Windows-Server-2022
Certificate Authority Setup

Enterprise CA Overview

An Enterprise CA is integrated into Active Directory (AD), providing these key benefits:

  1. Certificates are automatically issued and managed for domain-joined devices using Group Policy.
  2. Centralized control for managing certificate templates.
  3. Seamless integration with AD for client authentication, encryption, and secure communication.

Since the Enterprise CA is AD-integrated, it requires that:

  • The server hosting the CA is domain-joined.
  • Domain functional levels are compatible with Windows Server 2022.

CA Use Case: Hybrid Cloud PKI

Your CA will:

  • Issue certificates for cloud-based workloads (Azure VMs, web applications, etc.).
  • Secure on-premises devices and services (like RADIUS, Wi-Fi authentication, or internal web servers).
  • Be accessible across your hybrid cloud environment.

1. Prerequisites

Hardware and Software

  1. Windows Server 2022 running as a domain member.
  2. A static IP address assigned to the server, so that name resolution and client connections stay consistent.
  3. Sufficient storage for certificate logs and the CA database:
    • Minimum: 10 GB (increase based on the number of issued certificates).

Network Configuration

  • Verify DNS settings and connectivity between Azure and on-prem devices.
  • Configure any firewalls (e.g., Azure NSGs or on-premises firewalls) to allow the following CA-related traffic:
    • RPC endpoint mapper (TCP 135), plus the dynamic RPC port range (TCP 49152–65535 by default) that DCOM-based enrollment is handed off to after contacting the endpoint mapper.
    • Kerberos (TCP/UDP 88).
    • SMB (TCP 445).
    • HTTP (TCP 80/443 for web enrollment).
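A quick way to confirm the firewall and NSG rules above actually let CA traffic through, run from an on-prem or Azure client. This is an added example, not part of the original guide; the CA hostname and CA name are assumed values.

```powershell
# Added example: check the fixed CA ports, then do an end-to-end RPC ping.
# Hostname and CA name below are assumptions; replace with your own.
$CaHost = 'ca01.hwtech.local'
$CaName = 'HWTechEnterpriseCA'

# Fixed ports listed in the guide: RPC endpoint mapper, Kerberos, SMB, web enrollment
foreach ($port in 135, 88, 445, 80, 443) {
    $r = Test-NetConnection -ComputerName $CaHost -Port $port -WarningAction SilentlyContinue
    '{0,5}  {1}' -f $port, $(if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
}

# TCP 135 only reaches the endpoint mapper; DCOM enrollment is then handed to a
# dynamic high port. The reliable end-to-end test is therefore an RPC ping of
# the CA's request interface, which fails if the dynamic range is filtered.
certutil -config "$CaHost\$CaName" -ping
```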

2. Install AD CS Role

GUI Instructions

  1. Log in to your Azure-hosted Windows Server:

    • Use Remote Desktop with your admin credentials.
  2. Open Server Manager:

    • Click Start → Search for Server Manager → Open it.
  3. Add Roles and Features Wizard:

    • From the Dashboard, click Add roles and features.
    • Click Next in the Before You Begin window.
  4. Installation Type:

    • Select Role-based or feature-based installation → Click Next.
  5. Server Selection:

    • Choose your local server (already selected by default) → Click Next.
  6. Select Roles:

    • Scroll down and check Active Directory Certificate Services.
    • Click Add Features when prompted.
    • Click Next.
  7. Features:

    • Leave the defaults and click Next.
  8. AD CS Role Services:

    • Select the following:
      • Certification Authority (mandatory).
      • Certification Authority Web Enrollment (optional; needed if web-based certificate requests will be used).
    • Click Next.
  9. Confirmation:

    • Review your selections → Click Install.
    • Wait for the installation to complete.
  10. Post-Installation:

    • You will see a prompt for post-deployment configuration. Click Close for now; configuration will be handled in the next step.

PowerShell Alternative

Run the following commands to install the AD CS role:

Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

3. Configure AD CS

GUI Instructions

  1. Access the Post-Deployment Configuration Wizard:

    • In Server Manager, click the notification flag at the top-right.
    • Select Configure Active Directory Certificate Services.
  2. Credentials:

    • Ensure your domain admin account is selected for the setup → Click Next.
  3. Role Services:

    • Select:
      • Certification Authority.
      • Certification Authority Web Enrollment (if installed earlier).
    • Click Next.
  4. Setup Type:

    • Select Enterprise CA → Click Next.
  5. CA Type:

    • Choose Root CA (since this will be your first CA) → Click Next.
  6. Private Key:

    • Select Create a new private key → Click Next.
  7. Cryptographic Settings:

    • Set the following:
      • Cryptographic provider: RSA#Microsoft Software Key Storage Provider.
      • Key length: 2048 (or higher for enhanced security).
      • Hash algorithm: SHA256.
    • Click Next.
  8. CA Name:

    • Enter a friendly name for your CA (e.g., HWTechEnterpriseCA).
    • Click Next.
  9. Validity Period:

    • Specify the duration of the CA certificate validity:
      • Recommendation: 10 years for root CAs.
    • Click Next.
  10. CA Database:

    • Specify the storage locations for the database and log files (use defaults or a dedicated volume).
    • Click Next.
  11. Confirmation:

    • Review the settings and click Configure.
  12. Completion:

    • Once configuration completes, click Close.

PowerShell Alternative

To configure the CA, use the following PowerShell commands:

Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 2048 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -CACommonName "HWTechEnterpriseCA"
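Once the CA is configured, it is worth verifying what was actually built and switching on CA auditing so that issuance, revocation and template changes are recorded in the Security log. This is an added example, not part of the original guide; it assumes the CA common name HWTechEnterpriseCA and the key and hash settings chosen above.

```powershell
# Added example: post-configuration verification and audit enablement.
# Assumes the CA common name HWTechEnterpriseCA from the steps above.

# Service state and the CA's configuration name
Get-Service CertSvc | Select-Object Status, StartType
certutil -cainfo name

# The CA certificate itself: confirm a SHA256 signature and a 2048-bit or larger key
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=HWTechEnterpriseCA*' -and $_.Issuer -eq $_.Subject }
$caCert | Format-List Subject, NotBefore, NotAfter,
    @{ n = 'SigAlg';  e = { $_.SignatureAlgorithm.FriendlyName } },
    @{ n = 'KeyBits'; e = { $_.PublicKey.Key.KeySize } }   # Windows PowerShell 5.1

# Cap on the lifetime of certificates this CA will issue (registry default is
# 2 years; a template cannot exceed it). Change it deliberately, not by accident.
certutil -getreg CA\ValidityPeriodUnits
certutil -getreg CA\ValidityPeriod

# Turn on all seven CA audit categories (127 = 0x7F) and the Windows audit
# subcategory that emits them, then restart the service so the filter applies
certutil -setreg CA\AuditFilter 127
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
Restart-Service CertSvc
```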

4. Configure Certificate Templates

Certificate templates allow you to define specific settings for different certificate types (e.g., web servers, client authentication).

GUI Instructions

  1. Open the Certification Authority Console:

    • Open Server Manager → Tools → Certification Authority.
  2. Access Templates:

    • Expand your CA name in the left pane.
    • Right-click Certificate Templates → Click Manage.
  3. Duplicate a Template:

    • Right-click a built-in template (e.g., Web Server) → Click Duplicate Template.
  4. Edit Template Settings:

    • Under the General tab:
      • Template display name: HWTech Web Server.
    • Under Compatibility:
      • Set Certification Authority to Windows Server 2016/2022.
      • Set Certificate recipient to Windows 10/Server 2016 or later.
    • Under Request Handling:
      • Check Allow private key to be exported (if needed).
    • Under Subject Name:
      • Select Supply in the request or Build from Active Directory (depending on your need).
    • Under Extensions:
      • Add or remove key usages and enhanced key usages (e.g., Digital Signature, Key Encipherment).
  5. Save and Publish Template:

    • Save the template and return to the CA console.
    • Right-click Certificate Templates → New → Certificate Template to Issue.
    • Select your template and click OK.

PowerShell Alternative

# The built-in ADCSAdministration cmdlets can publish templates but cannot
# create or edit them. Build and save the "HWTech Web Server" template in the
# Certificate Templates console (steps 3-4 above), then publish it from here.
Import-Module ADCSAdministration

# List the templates this CA already issues
Get-CATemplate | Format-Table Name, Oid

# -Name is the template's AD common name, not its display name. The console
# derives it from the display name by dropping spaces, so "HWTech Web Server"
# becomes HWTechWebServer.
Add-CATemplate -Name "HWTechWebServer" -Force

# Confirm the template is now issuable by this CA
Get-CATemplate | Where-Object { $_.Name -eq "HWTechWebServer" }

# Review the template's stored settings (subject name flags, key usage,
# validity) as written by the console
certutil -v -dstemplate HWTechWebServer

5. Configure Auto-Enrollment for Domain-Joined Devices

Auto-enrollment simplifies certificate deployment to domain-joined machines.

GUI Instructions

  1. Open Group Policy Management:

    • Open Server Manager → Tools → Group Policy Management.
  2. Edit a GPO:

    • Right-click an existing GPO (e.g., Default Domain Policy) → Click Edit.
  3. Enable Auto-Enrollment:

    • Navigate to:
      Computer Configuration → Policies → Windows Settings → Security Settings → Public Key Policies → Certificate Services Client – Auto-Enrollment.
    • Enable:
      • Renew expired certificates, update pending certificates, and remove revoked certificates.
      • Update certificates that use certificate templates.
  4. Apply the Policy:

    • Close the editor and run gpupdate /force on the target devices.
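To check that the policy landed and a certificate was actually enrolled, run the following on a domain-joined client after gpupdate /force. This is an added example, not part of the original guide; it assumes the CA common name HWTechEnterpriseCA from the configuration above.

```powershell
# Added example: confirm auto-enrollment policy and issued certificates on a client.
# Assumes the CA common name HWTechEnterpriseCA.

# AEPolicy is the registry value the GPO writes. 7 = enabled + renew/update/remove
# + update templates (the two boxes ticked above); 0x8000 = auto-enrollment disabled.
$ae = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' `
                       -Name AEPolicy -ErrorAction SilentlyContinue
if ($null -eq $ae)          { 'AEPolicy not set: the GPO has not applied yet' }
elseif ($ae.AEPolicy -eq 7) { 'Auto-enrollment fully enabled (AEPolicy = 7)' }
else                        { 'AEPolicy = {0}: check the GPO settings' -f $ae.AEPolicy }

# Trigger the auto-enrollment task now instead of waiting for the next refresh
certutil -pulse

# Machine certificates issued by our CA, with expiry and the template that produced them
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like 'CN=HWTechEnterpriseCA*' } |
    Select-Object Subject, NotAfter, Thumbprint,
        @{ n = 'Template'; e = {
            # 1.3.6.1.4.1.311.21.7 = Certificate Template Information (v2+ templates)
            foreach ($x in $_.Extensions) {
                if ($x.Oid.Value -eq '1.3.6.1.4.1.311.21.7') { $x.Format($false) }
            } } }

# Enrollment failures (wrong permissions, CA unreachable) are logged in Application
Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```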

Documentation and Cheat Sheet

  1. Default CA Ports:

    • TCP 135: RPC.
    • TCP 445: SMB.
    • TCP 80/443: HTTP/HTTPS for web enrollment.
  2. Common Commands:

    • List the templates published on the CA:
      Get-CATemplate
    • Revoke a certificate by serial number (reason code optional, e.g. 1 = Key Compromise):
      certutil -revoke <SerialNumber> <ReasonCode>