This post describes how to install Active Directory Certificate Services (ADCS) onto a domain controller. It’s for labbing purposes which means I’m going to run this all on a single server instead of a more realistic setup with offline root, issuing CA, and possibly intermediate CA. Don’t use this post for anything designed to go into production!
To add the ADCS role, go to Server Manager and click Add roles and features. Click Next until you get to Server Roles. Select Active Directory Certificate Services:
Click Add Features. Click Next. Click Next. Then a warning is displayed that it’s not possible to change the computer name or domain settings:
Click Next. Select Certification Authority and Certification Authority Web Enrollment:
Selecting Certification Authority Web Enrollment will install IIS and a small web site will be built to provide certificate services.
Click Add Features. Click Next. Click Next. Select Restart the destination server automatically if required:
Click Install. The installation starts:
When the installation has finished, click Close. Click AD CS in Server Manager. Click More… where it says Configuration required for Active Directory Certificate Services:
Click Configure Active Directory Certificate Services on the destination server:
Select an account with permissions to configure the role services:
Click Next. Select Certification Authority and Certification Authority Web Enrollment:
Click Next. Select Enterprise CA:
Select Root CA:
Click Next and then select Create a new private key:
Click Next. This is a lab so we’ll use the default cryptographic provider (RSA) with a 2048-bit key length and SHA256:
Click Next. Then it’s time to name the CA. Note that the server name can be different from the common name used for the CA. The name used here is what you will see in the certificates issued by the CA:
Click Next. I’ll go with the default validity period of five years:
Click Next. I’m using the default location to store certs and cert logs:
Click Next. A summary is shown on the Confirmation page:
Click Configure. The services are configured:
Click Close. Now open the CA app:
It should look similar to the one below:
Look for the green check mark symbol.
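The same lab build can be scripted. The PowerShell below is an added example, not part of the original walkthrough; it makes the same choices as the wizard steps above (Enterprise Root CA, default RSA software key storage provider, 2048-bit key, SHA256, five-year validity, default database and log locations). The CA common name `LAB-ROOT-CA` is a placeholder assumption, and the session is assumed to be elevated and running under an account that can configure the role services.

```powershell
#Requires -RunAsAdministrator
# Lab only: single-server Enterprise Root CA on a domain controller.

# Placeholder (assumption): this is the name that appears in issued certificates.
$caCommonName = 'LAB-ROOT-CA'

# Add the two role services selected in the wizard, plus the management tools
# (the Certification Authority console).
$feature = Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment `
    -IncludeManagementTools
if (-not $feature.Success) {
    throw 'AD CS feature installation failed.'
}
if ($feature.RestartNeeded -eq 'Yes') {
    Write-Warning 'Restart the server, then run the configuration steps below.'
    return
}

# Configure the CA with the same options chosen in the GUI.
# DatabaseDirectory and LogDirectory are omitted so the defaults are used.
$caParams = @{
    CAType              = 'EnterpriseRootCA'
    CACommonName        = $caCommonName
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = 2048
    HashAlgorithmName   = 'SHA256'
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 5
    Force               = $true   # suppress the confirmation prompt
}
Install-AdcsCertificationAuthority @caParams

# Configure the web enrollment site that runs on IIS.
Install-AdcsWebEnrollment -Force

# Verify: the CA service is running and the CA answers requests.
Get-Service -Name CertSvc | Format-Table Name, Status, StartType
certutil -ping
certutil -CAInfo name
```

`certutil -ping` reporting that the CA interface is alive corresponds to the green check mark in the console.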
That’s all that’s needed to set up a basic CA! In another post we’ll look at setting up certificate templates. Once again, this setup is for labbing only. Don’t use it for production! You shouldn’t run a CA on your domain controller. See you in the next one!
Maureen Farrell, writing for The New York Times:
In May 2022, the chief financial officer of Boar’s Head, the processed meat company, was asked a simple question under oath.
“Who is the C.E.O. of Boar’s Head?”
“I’m not sure,” he replied.
“Who do you believe to be the C.E.O. of Boar’s Head?” the lawyer persisted.
The executive, Steve Kourelakos, who had worked at the company for more than two decades and was being deposed in a lawsuit between owners, repeated his answer: “I’m not sure.”
It is odd, to say the least, when a top executive of a company claims not to know who his boss is. And Boar’s Head is no fly-by-night enterprise. The company is one of the country’s most recognizable deli-meat brands; it generates what employees and others estimate as roughly $3 billion in annual revenue and employs thousands of people.
There’s secretive, and then there’s secretive.