Windows 2008 R2 Certification Authority installation guide

This step-by-step guide explains how to install and configure a public key infrastructure based on:

- Windows 2008 R2 Server Core – offline Root CA
- Windows 2008 R2 domain controller
- Windows 2008 R2 Enterprise Edition – Subordinate Enterprise CA server

Offline Root CA – OS installation phase

Boot the server using the Windows 2008 R2 bootable DVD.
Specify the product ID -> click Next.
From the installation options, choose “Windows Server 2008 R2 (Server Core Installation)” -> click Next.
Accept the license agreement -> click Next.
Choose the “Custom (Advanced)” installation type -> specify the hard drive on which to install the operating system -> click Next.
Allow the installation phase to continue; the server restarts automatically.
To log in to the server for the first time, press CTRL+ALT+DELETE -> choose the “Administrator” account -> click OK to replace the account password -> specify a complex password and confirm it -> press Enter -> press OK.
From the command prompt window, run the command below:
    sconfig
Press “2” to replace the computer name -> specify the new computer name -> click “Yes” to restart the server.
To log in to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
From the command prompt window, run the command below:
    sconfig
Press “5” to configure “Windows Update Settings” -> select “A” for automatic -> click OK.
Press “6” to download and install Windows updates -> choose “A” to search for all updates -> choose “A” to download and install all updates -> click “Yes” to restart the server.
To log in to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
From the command prompt window, run the command below:
    sconfig
In case you need to use RDP to access and manage the server, press “7” to enable “Remote Desktop” -> choose “E” to enable -> choose either “1” or “2” according to your client settings -> press OK.
Press “8” to configure “Network Settings” -> select the network adapter by its index number -> press “1” to configure the IP settings -> choose “S” for a static IP address -> specify the IP address, subnet mask and default gateway -> press “2” to configure the DNS servers -> click OK -> press “4” to return to the main menu.
Press “9” to configure “Date and Time” -> choose the correct date/time and time zone -> click OK.
Press “11” to restart the server -> choose “Yes”.

Offline Root CA – Certificate Authority server installation phase

To log in to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
Install Certificate Services:
    start /w ocsetup CertificateServices /norestart /quiet
To check that the installation completed, run the command:
    oclist | find /i "Passed"
Run the command below to enable remote management of the Root CA (the rule group name is a placeholder; the original post does not preserve it):
    netsh advfirewall firewall set rule group="<rule group name>" new enable=yes
Run the command below to start the CertSvc service:
    net start CertSvc

Enterprise Subordinate CA – OS installation phase

Pre-requirements:
- Active Directory (forest functional level – Windows 2008 R2)
- Add an “A” record for the Root CA to the Active Directory DNS.

Boot the server using the Windows 2008 R2 Enterprise Edition bootable DVD.
Specify the product ID -> click Next.
From the installation options, choose “Windows Server 2008 R2 Enterprise Edition Full installation” -> click Next.
Accept the license agreement -> click Next.
Choose the “Custom (Advanced)” installation type -> specify the hard drive on which to install the operating system -> click Next.
Allow the installation phase to continue; the server restarts automatically.
To log in to the server for the first time, press CTRL+ALT+DELETE -> choose the “Administrator” account -> click OK to replace the account password -> specify a complex password and confirm it -> press Enter -> press OK.
From the “Initial Configuration Tasks” window, configure the following settings:
- Set the time zone
- Configure networking – specify a static IP address, netmask, gateway and DNS
- Provide the computer name and domain – add the server to the domain
- Enable Remote Desktop
In order to be able to remotely manage the Root CA, store its credentials with the command below (user and password are placeholders; the post does not preserve them):
    cmdkey /add:RootCA /user:<Root CA account> /pass:<password>
To log in to the server, press CTRL+ALT+DELETE -> specify the credentials of an account that is a member of “Schema Admins”, “Enterprise Admins” and “Domain Admins”.
Start -> Administrative Tools -> Server Manager.
From the left pane, right click on Roles -> Add Roles -> Next -> select “Web Server (IIS)” -> click Next twice -> select the following role services:

Web Server
    Common HTTP Features: Static Content, Default Document, Directory Browsing, HTTP Errors,
    HTTP Redirection
    Application Development: .NET Extensibility, ASP, ISAPI Extensions
    Health and Diagnostics: HTTP Logging, Logging Tools, Tracing, Request Monitor
    Security: Windows Authentication, Client Certificate Mapping Authentication, IIS Client Certificate Mapping Authentication, Request Filtering
    Performance: Static Content Compression
Management Tools
    IIS Management Console
    IIS Management Scripts and Tools
    IIS 6 Management Compatibility: IIS 6 Metabase Compatibility

Click Next -> click Install -> click Close.
From the left pane, right click on Features -> Add Features -> Next -> expand “Windows Process Activation Service” -> select “.NET Environment” and “Configuration APIs” -> select the feature “.NET Framework 3.5.1 Features” -> click Next -> click Install -> click Close.
From the left pane, right click on Roles -> Add Roles -> Next -> select “Active Directory Certificate Services” -> click Next twice -> select the following role services:
- Certification Authority
- Certification Authority Web Enrollment
- Certificate Enrollment Policy Web Service
Click Next and configure the following settings:
- Setup Type: Enterprise
- CA Type: Subordinate CA
- Private Key: Create a new private key
- Cryptography: Cryptographic service provider (CSP): RSA#Microsoft Software Key Storage Provider; key length: 2048; hash algorithm: SHA256
- CA Name: Common name: the subordinate server's NetBIOS name; distinguished name suffix: leave the default domain settings
- Certificate Request: Save a certificate request to file and manually send it later
- Certificate Database: leave the default settings
- Authentication Type: Windows Integrated Authentication
- Server Authentication Certificate: Choose and assign a certificate for SSL later
Click Next twice -> click Install -> click Close.
Close the Server Manager.
Start -> Administrative Tools -> Certification Authority.
From the left pane, right click on “Certification Authority (Local)” -> “Retarget Certification Authority” -> choose “Another computer” -> specify the RootCA hostname -> click Finish.
Right click on the RootCA server name -> Properties -> Extensions tab -> extension type: CRL Distribution Point (CDP):
- Uncheck “Publish Delta CRLs to this location”.
- Mark the line beginning with “LDAP” and click Remove.
- Mark the line beginning with “HTTP” and click Remove.
- Mark the line beginning with “file” and click Remove.
- Click Add -> as the location, enter: http://wwwca/CertEnroll/RootCA... (the remainder of the location string did not survive on this page)
- Click on the line beginning with “C:\Windows” and make sure the only option checked is “Publish CRLs to this location”.
Extensions tab -> extension type: Authority Information Access (AIA):
- Mark the line beginning with “LDAP” and click Remove.
- Mark the line beginning with “HTTP” and click Remove.
- Mark the line beginning with “file” and click Remove.
- Click Add -> as the location, enter: http://wwwca/CertEnroll/RootCA... (the remainder of the location string did not survive on this page)
From the “Certification Authority” left pane, right click on “Revoked Certificates” -> Properties:
- CRL publication interval: 1
- Make sure “Publish Delta CRLs” is not checked
Click OK.
Right click on the CA name -> All Tasks -> Stop Service.
Right click on the CA name -> All Tasks -> Start Service.
Run the command below from the command line to configure the Offline Root CA to publish to Active Directory (the forest DN is a placeholder; the post does not preserve it):
    certutil -setreg CA\DSConfigDN "CN=Configuration,DC=<forest root domain>"
From the “Certification Authority” left pane, right click on “Revoked Certificates” -> All Tasks -> Publish -> click OK.
Close the “Certification Authority” snap-in and log off the subordinate CA server.
Log in to a domain controller in the forest root domain with an account that is a member of Domain Admins and Enterprise Admins.
Copy the files below from the Offline Root CA server to a temporary folder on the domain controller:
    C:\Windows\System32\CertSrv\CertEnroll\*
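The snap-in work above (CDP and AIA locations, no delta CRLs, CRL interval, DSConfigDN, service restart and CRL publish) as a PowerShell script that drives certutil against the remote root CA; this is an added example, not from the original post. It assumes the CA configuration string 'RootCA\RootCA', uses certutil's standard %1/%3/%4/%8/%9 file-name tokens where the post's HTTP location string is truncated, keeps the default local publish paths, and uses placeholders for the forest DN and the CRL period unit, neither of which the page preserves.

```powershell
# Added example, not the post's own commands. Assumed values are marked below.
$Config   = 'RootCA\RootCA'            # <server>\<CA name>, assumed
$HttpBase = 'http://wwwca/CertEnroll'  # HTTP publishing host from the post
$ForestDn = 'DC=example,DC=local'      # placeholder: your forest root DN
$CrlUnit  = 'Weeks'                    # placeholder: unit not preserved on the page

# CRL Distribution Point (CDP). Per-entry flags: 1 = publish CRLs to this
# location, 2 = include the URL in the CDP extension of issued certificates.
# Flag 64 (publish delta CRLs) is deliberately absent. %3 = CA name,
# %8 = CRL name suffix, %9 = delta CRL allowed; certutil expands the tokens.
$Cdp = @(
    '1:C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl'
    "2:$HttpBase/%3%8%9.crl"
) -join '\n'          # literal \n is certutil's REG_MULTI_SZ separator

# Authority Information Access (AIA). Flags: 1 = publish the CA certificate to
# this path, 2 = include the URL in the AIA extension of issued certificates.
# %1 = server DNS name, %4 = certificate (renewal) index.
$Aia = @(
    '1:C:\Windows\System32\CertSrv\CertEnroll\%1_%3%4.crt'
    "2:$HttpBase/%1_%3%4.crt"
) -join '\n'

certutil -config $Config -setreg CA\CRLPublicationURLs    $Cdp
certutil -config $Config -setreg CA\CACertPublicationURLs $Aia
certutil -config $Config -setreg CA\CRLPeriodUnits 1
certutil -config $Config -setreg CA\CRLPeriod $CrlUnit
certutil -config $Config -setreg CA\CRLDeltaPeriodUnits 0   # 0 disables delta CRLs
certutil -config $Config -setreg CA\DSConfigDN "CN=Configuration,$ForestDn"

# Restart the remote service so the registry values take effect (the cmdkey
# credentials stored earlier make the Server Core root reachable), then publish.
sc.exe \\RootCA stop  CertSvc | Out-Null
Start-Sleep -Seconds 5
sc.exe \\RootCA start CertSvc | Out-Null
certutil -config $Config -crl

# Check: only the local file entry and the HTTP entry should be listed.
certutil -config $Config -getreg CA\CRLPublicationURLs
certutil -config $Config -getreg CA\CACertPublicationURLs
```

Run it from the subordinate CA server with the same account that retargeted the snap-in; the final two commands show the stored lists so a stray LDAP or file:// entry is caught before the CRL is distributed.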
Start -> Administrative Tools -> Group Policy Management.
From the left pane, expand the forest name -> expand Domains -> expand the relevant domain name -> right click on “Default Domain Policy” -> Edit.
From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> expand “Public Key Policies” -> right click on “Trusted Root Certification Authorities” -> Import -> click Next -> click Browse to locate the CRT file from the Root CA -> click Open -> click Next twice -> click Finish -> click OK.
Log off the domain controller.
Return to the subordinate enterprise CA server.
Start -> Administrative Tools -> Certification Authority.
From the left pane, right click on “Certification Authority (Local)” -> “Retarget Certification Authority” -> choose “Another computer” -> specify the RootCA hostname -> click Finish.
Right click on the RootCA server name -> All Tasks -> Submit new request -> locate the subordinate CA request file -> click Open.
Expand the RootCA server name -> right click on “Pending Requests” -> locate the subordinate CA request ID according to the date -> right click on the request -> All Tasks -> Issue.
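The “Submit new request” and “Issue” steps above as a PowerShell script using certreq and certutil, continued with the retrieval and installation of the issued certificate on the subordinate and a chain check that the post does not include; this is an added example, not the author's procedure. It assumes the root CA configuration string 'RootCA\RootCA' and the request and certificate file paths shown.

```powershell
# Added example, not the post's own commands. Assumed values are marked below.
$RootConfig = 'RootCA\RootCA'   # <server>\<CA name>, assumed
$Request    = 'C:\SubCA.req'    # request file saved by the AD CS wizard, assumed path
$CertOut    = 'C:\SubCA.crt'    # where the issued certificate is written, assumed

# 1. Submit the request (the "Submit new request" step). An offline root issues
#    nothing automatically, so certreq reports "Taken Under Submission" and
#    prints the RequestId that now sits under "Pending Requests".
$submit    = certreq -submit -config $RootConfig $Request $CertOut
$m         = $submit | Select-String 'RequestId:\s*(\d+)' | Select-Object -First 1
$requestId = [int]$m.Matches[0].Groups[1].Value

# 2. Issue it (the "All Tasks -> Issue" step) and retrieve the signed certificate.
certutil -config $RootConfig -resubmit $requestId
certreq  -retrieve -config $RootConfig $requestId $CertOut

# 3. Install the issued CA certificate on the subordinate and start its service.
certutil -installcert $CertOut
net start CertSvc

# 4. Check before trusting the chain: every AIA and CDP URL must resolve, or
#    clients will fail revocation checking once the root is powered off again.
$verify = certutil -verify -urlfetch $CertOut
if ($verify -match 'ERROR:') {
    Write-Warning 'AIA/CDP fetch failed: verify the http://wwwca/CertEnroll publishing'
}
```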