Comments

Latest Posts

Install AD & CS (Certification Service) on Windows Server 2016 to Deploy Enterprise PKI

This is an example deployment of AD DS / AD FS  and AD CS for Enterprise PKI to integrate with AD.



Install AD 

You will need to have your Active Directory Server installed first. If not, here is a post to follow:

Notes: Windows Server 2016 How to Configure AD DS (Domain Controller)
https://pc-addicts.com/setup-active-directory-server-2016/

Two step:
1. Install Active Directory Dmain Services
DNS server will be installed in step 2, during promoting server to a DC.

2. After installation completed, promote the server to a domain controller.


If there is requirement to resolve external dns, you can add following two public DNS servers into forwarders list:


Do not forget to install IIS web server:



Install AD DS and AD FS








Follow the instruction , next , next, until complete the installation.


Configure AD DS and AD FS

After installation completed, before you install AD CS, complete the configuration of AD DS and AD FS. Start with AD DS.

Add a new forest : 51sectest.dev

Keep your netbios domain name and path as default, next


Reboot machine then you can continue configuring AD FS. (It is optional)

To configure AD FS, you will need a pfx/pkcs12 format SSLcertificate.




Install AD CS




You will need to add CA Web Enrollment role into CS. It will prompt you to add more IIS services in.




That's it for installation. 


Configure AD CS

Choose following four roles one by one to configure.
You can choose more roles. But basically, two roles are enough: CA, and CA Web Enrollment.


Make sure you are using administrator account, else you only can choose standalone CA, not enterprise CA.



Choose Enterprise CA




Choose Root CA

Create a private key

Choose cryptographic provider: Microsoft software cryptographic program. , SHA256, Key length, 4096

Other option will be default.


Create a new user : NDES



Add it into IIS_IUSRS and Domain Admins Groups


For following two roles, you will need to use this NDES account to configure them:




Generate Certificate Request & Submit to MS CA to Sign, Install and Replace existing Web Cert






References



















No comments