Solved

setup a windows cert server

Posted on 2008-10-23
968 Views
Last Modified: 2012-06-27
I have been asked to set up a Windows cert server to distribute certs to local machines. This is a 2003 AD environment. I have never done this; any help, pointers, or steps? Thanks guys
Question by:zenworksb
16 Comments
 
LVL 6

Expert Comment

by:aschaef217
ID: 22791188
This microsoft link should be very helpful in explaining all of the steps you need to take to setup the Certification Authority server for your domain.
http://msdn.microsoft.com/en-us/library/ms755466(VS.85).aspx
 
 

Author Comment

by:zenworksb
ID: 22796427
thanks guys will be doing this shortly. I will post back with questions
 
LVL 18

Expert Comment

by:sk_raja_raja
ID: 22796494
ok..
 
LVL 31

Expert Comment

by:Paranormastic
ID: 22799043
To prevent some problems further down the line, do yourself a favor now and plan on setting up at least a 2-tier PKI.  Do not issue directly from your root, aside from the cert to validate the issuing subordinate CA.  Trust me - in the long run you will thank me for this little bit of extra work now.

For the root, for best security plan to keep it offline - do not join it to a domain.  Yes, you can still do an Enterprise Root CA this way - all you need is 2003 or 2008 standard edition for this.  This way you can make another CA later in another domain, etc. and not have to reissue the root.  There are a number of other benefits I won't get into at the moment.  In a lower security environment, I suggest doing this on a VMware session that you can just copy to a couple flash drives (in case one goes bad) and take off the VM host, when you need to run it then just bring it online.  Your root CA is the center of all things security in your network - protect it, lock it up.  Another option is a laptop you can lock up.

For the issuing CA, join that to your domain, you probably want 2003 or 2008 Enterprise edition for that one for best management of the CA.

Personally I would go for a 2008 CA - better security, and if you are a larger company then the OCSP function would be worth looking into, etc.
 

Author Comment

by:zenworksb
ID: 22816109
Hey guys, I am doing this tonight; can I get steps on the following as well? Thank you

CA requires IIS to be running. The Setup creates a "CertSrv" virtual directory under the default Web site under IIS.
 
LVL 31

Expert Comment

by:Paranormastic
ID: 22816877
Technically you can set up a separate web server to host the certsrv pages and uninstall IIS from the CA server after you move those files over.  You have to have IIS enabled to install, but you can technically remove it from the CA server afterwards.  I don't know how many environments beyond our own actually do this though, as it adds another layer of complexity to things.  However, this allows your CA to not be connected to the web and still have access to the web enrollment page from it, if desired (used in conjunction with the Cert Mgr approval so there is still some kind of vetting process).
 

Author Comment

by:zenworksb
ID: 22817038
that is good for future, but just looking for steps to
this is the site i am using

http://msdn.microsoft.com/en-us/library/ms755466(VS.85).aspx

and at the bottom it says

CA requires IIS to be running. The Setup creates a "CertSrv" virtual directory under the default Web site under IIS. Requests for certificates should be addressed to this site via the URL, such as: "http://theServer/CertSrv", where "theServer" is the URL of the Web server hosting the CA. After you install Certificate Services, the computer cannot be renamed and cannot join or be removed from a domain. If IIS is running on the server computer when you attempt to install Certificate Services, you will be prompted to stop IIS to complete the installation. If your Windows 2000 Server computer is running under a Service Pack update (such as SP1, SP2, or SP3), you should reapply the service packs after you install Certificate Services. You might also need to reinstall other services, such as IIS or Terminal Services.

My question is: when I follow the steps, will it create this automatically?
 
LVL 6

Expert Comment

by:aschaef217
ID: 22817560
Yes, when you install the Certificate Authentication role through add/remove programs it will set all of that up for you.  On the remote machine that you request a certificate for you will go to the web address http://server/CertSrv and make your request.  Once the request is made go back over to the Certification Authority server and you will see the request in the MMC console for the CA Service (under Administration Tools.)  You can approve the request from there and then return to the above link from the remote server to pick the approved certificate up.
 

Author Comment

by:zenworksb
ID: 22817650
So every time someone wants a cert they will have to be approved? Is there a way to automate this?
 
LVL 6

Accepted Solution

by:
aschaef217 earned 500 total points
ID: 22817713
The idea behind the approval is that the person in charge of the certification authority is checking to make sure that the certificate request is a valid one.  You wouldn't want to automate this process because anyone could request a certificate and misuse them.  I could be wrong, but I don't believe there is a way to automate this process due to the security risks.
 

Author Comment

by:zenworksb
ID: 22817756
OK, thanks for the heads up. I will move forward as stated above and post back. Thank you for all your help; I will be installing in about an hour.
 

Author Comment

by:zenworksb
ID: 22818422
I was able to get it installed. What he is looking for is a machine cert that will be authenticated to RADIUS if they have the cert. Any ideas? This will be for the wifi.
 
LVL 6

Expert Comment

by:aschaef217
ID: 22821532
Do you have a radius server in house already?  What kind of wireless system are you using?  I'm getting ready to install Cisco's ACS radius server to handle the wifi security here.
 
LVL 31

Expert Comment

by:Paranormastic
ID: 22830147
The certificate manager approval stage is manually enabled when you configure the cert templates.  Without doing this step, it would not be enabled and every request would just go through.  As noted by aschaef, it is generally a good idea to enable cert mgr approval.

Each template should be considered for this option, however it may not always fit the bill.  

Cases where you might not want to do this are standard workstation certs, as these can be numerous and overwhelming.  DC certs should be restricted by permissions, etc. and could likewise go without approval.  CAExchange is not your Exchange server - it is a cert used by the CA for certain types of communication.

Cases that would be typical to enable are for web server certs and most or all user certificates (EFS is a common exception).

Natively supported in 2008 CA, you might also consider adding the SCEP addon for 2003 CA to make things easier for your network devices such as routers:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=9f306763-d036-41d8-8860-1636411b2d01

As for device authentication, RADIUS should work fine.  Here's a decent guide:
http://articles.techrepublic.com.com/5100-10878_11-6148579.html

Here's another guide for mobile devices (don't use wildcards on OWA if using windows mobile)
http://www.microsoft.com/technet/solutionaccelerators/mobile/deploy/msfp_a.mspx
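The two operational points raised in this thread - that "CA certificate manager approval" is a per-template setting (Paranormastic's comment above), and that a pending request is approved from the CA console and then picked up at http://server/CertSrv (aschaef217's earlier comment) - can both be checked from a script. The PowerShell below is an added example, not code from the thread or from Microsoft: it reads each template's msPKI-Enrollment-Flag from the forest Configuration partition to report which templates issue without a human in the loop, lists the requests the CA is currently holding, and wraps the approve step so that it is always an explicit, reviewed action. It assumes a domain-joined workstation with certutil.exe available and read access to the Configuration partition; the CA config string "CAHOST\Contoso-Issuing-CA" is a placeholder, and the parsing of certutil's output assumes its English column labels.

```powershell
# Added example (not from the thread). Assumes certutil.exe is present and the
# caller can read CN=Configuration. "CAHOST\Contoso-Issuing-CA" is a placeholder.

# Bits of the msPKI-Enrollment-Flag attribute on a certificate template object
$CT_FLAG_PEND_ALL_REQUESTS = 0x2    # the "CA certificate manager approval" checkbox
$CT_FLAG_AUTO_ENROLLMENT   = 0x20   # template is published for autoenrollment

function Get-TemplateApprovalPolicy {
    # Templates are stored once per forest under Public Key Services in the
    # Configuration naming context, so ask RootDSE where that is.
    $rootDse   = [ADSI]"LDAP://RootDSE"
    $configNc  = [string]$rootDse.configurationNamingContext
    $container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

    foreach ($tpl in $container.Children) {
        $flags = [int]$tpl.Properties["msPKI-Enrollment-Flag"].Value
        New-Object PSObject -Property @{
            Template         = [string]$tpl.Properties["cn"].Value
            RequiresApproval = (($flags -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0)
            AutoEnroll       = (($flags -band $CT_FLAG_AUTO_ENROLLMENT) -ne 0)
        }
    }
}

function Get-PendingRequest {
    param([string]$CaConfig = "CAHOST\Contoso-Issuing-CA")   # placeholder CA config string
    # Request disposition 9 means "pending", i.e. waiting on a certificate manager.
    $lines = & certutil.exe -config $CaConfig -view -restrict "Disposition=9" `
                 -out "RequestID,RequesterName,CertificateTemplate" 2>&1
    $current = $null
    foreach ($line in $lines) {
        if ($line -match '^\s*Request ID:\s*0x[0-9a-fA-F]+\s*\((\d+)\)') {
            if ($current) { $current }            # emit the previous row
            $current = New-Object PSObject -Property @{
                RequestId = [int]$matches[1]; Requester = ''; Template = ''
            }
        } elseif ($current -and $line -match '^\s*Requester Name:\s*"?([^"]*)"?') {
            $current.Requester = $matches[1]
        } elseif ($current -and $line -match '^\s*Certificate Template:\s*(.+)$') {
            $current.Template = $matches[1].Trim()
        }
    }
    if ($current) { $current }
}

function Approve-PendingRequest {
    param([Parameter(Mandatory = $true)][int]$RequestId,
          [string]$CaConfig = "CAHOST\Contoso-Issuing-CA")
    # certutil -resubmit issues a pending request (-deny would reject it).
    # Both outcomes are recorded in the CA database, so approvals stay auditable.
    & certutil.exe -config $CaConfig -resubmit $RequestId
}

# Typical review session: first see which templates hand out certs with no
# approval step at all, then walk the queue and approve only what you have vetted.
Get-TemplateApprovalPolicy | Where-Object { -not $_.RequiresApproval } |
    Format-Table Template, AutoEnroll -AutoSize
Get-PendingRequest | Format-Table RequestId, Requester, Template -AutoSize
# Approve-PendingRequest -RequestId 47   # only after checking requester and template
```

The first report is the one worth running periodically: a template with RequiresApproval false and AutoEnroll true issues to anyone the template's permissions allow, with nobody looking at the request, which is exactly the trade-off the thread describes for workstation certs versus web server and user certs.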
 
