Deploying a Windows Server 2012 R2 Certificate Authority

As more services and device connections inside and outside of your network rely on certificate services, I thought it was a good idea to write an article about how to deploy such a Windows 2012 R2 Certificate Authority (CA).

Popular features that require a certificate include secure HTTPS connections to your web applications, device authentication for both domain and non-domain joined clients, Server 2012 R2 Work Folders, DirectAccess, and more.

Before I dive into the technical aspects of certificates, CA, and the various types of certificates, let me give you a high-level comparison between using an internal vs. public Certificate Authority.

Internal CA

External CA

Easy to manage No control of Certificate Authority itself, you can only “buy” SSL certificates
Can be configured as Active Directory integrated No administration overhead
No cost per certificate SSL certificates can become expensive, depending on types and functionalities
Auto-enrollment feature makes configuration of clients/devices easier Not advised for configuring internal devices authentication
Not really useful for internet-facing applications, as not trusted by external parties Trusted by most browsers
Often more complex to install/configure than just buying a public SSL certificate Less flexible on SSL certificate properties

 

Install Active Directory Certificate Authority

  • From the Windows Server 2012 R2 Server Manager, click Add Roles and Features.
  • Select Active Directory Certificate Services.

Install Active Directory Certificate Authority

  • Click the Add Features in the popup window to allow installation of the Certification Authority Management Tools

Install Active Directory Certificate Authority add roles

  • Select the options you want to install. I recommend the following services:

– Certification Authority (this is your main CA)
– Certification Enrollment Policy Web Service
– Certificate Enrollment Web Service (web portal to request certificates)
– Certification Web Enrollment

Install Active Directory Certificate Authority

  • Once installed, Select AD CS in your Server Manager. Notice the button warning that no configuration is done yet. Click on More.

Install Active Directory Certificate Authority AD CS

  • This will bring you to the All Servers Task Details and Notifications. Click on Configure Active Directory Certificates Services in the Action column. This will launch the AD CS configuration wizard.

Use the following parameters when going through the different steps in the wizard:

​ Role Services to configure          Certificate Authority + Certificate Authority Web Enrollment

Type of CA                          Enterprise CA (if Active Directory integrated; otherwise choose StandAlone CA

Type of CA                          Root CA (if 1st one) or Subordinate CA (additional CA in existing authority)

Type of Private Key                 in most cases, create a new private key will be the best option

Cryptographic options               RSA#Microsoft Software Key Storage Provider

2048 as Key Length

SHA1 as hash algorithm

(or any other combination for your situation)
  • Enter a descriptive name for your Certificate CA in the Common Name field. In my example, I named it 2012R2 domain CA. Click Next.
  • Update the validity period to 5 years (or whatever fits your need).
  • Accept the default database locations or modify according your own requirements.
  • This completes the configuration of the first two CA components. Let’s continue with the other two. In the Select Role Services to configure, choose Certificate Enrollment Web Service and Certificate Enrollment Web Policy Service.

image6

Use the following parameters when going through the configuration wizard:

​ Specify CA                                 Select CA Name (using Select…)

Type of Authentication                     Windows Integrated

Service Account                            use the built-in application pool identity

Authentication type for CEP         Windows Integrated

Specify Authentication Certificate  <select an existing SSL certificate from the list)

AD CS configuration

This completes the configuration of all required Certificate Authority services.

AD CS configuration complete

Verify Certificate Authority Functionality

To verify that the CA server is operational, we can check both from within our browser as well as by checking the Certificate Authority management console.

Using the Browser: Certificate Authority Web Services

From any server in the domain, you can connect to http:<CA-Server>/certsrv. This will launch the Certificate Authority Web Enrollment portal.

Certificate Authority Web Enrollment portal

We will use this portal later on to complete a certificate request…

Using the Certificate Authority Management Tool

  • From the CA server, start the Certificate Authority Management tool. If all is well, this will show your CA server with a green icon, meaning the different CA services are up and running.

Certificate Authority Management Tool

Complete an Internal Certificate Request

In this last step, we will walk through the process on how to request an internal SSL certificate from an IIS web server in the domain, against our internal deployed CA.

  • From within IIS, select your server. Click on Server Certificates in the middle pane.
  • On the right, click on Create Certificate Request.
  • Enter the different fields in the request template. Most important field here is the common name, which should be set to the same name as the URL you want to use (eg. Workfolders.pdtit.be in my situation)

Internal Certificate Request

  • Complete the wizard with the default settings and save your request file as text file on your system.

In previous Windows Server versions it was sufficient to logon to your CA Web Enrollment portal again and copy/paste the details of the certificate request file. Alas, it won’t work in Windows Server 2012 R2. If you perform the same steps, you are faced with the following error message.

image12

I could have explained the different steps on how to solve this matter, but there is already a great Microsoft Technet Wiki article that explains the different configuration steps that need to be taken in order to publish your CertSRV certificate Enrollment portal using HTTPS.

Once you have done all these steps, it should be possible to complete the certificate request steps from within the portal.

  • Logon to your CA server using your browser (http://<CAserver>/certsrv).
  • Select Request a Certificate.
  • Select Advanced Certificate Request.
  • Select Create and Submit a Request to This CA.
  • In the Certificate Template select Web Server.
  • Copy/paste the contents from your certificate request file (the “garbage text,” including the first and last line “— beginning of new request file —” and “— end of new request file —“).
  • Save your certificate output as a CER-file.
  • Copy this CER-file over to your web server.
  • From within IIS, select Complete Certificate Request.

 

That’s all for this article folks! As always, do not hesitate to contact me in case of any questions regarding this article.