Sunday, June 25 2017

Install and Configure Certificate Authority in Windows Server 2016

We will cover the following topics in this article:

  • Install Certificate Authority on Windows Server 2016
  • Configure Certificate Authority on Windows Server 2016
  • Assign the certificate on Exchange Server 2016
  • Install the certificate on a test machine to verify that the Certificate Authority is working for Outlook Web Access

Step 1:

You need to have the Active Directory Certificate Services role installed to have a Certificate Authority.

It is preferable to install it on a dedicated server or on a Domain Controller.

Open Server Manager – Manage – Add Roles and Features

Step 2:

Choose: Active Directory Certificate Services

Choose Next

Then choose: Certification Authority Web Enrollment

Choose:

  • Certification Authority
  • Certification Authority Web Enrollment

Choose Install and Close

Step 3:

To configure Active Directory Certificate Services, click the exclamation mark on the flag and choose:

Configure Active Directory Certificate Services on the destination server

Choose Next

Choose:

  • Certification Authority
  • Certification Authority Web Enrollment

Choose Enterprise CA

  • Enterprise CAs must be domain members and are typically online to issue certificates or certificate policies.

Step 4:

Choose Root CA

Root CAs are the first, and may be the only, CAs configured in a PKI hierarchy.

Step 5:

Create a new private key

Step 6:

  • Hash algorithm: SHA256
  • Cryptographic provider: RSA#Microsoft Software Key Storage Provider
  • Key length: 2048

Step 7:

Click Next

Step 8:

By default the CA certificate is valid for 5 years. Don't make any changes to it; click Next.

Step 9:

Keep the default Certificate Authority database locations.

Click Configure

Choose Configure

We have successfully installed and configured the Certificate Authority on Windows Server 2016.
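The same Enterprise Root CA build as Steps 1 to 9, done with the ADCSDeployment cmdlets instead of the wizard. This is an added example, not code from the original post; the CA common name and the temporary file path are assumed values.

```powershell
# Added example, not code from the original post: build the same Enterprise Root CA
# as Steps 1 to 9, but with the ADCSDeployment cmdlets instead of the wizard.
# Run in an elevated PowerShell session as an Enterprise Admin on the CA server.
$caName = 'CONTOSO-ROOT-CA'   # assumed CA common name; choose your own

# Steps 1-2: add the Certification Authority and Web Enrollment role services
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# Steps 3-9: Enterprise Root CA, new private key, SHA256, software KSP, 2048-bit RSA,
# CA certificate valid for 5 years, default database and log locations
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName $caName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 `
    -Force

# The /certsrv pages used from Step 10 onwards
Install-AdcsWebEnrollment -Force

# Checks: the CA service is running and the CA certificate carries the settings above
Get-Service -Name CertSvc
$caCer = Join-Path $env:TEMP "$caName.cer"   # assumed output path
certutil -ca.cert $caCer            # writes the CA's own (public) certificate to disk
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($caCer)
$ca.Subject                         # CN=CONTOSO-ROOT-CA, ...
$ca.SignatureAlgorithm.FriendlyName # sha256RSA
$ca.PublicKey.Key.KeySize           # 2048
$ca.NotAfter                        # about 5 years from now
```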

Let us see how to request a simple certificate from the internal Certificate Authority.

Step 10:

Browse to http://localhost/certsrv/

You will see a page like the one below. Choose “Request a certificate”.

Step 11:

Click on Advanced Certificate Request

Step 12:

Choose the second option (Submit a certificate request by using a base-64-encoded CMC)

Step 13:

Now copy the certificate request data from Notepad. You have to generate the certificate request from the application; for example, this is how we do it in Exchange Server:

http://www.careexchange.in/how-to-create-an-ssl-certificate-request-for-exchange-server-2013/

Or you can use https://www.digicert.com/util/

Example: the data should look like this:

-----BEGIN NEW CERTIFICATE REQUEST-----
(base-64 encoded request data)
-----END NEW CERTIFICATE REQUEST-----

Saved Request: paste the NEW CERTIFICATE REQUEST data shown above

Certificate Template: WebServer

Choose Submit

Step 14:

Choose “Base 64 encoded” and click “Download certificate”

Step 15:

Save the certificate; it should have a .cer extension.
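Steps 10 to 15 from the command line, as an added example that is not from the original post: certreq submits the base-64 request with the WebServer template and writes the issued .cer, and certutil checks whether the result chains to a trusted root. The file paths and the CA config string are assumed values.

```powershell
# Added example, not code from the original post: submit the base-64 CSR from Step 13
# to the internal CA with the WebServer template and retrieve the issued certificate,
# which is what the /certsrv "Advanced Certificate Request" page does for you.
# File paths and the CA config string are assumed values.
$csrFile  = 'C:\certs\exchange.req'   # assumed: the BEGIN NEW CERTIFICATE REQUEST text
$certFile = 'C:\certs\exchange.cer'   # assumed: where the issued certificate is written
$caConfig = 'ca01.contoso.local\CONTOSO-ROOT-CA'   # assumed: "<CA host>\<CA name>"

# Submit the request. The -attrib value is the "Certificate Template: WebServer" choice
# from Step 13; an Enterprise CA issues immediately when the template allows it.
certreq -submit -config $caConfig -attrib 'CertificateTemplate:WebServer' $csrFile $certFile

# If the template needs CA manager approval, the request stays pending and certreq prints
# a RequestId; approve it in the CA console and fetch it with:
#   certreq -retrieve -config $caConfig <RequestId> $certFile

# Check before installing it anywhere: does the certificate chain to a trusted root
# on this machine? The "Certificate Invalid" state seen later in the post is this
# check failing on an Exchange server that does not yet trust the new root CA.
certutil -verify $certFile

# What was issued: subject, issuer and expiry of the new certificate
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certFile)
$cert | Format-List Subject, Issuer, NotAfter, Thumbprint
```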

Let's see how we apply it on Exchange 2016, for example.

Copied my request .cer file generated from the CA to the Exchange server and used it.

It shows “Certificate Invalid”.

Let's see why.

1. Start – MMC – File – Add/Remove Snap-in

2. Choose Certificates – Add

3. Computer account

4. Local computer

5. Expand Personal – Certificates, and expand Trusted Root Certification Authorities – Certificates

Now log in to the Root CA server and export the Root CA certificate.

Now log in to the Exchange server and import the exported certificate.

Now the certificates look OK.

Make sure you assign the certificate to IIS in the Exchange Control Panel.

Now you can see things are fine locally on the Exchange 2016 server.

Let's see how we can use it on a desktop.

First, log in to the Exchange server, open the Certificates MMC, and export the certificate with the whole certificate path into a PFX file.

Note : The desktop doesn’t need the private keys from any certificate in the chain.

Having the private key gives the ability to decrypt all the traffic between the client and the server even if that traffic is coming from someone else. It also makes a man in the middle attack on this SSL connection possible.

In the second screenshot, for end-user desktops, choose “No, do not export the private key” and use that certificate for the import.

Now we have the PFX file exported.

Open MMC on the desktop and import (install) the PFX file.

Now browse the URL from the desktop to confirm that the certificate is trusted.
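The Exchange trust fix and the desktop import above, as an added example that is not from the original post: the root CA certificate and the Exchange certificate are distributed as public .cer files only, and the PFX, which contains the private key, stays on the server as a password-protected backup. Hostnames, the CA name, the subject filter and paths are assumed values.

```powershell
# Added example, not code from the original post: get the certificates onto the Exchange
# server and the desktops without moving any private key. Only the server that owns a
# certificate needs its private key; clients only need the CA's public certificate.
# Hostnames, CA name, subject filter and paths are assumed values.
$rootCer   = 'C:\certs\CONTOSO-ROOT-CA.cer'     # assumed: root CA public certificate
$serverCer = 'C:\certs\exchange-public.cer'     # assumed: Exchange certificate, public part
$backupPfx = 'C:\certs\exchange-backup.pfx'     # assumed: server-side backup only

# --- On the CA server: export the root CA's own certificate (public key only) ---
certutil -ca.cert $rootCer

# --- On the Exchange server: trust the root CA (this clears "Certificate Invalid") ---
Import-Certificate -FilePath $rootCer -CertStoreLocation Cert:\LocalMachine\Root

# Export the Exchange certificate WITHOUT its private key; this .cer is safe to hand out.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like '*mail.contoso.local*' }   # assumed subject name
Export-Certificate -Cert $cert -FilePath $serverCer

# A PFX carries the private key. Keep one only as a server backup, password-protected,
# and never copy it to end-user machines: anyone holding it can decrypt or impersonate.
$pw = Read-Host -AsSecureString -Prompt 'PFX backup password'
Export-PfxCertificate -Cert $cert -FilePath $backupPfx -Password $pw -ChainOption BuildChain

# --- On each desktop: import the root CA certificate into Trusted Root ---
# (Domain-joined machines normally receive an Enterprise CA's root through Active
# Directory and Group Policy; the manual import is for non-domain machines or before
# that has applied.)
Import-Certificate -FilePath $rootCer -CertStoreLocation Cert:\LocalMachine\Root

# Check on the desktop: the trusted root must not carry a private key
$root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like '*CONTOSO-ROOT-CA*' }
if ($root.HasPrivateKey) { Write-Warning 'A private key is present on this client; remove it.' }
else { Write-Output 'Root CA trusted, no private key on this machine.' }
```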

About Satheshwaran Manoharan

Satheshwaran Manoharan is a Microsoft Exchange Server MVP and the publisher of CareExchange.in. He has been supporting, deploying and designing Microsoft Exchange for some years and has extensive experience with Microsoft technologies.

3 comments

  1. You make one big mistake in this tutorial: you're exporting the private key to the desktop. As the name “private” key says, you should never export this one outside of the server that uses the certificate, and keep it private. Only export the public keys to deploy them on the desktops. The desktop doesn't need the private keys from any certificate in the chain.

    Having the private key gives the ability to decrypt all the traffic between the client and the server even if that traffic is coming from someone else. It also makes a man in the middle attack on this SSL connection possible.

  2. Updated the text of the post, but your example screenshots are still wrong in that area. Just for clarification.
