Install and Configure Enterprise Root CA

Practice Labs Module
Time: 57 minutes
Difficulty: Intermediate

Overview

Introduction

The Install and Configure Enterprise Root CA module provides you with the instruction and server hardware to develop your hands-on skills in the defined topics. This module includes the following exercises:

  • Install AD Certificate Services
  • Configure Certificate Revocation Lists (CRLs)
  • Backup and Restore of Active Directory Certificate Services

Lab time: It will take approximately 1 hour to complete this lab.

Exam Objectives

The following exam objectives are covered in this lab:

  • Install AD Integrated Enterprise Certificate Authority (CA)
  • Install Enterprise Subordinate CA
  • Configure Certificate Revocation List (CRL) distribution points
  • Configure CA backup and recovery

Exercise 1 - Install AD Certificate Services

Public Key Infrastructure (PKI) is a set of policies and guidelines that control the creation, management, distribution and revocation of certificates (digital IDs) in an organization. PKI ensures the secure transfer of electronic information, such as e-commerce transactions and confidential e-mail, between an organization and external parties.

Windows Server 2016 implements PKI using Active Directory (AD) Certificate Services. When AD Certificate Services is deployed in a corporate network, it is considered an internal resource because most users who request certificates are members of the organization. This type of resource is called an internal Certification Authority (CA). Companies that transact business with the public, such as e-commerce or internet banking, require the services of a trusted external CA to establish trust with their customers. The trusted CA proves the identity of the organization to the public as a trustworthy and legitimate business.

In this exercise, you will add and then install a parent (root) CA, which is the starting point of a Windows PKI. The root CA generates a self-signed certificate. After that, you will add and install a subordinate CA, which forms a hierarchy and trust path with the root CA. The subordinate CA will have the authority to issue certificates that are validated by the root CA.

Exercise 2 - Configure Certificate Revocation Lists (CRLs)

All certificates issued by a certification authority are recorded in the Issued Certificates folder within the Certification Authority (CA) console. A Certificate Revocation List (CRL) is a list of certificates that have been revoked (canceled) because of security-related issues identified by the Certification Authority administrator. Certificates can be revoked by the certificate administrator, for example when the computer that hosts the certificate is stolen or when a user loses a smartcard that holds a certificate. CRLs are normally published through IIS so that they can be accessed by any computer with a web browser and a network connection.

Whatever the reason, when an administrator revokes a user certificate the certificate server records that revocation to prevent the revoked certificate from being reused. In a large network, the revocation must be replicated to the other CA servers so that revoked certificates cannot be used to access network resources.

In this exercise, you will configure certificate revocation lists in Certificate Services.

Exercise 3 - Backup and Restore of Active Directory Certificate Services

If Certificate Services fails to start on the server, no certificate can be issued to a user or computer, and certificate revocation lists (CRLs) cannot be published among the CA servers in the network. It is essential that you become familiar with the different ways to back up and restore AD Certificate Services.
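The three exercises above, carried out from PowerShell as an added example that is not part of the Practice Labs module: it uses the ADCSDeployment and ADCSAdministration cmdlets to install an Enterprise Root CA, add an HTTP CRL distribution point, and back up the CA. The CA name CONTOSO-ROOT-CA, the web host pki.contoso.local and the path C:\CABackup are constructed assumptions.

```powershell
# Added example: runbook for the three lab exercises on one domain-joined server.
# Assumptions (constructed, not from the lab): CA name "CONTOSO-ROOT-CA",
# CDP/AIA web host "pki.contoso.local", backup folder C:\CABackup.
# Run in an elevated PowerShell session.

# --- Exercise 1: install the role and configure an Enterprise Root CA ---
Install-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools

Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'CONTOSO-ROOT-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -Force

# --- Exercise 2: publish the CRL on an HTTP distribution point ---
# Non-domain clients cannot read the default LDAP location, so an HTTP URL
# served by IIS is added. <CaName>, <CRLNameSuffix>, <DeltaCRLAllowed>,
# <ServerDNSName> and <CertificateName> are expanded by the CA itself.
Add-CACrlDistributionPoint `
    -Uri 'http://pki.contoso.local/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl' `
    -AddToCertificateCdp -AddToFreshestCrl -Force

Add-CAAuthorityInformationAccess `
    -Uri 'http://pki.contoso.local/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt' `
    -AddToCertificateAia -Force

# A short CRL lifetime limits how long a revoked certificate is still accepted
# by clients that cached the previous CRL.
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"

Restart-Service certsvc
certutil -crl        # publish a fresh base CRL immediately
Get-CACrlDistributionPoint | Select-Object Uri, AddToCertificateCdp, AddToFreshestCrl

# --- Exercise 3: back up the CA database and private key, then verify ---
$pw = Read-Host -Prompt 'Backup password' -AsSecureString
Backup-CARoleService -Path 'C:\CABackup' -Password $pw
Get-ChildItem 'C:\CABackup' -Recurse | Select-Object FullName, Length

# Restore on a rebuilt server that already has the role installed:
# Stop-Service certsvc
# Restore-CARoleService -Path 'C:\CABackup' -Password $pw -Force
# Start-Service certsvc
```

Store the backup and its password separately from the CA host; a backup that holds the root key is as sensitive as the CA itself.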
