
Windows Server 2016 - Setup Root Certificate Authority CA with OCSP Certificate Roles

61,276 views

Windows Ninja


Windows Server - Setup Root Certificate Authority CA with OCSP Certificate Roles
When we set up an internal LAN for a corporate environment, we need services such as SSL, encrypted VPN, DirectAccess and more. They depend on a CA with root and other service certificates. One can buy such certificates or create one's own for free. This video shows you how to set up the CA with the OCSP role, which lets client computers check the validity of our certificates, i.e. that they have not been revoked.
For more visit:
www.windows10.ninja
www.servers2016.com
Transcript (machine generated so it contains errors)
Hello, and a very good day to you. This video is going to show you how to set up a certificate authority on your Windows server, and also ensure that the certificate checking, to see whether the certificates are valid, is also set up, so basically the OCSP service role is also there. Now, there are a number of steps.
However, they can be summarised into about three: setting up the certificate authority, setting up the OCSP, and also group policies and the template. It's all fairly straightforward. Here, the first step is we open Server Manager, very simple. This is a domain-joined computer, so it does help if it is that way. In Server Manager you get the screen, and then Add Roles and Features. Next, next, next. Okay, so that's the very first part: click next, next, next. We are creating a certificate authority now. For future use, like for example when we do VPNs et cetera, we will also add this web enrolment. Okay, you don't really need to do that right now, but we are registering it at the same time, and the online responder. This is the service, the role that actually runs on the server, and whenever a certificate is used by a client computer, another server, et cetera, they check to see that it is still valid, and the server actually does the verification and says it is valid, all good, continue with what you wanted, or back out. Next. Click next. Okay, because we clicked the web enrolment, a lot of IIS (Internet Information Services) components are added as well, so it will take a little bit longer to install. Once it has finished installing, it will ask you to configure; you can click on configure and close here, and then click over there, and it is the same thing. Okay, now it's up with the main screen. It does a little bit of checking and then goes ahead.
The first thing, because of the web enrolment, we will just install that one first and then quickly come back for the others; it takes a few seconds. Next, make sure it is an Enterprise CA, make sure it's a Root CA. Next, we are creating a private key, and you can choose the defaults. You can create a common name. A good system would be to use the domain name or the IP address, which makes it easy to find; however, as it is the default, we will just go ahead with that. Click next. Okay, that's that; again next, and then configure, and it will happily create our certificate authority and allow us to choose the other two things. We'll just click both of them, and click next...
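
A scripted equivalent of the wizard steps walked through above, as an added example that is not from the video or its author. It assumes an elevated PowerShell session on the domain-joined server under an account in Enterprise Admins; the host name in the OCSP URL is a placeholder.

```powershell
# Added example: PowerShell equivalent of the Server Manager wizard steps.
# Assumption: run elevated on the domain-joined server, as a member of
# Enterprise Admins (needed to configure an Enterprise CA).

# 1. Add the three AD CS role services ticked in "Add Roles and Features":
#    Certification Authority, CA Web Enrollment (pulls in IIS), Online Responder.
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment, ADCS-Online-Cert `
    -IncludeManagementTools

# 2. Configure the CA first: Enterprise CA, Root CA, new private key,
#    wizard defaults for everything else (as chosen in the video).
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -Force

# 3. Configure the two remaining role services once the CA exists.
Install-AdcsWebEnrollment -Force
Install-AdcsOnlineResponder -Force

# 4. Publish the responder URL in the AIA extension so that certificates
#    issued from now on tell clients where to ask for revocation status.
#    Certificates issued before this step do not carry the OCSP location.
$ocspUrl = 'http://ca01.corp.example/ocsp'   # placeholder host name
Add-CAAuthorityInformationAccess -Uri $ocspUrl -AddToCertificateOcsp -Force
Restart-Service -Name CertSvc

# 5. Confirm what is installed and which AIA entries carry the OCSP flag.
Get-WindowsFeature -Name ADCS-* | Where-Object Installed |
    Select-Object Name, InstallState
Get-CAAuthorityInformationAccess | Where-Object AddToCertificateOcsp

# Not scripted here: the OCSP Response Signing template and the responder's
# revocation configuration are still set up in the Certificate Templates and
# Online Responder consoles.
```

After issuing a new certificate, `pkiview.msc` and `certutil -url` against that certificate show whether the OCSP location resolves and answers.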

Comments: 45
@albertogsm4330 5 years ago
You are simply great!!! Thank you so much man!! Your video is perfect!!! You helped me a lot!!
@andrewmabbett 4 years ago
Great tutorial, many thanks. Is it wise to install ADCS on a Domain Controller or a separate VM?
@reginoletellis4675 5 years ago
That was FABULOUS!!! GREAT tutorial..
@Windows10NinjaWorld 5 years ago
Thanks!
@stevearnell 5 years ago
Great Guide, very clear thanks.
@Windows10NinjaWorld 5 years ago
Great it helped!
@taly48 3 years ago
Thanks for the tutorial... regards
@alielhusseiny2620 4 years ago
Amazing!! Thanks a lot
@daveb8982 6 years ago
Great vid, thanks for your help! I can't get the OCSP service to recognize revoked certificates. I've tried adjusting the cache timeout, manually refreshing from the MMC, and various certutil commands but OCSP shows the revoked certs as "good" (via Wireshark). Any ideas?
@Windows10NinjaWorld 6 years ago
Following this video, what is the status of the certificate? kzbin.info/www/bejne/hoqzc6CglKeLa8k
@Martin-ot7xj 1 year ago
Hi there, in the first part at 01:25, must we have an Active Directory? Or can we have it in a workgroup? Because I have Windows Server 2019 and I want to have it in a workgroup. Thanks
@mksarav75 4 years ago
Thanks
@Atushe0 4 years ago
Hello. A quick question on this video. Is the instruction set for two different systems, PKI and Remote Access, or is it all done on one system? Thanks
@Windows10NinjaWorld 4 years ago
Both - server and client.
@patelpatel5829 5 years ago
Is there any video for PKI (with or without OCSP) with a 3-tier architecture, like one offline root CA and 2 online sub-CAs? I want to learn High Availability (or DR) for PKI. What if this primary server goes down?
@Windows10NinjaWorld 5 years ago
That is how most SSL certs are made - it is called a certificate chain, from the offline top to junior CA certs and other types of certs... The main CA cert needs to be installed on the other junior servers etc...
@patelpatel5829 5 years ago
@Windows10NinjaWorld Ninja, thanks for such a fast response. But is there any video from where I can learn the whole deployment and failover scenario?
@Windows10NinjaWorld 5 years ago
I have not made one, but that is a good idea! Just do a search for setup ca certificate chain server 2016 etc...
@patelpatel5829 5 years ago
@Windows10NinjaWorld Thank you so much for the help.
@dontbeconcerned 2 years ago
OCSP isn't in the list when trying to add a new cert. Can anyone help?
@SandrodePaula 2 years ago
Thanks!
@MechaGriffin 6 years ago
Hi Windows Ninja, great tutorial, but one question... How do we test this on a client machine to see if it works?
@Windows10NinjaWorld 6 years ago
You watch the next video: kzbin.info/www/bejne/q37Xe5qEZdWlg6c
@bradjames8256 6 years ago
This works great for IE/Edge and Chrome but Firefox doesn't like it: The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. - Error code: SEC_ERROR_UNKNOWN_ISSUER. Any ideas how to satisfy FF?
@Windows10NinjaWorld 6 years ago
Firefox needs the CA root certificate installed in Firefox itself manually. For steps: wiki.wmtransfer.com/projects/webmoney/wiki/Installing_root_certificate_in_Mozilla_Firefox
@Windows10NinjaWorld 6 years ago
Download and save the certificate to a folder first and then follow the website link.
@igornizambiev6836 5 years ago
Use this little manual for Firefox: "about:config" "security.enterprise_roots.enabled" "true". Now Firefox can accept all certificates issued by the corporate CA and trust the Root CA (if the Root CA is in Trusted Root Certificate Auth. on the PC). I'm not sure (if your error is related to a specific certificate type), but it might be useful.
@AymanSartawi 6 years ago
Hello, thanks a lot for the tutorial! How to set it up without joining a domain? Thanks
@Windows10NinjaWorld 6 years ago
Should be as the video but instead of using domains in the certificates you would just use IP addresses.
@stefannonchev3693 7 years ago
Hi, following the same steps, at the end I've run pkiview.msc and it's showing an error against the OCSP Location. Could you check in your environment if you are getting everything in OK status please?
@Windows10NinjaWorld 7 years ago
Yes, all showed OK at the time. If there were issues when the VPN connected it would have shown cert revocation errors. Did you set up using your LAN settings and verify within? Watch the VPN video and run verification on the server authentication cert.
@Windows10NinjaWorld 7 years ago
Just ran it and it showed status as OK. Also ran certutil -url against the server authentication cert and it came back as verified. Please do remember that this is done within the LAN settings. At the end of the day, for verification to work your CA, OCSP etc. must be locatable by your DNS and clients with such DNS too etc. As long as a root cert is installed on the computer and your VPN server, OCSP server etc. are reachable, then it should be fine. If you do want clients and server setup to be easier, then purchasing a trusted cert is usually the option.
@Windows10NinjaWorld 7 years ago
We created a video to show that it works. Hope it helps. kzbin.info/www/bejne/hoqzc6CglKeLa8k
@stefannonchev3693 7 years ago
Fair play to you. I just had a chance to watch it. Managed to fix the issue by revoking the CA Exchange cert, as it was issued before the OCSP responder was configured and there wasn't information about the OCSP location in it. After re-issuing it, everything is in OK status :)
@howtoparentsolo 4 years ago
Love your tutorial. All protocols work other than this: IKE authentication is unacceptable, Routing and Remote Access. Any ideas for a fix? I followed your tutorial but for some unknown reason I am getting this error both inside and outside of my LAN.
@Windows10NinjaWorld 4 years ago
More details please.
@Daniel-qo9uv 6 years ago
Hi, do you know how to create an EV SSL? If yes, I would like to create one for my web sites. Thank you.
@Windows10NinjaWorld 6 years ago
The methods shown here work for a company where the root CA certificate has to also be manually installed on each computer. For a public website you would need to buy one or use one of the free services e.g. letsencrypt.org/
@Daniel-qo9uv 6 years ago
Sorry, I don't understand really well. So I need to be manual, how?
@Windows10NinjaWorld 6 years ago
Please contact the company you buy the SSL certificate from and they should advise.
@thomasthomas407 3 years ago
Am I the only one who couldn't click on Enterprise CA?
@Windows10NinjaWorld 3 years ago
Maybe 😃
@thegamegifter01 2 years ago
I couldn't either
@senafr 4 years ago
This is not a best practice anymore, to install a one-tier PKI. Also, OCSP needs to be installed on a separate server. This is not a good example.
@Windows10NinjaWorld 4 years ago
It is an example from a few years back - and it depends on how many servers you have - the example shows how to use the certification system. Implementation is up to individuals.