
Adding the Active Directory Certificate Services

Microsoft’s Certificate Services enables you to issue, renew, and revoke digital certificates. Certificate Services is added to Windows Server 2008 via the Add Roles Wizard.

1. From the Initial Configuration Tasks window or the Server Manager (with the Roles node selected), click Add Roles. The Add Roles Wizard opens.

2. In the Roles list, select Active Directory Certificate Services (see Figure 22.5). Then click Next.

Figure 22.5. Add Active Directory Certificate Services to the server.

3. On the next wizard page, a short description of Active Directory Certificate Services (AD CS) is provided. Links to additional information on AD CS are also included. After taking advantage of the links, click Next to continue.

4. On the next page, the services associated with AD CS are listed. Click the Certification Authority check box (other optional services are also available; see the By the Way that follows). Click Next to continue.

By the Way

AD CS has other role services besides the Certification Authority. Certification Authority Web Enrollment provides a web interface where users can request and renew certificates; it requires Internet Information Services (IIS) on the server (see Hour 23, “Using the Internet Information Services,” for more about IIS). The Online Responder answers Online Certificate Status Protocol (OCSP) queries, so clients can check whether a particular certificate has been revoked without downloading the CA’s full certificate revocation list (CRL); it also requires IIS. The Network Device Enrollment Service (NDES) lets network devices such as routers and switches, which have no domain accounts of their own, obtain certificates through the Simple Certificate Enrollment Protocol (SCEP).

5. On the next screen (see Figure 22.6), you must specify the type of Certification Authority (CA) that you want to set up: Enterprise or Standalone. An Enterprise CA requires Active Directory Domain Services (and uses Group Policy to distribute its certificate to domain members). It authenticates requesters with their domain accounts, issues certificates from certificate templates stored in Active Directory, and can be installed on a domain controller or a domain member server. A Standalone CA does not require Active Directory; requesters supply their identifying information with the request, and by default an administrator must approve each request manually before a certificate is issued. For the sake of discussion, select Enterprise and then click Next.

Figure 22.6. Select the CA type: Enterprise or Standalone.

6. On the next page, select one of the following:

  • Root CA— This CA sits at the top of your certificate hierarchy and signs its own certificate. Active Directory is required to create an enterprise root because the CA serves your entire forest.
  • Subordinate CA— If you already have a root CA established, you can create subordinate CAs beneath it. A subordinate CA’s own certificate is issued and signed by the root CA (or by another CA above it in the hierarchy), so clients that trust the root also trust the subordinate.

Click Next to continue.

Did you Know?

When you create a Standalone CA, you must also specify whether the CA is to be a root or subordinate. A common production design is a Standalone root CA that is kept offline (powered off or disconnected) and one or more Enterprise subordinate CAs that do the day-to-day issuing; if an online issuing CA is compromised, the root itself is not, and only the subordinate has to be revoked and rebuilt.

7. Each CA must be configured with a private key. You have the option of creating a new key for the CA or using an existing key (the existing-key option is for rebuilding or restoring a CA whose key and certificate you have backed up). Again, for the sake of discussion, let’s create a new private key. Select the Create a New Private Key option and then click Next.

8. On the next wizard page, you must select the cryptographic service provider (CSP), the key length, and the hash algorithm the CA will use to sign certificates (see Figure 22.7). Use the drop-down list to select a CSP (you can go with the default). Then select a hash and adjust the key length if you wish. Choose carefully: the CSP and key length are fixed for the life of the CA key, and the hash algorithm is what every certificate and CRL this CA issues will be signed with. Then click Next.

Figure 22.7. Select the CSP, hash, and key length.

By the Way

The cryptographic service provider (or, with CNG, the key storage provider) generates the CA’s private key, stores it, and performs the signing operations with it, so the private key itself never has to leave the provider. The hash algorithm (also called a message digest) is used when the CA signs a certificate: the CA hashes the certificate’s contents and signs that hash with its private key. Anyone holding the certificate can recompute the hash and verify the signature with the CA’s public key, so any tampering with the certificate is detected. A longer key makes the CA’s private key harder to derive from its public key, at the cost of slower signing and verification; 2048 bits is the practical minimum for an RSA CA key today, and an older hash such as MD5 or SHA-1 should be avoided for a new CA wherever your clients support SHA-2.

9. On the next wizard page, you must configure the CA name. By default the name is provided and is in the following format: domain-server name-CA. CA names cannot be more than 64 characters. If you are going to deploy a root CA and additional subordinate CAs, you may want to establish your own hierarchical naming convention, taking into account that the subordinate CAs are dependent on the root CA. After entering the CA name (or going with the default), click Next.

By the Way

The name that you create on the CA server becomes the common name for the server and is included with every certificate that the CA issues. After you name the CA server, you can’t change the name unless you remove the AD CS role and then reinstall it.

10. On the next page, you set the validity period of the certificate that will be generated for this CA itself (for a root CA, its self-signed root certificate). The validity period can be in years, months, weeks, or days. Specify a number (the default is 5) and the interval (the default is Years) and then click Next. Keep in mind that no certificate this CA issues can be valid beyond the expiry of the CA’s own certificate, so the CA certificate has to be renewed before that date.

11. On the next page, you set the location of the certificate database and of its transaction log. By default both are stored in C:\Windows\System32\CertLog (that is, %SystemRoot%\System32\CertLog). You can go with the defaults or use the Browse buttons to set the certificate database location and the certificate log location. Click Next.

12. The Confirmation page provides a list of the selections that you made to add the CA to the server. Click Install.

When the installation is completed, you can click Close (to close the Add Roles Wizard). After you have installed AD CS, you will find that the Active Directory Certificate Services role has been added to the Server Manager (see Figure 22.8). Clicking the role provides you with a quick look at any events that have been logged related to the service, and you can also view what services associated with the role are running.
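Once the wizard has finished, it is worth confirming that the CA actually ended up with the choices made in steps 8, 10 and 11 (provider, hash and key length; CA certificate validity; database and log paths) and that its certificate chains to a trusted root, because the key length and provider cannot be changed afterwards without a new CA key. The script below is an added example, not code from the book or from Microsoft. It assumes it is run in an elevated PowerShell prompt on the CA itself, that certutil.exe (shipped with Windows) is available, and that the CA key is RSA (the wizard’s default provider). The thresholds ($MinKeyBits, $WeakHashPattern, $MinYearsLeft) are this example’s own policy assumptions, not values from the book, and the certutil output is shown as the tool reports it.

```powershell
# Post-installation check for a newly installed AD CS Certification Authority.
# Added example (not from the book). Run in an elevated PowerShell prompt on the CA.
# Assumes certutil.exe is available, the CA service (CertSvc) is installed, and the
# CA key is RSA. The thresholds below are this example's own policy assumptions.

$MinKeyBits      = 2048                    # flag CA keys shorter than this
$WeakHashPattern = '^(md2|md4|md5|sha1)'   # signature hashes to flag
$MinYearsLeft    = 1                       # warn when the CA certificate is near expiry
$findings        = @()

# 1. The CA service must be running before certutil can query it.
$svc = Get-Service -Name CertSvc -ErrorAction Stop
if ($svc.Status -ne 'Running') { throw "CertSvc is $($svc.Status); start it before checking the CA." }

# 2. Name and type as the CA reports them (Enterprise/Standalone, Root/Subordinate).
certutil -cainfo name | Where-Object { $_ -match '^CA name' }
certutil -cainfo type | Where-Object { $_ -match '^CA type' }

# 3. Provider and hash the CA signs with (chosen in step 8). A legacy CSP records
#    HashAlgorithm; a CNG key storage provider records CNGHashAlgorithm.
certutil -getreg ca\csp | Where-Object { $_ -match 'Provider|HashAlgorithm' }

# 4. Database and transaction log locations (chosen in step 11).
certutil -getreg ca\DBDirectory    | Where-Object { $_ -match 'DBDirectory' }
certutil -getreg ca\DBLogDirectory | Where-Object { $_ -match 'DBLogDirectory' }

# 5. Export the CA's own certificate and inspect it with .NET.
$cerPath = Join-Path $env:TEMP 'ca-check.cer'
certutil -ca.cert $cerPath | Out-Null
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath

"Subject       : $($caCert.Subject)"
"Issuer        : $($caCert.Issuer)"
"Signature alg : $($caCert.SignatureAlgorithm.FriendlyName)"
"Valid         : $($caCert.NotBefore) to $($caCert.NotAfter)"

# Key length of the CA's RSA public key (fixed for the life of this key).
$keyBits = $caCert.PublicKey.Key.KeySize
"Key length    : $keyBits bits"
if ($keyBits -lt $MinKeyBits) {
    $findings += "CA key is $keyBits bits; re-create the CA key with at least $MinKeyBits bits"
}

# Hash used to sign this certificate. On a root CA it is the hash chosen in step 8;
# on a subordinate CA it is whatever the parent CA used, so also read the registry value above.
if ($caCert.SignatureAlgorithm.FriendlyName -match $WeakHashPattern) {
    $findings += "CA certificate is signed with $($caCert.SignatureAlgorithm.FriendlyName); prefer SHA-256 or stronger"
}

# Validity period chosen in step 10. Certificates this CA issues cannot outlive this date,
# so the CA certificate must be renewed well before it.
$yearsLeft = ($caCert.NotAfter - (Get-Date)).TotalDays / 365.25
if ($yearsLeft -lt $MinYearsLeft) {
    $findings += ('CA certificate expires in {0:N1} years; renew it' -f $yearsLeft)
}

# 6. Does the CA certificate chain to a trusted root on this machine? A root CA's own
#    certificate is placed in the Trusted Root store during installation; a subordinate
#    CA must chain to its parent, and a failure here usually means the parent's
#    certificate or CRL cannot be found.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($caCert)) {
    foreach ($st in $chain.ChainStatus) {
        $findings += "Chain problem: $($st.Status) - $($st.StatusInformation.Trim())"
    }
}

if ($findings.Count -eq 0) { "No findings." } else { $findings | ForEach-Object { "FINDING: $_" } }
Remove-Item $cerPath -ErrorAction SilentlyContinue
```

Run it once right after installation and again whenever the CA certificate is renewed. Anything reported as a FINDING on a freshly installed root CA is a reason to remove the role and rerun the wizard now, before the CA has issued anything, rather than to live with a weak key or hash for the next five years.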

Figure 22.8. The AD CS role is added to the Server Manager.

When you expand the Active Directory Certificate Services node, you are provided access to the Certification Authority (by clicking the name of your CA server in the node tree) and other tools related to AD CS, such as the Certificate Templates snap-in.

You will also find that the Certification Authority (CA) snap-in has been added to the server’s administrative tools (Start, Administrative Tools, Certification Authority). So, you can configure and manage your CA server from either the Server Manager or the Certification Authority snap-in in the MMC.
