In your company, it's important to secure the connection to your various servers and services to prevent a malicious person from being able to recover or alter sensitive information passing through the network.
To do this, you will need to create a certification authority (CA) to be able to secure these free of charge thanks to the certificates that you will issue (deliver) via it.
A certification authority allows you to enroll (issue) certificates which will be valid in your company and which will allow you to secure the connection to your various servers and services : website, mail server, hypervisor, ...
Once your certificates have been enrolled (issued) and installed on your various servers or services, the data can no longer be intercepted or even modified by a third party without an error occurring. This will warn you if there is a problem with the certificate used or with the data received.
In addition, this will also allow you to authenticate the server, computer or user concerned. This way, you will be sure to connect to the right server or service or talk to the right person.
Otherwise, a warning will be displayed. Which, in business, should put you on the alert.
When you install a new service that can be secured with an SSL certificate, a self-signed certificate may already be installed to secure the connection to this service.
However, using a self-signed certificate will always cause a default warning since it's never from a CA your computer trusts. Indeed, a self-signed certificate is a certificate that the server has issued to itself.
A self-signed certificate is therefore never valid and you will always have to add an exception (in your web browser, for example) to ignore this problem.
It's therefore important to replace it with a certificate from your certification authority so that you can really trust it and also benefit from the possibility of revoking this certificate in the event of a problem.
Thus, access to the service concerned is blocked, because the administrator considers that this certificate has been stolen or that the server protected with it has been compromised by a hacker.
Important : the use of a valid certificate (from an internal or commercial certificate authority) may be required by different services.
Indeed, the use of self-signed certificates will, for example, pose a problem with Microsoft's RDS (Remote Desktop Services) technology and with Citrix's virtualization technologies.
When you install your CA, you will see that the wizard will offer you to create a standalone or enterprise CA.
A standalone CA can be installed on a server that is in a workgroup (therefore NOT linked to an Active Directory domain) and is usually taken offline afterwards for security reasons.
Warning : although a standalone certification authority can be linked to an Active Directory domain (even if it doesn't add any feature to it), it is strongly discouraged to do so if you plan to keep this certification authority offline too long.
Indeed, if you do so, the secure channel linked to the functioning of Active Directory which allowed this server to communicate with your Active Directory infrastructure will be broken. This is because the password used internally for this secure channel will be different on your server acting as a standalone CA and on your Active Directory domain controller.
If necessary, refer to our tutorial : WS 2016 - AD DS - Reset a computer account.
An enterprise CA should be installed only on an Active Directory domain-joined server.
Indeed, a company certification authority can use the trust relationships of your Active Directory infrastructure to, for example, obtain information on a client (server, computer or user) automatically or manually requesting a certificate. It can also automatically distribute its certification authority certificate to the various servers and computers in your company so that they automatically trust the certificates it issues.
Using an enterprise certificate authority also allows you to use certificate templates, automatically enroll certificates (for example, via group policies (GPOs)), as well as archive keys.
Which is not possible with a standalone CA.
Additionally, everyone in your domain will automatically trust your enterprise CA.
You will also notice that your CA and its certificate templates will be stored in the "Configuration" partition of your Active Directory infrastructure.
For this tutorial, you will need 3 servers :
Note that in the case of a test environment, you could install the CA on the server already acting as an Active Directory domain controller to save a server (or virtual machine). Although this is not recommended.
Important : in production, it's strongly discouraged to install a certification authority on the same server as your domain controller to avoid various problems:
Although optional, you can pre-configure many options that will be used when installing your CA on Windows Server.
The advantage of this file is that it allows you to configure many options, some of which are not configurable from your certification authority's configuration wizard.
To do this, open Notepad as an administrator.
If you want to use this "CAPolicy.inf" configuration file, be aware that the only mandatory section (to be indicated first in this file) is the "Version" section with the "Signature" attribute, the value of which will always be "$Windows NT$".
For the example, we have defined the "certsrv_server" section which allows you to define :
To know all the settings available for this "CAPolicy.inf" configuration file, refer to the "CAPolicy.inf Syntax" page of the official Microsoft documentation.
In our case, it looks like this:
[Version] Signature="$Windows NT$" [certsrv_server] RenewalKeyLength=2048 RenewalValidityPeriod=Years RenewalValidityPeriodUnits=5
Then, click "File -> Save As" and navigate to the "%systemroot%" folder (which corresponds to the "C:\Windows" folder).
Provide "CAPolicy.inf" as the filename and make sure to select these options for the file to be created correctly :
Now, click Save.
To install the "Active Directory Certificate Services" role (and therefore your certification authority), you must first log in with an account that is part of the "Enterprise Admins" and "Domain Admins" groups (for the root Active Directory domain).
In our case, we will use the "Administrator" account of the domain.
Launch the server manager and click on the link : Add roles and features.
Select "Role-based or feature-based installation".
Install the "Active Directory Certificate Services" role (which corresponds to "AD CS" as you can see in its description).
No feature to install for this role.
A description of the "Active Directory Certificate Services" (AD CS) role appears.
As you can see, the certificates will allow you to :
Warning : as indicated in this description, the name of this server, as well as its connection to your Active Directory domain, can't be modified once the certification authority is installed.
Indeed, its name will be part of the link allowing clients to consult your revocation lists and its binding to the Active Directory domain allows it to store different information (such as the certificate templates created by default and its certification authority certificate for that your client trust him).
To install a certification authority, the mandatory role service is : Certification Authority.
The other services offered allow you to add different features to it, but are not mandatory.
Click on : Install.
Wait while Active Directory Certificate Services (AD CS) installs.
Wait while Active Directory Certificate Services (AD CS) installs.
Windows Server 8/15/2014
Windows Server 9/22/2023
Windows Server 9/29/2023
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.
Total or partial reproduction of this site is prohibited and constitutes an infringement punishable by articles L.335-2 and following of the intellectual property Code.