Install and configure Active Directory Certificate Services


Before we begin, I will go over which role services we will be selecting for our Active Directory Certificate Services implementation.

  • Certificate Authority
    • We will be selecting this role service in order to establish our Certificate Authority. The Certificate Authority role installs either root or subordinate Certificate Authorities in your environment, which issue certificates. A Certificate Authority's role is to issue certificates to computers, users, and services in your environment.
  • Certificate Web Enrollment/Services
    • The Certificate Web Enrollment/Services role establishes a web interface in order for users to request and retrieve certificate revocation lists (CRLs). Web Services provides a way for users to request that the CA issue a certificate for users, computers, and services. For more info about CRLs please see here.
  • Online Responder
    • Online Responder implements the Online Certificate Status Protocol (OCSP). An OCSP responder allows an OCSP client to retrieve information about certificates in order to determine whether they are valid or have been revoked. OCSP improves on the CRL process by allowing the OCSP client to retrieve that information in a timely manner. More information about Online Responder can be found here.

Our goal is to install and configure AD CS. I will be using Windows Server 2019 for this demo. The AD CS server will need to be joined to the domain, and the user account used will need to be a member of “Enterprise Admins” and “Domain Admins” of the domain where you're installing and configuring AD CS. Okay, let's get started!

How to Install AD CS

On Windows Server 2019 (Desktop Experience), go to your Start menu and open Server Manager.


Click Manage and select Add Roles and Features.


The Add Roles and Features Wizard should appear. Choose the installation type Role-Based or Feature-Based Installation. At the Server Roles page, select Active Directory Certificate Authority.


Go to the Role Services page under AD CS and select the following role services:

Certification Authority 

Certificate Web Service (This will add IIS features needed.)

Certification Authority Web Enrollment (This will add IIS features needed.)

Online Responder


Continue to the Confirmation page. The Add Roles and Features Wizard will have already selected everything needed for the Web Server role. At the Confirmation page, select Install.

After installation, run the Post-Deployment Configuration Wizard by selecting Configure Active Directory Certificate Services.


The AD CS Configuration Wizard should appear. Press Next at the Credentials page to continue to the Role Services page. Select the following role services:

Certification Authority

Certification Authority Web Enrollment

Online Responder


At the Setup Type page, select “Enterprise CA”.


At the CA Type page, select “Root CA”.


At the Private Key page, select Create a new Private Key. The settings on the Cryptography page will be based on the requirements for your environment. I will provide a sample configuration for our lab purposes for now.


Configure the Validity page. Note: Your validity period may be based on the requirements for your environment.

Once you're at the Certificate Database page, specify the database locations. (I recommend placing the certificate database on a separate drive from the Windows operating system.)


Once the Confirmation page has verified the configuration, press Configure to finish the AD CS configuration.

After the AD CS configuration has been completed, let's go back into Server Manager and run the AD CS Configuration Wizard again to complete the Certificate Enrollment Web Service.

After verifying your credentials, let's go to the Role Services page and select “Certificate Enrollment Web Service”.


At the CA for CES page, the AD CS Configuration Wizard should fill in the Target CA for you. However, if it doesn’t, click on the Select button and choose your CA.


At the Authentication Type for CES page, let's set the authentication type to “Windows Integrated Authentication”.


At the Service Account for CES page, let's select “Use the Built-in application pool identity”.


At the Service Certificate page, let's select “Choose an existing certificate for SSL encryption”.


At the Confirmation page, press Configure in order to complete the configuration. You now have a Certificate Authority in your environment! We will go over configuring Online Responder on the next page.
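The same wizard steps can be scripted with the ADCSDeployment PowerShell cmdlets. This is an added example, not part of the original walkthrough. The CA name, key length, hash algorithm, validity period, directory paths and certificate thumbprint are assumed lab values or placeholders, so replace them with your environment's requirements.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the wizard steps in this article.
# Run on the domain-joined AD CS server as a member of Enterprise Admins
# and Domain Admins.

# --- Assumed lab values (not from the article); adjust to your environment ---
$CaCommonName  = 'LAB-Root-CA'            # hypothetical CA common name
$DbPath        = 'D:\CertDB'              # database on a drive separate from the OS
$LogPath       = 'D:\CertLog'
$SslThumbprint = '<SSL-CERT-THUMBPRINT>'  # placeholder: existing cert in LocalMachine\My

# 1. Add the role services (Add Roles and Features Wizard).
#    The IIS features required by the web role services are added automatically.
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment,
    ADCS-Enroll-Web-Svc, ADCS-Online-Cert -IncludeManagementTools

# 2. First configuration pass: Enterprise Root CA with a new private key.
#    Cryptography and validity values below are sample lab settings.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CACommonName $CaCommonName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -DatabaseDirectory $DbPath -LogDirectory $LogPath -Force

Install-AdcsWebEnrollment -Force      # Certification Authority Web Enrollment
Install-AdcsOnlineResponder -Force    # Online Responder

# 3. Second pass: Certificate Enrollment Web Service (CES).
#    Kerberos is the cmdlet's name for Windows Integrated Authentication;
#    -ApplicationPoolIdentity selects the built-in application pool identity.
$CaConfig = '{0}\{1}' -f $env:COMPUTERNAME, $CaCommonName
Install-AdcsEnrollmentWebService -CAConfig $CaConfig `
    -AuthenticationType Kerberos -ApplicationPoolIdentity `
    -SSLCertThumbprint $SslThumbprint -Force

# 4. Verify: role services installed, CA service running, CA answering requests.
Get-WindowsFeature -Name ADCS-* | Where-Object Installed |
    Format-Table Name, InstallState
Get-Service -Name CertSvc
certutil -ping
```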
