🌐 CYBEREDU • LAB 80

Installing Active Directory Certificate Services
Step by Step

To Provide Digital Certificates to Users using AD Certificate Services

Prerequisites

Before working on this lab, you must have:

  • A computer running Windows Server 2022 as a Domain Controller.
  • A member server running Windows Server 2022, or a client running Windows 10.

Network Topology

Lab 80 Topology

Step-by-Step Instructions

Step 1

In Server Manager Dashboard, click Add roles and features.

Step 1 Screenshot

Step 2

In Before you begin page, click Next.

Step 2 Screenshot

Step 3

In Select installation type, select Role-based or feature-based installation, click Next.

Step 3 Screenshot

Step 4

In Select destination server, from Server Pool select SYS1, click Next.

Step 4 Screenshot

Step 5

Check the box Active Directory Certificate Services

Step 5 Screenshot

Step 6

Click Add Features to install the required features for Active Directory Certificate Services → click Next.

Step 6 Screenshot

Step 7

Click Next.

Step 7 Screenshot

Step 8

Click Next.

Step 8 Screenshot

Step 9

Click Next

Step 9 Screenshot

Step 10

Check the boxes Certification Authority, Certificate Enrollment Policy Web Service, Certificate Enrollment Web Service, Certification Authority Web Enrollment, Network Device Enrollment Service & Online Responder → click Next

Step 10 Screenshot

Step 11

Click Next

Step 11 Screenshot

Step 12

Click Next

Step 12 Screenshot

Step 13

Check the box Restart the destination server automatically if required → click Next

Step 13 Screenshot
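The same role installation as Steps 1 to 13, done from an elevated PowerShell session on the target server instead of the Add Roles and Features wizard. This is an added example, not part of the original lab; the feature names are the ones `Get-WindowsFeature -Name ADCS-*` reports, and the server name SYS1 is the lab's example.

```powershell
# Added example (not part of the lab): install the AD CS role services that
# Steps 5-13 select in the wizard, from an elevated PowerShell on SYS1.
$roleServices = @(
    'ADCS-Cert-Authority',    # Certification Authority
    'ADCS-Enroll-Web-Pol',    # Certificate Enrollment Policy Web Service
    'ADCS-Enroll-Web-Svc',    # Certificate Enrollment Web Service
    'ADCS-Web-Enrollment',    # Certification Authority Web Enrollment
    'ADCS-Device-Enrollment', # Network Device Enrollment Service
    'ADCS-Online-Cert'        # Online Responder
)

# -IncludeManagementTools adds the Certification Authority console (certsrv.msc)
# and the ADCSDeployment / ADCSAdministration PowerShell modules used later.
$result = Install-WindowsFeature -Name $roleServices -IncludeManagementTools

# Equivalent of the "restart the destination server automatically if required"
# checkbox in Step 13.
if ($result.RestartNeeded -eq 'Yes') {
    Restart-Computer -Force
}

# Confirm every requested role service reports Installed before moving on to
# the post-install configuration (Step 14 onward).
Get-WindowsFeature -Name $roleServices |
    Select-Object Name, DisplayName, InstallState |
    Format-Table -AutoSize
```

Run it as a member of the local Administrators group; the wizard in Step 4 targets SYS1 from the server pool, so the script is run directly on that server.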

Step 14

Click Configure Active Directory Certificate Services on the destination server

Step 14 Screenshot

Step 15

In Credentials, click Next

Step 15 Screenshot

Step 16

Check the boxes Certification Authority, Certification Authority Web Enrollment & Online Responder → click Next

Step 16 Screenshot

Step 17

In Setup Type Select Enterprise CA and Click Next

Step 17 Screenshot

Step 18

In CA Type Page Select Root CA and Click Next

Step 18 Screenshot

Step 19

In Private Key Select Create a New Private Key and Click Next

Step 19 Screenshot

Step 20

Select SHA1 → click Next

Step 20 Screenshot

Step 21

In CA Name, Click Next

Step 21 Screenshot

Step 22

In Validity Period, Click Next

Step 22 Screenshot

Step 23

In CA Database, Click Next

Step 23 Screenshot

Step 24

Click Configure

Step 24 Screenshot

Step 25

Click Close

Step 25 Screenshot

Step 26

Click No

Step 26 Screenshot
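The post-install configuration of Steps 14 to 26, done with the ADCSDeployment module rather than the AD CS Configuration wizard. This is an added example, not part of the original lab. The CA name, key length and validity period are assumptions that match the wizard's defaults (the lab's example CA name is Microsoft-SYS1-CA); the hash algorithm is the one place the example departs from the lab: Step 20 picks SHA1, but SHA-1 is deprecated for certificate signatures and modern TLS clients reject SHA-1-signed end-entity certificates, so the example requests SHA256 and then reads back what the CA is configured to sign with.

```powershell
# Added example (not part of the lab): Steps 14-26 as PowerShell. Run elevated
# as an Enterprise Admin on the CA server (Step 15 accepts the logged-on user).
Import-Module ADCSDeployment

# Step 17/18: Enterprise root CA. Step 19: create a new private key.
# Step 20 chose SHA1 in the wizard; SHA256 is used here instead (see lead-in).
# CA name, key length and validity period are assumed wizard defaults.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'Microsoft-SYS1-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 5 `
    -Force

# Step 16 also ticked Web Enrollment and Online Responder.
Install-AdcsWebEnrollment -Force
Install-AdcsOnlineResponder -Force

# Read back the signing hash the CA will use. A CA built on a CNG key storage
# provider stores it in CNGHashAlgorithm; a legacy-CSP CA uses HashAlgorithm.
certutil -getreg CA\CSP\CNGHashAlgorithm

# If a CA was already built with SHA1, the signing hash can be changed later
# (the existing CA certificate keeps its original signature):
#   certutil -setreg CA\CSP\CNGHashAlgorithm SHA256
#   Restart-Service certsvc

# The CA certificate sits in the computer's Personal store; confirm subject,
# expiry and signature algorithm.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=Microsoft-SYS1-CA*' } |
    Select-Object Subject, NotAfter,
        @{ Name = 'SignatureAlgorithm'; Expression = { $_.SignatureAlgorithm.FriendlyName } }
```

The `-Force` switch suppresses the confirmation prompt the wizard shows at Step 24; Step 26's "Click No" (declining to configure the remaining role services) corresponds to simply not calling the other `Install-Adcs*` cmdlets.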

Step 27

Click Start → click Certification Authority

Step 28

Expand the CA (Ex: Microsoft-SYS1-CA) → right click on Certificate Templates → click Manage

Step 28 Screenshot

Step 29

Right click on User → click Duplicate Template

Step 29 Screenshot

Step 30

Click General → enter a template display name (Ex: User Certificate) → check the box Do not automatically reenroll if a duplicate certificate exists in Active Directory.

Step 30 Screenshot

Step 31

Click Request Handling → expand Purpose → select Signature and Encryption

Step 31 Screenshot

Step 32

Click Cryptography → check the boxes Microsoft Enhanced Cryptographic Provider v1.0, Microsoft Enhanced RSA and AES Cryptographic Provider & Microsoft RSA SChannel Cryptographic Provider

Step 32 Screenshot

Step 33

Click Subject Name → uncheck the box Email Name

Step 33 Screenshot

Step 34

Click Security → select Domain Users → check the boxes Read, Enroll & Autoenroll → click Apply → click OK

Step 34 Screenshot

Step 35

Right click on Certificate Templates → click New → click Certificate Template to Issue

Step 35 Screenshot

Step 36

Select User Certificate → click OK

Step 36 Screenshot
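Publishing the duplicated template (Steps 35 and 36) from the command line, followed by the check a practitioner wants after Step 34: that Domain Users hold only Read, Enroll and Autoenroll on the template and that no trustee has broader rights. This is an added example, not part of the original lab. It assumes the template display name "User Certificate" was given the default template name UserCertificate (spaces removed), which is what the duplicate-template dialog proposes; the Enroll and Autoenroll extended-right GUIDs are the well-known Active Directory values.

```powershell
# Added example (not part of the lab): publish the template from Steps 28-36
# and review its ACL. Run on the CA (or any machine with the RSAT AD module)
# as a user who can administer the CA.
$templateName = 'UserCertificate'   # assumed default name for "User Certificate"

# Step 35/36 equivalent: add the template to the list the CA will issue.
certutil -SetCATemplates "+$templateName"

# Templates the CA issues right now (should include the new one).
certutil -CATemplates

# Templates are objects in the forest configuration partition, so read the
# ACL from there rather than from the CA console.
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext
$dn  = "CN=$templateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$acl = Get-Acl -Path "AD:\$dn"

# Well-known extended rights on certificate templates.
$enrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Enroll
$autoEnrollRight = [guid]'a05b8cc2-17bc-11d2-90d4-00c04f79dc55'   # AutoEnrollment

# Step 34 granted Domain Users Read, Enroll and Autoenroll. Flag any Allow ACE
# that grants more than that: write access on a template lets the trustee
# change the template's settings, which is normally reserved for CA admins.
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        $rights = $_.ActiveDirectoryRights.ToString()
        if ($_.ObjectType -eq $enrollRight)     { $rights = 'Enroll' }
        if ($_.ObjectType -eq $autoEnrollRight) { $rights = 'AutoEnroll' }
        $broad  = $rights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty'
        $review = if ($broad) { 'more than Read/Enroll/AutoEnroll' } else { '' }
        [pscustomobject]@{
            Trustee = $_.IdentityReference
            Rights  = $rights
            Review  = $review
        }
    } |
    Format-Table -AutoSize
```

Entries flagged in the Review column for built-in administrative groups (Enterprise Admins, Domain Admins) are expected; anything flagged for Domain Users or another broad group means Step 34 granted more than the lab intended and should be corrected in the template's Security tab.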

Step 37

Go to Group Policy Management → expand Forest → expand Domains → right click on the domain name (Ex: Microsoft.com) → create a GPO (Ex: User Certificate) → right click on the GPO (Ex: User Certificate) → click Edit

Step 37 Screenshot

Step 38

Expand User Configuration → expand Policies → expand Windows Settings → expand Security Settings → select Public Key Policies → right click on Certificate Services Client - Auto-Enrollment → click Properties

Step 38 Screenshot

Step 39

In Configuration Model select Enabled → check the box Renew expired certificates, update pending certificates, and remove revoked certificates → check the box Update certificates that use certificate templates → click Apply → click OK

Step 39 Screenshot

Step 40

Open Command Prompt → type gpupdate

Step 40 Screenshot

Step 41

In Command Prompt → type certutil -pulse

Step 41 Screenshot

Verification

  1. Log on to the Member Server as a user (Ex: User1)
  2. Open the MMC console
  3. Click File → click Add/Remove Snap-in
  4. Select Certificates → select Certificates - Current User → click OK
  5. Expand Certificates → expand Personal → select Certificates and verify the certificate issued to User1
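Steps 37 to 41 and the Verification list as PowerShell: creating and linking the auto-enrollment GPO on the domain controller, then forcing enrollment on the member server and checking the user's Personal store for a certificate from the lab CA. This is an added example, not part of the original lab. The GPO name, domain and CA name are the lab's examples; the registry location of the Auto-Enrollment policy and the AEPolicy value 7 (enabled plus both checkboxes from Step 39) are the documented storage of that Group Policy setting.

```powershell
# Added example (not part of the lab): Steps 37-41 plus Verification.

# --- On the domain controller (Steps 37-39) --------------------------------
Import-Module GroupPolicy

# Create the GPO and link it at the domain, as right-clicking the domain in
# Group Policy Management does.
New-GPO -Name 'User Certificate' |
    New-GPLink -Target 'DC=Microsoft,DC=com' | Out-Null

# "Certificate Services Client - Auto-Enrollment" (User Configuration) is
# stored as AEPolicy: 1 = enabled, 2 = renew expired / update pending /
# remove revoked, 4 = update certificates that use templates. 7 = all three,
# which is what Step 39 configures.
Set-GPRegistryValue -Name 'User Certificate' `
    -Key 'HKCU\Software\Policies\Microsoft\Cryptography\AutoEnrollment' `
    -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null

# Read the setting back from the GPO to confirm it was written.
Get-GPRegistryValue -Name 'User Certificate' `
    -Key 'HKCU\Software\Policies\Microsoft\Cryptography\AutoEnrollment'

# --- On the member server, logged on as User1 (Steps 40-41, Verification) --
gpupdate /target:user /force     # Step 40: pull the new user policy
certutil -pulse                  # Step 41: run the autoenrollment task now

# Certificates - Current User > Personal > Certificates in the MMC is the
# CurrentUser\My store. Look for an unexpired certificate issued by the lab
# CA that carries the Certificate Template Information extension
# (OID 1.3.6.1.4.1.311.21.7), i.e. one issued from a duplicated template.
$issued = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object {
        $_.Issuer -like 'CN=Microsoft-SYS1-CA*' -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' })
    }

if ($issued) {
    $issued | Select-Object Subject, Issuer, NotAfter, Thumbprint
} else {
    Write-Warning 'No certificate from the lab CA in CurrentUser\My; check gpresult /r and the certutil -pulse output.'
}
```

If the store stays empty after `certutil -pulse`, `gpresult /r` run as User1 shows whether the User Certificate GPO was applied at all, and the Application event log on the client records autoenrollment errors under the CertificateServicesClient-AutoEnrollment source.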