Enterprise certification authority: installation and configuration with Windows Server


Windows Server 2012R2 Windows Server 2016 Windows Server 2019 Windows Server 2022

In this tutorial, I will explain how to set up an enterprise CA that is linked to an Active Directory, unlike the stand-alone CA.

This type of CA allows you to automate certificate generation with direct submission to the CA. Automatically issue computer and user certificates to, for example, secure VPN access with Windows NPS.

Prerequisites

The server where the role will be installed must be a member of the domain. Ideally you have to dedicate a server to this role.

Install the AD CS role

From the server manager, launch the installation wizard by clicking Add Features Roles 1 .

Server manager

At the launch of the wizard click Next 1 .

Wizard welcome

Choose the Role Based Installation option or 1 feature then click Next 2 .

Select type install

Select server 1 where the AD CS role installation is to be performed and click Next 2 .

Select Server AD CS

Check the box for Active Directory Certificate Server 1 .

Select AD CS role

Click Add Features 1 to add the administration tools.

Install management console

With the AD CS role selected, click Next 1 .

role AD CS checked

Skip the list of features by clicking Next 1 .

Features

A summary of the AD CS role is displayed, click Next 1 .

Overview AD CS - Aperçu autorité certification entreprise

Check the “Certification Authorities 1 and Certification Authority Web Authoring 2 services then click Next 3 .

Select role - rôle pour autorité certification entreprise

The certification authority service will allow us to generate certificate, registration via the web will allow the user to request certificates using a graphical interface in a browser.

Web-based registration relies on the IIS role, click Next 1 to skip the IIS role summary.

Click Next 1 to validate the services that will be installed for IIS.

IIS Services for AD CS

Confirm the installation by clicking Install 1 .

Confirm install

Wait during the installation …

When the installation is complete, exit the wizard by clicking Close 1 .

Install completed

Configuration of the certification authority

Now that the AD CS role is installed on the server, we will configure the service to be an enterprise CA.

From the server manager, click the notification icon and then click Configure Active Directory Certificate Services 1 to open the setup wizard.

Lauch wizard AD CS

Indicate the user account 1 for the configuration then click Next 2 .

Credential informations - identifiant pour autorité certification entreprise

For the configuration of an enterprise CA that is linked to the Active Directory, the account must be a member of the Enterprise Admins group.

Check both 1 services that have been installed then click Next 2 .

Select services

Choose the type of enterprise certification authority 1 and click Next 2 .

Type of CA

Unlike a stand-alone CA that can be offline, the enterprise CA server must remain on.

Choose the Root Certification Authority 1 option and click Next 2 .

Type CA

If you have a stand-alone CA and want to set up a PKI hierarchy, you must choose the Secondary CA option. Following the configuration, you will be brought to generate using the root authority.

Select Create private key 1 and click Next 2 .

New private key

Configure the encryption of the key 1 then click Next 2 .

key configuration

Configure the validity period 1 and click Next 2 .

Configure expiration

If necessary change the location of the databases and click Next 1 .

Databses folder

Confirm the information and click on Configure 1 .

Configure

When the configuration is complete, click Close 1 to exit the wizard.

Configuration completed

Authority Administration

On the server where the role is installed, a Certification Authority console is available.

Console AD CS

The CA Administration Console has several folders that will include certificates as well as templates.

Management console

We will come back in more detail on the various files following the tutorial during the various manipulations.

To access the service settings, right-click on the server 1 then click on Properties 2 .

Parameters service

The two tabs except special cases that we change regularly are:

Extensions: which allows you to configure certificate revocation locations.

Extensions

Audit: which enables logging of events.

Audit

Export and install the authority certificate

Before you start to generate certificates with the CA, you must export the CA certificate to the CAs. By installing the certificate on the computers it avoids having the error message in the internet browsers and this allows services to work as the RDS gateway, VPN SSTP …

Export the authority certificate

Access the MMC console certlm available several ways.

Start menu

In the console, go to Trusted Root Certification Authority 1 then in Certificates 2 and look for this one from the authority. Right click on 3 and go to All tasks 4 / Export 5 .

Autority certificate

When launching the export wizard, click Next 1 .

Export certificate export

Choose export format 1 and click Next 2 .

Format export

Indicate the location and name of the certificate export file 1 and click Next 2 .

File name

Click Finish 1 to close the wizard.

End of export

A message appears indicating that the export is successful, click OK 1 to close it.

Export completed

The certificate is exported.

certificate file

Install the certificate

Now that we have the file, we need to deploy it on the domain. It can be done by GPO or manually installed.

Copy the file to a computer where it must be installed, right click on 1 and click Install Certificate 2 .

Install certificate

A wizard launches to perform the import, choose Local Computer Location 1 and click Next 2 .

Import certificate in computer

Select Trusted Root Certification Authorities Store 1 and click Next 2 .

location selection

Click Finish 1 to import the certificate.

Import certificate

A message appears indicating that the import is successful, click OK 1 .

Import completed

The computer can now use certificates that emanate from the enterprise CA.

Generate a certificate from the Certificates console

In this section, we will see how to request a certificate from the Certificates MMC console of a computer that is a member of the Active Directory domain. The account used is a member of the Domain Admins group.

To illustrate the tutorial, we will generate a Computer certificate that will be used for Remote Desktop connections.

On the console go to the Personal folder 1 and right click in the central area and go to All tasks 2 and click on Request a new certificate 3 .

Request certificate

At the launch of the wizard click Next 1 .

Wizard request certificate

Select Computer 1 certificate template then click Register 2 .

Select computer certificate

The certificate has been generated, click on Finish 1 .

Request completed

The certificate is now available in the store.

installed certificate

Copy / paste to Remote Desktop Store 1 and delete the server self-signed certificate.

Certificate computer by CA

It is possible to view the certificate generated on the CA from the Administration Console in the Certificates issued folder.

Certificat in AC

To use the certificate, you must pass this command : wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="<certificate thumbprint>"

Certificate request from IIS

In this part, we will see how to perform a domain certificate request using the IIS console. In order to be able to contact the enterprise CA, the server must be a member of the domain.

From the IIS console of a server, click Server Certificates 1 .

IIS Console

Right-click in the certificates area and click Create Domain Certificate 1 or go through the Actions menu.

New certificate

Enter the certificate information 1 , the common name contains the address this one will identify. It is possible to create a certificate for another domain. Click Next 2 .

Certificate Properties

You must now choose the enterprise CA, click on Select 1 .

Select autorty

Choose authority 1 and click OK 2 .

Select autority

With the authority selected, enter the server’s friendly name 1 and click Finish 2 .

Select autorty

Certificate 1 is generated and available in IIS.

generated certificate

The certificate is also available in the Certificates Issued from Certification Authority store.

Delivred certificates

Make a custom certificate request

Now that we have seen how to make certificate requests for computers and web sites in IIS, we will now see how to make a custom certificate request with multiple DNS names and IP addresses.

From the Certificates console of a domain member computer, go to the Personal / Certificates 1 folder. Right-click in the display area and go to All Tasks 2 / Advanced Operations 3 and click Create Custom Request 4 .

Custom certificate request

When launching the wizard, click Next 1 .

Wizard

Select the Active Directory Enrollment Policy 1 and click Next 2 .

Select policy

Choose model 1 (Web Server) and click Next 2 .

Select model

A summary of the certificate template is displayed, click Properties 1 .

Information certificate

Configure the common name of certificate 1 and click on Add 2 .

Common name

Now that the common name is added, in the Other Name 1 section, select the DNS type 2 , enter the desired name 3 and click on Add 4 .

Add name

As you can see below, it is possible to add several DNS names. We will now add an IP address, select the type IP address (v4) 1 , indicate the IP address 2 and click on Add 3 .

address IP

Now that the IP address is added, click Apply 1 and OK 2 to validate the certificate information.

Certificat informations

Click Next 1 to continue the request.

Continue the request

Enter the location and file name 1 (CSR) to save the request and click Finish 2 .

Save CSR

The request file has been generated, the application must now be submitted to the enterprise CA. Open an internet browser and enter the url http: // server-name / certsrv / 1 . Click on the link Request Certificate 2 .

Webpage request

Click on advanced certificate request 1 .

custom request

Open the query file with a test editor and copy the string 1 .

CSR

Paste the request 1 in the field Registered application, choose the template 2 and click on Send 3 .

Submission of the certificate

Retrieve the certificate by clicking Download Certificate 1 .

Download certificat

Return to the Certificates console, go to Certificate Application 1 / Certificates 2 , right click on then All 3 / Import 4 .

Import certificat

When launching the wizard, click Next 1 .

wizard import

Select the downloaded certificate 1 and click Next 2 .

Select certificate file

Leave the store, click Next 1 .

select folder

Click on Finish 1 to finish the import.

Finish the import

The certificate is generated and we see that it has been issued by the enterprise certification authority.

generated certificate

You can now move the store certificate to Personal.

It is not possible by default to export the certificate with its private key, it is necessary to modify the model.

Create a certificate template

In this part, we will see how to create a model of certificate based on an existing model, we will modify the server model in order to export the private key to install it for example on an off-domain IIS server.

Open Administration Administration Console, right click on certificate store 1 and click Manage 2 .

Model Management

Right click on the model 1 and click on Duplicate the model 2 .

Duplicate model

Name the model 1 .

Names model

Go to the Processing tab of the 1 request and check the box Allow the export of the private key 2 .

Allow export private key

Once the template is configured, click Apply and OK to save the changes.

Back on the CA Administration Console, right click on the Certificate Template 1 folder then go to New 2 and click Certificate Template to Issue 3 .

Add model

Select model 1 and click OK 2 .

select model

The template is added to list 1 .

Model added

It is also available in requests.

available model

Automatic registration of user certificates and computers – AutoEnroll

In this part, we will see how to generate certificates automatically for the posts and computers of the domain by GPO.

Prerequisites

For user certificates some prerequisites are needed for this to work.

It is necessary that the e-mail field in the Active Directory is filled because the certificate relies on it.

Email user

Create a certificate template based on the Users template by allowing automatic registration for domain users.

Configure model user

Group Policy – GPO

Create a new GPO and place there at the root of the domain to reach all computers and users.

Computer settings

Activation of automatic registration

Computer Configuration / Policies / Windows Settings / Security Settings / Public Key Policies / Certificate Services Clients – Automatic Registration.

Activate 1 the parameter and tick the two boxes 2 .

Configure stratégy
Configuring the certificate template

In Computer Configuration / Policies / Windows Settings / Security Settings / Public Key Policies, right-click on Automatic Certificate Request Settings 1 then go to New 2 and click on Automatic Certificate Request 3 .

Request certificate

When launching the wizard, click Next 1 .

Wizard

Choose Computer 1 and click Next 2 .

Select model for computer

Click Finish 1 to exit the wizard and confirm the settings.

Model configured

The template has been added to the automatic request.

Model for auto enroll

User settings

Activation of automatic registration

User Configuration / Policies / Windows Settings / Security Settings / Public Key Policies / Certificate Services Clients – Automatic Registration.

Activate 1 the parameter and tick the two boxes 2 .

Configure stratégy

Validate automatic registration

Validate automatic registration…

certificates issued

Back up the certification authority

From the Administration Console, right-click on server 1 , go to All Tasks 2 and click Save Certificate Authority 3 .

Backup CA

When launching the wizard, click Next 1 .

Backup wizard

Select the items 1 to save, indicate the save location 2 and click Next 3 .

Elements backup

Enter a password to access the private key 1 then click Next 2 .

Password for private key

Click Finish 1 to close the wizard and perform the backup.

Start backup

Check that the backup has done well by going to see the files.

CA saved



Leave a Comment