Deploying a Windows Server 2012 R2 Certificate Authority
Posted on March 25, 2014 by Peter De Tender in Windows Server 2012 (Petri IT Knowledgebase, https://www.petri.com/deploy-windows-server-2012-r2-certificate-authority)

As more services and device connections inside and outside of your network rely on certificate services, I thought it was a good idea to write an article about how to deploy a Windows Server 2012 R2 Certificate Authority (CA). Popular features that require a certificate include secure HTTPS connections to your web applications, device authentication for both domain-joined and non-domain-joined clients, Windows Server 2012 R2 Work Folders, DirectAccess, and more. Before I dive into the technical aspects of certificates, the CA, and the various types of certificates, let me give you a high-level comparison between using an internal and a public Certificate Authority.

Internal CA | External CA
--- | ---
Easy to manage | No control over the Certificate Authority itself; you can only "buy" SSL certificates
Can be configured as Active Directory integrated | No administration overhead
No cost per certificate | SSL certificates can become expensive, depending on type and functionality
Auto-enrollment makes configuration of clients/devices easier | Not advised for configuring authentication of internal devices
Not really useful for internet-facing applications, as it is not trusted by external parties | Trusted by most browsers
Often more complex to install/configure than just buying a public SSL certificate | Less flexible on SSL certificate properties

Install Active Directory Certificate Authority

• From the Windows Server 2012 R2 Server Manager, click Add Roles and Features.
• Select Active Directory Certificate Services.
• Click Add Features in the pop-up window to allow installation of the Certification Authority management tools.
• Select the role services you want to install. I recommend the following:
  - Certification Authority (this is your main CA)
  - Certification Authority Web Enrollment (the web portal, /certsrv, used to request certificates)
  - Certificate Enrollment Policy Web Service
  - Certificate Enrollment Web Service (lets clients that are not connected to the domain enroll over HTTPS)
• Once installed, select AD CS in Server Manager. Notice the warning that no configuration has been done yet. Click More.
• This brings you to All Servers Task Details and Notifications. Click Configure Active Directory Certificate Services in the Action column. This launches the AD CS configuration wizard.

Use the following parameters when going through the different steps in the wizard:

Wizard step | Value
--- | ---
Role services to configure | Certification Authority, Certification Authority Web Enrollment
Setup type | Enterprise CA (if Active Directory integrated; otherwise Standalone CA)
CA type | Root CA (if this is the first one) or Subordinate CA (for additional ones)
Private key | Create a new private key (in most cases)
Cryptographic options | RSA#Microsoft Software Key Storage Provider, 2048 as key length, SHA1 as hash algorithm (or any other combination that fits your situation)

One caveat on the hash algorithm: SHA-1 was still the wizard default in 2014, but SHA-1 signatures are no longer accepted by current browsers or Windows releases, so choose SHA256 here. The hash algorithm is far easier to pick correctly at this step than to change once the CA has issued certificates.

• Enter a descriptive name for your CA in the Common Name field. In my example, I named it 2012R2 domain CA. Click Next.
• Update the validity period to 5 years (or whatever fits your need).
• Accept the default database locations or modify them according to your own requirements.
• This completes the configuration of the first two CA components.
Let's continue with the other two. In Select Role Services to configure, choose Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service.

Use the following parameters when going through the configuration wizard:

Wizard step | Value
--- | ---
Specify CA for CES | Select the CA by name
Type of authentication for CES | Windows Integrated
Service account | Use the built-in application pool identity
Authentication type for CEP | Windows Integrated
Authentication certificate | Select an existing SSL certificate from the list

Verify Certificate Authority Functionality

To verify that the CA server is operational, we can check both from a browser and from the Certification Authority management console.

Using the Browser: Certificate Authority Web Services

From any server in the domain, you can connect to http://<CA server>/certsrv. This launches the Certification Authority Web Enrollment portal.

[Screenshot: the Web Enrollment welcome page, offering the tasks Request a certificate, View the status of a pending certificate request, and Download a CA certificate, certificate chain, or CRL.]

If you intend to request certificates through this portal, bind an SSL certificate to the site in IIS first: the request pages refuse to complete the enrollment over plain HTTP. We will use this portal later on to complete a certificate request.

Using the Certificate Authority Management Tool
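As an added example (my own script, not code from the article), here is the unattended PowerShell equivalent of the four wizard passes above: the role installation, the Certification Authority itself, Web Enrollment, and the two enrollment web services. It uses the ADCSDeployment cmdlets that ship with Windows Server 2012 R2 and keeps the article's values (Enterprise Root CA, RSA 2048 in the software KSP, 5-year validity, Windows Integrated authentication, application pool identity) except for the hash algorithm, which is SHA256 for the reason given above. Assumptions that are not in the article: the server is domain-joined, you run this as an Enterprise Admin, and an SSL certificate issued to the server's FQDN already sits in the machine store for CES/CEP to use.

```powershell
# Added example (the editor's, not from the original article): unattended
# equivalent of the Server Manager / AD CS configuration wizard steps.
# Assumptions (mine, not the article's): domain-joined server, run elevated as
# an Enterprise Admin, and an SSL certificate for this host's FQDN already
# exists in Cert:\LocalMachine\My for the enrollment web services.
#Requires -RunAsAdministrator

$CACommonName = '2012R2 domain CA'   # the CA name used in the article
$CAHostFqdn   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 1. Add the AD CS role with the four role services and the management tools.
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment, `
    ADCS-Enroll-Web-Svc, ADCS-Enroll-Web-Pol -IncludeManagementTools

# 2. Configure the Certification Authority: Enterprise Root CA, new private
#    key, RSA 2048 in the software KSP, 5 years. SHA256 rather than the SHA-1
#    the 2014 wizard defaulted to, since SHA-1 signatures are rejected today.
Import-Module ADCSDeployment
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName $CACommonName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 `
    -Force

# 3. Certification Authority Web Enrollment (the /certsrv portal).
Install-AdcsWebEnrollment -Force

# 4. Certificate Enrollment Web Service and Enrollment Policy Web Service.
#    Both need an SSL certificate; pick the one issued to this host (assumed
#    to exist, see above). Windows Integrated = Kerberos in the cmdlet.
$SslCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CAHostFqdn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $SslCert) { throw "No SSL certificate for $CAHostFqdn in the machine store" }

# CAConfig is "<CA host FQDN>\<CA common name>", the string every AD CS
# client tool (certutil, certreq) uses to address a CA.
$CAConfig = "$CAHostFqdn\$CACommonName"
Install-AdcsEnrollmentWebService `
    -CAConfig $CAConfig `
    -ApplicationPoolIdentity `
    -AuthenticationType Kerberos `
    -SSLCertThumbprint $SslCert.Thumbprint `
    -Force
Install-AdcsEnrollmentPolicyWebService `
    -AuthenticationType Kerberos `
    -SSLCertThumbprint $SslCert.Thumbprint `
    -Force

"CA '$CAConfig' configured; web enrollment and CES/CEP bound to $($SslCert.Thumbprint)"
```

The script is idempotent only in the sense that each cmdlet refuses to run twice; rerunning it on a configured server stops at step 2 with an error, which is the safe outcome. Run `Get-Command -Module ADCSDeployment` to see the matching `Uninstall-Adcs*` cmdlets if you need to back out a step.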
• From the CA server, start the Certification Authority management tool. If all is well, it shows your CA server with a green icon, meaning the different CA services are up and running.

[Screenshot: the Certification Authority console showing the CA with its Revoked Certificates, Issued Certificates, Pending Requests, Failed Requests and Certificate Templates containers.]

Complete an Internal Certificate Request

In this last step, we walk through how to request an internal SSL certificate for an IIS web server in the domain against our internally deployed CA.

• From within IIS Manager, select your server. Click Server Certificates in the middle pane.
• On the right, click Create Certificate Request.
• Fill in the fields of the request template. The most important field here is the common name, which must match the host name in the URL you want to use (e.g. workfolders.pdtit.be in my situation).
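As an added example (my own script, not code from the article), the following PowerShell covers both of the preceding sections from the command line. Part 1 is the equivalent of the two checks in Verify Certificate Authority Functionality (is the CA service answering, does the /certsrv portal respond, is the CA certificate trusted on this machine). Part 2 is the equivalent of the IIS Create Certificate Request steps, carried on through submission, issuance and installation, which is further than the article's visible steps go. The CA host name ca01.pdtit.be, the site name 'Default Web Site' and the use of the CA's default WebServer template are my assumptions; 2012R2 domain CA and workfolders.pdtit.be are the names from the article.

```powershell
# Added example (the editor's, not from the original article).
# Part 1: command-line version of the "Verify Certificate Authority
#         Functionality" checks.
# Part 2: command-line version of the IIS "Create Certificate Request" steps,
#         continued through submit, accept and IIS binding.
# Assumptions (mine, not the article's): elevated PowerShell on a domain-joined
# IIS server, run by a user with Enroll permission on the CA's default
# WebServer template; the CA host name is a placeholder.

$CAConfig = 'ca01.pdtit.be\2012R2 domain CA'   # "<CA host FQDN>\<CA common name>"
$SiteName = 'workfolders.pdtit.be'              # common name = host name in the URL
$CAHost, $CAName = $CAConfig.Split('\')

# ---- Part 1: verify the CA is operational -------------------------------

# certutil -ping calls the CA's RPC/DCOM interface; a non-zero exit code means
# the Active Directory Certificate Services service is stopped or unreachable.
$ping = certutil -config $CAConfig -ping 2>&1
if ($LASTEXITCODE -ne 0) { throw "CA '$CAConfig' does not answer: $ping" }

# The Web Enrollment portal should answer a domain user with HTTP 200
# (Invoke-WebRequest throws on any other status).
try {
    $portal = Invoke-WebRequest -Uri "http://$CAHost/certsrv/" -UseDefaultCredentials -UseBasicParsing
} catch {
    throw "certsrv portal on $CAHost is not reachable: $_"
}

# An Enterprise CA publishes its certificate through Active Directory; until it
# appears in this machine's Trusted Root store (after a Group Policy refresh),
# nothing the CA issues is trusted here.
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "CN=$CAName*" }
if (-not $root) { throw "CA certificate '$CAName' is not yet in the Trusted Root store" }
"CA '$CAName' is up (HTTP $($portal.StatusCode)); root thumbprint $($root.Thumbprint)"

# ---- Part 2: request, issue and install a web server certificate --------

$work = Join-Path $env:TEMP 'certreq'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = Join-Path $work 'request.inf'
$csr = Join-Path $work 'request.csr'
$cer = Join-Path $work 'issued.cer'

# Same fields as the IIS request template (common name, 2048-bit RSA key in
# the machine store), plus a Subject Alternative Name: current browsers ignore
# the CN and only accept a host name present in the SAN extension (2.5.29.17).
@"
[NewRequest]
Subject = "CN=$SiteName"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
MachineKeySet = TRUE
Exportable = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$SiteName&"
[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path $inf -Encoding Ascii

certreq -new $inf $csr                        # generate the key pair and the CSR
certreq -submit -config $CAConfig $csr $cer   # WebServer template issues without approval
certreq -accept $cer                          # join the issued cert with its private key

# Confirm the certificate is in the machine store and chains to our root.
$issued = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$SiteName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $issued -or -not $issued.Verify()) { throw 'Issued certificate missing or not trusted' }

# Bind it to the site on 443 (WebAdministration module, IIS: drive).
Import-Module WebAdministration
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
if (-not (Test-Path 'IIS:\SslBindings\0.0.0.0!443')) {
    $issued | New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' | Out-Null
}
"Issued $($issued.Thumbprint) by $($issued.Issuer), valid until $($issued.NotAfter)"
```

If the CA has "CA certificate manager approval" enabled on the template, `certreq -submit` returns a request ID instead of a certificate; a certificate manager then issues it in the console (Pending Requests) and you fetch it with `certreq -retrieve <RequestId> -config "<CAConfig>" issued.cer` before running `certreq -accept`.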
