services that will be configured in the lab.
Deploy Windows Certificate Authority – Requirements and Architecture
When Windows 2008 was released Certificate Services to Active Directory Certificate Services to highlight the strict integration between Active Directory and the Certificate Authority role so you will require a an Active Directory instance to follow along.
When you deploy a Windows Certificate Authority you have the option to deploy a good number of different architectures and CA type that will have a pros/cons and typical deployment scenarios to keep things as simple as possible in the lab environment I will be installing an Online Enterprise Root CA on a Domain Controller the reference architecture is below
[su_note note_color=”#ffff96″ text_color=”#000000″ radius=”5″]Note: If you are interested in a more detailed discussion about possible deployment scenarios and Windows Certificate Authority deployment types you can refer to this Technet Article which contains a lot of useful information and links [/su_note]
Deploy Windows Certificate Authority – Installation
Login to the Domain Controller where you will be installing the Windows Certificate Authority and go to Server Manager → Manage → Add Roles and Features
When you choose to install Active Directory Certificate Services you will be proposed to install Management Tools together with the role
In the Active Directory Certificate Services Role Services page you will be able to install additional components for the Certificate Authority just select Certification Authority Web Enrollment which will allow the request and creation of certificates via Web Interface Server Manager will take care of installing all necessary extra components like IIS and the Web Server Role
[su_note note_color=”#ffff96″ text_color=”#000000″ radius=”5″]Note: In the IIS Role Services page just accept the defaults proposed components selected by Server Manager [/su_note]
Review the installation summary that will list all components that will be installed and configure auto restart as appropriate
[su_note note_color=”#ffff96″ text_color=”#000000″ radius=”5″]Note: You can also install AD CS roles via PowerShell with the Install-AdcsCertificationAuthority cmdlet as documented in this Technet Article [/su_note]
Deploy Windows Certificate Authority – Post-Installation steps
Once the Windows Certificate Authority Role installation is over you will need to configure the role so that the server will be able to start issuing Certificates
In the first screen specify credentials for the account that will be used to carry on installation and configuration steps be sure that the account being used has appropriate permissions
In role services page select to configure all required components and in the CA type Setup be sure to select Enterprise CA → Root
In the Private Key page choose to create a private key, you would use Use existing private key in case of Certificate Authority reinstallation or restore
In the Cryptography for CA and CA Name simply accept default values proposed by the installation wizard
In the Validity Period page specify for how long certificates issued by the CA will be valid I have used the default value of 5 years
Finally specify paths that will be used for the Certificate Authority database and log files again I’ve accepted the default ones
In the Confirmation page review configuration parameters click the Configure button and wait till the configuration process is over
Deploy Windows Certificate Authority – Verify Installation
While installation wizard will alert you in case of any issue or failure in the installation you can manually very Certificate Authority role installation, open IIS Manager expand → Sites → Default Web site you will notice the CertSrv virtual directory has been created
[su_note note_color=”#ffff96″ text_color=”#000000″ radius=”5″]Note: By default connection will be in clear via HTTP as you need to manually configure HTTPS for the Default Web Site [/su_note]
To verify Web Enrollment component functionality just open a browser window and navigate to http:///CertSrv if everything is working as expected you will see the a page similar the following
The Web Enrollment interface can be used to download Certificate CA Chain, Request certificates or view the enrollment status of requested certificates.
Lethe HeloCheck 
We have a single standalone root and issuing CA setup on domain member server. Can add enterprise subordinate ca to it?
LikeLike
Hello Herry,
as per best practice the root CA should be installed and put offline, so no domain join, as its main purpose is to is publishing CRL and issue certificates for the subordinate CAs, just be aware when the root CA is domain joined and installed by a Domain Admin (I assume this was the case) there are some caveats.
Anwwering your question yes you can still create a subordinate CA here’s an article from technet with the procedure https://technet.microsoft.com/en-us/library/cc772192.aspx but I can gladly give you further assistance if you need it, just drop me a message ora comment.
LikeLike
Someone installed and setup a single standalone root and issuing ca on a domain member which so far issued a couple of certificates. Now we need more… I have been asked to either upgrade it to a single enterprise ca and reissue the certs or add enterprise ca to an existing standalone ca. what do you think I should do?
LikeLike
**add subordinate enterprise ca to an existing standalone ca
LikeLike
Hi Herry,
from a best design best practice and security point of view you should go for the setup I’ve mentioned in my previous comment (Root CA + subordinate) given the fact you already have the various pieces in place I would just go with this setup as independently of the chosen setup you will need to revoke issued certificates and re-issue them from the new CA.
LikeLike
Thank you.
If i have to set up new ca, it has to be simultaneously and can not remove the certificate service role from the source server as it will remove the configuration data that will be needed by the destination server.
Disabling just the service on source server will be enough? Or do i have clean up AD?
LikeLike
Herry you’re most welcome, more or less the high level process would be:
– Install the Enterprise Root CA side by side with the standalone one
– Configure parameters as necessary
– Request certificates for servers/applications
– Make sure everything is working and then phase out old issued certificates (basically remove the certificate from the application/server)
– Phase out the CA
As the CA is a root standalone there is not much AD cleanup involved, unless you’re using those certificates for user authentication etc.
Of course you should test everything and go through steps but I’ve recently migrated a PKI environment for one of my customers in a similar scenario and it was a painless process even if they are making heavy use of certificates.
If you have doubts or need further guidance let me know.
LikeLike
Thank you for your help!!!
LikeLike
You’re most welcome Herry!
LikeLike
Hi Lethe, what is your email address that I can reach you?
LikeLike
Hello Herry,
sorry for the late answer, you can use the contact form here http://blog.helocheck.com/contact/ I will get your message and reply from my mail address.
LikeLike
getting invalid email address.
LikeLike