How to Install and Configure Active Directory Certificate Service on Windows Server 2012 R2
Installation and Configuration of Active Directory Certificate Service on Windows Server 2012 R2
Active Directory Certificate Service (ADCS) is used to create
certificates that secure applications. Before installing Active
Directory Certificate Service, you must install Active Directory Domain
Services. Active Directory Certificate Service is also used to secure
wireless networks, virtual private networks, Internet Protocol Security (IPsec),
Network Access Protection (NAP), Encrypting File System (EFS) and smart card
logon. In this lab environment, we will install and configure the two
Active Directory Certificate Service role services mentioned below.
- Certification Authority
- Certification Authority Web Enrollment
Certificate Authority:
In Active Directory Certificate Service, Certification
Authority is the role service that binds cryptographic key pairs (public and private
key) to digital certificates. In other words, the Certificate
Authority stores, signs and issues digital certificates. With the
help of a Certificate Authority, critical transactions are managed securely over the internet.
The Certificate Authority provides a public/private key pair by means of the public key
infrastructure.
Digital Certificate:
A digital certificate is a verified file that is used to
verify the identity of remote computers, websites, people and devices by means
of identity credentials. The digital certificate is authenticated by a
Certificate Authority. Secure Sockets Layer (SSL) is the most common use of digital
certificates on Microsoft Windows, Linux, etc.
Cryptographic Key:
A cryptographic key is a string that is used to encrypt and
decrypt data. Cryptography is the technique of securing
communication and data. A cryptographic key is used with a cryptographic algorithm. There
are many cryptographic algorithms, such as RSA, SHA, MDC, etc. There are two types
of cryptographic algorithm: symmetric cryptography algorithms and asymmetric cryptography
algorithms.
In Active Directory Certificate Service, Rivest,
Shamir, Adleman (RSA) is mostly used as the cryptographic provider, and the hash
algorithms used for signing certificates are SHA256, SHA384, SHA512, SHA1, MD5,
etc.
Rivest, Shamir, Adleman (RSA):
The Rivest, Shamir, Adleman (RSA) algorithm is an asymmetric
cryptography algorithm that uses a public and a private key. The Rivest, Shamir, Adleman
(RSA) algorithm is the oldest algorithm for securing data. RSA uses a key length of
1024 bits or 2048 bits. RSA is a public key cryptographic algorithm in which two
keys are used: one key for encryption and the other key for decryption. These
keys are the public and private keys. Data
is encrypted with the private key and decrypted with the public key.
SHA:
SHA stands for Secure Hashing
Algorithm, and it is a modified version of MD5. Secure Hashing Algorithm
provides security by means of hashes and digital certificates. A hash is similar to
encryption, but the difference is that hashing is one-way, while encryption is two-way.
MD5:
MD5 is the Message Digest algorithm,
and MD5 produces a 128-bit hash. MD5 is an upgraded version of MD4; it
is a cryptographic hash function, therefore it is used for file
authentication and provides security for web applications.
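The following PowerShell snippet is an added example, not part of the original post, showing what the algorithms named in the SHA, MD5 and RSA sections actually do on a Windows Server 2012 R2 box using the .NET classes that ship with it. It computes a SHA256 and an MD5 digest of a constructed sample message, then generates a 2048-bit RSA key pair, signs the message with the private key and verifies it with only the public key, which is the same relationship a CA has with the certificates it signs. The message text and the variable names are my own; nothing here touches the CA.

```powershell
# Added example (not from the original post): hashing vs. RSA signing/verification
# using .NET classes available on Windows Server 2012 R2 (PowerShell 4.0, .NET 4.5).
$data = [System.Text.Encoding]::UTF8.GetBytes('constructed sample message')   # constructed input

# 1. One-way hashes: no key is involved and the input cannot be recovered from the digest.
function Get-HexDigest([System.Security.Cryptography.HashAlgorithm]$alg, [byte[]]$bytes) {
    ($alg.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
}
$sha256 = Get-HexDigest ([System.Security.Cryptography.SHA256]::Create()) $data
$md5    = Get-HexDigest ([System.Security.Cryptography.MD5]::Create())    $data
"SHA256 : $sha256  ($($sha256.Length * 4)-bit digest)"
"MD5    : $md5  ($($md5.Length * 4)-bit digest)"

# 2. RSA key pair (2048 bits, the key length selected later in the CA wizard).
#    The PRIVATE key signs a SHA256 digest of the data; the PUBLIC key verifies the signature.
#    A CA signs issued certificates with its private key and relying parties verify them
#    with the CA's public key, which is distributed in the CA certificate.
$rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
$signature = $rsa.SignData($data, 'SHA256')

# Give the verifier ONLY the public key: ToXmlString($false) exports no private parameters.
$verifier = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$verifier.FromXmlString($rsa.ToXmlString($false))
"Signature valid on original data : $($verifier.VerifyData($data, 'SHA256', $signature))"

# 3. Changing a single byte of the signed data makes verification fail; this is what lets a
#    client detect a certificate that was altered after the CA signed it.
$tampered = [byte[]]$data.Clone()
$tampered[0] = $tampered[0] -bxor 1
"Signature valid on tampered data : $($verifier.VerifyData($tampered, 'SHA256', $signature))"
```

Run it in any PowerShell window; it needs no elevation because the key pair lives only in memory for the duration of the script. The two digest lines also show the size difference between SHA256 (256 bits) and MD5 (128 bits) that the text describes.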
Installation of Active Directory Certificate Service (ADCS):
To install Active Directory
Certificate Service (ADCS) on Windows Server 2012 R2/2016/2019/2022, click on Add
roles and features. This lab is performed on Windows Server 2012 R2, but the
same steps also work on the latest versions of Windows Server.
On Before you Begin, click “Next” to continue. Here you can also remove roles and
features by clicking “Start the Remove Roles and Features Wizard”.
On Select installation type, select “Role-based or feature-based installation”, then click “Next” to continue. Active Directory Certificate Service is a role.
On Select a server from the server pool, we have only a single server
in the pool; select “WS2012R2.Pakistan.local1”, then click “Next” to continue.
Select the server role “Active Directory Certificate Service”,
which is used to create certificates and assign them to machines,
applications, etc.
On Features, no feature needs to be selected for the installation of Active Directory Certificate Service; just click “Next” to continue.
On Active Directory Certificate Service, click “Next” to continue. In the image below you can read the definition of Active Directory Certificate Service and note the important points before installing it.
Check “Restart the destination server automatically if
required”, then click on “Install”.
Active Directory Certificate Service (ADCS) has been
installed successfully. To configure Active Directory Certificate Service
(ADCS), click on “Configure Active Directory Certificate Services on the destination
server”.
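The same role installation can be done from PowerShell instead of the Add Roles and Features wizard. The snippet below is an added example and not from the original post; it installs the two role services selected in the wizard (Certification Authority and Certification Authority Web Enrollment), reports whether a restart is needed, and confirms the install state. It assumes an elevated PowerShell session on the target server; the feature names `ADCS-Cert-Authority` and `ADCS-Web-Enrollment` are the real Windows feature names for those role services.

```powershell
# Added example (not from the original post): install the ADCS role services from PowerShell.
# Run in an elevated PowerShell session on the server that will become the CA.

# An Enterprise CA (chosen later in the configuration wizard) must be domain-joined.
# In this single-server lab the server is itself the domain controller running AD DS,
# which is the prerequisite the post states.
if (-not (Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain) {
    throw 'This server is not joined to a domain; install/join AD DS before configuring an Enterprise CA.'
}

# ADCS-Cert-Authority = Certification Authority
# ADCS-Web-Enrollment = Certification Authority Web Enrollment
# -IncludeManagementTools adds the Certification Authority console used later from Server Manager > Tools.
$result = Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# Success / RestartNeeded correspond to the wizard's result page and its
# "Restart the destination server automatically if required" checkbox.
$result | Format-List Success, RestartNeeded, FeatureResult
if ($result.RestartNeeded -ne 'No') {
    Write-Warning 'A restart is required before the CA can be configured.'
}

# Confirm both role services now report as installed.
Get-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment |
    Select-Object Name, DisplayName, InstallState
```

After this completes, the role is installed but not yet configured, which matches the wizard state where “Configure Active Directory Certificate Services on the destination server” is still pending.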
Configuration of Active Directory Certificate Service (ADCS):
To configure Active Directory Certificate
Service (ADCS), provide administrative credentials. Here we use “Administrator”
for the configuration process.
The role services we selected during the
installation process, Certification Authority and Certification Authority
Web Enrollment, are already selected. Click “Next” to continue.
Select “Enterprise CA”. An Enterprise Certificate
Authority must be a member of Active Directory Domain Services so that it can manage and
issue certificates with certificate policies.
This is the first, or primary, Certificate Authority, therefore
select “Root CA”. A Root CA is the top of the PKI hierarchy and issues its own
self-signed certificate.
Because this is the first Certificate Authority in the environment,
select “Create a new private key”, then click “Next” to continue.
Select the cryptographic provider “RSA#Microsoft Software Key
Storage Provider” with key length “2048”, and for the hash algorithm for signing
certificates issued by this CA select “SHA256”, because SHA1 is no longer
considered secure. Click “Next” to continue.
Provide the common name for the Certificate Authority, “CA”, and
leave the default distinguished name suffix and preview of
distinguished name.
Provide the validity period of the certificate generated for
this certificate authority, “5 years”; you can choose a shorter or longer
validity period as per your organization's policy. Click “Next” to continue.
Provide the path for the certificate database location and
the certificate database log location, or leave the defaults. Click “Next” to
continue.
After reviewing the Active Directory Certificate Service selections and settings, click on “Configure”.
Active Directory Certificate Service has been configured
successfully; click “Close”.
Close the “Installation progress” as well.
To open Certification Authority, go to the Server Manager Dashboard, click on Tools, then select Certification Authority.
In Certification Authority Web Enrollment, you can create
certificates for web servers and applications by submitting a CSR.
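The whole configuration wizard above (Enterprise CA, Root CA, new private key, RSA 2048 with SHA256, common name “CA”, 5-year validity, default database paths) maps onto two cmdlets from the ADCSDeployment module that the role installs. The snippet below is an added example, not from the original post; it configures the CA and Web Enrollment with exactly those choices and then verifies the result. It assumes an elevated session run as a user who can configure an Enterprise CA (the post uses “Administrator”) and that the role services are already installed; the `Install-AdcsCertificationAuthority` and `Install-AdcsWebEnrollment` cmdlets and their parameters are real.

```powershell
# Added example (not from the original post): configure the Enterprise Root CA from PowerShell
# with the same selections the wizard screens use. Elevated session, Enterprise Admin rights.
Import-Module ADCSDeployment

$caParams = @{
    CAType              = 'EnterpriseRootCA'                         # "Enterprise CA" + "Root CA"
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = 2048
    HashAlgorithmName   = 'SHA256'                                   # SHA1 deliberately not used
    CACommonName        = 'CA'                                       # common name from the post
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 5                                          # "5 years"
    # DatabaseDirectory / LogDirectory omitted: the wizard defaults (%windir%\system32\CertLog) apply
    Force               = $true                                      # no confirmation prompt
}
Install-AdcsCertificationAuthority @caParams

# Certification Authority Web Enrollment (the /certsrv site used to submit a CSR).
Install-AdcsWebEnrollment -Force

# Verification, matching what you would check in the Certification Authority console:
# the CA service is running, certutil reports the CA, and the CA certificate was signed
# with the hash algorithm selected above (expect sha256RSA, not sha1RSA).
Get-Service -Name CertSvc | Select-Object Name, Status
certutil -cainfo
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=CA,*' } |
    Select-Object Subject, NotBefore, NotAfter,
                  @{ n = 'SignatureAlgorithm'; e = { $_.SignatureAlgorithm.FriendlyName } }
```

The `NotAfter` value in the last command should be about five years after `NotBefore`, confirming the validity period, and the subject carries the default distinguished name suffix derived from the domain.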