Recently VMware released a new feature, vCenter identity federation, in vSphere 7. I was testing that feature and it requires CA-signed certificates, so I wanted to install and configure a certificate authority (CA) server for my lab, as I didn't have one yet. When installing and configuring a CA server for production, plan and architect the design carefully. Due to infrastructure constraints and limited resources, I am installing AD CS on the Active Directory domain controller; you can also distribute or separate the role services onto different servers with proper planning. Active Directory Certificate Services (AD CS) is the Microsoft Windows Server role used to create certification authorities and related role services that allow you to issue and manage certificates used in a variety of applications. To start, open Server Manager and go to Manage >> Add Roles and Features, or choose the same option from the Dashboard.
Part 1: Install and configure certificate authority (CA) on Microsoft Windows server with Group Policy
Part 2: Configuring Secure LDAPs on Domain Controller
ldp.exe LDAPS Cannot open connection Error 81
Part 3: Install and Configure Active Directory Federation Service (ADFS)
Once the Add Roles and Features Wizard pops up, I am using the defaults for Before You Begin, Installation Type, Server Selection, Features, Web Server Role (IIS) and Confirmation, and clicking Next to proceed. The only specific settings I am choosing are on Server Roles and AD CS / Role Services.
In Select server roles, tick the checkbox for Active Directory Certificate Services, and on AD CS / Select role services tick Certification Authority and Certification Authority Web Enrollment.
On the last page, Results, of the Add Roles and Features Wizard, once the feature installation is complete click the link Configure Active Directory Certificate Services on the destination server. It opens the actual configuration of the AD CS server. Specify credentials to configure role services: I am using the currently logged-in user, which is a member of the Enterprise Admins group and the local Administrators group.
To install the following role services you must belong to the local Administrators group:
- Standalone certification authority
- Certification Authority Web Enrollment
- Online Responder
To install the following role services you must belong to the Enterprise Admins group:
- Enterprise certification authority
- Certificate Enrollment Policy Web Service
- Certificate Enrollment Web Service
- Network Device Enrollment Service
On Role Services, select Certification Authority (CA), which is used to issue and manage certificates; multiple CAs can be linked to form a public key infrastructure. Also select Certification Authority Web Enrollment, which provides a simple web interface that allows users to perform tasks such as requesting and renewing certificates, retrieving certificate revocation lists (CRLs), and enrolling for smart card certificates. Click Next.
Specify the setup type of the CA. Enterprise certification authorities (CAs) can use Active Directory Domain Services (AD DS) to simplify the management of certificates; standalone CAs do not use AD DS to issue or manage certificates. I am keeping the default, Enterprise CA. Enterprise CAs must be domain members and are typically online to issue certificates or certificate policies.
Next, specify the type of the CA. When you install Active Directory Certificate Services (AD CS), you are creating or extending a public key infrastructure (PKI) hierarchy. A root CA is at the top of the PKI hierarchy and issues its own self-signed certificate. A subordinate CA receives a certificate from the CA above it in the PKI hierarchy.
Root CA: Root CAs are the first and may be the only CAs configured in a PKI hierarchy.
Specify the type of the private key. To generate and issue certificates to clients, a certification authority (CA) must have a private key. Keep the default option, Create a new private key; use this option if you do not have a private key or want to create a new one.
For all remaining options I keep the defaults and keep pressing Next without editing.
I specify the cryptographic options for the CA by keeping the cryptographic provider RSA#Microsoft Software Key Storage Provider with a key length of 2048. The hash algorithm for signing certificates issued by this CA is SHA256.
Next in the AD CS configuration is specifying the name of the CA (CA Name). Type a common name to identify this certification authority (CA); this name is added to all certificates issued by the CA. Distinguished name suffix values are generated automatically but can be modified. I am keeping all the information as generated by default; the name includes the computer hostname.
In Specify the validity period for the certificate generated for this certification authority (CA), the default value is 5 years, and the page shows the CA expiration date. Note: the validity period configured for this CA certificate should exceed the validity period of the certificates it will issue.
In the 4th screenshot, Specify the CA database locations, with the certificate database log location, I am keeping the defaults.
Configuration is in its last phase. On the Confirmation page verify the settings for Active Directory Certificate Services; if anything is misconfigured you can go back to correct it. Press the Configure button. In the Results, if everything is good it shows that all configuration succeeded.
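The same role installation and CA configuration can be scripted. The following PowerShell is an added example, not from the original post, and uses the AD CS deployment cmdlets with the same choices made in the wizard above (Enterprise root CA, new RSA 2048 key in the Microsoft Software Key Storage Provider, SHA256, 5-year validity, default database paths). The CA common name is an assumption; the wizard defaults to a name that includes the hostname.

```powershell
#Requires -RunAsAdministrator
# Added example (not the post's own procedure). Run as a member of Enterprise Admins
# and local Administrators, as the wizard requires for an Enterprise CA.

$caName = 'LAB-ROOT-CA'   # assumed common name; the wizard generates "<domain>-<host>-CA" by default

# Step 1: the two role services ticked in "Select role services"
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# Step 2: configure the CA with the wizard's settings
$params = @{
    CAType              = 'EnterpriseRootCA'
    CACommonName        = $caName
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = 2048
    HashAlgorithmName   = 'SHA256'
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 5
    DatabaseDirectory   = 'C:\Windows\system32\CertLog'   # wizard default
    LogDirectory        = 'C:\Windows\system32\CertLog'   # wizard default
    Force               = $true
}
Install-AdcsCertificationAuthority @params

# Step 3: the /certsrv web enrollment pages the post verifies at the end
Install-AdcsWebEnrollment -Force

# Post-configuration checks: service running, CA answering, and the CA certificate
# really carries the requested signature algorithm and validity.
Get-Service CertSvc | Select-Object Name, Status
certutil -ping
certutil -getreg CA\CSP\CNGHashAlgorithm        # expect SHA256
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object Subject -like "CN=$caName*" |
    Format-List Subject, NotBefore, NotAfter, Thumbprint,
                @{ n = 'Signature'; e = { $_.SignatureAlgorithm.FriendlyName } }
```

The final Format-List is the equivalent of reading the Confirmation page afterwards: NotAfter should be five years out and Signature should read sha256RSA. If certutil -ping fails while CertSvc shows Running, the web enrollment error discussed further down is the likely next thing to look at.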
Finally, verify that the CA server website is working and functioning at the URL http://fqdn_or_ip/certsrv/Default.asp. It asks for the admin username and password of the CA server.
Next is to distribute and deploy the CA root chain certificate to client computers in the domain. The first step is on the CA server web page: click the Download a CA certificate, certificate chain, or CRL link. If you see the error An unexpected error has occurred: The Certification Authority Service has not been started, go to Internet Options in Settings, under the Security tab select Trusted sites and click the Sites button. Add the CA server base URL to the trusted zone and uncheck Require server verification (https:) for all sites in this zone. Click OK twice; this resolves the issue. Refresh the page.
Once the problem is resolved, click Download a CA certificate, certificate chain, or CRL and then click Download CA certificate. Save the certnew.cer file.
I am using the downloaded certificate on the Active Directory Group Policy server. Search for Group Policy Management and open it. Expand the domain name, go to Group Policy Objects, right-click on it and press New. Type a name for the new GPO and press OK.
Right-click on the newly created GPO and press Edit. It opens the Group Policy Management Editor.
In the GPO Editor expand and go to the path Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Public Key Policies, right-click on Trusted Root Certification Authorities and press Import, which opens the Certificate Import Wizard.
The certificate will be reflected in the Local Machine store on the client computer once deployed. In File to import, choose the downloaded CA certificate file. Verify the configuration and click Finish.
Once the certificate is imported, a success pop-up box appears and the certificate shows in the Group Policy Management Editor. Close the editor.
Right-click on the domain and press Link an Existing GPO. This shows the Group Policy Objects list; select the GPO configured for SSL certificate deployment and click OK.
The GPO is now linked to the domain. It will take around 90 minutes for the updated group policy to reach the client.
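The download, GPO creation and link steps above can be scripted too, and more importantly the result can be verified on a client without waiting for the refresh interval. The PowerShell below is an added example, not part of the original post: Part A runs on the CA / Group Policy server and Part B on a domain-joined client. The GPO name, domain DN and file path are assumptions, and the certificate import into Trusted Root Certification Authorities is still done in the GPO editor as described above.

```powershell
# Added example (not the post's own procedure).

# --- Part A: on the CA / Group Policy server ---
$gpoName  = 'Deploy-Lab-Root-CA'    # assumed GPO name
$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=lab,DC=local (value comes from your domain)
$certFile = 'C:\temp\certnew.cer'   # assumed path; same file the post downloads from /certsrv

# Export the CA's own certificate, the scripted equivalent of "Download CA certificate"
certutil -ca.cert $certFile | Out-Null
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certFile
'CA certificate {0} thumbprint {1}' -f $caCert.Subject, $caCert.Thumbprint

# Create the GPO and link it to the domain (GUI steps: New GPO, Link an Existing GPO)
Import-Module GroupPolicy
New-GPO -Name $gpoName -Comment 'Distributes the lab root CA certificate to domain computers' | Out-Null
New-GPLink -Name $gpoName -Target $domainDN -LinkEnabled Yes | Out-Null
Get-GPO -Name $gpoName | Select-Object DisplayName, GpoStatus, ModificationTime

# --- Part B: on a client, instead of waiting ~90 minutes for the refresh ---
$expected = 'PASTE-THUMBPRINT-FROM-PART-A'   # placeholder: thumbprint printed in Part A
gpupdate /target:computer /force | Out-Null

# Confirm the GPO applied and the root certificate landed in the machine Root store
gpresult /r /scope:computer | Select-String -Pattern 'Applied Group Policy Objects' -Context 0, 5
$installed = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $expected
if ($installed) {
    'Root CA trusted on this client: {0} (expires {1})' -f $installed.Subject, $installed.NotAfter
} else {
    'Root CA NOT present: check the GPO link, the import under Public Key Policies, and gpresult output'
}
```

Comparing the thumbprint rather than the subject name is deliberate: it confirms the client trusts exactly the certificate exported from the CA, not merely something with a similar name. Keep that thumbprint with the lab documentation, since it is also what vCenter and other relying parties will be chained to in the next parts of the series.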
Useful Articles
Generate new self-signed certificates for ESXi using OpenSSL
Push SSL certificates to client computers using Group Policy
Replacing a default ESXi certificate with a CA-Signed certificate
Troubleshooting replacing a corrupted certificate on Esxi server
How to import default vCenter server appliance VMCA root certificate and refresh CA certificate on ESXi
How to replace default vCenter VMCA certificate with Microsoft CA signed certificate