zenworksb asked:

Set up a Windows cert server

I have been asked to set up a Windows cert server to distribute certs to local machines. This is a 2003 AD environment. I have never done this; any help, pointers, or steps? Thanks guys.
Andrew

This Microsoft link should be very helpful in explaining all of the steps you need to take to set up the Certification Authority server for your domain.
http://msdn.microsoft.com/en-us/library/ms755466(VS.85).aspx
 
zenworksb (ASKER)

Thanks guys, will be doing this shortly. I will post back with questions.
Paranormastic
To prevent some problems further down the line, do yourself a favor now and plan on setting up at least a 2-tier PKI.  Do not issue directly from your root, aside from the cert to validate the issuing subordinate CA.  Trust me - in the long run you will thank me for this little bit of extra work now.

For the root, for best security plan to keep it offline - do not join it to a domain.  Yes, you can still do an Enterprise Root CA this way - all you need is 2003 or 2008 standard edition for this.  This way you can make another CA later in another domain, etc. and not have to reissue the root.  There are a number of other benefits I won't get into at the moment.  In a lower security environment, I suggest doing this on a VMware session that you can just copy to a couple flash drives (in case one goes bad) and take off the VM host, when you need to run it then just bring it online.  Your root CA is the center of all things security in your network - protect it, lock it up.  Another option is a laptop you can lock up.

For the issuing CA, join that to your domain, you probably want 2003 or 2008 Enterprise edition for that one for best management of the CA.

Personally I would go for a 2008 CA - better security, and if you are a larger company then the OCSP function would be worth looking into, etc.
Hey guys, I am doing this tonight; can I get steps on the following as well? Thank you.

CA requires IIS to be running. The Setup creates a "CertSrv" virtual directory under the default Web site under IIS.
Technically you can set up a separate web server to host the certsrv pages and uninstall IIS from the CA server after you move those files over.  You have to have IIS enabled to install, but you can technically remove it from the CA server afterwards.  I don't know how many environments beyond our own actually do this though, as it adds another layer of complexity to things.  However, this allows your CA to not be connected to the web and still have access to the web enrollment page from it, if desired (used in conjunction with the Cert Mgr approval so there is still some kind of vetting process).
That is good for the future, but I'm just looking for steps to
This is the site I am using:

http://msdn.microsoft.com/en-us/library/ms755466(VS.85).aspx

and at the bottom it says:

CA requires IIS to be running. The Setup creates a "CertSrv" virtual directory under the default Web site under IIS. Requests for certificates should be addressed to this site via the URL, such as: "http://theServer/CertSrv", where "theServer" is the URL of the Web server hosting the CA. After you install Certificate Services, the computer cannot be renamed and cannot join or be removed from a domain. If IIS is running on the server computer when you attempt to install Certificate Services, you will be prompted to stop IIS to complete the installation. If your Windows 2000 Server computer is running under a Service Pack update (such as SP1, SP2, or SP3), you should reapply the service packs after you install Certificate Services. You might also need to reinstall other services, such as IIS or Terminal Services.

My question is: when I follow the steps, will it create this automatically?
Yes, when you install the Certificate Authentication role through Add/Remove Programs it will set all of that up for you.  On the remote machine that you request a certificate for, you will go to the web address http://server/CertSrv and make your request.  Once the request is made, go back over to the Certification Authority server and you will see the request in the MMC console for the CA Service (under Administrative Tools).  You can approve the request from there and then return to the above link from the remote server to pick the approved certificate up.
So every time someone wants a cert they will have to be approved; is there a way to automate this?
ASKER CERTIFIED SOLUTION
Andrew

OK, thanks for the heads up. I will move forward as stated above, and post back. Thank you for all your help; I will be installing in about an hour.
I was able to get it installed. What he is looking for is a machine cert that will be authenticated to RADIUS if they have the cert. Any ideas? This will be for the wifi.
Do you have a RADIUS server in house already?  What kind of wireless system are you using?  I'm getting ready to install Cisco's ACS RADIUS server to handle the wifi security here.
The certificate manager approval stage is manually enabled when you configure the cert templates.  Without doing this step, it would not be enabled and every request would just go through.  As aschaef noted, it is generally a good idea to enable cert mgr approval.

Each template should be considered for this option, however it may not always fit the bill.  

Cases where you might not want to do this are standard workstation certs, as these can be numerous and overwhelming.  DC certs should be restricted by permissions, etc. and could likewise go without approval.  CAExchange is not your Exchange server - it is a cert used by the CA for certain types of communication.

Cases that would be typical to enable are for web server certs and most or all user certificates (EFS is a common exception).

Natively supported in 2008 CA, you might also consider adding the SCEP addon for 2003 CA to make things easier for your network devices such as routers:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=9f306763-d036-41d8-8860-1636411b2d01

As for device authentication, RADIUS should work fine.  Here's a decent guide:
http://articles.techrepublic.com.com/5100-10878_11-6148579.html

Here's another guide for mobile devices (don't use wildcards on OWA if using windows mobile)
http://www.microsoft.com/technet/solutionaccelerators/mobile/deploy/msfp_a.mspx
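As an added example (not posted by anyone in this thread), here is a PowerShell script that audits which certificate templates in AD have "CA certificate manager approval" turned on and which are published for autoenrollment, which is the per-template setting Paranormastic describes above. It assumes PowerShell 2.0 or later on a domain-joined machine and that the templates live in the default Configuration-partition location.

```powershell
# Added example, not from the thread: audit cert-manager approval and
# autoenrollment per certificate template by reading msPKI-Enrollment-Flag
# from the template objects in the Configuration partition.
# Assumes PowerShell 2.0+ on a domain-joined machine with read access to AD.
$rootDse   = [ADSI]"LDAP://RootDSE"
$configNC  = [string]$rootDse.configurationNamingContext
$container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$searcher = New-Object System.DirectoryServices.DirectorySearcher($container)
$searcher.Filter   = "(objectClass=pKICertificateTemplate)"
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.Add("cn")
[void]$searcher.PropertiesToLoad.Add("msPKI-Enrollment-Flag")

# Documented bits of msPKI-Enrollment-Flag (MS-CRTD):
$PEND_ALL_REQUESTS = 0x02   # "CA certificate manager approval" on the Issuance Requirements tab
$AUTO_ENROLLMENT   = 0x20   # template is offered to Group Policy autoenrollment

function Get-TemplateEnrollmentAudit {
    $searcher.FindAll() | ForEach-Object {
        $p = $_.Properties
        # Older templates may lack the attribute; treat a missing value as 0 (no flags).
        $flags = 0
        if ($p.Contains("mspki-enrollment-flag")) { $flags = [int]$p["mspki-enrollment-flag"][0] }
        New-Object PSObject -Property @{
            Template        = [string]$p["cn"][0]
            ManagerApproval = (($flags -band $PEND_ALL_REQUESTS) -ne 0)
            AutoEnroll      = (($flags -band $AUTO_ENROLLMENT) -ne 0)
        }
    }
}

Get-TemplateEnrollmentAudit | Sort-Object Template |
    Format-Table Template, ManagerApproval, AutoEnroll -AutoSize
```

Templates showing ManagerApproval = True will pend every request, including autoenrolled ones, until a certificate manager approves it in the CA MMC; templates with AutoEnroll = True and ManagerApproval = False are the ones that issue without any human vetting.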