Windows Server 2022: Active Directory Certificate Services (AD CS) Discussion and Install Guide

Captions
Hey everyone, it's Stephen Wagner with The Tech Journal at www.stephenwagner.com. We're doing another video today covering Windows Server 2022. Today we'll be talking about Microsoft's Certificate Services. What I'm going to do in this video is install a certification authority on the Active Directory domain controller that we installed in one of the previous videos. Some of you might be asking why we would want to do this, and one of the purposes of this video is to actually go into Microsoft Certificate Services and explain why you might want to implement this on a corporate network: the purpose of it, what you can accomplish with it, and then after that actually show you how to install it.

To get started, this is perfect for a home lab user or someone that wants to get familiar with SSL certificates or Microsoft's certification authorities and certificate services. Now when it comes to real-world usage, this is where it actually becomes very important. A lot of you are very familiar with SSL certificates: when you surf a website, they use a certificate; when you access web applications, it uses SSL certificates for encryption and host verification. Now when you get into business environments, particularly domains, internal corporate networks might want to be able to issue certificates on their own. So for example, they don't want to go to Network Solutions or GoDaddy on a regular basis and pay $500 for a certificate that can only verify, you know, maybe four or five host names. On an internal network, corporations want to have the ability to issue these certificates for web services, for intranet websites; a lot of applications require these certificates be used. Another big one too is that corporations that have HTTPS scanning, or firewalls that scan secured web traffic, have to be able to issue trusted certificates in order to do the interception. So for example, what you would need to do on a domain is install a certification authority, which would allow you to issue certificates, and then you would actually put in a request from your firewall for an intermediate certification authority, so your firewall could actually issue certificates for your web users to view websites and have that SSL scanning, which would all be under that chain. So at the top you'd have your domain's root CA, which is provided by Microsoft's Certificate Services and your certification authority; then you'd have your intermediate CA, which would be your firewall; and then underneath that you'd have the certificates for every website you go to. So if you're doing that scanning, if you went to www.google.com, your firewall would issue a certificate under that chain and it would fall under that. One of the reasons why you would want to have your Microsoft certification authority at the top of that chain is because it's part of the domain: all member servers and member computers get that root CA, and so that means that you don't have to install certificates on any of the computers; as long as it's joined to the domain, that's okay.

At the same time, this is very, very handy because when you need certificates on your internal network you can configure Microsoft certificate templates so that your IT staff, let's say they're configuring an IIS website or something like that, can just open up IIS, go to certificates, right-click and request it directly from the domain controller, so you're not throwing around these requests and certificate files; it's all handled under Microsoft's Certificate Services. So you can see where it comes into play and where it's important. There's a lot of software that, when you integrate it with other software, there has to be encryption, which is handled by these SSL certificates, and so like I said before, you wouldn't want to buy a certificate from GoDaddy or Network Solutions for this type of communication, especially since it's on your internal domain; however, you would want to use Microsoft Certificate Services and a Microsoft certification authority to issue these certificates, because your internal network will trust them and you can build those trusted communication links without any problems.

With all that being said, this video is part of the Windows Server 2022 series, so I figured it would be a great time to talk about certificates, and it would also be really good to show you how to actually implement this. For the demonstration purposes of this video we're actually going to be installing it on our domain controller. So just jumping on my desktop here: if you've seen the previous videos, you'll know that TN-SRV01 is our Windows Server 2022 domain controller, we have a member server TN-SRV02 which is a member server running WSUS, and then we have our documentation here, so you can see that we're running the testnet1 Active Directory, the domain is stephenwagner.com, we have our router and our two servers. So today, with what we're going to be doing, we want to update our documentation, because now TN-SRV01 is going to be a certification authority.

Now that we've added that to the documentation, it's pretty simple; it's just like any other role- or feature-based installation on Windows Server. Technically all we do is go to Start, fire up the good old Server Manager, let this load, then go to Manage, Add Roles and Features. I guess we didn't let it load long enough, and actually while we wait for this to load I'm just going to show you something here. We're just going to open up a blank MMC window, add a snap-in, open up the certificates on the domain controller, and view the computer certificates. These certificates are pre-loaded by Microsoft, and we have our Trusted Root Certification Authorities; these are the main certificates that come pre-loaded with Microsoft Windows, and you'll notice that there's nothing in here pertaining to the stephenwagner.com domain. So technically we trust all the regular certificates, but we don't have our own root CA and we don't trust any third party, which is going to be our future root CA, and we have nothing inside of Personal.

So what we're going to do to install this is go to Manage, Add Roles and Features, do a role-based or feature-based installation, confirm that we're installing this to TN-SRV01, and if we scroll through here, actually we don't even need to scroll, it's right at the very top of the list: Active Directory Certificate Services. It's used to create certification authorities and related role services that allow you to issue and manage certificates used in a variety of applications. So we're going to enable this, and it's just going to tell us that we need to install some extra features, so we'll go ahead and hit OK, go Next, we don't need to touch these features, and as soon as we go to Next you'll notice on the left-hand side of the window that the next configuration item is Active Directory Certificate Services. Just to recap here: AD CS provides the certificate infrastructure to enable scenarios such as secure wireless networks, virtual private networks, Internet Protocol Security (IPsec), VPNs, NAP, encrypting file systems and smart card logins. Now keep in mind that we are creating our own root CA, so any certificates issued from this will not be trusted by any computer in the world; they will only be trusted by computers on the domain or computers that we manually install the root CA to, and that root CA will be created after we finish this installation process. And again, it just came up with some more examples: VPN services. Let's say that you have domain-based computers that want to connect to a VPN; all of that is secured with these certificate services, and that's why you would actually want to use an internal root CA as opposed to purchasing these certificates.

Now some people might argue with me that installing the root CA on a domain controller isn't the best practice. Once you install a root CA, you don't want to have that computer name change, you don't want to have the IP change; it's just like Active Directory Domain Services on a domain controller, you don't want to change anything. So technically if you were to provision a domain controller and you installed the certificate services, in my eyes that's okay, because you're never going to manipulate or change those domain controllers; essentially all you do is keep them up to date and you don't touch them. That's why in my eyes a domain controller is actually a good candidate to install a certification authority on. It just warns that the name and domain settings of this computer cannot be changed after a certification authority has been installed.

So here it just asks us to select the role services to install. Now it's been some time since I've done this manually; in previous versions of Windows Server, like Microsoft Small Business Server, it would automatically install this. It's been a long, long time since I've done this manually, so I'm just going to scroll through these options and we're going to figure out which one we actually need. I always install the Certificate Enrollment Web Service because it gives you a web-based portal that allows you to submit certificate requests to, so even if your computer is not on the domain, you can open up an IIS-based website, log into it with your domain credentials, and for example if you had a firewall or an external service, a Linux box or something like that, and you generated a certificate request, you could use that IIS web-based interface to submit the request and approve and generate a certificate that you then could feed back into that service. So for the purpose of this video I'm just going to install that; we're going to do the Certificate Enrollment Web Service and we're also going to do the Certification Authority Web Enrollment service. Again, you'll notice that when we enable these, the Add Roles and Features wizard pops up, because since these are web-based services we need to have IIS, and we currently don't have IIS installed. So this is just warning us that we cannot install the Certification Authority Web Enrollment unless the following role services and features are also installed. We're just hitting Yes, we're confirming, we're all good to go, and that's all we need to install. Then there's just some generic information: now that we've installed those web services, we're going to be prompted for the Web Server role, IIS (Internet Information Services), to be installed, and again we're just going to go off of the default settings here; we don't need to manipulate or change any of these. Here's just the final confirmation on how to install this. So what I'm going to do is just turn off the camera, we'll let this run, and I'll come back when we're ready to take the next steps.

Okay, so the roles and features have been installed now, and they were done successfully; configuration is required. We'll just take a look at the list here, it's got everything that was installed, and we have to configure Active Directory Certificate Services on the destination server. Now one thing I want to show you quickly: I already showed you the existing certificates that are installed on the domain controller, but I want to jump over to TN-SRV02, open up MMC, and load up the certificates on there, because I want to show you what's in there and what's not. So when we add the computer account and take a look at the computer certificates, expand the list and open up the Trusted Root Certification Authorities, you'll notice that we don't have a stephenwagner.com domain root CA inside of here as of yet.

So we'll jump back here and continue on with the installation. We'll configure Active Directory Certificate Services on the destination server, we're going to use the domain administrator account, and the role that we want to configure today is the certification authority; I think for now we can leave it at that. There's a couple of different things here, so specify the setup type of the CA. Enterprise certification authorities can use Active Directory Domain Services to simplify the management of certificates; standalone CAs do not use AD DS to issue or manage certificates. So if you choose Enterprise CA it will be integrated with Active Directory, whereas if you choose Standalone CA it will not be integrated with Active Directory. This is important because in very, very complicated scenarios or in very, very large environments you might actually have a standalone CA that is separate from the domain as your root CA, and then you might set up another CA inside the domain, which is actually an intermediate CA on that standalone, just for security purposes. We are starting to get into some really complex network design and infrastructure design, so we're going to stay away from that, but that's just an example of one of the things that would happen. In most cases, if you had this on a domain controller and this was going to be your root CA, you would choose Enterprise CA.

So this is our very first one, so when we choose the type we're going to be choosing a root CA instead of a subordinate, and we're going to create a new private key. Since this is a brand new certification authority we have to create a new key; that's essentially the master key that encrypts the root CA certificate. I think we're pretty good here with choosing the default setting, so it's just going to use RSA, SHA-256, and we're using 2048-bit encryption; you could crank this up higher if you wanted to. Then specify the name of the CA. Just to give you an idea here, these are root CAs that are issued by internet authorities, so we've got Issued To, we've got Issued By, and we have various information about the name and what it does, SHA-256 RSA. What we're doing here is specifying the name of the new root CA, so we're typing a common name to identify this certification authority, and this name is added to all the certificates that are issued by the root CA. This isn't too big of a deal; typically in the past when I've done this I always leave it as default, so the common name will be stephenwagner, which is the domain, so think of it as domain-computername-CA, which is completely fine. You could change this if you wanted to. The distinguished name suffix is just DC=stephenwagner,DC=com, which is stephenwagner.com, and then there's just a preview of the full distinguished name here. So we're just going to leave everything at default. Here we have the validity period, and again you can customize this, but do not change it unless you know what you're doing. For the purpose of this video we're going to leave it at default, because that's the safe thing to do, so the root CA will be valid for a total of five years. Then we just specify our certificate database, and then it pretty much confirms everything that we just went through. We'll go ahead and hit Configure, and the configuration succeeded, so we can close this window. Do we want to configure additional role services? We'll choose No, and then I think we can close out of this window. Actually, I'm just going to go through here; we do not need to do that.

So now that we've installed this, if we go to Start and go to Windows Administrative Tools we should now see Certification Authority, and this is what we just installed here. You'll notice that under the certification authority we have stephenwagner-TN-SRV01-CA, and when we expand this you'll notice that we have a few different folders: Revoked Certificates, Issued Certificates, Pending Requests, Failed Requests and Certificate Templates. What I want you to note is that we have no issued certificates and we have no pending requests. Now I'm not too sure how long this takes to take effect, but if we jump over to TN-SRV02 and refresh this list, we still do not have the certificate, so I'm actually going to do a gpupdate /force and restart the server, and I'm wondering if it'll grab the certificate. We'll let that do that. But now if we go to the domain controller, go to MMC, add a snap-in for Certificates, go to Computer Account, Finish, and remember we looked at this at the beginning and it only had the root internet authorities; when we go to Trusted Root Certification Authorities, Certificates, you'll now notice that we have two certificates here: stephenwagner-TN-SRV01. What that means is that any certificate that is issued by this new root CA that we just set up will be trusted by this system. It was created October 10, 2021, and it's valid until October 10, 2026, and since it's trusted, this is marking the certificate as valid and okay; we're using SHA-256 with a 2048-bit key, and that's all good. It's also installed inside of Personal certificates as well, just because this is the domain controller that's running as a certification authority. So now with this machine I'm just going to restart it.

While we wait for that to restart, there's a couple of other things that I want to cover here. While we're looking at the certification authority, you'll notice that there are certificate templates. These are templates for SSL certificates that you can request from the domain; so for example if you had IIS and you wanted to request a certificate, you would use one of these templates to request it. By default I don't think that you can actually request until you change the permissions. For example, here we have Web Server, so if you wanted to request a certificate from the domain's root CA, you could use this for an Apache web server, you could use this for an IIS web server; you know, you're installing VMware Horizon and you need a certificate for the Horizon web service, you could request it from here. This is the template that you would use, the Web Server template; however, off of a default installation I don't believe it's available for auto-enrollment, and to do that I think we actually have to go to MMC. It's been a long time since I've done this, so cut me a little bit of slack if this isn't correct, but you'll see Certificate Templates here as a snap-in for MMC. We're going to add that, and when we expand this box you're going to see all of the different certificate templates that we can use on the domain controller. Here's Web Server, and if we right-click on this and go to Properties, you'll notice that a lot of the stuff is pre-configured: it's a web server template, validity period is two years, renewal is six weeks, request handling, all of that is already configured and set up; subject name, extensions and security. So now if we take a look at this, Authenticated Users can read, but notice that Enroll is not enabled; that means that a typical user could not enroll.

So now let's say for a second that you wanted to have a template that your system administrators or your domain administrators could use to request a certificate and get it approved and issued from the domain. What I would do in that case is, the Web Server template is a good way to go, but I would right-click on this and hit Duplicate Template. Right now it's called "Copy of Web Server"; we're going to call this "SW Web Server Template". Now you'll notice that all of these values we couldn't change in the existing template, but now since we've duplicated it we can. So if we wanted to, we could change the validity period to four years; we're going to publish the certificate in Active Directory; we have compatibility settings, request handling, and I think for the most part we can leave everything as default. However, what we want to do is, under Security, we have Domain Admins, and you'll notice that it automatically pre-populated this, but let's just pretend for a second it didn't: we could have added Domain Admins here, and all we would have had to do is just give them Enroll and Autoenroll permissions. So when a domain administrator would request a certificate from Active Directory Certificate Services, they could actually auto-enroll certificates, and as soon as they throw the request in, bam, it would spit out a valid certificate that they could use. Enroll was already configured; we're going to add Autoenroll and then just hit Apply, OK. Now you'll notice that SW Web Server Template is available in there, and if we refresh this list, it's still not, but it is available, trust me.

So now that we've restarted TN-SRV02 (I'm going to be embarrassed if this doesn't work), technically the root CA, since this is a member server on the domain, should now be available in here. Just after doing a gpupdate and restarting TN-SRV02, now when we go to MMC and add the certificates for the computer, under Trusted Root Certification Authorities we now have stephenwagner-TN-SRV01-CA. That means that any certificate that is issued is now trusted on the system, which is absolutely fantastic. What I want to do here is just show you how easy it is to actually request a certificate from Active Directory Certificate Services and how the whole process works. As I mentioned before, TN-SRV01 is the root CA and TN-SRV02 is just a member server on the domain. Now, from a previous video we actually installed WSUS on this box, so technically we should have IIS installed. So I'm going to go to Start, go to Administrative Tools, and fire up Internet Information Services, and I want to show you how cool this integration is with Active Directory Certificate Services. If we open up the computer in IIS, you'll see here that we've got Server Certificates, and if my memory serves me right, what we can do here, and you'll notice that there are no server certificates on the right-hand side, is click on... I'm not too sure, one second. I don't remember there being two, but I'm going to click on Create Domain Certificate. We're going to come up with a common name of tn-srv02.stephenwagner.com, fill out this information and hit Next. Online certification authority: now this is where it gets cool. I think we should just be able to hit Select, and here is our new Active Directory certification authority, it's inside the list; we hit OK, and then a friendly name. This is going to be the friendly name for the certificate; we're just going to call it tn-srv02.stephenwagner.com.

Just before I click on this, we'll jump back to the root CA and go to Issued Certificates. This is unrelated to anything we've done, but since we've done this it's actually issued a certificate, and you'll notice that this is a domain controller certificate. There's a whole bunch of automated processes that run in the background, so this is actually issued to TN-SRV01 and it's used for Active Directory encryption, but you'll notice that there's just that one certificate. So now if we jump back to TN-SRV02, we have all this finished, we'll hit Finish, and you'll notice that without even doing anything we now have an SSL certificate in here, tn-srv02, and it was issued by stephenwagner-TN-SRV01 and it expires October 10, 2023. If we jump back to the domain controller that runs the certification authority and do a quick little refresh, bam, there we go, you'll see that a web server certificate was issued. We'll just double-click on this: issued to tn-srv02.stephenwagner.com, and it was issued by our new root CA. So you can see how powerful and cool this is; everything's automated and it's all integrated. Now if we go over and click on the Certification Path, you'll see the hierarchy: here's the root CA and here's the certificate that we actually just requested and generated. What ended up happening is that since it's all integrated, and since we have Autoenroll turned on and we're a domain administrator, it was automatically approved, and now it's in IIS, so it's available.

So if we wanted to, we could jump into Default Web Site, right-click on it, go to Edit Bindings, create a new HTTPS binding, and you'll notice that inside of the SSL certificate list we now have tn-srv02. Technically, for example, if we jump over to WSUS, you'll notice that WSUS can either use HTTP, which has no encryption, or you can use HTTPS, which is encrypted over SSL. Since we have a certificate for that specific hostname on the internal network, the one that we actually just requested, we can now click on HTTPS, click on Edit, and then under the certificate we can actually bind it to this tn-srv02.stephenwagner.com. This is a perfect example of why you would actually implement a root CA on an internal network as opposed to using an internet authority. Again, if we go to View we have all the details here, and we can see the hierarchy of the certificate being issued from the root CA and the details of this certificate. So we choose it, we select it, and that's it.

Up until this point we have added the Active Directory Certificate Services certification authority role to the domain controller; we now have a member server that can do auto-enrollment with certificates; we fired up IIS and requested a certificate from the new root CA that we created; the root CA automatically approved it and issued it to IIS; and then we jumped inside of IIS, went to Edit Bindings, and attached that SSL certificate to the WSUS website. So technically we could go into Group Policy right now, and let's do that just for the sake of it. We'll go to the domain controller and go to Group Policy Management, and we'll go to the WSUS GPO that we created in a previous video. What we want to do now, now that we can use SSL on WSUS, is update the policies. I should have these remembered but I don't, so I'm just going to generate a report to find out where this is stored. We have to go to Computer Configuration, Policies, Administrative Templates, Windows Components, and here's where we have the configuration for WSUS. Now that we're using SSL we would just go to "Specify intranet Microsoft update service location", and you'll see that it's using the old URL of http://tn-srv02 with the old non-SSL port.

Now keep in mind that with the certificate that we generated, you can configure something called a SAN; not SAN as in storage, but a SAN with certificates stands for Subject Alternative Name. What you can do is actually have a single certificate with multiple SANs, so you can have a couple of fully qualified domain names, you can have a couple of computer names, and you can put everything under one certificate. We did not do that in that specific certificate request, but it is possible. Because this certificate, if we jump back here, is only issued for a single host name, that means that any service that wants to connect to it has to validate against tn-srv02.stephenwagner.com, and because of that we can no longer use just the computer name; we have to update this to include the fully qualified internal domain name. So first we're going to change it to https://tn-srv02.stephenwagner.com, and then we're also going to change it for the intranet statistics server; again we're going to add the "s" after the "p" and type in the fully qualified domain name. Now one thing that we forgot to do, not really forgot, but I just wanted to put an emphasis on this, is that since we're using SSL now, it runs on a different port. You'll notice that HTTP runs on 8530, and now we're using 8531 for HTTPS, so we'll just update that as well, and then we'll go ahead and close the window. I'm just going to open that back up to make sure... no, it did not save. Okay, so just to save you some pain here I'm going to do this quickly. That's good; the reason why that didn't save is because we have to hit Apply and OK. We're going to close that, close that.

So now, whenever you do any type of configuration change on IIS, technically a lot of it does happen in real time, but you should always restart IIS. You can do that either by clicking on Restart on the side here, or what I like to do is just open a command prompt, run it as administrator, and type in iisreset. And voilà, that's how you configure WSUS to use an SSL certificate generated from an Active Directory Certificate Services root certification authority. Thanks for watching; if you haven't already, make sure you like the video, subscribe to the channel, please leave a comment, ask me any question you like, and I'll do my best to get back to them. If not, I hope you enjoy the video. Have a fantastic day.
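The whole procedure walked through in the video (install the AD CS role, configure an Enterprise Root CA with the wizard's defaults, confirm the root CA reached a member server, enrol a web server certificate from the duplicated template, bind it to the WSUS site on 8531, and repoint the WSUS GPO at the HTTPS FQDN) as one PowerShell script. This is an added example, not code from the video or its author; it uses only the built-in ServerManager, ADCSDeployment, PKI, WebAdministration and GroupPolicy modules. The names are assumptions taken from the video's lab and should be changed to match your environment: domain stephenwagner.com, CA host TN-SRV01, WSUS member server TN-SRV02, the duplicated template's object name "SWWebServerTemplate" (the default object name AD CS derives from the display name "SW Web Server Template"), a GPO called "WSUS", and the IIS site name "WSUS Administration" that WSUS creates. The template is assumed to already exist with Enroll and Autoenroll granted to Domain Admins only, as in the video; the Certificate Enrollment Web Service is not configured here because it needs its own SSL certificate and the video only configured the CA role.

```powershell
# Added example (not from the video). Assumed lab names: stephenwagner.com, TN-SRV01 (CA),
# TN-SRV02 (WSUS), template object name "SWWebServerTemplate", GPO "WSUS",
# IIS site "WSUS Administration". Run each step on the host named in its comment.

# --- 1. On TN-SRV01: install the role and configure an Enterprise Root CA ---
# Same choices as the wizard in the video: enterprise root, new RSA 2048 key,
# SHA-256, default CA name and DN suffix, 5-year validity.
function Install-LabRootCa {
    Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools | Out-Null
    Install-AdcsCertificationAuthority `
        -CAType EnterpriseRootCA `
        -CACommonName 'stephenwagner-TN-SRV01-CA' `
        -CADistinguishedNameSuffix 'DC=stephenwagner,DC=com' `
        -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
        -KeyLength 2048 -HashAlgorithmName SHA256 `
        -ValidityPeriod Years -ValidityPeriodUnits 5 -Force
    Install-AdcsWebEnrollment -Force
}

# --- 2. On TN-SRV02: confirm the root CA arrived via Group Policy ---
# The video checked this by eye in the Certificates MMC; this returns the
# matching root certificate, or nothing if the machine does not trust the CA yet.
function Get-LabRootCaInStore {
    param([string]$CaName = 'stephenwagner-TN-SRV01-CA')
    gpupdate /force | Out-Null
    Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "CN=$CaName*" }
}

# --- 3. On TN-SRV02: enrol a web server certificate from the enterprise CA ---
# Autoenroll on the template means the CA issues immediately for a Domain Admin.
# -DnsName carries the subject alternative names: the video's request had only the
# FQDN, here the short host name is added as a second SAN so clients may use either.
function Request-LabWebServerCert {
    param([string]$Fqdn = 'tn-srv02.stephenwagner.com',
          [string]$Template = 'SWWebServerTemplate')
    $result = Get-Certificate -Template $Template `
        -SubjectName "CN=$Fqdn" -DnsName $Fqdn, ($Fqdn.Split('.')[0]) `
        -CertStoreLocation Cert:\LocalMachine\My
    if ($result.Status -ne 'Issued') { throw "Enrollment not completed: $($result.Status)" }
    $result.Certificate
}

# --- 4. On TN-SRV02: bind the certificate to the WSUS site on 8531 and restart IIS ---
function Set-LabWsusHttpsBinding {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [string]$Site = 'WSUS Administration', [int]$Port = 8531)
    Import-Module WebAdministration
    if (-not (Get-WebBinding -Name $Site -Protocol https -Port $Port)) {
        New-WebBinding -Name $Site -Protocol https -Port $Port | Out-Null
    }
    # Attach the certificate to the SSL binding, replacing any existing one on that port.
    $sslPath = "IIS:\SslBindings\0.0.0.0!$Port"
    if (Test-Path $sslPath) { Remove-Item $sslPath }
    New-Item -Path $sslPath -Value $Cert | Out-Null
    iisreset | Out-Null
}

# --- 5. On TN-SRV01: point the WSUS GPO at the HTTPS URL (FQDN and port 8531) ---
# These are the registry values behind "Specify intranet Microsoft update service location".
function Set-LabWsusGpoUrl {
    param([string]$GpoName = 'WSUS',
          [string]$Url = 'https://tn-srv02.stephenwagner.com:8531')
    $key = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName WUServer -Type String -Value $Url | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName WUStatusServer -Type String -Value $Url | Out-Null
}

# Example order of operations, matching the video:
# Install-LabRootCa                                      # on TN-SRV01
# Get-LabRootCaInStore                                   # on TN-SRV02, expect one certificate back
# $cert = Request-LabWebServerCert                       # on TN-SRV02
# Set-LabWsusHttpsBinding -Cert $cert                    # on TN-SRV02
# Set-LabWsusGpoUrl                                      # on TN-SRV01
```

Step 2 is the check worth keeping around: if `Get-LabRootCaInStore` returns nothing on a member server, the certificate from step 3 will still be issued, but nothing on that server will trust it, which is exactly the state the video showed before the gpupdate and restart. Step 5 writes both the update server and the statistics server values, the two fields the video edited by hand, and the FQDN is used because the certificate's subject and SAN only cover that name.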
Info
Channel: SW The Tech Journal
Views: 906
Keywords: Windows, WindowsServer, WindowsServer2022, WSUS, Windows Server Update Services, Guide, HowTo, VMware, ESXi, VirtualMachine, Demo, Demonstration, ADCS, Active Directory Certificate Services, Certification Authority
Id: 5Wk1OdBl9iE
Length: 33min 26sec (2006 seconds)
Published: Mon Oct 11 2021