
Windows Server 2008 R2 : Active Directory certificate services (part 2) - Deploying Active Directory Certificate Services

6/1/2014 4:43:16 AM

2. Deploying Active Directory Certificate Services

Now that we have explored the planning process for an Active Directory Certificate Services-based PKI, we will walk through the process to install and set up a two-level or two-tier PKI deployment. In our exercise, we will be using a server named RootCA which will be deployed as a standalone CA used for our Root CA. We will be using a secondary server named SyngressCA which will be a policy and issuing subordinate CA. The SyngressCA will be an Enterprise CA installation.

First, we need to set up and install our Root CA. To set up the Root CA, log on to the RootCA server and perform the following tasks:

  1. Open Server Manager.

  2. Select the Roles node and then click the Add Roles link in the middle pane, which will launch the Add Roles Wizard.

  3. Click Next to begin the wizard.

  4. Select the Active Directory Certificate Services role as seen in Figure 3, then click Next.

    Figure 3. Active Directory Certificate Services Role.

  5. On the introduction page, click Next to continue.

  6. Be sure that only the Certificate Authority role service is selected (see Figure 4), then click Next.

    Figure 4. Active Directory Certificate Services Role Services Selection.

  7. You will notice that since the computer is not a member of an AD domain, it can only be a Standalone CA (see Figure 5). Ensure that the Standalone CA is selected, then click Next.

    Figure 5. Selecting Standalone CA.

  8. Select the Root CA option for the CA type (see Figure 6), then click Next.

    Figure 6. Selecting to install Root CA.

  9. You now need to create a new private key for the CA. If you happen to restore a CA from backup, you would want to select the option Use existing private key. This would ensure that the certificate chain remains intact and all issued certificates would remain valid in the event of the need to restore the CA. Since we are setting up a new CA, choose the option Create a new private key and then click Next.

  10. You now need to select a cryptographic service provider, key length, and hash algorithm (see Figure 7) to use for signing certificates. A longer key and a stronger hash algorithm make the CA key harder to attack, but they also add load on the server's CPU. In most cases, the default selections are sufficient. For high-security environments, you may want to increase the key length and choose stronger algorithms. Then click Next to continue.

    Figure 7. Selecting cryptography service and hash algorithm.

  11. You now need to provide a meaningful name and description for the CA. In our example, we will name the CA “SyngressRootCA.” After entering a name for the CA, click Next to continue.

  12. Select the number of years that you want certificates issued from this CA to be valid (see Figure 8). Since the Root CA is only issuing certificates for other CAs, this period can be longer than certificates being issued from issuing CAs. In our example, we selected 10 years. After selecting the validity period, click Next to continue.

    Figure 8. Select Certificate Validity Period.

  13. You now need to select the location to store the CA database and certificate configuration information. Remember that standalone CAs do not store this information in AD but in the file system on the local server. As a best practice, ensure that this data is on a reliable and redundant disk subsystem such as a mirrored disk drive. After selecting the path to store configuration information, click Next to continue.

  14. Confirm the settings on the confirmation page, then click Install.

  15. After the install completes successfully, click Close to close the Add Roles Wizard.

You have now successfully installed your Root CA. The next step is to set up the issuing subordinate CA named SyngressCA. On this server, we will be setting up an Enterprise CA. You will want to ensure it is part of the domain before you begin installation. To set up the CA, log on to the server SyngressCA and perform the following tasks:

  1. Open Server Manager.

  2. Select the Roles node and click the Add Roles link in the middle pane. This will launch the Add Roles Wizard.

  3. Click Next to continue.

  4. Select the Active Directory Certificate Services role and then click Next.

  5. On the Introduction page, click Next.

  6. For this CA, select all of the Role Services except Network Device Enrollment Service and Certificate Enrollment Web Service, as those cannot be installed at the same time as the CA (see Figure 9). If prompted to add any required role services, such as IIS, choose to add those. Then click Next to continue.

    Figure 9. Certificate Authority Role Services.

  7. This time you want to select the option to install an Enterprise CA. Notice that the Enterprise CA option is not grayed out, because the server is a member of an AD domain. After selecting to install an Enterprise CA, click Next to continue.

  8. You now want to select the option to set up this server as a Subordinate CA as seen in Figure 10; then click Next.

    Figure 10. Select the subordinate CA install option.

  9. Since this is a new CA, select the option Create a new private key and click Next to continue.

  10. Select the cryptography and hash methods to use. In this exercise, accept the defaults and click Next to continue.

  11. Enter a meaningful name for your CA. This is how the CA will be referred to in certificates and by computers. In our example, we name this CA SyngressCA as seen in Figure 11; then click Next.

    Figure 11. Name the Certificate Authority.

  12. We now need to select the parent CA from which we want to be issued a certificate. However, the parent CA (RootCA) is not a member of the domain and thus cannot be selected. To request a certificate, we need to choose the option to Save the request to file and manually send it later to a parent CA (see Figure 12); then click Next.

    Figure 12. Request Certificate from Parent CA.

  13. Select the location to save the certificate database, then click Next. Remember you may want to put the CA database files on disk drives that have RAID redundancy.

  14. You now need to select the authentication type. This is how clients will authenticate when sending Web requests to the server. In our example, we will use Windows Authentication. After selecting authentication type, click Next.

  15. Verify settings on the confirmation page, then click Install.

  16. After installation successfully finishes, click Close to close the Add Roles Wizard.

You have completed the process to install the CA role on each server. The next step is to configure CRL publishing on the Root CA and complete the certificate request from the issuing child CA. Perform the following procedures to accomplish these tasks.

First, we will create a CRL distribution point. Since the Root CA will be taken offline, we will publish the CRL to a folder on the local C: drive of the Root CA. We can then copy the CRL to removable media such as a USB drive.

  1. Log on to the Root CA (RootCA).

  2. Create a new folder named CRL at the root of C:\.

  3. Open Server Manager.

  4. Expand the node Roles | Active Directory Certificate Services.

  5. Right-click on the Root CA node (SyngressRootCA) and choose Properties.

  6. Select the Extensions tab.

  7. Make sure the CRL Distribution Point is selected from the drop-down menu, then click Add.

  8. In the location text box, enter the path C:\CRL\, then select each of the following options from the drop-down menu, and choose Insert:

    1. <CAName>

    2. <CRLNameSuffix>

    3. <DeltaCRLAllowed>

    Finally, type .crl at the end of the string. These options create the full location string C:\CRL\<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl (see Figure 13). By including these variables, the CRL file is named using the name of the CA, and the suffix variables distinguish delta CRLs from the base CRL. Click OK to save the CRL location.

    Figure 13. Create CRL Location.

  9. Select the options to Publish CRLs to this location and to Publish Delta CRLs to this location (see Figure 14); then click OK.

    Figure 14. CRL Publishing options.

  10. When prompted to restart Active Directory Certificate Services, click Yes.

  11. Expand the CA node in Server Manager and right-click the Revoked Certificates node and choose All Tasks | Publish.

  12. When prompted to publish a new CRL (see Figure 15), click OK.

    Figure 15. Publishing New CRL.

You should now be able to browse the path C:\CRL and see the newly published CRL as seen in Figure 16.

Figure 16. Published CRL.
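The same CRL distribution point and publishing steps can be scripted with certutil on the Root CA, which is useful for an offline root that is only powered on periodically. This is an added example, not part of the original walkthrough; it assumes the CA name SyngressRootCA and the C:\CRL folder used above, and that it runs in an elevated PowerShell prompt on RootCA.

```powershell
# Added example: configure and publish the Root CA CRL from the command line.
# Assumes the CA name SyngressRootCA and the folder C:\CRL from the walkthrough.
New-Item -ItemType Directory -Path C:\CRL -Force | Out-Null

# certutil tokens that match the wizard variables:
#   %3 = <CAName>, %8 = <CRLNameSuffix>, %9 = <DeltaCRLAllowed>
# Flag 1  = "Publish CRLs to this location"
# Flag 64 = "Publish Delta CRLs to this location"
# 65 = both. The leading "+" appends to the existing multi-string value
# instead of replacing the default publication locations.
certutil -setreg CA\CRLPublicationURLs "+65:C:\CRL\%3%8%9.crl"

# The new setting is only read when the service restarts
# (this is the restart prompt shown by the GUI in step 10).
Restart-Service certsvc

# Publish a new base CRL (the Revoked Certificates | All Tasks | Publish step).
certutil -CRL

# Confirm the file exists and check ThisUpdate/NextUpdate: the offline root
# must be brought up and publish again before NextUpdate is reached, or
# certificates chaining to it fail revocation checking.
Get-ChildItem C:\CRL\*.crl
certutil -dump C:\CRL\SyngressRootCA.crl | Select-String 'ThisUpdate|NextUpdate'
```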

Now that you have created the CRL, you need to copy it to the subordinate CA (SyngressCA). After copying the file to the subordinate CA, we need to import it into the certificate store. Perform the following tasks to import the CRL:

  1. Open a new MMC console by opening a run prompt from Start | Run. Enter mmc in the run box and click OK.

  2. Add the Certificates snap-in by going to File | Add/Remove Snap-in….

  3. Add the Certificates snap-in and choose Computer Account, then click OK.

  4. Right-click the Personal certificate store and choose All Tasks | Import.

  5. Click Next to begin the Import Wizard.

  6. Enter the path to the CRL file copied to the subordinate CA (see Figure 17), then click Next.

    Figure 17. Path to CRL.

  7. Accept the setting to place the certificate in the Personal store, then click Next. Then click Finish to import the CRL.

  8. Now that the CRL is imported on the subordinate CA, we are ready to issue a certificate from the Root CA to the subordinate CA, creating a certificate chain between the two. To begin, copy the request file that was created while adding the Active Directory Certificate Services role on the subordinate CA to the Root CA.

  9. On the Root CA (RootCA), open Server Manager.

  10. Expand the node Roles | Active Directory Certificate Services.

  11. Right-click on the Root CA and choose All Tasks | Submit New Request.

  12. Browse to the request file you copied over and click OK.

  13. You should now see the certificate request in the Pending Requests section (see Figure 18). Right-click the certificate request and choose All Tasks | Issue.

    Figure 18. Pending Certificate Request.

  14. You should now be able to click on the Issued Certificates node and see the certificate.

  15. Double-click the certificate to open it, then select the Details tab.

  16. Click the Copy to File button, which launches the Certificate Export Wizard. Click Next to begin.

  17. Select the option Cryptographic Message Syntax Standard - PKCS #7 Certificates. Then, select the checkbox to include all certificates in the certificate path if possible. Then click Next.

  18. Select a location and name to save the exported certificate. This is the location you need to copy the file from to be copied onto the subordinate CA. After selecting a path and file name, click Next. Click Finish to complete the wizard.

Now that you have issued and exported the certificate, copy the file to the subordinate CA (SyngressCA) and perform the following tasks to import the issued certificate.

  1. Open Server Manager on the subordinate CA.

  2. Expand the node Roles | Active Directory Certificate Services.

  3. Right-click the subordinate CA node (SyngressCA) and choose All Tasks | Install CA Certificate.

  4. Browse to the location of the issued certificate that was copied from the Root CA and select that certificate.

  5. You should now be able to start the subordinate CA by right-clicking on the CA and choosing All Tasks | Start Service.

After the service starts, the subordinate CA can begin issuing certificates in response to requests.
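The submit, issue, export and install steps above can also be done with certreq and certutil, which makes the round trip to an offline root repeatable. This is an added example, not part of the original walkthrough; it assumes the request was saved as C:\SyngressCA.req when the subordinate role was added (adjust the path), the config string RootCA\SyngressRootCA, and a placeholder RequestId that must be replaced with the value certreq prints.

```powershell
# --- Part A: run on the Root CA (RootCA) after copying the request file over ---

# Submit the subordinate CA request. A standalone root leaves it pending
# (the "Pending Requests" node in the GUI) and prints the RequestId.
certreq -submit -config "RootCA\SyngressRootCA" C:\SyngressCA.req

# Placeholder: replace with the RequestId printed by the submit step.
$requestId = 2

# Issue the pending request (the All Tasks | Issue step).
certutil -resubmit $requestId

# Retrieve the issued certificate plus a PKCS #7 file with the full chain,
# the same format the Certificate Export Wizard produces in step 17.
certreq -retrieve -config "RootCA\SyngressRootCA" $requestId C:\SyngressCA.cer C:\SyngressCA.p7b

# --- Part B: run on the subordinate CA (SyngressCA) after copying C:\SyngressCA.p7b over ---

# Install the CA certificate (the All Tasks | Install CA Certificate step),
# then start the service, which was left stopped by the role wizard.
certutil -installcert C:\SyngressCA.p7b
Start-Service certsvc

# Sanity check before issuing anything: the chain must build to
# SyngressRootCA, and revocation status depends on the root CRL that was
# imported earlier, so any "revocation offline" result means that CRL is missing or expired.
certutil -verify C:\SyngressCA.cer
```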
