29 C
Dubai
Wednesday, December 11, 2024

Install and Configure Certificate Authority in Windows Server 2016

We will see below topics in this article

  • Install Certificate Authority on Windows Server 2016
  • Configuring Certificate Authority on Windows Server 2016
  • Assigning Certificate on Exchange Server 2016
  • Assigning on Test Machine to see Certificate authority is working for Outlook Web Access

Step 1:

You need to have this role installed to have a  Certificate Authority

Preferred to be on Dedicated Server or on a Domain Controller.

Open Server Manager – Manage – Add Roles and Features

image

Step 2:

Choose : Active Directory Certificate Services

Choose Next

And Choose : Certification Authority Web Enrollment

image

Choose :

  • Certification Authority
  • Certification Authority Web Enrollment

image

Choose Install and Close

image

Step 3:

To Configure Active Directory Certificate Services – Choose the Exclamation Mark on the Flag

Configure Active Directory Certificate Services on the Destination Server

image

Choose Next

image

Choose

  • Certificate Authority
  • Certification Authority Web Enrollment

image
Choose Enterprise CA

  • Enterprise CAs Must be domain members and are typically online to issue certificates or certificate policies.

image

Step 4:
Choose Root CA

Root CAs are the first and may be the only CAs Configured in a PKI Hierarchy.

image

Step 5:
Create a new Private key

image

Step 6:

  • Use SHA256
  • RSA#Microsoft Software Key Storage Provider
  • Key Length – 2048

image

Step 7:

Click Next

image

Step 8:
By Default Certificate is valid for 5 years , Don’t make any changes on it , Click next

image

Step 9:

Specify Certificate Authority Default Database Locations

image

Click Configure

image

Choose Configure

image

We have successfully Installed and Configured – Certificate Authority on Windows Server 2016

Let us see how to Request a Create a Simple Cert from Internal Certificate Authority

Step 10:

Browse http://localhost/certsrv/

You would see a page below like this , Choose “Request a Certificate”

image

Step 11 –
Click on Advanced Certificate Request

image

Step 12:
Choose the Second one
Submit a certificate request by using a base-64-Encoded CMCimage

Step 13:

Now Copy the  Note pad Certificate Request Data – You have to generate a Certificate Request from the application. For example how we are doing in exchange server

https://www.azure365pro.com/how-to-create-an-ssl-certificate-request-for-exchange-server-2013/

Or you can use https://www.digicert.com/util/

Example – Data Should be like below –

—–BEGIN NEW CERTIFICATE REQUEST—–
MIIEXDCCA0QCAQAwgYAxHTAbBgNVBAMMFGV4Y2gyMDE2LmNsb3VkaWQuYml6MRYw
FAYDVQQLDA1FeGNoYW5nZSBUZWFtMRUwEwYDVQQKDAxDYXJlRXhjaGFuZ2UxETAP
BgNVBAcMCE5ldyBZb3JrMRAwDgYDVQQIDAdOZXcgWW9yMQswCQYDVQQGEwJVUzCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKXVbwTkx4zhUobUvODoSwf1
8b0ti+dQ/WAoJPHlcSTW4weE5vVwQZbjtTqRhHOAOFEDYDnwZhuU1fOjjro+B2B3
zMTlvq0x7JJPsA9Zc611p+slYeTs/pI8hT9Ud2FgbwE3veF5u2uVw6/lbZdA20yU
ZizIsCJkq9Qo2hLpMji3MB4eFRtyvd1eQpCJPnqseUdRVzfdSwN2zf0U7UQCzzG+
q7bL1Pb2jfjFlhr5xb9/RfpaR/U3TmVHjf3/u49mK1JOBuJwJQVCK/HBYHfMPOp6
VEjt8IVApclOE7tZcR3DjjyF73tHYfxUJp2HuVWml/UVemKIcSfVYOcGofNrF88C
AwEAAaCCAZQwGgYKKwYBBAGCNw0CAzEMFgo2LjIuOTIwMC4yMF8GCSsGAQQBgjcV
FDFSMFACAQUMFEVYQ0gyMDE2LkNsb3VkaWQuYml6DBFDTE9VRElEXEVYQ0gyMDE2
JAwiTWljcm9zb2Z0LkV4Y2hhbmdlLlNlcnZpY2VIb3N0LmV4ZTByBgorBgEEAYI3
DQICMWQwYgIBAR5aAE0AaQBjAHIAbwBzAG8AZgB0ACAAUgBTAEEAIABTAEMAaABh
AG4AbgBlAGwAIABDAHIAeQBwAHQAbwBnAHIAYQBwAGgAaQBjACAAUAByAG8AdgBp
AGQAZQByAwEAMIGgBgkqhkiG9w0BCQ4xgZIwgY8wDgYDVR0PAQH/BAQDAgWgMFAG
A1UdEQRJMEeCFGV4Y2gyMDE2LmNsb3VkaWQuYml6ghhBdXRvRGlzY292ZXIuQ2xv
dWRpZC5iaXqCCEVYQ0gyMDE2ggtDbG91ZGlkLmJpejAMBgNVHRMBAf8EAjAAMB0G
A1UdDgQWBBQWEHXi+M7zoQZ3FlnOeRqsRscG0jANBgkqhkiG9w0BAQUFAAOCAQEA
FlYjkXO1rxadJmNB9g9KEqWU7NlxC3UdX2zyqWwK06cDB3/k+ThKBiYE7uoiaais
YqlE6yoT3T09Nf+rihH8DfS+of14oMYQTKo9By9VdisD6R/iztY05StbVoSambRk
jnOohs1z4v3itufuEzQaqf8Q0Qu8w2xsVVRZx2t0SKfktPASqOzJZEIRS6egqELH
h9dkQBjsdOaTSsqapJXiHpMN53wxXNoztO6mWSVtPzgbfML0+NLT41ZBiIAMjyIj
ztp61S/7O5dfoR9St0cwzaxWSZ5XPriJzKfYQ3dRvl+j/e1gi/rJmw9IUyWGQ2qz
27HqRbsEa/LqFharKDjeBw==
—–END NEW CERTIFICATE REQUEST—–

SavedReqest – (NEW CERTIFICATE REQUEST Data like above)
Choose Template : WebServer

Choose Submit

image

Step 14:
Choose “Base 64 encoded”

Download Certificate

image

Step 15:
Save the Certificate – should be .cer extension

image

Lets how we are applying on Exchange 2016 for Example

image

Copied my Request .CER File generated from CA to the Exchange and using it.

image

Shows Certificate Invalid.

image

Lets see why.

1 – Start – MMC –FILE – Add/Remove Snap-In

2 – choose certificates – Add

3 – Computer Account

4 – Local Computer

5 – Expand Personal – Certificates / Expand Trusted Root Authorities Certificates

image

Now Login to Root CA Server and Export the Root CA.

image

Now login to Exchange Server Import the export cert.

image

Now Certificates looking ok

Make sure you Assign the Certificate for IIS in Exchange Control Panel.

image

Now you can see things are fine locally on Exchange 2016 server –

image

– Lets see how we can use on Desktop

First Login to Exchange Server MMC and Export the Certificate with all the certificate path into a PFX file.

Note : The desktop doesn’t need the private keys from any certificate in the chain.

Having the private key gives the ability to decrypt all the traffic between the client and the server even if that traffic is coming from someone else. It also makes a man in the middle attack on this SSL connection possible.

On 2 : For End user desktops – Choose do no export private key and use that certificate for import.

 

image

 

image

Now we have the PFX File Exported.

Open MMC and Import or Install PFX Desktop.

image

image

Now browsing the URL –

image

Satheshwaran Manoharan
Satheshwaran Manoharanhttps://www.azure365pro.com
Award-winning Technology Leader with a wealth of experience running large teams and diversified industry exposure in cloud computing. From shipping lines to rolling stocks.In-depth expertise in driving cloud adoption strategies and modernizing systems to cloud native. Specialized in Microsoft Cloud, DevOps, and Microsoft 365 Stack and conducted numerous successful projects worldwide. Also, Acting as a Technical Advisor for various start-ups.

Related Articles

9 COMMENTS

  1. You make one big mistake in this tutorial, you’re exporting the private key to the desktop. As the name “private” key says, you should never export this one outside of the server that uses the certificate and keep it private. Only export the public keys to deploy them on the desktop’s. The desktop doesn’t need the private keys from any certificate in the chain.

    Having the private key gives the ability to decrypt all the traffic between the client and the server even if that traffic is coming from someone else. It also makes a man in the middle attack on this SSL connection possible.

  2. I read the comments and while they are valid, I personally appreciate the fact that someone has taken the time out and out in some effort to produce this document.

    This gives users who are not aware of the technology some perspective on its purpose.

  3. Great Tutorial. Keep up the good work
    I would like to know if this needs be configured in a standalone server, or it needs to be in the domain controller for example. Or it need to have any additional roles like DNS.

    Thanks and best Regards

    • Reply to JP:
      If you need the cert server to be online to issue certificate, it should be installed server which is a member of the domain. This does not have to be a DC.

  4. Sorry to be pickt, but you should never ever have you Root CA online and within your CA!
    The Root CA should always be offline and not in the domain.
    This would be the Job of an intermediate or issue CA.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

× How can I help you?