{"id":212,"date":"2022-12-17T21:47:00","date_gmt":"2022-12-17T21:47:00","guid":{"rendered":"https:\/\/jay-miah.co.uk\/?p=212"},"modified":"2024-11-18T15:11:42","modified_gmt":"2024-11-18T15:11:42","slug":"install-certificate-services-on-windows-server-2022","status":"publish","type":"post","link":"https:\/\/jay-miah.co.uk\/index.php\/install-certificate-services-on-windows-server-2022\/","title":{"rendered":"Install Certificate Services on Windows Server 2022"},"content":{"rendered":"

A Certificate Authority is an entity that stores, signs and issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others to rely upon signatures made about the private key that corresponds to the certified public key.<\/p>\n

Microsoft\u2019s Certification Authority is based on Public Key Infrastructure. The Active Directory Certificate Services role can be deployed on most Windows Server operating systems and provides the ability to act as an Enterprise or Standalone Root CA.<\/p>\n

Using a Windows Root CA server is very useful for many applications, for example \u2013 if deploying 802.1x with certificate-based authentication or EAP-TLS for Wireless 802.1x, a Windows Server provides the ability to enrol and automatically distribute certificates to endpoints with ease through Microsoft Group Policy.<\/p>\n

A CA Server can also be used to sign certificates for Servers, Network and Security Devices within an internal organisation. Certificate based authentication is considered one of the most secure methods as its uses public key and private key to encrypt and decrypt data.<\/p>\n

In this basic step-by-step guide, we will install the Active Directory Certificate Services role and configure it.<\/p>\n

A fresh new virtual instance of Windows Server 2022 has been installed, this server has been renamed, basic networking has been configured and it has been joined to the Active Directory Domain.<\/p>\n

Let\u2019s get started!<\/p>\n

Install the Certification Authority Server Role<\/h4>\n

1.<\/strong> Login to Windows Server 2022 and launch \u201cServer Manager\u201d<\/p>\n

<\/p>\n

2.<\/strong> Click the \u201cManage\u201d button select \u201cAdd roles and features\u201d<\/p>\n

<\/p>\n

3.<\/strong> At the Wizard click \u201cNext\u201d<\/p>\n

<\/p>\n

4.<\/strong> Select \u201cRole-Based or Feature-based installation\u201d and click \u201cNext\u201d<\/p>\n

<\/p>\n

5.<\/strong> Click \u201cSelect a server from a server pool\u201d and highlight the current server, click \u201cNext\u201d<\/p>\n

<\/p>\n

6.<\/strong> Tick the \u201cActive Directory Certificate Services\u201d box, a new Window will pop up click \u201cAdd Features\u201d<\/p>\n

<\/p>\n

<\/p>\n

7.<\/strong> Click \u201cNext\u201d<\/p>\n

<\/p>\n

8.<\/strong> At the features window, click \u201cNext\u201d we are not installing any additional features<\/p>\n

<\/p>\n

9.<\/strong> Read of the role description and, note the tasks that cannot be performed once the CA role is installed. click \u201cNext\u201d<\/p>\n

<\/p>\n

10.<\/strong> From the role services list select \u201cCertification Authority\u201d and \u201cCertification authority Web Enrollment\u201d<\/p>\n

<\/p>\n

Click \u201cAdd Features\u201d at the popup for IIS installation<\/p>\n

<\/p>\n

11.<\/strong> Click \u201cNext\u201d<\/p>\n

<\/p>\n

12.<\/strong> Click \u201cNext\u201d<\/p>\n

<\/p>\n

13.<\/strong> Click \u201cNext\u201d<\/p>\n

<\/p>\n

14.<\/strong> Select the \u201cRestart the destination server automatically if required\u201d tick box. This will allow the server to restart automatically if a reboot is required at the end of the install. Finally click \u201cInstall\u201d<\/p>\n

<\/p>\n

15.<\/strong> Once the role is installed, click \u201cClose\u201d<\/p>\n

<\/p>\n

Configure the Role<\/h4>\n

1.<\/strong> From Server Manager click on the yellow warning message, select \u201cConfigure Active Directory Certificate Services on this Server\u201d<\/p>\n

<\/p>\n

2.<\/strong> At the configuration wizard click \u201cchange\u201d<\/p>\n

<\/p>\n

3.<\/strong> Provide the Domain Admin user account credentials and click \u201cOK\u201d<\/p>\n

<\/p>\n

4.<\/strong> Note the change in the \u201cCredentials\u201d window, click \u201cNext\u201d<\/p>\n

<\/p>\n

5.<\/strong> Tick both role services and click \u201cNext\u201d<\/p>\n

<\/p>\n

6.<\/strong> Select \u201cEnterprise CA\u201d and click \u201cNext\u201d<\/p>\n

<\/p>\n

7.<\/strong> Select \u201cRoot CA\u201d and click \u201cNext\u201d<\/p>\n

<\/p>\n

8.<\/strong> Select \u201cCreate a new private key\u201d and click \u201cNext\u201d<\/p>\n

<\/p>\n

9.<\/strong> Leave the default values for the private key information and click \u201cNext\u201d<\/p>\n

<\/p>\n

10.<\/strong> Specify the common name for the CA or leave as default. Click \u201cNext\u201d<\/p>\n

<\/p>\n

11.<\/strong> Specify the CA Certificate default validity period, this is set to 5 years by default, this can be changed if required, Click \u201cNext\u201d<\/p>\n

<\/p>\n

12.<\/strong> leave the default location of storing the database files and click \u201cNext\u201d<\/p>\n

<\/p>\n

13.<\/strong> Review the configuration and click \u201cConfigure\u201d<\/p>\n

<\/p>\n

14.<\/strong> Once configuration has successfully completed, click \u201cClose\u201d<\/p>\n

<\/p>\n

Configure IIS<\/h4>\n

By default, IIS does not have HTTPS enabled for the web enrollment service, we need to allow HTTPS connections and define a certificate for the service to use. HTTP connections will work, however in the event the CA server is being accessed from another source to request a certificate, the credentials will be sent over in clear text. It\u2019s important we modify this to use SSL.<\/p>\n

1.<\/strong> Click \u201cStart\u201d and type \u201cIIS Manager\u201d<\/p>\n

<\/p>\n

2.<\/strong> Expand \u201cServer Name\u201d \u2013 \u201cSites\u201d, right click \u201cDefault Web Site\u201d and select \u201cEdit Bindings\u201d<\/p>\n

<\/p>\n

3.<\/strong> Click \u201cAdd\u201d<\/p>\n

<\/p>\n

4.<\/strong> Select \u201chttps\u201d then from the \u201cSSL Certificate\u201d drop down menu, Select the Server certificate that should have been generated automatically by the CA, in this case it\u2019s the \u201cLNS-LNS-CA-01-CA\u201d.<\/p>\n

If for any reason this certificate is not yet present, one can be generated by selecting \u201cCreate a Self-Signed\u201d Certificate\u201d from the right-hand pane within IIS.<\/p>\n

Click \u201cView\u201d to check the contents of the certificate, then click \u201cOK, and \u201cOK\u201d to save the changes and return to the IIS window.<\/p>\n

<\/p>\n

<\/p>\n

5.<\/strong> From the right-hand pane within IIS, select \u201cBrowse*:443 (https)\u201d<\/p>\n

<\/p>\n

6.<\/strong> The browser will launch with \u201chttps:\/\/localhost\/certsrv\u201d in the address field. Click \u201cContinue\u201d<\/p>\n

<\/p>\n

From the web interface, we can start requesting certificates from the CA for our organisation. To access this portal from other devices, you can navigate to \u201chttps:\/\/IP Address or DNS name\/certsrv\u201d<\/p>\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

A Certificate Authority is an entity that stores, signs and issues digital certificates. A digital certificate certifies the ownership of a public key by the<\/p>\n","protected":false},"author":1,"featured_media":256,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[151],"tags":[29,30,31,34,32,33],"class_list":["post-212","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-server-endpoint","tag-ca","tag-certificate","tag-certificate-authority","tag-encryption","tag-pki","tag-ssl"],"_links":{"self":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/212","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=212"}],"version-history":[{"count":3,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/212\/revisions"}],"predecessor-version":[{"id":258,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/212\/revisions\/258"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media\/256"}],"wp:attachment":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=212"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=212"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=212"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}