Windows Server Certification Authority

In this post we are going to install a private Certification Authority (CA), request a certificate from an Exchange server computer, create the certificate, deploy it to all domain joined computers and complete the pending request on the Exchange server computer.

Installing a private Certification Authority

To issue our own certificate we need what is called a Certification Authority (CA). These certificates issued by our own CA are great for testing purposes (internal applications, etc…), however for external applications public sites, etc. you will need a commercial certificate.

To install our private Certificate Authority we need to install the Active Directory Certificate Services (AD CS) role. Therefore, let us start by opening the server manager and select Add Roles. If you need help installing roles and features check here for Windows server 2012 and here for windows server 2008 R2.

On Select Server Roles page, click on the Active Directory Certificate Services checkbox. If you are prompt to add required features, add them. Click Next.
CA_01

On the Introduction to Active Directory Certificate Services page, read the information provided and click Next.
CA_02

On the Select Role Services page, Make sure the Certification Authority checkbox is checked and you will need to check the Certification Authority Web Enrollment checkbox as well. The Web Enrollment service will provide us with a web interface that will allow us to manage certificates (request, renew, etc.).
CA_03

After checking the web enrollment service you will be prompt to add some required role services and features. Click the Add Required Role Services button.
CA_04

Back on the Select Role Services page, click Next.
CA_05

On the Specify Setup Type page, select between: Enterprise CA if your computer is member of a domain and can use AD services, and Standalone CA if your CA computer cannot use AD services. Note: you can still use the certificate issued by a Standalone CA on your domain (later in this post I’ll show how to deploy a certificate to all your domain computers). Click Next.
CA_06

On the Specify CA Type page, select Root CA, a Root CA is the first CA that you install, so if you decide to install multiple CAs the Root CA will be the CA with highest authority, in other words the Root CA establishes the foundation and basic rules that govern certificate issuance and use for your entire Public Key Infrastructure. Click Next.
CA_07

On the Set Up Private Key page, click on Create a new private key. Click Next.
CA_08

On the Configure Cryptography for CA page, select a Cryptographic Service Provider and select the hash algorithm for signing certificate (Wikipedia:  Secure Hash Algorithm) and the Key character length. Click Next.
CA_09

On the Configure CA Name page, change the Common name for the CA if you wish to, I would recommend you to leave it with the default name. Click Next.
CA_10

On the Set Validity Period page, select the time you wish for your certificate to be valid. Click Next.
CA_11

On the Configure Certificate Database page, leave the default location and click Next.
CA_12

On the Introduction to Web Server (IIS) page, read the information provided and click Next.
CA_13

On the Select Role Services page, click Next.
CA_14

On the Confirmation page, review your settings and click Install.
CA_15

On the Installation Progress page you can see the progress of the Installation.
CA_16

On the Installation Results page, verify that the installation finished successfully and click Close.
CA_17

 

Note that the step shown above are for a Windows Server 2008 R2. If you are using Windows server 2012 or higher, first you will have to install the Active Directory Certificate Services (CA CS) Role, select the Role Services Certification Authority and Certification Authority Web Enrollment services.
CA12_00

Then, after the CA CS Installation is completed, you will need to configure AD CS. You can do this by clicking the Link Configure Active Directory Certificate Services on the destination server.
CA12_01

Or by click the link with the same name on the Server Manager Notifications.
CA12_02

The AD CS configuration windows will open. On the Credential pages change the credentials according to the role service you want to install. Click Next.
CA12_03

On the Role Services page, check on the Certification Authority and Certification Authority Web Enrollment checkboxes. Click Next.
CA12_04

On the Setup Type page, select between: Enterprise CA and Standalone CA, in my case this server is not a member of any domain therefore I can only install the Standalone CA. Click Next.
CA12_05

On the CA Type page, select Root CA. Click Next.
CA12_06

On the Private Key page, click on Create a new private key. Click Next.
CA12_07

On the Configure Cryptography for CA page, select a Cryptographic Service, the hash algorithm for signing certificate and the Key character length. Click Next.
CA12_08

The rest of the options are similar to the ones we set for the CA on the Windows server 2008 R2 computer. CA Name, Validity Period, Database Location, Confirmation, Progress and Results. Just click Next on each.
CA12_08-1

 Requesting a Certificate in Exchange Server

To request a certificate in Exchange server you can do it through the Exchange Management Console, On Server Configuration. Click the link New Exchange Certificate… on the right pane.
CA_18-1

However the fastest and easiest way to request a certificate is with the Exchange Management Shell and running the following command:

New-ExchangeCertificate -FriendlyName "Name for your Certificate" -IncludeServerFQDN -DomainName <name>.contoso.com,autodiscover.contoso.com,webmail.contoso.com -GenerateRequest -PrivateKeyExportable $true

CA_19

Copy the output of the command from the line —–BEGIN NEW CERTIFICATE REQUEST—– until to the line —–END NEW CERTIFICATE REQUEST—–. Make sure you copy and keep it on your notepad as we need this to create the certificate.
CA_20

On the Exchange Management Console you will notice that the new certificate request is listed as a pending certificate.

Create the Certificate for the Exchange Server

To create a new certificate on your CA computer open your web browser and open the following page:

http://server-ca/certsrv

<server-ca> is the name of your CA server

CA_21

Note: you can also access by opening Internet Information Services (IIS) Manager. There expand the ServerName, Sites, Default Web Site, right click on CertSrv select Manage Application and click on Browse.
CA_22

On the CertSrv Web page of your AD CS, click on the Request a Certificate link.
CA_22-1

On the Request a Certificate page click on the link advance certificate request.
CA_23

On the Submit a Certificate Request or Renewal Request page, we need to do a few things. On Saved Request, paste the certificate request we got from our exchange server on the text block next to Base-64-encoded certificate request. On Certificate Template select Web Server. Leave Additional Attributes empty. Click the Submit > button.
CA_24

On the Certificate Issued page. Click on the link Download Certificate.
CA_25

You got your certificate.
CA_26

 Complete a Pending Certificate Request

Back on your exchange server computer open the Exchange Management Console and go to Server Configuration. There right-click the certificate request you created and select Complete Pending Request… (you can also click the right panel link Complete Pending Request…).
CA_27

On the Complete Pending Request windows, Introduction page, browse for the Certificate you downloaded from your Certification Authority. Click Complete.
CA_28

On the Completion page, verify that the certificate was installed successfully. Click Finish.
CA_29

Now that you certificate is installed, you might notice that your certificate appears to be invalid.
CA_30

If your certificate comes from an Enterprise CA (joined to the domain) you might just need to speed up the process a bit (it takes a few hours for the DC to distribute the Trusted Toot CAs to all domain joined computers). To speed up this process, open the command prompt on your exchange server and run the following command:

gpupdate /force

If you have a Standalone CA you will need to deploy the Root certificate of your Standalone CA to all domain joined computers.

Deploy a Root Certificate to all Domain Computers using Group Policy

To deploy your Root certificate first you will need to export the certificate. Go to your Standalone CA computer and open the Microsoft Management Console (MMC). If you don’t know how click the Windows_button+r, write mmc and click OK.
CA12_09-00

On the MMC console click on File and select Add/Remove Snap-in…. There select Certificates and click Add>>.
CA12_09-01

On the Certificate Snap-in window select Compute account. Click Next.
CA12_09-02

On the Select Computer window select Local computer. Click Finish.
CA12_09-03

On the Add or Remove Snap-in window the Certificates (Local-Computer) must be on the Selected Snap-ins side. Click Ok.

CA12_09-04

Now on MMC, expand Certificates (Local Computer) > Trusted Root Certification Authorities. There on the center panel select and right-click to the certificate that was created when installed your CA, select All Tasks and click Export….
CA12_09-05

On the Certificate Export Wizard, Welcome page click Next.
CA12_10_00

On the Export File Format page click Next.
CA12_10_01

On the File to Export page, write a path and a name for your Root Certificate.
CA12_11

On the Completing the Certificate Export Wizard page, click Finish.
CA12_12

You will get a pop-up indicating that the export was successful.
CA12_13

 

Now let’s go back to the DC computer. Open Group Policy Management.
CA_45

Expand Group Policy Objects, right-click Default Domain Policy and click Edit….
CA_46

On the Group Policy Management Editor, expand Computer Configuration > PoliciesWindows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities.
CA_47

Right-click on Trusted Root Certification Authorities or to the right pane and select Import….
CA_48

On the Certificate Import Wizard’s Welcome page click Next.
CA_49

On the File to Import page browse to the file we export from our Standalone Root CA. Click Next.
CA_50

On the Certificate Store page, click Next.
CA_51

Finally on the last page click Finish.
CA_52

Click OK on the successful import notification.
CA_53

Your Certificate should be on the Trusted Root Certification Authorities folder, of your Group Policy Manager Editor.
CA_54

On your DC open MMC > Certificates (Local Computer). Verify your Certificate in on the Trusted Root Certification Authorities folder. If you cannot find it there, Open the command prompt and run gpupdate /force to speed up the process as explained above.
CA_55

Refresh the Trusted Root Certification Authorities folder of your MMC. The new certificate should be there.
CA_56

Back on your Exchange computer, repeat the last few steps. Open MMC > Certificates (Local Computer). Verify the new certificate is there, if still not there open the command prompt and run gpupdate /force, refresh the Trusted Root Certification Authorities folder. The new certificate should be there.

Now if you open Exchange Management Console > Server Configurations, you will see the new Certificate is Valid.
CA_58

However, we still need to assign some services to this certificate. To do this select the certificate, right-click on it and select Assign Services to Certificate…. Or click the lick with the same name on the right panel.
CA_60

On the Assign Services to Certificate window, Select Server page, select the server you wish to assign the services and click Next.
CA_61

On the Select Services page, select the services you wish to assign and click Next.
CA_62

On the Assign Services page click Assign.
CA_63

On the Completion page click Finish.
CA_64

After you install Exchange server on your computer and access to Outlook Web App (OWA) now called (Outlook on the web), you might have notice that you get a certification error. Now with the out certificate installed this error won’t be there.
CA_65

This concludes the Certification Authority Lab, I hope you liked it.

Advertisements

One thought on “Windows Server Certification Authority

  1. […] I had tested Paul’s script in Exchange Server 2010 and 2013, unfortunately in Exchange 2010 we will need to install a certificate for the script to work. To install a certificate for our test lab the best is to use a self-signed certificate from our own private Certification Authority (CA). First we will need to install Active Directory Certificate Services (AD CS), request a certificate in Exchange server, and create our certificate with the newly installed CA, here you can find the steps to install AD CS, create a certificate and deploy it. […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s