In this Lab we will perform following tasks
- Things to know about CA
- Create a VM for Microsoft CA Server
- Our Perquisites configuration for CA Server
- Verify settings after Configuration
- Install Microsoft CA Server
- Check/Verify Microsoft CA Working after Installation
1-Things to Know about CA
Certain versions of Server 2008 only allow certain AD CS components to be installed; please take a look at this table for reference:
|Network Device enrollment service||No||No||Yes||Yes|
|Online Responder service||No||No||Yes||Yes|
1) CA – issues certificates to users, computers and services while also managing their validity; comes in root and subordinate
2) Network Device Enrollment Service – allows network devices (i.e. routers) to request and receive certificates based on Simple Certificate Enrollment Protocol (SCEP)
3) Online Responder Service – implements Online Certificate Status Protocol (OCSP) by evaluating certificate status, decoding revocation status requests, and sending back signed responses containing certificate status information
4) There are two varieties of root CA’s: the Enterprise and Stand-Alone. Each has their advantages and configuration, but in this case we are going to install an Enterprise CA. I am going to be installing this root CA server in my Lab Active directory domain named vmlab.com on a Windows Server 2008 Standard Edition version.
2-Create a VM for Microsoft CA Server
Use the following specs to create a VM for CA Server and install OS.
- Right Click on Server and Choose New Virtual Machine
- Enter VM Name (Cloud-CA) and Inventory Location
- Select Datastore
- Select Virtual Machine Version: select latest available
- Select “Microsoft Windows Server 2008 R2 (64-bit)” as OS Version
- # of Virtual Processors: 1
- Amount of RAM: 4GB
- # of NICs: 1
- Adapter Type: VMXNET3
- Select “Connect at Power On
- SCSI Controller: LSI Logic SAS
- Create New Virtual Disk: 40GB
- Use thin provision
- Install OS.
3-Our Perquisites configuration for CA Server
Before starting to install CA Server. Configure following perquisite
- Set system name (cloud-ca.vmlab.com)
- Configure an IP address (192.168.150.2)
- Enable remote desktop
- Verify time and time zone settings (GMT+5) or whatever your time zone is.
- Enter forward and Reverse DNS Entry for cloud.ca.vmlab.com
- Join CA server to domain
- Disable Windows Firewall
4-Verify settings after Configuration
In the “Server Manager”, Verify the perquisite settings are correctly configured.
Go to active directory server and make sure CA server DNS (forward and reverse) entries exists, if not then create it and check his working using ping or nslookup command.
5-Install Microsoft CA Server
Go to “Server Manager”, select Roles in the left pane, then “Add Roles” in the right pane.
Place a check mark in the check box for “Active Directory Certificate Services”. Then click “Next.”
Review and read it carefully and click “Next”
Select “Certification Authority” and “Certification Authority Web Enrollment” role service, click “Next”.
When you select “Certification Authority Web Enrollment”, web enrollment service required IIS, if it was not installed on your CA Server then he will prompt you for installation as shown below. Click “Add Required Roe services” and then click “Next”
Select “Enterprise CA” from Specify Setup Type then Click “Next”
Because it is the first CA server in our domain, so choose CA type as “Root CA”. Click “Next”
Setup Private Key section choose Create a “new private key”. Click “Next”
Configure cryptography for CA; in lab “leave default” settings but in production you should change his key length into 4096, Click “Next”
Configure CA name; “leave the default settings”. It will generate according to your domain name and computer name. Verify the highlighted information if everything is correct then click “Next”
Please keep in mind while selecting validity period for Root CA” it will take half from” the selected period, for example if you want to set your CA validity “period into 5 Years then should set 10 year instead of 5 years”.in my lab default would be fine. Click “Next”.
Configure Certificate Database will let you specify where you want to put the database and log files for the CA.I am going to “leave the default” in place. Click “Next”.
This step only appear, if IIS server is not installed on CA Server, Click “Next” to install it.
Add some extra services, if you have requirement. In my lab, I leave as default. Click “Next”
On the Confirm Installation selections you can see the answers you have chosen and you will again see a warning that you cannot change the computer name or domain settings for this server after installing the CA. go ahead and click “Install”.
After a few minutes you will see the Installation Results, and with any luck you will have the message: Installation succeeded.
After your glow of certificate happiness fades go ahead and click “Close”.
6-Check/Verify CA’s Working after Installation
Now let’s go in and take a look by clicking on Certification Authority in Administrative Tools (if you get a UAC pop up just click Ok)
Now you can see the snap-in is showing the CA named “vmlab-cloud-CA-CA” in the left pane with a bunch of folders for certificates.
You can also see that if you click the Certificate Templates folder, there are quite a few default templates that are already setup and ready to go
To access CA portal from web use http://cloud-ca.vmlab.com/certsrv, it will prompt you for credentials supply domain admin credentials and click ok.
Please take a look at portal, we will use this to request the client certificate from the CA server and some other CA tasks.