This is the first part of a series of articles on deploying and managing a Linux agent where the certificates are managed by an Enterprise CA PKI infrastructure.
This is going to be a quick and dirty install on my one and only Domain Controller in my lab, which isn’t best practice but will work fine for testing. I’ll also install Web Enrollment capability.
Hopefully I shouldn’t need to state this, but please only do this in a home lab or isolated test environment, as you will be installing and configuring domain-wide capabilities onto Domain Controllers.
Step 1 is to install the required Roles and Features
- From Server Manager on the Domain Controller, select Manage, then Add Roles and Features
- On the “Before You begin” window, click Next
- On the “Select installation type” window, select “Role-based or feature-based installation” and click Next
- I’m installing locally on the Domain Controller, so on the “Select destination server” window I just need to make sure my local server is selected and click Next
- On the “Select server roles” window, select the check box “Active Directory Certificate Services” and a pop up window will appear asking if you want to add additional features
- Click “Add Features” on the pop up window
- Make sure the “Active Directory Certificate Services” check box is now selected and click Next

- On the “Select features” window, click Next
- On the “Active Directory Certificate Services” window, click Next
- On the “Select role services” window, ensure Certificate Authority is checked and also check “Certification Authority Web Enrollment”. A pop up window will appear which lists the additional features which need to be installed (IIS functionality for web enrollment).
- Click Add Features in the pop up window
- Make sure the “Certificate Authority” and “Certification Authority Web Enrollment” check boxes are checked.
- Click Next

- On the “Web Server Role (IIS)” window, click Next
- On the “Select role services” window, click Next
- On the “Confirm installation selections” window, click Install
- Wait for the installation to complete and click Close

At this stage, I’d schedule or carry out a reboot and then start on the configuration.
Step 2 is to configure the Certificate Authority
Now that the Roles and Features have been installed, they need to be configured. You’ll see a yellow warning triangle at the top of the Server Manager window; click on that and start the configuration.

- Click “Configure Active Directory Services on this server” from the screenshot above.
- On the “Credentials” window, ensure you have a suitable account selected (requirements are in the screenshot below). Click Next

- On the “Role Services” window, ensure the “Certification Authority” and “Certification Authority Web Enrollment” check boxes are selected and click Next.

- On the “Setup Type” window, select “Enterprise CA” and click Next

- On the “CA Type” window, select “Root CA” and click Next
- On the “Private Key” window, select “Create a new private key” and click Next
- On the “Cryptography for CA” window, I have changed the Key Length to 4096 and left the other default settings in place (see screenshot below). Click Next.

- On the “CA Name” window, I have accepted the defaults (as per the screenshot below). Click Next.

- On the “Validity Period” window, I have left this on 5 years. I would set it for much less in a production environment. Click Next.
- On the “CA Database” window, I have left the default locations for the database and logs (C:\Windows\system32\CertLog). Click Next.
- On the “Confirmation” window, click Configure.
- On the “Results” window, click Close

Once again, I do a restart before validating that everything is working as expected.
Step 3 is to validate the install
- On the Domain Controller with the CA installed, I can validate the install and configuration through:
  - Server Manager, Tools, Certification Authority, and make sure everything is healthy
  - A web browser pointed at http://servername/certsrv (in my case http://dc1/certsrv)
- I’ll need to secure the IIS server to use https, but that is for another day.
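The same three steps as a single PowerShell run, added here as an example rather than the author’s own script. It assumes an elevated session on the Domain Controller (named DC1 here, an assumption) by an Enterprise Admin, and keeps the same choices the walkthrough makes: Enterprise Root CA, 4096-bit key, 5-year validity, default CertLog location, web enrollment.

```powershell
# Added example: install, configure and validate AD CS from PowerShell.
# Assumes an elevated session on the DC (assumed name: DC1) as an Enterprise Admin.

# Step 1: roles and features. Web enrollment pulls in the IIS bits it needs.
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# Step 2: configure the CA with the same choices as the GUI walkthrough.
# -Force suppresses the confirmation prompt; the CA common name is left at its default.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 `
    -DatabaseDirectory 'C:\Windows\system32\CertLog' `
    -LogDirectory 'C:\Windows\system32\CertLog' `
    -Force

# Web enrollment (the /certsrv site) is configured separately.
Install-AdcsWebEnrollment -Force

# Step 3: validate. The service must be running and the CA must answer a ping.
# The active CA name is read from the registry so certutil does not show a picker dialog.
Get-Service -Name CertSvc | Select-Object Status, Name
$caName = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active
certutil -config "$env:COMPUTERNAME\$caName" -ping

# Web enrollment check: certsrv uses Windows authentication, so pass the current credentials.
# Assumed hostname: dc1. A 200 here matches opening http://dc1/certsrv in a browser.
(Invoke-WebRequest -Uri 'http://dc1/certsrv/' -UseDefaultCredentials -UseBasicParsing).StatusCode
```

A reboot after each of the first two steps, as in the walkthrough, still applies.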


Configure https
- In IIS Manager, open the website bindings, add an https binding and remove the http one

- And using Microsoft Edge I can now connect using https

- However, Firefox isn’t so accommodating

- This error is explained here – https://support.mozilla.org/en-US/questions/1197635
- And the fixes listed here – https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox
- In a production environment I would use policies
- In my lab I just updated Firefox locally:
  - Enter “about:config” in the address bar and continue to the list of preferences.
  - Set the preference “security.enterprise_roots.enabled” to true.
  - Restart Firefox.
