Installing
and Configuring a Windows Server 2003 Enterprise Certification Authority
Certification
Authorities (CAs) issue certificates for a number of different purposes. In the
context of your ISA Server firewall/VPN server, a CA can provide a certificate
that allows:
- L2TP/IPSec VPN connections from VPN clients
VPN clients can establish L2TP/IPSec connections to the ISA
Server firewall/VPN server. A machine certificate is required to create the
IPSec encrypted tunnel.
- L2TP/IPSec VPN connections from VPN gateways (VPN
routers)
Remote VPN gateways can call the ISA Server firewall/VPN
server and establish a gateway to gateway link. VPN gateways act as VPN routers
and allow packets to be routed between networks through a the VPN tunnel
established between the VPN gateways.
- L2TP/IPSec VPN connections to VPN servers
The ISA Server firewall/VPN server may need to establish a
VPN client connection to a VPN server. For example, some Internet Service
Providers require machines to establish a VPN connection with their own VPN
server to obtain a public address for the ISA Server firewall/VPN server’s
external interface. In this case. the ISA Server firewall/VPN server is a VPN
client to the ISP’s VPN server.
- Certificate-based user authentication using a
certificate stored on the user machine
Users can obtain certificates and use those certificates to
authenticate with the VPN server. The user certificate is stored on the user’s
computer and a VPN connectoid (dial-up connection) can be configured to present
this certificate during the PPP (in this case, EAP-TLS) user authentication
process.
- Certificate-based user authentication using a
certificate stored on a Smart Card
A user certificate can be stored on a Smart Card. The user
certificate is stored on a Smart Card and the VPN connectoid is configured to
present the Smart Card certificate during the PPP (in this case, EAP-TLS) user
authentication process.
A Microsoft
Certificate Server can take on one of four roles:
-
Enterprise Root CA
-
Enterprise Subordinate CA
- Stand-alone
Root CA
- Stand-alone Subordinate CA
A Microsoft
Enterprise CA has the following characteristics:
- The enterprise CA must be a
member of a Windows 2000 or Windows Server 2003 Active Directory domain
- The enterprise
Root CA certificate is automatically
added to the Trusted Root
Certification Authorities node for all users and computers in the
domain
- User certificates can be issued
that allow users to log on to the Active Directory domain using
computer-stored certificates or certificates installed on Smart Cards
- User certificates and the
Certificate Revocation List (CRL) are stored in the Active Directory
- In contrast to stand-alone CAs,
an enterprise CA issues certificates via certificate templates that can be added and customized by the
CA administrator
- In contrast to the stand-alone
CA, the enterprise CA confirms the credentials of the user requesting a
certificate
- The subject name (the name of the user or computer) on the
certificate can be entered manually or automatically
We
recommend that you install an Enterprise CA if:
- You have an Active Directory
domain, and/or
- You require automatic
deployment of certificates to users and computers
The
enterprise CA is the ideal solution for any network with a Windows 2000 or
Windows Server 2003 domain. All domain members can be assigned certificates via
Group Policy based certificate autoenrollment. You can limit the scope of
autoenrollment by assigning permissions to the certificate template used for
autoenrollment. Users and computers that are not domain members can use the Web
enrollment site to obtain certificates.
If you want
to support certificate enrollment via Web enrollment site, then you must
install the Internet Information Services World Wide Web service before
installing Microsoft Certificate Services.
In this ISA Server 2000 VPN Deployment Kit document
we cover the following procedures:
- Installing the Internet
Information Services 6.0 World Wide Web service (W3SVC) to support the
enterprise CA Web enrollment site
- Installing the Windows Server
2003 Certificate Services on a domain controller. The CA is installed as
an enterprise CA.
Note:
You can install an enterprise CA on any domain member. The machine does not
need to be a domain controller.
Installing Microsoft Internet
Information Services World Wide Web Service
Perform the
following steps to install IIS 6.0 on the Windows Server 2003 member server or
domain controller computer that will be the enterprise CA:
- Click Start, point to Control
Panel and click Add or Remove
Programs.
- Click the Add/Remove Windows Components button in the Add or Remove Programs window
(figure 1).
Figure 1
(fig111)

- On the Windows Components window, click on the Application Server entry and click the Details button (figure 2).
Figure 2
(fig112)

- On the Application Server page, click on the Internet Information Services (IIS) entry and click the Details button (figure 3).
Figure 3
(fig113)

- IN the Internet Information Service (IIS) dialog box, put a checkmark
in the World Wide Web Service
checkbox and click OK (figure
4).
Figure 4
(fig114)

- Click OK on the Application
Server dialog box (figure 5).
Figure 5
(fig115)

- Click Next on the Windows
Components dialog box (figure 6).
Figure 6
(fig116)

- Click Finish on the Completing
the Windows Components Wizard page (figure 7).
Figure 7
(fig117)

Installing Microsoft Certificate
Services
Perform the
following steps to install and configure an enterprise CA on a Windows Server
2003 computer:
Note:
You must install the enterprise CA on a member server or domain controller on
your internal network.
- At a member server or domain
controller in your internal network, log on as a domain administrator.
Click Start, point to Control Panel and click Add/Remove Programs.
- In the Add or Remove Programs window (figure 8), click the Add/Remove Windows Components
button.
Figure 8
(fig100)

- In the Windows Components dialog box (figure 9), click on the Certificate Services entry and
click the Details button.
Figure 9
(fig101)

- In the Certificate Services dialog box, put a checkmark in the Certificate Services CA checkbox
(figure 10). A Microsoft
Certificate Services dialog box appears and informs you that you can
not change the machine name or the domain membership of the machine while
it acts as a certificate server. Read the information in the dialog box
and click Yes.
Figure 10
(fig102)

- Both the Certificate Services CA and Certificate Services Web Enrollment Support checkboxes are
checked (figure 11). Click OK
in the Certificate Services dialog
box.
Figure 11
(fig103)

- Click Next in the Windows
Components dialog box (figure 12).
Figure 12
(fig104)

- Select the Enterprise root CA option on the CA
Type page (figure 13). Click Next.
Figure 13
(fig118)

- On the CA Identifying Information page (figure 14), type in a Common name for this CA. The
common name of the CA is typically the DNS host name or NetBIOS name
(computer name) of the machine running Certificate Services. In this
example, the name of the machine is WIN2003DC,
so we enter WIN2003DC in the Common name for this CA text box.
The default Validity Period of
the CA’s self-signed certificate is 5 years. Accept this default value
unless you have a reason to change it. Click Next.
Figure 14
(fig106)

- On the Certificate Database Settings page (figure 15), use the
default locations for the Certificate
Database and Certificate
Database Log. You do not need to specify a shared folder to store
configuration information because this information will be stored in the
Active Directory. Click Next.
Figure 15
(fig107)

- Click Yes on the Microsoft
Certificate Services dialog box (figure 16) informing you Internet
Information Services must be temporarily stopped.
Figure 16
(fig108)

- Click Yes on the Microsoft
Certificate Services dialog box (figure 17) informing you Active
Server Pages must be enabled on IIS if you wish to use the Certificate
Services Web enrollment site.
Figure 17
(fig109)

- Click Finish on the Completing
the Windows Components Wizard page (figure 18).
Figure 18
(fig110)

- Close the Add or Remove Programs window.
The
Enterprise Certificate Authority is now installed and can issue certificates
without requiring a machine restart.