Cloud Lab-3: How to Install Microsoft Certificate Authority (CA) Server

LAB-3 TASKS

In this lab we will perform the following tasks:

  1. Things to know about CA
  2. Create a VM for Microsoft CA Server
  3. Our prerequisite configuration for CA Server
  4. Verify settings after configuration
  5. Install Microsoft CA Server
  6. Check/verify Microsoft CA working after installation

1-Things to Know about CA

Certain editions of Server 2008 only allow certain AD CS components to be installed; please take a look at this table for reference:

Component                           Web   Standard   Enterprise   Datacenter
CA                                  No    Yes        Yes          Yes
Network Device Enrollment Service   No    No         Yes          Yes
Online Responder Service            No    No         Yes          Yes

  1) CA – issues certificates to users, computers and services while also managing their validity; comes in root and subordinate varieties.

  2) Network Device Enrollment Service – allows network devices (e.g. routers) to request and receive certificates using the Simple Certificate Enrollment Protocol (SCEP).

  3) Online Responder Service – implements the Online Certificate Status Protocol (OCSP) by evaluating certificate status, decoding revocation status requests, and sending back signed responses containing certificate status information.

  4) There are two varieties of root CAs: Enterprise and Stand-Alone. Each has its own advantages and configuration, but in this case we are going to install an Enterprise CA. I am going to be installing this root CA server in my lab Active Directory domain named vmlab.com on a Windows Server 2008 Standard Edition server.

2-Create a VM for Microsoft CA Server

Use the following specs to create a VM for the CA Server and install the OS.

  • Right-click on the server and choose New Virtual Machine
  • Enter VM Name (Cloud-CA) and Inventory Location
  • Select Datastore
  • Select Virtual Machine Version: select the latest available
  • Select “Microsoft Windows Server 2008 R2 (64-bit)” as OS Version
  • Number of Virtual Processors: 1
  • Amount of RAM: 4GB
  • Network
      • Number of NICs: 1
      • Adapter Type: VMXNET3
      • Select “Connect at Power On”
  • SCSI Controller: LSI Logic SAS
  • Create New Virtual Disk: 40GB
  • Use thin provisioning
  • Install the OS.

3-Our Prerequisite Configuration for CA Server

Before starting to install the CA Server, configure the following prerequisites:

  • Set the system name (cloud-ca.vmlab.com)
  • Configure an IP address (192.168.150.2)
  • Enable Remote Desktop
  • Verify the time and time zone settings (GMT+5, or whatever your time zone is)
  • Enter forward and reverse DNS entries for cloud-ca.vmlab.com
  • Join the CA server to the domain
  • Disable Windows Firewall

4-Verify Settings after Configuration

In “Server Manager”, verify that the prerequisite settings are correctly configured.

cloud-lab3ca1

Go to the Active Directory server and make sure the CA server’s DNS entries (forward and reverse) exist; if not, create them and check that they resolve using the ping or nslookup command.
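The same prerequisite checks can be run from the CA server itself before starting the role installation. This is an added example, not part of the original lab; it uses the lab’s host name, IP and domain (cloud-ca, 192.168.150.2, vmlab.com) as assumed values, and it relies only on WMI, .NET and w32tm so it works on the PowerShell 2.0 that ships with Server 2008 R2.

```powershell
# Added example (not from the original lab): checks the section-3 prerequisites
# from the CA server. The values below are the lab's; adjust them for your environment.
$ExpectedName   = 'cloud-ca'
$ExpectedFqdn   = 'cloud-ca.vmlab.com'
$ExpectedIp     = '192.168.150.2'
$ExpectedDomain = 'vmlab.com'

function Test-Check($Name, $Ok, $Detail) {
    $status = if ($Ok) { 'PASS' } else { 'FAIL' }
    Write-Output ("[{0}] {1}: {2}" -f $status, $Name, $Detail)
}

# 1. Host name and domain membership (Win32_ComputerSystem exists on 2008 R2)
$cs = Get-WmiObject Win32_ComputerSystem
Test-Check 'Host name'   ($cs.Name -ieq $ExpectedName) $cs.Name
Test-Check 'Domain join' ($cs.PartOfDomain -and ($cs.Domain -ieq $ExpectedDomain)) $cs.Domain

# 2. The expected IPv4 address is bound to an enabled NIC
$ips = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=true' |
       ForEach-Object { $_.IPAddress } | Where-Object { $_ -like '*.*' }
Test-Check 'IP address' ($ips -contains $ExpectedIp) ($ips -join ', ')

# 3. Forward lookup: FQDN -> expected IP (.NET resolver, no DnsClient module needed)
try {
    $fwd = [System.Net.Dns]::GetHostAddresses($ExpectedFqdn) |
           ForEach-Object { $_.IPAddressToString }
    Test-Check 'Forward DNS' ($fwd -contains $ExpectedIp) ($fwd -join ', ')
} catch { Test-Check 'Forward DNS' $false $_.Exception.Message }

# 4. Reverse lookup: IP -> FQDN (needs the PTR record created in AD DNS)
try {
    $rev = [System.Net.Dns]::GetHostEntry($ExpectedIp).HostName
    Test-Check 'Reverse DNS' ($rev -ieq $ExpectedFqdn) $rev
} catch { Test-Check 'Reverse DNS' $false $_.Exception.Message }

# 5. Remote Desktop enabled (fDenyTSConnections = 0 means connections are allowed)
$rdp = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections
Test-Check 'Remote Desktop' ($rdp -eq 0) "fDenyTSConnections=$rdp"

# 6. Time source: a domain member should sync from a DC, not the local CMOS clock
$src = (w32tm /query /source 2>&1) -join ' '
Test-Check 'Time source' ($src -notmatch 'Local CMOS Clock') $src
```

Any FAIL line points at a prerequisite to fix before adding the AD CS role, since the CA name and domain membership cannot be changed afterwards.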

cloud-lab3ca2

5-Install Microsoft CA Server

Go to “Server Manager”, select Roles in the left pane, then click “Add Roles” in the right pane.

cloud-lab3ca3

Click “Next”.

cloud-lab3ca4

Place a check mark in the check box for “Active Directory Certificate Services”, then click “Next”.

cloud-lab3ca5

Review the introduction page carefully and click “Next”.

cloud-lab3ca6

Select the “Certification Authority” and “Certification Authority Web Enrollment” role services, then click “Next”.

cloud-lab3ca7

When you select “Certification Authority Web Enrollment”, note that the web enrollment service requires IIS; if IIS is not installed on your CA Server, the wizard will prompt you to install it as shown below. Click “Add Required Role Services” and then click “Next”.

cloud-lab3ca8

Select “Enterprise CA” under Specify Setup Type, then click “Next”.

cloud-lab3ca9

Because this is the first CA server in our domain, choose “Root CA” as the CA type. Click “Next”.

cloud-lab3ca10

In the Set Up Private Key section, choose “Create a new private key”. Click “Next”.

cloud-lab3ca11

Configure cryptography for the CA; in the lab, leave the default settings, but in production you should change the key length to 4096. Click “Next”.

cloud-lab3ca12

Configure the CA name; leave the default settings. The name is generated from your domain name and computer name. Verify the highlighted information and, if everything is correct, click “Next”.

cloud-lab3ca13

Please keep in mind while selecting the validity period for the Root CA that it will take half of the selected period; for example, if you want your CA validity period to be 5 years, you should set 10 years instead of 5. In my lab the default will be fine. Click “Next”.

cloud-lab3ca14

Configure Certificate Database lets you specify where you want to put the database and log files for the CA. I am going to leave the defaults in place. Click “Next”.

cloud-lab3ca15

This step only appears if IIS is not already installed on the CA Server. Click “Next” to install it.

cloud-lab3ca16

Add extra IIS role services if you have a requirement for them. In my lab, I leave the defaults. Click “Next”.

cloud-lab3ca17

On the Confirm Installation Selections page you can see the choices you have made, and you will again see a warning that you cannot change the computer name or domain settings for this server after installing the CA. Go ahead and click “Install”.

cloud-lab3ca18

After a few minutes you will see the Installation Results and, with any luck, the message: Installation succeeded.

After your glow of certificate happiness fades, go ahead and click “Close”.

cloud-lab3ca19

6-Check/Verify the CA’s Working after Installation

Now let’s go in and take a look by clicking Certification Authority in Administrative Tools (if you get a UAC pop-up, just click OK).

cloud-lab3ca20

Now you can see the snap-in showing the CA named “vmlab-cloud-CA-CA” in the left pane, with a number of folders for certificates.

cloud-lab3ca21

You can also see that if you click the Certificate Templates folder, there are quite a few default templates already set up and ready to go.

cloud-lab3ca22

To access the CA portal from the web, use http://cloud-ca.vmlab.com/certsrv; it will prompt you for credentials, so supply domain admin credentials and click OK.

cloud-lab3ca23

Please take a look at the portal; we will use this to request client certificates from the CA server and for some other CA tasks.
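The snap-in and portal checks above can also be done from the command line, which is handy for confirming the lab is in the state later labs expect. This is an added example, not part of the original lab; it assumes the lab’s CA config string cloud-ca.vmlab.com\vmlab-cloud-CA-CA and the certsrv URL from this section, and it uses certutil (shipped with Windows) to ping the CA, export its certificate and check the key length that section 5 says should be 4096 bits in production.

```powershell
# Added example (not from the original lab): post-install checks for the new CA.
# CA config string and URL are the lab's; adjust them for your environment.
$CaConfig   = 'cloud-ca.vmlab.com\vmlab-cloud-CA-CA'
$WebEnroll  = 'http://cloud-ca.vmlab.com/certsrv/'
$MinKeyBits = 4096   # the lab keeps the 2048-bit default; production should use 4096

function Test-Check($Name, $Ok, $Detail) {
    $status = if ($Ok) { 'PASS' } else { 'FAIL' }
    Write-Output ("[{0}] {1}: {2}" -f $status, $Name, $Detail)
}

# 1. The Active Directory Certificate Services service must be running
$svc = Get-Service CertSvc -ErrorAction SilentlyContinue
Test-Check 'CertSvc service' ($svc -ne $null -and $svc.Status -eq 'Running') ("Status: " + $svc.Status)

# 2. The CA answers over DCOM (the same path the Certification Authority snap-in uses)
$ping = certutil -config $CaConfig -ping 2>&1
Test-Check 'certutil -ping' ($LASTEXITCODE -eq 0) (($ping | Select-Object -Last 1) -join '')

# 3. Export the CA certificate and read its key length and expiry from certutil -dump
$cer = Join-Path $env:TEMP 'cacert.cer'
certutil -config $CaConfig -ca.cert $cer | Out-Null
$dump = certutil -dump $cer
$m = $dump | Select-String 'Public Key Length: (\d+) bits' | Select-Object -First 1
$bits = if ($m) { [int]$m.Matches[0].Groups[1].Value } else { 0 }
Test-Check 'CA key length' ($bits -ge $MinKeyBits) "$bits bits (lab default is 2048)"
$na = $dump | Select-String 'NotAfter: (.*)' | Select-Object -First 1
Test-Check 'CA certificate expiry' ($na -ne $null) $(if ($na) { $na.Matches[0].Groups[1].Value.Trim() } else { 'not found' })

# 4. Templates are published on the CA (the Certificate Templates folder in the snap-in)
$tmpl = certutil -config $CaConfig -catemplates 2>&1
$count = ($tmpl | Select-String '^\S+:' ).Count
Test-Check 'Published templates' ($LASTEXITCODE -eq 0 -and $count -gt 0) "$count template(s)"

# 5. Web enrollment page answers with the current user's Windows credentials
$wc = New-Object System.Net.WebClient
$wc.UseDefaultCredentials = $true
try {
    $html = $wc.DownloadString($WebEnroll)
    Test-Check 'Web enrollment' ($html -match 'Active Directory Certificate Services') $WebEnroll
} catch { Test-Check 'Web enrollment' $false $_.Exception.Message }
```

Run it in an elevated PowerShell session as a domain admin; a FAIL on the key length in the lab is expected, since the lab kept the 2048-bit default.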

cloud-lab3ca24
