How to Install Certificate Services on Windows Server 2008 R2
Posted by Alin D on February 11, 2011
Active Directory Certificate Services (AD CS) is the Microsoft implementation of public key infrastructure (PKI). PKI deals with the components and processes for issuing and managing digital certificates that are used for encryption and authentication. It is not mandatory to
implement AD CS as part of a Windows Server 2008 Active Directory structure. However, many organizations find it useful to deploy this service internally rather than relying on an external provider.
AD CS is the component of Windows Server 2008 that can be used to issue and manage digital certificates. The digital certificates issued by AD CS can be used for encrypting file system (EFS), e-mail encryption, secure sockets layer (SSL), and authentication. A server with AD CS installed is referred to as a certification authority (CA).
Digital certificates are used for asymmetrical encryption, which requires two keys. The first key is the private key, which is securely stored by the user or computer that a digital certificate has been issued to. The second key is the public key that is distributed to other users and
computers. The data encrypted by one key can only be decrypted by the other key. This relationship ensures protection of the encrypted data. Each key is sufficiently large to prevent computation of the private key via possession of the public key.
How to implement AD CS
AD CS is a complex product with various options for implementations. The implementation options for root and subordinate CAs vary, and you need to be aware of the process for each. Web enrollment is commonly used in many environments and must be configured. You must also manage certificate revocation by using either certificate revocation lists or OCSP. Finally, you must be aware of how to perform key archival and recovery.
I believe best practice is, and I’m sure someone will correct me if I’m wrong, to set up an Enterprise Root CA (Certificate Authority), then set up one or more subordinate CA’s. You can then make your Root CA unavailable for access and have the subordinates handle all of the traffic without fear of compromising your Root CA. In this tutorial, we’ll just be installing and configuring a Root CA, but the process is basically the same for the subordinates.
Now that you’ve got some background information, onto the installation/configuration of Windows Server 2008 R2 Certificate Services.
In ‘Server Manager’, select Roles in the left pane, then Add Roles in the right pane. Place a check mark in the checkbox for Active Directory Certificate Services. Then click Next.
On the ‘Introduction to Active Directory Certificate Services’ window, you can read up on the certificate services technology, how to manage a CA, and naming. Click Next.
On the ‘Select Role Services’ page, make sure Certification Authority is selected, then selectCertification Authority Web Enrollment, when the ‘Add Roles Wizard’ window appears click the Add Required Role Services button. Click Next.
On the ‘Specify Setup Type’ page, leave Enterprise selected. Click Next. On the ‘Specify CA Type’ page, leave Root CA selected and click Next. On the ‘Set Up Private Key’ page, leaveCreate a new private key selected and click Next.
On the Configure Cryptography for CA page, you can leave the defaults selected or adjust as necessary for your needs. You can also pause here and research the providers and hashes as necessary, but for this tutorial and most environments, the default will suffice. ClickNext.
On the ‘Configure CA Name’ page, set the common name to the same as the server name since this server is a domain controller. This is an acceptable practice. Leave the ‘Distinguished name suffix’ alone. Click Next.
On the ‘Set Validity Period’ page, feel free to adjust the validity period or leave the default. This should be adjusted based on your needs. Click Next. On the ‘Configure Certificate Database’ page, you can adjust the paths or leave the defaults set. Click Next.
Next we see the ‘Web Server (IIS)’ page. You can read the description and check out the links listed on the page if you’d like. Click Next.
On the ‘Select Role Services’ page, leave the defaults selected. Click Next. On the ‘Confirm Installation Selections’ page, you can review your choices, go back and make changes, or clickInstall. After the ‘Installation Progress’ page finishes, you can view your ‘Results’.
You’ve now got a domain controller that is capable of issuing certificates to your servers and users. You can go back through the wizard and install additional CA components, for example, that will allow you to issue certificates to users and computers that are not part of your domain. That option is called ‘Certificate Enrollment Web Service’.
One Response to “How to Install Certificate Services on Windows Server 2008 R2”
Sorry, the comment form is closed at this time.