SHIFT

--- Sjoerd Hooft's InFormation Technology ---

adcs2016
Differences

This shows you the differences between two versions of the page.

adcs2016 [2017/02/08 15:50] (current)
sjoerd created
Line 1: Line 1:
 += Active Directory Certificate Services on Windows Server 2016 =
 +
 +This is a follow up on [[addcinazure]]. My next project is to create a [[pointtositevpnazure|PointToSite VPN]] towards the same azure environment but that requires certificates. And that brings in Certificate Services. Now remember, installing the Root CA in the same server that is a Domain Controller is not considered best practice. Reasons (among others) are:
 +* Root CAs are best kept offline for security reasons which is not possible if you install it on a Domain Controller
 +* You can't demote the Domain Controller without first having to remove the CA
 +* The more services you host on one system, the more services you have to recover if that server goes down
 +
 +But there are also benefits. Since you need less servers you pay less for OS, (virtual) hardware and licenses. This is especially a benefit if you are running a lab environment that is limited on budget. ​
 +
 +Note that this kind of CA setup is also known as "​Enterprise root CA on a Domain Controller online"​ and is only considered acceptable for lab environments. ​
 +
 += Install Active Directory Certificate Services (AD CS) =
 +
 +Follow these instructions to install and configure the AD CS:
 +* Once logged in on the server start server manager -> Manage -> Add Roles and Features
 +* Select the Role-based or feature-based installation type
 +* Select the server from the server pool, which is in my case, the DC I installed in [[addcinazure]]:​ \\
 +{{adcs201601.jpg}} \\
 +* Select "​Active Directory Certificate Services"​ from the Roles list, which will popup a new window. Make sure everything including the management tools is selected and click Add Features to continue: \\
 +{{adcs201602.jpg}} \\
 +* Click next on both the Roles as the Features window as no additional features are needed
 +* Read the information and click next on the Active Directory Certificate Services information window: \\
 +{{adcs201603.jpg}} \\
 +* Select the Certificate Authority (selected by default) in the Select Role Services window: \\
 +{{adcs201604.jpg}} \\
 +* Select the "​Restart the destination server automatically if required"​ checkbox, review your settings and click Install to start the installation
 +
 +When the installation is done could use the link provided after the installation to start the configuration,​ but as we already used that method to start the configuration in [[addcinazure]] we'll use another way this time. Click Close to close the installation window. ​
 +
 += Configure Active Directory Certificate Services (AD CS) =
 +
 +* Again, start Server Manager and click AD CS. This will show you a warning that configuration is required for Active Directory Certificate Services: \\
 +{{adcs201605.jpg}} \\
 +* Click on the yellow notification triangle and click the "​Configure Active Directory Certificate Services on th..." link: \\
 +{{adcs201606.jpg}} \\
 +* Now specify the credentials to configure the Certificate Services. I only have one account so far, and it is up for the task: \\
 +{{adcs201607.jpg}} \\
 +* Select the Certificate Authority role to configure: \\
 +{{adcs201608.jpg}} \\
 +* Select Enterprise CA as your CA type: \\
 +{{adcs201609.jpg}} \\
 +* As we are installing the first CA select Root CA: \\
 +{{adcs201610.jpg}} \\
 +* As we are creating a whole new PKI we choose to Create a new private key: \\
 +{{adcs201611.jpg}} \\
 +* Select the cryptographic options. The default is set to SHA256 with 2048 key length which is fine (do not select SHA1 as it is being deprecated by the entire industry): \\
 +{{adcs201612.jpg}} \\
 +* Even though you can change the Common Name it is advised to keep the defaults: \\
 +{{adcs201613.jpg}} \\
 +* Specify the validity period for the CA certificate. Read the information careful, if you need client certificates that will be longer valid than the default of 5 years, you should change the default here. As I want to create client certificates for 10 years for my lab I will set the validity period to 20 years: \\
 +{{adcs201614.jpg}} \\
 +* As this server was made in Azure you need to keep some configuration in mind. I never want logfiles and or databases on my C-drive and on Azure the first data disk (as configured [[addcinazure#​add_data_disk|here]] is on F so specify the file locations accordingly:​ \\
 +{{adcs201615.jpg}} \\
 +* Review all your settings and click Configure to start the configuration
 +* Click close to close the window once the configuration is finished
 +
 += Verify the Installation =
 +
 +* Go to Server Manager -> Tools -> Certificate Authority
 +* Right-Click the CA and click properties
 +* Check for the settings you've configured: \\
 +{{adcs201616.jpg}} \\
 +
 +Note that we will actually issue certificates in [[pointtositevpnazure]] so further steps will be explained there. ​
 +
 += Resources =
 +PKI design options: https://​social.technet.microsoft.com/​wiki/​contents/​articles/​2901.public-key-infrastructure-design-guidance.aspx ​ \\
 +https://​www.virtuallyboring.com/​setup-microsoft-active-directory-certificate-services-ad-cs/​ \\
 +
 +{{tag>​security windows ad}}
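Review bot: The validity-period step sets the CA certificate to 20 years, while the cryptographic-options step accepts the default 2048-bit key as "fine"; a key of that size is a poor match for a root meant to live that long. Either select a larger key length (for example 4096) at the cryptographic options step when extending the validity, or state next to the 20-year setting that the 2048-bit/20-year combination is a lab shortcut, in line with the earlier note that this setup is only acceptable for lab environments. Smaller wording points in the same hunk: "When the installation is done could use the link" is missing "you", "Read the information careful" should read "carefully", and the parenthesis opened at "(as configured [[addcinazure#add_data_disk|here]]" is never closed.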
  
adcs2016.txt · Last modified: 2017/02/08 15:50 by sjoerd