Building a Certificate Authority (CA) Server for Your Servers and Applications Free of Cost
Learn the steps to install a certificate authority server on Windows Server. Use for your internal servers, applications, and databases, free of cost.
In any organization, it is a security best practice to have an SSL certificate installed on servers, applications, and databases. To get an SSL certificate, the first step is to have or build a Certificate Authority (CA). SSL certificates and a CA make communication between client and server or application secure. If you do not have a CA ready internally or externally, you cannot issue a certificate to any internal or external application. In that case, the application or server is at risk, as anybody can claim its identity and read critical data to harm the system. The CA is responsible for attesting to the identity of users, computers, and organizations. The CA authenticates an entity and vouches for its identity by issuing a digitally signed certificate.
This article focuses on how to set up an internal CA for your organization. An internal CA gives IT admins better control over implementation and certificate life cycle management. You can use any number of SSL certificates free of cost. We will use a Windows server for it.
Windows Server comes with inbuilt server roles, but they are not pre-installed. You can install one or more roles based on your requirements. All these roles are free of cost, so you do not need to pay any additional charges for them.
When you want to set up a Windows server for any role, always go with the GUI (Desktop) OS version rather than the Core version, as the Core version is a command-line OS and may not have all roles and features available.
In our case, we are going to use the Windows Server 2016 desktop version for installing the AD CS role. This role will promote the Windows server to a Certificate Authority that issues SSL certificates for internal applications or servers. Let's go through the steps to set up a Windows server as the Certificate Authority.
Prerequisites
- Windows server 2016 or a later version
- Windows server is a member of the domain
- Enterprise Admin permission
Installation Steps
1. Log into the server where you will set up Active Directory Certificate Services (AD CS). Open the Server Manager console. Click Manage –> Add Roles and Features. Select Role-based Installation, and click Next. In the Select destination server section, ensure the correct server is selected.
2. Select the Active Directory Certificate Services (AD CS) server role, click Add Features, and then click Next. Read the Active Directory Certificate Services details.
3. Under Role Services of AD CS, select the Certification Authority and Certification Authority Web Enrollment roles.
4. Go to the Web Server Role (IIS) and select the Web Server.
5. Confirm installation.
Configuration Steps
1. Click on the flag at the top of Server Manager. Add domain credentials having Enterprise Admin permission to start the AD CS configuration.
2. Reconfirm the Certification Authority and Certification Authority Web Enrollment role services to configure.
3. Select Enterprise CA to use Active Directory Domain Service (AD DS) service for certificate management.
4. Select Root CA as the first CA in the Public Key Infrastructure (PKI) hierarchy. It is at the top of the PKI hierarchy.
5. Create a new private key to generate and issue a certificate. If you already have a private key, you can use the existing private key option.
6. Select the cryptographic provider as RSA with 2048 key length, and SHA256 hash algorithm as per standard. You can choose other providers, key lengths, and hash algorithms from the drop-down menu.
7. Next, give a common CA name, and specify the validity period that determines CA certificate validity.
8. Specify the certificate database location and the certificate database log location.
9. Confirm all data is right to proceed. If you want to modify anything, you have a chance to go back and modify it.
10. The CA is now configured and ready for use.
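The same installation and configuration choices can be applied from an elevated PowerShell session on the server and then checked. The script below is an added example, not part of the original article. The CA common name, validity period, and database directories are assumed placeholder values, since the article does not specify them.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the wizard steps in this article.
# Assumed values (not from the article): CA name, validity period, database paths.
$CaCommonName  = 'EXAMPLE-ROOT-CA'                    # placeholder CA common name
$ValidityYears = 5                                    # placeholder validity period
$DbDir         = "$env:SystemRoot\System32\CertLog"   # default AD CS database location
$LogDir        = $DbDir

# Installation steps: AD CS role services plus the IIS Web Server role.
$features = 'ADCS-Cert-Authority', 'ADCS-Web-Enrollment', 'Web-Server'
$result = Install-WindowsFeature -Name $features -IncludeManagementTools
if (-not $result.Success) { throw 'Role installation failed.' }

# Configuration steps: Enterprise Root CA, new RSA 2048-bit key, SHA256 hash.
$caParams = @{
    CAType              = 'EnterpriseRootCA'
    CACommonName        = $CaCommonName
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = 2048
    HashAlgorithmName   = 'SHA256'
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = $ValidityYears
    DatabaseDirectory   = $DbDir
    LogDirectory        = $LogDir
    Credential          = Get-Credential -Message 'Enterprise Admin account'
}
# -Force is omitted on purpose: each cmdlet asks for confirmation,
# which mirrors the "confirm all data is right" step of the wizard.
Install-AdcsCertificationAuthority @caParams
Install-AdcsWebEnrollment

# Verification: service state, CA responsiveness, and the configured hash algorithm.
$svc = Get-Service -Name CertSvc
if ($svc.Status -ne 'Running') { throw "CertSvc is $($svc.Status), expected Running." }
certutil -ping
certutil -getreg CA\CSP\CNGHashAlgorithm

# Confirm the CA certificate itself was signed with SHA256.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CaCommonName*" } |
    Select-Object -First 1
if (-not $caCert) { throw 'CA certificate not found in LocalMachine\My.' }
if ($caCert.SignatureAlgorithm.FriendlyName -ne 'sha256RSA') {
    throw "Unexpected signature algorithm: $($caCert.SignatureAlgorithm.FriendlyName)"
}
"CA '$CaCommonName' is valid until $($caCert.NotAfter)."
```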
Thank you for reading. I hope you have understood how to set up a CA in an easy way.
Published at DZone with permission of sagar pawar. See the original article here.