Microsoft Windows Server 2016 CA – Setup

Welcome to my Microsoft Tips & Tricks section. In this session I will describe how I set up a Microsoft CA in my domain.

As more and more of my LAB servers require certificates, I see the need for a CA. This CA will provide certificates for my Horizon servers, among others. In preparation for this setup, I have deployed a virtual MS Windows 2016 server, given it an appropriate IP address and joined it to my domain.

I log in to my server and add the Certificate Authority Role to the server. In the Server Manager I select Add Roles and Features.

SetupCaSrv-01

I click Next on the information page.

SetupCaSrv-02

I keep role-based or feature-based installation selected, Next.

SetupCaSrv-03

I choose my CA-server, Next.

SetupCaSrv-04

In the Server Roles selection, I tick Active Directory Certificate Services and wait for the pop-up listing the additional features that ADCS requires.

SetupCaSrv-05

I click “Add Features”.

SetupCaSrv-06

I verify that “Active Directory Certificate Services” is selected, Next.

SetupCaSrv-07

I won’t add any features, Next.

SetupCaSrv-08

On the ADCS information page, I click Next.

SetupCaSrv-09

I select Certification Authority in the Role Services, Next.

SetupCaSrv-10

I select “Restart the destination server automatically if required” and click Yes in the pop-up. Install.

SetupCaSrv-11

Once installation is done, I click on “Configure Active Directory Certificate Services on the destination server”.

SetupCaSrv-12

I use my default credentials, Next.

SetupCaSrv-13

Check “Certification Authority” and click Next.

SetupCaSrv-14

I select Enterprise CA, Next.

SetupCaSrv-15

I want to deploy a Root CA, Next.

SetupCaSrv-16

I leave “Create new private key” selected, Next.

SetupCaSrv-17

The default key length and algorithm are sufficient for my lab, Next.

SetupCaSrv-18

I give the CA a descriptive name, Next.

SetupCaSrv-19

I change the validity period to 10 years, Next.

SetupCaSrv-20

I leave the default database locations as they are, Next.

SetupCaSrv-21

I click Configure on the summary page.

SetupCaSrv-22

After successful configuration, Close.

SetupCaSrv-23

Back in Server Manager Dashboard, from the Tools Menu, I open Certification Authority.

SetupCaSrv-24

My newly created CA opens in the MMC.

SetupCaSrv-25

I right-click my FreLab-CA, Properties. Certificate #0 is the public certificate of the CA itself.

SetupCaSrv-26

I click “View Certificate”.

SetupCaSrv-27

On the summary page for the certificate, I verify the validity period (10 years in this case).

SetupCaSrv-28

This certificate must be trusted by my domain servers and clients. Therefore, I need to publish it to the Trusted Root Certification Authorities store on those servers and clients. I click the Details tab and click “Copy to File”.

SetupCaSrv-29

In the “Certificate Export Wizard”, I click Next.

SetupCaSrv-30

I export the certificate in Base-64 Encoded format, as I will use the contents for various VMware solutions. Next.

SetupCaSrv-31

I choose a location and name for the file and click Next.

SetupCaSrv-32

On the summary page, I click Finish.

SetupCaSrv-33

When I now open the file with Notepad, it looks like this.

SetupCaSrv-34

Next, I create a GPO that will deploy the certificate to all servers and clients in my domain. This places the certificate in the Trusted Root Certification Authorities store on the servers and clients.

SetupCaSrv-35

I choose Import on the “Trusted Root Certification Authorities” store.

SetupCaSrv-36

In the “Certificate Import Wizard”, Next.

SetupCaSrv-37

I click “Browse” to choose my certificate file.

SetupCaSrv-38

I select my certificate and click Open.

SetupCaSrv-39

Back in the “Certificate Import Wizard”, Next.

SetupCaSrv-40

I verify my selected Certificate Store, “Trusted Root Certification Authorities”, Next.

SetupCaSrv-41

I complete the “Certificate Import Wizard”, Finish.

SetupCaSrv-42

SetupCaSrv-43

My root certificate will now be deployed to servers and clients by my new GPO.

SetupCaSrv-44
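
The same build, export and check as a script, added here as an example and not part of the original post: it installs and configures the Enterprise Root CA, writes the CA certificate as Base-64 (the format chosen above for the VMware solutions) and, on a domain member after the GPO has applied, verifies that the certificate sits in the Trusted Root store with the expected validity. The CA name FreLab-CA comes from the post; 2048-bit RSA with SHA256 is assumed to be the wizard default, and the file path is a placeholder.

```powershell
# --- On the CA server (elevated, as an enterprise admin) ---
# Add the role together with the management tools (certsrv.msc and the ADCSDeployment cmdlets).
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# Enterprise Root CA with a new private key; key size/hash are assumed wizard defaults,
# the 10-year validity is the value chosen in the post.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'FreLab-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -Force

# Certificate #0 of the CA is the self-signed root in the machine Personal store.
# An Enterprise CA gets a DC=... suffix appended to the CN, hence the wildcard match.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=FreLab-CA*' -and $_.Issuer -eq $_.Subject } |
    Sort-Object NotBefore -Descending | Select-Object -First 1

# Base-64 (PEM) export, the same output the Certificate Export Wizard produces.
$pem = "-----BEGIN CERTIFICATE-----`n" +
       [Convert]::ToBase64String($caCert.RawData, 'InsertLineBreaks') +
       "`n-----END CERTIFICATE-----"
Set-Content -Path 'C:\Temp\FreLab-CA.cer' -Value $pem -Encoding ascii   # placeholder path

# --- On a domain member, after the GPO has applied (gpupdate /force) ---
# The root must be present in LocalMachine\Root; anything else means the GPO did not land.
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like 'CN=FreLab-CA*' }
if (-not $root) { throw 'FreLab-CA is not in Trusted Root Certification Authorities' }

# Compare the deployed copy with the exported file so the trusted root is the one we published.
$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\Temp\FreLab-CA.cer'
if ($root.Thumbprint -ne $expected.Thumbprint) { throw 'Deployed root does not match the exported certificate' }

# Validity should be the 10 years set in the wizard.
$years = ($root.NotAfter - $root.NotBefore).TotalDays / 365.25
"{0}: thumbprint {1}, valid {2:0.0} years" -f $root.Subject, $root.Thumbprint, $years
```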

Recommended reading:

Microsoft Tips & Tricks section

Disclaimer: Every tip, trick or posting I have published here is tried and tested in different IT solutions. It is not guaranteed to work everywhere, but is meant as a tip for other users out there. Remember, Google is your friend and don’t be afraid to steal with pride! Feel free to comment below as needed.