Windows Server 2022: Active Directory Certificate Services (AD CS) Discussion and Install Guide

Views: 31,317

SW The Tech Journal

2 years ago

Skip straight to the demo at 04:39
Blog Post: www.stephenwagner.com/2021/10...
Check out my full Windows Server 2022 playlist at • Windows Server 2022: H...
In this video we'll discuss Active Directory Certificate Services, and then demonstrate and install Active Directory Certificate Services on a Windows Server 2022 server.
Timecodes:
00:09 - Discussion
04:39 - Demonstration
In this video:
1. Discussion
-SSL Certificates (Host verification)
-Internal Root Certification Authorities (Root CAs)
-Internal Root CA vs Public Trusted Root CAs
-HTTPS Scanning (Web Filtering) and SSL Certificates
-Intermediate Certificate Authorities
-Why ADCS?
-AD CS Certificate Templates
-Encryption
-Certificate Issuance
2. Demonstration
-Server Manager Role Installation
-MMC Snap-in for Certificates (Local Computer)
--Root CAs
-Install Active Directory Certificate Services (AD CS)
--Add Server Role
--Root CA Trust Discussion
--AD CS Installation on a Domain Controller
--AD CS Prerequisites
--Web Enrollment Discussion
--AD CS and IIS Discussion
-Install Internet Information Services (IIS) as a prerequisite
-Configure Active Directory Certificate Services (AD CS)
--Credentials
--Role Configuration
--Enterprise CA vs Standalone CA
--Root CA vs Subordinate CA
--Private Key Creation and Cryptographic options
--Root CA Naming
--Validity Period
-Certification Authority MMC Usage
-Root CA Replication to Domain ("gpupdate /force" and restart)
-AD CS Certificate Templates Overview
--Certificate Templates MMC
--Duplicate and Customize Web Server Certificate Template
--Enable Auto-Enrollment for Certificate Template
-Use IIS to request certificate from Active Directory Certification Authority
--Create Domain Certificate
-Enable SSL on WSUS Server using Active Directory Certificate Services Certificate
--Bind new certificate to IIS Web Server
--Update GPO to reflect SSL URL and port number
--Run "iisreset" on elevated command prompt
-Demonstration Summary
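The Server Manager walkthrough listed above, as an added PowerShell example (not code from the video or its author): it scripts the lab build of an enterprise root CA on a domain-joined member server rather than on a domain controller, which is the layout several commenters below recommend. `$CAName` and `$LabTemplate` are placeholders, and the script assumes the duplicated Web Server template has already been created in the Certificate Templates MMC, since duplicating a template is not a one-cmdlet operation.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the video: lab enterprise root CA on a domain-joined member server.
# Run in an elevated session as a member of Enterprise Admins (needed to register the CA in AD).
# Assumptions (placeholders): $CAName, $LabTemplate. The template must already exist,
# duplicated from "Web Server" in the Certificate Templates MMC.
$CAName      = 'LAB-Root-CA'     # assumption: CA common name
$LabTemplate = 'LabWebServer'    # assumption: name of the duplicated Web Server template
$CAValidity  = 10                # CA certificate lifetime in years

# 1. Roles: the CA itself, Web Enrollment (which pulls in IIS), and the management tools.
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment, Web-Server `
    -IncludeManagementTools | Out-Null

# 2. Configure an Enterprise Root CA: KSP-backed RSA-4096 key, SHA-256 signatures.
#    EnterpriseRootCA needs Enterprise Admin rights in AD; with only local admin rights the
#    cmdlet fails, which is the same symptom as the greyed-out option in the wizard.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CACommonName $CAName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' -KeyLength 4096 `
    -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits $CAValidity -Force
Install-AdcsWebEnrollment -Force

# 3. Publish the duplicated template so the CA will actually issue from it; duplicating it
#    in the MMC is not enough. Get-CATemplate lists what the CA currently offers.
Add-CATemplate -Name $LabTemplate -Force
Get-CATemplate | Format-Table Name

# 4. Check that the root certificate reached Trusted Root Certification Authorities via
#    Group Policy. Enterprise CAs append the domain DN to the subject, hence the wildcard.
#    Two entries with the same CN usually mean a leftover from an earlier install attempt.
gpupdate /force | Out-Null
$roots = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "CN=$CAName*" })
switch ($roots.Count) {
    0       { Write-Warning "Root cert for $CAName not in Trusted Root yet; wait for AD replication and rerun gpupdate" }
    1       { "Root CA trusted: $($roots[0].Thumbprint), expires $($roots[0].NotAfter)" }
    default { Write-Warning "$($roots.Count) root certs named $CAName in Trusted Root; remove stale ones with: certutil -delstore Root <thumbprint>" }
}

# 5. Confirm the CA service answers over RPC/DCOM (the same path certreq and autoenrollment use).
certutil -config "$env:COMPUTERNAME\$CAName" -ping
```

The `Install-Adcs*` cmdlets come from the ADCSDeployment module and `Add-CATemplate`/`Get-CATemplate` from ADCSAdministration; both install with the role's management tools. For anything beyond a lab, the two-tier layout discussed in the comments (offline, non-domain-joined root; domain-joined issuing CA) is the one to build, and the root then never gets `EnterpriseRootCA` at all.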
This video is part of a multi-video playlist containing howto's on deploying various technologies with Microsoft Windows Server 2022.
Hardware/Software used in this demonstration
-VMware vSphere
-HPE DL360p Gen8 Server
-Microsoft Windows Server 2022
-pfSense Firewall
For more content visit my blogs at www.stephenwagner.com
To hire me and my company, visit:
www.stephenwagner.com/hire-st...
www.digitallyaccurate.com/con...
#Windows #WindowsServer #WindowsServer2022 #WSUS #WindowsServerUpdateServices #Guide #HowTo #VMware #ESXi #VirtualMachine #Demo #Demonstration #ADCS #Certificates #SSL

Comments: 83
@vcp93 11 months ago
Your point regarding installing CA Services on an AD DC is true... for now. However, at some point you'll be replacing both the DCs and the CA servers. You may not want to do both upgrades at the same time. In addition, if that DC has a problem, then you now have "two problems". Since most shops use some sort of virtualization for their server infrastructure, keeping your CA servers running on their own VM is probably a better choice. For a testing lab, I'm with you 100%. Good job on your tutorial. Cheers! 👽✌️
@TechMedia-it 8 months ago
I was about to comment on this... in an enterprise environment, you should never do that. All critical services should have their own VM.
@mcdonamw 7 months ago
@TechMedia-it Correct. Also, at least a two-tier PKI is recommended, with the root CA being offline for security (and not domain joined). Hard to do that if AD CS is installed on a domain controller.
@alirezapourranjbar7652 10 days ago
I have been looking for a video like this all over. Thanks, this made my day.
@Red1Wollip 1 year ago
This is a great series of videos. Please keep them coming.
@StephenWagner 1 year ago
Thanks Dennis, I appreciate the compliment and feedback!
@wyc2462 1 year ago
Yes, great. Oh, and handsome guy... (It's important.)
@FTABoyNavid 7 months ago
Thanks for the great explanation with examples of the usage of certificates.
@weneedheros 5 months ago
Really good content. Clear and concise explanations.
@estebangomez1823 5 months ago
Man, this video was really well elaborated. I thank you for this, my friend!
@StephenWagner 5 months ago
Glad it helped! My pleasure!
@OscarFaustoPelosi 8 months ago
Very well explained and easy to understand. Thank you, much appreciated.
@StephenWagner 8 months ago
Glad it was helpful!
@rasoulvahid7297 1 year ago
Great Video on a very complex topic.
@StephenWagner 1 year ago
Happy if it helped!
@tomrutherforrd 1 year ago
Man, you're awesome, thanks so much!!
@StephenWagner 1 year ago
Glad to help!
@rodrigouricoechea3751 2 years ago
I like it. Good detail.
@StephenWagner 2 years ago
Thank you! Cheers!
@kevinkirk529 2 years ago
Thank you!
@kevinkirk529 2 years ago
Got thrown to the wolves, as they say, and I'm learning everything about our company's infrastructure and how to keep it running with no hiccups (SSL expirations, updates, etc.). Any pointers would be appreciated!
@StephenWagner 2 years ago
You're most certainly welcome!
@StephenWagner 2 years ago
Read and learn everything you can! Monitor the servers, Google/learn what the various events mean in the Event Log viewer, learn about versions, identify "End of Life" and unsupported versions of software, etc. There's a lot, but I'm hoping that gets you started! :D
@kevinkirk529 2 years ago
@StephenWagner Yeah, that's all in my book. Combing through it slowly.
@demann7847 1 year ago
@kevinkirk529 For SSL cert expirations, set yourself recurring Outlook calendar reminders for each certificate that you know will end up requiring manual steps for renewal (even for Stephen's auto-enroll example in IIS, as it would simply require you to click Enroll again, but it is still a manual process). For updates, you can use GPO to set updates to be scheduled to automatically download and install on a regular schedule (whether from WSUS or directly from MS if you don't use/have WSUS). The default is daily at 3am, but make sure you schedule backups around whatever time you schedule updates so you're not causing backups to fail when servers auto-update and auto-reboot. Hope this helps!
@kijkhier6298 2 years ago
I don't fully agree with the root CA on the domain controller. I think you build a separate root CA and a subordinate CA. Then take the root CA offline. Then use the subordinate to sign the requests. Now your root CA is always online and can be compromised.
@StephenWagner 2 years ago
Good point, and that is a very good and valid configuration that is often seen! :) I just did this video to show people how to install it (for learning purposes).
@ilyashick3178 1 year ago
IIS and issuing servers need to be under AD in a two-tier configuration. As an example, the issuing (sub) server is configured for CDP and AIA and for issuing certificates. A domain controller can be part of the CA, but it is better not to run the CA on it.
@Mr_Sh1tcoin 1 year ago
This is a lab, mate, it's not production; sharing services is fine. He is kindly showing a 101 on how to install the roles and functions, not giving us a 303.
@mcdonamw 7 months ago
@Mr_Sh1tcoin It's a lab, sure, but many newbies are using videos like this to base their production environments on. IMO, if deploying in a lab, I'd still follow best practices. In fact, I came across this video searching for installing a two-tier PKI with "best practices" as I'm not an expert in this arena atm. All videos and documentation I find are usually based around a lab environment, which has not been helpful to me at all.
@Mr_Sh1tcoin 7 months ago
@mcdonamw If you're basing prod on videos from the internet, then I'd say you're in a job that's a bridge too far.
@fbifido2 11 months ago
@22:48 - you need to tell the CA to make that new template available or to enable it.
@Albert-North 3 months ago
Thanks for the video. Used it to set up the CA on our domain, but did not see the comments about not setting it up on a DC in the domain (as those who argued that it should be on a non-domain server that is eventually disconnected from the network): 1) how big of a hassle would it be to move the CA now that it is integrated with (and on) a DC? I see that it has now issued domain certs to all four DCs in our domain. 2) do we need to manually keep track of the certs issued to the DCs, or do they auto-renew in 2 years (since they were auto-created)? Likewise, do I need to keep track of the expiry for the CA, 5 years out, to have the certificate for the CA itself renewed? 3) what happens if the CA server goes down? I guess the certificate must be "self-contained" enough that even if the CA is down, it can continue to function (up until its expiry date). Thanks. Albert (from Kincardine, ON, on the shores of Lake Huron)
@fbifido2 11 months ago
@23:22 - you could have checked what certificate was under Personal in the MMC to see which cert was issued to that member machine, if any.
@Minerva___ 2 months ago
I've seen it mentioned that CAWE was designed with Server 2003-2006 in mind and that it is now insecure to use it, with people recommending other methods, but I just can't find more detailed information. For internal-only SSL certificates, would the CAWE role still be safe to use for Server 2016 and newer?
@matthijsleenhouts4827 1 year ago
Question: can I set up a PDC domain controller and install Active Directory Certificate Services and RAS on it, and install an SSL certificate for an OpenVPN server, so that clients get an SSL certificate from the domain when clients connect to the OpenVPN server?
@thedonfranz 2 years ago
Question: how would you utilize the newly created web server template? I saw that the one requested on WSUS-IIS is the default web server template. And how would it handle it if the certificate expires?
@StephenWagner 2 years ago
Hi Francis, if the cert expires, you'd just need to renew it. For the templates, you use them to generate certificates for IIS, web servers, etc. I hope that answers your question!
@nxu5107 2 years ago
Can you show how a windows CA could issue a full certificate chain to an internal third party non windows service please?
@Mr_Sh1tcoin 1 year ago
It's the same as a Windows machine: provide the CA with a CSR and it will issue a certificate. Make sure the certificate chain is present on this non-Windows service and that's it. The main difference is formatting for this service you speak of; if it's BSD or Linux you'll likely need to convert the issued certificate from .CER to .PEM.
@maruwing4280 2 years ago
Thanks for the video, Stephen. Is a Windows Server 2022 CA backward compatible with a Windows Server 2016 DC?
@StephenWagner 2 years ago
Hi Maru, I'm not sure I understand your question... I think every version of Windows Server has the AD CS role available. If you're asking if earlier versions of Windows Servers can request certificates as a client from it, yes they can.
@maruwing4280 2 years ago
@StephenWagner Thanks for the answer.
@buweloitacademy1195 1 year ago
Hi Steve, I need some input from you regarding AD CS. Is it safe to deploy AD CS in an existing domain environment that doesn't have it? What are the recommendations or safety measures before deploying on production? Thanks in advance.
@StephenWagner 1 year ago
Hey there! Actually if it's never been deployed, that's probably the safest and easiest because you're not competing against any old configuration... Technically, in a large enterprise deployment, your main Root CA isn't supposed to be joined to the domain (it's supposed to be standalone, isolated, and you're supposed to have a Subordinate CA in the domain), but for small deployments it's common to see the CA on the network if you're not doing anything crazy or highly top secret, etc...
@buweloitacademy1195 1 year ago
@StephenWagner Thanks Steve. You answered my question. 🍻🍻
@waynesouza9328 1 year ago
I have a root CA on my domain and the server OS is aging out. Can I add a second root CA on the domain and have them both run simultaneously until I can remove the old CA server?
@Mr_Sh1tcoin 1 year ago
Yes, 100%; they are completely different CAs, and clients will treat certificates issued by both separately and can use both simultaneously for various services. Once your new CA is set up, remove certificate templates from the old CA so it can't renew or issue new certificates to clients, and add those templates to the new CA. Clients will auto-enrol as and when; for servers, go through a process of issuing new certificates from the new CA and update bindings accordingly. It will be a staged cutover. Once the expiry date of the last certificate issued from the old CA has passed, then look to decom it from the domain so it is no longer advertised as a CA, and then blow it away! The most important thing to check before you stand a new CA up is the compatibility matrix of the new CA to domain functional level, as there will be a cap on this if you're not running 2016 domain functional level.
@Hax0rZ1 1 year ago
I've set mine up the same as your video, but all pages are showing net::ERR_CERT_COMMON_NAME_INVALID. I'm wondering if the issue is related to it being a .com domain without the server name in the prefix.
@StephenWagner 1 year ago
Hi Mikestilly, did you set the common name to the FQDN you're using to access the service?
@Hax0rZ1 1 year ago
@StephenWagner Yes I did. Dev tools says "Subject Alternative Name missing. This site is missing a valid, trusted certificate. net::ERR_CERT_COMMON_NAME_INVALID".
@StephenWagner 1 year ago
I'm not sure what "Dev Tools" are, but if the subject alternative name is missing the FQDN, then you'll need to populate it with the hostnames that the certificate was issued for.
@Mr_Sh1tcoin 1 year ago
Your Common Name (Subject) has to match exactly the URL you're using, and have a matching SAN, otherwise you will spring errors in any browser... bar IE11 probably 😂
@mn26826 2 years ago
Useful video, thanks for that. I would appreciate a video showing how to bring up pfSense doing HTTPS filtering using SquidGuard (as intermediate CA).
@StephenWagner 2 years ago
Great suggestion! I'll see what I can do!
@martinyable 1 year ago
Thank you. I am using a newly built 2019 Domain Controller. An Enterprise CA will make more sense for me. However, when I come to the configuration, the enterprise CA option is greyed out. Does anyone know what the cause of that could be?
@StephenWagner 1 year ago
Hi Martin, if my memory serves me right, this is a symptom commonly associated with attempting to install the role/service using a local administrator account on the server, and not a domain admin. Try logging in with domain administrative credentials, and it should work.
@martinyable 1 year ago
@StephenWagner Thank you, I will try it with a domain admin account again.
@martinyable 1 year ago
So, originally I was trying it with the account called "Administrator". I created a new domain account, called it "CertAdmin", and added it to the groups "DOMAIN\Enterprise Admins" and "DOMAIN\Domain Admins". I log on to the DC with this new account, and I can now select "Enterprise CA". Thank you!
@StephenWagner 1 year ago
Happy it worked! When using "Administrator" on member servers, it'll always try logging in with the local admin instead of the domain admin, resulting in admin access to the server, but not to the domain (stopping any changes to AD). While you shouldn't be using the "Administrator" account, if you do need to, you can use the username format "Domain\Administrator" or "Administrator@domain" to log in with the domain account vs the local Administrator account.
@martinyatesBlackBerry 1 year ago
@StephenWagner Thank you. Is it best practice, in a new domain, to make a new account with admin rights that is not the default "Administrator" account?
@fbifido2 11 months ago
@17:46 - why is there 2x TN-SRV01-CA Cert in the TRCA section?
@StephenWagner 11 months ago
I recorded this video multiple times and I think it may have been from a previous attempt.
@lopar4ever 1 year ago
Hi Stephen. I installed CA on my servers years ago and never looked back, because everything worked. But now I found that my root CA is going to expire in a couple of months. Can you help me, what should I do in such situation? Root CA is not that type of certificate, that can simply be revoked and made new one - all certificate chains will be lost. Am I missing something?
@StephenWagner 1 year ago
Hi Ivor, there should be some procedures available online, however it's actually pretty simple. If your Root CA is about to expire, you can simply go into AD CS, and then right-click on the CA and renew the Root CA. The CRITICAL thing you MUST pay ATTENTION to is, when you renew the root CA, you do NOT want to generate a new public and private key pair. Make sure you select "No", because you do NOT want to generate new keys.
@Mr_Sh1tcoin 1 year ago
@StephenWagner 100% incorrect. You always want to generate new keys for CAs and clients, as the longer time goes on the more likely keys and certificates can be exploited/stolen, meaning a new key pair nulls any prior exploits and allows only a short window for new exploits to take place before the key pair is completely changed again, nulling current/prior attempts... and so on. Please tell me the reason why NOT to renew a CA key pair? Ivor B, don't revoke the old CA cert as it's not required; just let it expire and renew the CA certificate with a NEW key pair. Make sure the new CRL is updated accordingly and copy both the new CA cert and CRL to your AIA and CDP locations marked within your domain, leaving the old ones in situ.
@kyand920 9 months ago
I'm having an issue. I did the whole setup with a default IIS web server, but when in-domain users (or any in-domain machine) browse the site I get a red cert error saying NET::ERR_CERT_COMMON_NAME_INVALID. Is that normal?
@StephenWagner 9 months ago
It sounds like you need to generate a certificate for your IIS virtual host if you want it to be able to pass certificate checks.
@kyand920 9 months ago
@StephenWagner Quick update, it seems to only work with IE. Any other browsers reject it. I also tried with an invalid cert and IE does reject that one... so it's not a case where IE simply accepts all certs.
@kyand920 9 months ago
Alright, so I ended up fixing it! The issue was that DNS in CN has been deprecated for a while now; browsers check SANs to validate the certificate. Since IIS's request certificate option does not allow us to input SANs, I had to manually create a request, but after that was done it worked fine :)
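The fix that both ERR_CERT_COMMON_NAME_INVALID threads above arrive at (put the hostname in the Subject Alternative Name, not only the CN), as an added PowerShell example that is not from the video or its author: an INF-driven certreq request carrying SAN entries, submitted to the enterprise CA against a template, accepted into the machine store, checked, and bound to the IIS site on the WSUS SSL port. Every hostname, the CA config string, the template name and the site name are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example: SAN-bearing web server certificate from an AD CS enterprise CA.
# Chromium and Firefox ignore the CN and match the URL hostname against the SAN extension,
# so a CN-only certificate (what the IIS "Create Domain Certificate" wizard produces)
# fails with NET::ERR_CERT_COMMON_NAME_INVALID even though IE accepts it.
# Assumptions (placeholders): every value in this first block.
$Fqdn     = 'wsus.lab.example'                 # name clients put in the URL
$Aliases  = @('wsus', 'updates.lab.example')   # extra names the cert must also cover
$Template = 'WebServer'                        # published template with "Supply in the request"
$CAConfig = 'srv01.lab.example\LAB-Root-CA'    # "CA host\CA common name"
$SiteName = 'WSUS Administration'              # IIS site to bind
$SslPort  = 8531                               # WSUS SSL port
$WorkDir  = Join-Path $env:TEMP 'certreq'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. certreq policy file. SAN (OID 2.5.29.17) lists every name; CN is kept for old clients.
#    KeyUsage 0xA0 = digitalSignature + keyEncipherment; KeySpec 1 = exchange key for TLS.
$sanLines = ((@($Fqdn) + $Aliases) | ForEach-Object { "_continue_ = `"dns=$($_)&`"" }) -join "`r`n"
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
Exportable = FALSE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
$sanLines

[RequestAttributes]
CertificateTemplate = $Template
"@
$infPath = Join-Path $WorkDir 'request.inf'
$reqPath = Join-Path $WorkDir 'request.req'
$cerPath = Join-Path $WorkDir 'issued.cer'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# 2. Generate the key and CSR locally, submit to the CA, then pair the issued cert with its key.
certreq -new $infPath $reqPath
certreq -submit -config $CAConfig $reqPath $cerPath
certreq -accept $cerPath

# 3. Verify the SAN before touching IIS. If the template builds the subject from AD instead
#    of taking it from the request, the CA silently drops the SAN and this check catches it.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for CN=$Fqdn in LocalMachine\My" }
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san -or $san.Format($false) -notmatch [regex]::Escape($Fqdn)) {
    throw "Issued certificate $($cert.Thumbprint) lacks a SAN for $Fqdn; check the template"
}

# 4. HTTPS binding on the WSUS port, then iisreset as in the video.
Import-Module WebAdministration
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port $SslPort)) {
    New-WebBinding -Name $SiteName -Protocol https -Port $SslPort
}
(Get-WebBinding -Name $SiteName -Protocol https -Port $SslPort).AddSslCertificate($cert.Thumbprint, 'My')
iisreset
```

For a non-Windows service (the Apache and "third party" questions in the thread), skip step 1 and `certreq -new`, generate the CSR with the service's own tooling, run the same `certreq -submit`, and convert the DER `.cer` to Base64 with `certutil -encode issued.cer issued.pem`. Two caveats: a template that takes the subject from the request trusts whatever the requester types, so its Enroll permission should be limited to the machines and admins that need it; and the CA-wide `certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2` workaround that many forum answers offer for "missing SAN" lets any requester append arbitrary SANs to any template through request attributes and should stay off.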
@jamesdanielelliott 2 months ago
You never issued a certificate using the new template, it was issued with the original template.
@sfx1672 1 year ago
How can I create a certificate for an apache internal server?
@StephenWagner 1 year ago
Hi SFX 1, you should be able to generate a CSR (Certificate Signing Request) from Apache, then upload it to your CA and generate the certificate, which you can then install on your Apache webserver.
@kevinkirk3156 2 months ago
I hate SSLs.
@Bill_CBR 1 year ago
A root CA should never be domain joined, and CAs should not be on DCs.
@martinyable 1 year ago
Thanks Bill. Useful info for sure.
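Two questions in the thread above ask how expiry is tracked: Albert-North on the auto-issued DC certificates and the CA's own 5-year certificate, and lopar4ever on a root CA expiring in a couple of months, with the replies disagreeing on whether the renewal should reuse the key pair. The following is an added PowerShell example, not code from the video or its author: run on the CA host, it flags the CA's own certificate generations and the issued certificates nearing expiry straight from the CA database, and shows both certutil renewal forms the replies refer to. `$WarnDays` is an assumption (a policy choice).

```powershell
#Requires -RunAsAdministrator
# Added example: expiry check on an AD CS host plus the two certutil renewal forms.
# Run on the CA server. $WarnDays is an assumption (policy choice). certutil parses the
# date in a -restrict clause using the local short date format, so it is built with ToString('d').
$WarnDays = 60
$now      = Get-Date

# (a) The CA's own certificate(s). Each renewal adds another generation to LocalMachine\My;
#     BasicConstraints with CA=TRUE separates them from ordinary server certificates.
$caCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $bc = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    $bc -and $bc.CertificateAuthority
}
foreach ($c in $caCerts) {
    $daysLeft = [int]($c.NotAfter - $now).TotalDays
    $state    = if ($daysLeft -le 0) { 'EXPIRED' } elseif ($daysLeft -lt $WarnDays) { 'RENEW' } else { 'ok' }
    '{0,-8} {1,5}d  {2}  {3}' -f $state, $daysLeft, $c.Thumbprint, $c.Subject
}

# (b) Issued certificates approaching expiry, read from the CA database (Disposition 20 =
#     issued). Auto-enrolled machine certs renew on their own while the template is published
#     and the CA is reachable; anything requested by hand shows up here and needs a human.
#     Feed the CSV to your monitoring instead of hand-maintained calendar reminders.
$from   = $now.ToString('d')
$cutoff = $now.AddDays($WarnDays).ToString('d')
certutil -view -restrict "Disposition=20,NotAfter>=$from,NotAfter<=$cutoff" `
    -out 'RequestID,RequesterName,CommonName,CertificateTemplate,NotAfter' csv

# (c) Renewing the CA certificate itself. Both forms are valid; which to use is the policy
#     question the thread disagrees on. Either way, certificates already issued keep chaining
#     to the CA certificate that signed them, so the old CA certificate and its CRL must stay
#     published at the CDP/AIA locations until the last certificate under them has expired.
#     Kept as comments so that running this script never renews a CA by accident.
#   certutil -renewCert ReuseKeys   # new CA certificate, same key pair
#   certutil -renewCert             # new CA certificate AND new key pair
#   certutil -CRL                   # publish a fresh CRL afterwards
```

Part (a) answers the "do I need to keep track of the CA itself" question: a CA never renews its own certificate automatically, so the `RENEW` line is the trigger. Part (b) is the check that tells you whether a given DC or web server certificate will actually auto-renew, because anything whose template is no longer published on the CA stays in this list until someone re-issues it.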