Menu
- Microsoft Certificate Authority Server Ports
- Microsoft's Free Test Certificate Authority Server
- Microsoft Certificate Authority Server Best Practices
- Microsoft Certificate Authority Server 2012
New Certificate Authority on Windows Server 2016 Windows Server Please use technology-specific Windows Server forums for areas like File Server and Storage, High Availability (Clustering), Directory Services, etc. Installing the AD CS Server Role: Select Active Directory Certificate Services then click Next: On the pop up window click the box Include management tools then Add Features: Click Next: No additional Features are needed. Click Next: Click Next: Select the services you want to enable. At a minimum enable Certificate Authority.
Install Standalone CA (Certificate Authority) on Windows Server 2012 R2 for use with Operations Manager. It’s best if you use the fully qualified domain name (FQDN) as shown in the picture below. Make sure you configure the AIA and CLR extensions in the Certification Authority tool as shown in the screenshots below. This tool is accessed from the Server Manager console and should have been installed with the Powershell command above. Oct 03, 2018 Install the Certification Authority. For more information on how to accomplish these tasks, see the Windows Server 2016 Core Network Guide. To perform this procedure, the computer on which you are installing AD CS must be joined to a domain where Active Directory Domain Services (AD DS) is installed.
Setting up an Enterprise Root Certificate Authority isn’t a task that you’ll complete on a regular basis and something I think I’ve done twice, maybe 3 times, ever. Each time I forget what I did previously and you can guarantee I’m using a different version of Windows Server each time. Please note as you read these article and the next, that whilst I have an interest in PKI, I don’t consider myself an expert. Deploying a PKI is not a simple task, so read up carefully if you’ve not done this before.
So here’s how to setup an Enterprise Root Certificate Authority (CA) on Windows Server 2012 R2. Now that I’ve documented this, I’m hoping I won’t forget for next time.
Basics
I’m not going to go into too much detail here on the specific choices or considerations you should be making when setting up a CA in your environment; however, I would recommend that you do the following at least, to ensure certificate services is deployed securely:
- Configure a Root CA on a member server (not a member of the domain) and aim for this CA to be offline. This machine can be deployed just about anywhere and when turned off, you could protect it by removing the virtual machine from the environment and storing it in an encrypted format. This will help protect the root CA certificate. Just document where you left it, in case someone else has to take care of updates and changes.
- Deploy a subordinate CA that will be used to issue certificates. This will be a member of Active Directory to simplify management, issuance of certificates to domain members and enable certificate templates.
Using certificate templates requires Active Directory and also requires that you install and configure the subordinate CA as a member of the Enterprise Admins group. Potentially not an issue in most environments; however for large enterprise environments that may not be the case (permissions can be delegated). This also means that you won’t be installing an Enterprise CA in an environment using Azure Active Directory Domain Services because you won’t have rights.
Further Reading
There are a number of articles that I’ve drawn from and others worth reading for additional details or in-depth discussions on certificate services. I’ve listed a few here to provide some further detail:
Deploying an Enterprise Root Certificate Authority
The following steps are taken on a virtual machine running Windows Server 2012 R2 with all current updates as a stand-alone server. Installing the root CA on a stand-alone server ensures no issues with domain communication when the VM is booted at a later date.
Installing Certificate Services
Deploying Certificate Services on Windows Server 2012 R2 is simple enough - open Server Manager, open the Add Roles and Features wizard and choose Active Directory Certificate Services under Server Roles. Ensure you choose only the Certificate Authority role for the Root CA.
Installing Active Directory Certificate Services
To make installing Certificate Services simpler, do it via PowerShell instead via Add-WindowsFeature:
Which will look like this, no reboot required:
Install Certificate Services via PowerShell
Configuring Certificate Services
After Certificate Services is installed, start the configuration wizard from Server Manager:
Start the Certificate Services configuration wizard
Set the credentials to be used while configuring Certificate Services. In this case, we’re configuring CA on a stand-alone machine and I’m logged on as local Administrator.
Certificate Services wizard - configuration credentials
For the Root CA, we have only one role to configure.
Certificate Services wizard - roles to configure
This certificate authority is being configured on a stand-alone server not a member of Active Directory, so we’ll only be able to configure a Standalone CA.
Certificate Services wizard - configure a standalone CA
This is the first CA in our environment, so be sure to configure this as a root CA.
Certificate Services wizard - configure as a root CA
With the first CA in the environment, we’ll won’t have an existing private key, so must choose to create a new one.
Certificate Services wizard - choose a new private key
When selecting a cryptographic provider and a hash algorithm, SHA1 will be the default hashing algorithm; however, Windows will no longer accept certificates signed with SHA1 after 1st of January 2017, so be sure to choose at least SHA256.
Certificate Services wizard - choosing cryptographic options
Specify a name for the new certificate authority. I’d recommend keeping this simple using the ANSI character set, using a meaningful name.
Certificate Services wizard - specify a CA name
Select the validity period - perhaps the default is the best to choose; however, this can be customised based on your requirements. This is a topic that is a whole security conversation in itself; however, renewing CA certificates isn’t something that you want to be doing too often. Considerations for setting the validity period should include business risk, the size and complexity of the environment you are installing the PKI into, and how mature the IT organisation is.
Certificate Services wizard – select the CA certificate validity period
On the next page of the wizard, you can choose the location of the certificate services database and logs location (
C:WindowsSystem32Certlog
), which can be changed depending on your specific environment.On the last page, you will see a summary of the configuration before committing it to the local certificate services.
Certificate Services wizard – summary page
Configuring the Root CA
Now that certificate services have been installed and the base configuration is complete, a set of specific configuration changes is required to ensure that an offline Root CA will work for us.
If you open the Certificate Authority management console, you can view the properties of the certificate authority and the Root CA’s certificate:
The freshly installed and configured certificate authority
Check the details and ensure the certificate hash algorithm is SHA256:
Certificate authority with SHA256 hashing algorithm
Configure CA Extensions
Before we take any further steps, including deploying a subordinate CA for issuing certificates, we need to configure the Certificate Revocation List (CRL) Distribution Point. Because this CA will be offline and not a member of Active Directory, the default locations won’t work.
In the properties of the CA, select the Extensions tab to view the CRL Distribution Points. By default, the
ldap://
and file://
locations will be the default distribution points. These, of course, won’t work for the reasons I’ve just stated, and because these locations are embedded in the properties of certificates issued by this CA, we should change them.Configuring the Certificate Revocation List settings
The default CRL distribution points are as below. These can be copied by selecting each from within the dialog box and pressing Ctrl-C.
To set up a CRL distribution point that will work with a location that’s online (so that clients can contact the CRL), we’ll add a new distribution point rather than modify an existing DP and use HTTP.
Before that we’ll want to do two things:
- Ensure that ‘Publish CRLs to this location’ and ‘Publish Delta CRLs to this location’ are selected on the default
C:WindowsSystem32CertSrvCertEnroll
location. This should be the default setting. - For each existing DP, remove any check marks enabled for ‘Include in CRLs’.
Now add a new CRL location, using the same HTTP location value included by default; however, change
<ServerDNSName>
for the FQDN for the host that will serve the CRL. In my example, I’ve changed:to
This FQDN is an alias for the subordinate certificate authority that I’ll be deploying to actually issue certificates to clients. This CA will be online with IIS installed, so will be available to serve the CRLs.
Adding a new CRL distribution point
Repeat the same process for the Authority Information Access (AIA) locations:
- Disable ‘Include in the AIA extensions of issued certificates’ for all existing locations
- Copy the existing
http://
location - Add a new
http://
location, changing<ServerDNSName>
for the FQDN of the alias also used for the CRL distribution point
Adding an Authority Information Access location
Apply the changes, and you will be prompted to restart Active Directory Certificate Services. If you don’t remember to manually restart the service later.
Applying the changes will require restarting the CA service
Configure CRL Publishing
Before publishing the CRL set the Publication Interval to something other than the default 1 week. Whatever you set the interval to, this will be the maximum amount of time that you’ll need to boot the CA, publish the CRL and copy it to you CRL publishing point.
Open the properties of the Revoked Certificates node and set the CRL publication interval to something suitable for the environment you have installed the CA into. Remember that you’ll need to boot the Root CA and publish a new CRL before the end of this interval.
Setting the CRL Publication Interval on the Root CA
Ensure that the Certificate Revocation list is published to the to the file system - right-click Revoked Certificates, select All Tasks / Publish. We will then copy these to the subordinate CA.
Publish the Certificate Revocation list
Browse to C:WindowsSystem32CertSrvCertEnroll to view the CRL and the root CA certificate.
Certificates and CRL published to C:WindowsSystem32CertSrvCertEnroll
Setting the Issued Certificate Validity Period
The default validity period for certificates issued by this CA will be 1 year. Because this is a stand-alone certification authority, we don’t have templates available to use that we can use to define the validity period for issued certificates. So we need to set this in the registry.
As we’ll only be issuing subordinate CA certificates from this root CA, 1 year isn’t very long. If the subordinate CA certificate is only valid for 1 year, any certificates that it issues can only be valid for less than 1 year from the date of issue - not long indeed. Therefore, we should set the validity period on the root CA before we issue any certificates.
To change the validity period, open Registry Editor and navigate to the following key:
In my lab, this path is:
Here I can see two values that define how long issued certificates are valid for - ValidityPeriod (defaults to 1) and ValidityPeriodUnits (defaults to “Years”).
Viewing the Root CA certificate validity lifetime
Open ValidityPeriodUnits and change this to the desired value. My recommendation would be to make this 1/2 the lifetime of Root CA’s certificate validity period, so if you’ve configured the Root CA for 10 years, set this to 5 years. You’ll need to restart the Certificate Authority service for this to take effect.
Setting the Root CA’s ValidityUnits
An alternative to editing the registry directly is to set this value to certutil.exe. To change the validity period to 5 years run:
There are a couple of old articles on setting this value, but they still apply to current versions of Windows Server - How to change the expiration date of certificates that are issued by a Windows Server 2003 or a Windows 2000 Server CA and How to Set an Enterprise Subordinate CA to Have a Different Certificate Validity Period than the Parent CA.
Microsoft Certificate Authority Server Ports
Conclusion
In this article, I’ve provided the basic steps to creating a root certificate authority on Windows Server 2012 R2. The next step is to create a subordinate CA that will issue certificates to devices and users, allowing us to take the root CA offline and protecting it from attack. Games of thrones game online.
Don’t shut down the Root CA just yet. In the next article, we’ll create and configure the subordinate CA.
- [Instructor] In this demonstration,I'll install a PKI certificate authorityon the Microsoft Windows Server 2016 platform.The first thing I'll do here on the server is check whetheror not this component is already installed.I can do that in a number of ways.I can go to my start menuand I can start up Windows PowerShell and within PowerShell,I can issue the get dash Windows feature commandletand I can tell it what I want to look for.In this case asterisk certificate asteriskand after a moment we can see thatthe Active Directory Certificate Services roleis not installed because there's not an X in the box.
Although we could use the install dash Windowsfeature commandlet to install itgiven that we see the name here.However, I'm going to go to my start menubecause an alternative way of installingthe certificate services component is to go tothe server manager GUI.It doesn't matter which way you do it.It ends up being the same.However here in server manager,I'm going to click add roles and features.Now on the first screen for role basedor feature installation, I will leave thatsingle server installation option enabledand I'll click next.
I'm installing it on this same server herefrom which I am running this tool so I'll click nextand then I'm going to choose the Active Directorycertificate services option on the roles screenso I'm going to put the check mark there.And then it pops up and asks if I want to addserver administration features related to this roleand I do so I'll click add features then I'll click next.There are no additional features I want installedon the features screen so I'll just go aheadand click next on that.Then I get a little message describing whatActive Directory Certificate Services doesso I'll click next on that screen.
Then I get to choose the specific role servicesrelated to Active Directory Certificate Services.We definitely need the certification authorityso we can set up our PKI CA, our certificate authority.I've also got components like the certificate enrollmentpolicy web service and the certificate enrollmentweb service which are both used for machinesnot joined to an Active Directory namealthough my server is actuallyan Active Directory domain controller.I've also got the certification authorityweb enrollment website that I can choose to install.
Now this gives a little web interfacethat lets people request certificatesby pasting in certificate signing requests and so onso if I need that component, I can install it.I've also got the network device enrollment servicefor our network devices that can acquire PKI certificatesbut I'm not going to turn that on.I got the online responder server side componentthat is used to respond to OCSP client queriesfor certificate validity but I don't need thatso I'm not going to install that.Okay, so now that I've made my choice or choices,I'm going to click next and then I'll click installto get this going and before too long,it's completed the installation.
Microsoft's Free Test Certificate Authority Server
It does say that configuration is required.Okay, that's fine, close.Because if I were attempt here in server managerto go directly to the tools menuand run the certification authority tool,it would result in this error message.It says cannot manage Active Directory Certificate Services.Well that's because nothing's been configuredso that's fine, I'll click okay,I'll close down the tool and in the notification areahere in the upper right, I see that I've got an optionto configure Active Directory Certificate Serviceson the destination server, this server,so I'll click on that.
That starts a new wizard, excellent.I'm going to use my current logon credentials herefor a domain admin account that it already came up withand I'll click next.Then I'm going to choose to configurethe certification authorityas well as the certification authority web enrollment.Okay, so then I'll click next.I need to install an enterprise CA here,well I don't need to, but I'm going tobecause this is an Active Directory domain controller.The standalone CA option is for serversthat are not apart of an Active Directory domainso I'm going to leave it on enterprise CAand I'll click next.
Now I do need to specify root CA herebecause I don't already have a root CA.This is the top of the PKI hierarchythat we are defining.Now otherwise for other servers after we getthis one running, we can configure them as subordinate CAs,otherwise called registration authorities, RAs,so that we might have subordinate CAsfor different regions, different departments,different child companies and so onbut here we're going to stick with root CA, next.I'm going to create a new private key.
I'm not going to use an existing private key.You would only use that option if perhaps a server failedthat was hosting a CA previously,you have the back up of the private key of itand now you want to reinstall the server to host it again.That doesn't apply so create a new private key it is.Then I get to choose the cryptographic providerfrom the drop down list.I'm going to stick with all the defaults here.Should work just fine.So RSA as the cryptographic providerwith the key length of 2,048 bitsand for the digital signing algorithmfor digitally signing certificates,I'll leave it on SHA256, the secure hashing algorithmand then I'll click next.
I have to come up with a common namefor this certificate authority so I'm justgoing to called it fake domain oneand down below it's come up with the distinguish nameand the suffix for that, so I'm okay with thatso I'm going to go ahead and click next.Now bear in mind that PKI certificateshave an expiration date.They're only valid for a certain period of timeand that includes certificate authoritiesso here it's set five years as the validity periodby default for this certificate authority,not for certificates it will issue.
Let's say here I'm going to change that to 10 yearsin accordance with our organizational security policiesso having done that, I'll go ahead and click next.I will accept the default database locationsfor the certificate databaseand the certificate database log and then I'll click next.Okay, looks good so I'm going to go aheadand click configure on the summary screenand now it's just a matter of waiting.So I can now see that the configurationhas succeeded for both components,the certification authorityand the certification authority web enrollmentso I'm going to go ahead and click close.
Now here in the server manager if I go to the tools menuto start the certification authority toolwhich you could also start from the start menu,this time it will not give us an errorbecause we've configured a CA.We can actually see it over here on the left,fake domain one.If I expand that, notice underneath itI have folders for revoked certificates,issued certificates, pending requeststhat might require administrator approval,failed requests, even certificate templatesor blueprints that are used to issue PKI certificatesand we'll be working with this in other demonstrations.
Also if I were to go let's say into my start menuon this server and run cert MGR,the certificate manager MMC console,it gives me the option then to manage computer certificates.If I look into that, just maximize that screen,under personal if I look under certificatesI can see I've got a CA certificate for fake domain oneand I can see the expiration datewhich is 10 years from today based on my configuration.
Microsoft Certificate Authority Server Best Practices
Now at the same time if I also go into mytrusted root certification authoritiespart of my certificate store and click on certificates,here's the other certificate authoritiesthat are trusted on this machineand we also have our entry for fake domain one.It's okay if you see what appears to beduplicate CA certificates and that's becausethe certificates are stored physicallyin a couple of different places herein the certificate store.While this exists on our server where we configured it,it's going to be important to consider the factthat our client devices that need to trust certificatesissued by this CA will also need this installedin their certificate store but that's somethingthat we'll deal with a little bit later.
Microsoft Certificate Authority Server 2012
The other thing we're going to take a look at hereis the certificate enrollment websitewhich we elected to install.For that, I'm going to fire up a web browserdirectly on this server although it certainlydoesn't have to be and we're going to connectto this specific host.I'll put in HTTP colon slash slashand then the URL and then we're going to connectto the slash cert serve,C-E-R-T-S-R-V suffix on our websitewhich prompts us to log in so I'll put inlet's say my domain administrator credentialsfor Active Directory and after a momentthat opens up the Active Directory Certificate Servicesweb enrollment page where notice we canrequest a PKI certificate.
We can view the status of a pending requestor even download the CA certificate to establish trust.At this point, we have successfully installeda certificate authority.