
How To Deploy Certification Authority on Windows Server 2016


This article walks through the steps to install and configure a certification authority (Active Directory Certificate Services) on Windows Server 2016. We will use test.com as our Active Directory domain throughout this guide.





Prerequisites

  • Windows Server 2016 installed (bare metal or virtual machine)
  • Active Directory Domain Services

Installing Web Server

To begin, install the Web Server (IIS) role on the Windows Server 2016 machine that will host the CRL and certificate distribution point. Open PowerShell and execute the following command:

Install-WindowsFeature Web-Server -IncludeManagementTools


Creating DNS CNAME Record For Web Server

To create the CNAME record, open the DNS console on your Active Directory domain controller and enter the values for your environment as shown in the image below (in this guide, cert.test.com points at the web server's host name).


Creating Shared Folder 

You need to create a shared folder where the Certificate Revocation List (CRL) and the CA certificates from the Certificate Authority (CA) will be stored.

Open up PowerShell and execute the following command:

New-Item -Path C:\cert -ItemType Directory
New-SmbShare -Name 'cert' -Path 'C:\cert' -ChangeAccess 'test\cert publishers'


Now, download the NTFSSecurity PowerShell module from here and import it using the following command.

Import-Module .\NTFSSecurity.psd1

Grant NTFS Read permission to Everyone and Anonymous Logon using the following commands. Read is all the web server needs to serve the files; the CA publishes through the Cert Publishers group, which already has Change access on the share.

Add-NTFSAccess -Path C:\cert -Account 'ANONYMOUS LOGON' -AccessRights Read
Add-NTFSAccess -Path C:\cert -Account 'Everyone' -AccessRights Read
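The same folder, share and permissions can be set up with built-in cmdlets and .NET ACL classes instead of the NTFSSecurity module, which also makes it easy to audit the result. The script below is an added example, not code from the original post; it assumes the domain NetBIOS name test, the share name cert and the folder C:\cert used in this guide, and it stops inheritance from C:\ so that the distribution point carries an explicit ACL.

```powershell
# Added example, not from the original post: create the CRL/certificate distribution
# folder and share with built-in cmdlets and set an explicit NTFS ACL, then audit it.
# Assumptions: domain NetBIOS name 'test', share 'cert', folder C:\cert.

$Path      = 'C:\cert'
$ShareName = 'cert'
$Publisher = 'test\Cert Publishers'   # the CA publishes CRLs and certs as a member of this group

if (-not (Test-Path -Path $Path)) {
    New-Item -Path $Path -ItemType Directory | Out-Null
}

# SMB share: Cert Publishers may change files, everyone else may only read.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Path `
        -ChangeAccess $Publisher -ReadAccess 'Everyone' | Out-Null
}

# NTFS: stop inheriting the permissive defaults from C:\ and set explicit rules.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)    # protect the ACL, drop inherited rules

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$rules = @(
    @{ Id = 'BUILTIN\Administrators';       Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';          Rights = 'FullControl' },
    @{ Id = $Publisher;                     Rights = 'Modify' },
    @{ Id = 'Everyone';                     Rights = 'ReadAndExecute' },
    @{ Id = 'NT AUTHORITY\ANONYMOUS LOGON'; Rights = 'ReadAndExecute' }
)
foreach ($r in $rules) {
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $r.Id, $r.Rights, $inherit, $prop, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# Audit: who can write, delete or change permissions on the distribution point?
# Only Administrators, SYSTEM and Cert Publishers should be listed.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
(Get-Acl -Path $Path).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $writeMask) -ne 0) } |
    Select-Object IdentityReference, FileSystemRights
```

Run it in an elevated PowerShell on the web server. The final audit query is worth keeping as a periodic check: any principal it lists beyond the three expected ones could replace the published CRL or CA certificate.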


Creating Virtual Directory

Open the IIS Management Console, right-click Default Web Site and choose Add Virtual Directory.


Provide the alias and physical path for your environment (in this guide, the alias cert pointing to C:\cert) and click OK.


With the new virtual directory selected in the left pane, double-click Request Filtering.


Click Edit Feature Settings.


Check Allow double escaping and click OK. This is needed because delta CRL file names end in +.crl, and IIS request filtering rejects requests containing a plus sign unless double escaping is allowed.





Configuring Certification Authority Server

Here you need to create the certificate authority policy file. Go to the C:\Windows directory and create a new file named CAPolicy.inf.


Put the following content in this file. The empty [CRLDistributionPoint] and [AuthorityInformationAccess] sections are intentional: they keep CDP and AIA extensions out of the root CA's own self-signed certificate. Note that AlternateSignatureAlgorithm=1 makes the CA sign with RSASSA-PSS, which some non-Windows clients and devices do not support; set it to 0 if such clients need to validate certificates from this CA.

[Version]
Signature="$Windows NT$"
[PolicyStatementExtension]
Policies=InternalPolicy
[InternalPolicy]
OID=1.2.3.4.1455.67.89.5
Notice="Legal Policy Statement"
URL=http://cert.test.com/cert/cps.txt
[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5
CRLPeriod=weeks
CRLPeriodUnits=1
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=1
[CRLDistributionPoint]
[AuthorityInformationAccess]


Installing Certification Authority Role on Active Directory Domain

Open PowerShell on your Active Directory domain controller and run the following commands to install the CA role and configure it as an enterprise root CA.

Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA



Open the Certification Authority console, right-click the CA, choose Properties and open the Extensions tab. Under Select extension, choose CRL Distribution Point (CDP).

Delete the last three entries (the ldap://, http:// and file:// locations) as shown in the image below, leaving only the local C:\Windows\system32\CertSrv\CertEnroll path.




After deleting these entries, click Add


and enter http://cert.test.com/cert/.crl, with the file name built from the variables the Insert button offers (<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl).

Check "Include in CRLs. Clients use this to find Delta CRL locations" and "Include in the CDP extension of issued certificates".


Now, under Select extension, choose Authority Information Access (AIA).

Authority Information Access (AIA) is used to publish where a copy of the issuer's certificate may be downloaded. Paths specified in this extension can be used by an application or service to retrieve the issuing CA certificate. These CA certificates are then used to validate the certificate signature and to build a path to a trusted certificate.

Again, delete the ldap://, http:// and file:// entries.


Then click Add and enter http://cert.test.com/cert/_.crt, with the file name built from the Insert variables (<ServerDNSName>_<CaName><CertificateName>.crt).

Check "Include in the AIA extension of issued certificates".


All paths specified above point to the network share on the web server (\\web\cert) and to the web virtual directory (http://cert.test.com/cert/).
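The console steps for the CDP and AIA extensions can also be done with certutil -setreg, which gives a repeatable configuration that can be reviewed in change control. The script below is an added example, not code from the original post; it assumes the HTTP distribution point http://cert.test.com/cert/ used in this guide and is run on the CA in an elevated PowerShell. The numeric prefixes correspond to the checkboxes in the console.

```powershell
# Added example, not from the original post: configure the CDP and AIA extensions with
# certutil -setreg instead of the console. Assumption: HTTP location is
# http://cert.test.com/cert/ as in this guide; run on the CA in an elevated PowerShell.
#
# Location flags (add the ones you want):
#   1   publish CRLs / CA certificates to this location (local paths only)
#   2   include in the CDP (or AIA) extension of issued certificates
#   4   include in CRLs so clients can find delta CRL locations
#   64  publish delta CRLs to this location
# Variables: %1 = ServerDNSName, %3 = CaName, %4 = CertificateName,
#            %8 = CRLNameSuffix, %9 = DeltaCRLAllowed

$Http   = 'http://cert.test.com/cert/'
$Enroll = "$env:windir\system32\CertSrv\CertEnroll"

# Only the local publication path plus the HTTP location are listed; the ldap, default
# http and file entries that the console steps delete are simply left out.
# 65 = 1 + 64: publish both full and delta CRLs locally.
# 6  = 2 + 4: the two checkboxes ticked in the console for the HTTP location.
$cdp = "65:$Enroll\%3%8%9.crl\n6:$Http%3%8%9.crl"
$aia = "1:$Enroll\%1_%3%4.crt\n2:$Http%1_%3%4.crt"

certutil -setreg 'CA\CRLPublicationURLs'    $cdp
certutil -setreg 'CA\CACertPublicationURLs' $aia

# The CA reads these settings at service start; restart and print the effective values
# so the change can be verified against what the console would show.
Restart-Service -Name certsvc
certutil -getreg 'CA\CRLPublicationURLs'
certutil -getreg 'CA\CACertPublicationURLs'
```

The \n inside the strings is passed literally; certutil uses it as the separator between locations. Compare the -getreg output with the Extensions tab afterwards: the flag numbers shown there should match the prefixes above.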

Publishing the CRL


It is time to publish the CRL so it is available to our users. Open PowerShell on the CA and execute the following command.

certutil -crl

Copy the CA certificate and the CRL to the network share folder:

copy C:\Windows\system32\certsrv\certenroll\*.crt \\WEB\cert
copy C:\Windows\system32\certsrv\certenroll\*.crl \\WEB\cert



To check CA health, open PowerShell and run pkiview.msc (Enterprise PKI); it reports whether each CDP and AIA location is reachable and current.
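The publish-and-copy step above is the one most often forgotten after a CRL period elapses, and a stale or unreachable CRL makes clients fail revocation checks. The script below is an added example, not code from the original post; it publishes the CRL, copies the files to the share as in the commands above, and then confirms that every CRL is actually served over HTTP and parses. It assumes the share \\WEB\cert and the URL http://cert.test.com/cert/ from this guide and is run on the CA in an elevated PowerShell.

```powershell
# Added example, not from the original post: publish a new CRL, copy CA certificate and
# CRL files to the web share, then verify each CRL is reachable over HTTP and parses.
# Assumptions: share \\WEB\cert and URL http://cert.test.com/cert/ as in this guide.

$Share   = '\\WEB\cert'
$BaseUrl = 'http://cert.test.com/cert/'
$Enroll  = "$env:windir\system32\CertSrv\CertEnroll"

function Publish-DistributionPoint {
    certutil -crl | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -crl failed with exit code $LASTEXITCODE" }
    Copy-Item -Path "$Enroll\*.crt" -Destination $Share -Force
    Copy-Item -Path "$Enroll\*.crl" -Destination $Share -Force
}

function Test-CrlUrl {
    param([string]$Url)
    $temp = Join-Path $env:TEMP ([IO.Path]::GetRandomFileName())
    try {
        # -UseBasicParsing avoids the Internet Explorer engine dependency on Server Core
        Invoke-WebRequest -Uri $Url -OutFile $temp -UseBasicParsing -ErrorAction Stop
        $dump = certutil -dump $temp
        if ($LASTEXITCODE -ne 0) { return "$Url : downloaded but not a valid CRL" }
        $next = ($dump | Select-String -Pattern 'Next\s*Update' | Select-Object -First 1).Line
        return "$Url : OK ($("$next".Trim()))"
    } catch {
        return "$Url : FAILED ($($_.Exception.Message))"
    } finally {
        Remove-Item -Path $temp -ErrorAction SilentlyContinue
    }
}

Publish-DistributionPoint
foreach ($crl in Get-ChildItem -Path "$Enroll\*.crl") {
    # Delta CRL names end in +.crl; the plus sign is what requires "Allow double
    # escaping" in IIS, so this loop also exercises that setting.
    Test-CrlUrl -Url ($BaseUrl + $crl.Name)
}
```

Schedule the publish-and-copy part to run comfortably inside the CRLPeriod set in CAPolicy.inf (one week here), and alert on any FAILED line from the check.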






Auto-Enrollment of Certificates Using GPO

On your Active Directory domain controller, open the Group Policy Management Editor, navigate to Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment, and change Configuration Model to Enabled.
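To confirm on a domain member that the auto-enrollment policy has actually applied, the following added example (not from the original post) refreshes policy, reads the registry value the GPO sets, triggers an enrollment pass and lists the results. It assumes the root CA's subject contains "test"; adjust $CaMatch to your CA name.

```powershell
# Added example, not from the original post: on a domain-joined machine, verify that the
# auto-enrollment GPO applied and trigger an enrollment pass.
# Assumption: the root CA's subject name contains 'test' (adjust $CaMatch).

$CaMatch = '*test*'

gpupdate /target:computer /force | Out-Null

# The GPO writes this value: 1 = enabled, +2 = renew expired/update pending,
# +4 = update certificates that use templates (7 when both options are checked).
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$ae  = Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue
if ($null -eq $ae) {
    Write-Warning 'AEPolicy not set: the auto-enrollment GPO has not applied to this computer'
} else {
    "AEPolicy = $($ae.AEPolicy)"
}

# Trigger auto-enrollment now instead of waiting for the next policy refresh.
certutil -pulse | Out-Null

# The enterprise root CA should be trusted, and auto-enrolled machine certificates
# appear in the local machine Personal store.
Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Subject -like $CaMatch } |
    Select-Object Subject, NotAfter, Thumbprint
Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Issuer -like $CaMatch } |
    Select-Object Subject, Issuer, NotAfter
```

If the Root store query returns nothing, the CA certificate has not been published to Active Directory yet and auto-enrolled certificates will not chain; check that on the CA before troubleshooting the GPO.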



We have successfully completed the deployment of the certificate authority.

4 comments:

  1. Andy Syrewicze, February 10, 2017

    Can we set up two server in fail-over environment for certification authority?

  2. Romain Serre, February 10, 2017

    Good tutorial

  3. Sascha Fredrich, February 10, 2017

    Can we install Active directory domain services and certification authority on a single server?
