425350913 Install and Configure Certificate Authority in Windows Server 2016 PDF

Title 425350913 Install and Configure Certificate Authority in Windows Server 2016
Author Trần Hoàng
Course Internship
Institution Đại học Quốc gia Hà Nội
Pages 23
File Size 1.9 MB
File Type PDF

Summary

Theory content...


Description

Install and Configure Certificate Authority in Windows Server 2016

This article covers the following topics:

• Install Certificate Authority on Windows Server 2016
• Configuring Certificate Authority on Windows Server 2016
• Assigning Certificate on Exchange Server 2016
• Assigning on Test Machine to see Certificate Authority is working for Outlook Web Access

Step 1: You need this role installed to have a Certificate Authority. It is preferably installed on a dedicated server or on a domain controller. Open Server Manager – Manage – Add Roles and Features.

Step 2: Choose: Active Directory Certificate Services. Choose Next, and choose: Certification Authority Web Enrollment.

Choose:

• Certification Authority
• Certification Authority Web Enrollment

Choose Install and Close.

Step 3: To configure Active Directory Certificate Services, choose the exclamation mark on the flag, then "Configure Active Directory Certificate Services on the destination server".

Choose Next.

Choose:

• Certification Authority
• Certification Authority Web Enrollment

Choose Enterprise CA:

• Enterprise CAs must be domain members and are typically online to issue certificates or certificate policies.

Step 4: Choose Root CA. Root CAs are the first and may be the only CAs configured in a PKI hierarchy.

Step 5: Create a new Private key

Step 6:

• Use SHA256
• RSA#Microsoft Software Key Storage Provider
• Key Length – 2048

Step 7: Click Next

Step 8: By default the certificate is valid for 5 years. Don't make any changes to it; click Next.

Step 9: Specify Certificate Authority Default Database Locations

Click Configure

Choose Configure
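The wizard choices in Steps 1 to 9 can also be applied as a script, which leaves a reviewable record of the CA's cryptographic settings. This is an added example, not part of the original document; it assumes an elevated session on a domain-joined server with Enterprise Admins rights.

```powershell
# Added example: scripted equivalent of the wizard choices in Steps 1-9.
# Run in an elevated session on the intended CA server. An Enterprise CA
# requires a domain-joined server and Enterprise Admins membership.

# Steps 1-2: add the two AD CS role services selected in the wizard.
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# Steps 3-8: Enterprise Root CA with a new private key, using the values from
# Step 6 and the default 5-year validity from Step 8.
$caSettings = @{
    CAType              = 'EnterpriseRootCA'
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = 2048
    HashAlgorithmName   = 'SHA256'
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 5
}
# Step 9: database and log paths stay at their defaults because
# -DatabaseDirectory and -LogDirectory are omitted.
Install-AdcsCertificationAuthority @caSettings -Force

# Configure the Web Enrollment role service (it serves /certsrv).
Install-AdcsWebEnrollment -Force

# Confirm what was actually configured instead of relying on the wizard summary.
Get-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment |
    Format-Table Name, InstallState
certutil -getreg CA\CSP\Provider          # should show the provider from Step 6
certutil -getreg CA\CSP\CNGHashAlgorithm  # should show SHA256
certutil -ping                            # the CA service answers requests
```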

We have successfully installed and configured the Certificate Authority on Windows Server 2016.

Let us see how to request and create a simple cert from the internal Certificate Authority.

Step 10: Browse to http://localhost/certsrv/. You will see a page like the one below; choose "Request a Certificate".

Step 11: Click on Advanced Certificate Request

Step 12: Choose the second one: Submit a certificate request by using a base-64-encoded CMC

Step 13: Now copy the certificate request data from Notepad. You have to generate a certificate request from the application, for example as we do in Exchange Server: http://www.careexchange.in/how-to-create-an-ssl-certificate-request-for-exchange-server-2013/ Or you can use https://www.digicert.com/util/

Example: the data should be a base-64 block that starts with -----BEGIN NEW CERTIFICATE REQUEST----- and ends with -----END NEW CERTIFICATE REQUEST-----.

Saved Request – (NEW CERTIFICATE REQUEST data like above)

Choose Template: WebServer

Choose Submit

Step 14: Choose "Base 64 encoded" and Download Certificate

Step 15: Save the certificate – it should have a .cer extension
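Steps 10 to 15 can be done from the command line, which also makes it easy to read what a request asks the CA to sign before submitting it. This is an added example, not part of the original document; the paths, host names and CA config string are constructed placeholders, and the text matching assumes English-locale certutil output.

```powershell
# Added example: command-line form of Steps 10-15 with a review gate first.
# All paths, names and the CA config string below are constructed placeholders.
$request  = 'C:\Temp\exchange.req'                     # CSR produced by the application
$issued   = 'C:\Temp\exchange.cer'                     # Step 15: save with a .cer extension
$caConfig = 'CA-SERVER.example.test\Example-Root-CA'   # "host\CA name"
$allowed  = @('mail.example.test', 'autodiscover.example.test')

# Decode the request so the subject, key size and alternative names are visible.
$dump = certutil -dump $request
if ($LASTEXITCODE -ne 0) { throw "certutil could not parse $request" }

# Assumption: English output such as "Public Key Length: 2048 bits"
# and "DNS Name=host" in the Subject Alternative Name extension.
$keyLine = $dump | Select-String 'Public Key Length:\s*(\d+)' | Select-Object -First 1
if (-not $keyLine) { throw 'Key length not found in certutil output' }
$keyBits = [int]$keyLine.Matches[0].Groups[1].Value

$dnsNames = @($dump | Select-String 'DNS Name=(\S+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value })

# Refuse to sign short keys or names nobody approved for this server.
$unexpected = @($dnsNames | Where-Object { $_ -notin $allowed })
if ($keyBits -lt 2048)         { throw "Key too short: $keyBits bits" }
if ($unexpected.Count -gt 0)   { throw "Unapproved names: $($unexpected -join ', ')" }

# Step 13: submit against the WebServer template; the issued certificate
# is written to $issued.
certreq -submit -config $caConfig -attrib 'CertificateTemplate:WebServer' $request $issued
if ($LASTEXITCODE -ne 0) { throw 'Request was not issued (denied or pending)' }

# Read back what the CA actually issued.
certutil -dump $issued
```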

– Let's see how we apply it on Exchange 2016, for example.

Copied my request .CER file generated from the CA to the Exchange server and am using it.

It shows Certificate Invalid.

Let's see why.

1 – Start – MMC – File – Add/Remove Snap-in
2 – Choose Certificates – Add
3 – Computer Account
4 – Local Computer
5 – Expand Personal – Certificates / Expand Trusted Root Certification Authorities – Certificates

Now log in to the Root CA server and export the Root CA certificate.

Now log in to the Exchange Server and import the exported cert.

Now the certificates look OK. Make sure you assign the certificate for IIS in the Exchange Control Panel.

Now you can see things are fine locally on Exchange 2016 server –
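The root export and import described above, with a check that the file is the root you intended to trust before it enters the Trusted Root store. This is an added example, not part of the original document; the paths and the expected thumbprint are placeholders.

```powershell
# Added example. Paths and the thumbprint value are constructed placeholders.

# --- On the root CA server: write the CA certificate (public part only) to a file.
certutil -ca.cert C:\Temp\rootca.cer

# --- On the Exchange server, after copying rootca.cer across:
$rootPath = 'C:\Temp\rootca.cer'
$expected = '<THUMBPRINT-READ-ON-THE-CA-SERVER>'   # placeholder, obtained out of band

$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $rootPath

# A root certificate is self-signed, so subject and issuer must match, and the
# thumbprint must be the one read on the CA server itself.
if ($root.Subject -ne $root.Issuer) { throw 'Not a self-signed root certificate' }
if ($root.Thumbprint -ne $expected) { throw "Unexpected thumbprint $($root.Thumbprint)" }

# Place it in the computer's Trusted Root Certification Authorities store.
Import-Certificate -FilePath $rootPath -CertStoreLocation Cert:\LocalMachine\Root

# Re-check the server certificate saved in Step 15: the chain should now build.
$server = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\Temp\exchange.cer'
Test-Certificate -Cert $server -Policy SSL   # returns True when the chain validates
```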

– Let's see how we can use it on a desktop.

First log in to the Exchange Server MMC and export the certificate with the full certificate path into a PFX file.

Note: The desktop doesn't need the private keys from any certificate in the chain. Having the private key gives the ability to decrypt all the traffic between the client and the server, even if that traffic is coming from someone else. It also makes a man-in-the-middle attack on this SSL connection possible.

On 2: For end-user desktops – choose "do not export private key" and use that certificate for import.

Now we have the PFX file exported. Open MMC and import or install the PFX on the desktop.

Now browsing the URL –
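The note about private keys can be enforced at export time: the sketch below writes only the public certificate for desktops and confirms the file carries no private key. This is an added example, not part of the original document; the DNS name and output path are constructed placeholders.

```powershell
# Added example: export the public certificate only, for import on desktops.
$dnsName = 'mail.example.test'               # constructed placeholder
$outFile = 'C:\Temp\exchange-public.cer'     # constructed placeholder

# On the Exchange server: find the newest matching certificate in the
# computer's Personal store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $dnsName } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate for $dnsName in LocalMachine\My" }

# Export-Certificate writes the certificate without key material;
# Export-PfxCertificate is the cmdlet that would include the private key.
Export-Certificate -Cert $cert -FilePath $outFile -Type CERT | Out-Null

# Load the file back and confirm what is about to be handed to desktops.
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $outFile
[pscustomobject]@{
    Subject              = $exported.Subject
    Thumbprint           = $exported.Thumbprint
    StoreHasPrivateKey   = $cert.HasPrivateKey       # True on the server
    FileHasPrivateKey    = $exported.HasPrivateKey   # must be False
}
if ($exported.HasPrivateKey) { throw 'Exported file contains a private key' }
```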
