Install AD Certificate Services on Windows Server 2008 R2 – AD CS Part1

In this post I will go through the steps required to install and configure Active Directory Certificate Services (AD CS) on Windows Server 2008 R2. I will cover the other AD CS components in later posts. Below is a brief overview of these components:

CA Web Enrollment: Web enrollment allows users to connect to a CA by means of a Web browser in order to request certificates and review certificate requests, retrieve certificate revocation lists (CRLs), and perform smart card certificate enrollment.

Online Responder service: The Online Responder service implements the Online Certificate Status Protocol (OCSP) by decoding revocation status requests for specific certificates, evaluating the status of these certificates, and sending back a signed response containing the requested certificate status information.

Network Device Enrollment Service: The Network Device Enrollment Service allows routers and other network devices to obtain certificates based on the Simple Certificate Enrollment Protocol (SCEP) from Cisco Systems Inc.

Requirements: See the tables below for the supported components and features and the versions of Windows they run on:

[Tables 10 and 11: supported AD CS components and features by Windows Server version; not reproduced here]

Setup Guide:

– Click Start -> Administrative Tools -> click Server Manager

– Right-click Roles -> click Add Roles

– On the Before You Begin page -> click Next

– On the Select Server Roles page -> select the Active Directory Certificate Services check box -> click Next twice

– On the Select Role Services page -> select the Certification Authority check box -> click Next

– On the Specify Setup Type page -> click Enterprise -> click Next

– On the Specify CA Type page -> click Root CA -> click Next

– On the Set Up Private Key page -> select Create a new private key -> click Next

– On the Configure Cryptography for CA page -> select the suggested cryptographic service provider (CSP) -> select a key character length of 2048 -> select the SHA1 hash for signing certificates -> also select Allow administrator interaction when the private key is accessed by the CA (Note: this option ensures that use of the CA will require administrative access) -> click Next

– On the Configure CA Name page -> type the common name of the CA -> click Next

– On the Set Validity Period page -> Accept the default or enter the number of years -> click Next

– On the Configure Certificate Database page -> accept the default values or specify other storage locations for the certificate database and the certificate database log -> click Next

– Review the information on the Confirm Installation Selections page -> click Install

– Review the information on the Installation Results screen to verify that the installation was successful -> click Close

– After the installation is completed, you will see event ID 103 in the Application event log

– To verify that the CA is published correctly in Active Directory, copy the command from the event details and run it from a command prompt with administrative permissions. The result should display a valid certificate from the store.
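As an added example (not part of the original post), the following PowerShell script performs a post-install sanity check of the CA built by the steps above: it reads the active CA name and its certificate hash from the AD CS registry configuration, confirms the service is running, locates the CA certificate in the local machine store, and reports the key size and signature algorithm so that a weak choice (a key under 2048 bits, or a SHA-1 signature) is flagged. It assumes the default AD CS registry layout under HKLM\SYSTEM\CurrentControlSet\Services\CertSvc and must be run in an elevated prompt on the CA itself.

```powershell
# Added example, not from the original post: post-install check for an Enterprise Root CA.
# Assumes the default AD CS registry layout; the CA name and certificate hash are read
# from the registry rather than hard-coded.

$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active
$caKey  = Join-Path $cfg $caName

# 1. The CA service (CertSvc) should be running after the wizard completes.
$svc = Get-Service -Name CertSvc
"CA '$caName' service status: $($svc.Status)"
if ($svc.Status -ne 'Running') { Write-Warning "CertSvc is not running" }

# 2. CACertHash (REG_MULTI_SZ, space-separated hex) lists the CA's certificate hashes;
#    the last entry is the current CA certificate. Match it against LocalMachine\My.
$hashes = (Get-ItemProperty -Path $caKey -Name CACertHash).CACertHash
$latest = ($hashes | Select-Object -Last 1) -replace ' ', ''
$caCert = Get-ChildItem Cert:\LocalMachine\My |
          Where-Object { $_.Thumbprint -eq $latest }
if (-not $caCert) { throw "CA certificate with thumbprint $latest not found in LocalMachine\My" }

# 3. Report the cryptographic parameters chosen in the wizard and flag weak ones.
$keySize = $caCert.PublicKey.Key.KeySize
$sigAlg  = $caCert.SignatureAlgorithm.FriendlyName
"Subject: $($caCert.Subject)"
"Key size: $keySize bits; signature algorithm: $sigAlg; valid until: $($caCert.NotAfter)"
if ($keySize -lt 2048)     { Write-Warning "CA key is shorter than 2048 bits" }
if ($sigAlg -match 'sha1') { Write-Warning "CA certificate is signed with SHA-1; plan a move to SHA-256" }

# 4. A root CA's certificate should also be trusted locally (the command from event 103
#    checks the Active Directory side of the publication).
$trusted = Get-ChildItem Cert:\LocalMachine\Root |
           Where-Object { $_.Thumbprint -eq $caCert.Thumbprint }
"Present in LocalMachine\Root: $([bool]$trusted)"
```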

Next: Install and Configure the Online Responder – Click Here
