Windows Server 2008 Multi-level Active Directory Certificate Services Step-By-Step Guide

Transcription

1 Windows Server 2008 Multi-level Active Directory Certificate Services Step-By-Step Guide Author: Bhanu Prakash Dixit 1

2 Contents Abstract... 3 Pre-requisites... 3 VM-1: Parent AD and Enterprise Root CA VM-2: Child AD-1 and Intermediate CA VM-3: Child AD-2 and Intermediate CA VM-4: Child AD-3 and Intermediate CA VM-5: Child AD-4 and Issuing CA Configuring IIS Manager for issuing certificates Export the Certificate in.pfx format Export the Certificate in.p7b (PKCS # 7 ) format Export the Certificate in.cer format

3 Abstract This step-by-step guide describes the steps needed to set up multi-level configuration of Active Directory Certificate Services (AD CS) in a lab environment. Pre-requisites Create five Virtual Machines. o Even Physical Servers can be used. Install Windows 2008 R2 on all the five Virtual Machines. o Note: Do not clone the VMs. Install Windows separately on all the five VMs. Disable Firewall and Disable IPv6 on all the VMs. 3

4 VM-1: Parent AD and Enterprise Root CA. This VM should be configured as the Parent AD and the Enterprise Root CA. 1.1 Log into the machine as local administrator. 1.2 Change the computer name to a suitable one. Ex. PARENTAD. 1.3 Assign a Static IP and Preferred DNS server. Let the Preferred DNS server be Run dcpromo command on windows command prompt 1.5 The Active Directory Domain Services Installation Wizard will start as shown in the figure below. 1.6 Enable Use advanced mode installation and click Next. 1.7 On the Operating system compatibility dialog box click Next. 4

5 1.8 Next screen will allow you to choose Deployment Configuration 1.9 Select Create a new domain in a new forest. Click Next to proceed Enter the FQDN of the forest root domain. Ex. mav.com 5

6 1.11 Domain NetBIOS Name screen will appear. Leave the NetBIOS name to default and click Next to proceed. Ex. mav 6

7 1.12 Next screen will allow you to select Forest functional level Select Windows Server 2003 as Domain functional level and click Next In the Additional Domain Controller Options screen, check DNS Server checkbox and clicked Next to proceed. 7

8 1.15 This error is due to DNS setup. A DNS forwarder must be configured in the DNS Server and the DNS entries should be made correspondingly in the entire child AD machines. This is a basic requirement for the chain, else this will break loose on AD communication at levels If the wizard cannot create a delegation for the DNS server, it displays a message to indicate that you can create the delegation manually. Click YES to proceed. Now you will have the location where the domain controller database, log files and SYSVOL are stored on the server Leave default values and click Next. 8

9 1.17 In the Directory Services Restore Mode Administrator Password (DSRM) screen, enter the Directory Services Restore Mode Administrator Password and click Next On the Summary Window click Next Setting up this server to host Domain Controller is completed. Click Finish Restart the server and this server will become a domain controller After the reboot, you can log into your server using the administrator account and password that was previously assigned as the local administrator account. i.e MAV\Administrator 1.22 Open Server Manager and select Add Roles. 9

10 1.23 Select Active Directory Certificate Services and click Next Select roles window opens up 1.25 Select Certification Authority and Certification Authority Web Enrollment and click Next to proceed. 10

11 1.26 Select Enterprise on the Setup type and click Next On the CA type windows Select Root CA and click Next. 11

12 1.28 On the Set up Private Key select Create a new private key and click Next In the Configure Cryptography for CA select defaults and click Next Now set up your common name for your CA, Click Next. Note this is the Certificate for the CA Select Validity as 5 years and click Next Leave the Certificate Database as default and then click Next Click Next on the webserver (IIS) window In the Role Services section click next Finally review the configuration changes and click Install 12

13 1.36 Once installation is complete click Close. VM-2: Child AD-1 and Intermediate CA-1 This VM should be configured as the Child AD and the Enterprise Subordinate CA. 2.1 Log into the machine as local administrator. 2.2 Change the computer name to a suitable one. Ex. CHILDAD Assign a Static IP, Preferred DNS server and Secondary DNS server. Note: The Preferred DNS server should be the IP address of its immediate one up parent domain i.e In this case it is the IP address of the computer named PARENTAD. Let the Secondary IP be Add this computer to its immediate one up parent domain controller and restart the machine. i.e Add this computer to the MAV domain. 2.5 Login as local administrator. i.e CHILDAD1\Administrator 2.6 Run dcpromo from the command prompt. 2.7 Enable advanced mode installation and click Next. 13

14 2.8 On the Operating system compatibility dialog box click Next. 2.9 On the Deployment Configuration, Select Existing Forest and then Create a new domain in an existing forest and click Next. Note: Do not check create a new domain tree root instead of a new child domain Enter the root parent domain name and credentials Ex mav.com and Alternate Credentials as MAV\Administrator 14

15 2.11 Name the new domain and click Next. Ex: vis1. The FQDN of the child domain will be vis1.mav.com 2.12 Let the default NetBIOS Name as it is and click Next Select the Default-first-Site-Name and click Next On the Domain Controller options windows leave Global Catalog unchecked and click Next. 15

16 2.15 On the Source Domain controller window select Let the wizard choose an appropriate domain controller. Click Next Use default values on the Location for Database, Log files and SYSVOL.Click Next Enter Password and Click Next 2.18 Click Next on Summary page Click Finish and restart the computer on request Login as root Domain Controller administrator i.e MAV\Administrator 2.21 Open Server Manager and select Add Roles. 16

17 2.22 Select Active Directory Certificate Services and click Next Select roles window opens up 2.24 Select Certification Authority and Certification Authority Web Enrollment and click Next to proceed. 17

18 2.25 Select Enterprise on the Setup type and click Next Select Subordinate CA. Click Next. 18

19 2.27 On the Set up Private Key Select Create a new private key and click Next Click Next on the Configure Cryptography for CA Click Next on the Configure CA Name On Request Certificate from Parent CA, select the option Send a certificate request to parent CA and click Browse 19

20 2.31 Select the Parent CA server from the list and click OK Click Next on the configure certificate database Select default values and follow onscreen instructions Click Install. VM-3: Child AD-2 and Intermediate CA-2 This VM should be configured as the Child AD and the Enterprise Subordinate CA. 3.1 Log into the machine as local administrator. 3.2 Change the computer name to a suitable one. Ex. CHILDAD Assign a Static IP, Preferred DNS server and Secondary DNS server. 20

21 Note: The Preferred DNS server should be the IP address of its immediate one up parent domain. i.e In this case it is the IP address of the computer named CHILDAD1. Let the Secondary IP be Add this computer to its immediate one up parent domain controller and restart the machine. i.e Add this computer to the vis1.mav.com. 3.5 Login as local administrator. i.e CHILDAD2\Administrator 3.6 Run dcpromo from the command prompt. 3.7 Enable advanced mode installation and click Next. 3.8 On the Operating system compatibility dialog box click Next. 3.9 On the Deployment Configuration, Select Existing Forest and then select Create a new domain in an existing forest and click Next. Note: Do not check create a new domain tree root instead of a new child domain. 21

22 3.10 Enter the root parent domain name and credentials Ex mav.com and Alternate Credentials as MAV\Administrator Do not enter immediate one up parent domain credentials Name the new domain and click Next Ex: vis2. The FQDN of the child domain will be vis2.vis1.mav.com 3.12 Let the default NetBIOS Name as it is and click Next Select the Default-first-Site-Name and click Next On the Domain Controller options windows leave Global Catalog unchecked and click Next. 22

23 3.15 On the Source Domain controller window select Let the wizard choose an appropriate domain controller. Click Next Use default values on the Location for Database, Log files and SYSVOL.Click Next Enter Password and Click Next 3.18 Click Next on Summary page Click Finish and restart the computer on request Login as root Domain Controller administrator 23

24 i.e MAV\Administrator 3.21 Open Server Manager and select Add Roles Select Active Directory Certificate Services and click Next Select roles window opens up 3.24 Select Certification Authority and Certification Authority Web Enrollment and click Next to proceed. 24

25 3.25 Select Enterprise on the Setup type and click Next Select Subordinate CA. Click Next. 25

26 3.27 On the Set up Private Key Select Create a new private key and click Next Click Next on the Configure Cryptography for CA Click Next on the Configure CA Name On Request Certificate from Parent CA, select the option Send a certificate request to parent CA and click Browse 26

27 3.31 Select the Immediate one up Parent CA server from the list and click OK. Ex: In this case it is one the with vis1 -CHILDAD1-CA 3.32 Click Next on the configure certificate database Select default values and follow onscreen instructions Click Install. 27

28 VM-4: Child AD-3 and Intermediate CA-3 Same as VM-3 VM-5: Child AD-4 and Issuing CA-4 Same as VM-3 Configuring IIS Manager for issuing certificates. Please do the following steps on the Issuing CA where certificates will be issued. 1. Login to the Issuing CA with the Parent AD domain credentials. i.e MAV\Administrator 2. Open IIS Manager from Program -> Administrative tools. 3. Select login credentials of Parent AD ( i.e Mav\Administrator) and then open Server Certificates listed under that 4. In the IIS Manager window expand Sites and select Default Web Site. 5. Click on Bindings. 6. On the pop-up window click on Add 28

29 7. Select type as https and select the certificate from the drop down list. i.e In this example : Select the SSL certificate named CHILDAD4.vis4.vis3.vis2.vis1.mav.com. 8. Expand Default Web Site and select SSL Settings 29

30 9. Check Require SSL and Select Ignore for Client Certificates. 10. Expand Default Web site and select CertSrv. 13) Click on Browse *:443(https) under CertSrv. 11. A webpage opens with URL as Open Certification Authority (Start -> Programs -> Administrative tools -> Certification Authority) 13. Expand the Issuing CA name listed ( i.e For ex : vis4-childad2-ca ) 14. Click on Certificate Templates 30

31 15. On the Right pane of the window, right click and select Manage. 16. Certificate Templates console window opens 31

32 17. Right click on Webserver and click Duplicate template. 18. Select Windows 2003 and click OK. 32

33 19. On the General tab, mention a Template display name and check the option Publish Certificate in Active Directory For Ex: Let the Template display name be WebServer_PFX. 33

34 20. On the Request handling tab, check the option Allow private key to be exported 34

35 21. On the Security tab, Select Domain Admins and check all permissions for Domain Admins. Note: You may repeat step 24 for Administrator and Enterprise Admins if required. 22. Make sure you are logged in as Parent AD domain Administrator i.e Mav\Administrator 23. Click on Certificate Templates from certification authority. 35

36 24. On the Right pane of the window, right click and select New -> Certificate Template to issue. 36

37 25. Select the newly created template and click OK. Ex : Select Web Server_PFX 37

38 26. The newly created template gets published. 27. Open a webpage with URL as Click on Request a certificate -> advanced certificate request -> Create and submit a request to this CA. 38

39 29. Select the newly created Certificate template and enter all the required information and click submit. 30. On the next page click install this certificate. 31. Open certmgr.msc 39

40 (Start -> run -> certmgr.msc) 32. Expand Certificates -> Personal -> Certificates. 33. You should find the certificate that you requested. For ex : Here it is the certificate named visservicemanager. Export the Certificate in.pfx format 1. Open certmgr.msc (Start -> run -> certmgr.msc) 2. Expand Certificates -> Personal -> Certificates 3. Right click on the certificate you just created and select Export from All tasks. 4. Click Next and Select the option Yes, Export the private key. 40

41 5. Select the option Personal Information Exchange PKCS # 12(.PFX) and check the option Include all certificates in the certification path if possible. 6. Provide a password and a filename for the certificate to be exported. 7. Copy the certificate to your server where you want it to be imported. 8. After the copying is complete, right click on the certificate and click Install PFX. 9. Open certmgr.msc and under Personal -> Certificate, verify that the certificate is installed. 41

42 10. The certification path is as shown above. Export the Certificate in.p7b (PKCS # 7 ) format 1. Open certmgr.msc (Start -> run -> certmgr.msc) 2. Expand Certificates -> Personal -> Certificates 3. Right click on the certificate you just created and select Export from All tasks. 4. Select the option No, do not export the private key. 42

43 5. Select the option Cryptographic Message Syntax Standard PKCS # 7 certificate (.P7B) format and check the option Include all certificates in the certification path if possible. 6. Provide a filename for the certificate to be exported. 7. Copy the certificate to your server where you want it to be imported. 8. After the copying is complete, right click on the certificate and click Install Certificate. Note: User need to provide the same password provided in Step 6 to install 9. Open certmgr.msc and under Personal -> Certificate, verify that the certificate is installed. 43

44 Export the Certificate in.cer format 1. Open certmgr.msc (Start -> run -> certmgr.msc) 2. Expand Certificates -> Personal -> Certificates 3. Right click on the certificate you just created and select Export from All tasks. 4. Select the option No, do not export the private key. 44

45 5. Select the option DER encoded binary X.509 (.CER) OR Select the option Base-64 encoded X.509 (.CER) 6. Provide a filename for the certificate to be exported. 7. Copy the certificate to your server where you want it to be imported. 8. After the copying is complete, right click on the certificate and click Install Certificate. 9. Open certmgr.msc and under Personal -> Certificate, verify that the certificate is installed. 45

46 46