
This article walks through installing and configuring a certification authority (CA) on Windows Server 2016. We use test.com as the Active Directory domain throughout. The CA role goes on the domain controller; the CA certificate and the certificate revocation list (CRL) are published through a separate IIS host (WEB), which clients reach under the alias cert.test.com.
Prerequisites
- Windows Server 2016 (bare metal or a virtual machine)
- Active Directory Domain Services (the test.com domain in this guide)
Installing Web Server
To begin, install the Web Server (IIS) role on the Windows Server 2016 machine that will host the CA certificate and CRL (WEB in this guide). Open PowerShell and run:
Install-WindowsFeature Web-Server -IncludeManagementTools
Creating DNS CNAME Record For Web Server
To create the CNAME record, open the DNS console on your domain controller and, in the test.com zone, add an alias named cert that points to the web server's host (A) record, web.test.com. The CDP and AIA URLs configured later use cert.test.com, so this name must resolve before any client tries to fetch a CRL.
Creating Shared Folder
You need a shared folder where the Certificate Revocation List (CRL) and the CA certificate will be stored. Open PowerShell on the web server and run:
New-Item c:\cert -type directory
New-SmbShare -Name 'cert' -Path 'C:\cert' -ChangeAccess 'test\cert publishers'
Cert Publishers is the domain group the CA's computer account joins when the enterprise CA is installed, so Change access on the share is what allows the CA itself to write CRLs there.
Now download the NTFSSecurity PowerShell module and import it with the following command.
import-module .\NTFSSecurity.psd1
Grant Read NTFS permission to Everyone and ANONYMOUS LOGON. Read is all IIS needs to serve the files; do not give Everyone Full Control, otherwise anyone who can reach the share can delete or replace the CRL. The Cert Publishers group, which already has Change access on the share, also needs Modify at the NTFS level, because effective access is the more restrictive of the share and NTFS permissions.
add-NTFSAccess -Path C:\cert -Account 'ANONYMOUS LOGON' -AccessRights Read
add-NTFSAccess -Path C:\cert -Account 'Everyone' -AccessRights Read
Creating Virtual Directory
Open the IIS Manager console, right-click Default Web Site and choose Add Virtual Directory.
Enter cert as the alias and C:\cert as the physical path (adjust to your environment) and click OK; the folder is then served as http://cert.test.com/cert/.
With the new virtual directory selected, double-click Request Filtering in the centre pane, click Edit Feature Settings, check Allow double escaping and click OK. This is needed because delta CRL file names contain a plus sign, which request filtering rejects by default; enable it only on this virtual directory rather than on the whole site.
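The web-server side of the procedure (the CNAME, the IIS role, the share, the NTFS permissions and the virtual directory) as a single PowerShell script. This is an added example, not code from the original article. It assumes the web server is WEB (web.test.com), the domain NetBIOS name is TEST and the zone is test.com; it uses the built-in icacls instead of the NTFSSecurity module, limits Everyone to Read, and grants Cert Publishers Modify at the NTFS level so that the CA can write to the share itself.

```powershell
# Added example: the web-server side of the guide as a script. Not part of the original
# article. Assumptions: the web server is WEB (web.test.com), the domain NetBIOS name is
# TEST, the zone is test.com. Step 1 runs on the domain controller; steps 2-6 run on WEB
# in an elevated PowerShell (5.1 on Server 2016).

# 1. DNS alias: cert.test.com -> web.test.com (run on the DC; DnsServer module).
Add-DnsServerResourceRecordCName -ZoneName 'test.com' -Name 'cert' -HostNameAlias 'web.test.com'

# 2. IIS on the web server.
Install-WindowsFeature Web-Server -IncludeManagementTools

# 3. Folder and share. The CA's computer account is a member of Cert Publishers, so
#    Change on the share is what lets the CA service write CRLs here; nobody else gets
#    write access through the share.
New-Item -Path 'C:\cert' -ItemType Directory -Force | Out-Null
New-SmbShare -Name 'cert' -Path 'C:\cert' -ChangeAccess 'TEST\Cert Publishers'

# 4. NTFS ACL with the built-in icacls instead of the NTFSSecurity module. Effective
#    access is the more restrictive of share and NTFS, so Cert Publishers needs Modify
#    here too. Everyone gets Read only (the IIS anonymous account IUSR is in Everyone);
#    Full Control for Everyone would let any user delete or replace the CRL.
icacls 'C:\cert' /grant 'Everyone:(OI)(CI)R' 'TEST\Cert Publishers:(OI)(CI)M'

# 5. Virtual directory /cert on Default Web Site, and allow double escaping only there:
#    delta CRL file names contain '+', which request filtering rejects by default.
Import-Module WebAdministration
New-WebVirtualDirectory -Site 'Default Web Site' -Name 'cert' -PhysicalPath 'C:\cert'
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\cert' `
    -Filter 'system.webServer/security/requestFiltering' `
    -Name 'allowDoubleEscaping' -Value $true

# 6. Checks: the alias resolves, the share grants only Cert Publishers, and the NTFS
#    ACL contains no Everyone:(F) entry.
Resolve-DnsName -Name 'cert.test.com' -Type CNAME
Get-SmbShareAccess -Name 'cert'
icacls 'C:\cert'
```

The share is left without an Everyone entry on purpose: clients fetch the CRL over HTTP, so nothing but the CA (through Cert Publishers) and local administrators needs to reach C:\cert over SMB.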

Configuring Certification Authority Server
Here you create the CA policy file. In the C:\Windows directory create a new file named CAPolicy.inf; it must exist there before the CA role is configured, because the installer reads it at that point.
Put the following in the file. The OID below is a placeholder, so substitute one from an arc your organisation controls, and the URL must point at a reachable copy of your certificate practice statement. Two settings deserve attention: AlternateSignatureAlgorithm=1 makes the CA sign with the RSASSA-PSS scheme, which many non-Windows clients and network devices cannot validate (set it to 0 if such clients must chain to this CA), and the empty [CRLDistributionPoint] and [AuthorityInformationAccess] sections deliberately leave those extensions out of the root certificate, which is correct for a self-signed root. LoadDefaultTemplates=0 means the CA starts with no certificate templates published.
[Version]
Signature="$Windows NT$"
[PolicyStatementExtension]
Policies=InternalPolicy
[InternalPolicy]
OID=1.2.3.4.1455.67.89.5
Notice="Legal Policy Statement"
URL=http://cert.test.com/cert/cps.txt
[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5
CRLPeriod=weeks
CRLPeriodUnits=1
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=1
[CRLDistributionPoint]
[AuthorityInformationAccess]
Installing Certification Authority Role on Active Directory Domain
Open PowerShell on the server that will become the CA (the domain controller in this guide) and run the following to install the role and configure it as an enterprise root CA. The cmdlet prompts for confirmation and picks up the settings from CAPolicy.inf.
Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA
Open the Certification Authority console, right-click the CA, choose Properties and open the Extensions tab. With CRL Distribution Point (CDP) selected in the Select extension list, delete the last three entries (ldap, http and file), leaving only the local C:\Windows\system32\CertSrv\CertEnroll entry.
After deleting these entries click Add and enter http://cert.test.com/cert/ followed by the variables <CaName><CRLNameSuffix><DeltaCRLAllowed>.crl (the Variable drop-down inserts them), so that the URL names the CRL file itself.
Check Include in CRLs. Clients use this to find Delta CRL locations and Include in the CDP extension of issued certificates.
Now, from Select extension, choose Authority Information Access (AIA).
Authority Information Access (AIA) publishes where a copy of the issuer's certificate can be downloaded. An application or service uses the paths in this extension to retrieve the issuing CA certificate, which it then uses to validate the certificate signature and build a path to a trusted root.
Again delete the ldap, http and file entries.
Then click Add and enter http://cert.test.com/cert/ followed by the variables <ServerDNSName>_<CaName><CertificateName>.crt.
Check Include in the AIA extension of issued certificates.
Every path entered above points either at the share on the web server (\\web\cert) or at the web virtual directory (http://cert.test.com/cert/); clients only ever use the HTTP URLs, and the share is where the CA and administrators write the files. When you click OK the console asks to restart Active Directory Certificate Services; accept, otherwise the new extensions are not applied to issued certificates.
Publishing the CRL
It's time to publish the CRL so that it is available to clients. Open PowerShell on the CA and run:
certutil -crl
Copy the CA certificate and the CRL to the network share. Because CAPolicy.inf sets CRLPeriodUnits=1 week, a new CRL is generated every week and this copy has to be repeated each time (or automated); otherwise clients fail revocation checks once the Next Update time of the published CRL passes.
copy C:\Windows\system32\certsrv\certenroll\*.crt \\WEB\cert
copy C:\Windows\system32\certsrv\certenroll\*.crl \\WEB\cert

To check CA health, open PowerShell and type pkiview.msc (Enterprise PKI). Every CDP and AIA location listed for the CA should show status OK; Unable To Download means clients cannot retrieve the file from that URL, and Expired means the copy on the web server is stale.

Auto-Enrollment of Certificates Using GPO
On your domain controller, open the Group Policy Management Editor for the policy you want to use (the Default Domain Policy affects every computer), navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment, set Configuration Model to Enabled and tick both Renew expired certificates, update pending certificates, and remove revoked certificates and Update certificates that use certificate templates. Because CAPolicy.inf set LoadDefaultTemplates=0, the CA has no templates published yet; publish the templates you need (Certificate Templates > New > Certificate Template to Issue in the CA console) and grant the target computers or users Autoenroll on them before anything is issued.
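The CA side of the procedure (CAPolicy.inf, role installation, the CDP and AIA extensions, CRL publication, the auto-enrollment GPO and a check of the published CRL) as a single PowerShell script. This is an added example, not code from the original article. It assumes the CA common name test-CA, the web host WEB with the share \\WEB\cert published as http://cert.test.com/cert/, and the GPO named Default Domain Policy. It goes one step beyond the console walkthrough: besides the HTTP URL it adds a file://\\WEB\cert publish location so that the CA service writes every new CRL to the share itself, which removes the weekly manual copy.

```powershell
# Added example: the CA side of the guide as a script. Not part of the original article.
# Run in an elevated PowerShell on the server that becomes the CA (the DC in this guide).
# Assumptions: CA common name 'test-CA', web host WEB with share \\WEB\cert published as
# http://cert.test.com/cert/, GPO 'Default Domain Policy'.

# 1. CAPolicy.inf must be in %windir% before the role is configured. A single-quoted
#    here-string is used so that PowerShell does not expand "$Windows NT$".
$caPolicy = @'
[Version]
Signature="$Windows NT$"
[PolicyStatementExtension]
Policies=InternalPolicy
[InternalPolicy]
OID=1.2.3.4.1455.67.89.5
Notice="Legal Policy Statement"
URL=http://cert.test.com/cert/cps.txt
[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5
CRLPeriod=weeks
CRLPeriodUnits=1
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=1
[CRLDistributionPoint]
[AuthorityInformationAccess]
'@
Set-Content -Path "$env:windir\CAPolicy.inf" -Value $caPolicy -Encoding Ascii

# 2. Role and enterprise root CA. Validity comes from CAPolicy.inf (5 years); SHA-256
#    is given explicitly so the root is never signed with SHA-1.
Install-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CACommonName 'test-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' -KeyLength 2048 `
    -HashAlgorithmName SHA256 -Force

# 3. CDP and AIA, the registry equivalent of the Extensions tab. Each entry is
#    "flags:URL"; flags: 1 publish here, 2 include in the CDP/AIA extension of issued
#    certificates, 4 include in CRLs (delta CRL location), 64 publish delta CRLs here.
#    The file:// entry is the addition: the CA service writes each new CRL to the share
#    itself (its computer account is in Cert Publishers). "\n" separates entries.
$base = 'C:\Windows\system32\CertSrv\CertEnroll'
certutil -setreg CA\CRLPublicationURLs ("65:$base\%3%8%9.crl\n" +
    '65:file://\\WEB\cert\%3%8%9.crl\n' +
    '6:http://cert.test.com/cert/%3%8%9.crl')
certutil -setreg CA\CACertPublicationURLs ("1:$base\%1_%3%4.crt\n" +
    '2:http://cert.test.com/cert/%1_%3%4.crt')
Restart-Service certsvc

# 4. Publish the CRL (lands in CertEnroll and on \\WEB\cert) and copy the CA
#    certificate once; CACertPublicationURLs only publish at install or renewal time.
certutil -crl
Copy-Item -Path "$base\*.crt" -Destination '\\WEB\cert'

# 5. Auto-enrollment GPO. AEPolicy 7 = enabled (1) + renew/update/remove (2) + update
#    template-based certificates (4). A template is published as well, since
#    LoadDefaultTemplates=0 left the CA with none; 'Machine' is the built-in Computer
#    template, whose security must grant the target computers Autoenroll.
Set-GPRegistryValue -Name 'Default Domain Policy' `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' `
    -ValueName 'AEPolicy' -Type DWord -Value 7
Add-CATemplate -Name 'Machine' -Force

# 6. Check as a client would: fetch the CRL over the CDP URL and inspect Next Update.
certutil -getreg CA\CRLPublicationURLs
Invoke-WebRequest -Uri 'http://cert.test.com/cert/test-CA.crl' -OutFile "$env:TEMP\test-CA.crl"
certutil -dump "$env:TEMP\test-CA.crl" | Select-String 'Next Update', 'Issuer'
```

If the final download fails, check the three pieces in order: the cert.test.com alias resolves, the share and NTFS ACLs give Cert Publishers write access (otherwise certutil -crl reports an error for the file:// location), and the virtual directory allows double escaping so the delta CRL name with its plus sign is served.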
We have now completed the deployment of the certification authority.
Comments
Can we set up two servers in a fail-over environment for the certification authority?
Can we install Active Directory Domain Services and the certification authority on a single server?
Yes, that is possible.