AD CS introduction
Active Directory Certificate Services (AD CS) is the Windows Server role that issues and manages certificates, so that administrators can secure many kinds of network traffic, not only HTTP.
AD CS can be installed on any member server, but many IT administrators install it on a domain controller (DC) next to other Active Directory components such as AD Domain Services (AD DS) and AD Federation Services (AD FS). That is convenient for a lab like ours, but it is not a security best practice: the CA's private key then lives on a Tier 0 machine, and whoever compromises either role owns the whole domain.
AD CS components
AD CS has six role services:
- Certification Authority (CA) – issues certificates and manages their lifetime, including revocation
- CA Web Enrollment – lets users request certificates from the CA with a web browser (the /certsrv site). Because it accepts NTLM authentication over plain HTTP by default, it is a classic relay target: require HTTPS and Extended Protection for Authentication on it, or do not install it at all
- Certificate Enrollment Policy Web Service – lets computers and users retrieve their certificate enrollment policy over HTTPS
- Certificate Enrollment Web Service – lets computers and users enroll for certificates over HTTPS, without direct RPC/DCOM access to the CA
- Network Device Enrollment Service (NDES) – lets network devices that have no domain account (routers, switches) obtain certificates, using the SCEP protocol
- Online Responder – answers OCSP requests about a certificate's revocation status
Why use AD CS
AD CS can secure almost any kind of network communication, including but not limited to:
- e-mail: S/MIME (Secure/Multipurpose Internet Mail Extensions) for signed and encrypted messages, and TLS for the mail protocols POP3, IMAP and SMTP; both are covered in the Exchange SSL articles
- web sites (HTTPS)
- wireless networks (802.1X with EAP-TLS/PEAP) and virtual private networks (VPN)
- Internet Protocol security (IPsec)
- Encrypting File System (EFS)
- smart card logon, Secure Sockets Layer/Transport Layer Security (SSL/TLS) in general, and digital signatures
Local certificate authority vs public CA
When it comes to securing network traffic, there are three types of SSL/TLS certificates, distinguished by who signs them.
The first type is the self-signed certificate:
- it is generated by the server itself (a web server or an Exchange server, for example)
- it is not trusted by anybody else: only the server that issued it recognizes it, so every client that connects gets a certificate warning in the browser
- have a look at our Exchange server [mail.pioneers.lab] below
- because the certificate was issued by the Exchange server itself, it is trusted by that server only
The second type is the local CA certificate:
- it is issued by the local AD CS server [in our case DC101.pioneers.lab]
- it is trusted everywhere inside the customer's own environment [all computers in pioneers.lab], because the CA's root certificate is pushed to every domain computer
- it is not suitable for services published to the internet, since outside clients do not trust our root
- this article series shows how to install a local CA and use it to secure network traffic
The third type is the public CA certificate:
- it is issued by a public vendor whose root is already in every operating system and browser trust store
- publicly trusted SSL/TLS certificates are the right choice for public websites [internet]
- a public certificate can be used inside the local environment too, but that is not recommended: with many internal services to secure the cost adds up, and certificates issued by an external vendor are harder to manage than ones issued by a CA you control
Some public SSL/TLS certificate providers (Symantec's CA business has since become part of DigiCert):
- Symantec
- Comodo
- DigiCert
- GoDaddy
- SSL.com
How a certificate authority works
- the Certificate Authority is installed on DC101.pioneers.lab
- on DC101 the administrator creates (or enables) a certificate template for web servers; keep its enrollment permissions tight, since anyone allowed to enroll can obtain a certificate for whatever name the template lets them supply
- the web server web108.pioneers.lab requests a certificate from that template and binds it to the site http://web108/hr
- the web site is now served over https://web108/hr
- DC101.pioneers.lab publishes its root CA certificate to all client computers in the pioneers.lab environment (an Enterprise CA publishes it to Active Directory, and a Group Policy object (GPO) can push it as well)
- a user on a client computer [HR121, for example] opens https://web108/hr
- the client checks that the server's certificate chains to a root it trusts, and the web server answers over an encrypted TLS connection with no warning
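The request / bind / verify flow in the list above, done with PowerShell instead of the GUI. This is an added example and not code from the original article. It assumes an Enterprise CA named "pioneers-DC101-CA" on DC101.pioneers.lab, a certificate template named "WebServer" that web108's computer account is allowed to enroll from, and that the IIS site hosting /hr is "Default Web Site"; all three names are assumptions.

```powershell
# Added example (not from the original article). Assumptions: Enterprise CA
# "pioneers-DC101-CA", template "WebServer", IIS site "Default Web Site".

### On the web server (web108.pioneers.lab), in an elevated PowerShell ###
Import-Module PKI
Import-Module WebAdministration

# Ask the enterprise CA for a certificate from the WebServer template.
# Subject and SANs must match the names clients will type in the browser.
$result = Get-Certificate -Template 'WebServer' `
                          -SubjectName 'CN=web108.pioneers.lab' `
                          -DnsName 'web108.pioneers.lab', 'web108' `
                          -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete: status $($result.Status)"
}
$cert = $result.Certificate

# Add an HTTPS binding to the site (if missing) and attach the new certificate.
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol 'https')) {
    New-WebBinding -Name 'Default Web Site' -Protocol 'https' -Port 443
}
$sslBinding = 'IIS:\SslBindings\0.0.0.0!443'   # 0.0.0.0 = all IP addresses
if (Test-Path $sslBinding) { Remove-Item $sslBinding }
New-Item $sslBinding -Value $cert | Out-Null

# Sanity check on the server itself: the chain must validate against the
# machine's trust store (issuer trusted, not expired, not revoked).
if (-not $cert.Verify()) { throw 'Issued certificate does not chain to a trusted root' }

### On a client (HR121.pioneers.lab) ###
# The root that signed web108's certificate must be in the machine's Trusted Root
# store; an Enterprise CA publishes it to AD and Group Policy applies it on refresh.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object Subject -like 'CN=pioneers-DC101-CA*' |
    Format-Table Subject, NotAfter, Thumbprint

# Browser-equivalent check: returns 200 only if the chain is trusted. A self-signed
# or untrusted certificate fails here with a "Could not establish trust" error.
(Invoke-WebRequest -Uri 'https://web108.pioneers.lab/hr' -UseBasicParsing).StatusCode
```

If the client-side request fails while the server-side `Verify()` passed, the root has not reached the client yet; run `gpupdate /force` on HR121 (or wait for the next Group Policy refresh) and re-check the Root store before suspecting the web server.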
Install AD CS locally
AD Certificate Services will be installed on our domain controller DC101.pioneers.lab.
Prerequisites to install AD CS:
Internet Information Services (IIS) is required for the CA Web Enrollment role service, which we install together with the CA in this series; the Certification Authority role itself does not need it. Please refer to the article on how to install IIS.
let’s go
Configure Certificate Authority
When the installation completes, Server Manager shows a link that says Configure Active Directory Certificate Services on the destination server. Click it.
Verify AD CS installation
In Server Manager, click Tools, and then click Certification Authority. The console should show the new CA with its service started.
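The scripted equivalent of the three wizard steps above (install, configure, verify), as an added example that is not part of the original article. It installs and configures an Enterprise Root CA on DC101.pioneers.lab with PowerShell. The CA common name "pioneers-DC101-CA", the 10-year root validity and the 4096-bit key are assumptions; it must run in an elevated PowerShell as a member of Enterprise Admins, which creating an Enterprise CA requires.

```powershell
# Added example (not from the original article). Assumptions: CA name
# "pioneers-DC101-CA", 10-year root validity, run as Enterprise Admin on DC101.

# 1. Install the CA role service plus CA Web Enrollment.
#    Web Enrollment is what pulls in IIS; the CA role alone does not need it.
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# 2. Create the Enterprise Root CA. Pick SHA-256 and a strong RSA key explicitly
#    rather than trusting wizard defaults: a root certificate lives for years.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'pioneers-DC101-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -Force

# 3. Configure the Web Enrollment site (http(s)://dc101/certsrv).
Install-AdcsWebEnrollment -Force

# 4. Harden the enrollment site: require TLS (once "Default Web Site" has an HTTPS
#    binding with a certificate from this CA) and Extended Protection for
#    Authentication, so its NTLM logon cannot be relayed from a coerced machine.
Import-Module WebAdministration
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location 'Default Web Site/CertSrv' `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location 'Default Web Site/CertSrv' `
    -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
    -Name 'tokenChecking' -Value 'Require'

# 5. Verify: the PowerShell equivalent of opening the Certification Authority console.
Get-Service CertSvc                    # Status should be Running
certutil -ping                         # the CA must answer over RPC/DCOM
certutil -cainfo name                  # prints "CA name: pioneers-DC101-CA"
# An Enterprise CA also registers its root in AD's NTAuth store, which is what lets
# domain members (and smart card logon) trust it without any manual import.
certutil -enterprise -store NTAuth
```

Step 4 is the one the wizard never prompts for. If you skip Web Enrollment entirely, drop ADCS-Web-Enrollment from step 1 and steps 3 and 4 with it; domain members can still enroll through the CA's RPC interface and autoenrollment.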
In this first part of the series we installed and configured a Certificate Authority. In Part 2 we will create certificate templates for securing servers such as web servers and Exchange servers.