Windows Server – Setup Root Certificate Authority CA with OCSP Certificate Roles VIDEO TUTORIAL

Windows Server - Setup Root Certificate Authority CA with OCSP Certificate Roles

When we set up an internal LAN for a corporate environment, we will need services like SSL, encrypted VPN, DirectAccess and a lot more. They depend on the use of a CA with a root certificate and other service certificates. One can buy such certificates or use our own, which are created for free. This video shows you how to set up the CA with the OCSP role, which enables client computers to check the validity (i.e. that they are not revoked) of our certificates.
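The same three steps the video performs by clicking through Server Manager and MMC (install the CA and Online Responder, publish the OCSP URL in the AIA extension, open the OCSP Response Signing template and enable autoenrollment), written as an added PowerShell example. This is not the video's own command sequence: the host name `ocsp.corp.example` and CA name `Corp-Root-CA` are placeholders, the `AEPolicy = 7` registry value is the setting behind the "Enabled" autoenrollment policy, and the `dsacls` grant uses the `Enroll`/`AutoEnroll` control access right names of the template object; the revocation configuration on the responder itself still has to be finished in the Online Responder Management console, as in the video.

```powershell
# Added example (not the commands from the video): the tutorial's Server Manager and
# MMC steps expressed with the built-in ADCS cmdlets, certutil, dsacls and the GPO module.
# Run in an elevated PowerShell on the domain-joined server as an Enterprise Admin.
# 'ocsp.corp.example' and 'Corp-Root-CA' are placeholders; use your own names.
$ocspHost = 'ocsp.corp.example'   # placeholder FQDN that clients will resolve for OCSP
$caName   = 'Corp-Root-CA'        # placeholder CA common name

# Step 1: install the CA, Web Enrollment and Online Responder roles, plus the Group
# Policy Management feature the video adds later, then configure an enterprise root CA.
# The video keeps the wizard defaults; the key and hash settings here are explicit.
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment, ADCS-Online-Cert, GPMC -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CACommonName $caName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' -KeyLength 4096 `
    -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 10 -Force
Install-AdcsWebEnrollment -Force
Install-AdcsOnlineResponder -Force

# Step 2: put this responder's URL into the AIA extension of every certificate the CA
# issues (the "Include in the online certificate status protocol (OCSP) extension" box).
# Prefix 1 = publish the CA cert to this file, 2 = include in AIA, 32 = include as OCSP.
# Entries are separated by a literal \n in the REG_MULTI_SZ value; this replaces the
# default list, so the file and HTTP entries are kept alongside the new OCSP one.
certutil -setreg CA\CACertPublicationURLs `
    ("1:$env:windir\system32\CertSrv\CertEnroll\%1_%3%4.crt" + '\n' +
     "2:http://$ocspHost/CertEnroll/%1_%3%4.crt" + '\n' +
     "32:http://$ocspHost/ocsp")
Restart-Service certsvc   # the CA service must restart before the new extension applies

# Step 3: make OCSP Response Signing issuable and let this server's computer account
# enrol for it (what the video does in the template's Security tab). The template
# object lives in the configuration partition; RootDSE tells us where that is.
Add-CATemplate -Name OCSPResponseSigning -Force
$cfgNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$tplDN = "CN=OCSPResponseSigning,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNC"
$me    = "$env:USERDOMAIN\$env:COMPUTERNAME`$"          # this host's computer account
dsacls $tplDN /G "${me}:CA;Enroll" "${me}:CA;AutoEnroll"

# Step 4: enable "Certificate Services Client - Auto-Enrollment" in the Default Domain
# Policy. AEPolicy = 7 is the value the GPO editor writes for Enabled with both the
# renew/update boxes ticked. Then refresh policy on this host instead of rebooting.
Set-GPRegistryValue -Name 'Default Domain Policy' `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' `
    -ValueName AEPolicy -Type DWord -Value 7
gpupdate /force

# Step 5: the revocation configuration that turns the responder's array status green has
# no cmdlet; finish it in Online Responder Management (ocsp.msc) as shown in the video.

# Check: issue any certificate from this CA, export it as test.cer, and have certutil
# fetch the AIA and OCSP URLs embedded in it. With a working responder the OCSP URL
# is reported as verified instead of a revocation-check failure.
certutil -verify -urlfetch .\test.cer
```

The `certutil -verify -urlfetch` check is the one worth keeping around: it exercises exactly what a client does when it validates one of your certificates, so if the OCSP entry is missing from the AIA extension or the responder has not enrolled for its signing certificate yet, this is where it shows up before a VPN or web server does.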
Transcript (machine generated so it contains errors)
Hello, a very good day to you. This video is going to show you how to set up a certificate authority, ok, on your Windows server, and also ensure that basically certificate checking, to see whether the certificates are valid, is also set up, so basically the OCSP service, ok, role is also set up there. Now there are a number of steps, ok, however they can be summarized into literally probably about three: the first one is setting up the certificate authority, ok, setting up the OCSP, and also giving policies and the template. It should all become fairly straightforward here, ok.

So the first step is we've opened up Server Manager, very simple. This is a domain-joined computer, so it does help if it is that way, ok. So Server Manager is there, just click on that, you get to the screen, and then Add Roles and Features, next, next, next, ok. So this is the very first part, click Next, Next, Next. We are creating a certificate authority. Now for future use, like for example when we sort of do VPN etc., we'll add this web enrollment, ok; you don't really need to do that right now, but we're just doing it at the same time. And the online responder: this is the OCSP service, the role that actually runs on this server, and whenever a certificate is used by a client computer, another server etc., it checks to see if that certificate is still valid, and this service actually does do the verification and says yep, so the certificate is valid, all good, continue with what you want to do, okay. So next, click Next.

Okay, because we clicked the web enrollment it does do a lot of IIS, Internet Information Services, server bits are added as well, so it'll take a little bit longer to install, ok. Once it has finished installing it will ask you to configure; you can click on here and configure, or you can close here and then click over there, and the same thing, ok. Now it starts off with this main screen, it does a little bit of checking and then it goes ahead. The first thing, because we've got the web enrollment, we'll just install that one first and then we can come back into the other one, so that'll take a few seconds.

Next, make sure it's an enterprise CA. Make sure it's a root CA, next. We're creating a private key, okay, and you can choose the defaults, okay. You can create a common name; a good system that we've used in the past was like the domain name, okay, or the IP address, which makes it easy to find, however this is the default, we'll just go ahead with that, click Next. Okay, that's that, again next and then configure. That'll happily create our certificate authority. It'll now ask a new set of other two things, we'll just click both of them and click Next, configure, and that's all done.

Now you will think that is everything needed, but now we need to open up basically MMC, and we will use this for quite a bit of time, so we need to add into it, okay, all the certificate ones: certificate templates and certificates, and make sure it's computer account, next, and then local computer, that's fine; certification authority, add the local computer, and okey dokey. Now we start off with basically going to our certificate templates, which is over here, right-click on that, and we're then going to basically go down to click over here, and then certificate templates: we basically are going to click on Manage and then we're going to go for the OCSP Response Signing, and the key over here is to basically, in Security, add this server and give it the enroll, autoenroll etc. features. So Add; now you will need to, whoops, ensure that Computers are selected. Just for the fun of it I'm clicking Service Accounts as well, ok, and this computer, as you've probably seen, is called VPN server, ok; Check Names. It could be anything you want, it does help if you spell it correctly. There we go, now Enroll, Autoenroll; if you're feeling generous you can give it full permissions, not a major issue at this point, ok. Click Apply, click OK, that's done, close this one down.

And now what we are going to do is move on to the next step, which is basically right over here, and we need to ensure that some certain extensions are added to our certificates that give it this server's address as the checking server, okay, the OCSP checking server, ok. So Properties, and there we go, Extensions, ok. We are using AIA, ok, and we're clicking Add; this certificate on the server, its location is http://vpnserver.windows.ninja, okay, let's just check that's all correct, yep, all goody-goody, all right, click OK. Make sure you tick the last box, which is "Include in the online certificate status protocol (OCSP) extension", click okey dokey, click Yes. If we were doing, shall we say, CRL as well, ok, this is the certificate revocation list, it would be the same thing basically: Extensions and then CDP, add the location on your web server where the list of all the revoked certificates are, ok. But we're happy to deal with just OCSP, it's the happy new modern version that seems to work quite happily, ok, so I will just cancel that. Now what we need to do is think about, ok, whoops, I made a mistake, we just need to go back to Properties because I forgot to add on the extension, this one, the OCSP at the end, my mistake: http://vpnserver.windows.ninja/ocsp. Make sure you do have this added in, and once again tick the box, click Apply, it'll ask to restart, that's ok, and that is now set up.

Now what we need to do is create an OCSP signing request, ok, so we go here and we go to New, Certificate Template to Issue, and OCSP Response Signing, and that should be there, okay. Just check to make sure everything is fine with that, ok, so far so good.

And all we now need to do is the group policy management issue, ok, to basically give this server the authority to basically autoenroll, the autoenrollment policy. So if you have not got the Group Policy Management role, sorry, feature installed: click Next, next, next, Group Policy Management, next, Install. Okay, so we've installed Group Policy Management, okay. We now need to, well, actually we'll just do it the MMC way, okay, that's fine: Add, add the snap-in Group Policy Management and click OK, and then let's go into group policy. For that we basically need the domain, Default Domain Policy, okay. That'll show you the basic info regarding it, but we need to edit it, so we'll click on Edit, and now we're coming into Computer Configuration, Policies, okay, and then it's Windows Settings, Security Settings, and then it is basically Public Key Policies, should be somewhere over here, there we go, and now Certificate Services Client - Auto-Enrollment. We need to enable it, yes, click Yes, ok, and that is pretty much done for what we needed to do in terms of the major work. You can close that down. Let's just go to PowerShell and update our group policies rather than restarting the server, ok: gpupdate and then /force, ok. That's done; it'll take a little bit of time to update all the group policies on the server, ok, still not done, there we go, we're finished, ok.

Now is where I'm just gonna, just for tidiness, cut down these things, these things, these things, just for peace of mind, ok, there's nothing in there, ok. We need to go to Tools and find our Online Responder Management. If we click our Array Configuration you will see it hasn't gone green, it's all the details missing, so Revocation Configuration, click on Add, next, give it a name, ok, the VPN server or whatever you would like, ok. Select a certificate from an existing enterprise CA; don't forget we did set up an enterprise CA, so that's [unclear], ok. Certificates published in Active Directory, or it was on a different one, could be your name, that's fine, but ours is there. This is an old CA that we will delete, but for now let's just keep this because this is the one we set up today, ok, that one's ok, click Next, ok. Make sure these two are set up, make sure you're having your OCSP Response Signing, everything looking the way it is; this will be obviously different for you, okay, but you should have your certificate there and that should be there, okay. Click Next, click Finish, and now once this thing is set up, the good thing is we have a green tick, so lovely, we now have our online responder working, the service is working, that role is working, and basically it can check certificates.

What we shall do in our next video, hopefully, is to show you how to then, now, using this configured setting, create certificates to, shall we say, set up a VPN with SSTP, okay, secure VPN etc., or IKE version 2 etc., and a lot more, okay. So for now we have set up a CA, it works, it did take a few steps, and we can shut down all these things, everything is happy for now. Thank you for watching.
Visit our YouTube channel: https://www.youtube.com/channel/UCFj1BHYIUYfPWPb1Xn5qFIg