
Step by Step: Deploying an Enterprise Subordinate CA in Server 2012 R2 (Part 2)

August 31, 2013

Hi guyz…

As promised in my last post on Standalone Root CA https://mizitechinfo.wordpress.com/2013/08/29/step-by-step-deploying-a-standalone-root-ca-in-server-2012-r2-part-1/, today I’m glad to continue our journey on the Enterprise Subordinate CA deployment…
 
As usual, let me start by explaining a little bit about the Enterprise CA:

– An enterprise CA is typically used to issue certificates to users, computers, and services, and is not typically used as an offline CA

– An enterprise CA requires AD DS, which can be used as a configuration and registration database. An enterprise CA also provides a publication point for certificates issued to users and computers.

– Users can request certificates from an enterprise CA using the following methods:

> Manual Enrollment
> Web Enrollment
> Autoenrollment
> Enrollment agent

For more information on CAs, please refer to: http://technet.microsoft.com/en-us/library/cc756989(v=ws.10).aspx

Orait, let's get started. For this Enterprise Subordinate CA deployment demo, I will use my new virtual servers: ComSys-ADCS.comsys.local, DC01.comsys.local and SVR01.comsys.local.

I will deploy the Enterprise Subordinate CA on this ComSys-ADCS.comsys.local server:


1 – First, let me log in to my ComSys-ADCS.comsys.local server, open Server Manager, and then on the Dashboard click Add roles and features…


2 – On the Before you begin box click Next to proceed…


3 – On the Select installation type box, verify that Role-based or feature-based installation is selected, then click Next


4 – On the Select destination server box, select my server (Comsys-ADCS.comsys.local) and click Next…


5 – On the Select server roles box, click Active Directory Certificate Services, then click Add Features and click Next


6 – On the Select features box, click Next


7 – On the Active Directory Certificate Services box, click Next


8 – On the Select role services box, verify that Certification Authority is selected, then also select Certification Authority Web Enrollment, click Add Features, and click Next to proceed…


9 – Next, on the Web Server Role (IIS) box, click Next


10 – On the Select role services box, click Next


11 – On the Confirm installation selections box, click Install


12 – After installation is successful, click Configure Active Directory Certificate Services on the destination server link…


13 – On the Credentials box, click Next


14 – On the Role Services box, select both Certification Authority and Certification Authority Web Enrollment, and then click Next


15 – On the Setup Type box, select Enterprise CA, and then click Next


16 – On the CA Type box, click Subordinate CA, and then click Next


17 – On the Private Key box, verify that Create a new private key is selected, and then click Next


18 – On the Cryptography for CA box, I did not change any configuration; I left it at the default and then clicked Next


19 – On the CA Name box, in the Common name for this CA text box, type Comsys-IssuingCA, and then click Next


20 – On the Certificate Request box, verify that Save a certificate request to file on the target machine is selected, and then click Next (you can change the file name if you wish to…)


21 – On the CA Database box, click Next


22 – On the Confirmation box, click Configure


23 – On the Results box, click Close (verify that Configuration succeeded) …


24 – Next, access your domain server (DC01.comsys.local) from the Comsys-ADCS server: open Run and type \\dc01\c$…


25 – Once you have successfully accessed the domain server, copy the RootCA file (this RootCA file was created in my previous demo, “Step by Step: Deploying a Standalone Root CA in Server 2012 R2 (Part 1)”)…


26 – Then paste the RootCA file into the Comsys-ADCS C: drive…


27 – Right-click RootCA, and then click Install Certificate…


28 – In the Certificate Import Wizard, click Local Machine, and then click Next


29 – On the Certificate Store box, click Place all certificates in the following store, click Browse, select Trusted Root Certification Authorities, and then click OK…


30 – Click Next, and then click Finish


31 – When the Certificate Import Wizard window pops up, click OK


32 – Next, from the Comsys-ADCS server, access the DC01 domain server and copy both the Certificate Revocation List and the Security Certificate (both files were created in the previous demo)…


33 – Next, on the Comsys-ADCS server, browse to your C: drive, open the inetpub folder and then the wwwroot folder, then create a new folder and name it CertData…


34 – Paste the two copied files into that folder…


35 – Next, in the Certification Authority console, right-click Comsys-IssuingCA, point to All Tasks, and then click Submit new request…


36 – In the Open Request File box, browse to (C:), click the file Comsys-ADCS.comsys.local_Comsys- Comsys-IssuingCA.req, and then click Open…


37 – In the Certification Authority console, right-click Comsys-IssuingCA, point to All Tasks, and then click Submit new request…


38 – In the Open Request File window, browse to \\comsys-adcs\c$, click the file Comsys-ADCS.comsys.local_Comsys- Comsys-IssuingCA.req, and then click Open…


39 – In the right pane, right-click the request (with ID 2), point to All Tasks, and then click Issue…


40 – Next, click the Issued Certificates container, double-click the certificate, click the Details tab, and then click Copy to File…

** In the Certificate Export Wizard, on the Welcome page, click Next…


41 – On the Export File Format box, click Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B), click Include all certificates in the certification path if possible, and then click Next…


42 – On the File to Export box, click Browse (comsys-adcs server), then in the File name text box, type SubCA, and then press Enter.


43 – Then click Next to proceed…


44 – Click Finish, and then click OK


45 – Next, still in the Comsys-ADCS Server, in the Certification Authority console, right-click Comsys-IssuingCA, point to All Tasks, and then click Install CA Certificate…


46 – Navigate to (C:), click the SubCA.p7b file, and then click Open


47 – Wait a few seconds, then right-click Comsys-IssuingCA, point to All Tasks and click Start Service…


48 – Verify that the CA starts successfully…


49 – Next, you can start publishing the root CA certificate to your infrastructure using Group Policy…

** On DC01 server, open Group Policy Management, then right-click Default Domain Policy, and then click Edit…


50 – In the Computer Configuration node, expand Policies, expand Windows Settings, expand Security Settings, expand Public Key Policies, right-click Trusted Root Certification Authorities, and then click Import…


51 – In the Certificate Import Wizard, click Next…


52 – On the File to Import page, click Browse, in the file name text field, type \\comsys-adcs\c$, and then press Enter, then choose RootCA.cer, and then click Open…


53 – Click Next two times, and then click Finish


54 – When the Certificate Import Wizard window pops up, click OK
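For readers who prefer the console, here is the same build (steps 1 to 54) done from an elevated PowerShell prompt on Comsys-ADCS. This is an added example, not part of the original post; the root CA config string, the request/certificate file names and the AD publishing alternative for steps 49 to 54 are my assumptions, and the root CA's name from Part 1 is a placeholder you must replace.

```powershell
# Added example, not from the original post: the same build done from an elevated
# PowerShell prompt on Comsys-ADCS.comsys.local. Assumed/placeholder values:
# the root CA config string (server\CA name from Part 1) and the file names.
$RootCaConfig = 'DC01\ROOT-CA-NAME-PLACEHOLDER'      # replace with your root CA name
$IssuingCa    = 'comsys-adcs.comsys.local\Comsys-IssuingCA'
$ReqFile      = 'C:\Comsys-IssuingCA.req'

# Steps 1-12: add the role services (no GUI wizard)
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# Steps 13-23: enterprise subordinate CA, new key, request written to a file.
# Key length and hash are stated explicitly instead of relying on the wizard default.
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CACommonName 'Comsys-IssuingCA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 -HashAlgorithmName SHA256 `
    -OutputCertRequestFile $ReqFile -Force
Install-AdcsWebEnrollment -Force

# Steps 24-31: trust the Part 1 root in the machine store (LocalMachine\Root, not CurrentUser)
Copy-Item '\\dc01\c$\RootCA.cer', '\\dc01\c$\RootCA.crl' -Destination 'C:\'
Import-Certificate -FilePath 'C:\RootCA.cer' -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Steps 32-34: publish root cert and CRL over HTTP for chain building and revocation checks.
# Clients only look here if the root CA's AIA/CDP extensions point at this URL.
New-Item -ItemType Directory -Path 'C:\inetpub\wwwroot\CertData' -Force | Out-Null
Copy-Item 'C:\RootCA.cer', 'C:\RootCA.crl' -Destination 'C:\inetpub\wwwroot\CertData\'

# Steps 35-44, run on the root CA host (DC01): submit the request, issue it (a standalone
# root leaves it pending; request ID 2 in the post), and retrieve the PKCS#7 chain as SubCA.p7b.
#   certreq -submit -config $RootCaConfig \\comsys-adcs\c$\Comsys-IssuingCA.req
#   certutil -config $RootCaConfig -resubmit 2
#   certreq -retrieve -config $RootCaConfig 2 \\comsys-adcs\c$\SubCA.cer \\comsys-adcs\c$\SubCA.p7b

# Steps 45-48: install the issued chain and start the CA service
certutil -installCert 'C:\SubCA.p7b'
Start-Service certsvc

# Steps 49-54 alternative: publishing the root into AD makes domain members trust it
# without editing the Default Domain Policy (needs Enterprise Admins).
certutil -dspublish -f 'C:\RootCA.cer' RootCA

# Checks: the CA answers, and its own certificate chains to the trusted root with
# the AIA/CDP URLs actually fetched (a failure here means clients will fail too).
certutil -config $IssuingCa -ping
certutil -config $IssuingCa '-ca.cert' 'C:\Comsys-IssuingCA.cer'
certutil -verify -urlfetch 'C:\Comsys-IssuingCA.cer'
```

The final certutil -verify -urlfetch is the check worth keeping: it reports whether the root certificate and CRL can actually be retrieved from the URLs embedded in the issuing CA's certificate, which the wizard never tells you.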


Finally, we are done for now; at this point, we have deployed and configured an enterprise subordinate CA…

We still have a long way to go on this; next round I will show you all how to configure Certificate Templates. Wait for my Part 3…
