Security: Setting up Certificate Authority Server with Win2003

cyruslab Security, VPN March 27, 2011 2 Minutes

I have been doing pre-shared key based site to site vpn, and decided to move forward to advance vpn technology using digital certificate. I am using Windows 2003 as the Certificate Authority to authenticate users. Pre-shared key is easy to setup and configured but it is not scalable, if you have more than 2 sites that need vpn then you may wish to consider CA as your choice of authentication.

This post records the steps I did to setup a CA.

Pre-requisite for CA using Windows 2003:

1. IIS server.

2. Certificate service.

3. Simple Certificate Enrollment Protocol (SCEP) software which can be downloaded from microsoft.

CA-setup-win2003 — Control Panel > Add or Remove Programs > Add/Remove Windows Components. It is recommended to install IIS first from Application servers. If you have already installed IIS, you can move ahead to install Certificate Services.

CA-setup-win2003-part2 — Before you continue make sure your hostname is the name you desired, after CA is installed you may not change your server hostname.

CA-setup-win2003-part3 — Choose the default Standalone CA.

CA-setup-win2003-part4 — Choose a common name for this CA and also the validity of the CA; default is 5 years.

CA-setup-win2003-part5 — Click next and move on.

CA-setup-win2003-part6 — IIS service will be temporarily stopped.

CA-setup-win2003-part7 — Do ensure your Windows 2003 DVD/CD is loaded.

CA-setup-win2003-part8 — Certificate services installation in progress.

CA-setup-win2003-part9 — Certificate services installation finished.

scep1 — Download SCEP from Microsoft.

scep2 — Double click on the SCEP add-on and begin installation.

scep3 — This is the EULA, click yes and move on.

scep4 — Click next to move on.

scep5 — Choose the default and click next.

scep6 — Click next, it is recommended to checked the box for enhanced security.

scep7 — Fill up the details and click next.

scep8 — Click finish to complete the process.

scep9 — http://cyruslab/certsrv/mscep/mscep.dll is the location where your ASA and router will get the certificate from. Remember it.

Published by cyruslab

View all posts by cyruslab

Published March 27, 2011

Leave a Reply Cancel reply

Enter your comment here...

Fill in your details below or click an icon to log in:

Email (required) (Address never made public)

Name (required)

Website

You are commenting using your WordPress.com account. ( Log Out / Change )

You are commenting using your Facebook account. ( Log Out / Change )

Connecting to %s

%d bloggers like this: