How to set up a Microsoft CA on Windows Server 2016 – pictorial representation

We are going to set up a Microsoft CA on Windows Server 2016. This article gives a step-by-step pictorial walkthrough of how to set up the CA. Yes, the article is pretty long, but the pictures will make your work simpler.

Set up a Microsoft CA:

These are the three steps to set up the Microsoft CA:

a. Install Certificate Authority on Windows Server 2016

b. Configuring Certificate Authority in Windows Server 2016

c. Setting up OCSP.

Prerequisites:

  1. The server must be joined to the domain.
  2. The server must be licensed.

Steps to set up the Microsoft CA:

a. Install Certificate Authority on Windows Server 2016

  1. Open Server Manager

2. Select Add Roles and Features and Click Next

3. Select the installation type Role-based or feature-based installation:

4. Select the server from the server pool:

5. Select Active Directory Certificate Services – select it and click Next -> Add Features

6. We are installing Certification Authority, Certification Authority Web Enrollment and Online Responder as the role services.

What is Online Responder?

It is a role service that runs on the server. Whenever a client uses a certificate, it checks whether the certificate is valid or not, so we can monitor the validity of the certificates in the environment:

Now in AD-CS click -> Next

7. Select the role services Certification Authority, Certification Authority Web Enrollment and Online Responder.

8. We are enabling the Web Server Role (IIS):

9. Select the below roles as per the Web Server Role:

10. Click -> Next. We successfully installed the Certificate Authority Role on the machine.

b. Configuring Certificate Authority in Windows Server 2016

1. Now we must do the post-install configuration. Click on the flag icon at the top right corner of the page and select Configure AD Certificate Services.

2. Select the Super user Administrator account as credentials.

3. Go to Role Services -> Select Certification Authority -> Next

4. Now select Setup Type -> Enterprise CA to make sure that it can issue certificates

5. Select CA type -> Root CA – this will be the first and maybe the only Certificate Authority.

6. Select Private Key -> Create a New private key (We are selecting this option because we do not have a private key).

7. In the Cryptography options

Cryptographic Provider : RSA#Microsoft Software Key Storage Provider

Key Length: 2048

Hash Algorithm for signing certificates: 2048

8. Create the CA Name -> Next

9. Select the validity period for the root certificate as 10 years.

10. Select the location to save the certificate database.

11. Confirm all the details and click -> Configure

12. Certificate Authority configuration is successful.

13. Let’s continue to configure Certificate authority Web Enrollment, Online responder.

14. Confirm the roles and click -> Configure

15. Configuration of Certificate authority Web Enrollment and Online responder is successful.

c. Setting up OCSP:

  1. Click on Start -> mmc (Microsoft Management Console)

2. Click on File -> Add/Remove snap-in or Press Ctrl + M.

3. Select -> Certificate templates, Click on Add to the console

4. Now click on Certificates, Click on Add

5. Select Certificates Snap-in -> Computer account

6. If the Certificate Authority is installed on a different machine, use Another computer. In our case we have the Certificate Authority on this server, so we select Local computer.

7. Select Certification Authority, click -> Add and click OK

8. Select -> Certification Authority, expand it, select Certificate Templates, right-click and choose Manage

9. Select OCSP Response Signing -> Properties

10. Select the Security tab -> click on Add

11. Click on Object Types and select Computers

12. Select the server AD machine, click on Check Names and then click -> OK

13. Select AD server and provide Full control

14. Select the gsslabs-CA, right click and select properties

15. Select -> Extensions tab

16. Select AIA (Authority Information Access):

17. Click on ADD -> Enter the location as https://ad.gsslabs.org/ocsp -> click OK

18. Click OK -> Click on yes to restart the services.

Now your Certificate Authority is completely configured. This CA can be used to provide certificates to the machines and the website.
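
The wizard steps in parts a and b, and the AIA change in part c (steps 14 to 18), can also be scripted and read back for checking. The PowerShell below is an added example, not part of the original article, and it does not cover the template permission change in part c, steps 9 to 13. The CA name and OCSP URL are taken from the steps above; the SHA256 hash algorithm is an assumption, because the article does not name one.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the wizard steps above. Run on the server
# that will host the CA, signed in with an account allowed to install an Enterprise CA.

$CaName  = 'gsslabs-CA'                    # CA name shown in part c, step 14
$OcspUrl = 'https://ad.gsslabs.org/ocsp'   # location entered in part c, step 17
$HashAlg = 'SHA256'                        # assumption: the article does not name the hash algorithm

# Prerequisite 1: an Enterprise CA needs a domain-joined server.
if (-not (Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    throw 'This server is not joined to a domain; an Enterprise CA cannot be installed.'
}

# Part a: install the three role services (dependencies such as IIS are added automatically).
$features = 'ADCS-Cert-Authority', 'ADCS-Web-Enrollment', 'ADCS-Online-Cert'
$result = Install-WindowsFeature -Name $features -IncludeManagementTools
if (-not $result.Success) { throw 'Role installation failed.' }

# Part b, steps 3-12: Enterprise root CA, new 2048-bit RSA key, 10-year validity.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName $CaName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName $HashAlg `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -Force

# Part b, steps 13-15: configure Web Enrollment and the Online Responder.
Install-AdcsWebEnrollment -Force
Install-AdcsOnlineResponder -Force

# Part c, steps 14-18: publish the OCSP location in the AIA extension, then restart the CA.
Add-CAAuthorityInformationAccess -Uri $OcspUrl -AddToCertificateOcsp -Force
Restart-Service -Name CertSvc

# Check: read back what the CA will now stamp into the certificates it issues.
Get-CAAuthorityInformationAccess | Format-Table Uri, AddToCertificateOcsp
certutil -getreg CA\CSP\CNGHashAlgorithm
```

The last two commands only read configuration, so they can be run on their own after the GUI procedure to confirm the OCSP URL and the signing hash algorithm the CA is actually using.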
