Installing a Root CA on Windows Server 2012
Download the PDF handout http://ITFreeTraining.com/handouts/certificates/rootca2012.pdf
What we will do in this video
This video looks at installing and configuring a root CA on Windows Server 2012 that is not connected to the network (an offline root). Any certificates created on this server are transported to other servers on a floppy disk or a USB flash drive. Keeping the root CA off the network protects the private key installed on the server, which is the key every certificate in the hierarchy ultimately chains to.
Demonstration
The installation of the root CA is divided into three parts. Pre-configuration is done before the Active Directory Certificate Services role is installed, so that the certificate created during the install has the right settings. Once these settings have been used to create the certificate, they cannot be modified later on, so they must be right before the role is configured. The second part, installing the role, involves adding the role through Server Manager and selecting some options. The last part is post-configuration, which is needed to ensure that certificates created by the root CA have the right options. This needs to be done before the root CA issues any certificates.
The files used in the demonstration are available for download. See the references part of the video for the URL.
Pre configuration
When the Certificate Authority role is configured, a certificate for the root CA is created, unless you supply a certificate from a previous install. A number of options that go into this certificate cannot be set using the wizard. These additional options are read from a file in the Windows directory (%SystemRoot%, normally C:\Windows) called CAPolicy.inf, which must be in place before the role is configured. An example of this file is shown below.
[Version]
Signature="$Windows NT$"
[PolicyStatementExtension]
Policies=InternalPolicy
[InternalPolicy]
OID= 1.2.3.4.1455.67.89.5
Notice="Legal Policy Statement"
URL=http://ITFreeTraining.com/cps.txt
[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
AlternateSignatureAlgorithm=1
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
See below for a description of each part of the file.
[Version]
Signature="$Windows NT$"
This identifies the file as a settings file. This section is always the same: copy it to the top of the file as-is. There is no need to change any part of it.
[PolicyStatementExtension]
Policies=InternalPolicy
This part names the policies that relate to the certificate (more than one can be listed, separated by commas). These policies do not affect the operation of the CA or how the certificates work. They define how the certificate may be used, just as a license agreement defines how a piece of software may be used. The policies named here are embedded in the root certificate as its Certificate Policies extension, so the person using the certificate can read them or find out where to look them up.
[InternalPolicy]
OID= 1.2.3.4.1455.67.89.5
Notice="Legal Policy Statement"
URL=http://ITFreeTraining.com/cps.txt
This part is an example of a policy. The OID (Object Identifier) is a unique number; the value shown is only an example, and a real deployment should use an OID from an arc registered to the organisation (see the references for a link on where you can register your own OID). The Notice setting is the text that is embedded in the certificate, and the URL points to where the user of the certificate can download the full policy text (the certification practice statement) if they wish.
[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
AlternateSignatureAlgorithm=1
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
This part holds settings for the CA service itself. RenewalKeyLength is the key size, in bits, used when the CA certificate is renewed with a new key pair (the key size of the initial certificate is chosen in the wizard). RenewalValidityPeriod and RenewalValidityPeriodUnits set the lifetime of the renewed CA certificate, here 20 years. AlternateSignatureAlgorithm=1 makes the CA sign with the PKCS#1 v2.1 (RSASSA-PSS) signature format instead of PKCS#1 v1.5; only enable it if every client that will validate the chain supports it, which older clients such as Windows XP do not. CRLDeltaPeriod with CRLDeltaPeriodUnits=0 disables delta CRLs, which an offline root does not need because it revokes so rarely.
Description to long for YouTube. Please see the following link for the rest of the description. http://itfreetraining.com/certificates#rootca2012
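The three parts described above, carried out from PowerShell, as an added example that is not code from the original video or handout. The CAPolicy.inf content is the one shown on this page; the CA name ITFT-RootCA, the removable drive letter E: and the HTTP publishing point http://pki.example.com/pki are assumptions for the example. The last part is the check a practitioner wants before the root issues anything: that the policy extension and signature format from CAPolicy.inf actually made it into the root certificate.

```powershell
# Added example, not code from the ITFreeTraining video: the three parts of the
# offline root CA build, run from an elevated PowerShell session on the
# disconnected Windows Server 2012 machine. Assumptions that are not in the
# original: the CA name "ITFT-RootCA", the removable drive letter E:, and a
# hypothetical HTTP publishing point http://pki.example.com/pki that a
# domain-joined web server will serve once the files are carried across.
$CaName    = "ITFT-RootCA"
$PkiUrl    = "http://pki.example.com/pki"
$Removable = "E:\"

# ---- Part 1: pre-configuration ----------------------------------------------
# CAPolicy.inf has to be in %SystemRoot% before the role is configured. The
# policy extension and signature format it sets are written into the root
# certificate itself and cannot be changed afterwards. Single-quoted here-string
# so that "$Windows NT$" is not treated as a PowerShell variable.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies=InternalPolicy

[InternalPolicy]
OID=1.2.3.4.1455.67.89.5
Notice="Legal Policy Statement"
URL=http://ITFreeTraining.com/cps.txt

[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
AlternateSignatureAlgorithm=1
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
'@
Set-Content -Path (Join-Path $env:SystemRoot "CAPolicy.inf") -Value $caPolicy -Encoding Ascii

# ---- Part 2: install and configure the role ---------------------------------
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# Stand-alone (not enterprise) root: the box is never domain-joined. Key size,
# hash and the initial validity period are wizard choices, so they go here.
Install-AdcsCertificationAuthority `
    -CAType StandaloneRootCA `
    -CACommonName $CaName `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 20 `
    -Force

# ---- Part 3: post-configuration, before the first certificate is issued -----
# Lifetime of the certificates this root issues (the subordinate CA certs) and
# a long base CRL period, because the offline root is only powered on to renew
# or revoke. Delta CRLs stay off (CRLDeltaPeriodUnits=0 from CAPolicy.inf).
certutil -setreg CA\ValidityPeriod "Years"
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLPeriodUnits 52
certutil -setreg CA\CRLOverlapPeriod "Weeks"
certutil -setreg CA\CRLOverlapPeriodUnits 2

# CDP and AIA locations. Flag 1 = publish to the local path; 2 = write the URL
# into issued certificates; 4 = write it into CRLs (6 = 2+4). certutil treats
# the literal "\n" as the separator between entries of these multi-valued keys.
$enroll = "%WINDIR%\system32\CertSrv\CertEnroll"
certutil -setreg CA\CRLPublicationURLs    "1:$enroll\%3%8%9.crl\n6:$PkiUrl/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:$enroll\%1_%3%4.crt\n2:$PkiUrl/%1_%3%4.crt"

Restart-Service certsvc
certutil -crl                      # publish the first CRL under the new settings

# ---- Check that CAPolicy.inf was actually read ------------------------------
# The CA certificate lives in the machine's Personal store with its private
# key. If the policy extension is missing, the file was not found at install
# time and the only fix is to remove the role and start again.
$root = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "CN=$CaName*" }
$policyExt = $root.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.32" }   # Certificate Policies
if (-not $policyExt) { throw "Certificate Policies extension missing: CAPolicy.inf was not applied" }
$policyExt.Format($true)                 # prints the OID, notice text and CPS URL
$root.SignatureAlgorithm.FriendlyName    # RSASSA-PSS with AlternateSignatureAlgorithm=1, sha256RSA otherwise

# ---- Carry the root certificate and CRL off the box on removable media ------
Copy-Item "$env:SystemRoot\system32\CertSrv\CertEnroll\*.crt" -Destination $Removable
Copy-Item "$env:SystemRoot\system32\CertSrv\CertEnroll\*.crl" -Destination $Removable
# Then, on a domain-joined machine with the same drive plugged in (file names
# follow the %1_%3%4 / %3%8%9 patterns set above; <server> is this CA's host name):
#   certutil -dspublish -f E:\<server>_ITFT-RootCA.crt RootCA
#   certutil -dspublish -f E:\ITFT-RootCA.crl
```

Run it in an elevated session on the offline server. If the check at the end throws, CAPolicy.inf was not picked up when the role was configured, and because the settings are fixed in the certificate at creation time the role has to be removed and reinstalled rather than patched afterwards.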
See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.
References
"MCTS 70-640 Configuring Windows Server 2008 Active Directory", Second Edition, p. 780
"Cryptographic Service Provider" http://en.wikipedia.org/wiki/Cryptographic_Service_Provider
"Cryptography Next Generation" http://technet.microsoft.com/en-us/library/cc730763(v=ws.10).aspx
"Windows Server 2008 PKI and Certificate Security", p. 89