About Me

TsooRad is a blog for John Weber. John is a Skype for Business MVP (2015-2016) - before that, a Lync Server MVP (2010-2014). My day job is titled "Technical Lead, MS UC" - I work with an awesome group of people at CDW, LLC. I’ve been at this gig in one fashion or another since 1988 - starting with desktops (remember Z-248’s?) and now I am in Portland, Oregon. I focus on collaboration and infrastructure. This means Exchange of all flavors, Skype, LCS/OCS/Lync, Windows, business process, and learning new stuff. I have a variety of interests - some of which may rear their ugly head in this forum. I have a variety of certifications dating back to Novell CNE and working up through the Microsoft MCP stack to MCITP multiple times. FWIW, I am on my third career - ex-USMC, retired US Army. I have a fancy MBA. One of these days, I intend to start teaching. The opinions expressed on this blog are mine and mine alone.

2011/01/12

WS08R2 Standalone Root CA

High level instructions for installing a Standalone CA

NOTE: On an Enterprise or Datacenter edition server, the preferred install is an Enterprise Root CA. On Standard Edition WS08R2 you cannot install an Enterprise CA, so you will have to build a Standalone Root CA.


Start with a Windows Server 2008 R2 server. I used a DC, but there are some who think that is an issue. Choose what works best for your environment and matches your security model. The usual guidance is to keep a root CA off domain controllers and, for a standalone root, offline entirely: whoever controls the CA's private key can issue certificates that every domain member trusts. If you choose a Standalone Root CA, you will need this entire document, including the CLI work at the end.

1. Open Server Manager.

2. Click Add Roles.

3. Choose Active Directory Certificate Services.

4. Click Next on the introduction screen.

5. Select the role services to install (the original post shows a screenshot of the selection here).

6. Choose the setup type (Enterprise or Standalone). I recommend Enterprise; it really is easier. However, you can choose Standalone also, and on Standard Edition it is the only option (see the note above).

7. Choose Root CA.

8. Choose "Create a new private key".

9. Configure the cryptography for the CA key (provider, hash algorithm, key length); the original post shows a screenshot of the chosen settings here. A root key is meant to last for decades, so prefer at least a 2048-bit RSA key and SHA-256 rather than SHA-1.

10. Set the CA common name and distinguished name suffix as appropriate, and write the CA name down: it becomes part of the certificate and CRL file names and of the registry path used later.

11. I chose to use a LONG validity period; I don't like to renew certs more often than I have to. Your security paradigm may require you to keep this figure below the default of five years.

12. Accept the defaults for the certificate database and log locations. You can change them if you wish; if you do, document the change from the default.

13. The Web Server (IIS) role is added so that authorized users and servers can request certificates through web enrollment. Exchange UM, OCS, Lync, SQL, and SharePoint are the typical consumers.

14. Because I let the wizard choose for me, these IIS options were filled in automatically and will support what I need for the aforementioned applications.

15. Click Install.

Total install time was less than 15 minutes.

16. If you chose a Standalone CA, you will need to publish the resulting root certificate into Active Directory so that domain members trust it:

Microsoft Windows computers and some devices are automatically configured with some well-known third-party root certificates. However, if you are using your own PKI, you need to install the root certificate. There are various ways to achieve this, including the following methods:

  • If you are using a Microsoft Enterprise root certification authority, the root certificate is automatically installed on computers in the forest, using Active Directory Domain Services.
  • If you are not using a Microsoft Enterprise root certification authority but want all computers in the forest to automatically trust the root certification authority, you can publish the root certificate in the Enterprise Trust Store, using Group Policy or the Certutil command.
  • If you are not using a Microsoft Enterprise root certification authority and want only groups of computers in the forest to automatically trust the root certification authority, you can publish the root certificate to domains or organizational units (OUs) using Group Policy. Only computers that have the Group Policy applied will automatically trust the root certification authority. Add the root certificate to the Group Policy object Trusted Root Certification Authorities under the Public Key Policies folder for the Computer Configuration container.
  • If you are using Microsoft Certificate Services with Internet Information Services (IIS), you can request and install the root certificate with the Web enrollment service.
  • You can request and retrieve the certificate using the Microsoft Certreq command-line utility.
  • You can export the root certificate (public key only) to a file and import it manually on each computer.

17. To accomplish this using certutil.exe:

Run the following commands on the CA, as a member of Enterprise Admins (the targets live in the Configuration partition), to register the digital certificate of the Standalone Root CA and its CRL in Active Directory:

certutil -f -dspublish <CA_Cert_File_Name> RootCA
certutil -f -dspublish <CRL_File_Name>

The files <CA_Cert_File_Name> and <CRL_File_Name> are located in the folder %SystemRoot%\System32\CertSrv\CertEnroll; the certificate is named <ServerName>_<CAName>.crt and the CRL <CAName>.crl.

You don't have to publish the CRL, but it does make things go smoothly: when a host starts checking revocation it finds the CRL at the LDAP distribution point because you published it. Keep in mind that a published CRL expires (the default CRL publication interval on a new CA is one week), so either lengthen the CRL period on a standalone root or re-run the CRL command whenever the CA publishes a new one.

If you use Standard Edition with a Standalone Root CA, then you will need this command to allow the CA to honor SAN names passed as request attributes:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

The flag takes effect only after restarting the CA service (net stop certsvc, then net start certsvc). Treat it with care: it tells the CA to accept any subject alternative name a requester attaches to the request, regardless of what the CSR itself says. On an Enterprise CA that lets anyone with enroll rights request a certificate for an arbitrary name, including another user's UPN, which is why AD CS abuse research catalogs this setting as ESC6. On a standalone CA every request sits pending until an administrator approves it, so the control is the approver: inspect the requested names before issuing, and never flip this flag on a CA that auto-issues.
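A SAN certificate can also be obtained from a standalone CA without the EditFlags change, by embedding the Subject Alternative Name extension in the CSR itself, which a standalone CA passes through into the issued certificate. The following PowerShell script is an added example and not part of the original post; the CA config string "ca01.contoso.local\ContosoRootCA" and the host names sip, lyncweb and meet.contoso.com are hypothetical. Run it elevated on the server that needs the certificate, with rights to approve requests on the CA.

```powershell
# Added example (not from the original post). Requests a SAN/UCC certificate from a
# Standalone Root CA by putting the SAN extension (OID 2.5.29.17) in the CSR, so the
# CA does not need EDITF_ATTRIBUTESUBJECTALTNAME2. Names below are hypothetical.
$caConfig = "ca01.contoso.local\ContosoRootCA"

# certreq INF: machine key, non-exportable, RSA 2048, Digital Signature + Key
# Encipherment (0xA0), Server Authentication EKU, three DNS SANs.
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=sip.contoso.com, O=Contoso, C=US"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=sip.contoso.com&"
_continue_ = "dns=lyncweb.contoso.com&"
_continue_ = "dns=meet.contoso.com"
'@
Set-Content -Path .\san.inf -Value $inf -Encoding ASCII

# Build the CSR; the private key is created in the local machine store.
certreq -new .\san.inf .\san.req

# Submit. A standalone CA parks the request as "Taken Under Submission" and prints a
# RequestId, which we capture in order to approve and retrieve it.
$submit    = certreq -submit -config $caConfig .\san.req .\san.cer 2>&1 | Out-String
$requestId = [regex]::Match($submit, 'RequestId:\s*(\d+)').Groups[1].Value
if (-not $requestId) { throw "Submission did not return a RequestId:`n$submit" }

# Inspect the pending request before approving it. On a standalone CA this manual
# review is the only control over which names get issued, so do not skip it.
certutil -config $caConfig -view -restrict "RequestId=$requestId" -out "RequestId,RequesterName,CommonName"
certutil -config $caConfig -resubmit $requestId          # approve (issue)

# Retrieve the issued certificate and bind it to the private key in the machine store.
certreq -retrieve -config $caConfig $requestId .\san.cer
certreq -accept .\san.cer

# Confirm that the SAN extension survived issuance.
certutil -dump .\san.cer | Select-String -Pattern "Subject Alternative Name" -Context 0,4
```

The key is created non-exportable; set Exportable = TRUE only when the same certificate must be deployed to several servers (for example a load-balanced Lync pool), and protect the resulting PFX accordingly.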

One additional thing you can do is change the certificate issue period from the default of one year to something a little more lengthy. Using regedit, go to:

HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CAName>, where CAName is whatever you called the CA in the previous steps.

Modify the ValidityPeriodUnits value (the original post shows a screenshot of this value set to 2, matching the two-year certificates described in the summary); the unit itself lives in the neighboring ValidityPeriod value, "Years" by default. The CA reads these values only at startup, so restart the Active Directory Certificate Services service afterwards. Note that a CA never issues a certificate that outlives its own certificate, so the root's validity from step 11 is the hard ceiling.
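The post-install CLI work above (publish the root certificate and CRL into AD DS, lengthen the issuance period, optionally enable SAN request attributes, restart the service, and verify that the objects actually landed in the directory) as one PowerShell script. This is an added example, not the original post's own commands; the CA name "ContosoRootCA" is hypothetical, and the script assumes it is run in an elevated prompt on the CA itself by a member of Enterprise Admins.

```powershell
# Added example (not from the original post). Post-install configuration for a
# Standalone Root CA on WS08R2. Hypothetical CA name; run elevated on the CA as a
# member of Enterprise Admins (dspublish writes into the Configuration partition).
$caName   = "ContosoRootCA"
$enroll   = "$env:SystemRoot\System32\CertSrv\CertEnroll"
$certFile = Get-ChildItem "$enroll\*_$caName.crt" | Select-Object -First 1   # <Server>_<CAName>.crt
$crlFile  = Join-Path $enroll "$caName.crl"
if (-not $certFile -or -not (Test-Path $crlFile)) { throw "CA certificate or CRL not found in $enroll" }

# 1. Publish the root certificate (Certification Authorities container) and the CRL
#    (CDP container) into AD DS. Domain members pick the root up on the next Group
#    Policy refresh.
certutil -f -dspublish $certFile.FullName RootCA
certutil -f -dspublish $crlFile

# 2. Issue two-year certificates instead of the default one year. These certutil calls
#    write the same ValidityPeriodUnits / ValidityPeriod registry values described above.
certutil -setreg ca\ValidityPeriodUnits 2
certutil -setreg ca\ValidityPeriod "Years"

# 3. OPTIONAL AND RISKY: honor "san:" request attributes. Left commented out on purpose.
#    Enable it only on a CA where every request is manually approved, and never on an
#    Enterprise CA, where it lets any enrollee request an arbitrary SAN (ESC6).
# certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

# 4. Registry changes are read at service start.
Restart-Service certsvc

# 5. Verify: read the settings back, then check that the objects exist in AD.
certutil -getreg ca\ValidityPeriodUnits
certutil -getreg ca\ValidityPeriod

$cfg      = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$pks      = "CN=Public Key Services,CN=Services,$cfg"
$caEntry  = [ADSI]"LDAP://CN=$caName,CN=Certification Authorities,$pks"
# The CDP child container is named after the CA host's short name; assumed to equal
# the NetBIOS computer name here.
$cdpEntry = [ADSI]"LDAP://CN=$caName,CN=$env:COMPUTERNAME,CN=CDP,$pks"

$certsInAd = $caEntry.psbase.Properties["cACertificate"].Count
$crlInAd   = $cdpEntry.psbase.Properties["certificateRevocationList"].Count -gt 0
"Root CA certificates published in AD : $certsInAd"
"CRL published in AD                  : $crlInAd"
if ($certsInAd -lt 1 -or -not $crlInAd) { Write-Warning "Publication incomplete; re-run the dspublish step." }
```

On a domain member, `gpupdate /force` followed by a look at Cert:\LocalMachine\Root confirms that the root arrived; if it did not, the dspublish step ran without Enterprise Admin rights or the client has not refreshed policy yet.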


If you followed things all the way through, you have a Standalone Root CA with a trusted root certificate valid for 20 years, the root certificate and its CRL published into AD DS, the ability to issue SAN/UCC certificates, and issued certificates valid for two years.
