Deploying Certificate Services

Most networks use password-based authentication to secure network communications such as VPN and wireless connections. When used with secure authentication methods such as MS-CHAP v2 (for PPTP VPN connections) or WPA (for wireless connections), password-based security can be quite secure. However, password-based authentication can be inconvenient (you must remember a password or network key), and doesn’t ensure the integrity of transmitted data—an industrious hacker could intercept, replay, and tamper with data.

One way of addressing these issues is to sign communications with a digital certificate. Doing so also enables clients to verify the identity of the server (reducing the risk of rogue servers), and to digitally sign and encrypt e-mails. Digital certificates are required by L2TP VPN connections and 802.1X authentication of wireless networks.

Installing Certificate Services

The first step in setting up 802.1X authentication or L2TP VPNs is to install Certificate Services and create an enterprise root Certificate Authority (CA), which can then be used to deploy certificates to users and computers on the network. To do so, complete the following steps:

1. Open Add Or Remove Programs in Control Panel and then click Add/ Remove Windows Components. The Windows Components Wizard appears.

2. On the Windows Components page, select Certificate Services in the component list. The installer warns you that after the CA software is installed, you can’t change the name of the server or move it into or out of an Active Directory domain. Click Yes, and then click Next.

3. On the CA Type page (Figure 15-9), select Enterprise Root CA and then click Next.

4. On the CA Identifying Information page (Figure 15-10), type a descriptive name for the CA (most likely including the company name) and then click Next.

   
   Figure 15-9: The CA Type page of the Windows Components Wizard.

   
   Figure 15-10: The CA Identifying Information page of the Windows Components Wizard.

5. On the Certificate Database Settings page, accept the default storage location for the certificate database and log files and configuration information. Note that the location you specify isn’t where issued certificates are stored; it’s where the CA’s own certificates are stored. Click Next.

   Note

   If the computer acting as the Enterprise Root CA crashes and you lose the CA database, you must reissue every certificate. Consider this extra motivation to regularly back up your entire Windows Small Business Server installation.

6. Click Yes when prompted to stop Microsoft Internet Information Services. When prompted, insert the appropriate Windows Small Business Server 2003 CD or DVD and then click OK. The Windows Components Wizard completes the installation of Certificate Services. Click Finish when it’s done.

Creating a Local Computer and Current User Certificates Console

To request computer and user certificates for client computers, first create a console on the client computer that displays the Certificates (Local Computer) and Certificates (Current User) snap-ins. To do so, complete the following steps:

1. On a client computer, click Start, choose Run, type mmc in the Open box and then click OK. This opens a blank Microsoft Management Console (MMC).

2. Choose Add/Remove Snap-In from the File menu. The Add/Remove Snap-In dialog box appears.

3. Click Add, and select Certificates in the Add Standalone Snap-In dialog box, and then click Add again.

4. In the Certificates Snap-In dialog box (Figure 15-11), select Computer Account, click Next, select Local Computer, and then click Finish.

   
   Figure 15-11: The Certificates Snap-In dialog box.

5. In the Add Standalone Snap-In dialog box, select Certificates again and click Add. The Certificates Snap-In dialog box appears.

6. Select My User Account and then click Finish. Click Close and then OK. This displays the MMC console with the two Certificates snap-ins.

7. Choose Save As from the File menu and then save this to a network share so that you can use the console from any computer on the network.

Requesting Computer and User Certificates

After creating a console that displays the Certificates (Local Computer) and Certificates (Current User) snap-ins, use the following steps to request and install computer and user certificates on a client computer. (But first join the computer to the domain, as described in Chapter 12.)

1. While connected to the network using a wired network connection, a wireless connection using 802.1X authentication with PEAP-MS CHAP v2, or an existing (PPTP) VPN connection, expand the Certificates (Local Computer) container, right-click Personal, choose All Tasks from the shortcut menu, and then choose Request New Certificate.

2. Click Next on the first page of the Certificate Request Wizard. Select Computer on the Certificate Types page (Figure 15-12), and then click Next.

   
   Figure 15-12: Requesting a new certificate for the local computer.

3. On the Certificate Friendly Name And Description page, type a friendly name and description for the certificate. Click Next and then Finish. Click OK in the dialog box that appears if the request was successful. A new certificate is then created in the Certificates (Local Computer)\Personal\Certificates folder.

4. Expand the Certificates (Current User) container, right-click Personal, choose All Tasks from the shortcut menu, and then choose Request New Certificate.

5. Click Next on the first page of the Certificate Request Wizard, select User on the Certificate Types page (Figure 15-13), and then click Next.

   
   Figure 15-13: Requesting a new certificate for a user.

6. On the Certificate Friendly Name And Description page, type a friendly name and description for the certificate, click Next, and then click Finish. Click OK in the dialog box that appears if the request was successful. A new certificate is then created in the Certificates (Current User)\Personal\Certificates folder.

7. Just to be safe, expand the Trusted Root Certification Authorities container in either snap-in, select Certificates, and verify that the enterprise root CA that you created on the Windows Small Business Server computer appears in the list. (In our case, the enterprise root CA is Example Company Internal Certificate Authority.)

Requesting a Certificate for the Windows Small Business Server Computer

The Windows Small Business Server computer should obtain a domain controller certificate so that it can validate its identity to clients for L2TP VPN connections and 802.1X authentication. To do so, first install Certificate Services as an enterprise root CA (as discussed earlier in this chapter), and then use the following procedure to request a certificate from the CA.

1. Open the Certificates (Local Computer) console. See the “Creating A Local Computer and Current User Certificates Console ” section earlier in this chapter if you have yet to create this console.

2. Right-click the Personal container, choose All Tasks from the shortcut menu, and then choose Request New Certificate. The Certificate Request Wizard opens.

3. Click Next on the first page of the Certificate Request Wizard, and on the Certificate Types page, select Domain Controller. Click Next to continue.

4. On the Certificate Friendly Name And Description page, type SBS Server Certificate in the Friendly Name box, optionally type a description, and then click Next.

5. Review the settings and then click Finish. Click OK in the dialog box that appears, which states that the certificate request was successful. (If this doesn’t appear, there’s a problem with Certificate Services.)