Let’s get some things sorted out and some facts in place, straight away :)
What this space is not about
- Installing Windows 2012 R2 server
- Setting up Active Directory on the server
- Setting up a Subordinate CA
WTF !! Then what are we here for
- We will be setting up an Enterprise Root CA on a Windows 2012 R2 server which has already been configured with AD DS (Active Directory Domain Services), since an Enterprise CA is integrated with AD DS
- We’ll also enable the Web Enrollment for the Certification Authority so that submitting a CSR and getting it signed is made easy
- You will also find how to increase the validity of the certificates
- And how to create more certificate templates and get those under the Web Enrollment
Dash of courtesy
My conscience compels me to admit that the content posted here has been collected from various other blogs and forums. It has just been put together and polished to create a complete end-to-end deployment guide.
Great expectations
This is all for testing purposes only. An actual production environment may demand much more intense, fine-tuned and secure configurations in place to fend off the baddies.
And there would surely be other ways to achieve the same end.
I would encourage you to explore the other config parameters too, play around and don’t be afraid to go wrong.
Be strong, google around, I am sure there would always be ways to revert errors.
So let’s roll !!
Setting up the Certification Authority
1. Log on to the server that you intend to add the CA role to
2. Launch the Server Administrator tool (if it did not launch automatically) to get to the dashboard
3. In server administrator, select ADD ROLES AND FEATURES from the MANAGE Menu. You will get prompted with a dialog box to confirm that you want to add roles through the wizard. Click NEXT
4. You will be prompted to select the installation type, choose ROLE BASED OR FEATURE BASED INSTALLATION. Click Next
5. You will be prompted to select the server to install the role on. Select the server in the selection list and then click NEXT
6. Select the ROLE that you want to install. In this case, select CERTIFICATE SERVICES and click NEXT
7. You will see a dialog box prompting you for additional features. Click NEXT
8. Next, you will receive a notification that after installing Certificate Services, the domain and server cannot be modified. Click NEXT
9. You will be prompted to select the specific Role Services within the Certificate Services role that you want to enable. Leave CERTIFICATION AUTHORITY and Certification Authority Web Enrollment checked and click NEXT
10. Next you will be asked about restarting the server if it is required after install. Make your selection and click NEXT
11. After clicking NEXT, the installation of the role will begin
12. Once the installation has finished, a new role block will appear in the server administrator dashboard. Click NEXT to continue
13. You will be returned to a completion screen showing that the Certificate Services role has been installed successfully. Click on CONFIGURE ACTIVE DIRECTORY CERTIFICATE SERVICES ON DESTINATION SERVER. And if you were too careless to stop at this screen, don’t worry. Click the Exclamation Mark on the flag and choose the CONFIGURE option from there
14. Verify that you are using the proper credentials to configure the Certificate Services role; if not, change to the proper account. Click NEXT
15. Again, select the specific function of Certificate Services to configure. Leave Certification Authority and Certification Authority Web Enrollment selected and click NEXT
16. Specify the Setup Type for the Certification Authority - choose ENTERPRISE CA and click NEXT
17. Next, specify the Type of CA. Select ROOT CA and click NEXT
18. Next, specify the private key to be created. Select NEW PRIVATE KEY and click NEXT
19. Next, leave the cryptography as it is and click NEXT
20. Next, specify the Certification Authority name. You may choose to leave it as default. Click NEXT
21. Specify the Validity Period. The default is 5 years. For testing purposes, increase it to 25 years to ensure that you will not have to recertify for quite a while
22. Next you will need to specify where to store the certification database. I recommend leaving the default settings, and click NEXT
23. Verify your configuration settings, and click CONFIGURE
24. The configuration will run (should only take a few seconds), and then a confirmation message indicating that the Certificate Services installation SUCCEEDED should appear. Click CLOSE
25. You will be returned to the Roles and Features installation wizard. Click CLOSE
26. Reboot the server in order for it to receive a certificate from the CA
27. Woop Woop!! We are all done setting up the Root CA
And in the process we have also enabled the Web Enrollment page, which can be reached via browser at the address ‘http://<CA-IP>/certsrv’. This will allow you to download the CA cert, submit a CSR for signing and download the signed cert.
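For anyone who would rather script steps 1 to 27 than click through the wizard, here is the same Enterprise Root CA plus Web Enrollment deployment as an added PowerShell example (not from the original post). It assumes an elevated PowerShell session on the domain-joined server, run as an Enterprise Admin; the CA common name, 2048-bit RSA key and SHA-256 hash are assumptions (step 19 and 20 above simply kept the wizard defaults).

```powershell
# Added example: scripted equivalent of the Add Roles / Configure AD CS wizard above.
# Assumes: elevated PowerShell on the domain-joined Windows Server 2012 R2 box,
# running as Enterprise Admin, with AD DS already in place (as the post requires).
Import-Module ServerManager

# Steps 3-11: add the Certification Authority and Web Enrollment role services
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# Steps 13-24: configure an Enterprise Root CA with a new private key and a
# 25-year CA certificate, exactly as chosen in steps 16, 17, 18 and 21 above.
$caParams = @{
    CAType              = 'EnterpriseRootCA'                        # steps 16 + 17
    CACommonName        = 'LAB-ROOT-CA'                             # assumed; step 20 kept the default
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = 2048                                      # assumed (step 19 kept defaults)
    HashAlgorithmName   = 'SHA256'                                  # assumed (step 19 kept defaults)
    ValidityPeriod      = 'Years'                                   # step 21
    ValidityPeriodUnits = 25                                        # step 21
    Force               = $true                                     # no interactive confirmation
}
Install-AdcsCertificationAuthority @caParams

# Step 15: Web Enrollment was selected alongside the CA, so configure it as well
Install-AdcsWebEnrollment -Force

# Quick checks: the CA service is running and the /certsrv page answers
Get-Service certsvc | Select-Object Name, Status
$page = Invoke-WebRequest "http://$env:COMPUTERNAME/certsrv/" -UseDefaultCredentials
"Web Enrollment HTTP status: $($page.StatusCode)"

# Step 26: reboot so the server picks up its own certificate from the new CA
# Restart-Computer
```

The Restart-Computer line is left commented so you can finish reading the output before rebooting, as step 26 asks.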
Certificate Expired ?? – Not any more
A certificate expiry can let all hell break loose in your test environment. To avoid unleashing havoc, we’ll see how to increase the validity period of our certificates. Those of you who have been following will notice that we already set the CA cert validity period to 25 years. So what remains is to increase the validity period of the signed CSRs.
Different OS versions will generate certs of different validity, generally 1 or 2 years.
Here’s how to check:
Open a command prompt on your Certificate Services computer and type these commands:
certutil -getreg CA\ValidityPeriodUnits
This will tell you how many years (validity period units) you can use with your certificates.
If you really want to verify that it is years, you can run this:
certutil -getreg CA\ValidityPeriod
Now, to change it so that you can issue certs for 10 years, run this command:
certutil -setreg CA\ValidityPeriodUnits 10
After you do that, restart the Active Directory Certificate Services service:
net stop certsvc
net start certsvc
Now you’re ready for the next step, which is to create a new template that you can use to issue SSL certs that are good for 10 years.
- Start by opening up a new MMC window (Start…Run…mmc.exe) and then add the Certification Authority (Local Computer) snap-in.
- Expand the Certification Authority, right-click on the Certificate Templates node and select Manage
- That opens up the Certificate Templates console
- Now, to simplify things you can just copy the existing Web SSL template. Scroll down the list of certificate templates until you find the one named Web Server, right-click on it and select Duplicate Template.
Note: Here, choose the Windows Server 2003 version template, as the later version templates are not available from the Web Enrollment console.
This has been documented in Microsoft KB article:
https://support.microsoft.com/en-us/help/2015796/version-3-cng-templates-will-not-appear-in-windows-server-2008-or-wind
- A dialog will pop up where you can set all the attributes that you want certificates based on this template to have. Here are the minimum changes you should make:
General tab: change the display name to something useful. In my case I called mine “Long Term Web Server”. Change the Validity Period to 10 years.
Subject Name tab: change the setting from "Build from this Active Directory information" to "Supply in the request" (the requester, not AD, then provides the subject name). This is what lists this template in the ‘Web Enrollment’ certificate request templates drop-down menu.
- You can close the Certificate Templates console now. You should be back on the original MMC window you opened, so click on Certificate Templates again and this time select New -> Certificate Template to Issue:
- That will bring up a dialog that lists the certificate templates, and you can select the certificate template you just created.
- After you do that restart the Active Directory Certificate Services service
net stop certsvc
net start certsvc
But be aware that after the issuing CA passes the fifteen-year mark, it will issue certs valid for less than 10 years until you renew the CA certificate.
The validity period will always be the lesser of:
- The validity period defined in the certificate template
- The ValidityPeriodUnits and ValidityPeriod registry entries
- The remaining lifetime of the issuing CA certificate
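To see that “lesser of” rule in action, and to read the same registry values the certutil -getreg checks above return, here is an added PowerShell function that is not part of the original post. It assumes it runs on the CA server itself (which in this guide is also the domain controller, so the ActiveDirectory module is available) and takes the template display name, defaulting to the “Long Term Web Server” template created above.

```powershell
# Added example: compute the longest certificate this CA will actually issue from a
# template, as the minimum of the three limits listed above. Assumes it runs on the
# CA server with the ActiveDirectory module; the template name is a parameter.
function Get-EffectiveMaxValidity {
    param([string]$TemplateDisplayName = 'Long Term Web Server')

    # 1. CA-wide cap: the ValidityPeriod / ValidityPeriodUnits registry entries
    #    (the same values "certutil -getreg CA\ValidityPeriod*" prints)
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty $cfg).Active
    $reg    = Get-ItemProperty "$cfg\$caName"
    $regSpan = switch ($reg.ValidityPeriod) {
        'Years'  { [TimeSpan]::FromDays(365.25 * $reg.ValidityPeriodUnits) }
        'Months' { [TimeSpan]::FromDays(30.44  * $reg.ValidityPeriodUnits) }
        'Weeks'  { [TimeSpan]::FromDays(7      * $reg.ValidityPeriodUnits) }
        'Days'   { [TimeSpan]::FromDays($reg.ValidityPeriodUnits) }
        'Hours'  { [TimeSpan]::FromHours($reg.ValidityPeriodUnits) }
    }

    # 2. Template cap: pKIExpirationPeriod in AD is a negative 64-bit count of 100 ns ticks
    $cnc  = (Get-ADRootDSE).configurationNamingContext
    $tmpl = Get-ADObject -Filter "displayName -eq '$TemplateDisplayName'" `
              -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cnc" `
              -Properties pKIExpirationPeriod
    $tmplSpan = [TimeSpan]::FromTicks(-[BitConverter]::ToInt64($tmpl.pKIExpirationPeriod, 0))

    # 3. Remaining lifetime of the CA certificate itself (exported with certutil)
    $tmp = Join-Path $env:TEMP 'ca-cert-check.cer'
    certutil -f -ca.cert $tmp | Out-Null
    $caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $tmp
    $caSpan = $caCert.NotAfter - (Get-Date)

    # The issued lifetime is the smallest of the three
    $effective = @($regSpan, $tmplSpan, $caSpan) | Sort-Object | Select-Object -First 1
    [pscustomobject]@{
        CA                = $caName
        RegistryCapYears  = [math]::Round($regSpan.TotalDays  / 365.25, 1)
        TemplateCapYears  = [math]::Round($tmplSpan.TotalDays / 365.25, 1)
        CARemainingYears  = [math]::Round($caSpan.TotalDays   / 365.25, 1)
        EffectiveMaxYears = [math]::Round($effective.TotalDays / 365.25, 1)
    }
}

Get-EffectiveMaxValidity
```

With the settings from this guide (registry cap 10, template 10, CA cert 25 years) EffectiveMaxYears starts at 10 and only drops below that once CARemainingYears falls under 10, i.e. after the fifteen-year mark mentioned above.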