Microsoft Windows Server 2016 CA – Setup

Release date: April 14th 2019

Welcome to my Microsoft Tips & Tricks section. In this session I will describe how I set up MS CA in my domain.

As more and more of my LAB servers require certificates, I see the need for a CA. This CA will provide certificates for my Horizon-servers, among others. In preparation for this setup, I have deployed a virtual MS Windows 2016 server, given it an appropriate IP-address and joined it to my domain.

I log in to my server and add the Certificate Authority Role to the server. In the Server Manager I select Add Roles and Features.

SetupCaSrv-01

I click Next on the information page.

SetupCaSrv-02

I keep role-based or feature-based installation selected, Next.

SetupCaSrv-03

I choose my CA-server, Next.

SetupCaSrv-04

In the Server Roles selection, I tick the Active Directory Certificate Services and wait for the pop-up for the additional features that are required for ADCS.

SetupCaSrv-05

I click “Add Features”

SetupCaSrv-06

I verify that “Active Directory Certificate Services” is selected, Next.

SetupCaSrv-07

I won’t add any features, Next.

SetupCaSrv-08

On the ADCS information page, I click Next.

SetupCaSrv-09

I select Certification Authority in the Role Services, Next.

SetupCaSrv-10

I select “Restart the destination server automatically if required” and click Yes in the pop-up. Install.

SetupCaSrv-11

Once installation is done, I click on “Configure Active Directory Certificate Services on the destination server”.

SetupCaSrv-12

I use my default credentials, Next.

SetupCaSrv-13

Check “Certification Authority” and click Next.

SetupCaSrv-14

I select Enterprise CA, Next.

SetupCaSrv-15

I want to deploy a Root CA, Next.

SetupCaSrv-16

I leave “Create new private key” selected, Next.

SetupCaSrv-17

The default key length and algorithm are sufficient for my lab, Next.

SetupCaSrv-18

I give the CA a descriptive name, Next.

SetupCaSrv-19

I change the validity period to 10 years, Next

SetupCaSrv-20

I leave the default database locations as is, Next

SetupCaSrv-21

I click Configure on the summary page.

SetupCaSrv-22

After successful configuration, Close

SetupCaSrv-23

Back in Server Manager Dashboard, from the Tools Menu, I open Certification Authority.

SetupCaSrv-24

My newly created CA opens in MMC

SetupCaSrv-25

I right-click my FreLab-CA, Properties. Certificate #0 is the public certificate for the CA itself.

SetupCaSrv-26

I click “View Certificate”.

SetupCaSrv-27

On the summary page for the certificate, I verify the Validity period. (10 years in this case)

SetupCaSrv-28

This certificate must be trusted by my domain servers/clients. Therefore, I need to publish this certificate to the servers/clients “Trusted CAs store”. I click the Details tab and click “Copy to File”.

SetupCaSrv-29

In the “Certificate Export Wizard”, I click Next.

SetupCaSrv-30

I export the certificate in Base-64 Encoded format, as I will use the contents for various VMware solutions. Next.

SetupCaSrv-31

I choose a location and name for the file and click Next.

SetupCaSrv-32

On the summary page, I click Finish.

SetupCaSrv-33

When I now open the file with Notepad, it looks like this.

SetupCaSrv-34

Next, I create a GPO that will deploy the certificate to all servers/clients in my domain. This will deploy the certificate to the Trusted Root Certification Authorities store on the servers and clients.

SetupCaSrv-35

I choose Import on the “Trusted Root Certification Authorities”-store

SetupCaSrv-36

In the “Certificate Import Wizard”, Next.

SetupCaSrv-37

I click “Browse” to choose my certificate-file

SetupCaSrv-38

I select my certificate and click Open

SetupCaSrv-39

Back in the “Certificate Import Wizard”, Next.

SetupCaSrv-40

I verify my selected Certificate Store, “Trusted Root Certification Authorities”, Next.

SetupCaSrv-41

I complete the “Certificate Import Wizard”, Finish.

SetupCaSrv-42
SetupCaSrv-43

My Root Certificate will now be deployed to servers and clients by my new GPO.

SetupCaSrv-44
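
A scripted equivalent of the wizard steps above, with a thumbprint check on the exported file before it is imported into the GPO. This is an added example, not part of the original walkthrough; the CA name FreLab-CA comes from the post, while the `C:\Temp` paths (the folder must exist) and the function name `Test-RootDeployed` are assumptions.

```powershell
# Added example, not from the original post. Run elevated on the CA server
# with an account allowed to install an Enterprise CA.
# From the post: CA name FreLab-CA, Enterprise root CA, 10-year validity.
# Assumptions: the C:\Temp paths and the function name Test-RootDeployed.
$caName  = 'FreLab-CA'
$derPath = 'C:\Temp\FreLab-CA.der'
$pemPath = 'C:\Temp\FreLab-CA.cer'

# Add the role with its management tools (Certification Authority MMC).
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# Enterprise root CA with a new private key; key length and hash algorithm
# are left at their defaults, as in the wizard walkthrough.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCa `
    -CACommonName $caName -ValidityPeriod Years -ValidityPeriodUnits 10 -Force

# Locate the CA certificate (the newest one, in case of later renewals).
$pattern = '^CN=' + [regex]::Escape($caName) + '(,|$)'
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match $pattern -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $caCert) { throw "No CA certificate found for $caName" }

# Export the public certificate only (DER), then Base-64 encode it.
Export-Certificate -Cert $caCert -FilePath $derPath -Type CERT | Out-Null
certutil -f -encode $derPath $pemPath | Out-Null

# Re-read the file that will go into the GPO and check it before trusting it.
$exported = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pemPath)
if ($exported.Thumbprint -ne $caCert.Thumbprint) { throw 'Exported file is not the CA certificate' }
if ($exported.Subject -ne $exported.Issuer)      { throw 'Certificate is not a self-signed root' }
if ($exported.HasPrivateKey)                     { throw 'Export must not contain a private key' }
"{0}  valid until {1:yyyy-MM-dd}" -f $exported.Thumbprint, $exported.NotAfter

# On a domain member, after 'gpupdate /force': confirm the GPO delivered this
# exact root by comparing thumbprints.
function Test-RootDeployed {
    param([Parameter(Mandatory)][string]$Thumbprint)
    [bool](Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $Thumbprint })
}
```

Record the printed thumbprint and pass it to `Test-RootDeployed` on a client; a `False` result means the GPO has not applied or a different certificate was imported.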

Recommended reading:

Microsoft Tips & Tricks section

Disclaimer: Every tip, trick and posting I have published here is tried and tested in different IT solutions. It is not guaranteed to work everywhere, but is meant as a tip for other users out there. Remember, Google is your friend and don’t be afraid to steal with pride! Feel free to comment below as needed.