![](http://2.bp.blogspot.com/-3vUHH0YMHgs/WJ3Wk6UxWvI/AAAAAAAAOJo/4HwuDYjE60wSYhURjZpfhTJ1GW5Bdw5UQCLcB/s1600/Certification-Authority-Windows-Server-2016.png)
This article will guide you through the steps to install and configure a certification authority on Windows Server 2016. We will be using test.com as our Active Directory domain throughout this guide.
Prerequisites
- Windows Server 2016 installed (bare metal or virtual machine)
- Active Directory Domain Services
Installing Web Server
To begin with the certification authority, first you need to install the Web Server (IIS) role on your Windows Server 2016 machine. Open up PowerShell and execute the following command:
Install-WindowsFeature Web-Server -IncludeManagementTools
Creating DNS CNAME Record For Web Server
To create the CNAME record, open up the DNS console on your Active Directory domain server and provide the required information according to your environment, as shown in the image below.
![](http://3.bp.blogspot.com/-VSyyPJz0NpM/WJ3LE_HpyMI/AAAAAAAAOIY/39XthDwPOzkw8sKqGVbEhB0bKWv0QT52gCLcB/s1600/Certification-Authority-Windows-Server-2016-1.png)
Creating Shared Folder
You need to create a shared folder where the Certificate Revocation List (CRL) and the certificates from the Certificate Authority (CA) will be stored. Open up PowerShell and execute the following commands:
New-Item C:\cert -Type Directory
New-SmbShare -Name 'cert' -Path 'C:\cert' -ChangeAccess 'test\cert publishers'
Now, download the NTFSSecurity module from here and import it using the following command.
Import-Module .\NTFSSecurity.psd1
You need to grant NTFS permissions on the folder so that the CDP and AIA URLs can be read anonymously. The following commands grant Read to Anonymous Logon and Full Control to Everyone. Note that clients fetching the CRL and CA certificate only need Read; write access should stay limited to the accounts that publish into the share (here test\cert publishers), because anyone who can overwrite the CRL or CA certificate files can tamper with what relying parties download.
Add-NTFSAccess -Path C:\cert -Account 'ANONYMOUS LOGON' -AccessRights Read
Add-NTFSAccess -Path C:\cert -Account 'Everyone' -AccessRights FullControl
Creating Virtual Directory
Open up the IIS Management Console and right-click Default Web Site > Add Virtual Directory.
![](http://4.bp.blogspot.com/-QfkfGmXph1s/WJ3LF1ffuOI/AAAAAAAAOI0/2ipM8Gk3RE8YvKFeMXLAxBbSKrn69G7UwCLcB/s1600/Certification-Authority-Windows-Server-2016-2.png)
Provide the following information according to your environment and click OK.
![](http://1.bp.blogspot.com/-Jf2-rB7iXH0/WJ3LF2_HvMI/AAAAAAAAOIw/y85zf8KOZTsOS-uViYqcO7axa9OxXswwgCLcB/s1600/Certification-Authority-Windows-Server-2016-3.png)
Now that the virtual directory has been added, select it in the left pane and double-click Request Filtering.
![](http://1.bp.blogspot.com/-Ec4_LFjEYLs/WJ3LGWrAgNI/AAAAAAAAOI4/UcXAMgdLHwYsXZSF48s2xzMTKnuATeoYACLcB/s1600/Certification-Authority-Windows-Server-2016-4.png)
Click Edit Feature Settings.
![](http://3.bp.blogspot.com/-jcYLoCzwHqE/WJ3LGW-LjVI/AAAAAAAAOJA/WUaVPoRLOkIXut-fWVUaXNvOQcrAhA5VACLcB/s1600/Certification-Authority-Windows-Server-2016-5.png)
Check Allow double escaping and click OK. This is required because delta CRL file names contain a plus sign (for example CA-Name+.crl), which IIS request filtering rejects by default.
![](http://4.bp.blogspot.com/-crtI4O3ZbSQ/WJ3LGbGltcI/AAAAAAAAOI8/FjWaLatkEFI_pYBHK45kr3Pxj0zrV7vzQCLcB/s1600/Certification-Authority-Windows-Server-2016-6.png)
Configuring Certification Authority Server
Here, you need to create the certificate authority policy file. Go to the C:\Windows directory and create a new file named CAPolicy.inf.
![](http://3.bp.blogspot.com/-6QRpq9LDqHM/WJ3LG2-nQ3I/AAAAAAAAOJM/4U2YKaYWET0poxa7KLQ4nJoOCQ5W25iaACLcB/s1600/Certification-Authority-Windows-Server-2016-7.png)
You need to provide the following information in this file. The empty [CRLDistributionPoint] and [AuthorityInformationAccess] sections are intentional for a root CA: they keep those extensions out of the root certificate itself. Note that AlternateSignatureAlgorithm=1 makes the CA sign with RSASSA-PSS, which some older or non-Windows clients do not support; set it to 0 if such clients must validate certificates from this CA.
[Version]
Signature="$Windows NT$"
[PolicyStatementExtension]
Policies=InternalPolicy
[InternalPolicy]
OID=1.2.3.4.1455.67.89.5
Notice="Legal Policy Statement"
URL=http://cert.test.com/cert/cps.txt
[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5
CRLPeriod=weeks
CRLPeriodUnits=1
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=1
[CRLDistributionPoint]
[AuthorityInformationAccess]
Installing Certification Authority Role on Active Directory Domain
Open up PowerShell on your Active Directory domain server and run the following commands to install the CA role and configure it as an enterprise root CA.
Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA
Open up the Certification Authority console, open the properties of the CA, click the Extensions tab and, under Select extension, choose CRL Distribution Point (CDP).
Delete the last 3 entries (ldap, http, file) as shown in the image below.
![](http://3.bp.blogspot.com/-qakv3y2I2g4/WJ3LG7_2T2I/AAAAAAAAOJI/fXHx2WIVaD06lnaHampsoMlVa2Ivk8WLACLcB/s1600/Certification-Authority-Windows-Server-2016-8.png)
After deleting these entries, click Add
![](http://2.bp.blogspot.com/-7DSeiirpPXk/WJ3LGwh88mI/AAAAAAAAOJE/Y4LswBDP9rkPJfbEtagogmrs4Mpq-jxswCLcB/s1600/Certification-Authority-Windows-Server-2016-9.png)
and enter http://cert.test.com/cert/
Check Include in CRLs and Include in the CDP extension of issued certificates.
![](http://4.bp.blogspot.com/-QB5bgsrcaew/WJ3LE_X48cI/AAAAAAAAOIU/gAlPT0sAFzwQDbljZ6fhPADkqUxIy5ymwCLcB/s1600/Certification-Authority-Windows-Server-2016-10.png)
Now, from Select extension choose Authority Information Access (AIA).
Authority Information Access (AIA) is used to publish where a copy of the issuer's certificate may be downloaded. Paths specified in this extension can be used by an application or service to retrieve the issuing CA certificate. These CA certificates are then used to validate the certificate signature and to build a path to a trusted certificate.
Again, delete the ldap, http and file entries.
![](http://2.bp.blogspot.com/-E0tK5Rtn3LU/WJ3LEzoDLGI/AAAAAAAAOIc/gp84RaC3vH0Jtu5_TqjY7fXHJGt5e9fWACLcB/s1600/Certification-Authority-Windows-Server-2016-11.png)
Then click Add and enter http://cert.test.com/cert/
Check Include in the AIA extension of issued certificates.
![](http://3.bp.blogspot.com/-L3lbqfqARCA/WJ3LFRF4DlI/AAAAAAAAOIg/M0zkWn6SttMyxBwriBDVoNDQXW0pjh8TgCLcB/s1600/Certification-Authority-Windows-Server-2016-12.png)
All paths specified above point to the network share on the web server (\\web\cert) and to the web virtual directory (http://cert.test.com/cert/).
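The Extensions-tab steps above can also be scripted. The following is an added example (not from the original article) that sets the same CDP and AIA locations with certutil -setreg; it assumes the default local CertEnroll path and uses certutil's file-name tokens (%1 server DNS name, %3 CA name, %4 certificate name, %8 CRL name suffix, %9 delta CRL allowed) for the HTTP entries, since the GUI entry above shows only the directory.

```powershell
# Added example: scripted equivalent of the CDP/AIA extension configuration.
# Assumptions: run in an elevated PowerShell on the CA itself; the local
# CertEnroll path is the default; file names use certutil's %-tokens.
$httpBase    = 'http://cert.test.com/cert'
$localEnroll = 'C:\Windows\system32\CertSrv\CertEnroll'

# CDP flag bits (summed per entry):
#   1  = publish CRLs to this location
#   2  = include in the CDP extension of issued certificates
#   4  = include in CRLs (clients use this to find delta CRL locations)
#   64 = publish delta CRLs to this location
# Keeping only the local path and the HTTP entry mirrors deleting the
# ldap/http/file defaults in the console and adding the new HTTP location.
$cdp = @(
    "65:$localEnroll\%3%8%9.crl"   # local file: publish base + delta CRL
    "6:$httpBase/%3%8%9.crl"       # HTTP: "Include in CRLs" + "Include in CDP"
) -join '\n'                       # certutil treats a literal \n as the separator

# AIA flag bits: 1 = publish the CA certificate here, 2 = include in the AIA extension.
$aia = @(
    "1:$localEnroll\%1_%3%4.crt"
    "2:$httpBase/%1_%3%4.crt"      # HTTP: "Include in the AIA extension"
) -join '\n'

certutil -setreg CA\CRLPublicationURLs    $cdp
certutil -setreg CA\CACertPublicationURLs $aia

# The CA service reads these registry values only at startup.
Restart-Service -Name certsvc

# Issue a fresh CRL so the new locations take effect, then show the result.
certutil -crl
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
```

Certificates issued after the restart carry the new CDP and AIA URLs; certificates issued before it keep the old extensions until they are renewed.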
Publishing the CRL
It's time to publish the CRL to make it available to our users. Open up PowerShell on the CA and execute the following command.
certutil -crl
Copy the CA certificate and CRL to the network share folder:
copy C:\Windows\system32\certsrv\certenroll\*.crt \\WEB\cert
copy C:\Windows\system32\certsrv\certenroll\*.crl \\WEB\cert
![](http://4.bp.blogspot.com/-3NBIdinzYrs/WJ3LFakQ9lI/AAAAAAAAOIo/irWOr78k0AU4YjXIYsq37bwSPOPfe2WwgCLcB/s1600/Certification-Authority-Windows-Server-2016-13.png)
To check the CA "health", open up PowerShell and type pkiview.msc.
![](http://3.bp.blogspot.com/-TOymlYMH1Fo/WJ3LFXFLfWI/AAAAAAAAOIk/SMET7VoAegYafuvzbhJNIIgJzSHc2j_bACLcB/s1600/Certification-Authority-Windows-Server-2016-14.png)
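The publish-and-copy steps above can be wrapped in a repeatable check. The following is an added example (not from the original article) that runs certutil -crl, copies the .crt and .crl files to \\WEB\cert, and then verifies over HTTP that each published file is byte-for-byte identical to the local copy; the helper names Publish-PkiFiles and Test-PublishedPkiFile are the example's own, and the CertEnroll path, share and URL are the ones used in this guide.

```powershell
# Added example: publish CRL/CA certificate and verify what the web server serves.
# Assumptions: run on the CA; \\WEB\cert is the folder behind http://cert.test.com/cert/.
$enroll   = 'C:\Windows\system32\certsrv\certenroll'
$share    = '\\WEB\cert'
$httpBase = 'http://cert.test.com/cert'

function Publish-PkiFiles {
    certutil -crl | Out-Null                       # issue a fresh base (and delta) CRL
    Get-ChildItem -Path "$enroll\*" -Include *.crt, *.crl |
        Copy-Item -Destination $share -Force
}

function Test-PublishedPkiFile {
    param([string]$LocalPath)
    $name = Split-Path -Leaf $LocalPath
    $url  = "$httpBase/$name"                      # delta CRL names keep their '+' unescaped
    $tmp  = Join-Path $env:TEMP $name
    try {
        Invoke-WebRequest -Uri $url -OutFile $tmp -UseBasicParsing -ErrorAction Stop
    } catch {
        # A 404 on the '+' delta CRL usually means "Allow double escaping" is still off.
        return [pscustomobject]@{ File = $name; Url = $url; Status = "HTTP error: $($_.Exception.Message)" }
    }
    $localHash  = (Get-FileHash -Path $LocalPath -Algorithm SHA256).Hash
    $remoteHash = (Get-FileHash -Path $tmp       -Algorithm SHA256).Hash
    Remove-Item -Path $tmp -Force
    $status = if ($localHash -eq $remoteHash) { 'OK' } else { 'MISMATCH: stale copy on web server' }
    [pscustomobject]@{ File = $name; Url = $url; Status = $status }
}

Publish-PkiFiles
Get-ChildItem -Path "$enroll\*" -Include *.crt, *.crl |
    ForEach-Object { Test-PublishedPkiFile -LocalPath $_.FullName } |
    Format-Table -AutoSize
```

A MISMATCH row means clients are downloading an older CRL than the CA last issued, which pkiview.msc will eventually flag as expired.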
Auto-Enrollment of Certificates using GPO
On your Active Directory domain server, open up the Group Policy Management Editor, then navigate to Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment and change Configuration Model to Enabled.
![](http://4.bp.blogspot.com/-hASdFFKOq6w/WJ3LF428vNI/AAAAAAAAOIs/AxEVI8-GgPwGPxsVWRCpSuQvWnIg06jFwCLcB/s1600/Certification-Authority-Windows-Server-2016-15.png)
We have successfully completed the deployment of certificate authority.