
Saturday, 28 July 2018

Installation & Configuration of Active Directory Certificate Services of Windows Server 2012


From the Windows Server 2012 R2 Server Manager, click Add Roles and Features, then select Active Directory Certificate Services.

  • Click Add Features in the popup window to allow installation of the Certification Authority Management Tools.
  • Select the role services you want to install. I recommend the following:
– Certification Authority (this is your main CA)
– Certificate Enrollment Policy Web Service
– Certificate Enrollment Web Service (web portal to request certificates)
– Certification Authority Web Enrollment
  • Once installed, select AD CS in your Server Manager. Notice the warning flag saying that post-deployment configuration is still required. Click on More.
  • This brings you to All Servers Task Details and Notifications. Click Configure Active Directory Certificate Services in the Action column. This launches the AD CS configuration wizard.

Use the following parameters when going through the different steps in the wizard:

Role Services to configure    Certification Authority + Certification Authority Web Enrollment
Type of CA                    Enterprise CA (if Active Directory integrated; otherwise choose Standalone CA)
Type of CA                    Root CA (if it is the first one) or Subordinate CA (additional CA in an existing hierarchy)
Type of Private Key           in most cases, "create a new private key" is the best option
Cryptographic options         RSA#Microsoft Software Key Storage Provider
                              2048 as key length
                              SHA256 as hash algorithm (SHA1 is deprecated for certificate signatures and is no longer trusted by Windows or current browsers; every certificate this CA issues is signed with the algorithm chosen here)


  • Enter a descriptive name for your CA in the Common Name field. In my example, I named it 2012R2 domain CA. Click Next.
  • Update the validity period to 5 years (or whatever fits your need). This is the lifetime of the CA's own certificate; certificates it issues cannot outlive it.
  • Accept the default database locations or modify them according to your own requirements.
  • This completes the configuration of the first two CA components. Let's continue with the other two. In Select Role Services to configure, choose Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service.




Use the following parameters when going through the configuration wizard:

Specify CA                           select the CA by name (using Select)
Type of Authentication (CES)         Windows Integrated
Service Account                      use the built-in application pool identity
Authentication type for CEP          Windows Integrated
Specify Authentication Certificate   select an existing SSL certificate from the list (CES and CEP are HTTPS endpoints, so the server needs a server authentication certificate installed before this step)


This completes the configuration of all required Certificate Authority services.
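The same build can be done unattended from an elevated PowerShell prompt. The script below is an added example and is not from the original post; it assumes it runs on the domain-joined Windows Server 2012 R2 host that will become the Enterprise root CA, under an account that is a member of Enterprise Admins, that the CA common name is the one used above, and that a server authentication certificate for this host already exists in the machine store. The cmdlet and feature names are the ones shipped with the ADCSDeployment and ServerManager modules; "Windows Integrated" in the wizard maps to the Kerberos authentication type on the cmdlets.

```powershell
# Added example: unattended equivalent of the Server Manager wizard steps above.
# Assumptions (not from the original post): elevated prompt on the domain-joined
# server that becomes the Enterprise root CA, run by an Enterprise Admin; the CA
# common name below is the one used in the post; an SSL certificate for this
# host is already in Cert:\LocalMachine\My.

$CACommonName = '2012R2 domain CA'

# 1. Install the four role services chosen in the post plus the management tools.
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment, `
    ADCS-Enroll-Web-Pol, ADCS-Enroll-Web-Svc -IncludeManagementTools

# 2. Configure the Certification Authority: Enterprise root, new key,
#    RSA 2048 in the Microsoft Software KSP, SHA-256, 5-year CA certificate.
#    The hash chosen here signs every certificate the CA will ever issue.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CACommonName $CACommonName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 -Force

# 3. Configure Certification Authority Web Enrollment (the /certsrv pages).
Install-AdcsWebEnrollment -Force

# 4. CEP and CES are HTTPS endpoints: pick the newest server-authentication
#    certificate (EKU 1.3.6.1.5.5.7.3.1) with a private key from the machine store.
$sslCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq '1.3.6.1.5.5.7.3.1') } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $sslCert) {
    throw 'No server-authentication certificate with a private key in LocalMachine\My'
}

# 5. Certificate Enrollment Policy Web Service, Windows Integrated (Kerberos) auth.
Install-AdcsEnrollmentPolicyWebService -AuthenticationType Kerberos `
    -SSLCertThumbprint $sslCert.Thumbprint -Force

# 6. Certificate Enrollment Web Service pointed at this CA, Kerberos auth,
#    running under the built-in application pool identity.
$caConfig = "$env:COMPUTERNAME.$env:USERDNSDOMAIN\$CACommonName"
Install-AdcsEnrollmentWebService -CAConfig $caConfig `
    -AuthenticationType Kerberos -SSLCertThumbprint $sslCert.Thumbprint `
    -ApplicationPoolIdentity -Force

# 7. Checks before handing the CA over: the service answers, and the
#    signing hash really is SHA256 (certutil prints the registry value).
certutil -config $caConfig -ping
certutil -getreg CA\CSP\CNGHashAlgorithm
```

If the last check prints SHA1 on a CA that was built earlier with the wizard defaults, `certutil -setreg CA\CSP\CNGHashAlgorithm SHA256` followed by a restart of the CertSvc service switches future issuance to SHA-256 without re-keying the CA; already-issued certificates keep their original signature.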




Difference between Internal CA and External CA

Internal CA

Easy to manage
Can be configured as Active Directory integrated
No cost per certificate
Auto-enrollment makes configuration of clients/devices easier
Not really useful for internet-facing applications, as it is not trusted by external parties

External CA

No control of the Certificate Authority itself; you can only "buy" SSL certificates
No administration overhead
SSL certificates can become expensive, depending on types and functionalities
Not advised for internal device authentication
Trusted by most browsers
Less flexible on SSL certificate properties


Thanks to all my dear friends
