Lab:Configuring a Microsoft Server to be a Root Certificate Authority (CA)

From Iwan
Jump to: navigation, search

In this lab I am working with the following software and versions:

Software Version Filename
Windows Server 2019 en_windows_server_2019_updated_feb_2020_x64_dvd_de383770.iso
  1. Configure a Microsoft Server to be a Root Certificate Authority (CA) so it can be used to signed SSL certificates (from the NSX Manager for example)
  1. Prepare the Microsoft Certificate Services so it can sign NSX Manager Node certificates

The Steps

  • STEP 1: Configuring a Microsoft Server to be a Root Certificate Authority (CA)
  • STEP 2: Export the root certificate
  • STEP 3: Verification on the Microsoft CA Server
  • STEP 4: Preparing the Microsoft CA Server for NSX-T Certificate Signing

STEP 1: Configuring a Microsoft Server to be a Root Certificate Authority (CA)

Before I can start generating CSR's and signing these, I first need to have a CA server to sign the CSRs with. In this step, I am going to show you (one of many ways) how to set up a CA server that is based on Microsoft Windows 2019 Server.

⚠️ As a prerequisite I need to make sure that the Microsoft Windows 2019 Server is fully configured as an Active Directory Server.

⚠️ As a prerequisite I need to make sure that the Microsoft Windows 2019 Server is fully configured with the IIS (Web) Server.

First, I click on “Add roles and features".

Untitled.png

Leave the following settings default and click “Next >”.

Untitled%201.png

Leave the following settings default and click “Next >”.

Untitled%202.png

Leave the following settings default and click “Next >”.

Untitled%203.png

Make sure to select “Active Directory Certificate Services" and click “Next >”.

Untitled%204.png

When I have selected the “Active Directory Certificate Services" checkbox the installation will ask me to add some additional tools that are required as a prerequisite. Go ahead and add these features.

Untitled%205.png

The “Active Directory Certificate Services" role is now selected and I can go ahead and click on “Next >”.

Untitled%206.png

Leave the following settings default and click “Next >”.

Untitled%207.png

Leave the following settings default and click “Next >”.

Untitled%208.png

The “Certification Authority” Role will already be selected for me by default, but before I click on “Next >” I need to select additional role services.

Untitled%209.png

Select the following role services:

  • Certificate Enrolment Policy Web Service
  • Certificate Enrolment Web Service
  • Certification Authority Web Enrollment

And click “Next >”.

Untitled%2010.png

Check the box “Restart the destination server automatically if required" Click on “Install”.

Untitled%2011.png

The installation process will start and will finish and then I will be able to “Close” the window.

Untitled%2012.png

When the installation is done I need to do some additional "Post-deployment Configuration” so I need to look at the yellow exclamation mark in the upper right corner and click on “Configure Active Directory Certificate Services on this server”.

Untitled%2013.png

Leave the following settings default and click “Next >”.

Untitled%2014.png

Make sure the “Certification Authority” and "Certification Authority Web-Enrollment” Role Services are selected and click on “Next >”.

🤘🏻 These two Role Services needs to be configured first before the others can be configured in a later stage.

Untitled%2015.png

Leave the following settings default and click “Next >”.

Untitled%2016.png

Leave the following settings default and click “Next >”.

Untitled%2017.png

Leave the following settings default and click “Next >”.

It is important that I create a private key for this new Root Certificate Authority (CA) here.

Untitled%2018.png

Leave the following settings default and click “Next >”.

Untitled%2019.png

Leave the following settings default and click “Next >”.

Untitled%2020.png

Leave the following settings default and click “Next >”.

Untitled%2021.png

Leave the following settings default and click on “Next >”.

Untitled%2022.png

Leave the following settings default and click on “Configure”.

Untitled%2023.png

When the selected services are configured and the below messages are displaced that the Configuration is succeeded I can click on “Close”.

Untitled%2024.png

Now it’s time to configure the additional role services. SO click on “Yes” when I get the below question to configure additional role services.

Untitled%2025.png

Leave the following settings default and click on “Next >”.

Untitled%2026.png

Now select to configure the following additional "Role Services":

  • Certificate Enrolment Web Service
  • Certificate Enrolment Policy Web Service

Untitled%2027.png

Leave the following settings default and click on “Next >”.

Untitled%2028.png

Leave the following settings default and click on “Next >”.

Untitled%2029.png

I need to specify a service account here that is a member of the IIS_IUSRS group. I currently have no account (or user) that is part of this group so I need to add this group to an account.

Untitled%2030.png

In order to assign the group to the account, I need to open the "Active Directory Users and Computers” Management Console.

Untitled%2031.png

I need to select the account I want to use as a service account and go to the properties. In my case, I will select the "Administrator account".

Untitled%2032.png

Browse to the “Member of” tab.

Untitled%2033.png

Add the IIS_IUSRS group to the "Administrator" account.

Untitled%2034.png

Make sure the IIS_IUSRS is listed in the "Member Of" list of the account.

Untitled%2035.png

Now that the account has the proper rights I can click on select.

Untitled%2036.png

I need to type in the credentials of the service account (in my case the Administrator account) and click on “OK”.

Untitled%2037.png

Click on “Next >” when the service account is specified.

Untitled%2038.png

Leave the following settings default and click on “Next >”.

Untitled%2039.png

Make sure I select the “certificate" for SSL encryption first before I can click on “Next >”.

Untitled%2040.png

Click on “Configure”.

Untitled%2041.png

When I see the message “Configuration succeed" click on Close.

Untitled%2042.png

Now I have installed on configured the CA Server with its underlying Roles and Services completely.

Now I can verify is the “AD CS" option appears in the Server Manager menu. I can click on it.

Untitled%2043.png

When I click on it I can see that the AD server is online and activated.

Untitled%2044.png

STEP 2: Export the root certificate

I should also be able to open the "Certification Authority" Management Console.

I will need this later to do some additional preparation before I can start signing the CSRs for the NSX-T Manager Nodes.

Untitled%2045.png

When I have opened the “Certification Authority" Management Console I will see the following screen.

Untitled%2046.png

Select the name to right-click and go to the properties.

Untitled%2047.png

Make sure the hash algorithm is SHA256.

Untitled%2048.png

Click on “View Certificate”.

Untitled%2049.png

I will see the information on the Root Certificate of this CA Server.

Untitled%2050.png

Click on the details. And click on “Copy to File” in order to export the Root Certificate to my Computer.

I will need this later when I import the Root CA certificate and the signed NSX-T node certificates in NSX-T.

Untitled%2051.png

Click on “Next”.

Untitled%2052.png

Select the “Base-64 encoded X.509 (.CER)" File Format for the export and click “Next”.

Untitled%2053.png

Specify a valid path that I want to export the files.

Untitled%2054.png

Click on “Finish” to complete the export of the root certificate files.

Untitled%2055.png

A message should pop up with “that the export was successful”.

Click on OK to close the message.

Untitled%2056.png

It’s always good practice to browse to the file and make sure it is really there.

Untitled%2057.png

I can view the content as well, as I am doing here with Notepad++.

Untitled%2058.png

The content of the root certificate authority certificate is displayed below.

Untitled%2059.png

So now I have all the prerequisites in place to start with the next step.

STEP 3: Verification on the Microsoft CA Server

Now that the CA Server and its underlying role services I need to use the web browser and browse to the following URL https://localhost//certsrv (from the Microsoft CA itself):

Browse to the URL.

Untitled%2060.png

Do the additional actions to access the website, this is browser-specific, I am using Google Chrome here.

Untitled%2061.png

This confirms I can use this (web) server to sign our Certificates with.

Untitled%2062.png

STEP 4: Preparing the Microsoft CA Server for NSX-T Certificate Signing

Before I start I need to create a new Certificate Template with some specific settings for the NSX-T Node CA-signed certificates.

So let's open the Certification Authority Management Console again.

Select Certificate Templates and right-click this and select "Manage".

Untitled%2063.png

Select the “Web Server” Template and right-click and select "Duplicate Template”.

Untitled%2064.png

Go to the “Compatibility” tab and select "Windows Server 2008 R2" as the Certificate Authority Compatibility.

Untitled%2065.png

Just click “Ok” on the pop-up window.

Untitled%2066.png

Select “Windows 7/Windows 2008 R2" as the "Certificate Recipient".

Untitled%2067.png

Just click “Ok” on the pop-up window.

Untitled%2068.png

Go to the “Extensions” tab.

Untitled%2069.png

Select “Basic Constraints” and click on "Edit".

Untitled%2070.png

Make sure this extension is enabled by checking the box.

Untitled%2071.png

Go to the “General” tab and provide a new name for this cloned template.

My name is NSX-T-SSL-CERT. Close the window with “OK”.

Untitled%2072.png

In the list of the Certificates Templates, I now see the new Template.

Untitled%2073.png

Right-click the “Certificate Templates” and select “Manage”.

Untitled%2074.png

Select the Certificate Templates again and now select "New" and then "Certificate Template to Issue”.

Untitled%2075.png

Select the template I just created "NSX-T-SSL-CERT" and click ok "OK".

Untitled%2076.png

Now I see the new Template listed on the Certificate Templates list.

Untitled%2077.png

I need to make sure one more time that the hash algorithm is set to SHA256.

Select the CA server and right-click and select "Properties”

Untitled%2078.png

Validate that that the hash algorithm is set to SHA256.

Untitled%2079.png

Now I have created a Certificate Template with the correct settings that I can use to sign my CSRs.

Continue with >> Lab: Signing the NSX CSR with a Microsoft (root) CA Server