ADCS Manual - Copy (2)

This document provides a step-by-step guide to set up an Enterprise Root Certificate Authority (CA) on Windows Server by installing Active Directory Certificate Services (ADCS) and configuring the CA role. It includes instructions for modifying certificate request templates and installing a PFX certificate on an ESXi host using OpenSSL. The process involves several configuration steps and commands to ensure proper setup and functionality of the CA and certificates.

Set Up an Enterprise Root CA On Windows Server

Install ADCS and CA role


To set up an enterprise root certificate authority, you must first install ADCS and the CA role.
To install ADCS and CA role
1. Log on to VM as a Domain Administrator.
2. From the Start menu, select Administrative Tools and Server Manager.

3. In the Server Manager Dashboard (in the right pane of the window),
select Manage and Add Roles and Features.
4. In the Add Roles and Features Wizard, select Next.
5. On the Installation Type page, select the Role-based or feature-based
installation check box and Next.

6. On the Server Selection screen, select a server from the server pool (the listed
server) and select Next.
7. Select Active Directory Certificate Services > Add Features > Next.

8. On the Features page, select Next.


9. On the ADCS page, select Next.
10. On the Role Services page, select the Certificate Authority and Certificate
Authority Web Enrollment check boxes in the Role Services list. The Add Features
dialog displays.
11. Select Add Features and Next.
12. On the Web Server Role (IIS) page, select Next.

13. On the Role Services page, select Next.

14. Select the Restart the destination server automatically if required check box. A
confirmation message displays; select Yes.
15. Select Install on the Confirmation page and wait for the installation to finish.
Configure ADCS and CA role
After installing ADCS and the CA role, you must configure them.
To configure ADCS and CA role
1. If continuing from the last procedure, select Configure Active Directory Certificate
Server on the destination server.
2. Alternatively, you can open the ADCS configuration wizard by clicking
the Notification Flag and configuring the server role. The ADCS Configuration Wizard
will be displayed.
3. On the Credentials page, select Next.
4. On the Role services page select the Certificate Authority and Certification
Authority Web Enrollment check boxes. Select Next.

5. On the Setup Type page, select Enterprise CA. Select Next.

6. On the CA Type page, select the Root CA radio button and select Next.
7. On the Private Key page, select the Create a new private key check box. Select Next.

8. In the Cryptography for CA window, select and set up the provider you wish to use
for the CA.
9. After selecting and setting up the Cryptographic Provider, select Next.
10. On the Configure CA Name page enter the CA Name or accept the default CA name.
Select Next.

11. On the Validity Period page, set the certificate validity period to 15 to 20 years.
Select Next.
12. Specify the database location or accept the default location on the Certificate
Database page and select Next.

13. Verify that the CA you are about to configure is appropriate. Select Configure and
wait for the confirmation message. If everything is correct, the Configuration
succeeded message will display when the configuration completes.
14. Select Close to exit the ADCS Configuration wizard.
Open Certificate Authority Console
Server Manager -> Tools -> Certificate Authority
1. Open Certificate Authority in the console and select Properties, where you will see
many options to configure your Enterprise Root CA.

Modifying the Certificate Request Templates


1. On the CA server, open the CA console (certsrv), right-click Certificate Templates and
select Manage.
2. Choose your target template, right-click and select Duplicate Template. Modify the
definitions according to your needs (Compatibility, General settings, Cryptography).
Make the private key exportable and, on the Security tab, assign the CA server
permission to enroll.

3. Then publish the modified templates for issuing certificates. This is done from the
Certificate Templates folder of the CA console. Right-click Certificate Templates,
click Certificate Template to Issue and select the templates to publish, then
click OK. The steps are depicted below:
4. Open certlm.msc and request a new certificate using the template created above.
Export the certificate in PFX format.
Install PFX certificate on ESXi host
• Install the latest version of OpenSSL for Windows.

• Run the command line as administrator and change to the folder C:\xxx\xxx\openssl\bin

• Use the commands below to convert the certificate:

➢ Generate the key file for the certificate via the command below:

openssl pkcs12 -in server.pfx -nocerts -out server_tmp.key -nodes

During this step, it will ask for the PFX certificate password. Because of -nodes the
extracted key is written unencrypted, so delete server_tmp.key once the conversion is done.


Convert the key to RSA format:
openssl rsa -in server_tmp.key -out server.key
➢ Generate the crt file for the certificate via the command below:

openssl pkcs12 -in server.pfx -clcerts -nokeys -out server.crt


• Rename server.key to rui.key and server.crt to rui.crt.

• Enable SSH on the ESXi host, make an SFTP connection to the host and navigate to
/etc/vmware/ssl. Rename the existing rui.key and rui.crt, then place the newly generated
files at this location.

• Connect to the ESXi host using SSH and run the following commands to apply the newly
placed certificates:

➢ /etc/init.d/hostd restart
➢ /etc/init.d/vpxa restart
➢ /etc/init.d/proxy restart
➢ /etc/init.d/rhttpproxy restart
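The PFX conversion above as an added shell example, not part of the original manual: pfx_to_rui runs the same three openssl steps and removes the plaintext temporary key, and rui_pair_matches goes one step beyond the manual by confirming that rui.key and rui.crt carry the same public key before they are copied to /etc/vmware/ssl, which is the check that prevents a mismatched pair from breaking TLS on the host after the service restart. The function names, the output directory and passing the PFX password via -passin are assumptions for this example; openssl must be on PATH.

```shell
#!/bin/sh
# Added example (not from the manual): PFX -> rui.key / rui.crt conversion plus a
# key/certificate consistency check. Assumes openssl is on PATH.
set -eu

# pfx_to_rui <server.pfx> <pfx password> <output dir>
# Writes rui.key (unencrypted private key) and rui.crt (leaf certificate only).
pfx_to_rui() {
    pfx="$1"; pass="$2"; out="$3"
    mkdir -p "$out"
    # Step 1 (manual): extract the private key; -nodes leaves it unencrypted
    openssl pkcs12 -in "$pfx" -nocerts -nodes -passin "pass:$pass" \
        -out "$out/server_tmp.key"
    # Step 2 (manual): re-encode the key as a plain RSA private key
    openssl rsa -in "$out/server_tmp.key" -out "$out/rui.key" 2>/dev/null
    # Step 3 (manual): extract only the leaf certificate, no key, no chain
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin "pass:$pass" \
        -out "$out/rui.crt"
    # The temporary plaintext key must not be left behind; restrict rui.key too
    rm -f "$out/server_tmp.key"
    chmod 600 "$out/rui.key"
}

# rui_pair_matches <dir>: succeeds only if rui.key and rui.crt share a public key.
# Compares a hash of the public key derived from each file.
rui_pair_matches() {
    dir="$1"
    key_pub=$(openssl rsa -in "$dir/rui.key" -pubout 2>/dev/null | openssl sha256)
    crt_pub=$(openssl x509 -in "$dir/rui.crt" -pubkey -noout | openssl sha256)
    [ "$key_pub" = "$crt_pub" ]
}
```

Run pfx_to_rui first, then refuse to upload the pair to the host unless rui_pair_matches succeeds.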
