In this post I will go through the steps required to install and configure Active Directory Certificate Services (AD CS) on Windows Server 2008 R2. In later posts I will look at the other AD CS components. Below is a brief overview of these components:
CA Web Enrollment: Web enrollment allows users to connect to a CA by means of a Web browser in order to request certificates and review certificate requests, retrieve certificate revocation lists (CRLs), and perform smart card certificate enrollment.
Online Responder service: The Online Responder service implements the Online Certificate Status Protocol (OCSP) by decoding revocation status requests for specific certificates, evaluating the status of these certificates, and sending back a signed response containing the requested certificate status information.
Network Device Enrollment Service: The Network Device Enrollment Service allows routers and other network devices to obtain certificates based on the Simple Certificate Enrollment Protocol (SCEP) from Cisco Systems Inc.
Requirements: See the tables below for the supported components and features and the versions of Windows they run on:
– Click Start -> Administrative Tools -> click Server Manager
– Right-click on Roles -> click Add roles
– On Before You Begin page -> click Next
– On the Select Server Roles page -> Select the Active Directory Certificate Services check box -> click Next two times
– On the Select Role Services page -> select the Certification Authority check box -> click Next
– On the Specify Setup Type page -> click Enterprise -> click Next
– On the Specify CA Type page -> click Root CA -> click Next
– On the Set Up Private Key page -> select Create a new private key -> click Next
– On the Configure Cryptography for CA page -> select the suggested cryptographic service provider (CSP) -> select a key length of 2048 -> select the SHA1 hash for signing certificates -> also select Allow administrator interaction when the private key is accessed by the CA (Note: this option ensures that use of the CA's private key will require administrative access.) -> click Next
– On the Configure CA Name page -> type the common name of the CA -> click Next
– On the Set Validity Period page -> Accept the default or enter the number of years -> click Next
– On the Configure Certificate Database page -> accept the default values or specify other storage locations for the certificate database and the certificate database log -> click Next
– Review the information on the Confirm Installation Selections page -> click Install
– Review the information on the Installation Results screen to verify that the installation was successful -> click Close
– After the installation is complete, you will notice event ID 103 in the Application event log
– To verify that the CA is published correctly in Active Directory, simply copy the command from the event details and run it from a command prompt with administrative permissions. The result should display a valid certificate from the store.
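As an added example (not part of the original post), the PowerShell script below reads back the choices made in the wizard above from the CA's registry configuration and certificate, and locates the event 103 verification command mentioned in the last step. It assumes the standard CertSvc registry layout and that AD CS logs under the provider name Microsoft-Windows-CertificationAuthority; run it in an elevated prompt on the CA itself.

```powershell
# Post-install check for an Enterprise Root CA on Windows Server 2008 R2.
# Added example; paths are the standard CertSvc registry locations.
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot).Active      # name typed on the Configure CA Name page
$caKey   = Get-ItemProperty -Path "$cfgRoot\$caName"
$cspKey  = Get-ItemProperty -Path "$cfgRoot\$caName\CSP"

# 1. The CertSvc service must be running and answer a certutil ping.
$svc = Get-Service -Name CertSvc
"CertSvc status : $($svc.Status)"
certutil -ping | Out-Null
"certutil -ping : exit code $LASTEXITCODE (0 = CA answered)"

# 2. Wizard choices as stored by the CA (CAType codes from the AD CS setup API).
$caTypes = @{ 0 = 'Enterprise Root'; 1 = 'Enterprise Subordinate'; 3 = 'Standalone Root'; 4 = 'Standalone Subordinate' }
"CA type        : $($caTypes[[int]$caKey.CAType])"
"Provider       : $($cspKey.Provider)"
"Validity       : $($caKey.ValidityPeriodUnits) $($caKey.ValidityPeriod)"
# CNG providers record the signing hash by name; legacy CSPs record a CAPI ALG_ID (0x8004 = SHA1).
$signHash = if ($cspKey.CNGHashAlgorithm) { $cspKey.CNGHashAlgorithm } else { '0x{0:X}' -f $cspKey.HashAlgorithm }
"Signing hash   : $signHash"
if ($signHash -match 'SHA1' -or $cspKey.HashAlgorithm -eq 0x8004) {
    'NOTE: issued certificates will be signed with SHA-1; plan a move to SHA-256 (CNG provider) before clients reject SHA-1 chains.'
}

# 3. The CA's own certificate lives in the machine Personal store.
$caCert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match ('CN=' + [regex]::Escape($caName)) } |
    Select-Object -First 1
if ($caCert) {
    "Key length     : $($caCert.PublicKey.Key.KeySize) bits"
    "Signature alg  : $($caCert.SignatureAlgorithm.FriendlyName)"
    "Valid until    : $($caCert.NotAfter)"
} else { "CA certificate for '$caName' not found in Cert:\LocalMachine\My" }

# 4. Event 103 carries the Active Directory publication check; show the certutil line
#    so it can be reviewed and run by hand, as the post describes. Provider name is an assumption.
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 103; ProviderName = 'Microsoft-Windows-CertificationAuthority' } -MaxEvents 1 -ErrorAction SilentlyContinue
if ($evt) {
    "Event 103 at   : $($evt.TimeCreated); verification command from the event text:"
    ($evt.Message -split "`r?`n") | Where-Object { $_ -match 'certutil' }
} else { 'Event 103 not found in the Application log' }
```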
Next: Install and Configure the Online Responder – Click Here