Server Series – Windows 2022 Certificate Authority

Download Windows Server 2022 from: https://www.microsoft.com/en-us/evalcenter/
– Install Windows Server 2022
* Windows Server 2019 System Requirements:
Processor: 1.4 GHz 64-bit processor
RAM: 512 MB
Disk Space: 32 GB
Network – Gigabit (10/100/1000baseT) Ethernet adapter
Optical Storage – DVD drive (if installing the OS from DVD media)
Video – Super VGA (1024 x 768) or higher-resolution (optional)
Input Devices – Keyboard and mouse (optional)
Internet – Broadband access (optional)

In cryptography, a certificate authority or certification authority is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. — Wikipedia

In this guide, we will go through the process of creating a Certificate Authority on our domain. We will go through the process using Server Manager in the GUI on our computer, then we will see how we can do this using PowerShell.


USING THE GUI

1. Set the DNS address on our computer to our domain controller from the previous guide. Press Start and search for View Network Connections.
2. Right-click on the Ethernet adapter, and select Properties
3. Choose Internet Protocol Version 4 (TCP/IPv4), and open Properties
4. Under the General tab, select the radio button for Use the following DNS server addresses:
5. Enter the IP address of your domain controller, click OK, then click Close

6. Now we need to rename and join this computer to our domain. Press Start and search for About your PC
7. Scroll down on the ‘About’ section and find Rename this PC (advanced)
8. Under the Computer Name tab, select Change…
9. Change the Computer name: value and choose the radio button for Domain, then enter the value for your domain (ex. newDomain.ad), then click OK


10. You will be prompted for a domain administrator password. Close the About window, you should see a message that says Wecome to the newDomain.ad domain, click OK, then click OK on the next pop up. Click Close on the system properties, and restart the computer.


11. Install Active Directory Certificate Services. Open Server Manager > Manage > Add Roles and Features
12. Click Next, and make sure Role-based or feature-based installation is selected, click Next


13. Make sure Select a server from the server pool is selected and that our CA server is selected, click Next


14. Check Active Directory Certificate Services, choose Add Features on the pop-up window, click Next


15. In Features section, click Next. In AD CS section, click Next. In Role Services, click Next, then click Install


18. Do not close the wizard during the installation process. When installation is complete, click Configure Active Directory Certificate Services on the destination server. The AD CS Configuration wizard opens. Read the credentials information and, if needed, provide the credentials for an account that is a member of the Enterprise Admins group. Click Next


19. In Role Services, click Certification Authority, and then click Next


20. On the Setup Type page, verify that Enterprise CA is selected, and then click Next


21. On the Specify the type of the CA page, verify that Root CA is selected, and then click Next


22. On the Specify the type of the private key page, verify that Create a new private key is selected, and then click Next


23. On the Cryptography for CA page, keep the default settings for CSP (RSA#Microsoft Software Key Storage Provider) and hash algorithm (SHA2), and determine the best key character length for your deployment. Large key character lengths provide optimal security; however, they can impact server performance and might not be compatible with legacy applications. It is recommended that you keep the default setting of 2048. Click Next


24. On the CA Name page, keep the suggested common name for the CA or change the name according to your requirements. Ensure that you are certain the CA name is compatible with your naming conventions and purposes, because you cannot change the CA name after you have installed AD CS. Click Next


25. On the Validity Period page, in Specify the validity period, type the number and select a time value (Years, Months, Weeks, or Days). The default setting of five years is recommended. Click Next


26. On the CA Database page, in Specify the database locations, specify the folder location for the certificate database and the certificate database log. If you specify locations other than the default locations, ensure that the folders are secured with access control lists (ACLs) that prevent unauthorized users or computers from accessing the CA database and log files. Click Next


27. In Confirmation, click Configure to apply your selections, and then click Close

USING POWERSHELL

1. Rename Computer:

Rename-Computer -NewName "CA-01" -LocalCredential localhostAdministrator -Restart


You will be prompted for your Administrator password, and the computer will restart

2. Join the computer to the Windows Domain, you will be prompted for your local admin credentials and your domain admin credentials:

Add-Computer -ComputerName CA-01 -LocalCredential localhost\Administrator -DomainName newdomain.ad -Credential newdomain.ad\DomainAdmin -Restart -Force

3. Install Active Directory Certificate Services:

Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools

Install-AdcsCertificateAuthority -CAType EnterpriseRootCA

4. Open Certification Authority and verify that the CA looks good.

Thanks!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: