SolutionBase: Installing and configuring Certificate Services on Windows Server 2003

Certificates are essential to secure communications between client and server applications. Configuring Certificate Services in Windows Server 2003 may sound like an intimidating task, but these steps will help you get it done quickly.

With all of the security threats occurring on the Internet, it's important to be able to trust the resource you're connecting to and passing information. One way you can enable others to trust you, is by installing Certificate Services on your server. Here's how it's done using Windows Server 2003.

What is Certificate Services?

Certificate Services is included with Windows Server 2003 but not installed by default. The service is used to issue and manage certificates for a Public Key Infrastructure (PKI). ï¿?Certificate Services allows a computer running Windows Server 2003 to receive requests for certificates from users and computers, verify the identity of a requestor, issue and revoke certificates, and publish a Certificate Revocation List (CRL).

Author's note

In this daily drill down I will outline the steps you need to complete in order to install an Enterprise Certificate Authority. This article assumes you are familiar with the different types of certificate authorities and roles.

System requirements

Before you install Certificate Services, you should be aware of the system requirements. These will vary depending on the type of Certificate Authority (CA) you are installing. An Enterprise Root CA requires Active Directory, Domain Name Service (DNS), and Transmission Control Protocol / Internet Protocol (TCP/IP). The server on which you plan to install the Certificate Services must also be a member of a Windows Server 2003 domain where you are a member of the Enterprise Admins group.

Conversely if you are installing a Stand-alone CA, the system requirements change slightly. Active Directory is not required and administrative permissions are only needed on the server which you will install the service.


Installing an Enterprise Root Certificate Authority

Once you have met the system requirements, you are ready to install the Enterprise Root CA for your network. The Enterprise Root CA is at the top of the certificate authority hierarchy. This server is automatically registered in Active Directory and therefore trusted by all computers within the domain. The Enterprise Root CA for your organization is responsible for issuing certificates to Enterprise Subordinate CAs. These servers in turn issue certificates to users and computers within the domain. Every certificate issued within your domain can be traced back to the Enterprise Root CA.

In order to install and configure an Enterprise Root CA, you must log onto the server with a user account that belongs to the Domain Admins group. Click Start | Control Panel | Add or Remove Programs. From the Add or Remove Programs window, click Add/Remove Windows Components. When the Windows Components Wizard window appears as shown in Figure A, select the check box beside Certificate Services. ï¿?

Figure A

From the Windows Components window, select Certificate Services

Once you select Certificate Services, a warning message will appear indicating that the machine name and domain membership can not be changed after Certificate Services is installed. Click Yes to acknowledge the warning and click Next to continue with the installation.

From the CA Type window, you can choose the type of CA that you want to install. Since you are configuring an Enterprise root CA, you can leave the default option selected. If you want to configure custom settings, select Use custom settings to generate the key pair and CA certification. Custom settings include:

  • Cryptographic service provider (CSP) - The default CSP is Microsoft Strong Cryptographic Provider. You can also use a third party CSP.
  • Hash algorithm - The default value is SHA-1. You can change this value to any of the hash algorithms listed.
  • Key length - The default key length for Microsoft Strong Cryptographic Provider is 2048. This is the recommended value for a root CA. You can increase or decrease this value as required.
  • Existing keys - You can use an existing key pair instead of generating a new one. This is useful in situations where you have to restore or relocate an existing CA.

After you have selected the type of CA you want to create and optionally configured any custom settings, you can click Next to continue.

The next window, CA Identifying Information, is shown in Figure B. Here you are required to provide information that will be used to identify the CA and therefore, you should be as specific as possible. The common name for a CA is usually the same as its host name or computer name.

Figure B

Enter in the information that will identify the root CA

Keep in mind as well, that you will not be able to change any of the identifying information after the service is installed. The Validity period defines how long issued certificates remain valid. The default value for this field is 5 years. You can increase or decrease the number as necessary. Click Next after you have filled in the information.

From the Certificate Database Settings window, configure the location of the Certificate database, the Certificate database log, and the shared folder. The default location for the database and database log is C:\WINDOWS\system32\CertLog. You use the default value or use the Browse button to select a different location. Click Next. If Internet Information Services (IIS) is installed, a warning will appear indicating that IIS must be temporarily stopped. Click Yes to stop the service and continue.

Setup will configure the necessary components. If setup can not locate the necessary files, you will be prompted for the Windows Server 2003 CD-ROM to continue. If IIS is not installed, a warning will appear. IIS is required in order to use Certificate Services Web Enrollment Support. Click OK to acknowledge the message. Conversely, if IIS is installed a warning will appear stating that Active Server Pages (ASP) must be enabled in IIS for Certificate Services Web Enrollment Support. Click Yes if you want to enable ASP at this time.

Once the Completing the Windows Components Wizard appears, you can click Finish.

Installing a Subordinate Enterprise CA

An Enterprise Root CA is required before you can install a subordinate CA. Once you have completed the steps described above, you can install one or more Enterprise Subordinate CAs. This type of CA exists under the Enterprise Root CA in a certificate authority hierarchy. Enterprise Subordinate CAs can be created to issue specific types of certificates.

The process is slightly different for installing an Enterprise Subordinate CA. The first difference is the CA type that is selected. This time when you reach the CA type window, you will select Enterprise subordinate CA as shown in Figure C.

Figure C

You can install an Enterprise Subordinate CA after the Enterprise Root CA is in place

Secondly, after you specify the location of the database, database log, and Shared folder, the CA Certificate Request window will appear as shown in Figure D. From here you must specify what the Enterprise subordinate CA should do with certificate requests. Usually requests will be sent to a specific computer or to a Parent CA. Once you have provided the name of the parent CA or computer, click Next to continue through the rest of the installation process.

Figure D

Specify what the subordinate CA should do with certificate requests

Using the Certificate Authority Console

After Certificate Services is installed, you can manage it using the Certificate Authority mmc. The console allows you to perform a number of different tasks including:

  • Stop and start the service
  • Backup and restore a CA
  • Renew a CA certificate
  • Configure the policy and exit modules
  • Manage certificates that have been issued and revoked
  • Manage certificate requests
  • Configure event auditing
  • Set security permissions
  • Create and view CRLs
  • Set the publication interval for the CRL

On the CA, you can open the console by clicking Start | Administrative Tools | Certificate Authority. If you want to manage a CA from another computer, you must create the snap-in. Click Start | Run and type mmc.

When the console opens, click File | Add/Remove Snap-in. Click Add from the Add/Remove Snap-in window. Select Certificate Authority from the list of available snap-ins and click Add. Select the radio button beside Another computer. Type in the computer name of the CA on the network you want to manage or use the Browse button to locate it. Click Finish.

When you return to the Add Standalone Snap-in window, click Close. Finally, click OK to close the Add/Remove Snap-in window. You can save the console by clicking File | Save As. Type in an appropriate file name for the console so you can easily identify it and then click Save.

When you open the Certificate Authority console, you will see your CA listed as shown in Figure E. Expand the CA by clicking the plus sign beside it and the following containers will appear:

  • Revoked Certificates - Provides information about the certificates that have been revoked by the CA.
  • Issues Certificates - Provides information about the certificates that have been issued by the CA.
  • Pending Requests - Provides information about certificate requests for the CA that are still awaiting approval.
  • Failed Requests - Provides information about all failed certificate requests including why each request failed.
  • Certificate Templates - Lists the type of certificates that the CA can issue. This container is only available on Enterprise CAs.

Figure E

The Certificate Authority console is used to manage a CA
h1>Configuring a Certificate Authority

You can begin configuring a CA from its properties window. Within the Certificate Authority console, right click the CA and select Properties. A window similar to the one shown in Figure F will appear.

Figure F

Configure a CA through its Properties window

By default, the General tab should already be the active tab in the window. This tab just provides some basic information about the CA such as the common name and Cryptographic setting. If you recall, these settings were configured during the installation of Certificate Services.

Policy Modules determine whether certificate requests are issued, denied, or marked as pending. The Policy Module tab can be used by an Administrator to specify what the CA should do when a certificate request is received.

Conversely, you can use the Exit Module tab to specify what the CA should do after a certificate has been issued. A CA can be configured to publish issued certificates to Active Directory and/or a file system.

The Extensions tab is used to configure CRL settings. By clicking the Add button, you can specify a CRL distribution point. The Storage tab displays information about where the Certificate database and the Request log are stored. Configuration data can be stored in Active Directory or in a shared folder. On an Enterprise CA, configuration data is automatically stored within Active Directory.

The Security tab enables you to configure access privileges. By default, Authenticated Users are assigned the Request Certificates permission. This permission is enabled for all users who are logged onto the domain to request certificates allowing them to request certificates from the CA. The local Administrators group, Domain Admins, and Enterprise Admins group are assigned the Issue and Manage Certificates permission and the Manage CA permission which gives them full control of the CA. If the default permissions do not meet your requirements, you can use the Security tab to modify them.

The options available on the Recovery Agents tab are used to configure whether private keys are archived. In Windows Server 2003, private keys for specific certificates can be archived so they can be recovered in the event that they are lost. The CA will store the private key within its database. The process of recovering a private key includes two different phases: key archival and key recovery. Once a key has been archived, it can be recovered by a key recovery agent.

Certificate Services can be configured to log events to the Security log. From the Auditing tab you can pick which types of events you want to audit. When an event occurs it will be written to the Windows Server 2003 Security log and you can use the Windows Event Viewer to examine the contents of the log file.

Finally, the Certificate Managers Restrictions tab can be used to apply further restrictions to certificate managers. A certificate manager is any user that has been assigned the Issue and Manage certificates permission (you can use the Security tab to assign this permission). You can use the Certificate Managers Restrictions tab to then define which users, groups, or computers a certificate manager is allowed to manage.

That's all there is to it

Installing and configuring a Certificate Authority is not a difficult task, as long as you have some basic understanding of CAs. Setting up a CA without doing some pre-planning will more than likely result in a few problems. Having an idea of the steps involved in the setup process and how to configure the CA afterwards can help to ensure that you only have to complete the procedure once. In other words, do it properly the first time.