How to set up a Microsoft CA on Windows Server 2016 – pictorial representation

We are going to set up a Microsoft CA on Windows Server 2016. This article is a step-by-step pictorial walkthrough of the setup; it is long because of the screenshots, but they make the work simpler.

Set up a Microsoft CA:

The three steps to set up the Microsoft CA are:

a. Install the Certificate Authority on Windows Server 2016

b. Configure the Certificate Authority in Windows Server 2016

c. Set up OCSP (the Online Responder)

Prerequisites:

1. The server must be joined to the domain.
2. License the server.

Steps to set up the Microsoft CA:

a. Install the Certificate Authority on Windows Server 2016

1. Open Server Manager.

2. Select Add Roles and Features and click Next.

3. Select the installation type Role-based or feature-based installation.

4. Select the server from the server pool.

5. Select Active Directory Certificate Services, click Add Features, then Next.

6. Under Role services we select Certification Authority, Certification Authority Web Enrollment and Online Responder.

What is the Online Responder?

It is the OCSP (Online Certificate Status Protocol) service of AD CS. When a client validates a certificate it asks the responder whether that specific certificate has been revoked, and the responder returns a signed status answer instead of making the client download and parse the CA's whole CRL. Running it is what gives clients in the environment an online revocation check for every certificate this CA issues.

On the AD CS page click Next.

7. Because Web Enrollment and the Online Responder are web applications, the wizard adds the Web Server Role (IIS); accept it.

8. Accept the IIS role services the wizard pre-selects for the Web Server Role.

9. Click Next, then Install. The Certificate Authority role is now installed on the machine.

b. Configure the Certificate Authority in Windows Server 2016

1. Now we must do the post-install configuration: click the flag icon in the top right corner of Server Manager and select Configure Active Directory Certificate Services.

2. Supply credentials for the configuration. An Enterprise CA is registered in Active Directory, so the account must be a member of Enterprise Admins; the domain Administrator account used here is one.

3. Go to Role Services, select Certification Authority and click Next.

4. Setup Type: Enterprise CA. An Enterprise CA is integrated with Active Directory, which is what lets it issue certificates from certificate templates and support auto-enrollment; a standalone CA can also issue certificates, but without templates.

5. CA type: Root CA. This will be the first, and here the only, Certificate Authority. A single Enterprise root CA is fine for a lab; for production the usual recommendation is a two-tier design with an offline root and an online issuing CA, so that the root key is not exposed on a domain-joined server.

6. Private key: Create a new private key (we select this option because we have no existing key to reuse).

7. Cryptography options:

Cryptographic provider: RSA#Microsoft Software Key Storage Provider

Key length: 2048

Hash algorithm for signing certificates: SHA256 (SHA1 is deprecated for certificate signatures; choose a SHA-2 algorithm)

Note that the software KSP keeps the root CA's private key on this server's disk, protected by DPAPI. For a production root an HSM-backed provider is preferable.

8. Enter the CA name and click Next.

9. Select the validity period for the root certificate: 10 years.

10. Select the location for the certificate database and its log.

11. Confirm all the details and click Configure.

12. Certification Authority configuration is successful.

13. Continue to configure Certification Authority Web Enrollment and the Online Responder.

14. Confirm the roles and click Configure.

15. Configuration of Certification Authority Web Enrollment and the Online Responder is successful.
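The same install and post-install configuration as sections a and b, done from an elevated PowerShell session on the domain-joined server. This is an added example and not part of the original article. It assumes the CA common name gsslabs-CA used later in the article; the database and log paths are placeholders to change as needed.

```powershell
# Added example (not from the original article). Run elevated, as a member
# of Enterprise Admins, on the domain-joined server that will host the CA.
# Assumptions: CA common name 'gsslabs-CA' (from the article); C:\CAData\*
# are placeholder paths for the database and log.

# a. Install the three role services plus their management consoles.
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment, ADCS-Online-Cert `
    -IncludeManagementTools

# b. Post-install configuration of the CA. The parameters mirror the wizard
# pages: Enterprise root CA, new key on the software KSP, RSA 2048, SHA256
# for signing, 10-year root validity, database and log locations.
New-Item -ItemType Directory -Path 'C:\CAData\DB', 'C:\CAData\Log' -Force | Out-Null

Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -CACommonName 'gsslabs-CA' `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -DatabaseDirectory 'C:\CAData\DB' `
    -LogDirectory 'C:\CAData\Log' `
    -Force

# Web Enrollment and the Online Responder take no extra parameters here.
Install-AdcsWebEnrollment -Force
Install-AdcsOnlineResponder -Force

# Checks: the CA service is running and answers requests, and the registry
# shows the provider and hash that were actually configured (CA\CSP lists
# Provider and CNGHashAlgorithm, which should read SHA256).
Get-Service -Name CertSvc
certutil -ping
certutil -getreg CA\CSP
```

Everything the wizard asks for is a parameter here, which makes the build repeatable and leaves a record of exactly which provider, key length and hash the root was created with.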

c. Setting up OCSP:

1. Click Start, type mmc (Microsoft Management Console) and open it.

2. Click File -> Add/Remove Snap-in, or press Ctrl + M.

3. Select Certificate Templates and click Add.

4. Select Certificates and click Add.

5. In the Certificates snap-in choose Computer account.

6. If the Certification Authority is on a different machine, choose Another computer; in our case the CA is on this server, so we select Local computer.

7. Select Certification Authority, click Add, then click OK.

8. Expand Certification Authority, right-click Certificate Templates and choose Manage.

9. Open the properties of OCSP Response Signing.

10. On the Security tab click Add.

11. Click Object Types and tick Computers.

12. Enter the name of the server that runs the Online Responder (the AD server here), click Check Names, then OK.

13. Select the AD server's entry and grant it Read, Enroll and, if the signing certificate should renew on its own, Autoenroll. That is all the responder needs to obtain its signing certificate. Full Control is more than it needs, because it would also let the computer account rewrite the template itself.

14. Back in the console select gsslabs-CA, right-click and choose Properties.

15. Open the Extensions tab.

16. In the Select extension list choose Authority Information Access (AIA).

17. Click Add, enter the location https://ad.gsslabs.org/ocsp and click OK. Then tick "Include in the online certificate status protocol (OCSP) extension" for the new entry; without that flag the URL is published as an ordinary AIA (CA Issuers) location and clients never query it for OCSP. Also check the scheme: the Online Responder's web proxy is served over plain HTTP by default (http://ad.gsslabs.org/ocsp). OCSP responses are signed, so HTTP is the normal transport, and an HTTPS URL would need its own certificate to be revocation-checked first. Enter the URL the responder actually serves.

18. Click OK, then Yes to restart Active Directory Certificate Services. Only certificates issued after this restart carry the OCSP URL.

The CA is now configured and can issue certificates to machines and websites. One piece remains before revocation checks work end to end: the Online Responder needs a revocation configuration (Online Responder Management console, ocsp.msc) that points at gsslabs-CA and uses the OCSP Response Signing template for its signing certificate.
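Section c done from an elevated PowerShell prompt on the CA, as an added example that is not part of the original article. It assumes the responder runs on the AD server from the article (ad.gsslabs.org, so the computer account is GSSLABS\AD$ under an assumed NetBIOS domain name of GSSLABS) and that the responder is reached at http://ad.gsslabs.org/ocsp; the template ACL is set to the least privilege the responder needs rather than Full Control.

```powershell
# Added example (not from the original article). Run elevated on the CA.
# Assumptions: NetBIOS domain GSSLABS, responder host AD (computer account
# GSSLABS\AD$), responder URL http://ad.gsslabs.org/ocsp. Plain HTTP is used
# on purpose: OCSP responses are signed, and an HTTPS URL would itself need
# a revocation check first.

$ConfigNC  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$Template  = [ADSI]"LDAP://CN=OCSPResponseSigning,CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNC"
$Responder = New-Object System.Security.Principal.NTAccount('GSSLABS', 'AD$')

# Steps 9-13: Read + Enroll + Autoenroll for the responder's computer account.
# Enroll and Autoenroll are AD extended rights with well-known GUIDs. This is
# everything the responder needs; Full Control would also let the account
# rewrite the template.
$EnrollRight     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollRight = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment
$Acl = $Template.psbase.ObjectSecurity
$Acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $Responder,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow)))
foreach ($Right in $EnrollRight, $AutoEnrollRight) {
    $Acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Responder,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $Right)))
}
$Template.psbase.CommitChanges()

# The responder can only enroll from a template this CA publishes.
certutil -SetCATemplates +OCSPResponseSigning

# Steps 14-18: add the responder URL to the AIA list with flag 32 (include in
# the OCSP extension). The two default entries are kept: 1 = publish the CA
# certificate to that location, 2 = include it in the AIA extension.
# certutil expands the literal \n into the multi-string separator.
$AiaUrls = @(
    '1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt',
    '2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11',
    '32:http://ad.gsslabs.org/ocsp'
)
certutil -setreg CA\CACertPublicationURLs ($AiaUrls -join '\n')
Restart-Service -Name CertSvc

# Checks: the 32: entry is present, and a certificate issued after the restart
# has a fetchable OCSP URL (replace issued.cer with any such certificate).
certutil -getreg CA\CACertPublicationURLs
certutil -verify -urlfetch .\issued.cer
```

The `-urlfetch` check is the one to keep around: it walks the chain and reports, per AIA, CDP and OCSP URL, whether the fetch succeeded, which catches a URL typo or a responder that is installed but has no revocation configuration yet.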

How to Create a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x & 7.x

In this article we are going to learn how to configure Microsoft Certificate Authority (CA) templates for use with a custom SSL certificate implementation in vSphere 6.x/7.x.

Connect over RDP (mstsc) to the CA server from which you will be generating the certificates.

Click Start > Run, type certtmpl.msc, and click OK.

In the Certificate Template Console, under Template Display Name, right-click Web Server and click Duplicate Template.

In the Duplicate Template window, select Windows Server 2003 Enterprise for backward compatibility.

Note: If the CA signs with a hash stronger than SHA1 (for example SHA256, as configured above), select Windows Server 2008 Enterprise instead.

Click the General tab and in the Template display name field enter VMware (or any name you prefer) as the name of the new template.

Click on the Extensions tab.

1. Select Application Policies and click Edit.
2. Select Server Authentication, click Remove, then OK.

Note: If Client Authentication exists, remove it from Application Policies as well.

Select Key Usage and click Edit.

1. Select the Signature is proof of origin (nonrepudiation) option. Leave all other options at their defaults.
  2. Click OK.

Click the Subject Name tab.

1. Ensure that the Supply in the request option is selected. With this setting the CA issues whatever subject and subject alternative names the request contains, so on the Security tab restrict Enroll on this template to the accounts that actually submit the vSphere requests.
2. Click OK to save the template.

Now proceed to add the new template to the CA's Certificate Templates folder, so that the newly created template is available for issuing.

Click Start > Run, type certsrv.msc, and click OK.

In the left pane of the Certification Authority console, expand the CA node if it is collapsed.

Right-click Certificate Templates and click New > Certificate Template to Issue.

Locate VMware under the Name column and click OK.

Now we have successfully added the VMware CA template to the Certificate Templates.
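A check that the VMware template in Active Directory matches what the steps above configured, followed by issuing a certificate from it with certreq. This is an added example and not from the VMware KB or the original article. It assumes the template name VMware from the article, a CA config string of ad.gsslabs.org\gsslabs-CA built from the host and CA name used earlier on this page, and a CSR file .\vcenter.csr produced elsewhere (for vSphere, by its certificate-manager tool).

```powershell
# Added example (not from the VMware KB or the original article). Run on the
# CA or any domain-joined admin host. Assumptions: template CN 'VMware',
# CA config string 'ad.gsslabs.org\gsslabs-CA', CSR file .\vcenter.csr.

$ConfigNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$Tpl = [ADSI]"LDAP://CN=VMware,CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNC"

# Subject Name tab: "Supply in the request" is bit 0x1 of
# msPKI-Certificate-Name-Flag (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT).
$SuppliesSubject = ([int]$Tpl.'msPKI-Certificate-Name-Flag'.Value -band 0x1) -ne 0

# Key Usage tab: pKIKeyUsage is the X.509 KeyUsage bit string; 0x40 in the
# first byte is nonRepudiation ("Signature is proof of origin").
$KeyUsage = [byte[]]$Tpl.pKIKeyUsage.Value
$NonRepud = ($KeyUsage[0] -band 0x40) -ne 0

# Extensions tab: after the edit, Server Authentication (1.3.6.1.5.5.7.3.1)
# and Client Authentication (1.3.6.1.5.5.7.3.2) must be gone from both the
# application-policy and the extended-key-usage attributes.
$Policies  = @($Tpl.'msPKI-Certificate-Application-Policy') + @($Tpl.pKIExtendedKeyUsage)
$NoAuthEku = -not (($Policies -contains '1.3.6.1.5.5.7.3.1') -or
                   ($Policies -contains '1.3.6.1.5.5.7.3.2'))

# Who may enroll: with "Supply in the request" the CA trusts the requested
# names, so this list should be short. Prints the ACEs carrying the Enroll
# extended right (GUID 0e10c968-78fb-11d2-90d4-00c04f79dc55).
$Enrollers = $Tpl.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.ObjectType -eq [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55' } |
    Select-Object -ExpandProperty IdentityReference

[pscustomobject]@{
    SuppliesSubjectInRequest = $SuppliesSubject   # expected: True
    NonRepudiationKeyUsage   = $NonRepud          # expected: True
    NoServerClientAuthEku    = $NoAuthEku         # expected: True
    WhoCanEnroll             = ($Enrollers -join ', ')
}

# Publish the template on the CA (the "Certificate Template to Issue" step)
# and submit the CSR against it. The config string is '<host>\<CA name>'.
certutil -SetCATemplates +VMware
certreq -submit -config 'ad.gsslabs.org\gsslabs-CA' -attrib 'CertificateTemplate:VMware' .\vcenter.csr .\vcenter.cer

# Confirm what was issued: no Enhanced Key Usage line, and Key Usage listing
# Non-Repudiation alongside Digital Signature and Key Encipherment.
certutil -dump .\vcenter.cer
```

Reading the template back from AD, rather than trusting the dialog, is worth doing because the template object is what the CA enforces; the three booleans should all be True and the enroll list should contain only the principals that submit vSphere requests.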

Reference: https://kb.vmware.com/s/article/2112009