This post picks up where the last post left off. In the last post, we created a Windows Server 2008 R2 Active Directory Domain Controller and stopped short of going on to add Certificate Services into the mix.
If you’re not sure if you need certificate services for your environment, it never hurts to have it available. It does not add much overhead so for development environments and small businesses you can consider adding the role to a DC (domain controller) as we are here. Certificate Services will allow you to issue certificates to your internal resources, use client/server certificates for authentication, and set up SSL enabled websites.
I believe best practice is, and I’m sure someone will correct me if I’m wrong, to set up an Enterprise Root CA (Certificate Authority), then set up one or more subordinate CA’s. You can then make your Root CA unavailable for access and have the subordinates handle all of the traffic without fear of compromising your Root CA. In this tutorial, we’ll just be installing and configuring a Root CA, but the process is basically the same for the subordinates.
Now that you’ve got some background information, onto the installation/configuration of Windows Server 2008 R2 Certificate Services.
In ‘Server Manager’, select Roles in the left pane, then Add Roles in the right pane. Place a check mark in the checkbox for Active Directory Certificate Services. Then click Next.
On the ‘Introduction to Active Directory Certificate Services’ window, you can read up on the certificate services technology, how to manage a CA, and naming. Click Next.
On the ‘Select Role Services’ page, make sure Certification Authority is selected, then select Certification Authority Web Enrollment, when the ‘Add Roles Wizard’ window appears click the Add Required Role Services button. Click Next.
On the ‘Specify Setup Type’ page, leave Enterprise selected. Click Next. On the ‘Specify CA Type’ page, leave Root CA selected and click Next. On the ‘Set Up Private Key’ page, leave Create a new private key selected and click Next.
On the Configure Cryptography for CA page, you can leave the defaults selected or adjust as necessary for your needs. You can also pause here and research the providers and hashes as necessary, but for this tutorial and most environments, the default will suffice. Click Next.
On the ‘Configure CA Name’ page, set the common name to the same as the server name since this server is a domain controller. This is an acceptable practice. Leave the ‘Distinguished name suffix’ alone. Click Next.
On the ‘Set Validity Period’ page, feel free to adjust the validity period or leave the default. This should be adjusted based on your needs. Click Next. On the ‘Configure Certificate Database’ page, you can adjust the paths or leave the defaults set. Click Next.
Next we see the ‘Web Server (IIS)’ page. You can read the description and check out the links listed on the page if you’d like. Click Next.
On the ‘Select Role Services’ page, leave the defaults selected. Click Next. On the ‘Confirm Installation Selections’ page, you can review your choices, go back and make changes, or click Install. After the ‘Installation Progress’ page finishes, you can view your ‘Results’.
You’ve now got a domain controller that is capable of issuing certificates to your servers and users. You can go back through the wizard and install additional CA components, for example, that will allow you to issue certificates to users and computers that are not part of your domain. That option is called ‘Certificate Enrollment Web Service’.