In this post we are going to install a private Certification Authority (CA), request a certificate from an Exchange server computer, create the certificate, deploy it to all domain joined computers and complete the pending request on the Exchange server computer.
Installing a private Certification Authority
To issue our own certificates we need what is called a Certification Authority (CA). Certificates issued by our own CA are great for testing purposes (internal applications, etc.); however, for external applications, public sites, etc. you will need a certificate from a commercial (publicly trusted) CA.
To install our private Certification Authority we need to install the Active Directory Certificate Services (AD CS) role. Therefore, let us start by opening Server Manager and selecting Add Roles. If you need help installing roles and features, check here for Windows Server 2012 and here for Windows Server 2008 R2.
On the Select Role Services page, make sure the Certification Authority checkbox is checked, and check the Certification Authority Web Enrollment checkbox as well. The Web Enrollment service provides a web interface for managing certificates (request, renew, etc.).
On the Specify Setup Type page, select Enterprise CA if your computer is a member of a domain and can use AD services, or Standalone CA if your CA computer cannot use AD services. Note: you can still use a certificate issued by a Standalone CA on your domain (later in this post I’ll show how to deploy its root certificate to all your domain computers). Click Next.
On the Specify CA Type page, select Root CA. A Root CA is the first CA you install; if you later install additional CAs, the Root CA remains the CA with the highest authority. In other words, the Root CA establishes the foundation and basic rules that govern certificate issuance and use for your entire Public Key Infrastructure. Click Next.
On the Configure Cryptography for CA page, select a Cryptographic Service Provider, the hash algorithm for signing certificates (Wikipedia: Secure Hash Algorithm) and the Key character length. Click Next.
Note that the steps shown above are for Windows Server 2008 R2. If you are using Windows Server 2012 or higher, you first install the Active Directory Certificate Services (AD CS) role and then select the Certification Authority and Certification Authority Web Enrollment role services.
The rest of the options are similar to the ones we set for the CA on the Windows Server 2008 R2 computer: CA Name, Validity Period, Database Location, Confirmation, Progress and Results. Just click Next on each.
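The same installation, done from PowerShell on Windows Server 2012 or later, as an added example that is not part of the original post. It installs the role and the two role services selected in the wizard, configures the CA with the choices from the Configure Cryptography page, and ends with a check that the CA service is running and its root certificate landed in the local Trusted Root store. The CA name "Contoso-Root-CA" and the 10-year validity are assumed values; the cmdlets (Install-WindowsFeature, Install-AdcsCertificationAuthority, Install-AdcsWebEnrollment) are the real ones from the ServerManager and ADCSDeployment modules. SHA256 with a 2048-bit key is used deliberately: the 2008 R2 wizard defaults to SHA1, which current browsers and clients no longer accept for certificate signatures.

```powershell
# Added example (not from the original post): unattended AD CS installation on
# Windows Server 2012 or later, equivalent to the wizard steps above.
# Assumed values: CA common name "Contoso-Root-CA", 10-year root validity.
# Run in an elevated PowerShell session on the future CA server.

# 1. Install the role and the two role services the post selects in the wizard
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# 2. Configure the CA. EnterpriseRootCA needs a domain-joined server; use
#    StandaloneRootCA if the server cannot use AD services (Specify Setup Type page).
#    SHA256 / 2048-bit RSA is the minimum modern clients trust; do not keep SHA1.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName "Contoso-Root-CA" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 10 `
    -Force

# 3. Configure the web enrollment pages (http://<ca-server>/certsrv, used later in the post)
Install-AdcsWebEnrollment -Force

# 4. Check: the CA service is running and the root certificate is in the local
#    Trusted Root Certification Authorities store with the expected algorithm
Get-Service -Name CertSvc
Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "CN=Contoso-Root-CA*" } |
    Format-List Subject, Thumbprint, NotAfter,
        @{ Name = "SignatureAlgorithm"; Expression = { $_.SignatureAlgorithm.FriendlyName } }
```

The final check should report sha256RSA; if it shows sha1RSA the CA was configured with the old default and the root should be reissued before any server certificates are handed out, since every certificate the CA signs inherits that choice.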
Requesting a Certificate in Exchange Server
The fastest and easiest way to request a certificate is with the Exchange Management Shell, running the following command:
New-ExchangeCertificate -FriendlyName "Name for your Certificate" -IncludeServerFQDN -DomainName <name>.contoso.com,autodiscover.contoso.com,webmail.contoso.com -GenerateRequest -PrivateKeyExportable $true
Copy the output of the command from the line -----BEGIN NEW CERTIFICATE REQUEST----- through the line -----END NEW CERTIFICATE REQUEST-----. Paste it into Notepad and keep it, as we need it to create the certificate.
In the Exchange Management Console you will notice that the new certificate request is listed as a pending certificate.
Create the Certificate for the Exchange Server
To create a new certificate on your CA computer, open your web browser and go to the following page:
http://server-ca/certsrv (where server-ca is the name of your CA server)
Note: you can also reach this page from Internet Information Services (IIS) Manager: expand ServerName > Sites > Default Web Site, right-click CertSrv, select Manage Application and click Browse.
On the Submit a Certificate Request or Renewal Request page we need to do a few things. Under Saved Request, paste the certificate request we got from our Exchange server into the text box next to Base-64-encoded certificate request. Under Certificate Template select Web Server. Leave Additional Attributes empty. Click the Submit > button.
Complete a Pending Certificate Request
Back on your Exchange server computer, open the Exchange Management Console and go to Server Configuration. There right-click the certificate request you created and select Complete Pending Request… (you can also click the Complete Pending Request… link on the right panel).
If your certificate comes from an Enterprise CA (joined to the domain) you might just need to speed up the process a bit (it can take a few hours for the DC to distribute the Trusted Root CAs to all domain joined computers). To speed this up, open a command prompt on your Exchange server and run gpupdate /force.
If you have a Standalone CA you will need to deploy the Root certificate of your Standalone CA to all domain joined computers.
Deploy a Root Certificate to all Domain Computers using Group Policy
To deploy your Root certificate you first need to export it. Go to your Standalone CA computer and open the Microsoft Management Console (MMC). If you don’t know how, press Windows key + R, type mmc and click OK.
In the Add or Remove Snap-ins window, Certificates (Local Computer) must be listed on the Selected snap-ins side. Click OK.
Now in MMC, expand Certificates (Local Computer) > Trusted Root Certification Authorities. In the center panel select and right-click the certificate that was created when you installed your CA, select All Tasks and click Export….
On your DC open MMC > Certificates (Local Computer). Verify your certificate is in the Trusted Root Certification Authorities folder. If you cannot find it there, open the command prompt and run gpupdate /force to speed up the process as explained above.
Back on your Exchange computer, repeat the last few steps: open MMC > Certificates (Local Computer) and verify the new certificate is there. If it still is not, open the command prompt, run gpupdate /force and refresh the Trusted Root Certification Authorities folder. The new certificate should now be there.
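The export and the verification steps of this section from PowerShell, as an added example that is not part of the original post. The first part runs on the CA and exports only the public root certificate (no private key); the second part runs on any domain-joined computer (the DC or the Exchange server), refreshes Group Policy and checks by thumbprint that the root arrived in the Trusted Root store, then asks Windows to build the chain for the Exchange web name exactly as a browser would. The CA name "Contoso-Root-CA", the export path and the host name webmail.contoso.com are assumed; Export-Certificate and Test-Certificate are real cmdlets from the PKI module (Windows Server 2012 or later). The GPO location named in the comments is where the exported .cer file is imported for a Standalone CA.

```powershell
# Added example (not from the original post). Assumed values: CA common name
# "Contoso-Root-CA", export path C:\Temp\Contoso-Root-CA.cer, Exchange web name
# webmail.contoso.com. Requires the PKI module (Windows Server 2012 or later).

# --- On the CA server: export the root certificate (public part only) ---
$root = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "CN=Contoso-Root-CA*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $root) { throw "Root CA certificate not found in the local Trusted Root store" }
Export-Certificate -Cert $root -FilePath "C:\Temp\Contoso-Root-CA.cer" -Type CERT | Out-Null
"Exported root thumbprint: $($root.Thumbprint)"   # record this; every client is checked against it

# Import the exported .cer into a GPO linked to the domain under:
#   Computer Configuration > Policies > Windows Settings > Security Settings >
#   Public Key Policies > Trusted Root Certification Authorities
# This is only needed for a Standalone CA; a domain-joined Enterprise CA publishes
# its root through Active Directory on its own, as the post explains.

# --- On any domain-joined computer (DC, Exchange server): refresh and verify ---
$expectedThumbprint = "<thumbprint printed above>"   # placeholder: paste the recorded value
gpupdate /force | Out-Null

$trusted = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $expectedThumbprint }
if ($trusted) {
    "Root CA is trusted on $env:COMPUTERNAME (expires $($trusted.NotAfter))"
} else {
    Write-Warning "Root CA not present yet; check the GPO link and scope with gpresult /r"
}

# --- On the Exchange server: confirm the server certificate chains to the root ---
# Test-Certificate validates the chain and the SSL policy (name match, EKU, expiry)
# the same way a browser does, so a failure here is the OWA warning in advance.
$exch = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains "webmail.contoso.com" } |
    Select-Object -First 1
if ($exch) {
    Test-Certificate -Cert $exch -Policy SSL -DNSName "webmail.contoso.com"
} else {
    Write-Warning "No certificate for webmail.contoso.com in the local computer store"
}
```

Comparing the thumbprint rather than the subject name matters: a second certificate with the same CN (for instance an old root that was reissued after a key change) would pass a name check but not a thumbprint check, and clients trusting the wrong one still show the certificate error.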
However, we still need to assign some services to this certificate. To do this select the certificate, right-click it and select Assign Services to Certificate…, or click the link with the same name on the right panel.
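The full request, issue, complete and assign flow from the command line, covering the Requesting, Create, Complete Pending Request and assign-services sections above, as an added example that is not part of the original post. Instead of copying the request text into Notepad and the certsrv page, the request is written to a file, submitted to the CA with certreq (the command-line equivalent of the Web Server template choice on the certsrv page), and the issued certificate is imported back with Import-ExchangeCertificate, which is what Complete Pending Request… does in the console. The share \\server-ca\requests, the CA configuration string "server-ca\Contoso-Root-CA" and the friendly name are assumed; the host names are the ones used in the post. New-ExchangeCertificate, Import-ExchangeCertificate, Enable-ExchangeCertificate and certreq are the real tools.

```powershell
# Added example (not from the original post). Assumed values: share \\server-ca\requests,
# CA config string "server-ca\Contoso-Root-CA". Steps 1 and 3 run in the Exchange
# Management Shell on the Exchange server; step 2 runs on the CA server.

# --- 1. Exchange server: generate the request and save it to a file ---
# -PrivateKeyExportable stays $false unless the certificate must be moved to another
# server; an exportable private key is one more thing an attacker on the box can take.
$request = New-ExchangeCertificate -GenerateRequest `
    -FriendlyName "Contoso Exchange" `
    -SubjectName "CN=webmail.contoso.com" `
    -DomainName webmail.contoso.com, autodiscover.contoso.com `
    -IncludeServerFQDN `
    -PrivateKeyExportable $false
[System.IO.File]::WriteAllBytes("\\server-ca\requests\exchange.req",
    [System.Text.Encoding]::Unicode.GetBytes($request))

# --- 2. CA server: submit against the Web Server template and write the issued cert ---
# An Enterprise CA issues immediately when the template allows it; a Standalone CA
# leaves the request pending until an administrator approves it in the Certification
# Authority console, after which certreq -retrieve fetches it with the request ID.
certreq -submit -config "server-ca\Contoso-Root-CA" `
    -attrib "CertificateTemplate:WebServer" `
    "\\server-ca\requests\exchange.req" "\\server-ca\requests\exchange.cer"

# --- 3. Exchange server: complete the pending request and assign services ---
$cert = Import-ExchangeCertificate `
    -FileData ([byte[]](Get-Content -Path "\\server-ca\requests\exchange.cer" -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS, SMTP -Force

# Check: Status should be Valid (not PendingRequest) and Services should list IIS and SMTP
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, CertificateDomains, Services, Status, NotAfter
```

If step 3 reports Status as Invalid, the issuing root is not yet trusted on the Exchange server; finish the root deployment from the previous section (or run gpupdate /force) and re-run the check rather than re-importing the certificate.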
After you install Exchange Server and access Outlook Web App (OWA), now called Outlook on the web, you might have noticed that you get a certificate error. Now, with our certificate installed, this error will no longer appear.
This concludes the Certification Authority Lab, I hope you liked it.