Windows Server 2016 - Setup Root Certificate Authority CA with OCSP Certificate Roles
- Published on 14 Dec 2024
- Windows Server - Setup Root Certificate Authority CA with OCSP Certificate Roles
When we set up an internal LAN for a corporate environment we typically need services such as SSL, encrypted VPN, DirectAccess and many more. These depend on a CA with a root certificate and certificates for the individual services. One can buy such certificates or create our own for free. This video shows how to set up the CA with the OCSP role, which lets client computers check that our certificates are valid, i.e. not revoked.
For more visit:
www.windows10....
www.servers201...
Transcript (machine generated so it contains errors)
Hello, a very good day to you. This video is going to show you how to set up a certificate authority on your Windows Server, and also ensure that the certificate checking, to see whether the certificates are valid, is set up as well, so basically the OCSP service role is also there. There are a number of steps.
However, they can be summarised into about three. The first one is setting up the certificate authority, then setting up the OCSP, and also the policies and the template. It's all fairly straightforward. The first step is to open Server Manager, very simple. This is a domain-joined computer, so it does help if it is that way. In Server Manager you get the screen and then Add Roles and Features. Next, next, next. So that's the very first part; click next, next, next. We are creating a certificate authority now for future use, like for example when we do VPNs et cetera, so we also add this Web Enrolment. You don't really need to do that right now, but we are registering it at the same time, and the Online Responder. This is the service, the role that actually runs on the server, and whenever a certificate is used by a client computer, another server, et cetera, it checks to see that the certificate is still valid; the server actually does the verification and says yes, it was valid, all good, continue with what you wanted. Click next. Because we clicked the Web Enrolment, a lot of IIS (Internet Information Services) server components get added as well, so it will take a little bit longer to install. Once it has finished installing it will ask you to configure; click on Configure and close here, and then click over there, it is the same thing. Now it's back on the main screen. It does a little bit of checking and then goes ahead.
The Web Enrolment: we'll just install that one first and then quickly come back and add the other two; it will take a few seconds. Next, make sure it's an Enterprise CA, make sure it's a Root CA. Next, we are creating a private key, and you can choose the defaults. You can create a common name. A good system to use is the domain name or the IP address, which makes it easy to find; however, we'll just go ahead with the default. Click next. Confirm that again, next, and then Configure, and it will happily create our certificate authority and allow us to do another two things; we just click both of them and click next...
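The steps the transcript walks through in Server Manager (add the CA, Online Responder and Web Enrollment roles, configure an Enterprise Root CA with a new private key, then configure the other two role services) can also be done unattended. The following PowerShell is an added example, not code from the video or its author; it assumes an elevated session on a domain-joined Windows Server 2016 with AD CS not yet installed, and the CA name and responder URL are placeholders you would replace for your own lab.

```powershell
# Added example (not from the video): unattended equivalent of the Server Manager
# wizard steps in the transcript. Run in an elevated PowerShell session on a
# domain-joined server. The CA name and OCSP URL below are lab placeholders.
$CaName  = "CORP-ROOT-CA"                   # placeholder common name
$OcspUrl = "http://ca01.corp.example/ocsp"  # placeholder Online Responder URL

# 1. Roles: Certification Authority, Online Responder (OCSP) and Web Enrollment
#    (the last one pulls in IIS, which is why the install takes longer).
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Online-Cert, ADCS-Web-Enrollment -IncludeManagementTools

# 2. Enterprise Root CA with a new private key. The wizard defaults are used in
#    the video; here SHA256 and a 4096-bit RSA key are chosen explicitly.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CACommonName $CaName `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 -Force

# 3. The "another two things" at the end of the wizard.
Install-AdcsWebEnrollment -Force
Install-AdcsOnlineResponder -Force

# 4. Put the OCSP URL into the Authority Information Access extension of every
#    certificate issued from now on. Certificates issued before this step carry
#    no OCSP pointer, so clients cannot find the responder for them.
Add-CAAuthorityInformationAccess -AddToCertificateOcsp -Uri $OcspUrl -Force
Restart-Service CertSvc
```

The Online Responder's revocation configuration and the OCSP Response Signing template are still set up in the management consoles as the video shows; the script only gets the roles installed and the CA issuing certificates that point at the responder.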
Hi there, in the first part at 01:25, must we have an Active Directory, or can we have it in a workgroup? Because I have Windows Server 2019 and I want to have it in a workgroup. Thanks
Is there any video for PKI (with or without OCSP) with a 3-tier architecture, like one offline root CA and 2 online sub-CAs? I want to learn High Availability (or DR) for PKI. What if this primary server goes down?
That is how most SSL certs are made - it is called a certificate chain from offline top to junior CA certs and other types of certs... The main CA cert needs to be installed on the other junior servers etc...
@Windows10NinjaWorldNinja thanks for the very fast response. But is there any video from which I can learn the whole deployment and failover scenario?
I have not made one, but that is a good idea! Just do a search for setup CA certificate chain Server 2016 etc...
@Windows10NinjaWorld Thank you so much for the help.
Hello. A quick question on this video. Is the instruction set for two different systems, PKI and Remote Access, or is it all done on one system? Thanks
Both - server and client.
Great tutorial, many thanks. Is it wise to install ADCS on a Domain Controller or on a separate VM?
OCSP isn't in the list when trying to add a new cert; can anyone help?
Great vid, thanks for your help! I can't get the OCSP service to recognize revoked certificates. I've tried adjusting the cache timeout, manually refreshing from the MMC, and various certutil commands but OCSP shows the revoked certs as "good" (via Wireshark). Any ideas?
Following this video, what is the status of the certificate? th-cam.com/video/PYPBmj_BX5g/w-d-xo.html
Am I the only one who couldn't click on Enterprise CA?
Maybe 😃
I couldn't either
Hi Windows Ninja, great tutorial, but one question... How do we test this on a client machine to see if it works?
You watch the next video: th-cam.com/video/uMtJgN0prME/w-d-xo.html
This works great for IE/Edge and Chrome but Firefox doesn't like it: The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. - Error code: SEC_ERROR_UNKNOWN_ISSUER. Any ideas how to satisfy FF?
Firefox needs the CA root certificate installed in Firefox itself manually; for the steps see: wiki.wmtransfer.com/projects/webmoney/wiki/Installing_root_certificate_in_Mozilla_Firefox
Download and save the certificate to a folder first and then follow the website link.
Use this little manual for Firefox:
- "about:config"
- "security.enterprise_roots.enabled"
- "true"
Now Firefox can accept all certificates issued by the corporate CA and trust the Root CA (if the Root CA is in Trusted Root Certification Authorities on the PC).
I'm not sure (if your error is related to a specific certificate type), but it might be useful.
That was FABULOUS!!! GREAT tutorial..
Thanks!
You are simply great!!! Thank you so much man!! Your video is perfect!!! You helped me a lot!!
Hi, following the same steps, at the end I've run pkiview.msc and it's showing an error against the OCSP Location. Could you check in your environment if you are getting everything in OK status please?
Yes all showed OK at the time. If there were issues when the VPN connected it would have shown cert revocation errors.
Did you setup using your lan settings and verify within? Watch the VPN video and run verification on server authentication cert.
Just ran it and it showed the status as OK. Also ran certutil -url against the server authentication cert and it came back as verified.
Please do remember that this is done within the lan settings. At the end of the day for verification to work your CA, OCSP etc. must be locatable by your DNS and clients with such DNS too etc.
As long as a root cert is installed on the computer and your VPN server, OCSP server etc. are reachable then it should be fine.
If you do want clients and server setup to be easier then purchasing a trusted cert is usually the option.
We created a video to show that it works. Hope it helps. th-cam.com/video/PYPBmj_BX5g/w-d-xo.html
Fair play to you. I just had a chance to watch it. Managed to fix the issue by revoking the CA Exchange cert, as it was issued before the OCSP responder was configured and there wasn't information about the OCSP location in it. After re-issuing it, everything is in OK status :)
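The two checks this thread relies on, whether an issued certificate actually carries an OCSP location in its AIA extension (the cause of the pkiview.msc error above) and whether certutil can fetch and evaluate revocation status for it, can be scripted. The following is an added example and not code from the video or the commenters; it assumes the certificate has been exported to a .cer file, and the path is a placeholder.

```powershell
# Added example (not from the video): verify that a certificate issued by the
# CA points at the OCSP responder, then let certutil build the chain and
# fetch CRL/OCSP data live. $CertPath is a placeholder for an exported .cer.
$CertPath = "C:\temp\server-auth.cer"   # placeholder path

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Authority Information Access extension is OID 1.3.6.1.5.5.7.1.1; the OCSP
# access method inside it is OID 1.3.6.1.5.5.7.48.1.
$aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq "1.3.6.1.5.5.7.1.1" }

if (-not $aia) {
    Write-Warning "No AIA extension: clients have no CRL or OCSP pointer for this certificate."
}
else {
    # Format($true) renders each access description on its own line.
    $text = $aia.Format($true)
    if ($text -match "1\.3\.6\.1\.5\.5\.7\.48\.1") {
        Write-Host "OCSP location present in AIA:"
        Write-Host $text
    }
    else {
        # Exactly the situation in the thread: issued before the responder URL
        # was added to the CA, so it must be revoked and re-issued.
        Write-Warning "AIA present but no OCSP access method; re-issue after configuring the responder."
    }
}

# Full chain build with live URL retrieval. In the output, look for the
# "Leaf certificate revocation check passed" line; a responder that is not
# reachable from this machine shows up here as a revocation failure.
certutil -verify -urlfetch $CertPath
```

Run it from a domain-joined client, not only on the CA itself, since the point the thread makes is that the responder and CRL distribution points must be resolvable and reachable from wherever the certificate is being validated.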
Great Guide, very clear thanks.
Great it helped!
Hello,
Thanks a lot for the tutorial !
How do I set it up without joining a domain?
Thanks
Should be as the video but instead of using domains in the certificates you would just use IP addresses.
Hi, do you know how to create an EV SSL? If yes, I would like to create one for my web sites. Thank you.
The methods shown here work for a company where the root CA certificate has to also be manually installed on each computer. For a public website you would need to buy one or use one of the free services e.g. letsencrypt.org/
Sorry, I don't understand really well. So I need to do it manually, how?
Please contact the company you buy the SSL certificate from and they should advise.
Love your tutorial. All protocols work other than this: IKE authentication is unacceptable (Routing and Remote Access). Any ideas for a fix? I followed your tutorial but for some unknown reason I get this error both inside and outside of my LAN.
More details please.
Thanks for the tutorial... greetings
It is no longer best practice to install a one-tier PKI. Also, OCSP needs to be installed on a separate server. This is not a good example.
It is an example from a few years back - and it depends on how many servers you have - the example shows how to use the certification system. Implementation is up to individuals.
Amazing!! Thanks a lot
Thanks
thanks!