Tuesday 19 June 2012

Deploying Certificate Services

To avoid the costs of purchasing SSL certificates from a Certificate Authority, I'll be deploying my own Certificate Authority and using self-signed certificates to secure certain features.

Rather than deploy a dedicated server for this function, I decided to add it to one of the existing domain controllers, so first I logged onto one of the Domain Controllers, and loaded up Server Manager, then went into Add Roles. I then selected Active Directory Certificate Services.
Under role Services I just added Web Enrolment (for now at least).
This required some additional IIS features, which I OK'd.
I configured the setup type as Enterprise to allow directory integration.
I then set it to be a Root CA - there is nothing higher up the chain to sign the certificate, so it will need to self-sign its own.
I'll be creating a new private key.
I opted for a 4096 key length, and SHA512 as the hash algorithm.
I modified the common name to CertSrv, and the distinguished name from the default of DC=msgeek,DC=local to DC=msgeek,DC=co,DC=uk.
I then upped the validity period for the root CA's certificate from 5 to 10 years.
I kept the certificate database at its default location, and kept the IIS components at the default the installer had selected. After that you get a summary of the options selected.
After clicking next the installer ran, and completed successfully.
Finally, I wanted to check the web enrolment site was up, so navigated to http://domaincontroller/certsrv. I was surprised to get a 403 error, so checked the IIS settings and found that the certsrv application had been pointed to system32\certsrv, rather than system32\certsrv\en-us. I corrected this in IIS, and the certificate enrolment website now worked as expected.
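The same build as a script, added here as an example rather than taken from the original post: it installs the role with the choices above and then checks the IIS physical path behind /certsrv, which is what produced the 403. It assumes Windows Server 2012 or later (the ADCSDeployment and WebAdministration modules), an elevated prompt on the domain controller, and the Default Web Site hosting the CertSrv application.

```powershell
# Added example, not code from the original post. Assumes Windows Server 2012+
# (ADCSDeployment and WebAdministration modules) and an elevated session on the DC.

Import-Module ServerManager
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

Import-Module ADCSDeployment
# Enterprise root CA, new 4096-bit key, SHA512, CN=CertSrv, 10-year root certificate,
# matching the options chosen in the post.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'CertSrv' `
    -CADistinguishedNameSuffix 'DC=msgeek,DC=co,DC=uk' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA512 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 10 `
    -Force

# Web Enrolment role service (the /certsrv pages).
Install-AdcsWebEnrollment -Force

# Verify the IIS application behind /certsrv. A 403 from http://<dc>/certsrv can mean
# the application is rooted at system32\CertSrv instead of the localised en-US folder.
Import-Module WebAdministration
$expected = Join-Path $env:windir 'system32\CertSrv\en-US'
$app = Get-WebApplication -Site 'Default Web Site' -Name 'CertSrv'

if ($null -eq $app) {
    Write-Warning 'CertSrv application not found under Default Web Site'
} else {
    # Expand %windir%-style values before comparing; -ne is case-insensitive on strings.
    $actual = [Environment]::ExpandEnvironmentVariables($app.PhysicalPath)
    if ($actual -ne $expected) {
        Write-Warning "CertSrv points at '$actual'; resetting to '$expected'"
        Set-ItemProperty 'IIS:\Sites\Default Web Site\CertSrv' -Name physicalPath -Value $expected
    } else {
        Write-Output "CertSrv physical path OK: $actual"
    }
}
```

After the path is corrected, a fresh request to http://<dc>/certsrv should return the enrolment pages instead of 403.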
