Stand-alone certification authority: installation on Windows Server


Windows Server 2019

Presentation

A Certificate Authority (CA) can issue certificates for internal web sites, RDS connections, and so on.

The advantage of having a CA is that only one certificate (the root certificate) has to be deployed to the computers; in addition, some Windows services require certificates issued by a CA to work:

  • RemoteApp
  • HTML5 RDP client

On Windows, there are two types of CA (in summary):

  • Enterprise: CA linked to an Active Directory that can issue certificates for domain members (computers / users).
  • Stand-alone: CA that may or may not be a domain member and that issues certificates from manually generated requests.
Certification authority differences

Role installation

1. From Server Manager, click Add Roles and Features 1 .

Server manager

2. When launching the wizard, click Next 1 .

Role installation assistant

3. Choose Role-based or feature-based installation 1 and click Next 2 .

Installation type

4. Choose the server 1 and click Next 2 .

Select server

5. Check the Active Directory Certificate Services 1 box.

Choose the Active Directory Certificate Services role

6. Click Add Features 1 .

Add additional features

7. Click Next 1 .

Take the next step

8. Skip the list of features by clicking Next 1 .

Skip features

9. Click Next 1 , this page displays the summary of the role.

Role summary

10.1 (optional) Check the Certification Authority Web Enrollment 1 box; this makes it possible to submit certificate requests through a web interface.

Adding the web interface

10.2 (optional) Confirm the addition of the required features by clicking button 1 .

Adding IIS functionality

10.3 Click Next 1 .

CA components

11. (optional) Click Next 1 .

Configuring IIS

12. (optional) Click Next 1 to validate the IIS features.

IIS component

13. Click Install 1 .

Confirm installation

14. Wait during the installation …

Installation in progress ....

15. When the installation is complete, click Close 1 .

Installation complete

The CA role is installed, we will proceed to its configuration.

Configuration of the certification authority

In this part we will configure a stand-alone CA.

1. From Server Manager, click the flag 1 and then Configure Active Directory Certificate Services 2 to open the configuration wizard.

Configure certification authority

2. Specify a user who is a member of the local Administrators group 1 and click Next 2 .

Credential

3. Check the services to configure 1 and click Next 2 .

Choose services

4. Select Standalone CA 1 and click Next 2 .

CA type

5. For the CA type, choose Root CA 1 and click Next 2 .

Type of CA

6. Select Create a new private key 1 and click Next 2 .

Private key creation

7. If necessary, change the cryptography options (key length, hash algorithm) and click Next 1 .

Configure cryptography

8. Configure the name of the Certificate Authority 1 and click Next 2 .

CA configuration

9. Configure the validity period of the authority (5, 10 … years) 1 and click Next 2 .

Lifetime

10. Specify the location of the CA data (database and logs) 1 and click Next 2 .

Location of CA files

11. Click Configure 1 to start the creation of the certification authority.

Start configuration

12. Wait while the CA is created …

Configuration in progress ...

13. When finished, exit the wizard by clicking the Close 1 button.

Installation complete
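The same result as the two wizards above (role installation, then stand-alone root CA configuration), as an added example in PowerShell that is not part of the original tutorial. The CA name "LAB-ROOT-CA" and the D:\CAData paths are assumed values; run from an elevated session on the future CA.

```powershell
# Added example (not from the original tutorial): role installation and
# stand-alone root CA configuration from an elevated PowerShell.
# "LAB-ROOT-CA" and the D:\CAData\... paths are assumed values; adapt them.

# 1. Install the AD CS role; ADCS-Web-Enrollment is the optional step 10.1
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# 2. Configure a stand-alone root CA (steps 4 to 11 of the configuration wizard).
#    Key length and hash are the "cryptography options" of step 7: a root that
#    will be trusted for 10 years should use SHA-256 and a 4096-bit RSA key.
Install-AdcsCertificationAuthority `
    -CAType StandaloneRootCA `
    -CACommonName "LAB-ROOT-CA" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -DatabaseDirectory "D:\CAData\Database" `
    -LogDirectory "D:\CAData\Logs" `
    -Force

# 3. (optional) Configure the web enrollment interface installed in step 1
Install-AdcsWebEnrollment -Force

# 4. Check: the CA service is running and the root certificate is in the
#    Trusted Root store of the local computer (the one exported in the next part)
Get-Service CertSvc | Select-Object Status, Name
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "CN=LAB-ROOT-CA*" } |
    Format-List Subject, Thumbprint, NotAfter
```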

Export the root certificate

1. Open the “Certificates” MMC on the Local Computer account and go to the Trusted Root Certification Authorities 1 store.

CA console

2. Right-click the authority certificate 1 , go to All Tasks 2 and click Export 3 .

Export the certificate

3. When launching the wizard, click Next 1 .

export Wizard

4. Choose export format 1 then click Next 2 .

Export format

5. Indicate the location where the certificate will be exported 1 and click Next 2 .

Name and location

6. Click Finish 1 to start the export.

Start export

7. Export is finished, close the message by clicking OK 1 .

export finished

You can now deploy the root certificate to all the computers / servers in your infrastructure.
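Exporting the root certificate and trusting it on another machine, as an added example in PowerShell that is not part of the original tutorial. The CA name "LAB-ROOT-CA" and the share path \\fileserver\deploy are assumed values; the thumbprint check makes sure each client trusts the file that actually came from the CA.

```powershell
# Added example (not from the original tutorial): export the root certificate
# (public part only, no private key) and import it on another computer.
# "LAB-ROOT-CA" and \\fileserver\deploy are assumed values.

# On the CA: same result as the MMC export wizard of steps 1 to 7 (DER .cer)
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "CN=LAB-ROOT-CA*" }
Export-Certificate -Cert $root -FilePath "\\fileserver\deploy\LAB-ROOT-CA.cer" -Type CERT

# Record the thumbprint; clients compare the file against it before trusting it
$expected = $root.Thumbprint

# On each client / server (as administrator): verify, then import into Trusted Root
$file = "\\fileserver\deploy\LAB-ROOT-CA.cer"
$cer  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file
if ($cer.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch for $($file): got $($cer.Thumbprint), expected $expected"
}
Import-Certificate -FilePath $file -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Check: the root is now present in the local computer's Trusted Root store
Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $expected } |
    Format-List Subject, NotBefore, NotAfter, Thumbprint
```

In a domain, the same .cer file can be distributed to every computer through Group Policy (Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities) instead of importing it by hand.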

Now that we have the root certificate and it is deployed across the whole farm, we will see how to generate a certificate.

Generating a certificate

Generating a certificate with a stand-alone CA takes place in several steps:

  • Generation of the request (Certificate Signing Request, CSR).
  • Submission of the request to the CA.
  • Issuance of the certificate (the CA's response).
  • Completion of the request to obtain the certificate.

Generation of the CSR

There are several ways to generate a CSR; in this tutorial we will do it from IIS.

1. Open the IIS console and click Server Certificates 1 .

IIS Console

2. On the Actions menu, click Create Certificate Request 1 .

Create a request

3. Complete the certificate information 1 and click Next 2 .

Certificate information

The common name is the DNS name (FQDN) for which the certificate is issued.

4. Configure the cryptographic service provider and bit length 1 then click Next 2 .

Certificate cryptography

5. Enter the location where the request (CSR) is saved 1 and click Finish 2 .

CSR save location

The CSR is now generated; if you created it on an IIS server other than the CA, copy the file to the CA.

Submitting the request to the CA

1. From the Certification Authority console, right-click the authority 1 , All Tasks 2 and click Submit new request 3 .

Submit request

2. Select the request file (CSR) 1 and click Open 2 .

CSR text file

3. Go to the Pending Requests folder 1 to see the pending certificate 2 .

Pending request

Issue the certificate

1. Right-click the request 1 and click All Tasks 2 / Issue 3 .

Issue the certificate

2. Go to Issued Certificates 1 and double-click the certificate 2 .

List

3. Go to the Details tab 1 and click the Copy to File 2 button.

Detail

4. When launching the wizard, click Next 1 .

Export

5. Select export format 1 then click Next 2 .

Export format

6. Enter the location and file name 1 and click the Next 2 button.

file name and location

7. Click Finish 1 to close the wizard.

Start export

8. Verify that the certificate is exported.

Certificate

Finalizing the request to obtain the certificate

1. Go to the IIS console / Server Certificates where the request was created and click Complete Certificate Request … 1 .

IIS console

2. Select the certificate issued by the CA 1 , enter a friendly name 2 and click OK 3 .

Completing the request

3. The certificate is available 1 .

Generated certificate

It is now possible to export the certificate with its private key.
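The four steps of this part (CSR, submission, issuance, completion) done with certreq and certutil instead of the IIS and CA consoles, as an added example that is not part of the original tutorial. The CA "CA01\LAB-ROOT-CA", the host name intranet.lab.local, the C:\Certs path and the RequestId 7 are assumed values.

```powershell
# Added example (not from the original tutorial): CSR, submission, issuance and
# completion with certreq/certutil. "CA01\LAB-ROOT-CA", intranet.lab.local,
# C:\Certs and RequestId 7 are assumed values; use the RequestId certreq prints.

# 1. Request file: the common name is the FQDN the site answers on, and the SAN
#    extension (2.5.29.17) repeats it, since browsers no longer trust the CN alone.
@"
[NewRequest]
Subject = "CN=intranet.lab.local"
KeyLength = 2048
HashAlgorithm = SHA256
MachineKeySet = TRUE
Exportable = TRUE
RequestType = PKCS10
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
KeySpec = 1

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1  ; Server Authentication

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=intranet.lab.local&"
"@ | Set-Content -Path C:\Certs\intranet.inf -Encoding ASCII

certreq -new C:\Certs\intranet.inf C:\Certs\intranet.req

# 2. Submit to the stand-alone CA: the request lands in "Pending Requests" and
#    certreq prints "Taken Under Submission" with its RequestId.
certreq -submit -config "CA01\LAB-ROOT-CA" C:\Certs\intranet.req C:\Certs\intranet.cer

# 3. On the CA: issue the pending request (the "Issue" action of the console),
#    then retrieve the signed certificate.
certutil -config "CA01\LAB-ROOT-CA" -resubmit 7
certreq -retrieve -config "CA01\LAB-ROOT-CA" 7 C:\Certs\intranet.cer

# 4. Complete the request: binds the certificate to the private key created in
#    step 1 and stores it in the computer's Personal store (IIS can then use it).
certreq -accept C:\Certs\intranet.cer

# Check: the certificate has its private key and chains to the trusted root
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=intranet.lab.local" }
$cert | Format-List Subject, Issuer, HasPrivateKey, NotAfter
Test-Certificate -Cert $cert -Policy SSL -DNSName intranet.lab.local
```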