Building a CM Lab - Certificate Authority [3]

Series Post 3, adding a Certificate Authority into your lab (requires that you set up a DC first); completely optional for your environment.

This is a bonus: you can do everything you want in your lab without this feature, but if you're going to do anything that needs HTTPS, having your own Certificate Authority (CA) makes this so much slicker.

Creating a CA is straightforward: you pick the role and click Next a few times. I'm adding it to my DC, as it's an easy place to put it.

Add Roles and Features Wizard: Server Roles
You'll check the box "Active Directory Certificate Services", which will then pop up a dialog; click "Add Features".
The remaining Add Roles and Features Wizard pages are left at their defaults.
At this point, click "Configure AD CS on the destination server".
AD CS Configuration: the first few pages are left at their defaults.
AD CS Configuration, Private Key and Cryptography: I left the defaults here.
AD CS Configuration: CA Name, Validity Period, Certificate Database, then Confirmation.
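The same role install and CA configuration the wizard screenshots walk through, scripted from an elevated PowerShell prompt on the DC. This is an added example, not from the original post; it assumes the wizard defaults (Enterprise Root CA, RSA 2048, SHA256, 5-year validity) and a placeholder CA name you should change.

```powershell
# Added example (not from the original post): AD CS install as the wizard does it.
# Assumptions: wizard defaults (Enterprise Root CA, RSA 2048, SHA256, 5 years);
# $CaName is a placeholder, pick your own lab name.
$CaName = 'LAB-DC-CA'

# 1. Add the role, same as checking "Active Directory Certificate Services"
#    and accepting "Add Features".
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# 2. Configure the CA, the "Configure AD CS on the destination server" step.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName $CaName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 `
    -Force

# 3. Check: the CA service is up and answers with the name we gave it.
Get-Service -Name CertSvc | Select-Object Status
certutil -ping
certutil -cainfo name
```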

OK, so now we have set up and configured our CA. Nothing too special; now let's create a cert template. In this example I'll be creating a certificate template to be used with our Recast Management Server web server, which will basically be the same for any web server.

Launch Certification Authority from the Tools menu.
Right-click Certificate Templates and choose Manage to open the Certificate Templates Console.
We're going to make a duplicate of the Web Server template to use.
In the properties of the new template, I'm going to name it "Recast Web Server".
Under Security I added an AD group, "Web Server Cert Enrollment", and checked the boxes "Enroll" and "Autoenroll".
In AD, this is the group and its members. I've added several servers that might need the cert and one that I know does for sure. Eventually all of these servers will automatically get the certificate because they are set to autoenroll.
I also added Certificate Admins and checked the box for Enroll.
Anyone in the Certificate Admins group has the ability to enroll this new certificate.

Now that this is done, you'll have to add these templates to the CA's "Certificate Templates" folder; otherwise you might get this error:
"The requested certificate template is not supported by this CA. A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted."

This drove me crazy for a bit, then I realized I forgot a step. Any templates you've duplicated and created that you want this CA to be able to issue, you'll need to add here: [More Info]
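A quick way to confirm the template is actually published on the CA, and to publish it if not, which is the forgotten step behind the error quoted above. This is an added example, not from the original post; it assumes the template's internal name is RecastWebServer (the console shows the display name "Recast Web Server"; the "Template name" field in the template's properties is the one certutil wants).

```powershell
# Added example (not from the original post): run on the CA. Assumption: the
# duplicated template's internal name is RecastWebServer (check the
# "Template name" field; it is not the display name with spaces).
$Template = 'RecastWebServer'

# Which templates does this CA currently issue? One line per template,
# formatted "Name: Display Name -- ...".
$issued = certutil -CATemplates
if ($issued -match "^$Template`:") {
    "Template $Template is already published on this CA."
} else {
    # Same as right-click Certificate Templates > New > Certificate Template to Issue.
    certutil -SetCATemplates "+$Template"
}

# Re-check: the template must now be listed, otherwise enrollment fails with
# "The requested certificate template is not supported by this CA".
certutil -CATemplates | Select-String -Pattern "^$Template`:"
```

The Web Server template takes its subject name from the request, so keep Enroll on it limited to the groups set on the template's Security tab rather than widening it to get past the error.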

Sorry, the names changed; I noticed this after the original post and am appending this from my personal lab.

Now, on the server, you can enroll and add the certificate.

In this example I'll be having the certificate enrolled on the Recast Management Server which hosts our Recast Enterprise Server Web Service.

Currently it's using its self-signed certificate, which causes clients to get a warning when they connect.

You can see here that while it's HTTPS, the browser gives a "Not Secure" warning.
Go to "Manage Computer Certificates". Under Personal, right-click and choose "All Tasks", then "Request New Certificate".
Walk through the Certificate Enrollment wizard; at this point you should see the "Recast Web Server" cert available. Select it and enroll. It enrolled successfully.
Now in Certificates you'll see the cert that was issued by our CA.
Now that we have the cert available, let's tell our Recast server's site to use our new cert. Open up IIS Manager, choose the Recast Management Server site, click Bindings, then click "Edit" and choose the cert that was issued.
And now, from the client, you can see the error is gone and there are no more prompts.
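The enrollment and IIS binding steps above, scripted on the web server so the result can be checked rather than eyeballed. This is an added example, not from the original post or Recast's own tooling; it assumes the template's internal name is RecastWebServer, that the IIS site is named "Recast Management Server", and that clients connect using the server's FQDN.

```powershell
# Added example (not from the original post). Assumptions: template internal
# name RecastWebServer, IIS site name 'Recast Management Server', clients use
# the server FQDN. Run elevated on the web server.
$Template = 'RecastWebServer'
$SiteName = 'Recast Management Server'
$Fqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 1. Enroll from the enterprise CA into the computer's Personal store, same as
#    Manage Computer Certificates > Personal > All Tasks > Request New Certificate.
$result = Get-Certificate -Template $Template -SubjectName "CN=$Fqdn" -DnsName $Fqdn `
                          -CertStoreLocation Cert:\LocalMachine\My
if ($result.Status -ne 'Issued') { throw "Enrollment not issued: $($result.Status)" }
$cert = $result.Certificate

# 2. Check before binding: issued by our CA (not self-signed) and not expired.
if ($cert.Issuer -eq $cert.Subject) { throw 'Got a self-signed cert, not a CA-issued one' }
if ($cert.NotAfter -lt (Get-Date)) { throw 'Issued cert is already expired' }
$cert | Format-List Subject, Issuer, NotAfter, Thumbprint

# 3. Point the site's HTTPS binding at the new cert, same as
#    IIS Manager > site > Bindings > Edit > pick the issued cert.
Import-Module WebAdministration
if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443
}
$binding = Get-WebBinding -Name $SiteName -Protocol https
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# 4. Verify: the HTTPS listener now reports the CA-issued thumbprint.
netsh http show sslcert ipport=0.0.0.0:443
```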


So now we have a CA set up and have used it to improve the experience on our Recast Management Server. The long-term plan is to use it to enable HTTPS-only on our CM server. We'll get to that in a future post.

Blog Post List

Series Introduction - Building a CM Lab from Scratch

  1. Domain Controller - Setting up your Domain Controller
  2. Gateway Virtual Machine - Creating a Router for your Lab using Windows Server
  3. Certificate Authority - On Domain Controller [Optional]
  4. ConfigMgr Server Pre-Reqs (Windows Features)
  5. Configuration Settings (AD & GPOs)
  6. Source Server (File Share)
  7. ConfigMgr SQL Install
  8. ConfigMgr Install
  9. ConfigMgr Basic Settings
  10. ConfigMgr Collections & App Deployment
  11. ConfigMgr OSD
  12. ConfigMgr Reporting Services