It’s not long until we will start needing certificates.
Whether it will be for certificate authentication or management access to Prime, CMX, WLC, M&M, ISE or anything else we don’t know yet, but we know we need a CA.
We won’t be able to cover everything in a single post, so I expect we’ll have a series of CA related posts for each product.
But getting started is “easy”.
We’ve decided that we’ll use the Domain Controller as a root-CA.
So just start the Server Manager -> “Add roles and features” -> Next -> Next -> Next -> add a checkmark to “Active Directory Certificate Services” -> Add Features -> Next -> Next -> Next -> and... oh.
So, I know we’ll need to be able to go to the CA’s /certsrv page to request a certificate manually, but I haven’t installed a Microsoft CA for a few years, and I’m not sure which role service is required here.
Here’s a TechNet article from Microsoft on the subject that also describes the difference between the Certificate Enrollment Web Service and Certification Authority Web Enrollment.
For the purpose of this experiment I selected all role services whose names start with the letter “C”.
And we can continue with… Next -> Next -> Next -> Install
This took about 2-3 minutes.
Now I should be able to get to http://10.208.1.16/certsrv, but the page gives me a 404 error page.
Some searching for the issue turned up a user who had the same problem because they installed the service using the local computer admin account instead of the domain admin account.
I was logged in as the local computer admin.
So I logged out, logged in as domain admin, un-installed the certificate services and re-installed them.
This did not change anything.
Going into “AD CS” menu in the Server Manager, I noticed a yellow line stating that additional configuration is required.
I press “more”, make sure I’ve used the correct credentials, press “next”, select “Certification Authority” and “Certification Authority Web Enrollment” and Next, Next (Enterprise CA), Next (Root CA), Next (Create a new private-key), next, accepting default values for common name at this point, and next, next, next, configure, close.
I got a popup box asking if I wanted to configure additional role services, so while we’re at it, why not.
Now I can add checkmarks to “Certificate Enrollment Web Service” and “Certificate Enrollment Policy Web Service”.
I proceeded with Next, Next, Configure, Close, accepting the default values.
And now both http://10.208.1.16/certsrv/ and https://10.208.1.16/certsrv/ work correctly and we can go into defining templates to use.
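The same install and first configuration pass, written out as an unattended PowerShell script so the steps (and the account requirement that caused the 404 detour) are explicit. This is an added example, not the post’s own commands; the CA common name is a placeholder and the script assumes the server is already a domain member and the session runs as a domain account that is a member of Enterprise Admins.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Unattended equivalent of the
# Server Manager clicks: install the AD CS role services, configure an
# Enterprise Root CA with a new key, enable /certsrv, then verify.
$ErrorActionPreference = 'Stop'

# An Enterprise CA can only be set up by an account in Enterprise Admins,
# which is why the local computer admin attempt left the role unconfigured.
if (-not ((whoami /groups) -match 'Enterprise Admins')) {
    throw 'Run this as a domain account in Enterprise Admins, not the local administrator.'
}

# Role services: the CA itself, the classic /certsrv web pages, and the two
# enrollment web services enabled in the second configuration pass.
$features = 'ADCS-Cert-Authority', 'ADCS-Web-Enrollment',
            'ADCS-Enroll-Web-Svc', 'ADCS-Enroll-Web-Pol'
Install-WindowsFeature -Name $features -IncludeManagementTools

# "Enterprise CA", "Root CA", "Create a new private key", defaults otherwise.
# The common name below is a placeholder, not the post's value.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'EXAMPLE-ROOT-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -Force

# Enables the /certsrv pages; this is what turned the 404 into a working page.
Install-AdcsWebEnrollment -Force

# Checks: every role service reports Installed, /certsrv answers 200 rather
# than 404, and the CA service responds to a ping.
Get-WindowsFeature -Name $features | Format-Table Name, InstallState
$r = Invoke-WebRequest -Uri 'http://localhost/certsrv/' -UseDefaultCredentials -UseBasicParsing
if ($r.StatusCode -ne 200) { throw "certsrv returned HTTP $($r.StatusCode)" }
certutil -ping
```

The two enrollment web services installed above (`ADCS-Enroll-Web-Svc`, `ADCS-Enroll-Web-Pol`) are configured with `Install-AdcsEnrollmentWebService` and `Install-AdcsEnrollmentPolicyWebService`; both expect an HTTPS binding on the server, so run them after the CA has issued the DC its own web server certificate.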
There’s a single template that we will use the most, so I want to enable it right away for use via the certsrv portal, that’s the Web Server template.
So opening up “Certification Authority” on the DC, I can right-click “Certificate Templates” and select “Manage”, which opens up the Certificate Templates Console.
Now, someone from Microsoft once said I should never use the default built-in templates, so I right-click the “Web Server” template and select “Duplicate Template”.
In the “General” tab I’ll call this template WebServer_Escort and in the “Security” tab I’ll allow “Authenticated Users” to have “Enroll” permissions.
Then in the Certification Authority console, I right-click “Certificate Templates”, New -> Certificate Template to Issue, find my WebServer_Escort and click OK.
And now I can use that template while requesting a certificate.
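Publishing the duplicated template from the command line and then auditing what was just made available through /certsrv, as an added example that is not part of the original post. It assumes the template was already duplicated in the Certificate Templates Console under the name used above, WebServer_Escort, and that the ActiveDirectory PowerShell module is present on the DC.

```powershell
# Added example (not from the original post). Publishes the duplicated
# template on the CA (same effect as "New -> Certificate Template to Issue")
# and then reads the template object back from AD to see who may enroll
# and whether the requester chooses the subject name.
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory
$templateName = 'WebServer_Escort'

# Publish on this CA.
certutil -SetCATemplates "+$templateName" | Out-Null

# Confirm the CA now offers it; /certsrv draws its template list from here.
$published = certutil -CATemplates
if (-not ($published -match "^$templateName\b")) { throw "$templateName is not published on the CA" }

# Certificate templates live in the Configuration partition of the forest.
$cfg = (Get-ADRootDSE).configurationNamingContext
$tpl = Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg" `
    -LDAPFilter "(cn=$templateName)" `
    -Properties 'msPKI-Certificate-Name-Flag', 'pKIExtendedKeyUsage', 'nTSecurityDescriptor'

# Web Server (and its duplicate) lets the requester supply the subject:
# bit 1 of msPKI-Certificate-Name-Flag is CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT.
$enrolleeSuppliesSubject = ($tpl.'msPKI-Certificate-Name-Flag' -band 1) -ne 0

# Who holds the Certificate-Enrollment extended right (or full control).
$enrollRight = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$canEnroll = $tpl.nTSecurityDescriptor.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            $_.ObjectType -eq $enrollRight -or
            ($_.ObjectType -eq [Guid]::Empty -and $_.ActiveDirectoryRights -match 'ExtendedRight') -or
            $_.ActiveDirectoryRights -match 'GenericAll')
    } |
    Select-Object -ExpandProperty IdentityReference -Unique

[pscustomobject]@{
    Template                = $templateName
    EKU                     = ($tpl.pKIExtendedKeyUsage -join ', ')   # 1.3.6.1.5.5.7.3.1 = Server Authentication
    EnrolleeSuppliesSubject = $enrolleeSuppliesSubject
    EnrollAllowedTo         = ($canEnroll -join '; ')
}

if ($enrolleeSuppliesSubject -and ($canEnroll -match 'Authenticated Users')) {
    Write-Warning 'Every domain account can request a server certificate for any name with this template; consider scoping Enroll to a dedicated group.'
}
```

The warning at the end is the caveat worth keeping in mind with the “Authenticated Users” choice: because Web Server lets the requester fill in the subject, anyone who can enroll can obtain a certificate for any hostname the CA will sign. Granting Enroll to a small group of the people who actually request certificates for Prime, ISE, the WLC and friends, rather than to every authenticated account, keeps the same workflow through /certsrv with a much smaller blast radius.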