Beruflich Dokumente
Kultur Dokumente
REQUIREMENTS
Your own laptop with VMWare Workstation with the Lab VMs we setup in the first class
You will be required to take screenshots and answer questions at certain points
(Indicated in Green) in the lab - then insert into this document for assignment submission
via Blackboard
RWDC01 Server01
IP Address: IP Address:
192.168.1.50 192.168.1.60
Netmask: Netmask:
255.255.255.0 255.255.255.0
Gateway: Gateway:
192.168.1.2 192.168.1.2
DNS: 192.168.1.50 DNS: 192.168.1.50
Administrator Administrator
Password: Password:
Password01 Password01
OPTIONAL PRECAUTION – Just in case things go wrong in this lab – it is advised to create
a snapshot of your virtual machines in VMWare Workstation at this point (if you have
enough disk space) Call the snapshot PRE-LAB10 just in case you need to go back.
Page | 1
Exercise 19.1 Installing an Enterprise Certificate Authority
In this exercise, you will install Certificate Authority and then configure the server as a root
enterprise CA.
6. On the Select server roles page, select Active Directory Certificate Services. In the
Add Roles and Features Wizard window, click Add Features and then click Next.
9. On the Select role services page, ensure that Certification Authority is selected and
then click Next.
11. On the Installation progress page, after installation is successful, click Configure
Active Directory Certificate Services on the destination server, as shown below.
Page | 2
12. On the Credentials page, click Next.
13. On the Select role services to configure page, click Certification Authority and then
click Next.
14. On the Setup Type page, ensure that Enterprise CA is selected and then click Next.
15. On the CA Type page, ensure that Root CA is selected and then click Next.
16. On the Private Key page, ensure that Create a new private key is selected and then
click Next.
17. On the Cryptography for CA page, answer the following question. Then change the
Key length to 4096 and then click Next.
18. On the CA Name page, answer the following question and then click Next.
19. On the Validity Period page, answer the following question, change the validity period
to 10 years, and then click Next.
20. The CA Database page displays where the certificate database will be stored.
Answer the following question and then click Next.
Where is the default database and log file location and why
Question should caution be used here?
4
Ans. C:\windows\system31\certlog, it is being saved on the local
hard drive an can use up a great dal of space that is needed for
the operating system
22. Take a screen shot showing a successful configuration of the Active Directory
Certificate Services and insert here.
Page | 3
23. Click Close to close the CA successful installation page.
24. Click Close to close the Add Roles and Features Wizard.
End of exercise.
Page | 4
Exercise 19.2 Installing Subordinate Certificate Server
In this exercise, you will install a subordinate certificate server, which will be under the root
enterprise CA you created in the first exercise.
Mindset.: What would determine how many subordinate CAs that an organization may
need?
6. On the Select server roles page, select Active Directory Certificate Services. In the
Add Roles and Features Wizard window, click Add Features and then click Next.
9. On the Select role services page, ensure that Certification Authority is selected and
then click Next.
11. On the Installation progress page, after installation is successful page, click
Configure Active Directory Certificate Services on the destination server.
13. On the Select role services to configure page, click Certification Authority and then
click Next.
14. On the Setup Type page, select Enterprise CA and then click Next.
15. On the CA Type page, ensure that Subordinate CA is selected and then click Next.
16. On the Private Key page, ensure that Create a new private key is selected and then
click Next.
17. On the Cryptography for CA page, keep the default selections for Cryptographic
Service Provider (CSP) and Hash Algorithm. For better security, change the Key
length to 4096 and then click Next.
Page | 5
19. On the Certificate Request page, select Send a certificate request to a parent CA.
Then with the CA name selected, click Select, click the CA that you installed in the
previous exercise, and then click OK. See below. Click Next.
20. The CA Database page displays where the certificate database will be stored. Click
Next.
22. Take a screen shot showing a successful configuration of the Active Directory
Certificate Services and insert here.
Page | 6
23. Click Close to close the CA successful installation page.
24. Click Close to close the Add Roles and Features Wizard.
End of exercise. Leave Server Manager open for the next exercise.
Page | 7
Exercise 19.3 Configuring a Certified Revocation List (CRL) Distribution Point
In this exercise, you will configure a new Certified Revocation List (CRL) distribution point.
3. In the Revoked Certificates Properties window, answer the following question and
then click OK.
What is the CRL publication interval and what is the Delta CRL
Question publication interval?
5
Ans. I week and I day
6. Click the
http://<ServerDNSName>/CertEnroll/<CaName><CRLNAMESuffix><DeltaCRLA
llowed>.crl entry and then click Remove. Click Yes to confirm its removal.
8. In the Add Location dialog box, in the Location text box, type http://. Then select
<ServerDNSName> from the Variable pull-down list and click Insert. So far, it should
look like Figure below.
Page | 8
9. Add the necessary variables and text so that the Location is as follows:
http://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAll
owed>.crl
11. Click OK to close the Properties dialog box. If you are prompted to restart the
services now, click Yes.
End of exercise. Leave the Enterprise Certificate Authority console open for the next
exercise.
In this exercise, you will install and configure the Online Responder.
1. On Server01, in Server Manager, click Manage > Add Roles and Features.
5. On the Select server roles page, expand Active Directory Certificate Services
(Installed) and then select Online Responder. When you are prompted to add
features, click Add Features. Click Next.
10. On the Role Services page, click to select Online Responder and then click Next.
12. Take a screen shot showing a successful configuration of the Online Responder and
insert here.
Page | 9
13. Click Close two times.
16. In the Select extension section, select Authority Information Access (AIA), answer
the following question, and then click Add.
18. Click to select the Include in the AIA extension of issued certificates check box.
19. Click to select the Include in the online certificate status protocol (OCSP)
extension check box and then click OK.
22. In the Certificate Templates console, double-click the OCSP Response Signing
template.
23. In the OCSP Response Signing Properties dialog box, click the Security tab. Under
Permissions for Authenticated Users, select the Allow check box for Enroll and
Autoenroll and then click OK.
25. In the Certification Authority console, right-click the Certificate Templates folder and
choose New > Certificate Template to Issue.
Page | 10
26. In the Enable Certificate Templates dialog box, select the OCSP Response Signing
template and then click OK.
27. Using Server Manager, click Tools > Online Responder Management.
28. In the ocsp console right-click Revocation Configuration and choose Add
Revocation Configuration.
30. On the Name the Revocation Configuration page, in the Name text box, type
<yourdomain> CA Online Responder and then click Next.
31. On the Select CA Certificate Location page, Select a certificate for an Existing
enterprise CA option is already selected. Click Next.
32. On the Choose CA Certificate page, click Browse, click the <yourdomain>-
Server01-CA, and then click OK. Then click Next.
33. On the Select Signing Certificate page, verify that Automatically select a signing
certificate and Auto-Enroll for an OCSP signing certificate are both selected.
34. Take a screen shot of the Select Signing Certificate page and insert here.
End of exercise. Close any open windows before you begin the next exercise.
Page | 11
Exercise 19.5 Performing a CA Backup
Mindset.: What are the components that will need to be restored if you have to restore a
CA?
4. On the Items to Back Up page, click to select Private key and CA certificate, and
Certificate database and certificate database log options.
5. In the Back up to this location text box, type C:\BAK. Click Next.
6. On the Select a Password page, in the Password text box and the Confirm Password
text box, type Password01. Click Next.
10. Take a screen shot of the DataBase folder and insert here.
Page | 12
End of exercise. Close any open windows before you begin the next exercise.
Page | 13