Installing And Configuring Certificate Services On Windows Server 2008

Posted by on Mar 10, 2008 | 3 Comments

With all of the security threats occurring on the Internet, it’s important to be able to trust the resource you’re connecting to and through which you’re passing information. One way to enable others to trust you is to install Certificate Services on your server. Here’s how it’s done using Windows Server 2008.

What is Certificate Services?

Certificate Services is included with Windows Server 2008 but not installed by default. The service is used to issue and manage certificates for a Public Key Infrastructure (PKI). Certificate Services allows a computer running Windows Server 2008 to receive requests for certificates from users and computers, verify the identity of a requestor, issue and revoke certificates, and publish a Certificate Revocation List (CRL).

In this series, I will outline the steps you need to complete in order to install an Enterprise Certificate Authority. The article assumes you are familiar with the different types of certificate authorities and roles.

System Requirements

Before you install Certificate Services, you should be aware of the system requirements. These will vary depending on the type of Certificate Authority (CA) you are installing. An Enterprise Root CA requires Active Directory, Domain Name Service (DNS), and Transmission Control Protocol / Internet Protocol (TCP/IP). The server on which you plan to install the Certificate Services must also be a member of a Windows Server 2008 domain in which you are a domain administrator.

Conversely, if you are installing a stand-alone CA, the system requirements change slightly. Active Directory is not required, and administrative permissions are only needed on the server on which you will install the service.

Once you have met the system requirements, you are ready to install the Enterprise Root CA for your network. The Enterprise Root CA is at the top of the certificate authority hierarchy. This server is automatically registered in Active Directory and therefore trusted by all computers within the domain. The Enterprise Root CA for your organization is responsible for issuing certificates to Enterprise Subordinate CAs. These servers in turn issue certificates to users and computers within the domain. Every certificate issued within your domain can be traced back to the Enterprise Root CA.

Installing an Enterprise Root Certificate Authority

In order to install and configure an Enterprise Root CA, you must log onto the server with a user account that belongs to the Domain Admins group.

To set up an enterprise root CA in Windows Server 2008:

  1. Click Start, point to Administrative Tools, and then click Server Manager.
  2. In the Roles Summary section, click Add roles.
  3. On the Select Server Roles page, select the Active Directory Certificate Services check box. Click Next two times.
  4. On the Select Role Services page, select the Certification Authority check box, and then click Next.
  5. On the Specify Setup Type page, click Enterprise, and then click Next.
  6. On the Specify CA Type page, click Root CA, and then click Next.
  7. On the Set Up Private Key and Configure Cryptography for CA pages, you can configure optional settings, including the cryptographic service provider. Click Next twice.
  8. In the Common name for this CA box, type the common name of the CA. The common name for a CA is usually the same as its host name or computer name. Keep in mind as well that you will not be able to change any of the identifying information after the service is installed.
  9. Click Next.
  10. On the Set the Certificate Validity Period page, configure the default validity duration for the root CA. The validity period defines how long issued certificates remain valid. The default value for this field is 5 years. You can increase or decrease the number as necessary. Click Next after you have filled in the information.
  11. On the Configure Certificate Database page, configure the location of the certificate database, the certificate database log, and the shared folder. The default location for the database and database log is C:\WINDOWS\system32\CertLog. You can use the default value or use the Browse button to select a different location. Click Next.
  12. After verifying the information on the Confirm Installation Options page, click Install.

Setup will configure the necessary components. If setup cannot locate the necessary files, you will be prompted for the Windows Server 2008 CD-ROM to continue. If IIS is not installed, a warning will appear. IIS is required in order to use Certificate Services Web Enrollment Support. Click OK to acknowledge the message.

Review the information on the confirmation screen to verify that the installation was successful.

An Enterprise Root CA is required before you can install a subordinate CA. Once you have completed the steps described in the previous section, you can install one or more Enterprise Subordinate CAs. This type of CA exists under the Enterprise Root CA in a certificate authority hierarchy. Enterprise Subordinate CAs can be created to issue specific types of certificates.

Installing a Subordinate Enterprise CA

The process is slightly different for installing an Enterprise Subordinate CA.

To install an enterprise subordinate CA:

  1. Open Server Manager, click Add Roles, and click Next.
  2. Click Active Directory Certificate Services and click Next two times.
  3. On the Select Role Services page, click Certification Authority, and then click Next.
  4. On the Specify Setup Type page, click Enterprise, and then click Next.
  5. On the Specify CA Type page, click Subordinate CA, and then click Next.
  6. On the Set Up Private Key page, click Create a new private key, and then click Next.
  7. On the Configure Cryptography page, select a cryptographic service provider, key length, and hash algorithm. Click Next.
  8. On the Request Certificate page, browse to locate the root CA, or if the root CA is not connected to the network, save the certificate request to a file so that it can be processed later. Click Next.
  9. On the Configure CA Name page, create a unique name to identify the CA. Click Next.
  10. On the Set Validity Period page, specify the number of years or months that the CA certificate will be valid. Click Next.
  11. On the Configure Certificate Database page, accept the default locations or specify a custom location for the certificate database and certificate database log. Click Next.
  12. On the Confirm Installation Options page, review all of the configuration settings that you have selected. If you want to accept all of these options, click Install and wait until the setup process has finished.
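Step 8 above lets you save the subordinate CA's request to a file when the root CA is not reachable on the network. The following PowerShell session is an added example, not taken from the article, showing how that saved request is processed on the root CA installed in the previous section and how the issued certificate is then installed on the subordinate; the server names, CA name and C:\PKI paths are placeholders.

```powershell
# Added example. Placeholders: ROOTCA01, "Contoso Root CA", SUBCA01 and the C:\PKI paths.

# ---------- On the root CA (the CA installed in the previous section) ----------
$RootConfig = 'ROOTCA01\Contoso Root CA'   # "<host>\<CA common name>" chosen during the root install
$ReqFile    = 'C:\PKI\SUBCA01.req'         # request file the subordinate's wizard saved (step 8)
$CerFile    = 'C:\PKI\SUBCA01.cer'

# Sanity-check the root before issuing anything: -ping confirms the service answers and
# -cainfo shows its name, type and certificate, so a typo in $RootConfig fails here.
certutil -config $RootConfig -ping
certutil -config $RootConfig -cainfo

# Submit the saved request. Depending on the SubCA template's issuance requirements the
# certificate is written to $CerFile immediately, or the request is held in Pending Requests;
# in that case certreq prints the RequestId and the two commented lines below finish the job.
certreq -submit -config $RootConfig $ReqFile $CerFile
# certutil -config $RootConfig -resubmit <RequestId>
# certreq -retrieve -config $RootConfig <RequestId> $CerFile

# ---------- On the subordinate CA ----------
# Setup left certsvc unable to start because the CA has no certificate yet. Install the
# issued one (the CLI equivalent of "Install CA Certificate" in the snap-in), then start it.
# The root's certificate is already trusted here because an enterprise root is published to AD.
certutil -installcert 'C:\PKI\SUBCA01.cer'
net start certsvc

# Check the result: the chain must build to the root and every CDP/AIA URL embedded in the
# new CA certificate must be reachable, otherwise clients will reject what this CA issues.
certutil -verify -urlfetch 'C:\PKI\SUBCA01.cer'
certutil -cainfo
```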

After Certificate Services is installed, you can manage it using the Certificate Authority snap-in. The console allows you to perform a number of different tasks including:

  • Stop and start the service
  • Back up and restore a CA
  • Renew a CA certificate
  • Configure the policy and exit modules
  • Manage certificates that have been issued and revoked
  • Manage certificate requests
  • Configure event auditing
  • Set security permissions
  • Create and view CRLs
  • Set the publication interval for the Certificate Revocation List

To open the Certificate Authority snap-in on the local computer:

  1. If this is the first time you are using the Certification Authority snap-in on this computer, click Start, click Run, type mmc, and then press Enter.
  2. On the File menu, click Add/Remove Snap-in.
  3. Add the Certification Authority snap-in to the list on the right.
  4. Select the computer hosting the CA that you want to administer, and then click OK.

You can save the console by clicking File | Save As. Type in an appropriate file name for the console so you can easily identify it and then click Save.

The Certificate Authority snap-in can also be used to administer a CA on another computer. Within the snap-in, click Retarget Certification Authority from the Action menu. Click Another Computer and type the name of the computer.

When you open the Certificate Authority console, you will see your CA. Expand the CA by clicking the plus sign beside it and the following containers will appear:

  • Revoked Certificates – Provides information about the certificates that have been revoked by the CA.
  • Issued Certificates – Provides information about the certificates that have been issued by the CA.
  • Pending Requests – Provides information about certificate requests for the CA that are still awaiting approval.
  • Failed Requests – Provides information about all failed certificate requests including why each request failed.
  • Certificate Templates – Lists the type of certificates that the CA can issue. This container is only available on Enterprise CAs.

You can begin configuring a CA from its properties window. Within the Certificate Authority console, right click the CA and select Properties.

By default, the General tab should already be the active tab in the window. This tab just provides some basic information about the CA, such as the common name and cryptographic settings. If you recall, these settings were configured during the installation of Certificate Services.

Policy Modules determine whether certificate requests are issued, denied, or marked as pending. The Policy Module tab can be used by an Administrator to specify what the CA should do when a certificate request is received.

Conversely, you can use the Exit Module tab to specify what the CA should do after a certificate has been issued. A CA can be configured to publish issued certificates to Active Directory and/or a file system.

The Extensions tab is used to configure CRL settings. By clicking the Add button, you can specify a CRL distribution point. The Storage tab displays information about where the Certificate database and the Request log are stored. Configuration data can be stored in Active Directory or in a shared folder. On an Enterprise CA, configuration data is automatically stored within Active Directory.
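The CRL distribution point and AIA settings on the Extensions tab, and the CRL publication interval listed earlier among the snap-in tasks, are stored in the CA's registry configuration and can be set with certutil. The script below is an added example rather than the article's own material; pki.contoso.com and the CertEnroll paths are placeholders for your own publishing location, and `\n` is the separator certutil expects between multiple URLs.

```powershell
# Added example. Run on the CA as a CA administrator; pki.contoso.com is a placeholder.

# CRL distribution points. Each entry is "<flags>:<URL>", joined with a literal \n.
# Flags certutil uses: 1 = publish CRLs here (file/LDAP only), 2 = put the URL in the CDP
# extension of issued certs, 4 = put the URL in the Freshest CRL extension, 64 = publish
# delta CRLs here. Variables: %3 = CA name, %8 = CRL suffix, %9 = delta CRL suffix.
$Cdp = @(
  '65:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl'   # where the CA writes base + delta CRLs
  '6:http://pki.contoso.com/CertEnroll/%3%8%9.crl'       # what clients are told to fetch
) -join '\n'
certutil -setreg CA\CRLPublicationURLs $Cdp

# Authority Information Access: where clients fetch this CA's certificate to build the chain
# (%1 = server DNS name, %4 = certificate index). 1 = publish here, 2 = put URL in AIA extension.
$Aia = @(
  '1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt'
  '2:http://pki.contoso.com/CertEnroll/%1_%3%4.crt'
) -join '\n'
certutil -setreg CA\CACertPublicationURLs $Aia

# Publication interval (the "Set the publication interval" task in the snap-in): base CRL
# weekly, delta CRL daily, 12-hour overlap so a single missed publish does not leave relying
# parties holding an expired CRL and failing revocation checks.
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod 'Weeks'
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod 'Days'
certutil -setreg CA\CRLOverlapUnits 12
certutil -setreg CA\CRLOverlapPeriod 'Hours'

# The CA reads these values at service start. Restart, publish a fresh CRL, then confirm the
# stored URLs; certificates issued from now on carry the new CDP/AIA extensions.
net stop certsvc; net start certsvc
certutil -crl
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
```

Certificates issued before the change keep their old extensions, so the previous CRL locations must remain reachable until those certificates expire or are reissued.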

The Security tab enables you to configure access privileges and implement role based administration. The roles include:

  • CA administrator – Assigned the Manage CA permission
  • Certificate Manager – Assigned the Issue and Manage Certificates permission
  • Backup Operator – Assigned the Back up files and directories and the Restore files and directories permissions
  • Auditor – Assigned the Manage auditing and security log permission
  • Enrollees – Assigned the Read and Enroll permissions

The options available on the Recovery Agents tab are used to configure whether private keys are archived. In Windows Server 2008, private keys for specific certificates can be archived so they can be recovered in the event that they are lost. The CA will store the private key within its database. The process of recovering a private key includes two different phases: key archival and key recovery. Once a key has been archived, it can be recovered by a key recovery agent.

Certificate Services can be configured to log events to the Security log. From the Auditing tab you can pick which types of events you want to audit. When an event occurs it will be written to the Windows Server Security log and you can use the Windows Event Viewer to examine the contents of the log file.
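The Auditing tab writes a bitmask to the CA's AuditFilter registry value, and the events only reach the Security log if the Certification Services audit subcategory is also enabled in the local audit policy. The script below is an added example (not from the article) that enables both, restarts the service, and pulls the CA-related events a defender would review; the event IDs are the ones Windows Server 2008 uses for Certification Services auditing.

```powershell
# Added example: turn on CA auditing end to end and read back the resulting events.

# 1. The CA-side filter. The Auditing tab sets bits in CA\AuditFilter; 127 enables all seven
#    categories: 1 start/stop, 2 backup/restore, 4 issue/manage requests, 8 revoke/publish CRLs,
#    16 change CA configuration, 32 change CA security settings, 64 archive/retrieve keys.
certutil -setreg CA\AuditFilter 127

# 2. The OS-side policy. Without this subcategory enabled nothing is written to the Security
#    log, whatever the Auditing tab shows.
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# Both settings are picked up at service start.
net stop certsvc; net start certsvc

# 3. Confirm the effective settings.
certutil -getreg CA\AuditFilter
auditpol /get /subcategory:"Certification Services"

# 4. Review. Certification Services event IDs (Windows Server 2008 and later):
#    4870 certificate revoked            4882 CA security permissions changed
#    4871/4872 CRL publish requested/published
#    4885 audit filter changed           4886 request received   4887 request issued
#    4888 request denied                 4889 request set to pending
#    4890 certificate manager settings changed   4891 CA configuration entry changed
#    4893 key archived                   4894 key imported and archived
# Pull the events that indicate a change to the CA's security posture from the last 24 hours.
$Ids   = 4870, 4882, 4885, 4890, 4891
$Query = "*[System[(EventID=" + ($Ids -join ' or EventID=') + ") and TimeCreated[timediff(@SystemTime) <= 86400000]]]"
wevtutil qe Security /q:$Query /f:text /c:50
```

Events 4882, 4885 and 4890 in particular correspond to edits on the Security, Auditing and Certificate Managers Restrictions tabs described here, so an unexpected one is worth following up.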

Finally, the Certificate Managers Restrictions tab can be used to apply further restrictions to certificate managers. A certificate manager is any user that has been assigned the Issue and Manage certificates permission (you can use the Security tab to assign this permission). You can use the Certificate Managers Restrictions tab to then define which users, groups, or computers a certificate manager is allowed to manage.

That’s all there is to it.

Installing and configuring a Certificate Authority is not a difficult task, as long as you have some basic understanding of CAs. Setting up a CA without doing some pre-planning will more than likely result in a few problems. Having an idea of the steps involved in the setup process and how to configure the CA afterwards can help to ensure that you only have to complete the procedure once. In other words, do it properly the first time.

  • Vincent

    This site is pretty difficult to follow. There are no links that take us back and forth in sequence through your articles. For example, there seems to be missing pages between “Installing And Configuring Certificate Services On Windows Server 2008 Part I” and “Installing And Configuring Certificate Services On Windows Server 2008 Part II”.

  • Greg

    more ads and less content please, lol

  • Mikey

    Totally agree with Greg, there are far far too few advertisements on this page. It would be such a shame if this site gave the impression that it was trying to share information rather than its real purpose, to get you to click on one of its gazillion ads.