Managing certificates using Microsoft Certificate Authority through SCEP

This section provides instructions on the following:

Note: The Windows Server 2016 operating system is used for all setups in this document.

Overview

The root CA is the trust anchor of the organization's PKI and sits at the top of the hierarchy. Its only routine job is to issue, and if necessary revoke, the certificate of the subordinate CA. It is generally kept offline to limit its exposure and to protect its private key. An offline root still has to be brought up periodically to publish a fresh CRL before the current one expires; otherwise every certificate chain below it stops validating.

To configure the root CA server, do the following:

  1. Make sure that the root CA server is installed. For more information, see Installing the root CA server.

  2. Configure the CRL Distribution Point and Authority Information Access settings. For more information, see Configuring the CRL Distribution Point and Authority Information Access settings.

  3. Configure the CRL accessibility. For more information, see Configuring CRL accessibility.

Installing the root CA server

  1. From Server Manager, click Manage > Add Roles and Features.

  2. Click Server Roles, select Active Directory Certificate Services and all its features, and then click Next.

  3. From the AD CS Role Services section, select Certification Authority, and then click Next > Install.

  4. After installation, click Configure Active Directory Certificate Services on the destination server.

  5. From the Role Services section, select Certification Authority > Next.

  6. From the Setup Type section, select Standalone CA, and then click Next.

  7. From the CA Type section, select Root CA, and then click Next.

  8. Select Create a new private key, and then click Next.

  9. From the Select a cryptographic provider menu, select RSA#Microsoft Software Key Storage Provider.

  10. From the Key length menu, select 4096.

  11. In the hash algorithm list, select SHA512, and then click Next.

  12. In the Common name for this CA field, type a name for the CA. The name becomes part of the CA certificate subject and of the file names of the published CRL and CA certificate, so choose a short, stable name and do not reuse it for another CA.

  13. In the Distinguished name suffix field, type the domain component.

    Sample CA name configuration

    Machine Fully Qualified Domain Name (FQDN): test.dev.lexmark.com

    Common Name (CN): TEST

    Distinguished name suffix: DC=DEV,DC=LEXMARK,DC=COM

  14. Click Next.

  15. Specify the validity period, and then click Next.

    Note: Generally, the validity period is 10 years. No certificate in the hierarchy below the root, including the subordinate CA certificate, can expire later than the root certificate does.
  16. Do not change anything in the database locations window.

  17. Complete the installation.

Configuring Microsoft Enterprise CA with NDES

Overview

In the following deployment scenario, who is allowed to enroll is governed by the permissions set on the certificate templates published in Active Directory, and every request that NDES forwards to the CA is based on one of those templates.

For this setup, make sure that you have the following:

Required users

Create the following users in the domain controller:

Configuring subordinate CA server

Overview

The subordinate CA is the intermediate (issuing) CA and is always online. It issues, renews, and revokes the certificates of end entities such as printers, so that the root CA never has to.

To configure the subordinate CA server, do the following:

  1. Make sure that the subordinate CA server is installed. For more information, see Installing the subordinate CA server.

  2. Configure the CRL Distribution Point and Authority Information Access settings. For more information, see Configuring the CRL Distribution Point and Authority Information Access settings.

  3. Configure the CRL accessibility. For more information, see Configuring CRL accessibility.

Installing the subordinate CA server

  1. From the server, log in as a CAAdmin domain user.

  2. From Server Manager, click Manage > Add Roles and Features.

  3. Click Server Roles, select Active Directory Certificate Services and all its features, and then click Next.

  4. From the AD CS Role Services section, select Certification Authority and Certification Authority Web Enrollment, and then click Next.

    Note: Make sure that all the features of Certification Authority Web Enrollment are added.
  5. From the Web Server Role (IIS) Role Services section, retain the default settings.

  6. After installation, click Configure Active Directory Certificate Services on the destination server.

  7. From the Role Services section, select Certification Authority and Certification Authority Web Enrollment, and then click Next.

  8. From the Setup Type section, select Enterprise CA, and then click Next.

  9. From the CA Type section, select Subordinate CA, and then click Next.

  10. Select Create a new private key, and then click Next.

  11. From the Select a cryptographic provider menu, select RSA#Microsoft Software Key Storage Provider.

  12. From the Key length menu, select 4096.

  13. In the hash algorithm list, select SHA512, and then click Next.

  14. In the Common name for this CA field, type a name for the CA. Use a name that differs from the root CA name: both CAs publish their CRL and certificate files under names derived from the CA name, and identical names collide.

  15. In the Distinguished name suffix field, type the domain component.

    Sample CA name configuration

    Machine Fully Qualified Domain Name (FQDN): test.dev.lexmark.com

    Common Name (CN): TEST

    Distinguished name suffix: DC=DEV,DC=LEXMARK,DC=COM

  16. In the Certificate Request dialog box, save the request file, and then click Next.

  17. Do not change anything in the database locations window.

  18. Complete the installation.

  19. Copy the saved request file to the root CA, submit it there, and issue it. The root is a standalone CA, so the request is held as pending until an administrator issues it. Then export the issued certificate together with the root CA certificate in PKCS #7 (.p7b) format.

  20. From the subordinate CA, open Certification Authority.

  21. From the left panel, right-click the CA, and then click All Tasks > Install CA Certificate.

  22. Select the exported PKCS #7 file, and then start the CA service.

    Note: The subordinate CA is an enterprise CA, but the offline root is not a domain member, so the root CA certificate is not published to Active Directory automatically. Publish it (for example with certutil -dspublish) so that domain members trust the whole chain.
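The root CA and subordinate CA installations above, scripted end to end. This is an added example, not part of the original page; it uses the ADCSDeployment module and certreq/certutil. Host names, CA names (DEV-ROOT-CA, DEV-ISSUING-CA), paths under C:\PKI and the RequestId value are assumptions, chosen so that the two CAs do not publish files under the same name.

```powershell
# Added example (not part of the original page): root CA and subordinate CA installation
# scripted with the ADCSDeployment module plus certreq/certutil.
# Assumed names: offline root host ROOTCA (workgroup) with CA name DEV-ROOT-CA; issuing CA
# host certserv.dev.lexmark.com with CA name DEV-ISSUING-CA; admin account DEV\CAAdmin.

# ---- 1. Root CA (standalone, offline). Run as local Administrator on ROOTCA. ----
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 -HashAlgorithmName SHA512 `
    -CACommonName 'DEV-ROOT-CA' -CADistinguishedNameSuffix 'DC=DEV,DC=LEXMARK,DC=COM' `
    -ValidityPeriod Years -ValidityPeriodUnits 10 -Force
# Export the root certificate; it is needed on the issuing CA and in the domain.
certutil -ca.cert C:\PKI\DEV-ROOT-CA.cer

# ---- 2. Issuing CA (enterprise subordinate). Run as DEV\CAAdmin on certserv. ----
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 -HashAlgorithmName SHA512 `
    -CACommonName 'DEV-ISSUING-CA' -CADistinguishedNameSuffix 'DC=DEV,DC=LEXMARK,DC=COM' `
    -OutputCertRequestFile 'C:\PKI\DEV-ISSUING-CA.req' -Force
# Publish the root certificate to Active Directory so domain members trust the chain
# (needs Enterprise Admins; the offline root cannot do this itself).
certutil -dspublish -f C:\PKI\DEV-ROOT-CA.cer RootCA

# ---- 3. Back on ROOTCA: issue the request (carried over on removable media). ----
certreq -submit -config 'ROOTCA\DEV-ROOT-CA' C:\PKI\DEV-ISSUING-CA.req
# A standalone CA holds the request as pending and prints its RequestId.
$requestId = 2   # assumed: use the RequestId printed by certreq -submit
certutil -config 'ROOTCA\DEV-ROOT-CA' -resubmit $requestId
certreq -retrieve -config 'ROOTCA\DEV-ROOT-CA' $requestId `
    C:\PKI\DEV-ISSUING-CA.cer C:\PKI\DEV-ISSUING-CA.p7b   # .p7b = PKCS #7 with the chain

# ---- 4. On certserv: install the issued certificate and start the CA. ----
certutil -installCert C:\PKI\DEV-ISSUING-CA.p7b
Start-Service certsvc
certutil -config 'certserv.dev.lexmark.com\DEV-ISSUING-CA' -ping   # CA should report alive
```

The wizard in the page does the same work as Install-AdcsCertificationAuthority; the script form is useful mainly because it records exactly which provider, key length and hash were chosen, which is what an auditor asks for later.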

Configuring the CRL Distribution Point and Authority Information Access settings

Note: Configure the CRL Distribution Point (CDP) and Authority Information Access (AIA) extensions so that every issued certificate tells clients where to fetch the CRL and the issuing CA certificate. Use plain http:// URLs here: a client has to download the CRL before it can validate any TLS certificate, so an https:// CDP would create a circular dependency and revocation checking would fail.
  1. From Server Manager, click Tools > Certification Authority.

  2. From the left panel, right-click the CA, and then click Properties > Extensions.

  3. In the Select extension menu, select CRL Distribution Point (CDP).

  4. In the list of locations, select the local C:\Windows\system32\ entry (the CertEnroll folder on the CA itself), and then do the following:

    1. Select Publish CRLs to this location.

    2. Clear Publish Delta CRLs to this location.

  5. Delete every other entry (the LDAP, HTTP, and file entries that the wizard created), leaving only the local C:\Windows\system32\ entry.

  6. Click Add.

  7. In the Location field, add http://serverIP/CertEnroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl, where serverIP is the IP address of the server.

    Note: Prefer a name over an IP address. If the server is reachable by its FQDN, use <ServerDNSName> (or a stable DNS alias) instead of serverIP: the URL is embedded in every certificate the CA issues and cannot be changed afterwards without reissuing those certificates.
  8. Click OK.

  9. Select Include in the CDP extension of issued certificates for the created entry.

  10. In the Select extension menu, select Authority Information Access (AIA).

  11. Delete every other entry, leaving only the local C:\Windows\system32\ entry.

  12. Click Add.

  13. In the Location field, add http://serverIP/CertEnroll/<ServerDNSName>_<CAName><CertificateName>.crt, where serverIP is the IP address of the server.

    Note: As for the CDP, use <ServerDNSName> (or a stable DNS alias) instead of serverIP if the server is reachable by its FQDN; the AIA URL is embedded in every issued certificate.
  14. Click OK.

  15. Select Include in the AIA extension of issued certificates for the created entry.

  16. Click Apply > OK.

    Note: If necessary, restart the certification service.
  17. From the left panel, expand the CA, right-click Revoked Certificates, and then click Properties.

  18. Specify the CRL publication interval, and then click Apply > OK. The delta CRL interval is not used, because delta CRL publishing was cleared in step 4. Use a short interval on the online subordinate CA. On the offline root CA use a long interval and put a reminder in place: its CRL must be republished by hand and copied to the web server's CertEnroll folder before the current one expires, or every chain below the root stops validating.

  19. From the left panel, right-click Revoked Certificates, click All Tasks > Publish, and then select New CRL.
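The same CDP, AIA and CRL-interval configuration done from PowerShell on the CA, as an added example that is not part of the original page. It uses the ADCSAdministration module that ships with the CA role, plus certutil for the interval registry values. The alias pki.dev.lexmark.com for the web server is an assumption; a DNS name is used rather than an IP address because the URL ends up inside every issued certificate.

```powershell
# Added example (not part of the original page): CDP/AIA and CRL-interval settings
# scripted on the CA. Assumed: CertEnroll is served as http://pki.dev.lexmark.com/CertEnroll/
Import-Module ADCSAdministration

$http  = 'http://pki.dev.lexmark.com/CertEnroll/'
$local = 'C:\Windows\system32\CertSrv\CertEnroll\'   # default local publish location, kept

# CDP: remove every entry except the local publish location, then add the one HTTP URL
# that goes into the CDP extension of issued certificates.
Get-CACrlDistributionPoint |
    Where-Object { $_.Uri -notlike "${local}*" } |
    ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }
Add-CACrlDistributionPoint -Uri "${http}<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl" `
    -AddToCertificateCdp -Force

# AIA: same pattern for the CA certificate.
Get-CAAuthorityInformationAccess |
    Where-Object { $_.Uri -notlike "${local}*" } |
    ForEach-Object { Remove-CAAuthorityInformationAccess -Uri $_.Uri -Force }
Add-CAAuthorityInformationAccess -Uri "${http}<ServerDNSName>_<CaName><CertificateName>.crt" `
    -AddToCertificateAia -Force

# CRL lifetime. Delta CRLs are switched off entirely (period 0), which has the same effect
# as clearing "Publish Delta CRLs" on the local entry. Values below suit the online issuing
# CA; on the offline root use a long period and republish (certutil -crl) before expiry.
certutil -setreg 'CA\CRLPeriodUnits' 1
certutil -setreg 'CA\CRLPeriod' 'Weeks'
certutil -setreg 'CA\CRLDeltaPeriodUnits' 0
certutil -setreg 'CA\CRLOverlapUnits' 2        # extends NextUpdate past the next scheduled
certutil -setreg 'CA\CRLOverlapPeriod' 'Days'  # publish, so a late publish is not an outage

Restart-Service certsvc
certutil -crl                                  # publish a fresh base CRL now

# Verify what will be stamped into certificates and what the CA will publish.
Get-CACrlDistributionPoint       | Format-Table Uri, PublishToServer, AddToCertificateCdp -AutoSize
Get-CAAuthorityInformationAccess | Format-Table Uri, AddToCertificateAia -AutoSize
certutil -getreg 'CA\CRLPeriodUnits'
certutil -getreg 'CA\CRLDeltaPeriodUnits'
```

The Format-Table output is the quickest way to catch the common mistake of adding the HTTP entry without ticking Include in the CDP extension: the URL is present but AddToCertificateCdp is False, and issued certificates carry no usable CDP at all.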

Configuring CRL accessibility

Note: Before you begin, make sure that Internet Information Services (IIS) Manager is installed.
  1. From IIS Manager, expand the server node, and then expand Sites.

  2. Right-click Default Web Site, and then click Add Virtual Directory.

  3. In the Alias field, type CertEnroll.

  4. In the Physical path field, type C:\Windows\System32\CertSrv\CertEnroll.

  5. Click OK.

  6. Right-click CertEnroll, and then click Edit Permissions.

  7. From the Security tab, remove write permissions from every principal except SYSTEM. The CA service runs as SYSTEM and is the only thing that needs to write the CRL and CA certificate into this folder; clients fetch them anonymously, so read access must stay in place.

    Note: Delta CRLs are not published in this setup, so the IIS request-filtering setting that allows double escaping (needed only because delta CRL file names contain a plus sign) does not have to be changed.

  8. Click OK.
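The virtual directory, its NTFS permissions, and an end-to-end check of the published CRL, as an added example that is not part of the original page. It uses the WebAdministration module, icacls and certutil. The web server name pki.dev.lexmark.com, the CA name DEV-ISSUING-CA and the test certificate path are assumptions.

```powershell
# Added example (not part of the original page): publish CertEnroll through IIS, lock
# down its NTFS permissions, and check the CRL over HTTP the way a client would.
# Assumed: server pki.dev.lexmark.com, CA name DEV-ISSUING-CA, a certificate it issued
# saved as C:\PKI\printer.cer.
Import-Module WebAdministration

$path = 'C:\Windows\System32\CertSrv\CertEnroll'
if (-not (Get-WebVirtualDirectory -Site 'Default Web Site' -Name 'CertEnroll')) {
    New-WebVirtualDirectory -Site 'Default Web Site' -Name 'CertEnroll' -PhysicalPath $path | Out-Null
}

# Only the CA service (SYSTEM) writes here. Administrators keep Modify so the offline
# root's CRL can be copied in by hand; drop that line if the copy is done as SYSTEM.
# The IIS worker and everyone else are read-only.
icacls $path /inheritance:r `
    /grant 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)M' 'Users:(OI)(CI)RX' 'IIS_IUSRS:(OI)(CI)RX'

# 1. The CRL must be fetchable anonymously at exactly the URL in the CDP extension.
#    With an empty CRLNameSuffix the file is simply <CaName>.crl.
$crlUrl = 'http://pki.dev.lexmark.com/CertEnroll/DEV-ISSUING-CA.crl'
$tmp = Join-Path $env:TEMP 'check.crl'
Invoke-WebRequest -Uri $crlUrl -OutFile $tmp -UseBasicParsing
certutil -dump $tmp | Select-String 'Issuer|Update'      # issuer, this/next update

# 2. Full chain and revocation check of an issued certificate, fetching CDP and AIA from
#    the network exactly as a printer or browser would. Every URL should show as verified;
#    a failed fetch here means the certificate is unusable on real clients.
certutil -verify -urlfetch 'C:\PKI\printer.cer'
```

IIS maps .crl and .crt to their MIME types out of the box, so no static-content change is needed. Run the check from a machine that is not the CA: a CRL that only resolves on the server that published it is the most common way this setup silently fails.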

Configuring the NDES server

  1. From the server, log in as an SCEPAdmin domain user.

  2. From Server Manager, click Manage > Add Roles and Features.

  3. Click Server Roles, select Active Directory Certificate Services and all its features, and then click Next.

  4. From the AD CS Role Services section, clear Certification Authority.

  5. Select Network Device Enrollment Service and all its features, and then click Next.

  6. From the Web Server Role (IIS) Role Services section, retain the default settings.

  7. After installation, click Configure Active Directory Certificate Services on the destination server.

  8. From the Role Services section, select Network Device Enrollment Service, and then click Next.

  9. Select Specify service account, and then enter the SCEPSvc domain account. Before you do this, add SCEPSvc to the local IIS_IUSRS group on the NDES server; the wizard rejects an account that is not a member.

  10. From the CA for NDES section, select either CA name or Computer name, and then click Next.

  11. From the RA Information section, specify the registration authority name and location, and then click Next. NDES uses this information as the subject of the two RA certificates (signing and encryption) that it enrolls for itself.

  12. From the Cryptography for NDES section, do the following:

    • Select the appropriate signature and encryption key providers.

    • From the Key length menu, select the same key length as the CA server.

  13. Click Next.

  14. Complete the installation.

You can now open the NDES administration page in a web browser as a user that has Enroll permission on the NDES templates (SCEPSvc in this setup). The page shows the CA certificate thumbprint, a one-time enrollment challenge password, and how long that password remains valid (60 minutes by default).

Accessing the NDES server

Open a web browser, and then type http://NDESserverIP/certsrv/mscep_admin, where NDESserverIP is the IP address of the NDES server. The page prompts for Windows credentials. Because the challenge password is returned in the page, use HTTPS for this URL outside a lab; the SCEP enrollment itself (certsrv/mscep/mscep.dll) protects the password inside the PKCS #7 envelope, but the administration page does not.
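A scripted check of the NDES installation, as an added example that is not part of the original page. GetCACaps and GetCACert are the standard SCEP (RFC 8894) query operations and need no authentication, which makes them a convenient smoke test from any domain machine; the thumbprints they return should match what the mscep_admin page shows. The host name ndes.dev.lexmark.com and the account DEV\SCEPSvc are assumptions.

```powershell
# Added example (not part of the original page): checks around the NDES installation.
# Assumed names: NDES host ndes.dev.lexmark.com, service account DEV\SCEPSvc.
Add-Type -AssemblyName System.Security

# Before the wizard: the NDES service account must be in the local IIS_IUSRS group.
if (-not (Get-LocalGroupMember -Group 'IIS_IUSRS' -Member 'DEV\SCEPSvc' -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'IIS_IUSRS' -Member 'DEV\SCEPSvc'
}

function Get-ScepCaCerts {
    param([string]$ScepUrl = 'http://ndes.dev.lexmark.com/certsrv/mscep/mscep.dll')

    # Capabilities advertised by NDES (hash algorithms, POSTPKIOperation, ...).
    $caps = Invoke-WebRequest -Uri "${ScepUrl}?operation=GetCACaps&message=test" -UseBasicParsing
    Write-Host "GetCACaps:`n$($caps.Content)"

    # GetCACert returns a degenerate PKCS #7 (no signature) that carries the CA and RA certs.
    $tmp = Join-Path $env:TEMP 'getcacert.p7b'
    Invoke-WebRequest -Uri "${ScepUrl}?operation=GetCACert&message=test" -OutFile $tmp -UseBasicParsing
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode([IO.File]::ReadAllBytes($tmp))

    foreach ($cert in $cms.Certificates) {
        # 2.5.29.37 = Enhanced Key Usage; RA certs have it, the CA cert does not.
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $eku = if ($ekuExt) { $ekuExt.Format($false) } else { '(none: CA certificate)' }
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            EKU        = $eku
        }
    }
}

# Compare the CA thumbprint with the mscep_admin page, and note the RA certificates'
# NotAfter: when they lapse, every SCEP enrollment fails until NDES re-enrolls them.
Get-ScepCaCerts | Format-Table -AutoSize
```

Running this from a printer VLAN, not just from the NDES server, also confirms that the firewall path devices will use is open.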

Configuring NDES for MVE

Note: Before you begin, make sure that the NDES server is working properly.

Creating a certificate template

  1. From the subordinate CA (certserv), open Certification Authority.

  2. From the left panel, expand the CA, right-click Certificate Templates, and then click Manage.

  3. In Certificate Templates Console, right-click the Web Server template, and then click Duplicate Template.

  4. From the General tab, type MVEWebServer as the template name.

  5. From the Security tab, give the SCEPAdmin and SCEPSvc users Read and Enroll permissions. Do not grant Enroll to any other group.

    Note: For more information, see Required users.
  6. From the Subject Name tab, select Supply in the request.

    Note: This setting lets the requester (the printer, by way of NDES) choose its own subject name, which SCEP enrollment needs. It also means the CA does not check who the subject is, so keep Enroll on this template limited to the SCEP accounts above; never grant it to broad groups such as Domain Users or Authenticated Users.
  7. From the Extensions tab, select Application Policies > Edit.

  8. Click Add > Client Authentication > OK. The copy keeps Server Authentication from the Web Server template, so the template now carries both purposes.

  9. From the left panel, expand the CA, right-click Certificate Templates, and then click New > Certificate Template to Issue.

  10. Select the MVEWebServer template, and then click OK.

You can now access the templates using the CA web enrollment portal.

Accessing the templates
  1. Open a web browser, and then type http://CAserverIP/certsrv/certrqxt.asp, where CAserverIP is the IP address of the CA server.

  2. In the Certificate template menu, view the templates.

Setting certificate templates for NDES

  1. From the NDES server, launch the registry editor.

  2. Navigate to HKEY_LOCAL_MACHINE >SOFTWARE >Microsoft > Cryptography > MSCEP.

  3. Set each of the following string values to MVEWebServer:

    • EncryptionTemplate

    • GeneralPurposeTemplate

    • SignatureTemplate

  4. Give the SCEPSvc user Full Control on the MSCEP key.

  5. From IIS Manager, expand the server node, click Application Pools, and then select SCEP.

  6. From the right panel, click Recycle to restart the SCEP application pool.

  7. From IIS Manager, expand Sites, and then select Default Web Site.

  8. From the right panel, click Restart.
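The template mapping, registry permission and IIS restart above as one script, with a check that the CA actually offers the template, as an added example that is not part of the original page. The account DEV\SCEPSvc and the CA configuration string are assumptions.

```powershell
# Added example (not part of the original page): map the three NDES template values to
# MVEWebServer, grant the service account Full Control on the MSCEP key, restart IIS pieces.
# Assumed: service account DEV\SCEPSvc, issuing CA certserv.dev.lexmark.com\DEV-ISSUING-CA.
Import-Module WebAdministration

$key = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
foreach ($name in 'EncryptionTemplate', 'GeneralPurposeTemplate', 'SignatureTemplate') {
    Set-ItemProperty -Path $key -Name $name -Value 'MVEWebServer' -Type String
}

# Full Control on the MSCEP key (and subkeys) for the NDES service account.
$acl  = Get-Acl -Path $key
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    'DEV\SCEPSvc', 'FullControl', 'ContainerInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $key -AclObject $acl

# NDES reads the registry when its worker process starts, so recycle the pool and site.
Restart-WebAppPool -Name 'SCEP'
Stop-Website -Name 'Default Web Site'
Start-Website -Name 'Default Web Site'

# Verify: the three values, the ACL entry, and that the CA publishes the template.
Get-ItemProperty -Path $key | Select-Object EncryptionTemplate, GeneralPurposeTemplate, SignatureTemplate
(Get-Acl -Path $key).Access | Where-Object { $_.IdentityReference -like '*SCEPSvc' } |
    Select-Object IdentityReference, RegistryRights
certutil -config 'certserv.dev.lexmark.com\DEV-ISSUING-CA' -CATemplates | Select-String 'MVEWebServer'
```

If the last line prints nothing, the template was duplicated but never added with Certificate Template to Issue, and NDES will fail every enrollment with a template-not-found error rather than a permission error.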

Disabling Challenge Password in Microsoft CA server

  1. From the NDES server, launch the registry editor.

  2. Navigate to HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Cryptography > MSCEP.

  3. Set EnforcePassword (DWORD) to 0.

    Note: With EnforcePassword set to 0, NDES issues certificates to any client that can reach the SCEP URL, for any subject the client puts in its request, without a challenge password. Limit who can reach http://NDESserverIP/certsrv/mscep (a firewall rule or IIS IP restrictions allowing only the MVE server) for as long as this setting is in effect.

  4. From IIS Manager, expand the server node, click Application Pools, and then select SCEP.

  5. From the right panel, click Advanced Settings.

  6. Set Load User Profile to True, and then click OK.

  7. From the right panel, click Recycle to restart the SCEP application pool.

  8. From IIS Manager, expand Sites, and then select Default Web Site.

  9. From the right panel, click Restart.

When you open the NDES administration page now, it shows only the CA certificate thumbprint; no challenge password is generated.
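The challenge-password change above, scripted together with the compensating control it calls for, as an added example that is not part of the original page. Restricting the SCEP application to the MVE server's address uses the IIS IP and Domain Restrictions feature (Web-IP-Security) through the WebAdministration module; the MVE address 10.10.5.20 and the host name ndes.dev.lexmark.com are assumptions.

```powershell
# Added example (not part of the original page): disable the SCEP challenge password and
# limit the SCEP endpoint to the MVE server. Assumed: MVE at 10.10.5.20.
Import-Module WebAdministration

$key = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
Set-ItemProperty -Path $key -Name 'EnforcePassword' -Value 0 -Type DWord
Set-ItemProperty -Path 'IIS:\AppPools\SCEP' -Name 'processModel.loadUserProfile' -Value $true

# Compensating control: with no password, reachability is the only thing standing between
# an attacker and a Client Authentication certificate for any subject they choose.
Install-WindowsFeature Web-IP-Security | Out-Null
$loc = 'Default Web Site/certsrv/mscep'       # the SCEP application, not the admin page
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $loc `
    -Filter 'system.webServer/security/ipSecurity' -Name 'allowUnlisted' -Value $false
Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $loc `
    -Filter 'system.webServer/security/ipSecurity' -Name '.' `
    -Value @{ ipAddress = '10.10.5.20'; allowed = 'true' }

Restart-WebAppPool -Name 'SCEP'
Stop-Website -Name 'Default Web Site'
Start-Website -Name 'Default Web Site'

# Verify: EnforcePassword is 0, and the endpoint answers only from the MVE host.
Get-ItemProperty -Path $key -Name 'EnforcePassword'
$probe = 'http://ndes.dev.lexmark.com/certsrv/mscep/mscep.dll?operation=GetCACaps&message=test'
try {
    $r = Invoke-WebRequest -Uri $probe -UseBasicParsing
    "From $env:COMPUTERNAME: HTTP $($r.StatusCode) (expected only on the MVE server)"
} catch {
    "From $env:COMPUTERNAME: $($_.Exception.Message) (expected 403 from anywhere else)"
}
```

Run the probe twice, once from the MVE server and once from another host; the first must succeed and the second must be refused. Set EnforcePassword back to 1 and remove the restriction once the MVE deployment no longer needs unattended enrollment.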