Welcome to my Microsoft Tips & Tricks section. In this session I will describe how I setup MS CA in my domain.
As more and more of my LAB servers require certificate’s, I see the need for a CA. This CA will provide certificate’s for my Horizon-servers, among other. In preparation for this setup, I have deployed a virtual MS Windows 2016 server, given it an appropriate IP-address and joined it to my domain.
I log in to my server and add the Certificate Authority Role to the server. In the Server Manager I select Add Roles and Features.
I click Next on the information page.
I keep role-based or feature-based installation selected, Next.
I choose my CA-server, Next.
In the Server Roles selection, I tick the Active Directory Certificate Services and wait for the pop-up for the additional features that are required for ADCS.
I click “Add Features”
I verify that “Active Directory Certificate Services” is selected, Next.
I won’t add any feature, Next
On the ADCS information page, I click Next.
I select Certification Authority in the Role Services, Next.
I select “Restart the destination server automatically if required” and click Yes in the pop-up. Install.
Once installation is done, I click on «Configure Active Directory Certificate Services on the destination server”
I use my default credentials, Next.
Check “Certification Authority” and click Next.
I Select Enterprise CA, Next
I want to deploy a Root CA, Next.
I leave “Create new private key” selected, Next.
The default Key Length and algorithm is sufficient for my lab, Next
I give the CA a descriptive name, Next.
I change the validity period to 10 years, Next
I leave the default database locations as is, Next
I click Configure on the summary page.
After successful configuration, Close
Back in Server Manager Dashboard, from the Tools Menu, I open Certification Authority.
My newly created CA opens in MMC
I right-click my FreLab-CA, Properties. Certificate #0 is the public certificate for the CA itself
I click “View Certificate”.
On the summary page for the certificate, I verify the Validity period. (10 years in this case)
This certificate must be trusted by my domain servers/clients. Therefore, I need to publish this certificate to the servers/clients “Trusted CAs store”. I click the Details tab and click “Copy to File”.
In the «Certificate Export Wizard”, I click Next.
I export the certificate in Base-64 Encoded format, as I will use the contents for various VMware solutions. Next.
I choose a location and name for the file and click Next.
On the summary page, I click Finish.
When I now open the file with Notepad, it looks like this.
Next, I create a GPO that will deploy the certificate to all servers/clients in my domain. This will deploy the certificate to Trusted Root Certification store on the servers and clients
I choose Import on the “Trusted Root Certification Authorities”-store
In the «Certificate Import Wizard”, Next.
I click “Browse” to choose my certificate-file
I select my certificate and click Open
Back in the «Certificate Import Wizard”, Next.
I verify my selected Certificate Store, “Trusted Root Certification Authorities”, Next.
I complete the «Certificate Import Wizard”, Finish.
My Root Certificate will now be deployed to servers and client with my new GPO
Disclaimer: Every tips/tricks/posting I have published here, is tried and tested in different it-solutions. It is not guaranteed to work everywhere, but is meant as a tip for other users out there. Remember, Google is your friend and don’t be afraid to steal with pride! Feel free to comment below as needed.