Starting with this virtual machine that I previously installed Active Directory on, next I am going to setup a simple Certificate Services service. This should usually be installed on a very secure machine in your organization as it will hold all of the private keys and be able to generate the public keys used in your network and possibly used on external services if you so wish.
Start by going to Control Panel, and Add or Remove Programs.
Click Add/Remove Windows Components, check the box next to Certificate Services. A dialog will appear with a warning as per the photo below.
Be sure you read this warning, and click Yes to continue. Then click Next.
Select ‘Enterprise root CA’ and click Next.
You will be asked for the ‘Common name for this CA:’ type in the computers name. In our case from the last walk through this was “default-fm878pv” which I did not change. If you did not change the name to something more meaningful, you can cancel out now and change it.
Click Next. Click Next again to accept the database paths. You will be asked for the Windows 2003 CD now. Insert it and click OK. After the file copy, you may be presented with this.
In this walk through we will enable Web Enrollment. As we might use it later for smart cards and such.
Back at the Add or Remove programs screen, click Add/Remove Windows Components again click ‘Application Server’ but do not check it, then click Details.
Click on ‘Internet Information Services (IIS)’ but do not check it and click Details.
Scroll down and check the box next to ‘World Wide Web Service’ and click OK. Click OK again. Then click Next. If you removed the 2003 CD, you will need it again.
Reboot the server.
Open a Command Prompt and type ‘certutil -vroot’ as shown in the photo below and hit Enter.
Open Internet Explorer on the server, or another workstation on the network, and connect to the server via name or IP address and browse to /certsrv like shown below in the photo.
If you see this, your web enrollment is working.
You can administrate your Certificate Services install, through Administrative Tools.
You can now use EFS with certificates on your Active Directory client machines. You will now want to look up how to issue administrator certificates to decrypt files encrypted by employees or users that you need access to as the network admin and such.