Tuesday, January 12, 2010

AD Certificate Services: How To Install on Windows Server 2008 R2 Core

Windows Server 2008 R2 Core offers the possibility of installing a Certification Authority. However, not much documentation is available on how to configure the role from the command line.

In this blog post I will explain how you can install the role and use it to issue certificates to your servers and clients.

Log in to the Windows Server 2008 R2 Server Core machine on which you are going to install the Certification Authority. To install AD Certificate Services correctly you need Domain Admin or equivalent permissions in a single-forest, single-domain infrastructure, or Enterprise Admins in a multi-domain infrastructure. Issue the following command on the command line:
Dism /online /enable-feature /featurename:CertificateServices
Don't forget that the feature name in the DISM command is case-sensitive, so keep the capital C and S in mind.

Alternatively, if you have PowerShell installed on your Windows Server 2008 R2 Core machine, you can use the following commands to install the role.
First, start PowerShell by typing powershell in the cmd window. Once PowerShell is running, type:
Import-Module ServerManager

At the top of the screen you'll see the module being imported. When the import is complete you can use the cmdlets Add-WindowsFeature, Get-WindowsFeature and Remove-WindowsFeature. Install AD Certificate Services using the following command:
Add-WindowsFeature ADCS-Cert-Authority

Restart the server when the installation has completed, to be sure that all needed information is correctly populated, and log in to the server again.

Now, the nice folks over at the PKI blog published a nice article on how to use a VBScript to install a Certificate Authority. Check out:
http://blogs.technet.com/pki/archive/2009/09/18/automated-ca-installs-using-vb-script-on-windows-server-2008-and-2008r2.aspx

Download the script from the link above and place it somewhere you can access from the machine the CA is running on. Browse to the directory you placed the script in and execute the following command to install an Enterprise Root Certification Authority:
Cscript setupca.vbs /ie /sn NameOfYourCA /sk 4096 /sp "RSA#Microsoft Software Key Storage Provider" /sa SHA256

When you've run the script above and it has completed successfully (it'll take about a minute or so), you will be able to start your CA. Go to the Windows 7 workstation with RSAT installed and open Computer Management. Browse to the machine your CA is running on and start the service Active Directory Certificate Services. When you start it from the command line instead, the service name is CertSvc.

On the RSAT machine, open up the Certification Authority shortcut in the Administrative Tools folder. When you open this shortcut you'll receive the following error:


This is no problem. Click OK and, in the MMC, right-click Certification Authority (Local). In the submenu choose Retarget Certification Authority. Choose Another Computer in the wizard and fill in the hostname of the machine that is running your CA. From now on you can manage your Certification Authority from your machine with RSAT installed.
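
Before issuing certificates it is worth confirming that the CA really came up with the key length and hash algorithm passed to setupca.vbs. The following check is an added example, not part of the original post or of the PKI blog script; it assumes it is run in an elevated PowerShell session on the CA server itself, and the temporary file name is made up for the example.

```powershell
# Added example: post-install check for the CA installed above.
# Expected values mirror the /sk 4096 and /sa SHA256 switches given to setupca.vbs.
$expectedKeySize = 4096
$expectedHash    = 'SHA256'
$problems = @()

# 1. The role must be installed (ServerManager module, as used above).
Import-Module ServerManager
if (-not (Get-WindowsFeature ADCS-Cert-Authority).Installed) {
    $problems += 'Feature ADCS-Cert-Authority is not installed'
}

# 2. The CertSvc service must exist and be running.
$svc = Get-Service -Name CertSvc -ErrorAction SilentlyContinue
if (-not $svc) {
    $problems += 'Service CertSvc not found'
} elseif ($svc.Status -ne 'Running') {
    Start-Service -Name CertSvc   # returns once the service reports Running
}

# 3. Export the CA certificate and check the size of its public key.
$cerPath = Join-Path $env:TEMP 'ca-check.cer'   # constructed temp file name
& certutil.exe -f -ca.cert $cerPath | Out-Null
if ($LASTEXITCODE -ne 0) {
    $problems += "certutil -ca.cert failed (exit code $LASTEXITCODE)"
} else {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
    $keySize = $cert.PublicKey.Key.KeySize
    if ($keySize -ne $expectedKeySize) {
        $problems += "CA key is $keySize bits, expected $expectedKeySize"
    }
    Remove-Item $cerPath
}

# 4. Hash algorithm the CA uses when it signs issued certificates and CRLs.
$hashOut = (& certutil.exe -getreg ca\csp\CNGHashAlgorithm) | Out-String
if ($hashOut -notmatch $expectedHash) {
    $problems += "CNGHashAlgorithm is not $expectedHash"
}

# Report: silent success is not useful on a CA, so always print a verdict.
if ($problems.Count -eq 0) {
    Write-Host "CA check passed: $expectedKeySize-bit key, $expectedHash, CertSvc running"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```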
