Certificate security has lately become a major topic in today's tech world. Indeed, compromising on it is a huge risk for a system administrator to take.
Since every computer on the internet is part of some computer network, I have decided to create this step-by-step tutorial, which also comes with a video, to help reduce the risk of losing data to intruders, hackers, or attackers.
The tutorial is based on the Windows Server 2016 operating system.
Prerequisite
Before you continue, you must have:
A running domain, with the necessary IP address configuration and basic server role operation skill.
Content
- Installing ADCS on ROOTCA-VTB Server
- Configuring the ADCS on ROOTCA-VTB Server
- Configuring ISSUINGCA-VTB as a Web Server
- Publishing CRL and AIA Locations from ROOTCA-VTB
- Putting the Certificates on a Central Storage for Use
- Copying the Certificates to the Shared Location
- Installing the CA and CA Web Enrollment on ISSUINGCA-VTB
- Configuring ISSUINGCA-VTB
- Issuing and Applying the Subordinate CA Certificate
- Viewing Your Certificate
Configuring the Offline Root Certificate Authority
<h2 id="installing-adcs-on-rootca-vtb-server"><strong>Section 1: Installing ADCS on ROOTCA-VTB Server</strong></h2>
Step 1 – Open Server Manager. From the Manage dropdown menu on the top-left, select Add Roles and Features.
Step 2 – On the Before You Begin screen, select Next. When the Installation Type screen appears, select Role-based or feature-based installation, then select Next.
Step 3 – On the Destination Server screen, select the server and click Next.
Step 4 – On the Select Server Roles screen, choose Active Directory Certificate Services. On the pop-up, select Add Features, and click Next.
Step 5 – On the Select Features screen, do not select any feature. Just click Next, and then on the Active Directory Certificate Services screen, click Next.
Step 6 – On the Select Role Services screen, select Certificate Authority, click Next, and then select Install.
<h2 id="configuring-adcs-on-rootca-vtb-server"><strong>Section 2: Configuring the ADCS on ROOTCA-VTB Server</strong></h2>
After the installation is complete, continue with the configuration.
Step 1 – On the Installation Progress screen, click Configure Active Directory Certificate Services on the destination server.
The ADCS Configuration console will pop up.
Step 2 – On the Credentials screen, click Next.
Step 3 – On the Role Services screen, select Certificate Authority and click Next.
Step 4 – On the Setup Type screen, select Standalone CA and click Next.
Step 5 – On the CA Type screen, select Root CA and click Next.
Step 6 – On the Private Key screen, select Create a new private key.
Step 7 – On the Cryptography for CA screen, keep the default 2048-bit key length, then click Next.
Step 8 – On the CA Name screen, give the CA a meaningful name.
Example:
ROOT-CA-VTB
Then click Next.
Step 9 – On the Validity Period screen, specify the number of years you prefer. I typed 10 years, then clicked Next.
Step 10 – On the CA Database screen, do not change the path, and click Next.
Step 11 – On the Confirmation screen, click Configure.
<h2 id="configuring-issuingca-vtb-as-web-server"><strong>Section 3: Configuring ISSUINGCA-VTB as a Web Server</strong></h2>
Switch to the ISSUINGCA-VTB Server.
Log in as the Domain Administrator. My username is:
VincentTechBlog\Administrator
Then enter your password.
Step 1 – Open Server Manager. From the Manage dropdown menu on the top-right, select Add Roles and Features.
Step 2 – On the Before You Begin screen, select Next.
Step 3 – When the Installation Type screen appears, select Role-based or feature-based installation, then select Next.
Step 4 – On the Select Server Roles screen, choose Web Server (IIS).
Step 5 – On the pop-up, select Add Features, and click Next.
Step 6 – On the Select Features screen, do not select any feature. Just click Next.
Step 7 – On the Web Server (IIS) screen, click Next.
Step 8 – On the Confirm Installation Selection screen, click Install.
Now we will create a folder called CertData in the web root location:
C:\inetpub\wwwroot\CertData
This folder will be used to store the certificate files.
<h2 id="publishing-crl-and-aia-locations"><strong>Section 4: Publishing CRL and AIA Locations from ROOTCA-VTB</strong></h2>
Switch back to the ROOTCA-VTB server to continue the configuration.
Step 1 – On Server Manager, click Tools from the dropdown options and select Certificate Authority.
Step 2 – On the Certificate Authority console, right-click ROOTCA-VTB-CA and select Properties.
Step 3 – Select the Extensions tab.
Step 4 – In the Select extension dropdown, select CRL Distribution Point (CDP), and click Add.
NOTE: Ensure the following options are checked:
Publish CRLs to this location
Publish Delta CRLs to this location
Step 5 – On the Add Location pop-up console, add the location and click OK.
Mine is:
http://issuingca-vtb.vincenttechblog.com/CertData/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
Step 6 – Back on the Extensions list, you will see that the new location now appears in the list and is selected.
NOTE: Ensure the following options are checked:
Include in CRLs. Clients use this to find Delta CRL locations
Include in the CDP extension of issued certificates
Step 7 – Now, on the Select extension dropdown, select Authority Information Access (AIA) and click Add.
Step 8 – On the Add Location pop-up console, add the location and click OK.
Mine is:
http://issuingca-vtb.vincenttechblog.com/CertData/<ServerDNSName>_<CaName><CertificateName>.crt
Step 9 – Back on the Extensions list, you will see that the new location now appears in the list and is selected.
NOTE: Ensure the following option is checked:
Include in the AIA extension of issued certificates
Step 10 – Click Apply. Active Directory Certificate Services will restart automatically.
Publishing the CRLs
Step 11 – Right-click Revoked Certificates, select All Tasks, and then select Publish.
Step 12 – On the Publish CRL console, under the Type of CRL to publish section, ensure the New CRL radio button is selected and click OK.
Now our CRL is published locally. We need to copy the published files to the Issuing CA.
Step 13 – Go to:
C:\Windows\System32\CertSrv\CertEnroll
You will find our CRL file and the AIA certificate (.crt) file.
Note: We need to add the CA certificate there as well.
Step 14 – Switch to the Certificate Authority Console.
Right-click ROOTCA-VTB-CA, select Properties, then click View Certificate.
Step 15 – On the pop-up, switch to the Details tab and click Copy to File.
Step 16 – On the Certificate Export Wizard, click Next.
Step 17 – Under Export File Format, select:
DER encoded binary X.509 (.CER)
Then click Next.
Step 18 – On the File to Export screen, click Browse and specify the CertEnroll location:
C:\Windows\System32\CertSrv\CertEnroll
Save the certificate there.
I called mine:
rootca_Certificate
Then click Next and Finish.
Now we have three files in the CertEnroll folder: the CRL, the AIA .crt file, and the exported root CA .cer file.
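The Section 4 settings as commands, added here as an example and not part of the tutorial: run in an elevated PowerShell on ROOTCA-VTB. certutil writes the same registry values the Extensions tab edits, but spells the variables the UI shows as <ServerDNSName>, <CaName>, <CertificateName>, <CRLNameSuffix> and <DeltaCRLAllowed> as %1, %3, %4, %8 and %9. The HTTP host name and the file names are the tutorial's; the CRL lifetime values are my choice.

```powershell
# Added example, not the tutorial's own code. Run elevated on ROOTCA-VTB.
$http  = 'http://issuingca-vtb.vincenttechblog.com/CertData'
$local = "$env:windir\system32\CertSrv\CertEnroll"

# CDP locations. Flag bits: 1 = publish CRLs here, 64 = publish delta CRLs here
# (only possible for a file path: certsvc cannot write to an http:// URL, which is
# why the tutorial copies the files by hand), 2 = include in the CDP extension of
# issued certificates, 4 = include in CRLs so clients can find delta CRLs.
# certutil -setreg splits the value into a REG_MULTI_SZ at each literal \n.
certutil -setreg CA\CRLPublicationURLs "65:$local\%3%8%9.crl\n6:$http/%3%8%9.crl"

# AIA locations. Flag bits: 1 = publish the CA certificate here,
# 2 = include in the AIA extension of issued certificates.
certutil -setreg CA\CACertPublicationURLs "1:$local\%1_%3%4.crt\n2:$http/%1_%3%4.crt"

# Caveat for an offline root: the default base CRL lifetime is one week. Once the
# root is powered off, every certificate below it fails chain validation as soon as
# that CRL expires, so give it a long life (52 weeks here, my choice) and schedule
# a republish before it runs out. Many deployments also disable delta CRLs on an
# offline root (their default lifetime is one day); the tutorial leaves them on.
certutil -setreg CA\CRLPeriodUnits 52
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0

# Apply the new values, publish a fresh base CRL (steps 11-12) and export the root
# certificate in DER form under the name the tutorial uses (steps 14-18).
Restart-Service -Name CertSvc
certutil -crl
certutil -ca.cert "$local\rootca_Certificate.cer"

# The CRL, the AIA .crt and the exported .cer should now all be in CertEnroll.
Get-ChildItem -Path $local
```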
<h2 id="putting-certificates-on-central-storage"><strong>Section 5: Putting the Certificates on a Central Storage for Use</strong></h2>
Step 1 – Create a folder on the C: drive of the ISSUINGCA-VTB server called:
Certs
Step 2 – Right-click the Certs folder and click Properties.
Step 3 – Click the Security tab, then click Share.
Step 4 – On the File Sharing screen, click the dropdown and select Find People.
Step 5 – Type:
Authenticated Users
Then click Check Names.
Step 6 – Set the permission level for Authenticated Users to:
Read/Write
Step 7 – Click Share and then click Done.
Now that the folder is shared, switch back to ROOTCA-VTB.
<h2 id="copying-certificates-to-shared-location"><strong>Section 6: Copying the Certificates to the Shared Location</strong></h2>
Step 1 – Open the CertEnroll folder on ROOTCA-VTB:
C:\Windows\System32\CertSrv\CertEnroll
Step 2 – Copy all three certificates to the shared location:
\\Issuingca-vtb\Certs
Step 3 – Go to DC1-VTB.
Step 4 – On Server Manager, from the Tools dropdown menu, select Group Policy Management.
Step 5 – Expand the Forest node, then expand Domains, then select:
vincenttechblog.com
Step 6 – Right-click Default Domain Policy and select Edit.
Step 7 – On the Group Policy Management Editor, expand:
Computer Configuration
Policies
Windows Settings
Security Settings
Public Key Policies
Step 8 – Right-click Trusted Root Certification Authorities and select Import.
Step 9 – On the Certificate Import Wizard, click Next.
Step 10 – Browse for the CA certificate.
In the address bar, type:
\\issuingca-vtb\certs
Step 11 – Select:
rootca_Certificate
Click Open, then click Next.
Step 12 – Click Next again, and then click Finish.
Your import should be successful.
Step 13 – Go to Command Prompt and type:
gpupdate /force
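An alternative to the Group Policy import in steps 4-13, added here as an example and not part of the tutorial: publishing the root certificate into Active Directory with certutil, then verifying that a domain member trusts it. Run as a Domain Admin (with Enterprise Admin rights for the publish step) on DC1-VTB; the share path and file name are the tutorial's.

```powershell
# Added example, not the tutorial's own code.
$rootCer = '\\issuingca-vtb\certs\rootca_Certificate.cer'

# Publish the root certificate into the Configuration partition (RootCA = the
# CN=Certification Authorities container). Domain-joined machines pull it into
# their Trusted Root store on the next policy refresh, so no GPO edit is needed.
certutil -dspublish -f $rootCer RootCA

# Refresh policy on this machine right away (the tutorial's step 13).
gpupdate /force

# Verification, valid for the GPO method too: the root must appear in the
# machine's Trusted Root store and must match the file that was published.
$expected = (Get-PfxCertificate -FilePath $rootCer).Thumbprint
$trusted  = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $expected }
if (-not $trusted) {
    throw "ROOT-CA-VTB ($expected) is not in the Trusted Root store on this machine yet"
}
$trusted | Format-List Subject, Thumbprint, NotAfter
```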
<h2 id="installing-ca-and-ca-web-enrollment"><strong>Section 7: Installing the CA and CA Web Enrollment on ISSUINGCA-VTB</strong></h2>
Step 1 – Go to ISSUINGCA-VTB.
Step 2 – Switch to Server Manager.
Step 3 – From the Manage dropdown, select Add Roles and Features.
Step 4 – From the pop-up wizard, click Next.
Step 5 – Select Role-based or feature-based installation, and click Next.
Step 6 – Select your destination server and click Next.
Step 7 – Choose the Active Directory Certificate Services role and click Next.
Step 8 – Select Add Features from the feature pop-up screen and click Next.
Step 9 – On the Select Features screen, click Next.
Step 10 – On the Active Directory Certificate Services screen, click Next.
Step 11 – On the Select Role Services screen, select:
Certificate Authority
Certificate Authority Web Enrollment
Step 12 – On the Add Roles and Features Wizard pop-up screen, click Add Features and click Next.
Step 13 – On the Confirm Installation Selections screen, click Install.
<h2 id="configuring-issuingca-vtb"><strong>Section 8: Configuring ISSUINGCA-VTB</strong></h2>
Step 1 – On the Installation Progress screen, after the installation succeeds, click:
Configure Active Directory Certificate Services on the Destination Server
Step 2 – On the Credentials screen, ensure you are logged in with the domain admin.
Example:
VINCENTTECHBLOG\Administrator
Then click Next.
Step 3 – On the Role Services screen, select:
Certificate Authority
Certificate Authority Web Enrollment
Then click Next.
Step 4 – On the Setup Type screen, choose Enterprise CA and click Next.
Step 5 – On the CA Type screen, choose Subordinate CA and click Next.
Step 6 – On the Private Key screen, choose Create a new private key and click Next.
Step 7 – On the Cryptography for CA screen, leave the default values and click Next.
Step 8 – On the CA Name screen, enter a friendly common name.
Mine is:
ISSUING-VTB-CA
Then click Next.
Step 9 – On the Certificate Request screen, choose:
Save a certificate request to file on the target machine
My location is:
C:\
on the ISSUINGCA-VTB server.
Step 10 – On the CA Database screen, leave the certificate database location as default and click Next.
Step 11 – On the Confirmation screen, click Configure.
Step 12 – When configured, go to the C: drive and find the request file.
Step 13 – Copy the request file to ROOTCA-VTB.
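The Server Manager wizards of Sections 1-2 (root CA) and 7-8 (issuing CA) as PowerShell, added here as an example and not part of the tutorial. CA names, key length and validity period are the tutorial's; the request file name and the SHA256 hash (the value the 2016 wizard offers by default) are my choices.

```powershell
# Added example, not the tutorial's own code. Each part runs elevated on its server.

# --- ROOTCA-VTB (Sections 1-2): standalone root CA, 2048-bit key, 10-year validity.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName 'ROOT-CA-VTB' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 -Force

# --- ISSUINGCA-VTB (Sections 7-8), logged on as VINCENTTECHBLOG\Administrator:
# enterprise subordinate CA plus Web Enrollment. With no -ParentCA given, the cmdlet
# cannot get a certificate online and instead writes a request file for the offline
# root; the CA stays stopped until that certificate is installed (Section 9).
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CACommonName 'ISSUING-VTB-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 -HashAlgorithmName SHA256 `
    -OutputCertRequestFile 'C:\ISSUING-VTB-CA.req' -Force
Install-AdcsWebEnrollment -Force

# This is the file to carry to ROOTCA-VTB (Section 8, steps 12-13).
Get-Item -Path 'C:\ISSUING-VTB-CA.req'
```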
<h2 id="issuing-and-applying-subordinate-ca-certificate"><strong>Section 9: Issuing and Applying the Subordinate CA Certificate</strong></h2>
Step 1 – On ROOTCA-VTB, open the Certificate Authority Console.
Step 2 – Right-click the ROOTCA-VTB-CA node and select:
All Tasks > Submit New Request
Step 3 – On the Open Request File pop-up, select the request file you copied from ISSUINGCA-VTB.
Step 4 – Switch to the Pending Requests node.
The new request will be pending.
Step 5 – Right-click the pending request, select All Tasks, and click Issue.
Step 6 – Switch to Issued Certificates.
You will find the Subordinate CA certificate.
Step 7 – Open the certificate, switch to the Details tab, and click Copy to File.
Step 8 – On the Certificate Export Wizard, click Next.
Step 9 – On the Export File Format screen, choose:
Cryptographic Message Syntax Standard — PKCS #7 Certificates (.P7B)
Then select:
Include all certificates in the certification path if possible
Click Next.
Step 10 – Click Browse, specify a name for it, and save it in:
C:\Windows\System32\CertSrv\CertEnroll
on the ROOTCA-VTB server.
Mine is:
IssuingCACertificate
Then click Next and Finish.
Step 11 – Copy the IssuingCACertificate.p7b certificate and paste it into:
\\Issuingca-vtb\C$\Certs
The Certs folder is on the C: drive of the Issuing CA.
Now go to the Issuing CA to apply the new certificate.
Step 12 – Go to:
C:\Certs
Step 13 – Copy the CRL and CRT files and paste them into:
C:\inetpub\wwwroot\CertData
Step 14 – Open the Certificate Authority Console.
Step 15 – Right-click the ISSUINGCA-VTB-CA node, select All Tasks, and choose Install CA Certificate.
Step 16 – Find the certificate in the:
C:\Certs
folder and click Open.
Step 17 – Right-click ISSUINGCA-VTB-CA, select All Tasks, and choose Start Service.
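Steps 12-17 as PowerShell on ISSUINGCA-VTB, followed by the checks a two-tier PKI should pass before clients depend on it; added here as an example and not part of the tutorial. Paths, the .p7b name and the HTTP location are the tutorial's; the exported .cer name is my choice.

```powershell
# Added example, not the tutorial's own code. Run elevated on ISSUINGCA-VTB.
$certs    = 'C:\Certs'
$certData = 'C:\inetpub\wwwroot\CertData'
$p7b      = "$certs\IssuingCACertificate.p7b"
$baseUrl  = 'http://issuingca-vtb.vincenttechblog.com/CertData'

# Step 13: the root CRL and root certificate go under the IIS CertData folder.
Copy-Item -Path "$certs\*.crl", "$certs\*.crt" -Destination $certData

# Delta CRL file names contain a '+' (for this root: ROOT-CA-VTB+.crl). IIS request
# filtering rejects that character unless double escaping is allowed on the site,
# and clients would then get 404 for the delta CRL.
& "$env:windir\system32\inetsrv\appcmd.exe" set config 'Default Web Site' `
    /section:system.webServer/security/requestFiltering /allowDoubleEscaping:true

# Steps 15-17: install the certificate the root issued, then start the CA.
certutil -installcert $p7b
Start-Service -Name CertSvc

# Check 1: every file in CertData is reachable at the URL clients will use.
# Invoke-WebRequest throws on a 404, so a missing or blocked file stops the script.
Get-ChildItem -Path $certData -File | ForEach-Object {
    $url = "$baseUrl/$($_.Name)"
    $r = Invoke-WebRequest -Uri $url -UseBasicParsing
    '{0} {1}' -f $r.StatusCode, $url
}

# Check 2: the issuing CA's own certificate must chain to ROOT-CA-VTB and every CDP
# and AIA URL inside it must be fetchable. Any 'Failed' line means domain clients
# will not be able to validate certificates issued by this CA.
certutil -ca.cert "$certs\ISSUING-VTB-CA.cer" | Out-Null
$report = certutil -verify -urlfetch "$certs\ISSUING-VTB-CA.cer"
$report | Select-String -Pattern '^\s*(Verified|Failed)\s+"' | ForEach-Object Line
```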
<h2 id="viewing-your-certificate"><strong>Section 10: Viewing Your Certificate</strong></h2>
Now to see your certificate:
Step 1 – Open the Run dialog box.
Step 2 – Type:
certmgr.msc
Step 3 – Open the Intermediate Certification Authorities node.
Step 4 – Select Certificates.
You will find the certificate issued to:
ISSUINGCA-VTB-CA
Continue to part 2…