Windows Server - Setup Root Certificate Authority (CA) with OCSP Certificate Roles
When we set up an internal LAN for a corporate environment we need services such as SSL/TLS, encrypted VPN, DirectAccess and many more. They all depend on a CA that issues the root certificate and the service certificates. One can buy such certificates or use our own, which we can create for free. This video shows how to set up the CA together with the OCSP (Online Responder) role, which lets client computers check whether a certificate is still valid, i.e. has not been revoked. Two points worth keeping in mind while following along: the OCSP URL only ends up in certificates issued after it has been added to the CA's AIA extension (and the CA service restarted), and the responder can only answer once it has enrolled for a certificate from the OCSP Response Signing template, which is why the template permissions and autoenrollment policy are part of the setup.
Transcript (machine-generated, so it contains errors)
Hello, and a very good day to you. This video is going to show you how to set up a certificate authority on your Windows Server, and also ensure that certificate checking, to see whether certificates are valid, is set up as well; so basically the OCSP service role is also there. There are a number of steps.
However, they can be summarised into about three. The first one is setting up the certificate authority, then setting up the OCSP, and also the group policies and the template. It's all fairly straightforward. The first step is to open Server Manager, very simple. This is a domain-joined computer, so it does help if it is that way. Once Server Manager is loaded you get this screen, and then Add Roles and Features. Next, next, next. That is the very first part; click next, next, next. We are creating a certificate authority now, and for future use, for example when we do VPNs etc., we will also add Web Enrollment. You don't really need to do that right now, but we are registering it at the same time, along with the Online Responder. This is the service, the role, that actually runs on the server, and whenever a certificate is used by a client computer, another server, etc., it checks to see that the certificate is still valid; the server actually does the verification and says yes, it is valid, all good, continue with what you wanted. Click next. Because we clicked Web Enrollment it adds IIS, Internet Information Services, as well, so it will take a little bit longer to install. Once it has finished installing it will ask you to configure; click on Configure and close here, then click over there, it is the same thing. Now it's on the main screen. It does a little bit of checking and then goes ahead.
The Web Enrollment: we'll just install that one first and then quickly come back to the other; it will take a few seconds. Next; make sure it is an Enterprise CA, and make sure it's a Root CA. Next, we are creating a private key, and you can choose the defaults. You can create a common name; a good system would be to use the domain name, or the IP address, which makes it easy to find; however, this is the default, so we'll just go ahead with that. Click next. That's it; next again, and then Configure, and it will happily create our certificate authority and allow us to do another two things; we'll just tick both of them, click next, Configure, and that's all done. Now, you would think that is everything needed, but now we need to open up MMC, and we will use this for quite a while, so we need to add into it all the certificate ones: Certificate Templates, and Certificates; make sure Computer account is selected, next, and then Local computer, that's fine; and Certification Authority, add this local computer, and okey-dokey. Now we start off by going to our certificate templates, which is over here; right-click on that, and we then go down to Certificate Templates. We click on Manage, and then we go for the OCSP Response Signing template, and the key over here is to go to Security and add this server, and give it the Enroll and Autoenroll permissions. So, Add; now you will need to, oops, ensure that Computers are selected, and, just for the fun of it, Service Accounts as well.
And this computer, as you have probably seen, is called VPN server. Check names; it can be anything you want; it does help if you spell it correctly. There we go. Now Enroll, Autoenroll; if you are feeling generous you can give it full permissions, not a major issue at this point. Click Apply, click OK. That's done; close this one down, and now what we are going to do is move on to the next step, which is right over here: we need to ensure that certain extensions are added to certificates that give this server's address as the checking server, the OCSP checking server. So, Properties, and there we go, Extensions. We are using AIA, and we are clicking Add. The location is http:// followed by the server's address, as I can see from this, all correct. All good; click OK. Make sure you tick the last box, which says "Include in the online certificate status protocol (OCSP) extension". Click OK, click Yes. If we were doing so, we would say CRL as well, certificate revocation lists; it would be the same thing, basically Extensions, and then CDP could be added with the location on your web server where the list of all the revoked certificates is. But we are happy to deal with just OCSP, as it's the happy new modern version that seems to work quite happily, so we'll just cancel that. Now what we need to do is think about... actually, I made a mistake.
We just need to go back to Properties, because I forgot to add on the extension; this one, the OCSP at the end, my mistake: the server address followed by /ocsp. Make sure you do have this added in, and once again tick the box, click Apply, and you are asked to restart; click OK, and that is now set up. Now what we need to do is create an OCSP signing request; again we go here, and we go to Certificate Template to Issue, and OCSP Response Signing, and that should be there. I'll just check to make sure everything is fine with that; so far so good, and all we now need to do is the Group Policy Management issue, to basically give this server the authority to autoenroll, and set the policy. If you have not got the Group Policy Management role or feature installed: click next, next, next, next, Group Policy Management, next, Install. So we have installed Group Policy Management. We now need to see the... we'll actually just use the MMC way, that's fine: Add/Remove Snap-in, Group Policy Management, and click OK. And under Group Policy Management, the domain, Default Domain Policy; that will show you basic info regarding it, but we need to edit it, so...
Click on Edit, and now we're coming into Computer Configuration, Policies, and then Windows Settings, Security Settings, and then it is Public Key Policies; there we go, and now Certificate Services Client - Auto-Enrollment; we need to enable it, click Yes, click Yes. And that is pretty much done for what we needed to do in terms of the major work. Close this down; in PowerShell, update the group policies rather than restarting the server: gpupdate /force. That's done; it will take a little bit of time to update all the policies on the server. Still not done... there we go, finished. Now, just for tidiness, close down these things, these things, these things; just a bit again, there we go. We need to go to Tools and find Online Responder Management. If we click on Revocation Configuration you will see it hasn't gone green; it has all the details. So, Revocation Configuration, click on Add, Next. Give it a name, VPN server or whatever you would like; select a certificate from an existing enterprise CA.
Don't forget we did set up an Enterprise CA, so that's fine; certificates published in Active Directory, or it was on a different computer name. That's fine, but ours is there. This is an old CA that we will delete, but for now let us keep it; this is the one we set up today. That one's OK; click next. Make sure these two are set up; make sure you have in your OCSP Response Signing everything the way it is. This will obviously be different for you, but you should have your certificate there, and that should be there. Click next, click Finish, and now once this is set up, the good thing is we have a green tick, so lovely: we now have our online responder working, that service is working, that role is working, and it can check certificates. What we shall do in our next video, hopefully, is show you how to then use this configured setup to create the certificates to, shall we say, set up a VPN with SSTP, secure VPNs, etc., or IKEv2, etc., and a lot more. So for now we have set up the CA and it works. It did take a few steps, and we can shut down all the things; everything is happy for now. Thank you for watching.
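The same procedure, driven from an elevated PowerShell session instead of the wizards, as an added example that is not part of the video or its transcript. It assumes a domain-joined server, a CA common name of Corp-Root-CA and an OCSP responder URL of http://ocsp.example.com/ocsp; all three are placeholders to change for your environment, and the hostname is not the one used in the video. The two permission GUIDs are the well-known Enroll and Autoenroll extended rights in Active Directory.

```powershell
# Added example (not from the video): CA + Online Responder setup from PowerShell.
# Assumed placeholders: CA name, OCSP URL. Run elevated on the domain-joined server.
$CaName  = 'Corp-Root-CA'
$OcspUrl = 'http://ocsp.example.com/ocsp'

# 1. Roles: CA, Web Enrollment (pulls in IIS), Online Responder, and the
#    Group Policy Management console the video installs separately.
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment, ADCS-Online-Cert, GPMC `
    -IncludeManagementTools

# 2. Enterprise Root CA. Pin the key size and hash explicitly rather than
#    accepting whatever the wizard defaults to on this OS version.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CACommonName $CaName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 -Force
Install-AdcsWebEnrollment -Force
Install-AdcsOnlineResponder -Force

# 3. AIA extension (the "Extensions" tab in the video). Keep the two stock
#    entries and add the OCSP URL with flag 32, which is the checkbox
#    "Include in the online certificate status protocol (OCSP) extension".
#    certutil expects the REG_MULTI_SZ entries separated by a literal \n.
$aia = @(
    '1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt',
    '2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11',
    "32:$OcspUrl"
) -join '\n'
certutil -setreg CA\CACertPublicationURLs $aia
Restart-Service CertSvc   # the CA only applies the new extension after a restart

# 4. Security tab of the OCSPResponseSigning template: this computer gets
#    Read + Enroll + Autoenroll. Done on the template object in AD.
Import-Module ActiveDirectory
$tmplDN = 'CN=OCSPResponseSigning,CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
          (Get-ADRootDSE).configurationNamingContext
$sid = (Get-ADComputer -Identity $env:COMPUTERNAME).SID
$acl = Get-Acl -Path "AD:\$tmplDN"
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow)))
foreach ($right in '0e10c968-78fb-11d2-90d4-00c04f79dc55',   # Certificate-Enrollment
                   'a05b8cc2-17bc-4802-a710-e7c15ab866a2') { # Certificate-AutoEnrollment
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow, [guid]$right)))
}
Set-Acl -Path "AD:\$tmplDN" -AclObject $acl

# 5. "Certificate Template to Issue": publish the template on the CA.
Add-CATemplate -Name OCSPResponseSigning -Force

# 6. Default Domain Policy > Public Key Policies > Certificate Services Client -
#    Auto-Enrollment. AEPolicy = 7 is the registry form of "Enabled" plus the
#    two renew/update checkboxes.
Set-GPRegistryValue -Name 'Default Domain Policy' `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' `
    -ValueName AEPolicy -Type DWord -Value 7
gpupdate /force
certutil -pulse           # trigger autoenrollment now instead of waiting for the timer

# 7. The revocation configuration itself is still added in Online Responder
#    Management (no built-in cmdlet). Then check the CA actually carries the
#    OCSP entry and responds; a freshly issued certificate can be checked with
#    "certutil -verify -urlfetch <cert.cer>", which reports the OCSP lookup.
certutil -getreg CA\CACertPublicationURLs        # look for the 32:<url> line
certutil -config "$env:COMPUTERNAME\$CaName" -ping
```

The order matters: steps 3 and 4 must both be complete before the responder can enroll, because the signing certificate it requests comes from the template whose ACL is edited in step 4, and only certificates issued after the CA restart in step 3 contain the OCSP URL that clients will query.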