Solved

setup a windows cert server

Posted on 2008-10-23
Last Modified: 2012-06-27
I have been asked to set up a Windows cert server to distribute certs to local machines. This is a 2003 AD environment. I have never done this; any help, pointers, steps? Thanks guys
Question by:zenworksb
16 Comments
 
LVL 6

Expert Comment

by:aschaef217
This microsoft link should be very helpful in explaining all of the steps you need to take to setup the Certification Authority server for your domain.
http://msdn.microsoft.com/en-us/library/ms755466(VS.85).aspx
 
 
LVL 18

Expert Comment

by:sk_raja_raja
 

Author Comment

by:zenworksb
Thanks guys, will be doing this shortly. I will post back with questions.
 
LVL 18

Expert Comment

by:sk_raja_raja
ok..
 
LVL 31

Expert Comment

by:Paranormastic
To prevent some problems further down the line, do yourself a favor now and plan on setting up at least a 2-tier PKI. Do not issue directly from your root, aside from the cert to validate the issuing subordinate CA. Trust me - in the long run you will thank me for this little bit of extra work now.

For the root, for best security plan to keep it offline - do not join it to a domain. Yes, you can still do an Enterprise Root CA this way - all you need is 2003 or 2008 Standard edition for this. This way you can make another CA later in another domain, etc. and not have to reissue the root. There are a number of other benefits I won't get into at the moment. In a lower security environment, I suggest doing this on a VMware session that you can just copy to a couple of flash drives (in case one goes bad) and take off the VM host; when you need to run it, just bring it online. Your root CA is the center of all things security in your network - protect it, lock it up. Another option is a laptop you can lock up.

For the issuing CA, join that to your domain; you probably want 2003 or 2008 Enterprise edition for that one for best management of the CA.

Personally I would go for a 2008 CA - better security; if you are a larger company then the OCSP function would be worth looking into, etc.
 

Author Comment

by:zenworksb
Hey guys, I am doing this tonight. Can I get steps on the following as well? Thank you

CA requires IIS to be running. The Setup creates a "CertSrv" virtual directory under the default Web site under IIS.
 
LVL 31

Expert Comment

by:Paranormastic
Technically you can set up a separate web server to host the certsrv pages and uninstall IIS from the CA server after you move those files over. You have to have IIS enabled to install, but you can technically remove it from the CA server afterwards. I don't know how many environments beyond our own actually do this though, as it adds another layer of complexity to things. However, this allows your CA to not be connected to the web and still have access to the web enrollment page from it, if desired (used in conjunction with the Cert Mgr approval so there is still some kind of vetting process).
 

Author Comment

by:zenworksb
That is good for the future, but just looking for steps to
This is the site I am using:

http://msdn.microsoft.com/en-us/library/ms755466(VS.85).aspx

and at the bottom it says:

CA requires IIS to be running. The Setup creates a "CertSrv" virtual directory under the default Web site under IIS. Requests for certificates should be addressed to this site via the URL, such as: "http://theServer/CertSrv", where "theServer" is the URL of the Web server hosting the CA. After you install Certificate Services, the computer cannot be renamed and cannot join or be removed from a domain. If IIS is running on the server computer when you attempt to install Certificate Services, you will be prompted to stop IIS to complete the installation. If your Windows 2000 Server computer is running under a Service Pack update (such as SP1, SP2, or SP3), you should reapply the service packs after you install Certificate Services. You might also need to reinstall other services, such as IIS or Terminal Services.

My question is: when I follow the steps, will it create this automatically?
 
LVL 6

Expert Comment

by:aschaef217
Yes, when you install the Certificate Authentication role through Add/Remove Programs it will set all of that up for you. On the remote machine that you request a certificate for, you will go to the web address http://server/CertSrv and make your request. Once the request is made, go back over to the Certification Authority server and you will see the request in the MMC console for the CA service (under Administration Tools). You can approve the request from there and then return to the above link from the remote server to pick the approved certificate up.
 

Author Comment

by:zenworksb
So every time someone wants a cert they will have to be approved? Is there a way to automate this?
 
LVL 6

Accepted Solution

by:aschaef217 (earned 500 total points)
The idea behind the approval is that the person in charge of the certification authority is checking to make sure that the certificate request is a valid one.  You wouldn't want to automate this process because anyone could request a certificate and misuse them.  I could be wrong, but I don't believe there is a way to automate this process due to the security risks.
 

Author Comment

by:zenworksb
OK, thanks for the heads up. I will move forward as stated above and post back. Thank you for all your help; I will be installing in about an hour.
 

Author Comment

by:zenworksb
I was able to get it installed. What he is looking for is a machine cert that will be authenticated to RADIUS if they have the cert. Any ideas? This will be for the wifi.
 
LVL 6

Expert Comment

by:aschaef217
Do you have a RADIUS server in house already? What kind of wireless system are you using? I'm getting ready to install Cisco's ACS RADIUS server to handle the wifi security here.
 
LVL 31

Expert Comment

by:Paranormastic
The certificate manager approval stage is manually enabled when you configure the cert templates. Without doing this step, it would not be enabled and every request would just go through. As aschaef noted, it is generally a good idea to enable cert mgr approval.

Each template should be considered for this option; however, it may not always fit the bill.

Cases where you might not want to do this are standard workstation certs, as these can be numerous and overwhelming. DC certs should be restricted by permissions, etc. and could likewise go without approval. CAExchange is not your Exchange server - it is a cert used by the CA for certain types of communication.

Cases where it would be typical to enable are web server certs and most or all user certificates (EFS is a common exception).

Natively supported in 2008 CA; you might also consider adding the SCEP add-on for 2003 CA to make things easier for your network devices such as routers:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=9f306763-d036-41d8-8860-1636411b2d01

As for device authentication, RADIUS should work fine. Here's a decent guide:
http://articles.techrepublic.com.com/5100-10878_11-6148579.html

Here's another guide for mobile devices (don't use wildcards on OWA if using Windows Mobile):
http://www.microsoft.com/technet/solutionaccelerators/mobile/deploy/msfp_a.mspx
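As an added example (not code from the thread or from Microsoft), here is a PowerShell audit of the manager-approval and autoenrollment flags on the templates published in AD, which is the per-template decision Paranormastic describes, followed by the certutil query behind the manual approval workflow aschaef217 outlined. It assumes a domain-joined machine that can read the standard template container, and that the last line is run on the CA itself.

```powershell
# Added example, not from the thread: audit which templates published in AD require
# CA certificate manager approval and which permit autoenrollment, then list the
# requests currently waiting for approval on the CA.
# Flag bits come from the msPKI-Enrollment-Flag attribute (MS-CRTD):
$CT_FLAG_PEND_ALL_REQUESTS = 0x2    # the "CA certificate manager approval" checkbox
$CT_FLAG_AUTO_ENROLLMENT   = 0x20   # template allows autoenrollment

function Get-TemplateApprovalAudit {
    # Templates live in the forest's Configuration partition (standard container path).
    $rootDse   = [ADSI]"LDAP://RootDSE"
    $configNC  = [string]$rootDse.Properties["configurationNamingContext"].Value
    $path      = "LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $container = [ADSI]$path

    foreach ($t in $container.Children) {
        $flags = [int]$t.Properties["msPKI-Enrollment-Flag"].Value
        New-Object PSObject -Property @{
            Template          = [string]$t.Properties["cn"].Value
            ManagerApproval   = (($flags -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0)
            AutoEnrollAllowed = (($flags -band $CT_FLAG_AUTO_ENROLLMENT) -ne 0)
        }
    }
}

# A template without ManagerApproval issues to any principal holding Enroll permission
# with no human review; per the advice above, web server and user templates normally
# deserve the approval flag, workstation and DC templates usually do not.
Get-TemplateApprovalAudit |
    Sort-Object ManagerApproval, Template |
    Format-Table Template, ManagerApproval, AutoEnrollAllowed -AutoSize

# On the CA itself: Disposition 9 is "pending". Review each row before issuing
# (certutil -resubmit <RequestID>) or denying (certutil -deny <RequestID>).
certutil -view -restrict "Disposition=9" -out "RequestID,RequesterName,CertificateTemplate,SubmittedWhen"
```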
 
LVL 31

Expert Comment

by:Paranormastic
