Installing and Configuring a Windows Server 2003 Enterprise Certification Authority
Certification Authorities can issue certificates to users and computers for a variety of purposes. In the context of the ISA Server 2000 Exchange Server 2000/2003 Deployment Kit, certificates can be used for:
- Client authentication by the Web Proxy service on the ISA Server firewall
- User authentication by an OWA user on a remote network
- Creating an SSL link between the OWA client and the Incoming Web Requests listener
- Creating an SSL link between the internal interface of the ISA Server firewall and the OWA site on the internal network
- Allowing certificate authentication for an IPSec transport mode connection between front-end and back-end Exchange servers
- Secure SMTP/POP3/IMAP4/NNTP connections to the Exchange Server
A Microsoft Certificate Services CA can take on one of four roles:
- Enterprise Root CA
- Enterprise Subordinate CA
- Stand-alone Root CA
- Stand-alone Subordinate CA
A Microsoft Enterprise CA has the following characteristics:
- The enterprise CA must be a member of a Windows 2000 or Windows Server 2003 Active Directory domain
- The enterprise root CA certificate is published to Active Directory and automatically added to the Trusted Root Certification Authorities store of all users and computers in the domain
- User certificates can be issued that allow users to log on to the Active Directory domain using computer-stored certificates or certificates installed on smart cards
- Issued user certificates and the Certificate Revocation List (CRL) are published in Active Directory
- In contrast to stand-alone CAs, an enterprise CA issues certificates based on certificate templates, which the CA administrator can add and customize
- In contrast to the stand-alone CA, the enterprise CA verifies the credentials of the user requesting a certificate against Active Directory before issuing it
- The subject name (the name of the user or computer) on the certificate can be entered manually or built automatically from the requester's Active Directory account
We recommend that you install an Enterprise CA if:
- You have an Active Directory domain, and/or
- You require automatic deployment of certificates to users and computers
The enterprise CA is the ideal solution for any network with a Windows 2000 or Windows Server 2003 domain. All domain members can be assigned certificates via Group Policy based certificate autoenrollment. You can limit the scope of autoenrollment by assigning permissions (Enroll and Autoenroll) on the certificate template used for autoenrollment; only principals granted those permissions receive the certificate. Users and computers that are not domain members can use the Web enrollment site to obtain certificates, although they still authenticate to the site with domain credentials, because the enterprise CA checks the template permissions against the requesting account.
If you want to support certificate enrollment via the Web enrollment site, then you must install the Internet Information Services World Wide Web service before installing Microsoft Certificate Services.
In this ISA Server 2000 Exchange Server 2000/2003 Deployment Kit document we cover the following procedures:
- Installing the Internet Information Services 6.0 World Wide Web service (W3SVC) to support the enterprise CA Web enrollment site
- Installing Windows Server 2003 Certificate Services on a domain controller. The CA is installed as an enterprise root CA.
Note: You can install an enterprise CA on any domain member. The machine does not need to be a domain controller. Installing the CA on a domain controller is convenient for a small network, but it combines two high-value roles on one machine: whoever controls the CA's private key can issue certificates the whole domain trusts, so where you have a spare member server, prefer to install the CA there.
Installing Microsoft Internet Information Services World Wide Web Service
Perform the following steps to install IIS 6.0 on the Windows Server 2003 member server or domain controller computer that will be the enterprise CA:
- Click Start, point to Control Panel and click Add or Remove Programs.
- Click the Add/Remove Windows Components button in the Add or Remove Programs window (figure 1).
Figure 1

- On the Windows Components window, click on the Application Server entry and click the Details button (figure 2).
Figure 2

- On the Application Server page, click on the Internet Information Services (IIS) entry and click the Details button (figure 3).
Figure 3

- In the Internet Information Services (IIS) dialog box, put a checkmark in the World Wide Web Service checkbox and click OK (figure 4).
Figure 4

- Click OK on the Application Server dialog box (figure 5).
Figure 5

- Click Next on the Windows Components dialog box (figure 6).
Figure 6

- Click Finish on the Completing the Windows Components Wizard page (figure 7).
Figure 7

Installing Microsoft Certificate Services
Perform the following steps to install and configure an enterprise CA on a Windows Server 2003 computer:
Note: You must install the enterprise CA on a member server or domain controller on your internal network.
- At a member server or domain controller in your internal network, log on as a domain administrator (in a multi-domain forest, use an account that is a member of Enterprise Admins, because setup writes the CA objects to the forest's Configuration partition). Click Start, point to Control Panel and click Add or Remove Programs.
- In the Add or Remove Programs window (figure 8), click the Add/Remove Windows Components button.
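Setup reads a file named CAPolicy.inf from %windir% (normally C:\WINDOWS) if one exists, and uses it for settings the wizard never asks about. The file below is an added example for this article, not part of the deployment kit; the key length, CRL periods and the decision not to load the default templates are assumptions chosen for illustration. The two Empty=True sections are appropriate only for a root CA, whose own certificate is trusted by distribution rather than by chain building and therefore needs no CRL Distribution Point or Authority Information Access pointers.

```ini
; CAPolicy.inf - place in %windir% before adding the Certificate Services component.
; Added example for this article; the values below are assumptions, adjust them to your environment.
[Version]
Signature="$Windows NT$"

[certsrv_server]
; For a root CA the Renewal* settings also govern the CA's initial self-signed certificate,
; so this is where you set a 2048-bit key and the 5-year lifetime the wizard shows in figure 14.
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5

; Base CRL weekly, delta CRL daily (assumed values).
CRLPeriod=Days
CRLPeriodUnits=7
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=1

; Do not auto-publish the default template set; add only the templates you need afterwards.
LoadDefaultTemplates=0

; A root certificate should carry no CDP or AIA extension.
[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True
```

If you skip LoadDefaultTemplates=0, the enterprise CA publishes the default templates (User, Computer, Web Server and others) at install time, which means any domain user can immediately request certificates from some of them; review the Certificate Templates folder in the Certification Authority console after installation and remove what you do not intend to offer.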
Figure 8

- In the Windows Components dialog box (figure 9), click on the Certificate Services entry and click the Details button.
Figure 9

- In the Certificate Services dialog box, put a checkmark in the Certificate Services CA checkbox (figure 10). A Microsoft Certificate Services dialog box appears and informs you that you cannot change the machine name or the domain membership of the machine after Certificate Services is installed, because the CA's certificates and Active Directory objects are tied to them. Read the information in the dialog box and click Yes.
Figure 10

- Both the Certificate Services CA and Certificate Services Web Enrollment Support checkboxes are now checked (figure 11). Click OK in the Certificate Services dialog box.
Figure 11

- Click Next in the Windows Components dialog box (figure 12).
Figure 12

- Select the Enterprise root CA option on the CA Type page (figure 13). Click Next.
Figure 13

- On the CA Identifying Information page (figure 14), type in a Common name for this CA. The common name of the CA is typically the DNS host name or NetBIOS name (computer name) of the machine running Certificate Services. In this example, the name of the machine is WIN2003DC, so we enter WIN2003DC in the Common name for this CA text box. Note that the common name cannot be changed after installation and appears in the Issuer field of every certificate this CA issues. The default Validity Period of the CA's self-signed certificate is 5 years. Accept this default value unless you have a reason to change it. Click Next.
Figure 14

- On the Certificate Database Settings page (figure 15), use the default locations for the Certificate Database and Certificate Database Log. You do not need to specify a shared folder to store configuration information because this information will be stored in Active Directory. Click Next.
Figure 15

- Click Yes on the Microsoft Certificate Services dialog box (figure 16) informing you that Internet Information Services must be temporarily stopped.
Figure 16

- Click Yes on the Microsoft Certificate Services dialog box (figure 17) informing you that Active Server Pages must be enabled in IIS if you wish to use the Certificate Services Web enrollment site. Clicking Yes enables the Active Server Pages Web service extension, which IIS 6.0 leaves prohibited by default.
Figure 17

- Click Finish on the Completing the Windows Components Wizard page (figure 18).
Figure 18

- Close the Add or Remove Programs window.
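Both procedures above (the IIS World Wide Web service in figures 1 to 7 and the enterprise root CA in figures 8 to 18) can be driven unattended with sysocmgr.exe and an answer file, which is useful when you build the CA in a lab more than once. This batch file is an added example for this article, not part of the deployment kit. The component IDs and the [CertSrv_Server] answer-file keys are taken from the Windows Server 2003 unattended-setup reference as assumptions; the host name WIN2003DC and the database paths are the walkthrough's values.

```batch
@echo off
rem Unattended equivalent of the two Add/Remove Windows Components procedures above.
rem Added example for this article. Component IDs (iis_*, certsrv_*) and the
rem [CertSrv_Server] keys are assumed from the Windows Server 2003 unattended-setup
rem reference; WIN2003DC and the CertLog paths match the walkthrough.
setlocal
set ANSWER=%TEMP%\ca-components.txt

rem --- Step 1: IIS 6.0 World Wide Web service, installed first so Web enrollment can be added ---
> "%ANSWER%" (
  echo [Components]
  echo iis_common=ON
  echo iis_inetmgr=ON
  echo iis_www=ON
  echo iis_asp=ON
)
sysocmgr /i:%windir%\inf\sysoc.inf /u:"%ANSWER%" /q
if errorlevel 1 goto :fail

rem --- Step 2: Certificate Services as an enterprise root CA, plus Web enrollment support ---
rem CAPolicy.inf in %windir%, if present, still applies to this run.
> "%ANSWER%" (
  echo [Components]
  echo certsrv_server=ON
  echo certsrv_client=ON
  echo.
  echo [CertSrv_Server]
  echo CAType=EnterpriseRootCA
  echo CACommonName=WIN2003DC
  echo ValidityPeriod=Years
  echo ValidityPeriodUnits=5
  echo DatabaseDir=%windir%\system32\CertLog
  echo LogDir=%windir%\system32\CertLog
)
sysocmgr /i:%windir%\inf\sysoc.inf /u:"%ANSWER%" /q
if errorlevel 1 goto :fail

del "%ANSWER%"
echo IIS and the enterprise root CA were installed.
endlocal
exit /b 0

:fail
echo Component installation failed; see %windir%\ocmsgs.log and certocm.log.
del "%ANSWER%"
endlocal
exit /b 1
```

Run it from an elevated command prompt on the target server, logged on with the same Enterprise Admins or Domain Admins account the interactive procedure requires; the answer file is deleted afterwards because it records the CA's identity, although it contains no key material.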
The Enterprise Certificate Authority is now installed and can issue certificates without requiring a machine restart. Before you hand out the first certificate, back up the CA (Certification Authority console, All Tasks, Back up CA) and keep the backup, which contains the CA's private key, offline and password protected: anyone holding that key can issue certificates every domain member trusts.
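The quickest way to confirm the result is certutil.exe, which ships with Windows Server 2003. The batch file below is an added example for this article, not part of the deployment kit; it assumes the CA host WIN2003DC and the common name WIN2003DC chosen in figure 14 (the config string is Host\CommonName), and checks the points a practitioner cares about: the service answers, the CA is an enterprise root, its certificate verifies, which templates it publishes, a CRL can be produced, and the Web enrollment virtual directory exists.

```batch
@echo off
rem Post-install checks for the enterprise root CA built in this document.
rem Added example for this article. CACONFIG assumes host WIN2003DC with CA common name
rem WIN2003DC; change it if you chose another name in figure 14.
setlocal
set CACONFIG=WIN2003DC\WIN2003DC
set FAILED=0

rem 1. Is the CA service (certsvc) running and reachable over DCOM?
certutil -config "%CACONFIG%" -ping >nul || (echo FAIL: CA is not responding & set FAILED=1)

rem 2. CA type and name; expect "CA type: Enterprise Root CA".
certutil -config "%CACONFIG%" -cainfo type
certutil -config "%CACONFIG%" -cainfo name

rem 3. Export the CA's own certificate and check that it verifies on this machine.
certutil -config "%CACONFIG%" -ca.cert "%TEMP%\rootca.cer" >nul
certutil -verify "%TEMP%\rootca.cer" >nul || (echo FAIL: CA certificate does not verify & set FAILED=1)

rem 4. Templates this CA offers. Anything listed here can be requested by principals
rem    holding Enroll on the template, so remove the ones you did not intend to publish.
certutil -config "%CACONFIG%" -catemplates

rem 5. CRL schedule as recorded in the CA registry, then publish a fresh CRL.
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod
certutil -crl >nul || (echo FAIL: CRL publication failed & set FAILED=1)

rem 6. Web enrollment: the CertSrv virtual directory should exist under the Default Web Site.
cscript //nologo %windir%\system32\iisvdir.vbs /query "Default Web Site" | findstr /i certsrv >nul || (echo FAIL: CertSrv virtual directory not found & set FAILED=1)

rem 7. Reminder: back up the CA key interactively (certutil prompts for the PFX password):
rem      certutil -backupKey D:\CA-backup

if %FAILED%==0 (echo All checks passed) else (echo One or more checks failed)
endlocal & exit /b %FAILED%
```

Step 6 only proves the virtual directory exists; open http://WIN2003DC/certsrv from a domain workstation as well, because the enrollment pages also depend on the Active Server Pages extension enabled in figure 17.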