Deploy Windows Server 2003 Certificate Services on the Primary Domain Controller

Windows-based Hosting recommends Secure Sockets Layer (SSL) for Web access. This means that you will need to provide a certificate service, either by purchasing a certificate from a commercial provider or by offering your own certificate service using Windows Server 2003 Certificate Services.

Typically, you obtain certificates from a commercial certificate authority such as VeriSign. This section describes an alternative approach, in which you provide certificate services by using Windows Server 2003 Certificate Services from a server on your Windows-based Hosting network — in this case, AD01.

Windows Server 2003 includes certificate services, which are easily administered through the Certification Authority (CA) console, a snap-in for the Microsoft Management Console (MMC). Windows Server 2003 Certificate Services enables the implementation of a comprehensive PKI. For the purpose of this infrastructure and services architecture, the CA is implemented on the AD01 domain controller. This solution recommends installing a two- or three-tier architecture for certificate services as outlined in the Windows Server 2003 Deployment Guide: Designing and Deploying Directory and Security Services.

Install IIS

Before you install the Microsoft Certification Authority, you must install Internet Information Services (IIS) 6.0. IIS 6.0 runs the certificate server Web site that enables the administrator to issue certificates and the end user to request certificates. The certificate revocation list (CRL) is also published through this Web site.

Install IIS on the AD01 server using the Add/Remove Programs utility.

Note

You need to perform these steps only if you are not using a commercial CA, such as VeriSign, to obtain certificates for SSL and HTTPS support. This procedure is not necessary if you have already installed IIS on AD01.

Procedure DWCM.12: To install IIS

  1. Log on to AD01 using an account that is a member of the Domain Administrators group.

  2. Click Start, point to Control Panel, and then click Add or Remove Programs.

  3. On the Add or Remove Programs page, click Add/Remove Windows Components.

  4. On the Windows Components Wizard page, select Application Server, click Details, and then click Internet Information Services (IIS).

  5. Click Details, and then verify that only the following components are selected:

    • Common Files

    • Internet Information Services Manager

    • World Wide Web Service

  6. Select World Wide Web Service, and then click Details.

  7. Select Active Server Pages, verify that World Wide Web Service is selected, and then click OK.

  8. Click OK, and then click OK again.

  9. Click Next to begin the installation.

  10. On the Completing the Windows Components Wizard page, click Finish.

  11. If you are not installing Certificate Services at this time, close Add/Remove Windows Components.

Install Windows Server 2003 Certificate Services

Install the Microsoft Certificate Authority on the AD01 server.

Note

You need to perform these steps only if you are not using a commercial Certificate Authority, such as VeriSign, to obtain certificates for SSL and HTTPS support.

If you are deploying in a lab or test environment, at a minimum you will need to install the Windows Server 2003 Certificate Services in order to complete the Deployment Walkthrough steps and create a functional environment.

Use the values in the table below for the CA identifying information.

Table: CA Identifying Information Values

Field                        Value
Common Name for this CA      fabrikamCA
Distinguished name suffix    DC=fabrikam, DC=COM
Validity period              (default value = 5 years)

Procedure DWCM.13: To install Certificate Services

  1. Click Start, point to Control Panel, and then click Add or Remove Programs.

  2. In the Add or Remove Programs dialog box, click Add/Remove Windows Components.

  3. Select the Certificate Services check box, and then click Yes when you receive the warning message.

  4. Click Next.

  5. On the Certificate Authority Type page, verify that Enterprise root CA is selected, and then click Next.

  6. Enter the information for CA Identifying Information by using the values in Table DWCM.1.

  7. Click Next.

  8. On the Certificate Database Settings page, click Next to accept the default database and log locations.

  9. Click Yes to stop IIS.

  10. If you are prompted, provide the path to the Windows Server 2003, Standard Edition files.

    Note

    A dialog box may appear indicating that Active Server Pages (ASP) must be enabled. In response to whether you want to enable ASP now, click YES and close the dialog box.

  11. Click Finish to complete the wizard.

  12. Close the Add or Remove Programs dialog box.

In this procedure, you will add the Domain Controllers group as a member of the CERTSVC_DCOM_ACCESS group. This membership is required for certificate autoenrollment. Refer to the Knowledge Base article for further information.

Procedure DWCM.14: To configure the Domain Controllers group for Certificate Services DCOM access

  1. Log on to AD01 using an account that is a member of the Domain Administrators group.

  2. On the taskbar, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  3. Expand fabrikam.com, and then highlight Users.

  4. Right-click CERTSVC_DCOM_ACCESS, and then click Properties.

  5. Click the Members tab, and then click Add.

  6. Type Domain Controllers, and then click Check Names. Verify that the Domain Controllers group is underlined, and then click OK.

  7. Click OK to close the Properties dialog box.
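
The result of procedures DWCM.13 and DWCM.14 can be checked from a command prompt on AD01. The batch file below is an added example, not part of the original procedure; it assumes the host name AD01, the CA name fabrikamCA and the group name CERTSVC_DCOM_ACCESS from this page, and uses the sc, certutil, dsquery and dsget tools that ship with Windows Server 2003.

```batch
@echo off
rem Added example: post-install checks for the CA built in DWCM.13 and DWCM.14.
rem Assumed values (taken from this page): host AD01, CA common name fabrikamCA.
rem Run on AD01 with an account in the Domain Administrators group.
setlocal
set CACONFIG=AD01\fabrikamCA
set CACERT=%TEMP%\fabrikamCA.cer
set FAILED=0

rem 1. The Certificate Services service (certsvc) must be running.
sc query certsvc | find "RUNNING" >nul
if errorlevel 1 (echo FAIL: certsvc is not running & set FAILED=1) else echo OK: certsvc is running

rem 2. The CA must answer on its DCOM request interface.
certutil -config "%CACONFIG%" -ping >nul
if errorlevel 1 (echo FAIL: %CACONFIG% did not answer & set FAILED=1) else echo OK: %CACONFIG% answered

rem 3. Retrieve the CA certificate and print its name and validity lines so
rem    they can be compared with the CA identifying information table.
certutil -f -config "%CACONFIG%" -ca.cert "%CACERT%" >nul
if errorlevel 1 (
    echo FAIL: could not retrieve the CA certificate
    set FAILED=1
) else (
    certutil -dump "%CACERT%" | findstr /c:"CN=" /c:"NotBefore" /c:"NotAfter"
)

rem 4. Domain Controllers must be a member of CERTSVC_DCOM_ACCESS (DWCM.14).
dsquery group -name CERTSVC_DCOM_ACCESS | dsget group -members | find /i "CN=Domain Controllers," >nul
if errorlevel 1 (echo FAIL: Domain Controllers is not in CERTSVC_DCOM_ACCESS & set FAILED=1) else echo OK: Domain Controllers is in CERTSVC_DCOM_ACCESS

rem Exit code 0 means every check passed; 1 means at least one failed.
exit /b %FAILED%
```

The script changes nothing on the server except for writing the retrieved CA certificate to the %TEMP% folder.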

© 2009 Microsoft Corporation. All rights reserved.