{"id":1243,"date":"2015-12-31T21:09:00","date_gmt":"2015-12-31T21:09:00","guid":{"rendered":"https:\/\/jay-miah.co.uk\/?p=1243"},"modified":"2024-11-18T15:12:46","modified_gmt":"2024-11-18T15:12:46","slug":"install-certification-authority-on-server-2012-r2","status":"publish","type":"post","link":"https:\/\/jay-miah.co.uk\/index.php\/install-certification-authority-on-server-2012-r2\/","title":{"rendered":"Install Certification Authority on Server 2012 R2"},"content":{"rendered":"

Microsoft\u2019s Certification Authority is designed on Public Key Infrastructure, the CA is responsible for attesting to the identity of users, computers and organizations. the CA authenticates an entity and vouches for an identity by issuing a digital certificate which is signed by the CA. The CA also manages the revocation and renewal of certificates. Certificates are used everywhere to validate identities, most common application is the Internet where a web site is verified its authenticity with\u00a0a certificate signed by a known CA. Certificates also play a major part in the internal organisation for security and authentication. Certificate based authentication is considered one of the most secure methods as its uses public key\/private key to encrypt data\/decrypt data. In wireless networking EAP-TLS uses certificates to authenticate users who join the network, users are individually issued certificates signed by the CA.<\/p>\n

In this basic step-by-step guide we will install the certification Authority server role and configure it. Lets get started!<\/p>\n

Install the Certification Authority Server Role\u00a0<\/strong><\/p>\n

1.<\/strong>\u00a0Login to Windows Server 2012 and launch\u00a0\u201cServer Manager\u201d\u00a0from the toolbar<\/p>\n

\"0.0.0.1\"<\/p>\n

\"0.0.1\"<\/p>\n

2.<\/strong>\u00a0From the \u201cManage\u201d\u00a0button select\u00a0\u201cAdd roles and features\u201d<\/p>\n

\"0.1\"<\/p>\n

3.<\/strong>\u00a0At the Wizard click\u00a0\u201cNext\u201d<\/p>\n

<\/p>\n

4.<\/strong>\u00a0Select\u00a0\u201cRole-Based or Feature-based installation\u201d\u00a0and click\u00a0\u201cNext\u201d<\/p>\n

<\/p>\n

5.<\/strong>\u00a0Click\u00a0\u201cSelect a server from a server pool\u201d\u00a0and highlight the\u00a0current\u00a0server, click\u00a0\u201cNext\u201d<\/p>\n

<\/p>\n

6.<\/strong>\u00a0Tick the\u00a0\u201cActive Directory Certificate Services\u201d\u00a0box , a new Window will pop up click\u00a0\u201cAdd Features\u201d<\/p>\n

\"7\"<\/p>\n

<\/p>\n

7.<\/strong>\u00a0Click\u00a0\u201cNext\u201d<\/p>\n

<\/p>\n

8.<\/strong>\u00a0At the features window, click\u00a0\u201cNext\u201d\u00a0no need to select anything further as we are not installing any additional features<\/p>\n

<\/p>\n

9.<\/strong>\u00a0Have a quick read of the role description and click\u00a0\u201cNext\u201d<\/p>\n

<\/p>\n

10.<\/strong>\u00a0From the role services list select\u00a0\u201cCertification Authority\u201d\u00a0and\u00a0\u201cCertification authority Web Enrolment\u201d<\/p>\n

<\/p>\n

Click\u00a0\u201cAdd Features\u201d\u00a0at the popup for IIS installation<\/p>\n

\"13\"<\/p>\n

11.\u00a0<\/strong>Click\u00a0\u201cNext\u201d<\/p>\n

\"14\"<\/p>\n

12.\u00a0<\/strong>Click\u00a0\u201cNext\u201d<\/p>\n

\"15\"<\/p>\n

13.\u00a0<\/strong>Click\u00a0\u201cNext\u201d<\/p>\n

\"16\"<\/p>\n

14.<\/strong>\u00a0Select the\u00a0\u201cRestart the destination server automatically if required\u201d\u00a0tick box.\u00a0This will allow the server to restart automatically if a reboot is required at the end of the install.<\/p>\n

<\/p>\n

at the warning prompt select\u00a0\u201cYes\u201d<\/p>\n

\"18\"<\/p>\n

15.<\/strong>\u00a0Once the role is installed, click\u00a0\u201cClose\u201d<\/p>\n

<\/p>\n

 <\/p>\n

Configure the Role<\/strong><\/p>\n

1.<\/strong>\u00a0\u00a0From server manage click on the yellow warning message, select\u00a0\u201cConfigure Active Directory Certificate Services on this Server\u201d<\/p>\n

\"21\"<\/p>\n

2.\u00a0<\/strong>\u00a0At the configuration wizard click\u00a0\u201cNext\u201d<\/p>\n

\"22\"<\/p>\n

3.<\/strong>\u00a0Tick both role services and click\u00a0\u201cNext\u201d<\/p>\n

\"23\"<\/p>\n

4.\u00a0<\/strong>Select\u00a0\u201cEnterprise CA\u201d\u00a0and click\u00a0\u201cNext\u201d<\/p>\n

\"24\"<\/p>\n

5.\u00a0<\/strong>Select\u00a0\u201cRoot CA\u201d\u00a0and click\u00a0\u201cNext\u201d<\/p>\n

\"25\"<\/p>\n

6.\u00a0<\/strong>Select\u00a0\u201ccreate a new private key\u201d\u00a0and click\u00a0\u201cNext\u201d<\/p>\n

\"26\"<\/p>\n

7.\u00a0<\/strong>Leave the default values for the private key information and click\u00a0\u201cNext\u201d<\/p>\n

\"27\"<\/p>\n

8.<\/strong>\u00a0The name of the CA server can be changed in this step however in this example we will leave the default name. Click\u00a0\u201cNext\u201d<\/p>\n

\"28\"<\/p>\n

9.\u00a0<\/strong>The CA Certificate default\u00a0validity period is 5 years this can be changed if required, Click\u00a0\u201cNext\u201d<\/p>\n

\"29\"<\/p>\n

10.\u00a0<\/strong>leave the default location of storing the database files and click\u00a0\u201cNext\u201d<\/p>\n

\"30\"<\/p>\n

11.\u00a0<\/strong>Review the configuration and click\u00a0\u201cConfigure\u201d<\/p>\n

\"31\"<\/p>\n

\"32\"<\/p>\n

12.\u00a0<\/strong>Once configuration is complete, click\u00a0\u201cClose\u201d<\/p>\n

\"33\"<\/p>\n

 <\/p>\n

Configure IIS<\/strong><\/p>\n

By default IIS does not have https enabled for our web enrolment service, we need to allow https connections and define a certificate for the service to use. http connection will work, however in the event the CA server is being accessed from another source to request a certificate, the credentials will be sent over in clear text therefore its important to set this up so SSL can be used.<\/p>\n

1.<\/strong>\u00a0Click\u00a0\u201cStart\u201d\u00a0and type\u00a0\u201cIIS Manager\u201d<\/p>\n

\"35\"<\/p>\n

2.\u00a0<\/strong>Expand\u00a0\u201cServer Name\u201d \u2013 \u201cSites\u201d, right click\u00a0\u201cDefault Web Site\u201d\u00a0and select\u00a0\u201cEdit Bindings\u201d<\/p>\n

\"36\"<\/p>\n

3.<\/strong>\u00a0Click\u00a0\u201cAdd\u201d<\/p>\n

\"37\"<\/p>\n

4.<\/strong>\u00a0From the SSL drop down Menu, Select the Server certificate that should have been generated automatically by the CA, in this case its the\u00a0\u201cLNS-VCENTRE-01.Internal\u201d\u00a0if for any reason this certificate is not yet present, one can be generated by selecting\u00a0\u201cCreate a Self-Signed\u201d Certificate\u201d\u00a0from the right hand pane within IIS. the CA certificate doesn\u2019t always work when using web enrolment so selecting the correct certificate is important.<\/p>\n

<\/p>\n

5.\u00a0<\/strong>From the right hand pane within IIS, select\u00a0\u201cBrowse*:443 (https)\u201d<\/p>\n

\"39\"<\/p>\n

6.\u00a0<\/strong>The browser will launch with\u00a0\u201chttps:\/\/localhost\/certsrv\u201d\u00a0in the address field. Click\u00a0\u201cContinue\u201d<\/p>\n

\"40\"<\/p>\n

From the web interface, we can start requesting certificates from the CA for our organisation.<\/p>\n

\"41\"
\n<\/strong><\/a><\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

Microsoft\u2019s Certification Authority is designed on Public Key Infrastructure, the CA is responsible for attesting to the identity of users, computers and organizations. the CA<\/p>\n","protected":false},"author":1,"featured_media":1269,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[151],"tags":[31,120,121,32,119,123,122],"class_list":["post-1243","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-server-endpoint","tag-certificate-authority","tag-iis","tag-microsoft-ca","tag-pki","tag-server-role","tag-tagsca","tag-web-enrolment"],"_links":{"self":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/1243","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=1243"}],"version-history":[{"count":1,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/1243\/revisions"}],"predecessor-version":[{"id":1284,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/1243\/revisions\/1284"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media\/1269"}],"wp:attachment":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=1243"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=1243"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=1243"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}