The CA we are going to build is aimed solely at IT shops that need a CA but don't want to roll out an enterprise wide CA. Having an enterprise CA tied to Windows Active Directory is quite handy and Microsoft makes it pretty easy to install and manage. If your organization doesn't have a CA or you want one that you can manage yourself, follow along. Microsoft also has extensive documentation if you want to dig in deeper.
If you want to install a CA tied to Active Directory, stop reading this and go read Microsoft's documentation. You'll thank me later.
Note that I did skip simple steps like clicking next or taking the defaults. When in doubt, just click next. What can go wrong?
On Windows Server 2003 (I don't imagine this is any different in Windows Server 2008), go to Add/Remove programs->Add/Remove Windows Components and select Certificate Services. Select a stand-alone root CA. That will give you a CA independent of Active Directory.
I took the advanced path to show the options. The defaults are OK. Unless you are using an alternate cryptographic provider, just use Microsoft's. It does the hard work. Make sure you pick SHA-1 and a key length of 2048. The hash algorithm is what is used to sign certificates and the key length is for the public/private key length.
Enter a name of the CA. This will be used to identify the CA to others, so pick a meaningful name. Also, pick a reasonable validity period and remember to mark when it will expire because you will need to renew it prior to that.
Just take the defaults for the rest of the steps. When you finish, Windows will install certificate services, the MMC console, and configure IIS (make sure it is already installed). If you haven't installed Active Server Pages, it will ask to install and enable them. Say yes. You now have a shiny new CA.
If you point your browser to https://
/certsrv (in my case https://example.example.com/certsrv), you will get an error because we haven't installed a certificate or enabled SSL on that website. The installation only puts the certificate pages on the site. We don't want that, so let's enable SSL. By the way, the steps from here on out are similar to what you will do when creating certificates for your IT appliances. Bonus.
We need to generate a certificate request. To do so, we'll open IIS Manager and find the website we are working with. In my case, the Default Web Site. Right click on the site and select Properties->Server Certificate->Create a new certificate
Create a meaningful name. It's only used by you. Next set your Organization (usually your company name) and Organizational Unit (your department). You can enter anything, but a meaningful name will be helpful.
Set the common name. For an SSL/TLS certificate, this must match the DNS name of the target site, or you will get an error when you try to access the site, because the SSL client compares the DNS name entered in the browser against the common name in the certificate. You can use wildcard DNS names that match any hostname within a domain, but it's generally a bad practice unless you have a compelling reason. Let's not go there.
Fill in the country, state, and city fields. Just enter whatever is meaningful to you. It doesn't technically matter. Pick a file name and location to save your certificate request.
Review the request. You can see the informational fields in the request. The only critical field is "Issued to:", which is the common name from the previous step. Just click through the defaults.
IIS Manager will create a public/private key pair, build the certificate request with the public key in it, and sign the request with the corresponding private key. The private key never leaves the IIS server at this point, although you can export it later.
Now we are going to submit the request to the CA for signing. We are doing this ourselves, so it seems like a lot of steps, but you can assign people tasks such as reviewing and approving requests. Go to your certificate server's web page, by default http://
Select Request a Certificate->advanced certificate request->"Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file."
We are going to submit our request here. You can also create a certificate request by filling in the fields, but in most cases, you will generate the request on the device and submit that to the CA.
Open the certificate request you created in notepad or some other ASCII editor. Select all of the text making sure you include -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----. This is a signed, base64 encoded file. If you open it in a non-ASCII editor the characters could get munged. If you don't get the begin and end lines, the CA won't process it. Click submit.
Go to Certificate Authority under Administrative Tools. Microsoft's certificate manager is pretty bare bones. You can look at certificates, but finding them when you have hundreds or thousands is difficult, but we'll soldier on. Luckily we won't spend a lot of time in the MMC.
To find your current certificate request, go to Pending Certificates. Locate the request. You can review the data submitted (not shown due to format constraints) by scrolling side to side and if you right click, you can issue the certificate or deny the request. Click issue.
Click Issued Certificates and find the certificate you just issued. Right click and select Details, and you can view the certificate or save it to a file. If you save it to a file, save it as a Base-64 encoded X.509 (.CER) file and give it a name. This is the most common format. Your appliance may require a DER encoded file, so you have that option as well.
See the information in the lower window? That's what I mean by meaningful. If I had devices all over the place, I could easily see the locations from the certificates.
Now we are going to retrieve the signed certificate. Go back to the web server where you submitted the certificate request and go to the Certificate Services web server. Click on "View the status of a pending certificate request" and select your certificate request. Select Base64 encoded and then download certificate.
I think I want a cookie. The eating kind, not the HTTP kind.
Finally, we will import the signed certificate we just downloaded. Back in IIS Manager on your Certificate Services web server, go to IIS->Default Web Site->Properties->Server Certificate->Process the pending request. Find the certificate you just downloaded, enter 443 when asked what SSL port to use, and review the certificate. If it all checks out, finish the installation.
You have just enabled SSL for your certificate services web site.
Test it out. Using Firefox, which has a different certificate store than Windows, I get an untrusted message because Firefox doesn't have the root CA certificate installed.
I used Firefox on the certificate server to simulate a remote host and illustrate a point. When I installed Certificate Services on the server, it installed the CA certificate in the local certificate store, which Internet Explorer uses and Firefox does not. If I tested with IE on the same host as the Certificate Server, everything would work properly until I tried to use a browser on a host that didn't have the root CA certificate.
We need to distribute the root CA certificate.
In order for your browsers and hosts to trust the certificates issued by your CA, you need to install the root CA certificate into the host or browser key store. There are a number of ways you can do it. One way is to just point your browser at the Certificate Services web site and download the CA certificate. You want to do this from a trusted location in case those pesky hackers MITM you. In Firefox, I clicked "Download CA certificate", selected "Trust this CA to identify web sites", and hit OK.
Now point Firefox to https://
/certsrv. Since the root CA is trusted, I don't get a certificate error and life is good. You can also manually import the CA certificate into OSes and browsers.
One thing with Firefox is that it helpfully intercepts the CA certificate download and prompts you to store the certificate. Unfortunately, that means you can't actually save it as a file. So fire up IE, hit your CA, and download the CA certificate as a base64 file.
All that is left to do is disable HTTP on the Certificate Server web site and I am done.
Now you are ready to generate certificate requests for your network appliances and sign them with your CA. How you do that will be vendor dependent and won't always be easy, but they should be able to walk you through generating the CSR and importing the signed certificate.
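The same request, issue, retrieve, install and root-distribution flow can be driven from the command line with certreq.exe and certutil.exe instead of the IIS Manager wizard and the certsrv pages. This is an added example, not part of the original post; it assumes both tools and PowerShell are on the host, that the CA is reachable as the placeholder `CAHOST\My Root CA`, and that the site's DNS name is the placeholder `www.example.com`.

```powershell
# Added example: CLI equivalent of the wizard steps above. Placeholders, not real values:
$CaConfig = 'CAHOST\My Root CA'   # "<CA host>\<CA name>", as shown in the Certification Authority MMC
$SiteName = 'www.example.com'     # must match the DNS name users will type into the browser

# 1. Policy file for certreq -new: the same fields the IIS wizard asks for.
@"
[NewRequest]
Subject = "CN=$SiteName, O=Example Corp, OU=IT, L=Springfield, S=IL, C=US"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@ | Set-Content -Path .\request.inf -Encoding ASCII

# 2. Generate the key pair (it stays in the machine store) and the self-signed PKCS#10 request.
certreq -new .\request.inf .\request.req

# Sanity check before submitting: the CA rejects a request without its BEGIN/END lines.
$req = Get-Content .\request.req
if ($req[0] -ne '-----BEGIN NEW CERTIFICATE REQUEST-----' -or
    $req[-1] -ne '-----END NEW CERTIFICATE REQUEST-----') {
    throw 'request.req is not a base64 PEM request; re-save it with an ASCII editor'
}

# 3. Submit to the stand-alone CA. The request lands in Pending Certificates and certreq
#    prints its RequestId; capture it for the issue and retrieve steps.
$submit = certreq -submit -config $CaConfig .\request.req .\site.cer
$requestId = [int]($submit | Select-String 'RequestId: (\d+)').Matches[0].Groups[1].Value

# 4. Issue the pending request (the right-click "Issue" in the Certification Authority MMC).
certutil -config $CaConfig -resubmit $requestId

# 5. Retrieve the issued certificate and bind it to the private key in the machine store
#    (the "Process the pending request" step in IIS Manager).
certreq -retrieve -config $CaConfig $requestId .\site.cer
certreq -accept .\site.cer

# 6. Root distribution: export the CA certificate and, on each client, install it in the
#    machine's Trusted Root store so browsers using that store stop flagging the site.
certutil -config $CaConfig -ca.cert .\rootca.cer
certutil -addstore -f Root .\rootca.cer

# 7. Confirm the chain now builds from the site certificate to the trusted root.
certutil -verify .\site.cer
```

Step 6 only covers browsers that use the Windows store (IE); Firefox keeps its own store and still needs the import described above.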
If you created a stand-alone CA, you can turn it off and put it into a safe place. You won't need it again until you need to issue a new certificate.
Honestly, you spent more time reading this than it takes to do it. Install Microsoft Certificate Services once, and it takes no time after that. Once it is installed, signing CSRs is a breeze.