Thursday, March 30, 2017
KN How to Install Certificate Services on Windows Server 2008 R2
Introduction
Active Directory Certificate Services (AD CS) is the Microsoft implementation of public key infrastructure (PKI). PKI deals with the components and processes for issuing and managing digital certificates that are used for encryption and authentication. It is not mandatory to implement AD CS as part of a Windows Server 2008 Active Directory infrastructure. However, many organizations find it useful to deploy this service internally rather than relying on an external provider.
AD CS is the component of Windows Server 2008 that can be used to issue and manage digital certificates. The digital certificates issued by AD CS can be used for Encrypting File System (EFS), e-mail encryption, Secure Sockets Layer (SSL), and authentication. A server with AD CS installed is referred to as a certification authority (CA).
Digital certificates are used for asymmetric encryption, which requires two keys. The first key is the private key, which is securely stored by the user or computer that a digital certificate has been issued to. The second key is the public key that is distributed to other users and computers. The data encrypted by one key can only be decrypted by the other key. This relationship ensures the security of the encrypted data. Each key is sufficiently large to preclude computation of the private key via possession of the public key.
How to implement AD CS
AD CS is a complex product with various options for implementation. The implementation options for root and subordinate CAs vary, and you need to be aware of the process for each. Web enrollment is commonly used in many environments and must be configured. You must also manage certificate revocation by using either certificate revocation lists or OCSP. Finally, you must be aware of how to manage key archival and recovery.
I believe best practice is, and I'm sure someone will correct me if I'm wrong, to set up an Enterprise Root CA (Certificate Authority), then set up one or more subordinate CAs. You can then make your Root CA unavailable for access and have the subordinates handle all of the traffic without fear of compromising your Root CA. In this tutorial, we'll just be installing and configuring a Root CA, but the process is basically the same for the subordinates.
Now that you've got some background information, on to the installation and configuration of Windows Server 2008 R2 Certificate Services.
In Server Manager, select Roles in the left pane, then Add Roles in the right pane. Place a check mark in the checkbox for Active Directory Certificate Services. Then click Next.
On the Introduction to Active Directory Certificate Services window, you can read up on the certificate services technology, how to manage a CA, and naming. Click Next.
On the Select Role Services page, make sure Certification Authority is selected, then select Certification Authority Web Enrollment. When the Add Roles Wizard window appears, click the Add Required Role Services button. Click Next.
On the Specify Setup Type page, leave Enterprise selected. Click Next. On the Specify CA Type page, leave Root CA selected and click Next. On the Set Up Private Key page, leave Create a new private key selected and click Next.
On the Configure Cryptography for CA page, you can leave the defaults selected or adjust as necessary for your needs. You can also pause here and research the providers and hashes as necessary, but for this tutorial and most environments, the default will be enough. Click Next.
On the Configure CA Name page, set the common name to the same as the server name since this server is a domain controller. This is an acceptable practice. Leave the Distinguished name suffix alone. Click Next.
On the Set Validity Period page, feel free to adjust the validity period or leave the default. This must be adjusted based on your needs. Click Next. On the Configure Certificate Database page, you can adjust the paths or leave the defaults set. Click Next.
Next we see the Web Server (IIS) page. You can read the description and check out the links listed on the page if you'd like. Click Next.
On the Select Role Services page, leave the defaults selected. Click Next. On the Confirm Installation Selections page, you can review your choices, go back and make changes, or click Install. After the Installation Progress page finishes, you can view your Results.
You've now got a domain controller that is capable of issuing certificates to your servers and users. You can go back through the wizard and install additional CA components, for example, one that will allow you to issue certificates to users and computers that are not part of your domain. That choice is called Certificate Enrollment Web Service.
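To confirm what the wizard actually built, the check below (an added example, not part of the original tutorial) lists the installed role services, confirms the CA service responds, and reports the signature hash, key size and expiry of the CA certificate that resulted from the Configure Cryptography and Set Validity Period pages. The function name Get-CACertReport and the thresholds it flags are assumptions of this example.

```powershell
# Added example, not from the original post. Run elevated on the CA server.
# Written for the PowerShell 2.0 that ships with Windows Server 2008 R2.
Import-Module ServerManager

# Role services chosen on the Select Role Services page.
Get-WindowsFeature AD-Certificate, ADCS-Cert-Authority, ADCS-Web-Enrollment |
    Format-Table Name, Installed -AutoSize

# The CA service (CertSvc) has to be running and answering requests.
Get-Service CertSvc | Format-Table Name, Status -AutoSize
certutil -ping

function Get-CACertReport {
    # CA certificates that have a private key in the machine store. On a root CA
    # this is the self-signed certificate the wizard created.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and ($_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] -and
            $_.CertificateAuthority })
    } | ForEach-Object {
        $cert = $_
        $alg  = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA
        $bits = $null
        try { $bits = $cert.PublicKey.Key.KeySize } catch { }   # non-RSA keys are not sized here

        # Thresholds below are this example's assumptions; adjust to your policy.
        $notes = @()
        if ($alg -match 'sha1|md5')                    { $notes += 'weak signature hash' }
        if ($bits -and $bits -lt 2048)                 { $notes += 'RSA key under 2048 bits' }
        if ($cert.NotAfter -lt (Get-Date).AddYears(1)) { $notes += 'expires within a year' }

        New-Object PSObject -Property @{
            Subject    = $cert.Subject
            SelfSigned = ($cert.Subject -eq $cert.Issuer)   # expected True for a root CA
            Signature  = $alg
            KeyBits    = $bits
            NotAfter   = $cert.NotAfter
            Notes      = ($notes -join '; ')
        }
    }
}

Get-CACertReport |
    Select-Object Subject, SelfSigned, Signature, KeyBits, NotAfter, Notes |
    Format-List
```

An empty Notes field means none of the example's three conditions matched; anything listed there points back to a choice made on the cryptography or validity pages of the wizard.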