Certificate Authority (building)

Steve Harris
I am going to be building a CA on a VM and the Microsoft documentation I have found seems outdated.

What is the recommended platform for this? I have found that having an offline one as the root and then subordinates to issue the certificates seems to be the idea. This seems really intensive.

I really just need one to issue certificates to devices/users for VPN items and HTTPS certificates for SCCM later. Nothing too intensive.

Does anyone have a good method to get one up and running quickly?

Commented:
If you're not transferring a CA to a new server but rather building a brand new one, just follow this:

https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/install-the-certification-authority

That's current and will get you up and running.
Steve Harris, IT Analyst

Author

Commented:
@Coolie OK, that is a document I found and tried. I have a VM up and running off that one, but I am not sure it is working properly.

Commented:
You can search AD and see what it says is your Certification Authority. This lets you know that you installed it correctly:

https://support.microsoft.com/en-us/help/555529

And if you want to test it out, you can follow the steps below to see if it's working correctly.

https://www.wikihow.com/Install,-Configure,-and-Test-Certificate-Services-in-a-Windows-Server-2012-R2-Domain
Steve Harris, IT Analyst

Author

Commented:
OK, so I did Option 1 & 2 and I don't see it on there, yet I followed the guide. Any ideas, or should I just try to rebuild again?

Option 1:
  Name:                         "IFM-CA"
  Organizational Unit:          ""
  Organization:                 ""
  Locality:                     ""
  State:                        ""
  Country/region:               ""
  Config:                       "CA.IFM\IFM-CA"
  Exchange Certificate:         ""
  Signature Certificate:        "CA.IFM_IFM-CA.crt"
  Description:                  ""
  Server:                       "CA.IFM"
  Authority:                    "IFM-CA"
  Sanitized Name:               "IFM-CA"
  Short Name:                   "IFM-CA"
  Sanitized Short Name:         "IFM-CA"
  Flags:                        "13"
  Web Enrollment Servers:       ""
CertUtil: -dump command completed successfully.

Option 2:
1. Log on as a domain administrator to a computer that is connected to the domain.

2. Install Windows Support Tools.

3. Go to "Start" -> "Run" -> Write "adsiedit.msc" and press the "Enter" button.

4. Navigate to:

CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=ntdomain,DC=com

Under "Certification Authorities" you will find your Enterprise Root Certificate Authority server.
Senior Systems Admin
Top Expert 2010
Commented:
Go to a system on the network. Open MMC > Add Snapin > Certificates > Choose Computer > Open Trusted Third Party > If the CA Certificate for the server is there, the CA is working.
Steve Harris, IT Analyst

Author

Commented:
@Adam I do see it there, so that is a plus. Though I don't see it in ADSI.
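
Added example, not part of any participant's post: a PowerShell check of the same Public Key Services containers that the ADSI Edit steps in the thread navigate to. It assumes the ActiveDirectory (RSAT) module is installed, takes the CA name IFM-CA from the certutil output above, and reads the configuration naming context from RootDSE instead of the sample DC=ntdomain,DC=com suffix.

```powershell
# Added example (not from the thread): report which PKI containers in AD DS
# hold an object for a given CA. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$caName = 'IFM-CA'   # CA name as shown in the certutil -dump output in the thread

# Build the base DN from RootDSE so the forest's real configuration partition
# is used, whatever the domain suffix is.
$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Containers to inspect and the object class stored in each one.
$containers = [ordered]@{
    'Certification Authorities' = 'certificationAuthority'  # root CA certificates published to the forest
    'AIA'                       = 'certificationAuthority'  # CA certificates published for chain building
    'Enrollment Services'       = 'pKIEnrollmentService'    # Enterprise CAs available for enrollment
}

$report = foreach ($name in $containers.Keys) {
    $query = @{
        SearchBase  = "CN=$name,$pkiBase"
        SearchScope = 'OneLevel'
        LDAPFilter  = "(objectClass=$($containers[$name]))"
        Properties  = 'dNSHostName', 'certificateTemplates'
        ErrorAction = 'Stop'
    }
    try {
        $objects = @(Get-ADObject @query)
    } catch {
        # A missing container or an access problem is reported, not hidden.
        Write-Warning "Could not read $($query.SearchBase): $($_.Exception.Message)"
        continue
    }
    $match = $objects | Where-Object { $_.Name -eq $caName } | Select-Object -First 1
    [pscustomobject]@{
        Container = $name
        Objects   = $objects.Name -join ', '
        CAListed  = [bool]$match
        HostName  = if ($match) { $match.dNSHostName } else { $null }
        Templates = if ($match) { $match.certificateTemplates.Count } else { 0 }
    }
}

$report | Format-Table -AutoSize
```

HostName and Templates are only populated on the Enrollment Services row, since those attributes belong to the enrollment service object.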