Procedure Manual: Setting Up Active Directory Certificate Services (AD CS) with HTTPS Configuration
1. Installing Active Directory Certificate Services (AD CS)
- Open Server Manager:
  - Click Manage > Add Roles and Features.
- Select Role-based or feature-based installation:
  - Choose the target server from the server pool.
- Add the AD CS Role:
  - Select Active Directory Certificate Services.
  - Add the following role services:
    - Certification Authority (required)
    - Certification Authority Web Enrollment (recommended only if you want browser-based requests; it installs IIS on the CA and accepts authenticated HTTP requests, so if you enable it serve it over HTTPS only with Extended Protection for Authentication, or skip it and enrol through the Certificates MMC or PowerShell instead)
    - Optionally: Online Responder, Certificate Enrollment Web Service, or Certificate Enrollment Policy Web Service as your environment requires.
- Complete Installation:
  - Confirm the selections and click Install.
  - Restart the server if prompted.
2. Configuring AD CS
- Post-Installation Configuration:
  - In Server Manager, click the yellow notification flag and choose Configure Active Directory Certificate Services on the destination server.
  - Run the wizard as a member of Enterprise Admins; an Enterprise CA writes its configuration and root certificate into Active Directory and the wizard fails without those rights.
- Configure the Roles:
  - Select Certification Authority.
  - Optionally select Web Enrollment and any other role services you installed.
- Setup Details:
  - Deployment Type: Select Enterprise CA. The certificate templates, domain-wide trust and IIS domain certificates used in the rest of this manual all require an Enterprise CA; choose Standalone CA only for a server that is not joined to Active Directory.
  - CA Type: Choose Root CA.
  - Private Key: Select Create a new private key.
  - Key Settings: Use RSA with a minimum key length of 2048 bits (4096 is a reasonable choice for a root CA) and the SHA256 hash algorithm. Do not select SHA1.
  - CA Name: Assign a descriptive name (e.g., HomeLab-RootCA). The name cannot be changed later without reinstalling the CA.
  - Validity Period: Set to 5-10 years. No certificate issued by the CA can be valid beyond the CA certificate's own expiry date.
  - Database Locations: Leave as default or specify custom paths.
- Finalize Setup:
  - Confirm and apply the configuration.
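The same installation and configuration as an unattended PowerShell script. This is an added example for this manual, not code from Microsoft's documentation; the CA name, 4096-bit key length, 10-year validity and the decision to keep Web Enrollment are assumptions taken from the manual's own suggestions, and the script runs on the server that is to become the CA.

```powershell
# Added example, not from the original manual: unattended equivalent of sections 1 and 2.
# Run in an elevated PowerShell session on the future CA as a member of Enterprise Admins.
# The CA name, key length and validity below are assumptions that follow the manual's values.

$caName      = 'HomeLab-RootCA'
$keyLength   = 4096
$validityYrs = 10

# Section 1: install the role services. Drop ADCS-Web-Enrollment if you will enrol with the
# Certificates MMC or PowerShell only, because it installs IIS on the CA.
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# Section 2: an Enterprise Root CA with an RSA key signed with SHA-256, held by the software KSP.
# Substitute your HSM's KSP name for CryptoProviderName if the key should live in hardware.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName $caName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength $keyLength `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits $validityYrs `
    -Force

# Optional: configure Web Enrollment. If you keep it, serve it only over HTTPS with Extended
# Protection for Authentication enabled in IIS, as Microsoft recommends for AD CS web services.
Install-AdcsWebEnrollment -Force

# Post-install checks a practitioner should run before issuing anything.
Get-Service CertSvc | Select-Object Status, Name          # expect Running
certutil -ping                                            # the CA answers RPC requests

# Export the root certificate (public part only) and confirm key size and signature hash.
$cerPath = Join-Path $env:TEMP "$caName.cer"
certutil -f -ca.cert $cerPath | Out-Null
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
$rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($root)
$summary = '{0}  key={1} bits  sig={2}  valid until {3}'
$summary -f $root.Subject, $rsa.KeySize, $root.SignatureAlgorithm.FriendlyName, $root.NotAfter
# expect: CN=HomeLab-RootCA,...  key=4096 bits  sig=sha256RSA  valid until <ten years from now>
```

The exported .cer written to $env:TEMP is the file section 6 distributes to non-domain machines; the CA's private key never leaves the KSP.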
3. Managing Certificates in AD CS
- Launch Certification Authority Console:
  - Press Win + R, type certsrv.msc, and press Enter.
- Create Certificate Templates:
  - In the left pane, right-click Certificate Templates > Manage to open the Certificate Templates console (certtmpl.msc). Templates live in Active Directory, so this step exists only on an Enterprise CA.
  - Right-click a default template such as Web Server, choose Duplicate Template, and customise the copy (name, validity, minimum key size, compatibility level) rather than editing the built-in template.
  - Security caveat: on the Security tab grant Enroll only to the computers, groups or service accounts that should receive web server certificates. The Web Server template lets the requester supply the subject name, so anyone with Enroll rights on your copy can request a certificate for any host name; keep Enroll rights tight, or require CA certificate manager approval on the Issuance Requirements tab so every request is reviewed before issuance.
- Issue Templates:
  - In the CA console, right-click Certificate Templates > New > Certificate Template to Issue.
  - Select the customised template. The CA now offers it to clients; a template that is not in this list cannot be used in requests even though it exists in the Certificate Templates console.
4. Enabling HTTPS in IIS with Certificate
- Obtain the Certificate for the Web Server:
  - Open IIS Manager (inetmgr), select the server node, then open Server Certificates.
  - Click Create Domain Certificate, enter the site's fully qualified host name as the Common Name, choose your Enterprise CA, and finish. This requests from the built-in Web Server template; to use the customised template from section 3, request the certificate from the Certificates MMC for the computer (certlm.msc > Personal > All Tasks > Request New Certificate) or with the Get-Certificate cmdlet instead. Either way the certificate and its private key land in the computer's Personal store.
  - Only use Import here for a .pfx that contains the private key. A bare .cer without the private key cannot back an HTTPS binding.
- Bind HTTPS to the Site:
  - In IIS Manager, select Default Web Site > Bindings.
  - Add or edit a binding of type https:
    - Select the certificate obtained above.
    - Confirm the binding uses port 443. If several sites share the IP address, set a host name and tick Require Server Name Indication.
- Test HTTPS Access:
  - Browse to https://<your-site> from a client that trusts the root CA (see section 6) and confirm there is no certificate warning. The host name in the URL must appear in the certificate's Subject Alternative Name; modern browsers ignore the Common Name.
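Sections 3 and 4 together, scripted: request a certificate from the customised template, check it before use, bind it to the Default Web Site and test the binding. This is an added example, not code from the manual or from Microsoft; the template name WebServer-HomeLab and the host name web01.homelab.local are assumptions, and the script runs elevated on the domain-joined IIS server.

```powershell
# Added example, not from the original manual: enrol from the customised template (section 3),
# bind the certificate on 443 with SNI and test it (section 4). Template and host name are assumed.
Import-Module WebAdministration

$template = 'WebServer-HomeLab'     # assumed: the template duplicated from Web Server in section 3
$fqdn     = 'web01.homelab.local'   # assumed site name; must match what clients type in the URL
$site     = 'Default Web Site'

# Get-Certificate finds the Enterprise CA through Active Directory. Status is 'Issued' when the
# template issues automatically and 'Pending' when it requires certificate manager approval.
$req = Get-Certificate -Template $template -SubjectName "CN=$fqdn" -DnsName $fqdn `
           -CertStoreLocation 'Cert:\LocalMachine\My'
if ($req.Status -ne 'Issued') {
    throw "Request status is '$($req.Status)'. If Pending, approve it in certsrv.msc and resume with Get-Certificate -Request."
}
$cert = $req.Certificate

# Checks before binding: private key present, chain builds on this host, SAN carries the name.
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; the HTTPS binding would fail.' }
if (-not $cert.Verify())      { throw 'Chain does not verify here; is the root CA in Trusted Root Certification Authorities?' }
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
$san    = if ($sanExt) { $sanExt.Format($false) } else { '' }
if ($san -notmatch [regex]::Escape($fqdn)) { throw "SAN '$san' does not include $fqdn; browsers ignore the CN." }

# Create the HTTPS binding if it does not exist yet (SslFlags 1 = require SNI), then attach the cert.
$binding = Get-WebBinding -Name $site -Protocol https -Port 443 -HostHeader $fqdn
if (-not $binding) {
    New-WebBinding -Name $site -Protocol https -Port 443 -HostHeader $fqdn -SslFlags 1
    $binding = Get-WebBinding -Name $site -Protocol https -Port 443 -HostHeader $fqdn
}
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# Test from the server. A trust or name error here will reproduce on every client.
$resp = Invoke-WebRequest -Uri "https://$fqdn/" -UseBasicParsing
'HTTPS OK: status {0}, certificate {1} expires {2}' -f $resp.StatusCode, $cert.Subject, $cert.NotAfter
```

The three checks before AddSslCertificate catch the usual causes of a binding that saves cleanly but fails at runtime: a certificate imported from a .cer without its key, a root that is not yet trusted on the web server, and a certificate whose only name is in the Common Name.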
5. Troubleshooting HTTPS Issues
Issue: HTTPS Not Working
- Check the common causes first:
  - In IIS Manager, navigate to Default Web Site > Bindings, select the HTTPS binding and click Edit. Confirm a certificate is selected, that it has a private key, and that any host name on the binding matches what clients type.
  - Confirm the client trusts the issuing CA (section 6) and that the name in the URL is present in the certificate's Subject Alternative Name.
  - Confirm TCP port 443 is allowed through Windows Firewall and reachable from the client.
  - Check the System event log for Schannel events (for example 36874, no cipher suite in common, and 36887/36888, fatal alert received or generated); they say which side aborted the handshake and why.
- Resolution when the TLS handshake itself fails:
  - Protocol versions are not configured in IIS Manager. IIS inherits the Schannel settings under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\<version>\Server, where Enabled = 0 turns a version off and DisabledByDefault = 1 stops it being offered unless an application asks for it. TLS 1.3 exists in IIS only on Windows Server 2022 and later.
  - If a client fails only against a TLS 1.3 server, set Enabled = 0 under the TLS 1.3\Server key, leave TLS 1.2 enabled, and restart IIS with iisreset.
- Why Disabling TLS 1.3 Works:
  - Some older clients, TLS libraries and inspecting middleboxes do not implement TLS 1.3 correctly and abort the handshake. Disabling it makes the server negotiate TLS 1.2, which they handle.
Risks of Disabling TLS 1.3:
- Reduced Security:
  - TLS 1.3 removes the weak key exchanges and cipher suites that TLS 1.2 still permits and completes the handshake in fewer round trips. TLS 1.2 with strong suites remains acceptable, but never "fix" compatibility by re-enabling TLS 1.0 or 1.1; both are deprecated.
- Fix:
  - Upgrade clients and servers to ensure compatibility with TLS 1.3.
  - Re-enable TLS 1.3 once the environment supports it.
- Reference:
  - For official guidance, see Microsoft's documentation on TLS Cipher Suite Configuration.
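A diagnostic that separates the two failure classes above: a certificate that the client does not trust or whose name does not match (the handshake completes, but the validation callback reports errors) versus a handshake that never completes (protocol or cipher mismatch, or the port is closed). It also reads the Schannel registry keys that IIS actually honours. This is an added example, not code from the manual; web01.homelab.local is an assumed host name and the script runs from any Windows machine with PowerShell 5.1 or later.

```powershell
# Added example, not from the original manual: probe an HTTPS endpoint and report what was
# negotiated, then list the Schannel server-side protocol settings. Host name is assumed.

function Test-TlsEndpoint {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443,
        # Protocol versions to offer. None lets the OS pick; pass Tls12 to force a TLS 1.2-only probe.
        [System.Security.Authentication.SslProtocols] $Protocol = [System.Security.Authentication.SslProtocols]::None
    )
    $script:policyErrors = [System.Net.Security.SslPolicyErrors]::None
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Record chain/name errors instead of failing the handshake, so they can be reported.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $cert, $chain, $errors)
            $script:policyErrors = $errors
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $true)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host         = $HostName
            Protocol     = $ssl.SslProtocol          # e.g. Tls12 or Tls13
            Cipher       = $ssl.CipherAlgorithm
            KeyExchange  = $ssl.KeyExchangeAlgorithm
            Subject      = $remote.Subject
            Issuer       = $remote.Issuer
            NotAfter     = $remote.NotAfter
            PolicyErrors = $script:policyErrors      # None = trusted and name matches
        }
    }
    catch {
        # The handshake itself failed: protocol/cipher mismatch, or nothing listening on the port.
        [pscustomobject]@{ Host = $HostName; Protocol = 'handshake failed'; Error = $_.Exception.Message }
    }
    finally { $tcp.Close() }
}

function Get-SchannelServerProtocols {
    # Absent key or value means the OS default for that version applies.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($v in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
        $key = Join-Path $base "$v\Server"
        $p = if (Test-Path $key) { Get-ItemProperty $key } else { $null }
        [pscustomobject]@{
            Protocol          = $v
            Enabled           = if ($null -ne $p -and $null -ne $p.Enabled) { $p.Enabled } else { 'OS default' }
            DisabledByDefault = if ($null -ne $p -and $null -ne $p.DisabledByDefault) { $p.DisabledByDefault } else { 'OS default' }
        }
    }
}

Test-TlsEndpoint -HostName 'web01.homelab.local' | Format-List
# Offer only TLS 1.2. If this succeeds while the default probe fails, the problem is TLS 1.3 specific.
Test-TlsEndpoint -HostName 'web01.homelab.local' -Protocol Tls12 | Format-List
Get-SchannelServerProtocols | Format-Table -AutoSize   # run this one on the IIS server
```

Read PolicyErrors first: RemoteCertificateChainErrors means the root from section 6 is missing on this client, RemoteCertificateNameMismatch means the SAN does not cover the host name, and neither is fixed by changing protocol versions.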
6. Extending Certificate Trust Across Devices
To ensure secure communication with the certificates issued by your AD CS, you will need to import your Root CA certificate into various devices, including Windows, Linux, and network devices (e.g., routers, firewalls). This will establish trust for certificates issued by your CA. Below are the steps for each platform:
1. Import Root CA Certificate into Windows
- Export the Root CA Certificate:
  - On your Certificate Authority server, open Certification Authority (certsrv.msc).
  - In the left pane, right-click [Your CA Name] > Properties. On the General tab select the CA certificate, click View Certificate, then Details > Copy to File.
  - Choose DER encoded binary X.509 (.CER) format and save the file. This exports only the public certificate; the CA's private key stays on the CA.
- Import the Certificate:
  - Domain-joined Windows machines receive an Enterprise CA's root certificate automatically from Active Directory, so the manual steps below are only needed for workgroup machines or for a Standalone CA.
  - On the Windows client machine, press Win + R, type certlm.msc (the computer store; certmgr.msc would trust the root for the current user only), and hit Enter.
  - In the left pane, expand Trusted Root Certification Authorities and right-click Certificates.
  - Select All Tasks > Import, then browse to the .cer file you exported from the CA and import it.
- Verify the Installation:
  - After importing, check that the root certificate appears under Trusted Root Certification Authorities > Certificates.
  - The machine now trusts every certificate that chains to this root, which is why the CA's private key must be protected as carefully as a domain administrator credential.
2. Import Root CA Certificate into Linux
- Export the Root CA Certificate:
  - On your Certificate Authority server, export the root certificate as a .cer file using the steps above for Windows.
- Copy the Certificate to Linux:
  - Use scp, rsync, or another file transfer method to copy the .cer file to the target Linux machine.
- Install the Certificate on Linux:
  - The file exported from Windows is DER encoded. Debian's update-ca-certificates only reads PEM files with a .crt extension, so convert it first:
    openssl x509 -inform DER -in rootCA.cer -out rootCA.crt
  For Debian/Ubuntu:
  - Run sudo cp rootCA.crt /usr/local/share/ca-certificates/
  - Update the system bundle with sudo update-ca-certificates (the output should report "1 added").
  For RedHat/CentOS/Fedora:
  - Run sudo cp rootCA.crt /etc/pki/ca-trust/source/anchors/ (this directory accepts PEM or DER).
  - Update the trust store with sudo update-ca-trust
- Verify Installation:
  - openssl x509 -in rootCA.crt -noout -subject -dates only parses the file; it does not show that the system trusts it. Verify against the installed store instead:
    openssl verify rootCA.crt
    which prints "rootCA.crt: OK" once the root is in the system store and a "self signed certificate" error if it is not.
  - Then test a real site: curl -sS -o /dev/null -w '%{http_code}\n' https://<your-site>/ should print a status code rather than an unknown-issuer error.
  - Some software (Java, Python clients that bundle certifi, Firefox, Snap packages) keeps its own trust store and needs the root added separately.
3. Import Root CA Certificate into Network Devices (Routers, Firewalls, etc.)
- Export the Root CA Certificate:
  - Similar to the steps above, export the root certificate from your CA. Most network devices expect the Base-64 (PEM) encoding, so choose Base-64 encoded X.509 (.CER) in the export wizard, or convert the DER file with openssl x509 -inform DER -in rootCA.cer -out rootCA.pem.
- Transfer the Certificate to the Network Device:
  - Depending on the device, you can upload the file via the device's web interface, CLI, or an API.
  - For example, on Cisco devices you can copy the file with SCP or TFTP, or simply paste the Base-64 text into the terminal during authentication.
- Import the Root CA Certificate on Network Devices:
  - Cisco Devices (e.g., ISR, ASA):
    - Define a trustpoint that enrols from the terminal, then authenticate it by pasting the Base-64 certificate. On an ASA:
      ciscoasa(config)# crypto ca trustpoint MyRootCA
      ciscoasa(config-ca-trustpoint)# enrollment terminal
      ciscoasa(config-ca-trustpoint)# exit
      ciscoasa(config)# crypto ca authenticate MyRootCA
      (paste the Base-64 certificate, finish with quit on its own line, and accept when the fingerprint matches)
      ciscoasa(config)# exit
      ciscoasa# write memory
    - On IOS/IOS-XE routers the same flow uses crypto pki trustpoint and crypto pki authenticate. Compare the fingerprint the device prints with the thumbprint shown in certsrv.msc before accepting; this is the only check that the pasted certificate is really your root.
  - Fortigate Firewall:
    - Navigate to System > Certificates, click Import (Create/Import in newer releases), choose CA Certificate, and upload the file. It then appears under CA Certificates; Local Certificates holds the firewall's own certificates and keys, not trusted roots.
  - Juniper Devices:
    - Copy the file to the device (Junos file copy accepts scp, ftp and http sources, for example file copy admin@fileserver:/srv/rootCA.pem /var/tmp/rootCA.pem from operational mode), then create a CA profile and load the certificate into it:
      root@device# set security pki ca-profile MyRootCA ca-identity MyRootCA
      root@device# commit
      root@device> request security pki ca-certificate load ca-profile MyRootCA filename /var/tmp/rootCA.pem
- Verify the Installation:
  - Confirm the device lists the CA certificate (show crypto ca certificates on ASA, show crypto pki certificates on IOS, show security pki ca-certificate on Junos, the CA Certificates list on FortiGate), then test a TLS connection from or through the device, such as a VPN or LDAPS connection to a server with a certificate from your CA, and check its logs no longer report an untrusted issuer.
Why This Is Important:
- Security: By installing the root CA certificate across all devices, you ensure they trust the certificates issued by your AD CS, enabling secure communication like HTTPS for websites, VPNs, and other services.
- Interoperability: If you have multiple devices (e.g., Windows, Linux, network devices), this process ensures they can all verify and trust each other’s certificates, ensuring seamless operations across platforms and services.
7. Maintenance and Best Practices
- Monitor Certificates:
  - Regularly check issued certificates and the CA certificate itself for expiry and renew them before they lapse. Keep the CRL published on schedule as well; clients that cannot fetch a current CRL may reject certificates that are otherwise valid.
- Backup CA Configuration:
  - In the Certification Authority console, right-click the CA > All Tasks > Back Up CA to back up the CA certificate, private key and database. Store the backup offline and guard its password: anyone holding the key backup can issue certificates that every device in section 6 trusts.
- Document Changes:
  - Maintain a log of issued certificates, expiration dates, and changes to the CA setup.
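The two routine tasks above, scripted for the CA server: list issued certificates that expire within a window, read directly from the CA database, and take a password-protected backup of the CA key and database. This is an added example, not code from the manual; the 30-day window, the backup path C:\CABackup and the assumption that certutil's CSV columns come back in the order requested are mine, and the script runs elevated on the CA.

```powershell
# Added example, not from the original manual: expiry report and CA backup for section 7.
# Run elevated on the CA. Window, backup path and column handling are assumptions; certutil's
# CSV header names depend on the UI language, so columns are read by position, not by name.

function Get-ExpiringIssuedCertificate {
    param([int] $Days = 30)
    $cutoff = (Get-Date).AddDays($Days)
    # Disposition 20 = issued. certutil emits the requested columns as CSV with a header row.
    $rows = certutil -view -restrict 'Disposition=20' `
                -out 'RequestID,CommonName,NotAfter,SerialNumber' csv | ConvertFrom-Csv
    foreach ($row in $rows) {
        $v = @($row.PSObject.Properties.Value)   # RequestID, CommonName, NotAfter, SerialNumber
        $expires = [datetime]::Parse($v[2])      # certutil prints dates in the current locale
        if ($expires -le $cutoff) {
            [pscustomobject]@{
                RequestID  = [int]$v[0]
                CommonName = $v[1]
                NotAfter   = $expires
                DaysLeft   = [int]($expires - (Get-Date)).TotalDays   # negative = already expired
                Serial     = $v[3]
            }
        }
    }
}

function Backup-HomeLabCA {
    param([string] $Path = 'C:\CABackup')   # assumed path
    # Backs up the CA certificate, private key and database. Whoever holds this backup and its
    # password can impersonate the CA, so keep it offline and treat the password as a root secret.
    $pw = Read-Host -Prompt 'Backup password' -AsSecureString
    Backup-CARoleService -Path $Path -Password $pw -Force
    Get-ChildItem -Path $Path -Recurse -File | Select-Object FullName, Length, LastWriteTime
}

Get-ExpiringIssuedCertificate -Days 30 | Sort-Object NotAfter | Format-Table -AutoSize
Backup-HomeLabCA
```

Run the expiry report from a scheduled task and alert on any row with DaysLeft below your renewal lead time; the backup should be taken after every change to the CA configuration and before renewing the CA certificate.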