This document provides step-by-step instructions for installing an Enterprise Root Certificate Authority (CA) in an Active Directory domain on a Windows Server 2008 machine. It outlines selecting the Active Directory Certificate Services role, choosing a root CA type with a 2048-bit key, configuring the CA name and validity period, and confirming the installation. Once complete, the new CA is visible in the Certification Authority snap-in with default certificate templates ready for use. The next steps would be to request and configure certificates to secure communication in the domain.
I gave a good overview of what Active Directory Certificate Services (AD CS) are and what they do in
my last article: Server 2008: Active Directory Certificate Services.
For a short recap, AD CS is the backbone of Microsoft's Public Key Infrastructure (PKI) implementation. It will allow you to issue certificates for SSL/TLS use on websites or digitally sign your email.

Now let's take a look at installing Active Directory Certificate Services. Certain versions of Server 2008 only allow certain AD CS components to be installed. Please take a look at this table for reference:

CA - issues certificates to users, computers and services while also managing their validity. Comes in root and subordinate.
Network Device Enrollment Service - allows network devices (i.e. routers) to request and receive certificates based on Simple Certificate Enrollment Protocol (SCEP).
Online Responder Service - implements Online Certificate Status Protocol (OCSP) by evaluating certificate status, decoding revocation status requests, and sending back signed responses containing certificate status information.

Install Enterprise Certificate Authority on a Windows 2008 Server

As I outlined in my earlier article, there are two varieties of root CAs: the Enterprise and Stand-Alone. Each has its advantages and configuration, but in this case we are going to install an Enterprise CA. I am going to be installing this root CA server in my test Active Directory domain named ADExample.com on a Windows Server 2008 Enterprise version. The server is a member of the domain, and is a domain controller. Let's get started.

1. Open Server Manager.

2. Select Roles, then click Add Roles in the center pane.

3. The Before You Begin page may show up if you haven't turned it off already. If you see it just click Next.

4. In the Select Server Roles window go ahead and select Active Directory Certificate Services by placing a checkmark next to it, then go ahead and click Next.

5. Now you will see an Introduction to Active Directory Certificate Services, where you can read about the good things you can do with AD CS. The biggest thing to note here is the following: Name & Domain settings of this computer cannot be changed after a CA has been installed. If you want to change the computer name, join a domain, or promote this server to a domain controller do so BEFORE installing the CA. Now with that warning out of the way, go ahead and click on Next.

6. Next you get to Select Role Services, which can include any of the following depending on what version of Windows Server 2008 you are installing this on - refer to the table above for specifics. For this install I am going to choose the Certification Authority only.

7. Now comes the Specify Setup Type, and for this I am going to select the Enterprise radio button.

8. For the Specify CA Type, I am going to choose the Root CA radio button and then click Next.

9. In Set Up Private Key, I am going to choose the Create a new private key radio button and then select Next.

10. Now you have to Configure Cryptography for CA in this window and there are quite a few to choose from. Now I am no expert on cryptography, but some basic rules do apply - the longer the key the harder it is to crack. For our purposes I am going to use the following settings:

    RSA#Microsoft Software Key Storage Provider
    4096 Key Character length
    md5 Hash algorithm

    Now I am going to click Next.

11. In Configure CA Name you can choose to overwrite the default common name for this CA and also the Distinguished name suffix if you so choose. I am going to overwrite the default common name with Test_Enterprise_CA, but I will leave the rest alone.

12. Next we will Set Validity Period for this CA's certificate. Remember a root CA issues itself a certificate. The default is 5 Years so I will just leave it at that. You can change this based on any need you might have in your environment. Click Next.

13. Configure Certificate Database will let you specify where you want to put the database and log files for the CA. I am going to leave the default in place. Click Next.

14. On the Confirm Installation Selections you can see the answers you have chosen and you will again see a warning that you cannot change the computer name or domain settings for this server after installing the CA. Go ahead and click Install, you know you want to!

15. After a few minutes you will see the Installation Results, and with any luck you will have the message: Installation succeeded. After your glow of certificate happiness fades go ahead and click Close.

16. Now let's go in and take a look by clicking on Certification Authority in Administrative Tools (if you get a UAC pop up just click Ok).

17. Now you can see the snap-in is showing the CA named Test_Enterprise_CA in the left pane with a bunch of folders for certificates.

18. You can also see that if you click the Certificate Templates folder, there are quite a few default templates that are already set up and ready to go.

Summary

Now that we have installed the Active Directory Certificate Services the next step would be to request some certificates and configure them. The installation for a stand-alone CA is very similar to this. In fact if you are not in a domain and if you are not installing as a domain admin you will not even get the option for an Enterprise CA setup, so if you see that grayed out you now know why. In my next article we will take a look at some of the uses for certificates and how to request and install them on servers and clients.
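A check that can be run on the CA server once the installation has finished, to confirm what the choices in steps 10 to 12 actually produced (an added example, not part of the original article). The hash algorithm picked in step 10 is also the one the CA uses to sign the certificates it issues, and MD5 signatures are open to collision attacks, so the function flags MD5 and SHA-1 alongside short keys; the function name Test-CaCertificate, the 2048-bit floor and the weak-hash list are assumptions of this example, and an RSA key is assumed as in step 10.

```powershell
# Added example: audit a CA certificate against the wizard choices in steps 10-12.
# The thresholds below are assumptions of this example, not values from the article.

function Test-CaCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [int]$MinimumKeyBits = 2048
    )

    $findings = @()
    $sigAlg   = $Certificate.SignatureAlgorithm.FriendlyName   # e.g. md5RSA, sha1RSA, sha256RSA
    $keyBits  = $Certificate.PublicKey.Key.KeySize             # RSA key assumed (step 10)

    # Step 10: hash algorithm used to sign the CA certificate.
    if ($sigAlg -match '^(md2|md4|md5|sha1)') {
        $findings += "Weak signature hash: $sigAlg"
    }
    # Step 10: key character length.
    if ($keyBits -lt $MinimumKeyBits) {
        $findings += "Key too short: $keyBits bits"
    }
    # Step 12: a root CA issues itself a certificate, so subject and issuer must match.
    if ($Certificate.Subject -ne $Certificate.Issuer) {
        $findings += "Not self-issued: issuer is $($Certificate.Issuer)"
    }
    # Step 12: validity period.
    if ($Certificate.NotAfter -lt (Get-Date)) {
        $findings += "Expired on $($Certificate.NotAfter)"
    }

    New-Object PSObject -Property @{
        Subject   = $Certificate.Subject
        Signature = $sigAlg
        KeyBits   = $keyBits
        NotAfter  = $Certificate.NotAfter
        Findings  = $findings
    }
}

# On the CA server the CA's own certificate sits in the machine's Personal store.
$CommonName = 'Test_Enterprise_CA'   # common name entered in step 11
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CommonName*" } |
    ForEach-Object { Test-CaCertificate -Certificate $_ } |
    Format-List Subject, Signature, KeyBits, NotAfter, Findings
```

With the settings chosen in this walkthrough, the Findings list would contain the weak signature hash entry and nothing else until the certificate expires.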