Install AD & CS (Certification Service) on Windows Server 2016 to Deploy Enterprise PKI - NETSEC



Sunday, May 31, 2020

Install AD & CS (Certification Service) on Windows Server 2016 to Deploy Enterprise PKI

This is an example deployment of AD DS, AD FS and AD CS for an Enterprise PKI integrated with Active Directory.

Install AD

You will need to have your Active Directory Server installed first. If not, here is a post to follow:

Notes: Windows Server 2016 How to Configure AD DS (Domain Controller)

Two steps:
1. Install Active Directory Domain Services.
The DNS server will be installed in step 2, while promoting the server to a DC.

2. After the installation completes, promote the server to a domain controller.

If you need to resolve external DNS names, you can add the following two public DNS servers to the forwarders list:

Do not forget to install the IIS web server:

Install AD DS and AD FS

Follow the wizard, clicking Next until the installation completes.

Configure AD DS and AD FS

After the installation completes, and before you install AD CS, finish configuring AD DS and AD FS. Start with AD DS.

Add a new forest:

Keep the NetBIOS domain name and paths at their defaults, then click Next.

Reboot the machine; then you can continue with configuring AD FS (optional). To configure AD FS, you will need an SSL certificate in PFX/PKCS12 format.

To install AD FS, see the post "Active Directory Federation Services in Windows Server 2016".

Install AD CS

You will need to add the CA Web Enrollment role service to AD CS. It will prompt you to add more IIS services.

That's it for the installation.

Configure AD CS

Choose the following four roles one by one to configure them.
You can choose more roles, but two are basically enough: CA and CA Web Enrollment.

Make sure you are using an administrator account; otherwise you can only choose a standalone CA, not an enterprise CA.

Choose Enterprise CA

Choose Root CA

Create a private key

Choose the cryptographic provider (Microsoft software cryptographic provider), hash algorithm SHA256, and key length 4096.

Leave the other options at their defaults.

To configure the other roles (optional), you will need a new user for those steps:

Create a new user: NDES

Add it to the IIS_IUSRS and Domain Admins groups.

For the following two roles, you will need to use this NDES account to configure them:
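The steps above collected into one Windows PowerShell script, as an added example that is not from the original post. The domain name corp.example.com, NetBIOS name CORP, CA name CORP-ROOT-CA, the forwarder addresses and the password prompts are assumptions; the two remaining roles that the post configures with the NDES account are not included.

```powershell
# Added example (not from the original post): the AD DS / AD CS steps above as
# Windows PowerShell, run elevated on the Windows Server 2016 box. Domain name,
# NetBIOS name, CA name and forwarder addresses are placeholders.

# ---- Phase 1: AD DS and promotion to DC (DNS is installed here; the server reboots) ----
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSForest -DomainName "corp.example.com" -DomainNetbiosName "CORP" -InstallDns `
    -SafeModeAdministratorPassword (Read-Host "DSRM password" -AsSecureString) -Force

# ---- Phase 2: after the reboot, logged on with the domain administrator account ----
# Forwarders for external names; 192.0.2.x are documentation placeholders, not the post's servers.
Add-DnsServerForwarder -IPAddress 192.0.2.53, 192.0.2.54

# IIS first: CA Web Enrollment depends on it and pulls in further IIS components.
Install-WindowsFeature Web-Server -IncludeManagementTools
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# Enterprise Root CA with the settings from the post: software KSP, SHA256, 4096-bit key;
# everything else stays at the cmdlet defaults.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CACommonName "CORP-ROOT-CA" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -HashAlgorithmName SHA256 -KeyLength 4096 -Force
Install-AdcsWebEnrollment -Force

# Optional account for the remaining roles, as the post describes. On a DC the IIS_IUSRS
# group lives in the Builtin container, so Add-ADGroupMember reaches it. The post also
# adds the account to Domain Admins; NDES itself only needs IIS_IUSRS plus enroll rights
# on its templates, so that membership is broader than the role requires.
$ndesPwd = Read-Host "NDES account password" -AsSecureString
New-ADUser -Name "NDES" -SamAccountName "NDES" -AccountPassword $ndesPwd -Enabled $true
Add-ADGroupMember -Identity "IIS_IUSRS" -Members "NDES"
Add-ADGroupMember -Identity "Domain Admins" -Members "NDES"

# Check: the CA certificate in the machine store must report sha256RSA and a 4096-bit key.
$ca = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "CN=CORP-ROOT-CA*" }
"{0} | {1} | {2} bits" -f $ca.Subject, $ca.SignatureAlgorithm.FriendlyName, $ca.PublicKey.Key.KeySize
certutil -cainfo
```

Run Phase 1, let the server reboot, then run Phase 2 in a new elevated session; the final lines print the CA type and the signature/key parameters so a wrong provider or key length is caught before any certificates are issued.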

Generate Certificate Request & Submit to MS CA to Sign, Install and Replace existing Web Cert

