In this article I will explain the installation and configuration of Active Directory Certificate Services (AD CS) on the Windows Server 2008 R2 operating system. A properly running Active Directory infrastructure is a prerequisite for a properly running AD CS. You can find the details of building an Active Directory infrastructure in one of my previous articles, Mail Infrastructure with Exchange Server 2010 (from scratch) (http://www.ipsure.com/blog/2010/exchange-2010-organization-from-scratch/).
Let me first introduce the new features that come with Windows Server 2008 R2 AD CS. Today most organizations use certificates to encrypt data on the network and to verify the identity of users and computers. Active Directory Certificate Services (AD CS) increases security by binding the identity of a user, device or service to its key pair: the certificate carries the public key and only the subject holds the matching private key. Publishing the certificates (never the private keys, which stay with their owners or, with key archival, in the CA database) in Active Directory helps secure identity, and Active Directory also serves as a central location from which applications retrieve the appropriate certificate information when they need it.
Features added with Windows Server 2008
Enrollment Agent Templates: Delegated enrollment agents can now be restricted on a per-template basis, so an agent can enroll on behalf of a given set of users for a given set of templates only, instead of for everyone and everything.
Integrated Simple Certificate Enrollment Protocol (SCEP): Through the Network Device Enrollment Service, certificates can be issued to network devices such as routers and switches that have no domain account of their own.
Online Responder: Revocation status is checked with the Online Certificate Status Protocol (OCSP). The client asks about a single certificate and receives a small signed response for that certificate instead of downloading the entire Certificate Revocation List (CRL), which reduces the network traffic consumed when clients validate certificates.
Enterprise PKI (PKI View): A new management snap-in for AD CS that lets a Certificate Services administrator see the whole Certification Authority (CA) hierarchy, determine the overall health of each CA (CA certificate, CRL and AIA locations) and troubleshoot errors easily.
Features added with Windows Server 2008 R2
Cross-Forest Enrollment: AD CS can be deployed in one forest and still service users and computers from other forests that have a two-way trust with it, so one CA can serve several forests.
Improved support for high-volume CAs: Services such as Network Access Protection (NAP) request short-lived certificates in large numbers and do not need a history of them, so the CA can now be configured to issue such certificates without storing a record of each one in its database, which keeps the database small.
New Certificate Enrollment Web Services: Enable certificate enrollment over HTTPS (the Certificate Enrollment Policy Web Service and the Certificate Enrollment Web Service), resulting in simpler and more firewall-friendly deployments, including for clients that are not joined to the domain.
After this brief overview of the certificate services improvements, let's talk about the requirements for using AD CS. In a basic scenario all of the certificate services can be installed on a single server next to the domain controller, whereas if the role services are separated they can be spread over several servers, for example four. Although a Certification Authority (CA) can still run on Windows 2000 Server or Windows Server 2003, it has to be installed on Windows Server 2008 R2 to take advantage of all the new features listed above.
The table below summarizes the AD CS components that can be configured on different editions of Windows Server 2008 R2:
| Components | Web | Standard | Enterprise | Datacenter |
| --- | --- | --- | --- | --- |
| Certification Authority | No | Yes | Yes | Yes |
| Network Device Enrollment Service | No | No | Yes | Yes |
| Online Responder Service | No | No | Yes | Yes |
So what do these components do? Let me introduce them briefly:
Certification authorities (CAs): Root and subordinate CAs issue certificates to users, computers and services, and manage their validity (renewal and revocation).
Online Responder service: The Online Responder service implements the Online Certificate Status Protocol (OCSP): it decodes revocation status requests for specific certificates, evaluates the status of those certificates and sends back a signed response containing the requested status information.
Network Device Enrollment Service: The Network Device Enrollment Service (NDES) allows routers and other network devices to obtain certificates using the Simple Certificate Enrollment Protocol (SCEP) from Cisco Systems Inc.
The following table shows the features available on servers running Windows Server 2008 R2 that have been configured as CAs:
| AD CS feature | Web | Standard | Enterprise | Datacenter |
| --- | --- | --- | --- | --- |
| Version 2 and 3 certificate templates | No | No | Yes | Yes |
| Key Archival | No | No | Yes | Yes |
| Role separation | No | No | Yes | Yes |
| Certificate manager restrictions | No | No | Yes | Yes |
| Delegated Enrollment Agent Restriction | No | No | Yes | Yes |
As I mentioned before, a certificate services infrastructure can be created on as few as two servers (one domain controller and one CA). If the role services are separated it could be built on five servers as well (one DC, one stand-alone root CA, one subordinate CA, one Online Responder and one Network Device Enrollment Service server). We are going to explain the creation of the certificate services infrastructure by following the basic scenario, which consists of two servers.
For the infrastructure we need at least one domain controller (DC) in our environment. The installation and configuration of the Active Directory DC is explained in the Mail Infrastructure with Exchange Server 2010 (from scratch) article (http://www.ipsure.com/blog/2010/exchange-2010-organization-from-scratch/). In summary, after that installation and configuration we have a domain controller named mstipdc01.mstip.com with the IP address 192.168.2.22. To build a certificate services infrastructure on this domain, we join a second server, mstipca01 with the IP address 192.168.2.25, to our mstip.com domain. Remember from the tables above that the Online Responder, and CA features such as version 2 and 3 templates and key archival, require Windows Server 2008 R2 Enterprise or Datacenter edition, so mstipca01 runs one of those. Let's start with the installations.
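Before running the wizard it is worth placing a CAPolicy.inf in the Windows directory of mstipca01: setup reads this file and applies settings the GUI never asks for. The following PowerShell script is an added example, not part of the original article; the values in it (10-year, 4096-bit renewal, weekly base CRL, no delta CRL, no default templates) are assumptions for this lab and should be matched to your own policy.

```powershell
# Added example (not from the original article): write %windir%\CAPolicy.inf
# before starting the Add Roles wizard on mstipca01. The wizard picks the file
# up automatically; nothing else needs to reference it.
# All values below are lab assumptions; adjust them to your own CA policy.

$caPolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
; Key length and lifetime applied when the root CA certificate is renewed.
; The lifetime of the initial certificate is set on the wizard's
; Set Validity Period page.
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10

; How often the root publishes its base CRL. No delta CRL: a root CA signs
; few certificates and revokes them rarely, so the delta only adds a second
; file that every client has to fetch.
CRLPeriod=Weeks
CRLPeriodUnits=1
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0

; Enterprise CA only: do not publish the default templates at setup. Each
; published template is an enrollment permission for some group, so publish
; only the templates you have reviewed (done in part two of the article).
LoadDefaultTemplates=0
'@

$target = Join-Path $env:windir 'CAPolicy.inf'
if (Test-Path $target) {
    # Keep whatever a previous attempt left behind rather than overwriting it silently.
    Copy-Item $target "$target.bak" -Force
}
# Setup expects plain ANSI text; -Encoding ASCII writes no byte-order mark.
Set-Content -Path $target -Value $caPolicy -Encoding ASCII

# Show what the wizard will read.
Get-Content $target
```

Run it once on mstipca01 before clicking Add Roles. LoadDefaultTemplates=0 is the line that matters most on an enterprise CA: it is far easier to publish the two or three templates you need later than to audit and remove the dozen the wizard would otherwise publish for you.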
For the CA installation we log on to the mstipca01 server as a domain administrator (setup of an enterprise CA writes to the Configuration partition of the forest, so the account must be a member of Enterprise Admins or of Domain Admins in the forest root domain) and open Server Manager via Start -> Administrative Tools -> Server Manager. We click the Add Roles link in the Roles Summary section (Figure 1), tick the Active Directory Certificate Services checkbox on the Select Server Roles page (Figure 2) and press Next twice.
Figure 1: Add Roles link
Figure 2: Selection of the desired roles
We tick the Certification Authority checkbox on the Select Role Services page and press Next (Figure 3). On the next page, Specify Setup Type, we select Enterprise (Figure 4), and pressing Next brings up the Specify CA Type page, where we select Root CA and press Next (Figure 5). In this basic lab scenario the root CA is therefore an online enterprise CA; in the five-server design mentioned above the root would be a stand-alone CA kept offline, and only the subordinate CA would be an enterprise CA.
Figure 3: Selection of the desired role services
Figure 4: Setup type selection
Figure 5: CA type selection
We accept the defaults on the next two pages, Set Up Private Key and Configure Cryptography for CA (Figures 6 and 7). In this wizard the defaults are the Microsoft Software Key Storage Provider with a 2048-bit RSA key and the SHA1 hash algorithm; SHA1 signatures are no longer accepted by current browsers and operating systems, so for a CA built today select SHA256 on the Configure Cryptography page and keep a key of at least 2048 bits. Then we enter the common name MstipRootCA01 on the Common Name for this CA page and press Next (Figure 8).
Figure 6: Generating private key
Figure 7: Cryptography selection
Figure 8: Common name for the CA
The next two pages, Set Validity Period and Configure Certificate Database, are also passed with their default values (five years for the root CA certificate, and the database and its log in %windir%\system32\CertLog) by pressing Next (Figures 9 and 10), and we press Install on the final Confirm Installation Options page (Figure 11). This completes the CA installation.
Figure 9: Validity period decision
Figure 10: Location where the CA database will be hosted
Figure 11: Confirmation page
After the installation, I come across a warning message in the Active Directory Certificate Services event log (Figure 12). It says that we have to check whether the CA certificate has been published to Active Directory, and it gives the command to do so. When we run the command, the certificate is shown (Figure 13), which means the new CA certificate has been published to AD successfully.
Figure 12: Warning message
Figure 13: Control of the certificate
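The same check, plus a few settings the wizard does not cover, as an added PowerShell example that is not from the original article. It assumes the CA configuration string mstipca01.mstip.com\MstipRootCA01 and the forest mstip.com, and that it is run on the CA server as a CA administrator; the issued-certificate lifetime and CRL schedule are example values.

```powershell
# Added example (not from the original article). Assumptions: CA config string
# mstipca01.mstip.com\MstipRootCA01, forest mstip.com, run on the CA as an
# administrator of the CA. Lifetimes and CRL schedule are example values.

$caConfig = 'mstipca01.mstip.com\MstipRootCA01'
$caName   = 'MstipRootCA01'

# 1. Is the CA service answering DCOM requests at all?
$ping = certutil -config $caConfig -ping 2>&1
if ($LASTEXITCODE -ne 0) { throw "CA $caConfig is not responding:`n$ping" }
Write-Host "CA $caConfig is online"

# 2. Did setup publish the CA certificate to the forest's Configuration partition?
#    Each container is something clients actually read, so check all of them.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"
$containers = @{
    'Certification Authorities' = "CN=$caName,CN=Certification Authorities,$pkiBase" # pushed to every member's Trusted Root store
    'AIA'                       = "CN=$caName,CN=AIA,$pkiBase"                       # LDAP AIA location used for chain building
    'Enrollment Services'       = "CN=$caName,CN=Enrollment Services,$pkiBase"       # marks the CA as an enterprise CA clients may enroll from
    'NTAuthCertificates'        = "CN=NTAuthCertificates,$pkiBase"                   # CAs whose certificates are accepted for smart-card logon
}
foreach ($entry in $containers.GetEnumerator()) {
    $path = "LDAP://$($entry.Value)"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        Write-Warning "$($entry.Key): object missing"
        continue
    }
    $obj   = [ADSI]$path
    $found = $false
    $thumb = $null
    foreach ($blob in $obj.psbase.Properties['cACertificate']) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,[byte[]]$blob)
        if ($cert.Subject -match "CN=$caName") { $found = $true; $thumb = $cert.Thumbprint }
    }
    if ($found) { Write-Host "$($entry.Key): OK (thumbprint $thumb)" }
    else        { Write-Warning "$($entry.Key): certificate of $caName not found" }
}
# If a container is missing the certificate, republish it from the CA's own copy
# in %windir%\system32\CertSrv\CertEnroll (file name is <server>_<CA name>.crt):
#   certutil -dspublish -f <that .crt file> RootCA
#   certutil -dspublish -f <that .crt file> NTAuthCA

# 3. Settings the wizard never asks about: how long issued certificates live,
#    the CRL schedule, and auditing of every CA operation (the registry filter
#    alone does nothing until the audit subcategory is switched on as well).
certutil -setreg CA\ValidityPeriodUnits 2
certutil -setreg CA\ValidityPeriod "Years"
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLOverlapUnits 2
certutil -setreg CA\CRLOverlapPeriod "Days"
certutil -setreg CA\AuditFilter 127
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# Registry changes take effect after a service restart; then publish a CRL on the new schedule.
Restart-Service CertSvc
certutil -CRL
```

The four LDAP containers are checked separately because they fail independently: a CA whose certificate is in Certification Authorities but not in NTAuthCertificates will be trusted for TLS but rejected for smart-card logon, which is a confusing failure to chase later. AuditFilter 127 enables all seven CA audit categories (backup, configuration changes, issued and revoked certificates, CA start/stop, security changes and key archival), which is the record you will want when reviewing who issued what.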
Having finished the installation of the enterprise root CA, we can install the Online Responder service. We are going to use the same server for it. The Online Responder requires IIS, but the wizard installs the IIS role services it needs automatically. We open Server Manager, go to the Roles section and click the Add Role Services link (Figure 14). We select the Online Responder checkbox on the Select Role Services page; an additional dialog opens which warns us that IIS and RSAT components are required (Figure 15). After selecting Add Required Role Services we press Next three times, and on the final Confirm Installation Options page we press Install to finish the installation (Figure 16).
Figure 14: Installation of Online Responder service
Figure 15: “Add required Role Services” warning screen
Figure 16: Confirmation page
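The Online Responder role service can also be added from PowerShell with the ServerManager module. The following is an added example, not part of the original article; it assumes the CA role is already installed on mstipca01 and that the server runs an edition from the table above that supports the Online Responder.

```powershell
# Added example (not from the original article): install the Online Responder
# role service from the command line instead of the Add Role Services wizard.
# Assumes mstipca01 already hosts the CA and runs Enterprise or Datacenter edition.

Import-Module ServerManager

# The responder belongs next to a working CA; stop early if the role is not there.
if (-not (Get-WindowsFeature ADCS-Cert-Authority).Installed) {
    throw 'Install and configure the Certification Authority role service first'
}

# Add-WindowsFeature resolves the IIS and RSAT dependencies the wizard warned
# about (Figure 15) on its own, so no separate Web-Server call is needed.
$result = Add-WindowsFeature ADCS-Online-Cert
if (-not $result.Success) {
    throw "Online Responder installation failed with exit code $($result.ExitCode)"
}
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'A reboot is required before the Online Responder can start'
}

# What landed: the role service, the IIS role it depends on, and the service itself.
Get-WindowsFeature ADCS-Online-Cert, Web-Server | Format-Table DisplayName, Installed -AutoSize
Get-Service OcspSvc | Format-Table Name, Status -AutoSize
```

At this point the Online Responder service (OcspSvc) is installed but has no revocation configuration yet, so it does not answer for our CA; that association is the subject of the second part of the article.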
That is all for now. We explained what certificate services are used for and the improvements that come with Windows Server 2008 R2, and we installed the Certification Authority and Online Responder services. In the second part of this article we will connect the two services to each other and create certificate templates. We will also issue certificates to computers and users and revoke them as well. Bye for now.