Virtual Geek

Tales from real IT system administrators world and non-production environment

Install and configure certificate authority (CA) on Microsoft Windows server with Group Policy

VMware recently released the vCenter identity federation feature in vSphere 7. While testing it I found that it requires CA-signed certificates, so I wanted to install and configure a certificate authority (CA) server for my lab, as I did not have one. When installing and configuring a CA server for production, plan and architect the design carefully. Due to infrastructure constraints and limited resources I am installing the CA on the Active Directory server; you can also distribute the role services across separate servers with proper planning. Active Directory Certificate Services (AD CS) is the Windows Server role used to create certification authorities and related role services that let you issue and manage certificates used in a variety of applications. To start, open Server Manager and go to Manage >> Add Roles and Features, or choose the same option from the Dashboard.

Part 1: Install and configure certificate authority (CA) on Microsoft Windows server with Group Policy
Part 2: Configuring Secure LDAPs on Domain Controller
  Related: ldp.exe LDAPS Cannot open connection Error 81
Part 3: Install and Configure Active Directory Federation Service (ADFS)

Once the Add Roles and Features Wizard pops up, I keep the default settings on the Before You Begin, Installation Type, Server Selection, Features, Web Server Role (IIS) and Confirmation pages and click Next to proceed. The only pages where I choose specific settings are Server Roles and AD CS / Role Services.

On the Select server roles page tick the Active Directory Certificate Services checkbox, and on the AD CS / Select role services page tick Certification Authority and Certification Authority Web Enrollment.


On the last page (Results) of the Add Roles and Features Wizard, once the feature installation is completed, click the link Configure Active Directory Certificate Services on the destination server. This opens the actual AD CS configuration, starting with Specify credentials to configure role services. I am using the currently logged-in user, which is a member of the Enterprise Admins group and of the local Administrators group.

To install the following role services you must belong to the local Administrators group:

  • Standalone certification authority
  • Certification Authority Web Enrollment
  • Online Responder

To install the following role services you must belong to the Enterprise Admins group:

  • Enterprise certification authority
  • Certificate Enrollment Policy Web Service
  • Certificate Enrollment Web Service
  • Network Device Enrollment Service


On the Role Services page, select Certification Authority (CA), which is used to issue and manage certificates; multiple CAs can be linked to form a public key infrastructure. Also select Certification Authority Web Enrollment, which provides a simple web interface that allows users to perform tasks such as requesting and renewing certificates, retrieving certificate revocation lists (CRLs), and enrolling for smart card certificates. Click Next.

Specify the setup type of the CA. Enterprise certification authorities (CAs) can use Active Directory Domain Services (AD DS) to simplify the management of certificates; standalone CAs do not use AD DS to issue or manage certificates. I am keeping the default, Enterprise CA. Enterprise CAs must be domain members and are typically online to issue certificates or certificate policies.

Next, specify the type of the CA. When you install Active Directory Certificate Services (AD CS), you are creating or extending a public key infrastructure (PKI) hierarchy. A root CA is at the top of the PKI hierarchy and issues its own self-signed certificate. A subordinate CA receives a certificate from the CA above it in the PKI hierarchy.
Root CA: Root CAs are the first, and may be the only, CAs configured in a PKI hierarchy.

Specify the type of the private key. To generate and issue certificates to clients, a certification authority (CA) must have a private key. Keep the default option, Create a new private key; use this option if you do not have a private key or want to create a new one.


For the remaining options I keep the defaults and keep pressing Next without editing anything.

For the cryptographic options of the CA I keep the cryptographic provider RSA#Microsoft Software Key Storage Provider with a key length of 2048. The hash algorithm for signing certificates issued by this CA is SHA256.

The next AD CS configuration page is the CA Name. Type a common name to identify this certification authority (CA); this name is added to all certificates issued by the CA. The distinguished name suffix values are generated automatically but can be modified. I am keeping all the information as generated by default; the generated name includes the computer hostname.

On the Specify the validity period page for the certificate generated for this certification authority (CA), the default value is 5 years, and the page shows the resulting CA expiration date. Note: the validity period configured for this CA certificate should exceed the validity period of the certificates it will issue.

The fourth screenshot shows the Specify the CA database locations page, with the certificate database and database log locations; I am keeping the defaults.


The configuration is now in its last phase. On the Confirmation page verify the settings for Active Directory Certificate Services; if anything is misconfigured you can go back and correct it. Press the Configure button. If everything is good, the Results page shows that all configuration succeeded.
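The wizard steps above can also be done unattended. The following is an added example (not from the original post) that installs the same role services and configures the CA with the same choices: Enterprise root CA, new RSA 2048 key in the software KSP, SHA256 signing, five-year validity and the default database paths. It assumes an elevated PowerShell session on the domain-joined server as an Enterprise Admins member; the CA common name LAB-ROOT-CA is a placeholder.

```powershell
# Added example, not from the original post. Assumes elevated PowerShell on the
# domain-joined server, run as a member of Enterprise Admins.
# "LAB-ROOT-CA" is a placeholder; the wizard defaults to <domain>-<hostname>-CA.

# Same role services ticked in the wizard: CA and Web Enrollment (Web Enrollment pulls in IIS)
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# Enterprise root CA, new private key, RSA 2048 in the software KSP, SHA-256 signing,
# five-year CA certificate, default certificate database and log locations
$caParams = @{
    CAType              = 'EnterpriseRootCA'
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = 2048
    HashAlgorithmName   = 'SHA256'
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 5
    CACommonName        = 'LAB-ROOT-CA'                  # placeholder
    DatabaseDirectory   = 'C:\Windows\System32\CertLog'  # wizard default
    LogDirectory        = 'C:\Windows\System32\CertLog'  # wizard default
    Force               = $true
}
Install-AdcsCertificationAuthority @caParams

# The Web Enrollment role service (the /certsrv site) needs its own configuration step
Install-AdcsWebEnrollment -Force

# Sanity check: the CA service is running and its certificate matches what was requested
Get-Service -Name CertSvc | Select-Object Status, StartType
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=LAB-ROOT-CA*' } |
    Select-Object -First 1
[pscustomobject]@{
    Subject    = $caCert.Subject
    KeyLength  = $caCert.PublicKey.Key.KeySize               # expect 2048
    SigAlg     = $caCert.SignatureAlgorithm.FriendlyName     # expect sha256RSA
    NotAfter   = $caCert.NotAfter                            # about five years out
    Thumbprint = $caCert.Thumbprint                          # needed later for the GPO check
}
```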

Finally, verify that the CA server website is working at http://fqdn_or_ip/certsrv/Default.asp. It prompts for the username and password of an administrator on the CA server.


Next, deploy the CA root chain certificate to the client computers in the domain. The first step is to click the Download a CA certificate, certificate chain, or CRL link on the CA server web page. If you see the error An unexpected error has occurred: The Certification Authority Service has not been started, go to Internet Options in Settings, select Trusted sites under the Security tab and click the Sites button. Add the CA server base URL to the trusted zone and uncheck Require server verification (https:) for all sites in this zone, then click OK twice. This resolves the issue; refresh the page.


Once the problem is resolved, click Download a CA certificate, certificate chain, or CRL and then Download CA certificate. Save the certnew.cer file.


I am using the downloaded certificate on the Active Directory Group Policy server. Search for Group Policy Management and open it. Expand the domain name, go to Group Policy Objects, right-click it and press New. Type a name for the new GPO and press OK.


Right-click the newly created GPO and press Edit. This opens the Group Policy Management Editor.


In the GPO Editor expand the tree and go to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Public Key Policies. Right-click Trusted Root Certification Authorities and press Import, which opens the Certificate Import Wizard.


Once deployed, the certificate will appear in the Local Machine store on the client computers. On the File to Import page choose the downloaded CA certificate file, verify the configuration and click Finish.


Once the certificate is imported, a pop-up box confirms success and the certificate is listed in the Group Policy Management Editor. Close the editor.


Right-click the domain and press Link an Existing GPO. This shows the Group Policy Objects list; select the GPO configured for the CA certificate deployment and click OK.


The GPO is now linked to the domain. It can take up to around 90 minutes (the default Group Policy refresh interval) for clients to receive the updated policy.
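The certificate download and GPO steps above have a scripted counterpart. The following is an added example (not from the original post): it fetches the CA certificate directly from the CA (so the Trusted Sites workaround for the /certsrv page is not needed), creates and links the GPO, and provides a client-side check that the root arrived through Group Policy. It assumes the GroupPolicy and ActiveDirectory RSAT modules; the CA config string CASERVER\LAB-ROOT-CA and the GPO name are placeholders. Importing the certificate into the GPO is still done in the Group Policy Management Editor as described above.

```powershell
# Added example, not from the original post. Assumes the GroupPolicy and
# ActiveDirectory RSAT modules on a domain-joined admin workstation or DC.
# "CASERVER\LAB-ROOT-CA" and the GPO name are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$caConfig = 'CASERVER\LAB-ROOT-CA'   # placeholder: <CA host>\<CA common name>
$cerPath  = 'C:\Temp\certnew.cer'    # same file the /certsrv page would download
$gpoName  = 'Deploy Lab Root CA'     # placeholder GPO name

# Retrieve the CA certificate straight from the CA service instead of via /certsrv
certutil -config $caConfig -ca.cert $cerPath | Out-Null
$rootCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
"CA certificate: $($rootCert.Subject)  thumbprint $($rootCert.Thumbprint)"

# Create the GPO (if missing) and link it at the domain root, like "Link an Existing GPO"
$domainDn = (Get-ADDomain).DistinguishedName
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Comment 'Trusted Root CA deployment' | Out-Null
}
# New-GPLink errors if the link already exists; that is harmless here
New-GPLink -Name $gpoName -Target $domainDn -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
# The Trusted Root import itself is done in the Group Policy Management Editor (see above).

# Client-side check, to run on a domain member after gpupdate /force: the root must be in the
# machine Root store AND be present in the policy-delivered store, which shows it came from
# the GPO rather than from a manual or ad-hoc import.
function Test-RootCaDeployed {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $inStore   = Test-Path "Cert:\LocalMachine\Root\$Thumbprint"
    $viaPolicy = Test-Path ("HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\" + $Thumbprint)
    [pscustomobject]@{
        Thumbprint     = $Thumbprint
        InRootStore    = $inStore
        DeliveredByGpo = $viaPolicy
    }
}
Test-RootCaDeployed -Thumbprint $rootCert.Thumbprint
```

Both InRootStore and DeliveredByGpo should be True on a client once the policy has applied; InRootStore True with DeliveredByGpo False means the root was trusted by some other route.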


Useful Articles
Generate new self-signed certificates for ESXi using OpenSSL
Push SSL certificates to client computers using Group Policy
Replacing a default ESXi certificate with a CA-Signed certificate
Troubleshooting replacing a corrupted certificate on Esxi server
How to import default vCenter server appliance VMCA root certificate and refresh CA certificate on ESXi
How to replace default vCenter VMCA certificate with Microsoft CA signed certificate
