Configuring Certificate Services on Windows 2008

This post was going to be part of my post on how to build an App-V demo lab in Workstation. However, as it is a bit long, I decided to split it into its own separate post.

Now, in my demo environment I needed to use secure channels for App-V traffic. The main reason for this is that in the real world, if you want to allow secure communication in an Internet-facing scenario, an HTTPS/RTSPS deployment is an absolute security requirement.

Now let me first say that I am not a certificate guru! So please do not shoot the messenger; there will be better ways to set this up in the real world, but I wanted to show a step-by-step method on how to get this set up in the test environment.

So let's begin:

Go into Server Manager and right-click on Roles > Add Role.

In the “Before you begin” section click Next. You could check the “Skip this page by default” box, which will stop this page from loading the next time you install a new role.

In the “Select Server Roles” section select “Active Directory Certificate Services” and click Next.

The next page is an introduction with nothing to configure; click Next.

You might ask why we need to add Certificate Authority Web Enrolment: it is so we can add a web page for certificate requests if needed. So select “Certificate Authority Web Enrolment”.

When the pop-up appears, click Add Required Server Role.

On the “Setup Type” page I have selected the Enterprise option; click Next.

As this is the first, and in fact only, CA in the environment, select Root CA and then click Next.

In the “Private Key” section select “Create a new private key” and then click Next.

Now in the “Configure Cryptography for CA” section just set up the basic cryptography options for the lab and click Next.

Next set up the common name for your CA and click Next. Note that this is the certificate for the CA itself.

Next choose the certificate validity period; for my test environment I have set a 5-year certificate. Click Next.

I left the “Certificate Database” settings as default, then clicked Next.

In the “Introduction to IIS” section (note: this is just configuring some additions to IIS for certificate requests) click Next.

In the Role Services section, click Next.

Finally, review the configuration changes and click Install.

Right, off you go and grab a cup of tea or coffee while the installation takes place; once it is complete, click Close.

Now remember that earlier it was mentioned that we would not use the original certificate that we created for the Root CA.

What we need to do now is issue a new certificate for the management server. This is done from the IIS 7 Management Console, which you open via Administrative Tools.

In IIS7 select your server in the left hand pane.

Now in the right-hand pane you should see a section called “Server Certificates”. Selecting this opens the Server Certificates pane.

In this area we want to create a new certificate request, so click “Create Certificate Request” on the right-hand side, or right-click in the right pane and select “Create Certificate Request”.

In the details of my certificate I am going to set the following.

Common Name: stream.PVM.internal (this is the DNS name which the clients are pointed to)
Organisation details: these will depend on your details :o)

Once this is set up click Next. In the Online Certificate Authority section, browse and search for your CA (this is what we set up earlier in this post) and then click Finish.

Once that is set up you should be able to see your certificate in the right-hand pane.

OK, that's the initial set-up for the certificates. However, we are going to have to come back to this after the installation of the management server to re-ACL the certificate that we have created for the management server.
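The same request that the IIS wizard makes can be driven from the command line, which is handy when you rebuild the lab. The script below is an added example, not part of the original post: it uses certreq (present on Windows Server 2008) to build a request for the common name stream.PVM.internal, submit it to the online enterprise CA, bind the issued certificate to its private key in the machine store, and then check that the result chains to the root CA. The CA config string, the organisation fields and the working directory are placeholders you need to change for your own lab.

```powershell
# Added example, not from the original post: request the management server's
# certificate from the enterprise CA with certreq instead of the IIS wizard.
# Assumptions (placeholders): the CA config string, the O/C values and the paths.
$CommonName = 'stream.PVM.internal'                 # DNS name clients use (from the post)
$CaConfig   = 'PVM-DC.PVM.internal\PVM-Root-CA'     # PLACEHOLDER: "CAHost\CA common name"
$WorkDir    = 'C:\CertRequest'                      # PLACEHOLDER: working directory
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# certreq INF: a 2048-bit exportable machine key for SChannel with the
# Server Authentication EKU, issued from the built-in WebServer template.
$Inf = @"
[NewRequest]
Subject = "CN=$CommonName, O=PVM, C=GB"
KeyLength = 2048
KeySpec = 1
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[RequestAttributes]
CertificateTemplate = WebServer
"@
Set-Content -Path "$WorkDir\stream.inf" -Value $Inf -Encoding ASCII

# 1. Build the CSR; the private key is generated in the LocalMachine store.
certreq -new "$WorkDir\stream.inf" "$WorkDir\stream.req"
# 2. Submit to the online enterprise CA. An enterprise CA normally auto-issues
#    from the WebServer template, so the signed certificate comes straight back.
certreq -submit -config $CaConfig "$WorkDir\stream.req" "$WorkDir\stream.cer"
# 3. Bind the issued certificate to its private key in LocalMachine\My.
certreq -accept "$WorkDir\stream.cer"

# Verify: the certificate is present, has a private key, and chains to the root CA.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CommonName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $Cert)                { throw "No certificate for $CommonName in LocalMachine\My" }
if (-not $Cert.HasPrivateKey)  { throw "Certificate for $CommonName has no private key" }
$Chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $Chain.Build($Cert)) {
    $Chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw "Certificate does not chain to a trusted root CA"
}
"Issued by: $($Cert.Issuer)  Thumbprint: $($Cert.Thumbprint)  Expires: $($Cert.NotAfter)"
```

Run it in an elevated PowerShell prompt on the management server, because the key is created in the machine store. If your CA is set to pend requests rather than auto-issue, certreq -submit prints a request ID and no .cer file is written; issue the request in the Certification Authority console and retrieve it with certreq -retrieve before running the -accept step. The chain check at the end is the same test clients will perform, so a failure here means they would not trust the server either.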

DNS Update

One last piece!

We have created a certificate for PVM-App-V.PVM.internal; you will also have to add an alias (CNAME) in your DNS forward lookup zone for stream.appv.internal for this to work correctly. So go into DNS and make this one small addition. If you use a CNAME for stream.appv.internal, just point it back to your management server machine or to the virtual IP address of your NLB cluster.
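The alias only does its job if the name clients type resolves to the management server and also matches the common name on the certificate, otherwise the TLS name check fails even though the certificate chain is fine. The script below is an added example, not part of the original post: it adds the CNAME with dnscmd and then verifies both conditions from the management server. It assumes the zone is PVM.internal (so that the alias is stream.PVM.internal, the common name used in the request above; adjust it if your alias lives in a different zone), and the DNS server and management server host names are placeholders.

```powershell
# Added example, not from the original post: add the CNAME with dnscmd and check
# that the name clients connect to resolves to the management server and matches
# the common name on the issued certificate. Run on the management server.
# Assumptions (placeholders): the DNS server, zone and management server names.
$DnsServer  = 'PVM-DC.PVM.internal'      # PLACEHOLDER: a DNS server in the lab
$Zone       = 'PVM.internal'             # PLACEHOLDER: forward lookup zone of the alias
$Alias      = 'stream'                   # clients use stream.<zone> (from the post)
$Target     = 'PVM-App-V.PVM.internal'   # management server or NLB cluster name
$ClientName = "$Alias.$Zone"

# Create the alias record. dnscmd expects a fully-qualified target with a trailing dot.
dnscmd $DnsServer /RecordAdd $Zone $Alias CNAME "$Target."

function Test-StreamName {
    param([string]$Name, [string]$ExpectedHost)
    $entry  = [System.Net.Dns]::GetHostEntry($Name)
    $expect = [System.Net.Dns]::GetHostEntry($ExpectedHost)
    $ok = $true
    # The alias must land on the same addresses as the management server.
    foreach ($addr in $expect.AddressList) {
        if (-not ($entry.AddressList | Where-Object { $_.Equals($addr) })) {
            Write-Warning "$Name does not resolve to $addr"
            $ok = $false
        }
    }
    # The certificate served for this name must carry it as the common name,
    # otherwise clients fail the TLS name check even though the chain is valid.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$Name*" -and $_.HasPrivateKey }
    if (-not $cert) {
        Write-Warning "No certificate with a private key for CN=$Name in LocalMachine\My"
        $ok = $false
    }
    return $ok
}

if (Test-StreamName -Name $ClientName -ExpectedHost $Target) {
    "$ClientName -> $Target is consistent with the issued certificate"
}
```

dnscmd needs the DNS Server Tools installed on the machine you run it from, and a freshly added record may take a moment to resolve if the name was already cached. The function is worth keeping for later, since a renewed certificate or a moved NLB VIP are the two things that silently break the name-to-certificate match.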