Saturday, November 13, 2021

Windows Server 2019 - LAB06 Deploy & using certificate services (AD CS)

Your org has decided to implement a public key infrastructure (PKI) by using the AD CS (Active Directory Certificate Services) role in Windows Server 2019. As a system administrator, you are responsible for implementing certificate enrollment. You also will be developing the procedures and process for managing certificate templates.


The main tasks for this exercise are as follows:

  • Create a new template based on the web server template.
  • Enroll the Web server certificate on DHVHCMWEB001
What is ADCS ?

Active Directory Certificate Services is use to create certification authorities & relate role services that allow you issue and manage certificates used in a variety of applications.
You can implement a PKI (Public Key Infrastructure) solution by using the AD CS Windows Server role. AD CS provides all PKI-related components as role services. Each role service is responsible for a specific portion of the certificate infrastructure while working together to form a complete solution.

The AD CS role includes the following role services:
  • Certification Authority.
  • Certification Authority Web Enrollment.
  • Online Responder.
  • Network Device Enrollment Service (NDES).
  • Certificate Enrollment Web Service (CES).
  • Certificate Enrollment Policy Web Service.
Lets start 

Step 1: Install AD CS on our server
  • At Server Manager, select Manage, select Add Roles & Features.
  • In the Before you begin page click next.
  • In the install type page click next.
  • In Select destination server select your server then click next .
  • In the Select server roles select checkbox Active Directory Certificate Services > Click Add Features then click Next.
  • In the Select features page, keep default then click Next.
  • In the Active Directory Certificate Services click Next.
  • At Select role services make sure both checkbox Certification Authority & Certificate Enrollment Policy Web Services is checked (You should click add features when you select Certificate Enrollment Policy Web Services check box) , then click Next.
  • In the Web Server Role (IIS) page click Next.
  • At Select role services page click Next.
  • In the Confirm Installation Selections page , click Install

Step 2: Once the installation is complete, you get a warning notice saying that you must perform post-deployment configuration
  • Select the warning sign & click Configure Active Directory Certificate Services on the destination server.
  • On the Credential page, click Next.
  • On the Role services page select Certification Authority & Certificate Enrollment Policy Web Services then click Next.
  • On the Setup type page, choose Enterprise CA, because i wanted to setup an Enterprise CA with fully integrated with ADDS , click Next .
  • On the CA type page, select Root CA then click Next. (As this is the first CA on dhv.local domain, its will be a root CA).
  • On the Private Key page, choose Create a new private key then click Next.
  • On the Cryptography for CA, select SHA512 then click Next.
  • On the CA Name page, input common name for this CA, for example: DHV-CA then click Next.
  • Validity period page, by default this is 5 years but I'm setting this to 20 years :) , click Next.
  • On the CA Database page, click Next.
  • On the Authentication Type for CEP  page select Windows integrated authentication option then click Next.
  • On Server Certificate page select option Choose & assign a certificate for SSL later, click Next.
  • On the confirmation page, I review settings that I have configured, and then I click "Configure".
Active Directory certificate services is then deployed on this particular server and is ready for utilization.



Step 3: Create a new template based on the Web Server template
  • On DHVHCMWEB001 server, in Server Manager, select Tools, and then select Certification Authority.
  • In the Microsoft Active Directory Certificate Services dialog box, select OK.
  • In the Certification Authority console, expand DHV-CA, right-click or access the context menu for Certificate Templates, and then select Manage.
  • In the Certificate Templates Console, locate the Web Server template in the list, right-click and then select Duplicate Template.
  • Select the General tab, in the Template display name text box, enter Production CRM, and then enter 3 in the Validity period text box.

  • Select the Request Handling tab, select Allow private key to be exported, and then select OK. Minimize the Certificate Templates Console.

  • In the Certification Authority console on DHVHCMWEB001, right-click on Revoked Certificates, select All Tasks, select Publish, and then select OK.

  • In the Publish CRL page, select New CRL then select OK.


Step 4: Configure templates so that they can be issued
  • On DHVHCMWEB001, in the Certification Authority console, right-click on Certificate Templates, point to New, and then select Certificate Template to Issue.

  • In the Enable Certificate Templates window, select Production CRM, and then select OK.

Step 5: Enroll the Web Server certificate on DHVHCMWEB001
  • Switch to Windows PowerShell and run the following command:
Install-WindowsFeature Web-Server -IncludeManagementTools


  • Right-click on DHV-CA > All Task > Stop service , then Start Service 
  • From Server Manager, select Tools, and then select Internet Information Services (IIS) Manager.
  • Select DHVHCMWEB001, and then in the central pane, double-click Server Certificates

  • In the Actions pane, select Create Domain Certificate.

  • On the Distinguished Name Properties page, complete the following fields, and then select Next:
Common name: dhvhcmweb001.dhv.local
Organization: DHViet
Organizational unit: IT Dept
City/locality: Da Nang
State/province: Da Nang
Country/region: VN

  • On the Online Certification Authority page, select Select, select DHVHCMWEB001.dhv.local, and then select OK.
  • In the Friendly name text box, enter DHVHCMWEB001, and then select Finish.

  • Ensure that the certificate displays in the Server Certificates console.

  • In the IIS console, expand DHVHCMWEB001, expand Sites, and then select Default Web Site.
  • In the Actions pane, select Bindings > in the Site Bindings window, select Add.
  • In the Add Site Binding window, select https from the Type drop-down list. In the SSL certificate drop-down list, select DHVHCMWEB001, select OK, select Yes, and then select Close.

  • Close Internet Information Services (IIS) Manager.
After completing this task, you should have configured certificate templates and managed certificates.

No comments:

Post a Comment

Windows Server 2019 - LAB08 Implementing storage solutions (Part3) Implement Storage Spaces Direct

Part 3:  Implement Storage Spaces Direct What is Storage Spaces Direct? Storage Spaces Direct is the evolution of Storage Spaces . It lever...