A lot of people don't realize it, but Windows Server 2003 has everything you need to build your own certificate authority, which you can use to do things like sign or encrypt e-mail messages, authenticate IPSec sessions or provide SSL encryption for a Web site. In this tip, I will show you how to deploy a certificate authority within your organization.
Install Internet Information Services (IIS)
Before you even begin installing the certificate authority, you must install IIS. The certificate authority depends on IIS and its ability to process ASP code. Windows will allow you to install the certificate authority without IIS being installed first, but the certificate authority will not work if you do.
To install IIS, select the Add/Remove Programs option from the control panel. When the Add/Remove Programs applet launches, click the Add/Remove Windows Components button. You will now see a list of Windows components. Select the Application Server option from the list, and click the Details button. You will now see a list of application server components. Select the Internet Information Services (IIS) check box and then click Details. You will see that all of the default IIS components are selected for installation. However, the certificate authority requires IIS to process ASP code – and ASP is not installed by default.
To install support for ASP, select the World Wide Web Service from the list, and click the Details button. Select the Active Server Pages check box, and click OK. Click OK two more times to close the remaining dialog boxes, and then click Next. Windows will now install IIS. You may be prompted to insert your installation CD; if so, keep it handy because you will probably need it again. Click Finish to complete the installation process.
Install Certificate Services
Before I show you the installation procedure, I want to point out that installing the Certificate Services is a semi-permanent operation. Once they're installed, you will not be allowed to rename the server or remove it from the current domain unless you uninstall the Certificate Services first.
To begin the install, select the Add/Remove Programs option from the control panel. When the Add/Remove Programs applet launches, click the Add/Remove Windows Components button. You will now see a list of Windows components. Select the Certificate Services option, and click the Details button. You will see that there are two components to the Certificate Services: certificate authority and Web-enrollment support. Select both check boxes. You will see a message warning that you won't be able to rename your server or change domains after the installation. Click Yes to acknowledge the message. Then click OK and Next.
At this point, you will see a screen that asks what type of certificate authority you want to install. For the purposes of this article, choose the Stand-alone Root CA option, and click Next.
You must now enter a common name for the certificate authority that you are creating. You can call it anything you like, but use something descriptive because the name you choose will be used to locate the server through the Active Directory. Make sure that the certificate validity period is in line with your corporate security policy, and click Next.
You will now see a screen prompting you for locations that can be used to store the certificate database and the database log. It's fine to use the defaults. Whatever paths you use, be sure they are in a secure location and that they are backed up on a regular basis.
Click Next, and you will see a message indicating that the IIS services must be momentarily stopped. Click Yes. The installation wizard will now copy the necessary files from your Windows installation CD. When the copy process completes, click Finish.
Request a certificate
Now that the certificate authority is up and running, let's take a look at how to request a certificate. As you might already have figured out, the certificate authority's interface is Web-based. To access it, log on to a workstation and then open Internet Explorer. For the URL, enter http:// followed by the server's IP address and /certsrv. The URL would look something like this: http://192.168.0.1/certsrv.
Assuming that you have done everything correctly, the Certificate Services Web page will come up. If not, it could be that IIS was not installed prior to installing Certificate Services. If IIS was installed, it may not have the correct virtual folders. To force IIS to make the necessary virtual folders, open a Command Prompt window on the server, and enter the following command: CERTUTIL -VROOT.
I'm assuming that the Web page came up OK for you. Click the Request a Certificate link. The Web page now presents you with a few different choices. You can request a Web browser certificate or an e-mail protection certificate. There is also an Advanced Certificate Request link that you can use to request other types of certificates, such as a server certificate.
For demonstration purposes, click the Web Browser Certificate link. You will see a screen that asks for some basic information such as your name, e-mail address, company, department and geographic location. Fill in this information, and click the Submit button.
Assuming that you have kept Internet Explorer up to date with all of the latest patches, you will see a message indicating that the Web site is requesting a certificate on your behalf. Click Yes, and you will see a message indicating that the request has been processed and that you should come back another day to retrieve your certificate. There is also a message indicating that you must retrieve your certificate within 10 days.
Authorize a certificate
This message was displayed because your certificate authority does not automatically issue certificates. You can issue certificates automatically, but that wouldn't exactly make for good security. You'd be handing out certificates to any random person who happened to figure out the URL for your certificate authority.
To manually authorize the certificate request, go back to the certificate server and select the Certification Authority command from the Administrative Tools menu. When the Certification Authority console opens, navigate through the console tree to Certification Authority (Local) | your server | Pending Requests. You should now see the request for the certificate in the column on the right. Right-click the request, and select the All Tasks | Issue command from the shortcut menu (you could also use the All Tasks | Deny option). The certificate request is now moved to the console's Issued Certificates container.
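The same review-then-issue step can be done from a Command Prompt on the certificate server with certutil. The script below is an added example, not part of the original tip; the file name pending.cmd is hypothetical, and it assumes it is run on the CA server by an account allowed to manage the CA.

```bat
@echo off
rem Added example (not from the article). Run on the CA server as a CA administrator.
rem   pending.cmd              list pending requests
rem   pending.cmd issue ID     issue pending request ID
rem   pending.cmd deny ID      deny pending request ID
setlocal

if "%~1"=="" goto list
if "%~2"=="" goto usage

rem Accept only a numeric request ID.
echo %~2| findstr /r "^[0-9][0-9]*$" >nul
if errorlevel 1 goto usage

if /i "%~1"=="issue" goto issue
if /i "%~1"=="deny" goto deny
goto usage

:list
rem Disposition 9 marks a request that is still pending.
certutil -view -restrict "Disposition=9" -out "Request.RequestID,Request.SubmittedWhen,Request.CommonName,Request.EMail"
goto :eof

:issue
rem Show the request once more so the name and e-mail can be checked before issuing.
certutil -view -restrict "RequestID=%~2,Disposition=9" -out "Request.RequestID,Request.CommonName,Request.EMail"
certutil -resubmit %~2
goto :eof

:deny
certutil -deny %~2
goto :eof

:usage
echo Usage: %~nx0            (lists pending requests)
echo        %~nx0 issue ID
echo        %~nx0 deny ID
exit /b 1
```

Comparing the listed name and e-mail address with what the requester actually submitted is the point of holding requests as pending; issue only the IDs you can account for and deny the rest.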
Retrieve a certificate
Now that a certificate has been issued, go to your workstation, and return to the certificate authority's Web page. This time, click on the View the Status of a Pending Certificate Request link. You will now see the request that you made earlier. Click on the request, and you will see a link that you can use to install the certificate.
About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at www.brienposey.com. Brien M. Posey is a regular contributor on SearchWindowsSecurity.com.