Chapter 2: Installing Certificate Services

Microsoft Certificate Services can be installed on the domain controller on the internal network and issue certificates to hosts within the internal network domain, as well as to hosts that are not members of the internal network domain. We will use certificates in a variety of configuration scenarios in this ISA Server 2004 Configuration Guide series, including to accomplish the following:

  • Allow the ISA Server 2004 firewall to use the L2TP/IPSec VPN protocol for a site-to-site VPN link
  • Allow the ISA Server 2004 firewall to use the L2TP/IPSec VPN protocol for a VPN client connection from a remote access VPN client
  • Enable remote users to access the Outlook Web Access site using highly secure SSL-to-SSL bridged connections
  • Publish secure Exchange SMTP and POP3 services to the Internet

The certificates enable us to use SSL/TLS security. The SSL (Secure Sockets Layer) protocol, and its successor TLS, encrypt data moving between the client and server machines and use the server's certificate to prove the server's identity to the client, so that the client knows which machine it is sending data to. SSL security is considered the current standard for providing secure remote access to Web sites. In addition, certificates can be used to confirm the identity of VPN clients and servers so that mutual machine authentication can be performed.

In this document we will discuss the following procedures:

  • Confirming that Internet Information Services 6.0 is installed and running, because it hosts the Certificate Authority’s Web enrollment site
  • Installing Microsoft Certificate Services in Enterprise CA mode

Confirm that Internet Information Services 6.0 is Running

The Certificate Authority’s Web enrollment site uses the Internet Information Services World Wide Web Publishing Service. Because Exchange 2003 has already been installed on this machine, we will not need to manually install the IIS Web services: the Exchange 2003 setup routine requires that you install the IIS Web services so that the Outlook Web Access site functions properly. However, you should confirm that the WWW Publishing Service is enabled before starting installation of the Enterprise CA.

Perform the following steps to confirm that the WWW Publishing Service is running on the domain controller:

  1. Click Start and point to Administrative Tools. Click Services.
  2. In the Services console, click the Standard tab in the right pane. Scroll down to the bottom of the list and find the World Wide Web Publishing Service entry. Double-click that entry.
  3. In the World Wide Web Publishing Service Properties dialog box, confirm that the Startup type is set to Automatic, and that the Service status is Started.
  4. Click Cancel and close the Services console.

Now that we’ve confirmed that the WWW Publishing Service is started, the next step is to install the Enterprise CA software.

Install Microsoft Certificate Services in Enterprise CA Mode

Microsoft Certificate Services will be installed in Enterprise CA mode on the domain controller. This guide installs the root CA directly on the domain controller to keep the lab simple; in a production deployment the root CA is normally a separate, tightly controlled (often offline) machine, with the Enterprise CAs that issue day-to-day certificates subordinate to it. There are several advantages to installing the CA in enterprise mode versus stand-alone mode. These include:

  • The root CA certificate is published in Active Directory and automatically entered into the Trusted Root Certification Authorities certificate store on all domain member machines
  • You can use the Certificates MMC snap-in to easily request a certificate. This greatly simplifies requesting machine and Web site certificates
  • All domain member machines can be assigned certificates using the Active Directory autoenrollment feature
  • All domain users can be assigned user certificates using the Active Directory autoenrollment feature

Note that you do not need to install the CA in enterprise mode. You can install the CA in stand-alone mode, but we will not cover the procedures involved with installing the CA in stand-alone mode or how to obtain a certificate from a stand-alone CA in this ISA Server 2004 Configuration Guide series.

Perform the following steps to install the Enterprise CA on the EXCHANGE2003BE domain controller computer:

  1. Click Start, and then point to Control Panel. Click Add or Remove Programs.
  2. In the Add or Remove Programs window, click the Add/Remove Windows Components button on the left side of the window.
  3. On the Windows Components page, scroll through the list and put a check mark in the Certificate Services check box. A Microsoft Certificate Services dialog box informs you that you cannot change the name of the machine or the machine’s domain membership while it is acting as a CA. Click Yes to continue.
  4. Click Next on the Windows Components page.
  5. On the CA Type page, select the Enterprise root CA option and click Next.
  6. On the CA Identifying Information page, enter a name for the CA in the Common name for this CA text box. This name appears in the Issuer field of every certificate the CA issues and in the name of the CRL file the CA publishes. The default CRL distribution point and authority information access URLs that the CA places in issued certificates are built from the server’s DNS host name (http://<server>/CertEnroll/...), so that host name must be resolvable and reachable over HTTP from every location where the certificates will be validated; hosts outside the domain cannot use the LDAP URLs. Ideally, you will have configured a split DNS infrastructure so that the name resolves from internal and external locations and external hosts will be able to download the certificate revocation list. We will not cover the issue of a split DNS infrastructure in this document. You can find more information about designing and configuring a split DNS infrastructure in the ISA Server 2000 Branch Office Kit document “DNS Considerations for ISA Server 2000 Branch Office Networks” at https://www.tacteam.net/isaserverorg/isabokit/9dnssupport/9dnssupport.htm. In this example we will enter the domain controller’s NetBIOS name, EXCHANGE2003BE, as the CA name. Click Next.
  7. If the same machine had been configured as a CA in the past, you will be presented with a dialog box asking if you want to overwrite the existing key. If you have already deployed certificates to hosts on your network, do not overwrite the current key: that key is what ties the CA to every certificate it has already issued, and replacing it leaves those certificates without a CA that can publish valid revocation lists for them, so they would all have to be reissued. If you have not yet deployed certificates to hosts on your network, then choose to overwrite the existing key. In this example, we have not previously installed a CA on this machine and we do not see this dialog box.
  8. In the Certificate Database Settings page, use the default locations for the Certificate Database and Certificate database log text boxes. Click Next.
  9. Click Yes in the Microsoft Certificate Services dialog box informing you that Internet Information Services must be stopped so that the Web enrollment site can be installed. The service is restarted for you automatically when setup completes.
  10. Click OK in the Insert Disk dialog box. In the Files Needed dialog box, enter the path to the i386 folder in the Copy file from text box and click OK.
  11. Click Finish on the Completing the Windows Components Wizard page.
  12. Close the Add or Remove Programs window.
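The same installation can be scripted, which is useful when rebuilding the lab or deploying several CAs identically. The batch file below is an added example and is not part of the original guide: it writes an answer file for sysocmgr.exe (the Windows Server 2003 optional-component installer that Add or Remove Windows Components drives) and installs Certificate Services as an Enterprise root CA with the same choices made in steps 5 through 8. The [Certsrv_Server] key names follow the Windows Server 2003 Unattend.txt reference and should be checked against that reference for your service pack; the domain suffix DC=msfirewall,DC=org, the key length and the validity period are assumptions for this example and must be adjusted to your forest.

```bat
@echo off
rem Unattended equivalent of steps 1-12 (added example, not part of the original guide).
rem Assumptions: forest root domain msfirewall.org, 2048-bit CA key, 5-year CA certificate.
rem The [Certsrv_Server] keys are taken from the Windows Server 2003 Unattend.txt reference;
rem confirm them in ref.chm for your service pack before using this in anger.
setlocal
set ANSWER=%temp%\certsrv-unattend.txt

rem Write the answer file. %windir% expands while the file is written, so the
rem database and log paths end up as the same defaults the wizard proposes.
(
echo [Components]
echo certsrv = ON
echo certsrv_client = ON
echo certsrv_server = ON
echo.
echo [Certsrv_Server]
echo CAType = EnterpriseRootCA
echo CAName = EXCHANGE2003BE
echo CADistinguishedNameSuffix = DC=msfirewall,DC=org
echo CAKeyLength = 2048
echo ValidityPeriod = Years
echo ValidityPeriodUnits = 5
echo DatabaseDir = %windir%\system32\CertLog
echo LogDir = %windir%\system32\CertLog
) > "%ANSWER%"

rem Same restriction as the wizard warns about in step 3: once this runs, the
rem machine name and domain membership must not change.
rem sysocmgr reads the i386 source location from
rem HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath and prompts
rem for it (the "Insert Disk" dialog of step 10) if that path is not valid.
rem /x suppresses the setup banner.
sysocmgr /i:%windir%\inf\sysoc.inf /u:"%ANSWER%" /x
set RC=%errorlevel%

del "%ANSWER%" >nul 2>&1
if not "%RC%"=="0" (
  echo FAIL: sysocmgr returned %RC%
  endlocal
  exit /b 1
)
echo OK: Certificate Services installed as Enterprise root CA EXCHANGE2003BE
endlocal
```

Run it from a command prompt as a member of Enterprise Admins (the same rights the wizard needs to publish the CA certificate to Active Directory); the answer file is deleted afterwards because it records the CA configuration you chose.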

At this point, the Enterprise CA is able to issue certificates to machines through autoenrollment, the Certificates MMC snap-in, or through the Web enrollment site. Later in this ISA Server 2004 Configuration Guide series, we will issue a Web site certificate to the OWA Web site and also issue machine certificates to the ISA Server 2004 firewall computer and to an external VPN client and VPN gateway (VPN router) machine.
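Before relying on the new CA for the OWA Web site certificate and the VPN machine certificates later in the series, it is worth verifying the state that the two procedures above (confirming the WWW Publishing Service and installing the Enterprise CA) were meant to produce. The batch file below is an added example and is not part of the original guide; it uses only sc.exe and certutil.exe, which ship with Windows Server 2003, and assumes the CA common name EXCHANGE2003BE chosen in step 6 (CANAME) running on the host of the same name (CAHOST). It checks that the World Wide Web Publishing Service is running and set to Automatic, that the CA answers requests and is an Enterprise root CA, that its certificate was published to Active Directory, and where issued certificates will tell relying parties to fetch the CRL.

```bat
@echo off
rem Post-installation check for the Enterprise root CA (added example, not part of the
rem original guide). Run from a command prompt on the CA as a domain administrator.
setlocal
set CAHOST=EXCHANGE2003BE
set CANAME=EXCHANGE2003BE

rem 1. The Web enrollment site needs the World Wide Web Publishing Service (W3SVC)
rem    running and starting automatically (the check made in the Services console).
sc query w3svc | find "RUNNING" >nul || (echo FAIL: W3SVC is not running & exit /b 1)
sc qc w3svc | find "AUTO_START" >nul || (echo FAIL: W3SVC startup type is not Automatic & exit /b 1)
echo OK: W3SVC is running and starts automatically

rem 2. The CA must answer requests. -ping talks to the CA's request interface;
rem    -cainfo type reports the CA type selected on the CA Type page.
certutil -config "%CAHOST%\%CANAME%" -ping >nul || (echo FAIL: CA %CAHOST%\%CANAME% does not answer & exit /b 1)
certutil -config "%CAHOST%\%CANAME%" -cainfo type | find /i "Enterprise Root CA" >nul || (echo FAIL: CA is not an Enterprise root CA & exit /b 1)
echo OK: %CAHOST%\%CANAME% is an Enterprise root CA

rem 3. Enterprise mode publishes the CA certificate in Active Directory: the Root
rem    container is what makes every domain member trust it, and NTAuth is what lets
rem    certificates it issues be used for domain logon.
certutil -store -enterprise Root | find /i "CN=%CANAME%" >nul || (echo FAIL: CA certificate not published to the AD Root store & exit /b 1)
certutil -store -enterprise NTAuth | find /i "CN=%CANAME%" >nul || (echo FAIL: CA certificate not in NTAuth & exit /b 1)
echo OK: CA certificate published in Active Directory (Root and NTAuth)

rem 4. The local Trusted Root Certification Authorities store is filled in from AD at
rem    the next policy refresh, so a miss here right after installation is not fatal.
certutil -store Root | find /i "CN=%CANAME%" >nul || echo WARN: CA certificate not yet in the local Trusted Root store (run gpupdate /force and re-check)

rem 5. Show the CRL distribution point and AIA URLs the CA will place in issued
rem    certificates. The HTTP entries use the server's DNS name, which is why external
rem    hosts that must check revocation need to resolve and reach that name (step 6).
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

rem 6. Confirm a base CRL exists in the CertEnroll folder served by the Web enrollment
rem    site; publish one if the service has not done so yet.
if not exist "%windir%\system32\CertSrv\CertEnroll\%CANAME%.crl" (
  echo WARN: no CRL published yet, publishing one now
  certutil -crl || (echo FAIL: could not publish CRL & exit /b 1)
)
dir /b "%windir%\system32\CertSrv\CertEnroll\*.crl"
echo OK: CA verification complete
endlocal
```

A failure in check 2 or 3 usually means setup did not complete or was run without Enterprise Admins rights; a warning in check 6 on a freshly installed CA is normal until the first CRL publication interval has passed.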

Conclusion

In this ISA Server 2004 Configuration Guide document we discussed the uses of a certificate authority and how to install an Enterprise CA on the domain controller on the internal network. Later in this guide, we will use this Enterprise CA to issue machine certificates to VPN clients and servers and issue a Web site certificate to the Exchange Server’s Outlook Web Access Web site.