Active Directory Certificate Services
What is PKI?
Public Key Infrastructure (PKI) is the combination of software, encryption technologies, processes, and services that enables an organization to secure its data, communications, and business transactions. PKI relies on the exchange of digital certificates between authenticated users and trusted resources.
In this lab we will use certificates to secure data and to manage identification credentials from users and computers both within and outside of your organization.
What is AD CS?
You can implement a PKI solution by using the AD CS Windows Server role. AD CS provides all PKI-related components as role services. Each role service is responsible for a specific portion of the certificate infrastructure while working together to form a complete solution.
The AD CS role includes the following role services:
Certification Authority (CA). The main purpose of CAs is to issue certificates, to revoke certificates, and to publish authority information access (AIA) and revocation information. The first CA you deploy becomes the root of your internal PKI. Subsequently, you can deploy subordinate CAs, positioned within the PKI hierarchy, with the root CA at its top. Subordinate CAs implicitly trust the root CA and, by implication, certificates it issues.
Certification Authority Web Enrollment. This component provides a method to issue and renew certificates in scenarios where users have devices that are not joined to the domain or are running operating systems other than Windows.
Online Responder. You can use this component to configure and manage Online Certificate Status Protocol (OCSP) validation and revocation checking. An Online Responder decodes revocation status requests for specific certificates, evaluates the status of those certificates, and returns a signed response that has the requested certificate status information.
Network Device Enrollment Service (NDES). With this component, routers, switches, and other network devices can obtain certificates from AD CS.
Certificate Enrollment Web Service (CES). This component works as a proxy client between a computer running Windows and the CA. CES enables users, computers, or applications to connect to a CA by using web services to:
Request, renew, and install issued certificates.
Retrieve certificate revocation lists (CRLs).
Download a root certificate.
Enroll over the internet or across forests.
Renew certificates automatically for computers that are part of untrusted AD DS domains or are not joined to a domain.
Certificate Enrollment Policy Web Service. This component enables users to obtain certificate enrollment policy information. Combined with CES, it enables policy-based certificate enrollment in scenarios where user devices are not joined to the domain or can't connect to a domain controller.
In this lab, we will walk through the steps to install and configure an Enterprise Root Certification Authority on Windows Server.
An Enterprise Certificate Authority requires Active Directory and is typically used to issue certificates to users, computers, devices, and servers for an organization. Users can request certificates using manual enrollment, web enrollment, auto-enrollment, or with the use of an enrollment agent.
Step 1: Install Active Directory Certificate Services
As this is a virtual test lab, I have chosen to install the CA on the Domain Controller rather than on a separate stand-alone server. We are logged in as the domain admin throughout this process so that no permission restrictions or conflicts are encountered during the service installation.
Domain Controller: Harchit.local
1. Open Server Manager Console
2. In the Server Manager console, click on Manage and select Add roles and features.
3. On the Before you begin screen, click Next.
4. On the Select installation type page, make sure you choose Role-based or feature-based installation. Click Next.
5. On the Select destination server page, choose the local server. Click Next.
6. On the Select server roles page, select Active Directory Certificate Services.
7. When the Add Roles and Features Wizard window appears, click Add Features.
8. Click Next to continue.
9. On the Select features page, click Next.
10. On the Active Directory Certificate Services page, click Next.
11. On the Select role services page, make sure you tick the Certification Authority and Certification Authority Web Enrollment checkboxes.
12. Selecting Certification Authority Web Enrollment opens a window listing the additional features that are required to install it. Click Add Features.
13. Click on the Next button until you reach the Confirm installation selection page.
14. We will use the defaults for this lab, so on the Web Server Role (IIS) page, click Next.
The next window will show you a selection of role services under the Web Server Role (IIS) but simply click Next.
Lastly, click Install in the Confirm installation selections window to start the installation process.
Wait for a few minutes to complete the installation.
Step 2: Configure Active Directory Certificate Services
15. Once the installation is done, you may close the window. From the Server Manager Dashboard, click on the notification icon next to the flag on the upper right part of the dashboard and click on the link that states Configure Active Directory Certificate Services on the destination server.
16. On the Credentials page, click Next.
17. On the Select role services to configure page, select Certification Authority and Certification Authority Web Enrollment service. Click Next.
18. On the Setup Type page, select Enterprise CA, and then click Next.
19. On the CA Type window, ensure that Root CA is selected, and then click Next.
20. On the Private Key page, ensure that Create a new private key is selected, and then click Next.
21. On the Cryptography for CA page, keep the default selections for the Cryptographic Service Provider (CSP) and the SHA256 hash algorithm. A 2048-bit key would be sufficient, but we change the Key length to 4096 for a larger security margin, and then click Next.
22. On the CA Name page, you can specify any name of your choice for your Certificate Authority. Click Next when you are done.
23. On the Validity Period page, we will keep the default value of 5 years. Click Next.
24. The CA Database page displays the location where the certificate database will be stored. Click Next.
25. The Confirmation window will show you the configuration summary for you to review, click Configure to proceed.
26. On the Results page, click Close.
Step 3: Verify AD CS installation and configuration
27. To confirm that the web enrollment page is working, open a web browser and access the URL http://localhost/certsrv.
28. To launch the CA Management Console, in the Server Manager console, click Tools and select Certification Authority.
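The same three steps can be scripted. The block below is an added example and is not part of the original lab; it assumes an elevated PowerShell session as the domain admin on the Harchit.local domain controller, and the CA common name Harchit-Root-CA is a placeholder you can replace as in step 22.

```powershell
# Added example: PowerShell equivalent of the lab's three steps (install role,
# configure an Enterprise Root CA, verify). Run elevated as the domain admin on
# the Harchit.local DC. The CA common name is an assumed placeholder.
$CaName = 'Harchit-Root-CA'   # assumption: any name of your choice, as in step 22

# Step 1: install the CA and Web Enrollment role services (wizard steps 6-14).
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# Step 2: Enterprise Root CA, new 4096-bit RSA key, SHA256, 5-year validity
# (wizard steps 18-23). -Force suppresses the interactive confirmation.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName $CaName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 `
    -Force

Install-AdcsWebEnrollment -Force

# Step 3: verify. CertSvc must be running and the CA must answer a ping.
Get-Service -Name CertSvc | Select-Object Status, StartType
certutil -ping

# The CA certificate sits in the local machine store; confirm the key size and
# signature hash actually match what was chosen above.
$caCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "CN=$CaName*" }
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($caCert)
"Key size: $($rsa.KeySize)  Signature: $($caCert.SignatureAlgorithm.FriendlyName)  Expires: $($caCert.NotAfter)"

# An Enterprise CA registers itself in the AD configuration partition so that
# domain members can locate it; this lists the registered enrollment services.
$cfg = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfg" `
    -Filter 'objectClass -eq "pKIEnrollmentService"' -Properties dNSHostName |
    Select-Object Name, dNSHostName

# The web enrollment page (step 27) uses Windows authentication; expect HTTP 200.
(Invoke-WebRequest -Uri 'http://localhost/certsrv/' -UseDefaultCredentials -UseBasicParsing).StatusCode
```

The AD lookup needs the ActiveDirectory module, which is present on a domain controller; on another server install RSAT first.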