Set up a Windows cert server

I have been asked to set up a Windows cert server to distribute certs to local machines. This is a 2003 AD environment. I have never done this; any help, pointers, or steps? Thanks guys.
zenworksbAsked:
aschaef217Commented:
This Microsoft link should be very helpful in explaining all of the steps you need to take to set up the Certification Authority server for your domain.
http://msdn.microsoft.com/en-us/library/ms755466(VS.85).aspx
 
0
sk_raja_rajaCommented:
0
zenworksbAuthor Commented:
Thanks guys, will be doing this shortly. I will post back with questions.
0
sk_raja_rajaCommented:
ok..
0
ParanormasticCryptographic EngineerCommented:
To prevent some problems further down the line, do yourself a favor now and plan on setting up at least a 2-tier PKI.  Do not issue directly from your root, aside from the cert to validate the issuing subordinate CA.  Trust me - in the long run you will thank me for this little bit of extra work now.

For the root, for best security plan to keep it offline - do not join it to a domain.  Yes, you can still do an Enterprise Root CA this way - all you need is 2003 or 2008 standard edition for this.  This way you can make another CA later in another domain, etc. and not have to reissue the root.  There are a number of other benefits I won't get into at the moment.  In a lower security environment, I suggest doing this on a VMware session that you can just copy to a couple flash drives (in case one goes bad) and take off the VM host, when you need to run it then just bring it online.  Your root CA is the center of all things security in your network - protect it, lock it up.  Another option is a laptop you can lock up.

For the issuing CA, join that to your domain; you probably want 2003 or 2008 Enterprise edition for that one for best management of the CA.

Personally I would go for a 2008 CA - better security, and if you are a larger company then the OCSP function would be worth looking into, etc.
0
zenworksbAuthor Commented:
Hey guys, I am doing this tonight. Can I get steps on the following as well? Thank you

CA requires IIS to be running. The Setup creates a "CertSrv" virtual directory under the default Web site under IIS.
0
ParanormasticCryptographic EngineerCommented:
Technically you can set up a separate web server to host the certsrv pages and uninstall IIS from the CA server after you move those files over.  You have to have IIS enabled to install, but you can technically remove it from the CA server afterwards.  I don't know how many environments beyond our own actually do this though, as it adds another layer of complexity to things.  However, this allows your CA to not be connected to the web and still have access to the web enrollment page from it, if desired (used in conjunction with the Cert Mgr approval so there is still some kind of vetting process).
0
zenworksbAuthor Commented:
That is good for the future, but just looking for steps to
This is the site I am using:

http://msdn.microsoft.com/en-us/library/ms755466(VS.85).aspx

and at the bottom it says:

CA requires IIS to be running. The Setup creates a "CertSrv" virtual directory under the default Web site under IIS. Requests for certificates should be addressed to this site via the URL, such as: "http://theServer/CertSrv", where "theServer" is the URL of the Web server hosting the CA. After you install Certificate Services, the computer cannot be renamed and cannot join or be removed from a domain. If IIS is running on the server computer when you attempt to install Certificate Services, you will be prompted to stop IIS to complete the installation. If your Windows 2000 Server computer is running under a Service Pack update (such as SP1, SP2, or SP3), you should reapply the service packs after you install Certificate Services. You might also need to reinstall other services, such as IIS or Terminal Services.

My question is: when I follow the steps, will it create this automatically?
0
aschaef217Commented:
Yes, when you install the Certificate Authentication role through Add/Remove Programs it will set all of that up for you.  On the remote machine that you request a certificate for, you will go to the web address http://server/CertSrv and make your request.  Once the request is made, go back over to the Certification Authority server and you will see the request in the MMC console for the CA Service (under Administrative Tools).  You can approve the request from there and then return to the above link from the remote server to pick the approved certificate up.
0
zenworksbAuthor Commented:
So every time someone wants a cert they will have to be approved? Is there a way to automate this?
0
aschaef217Commented:
The idea behind the approval is that the person in charge of the certification authority is checking to make sure that the certificate request is a valid one.  You wouldn't want to automate this process because anyone could request a certificate and misuse them.  I could be wrong, but I don't believe there is a way to automate this process due to the security risks.
0

zenworksbAuthor Commented:
OK, thanks for the heads up. I will move forward as stated above and post back. Thank you for all your help; I will be installing in about an hour.
0
zenworksbAuthor Commented:
I was able to get it installed. What he is looking for is a machine cert that will be authenticated to RADIUS if they have the cert. Any ideas? This will be for the WiFi.
0
aschaef217Commented:
Do you have a RADIUS server in house already?  What kind of wireless system are you using?  I'm getting ready to install Cisco's ACS RADIUS server to handle the WiFi security here.
0
ParanormasticCryptographic EngineerCommented:
The certificate manager approval stage is manually enabled when you configure the cert templates.  Without doing this step, it would not be enabled and every request would just go through.  As aschaef noted, it is generally a good idea to enable cert mgr approval.

Each template should be considered for this option, however it may not always fit the bill.  

Cases where you might not want to do this are standard workstation certs, as these can be numerous and overwhelming.  DC certs should be restricted by permissions, etc. and could likewise go without approval.  CAExchange is not your Exchange server - it is a cert used by the CA for certain types of communication.

Cases that would be typical to enable are for web server certs and most or all user certificates (EFS is a common exception).

Natively supported in 2008 CA, you might also consider adding the SCEP addon for 2003 CA to make things easier for your network devices such as routers:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=9f306763-d036-41d8-8860-1636411b2d01

As for device authentication, RADIUS should work fine.  Here's a decent guide:
http://articles.techrepublic.com.com/5100-10878_11-6148579.html

Here's another guide for mobile devices (don't use wildcards on OWA if using windows mobile)
http://www.microsoft.com/technet/solutionaccelerators/mobile/deploy/msfp_a.mspx
0
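Paranormastic's point that approval is a per-template setting can be checked directly in the directory: each template object carries an msPKI-Enrollment-Flag attribute whose 0x2 bit is the "CA certificate manager approval" checkbox. The following is an added example (not code from the thread, Microsoft, or any project): it parses a constructed ldifde-style export of three templates and lists those that issue with no approval while letting the requester supply the subject name; the flag constants are the documented MS-CRTD values, and the sample records and DC=example,DC=local domain are made up.

```python
"""Audit AD CS certificate templates for the "CA certificate manager approval" flag
(added example, not from the thread; input is a constructed ldifde-style export)."""

# Flag bits from MS-CRTD (msPKI-Enrollment-Flag / msPKI-Certificate-Name-Flag)
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # manager approval required before issuance
CT_FLAG_AUTO_ENROLLMENT = 0x20           # template may be autoenrolled
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # requester chooses the subject name

# Constructed sample export (not real directory data; the domain is a placeholder).
SAMPLE_LDIF = """\
dn: CN=Machine,CN=Certificate Templates,CN=Public Key Services,DC=example,DC=local
cn: Machine
msPKI-Enrollment-Flag: 32
msPKI-Certificate-Name-Flag: 1073741824

dn: CN=WebServer,CN=Certificate Templates,CN=Public Key Services,DC=example,DC=local
cn: WebServer
msPKI-Enrollment-Flag: 0
msPKI-Certificate-Name-Flag: 1

dn: CN=User,CN=Certificate Templates,CN=Public Key Services,DC=example,DC=local
cn: User
msPKI-Enrollment-Flag: 43
msPKI-Certificate-Name-Flag: 0
"""

def parse_ldif(text):
    """Split an ldifde export into records of attribute -> value (blank line ends a record)."""
    return [dict(line.partition(": ")[::2] for line in block.splitlines())
            for block in text.strip().split("\n\n")]

def audit_templates(text):
    """Decode the enrollment and name flags of every template in the export."""
    findings = {}
    for rec in parse_ldif(text):
        # ldifde prints large bitmasks as signed 32-bit ints; mask back to unsigned
        enroll = int(rec.get("msPKI-Enrollment-Flag", "0")) & 0xFFFFFFFF
        name = int(rec.get("msPKI-Certificate-Name-Flag", "0")) & 0xFFFFFFFF
        findings[rec["cn"]] = {
            "manager_approval": bool(enroll & CT_FLAG_PEND_ALL_REQUESTS),
            "autoenroll": bool(enroll & CT_FLAG_AUTO_ENROLLMENT),
            "enrollee_supplies_subject": bool(name & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        }
    return findings

def needs_review(findings):
    """Templates issued with no approval where the requester picks the subject name."""
    return sorted(cn for cn, f in findings.items()
                  if not f["manager_approval"] and f["enrollee_supplies_subject"])
```

On a real CA you would feed it an ldifde export of the Certificate Templates container instead of SAMPLE_LDIF; in the sample, only WebServer is flagged, which matches the advice above to require approval for web server certs while letting workstation certs auto-issue.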
ParanormasticCryptographic EngineerCommented:
0