Wednesday, March 7, 2018

[How-to] Installing Microsoft Certificate Server in your Lab

So you've built your Control Center AD controller in your lab, and now you want unified certificate services for all the VMware bits you are going to install. This guide will help you get a basic lab configuration of Microsoft Certificate Server, with all the bells and whistles, to meet your future lab certificate needs.

Before we get started

This post is based on VMware Workstation 14 Pro and Windows Server 2016 Standard - but the concepts should be pretty similar across other versions (including a lab ESXi host).

This guide assumes a basic understanding of the Windows Server OS, networking services, and the like, and as usual these instructions are provided as-is; no support or warranty is provided or implied. Consider thyself warned.

What do I need?

To begin you will need the following:
  1. A Windows 2016 AD Controller - such as the one we built here.


Installing the Certificate Server Role

1. From Server Manager > Dashboard, click Add roles and features. When the wizard loads, jump ahead to the Server Roles screen shown below and check the following:


  • Active Directory Certificate Services
    • Certificate Authority
    • Certificate Enrollment Policy Web Service
    • Certificate Enrollment Web Service
    • Certificate Authority Web Enrollment
    • Network Device Enrollment Service
    • Online Responder
Be sure to click Yes/OK to any supporting components that need installing (IIS and its features), then complete the install.



Configuring Certificate Server

2. After installation you will find a post-deployment wizard for Certificate Services under the flag icon in Server Manager. When the wizard opens your credentials should be pre-filled; click Next >
3. On the Role Services screen, check everything except Network Device Enrollment Service and Certificate Enrollment Web Service (these must be configured after the others), then click Next >
4. Leave Enterprise CA selected, click Next >
5. Leave Root CA selected, click Next >
6. Leave Create a new private key checked, click Next >
7. On the Cryptography screen you can leave the defaults; I prefer larger keys, so I changed mine to Key length: 4096 - click Next > once you have it configured as you prefer.
The "Allow administrator interaction..." checkbox is intended for hardware cryptographic providers (an HSM or smart card that prompts for a PIN when the CA key is used), so you can leave it unchecked.
8. By default the wizard fills in these fields for you; change them as you see fit or leave them as-is - the common name will be your Root CA name - click Next >
9. For the Validity period you can leave it; I went ahead and changed mine to 25 years - though if I still have the same lab running in 25 years I'm likely going to be in bad shape - click Next >
10. Most likely you will want to leave the database and log locations at their defaults; change them if you feel the need - click Next >
11. Windows integrated authentication should be all you need; don't worry, from non-domain-joined machines you will still be prompted for a username and password - click Next >
12. For now you will need to select Choose and assign a certificate for SSL later (chicken-and-egg problem here: you don't have a cert server up yet, so you can't get a certificate to assign to the web server the cert server is about to use; don't worry, I'll cover how to fix this at the end) - click Next >
13. Verify everything looks good and click Configure
14. Once complete everything should have green check marks as shown below; don't worry about the info warnings below them, we will fix those later - click Close
15. You will be prompted afterwards to configure the services we skipped; go ahead and click Yes
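As an added example that is not part of the original post, this is the PowerShell equivalent of steps 1 through 15 (role install, Enterprise Root CA with a 4096-bit key and 25-year validity, then the three services that need no further input). The CA common name LAB-ROOT-CA is an assumed placeholder; the wizard's default for your domain will differ.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session
# on the domain controller as a Domain Admin / Enterprise Admin.
# Assumed value: CA common name 'LAB-ROOT-CA' (placeholder, adjust to your lab).

# Step 1: install the AD CS role services; IIS and its features are pulled in as dependencies.
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Enroll-Web-Pol, ADCS-Enroll-Web-Svc,
    ADCS-Web-Enrollment, ADCS-Device-Enrollment, ADCS-Online-Cert -IncludeManagementTools

# Steps 2-13: Enterprise Root CA, new 4096-bit RSA key in the software KSP, SHA-256,
# 25-year validity, default database and log locations.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'LAB-ROOT-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 25 `
    -Force

# Step 3's other services. Web Enrollment and the Online Responder take no extra input.
Install-AdcsWebEnrollment -Force
Install-AdcsOnlineResponder -Force

# Certificate Enrollment Policy Web Service with Windows integrated (Kerberos) authentication.
# -SSLCertThumbprint is left out on purpose, matching "Choose and assign a certificate for SSL later".
Install-AdcsEnrollmentPolicyWebService -AuthenticationType Kerberos -Force

# Step 14 equivalent: confirm the CA answers and that the key is really 4096 bits.
certutil -cainfo name
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=LAB-ROOT-CA*' } |
    Select-Object Subject, NotAfter, @{ n = 'KeyBits'; e = { $_.PublicKey.Key.KeySize } }
```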

Configuring Remaining Services

16. Same as before, your credentials should be pre-filled; click Next >
17. Check the remaining two options - Network Device Enrollment Service and Certificate Enrollment Web Service - click Next >
18. For the Service Account you can use your admin account, or do as I did and create a dedicated service account - just make sure the service account is a member of the IIS_IUSRS group and has log on rights to this server (Domain Admins membership, or grant the right via User Rights Assignment) - click Select..., enter your user account details, then click Next >
19. The RA Name will be pre-filled - feel free to leave it or change it as you see fit, then fill in your details to match your environment - click Next >
20. For Cryptography for NDES you can leave the defaults, or change the key lengths to 4096 as I did; your choice - click Next >
21. By default the Target CA should be filled in for you (this server); if not, click Select... and choose this server - click Next >
22. Windows integrated authentication should be all you need; don't worry, from non-domain-joined machines you will still be prompted for a username and password - click Next >
23. As with NDES, for the Service Account you can use your admin account, or do as I did and create a service account (the same rules as above apply) - click Select..., enter your user account details, then click Next >
24. We still aren't ready for the server certificate (the cert you see here is your root CA certificate), so select Choose and assign a certificate for SSL later - click Next >
25. Verify everything looks good and click Configure
26. Once complete everything should have green check marks as shown below; don't worry about the info warnings below them, we will fix those next - click Close
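As an added example that is not part of the original post, here is the PowerShell equivalent of steps 16 through 26, including the IIS_IUSRS membership check the service account needs. The domain name LAB, the account svc_adcs, the RA name and the CA config string ad01.lab.dhcollier.com\LAB-ROOT-CA are assumed placeholders.

```powershell
# Added example, not from the original post. Assumed placeholders: domain LAB,
# service account LAB\svc_adcs, CA config '<CA host FQDN>\<CA common name>'.
$svcUser  = 'LAB\svc_adcs'
$svcPass  = Read-Host -AsSecureString -Prompt "Password for $svcUser"
$caConfig = 'ad01.lab.dhcollier.com\LAB-ROOT-CA'

# Steps 18 and 23 prerequisite: the service account must be in IIS_IUSRS. Because the CA
# lives on the domain controller, IIS_IUSRS is the Builtin domain group, so use the AD cmdlets.
# The "log on locally" right is granted through User Rights Assignment (GPO/secpol), not here.
$members = Get-ADGroupMember -Identity 'IIS_IUSRS' | Select-Object -ExpandProperty SamAccountName
if ($members -notcontains 'svc_adcs') {
    Add-ADGroupMember -Identity 'IIS_IUSRS' -Members 'svc_adcs'
}

# Steps 17-21: NDES with the service account, RA details and 4096-bit signing/encryption keys.
Install-AdcsNetworkDeviceEnrollmentService `
    -ServiceAccountName $svcUser -ServiceAccountPassword $svcPass `
    -CAConfig $caConfig `
    -RAName 'LAB-NDES-RA' -RACompany 'Lab' -RACountry 'US' `
    -SigningKeyLength 4096 -EncryptionKeyLength 4096 `
    -Force

# Steps 22-24: Certificate Enrollment Web Service, Kerberos authentication,
# SSL certificate assigned later (no -SSLCertThumbprint yet).
Install-AdcsEnrollmentWebService `
    -CAConfig $caConfig `
    -ServiceAccountName $svcUser -ServiceAccountPassword $svcPass `
    -AuthenticationType Kerberos `
    -Force

# Step 26 equivalent: the NDES (mscep) and CES (_CES_Kerberos) web applications should now exist.
Import-Module WebAdministration
Get-WebApplication -Site 'Default Web Site' | Select-Object Path, ApplicationPool
```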


Server Certificate and IIS Post Configuration

27. Open Internet Information Services (IIS) Manager - click on the server in the Connections pane on the left, then in the middle pane scroll down to the IIS section and double-click Server Certificates
28. Once Server Certificates opens, in the Actions pane on the right click Create Domain Certificate...
29. Fill in the details - the Common name should match the FQDN of your server (servername.subdomain.maindomain.tld; for example mine is ad01.lab.dhcollier.com) - the rest are your choice - when complete click Next
30. Your newly built CA should be pre-filled; if it isn't, click Select... and find it in the list - the Friendly name is just for the admin to see (it makes the certificate easy to find in admin tools) - I usually just make it match the common name of the certificate - click Finish
31. Under the server in the Connections pane on the left, expand Sites, then click Default Web Site - in the Actions pane on the right, under Edit Site, click Bindings...
32. In the Site Bindings window, select https, then click Edit...
33. Select the newly issued SSL certificate from the drop-down list (if it's not in the list, click the Select... button and see if you can find it there). I also fill in the FQDN that matches the certificate in Host name, but that's optional - click OK
34. Right-click Default Web Site, then click Manage Website > Restart
35. Let's confirm all is working: open a web browser (IE shown) and browse to https://server.sub.domain.tld/certsrv, such as https://ad01.lab.dhcollier.com/certsrv - click the padlock to validate that the site is using your newly assigned SSL certificate (and not the root CA certificate).
Optionally you can view the certificate; it should show as valid and subordinate to the Root CA.
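As an added example that is not part of the original post, this PowerShell does steps 27 through 35 without the GUI: it requests the server certificate from the Enterprise CA with the built-in WebServer template (which is what Create Domain Certificate uses), binds it to the Default Web Site, and then checks what the site actually presents, so the "is it the new cert and not the root" verification is scripted rather than eyeballed in the padlock dialog. The FQDN ad01.lab.dhcollier.com is the post's; the CA common name LAB-ROOT-CA is an assumed placeholder.

```powershell
# Added example, not from the original post. Assumed: CA common name 'LAB-ROOT-CA' (placeholder).
Import-Module WebAdministration
$fqdn = 'ad01.lab.dhcollier.com'

# Steps 28-30: enroll a WebServer-template certificate into the machine store and give it
# a friendly name matching the common name, as the post suggests.
$req  = Get-Certificate -Template WebServer -SubjectName "CN=$fqdn" -DnsName $fqdn `
            -CertStoreLocation Cert:\LocalMachine\My
$cert = $req.Certificate
$cert.FriendlyName = $fqdn

# Steps 31-34: ensure an https binding exists, attach the new certificate to 0.0.0.0:443
# (replacing whatever was there), then restart the site.
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
Remove-Item 'IIS:\SslBindings\0.0.0.0!443' -ErrorAction SilentlyContinue
New-Item 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null
Restart-WebItem 'IIS:\Sites\Default Web Site'

# Step 35: open a TLS session and capture the certificate the site presents. The callback
# accepts anything only so we can inspect the cert ourselves below; we verify it explicitly.
$tcp = New-Object Net.Sockets.TcpClient($fqdn, 443)
$ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false,
           ({ $true } -as [Net.Security.RemoteCertificateValidationCallback]))
$ssl.AuthenticateAsClient($fqdn)
$served = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$tcp.Close()

$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like 'CN=LAB-ROOT-CA*' }
if ($served.Thumbprint -eq $root.Thumbprint) { throw 'Site is still presenting the root CA certificate' }
if ($served.Thumbprint -ne $cert.Thumbprint) { throw 'Site is not presenting the newly issued certificate' }
if (-not $served.Verify())                   { throw 'Served certificate does not chain to a trusted root' }
"OK: $fqdn presents $($served.Subject), issued by $($served.Issuer), valid until $($served.NotAfter)"
```

If Get-Certificate is denied, check the Enroll permission on the WebServer template; by default only Domain Admins and Enterprise Admins hold it.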

Congratulations, you have successfully added a working Certificate Server to your lab domain - if you have done things right you have an Enterprise CA whose Root Certificate is distributed automatically to every domain-joined machine at its next Group Policy refresh.
