22019 Deploy a Windows Server 2012 R2 Certfiate Authority The Ultimate Guide To Records Management in the Cloud DOWNLOAD E-BOOK Ree About Advertise Forums Login Peiri IT Knowledgebase Deploying a Windows Server 2012 R2 Certificate Authority Posted on March 25, 2014 by Peter De Tender in Windows Server 2012 with 4 Comments share Tweet Share ‘As more services and device connections inside and outside of your network rely on certificate services, | thought it was a good idea to write an article about how to deploy such a Windows 2012 R2 Certificate Authority (CA). Popular features that require a certificate include secure HTTPS connections to your web applications, device authentication for both domain and non-domain joined clients, Server 2012 R2 Work Folders, DirectAccess, and more. Before | dive into the technical aspects of certificates, CA, and the various types of certificates, let me give you a high-level comparison between using an internal vs. public Certificate Authority. Internal CA\ External CA Easy to manage No control of Certificate Authority itself, you can only “buy” SSL certificates htps:wwn pot comideploy-windows-server-2012.2-certiicate-authorty ano22019 hitps:iwwn-petr comideploy-windows-ser Deploy a Windows Servar 2012 R2 Certificate Authority Can be configured as Active Directory No administration overhead integrated No cost per certificate SSL certificates can become expensive, depending on types and functionalities Auto-enrollment feature makes Not advised for configuring internal configuration of clients/devices easier devices authentication Not really useful for internet-facing Trusted by most browsers applications, as not trusted by external parties Often more complex to install/configure _Less flexible on SSL certificate properties than just buying a public SSL certificate Install Active Directory Certificate Authority ‘+ From the Windows Server 2012 R2 Server Manager, click Add Roles and Features. + Select Active Directory Certificate Services. z Install Active Directory Certificate Authority ‘+ Click the Add Features in the popup window to allow installation of the Certification ‘Authority Management Tools ‘Ad features that are required for Active Directory CCertifiate Services? 4. Acve Directory Cerca Services Toot 1) ince management ol (ppb) (raromes| [oe ‘Select the options you want to install, | recommend the following services - Certification Authority (this is your main CA) ~ Certification Enrollment Policy Web Service - Certificate Enrollment Web Service (web portal to request certificates) - Certification Web Enrollment ano22019 Deploy a Windows Servar 2012 R2 Certificate Authority ‘Once installed, Select AD CS in your Server Manager. Notice the button warning that no configuration is done yet. Click on More. S me = = A roar] fa 2 @®@ * — F os : as ETE Receipt» * ‘This will bring you to the All Servers Task Details and Notifications. Click on Configure Active Directory Certificates Se the AD CS configuration wizard. es in the Action column, This will launch Use the following parameters when going through the different steps in the wizard: PowerShet T Role Services to configure Certificate Authority + Certificate Authority Web Enro 2 5 type of ca Enterprise CA Cif Active Directory integrated; otherw 4 5 Type of cA Root CA Cif 1^st one) or Subordinate CA Cada 6 7 Type of Private Key in most cases, will be 5 3. Cryptographic options RSAIMi.crosort Software Key Storage Provider 2 31 2048 as Key Length 2 13 SHAL as hash algorithm 4 35 (or any other corbination for your situation: + Enter a descriptive name for your Certificate CA in the Common Name field. In my ‘example, | named it 2012R2 domain CA. Click Next. ‘© Update the validity period to S years (or whatever fits your need). ‘© Accept the default database locations or modify according your own requirements. ‘© This completes the configuration of the first two CA components. Let's continue with the other two. In the Select Role Services to configure, choose Certificate Enrollment Web Service and Certificate Enrollment Web Policy Service. hitps:iwwn-petr comideploy-windows-ser ana