For most businesses, employee participation within a network requires authentication, encryption and digital signatures to ensure security is not compromised.
Windows 2008 Server comes equipped with Active Directory Certificate Services (AD CS), an Identity and Access Control security technology that provides customizable services to create and manage Certificate Authorities and public key certificates. For example, when an employee wants to access their business network, a certificate is automatically requested. The Certificate Authority (CA) verifies the employee’s information according to the relevant CA policies and digitally signs the certificate using its private key. The CA then issues the certificate as a security credential in a Public Key Infrastructure (PKI). In other words, the certificate generated by the CA implies that it ‘trusts’ the user and allows them access to the network. In some cases, if the user’s details do not fulfill the CA criteria, the certificate is revoked and deemed invalid, and this is published on a Certificate Revocation List (CRL). AD CS can be used on a domain-connected or standalone Windows 2008 Server.
How to install a root CA in AD CS
Click Start – Administrative Tools – Server Manager
Select the ‘Roles’ node and, in the Roles pane, click the Add Roles link. The ‘Add Roles Wizard’ opens.
The Select Server Roles page lists the roles you can choose to install.
Select the Active Directory Certificate Services check box and click Next.
The Introduction to Active Directory Certificate Services page appears. Click Next to continue.
The Select Role Services page appears. Check that the Certification Authority box is ticked then click Next.
The Specify Setup Type page requests that you specify whether you want to set up an Enterprise CA or Standalone CA. For this example, we select the Enterprise option and click Next.
Note: To install an enterprise CA, a network connection to a domain controller is required.
The Introduction to Active Directory Certificate Services page requests that you specify whether you want to set up a root CA or subordinate CA. Since you are installing a CA for the first time in a public key infrastructure, you select the Root CA option and click Next.
Note: A Root CA is the most trusted type of CA in the enterprise PKI of an organization.
On the Set up Private Key page, choose the Create a new private key option as you are creating the first CA in your organization. Click Next.
The Configure Cryptography for CA page displays. You need to select the settings for the new private key. For our example, we decide to have the highest level of security so we choose the 4096 key character length. For the hash algorithm, we keep the default selection of sha1 and click Next to continue.
Note: Selecting a higher value for key length results in stronger security; however, the time required to complete signing procedures increases.
The next page, Configure CA Name, requests that you type in a common name to identify this CA. A name for the CA has automatically been created, along with its distinguished name suffix values. You can either accept the default settings or amend the name and suffix if you prefer. Click Next to continue.
On the Set Validity Period page, select the validity period for which the certificate created for the CA must remain valid. For example, you could set it to 8 months. Click Next.
On the Configure Certificate Database page, you can either accept the default locations or browse to your preferred folder locations for the certificate database and the certificate database log. Click Next.
Click Install on the Confirm Installation Selections page. The Installation Results page confirms that the role has been installed. Click the Close button to close the wizard.
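Once the role is installed, the choices made on the Configure Cryptography for CA and Set Validity Period pages can be checked on the resulting CA certificate. The PowerShell below is an added example, not part of the original article: it flags a SHA-1 (or older) signature hash, a short key, and a validity period that is close to running out. The function name, the thresholds and the sample subject `CN=Example-Root-CA` are assumptions, and the sample object is constructed to mirror the wizard selections described above (4096-bit key, sha1, 8 months).

```powershell
# Added example, not from the original article. Thresholds are assumptions.
function Test-CaCertificate {
    param(
        $Cert,                      # X509Certificate2, or an object with the same properties
        [int]$MinKeyBits  = 2048,   # assumed minimum acceptable RSA key length
        [int]$MinDaysLeft = 365,    # assumed warning threshold for remaining validity
        [datetime]$Now    = (Get-Date)
    )
    $hash = $Cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA
    $bits = $Cert.PublicKey.Key.KeySize             # assumes an RSA key, as chosen in the wizard
    $days = [math]::Floor(($Cert.NotAfter - $Now).TotalDays)

    $findings = @()
    if ($hash -match '^(md2|md4|md5|sha1)') { $findings += "weak signature hash ($hash)" }
    if ($bits -lt $MinKeyBits)              { $findings += "key shorter than $MinKeyBits bits ($bits)" }
    if ($Cert.Subject -ne $Cert.Issuer)     { $findings += 'not self-signed, so not a root CA certificate' }
    if ($days -lt 0) {
        $findings += 'certificate has expired'
    } elseif ($days -lt $MinDaysLeft) {
        $findings += "expires in $days days"
    }

    # One result object per certificate, suitable for Format-List or Export-Csv
    New-Object PSObject -Property @{
        Subject  = $Cert.Subject
        Hash     = $hash
        KeyBits  = $bits
        DaysLeft = $days
        Findings = $findings
    }
}

# Constructed sample that mirrors the wizard choices in this walkthrough
$now    = Get-Date
$sample = New-Object PSObject -Property @{
    Subject            = 'CN=Example-Root-CA'       # hypothetical name
    Issuer             = 'CN=Example-Root-CA'
    SignatureAlgorithm = New-Object PSObject -Property @{ FriendlyName = 'sha1RSA' }
    PublicKey          = New-Object PSObject -Property @{
        Key = New-Object PSObject -Property @{ KeySize = 4096 }
    }
    NotAfter           = $now.AddMonths(8)
}
Test-CaCertificate -Cert $sample -Now $now | Format-List

# Against the real store on the CA server (self-signed certificates only):
# Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $_.Issuer } |
#     ForEach-Object { Test-CaCertificate -Cert $_ }
```

For the constructed sample, the key length passes while the sha1 hash and the 8-month validity period are both reported as findings.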