Install and Configure Certificate Authority in

Windows Server 2016

We will see below topics in this article

• Install Certificate Authority on Windows Server 2016

• Configuring Certificate Authority on Windows Server 2016

• Assigning Certificate on Exchange Server 2016

• Assigning on Test Machine to see Certificate authority is working for Outlook Web Access

Step 1:
You need to have this role installed to have a Certificate Authority

Preferred to be on Dedicated Server or on a Domain Controller.

Open Server Manager – Manage – Add Roles and Features

Step 2:
Choose : Active Directory Certificate Services

Choose Next

And Choose : Certification Authority Web Enrollment

 Choose :

• Certification Authority

• Certification Authority Web Enrollment

Choose Install and Close

Step 3:
To Configure Active Directory Certificate Services – Choose the Exclamation Mark on the Flag

Configure Active Directory Certificate Services on the Destination Server

Choose Next
 Choose

• Certificate Authority

• Certification Authority Web Enrollment

 Choose Enterprise CA
• Enterprise CAs Must be domain members and are typically online to issue certificates or certificate
policies.
Step 4:
Choose Root CA
Root CAs are the first and may be the only CAs Configured in a PKI Hierarchy.
Step 5:
Create a new Private key
 Step 6:
• Use SHA256

• RSA#Microsoft Software Key Storage Provider

• Key Length – 2048

Step 7:
Click Next
Step 8:
By Default Certificate is valid for 5 years , Don’t make any changes on it , Click next
Step 9:
Specify Certificate Authority Default Database Locations
Click Configure
Choose Configure
We have successfully Installed and Configured – Certificate Authority on Windows Server 2016

Let us see how to Request a Create a Simple Cert from Internal Certificate Authority
Step 10:
Browse http://localhost/certsrv/
You would see a page below like this , Choose “Request a Certificate”
Step 11 –
Click on Advanced Certificate Request

Step 12:
Choose the Second one
Submit a certificate request by using a base-64-Encoded CMC

Step 13:
Now Copy the Note pad Certificate Request Data – You have to generate a Certificate Request from the
application. For example how we are doing in exchange server

http://www.careexchange.in/how-to-create-an-ssl-certificate-request-for-exchange-server-2013/
Or you can use https://www.digicert.com/util/
Example – Data Should be like below –

—–BEGIN NEW CERTIFICATE REQUEST—–

MIIEXDCCA0QCAQAwgYAxHTAbBgNVBAMMFGV4Y2gyMDE2LmNsb3VkaWQuYml6MRYw
FAYDVQQLDA1FeGNoYW5nZSBUZWFtMRUwEwYDVQQKDAxDYXJlRXhjaGFuZ2UxETAP
BgNVBAcMCE5ldyBZb3JrMRAwDgYDVQQIDAdOZXcgWW9yMQswCQYDVQQGEwJVUzCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKXVbwTkx4zhUobUvODoSwf1
8b0ti+dQ/WAoJPHlcSTW4weE5vVwQZbjtTqRhHOAOFEDYDnwZhuU1fOjjro+B2B3
zMTlvq0x7JJPsA9Zc611p+slYeTs/pI8hT9Ud2FgbwE3veF5u2uVw6/lbZdA20yU
ZizIsCJkq9Qo2hLpMji3MB4eFRtyvd1eQpCJPnqseUdRVzfdSwN2zf0U7UQCzzG+
q7bL1Pb2jfjFlhr5xb9/RfpaR/U3TmVHjf3/u49mK1JOBuJwJQVCK/HBYHfMPOp6
VEjt8IVApclOE7tZcR3DjjyF73tHYfxUJp2HuVWml/UVemKIcSfVYOcGofNrF88C
AwEAAaCCAZQwGgYKKwYBBAGCNw0CAzEMFgo2LjIuOTIwMC4yMF8GCSsGAQQBgjcV
FDFSMFACAQUMFEVYQ0gyMDE2LkNsb3VkaWQuYml6DBFDTE9VRElEXEVYQ0gyMDE2
JAwiTWljcm9zb2Z0LkV4Y2hhbmdlLlNlcnZpY2VIb3N0LmV4ZTByBgorBgEEAYI3
DQICMWQwYgIBAR5aAE0AaQBjAHIAbwBzAG8AZgB0ACAAUgBTAEEAIABTAEMAaABh
AG4AbgBlAGwAIABDAHIAeQBwAHQAbwBnAHIAYQBwAGgAaQBjACAAUAByAG8AdgBp
AGQAZQByAwEAMIGgBgkqhkiG9w0BCQ4xgZIwgY8wDgYDVR0PAQH/BAQDAgWgMFAG
A1UdEQRJMEeCFGV4Y2gyMDE2LmNsb3VkaWQuYml6ghhBdXRvRGlzY292ZXIuQ2xv
dWRpZC5iaXqCCEVYQ0gyMDE2ggtDbG91ZGlkLmJpejAMBgNVHRMBAf8EAjAAMB0G
A1UdDgQWBBQWEHXi+M7zoQZ3FlnOeRqsRscG0jANBgkqhkiG9w0BAQUFAAOCAQEA
FlYjkXO1rxadJmNB9g9KEqWU7NlxC3UdX2zyqWwK06cDB3/k+ThKBiYE7uoiaais
YqlE6yoT3T09Nf+rihH8DfS+of14oMYQTKo9By9VdisD6R/iztY05StbVoSambRk
jnOohs1z4v3itufuEzQaqf8Q0Qu8w2xsVVRZx2t0SKfktPASqOzJZEIRS6egqELH
h9dkQBjsdOaTSsqapJXiHpMN53wxXNoztO6mWSVtPzgbfML0+NLT41ZBiIAMjyIj
ztp61S/7O5dfoR9St0cwzaxWSZ5XPriJzKfYQ3dRvl+j/e1gi/rJmw9IUyWGQ2qz
27HqRbsEa/LqFharKDjeBw==
—–END NEW CERTIFICATE REQUEST—–
SavedReqest – (NEW CERTIFICATE REQUEST Data like above)
Choose Template : WebServer
Choose Submit

Step 14:
Choose “Base 64 encoded”
Download Certificate
Step 15:
Save the Certificate – should be .cer extension

Lets how we are applying on Exchange 2016 for Example

Copied my Request .CER File generated from CA to the Exchange and using it.
Shows Certificate Invalid.

Lets see why.

1 – Start – MMC –FILE – Add/Remove Snap-In

2 – choose certificates – Add

3 – Computer Account

4 – Local Computer

5 – Expand Personal – Certificates / Expand Trusted Root Authorities Certificates

Now Login to Root CA Server and Export the Root CA.

Now login to Exchange Server Import the export cert.

Now Certificates looking ok

Make sure you Assign the Certificate for IIS in Exchange Control Panel.

Now you can see things are fine locally on Exchange 2016 server –
– Lets see how we can use on Desktop

First Login to Exchange Server MMC and Export the Certificate with all the certificate path into a PFX file.

Note : The desktop doesn’t need the private keys from any certificate in the chain.

Having the private key gives the ability to decrypt all the traffic between the client and the server even if
that traffic is coming from someone else. It also makes a man in the middle attack on this SSL connection
possible.

On 2 : For End user desktops – Choose do no export private key and use that certificate for import.
Now we have the PFX File Exported.

Open MMC and Import or Install PFX Desktop.

Now browsing the URL –

Share